Claro Search and desktop.ini removal help.

Discussion in 'Malware Help (A Specialist Will Reply)' started by dhoehna, Dec 3, 2012.

  1. dhoehna

    dhoehna Private E-2

    Hello,

    My name is Darren and my girlfriend's computer has both Claro Search and desktop.ini on it. I have gone through READ & RUN ME FIRST and all my logs are attached. I would look at another thread but I asked Timothy Tibbetts and he told me to always start a new thread since all problems are different.

    Also my computer is also affected with desktop.ini but my girlfriend's computer has two viruses and mine has one.

    Also as a side note I did not read the READ & RUN ME very thoroughly and I did fix errors on RogueKiller and HitmanPro. The logs you are reading though are just the logs from the most recent runs where I did not fix any errors.

    If this makes things more complicated I am very sorry.

    Also the log from Malwarebytes Anti-Malware did not save, so I copied the log and pasted the log into a text folder.

    Thank you very much for your help,

    Darren.
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
  3. dhoehna

    dhoehna Private E-2

    Thanks Kestrel13! for the reply. The log is attached. Also, why Junkware Removal Tool?
     

    Attached Files: JRT.txt
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Why run it? Did you not see what crap it removed? :) It targets Claro hence I had you run it.

    Uninstall the below junk.
    • Browser Manager

    Also uninstall this InstallIQ Updater unless you knowingly installed it.

    Rescan with Hitman and have it delete Potentially Unwanted Programs

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Delete this file:
    C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml

    Delete these folders:
    C:\ProgramData\Babylon
    C:\ProgramData\Browser Manager


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  5. dhoehna

    dhoehna Private E-2

    Sorry, wrong question. What I meant was "Why JRT"? Why not some other tool of some kind?

    Anyway, in the control panel I tried to uninstall the browser manager. I got an error saying that the program has already been uninstalled. I did delete the browser manager off the control panel so it would not show up.

    There was no babylon.xml file. These were the only xml files:
    amazondotcom
    bing
    ebay
    google
    twitter
    wikipedia and
    yahoo.

    There was no babylon folder.

    I tried using windows explorer to delete the "Program Manager" folder but the computer said that the folder was in use.

    I then tried using the command prompt and I got the error "The specified service does not exist as an installed service"
     

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode
    If you know of any better tools... go ahead and run them :) You came to me for assistance, ya know?


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\ProgramData\Browser Manager
    
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    How are things running at this point?
     
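    The OTM script above removes two Internet Explorer search-scope keys by GUID. Before deleting GUID keys blindly it helps to see every search scope on the machine, which one is the default, and where each one actually sends queries. The following script is an added example, not part of this thread and not from OTM or its author; it runs in an elevated Windows PowerShell prompt. The $KnownHosts allow-list is an assumption for illustration and should hold the search providers you actually expect.

```powershell
# Added example (not from the thread): audit Internet Explorer search scopes.
# A scope whose URL points at a host not in the allow-list, or that has no URL
# at all, is marked REVIEW. The default scope is marked with '*'.

# Assumption for illustration: the providers expected on this machine.
$KnownHosts = @('www.bing.com', 'www.google.com', 'search.yahoo.com')

$ScopeRoots = @(
    'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
)

$Results = foreach ($Root in $ScopeRoots) {
    if (-not (Test-Path -Path $Root)) { continue }

    # The DefaultScope value on the parent key names the GUID IE searches with.
    $DefaultScope = (Get-ItemProperty -Path $Root -ErrorAction SilentlyContinue).DefaultScope

    foreach ($Key in Get-ChildItem -Path $Root) {
        $Props   = Get-ItemProperty -Path $Key.PSPath
        $UrlHost = $null
        if ($Props.URL) {
            try { $UrlHost = ([System.Uri]$Props.URL).Host } catch { $UrlHost = '(unparseable)' }
        }

        # No URL, or a host outside the allow-list, is worth a second look.
        $Status = if ((-not $UrlHost) -or ($KnownHosts -notcontains $UrlHost)) { 'REVIEW' } else { 'ok' }
        $Mark   = if ($Key.PSChildName -eq $DefaultScope) { '*' } else { ' ' }

        [PSCustomObject]@{
            Hive        = $Root.Split('\')[0]
            Default     = $Mark
            Status      = $Status
            Guid        = $Key.PSChildName
            DisplayName = $Props.DisplayName
            Host        = $UrlHost
            Url         = $Props.URL
        }
    }
}

$Results | Format-Table -AutoSize
```

    To remove a scope by hand, which is what a `[-HKEY_...]` line in OTM's `:reg` section does, use `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{GUID}' -Recurse` after exporting the key with `reg export`. If the key you remove was the one named in DefaultScope, set DefaultScope to a remaining legitimate GUID, or IE is left pointing at a scope that no longer exists.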
  7. dhoehna

    dhoehna Private E-2

    I did come for you because I did not know what to do besides swim through the large information ocean known as the internet. I never knew any of these tools existed. That is why I am asking. I am also asking so I can gain some knowledge from all this and next time I have a virus or something like that, I can maybe go one step further than this time when I try to remove it.

    So really, why JRT? What does JRT do that other tools don't do? Is there something JRT does that nothing else does? What separates JRT from Hitman?

    Those are the questions running through my head. I don't think you have the time to spend here answering all my questions. But that is what I am thinking.

    All processes killed
    ========== FILES ==========
    C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings folder moved successfully.
    Folder move failed. C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753} scheduled to be moved on reboot.
    Folder move failed. C:\ProgramData\Browser Manager\2.3.796.11 scheduled to be moved on reboot.
    Folder move failed. C:\ProgramData\Browser Manager scheduled to be moved on reboot.
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827}\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 254925 bytes
    ->Temporary Internet Files folder emptied: 2275457 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 41054553 bytes
    ->Flash cache emptied: 566 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    User: Tierney
    ->Temp folder emptied: 28050530 bytes
    ->Temporary Internet Files folder emptied: 224917965 bytes
    ->Java cache emptied: 1818150 bytes
    ->FireFox cache emptied: 157750408 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 123803 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 34 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1614005 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33304 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
    RecycleBin emptied: 1274667 bytes

    Total Files Cleaned = 438.00 mb


    OTM by OldTimer - Version 3.1.21.0 log created on 12062012_202840

    Files moved on Reboot...
    Folder move failed. C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753} scheduled to be moved on reboot.
    Folder move failed. C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753} scheduled to be moved on reboot.
    Folder move failed. C:\ProgramData\Browser Manager\2.3.796.11 scheduled to be moved on reboot.
    Folder move failed. C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753} scheduled to be moved on reboot.
    Folder move failed. C:\ProgramData\Browser Manager\2.3.796.11 scheduled to be moved on reboot.
    Folder move failed. C:\ProgramData\Browser Manager scheduled to be moved on reboot.
    C:\Users\Tierney\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...

    A lot better, Claro Search is gone, but I still have all those desktop.ini files. There are two on my desktop and one in my users folder.

    By the way, thank you for all your help thus far, I really do appreciate it. :)
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The variety of tools we use all do slightly different things. Some do the same but in a different way. JRT did a very good job of removing lots more files, folders and bad registry entries than Hitman in this case. I like to use it on top of the other tools to be more thorough. And like I said, it targets Claro.

    Normal. It is because at the moment, hidden files and folders are set up to show. ;)

    You are *most* welcome. :) Ready for final steps now?
     
  9. dhoehna

    dhoehna Private E-2

    Oh, so those are okay hidden files. Spiffy. Good to know... although I find it weird that there is more than one desktop.ini file.

    That I am, good malware expert.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    There's 2 on my desktop, too. :) I always like to have hidden files and folders set to show.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
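    Kestrel13!'s point in posts #8 and #10 is that desktop.ini is a normal Windows shell file that is only visible while "show hidden files" (and protected operating-system files) is switched on, and that the ComboFix uninstall in step 2 puts those settings back to the defaults. The script below is an added example, not from this thread or any of the tools it mentions; it checks that each desktop.ini on the Desktop and in the profile folder has the attributes and contents an ordinary one has, and then prints the two Explorer view settings involved. Test-DesktopIni is a name chosen here, and $ExpectedSections and $SystemPathPattern are assumptions for illustration.

```powershell
# Added example (not from the thread): tell ordinary desktop.ini files from ones
# that deserve a closer look, and show the Explorer hidden-file settings.

# Assumptions for illustration: sections Windows itself writes into desktop.ini,
# locations where icon/handler references are expected to live, and extensions
# that count as "executable content" when referenced from anywhere else.
$ExpectedSections  = @('.ShellClassInfo', 'ViewState', 'DeleteOnCopy', 'LocalizedFileNames')
$SystemPathPattern = '^(%SystemRoot%|%windir%|%ProgramFiles%|[A-Za-z]:\\Windows\\|[A-Za-z]:\\Program Files)'
$ExecutablePattern = '\.(exe|dll|scr|cpl|bat|cmd|vbs|js)\b'

function Test-DesktopIni {
    param([System.IO.FileInfo]$File)

    $Issues = @()
    $Attrs  = $File.Attributes
    $Hidden = [bool]($Attrs -band [System.IO.FileAttributes]::Hidden)
    $System = [bool]($Attrs -band [System.IO.FileAttributes]::System)
    # Windows always creates desktop.ini as Hidden+System; anything else is odd.
    if (-not ($Hidden -and $System)) { $Issues += 'attributes are not Hidden+System' }
    if ($File.Length -gt 4KB)        { $Issues += ('unusually large: {0} bytes' -f $File.Length) }

    $Section = ''
    foreach ($Raw in (Get-Content -Path $File.FullName -ErrorAction SilentlyContinue)) {
        $Line = $Raw.Trim()
        if ($Line -match '^\[(.+)\]$') {
            $Section = $Matches[1]
            if ($ExpectedSections -notcontains $Section) { $Issues += "unexpected section [$Section]" }
        }
        elseif ($Line -match '^([^=;#]+)=(.*)$') {
            # Values such as IconResource normally point at DLLs under %SystemRoot%;
            # a reference to executable content anywhere else is worth reviewing.
            $Name  = $Matches[1].Trim()
            $Value = $Matches[2].Trim()
            if (($Value -match $ExecutablePattern) -and ($Value -notmatch $SystemPathPattern)) {
                $Issues += "$Name points outside system paths: $Value"
            }
        }
    }

    [PSCustomObject]@{
        Path   = $File.FullName
        Status = $(if ($Issues.Count -eq 0) { 'ok' } else { 'REVIEW' })
        Notes  = ($Issues -join '; ')
    }
}

$Roots = @([Environment]::GetFolderPath('Desktop'), [Environment]::GetFolderPath('UserProfile'))
foreach ($Root in $Roots) {
    # -Force is required: desktop.ini is Hidden+System and would be skipped otherwise.
    Get-ChildItem -Path $Root -Filter 'desktop.ini' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Test-DesktopIni -File $_ }
}

# Explorer view settings: Hidden=1 shows hidden items (default 2 hides them) and
# ShowSuperHidden=1 shows protected operating-system files such as desktop.ini
# (default 0). Both at the "show" value is why the files are visible right now.
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' |
    Select-Object Hidden, ShowSuperHidden
```

    A desktop.ini reported as ok with Hidden+System attributes and only [.ShellClassInfo]/[ViewState] content is the file the thread is talking about; there is one per customised folder, which is why more than one shows up. Setting Hidden back to 2 and ShowSuperHidden to 0 under that key, or letting the ComboFix uninstall do it, makes them disappear again without deleting anything.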
  11. dhoehna

    dhoehna Private E-2

    Everything works. Thank you very much for your time and assistance. I am sorry it took me so long to reply. Finals just got over. :)
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem! Thanks for letting me know all is running nicely. :)
     
