FBI lockout, Claro redirect and who knows what else!

Discussion in 'Malware Help (A Specialist Will Reply)' started by HonestD, Dec 30, 2012.

  1. HonestD

    HonestD Private E-2

    Hi there,
    My problems started with the FBI lockout approx. 3 months ago. I went to Micro Center and got some vague instructions which did not work; the last ditch was to restore to a prior restore point, which I did, and now I've got this Claro redirect thingy going on in IE, Google Chrome is funky, and Firefox had Claro, but all the work I did following your instructions seemed to have removed Claro from Firefox. I once tried uninstalling Claro from the program files, but my AV (PC Tools) stopped it from doing what it does, slipping through the cracks.
    Anyway, all these logs that I have show tons of interesting info which means diddly to me, so I hope you guys can help me out.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to also attach the requested logs from TDSSkiller and MGtools.
     
  3. HonestD

    HonestD Private E-2

    Sorry, TDSSKiller was run before I went and followed your instructions, and that log is gone and fixed by someone else's instructions. But I wrote down what it said.
    c:\programfiles\common files\installshield\divert\11\intel32\idrivert.exe---APPL/InstallBrain.Gen
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It should still be there in your root folder and you still need to attach the logs from MGtools.
     
  5. HonestD

    HonestD Private E-2

    Sorry again, I don't know what a root folder is, but I did see some TDSS files in this MG zip.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The root folder is the top level folder on your hard disk. C:\ is the root folder.

    Yes MGtools copies them from your root folder. When you run TDSSKiller, it always puts the logs in the root folder.

    Before I can work up a proper fix, I have to get some questions answered, as I see too many security programs installed and/or running. I see signs of all of the below in your logs.

    Microsoft Security Essentials
    Windows Defender
    Emsisoft Anti-Malware
    Malwarebytes Anti-Malware
    Norton Internet Security
    PC Tools Internet Security 9.1
    PC Tools Threatfire
    SUPERAntiSpyware

    You have 3 antivirus programs installed and you should have only one.
    And you may have up to 7 antispyware/antimalware protection programs installed. It depends on how many of the above are paid versions and how many are just free programs. So which of the above are paid for and which are free?

    No wonder you had a problem trying to uninstall Claro. All of the above running could make it impossible for any malware to be removed.

    In fact, since having all the above installed could really have messed up your PC and Windows Security Center, let's clean all this up first before we do anything else. So let's uninstall ALL (yes ALL) of the below (if some do not uninstall, just continue, but explain the problems to me later):

    Microsoft Security Essentials
    Windows Defender
    Emsisoft Anti-Malware
    Malwarebytes Anti-Malware
    Norton Internet Security
    PC Tools Internet Security 9.1
    PC Tools Threatfire
    SUPERAntiSpyware

    After uninstalling (or in between each one if they request a reboot), reboot your PC and get me a new MGtools log by doing the below.

    See if you can now uninstall the below:
    Ask Toolbar
    Claro LTD toolbar
    Viewpoint Media Player

    Even if you cannot uninstall all of them, do the below anyway.



    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Documents and Settings\All Users\Application Data\Babylon
    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2\Application Data\Babylon
    C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2\Application Data\Claro LTD
    C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2\Application Data\Mozilla\Firefox\Profiles\8g71dbue.default\extensions\plugin@yontoo.com
    C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2\Local Settings\Application Data\AskToolbar
    C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2\Local Settings\Application Data\AskToolbar
    C:\Documents and Settings\Penny.YOUR-F78BF48CE2\Application Data\Claro LTD
    C:\Documents and Settings\Penny.YOUR-F78BF48CE2\Local Settings\Application Data\AskToolbar
    C:\Documents and Settings\Penny.YOUR-F78BF48CE2\Local Settings\Application Data\AskToolbar
    C:\Program Files\Ask.com
    C:\Program Files\Claro LTD
    C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
    C:\Program Files\Vid-Saver
    C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
    C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{00000000-6E41-4FD3-8538-502F5495E5FC}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1010\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.clarodskBnd.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.clarodskBnd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Babylon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\babylontoolbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Claro LTD]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CCC3E766-7BA9-4629-AC1A-7F4B7F362E65}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\c]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.claroappCore.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.claroappCore]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.clarodskBnd.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.clarodskBnd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.claroHlpr.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\claro.claroHlpr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05340575-7D2A-4266-9A84-7EEBDC476884}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97C47A30-3CFB-474B-94E3-6019A7EE0610}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE4FC43F-84CE-4E20-88C2-2188525B47FB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F398D871-ED00-42A8-BEAA-0209E9E59FCC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.claroESrvc.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\esrv.claroESrvc]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{16466D47-74A8-4928-B8B2-07CD79ABFC9F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26D5CC0A-7A46-4D86-AF45-2EFA320B0C54}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D13AC8F-037E-40C5-ADA6-231BA74EA2F4}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{322EDCF5-9E7D-4021-8C67-F3FFE4961A38}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3E254398-828F-4D51-A39E-3F6B6D96A12C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{442DAF0C-7EAD-48D9-ABEA-E0036470D6D5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{58EB187D-24F8-4423-BD6C-655CE4C416BD}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6BEB066C-A791-4A21-B934-7783533FE888}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A07612DF-B1DD-484F-A1C3-36CA4CE919D2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A76F97B2-2C56-456A-A29E-72741595C2E8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B19D9D96-E59C-4936-B283-8A831CDB3A53}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DC8AAABA-3F8B-4866-8B3A-D9368133A478}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E15519AE-99BE-42DD-BE60-FFC3C183F443}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A903AC15-686E-4D67-A355-86FCBE9F60DA}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCC3E766-7BA9-4629-AC1A-7F4B7F362E65}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{60295942-9E5F-4EE8-B785-3A655904D24F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\claro]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\Software\Ask.com]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\Software\AskToolbar]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\Software\Claro LTD]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000F18F2-09EB-4A59-82B2-5AE4184C39C3}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9E131A93-EED7-4BEB-B015-A0ADB30B5646}]
    [-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\Software\Vid-Saver]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
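An added Python example (not the forum's or OTM's code) that parses a script in the format of the OTM code box above and summarises what it would remove: which per-user hives (SIDs) the :Reg section touches, which GUIDs are being unregistered from more than one place (class registration, BHO registration, per-user Ext\Stats entry), and duplicate :Files entries. The section names and the [-KEY] syntax are taken from the posted script; reading the leading "-" as "delete this key" (the .reg-file convention) and the short sample script are my assumptions.

```python
"""Parse an OTM (OldTimer's OTMoveIt) script like the one posted above and
summarise what it would remove. Added example, not the forum's or OTM's code.
Assumption: section names (:Processes, :Files, :Reg, :Commands) and the
"[-KEY]" registry syntax are as seen in the posted script; the "-" prefix is
read as "delete this key", as in .reg files."""
import re
from collections import Counter, defaultdict

# Constructed sample in the same format as the posted script (a few of its entries).
SAMPLE_SCRIPT = r""":Processes
explorer.exe

:Files
C:\Program Files\Claro LTD
C:\Program Files\Ask.com
C:\Program Files\Ask.com
C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1009\Software\Claro LTD]
[-HKEY_USERS\S-1-5-21-1056627933-1232823715-3677886551-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""

SECTION_RE = re.compile(r"^:(\w+)\s*$")
REG_DELETE_RE = re.compile(r"^\[-(.+)\]$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
SID_RE = re.compile(r"^HKEY_USERS\\(S-1-5-21-[\d-]+)", re.IGNORECASE)


def parse_otm_script(text):
    """Return {section_name: [entries]} with blank lines dropped."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        if current is None:
            raise ValueError("entry before any :Section header: %r" % line)
        sections[current].append(line)
    return dict(sections)


def registry_deletions(sections):
    """Keys the :Reg section would delete (the '[-...]' form)."""
    keys = []
    for line in sections.get("reg", []):
        m = REG_DELETE_RE.match(line)
        if m:
            keys.append(m.group(1))
    return keys


def summarize(text):
    sections = parse_otm_script(text)
    keys = registry_deletions(sections)
    files = sections.get("files", [])
    # Per-user hives (SIDs) the script touches.
    sids = sorted({m.group(1) for k in keys for m in [SID_RE.match(k)] if m})
    # GUIDs referenced from more than one registry location: a quick review
    # that a component is unregistered everywhere (class, BHO, Ext\Stats).
    guid_locations = defaultdict(set)
    for k in keys:
        for g in GUID_RE.findall(k):
            guid_locations[g.upper()].add(k)
    multi = {g: len(locs) for g, locs in guid_locations.items() if len(locs) > 1}
    dup_files = [f for f, n in Counter(f.lower() for f in files).items() if n > 1]
    return {
        "processes": sections.get("processes", []),
        "file_count": len(files),
        "duplicate_files": dup_files,
        "reg_delete_count": len(keys),
        "user_sids": sids,
        "guids_in_multiple_keys": multi,
        "commands": sections.get("commands", []),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_SCRIPT).items():
        print(k, "=>", v)
```

Running it on the posted script instead of the sample shows at a glance that the Claro and Ask toolbar CLSIDs are removed from the HKLM class registration, the BHO list and both user SIDs' Ext\Stats keys, which is what makes the removal stick across reboots.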
  7. HonestD

    HonestD Private E-2

    Hi,
    Sorry it took so long to get back. Followed your instructions and the Claro is gone.
    Was not able to uninstall the Norton (2005) program, and couldn't find PC Tools ThreatFire.
    What do you recommend I use as an antivirus, that I previously had? Can't afford to buy anything else, just got laid off.
    Also, there was something I had turned off and was to wait until you guys told me to turn it back on?
    Thanks for your help so far. :)
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Please run the below and then reboot:

    Norton Removal Tool

    After reboot, Uninstall the below very old versions of software:
    Java(TM) 6 Update 37


    Don't install any of these yet. We have to finish your cleanup and make sure Norton is gone first. However, you can use Microsoft Security Essentials. It is free. Or you can use one of the below free tools but ONLY USE ONE!!!

    AntiVir Personal Edition
    Avast! Home Edition


    Now let's check to make sure Norton was fully removed. Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  9. HonestD

    HonestD Private E-2

    Hi,
    After using the Norton removal tool, some funny things started to happen:
    1. A flashing cursor in the top left corner of a black screen sits and blinks forever, until I press Esc?
    2. It takes forever for the PC to load with funny flashing screens.
    3. Smart Webprinting is trying to find the source to install or uninstall instructions.
    On the other hand :-D, Norton is gone, find attached the newest MG zip, and the registry keys were successfully added.

    Thanks again,
    Denes.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a ton of stuff in MSconfig registry keys, including stuff not even installed anymore. You should not be using MSconfig as a long-term startup manager. It was not meant for that. See this >> Dealing with Startup Process

    Now run MSconfig and put your PC into normal startup mode and then reboot. After reboot, make sure you do the below properly, last time you did not. You ran MGtools.exe instead which is not what I requested.

    Now let's check to make sure Norton was fully removed. Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  11. HonestD

    HonestD Private E-2

    Hi,
    Sorry to have wasted your time. :( I downloaded the HijackThis program and will learn to use it, just not tonight. Thank you.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis was suggested for permanent deletions if you never want the startups ever again. Even though it makes backups, they can get deleted so I don't recommend this for things you may want to toggle from off to on and vice versa. My suggestion is to use Autoruns for things you may want to toggle.

    Okay, now we will clean up some of the items that you previously had stuck in MSconfig that are no longer installed. And we will permanently remove a few others that you do not need.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;*.local;<local>
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe" /hideGUI
    O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Compaq_Owner.YOUR-F78BF48CE2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

    After clicking Fix, exit HJT.

    Now open a command prompt window by clicking Start, Run, and enter cmd and click OK. If the window opens type each of the below commands in. Follow each by the enter key. Note there are spaces after the sc and after the stop and after the delete.

    sc stop !SASCORE
    sc delete !SASCORE

    Now reboot your PC.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 9, 2013
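An added Python example (not HijackThis's or MajorGeeks' code) that does the review from this post programmatically: it parses O2/O4/O23 lines in the format shown above and sorts each into orphan (target file missing, or "(no file)"), uninstalled-product (file still present but belonging to a product that was removed, like the !SASCORE service), unresolved 8.3 name (a PROGRA~1-style path that can only be expanded on the real machine), or keep. The log lines, the "files present" set and the %systemroot% value are constructed stand-ins; on a real machine the set would be replaced by os.path.isfile() and the environment by os.environ.

```python
"""Sort HijackThis log lines into 'orphan' (registered but target missing),
'uninstalled-product' (target present but belongs to a removed product),
'unresolved-8.3-name' and 'keep'. Added example, not HijackThis's or the
forum's code. Assumptions: line formats follow the O2/O4/O23 entries above;
disk contents and environment are constructed stand-ins so it runs offline."""
import re

# Constructed log lines patterned on the post above (not the user's real log).
SAMPLE_LINES = r"""O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE""".splitlines()

# Constructed "what is on disk" set; a real run would call os.path.isfile().
FILES_PRESENT = {
    r"c:\windows\system32\dumprep.exe",
    r"c:\documents and settings\owner\local settings\application data\google\update\googleupdate.exe",
    r"c:\program files\superantispyware\sascore.exe",
}
ENV = {"systemroot": r"C:\WINDOWS"}  # stand-in for os.environ on the scanned PC
# Products the thread says were uninstalled; anything still pointing at them is a leftover.
UNINSTALLED = ("Norton", "Microsoft Security Client", "SUPERAntiSpyware")
EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".dll")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]+)\) - (?P<vendor>.*?) - (?P<path>.*)$")


def executable_from_command(cmd):
    """Executable of a Run-key command line: quoted path, or an unquoted path
    that may contain spaces (extend token by token until an exe extension)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_EXT):
            return candidate
    return tokens[0]


def normalize(path):
    """Expand %var% names, add .exe when the extension was omitted (dumprep), lowercase."""
    path = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)
    if not re.search(r"\.[A-Za-z0-9]{1,4}$", path):
        path += ".exe"
    return path.lower()


def file_status(target):
    if "~" in target:                      # 8.3 short name: needs the real filesystem
        return "unresolved-8.3-name"
    if target not in FILES_PRESENT:
        return "orphan"
    if any(p.lower() in target for p in UNINSTALLED):
        return "uninstalled-product"
    return "keep"


def classify(line):
    """Return (kind, name, target, status), or None for line types not handled here."""
    m = O2_RE.match(line)
    if m:
        status = "orphan" if m["path"] == "(no file)" else "keep"
        return ("O2", m["name"], m["path"], status)
    m = O4_RE.match(line)
    if m:
        target = normalize(executable_from_command(m["cmd"]))
        return ("O4", m["name"], target, file_status(target))
    m = O23_RE.match(line)
    if m:
        target = normalize(m["path"])
        return ("O23", m["short"], target, file_status(target))
    return None


def review(lines):
    return [r for r in (classify(l) for l in lines) if r]


if __name__ == "__main__":
    for kind, name, target, status in review(SAMPLE_LINES):
        print("%-4s %-22s %-20s %s" % (kind, name, status, target))
```

The unquoted IS CfgWiz path is the interesting case: splitting on the first space would give "c:\Program" and misreport the target, so the parser extends the path token by token until it reaches an executable extension, the same ambiguity Windows itself has to resolve for unquoted paths.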
  13. HonestD

    HonestD Private E-2

    Hello,
    Followed your instructions (I hope correctly) and there was a snag. When I ran cmd, the PC froze! I gave it about 30 minutes to see if it would open the window, but it didn't. I rebooted, then ran cmd with your instructions, and rebooted again, then ran the MGtools\GetLogs.bat.

    When I entered sc delte !SASCORE I received this message:

    Open service failed 1060
    The specified service does not exist as an installed service

    See attached the MGlogs.zip.

    Thanks, D.
     

    Attached Files:

  14. HonestD

    HonestD Private E-2

    Hi there,
    The Claro seems to be gone and the same with Norton, but there was an automatic update for some Microsoft security program, and Adobe Reader 10.1.4 is installing automated updates. I was wondering if you had time to look at the MGlog, and if we can take the next step? :confused:
    Thanks for your valuable time.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Are you sure you entered the commands correctly? It's still there per your logs. Try the below command:

    sc query !SASCORE

    Make sure you have a space before and after query and make sure that !SASCORE is in caps.

    Your logs are looking good otherwise.
     
  16. HonestD

    HonestD Private E-2

    It seems that I goofed again. Here's the new Log. Thanks for your patience. D
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Looks good now.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  18. HonestD

    HonestD Private E-2

    I wanted to thank you, for your time, expertise and your patience.
    Were there any other suggestions that I should do?
    Thank you very much.

    Sincerely,
    Denes Szabo.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Just those final instructions. ;)
     
