Malware in software program

Discussion in 'Malware Help (A Specialist Will Reply)' started by Romans10, Jan 6, 2014.

  1. Romans10

    Romans10 Private E-2

    I have used a software program for a year and a half with my high school weight lifting class (BiggerFasterStronger). Now, when I try to open it I get the following error message: "Windows cannot find "C:\bfs\btcaas.exe". Make sure you typed the name correctly, and then try again." Immediately my a/v reports a malware infection in this program. Also, the icon disappears from the desktop. The only way I can get it back is to do a system restore. I still have the program in my menu. It acts the same way but it doesn't disappear.

    I couldn't find how to attach the MBAM report. The log is in the folder but I can't find a way to browse to it so I can attach it. I thought I clicked on "save a log" but I'm not certain. I didn't want to run another scan before I sent this thread b/c I didn't want to have to restart my computer after I attached the other files.

    While I wait for a response I am going to run another MBAM scan and be sure to click "save a log". I've done this before but I guess I messed it up this time.

    Thanks for your help.
     
  2. Romans10

    Romans10 Private E-2

    I found the MBAM log. Here it is.

    I found it.
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks.

    A Security Team Moderator named amateur posted instructions 4 days ago in this link.

    http://www.techsupportforum.com/forums/f100/malware-virus-problem-773650.html for you to complete.

     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: I found the MBAM log. Here it is.

    As Dr Moriarty pointed out in your OTHER thread, you created a post at another forum and they are still waiting for you to respond. We don't agree with cross posting in this way because it wastes the time of ALL helpers involved. :)

    Thanks for understanding. If you wish to stay with us to further investigate your issues then you will need to post at the other forum letting them know you are receiving help elsewhere.
     
  5. Romans10

    Romans10 Private E-2

    I don't remember why I didn't continue with the other forum. All of you anti-malware warriors are very good at what you do and I appreciate you giving your time to help us. When I had a problem I usually went to "g4tv tech support forum" for help but, as you know, it no longer exists. Now, I'm trying to find another one to go to for help.

    I informed the other forum that I am receiving help at another forum (here) and to disregard my previous post.

    Waiting for further instructions. I attached three logs here and, unfortunately, my MBAM log in another post. I couldn't find it at the time to include in this thread.

    Thanks.
     
    Last edited: Jan 7, 2014
  6. Romans10

    Romans10 Private E-2

    Re: I found the MBAM log. Here it is.

    I did that.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The requested logs did not attach.
     
  8. Romans10

    Romans10 Private E-2

    I hope these logs upload successfully.

    Thanks for your help.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Still need the MGlogs.zip from running MGTools.exe please.
     
  10. Romans10

    Romans10 Private E-2

    Here is the MGlogs.zip.
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run Hitman and have it remove Potential Unwanted Programs.



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this 1 detection:

    • [V2][SUSP PATH] RunAsStdUser Task : C:\Users\Sugar\AppData\Local\Temp\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\RunIE.exe - -secondattempt hxxp://sp.ask.com/toolbar/toolbarS/toolbar.php?tb=CDS2&browser=IE&success=1 [x][x] -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
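The RogueKiller line above is worth reading closely: it is a scheduled task ("RunAsStdUser Task") whose action is an executable dropped into the user's AppData\Local\Temp under a GUID-named folder, with an Ask toolbar URL on its command line. A scheduled task survives reboots and fires without the user doing anything, which is why it is removed before the toolbar leftovers are dealt with. What follows is an added example, not code from this thread or from the RogueKiller authors: it runs the same triage over the CSV that `schtasks /query /fo CSV /v` produces on Windows 7, flagging any task whose executable lives in a temp directory or a GUID-named folder, or whose arguments carry a URL. The sample CSV is constructed: the column names `TaskName` and `Task To Run` are those of schtasks verbose output (assumed here; the other columns are omitted), and the second row reproduces the path from the detection above with the URL left defanged as the post shows it.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v` output. Only a subset of
# the columns is shown (assumption: the real output has many more, but
# DictReader keys rows by header name, so extra columns do not matter).
# The second row reproduces the task RogueKiller reported in the thread; the
# URL is kept defanged (hxxp) exactly as the forum post shows it.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"SUGAR-PC","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c","SYSTEM"
"SUGAR-PC","\RunAsStdUser Task","Ready","Sugar","C:\Users\Sugar\AppData\Local\Temp\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\RunIE.exe -secondattempt hxxp://sp.ask.com/toolbar/toolbarS/toolbar.php?tb=CDS2&browser=IE&success=1","Sugar"
'''

# Locations a legitimate scheduled task almost never runs from.
TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%|%TMP%", re.I)
# GUID-named staging folders are typical of one-shot installer droppers.
GUID_DIR = re.compile(r"\\\{[0-9A-F-]{36}\}\\", re.I)
# URL schemes as written by tools and as defanged in forum posts.
URL_IN_ARGS = re.compile(r"\b(?:https?|hxxps?)://", re.I)


def split_command(task_to_run):
    """Split the 'Task To Run' column into (executable, arguments).
    Handles both a quoted executable path and a bare first token."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args.strip()


def suspicious_tasks(csv_text):
    """Return [(task_name, executable, [reasons])] for tasks matching the
    RogueKiller pattern: action staged in a temp directory, in a GUID-named
    folder, or carrying a URL on its command line."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName":
            continue  # schtasks repeats the header row between task folders
        exe, args = split_command(row.get("Task To Run", ""))
        reasons = []
        if TEMP_DIRS.search(exe):
            reasons.append("executable lives in a temp directory")
        if GUID_DIR.search(exe):
            reasons.append("executable sits in a GUID-named folder")
        if URL_IN_ARGS.search(args):
            reasons.append("command line carries a URL")
        if reasons:
            flagged.append((row["TaskName"], exe, reasons))
    return flagged


if __name__ == "__main__":
    for name, exe, reasons in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{name}\n    {exe}\n    " + "; ".join(reasons))
```

On the affected machine you would run `schtasks /query /fo CSV /v > tasks.csv` and feed that file to `suspicious_tasks()`. Treat a hit as something to look at in Task Scheduler, not something to delete on sight: a few legitimate installers also leave temp-staged follow-up tasks behind, and the RogueKiller step above deletes only the one task the helper had already reviewed.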
  12. Romans10

    Romans10 Private E-2

    I ran Hitman. I saw "Potential Unwanted Programs" in the log but I didn't see how to remove it. After the scan it said, "No threats found". I uploaded the log.

    I uploaded the RogueKiller log but it isn't named "RKreport[2].txt".

    I received a success message about adding the bold text to the registry.

    After completing the instructions, I tried to open my "BiggerFasterStronger" software to access the information I recorded about the high school weightlifting classes I teach. I received the same alert from my a/v (avast!) as before. The only thing I could write down before it went away was, "Object: c\bfs\btcaas.exe". There were two more messages. 1) "Windows cannot find 'c:\bfs\btcaas.exe'. Make sure you typed the name correctly and then try again." 2) "AVAST information. To finish the clean up process, we recommend running a boot time scan, ie restarting the computer and letting avast! scan all your data before windows starts. Do you want to schedule the boot-time scan and restart the computer now. yes/no."

    Avast! says, "everything is fine". I ran a scan anyway and it said, "No threats".

    And the icon disappears from my desktop. The only way I know to get it back on the desktop is to do a system restore.

    As a last resort, I can re-install my software program (if I can find the disc) but I will lose a whole semester of students' performance records. I'm hoping that doesn't have to happen but that's what I will have to do on 1/15. We start 2nd semester on 1/16.

    I noticed you didn't look at the hijackthis log in the 8th post on this thread. That is the log I got when I ran MGtools. I didn't run hjt on my own.

    Thanks for your help.
     

    Attached Files:

    Last edited: Jan 9, 2014
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I need Hitman to remove Conduit, Yontoo, Rocketfuel items... do you see those?


    It's already included in the MGlogs.zip if you notice. ;)

    I am not sure what to say about avast flagging the program you are using. I do know that avast gave me some terrible troubles not so long ago - telling me that everything on my whole PC was infected when it wasn't. . .

    Can you give me the link to the download of the exact program you are using? I will install it and see if Microsoft Security Essentials complains about it.
     
  14. Romans10

    Romans10 Private E-2

    I opened the Hitman log and saw conduit, yontoo, and Rocketfuel in each line but two. I remember when I ran HJT several years ago, it created a log with a box in front of each line so you could check it to remove items. There are no such boxes in the Hitman log. How do I remove them? "Delete" is grayed out.

    There is no link to the software. I installed it from a disc a couple of years ago. I'm going to spend the weekend looking for it. I didn't find it at my school.

    Thanks for your continued help.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'll take care of the Hitman step.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Program Files\Conduit
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    C:\Users\Sugar\AppData\Local\Conduit
    
    :reg
    [-HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL]
    [-HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
    [-HKLM\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    [-HKLM\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
    [-HKLM\SOFTWARE\Classes\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    [-HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKLM\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}]
    [-HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    [-HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}]
    [-HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}]
    [-HKLM\SOFTWARE\Classes\YontooIEClient.Api.1]
    [-HKLM\SOFTWARE\Classes\YontooIEClient.Api]
    [-HKLM\SOFTWARE\Classes\YontooIEClient.Layers.1]
    [-HKLM\SOFTWARE\Classes\YontooIEClient.Layers]
    [-HKLM\SOFTWARE\Conduit]
    [-HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    [-HKLM\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}]
    [-HKLM\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}]
    [-HKLM\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}]
    [-HKLM\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    [-HKU\.DEFAULT\Software\AskToolbar]
    [-HKU\S-1-5-18\Software\AskToolbar]
    [-HKU\S-1-5-21-3306569342-2905655260-10585436-1000\Software\AppDataLow\Software\SmartBar]
    [-HKU\S-1-5-21-3306569342-2905655260-10585436-1000\Software\Conduit]
    [-HKU\S-1-5-21-3306569342-2905655260-10585436-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKU\S-1-5-21-3306569342-2905655260-10585436-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    ---------------

    Now re-run Hitman. Attach the log.
    I really don't know what to suggest about the software that avast keeps tagging. Have any of your fellow students who use the software experienced similar issues? Have you tried a different antivirus?
     
  16. Romans10

    Romans10 Private E-2

    Here are the contents of the OTM folder and the new HitMan log.

    All processes killed
    ========== FILES ==========
    C:\Program Files\Conduit\Community Alerts folder moved successfully.
    C:\Program Files\Conduit folder moved successfully.
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B} folder moved successfully.
    File/Folder C:\Users\Sugar\AppData\Local\Conduit not found.
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D372567D-67C1-4B29-B3F0-159B52B3E967}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D9785E5-3424-40B6-A287-BA143AD53109}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\ not found.
    Registry key HKEY_USERS\.DEFAULT\Software\AskToolbar\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-18\Software\AskToolbar\ not found.
    Registry key HKEY_USERS\S-1-5-21-3306569342-2905655260-10585436-1000\Software\AppDataLow\Software\SmartBar\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-3306569342-2905655260-10585436-1000\Software\Conduit\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-3306569342-2905655260-10585436-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ not found.
    Registry key HKEY_USERS\S-1-5-21-3306569342-2905655260-10585436-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 41620 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Sugar
    ->Temp folder emptied: 37658032 bytes
    ->Temporary Internet Files folder emptied: 536960109 bytes
    ->Java cache emptied: 123862797 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 59741 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 2598021 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 25782966 bytes
    RecycleBin emptied: 328069 bytes

    Total Files Cleaned = 694.00 mb


    OTM by OldTimer - Version 3.1.21.0 log created on 01112014_135814

    Files moved on Reboot...
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     

    Attached Files:
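Reading the OTM script from post 15 against the results log above: each `[-key]` directive removes one registry key, and the keys fall into a handful of persistence classes: COM CLSID, Interface, TypeLib and AppID registrations and ProgIDs for the Yontoo IE client, an entry under `Ext\PreApproved` (IE loads add-ons listed there without an Add-on Manager prompt), an `Ext\Stats` usage record, a Chrome external-extension install entry under `HKLM\SOFTWARE\Google\Chrome\Extensions`, Tarma installer product records with the matching Uninstall entry, and the Conduit, SmartBar and AskToolbar settings keys. That is the whole footprint of a bundled toolbar; the `:Files` lines remove the on-disk side. The example below is added here and is not part of the thread or of OTM: it parses the script and the log, reports the outcome the log recorded for every directive, and labels each registry key with the persistence class it belongs to (the labels are my reading of the path shapes, not something the thread states). Two quirks of the log it has to handle: OTM probes `CLSID\{GUID}` after every directive containing a GUID, so a key it has just deleted appears again a line later as `not found` (the first report is kept), and a directive with no matching line at all is reported as `NO RESULT LINE` rather than silently assumed done. The embedded script and log are constructed excerpts of the two posts, shortened to a few entries.

```python
import re

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS", "HKCU": "HKEY_CURRENT_USER"}

# My reading of what each key class in the script is for (not stated in the thread).
PERSISTENCE_CLASSES = [
    (r"\\ext\\preapproved\\", "IE add-on pre-approved (loads without an Add-on Manager prompt)"),
    (r"\\ext\\stats\\", "IE add-on usage record"),
    (r"\\google\\chrome\\extensions\\", "Chrome external-extension install entry"),
    (r"\\currentversion\\uninstall\\", "Add/Remove Programs entry"),
    (r"\\classes\\clsid\\", "COM class (the object IE loads as a BHO/toolbar)"),
    (r"\\classes\\(interface|typelib|appid)\\", "COM interface/typelib/AppID registration"),
    (r"\\classes\\[^\\]+$", "COM ProgID"),
]

# Constructed excerpts of the OTM script (post 15) and the results log (post 16).
OTM_SCRIPT = r'''
:Files
C:\Program Files\Conduit
C:\Users\Sugar\AppData\Local\Conduit
:reg
[-HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
[-HKLM\SOFTWARE\Conduit]
[-HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
[-HKU\S-1-5-18\Software\AskToolbar]
:Commands
[emptytemp]
[Reboot]
'''

OTM_LOG = r'''
========== FILES ==========
C:\Program Files\Conduit\Community Alerts folder moved successfully.
C:\Program Files\Conduit folder moved successfully.
File/Folder C:\Users\Sugar\AppData\Local\Conduit not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Conduit\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\AskToolbar\ not found.
'''


def expand_hive(path):
    """Rewrite the short hive name used in the script to the long one the log uses."""
    hive, sep, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive) + sep + rest


def parse_otm_script(text):
    """Return (file_paths, registry_keys) from OTM's :Files / :reg / :Commands format."""
    section, files, keys = None, [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            section = line.lower()
        elif section == ":files":
            files.append(line)
        elif section == ":reg":
            m = re.fullmatch(r"\[-(.+)\]", line)
            if m:
                keys.append(expand_hive(m.group(1)))
    return files, keys


def parse_otm_log(text):
    """Map every path the log reports on to the FIRST outcome recorded for it.
    First wins: OTM probes the CLSID key for each GUID directive, so a key it
    has just deleted is reported again one line later as not found."""
    outcomes = {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.fullmatch(r"Registry key (.+?)\\ (deleted successfully|not found)\.", line)
        if m:
            outcomes.setdefault(m.group(1).lower(), m.group(2))
            continue
        m = re.fullmatch(r"File/Folder (.+?) not found\.", line)
        if m:
            outcomes.setdefault(m.group(1).lower(), "not found")
            continue
        m = re.fullmatch(r"(.+?) folder moved successfully\.", line)
        if m:
            outcomes.setdefault(m.group(1).lower(), "moved successfully")
    return outcomes


def classify(key):
    """Persistence class of a registry key, judged by the shape of its path."""
    for pattern, label in PERSISTENCE_CLASSES:
        if re.search(pattern, key.lower()):
            return label
    return "other"


def reconcile(script_text, log_text):
    """Outcome recorded for each directive, or 'NO RESULT LINE' when OTM never
    reported on that exact path (so nothing is silently assumed done)."""
    files, keys = parse_otm_script(script_text)
    outcomes = parse_otm_log(log_text)
    return {item: outcomes.get(item.lower(), "NO RESULT LINE") for item in files + keys}


if __name__ == "__main__":
    for item, outcome in reconcile(OTM_SCRIPT, OTM_LOG).items():
        kind = classify(item) if item.upper().startswith("HKEY_") else "file/folder"
        print(f"{outcome:20} {kind:60} {item}")
```

Run against the full script and log from the two posts, the only directives that come back as `not found` are `C:\Users\Sugar\AppData\Local\Conduit` and `HKU\S-1-5-18\Software\AskToolbar`, and every other directive is recorded as moved or deleted; the extra `CLSID\{GUID} not found` lines in the log are OTM's probes, not failures.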

  17. Romans10

    Romans10 Private E-2

    I posted the contents in the OTM folder and the Hitman log in the above post.

    I tried to run my software program again and it was flagged by avast again. Also, the icon disappeared from my desktop like before. I saw this: "Infection: FileRepMetagen". I thought it might be a good idea to uninstall AVAST! and install Avira to see if AVAST! was causing my problem. I had to do a system restore to get the icon back. This time it didn't come back after the system restore. However, I did get this message: "System restore did not complete successfully. Your computer's system files and settings were not changed. Details: an unspecified error occurred during system restore. You might want to try system restore again and choose a different restore point." I did run system restore again but got this same message. I don't think it helped. I can't get the shortcut back.

    I typed BFS in the search window and clicked on the result. I got this error message: "The item 'btcaas.exe' that the shortcut refers to has been changed or moved so this shortcut will no longer work properly. Do you want to delete the shortcut?" But I got this message from the first time I had this problem.
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run Hitman and have it remove the only item it should show: Potential Unwanted Program (ipumper).

    I am afraid you are going to have to post in the software forum regarding any other issues.

    Let me know how you get on with Hitman.
     
  19. Romans10

    Romans10 Private E-2

    Kestrel13!,
    Thanks for all your help. Even though I didn't get my issue resolved I know my computer must be much cleaner than it was before even though I don't understand what was removed with the various items I downloaded and used to scan my computer. Nor do I understand why/what was added to the registry. I'm just glad you are here to help me and others.

    I'll probably have to re-install the program (BiggerFasterStronger) with a disk again but I will lose all of my progress records for over 70 students from 1st semester. There are no grades lost--just 15 weeks of weight lifting logs that are important to me and the students in these classes.

    Thanks, again, for all your time and instructions. I'll check back to see if you need me to do anything else.

    Romans10

    Oops! I forgot to attach the latest Hitman log. Now I need to post again. Sorry.
     
    Last edited: Jan 12, 2014
  20. Romans10

    Romans10 Private E-2

    Kestrel13!,
    Here is the newest Hitman log. I posted some info in a post just before this one.
     

    Attached Files:

  21. Romans10

    Romans10 Private E-2

    I still have OTM and Hitman on my desktop. How do I remove them? I can right click and select "delete" but I think that will just remove the icon and not the program. I think I should remove the program. Right? I looked in the "Programs and Features" folder to uninstall the programs but they were not there. . . only on my desktop.

    Thanks.
     
    Last edited: Jan 12, 2014
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Double click OTM to start the program > (ensure everything else is closed out except for OTM) Press the Cleanup button, say yes to the prompt and allow OTM to reboot the machine.

    If Hitman does not show as being installed, you can just delete the icon on your desktop, and the log files it made. You can also search for any folders it may have left behind and delete those too.

    I think it's so unfortunate that you lost all that data. I'm sorry I couldn't be of more help with that.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  23. Romans10

    Romans10 Private E-2

    Kestrel!,
    I would have preferred to send you a PM but I can't b/c I don't have 50 posts as required by this message board. I wanted you to know it's late and I'm tired and I have to get up early so I'll do what you posted for me to do tomorrow evening. nite-nite.
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem, sleep well!
     
  25. Romans10

    Romans10 Private E-2

    Done! No problems. Thanks for your help.

    Romans10
     
  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome. :) Safe surfing!
     
