Malware Removal Assistance

Discussion in 'Malware Help (A Specialist Will Reply)' started by AloisD, Dec 21, 2013.

  1. AloisD

    AloisD Private E-2

    Hi, my computer is running somewhat slowly, and every so often I lose the Internet connection I have through my D-Link wireless adapter, requiring me to run "repair" on the connection. I have taken all the steps in the Malware "Read and Run Me First" sticky. I'm attaching the five logs/reports. As instructed, I was very careful with Hitman Pro not to correct anything, but from looking at the log it seems that some items might have somehow gotten deleted. I hope that doesn't create a problem. If someone could help me out when they get a chance, I would really appreciate it. Thank you very much.
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.

    Re run Hitman Pro and have it delete Potential Unwanted Programs.



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this 1 detection:

    • [RUN][SUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat [-]) -> FOUND

    Place a checkmark next to this item, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Use Windows Explorer to find and delete the below:

    • C:\Program Files\Common Files\Spigot
    • C:\Documents and Settings\All Users\Application Data\Search Protection
    • C:\WINDOWS\SYSTEM32\SET101.tmp
    • C:\WINDOWS\SYSTEM32\SET105.tmp
    • C:\WINDOWS\SYSTEM32\SET10E.tmp
    • C:\WINDOWS\SYSTEM32\SETD8.tmp
    • C:\WINDOWS\SYSTEM32\SETDA.tmp
    • C:\WINDOWS\SYSTEM32\SETE5.tmp
    • C:\WINDOWS\SYSTEM32\SETE6.tmp
    • C:\WINDOWS\SYSTEM32\SETE9.tmp
    • C:\WINDOWS\SYSTEM32\SETF7.tmp
    • C:\WINDOWS\SYSTEM32\SETF8.tmp
    • C:\WINDOWS\SYSTEM32\_000005_.tmp.dll


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
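The RogueKiller detection above is a classic autostart persistence entry: an HKLM Run value whose target is a batch file under a user-writable data folder. The following PowerShell script is an added example for this thread, not code from RogueKiller, Hitman Pro or MajorGeeks. It enumerates the Run/RunOnce keys and flags entries a malware helper would look at first. The list of "user-writable" directories and script-like extensions is an assumption to be tuned, and it needs PowerShell 2.0 or later (installable on XP SP3) running from an elevated prompt.

```powershell
# Added example (not from the thread or RogueKiller): list Run/RunOnce autostart
# entries and flag the ones that look like the "SearchProtection ->
# ...\Application Data\Search Protection\_run.bat" detection above.
# Requires PowerShell 2.0+; run elevated so HKLM is read reliably.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 64-bit hosts only
)

# Assumptions, not thread content: folders any user can write to, and
# extensions that should rarely be an autostart target on a home PC.
$writableDirs = @('\Application Data\', '\ProgramData\', '\Temp\',
                  '\AppData\Local\', '\AppData\Roaming\', '\Users\Public\')
$scriptLike   = '\.(bat|cmd|vbs|vbe|js|jse|wsf|tmp|scr|pif)$'

function Get-AutostartTarget {
    param([string]$CommandLine)
    # "C:\path with spaces\x.exe" /args  ->  C:\path with spaces\x.exe
    # C:\path\x.exe /args                ->  C:\path\x.exe
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # PSPath, PSParentPath, PSChildName, PSDrive, PSProvider are provider noise
            if ($p.Name -like 'PS*') { continue }
            $target  = Get-AutostartTarget -CommandLine ([string]$p.Value)
            $reasons = @()
            foreach ($d in $writableDirs) {
                if ($target -like "*$d*") { $reasons += "user-writable location ($d)" }
            }
            if ($target -match $scriptLike) { $reasons += "script/temp target ($($Matches[0]))" }
            # Bare names such as rundll32.exe are resolved through PATH; full paths are
            # tested directly. A missing target is the usual source of a
            # "cannot find ... exe" prompt at logon after files were deleted.
            $exists = if ($target -match '[\\/]') { Test-Path -LiteralPath $target }
                      else { [bool](Get-Command $target -ErrorAction SilentlyContinue) }
            if ($target -and -not $exists) { $reasons += 'target missing (orphaned entry)' }
            if ($reasons.Count -gt 0) {
                New-Object PSObject -Property @{
                    Key = $key; Name = $p.Name; Target = $target; Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table Key, Name, Target, Reasons -AutoSize
```

Review each flagged row before acting; a legitimate updater living under AppData will also trip the "user-writable location" rule. Once you are sure, `Remove-ItemProperty -Path $key -Name $name` deletes the value, and deleting the target files afterwards avoids leaving the orphaned entry that produces the "cannot find ... exe" message. The script only covers Run/RunOnce keys; Startup folders, scheduled tasks, services and Winlogon values are other autostart locations a full check would include.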
  3. AloisD

    AloisD Private E-2

    Thanks so much for your quick reply! I took the first three steps you recommended: put computer back in normal startup, ran Hitman Pro (it didn't find any potentially unwanted programs, just a 'suspicious' and one other), and ran RogueKiller. The RK log is attached. Also, on startup now, I get a few new error messages: one says 'can't find search protection exe' (with a DOS prompt in the background), the others I think are remnants from uninstalled hardware, like 'ink monitor exe'. I will go forward to the next steps now.
     

    Attached Files:

  4. AloisD

    AloisD Private E-2

    Okay, now I have completed the remaining steps. The two logs are attached. Also attached are screenshots of three error messages I received. It wouldn't let me delete the Spigot folder you referenced. Finally, every time I boot up, the Airplus XtremeG folder opens up on my Desktop. That is the folder for the wireless adapter I used for my Internet connection. Everything does seem to be running faster now, except for all the error messages. :)
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please disable Spybot's TeaTimer.

    How to disable Spybot's TeaTimer


    If you do not use Windows Messenger, run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Program Files\Common Files\Spigot
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Any other issues will have to be discussed in the software forum, because they are not malware related.


    Ready for final steps?
     
  6. AloisD

    AloisD Private E-2

    Okay, I disabled Tea Timer, uninstalled Windows Messenger, and ran Old Timer. It didn't find the Spigot folder, and I checked manually, and it isn't there anymore. Here is the log:

    BEGINLOG:

    All processes killed
    ========== FILES ==========
    File/Folder C:\Program Files\Common Files\Spigot not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Jeff Donius
    ->Temp folder emptied: 643108818 bytes
    ->Temporary Internet Files folder emptied: 61642283 bytes
    ->Java cache emptied: 91679226 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 803338 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 814783 bytes
    ->Flash cache emptied: 1689 bytes

    User: NetworkService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 216946 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 25778512 bytes
    %systemroot%\System32\dllcache .tmp files removed: 15844352 bytes
    %systemroot%\System32\drivers .tmp files removed: 21195 bytes
    Windows Temp folder emptied: 5606193 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 77005370 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 24545937 bytes

    Total Files Cleaned = 903.00 mb


    OTM by OldTimer - Version 3.1.21.0 log created on 12222013_204723

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_1a8.dat not found!

    Registry entries deleted on Reboot...

    ENDLOG

    Also, I know you said other issues will be software-related. I would just like to confirm this before proceeding to that forum. These are my remaining problems on startup. I'm including a couple screen shots:

    1. The Airplus ExtremeG folder keeps opening up.
    2. The Inkmonitor.exe error messages keeps displaying.
    3. An error message about "ANIWZCS2 Service Launcher failing" shows up.
    4. Malware Bytes, Hitman Pro, and Real Player keep launching.

    These are all software-related, yes?

    And which of all the programs I have run should I continue to run regularly?

    Thank you very much for all of your help!
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes indeed, all topics for the software forum. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the below link:
     
  8. AloisD

    AloisD Private E-2

    Kestrel, thank you very much for following up with me again - I thought I was done! I have kept Malwarebytes on my Desktop. I re-enabled my Disk Emulation software. I went to uninstall HijackThis, but it's not there anymore. I am using Windows XP (Pro), so I clicked on MGClean.bat, and at the DOS prompt it said something like "the files you want aren't there" and then most of the files in the MGTools folder disappeared, but not all. I haven't yet deleted the tool programs because I'm not sure which to keep. I suppose Autorun Eater and Defogger should go, but what about TDSSKiller, IObit Malware Fighter, SpywareBlaster, and HitmanPro? (By the way, the "Suspicious Program" detected by HitmanPro is still there.) Finally, I finished reading through the "How to Protect Yourself from Malware" link, and taking those final steps. The main issue I'm left with now, is that I keep losing my Internet connection on my D-Link wireless adapter, and having to repair it every few minutes. I tried uninstalling the current driver version 1.5 and then installing the more current version 1.30 from D-Link's web site, but Device Manager says I still have 1.5. I don't know if the driver is the problem, but I just can't seem to be able to install 1.30!
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Nothing to worry about then.

    You can simply delete the MGTools folder if it still exists. :)
    You can keep Malware Bytes.

    I would uninstall all of those except for AutoRun Eater.

    It's not a suspicious file, Hitman just thinks it is. That's why I chose not to have you fix it. It is part of your anti virus.

    Not a topic for this forum. You can ask about this in the Networking forum, or the software forum. :)
     
  10. AloisD

    AloisD Private E-2

    Fantastic! Thanks again, and Merry Christmas! :wave
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Merry Christmas, Alois! :)
     
  12. AloisD

    AloisD Private E-2

    Thank you, Kestrel. I hope you have a Happy New Year! I posted in the software forum about a week ago, with results from an analysis by Speccy, but there has been no response yet, and my message is now on the fourth page. How can you tell when you're still in line for a response from someone, or when your message has been overlooked? I don't know what to do. I don't have enough posts to send anyone a private message, and I don't want to bump the thread, but there seems to be activity going on in the forum! :)
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go ahead and post again Alois. It won't really be classed as a bump. :)
     
