My son's old XP

Discussion in 'Malware Help (A Specialist Will Reply)' started by DelanoJoe, Dec 22, 2013.

  1. DelanoJoe

    DelanoJoe Private E-2

    Decided to replace the power supply and at the same time scan it - attached are the logs. There was quite a bit of malware removed, but not sure if it's been completely taken care of.

    Thanks,

    Joe
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You said your son's PC yet you ran scans from the Connie 2 user account. Per the logs, every user account on this PC has the same junkware infections.


    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    Java(TM) 6 Update 15

    Now install the current version of Sun Java from:

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: NCO 2.0 IE BHO - Disabled:{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: Symantec Intrusion Prevention - Disabled:{6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
    O2 - BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (file missing)
    O2 - BHO: MediaBar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll (file missing)
    O3 - Toolbar: MediaBar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll (file missing)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKUS\S-1-5-21-3762205137-276579175-1832723659-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Joe')
    O4 - HKUS\S-1-5-21-3762205137-276579175-1832723659-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Joe')
    O4 - HKUS\S-1-5-21-3762205137-276579175-1832723659-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Joe')
    O4 - HKUS\S-1-5-21-3762205137-276579175-1832723659-1010\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Michael')
    O4 - HKUS\S-1-5-21-3762205137-276579175-1832723659-1011\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Laura')

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
     
    :Files
    C:\Documents and Settings\All Users\Application Data\Babylon
    C:\Documents and Settings\Christian\AppData\LocalLow\DataMngr\
    C:\Documents and Settings\Christian\Application Data\BabylonToolbar
    C:\Documents and Settings\Christian\Local Settings\Application Data\Conduit
    C:\Documents and Settings\Connie 2\AppData\LocalLow\DataMngr
    C:\Documents and Settings\Connie 2\Application Data\Mozilla\Firefox\Profiles\szjqtmv0.default\extensions\ffxtlbr@babylon.com\
    C:\Documents and Settings\Connie 2\Local Settings\Application Data\Babylon
    C:\Documents and Settings\Connie 2\Local Settings\Application Data\Conduit
    C:\Documents and Settings\Connie 2\Local Settings\Application Data\OpenCandy
    C:\Documents and Settings\Joe\AppData\LocalLow\DataMngr
    C:\Documents and Settings\Joe\Local Settings\Application Data\Babylon
    C:\Documents and Settings\Joe\Local Settings\Application Data\Conduit
    C:\Documents and Settings\Laura\AppData\LocalLow\DataMngr
    C:\Documents and Settings\Laura\Application Data\BabylonToolbar
    C:\Documents and Settings\Laura\Local Settings\Application Data\Conduit
    C:\Documents and Settings\Michael\AppData\LocalLow\DataMngr
    C:\Documents and Settings\Michael\Application Data\BabylonToolbar
    C:\Documents and Settings\Michael\Local Settings\Application Data\Conduit
    C:\WINDOWS\Temp\*.*
    C:\Documents and Settings\Connie 2\Local Settings\Temp\*.*
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Babylon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escort.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortApp.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\escorTlbr.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\esrv.EXE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylnApp.appCore.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylnApp.appCore]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\c]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4ccf-834A-2DDA4E29E39E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\escort.escortIEPane]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1009\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1009\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "OutfoxTV"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "HP Software Update"=-
    "KernelFaultCheck"=-
    "UserFaultCheck"=-
    [HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1009\Software\Microsoft\Windows\CurrentVersion\run]
    "OutfoxTV"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
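Added example (editor's code, not from the thread, HijackThis or MajorGeeks): a small Python triage of HijackThis lines of the kinds chaslang selects above (O2/O3 BHOs and toolbars, O4 autoruns, plus the R0/R1 start-page and R3 URLSearchHook lines that appear later in the thread). It parses each line into its parts and flags the two things that justify a Fix: a registered component whose file is gone ("(no file)" / "(file missing)") and names or paths belonging to the junkware families named in this thread. The sample lines are constructed from the ones quoted in this thread; the JUNKWARE_MARKERS list is an assumption drawn only from this thread, not a general signature set.

```python
"""Triage HijackThis log lines of the shapes quoted in this thread (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis lines of the shapes quoted in the thread.
SAMPLE_HJT = r"""
O2 - BHO: NCO 2.0 IE BHO - Disabled:{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (file missing)
O3 - Toolbar: MediaBar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-21-3762205137-276579175-1832723659-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Joe')
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.entru.com/?s=21983
R3 - URLSearchHook: (no name) - {811FB681-61C2-4442-9C96-9F164F619ED7} - (no file)
"""

# Assumption: junkware families named in this thread only (Babylon, MediaBar/BearShare,
# DataMngr, Conduit, MyWay, entru). A real deployment would use a maintained list.
JUNKWARE_MARKERS = ("babylon", "mediabar", "bearsh", "datamngr", "conduit", "myway", "entru")
# HijackThis marks a registered component whose file is gone with one of these.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

CLSID = r"(?P<clsid>(?:Disabled:)?\{[0-9A-Fa-f-]+\})"
LINE_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$"),
    # O4 - <hive>\..\Run: [<name>] <command> (User '<user>')   (user part is optional)
    "O4": re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] "
                     r"(?P<target>.*?)(?: \(User '(?P<user>[^']+)'\))?$"),
    "R0": re.compile(r"^R0 - (?P<hive>[^,]+),(?P<name>[^=]+?) = (?P<target>.*)$"),
    "R1": re.compile(r"^R1 - (?P<hive>[^,]+),(?P<name>[^=]+?) = (?P<target>.*)$"),
    "R3": re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$"),
}


@dataclass
class Finding:
    kind: str                 # HijackThis line type, e.g. "O2"
    name: str                 # display name, autorun value name, or setting name
    target: str               # file path, command line, or URL
    user: str | None = None   # account an O4 HKUS entry belongs to, if given
    reasons: list[str] = field(default_factory=list)


def parse_line(line: str) -> Finding | None:
    """Parse one HijackThis line; return None for blank or unsupported line types."""
    line = line.strip()
    pattern = LINE_PATTERNS.get(line[:2])
    if not line or pattern is None:
        return None
    m = pattern.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return Finding(kind=line[:2], name=g["name"].strip(), target=g["target"].strip(), user=g.get("user"))


def assess(f: Finding) -> Finding:
    """Attach the reasons a defender would give for removing this entry."""
    low = (f.name + " " + f.target).lower()
    if any(mk in f.target.lower() for mk in ORPHAN_MARKERS):
        f.reasons.append("orphaned: registered component has no file on disk")
    if any(mk in low for mk in JUNKWARE_MARKERS):
        f.reasons.append("name or path matches a junkware family named in the thread")
    if f.kind in ("R0", "R1") and f.target.startswith("http"):
        f.reasons.append("browser start or search page points at an external URL")
    return f


def triage(text: str) -> list[Finding]:
    """Parse and assess every supported line in a HijackThis log excerpt."""
    return [assess(f) for f in map(parse_line, text.splitlines()) if f is not None]


def flagged(text: str) -> list[Finding]:
    """Only the entries that have at least one reason for removal."""
    return [f for f in triage(text) if f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        status = "; ".join(f.reasons) if f.reasons else "no finding (review manually)"
        who = f" [{f.user}]" if f.user else ""
        print(f"{f.kind} {f.name!r}{who}: {status}")
```

The two O4 dumprep entries come through with no reason attached, which is deliberate: they are leftover crash-dump autoruns rather than junkware, and whether to clear them is a judgement call like the one chaslang makes above, not a signature match.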
     
  3. DelanoJoe

    DelanoJoe Private E-2

    The Connie 2 account was an admin account; the rest were not. Here are the logs. It is running better, but I'm still not sure all of the malware has been cleaned off. Am I supposed to run these programs in all user accounts or just the admin account?

    Thanks

    Joe
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will have to run on any user account where you are having problems. Sometimes it will require temporarily changing the user account to an admin account while you clean it up. Then change it back to Restricted user after.


    The most recent MGlogs.zip from Connie 2 was not updated properly. You need to make sure that you disable protection software and then run C:\MGtools\GetLogs.bat. Make sure you let it finish running before attaching the new log.
     
  5. DelanoJoe

    DelanoJoe Private E-2

    I've deleted 2 of the accounts and I'm going to delete the Connie 2 account as well. Here are the files from Christian's account. It is going to be just my account and my son's.

    Joe
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, the last log still shows the below accounts. The ones marked below are Windows system accounts. You need to disable the Guest account. It is a security risk.
    Code:
                                   USER INFORMATION     
    ******************************************************************************
     
    Users on this computer:
    Is Admin? | Username
    ------------------
       Yes    | Administrator                 (Windows system account)
       Yes    | Christian
       Yes    | Connie 2
              | Guest                         (Windows system account)
              | HelpAssistant (Disabled)      (Windows system account)
       Yes    | Joe
              | SUPPORT_388945a0 (Disabled)   (Windows system account)

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.entru.com/?s=21983
    R3 - URLSearchHook: (no name) - {811FB681-61C2-4442-9C96-9F164F619ED7} - (no file)
    R3 - URLSearchHook: (no name) - {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\Documents and Settings\Joe\AppData\LocalLow\DataMngr
    C:\Documents and Settings\Joe\Local Settings\Application Data\Babylon
    C:\Documents and Settings\Joe\Local Settings\Application Data\Conduit
    C:\Documents and Settings\Christian\Local Settings\Application Data\BearShare
    C:\Documents and Settings\Christian\Local Settings\Application Data\ConduitEngine
    C:\Documents and Settings\Christian\Local Settings\Application Data\iLivid
    C:\WINDOWS\Temp\*.*
    C:\Documents and Settings\Christian\Local Settings\temp\*.*
    
    :Reg
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1006\Software\Babylon]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1006\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1006\Software\Datamngr]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1006\Software\Microsoft\Office\Word\Addins\BabylonOfficeAddin.OfficeAddin]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1012\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1012\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1012\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1012\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1012\Software\Softonic]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=-
    "Google Update"=-
    [HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1012\Software\Microsoft\Windows\CurrentVersion\run]
    "swg"=-
    "Google Update"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{172177F9-829F-E8EE-1BBD-47184C6E94BD}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
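Added example (editor's code, not OTM's own and not part of the thread): a Python parser for the OTM script format used in this post and in chaslang's earlier one. It splits the :Processes, :Files, :Reg and :Commands sections into a structured plan so the script can be reviewed before it is pasted into OTM. In the :Reg section it follows the .reg conventions the scripts above use: `[-KEY]` deletes a key, `[KEY]` followed by `"name"=-` deletes a value under that key, and `"name"="data"` sets a string value. Two review checks follow from the thread itself: the bulk `*.*` deletes under the temp folders, and the HKEY_CURRENT_USER operations, which act on whichever account runs OTM, which is why chaslang says to repeat the run in each affected account. The sample script is a constructed, shortened version of the one above.

```python
"""Parse an OTM fix script into a reviewable plan (added example, not OTM's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a shortened OTM script of the shape quoted in the post above.
SAMPLE_SCRIPT = r"""
:Processes
explorer.exe

:Files
C:\Documents and Settings\Joe\AppData\LocalLow\DataMngr
C:\Documents and Settings\Joe\Local Settings\Application Data\Conduit
C:\WINDOWS\Temp\*.*

:Reg
[-HKEY_USERS\S-1-5-21-3762205137-276579175-1832723659-1006\Software\Babylon]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""

SECTION_RE = re.compile(r"^:(Processes|Files|Reg|Commands)$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>[^\]]+)\]$")       # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')       # "name"=- or "name"="data"


@dataclass
class RegOp:
    op: str                   # "delete_key", "delete_value" or "set_value"
    key: str
    name: str | None = None
    value: str | None = None


@dataclass
class Plan:
    processes: list[str] = field(default_factory=list)
    files: list[str] = field(default_factory=list)
    reg: list[RegOp] = field(default_factory=list)
    commands: list[str] = field(default_factory=list)


def parse_otm(text: str) -> Plan:
    """Turn the script text into a Plan; raises ValueError on lines it cannot place."""
    plan = Plan()
    section = None
    current_key = None   # the [KEY] that following "name"= lines apply to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section is None:
            raise ValueError(f"line outside any section: {line!r}")
        if section == "processes":
            plan.processes.append(line)
        elif section == "files":
            plan.files.append(line)
        elif section == "commands":
            plan.commands.append(line.strip("[]"))
        else:  # :Reg, .reg-file conventions
            km = KEY_RE.match(line)
            if km:
                if km.group("minus"):
                    plan.reg.append(RegOp("delete_key", km.group("key")))
                    current_key = None
                else:
                    current_key = km.group("key")
                continue
            vm = VALUE_RE.match(line)
            if vm is None or current_key is None:
                raise ValueError(f"malformed :Reg line: {line!r}")
            if vm.group("data") == "-":
                plan.reg.append(RegOp("delete_value", current_key, vm.group("name")))
            else:
                plan.reg.append(RegOp("set_value", current_key, vm.group("name"),
                                      vm.group("data").strip('"')))
    return plan


def script_is_valid(text: str) -> bool:
    """True when every line of the script parses into a section."""
    try:
        parse_otm(text)
        return True
    except ValueError:
        return False


def bulk_file_deletes(plan: Plan) -> list[str]:
    """File entries with wildcards: whole-folder sweeps worth a second look before running."""
    return [p for p in plan.files if "*" in p]


def account_relative_ops(plan: Plan) -> list[RegOp]:
    """HKEY_CURRENT_USER operations apply only to the account that runs OTM."""
    return [op for op in plan.reg if op.key.upper().startswith("HKEY_CURRENT_USER")]


if __name__ == "__main__":
    plan = parse_otm(SAMPLE_SCRIPT)
    print("processes:", plan.processes)
    print("files:", len(plan.files), "bulk deletes:", bulk_file_deletes(plan))
    for op in plan.reg:
        print("reg:", op.op, op.key, op.name or "", op.value or "")
    print("per-account reg ops:", len(account_relative_ops(plan)))
    print("commands:", plan.commands)
```

A value line that appears before any `[KEY]`, or any line before the first section header, is rejected rather than guessed at, since OTM would otherwise act on whatever it thinks the line means.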
     
  7. DelanoJoe

    DelanoJoe Private E-2

    I tried deleting the Guest account but it didn't have an option to do that. I deleted the Connie 2 account, but couldn't do much else after that. I then noticed more malware on his computer, so I started over from the beginning. I had just finished the MalwareBytes scan (35 items found) and restarted when the NTLDR is missing message came up. I am now trying to get his OS back up and running. If I get it up, I will finish the initial scans and also perform the tasks you showed below. He was downloading game mods on some game site when he picked this stuff up. We are restricting what sites he can go on from now on.

    Thanks,

    Joe
     
  8. DelanoJoe

    DelanoJoe Private E-2

    OK - I fixed the NTLDR missing message that started after the reboot of MalwareBytes run. I restarted from the beginning after finding more malware. I attached the 5 log files and will run the instructions below and attach in another post.

    Joe
     

    Attached Files:

  9. DelanoJoe

    DelanoJoe Private E-2

    I finished running the instructions from below. I attached the files and things seem to be OK, but I'd be surprised if there aren't more instructions after the last round of malware found. I appreciate all your help and we are trying to lock this computer down the best we can.

    Thank you,

    Joe
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like someone who is using this PC is downloading more junkware all the time. That needs to be put in check!!! Otherwise we are just wasting our time. ;)


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run a scan with Hitman Pro one more time (do not run anything else!!!!). Attach the new log.
     
    Last edited: Jan 25, 2014
  11. DelanoJoe

    DelanoJoe Private E-2

    Yes Chaslang - I agree with you 100% - I had a talk with him and told him he has to stay off gaming forums and no more downloads. The reg entries were successful. I attached the hitman pro log. Things seem OK but hard to say for sure.

    Thank you,

    Joe
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Delete the below folders and you should be good.

    C:\Documents and Settings\Joe\AppData\LocalLow\DataMngr
    C:\Documents and Settings\Joe\Local Settings\Application Data\Babylon
    C:\Documents and Settings\Joe\Local Settings\Application Data\Conduit
     
  13. DelanoJoe

    DelanoJoe Private E-2

    Thank you Chaslang - seems like when it rains it pours - I'm now working on my father-in-law's computer remotely - he is in Florida. I hope this stops soon as I'm getting tired of scanning computers :) I do appreciate your time and effort (and patience).

    Joe
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
