Need Help Again with Critter Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by StiinaQT, Nov 21, 2013.

  1. StiinaQT

    StiinaQT Private First Class

    I did it to myself, when trying to update one of my anti-malwares, I wasn't paying attention and accidentally clicked on the wrong download button and I got infected with all kinds of PUP's and other malware. When I checked, my Avira showed the following in the quarantine file:

    Rogue.9764433.1
    Staser.rfm
    Buzus.nwwl (several locations)

    My MBAM showed a whole host of PUP's, many in multiple locations:

pup.optional.WhiteSmoke.A, .BrowserDefender.A, OptimizerPro.A, Delta.A, SearchProtect.A, Conduit.A, DefaultTab, Desk365.A, .Lesstabs, .PlusHD.A, .CrossRider. I also found Pup.BProtector, .Babylon.A, .Tarma.A. PuP.Software.Updater, C:\Windows\Tasks\AmiUpdXP.job, and TarmaInstaller. That is not a comprehensive list, but included to give you a scope of where I was.

    I went on line to find out what these were and used a removal tool called ERARemoval Tool and then YAC. Avira did not let me run YAC fully. I wasn't sure if I needed to go to the Software repair forum or Malware. I started with the Software Repair and I was told that I might as well back up my files and start over with my computer from the base programs. I am rather bull headed and decided to see what the Malware tools might help me with. I have to say that the two tools I have already used seem to have done a fairly good job at repairing my Registry. I had 3 Blue Screens in 2 days and since using them, no more.

    I have gone through the process and have my logs. Would someone please review them and see if we can finish the repair? I would so much appreciate it rather than having to start over with a clean hard drive. I just have too many files and hardware connections to start over! At my age, I just don't want to have to take that kind of time away from other things.

    I will include the other MBAM log in a next post

    Thanks in advance for your help!!
     

    Attached Files:

  2. StiinaQT

    StiinaQT Private First Class

    Attached Files:

    Last edited: Nov 21, 2013
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.

    Did you knowingly install 'Surfing Protection'? Is it anything to do with Iobit?


    This service shows, do you use Isafe? It's not installed.
    • O23 - Service: iSafeService - Elex do Brasil Participações Ltda - C:\Program Files\iSafe\iSafeSvc.exe

    Re run Hitman and have it delete all of the Potential Unwanted Programs, even if it is by default set to ignore them.



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Program Files\Mozilla Firefox\extensions\ffxtlbr@babylon.com
    C:\Users\Laura\AppData\Roaming\DSite
    C:\Users\Laura\AppData\Roaming\eCyber
    C:\Users\Laura\AppData\Roaming\Optimizer Pro
    C:\Windows\System32\b39f~1
    C:\Windows\System32\9cb6~1
    C:\Windows\System32\u2bd2~1
    
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9E4B94A3-4EE2-429D-8031-030C7CE06834}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9E4B94A3-4EE2-429D-8031-030C7CE06834}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.




    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.




    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
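The iSafeService entry above is a service that still registers at boot although its program has been uninstalled. The following PowerShell script is an added example, not something posted in this thread or part of the MajorGeeks tools: it lists every service whose executable no longer exists on disk, which is the check a helper would run to spot such leftovers. It is read-only; the function names are this example's own.

```powershell
# Added example (not from the thread): report services whose binary is missing on disk,
# the situation Kestrel13! points at with the iSafeService entry above.
# Run from an elevated PowerShell prompt; this script deletes nothing.

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    # A service PathName may be quoted ("C:\Program Files\x\svc.exe" -arg) or
    # unquoted with arguments (C:\Windows\system32\svchost.exe -k netsvcs).
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $PathName.Trim()
}

function Find-OrphanedService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceBinaryPath -PathName $_.PathName
            # Expand %SystemRoot%-style variables before testing the path.
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    State       = $_.State
                    StartMode   = $_.StartMode
                    MissingExe  = $exe
                }
            }
        }
}

Find-OrphanedService | Format-Table -AutoSize
```

A service listed here with StartMode Auto is the kind of entry the helper asked about: it will fail at every boot until the registration is removed (for example with `sc.exe delete <name>` once you have confirmed the program really is gone). Treat a missing binary as a prompt to investigate, not as proof of malware; an uninstaller that left its service behind looks identical.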
  4. StiinaQT

    StiinaQT Private First Class

    I changed the boot to normal as directed.

    I believe the Surf Protection is part of one of my programs. I know I have too many and suggestions which to keep is appreciated.

    The iSafe is part of the Apple software? Not sure what it is.

    Hitman was rerun and I deleted all of the items. Log attached. I'm now going to run your next program, OTM. Sorry for multiple posts, but I thought it would be better to address each item as I deal with it so I forget nothing.

    Thank you!!
     

    Attached Files:

  5. StiinaQT

    StiinaQT Private First Class

    Crap, I screwed up the OTM. I copied the directions to my sticky notes and never dreamed that when it came back after reboot that everything else would be blacked out. My memory is crap and I couldn't remember what I was supposed to do next and nothing I did made my Win Exp. come back so I could see my notes. Without copying the results, I exited out. There were a few things that didn't work--not found and such. Can I rerun the OTC or am I screwed on that? Had I any clue the screen would be blacked out, I would have printed the directions!

    Here is the log from the file folder (attached). On to the Junkware removal...

    Thanks! and sorry for the multiple replies, if I don't do this, I forget to include information. PS I'm debating whether to get rid of the YAC, it keeps interfering.
     

    Attached Files:

  6. StiinaQT

    StiinaQT Private First Class

    Ok, last reply...

    JRT.txt and MGLogs.zip attached.

    I'm going to reenable my Avira and one of the Iobit spyware programs to keep safe until I hear from you.

    Thanks again!
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall YAC (I missed that, had not heard of it before) and also uninstall McAfee Security Scan Plus, as you don't need that. How are things running now?
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you comfortable manually deleting registry keys or not? If so, then can you delete these please too?

    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9E4B94A3-4EE2-429D-8031-030C7CE06834}
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D2FC5A74-A324-4159-9BF7-65BD01ECAAAB}
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{05713535-A8AB-E560-BAE3-5FC2F5235CAA}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9E4B94A3-4EE2-429D-8031-030C7CE06834}
     
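The keys above are Internet Explorer search-scope entries that the toolbars left behind. This PowerShell script is an added example (not from the thread or the MajorGeeks tools) that audits both the HKCU and HKLM SearchScopes keys, shows each scope's name and URL, flags the three CLSIDs listed in this post, and can remove just those with a preview first. The CLSIDs come from the post; the function and variable names are this example's own.

```powershell
# Added example (not from the thread): audit Internet Explorer SearchScopes in HKCU and HKLM,
# flag the CLSIDs Kestrel13! listed above, and optionally remove them.
# Removal goes through ShouldProcess, so -WhatIf previews and -Confirm prompts.

# CLSIDs taken from the post above. IE's own default scope is not in this list and is left alone.
$UnwantedScopes = @(
    '{9E4B94A3-4EE2-429D-8031-030C7CE06834}',
    '{D2FC5A74-A324-4159-9BF7-65BD01ECAAAB}',
    '{05713535-A8AB-E560-BAE3-5FC2F5235CAA}'
)

$ScopeRoots = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes'
)

function Get-IESearchScope {
    foreach ($root in $ScopeRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            [pscustomobject]@{
                Hive        = $root.Split(':')[0]
                Clsid       = $key.PSChildName
                DisplayName = $props.DisplayName
                Url         = $props.URL
                Unwanted    = $UnwantedScopes -contains $key.PSChildName
                Path        = $key.PSPath
            }
        }
    }
}

function Remove-UnwantedIESearchScope {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($scope in Get-IESearchScope | Where-Object Unwanted) {
        if ($PSCmdlet.ShouldProcess($scope.Path, "Remove search scope $($scope.DisplayName)")) {
            Remove-Item -LiteralPath $scope.Path -Recurse
        }
    }
}

# Report first; then Remove-UnwantedIESearchScope -WhatIf to preview, and without -WhatIf to delete.
Get-IESearchScope | Format-Table Hive, Clsid, DisplayName, Url, Unwanted -AutoSize
```

Reading the DisplayName and URL before deleting is what answers the question raised later in the thread about the other CLSIDs in the same key: a scope whose URL points at a search engine you chose is yours to keep, while one pointing at a toolbar vendor's redirector is the leftover. After removal, check the DefaultScope value under the SearchScopes key itself; if it still names a deleted CLSID, set it to the scope you want IE to use.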
  9. StiinaQT

    StiinaQT Private First Class

    Yes I am and I will do so. Thanks!
     
  10. StiinaQT

    StiinaQT Private First Class

    I have removed the YAC and McAfee.

    Did you want me to also delete the following registry keys as well?

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0191A6B0-1154-4C22-9182-23A95BBE92D9}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{80AF416A-8EC2-4FDB-BBF6-CE648B649EC7}

    These are also in that same directory. They were not on your list, but the first and 4th were duplicated in your list. I just want to make sure I delete the correct ones.

    Thank you so very much!

    The only problem I'm having is with my printer, but if that is the worst, I can fix that and I'll be doing the happy dance b/c the alternative was very bad!
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, there's nothing else that should be deleted. :)

    Ready for final steps?
    Hope you can work out issues with your printer in the software or hardware forum.
     
  12. StiinaQT

    StiinaQT Private First Class

    Yes, I am ready for the final steps. All seems to be working well. I may just need to reinstall my printer driver. That will be my first step b/c it will print a test page, not something from Chrome.

    Thanks again!

    :cool
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent! :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work thru the below link:
     
  14. StiinaQT

    StiinaQT Private First Class

    Final steps completed and now my printer is working again! I'm extremely happy and sure do appreciate all of your help. I hope there is no next time, but there will be, so I hope next time takes longer than the last time.

    Keep up the good work. Thanks again!

    :celebrate
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    :-D I'm glad your printer is working again. I did nothing to even attempt to fix it, so merely coincidence perhaps but I am pleased for you.
     
  16. StiinaQT

    StiinaQT Private First Class

    I figured that one of the removal tools was blocking it, like the YAC--it blocked most activity that was even remotely suspicious. The printer started working after I removed it. It printed from the computer, but not anything on line, i.e. from the Chrome tools. Had I configured it to ignore my printer, it would probably have worked fine.

    I love your new MGTools batch files! Makes the clean up go so easy. I'm sure it's much easier for all of you too.

    :clap Thanks again!
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes Chaslang does a wonderful job with that. Again, you're most welcome. Take care! :)
     
