Need help with removing adware.websearch and trojan

Welcome to MajorGeeks, telomere.

I am reviewing your logs and will get back to you with instructions as needed. Please be patient!

*Our queue is working the oldest threads first.

dr.m

 

Hello, telomere

*You need to run MSconfig and put your PC into normal startup mode as requested in step 4 of the READ & RUN ME guide.

Use MSconfig to setup for Normal Startup Mode

You're in need of a RAM upgrade:

Question: What can you tell me about this file "C:\YBCZP"?

Step 1:
Please look in Add/Remove Programs (Programs and Features if using Vista or Windows 7) for the following and uninstall if found. If you get any errors just make a note and continue on.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Step 2:
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Step 3:
Now download The Avenger by Swandog469, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything inside the Quote box below, and paste it into the "Input script here:" part of the window.

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Step 4:
Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).

Step 5:
Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

Step 6:
Now install the latest Sun Java Runtime Environment

Step 7:
Please run this and attach the results.

Using ESET's Online Scanner

Step 8:
Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

Please attach the new C:\MGlogs.zip file and the ESETscan.txtto your next reply.

* Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

dr.m

 

What program do you have from BillP Studios or is this a left-over folder?
C:\Program Files\BillP Studios

Step 1:
Please go to VirusTotal.com and upload the following file for analysis.
C:\YBCZP

Then post the URL link to the file scan report.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Step 2:
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Step 3:
Let's again use Avenger

• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything inside the Quote box below, and paste it into the "Input script here:" part of the window.

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Step 4:
Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

Step 5:
Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

Please attach the new C:\MGlogs.zip file and post the URL link to the VirusTotal scan result to your next reply.

*What malware problems are you still experiencing?

 

Hello, telomere

Only 1 out of 41 of the anti-virus engines flagged C:\YBCZP ; I wouldn't be concerned with it.

WinPatrol is produced by BillP Studios but I find no references to it in your logs. *If the folder [ C:\Program Files\BillP Studios ] is empty, you can just delete it.

Good choice as that might have negated our cleaning.

Your logs look good! I suggest that you post in our Software Forum for help diagnosing your Startup issues. If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Safe surfing! http://i268.photobucket.com/albums/jj5/drmoriarty/Emoticons/char145.gif

 

No, Avira doesn't include a firewall. *My personal selection includes Avira AntiVir Personal - Free and Comodo Personal Firewall 5.3.50343.1237.

You're welcome & Safe surfing!

 

You're very welcome!
PS: I sing in private.. that eliminates the complaints.

 

Well, let's start all over again and see what we can find -

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and then attach the requested logs to your next reply when you finish these instructions.

 

*You need to run MSconfig and put your PC into normal startup mode as requested in step 4 of the READ & RUN ME guide.

Use MSconfig to setup for Normal Startup Mode

* ComboFix shows you have multiple anti-virus and firewall applications installed:

You MUST uninstall one of each type application!

Also - ComboFix reports "- REDUCED FUNCTIONALITY MODE -" indicating that you did not allow it to update when prompted.

Move MGTools.exe directly onto your desktop, not here:
C:\Users\admin\Desktop\malware removl\MGtools.exe

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now we need to use ComboFix.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  If it asks you to overide the previous file with the same name, click YES.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt

Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.

Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

Please run this and attach the results.

Using ESET's Online Scanner

Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

Please attach the new C:\MGlogs.zip file and the ESETscan.txtto your next reply.

* Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

dr.m

 

Your logs look good!

Not something to be concerned with, as you will read about in the last link that I'll give in this reply.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Safe surfing! http://i268.photobucket.com/albums/jj5/drmoriarty/Emoticons/char145.gif

 

You're very welcome, telomere.

:major

 

The detected infection isn't harmful at this point. Now to investigate!

• Right click on your Avira AntiVir icon located near your clock at the bottom right of your screen and click on the Admininstration tab
• Choose "Quarantine" then left click on the file shown in the large pane on the right side to high--light it
• Now, right click and select from the drop down menu "open quarantine directory"
• The quarantined file will be shown in the right pane
  • NOTE the filepath to the quarantined file (and it's name ending in ".qua")- it'll show something similiar to
    C: > ProgramData > Avira > AntiVir Desktop > INFECTED >
• CLOSE both the "INFECTED" file folder and the Avira application window

Please go to VirusTotal.com and upload the quarantined file pathway for analysis.

*When the scans complete, you will now have the information needed to determine how the file needs to be dealth with, using Avira:

• Delete object
• Restore object to

COMMENT: Since your machine has been re-formatted, a clean install performed, given the "All Clean" from running our cleaning procedure, but now have concerns about a trojan ...please "Re-examine" your recent activities using your pc.

 

You're welcome!

If you followed our recommendations in the "Final Steps", you do have the tools available to scan any downloads for malware before installing them, simply by right-clicking them - you then have the options to scan them with either MBAM or AntiVir.

*You could even "OPEN" SUPERAntiSpyware > "Scan your computer" > click on "Perform Custom Scan" > tick "Selected Folders" ONLY > choose "Add" > navigate to the folder containing your download > next choose "Close" > then "Next".

Practice - "Safe... downloading"! LOL

 

Please re-read my reply in post #26... scan suspect downloads before attempting their installs. That could keep your blood pressure a little lower.

:wine

 

:wave

Your question is outside my specialty, telomere. However, this seems to explain it rather well.

*I think that you would receive some great advice from the knowledgeable members who post in our Overclocking Forum. Why not also make an introductory thread in our Welcome Centre, then ask for some opinions in your Overclocking thread? Either way, you'll find that friends are easily made here, and there's a wealth of helpful information shared among us!

Hope to see you around the forums,
dr.m http://i268.photobucket.com/albums/jj5/drmoriarty/Emoticons/char145.gif