Please Help! Malware Logs

Discussion in 'Malware Help (A Specialist Will Reply)' started by citrusdrop, Sep 17, 2012.

  1. citrusdrop

    citrusdrop Private E-2

    Dear Malware Helpers,

    I hope someone out there can help me! My problem began sometime back in mid-June/July when I began noticing my sound was switching between speakers. Sometimes sound would only come out of one speaker. I thought it was a hardware problem, so I took it to Best Buy where I bought the computer. I had hardware protection bought, had them take it in (Around 8/23/12), and they returned it to me (around 09/06/12) stating that there was a malware problem. They said it would cost $200 to fix, and they suggested restarting the entire OS. I knew there was a better solution and have been looking for a fix somewhere to do it on my own. However, I am afraid of altering my computer for the worst (I have done that before), so I hope you can help me. The sound seems to be fixed but...

    I should note, sometime mid-July, I started having browser redirect problems, and my Accuweather program started having that weird "program has not responded" popup with "Switch To" and "Retry" buttons every time I start the computer. My computer now starts and states that the adapter is not correct, although everything still works just fine. I just have to press F1 to continue now every time I start my computer. I am not sure if this is all originating from the same source...but I am just giving you as much detail as possible.

    I have run the steps for Windows 7 from the Malware Removal guide and attached the logs to this message. It looks like there's something there, but I do not know how to fix it myself.

    Can anyone out there help me?

    Anything would be great!

    Thanks,
    Jaimie
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hello Jaimie,

    Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Once the scan is complete, go to the Registry tab and checkmark everything except the below items:
    • [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    • [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    • [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    • [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)
     
  3. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Best Buy pc app
    • BitTorrentBar Toolbar

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the "Custom Scans/Fixes" text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the "Run Scan" button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach OTL.txt and Extras.txt to your next message. (How to attach)
     
  4. citrusdrop

    citrusdrop Private E-2

    thisisu,

    Thank you for your quick reply. I really appreciate it. I did everything you asked in order, although I could not find the Bestbuy pc app data. I'm surprised it even still exists...I removed that when I first got the laptop. I actually did not find it on my control panel but through my Uninstaller program. The Uninstaller program could only bring it up to "Repair" the program, not uninstall it, what should I do?

    All the logs are attached to this message.
     

    Attached Files:

  5. citrusdrop

    citrusdrop Private E-2

    Update: When I turned on my computer this morning, "ghosts" of old icons appeared on my Desktop, as well as in many other places in my computer. There are random things like my User folder (Jaimie Pantoja), Desktop.ini, and old file icons with names like $!datedresume.docx (for what used to be updatedresume.docx before I tossed it many months ago).

    What is going on??
     
  6. thisisu

    thisisu Malware Consultant

    Leave it alone for now. I'll create a fix that should remove the remaining traces as well as the malware on your computer.


    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the "Custom Scans/Fixes" text-field.
    Code:
    :processes
    killallprocesses
    :otl
    IE - HKU\S-1-5-21-2145724641-1149917968-2640249532-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=2159&gct=hp
    IE - HKU\S-1-5-21-2145724641-1149917968-2640249532-1000\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found
    IE - HKU\S-1-5-21-2145724641-1149917968-2640249532-1000\..\SearchScopes\{123BC1D7-3CD5-40EB-A504-6A4792A258C0}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=OVO2&o=2159&src=kw&q={searchTerms}&locale=&apn_ptnrs=^A2E&apn_dtid=^YYYYYY^UQ^US&apn_uid=de142fe0-ad5f-49cf-b367-8d608d9ef513&apn_sauid=A81F4E77-E73F-4B3C-8E70-D5ABC526C791
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=685749&ilc=12"
    FF - prefs.js..browser.search.selectedEngine: "Ask.com"
    FF - prefs.js..browser.startup.homepage: "http://www.ask.com/?l=dis&o=2159&gct=hp"
    FF - prefs.js..extensions.enabledAddons: {88c7f2aa-f93f-432c-8f0e-b7d85967a527}:3.15.1.0
    FF - prefs.js..extensions.enabledAddons: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.2.145
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=2&q="
    FF:64bit: - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
    FF - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
    [2012-08-31 14:22:25 | 000,002,404 | ---- | M] () -- C:\Users\Jaimie Pantoja\AppData\Roaming\Mozilla\Firefox\Profiles\nmyoyhxt.default\searchplugins\askcom.xml
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.
    O3 - HKU\S-1-5-21-2145724641-1149917968-2640249532-1000\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.
    [2012-08-27 08:44:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Geek Squad
    [3 C:\Users\Jaimie Pantoja\Desktop\*.tmp files -> C:\Users\Jaimie Pantoja\Desktop\*.tmp -> ]
    [1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
    [2009-07-13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini
    :services
    IBUpdaterService
    :files
    C:\ProgramData\Best Buy pc app /d
    C:\ProgramData\Geek Squad /d
    C:\ProgramData\IBUpdaterService /d
    C:\Program Files (x86)\1ClickDownload /d
    type "C:\Users\Jaimie Pantoja\Documents\vba.ini" /c
    C:\ProgramData\IBUpdaterService\ibsvc.exe /d
    :reg
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Best Buy pc app]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{123BC1D7-3CD5-40EB-A504-6A4792A258C0}]
    :commands
    [emptyjava]
    [emptyflash]
    
    
    Now click the "Run Fix" button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
    Last edited: Sep 18, 2012
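As an added example (not part of this thread and not OTL's own code), a small Python reader that breaks an OTL fix script like the one above into its sections and lists the concrete actions, so the script can be reviewed before "Run Fix" is pressed. It assumes a trailing "/c" means "run this line as a shell command" (taken from the `type ... /c` line above) and leaves other switches uninterpreted.

```python
"""Dry-run reader for an OTL fix script like the one above (added example, not
part of the thread or of OTL): it lists what each section would do before it runs."""
import re

def parse_otl_fix(script: str) -> dict:
    """Group non-empty lines under their ':section' header (case-insensitive)."""
    plan, section = {}, None
    for line in (ln.strip() for ln in script.splitlines() if ln.strip()):
        m = re.match(r"^:(\w+)$", line)
        if m:
            section = m.group(1).lower()
            plan.setdefault(section, [])
        elif section is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            plan[section].append(line)
    return plan

def summarize(plan: dict) -> dict:
    """Concrete actions. '/c' is read as 'run as a shell command' (assumed from
    the 'type ... /c' usage); other trailing switches are kept verbatim."""
    procs = [p.lower() for p in plan.get("processes", [])]
    out = {"kill_all": "killallprocesses" in procs, "services": plan.get("services", []),
           "otl_entries": len(plan.get("otl", [])), "cleanup": plan.get("commands", []),
           "commands": [], "deletes": [], "reg_deletes": []}
    for line in plan.get("files", []):
        path, switch = re.match(r"^(.*?)(?:\s+(/\w+))?$", line).groups()
        if switch and switch.lower() == "/c":
            out["commands"].append(path)
        else:
            out["deletes"].append((path, switch))
    for line in plan.get("reg", []):
        m = re.match(r"^\[-(.+?)\]?$", line)  # "[-key]"; tolerate a missing ']'
        if m:
            out["reg_deletes"].append(m.group(1))
    return out

# Constructed sample made of lines taken from the fix script in the post above.
SAMPLE = r"""
:processes
killallprocesses
:services
IBUpdaterService
:files
C:\ProgramData\IBUpdaterService /d
type "C:\Users\Jaimie Pantoja\Documents\vba.ini" /c
:reg
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{123BC1D7-3CD5-40EB-A504-6A4792A258C0}]
"""
```

Calling `summarize(parse_otl_fix(SAMPLE))` returns a dictionary whose "deletes", "commands" and "reg_deletes" entries can be read against the script line by line.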
  7. thisisu

    thisisu Malware Consultant

    This is normal. They are revealed so that we can also see hidden and system files in the logs. They will disappear when we are finished with the procedure.
     
  8. citrusdrop

    citrusdrop Private E-2

    thisisu,

    As soon as I hit Run Fix, my computer blue screened on me.
     
  9. thisisu

    thisisu Malware Consultant

    Sorry to hear that.
    • What state is the computer in now?
    • Are you able to boot into Normal Mode?
    • Can you get into Safe Mode?
     
  10. citrusdrop

    citrusdrop Private E-2

    I checked all the important areas...Everything seems fine. The computer runs completely okay (Normal Mode, I assume) and has been this entire time. Though I have noticed, since the malware removal procedures earlier, it has been running significantly faster.

    I can try to boot in Safe Mode and try the procedure again. Would you like me to do that?
     
  11. thisisu

    thisisu Malware Consultant

    Yes, try it from Safe Mode :)
     
  12. citrusdrop

    citrusdrop Private E-2

    Ran OTL in Safe Mode w/ Networking. It ran successfully!

    Log is attached =)
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    That log looks good.

    What problems are you experiencing now, if any?
     
  14. citrusdrop

    citrusdrop Private E-2

    So far I haven't run into any more problems. The Switch to and Retry thing from Accuweather even stopped. And Firefox is working a LOT faster. The change is notable. Not sure what was slowing it down precisely, but I think we killed it.
     
  15. thisisu

    thisisu Malware Consultant

    I think so too ;)

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
