Please help with virus/malware removal

Hi all. A friend at work brought his computer and asked if I could help clean it. There looks to be a lot of things on this computer that shouldn't be.

Refore going thru the READ ME AND RUN ME FIRST procedure, I uninstalled a few things: Claro toolbar, Snap.co, MyFunCards toolbar

I've noticed lots of popups, while browsing...and one at startup - Smart PC Cleaner (which I also uninstalled).

I have attached the logs and will await a response. Thank you!!

Diane

PS...I also noticed that as soon as I open the Roguekiller, it created a folder on the desktop called "RK Quarantine". I have not done anything with that folder...mainly because I haven't a clue what to do!

 

Hello

Do you know what this program is for and is it something you purposely installed? Strongvault Online Backup

__

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• ASPCA Reminder by We-Care.com v4.1.19.1
• Browser Manager
• DefaultTab Chrome
• DefaultTab
• Java(TM) 6 Update 25
• Strongvault Online Backup <== Uninstall it if you do not recall installing it.

__

This is RogueKiller's Quarantine folder. It is normal for this folder to be created. Leave it alone for now, when we remove our tools this folder should be deleted.

 

Thanks, and sorry it took a while to get back. The computer is not mine, so I had to check with the friend to see if Strongvault was something they installed. They don't remember installing it and don't use it, so I uninstalled it...and all the other programs you recommended.

There are some other programs their son installed (accidentally or on purpose) - a couple video converters, something called Yontoo, and Swiki. I was going to uninstall, but I'll wait on your instructions first.

Thanks again!
Diane

 

Yes uninstall those. I don't see Yontoo as being installed but do uninstall it if you are able to.

Also remove these:

• Swiki_IE
• Swiki version 1.0

__

http://imageshack.us/a/img841/7292/thisisujrt.gif Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next post.

__

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  drives
  netsvcs
  baseservices
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• Two reports will be created.
  • OTL.txt <-- Will be opened
  • Extras.txt <-- Will be minimized
• Attach both reports to your next message. (How to attach)

Let me know how the computer is doing at this point.

 

I uninstalled the programs and items you suggested.

I have attached the log files you requested.

The computer seems to be behaving better. I noticed a few popup windows earlier this morning, but it's definitely running faster now and the browser seems to be doing what it should.

Thanks again for your help!

 

Just a few more items

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

:otl
[2012/11/07 21:36:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Browser Manager
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]
O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
:files
C:\Program Files (x86)\pc checkup
:reg
[-hkey_current_user\software\datamngr]
[-hkey_current_user\software\datamngr_toolbar]
[-hkey_local_machine\software\datamngr]
[-hkey_local_machine\software\wow6432node\datamngr]
:commands
[clearallrestorepoints]
[emptytemp]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

 

One more thing, for Chrome, it is recommended to remove the "claro-search.com" related items using this method.

While you have Google Chrome open, type this into the address bar and press ENTER: chrome://chrome/settings/

From here you should be able to remove any settings related to "Claro".

Some other links that you should visit if you continue to have problems:

• chrome://plugins/
• chrome://chrome/extensions/

 

OK...ran the fix in OTL and attached the log here.

Also changed the chrome settings, as requested.

 

That looks good.

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe

 

Thank you so much...everything is looking good!

 

You're welcome