"Read & Run Me" in Safe Mode?

Discussion in 'Malware Help (A Specialist Will Reply)' started by linuxpowers, Feb 4, 2014.

  1. linuxpowers

    linuxpowers Specialist

    Before I go through the processes in the sticky post, "READ & RUN ME," I first need to find out if I can do this in safe mode?

    I'm asking because the laptop that I'm going to work on will not allow me to connect to the internet in regular mode. I suppose I could download everything I need in safe mode and then go into regular mode to run them but I was just asking what I should do first!

    BTW, I can boot in normal mode...just no internet access!
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download everything you need with Safe Mode with Networking, and then actually run the tools in normal mode, as you say. :)
     
  3. linuxpowers

    linuxpowers Specialist

    Hey Kestrel13!, Thanks for taking my post!

    It's interesting you are the one who answered this post because the last time I posted malware issues I told you I was interested in helping out instead of always asking for help....do you remember?
    Well, I took you up on that and joined BleepingComputer! I hung around there for a while and got the feel of things, read most of their info pages and got to know a few people. All the while I waited for an opening in their class. But, it was taking too long so I applied at SpywareInfo Forum and am currently a "helper trainee"! I hope it's not like going to college and spending four years learning things that are outdated by the time you graduate! There's so much to learn and it seems new stuff is added "daily".

    Anyway, thanks for the guidance and I'll send those scans as soon as I can get everything together.
     
  4. linuxpowers

    linuxpowers Specialist

    OK!

    I couldn't get RogueKiller to complete. It kept stalling while "Checking Processes."

    MBAM ran completely but it kept jumping back and forth from running to not responding. BTW, it showed clean during this scan, but I did run it last night in Safe Mode when I first got ahold of this computer, and while running a quick scan it detected almost 3000 items, which it successfully removed.

    Everything else ran properly. The log for HitmanPro was too large to upload so I had to install 7-zip from MG to compress it enough to send.
     

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes I do indeed. :)

    Excellent!

    I'm glad to hear you are registered at a malware removal training school. I wish you the very best of luck!


    How do you think you ended up reinfected? :confused


    Uninstall this garbage software!

    • SmartPCFix 3.09
    • Snap.Do
    • SpeedUpMyPC
    • Mobogenie
    • ScorpionSaver
    • Search Protect


    Re-run Hitman Pro and have it remove Malware, Malware remnants & Potentially Unwanted Programs.


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\ProgramData\deaalusTer
    C:\ProgramData\DeualsFinderPro
    C:\ProgramData\ioohfdnlkipdjhigeibpehhkllgkdnaj
    C:\ProgramData\mchdniegbacpemfcgagdjkmjfkgdnfjk
    C:\ProgramData\PCFixSpeed
    C:\ProgramData\Systweak
    C:\ProgramData\Temp
    C:\ProgramData\VisualBee
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegClean Pro
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartPCFix
    C:\Program Files (x86)\Conduit
    C:\Program Files (x86)\Coupons
    C:\Program Files (x86)\iSafe
    C:\Program Files (x86)\Mobogenie
    C:\Program Files (x86)\MyPC Backup
    C:\Program Files (x86)\Optimizer Pro
    C:\Program Files (x86)\SearchProtect81851805
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows 7 or Win 8.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  6. linuxpowers

    linuxpowers Specialist

    Thanks! I just got started...haven't even gotten past step one yet! But it's got me doing more focused reading and I'm learning quite a bit.

    :-D Not me this time! A desperate co-worker of mine came to me with this laptop and was ready to throw it away. I agreed to look at it but a lot of it is out of my league at the moment.

    The last time I was here, we were working on my desktop with a ZeroAccess issue. Since that time, I've installed a modem/router and set it up in stealth mode, made some changes to my own personal firewall and a few more security tweaks. Heh, my biggest problem right now is trying to figure out how to keep port 80 from responding to probes...even though it's closed!

    Anyway, I attached the requested logs and had no issues running anything. The system seems to be settled down now quite a bit, and the browsers are looking normal now.
     

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When you re run Hitman Pro now, does it find anything?
     
  8. linuxpowers

    linuxpowers Specialist

    No Threats Detected!
     
  9. linuxpowers

    linuxpowers Specialist

    Had to go to work...got home and noticed Windows Update ran and installed a new update. I noticed things were a bit slow so I started poking around. Went through the Control Panel to Programs and Features and noticed that "MyPCBackup", "ScorpionSaver" and "Snap.Do/Snap.Do Engine" are listed again.

    Tried to uninstall, but this time nothing happens!
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try using Revo Uninstaller. Let me know how you get on.
     
  11. linuxpowers

    linuxpowers Specialist

    Nice uninstaller, everything's gone! As far as I can tell, things are looking pretty good right now.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent! :=)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to Add/Remove Programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the below link:
     
  13. linuxpowers

    linuxpowers Specialist

    Nope, hang on! Got home tonight after work and the system had rebooted. When I logged on a pop-up came up that said:

    Your Computer Is Not Backed Up, Backup Your Files Online Today...Free Computer Backup Available

    ...MyPC Backup...it's still hiding somewhere!

    I thought I might take a look and see if RogueKiller would run this time and it did. But, after checking the processes, a pop-up came up and told me that the version I had was outdated and would I like to update. I've done this before so I went ahead and said yes. It opened my browser (Chrome) and went to Adlice. At first I saw the download button but then it changed to an advertisement. I exited out of Chrome and then logged into IE to come here.

    I tried RogueKiller one more time to see what would happen if I chose not to update and once I pressed NO, the EULA came up. So, I just clicked, Do Not Accept, and came here.

    Also, I'm not sure if this is malware related but I lose internet connection now and then. This laptop is connected via wifi to my personal modem/router. I am always connected but I lose internet connection now and then.

    Do you want me to try and run RogueKiller as is?
     
  14. linuxpowers

    linuxpowers Specialist

    Mmm, I have these sidebars now on either side of my browser, (IE). The right side has a facebook (f) and a twitter (bird). The left side has (f), (twitter bird), (envelope) and (printer)! Both of them have a hide button. Anyway, I went ahead and ran RogueKiller to get a log for you.

    BTW, seems the only way I can get Internet Connection back is to open the Network and Sharing Center and start troubleshooting the internet connection. Once I do, it comes right back.
     

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Normal, unless you use an adblocker.

    Your best bet is to run the rest of the requested tools as part of the R&R, attach the logs and hopefully we can kill this off once and for all.
     
  16. linuxpowers

    linuxpowers Specialist

    OK, per your request!
     

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [V1][SUSP PATH] MySearchDial.job : C:\Users\lou\AppData\Roaming\MYSEAR~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
    • [V1][SUSP PATH] SaveSense.job : C:\Users\lou\AppData\Roaming\SAVESE~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
    • [V2][ROGUE ST] Feven 2.2-chromeinstaller : C:\Program Files (x86)\Feven 2.2\Feven 2.2-chromeinstaller.exe -
    • [V2][ROGUE ST] Feven 2.2-firefoxinstaller : C:\Program Files (x86)\Feven 2.2\Feven 2.2-firefoxinstaller.exe -
    • [V2][SUSP PATH] GreatArcadeHits : C:\Users\lou\AppData\Local\GreatArcadeHits\GAHUpdate.exe [x] -> FOUND
    • [V2][SUSP PATH] MySearchDial : C:\Users\lou\AppData\Roaming\MYSEAR~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
    • [V2][SUSP PATH] SaveSense : C:\Users\lou\AppData\Roaming\SAVESE~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
    • [V2][ROGUE ST] weDownload Manager-chromeinstaller : C:\Program Files (x86)\weDownload Manager\weDownload Manager-chromeinstaller.exe -
    • [V2][ROGUE ST] weDownload Manager-firefoxinstaller : C:\Program Files (x86)\weDownload Manager\weDownload Manager-firefoxinstaller.exe -
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    • O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    • O4 - Startup: MyPC Backup.lnk = C:\_OTM\MovedFiles\02052014_135800\C_Program Files (x86)\MyPC Backup\MyPC Backup.exe
    After clicking Fix exit HJT.



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Users\lou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
    C:\_OTM\MovedFiles\02052014_135800
    C:\Users\lou\AppData\Roaming\MYSEAR~1
    C:\Users\lou\AppData\Roaming\SAVESE~1
    C:\Program Files (x86)\Feven 2.2
    C:\Users\lou\AppData\Local\GreatArcadeHits
    C:\Users\lou\AppData\Roaming\SAVESE~1\UPDATE~1
    C:\Program Files (x86)\weDownload Manager
    C:\Windows\tasks\HPCeeScheduleForlou.job
    C:\Windows\tasks\MySearchDial.job
    C:\Windows\tasks\SaveSense.job
    C:\Windows\tasks\SmartPCFix Task.job
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.




    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows 7 or Win 8.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
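    As an added example (not from this thread or from any of the tools it names), here is a PowerShell check a helper could run after the HijackThis, OTM and RogueKiller steps above to confirm that the persistence points they targeted stayed gone, since this thread already saw "MyPC Backup" return once. It uses the paths quoted in the thread; the profile name is a parameter because the thread's machine used a user called "lou".

```powershell
# Added example; not from the thread or from any tool it names.
# Re-checks the folders, Startup shortcut, legacy .job task files and
# Programs-and-Features entries the fix above targeted.
param([string]$UserName = $env:USERNAME)

$UserProfile = Join-Path 'C:\Users' $UserName

# Paths taken from the OTM :Files lists in this thread
$Paths = @(
    'C:\Program Files (x86)\MyPC Backup'
    'C:\Program Files (x86)\Feven 2.2'
    'C:\Program Files (x86)\weDownload Manager'
    'C:\ProgramData\Systweak'
    (Join-Path $UserProfile 'AppData\Local\GreatArcadeHits')
    (Join-Path $UserProfile 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk')
    'C:\Windows\Tasks\MySearchDial.job'
    'C:\Windows\Tasks\SaveSense.job'
    'C:\Windows\Tasks\SmartPCFix Task.job'
)

# Display names that reappeared in Programs and Features after the first pass
$PupNames = @('MyPC Backup', 'ScorpionSaver', 'Snap.Do', 'SmartPCFix',
              'SpeedUpMyPC', 'Mobogenie', 'Search Protect')

# Uninstall hives: native, 32-bit-on-64-bit, and the current user's own
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$Findings = New-Object System.Collections.Generic.List[string]

foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) { $Findings.Add("STILL PRESENT: $p") }
}

foreach ($key in $UninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $name = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DisplayName
        if (-not $name) { continue }
        foreach ($pup in $PupNames) {
            if ($name -like "*$pup*") { $Findings.Add("UNINSTALL ENTRY: '$name' ($($sub.PSChildName))") }
        }
    }
}

if ($Findings.Count -eq 0) { 'Nothing from the fix list remains.' } else { $Findings }
```

    Run it from an elevated PowerShell prompt after the reboot OTM requests; any line it prints is something the next set of logs should explain.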
     
  18. linuxpowers

    linuxpowers Specialist

    OK...had no issues with running the programs. All logs are attached.

    No more "MyPC Backup" pop-up! Everything seems to be running fine right now, loading quickly!
     

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So ready for final steps now? :) If so, they were posted above earlier as you know.
     
  20. linuxpowers

    linuxpowers Specialist

    OK, Thank you very much! I appreciate you taking your time to work with me through this. Hope I can do the same one of these days. ;)
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Most welcome. :)
     
