Toshiba Satelite A135-s4527

http://img805.imageshack.us/img805/9659/rktigzy.gif Fix item using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate this detection:

• [ZeroAccess][Folder] Install : C:\Users\kam\AppData\Local\Google\Desktop\Install [-] --> FOUND

Place a checkmark next to this item, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.



Sadly BOOMM MGTools did not run correctly. Try this:

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

• cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
• nwktst<-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
• GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
• ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.
• analyse <-- this attempts to run HijackThis. Be sure to click the Accept button twice in the license agreement popup or it will just sit there and wait.

Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.

 

This is still being detected my friend: (In RogueKiller)

 

One more scan for me BOOMM (With RK) and attach log please.

 

No problem.

Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.


Do you know what this folder is? (It's just a dash for a folder name)
This one's create date was April 30th 2014

• C:\Users\kam\AppData\Local\_

This file has a date of April 24th 2014 - any ideas?

• C:\Windows\System32\drivers\{ba099a85-e825-4802-83e7-d386a5b4a734}t.sys

Again, April 30th 2014 - What's in this folder?

• C:\Windows\System32\x64

 

Could you please get this: {ba099a85-e825-4802-83e7-d386a5b4a734}t.sys into a zipped file and attach it for me in your next post? I want to have a nose at it. To do this, see the below:

Please go to start > Run and paste in the following:

log retrievable @ C:\collect.zip

 

Hi.

Seems that is a Symantec file. So nothing to worry about. It was so strangely named I had to look. This user does not use Symantec though, correct? We might just as well delete it. And also the same for the empty folder we talked about.

How are things running now BOOMM any better?

 

Hi Boomm. Which toolbars are you referring to?

 

Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.

 

Hi.

We need to run an OTL Fix

• Right-click OTL.exe to run it. If Windows UAC prompts you, please allow it.
• Copy and Paste the following code into the textbox. Do not include the word Code

Code:

:otl
CHR - default_search_provider: Mysearchdial ()
CHR - default_search_provider: search_url = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=irmsd103&cd=2XzuyEtN2Y1L1QzutDtDtCzyyB0EyB0A0BtAyE0ByD0FtDzztN0D0Tzu0CyCzztCtN1L2XzutBtFtBtFzztFtCtByEyBtN1L1Czu1L1C1H1B1QtCtDtA&cr=1150420295&ir=
[2014/04/30 13:16:59 | 000,000,000 | ---D | C] -- C:\Windows\System32\x64
[2014/04/28 14:42:06 | 000,055,232 | ---- | C] (StdLib) -- C:\Windows\System32\drivers\{ba099a85-e825-4802-83e7-d386a5b4a734}t.sys

:commands
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click Image.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

How is IE now? Still leftovers from toolbars?

 

Are there any remnants of any toolbars that you mentioned?

 

Well let me know which ones they were. Do you still have access to the machine?

 

You said control panel. Just to be clear, did you mean in the uninstall a program listing? If so I'm not seeing them there.

 

Seeing none of those installed :confused

And the only thing installed relating to coupons is this:

 

Aww thankyou! We appreciate that! :grouphug

Do this one more time BOOMM:

Run MGTools.exe and attach the new MGLogs.zip that it produces.

 

Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode. Explain to the owner that any other mode of startup is primarily used for diagnostic/troubleshooting purposesm and if they wish to control start up's to get a third party software to do the job.


They need to run this too BOOMM =

Reset Chrome to Defaults


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
2. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
   • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore​
   • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
   • Then we want you to Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!