[godawgs]

Hi Daniel,

You have the following Peer-to-Peer program(s) installed:
uTorrent
GeeksToGo does not recommend using such programs, but you should read the description of Peer-to-Peer programs below before deciding for yourself.

Description of Peer-to-Peer (P2P) software.
P2P(Peer-to-Peer) may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. The program(s) may be safe, but there's no way to tell if the file being shared is infected. P2P programs, more often than not, install adware and/or spyware and worse still, some worms spread via P2P networks, infecting you as well.
Once upon a time, P2P file sharing was fairly safe. This is no longer true. P2P programs form a direct conduit inside your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares on to your computer. If your P2P program is not configured correctly, your computer may also be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

If you need convincing, please read these short reports on the dangers of peer-2-peer programs and file sharing.

• FBI Cyber Education Letter
• File sharing infects 500,000 computers
• infoworld

We advise removing any P2P programs you have now and avoiding this type of software application. Whether you remove them or not is your decision. But if you decide to keep and use Peer-to-Peer programs I can guarantee that you will be coming back to this forum or another malware forum. If you do choose to keep the program(s), please do not use it / them until the computer is clean and I give the all clear.

All programs, folders and files listed below in this color are optional removals, but if you uninstall the program(s) you must delete the folders and files in the corresponding colors. All programs in black are malware or viruses and must be deleted, along with the corresponding folders and files in black.


Step-1,

Malicious program uninstalls and Optional Removals

1. Please click the Start Orb, click Control Panel. Under the Programs heading click Uninstall a program
2. In the list of programs installed, locate the following program(s):

IObit Toolbar v5.8
uTorrent

3. Click on each program to highlight it and click Change/Remove. (Vista/7 users: right click the program and click Uninstall
4. After the programs have been uninstalled, close the Installed Programs window and the Control Panel.
5. Reboot the computer.

Delete the folders associated with the uninstalled programs.(Only do this if you uninstalled the program)

1. Using Windows Explorer (to get there right-click your Start button and click "Explore"), please delete the following folders(s) (if present):

C:\Program Files (x86)\uTorrent

2. Close Windows Explorer.


Step-2.

OTL Fix

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the Protection tab
Remove the tick from "Start with Windows"
Reboot and start with number 1. below to run the OTL fix.


1. Please copy all of the text in the code box below. To do this, highlight everything
inside the code box , right click and click Copy.

:COMMANDS
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-3964745361-1973383320-2877571132-1000\..\URLSearchHook: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - SOFTWARE\Classes\CLSID\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F}\InprocServer32 File not found
O3 - HKLM\..\Toolbar: (IObit Toolbar) - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - Reg Error: Value error. File not found

:REG
ipconfig /flushdns /c

:COMMANDS
[EMPTYTEMP]

Warning: This fix is relevant for this system and no other. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Please re-open on your desktop.
3. Place the mouse pointer inside the textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).
10. Run OTL again and click the button. Post the log it produces in your next reply.


Step-3.

Virustotal File Upload:

To use Virustotal go Here

• Click the Choose File button in the middle of the screen. This will open a File Upload window.
• On the File Upload window, in the File name box, type, or copy and paste the following and click Open: NOTE.. Only one file per scan
  
  • C:\Windows\SysWow64\D81DEDD44C.sys
  • C:\Users\DLee\l.php.
• This will put the file in the box on the Virustotal page.
• Click the Scan it! button.
• Please be patient while the file is scanned. It may take several minutes.
• Once the scan results appear, please provide them in your next reply, or copy and paste the Virustotal link(s) (URL) in your next reply
• Repeat 1 thru 6 for each file listed.

Step-4.

Things For Your Next Post:
1. The OTL fixes log
2. The new OTL.txt file
3. The results from VirusTotal
4. Tell me if any problems remain

[Advertisements]

I will do these tasks ASAP! Thanks Godawgs!

[Daniel Christmas Lee]

I will do these tasks ASAP! Thanks Godawgs!

[godawgs]

[Daniel Christmas Lee]

Please see screen shot...

This is what happens when I try to delete the IObit Toolbar

Attached Thumbnails

• 

[Daniel Christmas Lee]

Tried running the OTL Fix 3 times and each time it gets hung up on the :REG fix...

[godawgs]

Hi Daniel,

For the IOBIT toolbar, the uninstaller is missing. So let's use a dedicated IOBIT remover tool.


Step-1.

Go to this page and download BitRemover to your desktop.

• Run BitRemover.exe to remove Iobit. (Vista / 7 users:) You may need to right click on the file and click Run as Administrator
• Reboot as requested and reboot after completion before the next step.

The problem with the OTL fix is my fault...used the wrong command.



Step-2.

OTL Fix

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the Protection tab
Remove the tick from "Start with Windows"
Reboot and start with number 1. below to run the OTL fix.


1. Please copy all of the text in the code box below. To do this, highlight everything
inside the code box , right click and click Copy.

:COMMANDS
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-3964745361-1973383320-2877571132-1000\..\URLSearchHook: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - SOFTWARE\Classes\CLSID\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F}\InprocServer32 File not found
O3 - HKLM\..\Toolbar: (IObit Toolbar) - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - Reg Error: Value error. File not found

:FILES
ipconfig /flushdns /c

:COMMANDS
[EMPTYTEMP]

Warning: This fix is relevant for this system and no other. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Please re-open on your desktop.
3. Place the mouse pointer inside the textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).
10. Run OTL again and click the button. Post the log it produces in your next reply.


Step-3.

Virustotal File Upload:

To use Virustotal go Here

• Click the Choose File button in the middle of the screen. This will open a File Upload window.
• On the File Upload window, in the File name box, type, or copy and paste the following and click Open: NOTE.. Only one file per scan
  
  • C:\Windows\SysWow64\D81DEDD44C.sys
  • C:\Users\DLee\l.php.
• This will put the file in the box on the Virustotal page.
• Click the Scan it! button.
• Please be patient while the file is scanned. It may take several minutes.
• Once the scan results appear, please provide them in your next reply, or copy and paste the Virustotal link(s) (URL) in your next reply
• Repeat 1 thru 6 for each file listed.

Step-4.

Things For Your Next Post:
1. The OTL fixes log
2. The new OTL.txt file
3. The results from VirusTotal
4. Tell me if any problems remain

[Daniel Christmas Lee]

Got it. Will do ASAP! Thanks!

[Daniel Christmas Lee]

Ok I ran the IObit Remover thing but the toolbar is still in "add and remove" and also trying to remove it I receive the same error message as previously posted.

Here's the OTL Fix Log:

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-3964745361-1973383320-2877571132-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\DLee\Desktop\cmd.bat deleted successfully.
C:\Users\DLee\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: DLee
->Temp folder emptied: 2804057237 bytes
->Temporary Internet Files folder emptied: 4558161 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 443601551 bytes
->Google Chrome cache emptied: 332531013 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 16536 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 215398 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3,419.00 mb


OTL by OldTimer - Version 3.2.55.0 log created on 08252012_122210

Files\Folders moved on Reboot...
C:\Users\DLee\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\DLee\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...


Will run Virus Total soon.

[Daniel Christmas Lee]

Here's one Virus Total screen shot attached.

Attached Thumbnails

• 

[Daniel Christmas Lee]

And the file C:\Windows\SysWow64\D81DEDD44C.sys is missing.

[godawgs]

Hi Daniel,

Let's see if Revo Uninstaller will get rid of the IOBIT Toolbar leftovers.


Step-1.

Run Revo Uninstaller

Download Revo Uninstaller to the desktop.

• Double click ( Vista/7 users may need to right click the file and click Run as Administrator) the revosetup.exe installation file on the desktop to run the installer.
• Let it install to the default location.
• Double click ( Vista/7 users may need to right click the file and click Run as Administrator) the new Revo Uninstaller Icon on the desktop to start the program.
  
  You will now see a list of installed programs that Revo Uninstaller can remove.
  
• Locate the program you are uninstalling---In this case IOBIT or IOBIT Toolbar
• Right Click the program Icon then choose Uninstall.
• Click yes to the warning and choose the Uninstall Mode
• Choose the Advanced option and then click Next.
• This will launch the programs built in uninstaller. Be patient it can take several seconds.
• Once the Uninstaller is done click Next.
• Revo Uninstaller will now scan for leftover information. Be patient it can take several seconds.
• Once this scan is done click Next.
• You will then be presented with the leftover entries found by Revo Uninstaller
• Look at ALL of the entries to ensure they relate to the uninstall.
• Next click Select All > Delete to remove the entries.
• Click Next.
• If there are any program file folders left over you will be presented with a list to be removed.
• Again look at ALL of the entries to ensure they are related to the uninstall.
• Click Select All > Delete to remove the entries.
• Click Finish to go back to the uninstall list.
• Close the program

Now let's scan for any malware remnants:


Step-2.

Update and run MalwareByts

Open MalwareBytes

You will now be at the main program as shown below.

• click the Update tab and update the program.
• On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer.
• MBAM will now start scanning your computer for malware. This process can take quite a while, so I suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
  
  
  
• When the scan is finished a message box will appear as shown in the image below.
  
  
  You should click on the OK button to close the message box and continue with the removal process.
  
• You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
• A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
  
  
  
• Make sure that everything is checked, and click Remove Selected.<--Very Important
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step-3.

Run ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista / 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

• Please go here then click on:
• Please go here to run the scan.
  
  

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

• Select the option YES, I accept the Terms of Use then click on:
• When prompted allow the Add-On/Active X to install.
• Uncheck the box beside Remove Found Threats
• Make sure that the option Scan archives is checked.
• Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Now click on:
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically. The scan may take several hours.
• Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
• Now click on:
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt. For 64 bit systems the log will be at C:\Program Files(x86)\ESET\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Step-4.

Things For Your Next Post:
1. Let me know how Revo worked for getting rid of the IOBIT toolbar leftovers
2.The MalwareBytes log
3. The ESET online scan log
4. Any remaining problems

[Daniel Christmas Lee]

Please give me some extra time till the weekend, I have guest!

[godawgs]

[Daniel Christmas Lee]

Ok running scans now!

[Daniel Christmas Lee]

Godawgs,

The same popup appeared when the "program uninstaller" tried to run, the same popup I took a screenshot of in post: http://www.geekstogo...ost__p__2195814

Do I need to do anything special?

I proceeded to delete ALL registry entries and all leftovers. The registry part is scary...

I will now run MBAM.