Confirmed Yontoo and Possible Other Infection [Solved]
#16
Posted 24 June 2013 - 07:20 PM
As a side note, I've been using Eusing for almost a decade so I've elected to keep that program. I'll update the thread as soon as the PC comes back up.
#17
Posted 24 June 2013 - 07:31 PM
Please refrain from Eusing until we have finished here. You may find this interesting; it's a reply to a Vista thread but still applies: Microsoft
I'm off to beddie byes now and have to clear my next post. I would like that update after reboot and how the PC is running. Still slow?
#18
Posted 24 June 2013 - 07:33 PM
What should I do?
#19
Posted 24 June 2013 - 07:40 PM
If all fail then I will have to wait for clearance before I issue you with a fix. It's not serious. What is happening is some files have been removed which makes the uninstaller hang or produce errors. Installing the items again corrects the issue but I do not want you to do that with these items.
Is this O.K?
#20
Posted 24 June 2013 - 07:52 PM
Thanks for all your help!
#21
Posted 25 June 2013 - 08:17 AM
O.K, we will fix a couple of issues with this post. You have Avast, Windows Defender and SUPERAntiSpyware installed; this may have something to do with performance issues. Avast covers virus and spyware and is all that is needed along with Windows Firewall. I would like you to uninstall SASpyware and disable Defender to see how this affects things.
I still see an issue with Chrome I'd like you to address. The Remote Viewer plugin is still enabled which is the default setting. It allows you remote access to another computer and vice versa. Having this enabled is a security risk, an exploit waiting to happen and needs to be disabled.
1. Uninstall SAS
- Click Start then select Control Panel
- In control panel click Uninstall a Program or Programs and Features and uninstall SUPERAntiSpyware
2. Disable Windows Defender
- Click Start and in the search box type: CMD. In the results, right-click CMD and select Run as Administrator
- At the command prompt (flashing cursor) copy and paste the following: sc stop WinDefend and press Enter
- At the next command prompt copy and paste the following: sc config WinDefend start= disabled and press Enter
- Close CMD box
3. OTL Fix
Open OTL then Copy the entire text in the Quote box below, do not include the word QUOTE and Paste into the Custom Scans/Fixes box in OTL.
:COMMANDS
[CREATERESTOREPOINT]
:OTL
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll (Yahoo! Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O8 - Extra context menu item: Copy to &Lightning Note - Reg Error: Value error. File not found
O8 - Extra context menu item: Open with WordPerfect - Reg Error: Value error. File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
[2013/03/30 13:25:31 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\ConsumerSoft
[2012/07/02 11:33:26 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\QuickScan
[2013/03/29 09:22:39 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\TuneUp Software
[2012/07/02 11:34:33 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\OpswatLogs
[2012/07/02 11:33:26 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\QuickScan
:REG
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN]
"Start Page"="http://www.google.com"
:FILES
C:\Program Files\Yahoo!
- Then click Run Fix
- Click O.K to Reboot.
- An OTL fix log will be saved in the following location: C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log - Where mmddyyyy_hhmmss is the date and time of the fix.
- Copy and Paste Fix Log into your next reply.
4. OPEN CHROME BROWSER
Plugins
- In the Chrome Search Bar (top of the page with a star at the end) Copy and Paste the following: chrome://plugins/ and press Enter
- Disable: Chrome Remote Desktop Viewer and uncheck the Always allow? box
Settings
- In the Chrome Search Bar Copy and Paste the following: chrome://settings/ and press Enter
- Under On Start-Up check the box Open a specific page or set of pages and click the link Set Pages
- In the StartUp pages box hover the mouse over Search Genio to highlight, now click the x to remove.
- Copy and Paste the following into the Add a new page box: www.google.com and click O.K and close Chrome
5. Reset Windows Firewall
There are some AVG entries that I would like to clear
- Click Start select Control Panel select Security then Windows Firewall
- Click Change Settings select the Advanced tab and click Restore Defaults click Yes at the warning prompt
Things I want to see in your next post.
- OTL fix.txt
- How are the browsers behaving and PC in general?
- Try once more with the Yahoo and Maps Galaxy uninstalls and get back to me on this.
#22
Posted 25 June 2013 - 08:53 AM
#23
Posted 25 June 2013 - 08:56 AM
#24
Posted 25 June 2013 - 11:08 AM
O.K, we will fix a couple of issues with this post. You have Avast, Windows Defender and SUPERAntiSpyware installed; this may have something to do with performance issues. Avast covers virus and spyware and is all that is needed along with Windows Firewall. I would like you to uninstall SASpyware and disable Defender to see how this affects things.
Little bit of history on this laptop - I just acquired it and when I started to clean it out was when I realized how infected and unprotected the system had been for some time. I installed Avast and started cleaning out the system, the steps having already been noted at the beginning of this thread. Generally speaking I use SAS once a week to check for spyware because in my own experience SAS removes more of it than MBAM. SAS does put a heavy drag on any system I've ever installed it on. I usually remove it from the Startup programs so that it only runs when I manually open and update the program. I find this is a happy medium. I just hadn't made it that far yet. However, until we're done with this process, I have uninstalled SAS.
I have no love for Windows Defender. Disabled.
Hi Velarie, it looks like you installed Malwarebytes correctly. This is meant as a standalone scanner only, for you to update and run a scan once a week.
I've been using this site since 2005 and I have very few posts because I can generally find the answers or tools I need in other people's threads. I have found the information in these forums and Bleepingcomputer.com to be very reliable. I started using MBAM around 2005 when I first found this site. As a web designer, often people come to me when they have computer problems (yes, we know it's not even remotely the same, but . . .) so I have experience working on all kinds of systems and troubleshooting all kinds of problems. (Someday I might even be as geeky as you guys, lol.)
In the past I have suggested MBAM to people to help keep their systems clean, but in the last 2 or 3 years I noticed when running MBAM on my own (and other people's) systems that it almost never found any threats, even on infected systems. Then I started tracking the core and trace numbers each time I would update the program and I noticed that even though it went through the process of 'downloading' and 'installing' the updates, often the core and trace numbers didn't change over long periods of time. Then I started having problems just installing the software, again on multiple computers with varying operating systems. That's when I quit using it.
I'm not saying MBAM is a bad program, I'm just saying in my own experience I'm not sure that I really trust it anymore. Any thoughts you have on this would be greatly appreciated.
I still see an issue with Chrome I'd like you to address. The Remote Viewer plugin is still enabled which is the default setting. It allows you remote access to another computer and vice versa. Having this enabled is a security risk, an exploit waiting to happen and needs to be disabled.
I will not disable Logmein.com because accessing this computer remotely is the entire reason it exists. I know that using any remote access software poses a huge security risk, but so does connecting to the internet. We do it anyway. As far as I have been able to discern, Logmein.com is one of the safest options available and I have been using them for almost a decade. However, as a precaution, the laptop is only on when I am connected to it. I call a human at the offsite location to setup, boot it and connect it to the internet. When I'm done using it, I call that human back and they disconnect it from the internet, power it down, and store it away. I imagine that's about as safe as I can be. Again, any thoughts you have would be greatly appreciated.
THIS PROCESS
1. Uninstalled SAS.
2. Tried to uninstall Maps Galaxy again. Produced same RunDLL error as pictured previously.
3. Tried to uninstall Yahoo Toolbar. This time it started the process over again as if I had never attempted to uninstall it. I let it run for 30 minutes and then ended the process. You said you have a fix for that so let's just use that.
4. When I tried to disable Windows Defender, I was unsure of the results. See attached pic. So I also went into Admin Tools/Services and verified that the service was stopped and changed the 'Startup Type' to disabled since it was still set to auto.
5. Ran OTL custom fix. Log below.
It took forever (almost 5 minutes) to shutdown and reboot, but I know I made several changes and there's the Yahoo Toolbar uninstall that never completed . . .
I'll get online now on the laptop, open some programs and see how things are running and then update the thread. Thank you for your patience with me.
#25
Posted 25 June 2013 - 11:11 AM
#26
Posted 25 June 2013 - 11:12 AM
OTL Custom Fix Log
************************************************************************
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll moved successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Copy to &Lightning Note\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open with WordPerfect\ deleted successfully.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\Windows\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
C:\Users\owner\AppData\Roaming\ConsumerSoft\My Faster PC\backup folder moved successfully.
C:\Users\owner\AppData\Roaming\ConsumerSoft\My Faster PC folder moved successfully.
C:\Users\owner\AppData\Roaming\ConsumerSoft folder moved successfully.
C:\Users\owner\AppData\Roaming\QuickScan folder moved successfully.
C:\Users\owner\AppData\Roaming\TuneUp Software\TU2012\Backups folder moved successfully.
C:\Users\owner\AppData\Roaming\TuneUp Software\TU2012 folder moved successfully.
C:\Users\owner\AppData\Roaming\TuneUp Software folder moved successfully.
C:\Users\owner\AppData\Roaming\OpswatLogs folder moved successfully.
Folder C:\Users\owner\AppData\Roaming\QuickScan\ not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\\"Start Page"|"http://www.google.com" /E : value set successfully!
========== FILES ==========
C:\Program Files\Yahoo!\Companion\Installs\cpn0 folder moved successfully.
C:\Program Files\Yahoo!\Companion\Installs folder moved successfully.
C:\Program Files\Yahoo!\Companion\Data folder moved successfully.
C:\Program Files\Yahoo!\Companion folder moved successfully.
C:\Program Files\Yahoo!\Common folder moved successfully.
C:\Program Files\Yahoo! folder moved successfully.
OTL by OldTimer - Version 3.2.69.0 log created on 06252013_115703
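As an added example (not part of this thread and not OTL's own code), a small Python parser that turns a fix log like the one above into records, counts outcomes, and lists the targets OTL reported as "not found" so they can be checked against the fix script; the sample lines are copied from the log in post #26, where the QuickScan folder appeared twice in the script and the second entry was already gone.

```python
import re
from collections import Counter
# Lines copied from the OTL fix log in post #26 above; the fix script listed the
# QuickScan folder twice, which is what produces the final "not found" line.
SAMPLE_LOG = r"""
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
C:\Users\owner\AppData\Roaming\QuickScan folder moved successfully.
Folder C:\Users\owner\AppData\Roaming\QuickScan\ not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\\"Start Page"|"http://www.google.com" /E : value set successfully!
"""
# (regex, kind, result), tried in order; the first match wins.
LINE_PATTERNS = [(re.compile(p), k, r) for p, k, r in [
    (r"^Registry value (?P<t>.+?) deleted successfully\.$", "registry value", "deleted"),
    (r"^Registry key (?P<t>.+?) deleted successfully\.$", "registry key", "deleted"),
    (r"^Registry (?:key|value) (?P<t>.+?) not found\.$", "registry key", "not found"),
    (r"^Folder (?P<t>.+?) not found\.$", "folder", "not found"),
    (r"^(?P<t>.+?) folder moved successfully\.$", "folder", "moved"),
    (r"^(?P<t>.+?) moved successfully\.$", "file", "moved"),
    (r"^(?P<t>.+?)(?: /E)? : value set successfully!$", "registry value", "set"),
]]

def parse_otl_fix_log(text):
    """Turn each action line of an OTL fix log into a {kind, result, target} record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "=*":
            continue  # section banners and separators carry no action
        for regex, kind, result in LINE_PATTERNS:
            m = regex.match(line)
            if m:
                records.append({"kind": kind, "result": result, "target": m.group("t")})
                break
        else:  # keep unknown lines (version stamp, restore point) rather than dropping them
            records.append({"kind": "unrecognised", "result": "n/a", "target": line})
    return records

def summarize(records):
    """Outcome counts per kind, e.g. Counter({'folder moved': 1, ...})."""
    return Counter(f"{r['kind']} {r['result']}" for r in records)

def not_found(records):
    """Targets OTL could not act on: cross-check these against the fix script."""
    return [r["target"] for r in records if r["result"] == "not found"]
```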
#27
Posted 25 June 2013 - 11:29 AM
After reviewing the plugins in Chrome, I decided to disable the Chrome Remote Desktop Viewer. I don't think I need it for Logmein.com. I verified in Chrome settings that Genio has in fact been removed and the only page 'set' is my beloved Google.
I also restored default settings for Windows Firewall.
Awaiting further instructions.
#28
Posted 25 June 2013 - 11:49 AM
#29
Posted 25 June 2013 - 12:42 PM
I will answer your questions in a later post. I want to make sure all is clean first.
1. Microsoft FixIt
- Use this link to run the Microsoft FixIt
- Choose Recommended option - Then Uninstalls - Then select Yahoo and Maps Galaxy one by one.
2. ESET Online Scan
Please run a free online scan with the ESET Online Scanner
Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.
Note: This scan works with Internet Explorer or Mozilla FireFox.
If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
- Click the green ESET Online Scanner box
- Tick the box next to YES, I accept the Terms of Use
then click on: Start - You may see a panel towards the top of the screen telling you the website wants to install an add-on; click it and allow it to install. If your firewall asks whether you want to allow installation, say yes.
- Make sure that the Remove Found Threats and Scan archives boxes are checked.
- Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Click on Start
- The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
- When completed, the online scan will begin automatically. The scan may take several hours.
- Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
- Copy the logfile, then click on: Finish
- Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.
Things I want to see in your next post.
- ESET results
- How are things running now?
#30
Posted 25 June 2013 - 01:11 PM