Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Urgent: Help - Having a problem with winmgr.exe*32 can not remove. [So

winmgr.exe

  • This topic is locked This topic is locked

#16
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Excellent news. Let's do a couple final scans to ensure that there isn't anything else nefarious hiding around. Now that Malwarebytes is working let's do the following.
 
Step#1 - Malwarebytes Scan (Since you already have this installed you may open your existing one, ensure it updates the definitions and start at step#14)

  • Download Malwarebytes to your desktop from here.
  • Right-click on the file that is downloaded to your desktop and select Run as administrator.
  • Select the appropriate language and click OK.
  • Click Next.
  • Select "I accept the agreement" and click Next.
  • Click Next
  • Change the install path if desired. Normally you will keep this as is. Click Next.
  • Click Next again.
  • Click Next again.
  • Click Install.
  • Uncheck "Enable free trial of Malwarebytes Anti-Malware Premium".
  • Click Finish
  • If an update is found you will be prompted to download and install. Go ahead.
  • Click the Scan button at the top of the form and then click Scan Now.
    2.JPG
  • Once the scan completes click the View detailed log link.
    3.JPG
  • Then click the Copy to clipboard button and paste into your next post.
    4.JPG

Step#2 ESET Online Scanner and Post Results
Before running this scan, please temporarily disable your antivirus software to avoid conflicts. You can re-enable once it's done.

  • Please go here and click on 1.JPG
  • Note: This site is optimized for Internet Explorer. Please use it for this scan. If you wish to use Firefox or Chrome you will be asked to download the ESET Smart Installer first (esetsmartinstaller_enu.exe). Go ahead and download and run this file.
  • Please accept the ESET Online Scanner EULA and click Start.
  • If prompted, allow the Add-On/Active X to install. If you have problems with this step please see this link.
  • Make sure Enable detection of potentially unwanted applications is selected.
  • Click the Advanced Settings link.
  • Make sure Remove found threats is NOT checked.
  • Make sure Scan archives IS checked.
  • Make sure Scan for potentially unsafe applications IS checked.
  • Make sure Enable Anti-Stealth technology IS checked
  • 2.JPG
  • Click on Start
  • The virus signature database will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the contents of the logfile located at C:\Program Files (x86)\ESET\Eset Online Scanner\log.txt
    Note: Copy/Paste the contents of the log.txt file BEFORE going on to the next step or the log file will be removed.
  • Also be sure to check Uninstall Application on Close before clicking finish.
  • Paste that log as a part of your next post.

 
 
Step#3 - Security Check
 
1. Download Security Check from here or here.
2. Save it to your Desktop.
3. Right-click SecurityCheck.exe and select Run as administrator. Follow the onscreen instructions inside of the black box.
4. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note#1: Don't be alarmed if the process runs for 10 to 15 minutes before completing. If it runs for over 30 minutes, just close the program and try running it again.
Note#2: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.

 

 

 

Items for your Next Post
1. Malwarebytes log

2. ESET log
3. Security Check log


  • 0

Advertisements


#17
ncaa76

ncaa76

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts

As requested....

 

Malwarebytes log

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/11/2014
Scan Time: 2:17:31 PM
Logfile: Malwarebytes log.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.10.11.09
Rootkit Database: v2014.10.11.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 359019
Time Elapsed: 8 min, 1 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.Spigot.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Search Settings, , [363f28ebde9ead89fe3f077aac5826da],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

ESET log

 

C:\Config.Msi\47f52d4e.rbf    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Config.Msi\47f52d7a.rbf    Win32/Toolbar.Widgi.A potentially unwanted application
C:\Config.Msi\8ae92b1c.rbf    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Config.Msi\8ae92b48.rbf    Win32/Toolbar.Widgi.A potentially unwanted application
C:\Config.Msi\d3035f22.rbf    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Config.Msi\d3035f4e.rbf    Win32/Toolbar.Widgi.A potentially unwanted application
C:\Config.Msi\f1ea91b8.rbf    a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Config.Msi\f1ea91e4.rbf    Win32/Toolbar.Widgi.A potentially unwanted application
C:\FRST\Quarantine\C\Program Files (x86)\Windows Manager\winmgr.exe    a variant of MSIL/Injector.DKQ trojan
C:\FRST\Quarantine\C\Windows\SysWOW64\Microsoft.com.xBAD    a variant of MSIL/Injector.DKQ trojan
C:\Users\Owner\Downloads\7zip-setup.exe    Win32/DownloadAdmin.G potentially unwanted application
C:\Users\Owner\Downloads\CuteWriter.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Users\Owner\Downloads\New folder\xf-adsk2015_x64.exe    a variant of Win32/Keygen.HA potentially unsafe application
C:\Windows\System32\Adobe\Shockwave 12\gt.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Windows\SysWOW64\Adobe\Shockwave 12\gt.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
 

Security Check Log

 

 Results of screen317's Security Check version 0.99.88  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 45  
 Java version out of Date!
 Adobe Flash Player 15.0.0.152  
 Adobe Reader 10.1.12 Adobe Reader out of Date!  
 Mozilla Firefox (32.0.3)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbam.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 


  • 0

#18
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

OK! Well done, your computer is clean again!  

1. - Final FRST Fix
 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
1. Download attached file and save it to the Desktop. Attached File  fixlist.txt   435bytes   60 downloads
Note. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
 
2. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.

 

 

2.  Clean Up!
We need to remove all the tools that we used so that should you ever be re-infected, you will download updated versions which may have updated detection logic.
Download Delfix from here.
 

  • Ensure everything is checked. Note: I see that you have UAC disabled. We recommend that this is enabled as it provides an extra layer of security. If you intentionally disabled it and wish it to stay disabled then don't check Activate UAC.

Note: The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.
 
3. Windows Updates
Another essential task is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help your computer from becoming vulnerable. It is best if you have these set to download automatically. Follow the instructions below to ensure your settings are optimal.
1. Click the Start Orb in the lower left corner of the screen.
2. Type Windows Update in the search box that appears
3. Click on the Windows Update program that appears in the search results.
Windows%20Update.JPG

4. Click on Change Settings.
CheckForUpdates.JPG

5. Select "Install updates automatically (recommended)" from the Important updates drop-down.
WUChangeSettings.JPG

6. Choose a day and a time when you know the computer will be on and connected to the internet. The default is 3:00AM every day.
7. Ensure that all of the other check boxes are checked.
8. Click OK.

 
4. Keeping Programs Updated
You need to ensure that any programs installed on your machine are kept current. The bad guys exploit vulnerabilities that are found in older versions of software. A very good piece of software that keeps your programs up-to-date is Secunia Personal Software Inspector (PSI). You can download and install it from here. You can read more information about this free software as well as a video walkthrough from here.
 
Another alternative and popular software program for keeping your programs current is FileHippo Update Checker. Some people prefer this one.
 
1. Please download FileHippo update checker from here and save to your desktop.
2. Double-click the FHSetup.exe file that was downloaded and accept all the defaults to install the program.
3. The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases. Once updates are found you will see information
    from your task bar as follows. If you click on this informational message you will be take to a website showing the programs that you have that are outdated and links will be provided to the updates.
Capture.JPG

 

 
5. Keeping Java Updated
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java. You can read more about this here.
I would recommend that you completely uninstall Java unless you need it to run an important software. If you need it or are unsure or uncomfortable with removing it then I would recommend that you disable Java in your browsers until you need it and then enable it at that time. (See How to diasble Java in your web browser and How to unplug Java from the browser). If you don't uninstall it, it's also important that you follow the directions below to update to the latest version of Java.
 
1. Go to this page to download the latest version of Java SE Runtime Environment JRE 7 Update 67.
2. When you click this link you will need to click the "Accept License Agreement" radio button and then click on the "Windows x86 Offline" installer link. You will notice that there is also a Windows x64 link option, however even if you are using a 64-bit operating system, it's very likely you aren't running a 64-bit browser and should only download the "Windows x86 Offline" installer. To determine if you are using a 64-bit browser you can follow http://www.java.com/...4bit.xml#verify">these
instructions. If you find that you ARE using a 64-bit browser then you can download the "Windows x64" one.
Java.JPG

3. Once you click on the appropriate link, please download this to your Desktop like we have with all of our tools.
4. Close any programs you may have running - especially your web browser.
5. Now we need to uninstall all versions of Java that are currently on your machine before we install the newest version. Go to Add/Remove programs (instructions are here) and uninstall any item that appears in the list that has the following as part of the name: Java 7 Update 45 or Java Auto Updater.
6. Reboot your computer once all Java components are removed.
7. Then from your desktop, right click on the file that was downloaded (jre-7u67-windows-i586.exe or jre-7u67-windows-x64.exe) and select Run as an Administrator to install the latest version. Accept all the defaults and you're good to go.

Note: Java has been notorious for installing foistware (software downloaded without the users knowledge). If you follow the instructions I provided no foistware will be installed but that doesn't mean it won't in the future. While performing the install of this software or any software for that matter, pay attention to each screen and ensure you uncheck any extra software that you don't want installed (i.e. Ask Toolbar, Chrome Browser, etc.).
 
6. Keep Adobe Reader Updated
Check to see what the latest major version of Adobe Reader is here. The full version is something like 11.0.06 for example but the major version is just the first number before the period so 11 in this case or XI.
Verify what version you have by doing the following.
1. Open Adobe Reader
2. Click Help on the menu at the top
3. Select About Adobe Reader

If your major version matches the major version from Adobe then perform the following steps.
1. Open Adobe Reader
2. Click Help on the menu at the top
3. Click Check for Updates
4. Allow any Updates to be downloaded and installed
5. If asked to reboot, please do.
6. Repeat these steps until you are told that no updates are available.

If your major version is lower than the major version from Adobe then perform the following steps.
1. Uninstall Adobe Reader. Click here for instructions on how to uninstall a program.
2. Install the newest version from this website.
Note: Make sure to uncheck the Optional Offer (i.e. Google Chrome, Google Toolbar) unless you really want it.

NOTE: You should disable JavaScript in the program as this is a highly exploitable method for the bad guys to get in your machine. Follow these instructions to disable it in Adobe Reader.
1. Open Adobe Reader
2. Select Edit from the menu and select Preferences
3. Click on JavaScript in the left column and uncheck Enable Acrobat JavaScript.
4. Click OK and close the program.

NOTE: Many installers, including Adobe Reader, offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

 

 
7. Antivirus - Preventative

Note: Let's keep Malwarebytes installed as it's a fantastic piece of software. Malwarebytes is not actively monitoring your machine so it won't conflict with the Antivirus that you decide to install. I would recommend that you open up this program, allow it to update and scan your machine at least quarterly...monthly if you can.
 
8. Crypto Warning!!!! - Complete Data Loss can occur!
There are particularly nasty infections out there at the moment that encrypt your data and hold it for ransom. You may read more about this here.

  • Download CryptoPrevent free for home use here following the instructions below.
  • Save the file to your desktop from the link above and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • Accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This is good and will launch the program once you click Finish.
  • You will get a prompt asking if you purchased a Product Key for Automatic Updates. You can answer No.
  • You will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to.
  • You will then be prompted to apply all default protections. Answer Yes.
  • You may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.
  • That's it. The protection is in place.

Note: The free version doesn't provide automatic updates. Periodically, you should open up the program (there is a shortcut on your desktop now) and select the Updates! menu....and select Check for Updates to see if there are any as this infection has serious consequences.
 
Updates.JPG

 

OK, all the best, and stay safe!
 
Items for your next post.
1. FRST Fix log

2. Contents of the Delfix log.


  • 0

#19
ncaa76

ncaa76

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts

As requested;

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-10-2014 02
Ran by Owner at 2014-10-12 17:37:54 Run:9
Running from C:\Users\Owner\Downloads
Loaded Profile: Owner (Available profiles: Owner & Darryl)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-2281097704-164782711-356799163-1000\...\MountPoints2: D - D:\autorun.exe

 

 

# DelFix v10.8 - Logfile created 12/10/2014 at 17:42:28
# Updated 29/07/2014 by Xplode
# Username : Owner - OWNER-PC
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Owner\Downloads\FRST-OlderVersion
Deleted : C:\TDSSKiller.3.0.0.40_24.09.2014_18.02.42_log.txt
Deleted : C:\Users\Owner\Desktop\AdwCleaner.exe
Deleted : C:\Users\Owner\Desktop\AdwCleaner[S0].txt
Deleted : C:\Users\Owner\Desktop\aswmbr.exe
Deleted : C:\Users\Owner\Desktop\aswMBR.txt
Deleted : C:\Users\Owner\Desktop\ComboFix.exe
Deleted : C:\Users\Owner\Desktop\FSS.exe
Deleted : C:\Users\Owner\Desktop\FSS.txt
Deleted : C:\Users\Owner\Desktop\JRT.exe
Deleted : C:\Users\Owner\Desktop\JRT.txt
Deleted : C:\Users\Owner\Desktop\MBR.dat
Deleted : C:\Users\Owner\Desktop\ServicesRepair.exe
Deleted : C:\Users\Owner\Downloads\Addition.txt
Deleted : C:\Users\Owner\Downloads\ComboFix.exe
Deleted : C:\Users\Owner\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\Owner\Downloads\Fixlog.txt
Deleted : C:\Users\Owner\Downloads\FRST.txt
Deleted : C:\Users\Owner\Downloads\FRST64.exe
Deleted : C:\Users\Owner\Downloads\SecurityCheck.exe
Deleted : C:\Users\Owner\Downloads\Shortcut.txt
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #358 [Windows Update | 10/08/2014 10:00:11]
Deleted : RP #359 [Removed Java™ 6 Update 29 | 10/08/2014 23:05:32]
Deleted : RP #360 [Removed HP Officejet 6500 E710n-z Basic Device Software | 10/09/2014 07:17:49]
Deleted : RP #361 [Windows Update | 10/09/2014 10:00:11]
Deleted : RP #362 [Removed HP Officejet 6500 E710n-z Basic Device Software | 10/10/2014 06:18:31]
Deleted : RP #363 [Windows Update | 10/10/2014 10:00:11]
Deleted : RP #364 [Removed HP Officejet 6500 E710n-z Basic Device Software | 10/10/2014 15:49:03]
Deleted : RP #365 [Removed HP Officejet 6500 E710n-z Basic Device Software | 10/11/2014 00:26:00]
Deleted : RP #366 [Removed HP Officejet 6500 E710n-z Basic Device Software | 10/11/2014 01:02:59]
Deleted : RP #367 [Removed HP Officejet 6500 E710n-z Basic Device Software | 10/11/2014 01:04:56]
Deleted : RP #368 [Removed HP Officejet 6500 E710n-z Basic Device Software | 10/11/2014 01:07:13]
Deleted : RP #369 [Removed HP Officejet 6500 E710n-z Basic Device Software | 10/11/2014 01:16:52]
Deleted : RP #370 [Windows Update | 10/11/2014 10:00:14]
Deleted : RP #371 [Windows Update | 10/12/2014 10:00:11]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 


C:\Users\Owner\Downloads\New folder\xf-adsk2015_x64.exe
C:\Program Files (x86)\ESET
C:\users\owner\desktop\tweaking.com_windows_repair_aio
C:\users\owner\desktop\tweaking.com_windows_repair_aio.zip

reg: reg delete "HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Search Settings" /F

DeleteQuarantine:

*****************

"HKU\S-1-5-21-2281097704-164782711-356799163-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\S-1-5-21-2281097704-164782711-356799163-1000" => Key not found.
"C:\Users\Owner\Downloads\New folder\xf-adsk2015_x64.exe" => File/Directory not found.
"C:\Program Files (x86)\ESET" => File/Directory not found.
"C:\users\owner\desktop\tweaking.com_windows_repair_aio" => File/Directory not found.
"C:\users\owner\desktop\tweaking.com_windows_repair_aio.zip" => File/Directory not found.

========= reg delete "HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Search Settings" /F =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========

"C:\FRST\Quarantine" => removed successfully.

==== End of Fixlog ====


  • 0

#20
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Excellent. Thanks for sticking with me. Please delete any of our tools that we used that are still in your downloads folder (i.e. tweaking.com folder and associated zip file).


  • 0

#21
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP