VIRUS WHICH STOPS UPDATES [Solved]


  • This topic is locked
27 replies to this topic

#1 amfletch

amfletch

    Authentic Member

  • Authentic Member
  • PipPip
  • 33 posts

Posted 30 July 2013 - 02:40 PM

Hi, I seem to have picked up a virus which stops me updating existing programs (e.g. iTunes). I get a message advising I have insufficient permissions to do these things, plus my system is running pretty slow and keeps freezing. I currently use Comodo Internet Security and run scans of Malware Bytes Anti Malware and also Advance System Care. Have tried Spybot and it picks up that I seem to have a Babylon Tool bar which I can't find and Spybot can't delete. Can anyone help please? Thanks, Amanda :pullhair:



#2 fbfbfb

fbfbfb

    SuperMember

  • Malware Team
  • 1,218 posts

Posted 30 July 2013 - 06:22 PM

Hello, Amanda. Welcome to WTT Forums.

My name is fbfbfb.

I will gladly assist you with your malware concerns. Malware logs may require some time to analyze, and because there is no quick-fix solution, we may need to use various approaches to clean your system. Please be patient.

While working to resolve the issues with your machine, please note the following guidelines:
  • Read and follow my directions carefully, in the sequence they are posted.
  • If you are unsure about anything, please ask for clarification before continuing.
  • To avoid potential problems and setbacks, do not:
      • install or uninstall any applications while your system is being cleaned.
      • use any tools other than those recommended.
      • run any other scans without being directed to do so.
  • Copy and Paste the log files inside your posts. Do not send them as attachments unless otherwise instructed.
  • Stay with this thread until your machine has been deemed all clear. Absence of symptoms does not mean your system is clear.
  • Please reply within 3 days of each posting to avoid closing this topic. If you need more time to complete tasks, or if you will be away, please let me know in advance.

Please run the following scans

1. DDS

Please download DDS from HERE. Click Save File. The file will save to your default location.
  • Disable any script blocking protection. (How to Temporarily Disable Security Programs: Anti-virus/Anti-spyware/Firewall)
  • Double click dds.com > Click Run.
  • At the next prompt, ensure check marks appear next to dds.com and attach.txt > Click Start to begin the scan. When done, click OK to close the DDS window.
  • Two reports will automatically open: dds.txt and Attach.txt. These reports are also saved to your desktop.
Please copy and paste the scan results of DDS.txt.

Please attach the second file: Attach.txt.

To attach a file, do the following:
  • Under the reply panel is the Attachments Panel.
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box.
  • Click on [image] to insert the attachment into your post.

2. aswMBR

Please download aswMBR from HERE.
  • Double click aswMBR.exe to run it.
  • When asked if you want to download Avast's virus definitions, please select Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click save log, save it to your desktop, and post in your next reply.

3. Security Check

Please download Security Check from HERE or HERE.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt. This may take a few minutes.
Please copy and paste the contents of that document into your next reply.

CHECKLIST: In your next reply, please post the following:
  • dds.txt
  • attach.txt
  • checkup.txt


#3 amfletch


Posted 01 August 2013 - 05:48 PM

Hi fbfbfb, thanks for picking this up. Have run all the scans you requested and attached the logs. Many thanks, Amanda




#4 fbfbfb


Posted 01 August 2013 - 08:27 PM

Hello, Amanda.

Thank you for your logs. There is quite a bit of garbage we need to delete from your system.

Please run the following scans

1. AdwCleaner

Please download AdwCleaner from HERE.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Delete button.
  • A logfile will automatically open after the scan has finished.
  • You can also find the logfile at C:\AdwCleaner[S1].txt.
Copy and paste the adwcleaner.txt report into your next reply.

2. Junkware Removal Tool

Please download Junkware Removal Tool from HERE and save it to your desktop.
  • Shutdown your antivirus to avoid any potential conflicts.
  • Right-mouse click JRT.exe and select Run as Administrator.
  • JRT will begin to back up your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Post the contents of JRT.txt into your next reply.

3. OTL
  • Please download OTL to your desktop from HERE or HERE.
  • Close all other applications and windows so that you have nothing open.
  • Double click on the OTL icon on your desktop.

Note: Vista and Windows 7 users right-click and select Run As Administrator. If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.

  • Under Output, click Minimal Output to select it.
  • Click the Scan All Users checkbox. Leave the remaining selections to the default settings.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad: OTListIt.txt (will be maximized) and Extras.txt (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply. If the Extras.txt log is too long, you may need to add a second reply to your thread.
  • Click the red X in the upper right corner to exit OTL.

CHECKLIST: In your next reply, please post the following:
  • adwcleaner.txt
  • JRT.txt
  • OTListIt.txt
  • Extras.txt


#5 amfletch


Posted 02 August 2013 - 04:09 PM

Hi, after literally hours of trying to get these scans done I have managed to attach the logs. Must have picked up something last night when I had my security switched off as everything was running really slowly...so frustrating. Once I ran JRT everything seemed to move a lot quicker. What I do need to say is an automatic Malware scan started whilst I had the PC on. I stopped it as soon as I saw it and didn't delete or remove any of the threats it found. Hope this hasn't messed things up too much. Really appreciate the help, and hoping, if possible, we can get this all tied up over the weekend as I am travelling unexpectedly next week so won't have access to my laptop for a couple of weeks. Thanks, Amanda




#6 amfletch


Posted 02 August 2013 - 04:30 PM

Sorry forgot to mention UniblueDriverscanner.exe on my desktop that I didn't have before....was this attached to any of the things you asked me to download? thanks again Amanda

#7 fbfbfb


Posted 03 August 2013 - 09:32 PM

Hello, Amanda.

Thank you for the logs. Given the amount of infection on your system, I cannot guarantee that we can completely resolve all the issues by this weekend. Let's do what we can before you leave. If you will be away for 2 weeks, I will leave this topic open until you return.

Regarding UniblueDriverscanner.exe. This was not attached to any of my requests. It appears that this application installs on a system without a user's approval when downloading other software. It is an application designed to check the PC's currently installed drivers against a database and downloads an updated driver if available. However, before downloading the actual driver, the user has to purchase a standing order. We will go ahead and remove this software.

Please back up your system

The following fix requires altering your Windows Registry. Therefore, we need to back it up in case we run into problems.
  • Please download ERUNT to your desktop from HERE.
  • Right click erunt.zip, choose Extract All…, and follow the prompts to unzip the program.
  • Open the ERUNT folder on your Desktop and double click ERUNT.exe to start the program.
  • Click OK for all the prompts to back up your registry to the default location.

Note: if it becomes necessary to restore the registry, open the backup folder and start ERDNT.exe.

Please run the following scan

Run OTL.exe
  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
  • Then click the Run Fix button at the top.
:processes
killallprocesses

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,bProtector Start Page = http://www1.delta-search.com/?babsrc=HP_ss&mntrId=007E00255631B513&affID=121240&tsp=4961
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\..\SearchScopes,bProtectorDefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www1.deltasearch.com/?q={searchTerms}&babsrc=SP_ss&mntrId=007E00255631B513&affID=121240&tsp=4961
FF - user.js - File not found
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}: C:\Program Files\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi
[2013/08/01 23:28:59 | 000,000,000 | ---D | M] (Wajam) -- C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\vixxn2lu.default\extensions\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}
[2013/08/01 23:33:19 | 000,000,000 | ---D | M] ("QuickShare Widget") -- C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\vixxn2lu.default\extensions\{e5dce098-209c-4f1d-a3ee-52aa625feec2}
[2013/08/01 23:30:11 | 000,000,000 | ---D | M] ("Solid Savings") -- C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\vixxn2lu.default\extensions\9518042e-7ad6-4dac-b377-056e28d00c8f@f1cc0a13-4df1-4d66-938f-088db8838882.com
[2013/08/01 23:27:44 | 000,006,507 | ---- | M] () -- C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\vixxn2lu.default\searchplugins\babylon.xml
O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKCU..\Run: [NTRedirect] C:\Windows\system32\rundll32.exe "C:\Users\Amanda\AppData\Roaming\BabSolution\Shared\NTRedirect.dll",Run File not found
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O16 - DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} http://downloads.virginmedia.com/CST/ver1/vistainstaller.cab (Reg Error: Value error.)
O20 - AppInit_DLLs: (c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll) - c:\ProgramData\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.dll ()
O28 - HKLM ShellExecuteHooks: {4F07DA45-8170-4859-9B5F-037EF2970034} - No CLSID value found.
[2013/08/02 12:35:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Uniblue
[2013/08/01 23:31:41 | 000,000,000 | ---D | C] -- C:\Users\Amanda\AppData\Roaming\Uniblue
[2013/08/01 23:31:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue
[2013/08/01 23:31:04 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2013/08/01 23:30:02 | 000,000,000 | ---D | C] -- C:\Program Files\Solid Savings
[2013/08/01 23:28:14 | 000,000,000 | ---D | C] -- C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserDefender
[2013/08/01 23:28:06 | 000,000,000 | ---D | C] -- C:\ProgramData\BrowserDefender

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[resethosts]
[CREATERESTOREPOINT]
  • Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system.
  • Post the new log in your next reply.
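
Added example, not part of the original post and not OTL's own code: a short parser for the bracketed file and folder lines in the fix script above, grouping them by timestamp to show that the Wajam, BrowserDefender, Solid Savings and Uniblue artifacts appeared within minutes of each other. The field layout (timestamp | size | attributes | C for created or M for modified), the five-minute gap threshold and the function names are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Sample input: file and folder lines taken from the fix script in the post above.
SAMPLE = r"""
[2013/08/01 23:28:59 | 000,000,000 | ---D | M] (Wajam) -- C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\vixxn2lu.default\extensions\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}
[2013/08/01 23:33:19 | 000,000,000 | ---D | M] ("QuickShare Widget") -- C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\vixxn2lu.default\extensions\{e5dce098-209c-4f1d-a3ee-52aa625feec2}
[2013/08/01 23:30:11 | 000,000,000 | ---D | M] ("Solid Savings") -- C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\vixxn2lu.default\extensions\9518042e-7ad6-4dac-b377-056e28d00c8f@f1cc0a13-4df1-4d66-938f-088db8838882.com
[2013/08/01 23:27:44 | 000,006,507 | ---- | M] () -- C:\Users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\vixxn2lu.default\searchplugins\babylon.xml
[2013/08/02 12:35:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Uniblue
[2013/08/01 23:31:41 | 000,000,000 | ---D | C] -- C:\Users\Amanda\AppData\Roaming\Uniblue
[2013/08/01 23:31:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uniblue
[2013/08/01 23:31:04 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2013/08/01 23:30:02 | 000,000,000 | ---D | C] -- C:\Program Files\Solid Savings
[2013/08/01 23:28:14 | 000,000,000 | ---D | C] -- C:\Users\Amanda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserDefender
[2013/08/01 23:28:06 | 000,000,000 | ---D | C] -- C:\ProgramData\BrowserDefender
"""

# Assumed field layout: [timestamp | size | attributes | C or M] (vendor) -- path
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\]\s*(?:\((?P<vendor>.*?)\)\s*)?--\s*(?P<path>.+)$"
)

def parse(text):
    """Return one dict per recognised line, sorted by time; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # registry entries, section headers, blank lines
        entries.append({
            "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "kind": "created" if m["kind"] == "C" else "modified",
            "is_dir": "D" in m["attrs"],
            "vendor": (m["vendor"] or "").strip('"'),
            "path": m["path"].strip(),
        })
    return sorted(entries, key=lambda e: e["time"])

def cluster(entries, max_gap=timedelta(minutes=5)):
    """Group time-sorted entries; a new group starts when the gap exceeds max_gap."""
    groups = []
    for e in entries:
        if groups and e["time"] - groups[-1][-1]["time"] <= max_gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups

def summarize(group):
    """(first timestamp, last timestamp, entry count) for one group."""
    return group[0]["time"], group[-1]["time"], len(group)

if __name__ == "__main__":
    for g in cluster(parse(SAMPLE)):
        start, end, n = summarize(g)
        print(f"{start} -> {end}: {n} entries")
        for e in g:
            print(f"  {e['time']:%H:%M:%S} {e['kind']:<8} {e['path']}")
```

On these lines, ten of the eleven entries fall in a single group between 23:27:44 and 23:33:19 on 2013/08/01; only the C:\ProgramData\Uniblue folder, dated the following day, stands apart.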


#8 amfletch


Posted 04 August 2013 - 04:03 PM

Hi followed the instructions but when I ran OTL it froze the system. Left it about 20 mins and still nothing so I rebooted. Ran OTL again and got what looks like 2 reports...sorry!! It then wouldn't let me attach so put them in zip files and hopefully you can open them, I knew I wasn't very good with the PC but feel like I'm messing up each time you give an instruction. Also, have confirmation on my work travel and won't have access to my laptop until 24 August which is 3 weeks. If this is too long to leave the topic open I understand. If it's closed when I get back will log a new topic. thank you very much for your help Amanda




#9 fbfbfb


Posted 05 August 2013 - 05:16 PM

Hello, Amanda. Thank you for your logs. Let me reassure you that you are not messing anything up, and you are doing a good job completing the given tasks.

I will keep your thread open until you return. Please let me know when you are back and we will continue cleaning your system.

If you are still available, and are able to complete the next task, please do so; otherwise, you can complete it when you return.

Please run DDS again and send me a fresh log. Let me know how your computer is running at this stage, as well as any other issues you are experiencing.

#10 amfletch


Posted 24 August 2013 - 04:40 PM

Hi back home and ran the DDS as asked. Have attached both logs. Laptop has not been on for the last 3 weeks so nothing should have changed. Thanks for your help Amanda



#11 fbfbfb


Posted 25 August 2013 - 03:55 PM

Hello, Amanda. Welcome back.

Your system is looking better. We still need to remove some unwanted applications.

1. Remove Toolbars and Programs

Please remove the following applications via your Control Panel: BrowserDefender, Delta Chrome Toolbar, QuickShare, Solid Savings, Virgin Media Toolbar, and Wajam.

To uninstall:
  • Click Start and select Control Panel.
  • When the Control Panel window opens, click on Uninstall a program found under the Programs category.
  • If you are using the Classic View of the Control Panel, then you would double-click on the Programs and Features icon instead.
  • Begin with the first program (BrowserDefender) > left-click on it once to highlight it.
  • Click on the Uninstall button.
  • When asked if you are sure you want to uninstall, click Yes.
  • The program will uninstall, and when completed you will be back at the list of programs installed on your computer.
  • Continue to delete the remaining programs the same way.
  • When finished, close the Programs and Features screen.
2. Remove Programs from Browsers

If any of these toolbars or applications (BrowserDefender, Delta Chrome Toolbar, QuickShare, Solid Savings, Virgin Media Toolbar, and Wajam) appear in your browsers, continue as follows:

For Internet Explorer:
  • Open Internet Explorer.
  • Click Tools > Manage Add-ons.
  • In the Manage Add-ons window, under Add-on Types (found on left side) highlight Toolbars and Extensions.
  • Under the Show: drop-down menu (found on left side) make sure All add-ons is selected.
  • Highlight the extension (ex. browserdefender ) you wish to remove, and select Disable.
  • The Disable add-on window may pop up to warn you that related services and add-ons will also be disabled. Click Disable.
  • Click Close to exit the Manage Add-ons window.
For Firefox:
  • Open Firefox.
  • Click Tools > Add-ons.
  • In the Add-ons window, under Add-on Types select Extensions.
  • Click to highlight the extension (ex. browserdefender) you wish to remove and select Disable. If you want to delete an extension entirely, click Remove.
  • The Disable add-on window may pop up to warn you that related services and add-ons will also be disabled. Click Disable.
  • Exit the Add-ons Manager window, and restart Firefox to complete the process.
For Google Chrome:
  • Open Google Chrome.
  • Click the wrench icon at the top right of the browser window.
  • Click Tools > Select Extensions to open the Options tab.
  • Uncheck Enabled to disable the extension (ex. browserdefender), or click Remove to delete it completely.
3. Reset Your Home Page and Default Search Engine

Removing the toolbars may have changed your browser settings (homepage, default search engines). If so, please follow the instructions found HERE.

Please let me know how your computer is running now and if you are experiencing any other issues.

#12 amfletch


Posted 25 August 2013 - 05:45 PM

Hi, have done everything you asked and then rebooted. I have now been able to update my iTunes without being told I don't have sufficient permission, which is fab. I currently use Comodo as my security and also Malwarebytes Anti-Malware plus Iobit as clean up tools. Do you think these are good programs or would you recommend I use something else? Thanks, Amanda

#13 fbfbfb


Posted 26 August 2013 - 07:47 AM

Hello, Amanda.

Glad to hear itunes is updating for you. We still need to do a little bit of work to ensure your system is completely clean. Please stay with this topic until we have done that.

Comodo/Malwarebytes/Iobit

In answer to your question, you can keep Comodo Antivirus and Comodo Firewall as your main security protection. Malwarebytes is an excellent program to keep. If you have the free version of MBAM, it can be used on demand as needed; however, if you have paid for the pro version, it has real-time monitoring which should be disabled as explained below:

You are currently running multiple anti-spyware programs:

  • Windows Defender
  • IOBit Malware Fighter
  • Comodo Defense+

All three programs have real time monitoring abilities. Running more than one set of spyware monitoring components can cause conflicts and can sometimes lead to unexpected complications and system slowdowns. It is recommended that you keep only one good anti-virus, one firewall, and one anti-spyware program.

Since Windows Defender is completely built into Windows, it cannot be uninstalled, so you must keep it.

Comodo Defense+ is part of your Comodo Firewall and cannot be deleted, but it can be deactivated. To disable, follow these instructions.

If you did not pay for IOBit Malware Fighter, you should uninstall it via your Control Panel > Programs and Features > Uninstall a program.

Bottom line: If you keep 2 anti-spyware programs installed on your system, you must disable one to avoid potential problems. You can use it as a second scan when you need it.

UniblueDriverscanner.exe

You mentioned earlier this was not installed by you. Please remove this program via your Control Panel > Programs and Features > Uninstall a program.

Please run the following scans

1. Malwarebytes

You already have Malwarebytes installed on your system. Please run a scan after updating the program and send me the log.

2. ESET Online Scanner

Note:

  • Disable any antivirus program and antispyware programs to avoid conflicts.
  • Run Eset with Internet Explorer, but if using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
  • Please do not surf the internet while your security programs are disabled.
  • Let the scan run uninterrupted to avoid a stall.
  • Remember to enable your security programs when the scan has finished.
Run ESET Online Scanner from HERE.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • If prompted, allow the Add-On/Active X to install.

Under Computer scan settings:
  • Do not check Remove found threats.
  • Check Scan Archives.
  • Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  • Click Start. ESET will download updates, install itself, and begin scanning your computer. Please be patient as this scan could take up to a few hours to complete.
  • Wait for the scan to finish. When the scan completes, click List of found threats.
  • Click Export and save the file to your desktop using a unique name, such as ESETScan.
  • Copy and paste the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#14 amfletch


Posted 27 August 2013 - 03:39 PM

Hi there, did everything you asked. Uninstalled IOBit Malware. Disabled the defender part of Comodo so that should get rid of any conflict there. The Malware Antibytes I have is the free issue and I run it at least once a week. Removed UniblueDriver Scanner. Ran Malware last night and have attached the 2 logs: one from before the problems were removed and one from after. Ran ESET tonight and have also attached the log from that. Didn't remove any of the threats this threw up. As always, thanks for your help. Cheers, Amanda




#15 fbfbfb


Posted 29 August 2013 - 10:41 AM

Hello, Amanda.

Thank you for the MBAM and ESET logs. Let's remove the threats found by ESET.

Please run the following OTL scan

Run OTL.exe
  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
  • Then click the Run Fix button at the top.
:OTL
C:\ProgramData\Spybot - Search & Destroy\Recovery\myPCBackup.zip	
C:\ProgramData\Spybot - Search & Destroy\Recovery\Wajam34.zip	
C:\ProgramData\Spybot - Search & Destroy\Recovery\Wajam68.zip	
C:\ProgramData\Spybot - Search & Destroy\Recovery\Wajam69.zip	
C:\Users\All Users\Spybot - Search & Destroy\Recovery\myPCBackup.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\Wajam34.zip	
C:\Users\All Users\Spybot - Search & Destroy\Recovery\Wajam68.zip	
C:\Users\All Users\Spybot - Search & Destroy\Recovery\Wajam69.zip	
C:\Users\Amanda\Downloads\cbsidlm-cbsi109-IObit_Malware_Fighter-BP-10967594.exe	
C:\Users\Amanda\Downloads\cbsidlm-cbsi5_3_0_96-Wondershare_Photo_Collage_Studio-ORG-10493378.exe	
C:\Users\Amanda\Downloads\cbsidlm-tr1_11-Publishit-ORG-10046724.exe	
C:\Users\Amanda\Downloads\cnet2_iwm-transfer-contacts_zip.exe	
C:\Users\Amanda\Downloads\cnet2_veryandroid-contacts-backup_zip.exe	
C:\Users\Amanda\Downloads\gusetup.exe	
C:\Users\Amanda\Downloads\SoftonicDownloader_for_clonecd.exe	

:Commands
[emptytemp]
[resethosts]
  • Let the program run unhindered; it will reboot when it is done. If it does not, please reboot your system.
  • Post the new log in your next reply.
