Removing Toolbars/PUPS After Installing Acala DVD Ripper Professional Free Copy

[SG1Fan]

Hello,

I have been somewhat successful in my efforts to remove the crapware installed by Acala DVD Ripper Professional Free Copy. Crapware including the We-Care Reminder, Sweetpacks / SweetIM, Babylon, and Infoseeker. The installer for the DVD ripper did not function properly and would not let me choose (or not choose) toolbars.

I started with Microsoft Security Essentials, finding nothing. I manually disabled services and IE ad-ons, eliminating symptoms but not the software. Then, I used Spybot S&D, which removed part, though not all, of it. Malwarebytes had the same effect and successfully removed one other generic pre-existing trojan also. None of the programs have removed Infoseeker by Big Water though; what is it?

AdwCleaner popped up with some left-behind files and registry entries, in addition to some numerical registry keys I do not know how to identify. Is there a way to figure out which registry keys/values belong to which application if they are numbered with CLSIDs and such?

Before reading this forum, I also uninstalled DVD Video Soft and Firefox.

Here are the associated logs, in reverse chronological order; I figured the most recent are the most important.

I have been told to be careful with AdwCleaner and not just let it delete everything because it can create false positives, so I am hoping people on this forum will recognize the entries. The files, though left in for completeness, are obviously unwanted, and any labeled registry keys/values are definitely malware, but the rest, I have no idea. The exception is the DVDVideoSoft, which I installed but no longer need, and the Viewpoint, which I also installed but no longer need. Thanks in advance for any assistance anyone can give.

Also, since I know the time and date of infection, should I just run a system restore? Would that remove all registry keys/values and eliminate some of this headache?

 

There are also Spybot logs I can include, but they are rather long.

#####################

# AdwCleaner v2.306 - Logfile created 08/01/2013 at 12:55:34

# Updated 19/07/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : administratoruser - COMPUTERNAME

# Boot Mode : Normal

# Running from : C:\Documents and Settings\administratoruser\Desktop\adwcleaner.exe

# Option [search]

　

***** [services] *****

　

***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\administratoruser\Application Data\dvdvideosoftiehelpers

Folder Found : C:\Documents and Settings\All Users\Application Data\WeCareReminder

***** [Registry] *****

Key Found : HKCU\Software\BI

Key Found : HKCU\Software\DynConIE

Key Found : HKCU\Software\IM

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}

Key Found : HKCU\Software\wecarereminder

Key Found : HKCU\Software\WNLT

Key Found : HKLM\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}

Key Found : HKLM\SOFTWARE\Classes\AppID\IEHelperv2.5.0.DLL

Key Found : HKLM\SOFTWARE\Classes\CLSID\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}

Key Found : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder

Key Found : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1

Key Found : HKLM\Software\Classes\Installer\Features\FB6D58DD787439A4995AF3C00FEA8843

Key Found : HKLM\SOFTWARE\Classes\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}

Key Found : HKLM\SOFTWARE\Classes\Prod.cap

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}

Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44ED99E2-16A6-4B89-80D6-5B21CF42E78B}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\A97CEC23332751B47BA4B95BAA50C9D0

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FB6D58DD787439A4995AF3C00FEA8843

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager

Key Found : HKLM\Software\TENCENT

Key Found : HKLM\Software\Viewpoint

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R1].txt - [5270 octets] - [01/08/2013 12:25:17]

AdwCleaner[R2].txt - [3910 octets] - [01/08/2013 12:55:34]

########## EOF - C:\AdwCleaner[R2].txt - [3970 octets] ##########

#####################

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.07.31.07

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

administratoruser :: COMPUTERNAME [administrator]

7/31/2013 11:33:26 PM

mbam-log-2013-07-31 (23-33-26).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 405108

Time elapsed: 1 hour(s), 7 minute(s), 1 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Documents and Settings\administratoruser\Local Settings\Application Data\System Access to Go\SAWebStart\u3\uninstall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{642A5A27-624A-49B1-8C37-712738ADB5AD}\RP1339\A0247443.dll (PUP.Optional.SweetPacks) -> Quarantined and deleted successfully.

(end)

#################

###############

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.07.31.07

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

administratoruser :: COMPUTERNAME [administrator]

7/31/2013 10:52:15 PM

mbam-log-2013-07-31 (22-52-15).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 291218

Time elapsed: 9 minute(s), 48 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 7

HKLM\SYSTEM\CurrentControlSet\Services\Updater By SweetPacks (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7D4F1959-3F72-49D5-8E59-F02F8AA6815D} (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7D4F1959-3F72-49D5-8E59-F02F8AA6815D} (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847} (PUP.Optional.SweetPacks) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847} (PUP.Optional.SweetPacks) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}_is1 (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

Registry Values Detected: 2

HKLM\SOFTWARE\Mozilla\Firefox\Extensions|{7D4F1959-3F72-49D5-8E59-F02F8AA6815D} (PUP.Optional.SweetPacks.A) -> Data: C:\Program Files\Updater By SweetPacks\Firefox -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Mozilla\Firefox\Extensions\{7D4F1959-3F72-49d5-8E59-F02F8AA6815D} (PUP.Optional.SweetPacks.A) -> Data: -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 13

C:\Program Files\Updater By SweetPacks (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\content (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\content\libraries (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\content\resources (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\locale (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\locale\en-US (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\skin (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\defaults (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\defaults\preferences (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\libraries (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\resources (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

Files Detected: 20

C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Documents and Settings\administratoruser\Local Settings\Temp\hsbing_717_active.exe (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Documents and Settings\administratoruser\Local Settings\Temp\DeltaTB.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.

C:\Documents and Settings\administratoruser\Local Settings\Temp\3CD7F783-BAB0-7891-A2FA-FA1FD1112B09\Latest\Setup.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.

C:\Documents and Settings\administratoruser\0.2672972944533223.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Extension32.dll (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\InstallerHelper.dll (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\unins000.dat (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\unins000.exe (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome.manifest (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\install.rdf (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\content\main.js (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\content\main.xul (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\content\libraries\DataExchangeScript.js (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\content\resources\localscript.js (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\locale\en-US\overlay.dtd (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\chrome\skin\overlay.css (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\Firefox\defaults\preferences\defaults.js (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\libraries\DataExchangeScript.js (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

C:\Program Files\Updater By SweetPacks\resources\localscript.js (PUP.Optional.SweetPacks.A) -> Quarantined and deleted successfully.

(end)

#################

[MrCharlie]

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

[SG1Fan]

Here are the three logs you requested. Should I run system restore, and if so, when? How do I know which AdwCleaner registry entries are malware when they are just numbers? What is that registry entry RogueKiller found? Thanks so much.

 

dds.txtattach.txtRKreport0_S_08022013_025144.txt

[MrCharlie]

Please uninstall InfoSeeker from your add/remove programs if possible.

Then........

Download Malwarebytes Anti-Rootkit from HERE

• Unzip the contents to a folder in a convenient location.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

[SG1Fan]

Unfortunately, MBAR is not compatible with  the software that visually impaired people use to read the screen. The reason is that MBAR uses images, rather than standard text, to convey print on the screen. There is no command line alternative listed in Readme.txt. Therefore, I cannot use the program. For your information, the screenreader I use is called JFW in my process logs.

 

I did remove Infoseeker successfully. Is there a particular reason you suspect a rootkit, or was that just a standard reply? Would you be able to provide any other advice on my earlier results and questions? Thanks so much.

[SG1Fan]

I was also instructed on another thread to post this log here because I am getting an illegal instruction error when trying to exit the MBAM application.

CheckResults.txt

[SG1Fan]

Luckily, a sighted person was able to help me run the MBAR scan, and my system came up clean.

system-log.txt

mbar-log-2013-08-02 (15-14-45).txt

[MrCharlie]

We have to check ever system for rootkits....next:

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

MrC

[SG1Fan]

I'm sorry, but I have definitely been nervous about installing all of these programs and scripts. Please try to understand that I would rather not have to research and possibly download a new program without some answers to the questions I have already posed. I just wanted to know whether or not the registry entries shown in the ADWCleaner log our true malware or false positives. I also wanted to know if system restore would also help, because I know when I was infected. Any information you could offer about the usefulness of system restore and the interpretation of registry entries would be very helpful. I really do appreciate this forum, but so far, I have not received any personalized feedback.

[MrCharlie]

I just wanted to know whether or not the registry entries shown in the ADWCleaner log our true malware or false positives.
They are correct


I also wanted to know if system restore would also help, because I know when I was infected.
System restore isn't recommended to clean infections, it's only used when there's no other options.

MrC

[SG1Fan]

Thanks for your response, although without further explanation, I decided to look up the references in the registry instead. I didn't realize this, but a simple registry search for each Clsid turned up either human readable references to the malware or to Internet Explorer. The exception was a key referring to the Apple mobile service. I really don't want to break that one. Since the program let me exclude that entry, can I just uninstall my Apple services for now and then rerun the scan? At least then, hopefully, that key won't show up again. Thanks.

[MrCharlie]

What key is that?? MrC

[SG1Fan]

The key that AdwCleaner picked up, seemingly referring to Apple stuff, is

HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

 

What is this RogueKiller result:

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

There are plenty of Windows references, talking about shell32.dll and desktop icon defaults. What could happen if I let RogueKiller delete/fix it?

 

I can't figure out what this unknown AdwCleaner result is either:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}

It doesn't seem to be in the registry anywhere else. What's the worst that could happen if I let AdwCleaner delete it?

 

Finally, the installer package for SweetIM, 59028.msi, to which I found references in the registry, is still on my system. Right-clicking/scanning it with MBAM and MS Security Essentials turns up nothing. Would it be useful to upload it somewhere to be added to the malware database? If paid users can be prevented from running this installer, it would save them a lot of headache.

Thanks.

[MrCharlie]

HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

This key is targeted both by AdwCleaner and Junk Removal Tool, I can't see where it would have any affect on Apple.

---------------------------------------------------

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

I have no idea what this would do, entries like this are in just about every RK log, including mine,
I never have people delete them

---------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Belongs to Viewpoint, a program you should have on the system.

-----------------------------------------


SweetIM, 59028.msi,

You can upload to VirusTotal for a free scan:
https://www.virustotal.com/en/

MrC

[SG1Fan]

I have attached the registry key that refers to Apple that AdwCleaner flagged, as well as the JRT log and the log of the AdwCleaner scan I ran after running JRT. Please note that JRT removed a "bad module" and restarted my computer, but I cannot find that in the log; how do I discover what it removed? Thanks.

 

063A857434EDED11A893800002C0A966.txt

AdwCleanerR4.txt

JRT.txt

[MrCharlie]

The logs are called ---->JRT.txt

Do a search for it or them.

What problems are left?? MrC

[SG1Fan]

What do you think of the registry key I attached to my last message? The AdwCleaner log attached to the last message is the most current scan. The JRT log I had attached was the only log of its kind on my desktop with the application, and it does not include the removed module.

Remaining problems include the registry keys known to belong to the malware, and at least one browser add-on still left in Internet Explorer. If only I could just delete everything that AdwCleaner found. Could I just uninstall and reinstall Apple and viewpoint so that I could let the program clean my system? Thanks.

[MrCharlie]

What do you think of the registry key I attached to my last message? 

 

I have no thoughts on it, if the 2 programs target it...then it has to go.

 

 

Remaining problems include the registry keys known to belong to the malware, and at least one browser add-on still left in Internet Explorer.

Delete them

 

 If only I could just delete everything that AdwCleaner found. Could I just uninstall and reinstall Apple and viewpoint so that I could let the program clean my system? 

 

At this point I don't know what you want to do or are trying to do.

Run the programs, delete what they find, delete anything else you want to and be done with it.

 

MrC

 

[MrCharlie]

Please download OTC to your desktop.

http://oldtimer.geekstogo.com/OTC.exe

 

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

 

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

 

-------------------------------

 

Any questions...please post back.

 

If you think I've helped you, please leave a comment > click on my  avatar picture > click Profile Feed.

 

Take a look at My Preventive Maintenance to avoid being infected again. (may be down right now)

Cached version:

http://webcache.googleusercontent.com/search?q=cache:T4_y-D1qZAoJ:maddoktor2.com/forums/index.php%3Ftopic%3D46886.0+&cd=3&hl=en&ct=clnk&gl=us

 

Good Luck and Thanks for using the forum,  MrC

 

 

[Maurice Naggar]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.