Can't boot normally after virus removal...safe mode only


The two items are as follows (seems I can't get to the log until I do something with these...should I remove or ignore?):

PUP.Optional.MySearchDial.A      Registry Key      HKCU\Software\Google\Chrome\Extensions......

PUP.Optional.MySearchDial.A      Registry Key      HKLM\Software\Google\Chrome\Extensions......


Deleted both registry keys. Here is the log.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2013.10.10.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
David :: INSPIRONLAPTOP [administrator]

10/10/2013 6:14:12 PM
mbam-log-2013-10-10 (18-14-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230218
Time elapsed: 9 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff (PUP.Optional.MySearchDial.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


They definitely needed to go, browser hijacker.... We still need to run an online AV scan to ensure we miss no remnants of the ZeroAccess infection, first run the following:

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary):
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

Next,

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 right click on the IE shortcut and run as admin

Go to the Eset web page http://www.eset.com/us/online-scanner-popup/ to run an online scan from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

If no threats were found

  • Put a checkmark in "Uninstall application on close"
  • Close the program
  • Report to me that nothing was found

If threats were found

  • Click on "List of threats found"
  • Click on "Export to text file" and save it as ESET SCAN to the desktop
  • Click on Back
  • Put a checkmark in "Uninstall application on close"
  • Click on Finish
  • Close the program
  • Copy and paste the report here

Let me see those logs, yes forgot to confirm FRST fix clear the .dll errors for us.... nearly 1 am local time for me, will catch up later....

Cheers,

Kevin....


Good morning Kevin,

I downloaded adwcleaner from Tom's Guide site as the bleepingcomputer site was unavailable...the entire site. I didn't want to delete anything until you saw the log. Does adwcleaner typically only list harmful things? Anyway, here is the log. I await your advice.

# AdwCleaner v3.007 - Report created 10/10/2013 at 20:26:08
# Updated 09/10/2013 by Xplode
# Operating System : Windows Vista Home Premium Service Pack 2 (32 bits)
# Username : David - INSPIRONLAPTOP
# Running from : C:\Users\David\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Users\David\AppData\Local\mysearchdial.crx
File Found : C:\Windows\System32\Tasks\MySearchDial
File Found : C:\Windows\Tasks\MySearchDial.job
Folder Found C:\Program Files\Common Files\Tencent
Folder Found C:\ProgramData\apn
Folder Found C:\ProgramData\Ask
Folder Found C:\ProgramData\AskPartnerNetwork
Folder Found C:\ProgramData\Tencent
Folder Found C:\Users\David\AppData\Local\Temp\apn
Folder Found C:\Users\David\AppData\Roaming\BitLord
Folder Found C:\Users\David\AppData\Roaming\Tencent
Folder Found C:\Users\David\Documents\BitLord

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\APN
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\AskPartnerNetwork
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Found : HKCU\Software\PIP
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\AskPartnerNetwork
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\Software\InstallCore
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\MySearchDial
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\MySearchDial
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MySearchDial
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Found : HKLM\Software\PIP
Key Found : HKLM\Software\Tarma Installer
Key Found : HKLM\Software\TENCENT
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

-\\ Google Chrome v

[ File : C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [3544 octets] - [10/10/2013 20:26:08]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3604 octets] ##########


AdwCleaner post-clean log:

# AdwCleaner v3.007 - Report created 11/10/2013 at 09:56:51
# Updated 09/10/2013 by Xplode
# Operating System : Windows Vista Home Premium Service Pack 2 (32 bits)
# Username : David - INSPIRONLAPTOP
# Running from : C:\Users\David\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\AskPartnerNetwork
Folder Deleted : C:\ProgramData\Tencent
Folder Deleted : C:\Program Files\Common Files\Tencent
Folder Deleted : C:\Users\David\AppData\Local\Temp\apn
Folder Deleted : C:\Users\David\AppData\Roaming\BitLord
Folder Deleted : C:\Users\David\AppData\Roaming\Tencent
Folder Deleted : C:\Users\David\Documents\BitLord
File Deleted : C:\Users\David\AppData\Local\mysearchdial.crx
File Deleted : C:\Windows\Tasks\MySearchDial.job
File Deleted : C:\Windows\System32\Tasks\MySearchDial

***** [ Shortcuts ] *****

***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MySearchDial
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0DBFC44D-3242-4FB9-879E-7FB4A0136A74}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0DBFC44D-3242-4FB9-879E-7FB4A0136A74}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AskPartnerNetwork
Key Deleted : HKCU\Software\PIP
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKLM\Software\AskPartnerNetwork
Key Deleted : HKLM\Software\InstallCore
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\Tarma Installer
Key Deleted : HKLM\Software\TENCENT
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]

-\\ Google Chrome v

[ File : C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [3684 octets] - [10/10/2013 20:26:08]
AdwCleaner[s0].txt - [3582 octets] - [11/10/2013 09:56:51]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [3642 octets] ##########

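The scan report and the clean report above are the two halves of one check: everything the scan listed as "Found" should show up in the clean run as "Deleted". The following script is an added example for this thread, not AdwCleaner's or the forum's own code; it parses the line format seen in the two posted reports (assumed to be stable across AdwCleaner 3.x), reconciles the two, and reports what was found but not deleted and what was deleted without having been listed. The sample reports are constructed from a few lines of the posts above.

```python
"""Reconcile an AdwCleaner v3 scan report against the matching clean report.

Added example for this thread (not AdwCleaner's or the forum's own code).
It parses the "File Found : <path>", "Folder Found <path>", "Key Found : <key>"
and "Value Found : <key> [<name>]" lines of an "Option : Scan" report and the
corresponding "... Deleted : ..." lines of the "Option : Clean" report, then
lists what was found but never reported as deleted, and what was deleted
without having been listed by the scan. The sample reports below are
constructed from a subset of the two reports posted in this thread.
"""
import re
from typing import Dict, List, Set, Tuple

# One finding per line. Forms observed in the posted reports:
#   "File Found : C:\path"        "Folder Found C:\path"  (no colon after Folder)
#   "Key Found : HKLM\..."        "Value Found : HKCU\... [ValueName]"
#   "[#] Key Deleted : HKLM\..."  ("[#]" marks keys removed on reboot)
#   "Setting Restored : HKLM\... [Tabs]"
LINE_RE = re.compile(
    r"^\s*(?:\[#\]\s*)?"
    r"(?P<kind>File|Folder|Key|Value|Setting)\s+"
    r"(?P<action>Found|Deleted|Restored)\s*:?\s*"
    r"(?P<target>.+?)\s*$",
    re.IGNORECASE,
)

Finding = Tuple[str, str]  # (kind, normalized target)


def normalize(target: str) -> str:
    """Windows paths and registry keys are case-insensitive: fold case and
    drop a trailing backslash so the same item always compares equal."""
    return target.strip().rstrip("\\").lower()


def parse_report(text: str) -> Dict[str, Set[Finding]]:
    """Return {action: {(kind, target), ...}} for one AdwCleaner report."""
    findings: Dict[str, Set[Finding]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # header, section banner, browser line, EOF marker
        kind = m.group("kind").capitalize()
        action = m.group("action").capitalize()
        findings.setdefault(action, set()).add((kind, normalize(m.group("target"))))
    return findings


def reconcile(scan_text: str, clean_text: str) -> Dict[str, List[Finding]]:
    """Compare what the scan found with what the clean run says it deleted."""
    found = parse_report(scan_text).get("Found", set())
    deleted = parse_report(clean_text).get("Deleted", set())
    return {
        "found_not_deleted": sorted(found - deleted),
        "deleted_not_found": sorted(deleted - found),
    }


# Constructed sample: a subset of the R0 (scan) and S0 (clean) reports posted
# above, including the TaskCache key that the two reports name differently
# (by task name in the scan, by task GUID in the clean run).
SCAN_REPORT = r"""
# AdwCleaner v3.007 - Report created 10/10/2013 at 20:26:08
# Option : Scan

***** [ Files / Folders ] *****

File Found : C:\Users\David\AppData\Local\mysearchdial.crx
File Found : C:\Windows\Tasks\MySearchDial.job
Folder Found C:\ProgramData\apn
Folder Found C:\Users\David\AppData\Roaming\BitLord

***** [ Registry ] *****

Key Found : HKCU\Software\APN
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\MySearchDial
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]

[ File : C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\preferences ]
"""

CLEAN_REPORT = r"""
# AdwCleaner v3.007 - Report created 11/10/2013 at 09:56:51
# Option : Clean

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\Users\David\AppData\Roaming\BitLord
File Deleted : C:\Users\David\AppData\Local\mysearchdial.crx
File Deleted : C:\Windows\Tasks\MySearchDial.job

***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0DBFC44D-3242-4FB9-879E-7FB4A0136A74}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
Key Deleted : HKCU\Software\APN

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]
"""

if __name__ == "__main__":
    for label, items in reconcile(SCAN_REPORT, CLEAN_REPORT).items():
        print(f"{label}: {len(items)}")
        for kind, target in items:
            print(f"  {kind}: {target}")
```

Run against the full R0 and S0 reports, the only mismatches are the three TaskCache entries: the scan names the scheduled task (`...\Tasks\MySearchDial`, `...\Plain\MySearchDial`) while the clean run names the same task by its GUID, so they land in both lists. That is the point of a reconciliation step: it does not prove the machine is clean, it produces the short list a person has to verify by hand (here, that the task really is gone) before moving on to the next scanner.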

ESET AV scan report:

C:\AdwCleaner\Quarantine\C\ProgramData\Ask\APN-Stub\ATU3\Local\APNIC.dll.vir a variant of Win32/Bundled.Toolbar.Ask application
C:\Documents and Settings\David\AppData\Local\Google\Chrome\User Data\Default\Default\aagfgfggdjdddidddbdadddjdedggddc\background.html Win32/BHO.OEI trojan
C:\Documents and Settings\David\Downloads\aTube_Catcher.exe multiple threats
C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Default\aagfgfggdjdddidddbdadddjdedggddc\background.html Win32/BHO.OEI trojan
C:\Users\David\Downloads\aTube_Catcher.exe multiple threats
 


Download OTM from either of the following links and save to your Desktop:

http://oldtimer.geekstogo.com/OTM.exe
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear, this will be put back on completion.... If your security alerts to OTM either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files :Files

    :Files
    C:\FRST
    ipconfig /flushdns /c
    C:\Documents and Settings\David\AppData\Local\Google\Chrome\User Data\Default\Default\aagfgfggdjdddidddbdadddjdedggddc\background.html
    C:\Documents and Settings\David\Downloads\aTube_Catcher.exe
    C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Default\aagfgfggdjdddidddbdadddjdedggddc\background.html
    C:\Users\David\Downloads\aTube_Catcher.exe
    :Commands
    [EmptyTemp]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see those logs, also let me know if there are any remaining issues or concerns..


Hey Kevin,

Downloaded OTM from Oldtimer. Seems to be a bit of a quirky program. Avast didn't respond to it. Opened and pasted your instructions and clicked MoveIt! It worked for a bit (a few minutes) and it gave me results ending with the line item User: David. I thought it was done at this point and went to copy, but while I could move my pointer with the mouse, I couldn't select any of the text nor move the horizontal or vertical sliders. Got something to eat and came back. More text was displayed, but still couldn't select anything. More time has gone by (half an hour at this point) and more text is displayed but I still can't select anything to copy.

Thoughts?


Kevin,

The following was all that was in the log, despite there being tons of info in the results window. OTM did in fact hang and I had to end it with Ctrl+Alt+Del to bring up Task Manager, where it said it was not responding. I rebooted and found the following cryptic log.

Files moved on Reboot...

Registry entries deleted on Reboot...

There is a folder also in the folder in which the log was found, but no other "logs."


It seems to be running faster and of course booting up into normal mode every time. I haven't done anything with it yet other than work with you as I wanted to make sure I had the all clear first. I haven't downloaded and run Security Check yet. Would you like me to do that?

Also

1) Does the PayPal donation go directly to you or the forum in general?

2) When we are done, I would appreciate your take on best practices going forward for security (recommend programs if you can do that) and backup/imaging etc...something like I ran across here http://maddoktor2.com/forums/index.php/topic,46886.0.html

Perhaps there is something like it already on this forum? I definitely plan on purchasing the real-time Malwarebytes program when we are through.


Yes please run Security Check, it makes no changes, just checks your security, version of Java, Adobe etc etc...

The link you post is very comprehensive, well worth keeping/reading as required....

PayPal donations link, all goes direct to me, nothing to the Forum. 60% of all my donations go to a specific charity I support.

The following is my own security setup, I give it for W7, it is identical for W8 (I run both), the only difference is the AV program. In W7 it is named Microsoft Security Essentials. In W8 it is named Windows Defender.

I know that can cause confusion as WD was introduced earlier as an Anti-Spyware/Malware program. Since the conception of W8, MSE was more or less renamed as Windows Defender....Clear??

The setup for Vista (when I had it) was exactly the same.

My own security setup is :-

Windows' own Firewall, Microsoft Security Essentials and Malwarebytes Pro. Windows FW and MSE are free, MB does also have a free version, however I prefer the pro version as it provides auto updates and realtime protection. Cost is about £20 for a lifetime license.

As an extra layer I also use WinPatrol, the free version is adequate for general home use. Available here: http://www.winpatrol.com/download.html

For my browser I use Firefox with these addons: Web of Trust, Adblock Plus, Flash Block, NoScript, Ghostery. When Firefox is open select these keys together :- Ctrl - Shift - A, that will access the Add-ons manager, this gives access to find addons, use, start, stop or disable those features etc....

Before using NoScript read from this link http://noscript.net/ makes it easy to understand....

Understanding Windows 7 Firewall - http://windows.microsoft.com/en-GB/windows7/Understanding-Windows-Firewall-settings

Understanding Microsoft Security Essentials - http://www.microsoft.com/en-gb/security/pc-security/mse.aspx

Understanding Malwarebytes, how to create an exclusion in MSE - http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162100entry162100

Understanding WinPatrol - http://www.winpatrol.com/features.html

I also use the Professional version of Sandboxie, I believe there is also a free version available. Visit this link http://www.sandboxie.com/ for access to d/l, also make sure to use the "Help and FAQ" option to understand its uses, specifically how to run your browser sandboxed!

Regarding imaging/backup I use AX64 Time Machine, it is not free but is very simple and easy to use. http://www.ax64.com/ Take the tour option at the site, see what you think.

Kevin....


Security Check threw up an error pop-up that said Line-1 Error: Variable must be of type "object." I clicked OK and then it proceeded to run and gave me the following checkup.txt

 Results of screen317's Security Check version 0.99.74 
 Windows Vista Service Pack 2 x86 (UAC is disabled!) 
 Internet Explorer 9 
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0   
 SlimCleaner    
 Java version out of Date!
 Adobe Flash Player  11.7.700.224 
 Adobe Reader 8 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 8 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 
