Scholar
Original Poster
#26 Old 22nd Jul 2014 at 3:44 AM
Thanks I just read that. I've still got it I think, although I did just try to uninstall it (which didn't work). I'm not sure if all of it's there because I don't know what it looked like before. When I looked in program files (I looked in the x86 one), it said it had been modified today (21st) at 9:53pm. That might have been when I did a System Restore. I do have the option to 'Restore previous versions' if I right click on it, do you think that would work?

I'll see if I can get rid of the babylon thing.
Former Hamster
retired moderator
#27 Old 22nd Jul 2014 at 3:54 AM Last edited by mustluvcatz : 22nd Jul 2014 at 4:06 AM.
For the time being don't try to do anything with the MalwareBytes (or parts of it) that is on your computer. Try what I already suggested about downloading a new copy first. IF malware changed anything about your existing MalwareBytes it might not be possible to remove it just yet.

If anyone else thinks differently, speak up please! I'm just going by what I had to do in the past thanks to that AntiVirus2000something from a few years ago!
Scholar
Original Poster
#28 Old 22nd Jul 2014 at 4:13 AM
Right, I've uninstalled Babylon, used CCleaner and re-scanned with HijackThis. Here's the log:


Is it safe to get rid of that slick savings thing? I'm sure I've read somewhere it's a bit dodgy.

Something else that's a bit weird, is that I keep subscribing to this thread, and each time I come back, it's not in my subscriptions. Also I keep having to type things in which are normally auto-filled.

I'm afraid I'll have to go to bed now, sorry. But if you have anything to add, I'll check in the morning. Thanks for helping me (also maybe it will help the computer if it has a shut down as well).
Former Hamster
retired moderator
#29 Old 22nd Jul 2014 at 4:33 AM
Honestly? I'd get rid of that SlickSavings thing AND I'd get rid of all the toolbars. I don't like them and know that some of them are downright dodgy.

Not sure why you're having trouble with the thread subscription. That's something Delphy could answer. You're welcome for the help I've been able to give so far. At the moment I can't think of anything else though, my brain insists on a certain bedtime and tends to shut down well before the rest of me, lol.
In the Arena
retired moderator
#30 Old 22nd Jul 2014 at 4:48 AM Last edited by ellacharmed : 22nd Jul 2014 at 5:47 AM. Reason: added spoiler and links
The processes show that you have 2 AntiVirus apps: McAfee and Avast. Having 2 might conflict and cause issues. If you choose Avast, get rid of anything that has McAfee in its name. Or you can have 2 Antivirus, but can only have one running LIVE scans and be resident in memory at Startup. The other can be a backup but only run upon your command.

And did you rename the HijackThis executable? What name? Because I saw a BaronFace.exe and I wondered what that is. Google wasn't much help as it returns this thread in its search result.

First thing I'd do is to go to Control Panel, and uninstall absolutely everything that you don't use or that you don't recall installing yourself. This includes the Coupon stuff and anything that has the word "Toolbar" in its name, and the ones I provide links to in the additional guides below. If Windows cannot uninstall, use CCleaner or Revo Uninstaller.

Second thing, check c:\windows\system32\ path. Are there any files there? The report shows that you're missing a lot of the Windows services files. If you enter %systemroot% in the address bar of Windows Explorer, what path does that shortcut lead to? Removal or renaming of Windows files is a sure-fire sign of an infestation.

3rd: verify running programs for their source and validity.
Do you really run the Windows Sidebar? With gadgets? Like for Weather, CPU usage, calculator or other services? That's also an easy way to become a target for malicious programs. If you don't recall setting this to be used, or if the computer manufacturer enabled this by default, it is safer to disable this.

The following (includes the spoiler below) are the lines that raise a red flag in my mind...can you check the path for these programs and, if they fit the symptoms and details in the linked pages, go ahead and remove them. You can use an MD5 checker to check that they match...I wrote a blog post on using MD5 Checker to verify EXEs
  1. "userinit.exe" http://www.iobit.com/exedll/userinit-exe.html and http://www.shouldiblockit.com/useri...4ec7380f89.aspx
    • it is suspicious that this is running on a Win 7 machine, as this is mostly an XP-specific program
  2. "Sidebar.exe" http://www.shouldiblockit.com/sidebar.exe-370.aspx
  3. "ApplicationUpdater.exe" http://www.bleepingcomputer.com/sta....exe-26318.html



If MBAM cannot run, you can go to <install path>\Malwarebytes Anti-Malware\Chameleon\Windows and run the "chameleon.chm". It would let you test all the different executables there if the main mbam.exe happens to be corrupted/infected.

Best case scenario to fix infestation is to use a LIVE CD that you install to a CD or USB from a known clean machine. So that any nasties that have corrupted the boot loader, those that also get past the Windows Safe Boot, won't even be loaded and can be removed. It is like when Sims 3 crashes and is still locking the file, and the next time you try to load the game you get a "Serious Error has occurred". It is because to the system this file is locked and in use. If a file is reported as "in use" it cannot be cleaned up and deleted.
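Added example (editor's note, not part of the thread or of any tool mentioned in it): the checks the post above asks for, done in PowerShell instead of by hand. It resolves %SystemRoot%, looks for each file where Windows would actually load it from, records MD5 and SHA256, and reads the Authenticode signature. It also prints the Winlogon Userinit and Shell values, because userinit.exe is a normal part of Windows 7 as well as XP; the useful question is whether the copy in system32 is signed and whether anything extra has been appended to the Userinit value. Assumptions: Windows 7 or later, PowerShell 4.0 or newer (Get-FileHash), an elevated prompt, and the file list below, which is constructed from the names in the thread plus a few core binaries.

```powershell
# Added example (not from the thread). Checks the files a HijackThis log reports
# as "(file missing)" or that were flagged above: does the file exist where
# Windows expects it, what are its hashes, and is it signed?
# Assumptions: Windows 7+, PowerShell 4.0+ (Get-FileHash), elevated prompt.
# The file names are the ones named in the thread plus a few core binaries;
# edit the list to match your own log.

$SystemRoot = [Environment]::ExpandEnvironmentVariables('%SystemRoot%')
Write-Host "%SystemRoot% resolves to: $SystemRoot"   # expected: C:\Windows

$Candidates = @(
    'userinit.exe',      # normal Windows 7 logon component, lives in system32
    'svchost.exe',
    'services.exe',
    'explorer.exe',      # lives in %SystemRoot%, not in system32
    'sidebar.exe'        # %ProgramFiles%\Windows Sidebar on Windows 7
)

function Find-WindowsFile {
    param([string]$Name)
    # Look in the places Windows would load the file from; first hit wins.
    $dirs = @(
        (Join-Path $SystemRoot 'system32'),
        $SystemRoot,
        (Join-Path $env:ProgramFiles 'Windows Sidebar')
    )
    foreach ($d in $dirs) {
        $p = Join-Path $d $Name
        if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
    }
    return $null
}

function Get-FileReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $path = Find-WindowsFile $name
        if (-not $path) {
            [pscustomobject]@{ Name = $name; Path = '(file missing)'; MD5 = ''; SHA256 = ''; Signature = '' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name      = $name
            Path      = $path
            MD5       = (Get-FileHash -Path $path -Algorithm MD5).Hash
            SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Signature = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        }
    }
}

Get-FileReport $Candidates | Format-Table -AutoSize

# The Winlogon values decide what runs at logon. On a clean Windows 7 install
# Userinit is "C:\Windows\system32\userinit.exe," (trailing comma included) and
# Shell is "explorer.exe"; anything appended after them is launched at every logon.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
[pscustomobject]@{ Userinit = $wl.Userinit; Shell = $wl.Shell } | Format-List
```

Two caveats when reading the output. A hash only proves the file is the same build as the one the website hashed; Windows files differ between service packs and updates, so a mismatch against a website's MD5 is not by itself proof of tampering, and a HashMismatch or Valid signature status is the stronger signal. On an older PowerShell, NotSigned for a Windows binary can simply mean the file is catalog-signed rather than carrying an embedded signature; the authoritative check for Windows' own files is `sfc /verifyonly` from an elevated prompt.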
Scholar
Original Poster
#31 Old 22nd Jul 2014 at 10:07 AM Last edited by Dizzy-noodles : 22nd Jul 2014 at 11:16 AM.
Well the sleep hasn't worked for either of us, the computer is still misbehaving and I feel ill! lol!

mustluvcatz - Oh good, I like getting rid of things. Sometimes it's better than getting new things! The subscription seems to be working today.

ellacharmed - Oh thanks, I didn't know that. I've got a mixture because to have a whole one of something I'd have to pay. How do I tell it to only run on my command?

Yeah I did, sorry, Baron is my dog and I was looking at his face at the time. I was advised to rename it as some viruses know what it is otherwise.

I'm not at all computer savvy, so I'm not sure which things are safe to remove. I seem to have a lot of Microsoft Visual C++ things, which I think I installed when I was trying to fix my GIMP, do I need them all?


I can't find anything called 'path' in there . The missing files have been worrying me quite a bit. %systemroot% leads to a file that just says 'Windows', do you need a photo of what's in it?

What's the Windows Sidebar? I don't think I use anything like that.

Thank you for helping by the way. EDIT-Ok I've got this far , but I'm not sure what to do next.

What's a LIVE CD?

Also I still keep getting the error messages from post #3, even though I have removed Datamgr.

EDIT2 - I think I've got rid of the toolbars


EDIT3 - I have downloaded 'Should I Remove It'. I'm just going to have a read of it all.

I keep thinking that my computer is so messed up that restoring to factory settings would be the best, what do you think?

Thanks
Former Hamster
retired moderator
#32 Old 22nd Jul 2014 at 1:50 PM Last edited by mustluvcatz : 22nd Jul 2014 at 4:19 PM. Reason: omg, typo that made a sentence not make any sense :)
The Live CD- that's a CD (or it can be on a USB drive) with an operating system on it. When you use it your hard drive isn't used- which means that you can alter files on it because they're not being used- which, in turn, means that you can get rid of malware easier because the hard drive isn't being used. Did that just confuse you more? If so, sorry.. I just woke up a bit ago and haven't even finished my first cup of coffee. Think of it this way: if you're using a Live CD, your hard drive isn't invited to the party and is left sitting at home alone in the dark. That means that you can sneak up behind any nasties on it because they don't know you're there. Without the Live CD, the hard drive is partying hard and you can't sneak up behind those nasties because they know you're there and can't use any defenses they might have. You probably don't have a Live CD because that's something you have to make. Like Ella said, that has to be made on a computer that you know is clean.

So, no- simply restoring to factory settings through Windows may not help because your hard drive will be in use. Some of the nasties out there can bury themselves deep and hide from you- which is one of the defenses they may have.

Your HijackThis log: I see some lines with Toolbar. Did you run CCleaner to clean the registry? And did you check your Chrome add-ons/extensions to make sure they were removed or disabled? (Assuming that they were add-ons or extensions in the first place.)

These 3 things from Ella's post: userinit.exe, Sidebar.exe and ApplicationUpdater.exe - I'm not completely sure how to get rid of those. I'm pretty sure Sidebar is Windows Gadgets (Weatherbug for example) and would think there would be an uninstaller for that.

*****************************
edit: Worst case scenario is that you'd have to wipe your hard drive. Wiping is different than simply reformatting through the Windows options. When you wipe (also called scrub) a hard drive you overwrite all data on it with 1's and 0's- leaving you with a.. blank slate with absolutely nothing on it that can be retrieved. (Simply reformatting DOES leave data on it that can be retrieved.) This is something I've done once and it was a learning experience. (Boy, was it ever!) But I ended up with a working computer that worked until the hard drive died a natural death. And all it cost me was a few grey hairs and a 12 pack for the person whose clean computer I borrowed. But, like I said- that's a worst case scenario! And I went through all of that because I didn't have anyone to help me with the original problem I had- which was malware that was buried deep. YOU, on the other hand, DO have help. So just keep taking deep breaths- if it comes down to having to make a Live CD someone will be able to walk you through that and how to use it.
In the Arena
retired moderator
#33 Old 22nd Jul 2014 at 4:06 PM
  1. "Run on your command" - by this I meant that only Avast is running in System Tray and in Services (Start menu > Search bar > msconfig > Services tab). And when you want to run McAfee, you suspend the Avast service from System Tray and launch McAfee Scan to scan a drive or folder or whatever. So at any one time, only one Antivirus is running.
  2. Control Panel image. Leave any Microsoft installers or Microsoft updates. I see you have multiple Java, that is also one program that is best to have only the current version running and uninstall all the old versions.
  3. c:\windows\system32\ "path" is the location "path". I was trying to ensure the files listed in your HijackThis log as "(file missing)" are still intact and not actually missing. And that "%systemroot%" is pointing correctly to "C:\Windows" and so "%SystemRoot%\system32\" does bring you to "C:\Windows\system32\" correctly.
  4. What is Windows Sidebar, and why is it bad? http://www.nbcnews.com/tech/gadgets...gadgets-f879132
  5. new HijackThis log shows that the services are still trying to run all those missing and uninstalled programs.

Why don't we start over? Back from the top? When you mentioned you have CCleaner, I had assumed you had used that tool to do most of the cleanup together with MBAM.
  • Launch CCleaner (is this the most current version? if not, please update)
  • Go to Tools tab > Startup. If you know what you want running and not running, you can go through each of those tabs and disable any entries that you don't use on a regular basis, or any entries that you don't need at your fingertips. Eg: on my Windows tab I disable any links to program that I don't want running in the background as I always want to read what the updates for them would do as I don't trust their AutoUpdates. And I have 4 shortcuts to run at Startup and that's it. I go through the same process for the other tabs.
  • If you are not confident what to enable or disable, post the images of each tab with the Program and File column showing in full.

We'll proceed with next steps after this...
Scholar
Original Poster
#34 Old 23rd Jul 2014 at 5:16 AM
Thank you both, and sorry for the late reply. I wasn't feeling well, went for a nap, and ended up sleeping for ages.

mustluvcatz - I see, thanks. I could probably make one of those on my mum's computer or my sister's computer, although I haven't checked if they're clean.

As for those toolbar lines, I don't know what they are. I removed anything that said toolbar from the control panel, and the only one that shows up under extensions is avast. I did use Ccleaner to clean the registry. Should I remove them with Hijack This?

So I should get rid of userinit.exe, Sidebar.exe and ApplicationUpdater.exe? I wasn't sure what to put in the MD5 checker for Saved MD5.

ellacharmed - I had a look and it says that McAfee is stopped, but I haven't changed anything.

The missing files are worrying me, I don't know how to get them back.

I might do a new Hijack This scan, because (fingers crossed) I haven't had any error messages since turning the computer on about half an hour ago.

I think it's up to date, I clicked where it said new version available, and it wanted me to pay for an 'upgrade', so I left it. I only got it a few months ago.


Thanks
In the Arena
retired moderator
#35 Old 23rd Jul 2014 at 5:44 AM Last edited by ellacharmed : 23rd Jul 2014 at 5:53 AM. Reason: added adobearm.exe to disable list
Where are you downloading CCleaner from? My version is v4.15.4725.
Of course, they would prompt for people to buy it, I just scroll down and click "No Thanks!" Get it here: http://www.piriform.com/ccleaner/download/standard

There is still one McAfee executable getting started at each windows boot, according to that Startup screen.

If you don't use any of these, it is safe to disable them (for now). If disabling causes some app that you use to not work correctly, it can be re-enabled later.
- Adobe's entry for AdobeARM.exe http://www.bleepingcomputer.com/sta....exe-25493.html
- is the Kodak entry for the AIO Printer still connected and in use? If not, disable it.
- anything Toshiba can be disabled as they are mostly superficial stuff, like extra menus on the system tray. if you don't use them, disable!
-- one exception is the entry for "hwsetup.exe". this might be tied to the keyboard's wake from sleep and USB ports. leave this enabled
- disable the McAfee entry

You can always input "Publisher-Name <name of exe file>" in a search engine (without the " and <>), and there'd be numerous entries like the shouldIremoveit website I linked to above to advise on its purpose and validity status.

I think we also need to see the Google Chrome tab, since that is the cause of all your troubles.
Scholar
Original Poster
#36 Old 23rd Jul 2014 at 11:27 AM Last edited by Dizzy-noodles : 23rd Jul 2014 at 12:34 PM.
Thanks, I downloaded it from your link.

I'm still trying to catch up on bits of advice. I just tried what you said about the Malwarebytes chameleons. Chameleon 8 sort of worked, it tried to run it, but I got this error message. None of the other chameleons worked.

Also, I've been reading back through this thread. Is the LIVE CD to fix Malwarebytes, or all the computer's problems?

I have been trying to get rid of the bolded toolbar lines below, with no luck. Even running as administrator doesn't work.


I went to my Internet Explorer, and deleted all toolbars except Google, which didn't help.

I'm not sure if I have got rid of userinit.exe, Sidebar.exe and ApplicationUpdater.exe. How do I check?

CCleaner stuff:


Sorry for such a long post, it's just that when it comes to computers I have no idea what I'm doing! I'm really grateful for all the help
In the Arena
retired moderator
#37 Old 23rd Jul 2014 at 3:57 PM
I suggested starting over, since to do cleanup, we need to do the steps in a certain sequence. Since some apps won't uninstall cleanly (if badly coded) while the file is being used or loaded as a service or in memory. So no point to keep asking you to provide a HijackThis log or MBAM if things that have already been cleaned up are still being scanned. The report is no longer accurate.
And you need to do only the things I ask from now on. Or we might need to backtrack and repeat things over again. If you're unsure, just ask before proceeding...

  1. Startup: Toshiba's TCrdMain.exe & KENotify.exe
    • I missed these on the first pass, sorry. Looks like they control your Function keys - those F1 - F12 keys - on top of the numeral keys. If you use these FN keys extensively, re-enable them (the KENotify.exe is grayed out)
  2. IE and Google: looks good
  3. Scheduled Tasks:
    • remove everything. Why do you need to schedule a program like a game or Milkshape? You start them from icons in the Start menu or on the Desktop, don't you?
    • Program Compatibility Assistant pcaluaexe can be removed. more - http://answers.microsoft.com/en-us/...25-ed5bb9032e9b
    • Pareto Logic - remove! http://www.techrepublic.com/forums/...-friend-or-foe/
    • FBTDDIW - what game is this? what's in the folder if you go to this location in Windows Explorer? remove for now. the game is not scheduled to launch to run at a specific time, right?
      • you set a lot of things in Compatibility mode, huh. I've never had to set ms3d in Compatibility mode (yes, I have Win 7). And for Sims, if you have it, should only be one entry in there, for the executable you use to start the game. And why under Scheduled Task? Something's weird...so let's remove these first and if you need to, you can reset the exe to be in Compatibility mode when you next run the respective programs
    • those 2 games you mention, are you able to redownload and reinstall them? Weird that games have symbols in their names and are an acronym
  4. Context menu: why are there duplicates? If you do use them, have only one entry per Program. They are located in the same location and for the same exact filename, correct? Remove the 00avast and the other (there's 3 entries!). If you don't use them, disable and we'll uninstall them next.

Tip: you can resize the Ccleaner window so you don't have to take separate images to make things fit. Just drag the borders and the column to size them before you screencap.
Tip 2: To see what time these Scheduled Task are scheduled for in Computer Management and what they actually do, click Start menu > right-click the Computer icon, and select Manage. See image. The scheduled task (even the disabled ones) have a corresponding entry in the Task Scheduler under System Tools.

After you've disabled all these, reboot the laptop. Let me know if you get any error messages pop up with all these stuff getting disabled. Do a quick test with Chrome, is issue still there?

Next task is to go through and uninstall all your unused Programs. You can use the tab in CCleaner or the Control Panel in Windows. Go through each item, ask if unsure with an image (resize the window and columns first).
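Added example (editor's note, not part of the thread; it is not CCleaner's or HijackThis's code): the Startup and Scheduled Tasks review from #33 and #37 done from a PowerShell prompt. It reads the Run/RunOnce keys, the two Startup folders and the output of schtasks.exe, works out which program each entry launches, and flags every entry whose target is no longer on disk. Those dangling entries are the "services still trying to run uninstalled programs" symptom from #33, and for scheduled tasks it also shows the next run time that Tip 2 above sends you to Task Scheduler for. Assumptions: Windows 7 or later with PowerShell 3.0 or newer, an English Windows (the schtasks column names are localised), and an elevated prompt so the HKLM keys and all users' tasks are readable.

```powershell
# Added example (not from the thread). Enumerates the autostart locations that
# CCleaner's Tools > Startup and Scheduled Tasks tabs display, read directly
# from the registry Run keys, the Startup folders and schtasks.exe, and flags
# every entry whose target program no longer exists on disk.
# Assumptions: Windows 7+ with PowerShell 3.0+, English Windows (schtasks
# column names are localised), elevated prompt.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-TargetExecutable {
    param([string]$Command)
    # Pull the program out of a command line: a leading quoted path, else
    # everything up to the first ".exe", else the first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if     ($cmd -match '^"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($cmd -match '^(.+?\.exe)') { $exe = $Matches[1] }
    else                               { $exe = $cmd.Split(' ')[0] }
    # A bare name such as rundll32.exe is found through PATH, as the loader does.
    if ($exe -and -not (Split-Path $exe -Parent)) {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($found) { $exe = $found.Path }
    }
    return $exe
}

function New-AutostartEntry([string]$Kind, [string]$Name, [string]$Command) {
    $target = Get-TargetExecutable $Command
    [pscustomobject]@{
        Kind    = $Kind
        Name    = $Name
        Target  = $target
        Exists  = [bool]($target -and (Test-Path -LiteralPath $target -PathType Leaf))
        Command = $Command
    }
}

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = (Get-ItemProperty -Path $key).PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' }    # drop provider metadata
        foreach ($v in $values) {
            $entries += New-AutostartEntry 'Run key' "$key\$($v.Name)" $v.Value
        }
    }
    # Startup folders: every file here runs at logon (.lnk targets are not resolved).
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        foreach ($f in Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue) {
            $entries += New-AutostartEntry 'Startup folder' $f.Name $f.FullName
        }
    }
    # schtasks /v repeats its CSV header for every task folder; drop those rows
    # and the COM-handler tasks, which have no command line to check.
    $tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
             Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -ne 'COM handler' }
    foreach ($t in $tasks) {
        $e = New-AutostartEntry 'Scheduled task' $t.TaskName $t.'Task To Run'
        $e | Add-Member -NotePropertyName NextRun -NotePropertyValue $t.'Next Run Time'
        $entries += $e
    }
    return $entries
}

$all = Get-AutostartEntries
$all | Sort-Object Exists, Kind, Name | Format-Table Exists, Kind, Name, Target -AutoSize

# Dangling entries: the target is gone, so the entry can only produce errors at
# startup. Review each one, then delete the Run value, shortcut or task.
$all | Where-Object { -not $_.Exists } | Select-Object Kind, Name, Command
```

This covers the same places CCleaner's two tabs do, not every place Windows can start a program from: services (the msconfig Services tab), the Winlogon values, browser extensions and a few others are separate. Sysinternals Autoruns lists all of them in one view and is the tool to reach for once the obvious entries are gone.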
Former Hamster
retired moderator
#38 Old 23rd Jul 2014 at 10:43 PM
Since Ella's got you covered here, I'm going to just sit on the sidelines now.
Scholar
Original Poster
#39 Old 24th Jul 2014 at 11:25 AM
Thank you so much for helping.

I just thought I'd let you know I have to tidy the house today, ready for going on holiday (my auntie and cousin are dog-sitting), so I won't be able to do any work on the computer until this evening at least, possibly tomorrow morning. I do really appreciate the help though and I will definitely follow your instructions.
In the Arena
retired moderator
#40 Old 24th Jul 2014 at 2:53 PM
@mustluvcatz,
of course chime in when you see something off! Doesn't mean you can't comment or give feedback. I just saw things going around in circles and thought to help. The plan is to clean up anything not needed to be run or launched on Startup or in the background, uninstall stuff, clean-up any remnants of uninstalled Apps, and only then run MBAM, Antivirus, Ccleaner, Spyware Search & Destroy, HijackThis. Maybe not all is needed, we'll see how things go.

@Dizzy-noodles,
time lag's not an issue, it's a forum not a chat room. I steal bits of time here and there myself...
Former Hamster
retired moderator
#41 Old 24th Jul 2014 at 5:05 PM
@ellacharmed - Yeah, I know things were going in circles so I'm glad you stepped in because I wasn't sure how to stop the merry go round, lol. Not being familiar with HijackThis didn't help- I'm just used to using MalwareBytes and other programs where you need to restart to finish the process. Don't worry, if need be I'll speak up.
Née whiterider
retired moderator
#42 Old 24th Jul 2014 at 11:36 PM
It's always interesting seeing other people's methods of solving malware issues, because everyone has a different process. I like HijackThis as a starting point because it helps identify things, can sometimes fix them itself, and if not, it gives you a good place to start in googling specific removal steps for the particular nasty you've got.

What I lack in decorum, I make up for with an absence of tact.
Scholar
Original Poster
#43 Old 25th Jul 2014 at 11:46 AM Last edited by Dizzy-noodles : 25th Jul 2014 at 12:41 PM.
Hello again.

ellacharmed-Thanks, I am working through these one at a time:

1. I re-enabled the KENotify.exe

2. Yay!

3. a)Sorry to be thick, but please can I just double-check that you want me to delete these things, not just disable?
b)pcaluaexe-In the link you gave me, MeadowsPV said that they wouldn't delete it. Is it ok to just disable it instead?
c)I have deleted Pareto Logic.
d)FBTDDIW is Far Beyond The Doki Doki In Warsaw. There are more details here if you need them http://lemmasoft.renai.us/forums/vi...hp?f=11&t=21601 . Is this what you wanted to look at? As far as I know it's not scheduled to run at a certain time, but I could never get it to run anyway.
e)I have set some things in compatibility mode when I was trying to fix problems with them, such as Milkshape crashing, and those games not running. I don't remember doing it for Sims though. I don't know why they are in Scheduled Tasks, I'm sure I didn't set that up.
f)I probably can, if I can find them. Is it better to do that now, or wait until my computer is working a bit better? As for the game names, I think a couple of them are homemade by amateurs. They are dating games, which are apparently simple to make.

4. I have disabled 00avast, but the other duplicates seem to be something different under the Key heading, which ones should I disable?

Tip1-Thanks, I have just tried though, and I can't drag the borders, only the columns.

Tip2-The Task Scheduler Library seems to be missing

Is a reboot shutting the computer down, and then starting it up again? I've just done that, so if it means something else, please tell me and I will do it. I have had no error messages so far. The Google Chrome problem is still there.

Sorry to be a pain, but I am stuck on whether or not to uninstall these programs:


mustluvcatz-Feel free to add things too, I am learning from both of you(hopefully it's all going in!).

Sorry to keep asking, but am I supposed to be trying to get Malwarebytes to work? It's still not working, I did download it again, and re-named it, but then it asked me if I wanted it to go in the folder with the original version, so I said yes, and it gave me the same error message as before. Was I supposed to say no? Would it let me make a new folder in there?

Thankyou for all the help, I'm really grateful. Unfortunately I am going on holiday tomorrow morning, for a week, and I don't know if I will have internet access or not. Hopefully I will, but if not, then I will definitely check back here when I get back.
In the Arena
retired moderator
#44 Old 25th Jul 2014 at 11:56 PM
  1. Disable vs remove: disable first if not confident you're going to need it. can always remove later
  2. pcalua.exe: just remove for now. After we've cleaned things up, we'll see if the system even needs Compatibility settings for any old programs. Sometimes it is Windows stuff that is acting up that is giving us the impression old programs don't work in Win 7/8/8.1
  3. your games: leave it, if it is a hassle to re-download and re-install, we'll wait to see what all the security scan programs return for them
  4. context menu: right! I missed that it is for different contexts - whether you right-click on a folder or file. The Directory and Folder naming also threw me. So, it's fine to have duplicates if they are for different Keys
  5. Task Scheduler Library: you need to expand to see the actual entries one level below that
  6. reboot: yes, shutdown and restart, or simply restart from the menu would do
  7. Google Chrome problem: what's the version of Chrome you're using? And have you uninstalled, redownload and reinstall since the problem started? If not, we'll tackle this bit when we reach the uninstall programs portion of the cleanup
  8. uninstalling
    • you can sort by date installed and go down the list. if you never used them, get rid of it.
    • uninstall all Java instances except for the latest (Version 7 Update 65)
    • uninstall the Systems Requirements Lab's 2 entries
    • leave anything by Microsoft be
    • uninstall Chrome and MBAM, download the latest versions but don't install yet; we're going to need to let CCleaner do its thing after all this Uninstalling exercise
    • if you're hesitant to uninstall anything - use Firefox - search its name and locate the installer for the program, and download this to the desktop for later use (name the folder Hold or something meaningful to you). So when you know you can reinstall it easily, can have more confidence of uninstalling; this way we also know the Program is the current version. But don't install things right away, only install them when you find yourself looking for that program. This way, after 6 months or so, if there are still uninstalled and unused programs in that Hold folder, you can totally delete it and you're assured of no junk and unused programs in the system. It is the same thing I do for my wardrobe - it is a variation of the unturned clothing-hanger trick.
    • if you are hesitant to switch web browsers simply because of the hassle of no access to your bookmarks, use a service/program to sync it. I've used http://www.xmarks.com/ for years. It has support for all the major web browsers as an extension/add-on. And I have things sync so I have my bookmarks on my cellphone, tablet, whichever PC or Mac and web browser I use. For temp machines (not my permanent system), I simply logon to the web version and have access to my bookmarks on the web. Does mean that it needs Internet connection, however.

ps: No need to check in while you're on holidays. Have fun on vacation! Works out well as I won't be around after this for the whole weekend, back on Tues.
pps: I think I answered everything; if not, just repeat the question when we get back to this in a week.
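Added example (editor's note, not part of the thread): the "sort by date installed and go down the list" step from item 8, done from PowerShell so the list can be kept and re-checked later. It reads the same Uninstall registry keys that Control Panel > Programs and Features reads, sorts by install date, and then groups entries whose names differ only by a version number, which is how the several Java installs show up as one product with old versions still present. Assumptions: Windows 7 or later, PowerShell 3.0 or newer, an elevated prompt, and the name-normalising regex, which is a heuristic of my own rather than anything Windows provides.

```powershell
# Added example (not from the thread). Lists installed programs from the
# registry Uninstall keys (what Programs and Features reads), newest first, and
# groups products that are installed more than once under different versions.
# Assumptions: Windows 7+, PowerShell 3.0+, elevated prompt.

$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledPrograms {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # hide hidden components, as Control Panel does
        ForEach-Object {
            $date = $null
            # InstallDate, when present, is a yyyyMMdd string
            if ($_.InstallDate -match '^\d{8}$') {
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $date
                Uninstall   = $_.UninstallString   # the command Control Panel runs
            }
        } | Sort-Object InstallDate -Descending
}

function Get-DuplicateProducts {
    param([object[]]$Programs)
    # Heuristic (my own): strip version numbers and "Update N" so that e.g.
    # "Java 7 Update 65" and "Java 7 Update 51" group as one product.
    $Programs |
        Group-Object { ($_.Name -replace '\s*(\d+(\.\d+)*|Update\s+\d+)\s*', ' ').Trim() } |
        Where-Object { $_.Count -gt 1 }
}

$programs = Get-InstalledPrograms
$programs | Format-Table InstallDate, Name, Version, Publisher -AutoSize

foreach ($group in Get-DuplicateProducts $programs) {
    Write-Host "Multiple versions of '$($group.Name)':"
    $group.Group | Sort-Object Version | Format-Table Version, Uninstall -AutoSize
}
```

The grouping is a prompt for a decision, not a removal list: it will also put the various Microsoft Visual C++ redistributables together, and those are separate runtimes that different programs depend on, which is exactly why the advice above is to leave anything by Microsoft alone. For the Java group, the Uninstall column gives the command for each old version once you have confirmed the latest one is the one you keep.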
Scholar
Original Poster
#45 Old 11th Aug 2014 at 10:06 PM Last edited by Dizzy-noodles : 19th Aug 2014 at 4:24 PM.
Hello, I'm back, sorry for the delay, I kind of had a lot to sort out after my holiday.

1&2. So I removed some things from Startup:


3&4. I have left the games as they are.

5. I expanded the Task Scheduler:


6. I see, thanks.

7. I have just now uninstalled and re-installed Google Chrome. Fingers crossed, it seems to be working well! It hasn't frozen once in the last 5 minutes!

8. a)Do I need Cisco EAP-FAST Module, Cisco LEAP Module, and Cisco PEAP Module? I have never used them. I googled them and it said they are to connect to a domain network. I don't know what that is, so I don't think I have ever done it.



9. I did as Slig advised, and asked for help on the Malware website about the Malware not working. That is fixed now.

10. Here's my latest HijackThis scan:



Thanks
Scholar
Original Poster
#46 Old 18th Aug 2014 at 12:13 PM
I hope no-one minds if I bump this, sorry, I'm not sure if anybody has seen it or not. Thanks
Test Subject
#47 Old 20th Oct 2015 at 1:33 PM
Thanks for giving me the useful information. I think I need it. Thank you


educba
 