Virus "symptoms" still present after removal

[JanetB]

FYI, the link to MCShield in this thread referenced within this link (posted in Pondus's reply on Dec 23) http://forum.avast.com/index.php?topic=53253.0  gives a 404.
Likewise for the one posted by Essexboy.

For reference:
The requested URL /downloads.html was not found on this server.

Apache/2.2.16 (Debian) Server at www.mcshield.net Port 80

I'll try tomorrow.

JB

[JanetB]

Here is the last file you asked me to attach (other than MCShield, which can't be done at the moment).

I await your review and any further instructions.

Thanks so much.

Janet B.

[essexboy]

OK I believe I can see the problem.  I will also attach the OTL fix as a text file if you are unable to copy it on the sick system

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2014/01/14 21:04:29 | 001,771,544 | ---- | M] (AVG Secure Search) [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe -- (vToolbarUpdater17.3.0)
SRV - [2013/09/06 12:29:38 | 000,235,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe -- (McComponentHostService)
DRV - [2013/11/20 15:43:41 | 000,037,664 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
IE - HKU\S-1-5-21-3334157229-1843940417-2705372315-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=F4Ohn6C-M-oPlcU5DzTcfMvYbJw?q={searchTerms}
IE - HKU\S-1-5-21-3334157229-1843940417-2705372315-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={49C36A2B-0AA1-47D5-A431-23EC18CED411}&mid=95ac9ede46df74924f9140b1d0a2b11e-4e74e30fd1940bb5905c7101d2faeb3f67145431&lang=&ds=&coid=&cmpid=&pr=&d=&v=17.3.0.49&pid=avg&sg=&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-3334157229-1843940417-2705372315-1002\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=wp4geEaPqFbgGrkkgy2vaDNcg6A?q={searchTerms}
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\17.3.0\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
[2009/12/22 08:35:06 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG8\FIREFOX
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll (AVG Secure Search)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll (AVG Secure Search)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-3334157229-1843940417-2705372315-1000\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-3334157229-1843940417-2705372315-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
[2010/03/10 17:28:54 | 002,495,592 | ---- | C] (Amazon.com) -- C:\Users\Vic\AmazonMP3Downloader.exe
[2013/04/15 20:13:03 | 000,000,000 | ---D | M] -- C:\Users\Vic\AppData\Roaming\AVG2013
[2013/11/16 17:24:36 | 000,000,000 | ---D | M] -- C:\Users\Vic B\AppData\Roaming\AVG2013

:Files
C:\Program Files\AVG Secure Search
C:\Program Files\Common Files\AVG Secure Search
C:\Program Files\McAfee Security Scan
C:\Program Files\AVG

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

If you need to copy the text file across then copy fix.txt to the desktop of the sick computer
Run OTL and press fix, a dialogue will appear asking for the location of fix.txt
Navigate to the copy on the desktop and select it
Press run fix again to execute

On completion of the fix then try to download MCShield, it should now work

[JanetB]

Thanks--I'll do this in just a bit. One question... While the fix is running, "unhindered" if the screen goes dark for lack of user activity, will that hinder progress, or is it ok? 

JB

[thekochs]

Thanks--I'll do this in just a bit. One question... While the fix is running, "unhindered" if the screen goes dark for lack of user activity, will that hinder progress, or is it ok? 

JB

....in case Essexboy is busy.............
I've run OTL fix many times.....with scripts from the experts.
Some machines you do not see any slow down....some there is.
However, trying to do anything on the machine will definitely freeze things up....in my experience.
Thus, it is best to run it and leave it alone....be patient.....leave it alone....no mouse moves, nothing.

[JanetB]

Hi--That was my plan... to just let it run without anyone touching it... but when we do that, the screen goes dark (asleep?). I think everything keeps running in the background, but I just wasn't sure.

J

[essexboy]

The fix should not taker longer than 10 minutes to run (unless the temp files are full)  You can move the mouse to keep the screen active and monitor the bar at the bottom as it progresses through the fix

[JanetB]

Hi-Just checking in.

The fix is still running. Started it about 40 minutes ago. The first part went quickly--it's been sitting at the last two lines (emptytemp and reboot) for about 20 minutes so far. Is that normal? I'll just let it keep going.....

JB

[thekochs]

Hi-Just checking in.

The fix is still running. Started it about 40 minutes ago. The first part went quickly--it's been sitting at the last two lines (emptytemp and reboot) for about 20 minutes so far. Is that normal? I'll just let it keep going.....

JB

Hmmmmmm..........Essexboy is UK so not sure if he is a sleep.
If you've never emptied your TEMP then perhaps.......I'd wait a good 30 minutes more.
If nothing happens then I'd hold off for Essexboy in morning to post.

[JanetB]

Reporting back again. So two hours later, the Run Fix is stopped in the same place.

I'll just leave it as is, until I hear back.

[Eddy]

Please do not change the topic of a thread.

[JanetB]

I'm sorry--do you mean in the subject line? The original subject is always there--"Re: Virus "symptoms" still present after removal. I was just trying to focus the subject line further  for those helping....I didn't think the subject line would matter much once the thread was established (otherwise, why would there still be a subject line), since everything is contained in this thread..... but perhaps this is not good practice.

The topic hasn't changed (other than the people who asked questions about the MCShield product (not the 404) I was instructed in this thread to run MCShield, and it came up 404. It seemed to me to be important.......

So, if the comment was meant for me--and you mean the subject line--...... it won't happen again. 

[JanetB]

Essexboy:

After three hours of being stuck on those last two lines, something happened, albeit accidentally. The screen had gone dark, I touched the power to reactivate. The same screen was still there (run fix), but then it suddenly disappeared, and the laptop shutdown. On reboot, there was a log opened on the screen. I've attached. It.

So, to be clear, this is the log that appeared at the end of the OTL Run Fix.

I'll wait until I hear from you before I do anything else, as I don't know if the "fix" completed successfully.

Thanks,
JB

[thekochs]

Essexboy:

I'll wait until I hear from you before I do anything else, as I don't know if the "fix" completed successfully.

Thanks,
JB

While we wait for Essexboy how does the laptop work ?
I think one of the initial problems was downloading files......can you now ?

[essexboy]

It was the size of the temp files plus the removal of AVG that caused the delay, sorry about that it is unusual for it to take that long.   Can you now download ?

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Attach  the entire report in your next reply.

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.