My mom started deleting things and downloading things and NOW?!?

[abmetzy1]

Hello there I spent a better part of the day on the phone with my dad trying to download Java to his SLOW computer. It didn't take, so finally I have him run an OTL. Essexboy or Pondus, if there is any help you can offer in this mess I will be so grateful. I will try to get him hooked up on here but, it crashes and can take a 1/2 hour to do anything. I am attaching the logs both are pasted to the same note pad...Thanks in advance!

[Secondmineboy]

What you could do for now is to delete any unneeded software.
Then download and install Ccleaner and delete any crap on the PC.

Then i would uninstall AVG, its a really bad idea to run 2 AVs at the same time, also ITS COMPLETELY OUTDATED.
Please use one of this tools here to uninstall AVG: http://www.avg.com/de-de/utilities
ALSO UPDATE AVAST, HE IS RUNNING VERSION  (newrest is 2014.9.9.2011 http://forum.avast.com/index.php?topic=142936.0)

Then go to start>run and type in msconfig.
In the Window select the services tab and click hide all Microsoft services at the bottom and then disable everything except from the Antivirus.

Then go to start>All Programs>Accessories>System programs>Disk defragmenter and run this, should be run every few weeks.
Also go to the system start tab and do this there as well.

This could help a bit for now.

[polonus]

Hi abmetzy1,

Well it is getting towards midnight here on this side of the great fishing pond, so both Pondus and essexboy might be already "on one ear" (23.19 GMT while I write this message). But one of them will sure come to the rescue, be assured of that. Don't be too harsh on your mum and pat your dad on the back. Wait for an answer of one of our qualified removal/restoring experts and follow their instructions to the dot,

polonus

[abmetzy1]

Thanks Polonus and Steven...I am getting them on the road to recovery right now. Can't wait to hear more about what they need to do next?

[Michael (alan1998)]

Deleted by OP since Malware Analyst has arrived

[essexboy]

Hi there, dejunking time

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2013/12/16 04:09:22 | 002,251,552 | ---- | M] (Conduit) [Auto | Running] -- C:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe -- (CltMngSvc)
SRV - [2013/12/10 12:10:24 | 000,418,808 | ---- | M] () [Auto | Running] -- C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe -- (Level Quality Watcher)
SRV - [2013/12/04 14:46:36 | 000,273,000 | ---- | M] (Highlightly) [Auto | Running] -- C:\Program Files\Highlightly\Service\hlsvc.exe -- (hlsvc)
DRV - [2013/12/04 14:46:36 | 000,052,752 | ---- | M] (Highlightly) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\hlnfd.sys -- (hlnfd)
IE - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
IE - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?ctid=CT3311835&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP6881D239-84D0-447E-8203-B72407D19D94&SSPV=
IE - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
IE - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008\..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3287808&octid=EB_ORIGINAL_CTID&SearchSource=62&CUI=UN53608118917042117&UM=2&UP=SP6881D239-84D0-447E-8203-B72407D19D94&q={searchTerms}&SSPV=
IE - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008\..\SearchScopes\{A9548A5C-F0B4-4FBE-8454-3FD2FDE671EC}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3287808&CUI=UN53608118917042117&UM=2
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}: C:\Documents and Settings\Harry\Local Settings\Application Data\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\ [2014/01/01 09:28:41 | 000,000,000 | ---D | M]
O2 - BHO: (Plus-HD-1.3) - {11111111-1111-1111-1111-110311121157} - C:\Program Files\Plus-HD-1.3\Plus-HD-1.3-bho.dll (Plus HD)
O2 - BHO: (Highlightly) - {83F2328D-0D6A-42B4-B0C4-02A929EDD4BE} - C:\Program Files\Highlightly\IE\HighlightlyClientIE.dll (Highlightly)
O2 - BHO: (GreatArcadeHits Add-on) - {D0C21091-FF8E-432C-9006-0540E81BA9D7} - C:\Documents and Settings\Harry\Local Settings\Application Data\GreatArcadeHits\GreatArcadeHitsIE.dll (GreatArcadeHits)
O3 - HKLM\..\Toolbar: (ZeroBar) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll File not found
O3 - HKLM\..\Toolbar: (ZeroBar) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll File not found
O3 - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008\..\Toolbar\WebBrowser: (no name) - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - No CLSID value found.
O3 - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3 - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008\..\Toolbar\WebBrowser: (ZeroBar) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll File not found
O3 - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008\..\Toolbar\WebBrowser: (ZeroBar) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll File not found
O4 - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: notepad.exe = msmsgs.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - AppInit_DLLs: (C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll) - C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll (Conduit)
O20 - HKU\S-1-5-21-2387997505-1346415984-2750422374-1008 Winlogon: UserInit - (C:\WINDOWS\system32\qiawpbjj.exe) - File not found
[2014/01/01 09:35:37 | 000,000,000 | ---D | C] -- C:\Program Files\SearchProtect
[2014/01/01 09:35:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Harry\Local Settings\Application Data\SearchProtect
[2014/01/01 09:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Harry\Local Settings\Application Data\VisualBeeExe
[2014/01/01 09:30:29 | 000,000,000 | ---D | C] -- C:\Program Files\Highlightly
[2014/01/01 09:29:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Harry\Start Menu\Programs\GreatArcadeHits
[2014/01/01 09:28:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\VisualBee
[2014/01/01 09:28:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Harry\Local Settings\Application Data\GreatArcadeHits
[2014/01/01 09:27:58 | 000,000,000 | ---D | C] -- C:\Program Files\Level Quality Watcher
[2008/04/07 11:54:56 | 000,389,120 | ---- | C] (Citrix Online) -- C:\Documents and Settings\Harry\GoToAssist_phone__268_en.exe
[2014/01/07 12:56:44 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\GreatArcadeHits.job
[2014/01/07 11:14:01 | 000,001,284 | ---- | M] () -- C:\WINDOWS\tasks\Plus-HD-1.3-updater.job
[2014/01/07 11:08:01 | 000,001,086 | ---- | M] () -- C:\WINDOWS\tasks\Plus-HD-1.3-enabler.job
[2014/01/07 11:08:00 | 000,001,186 | ---- | M] () -- C:\WINDOWS\tasks\Plus-HD-1.3-codedownloader.job
[2014/01/01 09:28:49 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\GreatArcadeHits.job
[2013/11/06 15:42:12 | 000,005,360 | ---- | C] () -- C:\WINDOWS\System32\AdpeakProxy.ini
[2013/11/06 15:32:48 | 000,002,312 | ---- | C] () -- C:\WINDOWS\System32\AdpeakProxyOff.ini
[2011/04/09 19:10:30 | 000,000,336 | ---- | C] () -- C:\Program Files\temp995.bat

:Files
C:\Program Files\SearchProtect
C:\Program Files\Level Quality Watcher
C:\Program Files\Highlightly
C:\Program Files\Plus-HD-1.3

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Scan.
  
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.
  

[abmetzy1]

Hi there Essexboy, my Dad is eternally grateful, he said this is the fastest parts of this computer have run even after taking it in for just that problem. Anyway, I only have the OTL scan, as it has been quite the job and he is almost done with the other scan. But he did want me to ask a couple of questions...

Facebook keeps freezing both of my parents out. They can't go anywhere, click any button or even do ctrl/alt/dlt. They have to actually shut the system down manually. Would you know of a reason for that? They use IE, I suggested trying Chrome and to see if that would help?

Also, what do you know about Scorpion Saver Services? It keeps showing up and my dad is unsure if it is important or not?

Here is your attached doc.

Thanks for saving my life!! Because I would have had to put up will all the crazy parent calls if it were not for this forum!!

[essexboy]

Got most of it first time round, a few more to kill though.  Definitely need to run AdwCleaner though as it will get the bits I cannot see

For facebook, go to manage addons in IE and disable Avast online security

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKCU\..\SearchScopes\{CB59DDF8-2D50-4521-80A8-0398C2640266}: "URL" = http://www.infospace.com/vzn.dsl.tbar.sbie7/redirs_all.htm?pgtarg=wbsdogpile&qcat=web&qkw={searchTerms}
O4 - HKCU..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun File not found
O4 - HKCU..\Run: [Sonic RecordNow!] File not found
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228" File not found
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227" File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\qiawpbjj.exe) - File not found
[2014/01/02 03:32:27 | 000,000,000 | ---D | C] -- C:\Program Files\ScorpionSaver Services
[2014/01/01 09:35:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Harry\Local Settings\Application Data\SearchProtect
[2014/01/10 18:00:10 | 000,001,882 | ---- | M] () -- C:\WINDOWS\tasks\Plus-HD-1.3-chromeinstaller.job
[2014/01/01 09:42:52 | 000,000,000 | ---- | M] () -- C:\END
[2011/03/03 19:41:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cGhNlFe06300
[2014/01/01 09:41:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Conduit
[2014/01/01 15:08:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Harry\Application Data\PriceGong
[2011/06/02 08:01:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Harry\Application Data\Sammsoft
[2013/11/06 17:05:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Harry\Application Data\SearchProtect
[2011/12/06 12:54:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Harry\Application Data\ShopAtHomeToolbar

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[abmetzy1]

My Dad ran the Ad Cleaner and here is that scan. I just now sent him the updated scan changes and the info about facebook. Thank you!

[essexboy]

For some reason it is coming up as not deleted..  Lets change programmes

Please download Junkware Removal Tool to your desktop.

• Right-mouse click JRT.exe and select "Run as Administrator" the tool will open and start scanning your system
• please be patient as this can take a while to complete depending on your system's specifications
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• post the contents of JRT.txt into your next message.

[abmetzy1]

Ok, here is the latest OTL he is running the junkware removal in the morning and then hopefully we can see where we are at. Thanks for all this and sorry it has been so long and drawn out. My parents are so grateful and so am I. It saved me lots of trips over there and phone calls. I told him next time he has to come to the forum on his own. He has been amazed at how helpful you all have been! Thanks, thanks, and more thanks!!

[essexboy]

Looking better although another bunch was downloaded with slim drivers the other day...  They must remember to use the custom install option as that is where it all comes from

Anyway as you both have Avast you do know that you can remote to their computer ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\Jump Flip\updateJumpFlip.exe -- (Update Jump Flip)
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutDtDtD0DyDyCtD0FyBzyyDtAyBtBzyyCtN0D0Tzu0CyByEtCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=84740369&ir=
IE - HKCU\..\SearchScopes\{5316878C-F539-4FF4-90DC-7A36FCB8AA53}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN13514413271091730&UM=2
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutDtDtD0DyDyCtD0FyBzyyDtAyBtBzyyCtN0D0Tzu0CyByEtCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=84740369&ir=
O3 - HKLM\..\Toolbar: (Connect DLC 5 Toolbar) - {d1b5aad5-d1ae-4b20-88b1-feeaeb4c1ebc} - C:\Program Files\Connect_DLC_5\prxtbConn.dll (Conduit Ltd.)
O4 - HKLM..\Run: [mobilegeni daemon] C:\Program Files\Mobogenie\DaemonProcess.exe File not found
O4 - HKCU..\Run: [NextLive] C:\Documents and Settings\Harry\Application Data\newnext.me\nengine.dll (NewNextDotMe)
[2014/01/11 10:47:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Harry\Start Menu\Programs\Mobogenie
[2014/01/11 10:35:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Harry\Local Settings\Application Data\Connect_DLC_5
[2014/01/11 10:35:06 | 000,000,000 | ---D | C] -- C:\Program Files\Connect_DLC_5
[2014/01/10 19:11:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Harry\Local Settings\Application Data\cache
[2014/01/10 19:11:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Harry\Application Data\newnext.me
[2014/01/10 19:11:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Harry\Local Settings\Application Data\genienext
[2014/01/11 10:47:29 | 000,000,712 | ---- | M] () -- C:\Documents and Settings\Harry\Application Data\Microsoft\Internet Explorer\Quick Launch\Mobogenie.lnk
[2014/01/11 10:47:29 | 000,000,694 | ---- | M] () -- C:\Documents and Settings\Harry\Desktop\Mobogenie.lnk
[2014/01/13 09:50:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Harry\Application Data\newnext.me

:Files
C:\Program Files\Mobogenie

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[abmetzy1]

Thanks for reminding me about  the ability to remote to their computer. I can work on that with them tomorrow. You have been so patient and wonderful to work with!! Thanks so much! I just can't say enough! If there was anything that I am good at that you ever need, just let me know. I have a BA in Political Science, Pre-Law, some graduate work in management, leadership and marketing. Also a professional organizer, and starting a non-profit to help people with medical insurance, Doctor, FMLA, and any other kind of hard to figure out paper work in the medical field as well as being a patient advocate. That non-profit also helps with budgeting and financing and dealing with insurance companies so that one would not have to file for bankruptcy. I also dabble a bit in being an online personal assistant.

Sorry about all that...but since you all have been so great to me, let me know if there is anything I could ever help with. Believe me I am good with the medical stuff!!!

[abmetzy1]

Here is this scan from my dad. He will be running that last one tomorrow.

[essexboy]

Looks OK .. Reference this from JRT

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

    Value Name          Type                             Value Data                     
========================================================================================
    NextLive   REG_SZ   C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Harry\Application Data\newnext.me\nengine.dll",EntryPoint -m l

AdwCleaner will remove that as it is more adware