Uninstall of System Progressive Protection Malware creates registry files problems


This topic is locked
40 replies to this topic

#1 venus.pemba
  • Members
  • 21 posts

Posted 12 December 2012 - 01:37 AM

First of all - thank you for your dedication to people like me!
I followed the removal instructions but then had a black screen when restarting my computer. The computer works in safe mode.
I have done a Windows startup repair but it cannot be completed, I get the message that unspecified changes to system configuration might have caused the problem. Error code 0x490.
Also get Boot/BCD failed.
I have restored the computer and can work on it in normal mode. I still see the little lock of the Malware on my taskbar.
I have also purchased Advanced System Care to assist but I get no joy...
It seems like removal of the Malware also removes some system registry files but I am no expert.

Please, please help me!



#2 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 13 December 2012 - 07:46 PM

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 venus.pemba (Topic Starter)
  • Members
  • 21 posts

Posted 14 December 2012 - 12:09 AM

Hello Tiger,

Attached the files as requested.
Thank you for your assistance.




#4 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 14 December 2012 - 07:13 AM

Please run the following:

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------
Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#5 venus.pemba (Topic Starter)
  • Members
  • 21 posts

Posted 14 December 2012 - 10:52 AM

Hi,

Quite strange, after the scan the computer rebooted and showed the log. I saved the file and attempted to open Firefox but the file was "deleted". So I rebooted the machine again and it worked!!!

Herewith then the file attached. Thank you for all your help

Attached File: log.txt (28.77 KB)


#6 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 14 December 2012 - 12:41 PM

please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 venus.pemba (Topic Starter)
  • Members
  • 21 posts

Posted 17 December 2012 - 01:29 AM

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.15.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
New :: NEW-PC [administrator]

Protection: Disabled

2012/12/15 07:39:30 AM
mbam-log-2012-12-15 (07-39-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 212044
Time elapsed: 6 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




#8 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 17 December 2012 - 01:41 AM

You will need to back up your system again once we are done and make a new set of back ups as ESET has detected infections in your previous back-ups


Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Documents and Settings\New\Downloads\cbsidlm-cbsi5_2_0_83-Wondershare_PPT_to_Video-ORG2-10708133.exe
C:\Documents and Settings\New\Downloads\cbsidlm-cbsi5_2_0_83-Xilisoft_PowerPoint_to_Video_Converter_Personal-ORG2-10976698.exe
C:\Documents and Settings\New\Downloads\oi_remoteinstallmonitorsetupexe.exe
C:\Documents and Settings\New\Downloads\SoftonicDownloader_for_pdfill-pdf-editor.exe
C:\Documents and Settings\New\Downloads\WinSpyMonitoringSoftwarePro99_downloader_by_FileCart (1).exe
C:\Documents and Settings\New\Downloads\WinSpyMonitoringSoftwarePro99_downloader_by_FileCart (2).exe
C:\Documents and Settings\New\Downloads\WinSpyMonitoringSoftwarePro99_downloader_by_FileCart.exe
C:\Documents and Settings\New\Downloads\Download\IObit Unlocker 1.0.exe
C:\Users\New\Downloads\cbsidlm-cbsi5_2_0_83-Wondershare_PPT_to_Video-ORG2-10708133.exe
C:\Users\New\Downloads\cbsidlm-cbsi5_2_0_83-Xilisoft_PowerPoint_to_Video_Converter_Personal-ORG2-10976698.exe
C:\Users\New\Downloads\oi_remoteinstallmonitorsetupexe.exe
C:\Users\New\Downloads\SoftonicDownloader_for_pdfill-pdf-editor.exe
C:\Users\New\Downloads\WinSpyMonitoringSoftwarePro99_downloader_by_FileCart (1).exe
C:\Users\New\Downloads\WinSpyMonitoringSoftwarePro99_downloader_by_FileCart (2).exe
C:\Users\New\Downloads\WinSpyMonitoringSoftwarePro99_downloader_by_FileCart.exe
C:\Users\New\Downloads\Download\IObit Unlocker 1.0.exe
C:\Windows\System32\Systesvr.exe
D:\Backup's from Vista\Documents\Downloads\MyWebFaceSetup2.3.67.1.GRman000.exe
D:\Documents\Norton Utilities 16\Recovered Files\C\Users\New\AppData\Local\Temp\Temp\F219C009-BAB0-7891-A87B-B6F132E192C2\Latest\MyBabylonTB.exe
D:\NEW-PC\Backup Set 2012-12-09 082715\Backup Files 2012-12-09 082715\Backup files 15.zip
D:\NEW-PC\Backup Set 2012-12-09 082715\Backup Files 2012-12-09 082715\Backup files 16.zip
D:\NEW-PC\Backup Set 2012-12-09 082715\Backup Files 2012-12-09 082715\Backup files 19.zip
D:\NEW-PC\Backup Set 2012-12-09 082715\Backup Files 2012-12-09 082715\Backup files 21.zip
D:\NEW-PC\Backup Set 2012-12-09 082715\Backup Files 2012-12-09 082715\Backup files 22.zip
D:\NEW-PC\Backup Set 2012-12-09 082715\Backup Files 2012-12-09 082715\Backup files 96.zip
D:\NEW-PC\Backup Set 2012-12-17 061944\Backup Files 2012-12-17 061944\Backup files 18.zip
D:\NEW-PC\Backup Set 2012-12-17 061944\Backup Files 2012-12-17 061944\Backup files 19.zip
D:\Software\cnet_freezonlinetv142_exe.exe
D:\Software\Nero 8\Nero-8.1.1.4_eng_trial.exe

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

(Screenshot: dragging CFScript.txt onto ComboFix.exe)
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please advise how the computer is running now and if there are any outstanding issues

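A dry-run reader for a CFScript in the shape of the one above, added here as an example; it is not ComboFix's code and not anything CatByte posted. The directive grammar it assumes (a `Name::` header line followed by the entry lines that belong to it, blank lines ignored) is inferred from the script's layout rather than taken from any ComboFix documentation, the sample script is constructed from three of the paths listed above, and the labels `backup-archive` and `system-location` are my own. It shows which File:: entries sit inside a Windows Backup set (the reason for the new-backups advice at the top of this post) and which sit under the Windows directory, and whether each path is currently present, without deleting anything.

```python
import os
import re

# Constructed sample: a shortened CFScript in the format posted above.
# The three File:: paths are taken from that script; the trailing tabs
# reproduce what a copy-paste from the forum code box carries along.
SAMPLE_CFSCRIPT = (
    "File::\n"
    "C:\\Users\\New\\Downloads\\SoftonicDownloader_for_pdfill-pdf-editor.exe\t\n"
    "C:\\Windows\\System32\\Systesvr.exe\t\n"
    "D:\\NEW-PC\\Backup Set 2012-12-09 082715\\Backup Files 2012-12-09 082715"
    "\\Backup files 15.zip\t\n"
    "\n"
    "ClearJavaCache::\n"
)

# Assumed grammar (mine, not a ComboFix specification): a directive header is a
# bare word followed by "::" on its own line; the lines up to the next header
# are that directive's entries; blank lines are ignored.
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")


def parse_cfscript(text):
    """Return {directive: [entries]} in the order the directives appear."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()  # strip the trailing tabs/spaces left by the paste
        if not line:
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        sections[current].append(line)
    return sections


def classify(path):
    """Flag the two kinds of File:: entry that deserve a second look."""
    low = path.lower()
    if "\\backup files " in low and low.endswith(".zip"):
        return "backup-archive"    # part of a backup set: re-create backups after cleanup
    if low.startswith("c:\\windows\\"):
        return "system-location"  # a deletion inside the Windows directory
    return "other"


def dry_run(text, exists=os.path.exists):
    """Parse the script and report, per File:: entry, its category and whether
    the path is present right now. `exists` is injectable so the logic can be
    exercised on any host; nothing is ever deleted."""
    sections = parse_cfscript(text)
    return {
        "directives": list(sections),
        "entries": [
            {"path": p, "category": classify(p), "present": bool(exists(p))}
            for p in sections.get("File", [])
        ],
    }


if __name__ == "__main__":
    for entry in dry_run(SAMPLE_CFSCRIPT)["entries"]:
        print(f"{entry['category']:16} present={entry['present']!s:5} {entry['path']}")
```

Run it on the machine whose script you are reviewing and the `present` column tells you, before ComboFix touches anything, which listed paths still exist; the `backup-archive` rows are the ones that make the existing backup set untrustworthy.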


#9 venus.pemba (Topic Starter)
  • Members
  • 21 posts

Posted 17 December 2012 - 02:08 AM

Good morning Tiger,

My computer does not want to boot up. The first boot got past the welcome screen with desktop but everything on taskbar and Start button is inactive. Second boot had black screen. I am now in Safe Mode. What should I do?

#10 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 17 December 2012 - 09:17 AM

that's very strange, let's investigate

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • Type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.



#11 venus.pemba (Topic Starter)
  • Members
  • 21 posts

Posted 17 December 2012 - 10:52 AM

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 2042.89 MB
Available physical RAM: 1617.7 MB
Total Pagefile: 4085.78 MB
Available Pagefile: 3706.67 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.48 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:58.5 GB) (Free:24.91 GB) NTFS
2 Drive d: (DATAPART1) (Fixed) (Total:149.05 GB) (Free:0 GB) NTFS
4 Drive f: () (Removable) (Total:0.47 GB) (Free:0.39 GB) FAT
5 Drive i: () (Fixed) (Total:90.45 GB) (Free:88.57 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 1024 KB
Disk 1 Online 149 GB 0 B
Disk 2 Online 484 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 58 GB 101 MB
Partition 3 Primary 90 GB 58 GB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 System Rese NTFS Partition 100 MB Healthy System (partition with boot components)

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 58 GB Healthy Boot

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 I NTFS Partition 90 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 149 GB 1024 KB

=========================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 D DATAPART1 NTFS Partition 149 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 483 MB 16 KB

=========================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 F FAT Removable 483 MB Healthy

=========================================================

Last Boot: 2012-12-10 21:22

==================== End Of Log ============================

#12 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 17 December 2012 - 11:01 AM

was that all there was for the log as most of it appears to have been cut off?



#13 venus.pemba (Topic Starter)
  • Members
  • 21 posts

Posted 17 December 2012 - 11:07 AM

Hi Tiger,

I downloaded the Farbar tool and saved it on to a memory stick but could not get the computer to boot from there, even changed boot to removable devices. I opened the Farbar from the desktop (I don't know if this is where my problem lies) and pressed the scan button. Would you like me to do that again and see what happens with the log file?

#14 venus.pemba (Topic Starter)
  • Members
  • 21 posts

Posted 17 December 2012 - 11:08 AM

Tiger, I also have a Windows repair disk that I managed to download last week and I saved that onto a CD. Do you perhaps want me to run that?

#15 CatByte (bleepin' tiger)
  • Malware Response Team
  • 14,664 posts
  • Location: Canada

Posted 17 December 2012 - 11:11 AM

The machine doesn't need to boot from the USB, it needs to boot to the Recovery Environment

either by pressing F8 and entering the Recovery Environment from there if it is pre-installed, or by accessing it through your installation disk


(print out the instructions from my previous post, that may help)
