Win32.Load Money and Yandex removal advice please

Status
Not open for further replies.
Fixlist.txt log 6th installment

2014-03-21 04:03 - 2014-03-21 04:03 - 02284544 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 01247744 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 01158144 _____ (Microsoft Corporation) C:\Windows\system32\XpsPrint.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 01080832 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00906240 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00604160 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00364544 _____ (Microsoft Corporation) C:\Windows\system32\XpsGdiConverter.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00293376 _____ (Microsoft Corporation) C:\Windows\system32\dxgi.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00249856 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00220160 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00207872 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecsExt.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00187392 _____ (Microsoft Corporation) C:\Windows\system32\UIAnimation.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00161792 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\taskhost.exe
2014-03-21 04:03 - 2014-03-21 04:03 - 00010752 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00009728 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00005632 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00005632 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-03-21 04:03 - 2014-03-21 04:03 - 00002560 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-03-21 04:02 - 2014-03-21 04:02 - 01505280 _____ (Microsoft Corporation) C:\Windows\system32\d3d11.dll
2014-03-20 04:25 - 2009-07-14 10:49 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents
2014-03-20 04:25 - 2009-07-14 07:52 - 00000000 ____D () C:\Program Files\Windows Sidebar
2014-03-20 04:25 - 2009-07-14 07:52 - 00000000 ____D () C:\Program Files\Windows Portable Devices
2014-03-20 04:25 - 2009-07-14 07:52 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
2014-03-20 04:25 - 2009-07-14 07:52 - 00000000 ____D () C:\Program Files\DVD Maker
2014-03-20 04:25 - 2009-07-14 05:37 - 00000000 ____D () C:\Windows\system32\AdvancedInstallers
2014-03-20 04:25 - 2009-07-14 05:37 - 00000000 ____D () C:\Program Files\Common Files\System
2014-03-20 04:07 - 2009-07-14 05:05 - 00152576 _____ (Microsoft Corporation) C:\Windows\system32\msclmd.dll
2014-03-20 04:02 - 2014-03-20 04:02 - 00000000 ____D () C:\Windows\system32\SPReview
2014-03-20 04:02 - 2014-03-20 04:02 - 00000000 ____D () C:\Windows\system32\EventProviders
2014-03-20 04:02 - 2014-03-20 04:00 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-19 23:54 - 2014-03-19 23:54 - 00000000 ____D () C:\Users\gokarna\AppData\Roaming\Media Player Classic
2014-03-19 18:28 - 2014-03-15 14:08 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-03-19 16:29 - 2014-03-16 00:28 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-03-19 16:29 - 2014-03-16 00:28 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-03-19 16:18 - 2014-03-16 00:29 - 00002012 _____ () C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2014-03-19 16:17 - 2014-03-19 16:17 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-03-16 11:35 - 2014-03-16 10:58 - 00000000 ____D () C:\ProgramData\AnySend
2014-03-16 11:34 - 2014-03-16 10:58 - 00000000 ____D () C:\Users\gokarna\AppData\Roaming\AnySend
2014-03-16 11:15 - 2014-03-16 10:56 - 00000000 ____D () C:\Users\gokarna\AppData\Roaming\sweet-page
2014-03-16 11:04 - 2014-03-16 11:04 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-03-16 10:58 - 2014-03-16 10:31 - 00000000 ____D () C:\Users\gokarna\AppData\Roaming\DRPSu
2014-03-16 10:54 - 2014-03-16 10:55 - 01492336 _____ (Drivers For Free) C:\Users\gokarna\Downloads\DFFDriverDownloadManager.exe
2014-03-16 10:54 - 2014-03-16 10:54 - 00626056 _____ ( ) C:\Users\gokarna\Downloads\DriversForFreeSetup.exe
2014-03-16 10:36 - 2014-03-16 10:35 - 00000000 ____D () C:\ProgramData\Guard.Mail.Ru
2014-03-16 10:34 - 2014-03-16 10:34 - 00000000 ____D () C:\Users\gokarna\AppData\Roaming\Opera Software
2014-03-16 10:34 - 2014-03-16 10:34 - 00000000 ____D () C:\Users\gokarna\AppData\Roaming\Opera
2014-03-16 10:34 - 2014-03-16 10:34 - 00000000 ____D () C:\Users\gokarna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Haali Media Splitter
2014-03-16 10:34 - 2014-03-16 10:34 - 00000000 ____D () C:\Users\gokarna\AppData\Local\Opera
2014-03-16 10:34 - 2014-03-16 10:34 - 00000000 ____D () C:\Users\gokarna\AppData\Local\Chromium
2014-03-16 10:31 - 2014-03-16 10:31 - 00000000 ____D () C:\Program Files\DIFX
2014-03-16 10:31 - 2014-03-04 12:29 - 00017638 _____ () C:\Windows\DPINST.LOG
2014-03-16 10:29 - 2014-03-16 10:27 - 06782358 _____ (Kuzyakov Artur) C:\Users\gokarna\Downloads\2694_LAN_Win7-64_Win7_7006_.exe
2014-03-16 00:36 - 2014-03-16 00:36 - 00000000 ____D () C:\Users\gokarna\AppData\Local\Macromedia
2014-03-16 00:29 - 2014-03-16 00:29 - 00000000 ____D () C:\ProgramData\McAfee Security Scan
2014-03-16 00:29 - 2014-03-16 00:29 - 00000000 ____D () C:\ProgramData\McAfee
2014-03-16 00:24 - 2014-03-16 00:24 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-03-16 00:24 - 2014-03-15 15:22 - 00001753 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-03-15 21:41 - 2014-03-15 20:40 - 00000000 ____D () C:\Users\gokarna\Documents\Sexy Stockings and Smoking Girls_files
2014-03-15 21:25 - 2014-03-15 21:25 - 01069920 _____ (Solid State Networks) C:\Users\gokarna\Downloads\install_reader11_en_mssa_aaa_aih(1).exe
2014-03-15 20:40 - 2014-03-15 20:40 - 00101217 _____ () C:\Users\gokarna\Documents\Sexy Stockings and Smoking Girls.htm
2014-03-15 18:38 - 2014-03-08 11:09 - 00000000 ____D () C:\Users\gokarna\AppData\Local\Microsoft Games
2014-03-15 15:38 - 2014-03-15 15:38 - 00000000 __SHD () C:\Windows\system32\%APPDATA%
2014-03-15 15:27 - 2009-07-14 05:04 - 00450709 ____R () C:\Windows\system32\Drivers\etc\hosts.20140328-215512.backup
2014-03-15 15:23 - 2014-03-15 15:23 - 00000000 ____D () C:\Users\gokarna\AppData\Local\Apple Computer
2014-03-15 15:22 - 2014-03-15 15:22 - 00000000 ____D () C:\ProgramData\Apple Computer
2014-03-15 15:22 - 2014-03-15 15:22 - 00000000 ____D () C:\Program Files\iTunes
2014-03-15 15:22 - 2014-03-15 15:22 - 00000000 ____D () C:\Program Files\iPod
2014-03-15 15:22 - 2014-03-15 15:02 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-03-15 15:02 - 2014-03-15 15:02 - 00000000 ____D () C:\Users\gokarna\AppData\Local\Apple
2014-03-15 15:02 - 2014-03-15 15:02 - 00000000 ____D () C:\ProgramData\Apple
2014-03-15 15:02 - 2014-03-15 15:02 - 00000000 ____D () C:\Program Files\Bonjour
2014-03-15 15:02 - 2014-03-15 15:02 - 00000000 ____D () C:\Program Files\Apple Software Update
2014-03-15 14:39 - 2014-03-15 14:34 - 137699152 _____ (Apple Inc.) C:\Users\gokarna\Downloads\iTunesSetup.exe
2014-03-15 14:33 - 2014-03-15 14:33 - 00559280 _____ (Safer-Networking Ltd. ) C:\Users\gokarna\Downloads\spybot2-license(1).exe
2014-03-15 14:33 - 2014-03-15 14:06 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-03-15 14:08 - 2014-03-15 14:08 - 00002123 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-03-15 14:04 - 2014-03-15 14:04 - 00559280 _____ (Safer-Networking Ltd. ) C:\Users\gokarna\Downloads\spybot2-license.exe
2014-03-15 12:33 - 2009-07-14 05:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-03-15 10:37 - 2014-03-04 12:19 - 00109280 _____ () C:\Users\gokarna\AppData\Local\GDIPFONTCACHEV1.DAT
2014-03-15 08:33 - 2014-03-15 08:31 - 00003885 _____ () C:\Windows\IE9_main.log
2014-03-13 09:00 - 2014-03-04 12:55 - 00000000 ____D () C:\Program Files\Beetel Connection Manager

Some content of TEMP:
====================
C:\Users\gokarna\AppData\Local\Temp\ose00000.exe
C:\Users\gokarna\AppData\Local\Temp\Quarantine.exe
C:\Users\gokarna\AppData\Local\Temp\_is76F.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-04-09 08:51

==================== End Of Log ============================

Hoping this reveals my Winload Money and Yandex problems

Now moving on to safe mode JRT operation
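A small triage script for the FRST listing format above, as an added example (not from this thread and not Farbar's own code): it parses each `created - modified - size attrs (company) path` line and flags the entries a helper would look at first. The sample lines are copied from the log above; the location and publisher heuristics are my assumptions, not FRST's logic.

```python
"""Triage of FRST 'one month' file-listing lines (added example, not FRST code)."""
import re
from dataclasses import dataclass

# Constructed sample: six lines copied from the FRST log posted above.
SAMPLE_LOG = r"""
2014-03-21 04:03 - 2014-03-21 04:03 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\taskhost.exe
2014-03-20 04:25 - 2009-07-14 10:49 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents
2014-03-16 10:54 - 2014-03-16 10:55 - 01492336 _____ (Drivers For Free) C:\Users\gokarna\Downloads\DFFDriverDownloadManager.exe
2014-03-16 10:54 - 2014-03-16 10:54 - 00626056 _____ ( ) C:\Users\gokarna\Downloads\DriversForFreeSetup.exe
2014-03-15 21:25 - 2014-03-15 21:25 - 01069920 _____ (Solid State Networks) C:\Users\gokarna\Downloads\install_reader11_en_mssa_aaa_aih(1).exe
2014-03-15 15:38 - 2014-03-15 15:38 - 00000000 __SHD () C:\Windows\system32\%APPDATA%
"""

# Line layout as seen in the log: created - modified - size attrs (company) path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str     # five-character flag field: D directory, H hidden, S system, R read-only
    company: str   # publisher string FRST prints in parentheses; empty when there is none
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_line(line: str):
    """Return an Entry for a listing line, or None for headers and other text."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]),
                 m["attrs"], m["company"].strip(), m["path"])


# Locations an ordinary user account can write to; assumed heuristics, not FRST's logic.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\", "\\programdata\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".cpl")


def triage(entry: Entry) -> list[str]:
    """Reasons a helper would look at this entry first; empty list means nothing notable."""
    reasons = []
    p = entry.path.lower()
    if not entry.is_dir and p.endswith(EXECUTABLE_EXT):
        if any(marker in p for marker in USER_WRITABLE):
            reasons.append("executable in user-writable location")
        if not entry.company:
            reasons.append("no publisher string")
    # A directory literally named like an environment variable under system32 means
    # something expanded a path badly; worth a look whatever created it.
    if entry.is_dir and "%" in p and "\\windows\\system32\\" in p:
        reasons.append("folder named like an environment variable under system32")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map path -> reasons for every flagged entry in a block of listing lines."""
    flagged = {}
    for line in text.strip().splitlines():
        entry = parse_line(line)
        if entry is not None and (reasons := triage(entry)):
            flagged[entry.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{path}\n    " + "; ".join(reasons))
```

Paste any other FRST "One Month Created" lines into SAMPLE_LOG to triage them the same way; the flags are a starting point for a human review, not a verdict.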
 
After you run JRT, let me know by posting. I will have a fixlog for you to run after that.
 
JRT.txt

Hello again Juliet,

I followed the instructions for bringing up 'safe mode', went into it and downloaded the JRT program again. It seems to present no difference to the first time, which you thought was corrupted. Although you told me to expect it to be automatically saved on the desktop and I directed it so, nevertheless it did not, and I had to make my own copy, which I copy and paste here:

================================================================
[ ]
[ Junkware Removal Tool (JRT) by Thisisu ]
[ Version 6.1.4 (04.06.2014:1) ]
[ Information about this tool can be found at ]
[ www.thisisudax.org ]
[ ]
[ ]
[ Please save any work in your browsers before proceeding. ]
[ Your desktop may temporarily disappear during this scan. ]
[ A Windows Explorer window may also open. ]
[ These actions are normal. Don't panic. ]
[ ]
[ ** DISCLAIMER ** ]
[ ]
[ This software is provided "as is" without ]
[ warranty of any kind. You may use this software ]
[ at your own risk. ]
[ ]
[ Click the [X] in the top-right corner of this window ]
[ if you wish to exit. Otherwise, ]
================================================================

Press any key to continue . . .

Creating a registry backup
Checking Startup
Checking Modules

A bad module has been detected!
A reboot is required to remove modules.

Press 'y' to reboot now
Press 'n' to reboot later
Reboot now? [y,n]

I decided to do the reboot, as when I asked you did not say not to. I hope I did right, and also that the result is that I will soon be out of this technical jungle.

Yesterday I heard for the first time about the pernicious and prevalent malware 'Heartbleed'. It sounds very ominous; could you advise me on how best to protect against it?

Thanking you very much as always, Wendy

Wendy
 
Yesterday I heard for the first time about the pernicious and prevalent malware 'Heartbleed'. It sounds very ominous; could you advise me on how best to protect against it?
This enters through exploits and unpatched systems.

Have you had an alert this is on your machine?
http://support.emsisoft.com/topic/14146-heartbleed-threat/
Heartbleed Threat


Please delete the version of Farbar Recovery Scan Tool you have now; the tool has been updated since you downloaded this one.
Save it to your desktop.

Please download Farbar Recovery Scan Tool

(use correct version for your system.....Which system am I using?)

Once you have the new one on the desktop, please download the file I will have attached to your desktop. (Hope it works; if not I'll try again.)

Slide the file Fixlog next to the Farbar Recovery Scan Tool Icon.

Run/Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Please post the logs when done and give me an update on how the computer is at the moment.
 
Fixlog and FRST next to each other on desktop but .......

Hi Juliet,

I have deleted the old version of FRST and it is next to the fixlog on the desktop, BUT when I open FRST and click Fix it comes back with the message that the Fixlog and FRST need to be located in the same folder/place??? It's a "Huh?" moment, not what you expected to happen. So of course no log has been generated.

So hoping you can get back to me soon although it is now the middle of the night in the USA where you are - I live in Turkey.

Best regards, Wendy
 
Did you delete the old version and download the updated one, plus save it to the desktop?
Can you see the Farbar Recovery Scan Tool icon? Slide the fixlog you downloaded (the one I saved in my earlier post) next to it, then open Farbar Recovery Scan Tool and click on Fix.
 
Yes I did but.....

.......didn't phrase my sentence properly so you could understand that, sorry about that. Yes, I did delete the old copy of FRST, download it next to the Fixlog on the desktop and then run it, and the result was as I said above: the program complained that they were not in the same place as each other.

It's getting to be quite a while (April 1st) since I first consulted this forum, and I have still got that high level infection Win32.Load Money, although that annoying Yandex has gone. It has been that after running my Spybot purchase over my system Win.32 would be detected and then, once 'fixed', would disappear for a wee while; however, this evening I ran the scan and it didn't 'fix' it until the second attempt.

Btw I followed up the Heartbleed thing and acted as suggested by the Mashable site.

Hoping you can soon get me disinfected, Wendy
 
Hoping you can soon get me disinfected
I've honestly been trying to :)

Next, please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed, then you may want to consider uninstalling it, as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings
http://support.microsoft.com/kb/923737

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome
Chrome - Reset browser settings
https://support.google.com/chrome/answer/3296214?hl=en
~~~~~~~~~~~~~~~~~~~

Download OTM by OldTimer Here & save it to your desktop.
* Save it to your desktop.
* Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


Code:
:Files
C:\Users\gokarna\AppData\Roaming\sweet-page
C:\Users\gokarna\AppData\Local\Temp\ose00000.exe
C:\Users\gokarna\AppData\Local\Temp\Quarantine.exe
C:\Users\gokarna\AppData\Local\Temp\_is76F.exe
C:\Users\gokarna\AppData\Roaming\Yandex
C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\hullhm7j.default\Extensions\vb@yandex.ru 
C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\hullhm7j.default\searchplugins\yqs-barff-yandex.xml
C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\hullhm7j.default\Extensions\vb@yandex.ru
:Commands
[emptytemp]
[Reboot]



* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTM and reboot your PC.


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


~~~~~~~~~~~~~~~~~~~

  • Please download RogueKillerX64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

~~~~~~~~~~~~~~~~~~~~

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.
Emergency Backup Procedure - Tech Support Forum

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

How to use ComboFix

Download ComboFix from here:
Link 1
Link 2
Link 3

Place ComboFix.exe on your Desktop <--Important
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.



    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may need to reboot your computer more than once to do its job; this is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
    ---------------------------------------------------------------------------------------------
  • If there are Internet issues after running ComboFix:
    Internet Explorer:
    Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings". Also clear any proxy address and port. OK, Apply (only if applicable), OK.
    Firefox:
    Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
    Chrome:
    Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
    Safari
    Launch Safari
    Go to general settings menu
    Then in Preferences/ Advanced
    Then on line click Proxies change settings ...
    Click Internet Options, then click the Connections tab, click Network Settings.
    Disable option (uncheck) for the use of proxy server ...


Please post:
OTM log
RKreport.txt
ComboFix.txt
 
Reset all browsers but....

Hi Juliet,

I do appreciate you are doing your best and that it is proving tricky.

I have hit an unexpected problem following your instructions:

I reset all the browsers and then read through your instructions and then carried them out as far as downloading OTM, running it and copying and pasting into its window in the indicated places, when suddenly, without any warning, everything except it disappeared and I couldn't go back to see what the next move was!

So I shut down and rebooted the computer and re-opened this site. I then read ahead. As you go on to point out, I need to print out or copy your instructions in a notepad doc and place them on an external memory drive so as not to lose access to them if the computer has to go offline, BUT I can't; I am unable to use the save function!! I planned to copy the notepad doc to my external drive to refer to, as I haven't got a printer.

I will take a break now before I copy them out by hand and await your comments.

Kind regards, Wendy
 
Download Windows Repair (all in one) from http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/

Install the program, then run it.

Go to step 3 and allow it to run SFC.

On the Start Repairs tab click Start.

Select the following items and tick "Restart System When Finished":

Reset Registry Permissions
Reset File Permissions
Register System Files
Repair WMI
Repair Windows Firewall
Repair Internet Explorer
Repair Hosts File
Remove Policies Set By Infections
Repair Missing Start menu Icons
Repair Icons
Repair Winsock & DNS Cache
Remove Temp Files
Repair Proxy Settings
Unhide Non System Files
Repair Windows Updates
Set windows Services To Default
Repair MSI (windows Installer)
Repair File Associations
Repair windows Safe mode

After that come back and tell me if that has made a difference.
 
Actually maybe that last direction.....

........is unnecessary if it is meant to address the problem I reported on saving stuff to notepad. I think it is my own fault, as I have subsequently tried again but this time removed the asterisk * from its place before the stop, whereas before I had allowed it to stay there. So now without it I have saved your directions to notepad and can proceed to carry them out. If you agree, that is?

Btw, was that sudden shutdown without any warning after inserting that text into OTM to be expected or not?

Best regards, Wendy
 
There was a reboot command script in the OTM log. Can you please go to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post?

Can you proceed with the other directions?

Are you still with me?
 
Still with you

Hi Juliet, it's been several days since I could check in. I am still with you and will proceed with that last suggested direction.

Cheers, Wendy
 
Win32.LoadMoney seems to have disappeared?

Dear Juliet,
In the period since I last contacted you, i.e., several days ago, I have run Spybot every day and the Win32.LoadMoney threat SEEMS to have disappeared (although some registry changes are still taking place), and I wonder whether this is real or not?

Will still go ahead with the OTM scan and paste the log.

All the best Wendy
 
Dear Juliet,
In the period since I last contacted you, i.e., several days ago, I have run Spybot every day and the Win32.LoadMoney threat SEEMS to have disappeared (although some registry changes are still taking place), and I wonder whether this is real or not?

Will still go ahead with the OTM scan and paste the log.

All the best Wendy

Without being able to see any logs, or scan results, I have no idea what registry changes are there.
 
OTM.log

Hi Juliet, Here be that OTM log.


All processes killed
========== FILES ==========
File/Folder C:\Users\gokarna\AppData\Roaming\sweet-page not found.
File/Folder C:\Users\gokarna\AppData\Local\Temp\ose00000.exe not found.
File/Folder C:\Users\gokarna\AppData\Local\Temp\Quarantine.exe not found.
File/Folder C:\Users\gokarna\AppData\Local\Temp\_is76F.exe not found.
File/Folder C:\Users\gokarna\AppData\Roaming\Yandex not found.
File/Folder C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\hullhm7j.default\Extensions\vb@yandex.ru not found.
File/Folder C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\hullhm7j.default\searchplugins\yqs-barff-yandex.xml not found.
File/Folder C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\hullhm7j.default\Extensions\vb@yandex.ru not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: gokarna
->Temp folder emptied: 1372 bytes
->Temporary Internet Files folder emptied: 171 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 295453038 bytes
->Google Chrome cache emptied: 16697053 bytes
->Flash cache emptied: 2251 bytes

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33298 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 18549435 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 38352540 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 352.00 mb


OTM by OldTimer - Version 3.1.21.0 log created on 04262014_144732

Files moved on Reboot...
File C:\Users\gokarna\AppData\Local\Temp\etilqs_Yd4NrjxtxC1QCww not found!
File C:\Users\gokarna\AppData\Local\Temp\etilqs_zBg5wxOLa7Pc0NL not found!
File move failed. C:\Windows\temp\Low\SkypeClickToCall\Logs\AutoUpdateSvc.log scheduled to be moved on reboot.
File move failed. C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
Updating you

Hi Juliet,

Yesterday I saw that, contrary to what seemed to be the case, that awful browser Yandex is still with me and was managing the download of a program. Now this morning I booted up and discovered that Yandex has completely hijacked Mozilla. I am scanning with SB as I write and will post the result of that re Win32.LoadMoney as soon as it has completed two scans.

Is there anything else I should be doing and updating you on, because you know I never went through with all your directions after the OTM thing??

Best regards, Wendy
 
Yandex has hijacked Google chrome as well........

.......as I just discovered trying to circumvent the Mozilla take-over!! For a long while, i.e., 2 months, multiple Chromes have opened at a double click, each with an error-type message saying:

"Your profile could not be opened correctly. Some features may be unavailable. Please check that the profile exists and that you have permission to read and write its contents."

I didn't like the sound of that and had no idea what it meant, but as I only use Chrome sometimes and have a busy life I didn't get round to following it up and forgot altogether to mention it to you. But I now see that it probably has a lot to do with this TOTAL Yandex invasion?

I am very apprehensive about what Yandex is capable of doing.
 
SB report doesn't contain Win32.LoadMoney....

.....but then I haven't a clue about what might actually be going on, as I can't understand the unauthorised changes it does report. I saved the scan logs just in case you were interested.

Talk again soon Juliet, Wendy
 