OK, here it is. Also, I ran the killer one again and the VisualBee is gone, but these show up again after deleting them...
iceman087,
Datamngr is showing in OTL.
Would appreciate your patience.
Need to go out for a while, and cannot prepare a script to remove the Datamngr entries until I get back.
After you run the script in OTL, then, we will use whatever else is needed to make sure it is not there any longer.
Once again, thanks for your patience, and I will be back in about 3 to 4 hours.
Please post the RKreport from RogueKiller also. Everything showing it helps. Operating in the blind, as you have found out, does not always produce the desired results.
OK, np. I have to step out also. Won't be able to get back on till tomorrow. Thanks a lot for your help. Hope to hear from you tomorrow.
VisualBee\Bee.exe: A variant of the IRCBot family of worms and IRC backdoor Trojans
Microsoft Update Machine - bee.exe - Program Information
But the c/autoruns doesn't exist. Never mind, I had to create it.
While you're in the hands of the very best attempting to clean up the infection, keep in mind that many of these serious infections never completely clean up so you might want to be backing up your data to quarantine for thorough scanning, gathering your program installers, and studying these same steps to get a perfect Clean Reinstall - Factory OEM Windows 7.
Just saying, I have never had a situation where I ran perfect Windows 7 after such an infection.
Please go to Control Panel > Programs and Features, and uninstall whatever entry you find with the following:
Datamngr
VisualBee
Conduit
Tarma
iLivid
Next, please run OTL once again.
Copy and paste the text inside of the code box below into the Custom Scans/Fixes box located at the bottom of OTL:
Code:
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=295&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=0795562833234272&q={searchTerms}
IE - HKLM\..\URLSearchHook: {7aeae561-714b-45f6-ace3-4a8aed6e227b} - No CLSID value found
IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=295&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=0795562833234272&q={searchTerms}
IE - HKU\S-1-5-21-1709582024-3653389009-2489712307-1001\..\URLSearchHook: {7aeae561-714b-45f6-ace3-4a8aed6e227b} - No CLSID value found
IE - HKU\S-1-5-21-1709582024-3653389009-2489712307-1001\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
O2:64bit: - BHO: (no name) - {C1ED9DA0-AFD0-4b90-AC6A-D3874F591014} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7aeae561-714b-45f6-ace3-4a8aed6e227b} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-1709582024-3653389009-2489712307-1001\..\Toolbar\WebBrowser: (no name) - {7AEAE561-714B-45F6-ACE3-4A8AED6E227B} - No CLSID value found.
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll) - File not found
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll) - File not found
:Folders
C:\Users\chuck\AppData\Local\VisualBeeExe
C:\Users\chuck\AppData\Local\Conduit
C:\ProgramData\Tarma Installer
C:\ProgramData\VisualBee
:Commands
[emptytemp]
[Reboot]
[CREATERESTOREPOINT]
After all the information (including :OTL) is pasted in the Custom Scans/Fixes box, click Run Fix (at the top). Note:
I am having some problems using the code box in this forum, so please type the following right above the first entry: :OTL
It should look like this; make sure there is a colon before OTL:
:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com
Here is an Image of how it should look in Custom Scans/Fixes (at the bottom):
Apparently, :OTL has the colon right before it, and that is throwing things off.
Allow the program to run without interruption.
The computer restarts itself, and a log is created after the machine reboots.
Please post the contents of the new OTL log in your next reply.
~~~~
Now, please download AdwCleaner:
http://general-changelog-team.fr/fr/...e/2-adwcleaner
Save to the desktop.
A text file report opens after the restart.
- Close all open programs.
- Double-click on AdwCleaner.exe to run it.
- Click on Delete and confirm the prompt.
- After it finishes, the computer is restarted.
Please post the content of the AdwCleaner report to your reply.
(A copy of the log is also saved at C:\AdwCleaner[S1].txt)
~~~~
Last, please run RogueKiller once again, do a Scan, and provide its RKreport.txt.
Please do not remove anything from RogueKiller, so I can see where we are at.
Last edited by cottonball; 02 Feb 2013 at 23:04.
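The OTL fix above strips Datamngr's DLLs out of AppInit_DLLs, a Windows load point that injects every listed DLL into each process that loads user32.dll, which is why the toolbar kept coming back after the folders were deleted. As an added example (not from this thread, OTL, AdwCleaner or RogueKiller), here is a PowerShell audit of that load point on 64-bit Windows: the registry keys and value names are the standard ones, the function name is my own.

```powershell
# Added example: audit the AppInit_DLLs load point on 64-bit Windows 7 and later.
# Checks the native key and the Wow6432Node key (32-bit processes), reports whether
# loading is enabled, and whether each listed DLL still exists on disk. OTL flagged the
# Datamngr entries in this thread as "File not found": a stale value that still
# deserves removal so nothing can be dropped back into that path later.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllAudit {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props   = Get-ItemProperty -LiteralPath $key
        # LoadAppInit_DLLs = 1 means the DLLs listed in AppInit_DLLs are actually loaded.
        $enabled = [int]$props.LoadAppInit_DLLs
        # AppInit_DLLs is a comma- or space-separated list of paths (8.3 names are common).
        $dlls    = @(([string]$props.AppInit_DLLs) -split '[,\s]+' | Where-Object { $_ -ne '' })

        if ($dlls.Count -eq 0) {
            [pscustomobject]@{ Key = $key; LoadEnabled = $enabled; Dll = ''; OnDisk = ''; Verdict = 'empty (expected)' }
            continue
        }
        foreach ($dll in $dlls) {
            $onDisk = Test-Path -LiteralPath $dll
            if ($onDisk) {
                $verdict = 'review: this DLL is injected into every process'
            } else {
                $verdict = 'stale: file missing, remove the value'
            }
            [pscustomobject]@{ Key = $key; LoadEnabled = $enabled; Dll = $dll; OnDisk = $onDisk; Verdict = $verdict }
        }
    }
}

# Run from an elevated PowerShell prompt; read-only, nothing is changed.
Get-AppInitDllAudit | Format-Table -AutoSize -Wrap
```

Any non-empty result is worth a look even when LoadAppInit_DLLs is 0, because an installer can flip that flag back on without touching the DLL list.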
Here is the log.
# AdwCleaner v2.109 - Logfile created 02/03/2013 at 12:17:19
# Updated 26/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : chuck - CHUCK-PC
# Boot Mode : Normal
# Running from : C:\Users\chuck\Desktop\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\Users\chuck\AppData\Local\APN
Folder Deleted : C:\Users\chuck\AppData\Local\Conduit
Folder Deleted : C:\Users\chuck\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\chuck\AppData\LocalLow\ilividtoolbarguid
Folder Deleted : C:\Users\chuck\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\chuck\AppData\LocalLow\VisualBee_V.1
Folder Deleted : C:\Users\chuck\AppData\Roaming\OpenCandy
***** [Registry] *****
Data Deleted : [x64] HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SEARCH~1\Datamngr\x64\datamngr.dll
Data Deleted : [x64] HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SEARCH~1\Datamngr\x64\IEBHO.dll
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SEARCH~1\Datamngr\datamngr.dll
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SEARCH~1\Datamngr\IEBHO.dll
Key Deleted : HKCU\Software\APN DTX
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\VisualBee_V.1
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\ilividtoolbarguid
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0DD0FE23-7024-4FB8-AD4B-6C65D085618F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BrowserConnection.dll
Key Deleted : HKLM\SOFTWARE\Classes\AppID\priam_bho.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetup.exe
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1FDC0B61-91AC-4157-9B27-CAD9A09AB67E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{75E8DA27-44AF-40AE-927C-F2EEC99D65B1}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\iLividSRTB
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLivid_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLivid_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividMediaBar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividMediaBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0DD0FE23-7024-4FB8-AD4B-6C65D085618F}
Key Deleted : HKLM\Software\VisualBee_V.1
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35E7A657-A9BB-472E-A68B-AE7DEAEDAE3A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{58F6C026-3A8C-4EEF-AE3E-3624180DBB5D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Search Results Toolbar
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
Key Deleted : HKLM\SOFTWARE\DataMngr
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1ED9DA0-AFD0-4B90-AC6A-D3874F591014}
Key Deleted : HKLM\SOFTWARE\Tarma Installer
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7AEAE561-714B-45F6-ACE3-4A8AED6E227B}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{7AEAE561-714B-45F6-ACE3-4A8AED6E227B}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{7AEAE561-714B-45F6-ACE3-4A8AED6E227B}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{7AEAE561-714B-45F6-ACE3-4A8AED6E227B}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [10]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [10]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
-\\ Google Chrome v24.0.1312.57
File : C:\Users\chuck\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [6199 octets] - [03/02/2013 12:16:48]
AdwCleaner[S1].txt - [6133 octets] - [03/02/2013 12:17:19]
########## EOF - C:\AdwCleaner[S1].txt - [6193 octets] ##########