Solved annoying message

[jrmnr]

I ran Advcleaner to get rid of Aartemis virus, got rid of it but every time I turn on the computer I get this message

There was a problem starting

C:\user\jrmnr\AppData\Local\TBHostSupport\TBHostSupport.dll
The specified module could not be found


I noticed no adverse effects on my computer, Advcleaner removed.
Anything I can do to get rid of the message?

 

[Jacee]

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8 users right-click and select Run As Administrator.
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
• Copy and paste the contents of that logfile in your next reply.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Using AdwCleaner v3: Scan & Clean:
Double click on AdwCleaner.exe to run the tool again.
Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished...

This time click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder

 

[jrmnr]

# AdwCleaner v3.014 - Report created 09/12/2013 at 10:11:58
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : jrmnr - Y-PC
# Running from : C:\Users\jrmnr\AppData\Local\Temp\wzd8b5\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\jrmnr\AppData\Local\Google\Chrome\User Data\Default\Extensions\newtab.crx
File Found : C:\Users\jrmnr\AppData\Roaming\Mozilla\Firefox\Profiles\c9t7q9xd.default\searchplugins\safeguard-secure-search.xml
File Found : C:\Users\jrmnr\AppData\Roaming\Mozilla\Firefox\Profiles\nei0cks9.default\searchplugins\safeguard-secure-search.xml
Folder Found C:\Users\jrmnr\AppData\Local\NativeMessaging
Folder Found C:\Users\jrmnr\AppData\Local\WhiteListing

***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\jrmnr\AppData\Roaming\Mozilla\Firefox\Profiles\c9t7q9xd.default\prefs.js ]


[ File : C:\Users\jrmnr\AppData\Roaming\Mozilla\Firefox\Profiles\nei0cks9.default\prefs.js ]


-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\jrmnr\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found : urls_to_restore_on_startup
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup
Found : search_url
Found : urls_to_restore_on_startup
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [1657 octets] - [09/12/2013 10:11:58]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1717 octets] ##########

 

[jrmnr]

After cleanup
# AdwCleaner v3.014 - Report created 09/12/2013 at 10:19:04
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : jrmnr - Y-PC
# Running from : C:\Users\jrmnr\AppData\Local\Temp\wzb099\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\jrmnr\AppData\Roaming\Mozilla\Firefox\Profiles\c9t7q9xd.default\prefs.js ]


[ File : C:\Users\jrmnr\AppData\Roaming\Mozilla\Firefox\Profiles\nei0cks9.default\prefs.js ]


-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\jrmnr\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1797 octets] - [09/12/2013 10:11:58]
AdwCleaner[R1].txt - [931 octets] - [09/12/2013 10:19:04]
AdwCleaner[S0].txt - [1678 octets] - [09/12/2013 10:14:59]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [1050 octets] ##########

 

[jrmnr]

See anything suspicious?

 

[Jacee]

No, but I don't see what was deleted, either

Now, download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

After rebooting, tell me if you still get the same message at startup --> "C:\user\jrmnr\AppData\Local\TBHostSupport\TBHostSupport.dll
The specified module could not be found"

 

[ShamrockRig]

I looked into the error specified, all i could see was other posts on alternate forums saying that it can be related to conduit and other malware.

 

[jrmnr]

Unfortunately, even after running TFC the message is still there.

 

[ShamrockRig]

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message

 

[jrmnr]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Professional x64
Ran by jrmnr on Mon 12/09/2013 at 15:26:26.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

Value Name Type Value Data
========================================================================================
TBHostSupport REG_SZ "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\jrmnr\AppData\Local\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin




~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\lyricsing
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4AC4A837-8B8C-4016-A36F-3CBF083DC03C}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CAFC2AF4-2AB7-4E4E-BBAC-DFFBB7497D3B}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\jrmnr\appdata\local\cre"
Successfully deleted: [Folder] "C:\ai_recyclebin"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ FireFox

Successfully deleted: [File] C:\Users\jrmnr\AppData\Roaming\mozilla\firefox\profiles\nei0cks9.default\searchplugins\privitize.xml
Successfully deleted the following from C:\Users\jrmnr\AppData\Roaming\mozilla\firefox\profiles\nei0cks9.default\prefs.js

user_pref("extensions.defaulttab.installdate", 1376679256);
user_pref("extensions.defaulttab.lastUsed", 1376680430);
user_pref("extensions.privitize.admin", false);
user_pref("extensions.privitize.aflt", "5");
user_pref("extensions.privitize.appId", "{301966DF-A84B-4255-AAB9-574B5CE237E4}");
user_pref("extensions.privitize.autoRvrt", "false");
user_pref("extensions.privitize.cntry", "US");
user_pref("extensions.privitize.dfltLng", "");
user_pref("extensions.privitize.dfltSrch", true);
user_pref("extensions.privitize.dnsErr", true);
user_pref("extensions.privitize.dpkLst", "1169821598,3855095921,302281469,2400444324,3654782829,1334533236,3874294282,3866767559,3224935090,3754950497,1766448872,2740670312,10
user_pref("extensions.privitize.excTlbr", false);
user_pref("extensions.privitize.ffxUnstlRst", false);
user_pref("extensions.privitize.hdrMd5", "1476812F6451A3CD82E34AA7F087FB4C");
user_pref("extensions.privitize.hmpg", true);
user_pref("extensions.privitize.hmpgUrl", "hxxp://searchou.com/?id=80ca95690000000000000024e82a637b&affilt=5");
user_pref("extensions.privitize.id", "80ca95690000000000000024e82a637b");
user_pref("extensions.privitize.instlDay", "15858");
user_pref("extensions.privitize.instlRef", "");
user_pref("extensions.privitize.kw_url", "hxxp://searchou.com/?q={searchTerms}&id=80ca95690000000000000024e82a637b&affilt=5");
user_pref("extensions.privitize.lastVrsnTs", "1.8.21.614:13:17");
user_pref("extensions.privitize.newTab", true);
user_pref("extensions.privitize.newTabUrl", "hxxp://searchou.com/?id=80ca95690000000000000024e82a637b&affilt=5");
user_pref("extensions.privitize.prdct", "privitize");
user_pref("extensions.privitize.prtnrId", "privitize");
user_pref("extensions.privitize.rvrt", "false");
user_pref("extensions.privitize.sg", "none");
user_pref("extensions.privitize.smplGrp", "none");
user_pref("extensions.privitize.tlbrId", "base");
user_pref("extensions.privitize.tlbrSrchUrl", "hxxp://searchou.com/?id=80ca95690000000000000024e82a637b&affilt=5&q=");
user_pref("extensions.privitize.vrsn", "1.8.21.6");
user_pref("extensions.privitize.vrsnTs", "1.8.21.614:13:17");
user_pref("extensions.privitize.vrsni", "1.8.21.6");
Emptied folder: C:\Users\jrmnr\AppData\Roaming\mozilla\firefox\profiles\nei0cks9.default\minidumps [362 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 12/09/2013 at 15:35:19.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

[jrmnr]

The damn message is still there

 

[ShamrockRig]

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open.
* Post the log back here.

 

[jrmnr]

I have run Malwarebytes before and it messed up my proxy internet provider, I lost connection and had to restore the system, am afraid this will happen again

 

[ShamrockRig]

Oh that is unusual, try this then, grabbed it from "Cottonball" on another thread,
Also download RogueKiller:
http://tigzy.geekstogo.com/roguekiller.php
Select the version that applies to the system.
Save to the Desktop.

After closing all windows and browsers, right-click the downloaded RogueKiller file and select: Run as Administrator
At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN

When done, a report opens on the drive: RKreport.txt

:ar: Please provide the RKreport.txt (Mode: Scan) in your reply.

 

[jrmnr]

C:\Users\jrmnr\Downloads\RogueKillerX64.exe.part could not be saved, because the source file could not be read.

Try again later, or contact the server administrator.

 

[jrmnr]

Is the message indicating a threat or is it just an annoyance?

 

[ShamrockRig]

Did you click on the correct system version? The one with the 32-bit Or the 64-bit?

 

[jrmnr]

64bit

 

[ShamrockRig]

I just double checked the link, downloaded and ran the program without any trouble, try again?

 

[jrmnr]

same refusal, tried to save to the desktop and then to the documents.