Help with windows explorer and manage credentials. Possible malware

kach474

Hello. I'm new here and figured I'd see if someone could help.

I started scanning the other day for spyware and malware. Came up with a Sweet IM program I never installed. So I uninstalled it. No issues. I started looking for other programs I didn't install. Found a toolbar, Widgi I think it was? Anyway, I scanned with SpyHunter and located application updater and lots of cookies. Could only delete some cookies; the others were being used by another user. I found the pathway for some of the application updater files, which begins c:/user. ..... When I go to Windows Explorer there is no user folder under c:/ ?? I found the application updater under c:/ but can't delete it because it's being used by another user. I can't find the process to stop it. Also, I don't know if it's related, but a couple of files or programs tell me I don't have administrator privileges, but I'm logged in as administrator. I go to Manage Credentials in Control Panel / User Accounts and it thinks a minute, then gives me the "Windows Explorer not responding" message and fails to open.

Any ideas or help would be appreciated. Thinking someone had hacked my PC? Or some malware or spyware is there.

Thanks kach474
 

My Computer

OS
windows 7 home 64bit

My Computer

Computer Manufacturer/Model Number
me / #1
OS
windows 7 x64 Home Premium
CPU
intel q6600
Motherboard
gigbyte ga ep45 ud3l
Memory
g.skill 8gb ddr2 1066 (pc2 8500)
Graphics Card(s)
evga geforce 9800 gtx 512 mb
Screen Resolution
1680 x 1050
Hard Drives
wd caviar black 500 gb
wd caviar black 1tb
wd elements 1tb external hd x2
PSU
raidmax 500w
Case
smilodon (yes, t'was the pretty blue lites that got me!)
I have Malwarebytes and have used it for a long time. It doesn't find it. I uninstalled it before these problems. I run Internet Explorer.
 

Yeah... sometimes the little bugger hides. Did you look in IE > Tools > Manage Add-ons? Sometimes it's in there, and can be removed like any other add-on (it's a long shot, but worth a try).

I have also had good luck removing this particular malware by using ESET. ESET :: Get a FREE Online Virus Scan
 

I was able to get the toolbar taken care of. Now my problem is getting the application updater off and the user folder back.
 

Hmmm... I've removed this from 3 or 4 computers, and uninstalling the toolbar always took the updater out with it. But that was back in 2010. They must've changed it since then. The trick was realizing it sometimes installed as a freestanding program and an addon, and you'd have to uninstall it in both places to get rid of it.

Sorry, but I've run out of things that I know will work. I'd be just guessing from here on out, and I don't want to steer you wrong. :(
 

I understand. I'll double check when I get home to make sure it's gone from both places. Thanks for the info.
 

- Widgi Toolbar is capable of extorting information such as personal financial data (credit card numbers, online banking login details), user profiles, software registration keys, and passwords from the infected system.
Some Widgi Toolbar infections contain trojans and keyloggers which can be used to steal sensitive data like passwords, credit card and bank account information, etc.
It would be wise to change all your passwords immediately for any online sites you go to, particularly banking logins and other important sites. If you've used your credit cards online, keep an eye on your accounts for rogue usage and contact your banking facility.

It sounds as though it's still running in the background, limiting your access to the areas that would allow you to shut it down.

D/L & run this application (RKill). Read the instructions. Do not restart the system once you have run this or the malware will just restart.

Bleeping Computer Downloads: RKill

Now try running Malwarebytes (full system scan) to see if it picks up anything.

There may be remnants of it left in your system, particularly in the registry keys. Malwarebytes should be able to find these. However, just to be sure, check to see if these keys are present in your registry.

  • HKEY_CLASSES_ROOT\Interface\{2DC9C611-D7C2-42A3-9312-BFF512812022} "(Default)" = "IWidgiToolbarHost"
  • HKEY_CLASSES_ROOT\Interface\{C3ABD5A3-E699-4B9F-97FF-25B121A41276} "(Default)" = "IWidgiBHO"
  • HKEY_CLASSES_ROOT\CLSID\{C089D5FC-CFE2-4BCD-A522-2981448227CE}
If they are, back up the registry and then delete these registry keys.

Next, D/L & run MS Safety Scanner. (Full System Scan)

Microsoft Safety Scanner - Antivirus | Remove Spyware, Malware, Viruses Free

Hopefully this cleans everything out & you'll have control of your PC back.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
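
The registry check described in the post above, as an added example that is not part of the original thread: a PowerShell script that looks for the three listed keys, compares each default value with the name given in the post, and exports any key it finds before it is deleted by hand. The Wow6432Node lookup and the backup folder name are assumptions added here.

```powershell
# Added example: read-only check for the three Widgi keys named in the post above.
# Run from an elevated PowerShell prompt; written to work on PowerShell 2.0 (Windows 7).

# Sub-paths under HKEY_CLASSES_ROOT, copied from the post, with the expected default value where given.
$targets = @(
    @{ SubKey = 'Interface\{2DC9C611-D7C2-42A3-9312-BFF512812022}'; Expected = 'IWidgiToolbarHost' },
    @{ SubKey = 'Interface\{C3ABD5A3-E699-4B9F-97FF-25B121A41276}'; Expected = 'IWidgiBHO' },
    @{ SubKey = 'CLSID\{C089D5FC-CFE2-4BCD-A522-2981448227CE}';     Expected = $null }
)

# Assumption: on 64-bit Windows, 32-bit COM registrations sit under Wow6432Node, so both views are checked.
$views = @('', 'Wow6432Node\')

# Hypothetical backup location; every key found is exported here before any manual deletion.
$backupDir = Join-Path $env:USERPROFILE 'Desktop\widgi-reg-backup'

function Find-WidgiKeys {
    foreach ($view in $views) {
        foreach ($t in $targets) {
            $rel  = $view + $t.SubKey
            $path = "Registry::HKEY_CLASSES_ROOT\$rel"
            if (-not (Test-Path -LiteralPath $path)) { continue }

            # GetValue('') returns the key's (Default) value.
            $default = (Get-Item -LiteralPath $path).GetValue('')
            New-Object PSObject -Property @{
                Key          = "HKCR\$rel"
                DefaultValue = $default
                MatchesPost  = ($t.Expected -eq $null) -or ($default -eq $t.Expected)
            }
        }
    }
}

$found = @(Find-WidgiKeys)
if ($found.Count -eq 0) {
    Write-Output 'None of the listed keys are present.'
} else {
    if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
    $i = 0
    foreach ($f in $found) {
        $i++
        $file = Join-Path $backupDir "widgi-key-$i.reg"
        & reg.exe export $f.Key $file /y | Out-Null   # back up first, as the post advises
        Write-Output ("FOUND {0}  default='{1}'  matches post: {2}  backup: {3}" -f $f.Key, $f.DefaultValue, $f.MatchesPost, $file)
    }
}
```

The script deletes nothing; a key reported with "matches post: False" has a default value that differs from the one named in the post and should be looked at before removal.
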
Cool, thanks. Will do the passwords immediately. I ran the ESET online scanner and it found the application updater and the toolbar; got them deleted. I'll check the registry tonight and make sure. Thanks for the help. I have Malwarebytes and have run it numerous times. It never found either one. Didn't find them till I ran SpyHunter and the ESET.
 

According to what I found, Malwarebytes should have been able to fully remove the infection. Of course, viruses are always evolving and this could have been a new variant. Just make sure to change all your passwords.

Another program you might try next time is SuperAntiSpyware, the portable version. Put it on a FD & run it from there. However, since they are constantly updating the definitions for it, you'll have to d/l the latest version when you need it.

SUPERAntiSpyware.com - SUPERAntiSpyware Portable Scanner
 

OK, I'll keep that in mind. I have run Malwarebytes, Avast, Spybot, SpyHunter and the ESET; those seem to be gone (still have to check the registry). However, I keep getting 2 Sweet IM entries in Spybot in the registry. I found the Sweet IM program a week ago and uninstalled it. Looks like just the bloat, but I can't delete them. Still, for whatever reason, when I try and fix them with Spybot it says I don't have administrator privileges, but I do?? I'm logged in as an administrator. Any ideas? If I run a registry cleaner will that help? Or should I not worry?

Oh, and also when I open the pathway to the registry I get a little window in the corner of my monitor: "bluetooth notification".

thanks for all the help.
 

I believe that I got the Sweet IM taken care of. I finally got the last two files taken care of. I uninstalled it earlier through Control Panel without any issues. Thanks for the tips, I'm gonna try the cleaner. Thanks
 

Sweet IM has an installer/uninstaller app. You can download the file here. Uninstall SweetIM | Kioskea.net

After running that, download CCleaner and run the registry cleaner. That ought to get rid of any of the leftover registry entries. CCleaner - Optimization and Cleaning - Free Download

If you are still having admin privilege issues after that, try the sfc /scannow file repair function. http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html?ltr=S

I seemed to have gotten all the Sweet IM files uninstalled and off. I ran the registry cleaner with no issues. Ran all my other scanners and seemed to be clear. But I still can not access the Credential Manager while logged in as an administrator. I click on it and it tells me that windows explorer is not responding then closes. If I log in as just a user I can open that with no issues. I ran the sfc scan verify only and it came up with no problems. Also I was able to get the Users folder under C:/ to appear by checking the show all folders in folders and search options. But that was only there for a day. Now when I open the windows explorer the users folder is gone again under C:/?? I can access the C:/user by typing the pathway into the bar at the top but can not on the left side of the windows explorer. Now I am thinking this is a PEBCAK error and I am just missing something small.
 

Off the top of my head I cannot think of a user error that would cause these problems. We can also assume for now that there is no malware causing this as you've scanned the darn thing to within inches of its life. And if Windows Explorer itself was corrupted, the sfc /scannow operation should have caught it. I'm leaning toward a bad non-Windows program somehow interfering with your Windows Explorer.

Boot into safe mode and then try all those failing operations again. If that solves it, you can then install ShellExView, and use that to disable non-Windows programs one-by-one until you find the offender. ShellExView - Shell Extension Manager For Windows
 

OK, good idea. I'll try that, thanks.
 

Well, I didn't get right back to that. Kinda put it on hiatus. I started in safe mode and I attempted to open the Credential Manager, which was not responding in normal mode. It still does not open. I get an error 0x80070425. I'm gonna Google that and go from there. Wonder if I should restore back to before this was happening. However, I am curious.
 
