Curse Of Seattle

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Buckleyterp, Mar 15, 2016.

  1. Buckleyterp

    Buckleyterp Private First Class

    ...every time I go there, no matter how careful I am, my PC gets compromised. (Wazoo in the 1990s, key recorder in 2011, now this.) It must be ground zero for malware development.
    My PC is running very slow and it is getting worse. I cleared caches from IE, Chrome and FF.
    I did all of the preliminary cleaning. When I rebooted after disabling the UAC, reboot took 34 seconds. When I rebooted after MBAM, it took 3:44.
    I had problems in that no ignore drop down appeared in the upper right hand corner in HitMan (I get a product key demand page in order to progress to cleaning the malware files). Hitman identified something like 1 problem risk and 23 'traces'. The popup window in MBAM took four tries and 5 minutes latency in order to appear.
    TDSS found nothing.
    MBAM, RK, TDSS and MGtools reports are attached.

    Buckley
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hitman Pro should produce a log regardless of whether the trial has expired or not. Please upload it. :)
     
  3. Buckleyterp

    Buckleyterp Private First Class

    When the Hitman display threats list page is presented, it gives three choices: "Buy Now", "Next", and "Cancel". Hitting 'next' brings it to the product key demand page, where the choices are: "Buy Now", "Next", "Cancel", and "Activate". Hitting 'next' brings it back to the display threats page, and it just toggles back and forth in this manner. Please give me another option. The forum upload is not allowing a 311 KB .jpg screen shot of the hitman dilemma.
     

    Attached Files:

  4. Buckleyterp

    Buckleyterp Private First Class

    Oh, I guess it did. Here is page 2:
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Which version are you using? It tells you at the top... see my screenshot.
    Also check the screenshot I posted for the save log option, do you really not see that?
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A very old outdated version per the snapshot. ;) The current version was not downloaded and installed.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Buckleyterp, as Chaslang says, it's outdated. You need to remove the version you have and download the newest as per the instructions in the R&R. Run it and upload the log.
     
  8. Buckleyterp

    Buckleyterp Private First Class

    Dear Kestrel13! and chaslang,
    Sorry to bog you down with stuttering incompetence. I had reinstalled an old download; now I have corrected for it. Thank you. Here is the file. The computer is still operating at about 1/3 usual speed.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download OTL to your desktop.

    We need to run an OTL Fix


    • Right-click OTL.exe to run it as admin. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code

    Code:
    
    :Files
    C:\Users\Daily account\AppData\Roaming\setup.exe
    C:\Users\Nat & Buckley\Downloads\FreemakeVideoDownloaderFull.exe
    C:\Users\Daily account\AppData\Roaming\Open Download Manager
    C:\Users\Daily account\AppData\Roaming\Microsoft\Windows\Templates\0838yf26k2n1v55p0jw6ar3178gcx630
    
    :Reg
    [-HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622]
    [-HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622]
    [-HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1001\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1001\Software\OpenDownloadManager.COM]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{54739D49-AC03-4C57-9264-C5195596B3A1}]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectNewTabPageShow]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectShowTabsWelcome]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\OpenDownloadManager.COM]
    
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Upload that report in your next reply.


    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Upload both of these logs into your next reply.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Upload JRT.txt to your next message.


    Now re-run Hitman Pro and upload a fresh log.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this. Let me know how things are running!
     
  10. Buckleyterp

    Buckleyterp Private First Class

    Kestrel13!
    Things have improved. FF is not crashing every 5 minutes with a 'plugin stopped working' anymore, but I just got the 'shockwave flash script stopped working' message and FF froze for about 10 seconds. I opened no other program and majorgeeks is the only site open.
    Startup (reboot) is taking 1:20 instead of 15-20 secs, but OTL opened upon startup and wanted to scan. I just waited until it went away.
    Opening a single page .docx file is taking 10 seconds instead of 6.
    Any paths to improvement?
    MGlogs.zip with next reply
     

    Attached Files:

  11. Buckleyterp

    Buckleyterp Private First Class

    Done.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    How do you feel about going into the Windows Registry and deleting these keys? (In bold)

    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622
    HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622
    HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}
    HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
    HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{54739D49-AC03-4C57-9264-C5195596B3A1}
    HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectShowTabsWelcome


    Download Cleano 1.31

    Download it to your desktop, Right click the cleano.exe file and run as admin > and place check marks in the boxes as follows (click on link below to see image)

    View attachment 148092
    Click clean now and exit the program.


    We need to run an OTL Fix


    • Right-click OTL.exe to run it as admin. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code
    Code:
    
    :files
    C:\Users\Daily account\AppData\Local\0838yf26k2n1v55p0jw6ar3178gcx630
    C:\ProgramData\0838yf26k2n1v55p0jw6ar3178gcx630
    
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.


    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this. Let me know how things are running!
    Let me know if you removed those keys from the Windows Registry... if you did, then re run Hitman Pro yet again and then upload new log.
     
  13. Buckleyterp

    Buckleyterp Private First Class

    I deleted LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622 in HKLM\SYSTEM\ControlSet001\Enum\Root\
    I deleted LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622 in HKLM\SYSTEM\ControlSet002\Enum\Root\
    When I got to HKLM\SYSTEM\CurrentControlSet\Enum\Root\,
    LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622 wasn't there to delete.

    I don't know how to delete the binary values using the modify right click. Please tell me how; I didn't delete:
    {4D2D3B0F-69BE-477A-90F5-FDDB05357975}
    {4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}

    {54739D49-AC03-4C57-9264-C5195596B3A1}

    I deleted \bProtectShowTabsWelcome in HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing

    I ran cleano, OTL, getlogs.bat, and Hitman pro.

    PC is still rebooting slowly (1:34 by Total Security 360 boot report). FF is still getting hit with the plugin error box: shockwave flash stopped working...
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Re run Hitman yet again, upload new log.
     
  15. Buckleyterp

    Buckleyterp Private First Class

    We got a success notice, and here's Hitman...
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code under the [image] area. Do not include the word Code.
    Code:
    :Reg
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1001\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1001\Software\OpenDownloadManager.COM]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{54739D49-AC03-4C57-9264-C5195596B3A1}]
    [-HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectNewTabPageShow]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [image] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to upload into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and upload the contents of that document back here in your next post.


    Now re-run Hitman again... upload new log. :)
     
  17. Buckleyterp

    Buckleyterp Private First Class

    I had to run OTM and Hitman twice. There was no way I could find the OTM log using your instructions or using Windows Explorer. The 'moved files' folder contained another folder with today's date on it, but it was not a log file and contained no log files. (The forum doesn't upload folders, apparently.) The first OTM report contained 'not found' results for the key registry values and a minor amount of bytes emptied from browser caches. So, once I ran OTM again, I felt that I had to run HitM again so that the time stamps were what you expected.

    Total Security 360 gave first bootup time as 13 seconds (the usual) and the second bootup time as 1:05 (not good).

    One other thing, as long as you have my file logs: A window titled "Adobe Digital Editions 5.4.0 Setup: License Agreement" keeps popping up and won't go away ever since I downloaded it to read e-library stuff. Now I know that it appears only when Chrome is active. It never appears if browsing only with FF. I deleted all Adobe stuff and reloaded, but that didn't solve the problem. A lot of people are complaining about this on the web. Any fix for me?
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Still those keys are there... I have no idea why the tools cannot remove them.

    Do you think you could try deleting them yourself from the Windows Registry?

    HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}
    HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
    HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{54739D49-AC03-4C57-9264-C5195596B3A1}
    HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectNewTabPageShow
     
  19. Buckleyterp

    Buckleyterp Private First Class

    In regedit, I R-clicked on bProtectNewTabPageShow, L-clicked on the popup item 'delete' and it disappeared.
    But I had done this before.
    I closed and opened regedit. bProtectNewTabPageShow was still gone. I rebooted the computer and reopened regedit, bProtectNewTabPageShow was still gone.

    I am uploading the hitman file

    I tried to delete the 3 values from the 'Approved Extensions' key using reg delete in CMD but, as usual, kept getting an 'invalid syntax' response after all of that typing.

    I tried exporting the key and using notebook to change the 3 values to '-' and double clicking the file but I got a 'can't do it' error message, the keys were open and being used by processes, etc.

    I do not know how to delete the binary values in the Approved Extensions key using the regedit modify function, but I am willing to try, if given clear instructions. Do I just clear the matrix in the box that comes up?

    Buckley
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean by "all that typing"? You should not be typing anything. You should just navigate to the keys using your mouse and then select one and then delete it. Also very important:
    • Internet Explorer must not be running!
    • You must run regedit.exe by using Right Click and select Run As Administrator
     
  21. Buckleyterp

    Buckleyterp Private First Class

    Chaslang,
    Forgive my ignorance, but when I am in the DOS Command screen trying to use the 'reg delete' command, cuts and pastes are not usable for me so I have to type the long path name. I try to be careful about 'o' and '0'.

    Internet Explorer is seldom open on my machine, and never when I am doing something important.

    Regedit was another attempt by me to modify the keys. When I used the start button 'run' command, a line at the bottom of the run window said "this task would be created with administrative privileges". I know how to set privileges for keys and made sure that the IE Approved Extensions key had the proper permissions. I closed every program after I received the first regedit failure box, only to get another with the second attempt.

    As Kestrel13! pointed out, these keys are being refractory to the usual removal programs, so it seems unlikely that my failures are solely due to my incompetence, but I am willing to retry with a more sophisticated or aggressive approach if I might get some expert advice tailored to this situation.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kestrel13! wanted you to run the Windows Registry Editor, not the reg command. Type regedit in the Run box and look for the regedit.exe icon to appear. Then right-click on it and select Run As Administrator. Then navigate to the keys (one at a time), right-click on them and select Delete.
     
  23. Buckleyterp

    Buckleyterp Private First Class

    Thank you for walking me through this.
    I typed regedit in the Run box (I also tried regedit.exe) and no icon appears.
    I then typed 'regedit.exe' in the search box and the name appeared along with its icon.
    As directed, I right clicked on the item and opened with Run as Administrator.
    The Registry Editor window appeared, already located at the IE\Approved Extensions key from prior attempts.
    The three unwanted values were present.
    Next, I checked permissions for the Approved Extensions key. Somehow, a 'Deny' type of permission had appeared for my administrative account! I corrected this and had no trouble deleting the three problem values.
    Reboot was only 5 seconds by Total Security 360.
    The three remain gone!
    Hitman is uploaded
    Could you help me get rid of Adobe Digital Editions 4.5.0 Setup: License Agreement persistence?
     

    Attached Files:
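
As an added illustration (not from the thread, and not part of any of the tools it uses), the following PowerShell script does what post 23 ended up doing by hand: it checks the Approved Extensions key for a Deny permission on the key, strips any such entries, deletes the three values quoted in the thread, and verifies they are gone. It assumes an elevated PowerShell session on the affected machine, and that the user whose SID appears in the thread is logged on so that hive is loaded under HKEY_USERS.

```powershell
# Added example, not from the thread: clean the IE "Approved Extensions" key that
# resisted regedit, reg.exe and the OTL/OTM fixes above. Run elevated.
# Key path and value names are the ones quoted in the thread.

$KeyPath = 'Registry::HKEY_USERS\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions'
$ValueNames = @(
    '{4D2D3B0F-69BE-477A-90F5-FDDB05357975}',
    '{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}',
    '{54739D49-AC03-4C57-9264-C5195596B3A1}'
)

if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Host "Key not present (user hive not loaded, or key already gone): $KeyPath"
    return
}

# 1. Inspect the ACL. A Deny entry for the administrative account is what blocked
#    deletion in the thread; list every Deny ACE before changing anything.
$acl = Get-Acl -LiteralPath $KeyPath
$denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
foreach ($ace in $denies) {
    Write-Host ("Deny ACE: {0} -> {1}" -f $ace.IdentityReference, $ace.RegistryRights)
}

# 2. Remove the Deny ACEs. Set-Acl needs the caller to own the key or hold WriteDAC
#    on it; if this step fails, take ownership of the key in regedit first (assumption).
if ($denies.Count -gt 0) {
    foreach ($ace in $denies) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -LiteralPath $KeyPath -AclObject $acl
    Write-Host "Removed $($denies.Count) Deny ACE(s) from the key"
}

# 3. Record each value's data (binary values are shown as hex), then delete it.
foreach ($name in $ValueNames) {
    $prop = Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { Write-Host "Not present: $name"; continue }
    $data = $prop.$name
    if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join ' ' }
    Write-Host "Deleting $name (data: $data)"
    Remove-ItemProperty -LiteralPath $KeyPath -Name $name
}

# 4. Verify nothing listed survived (the same check as reopening regedit after a reboot).
$left = @($ValueNames | Where-Object {
    $null -ne (Get-ItemProperty -LiteralPath $KeyPath -Name $_ -ErrorAction SilentlyContinue)
})
if ($left.Count -gt 0) { Write-Warning "Still present: $($left -join ', ')" }
else { Write-Host 'All listed values removed' }

# Equivalent reg.exe form of step 3 for one value; the key must be quoted because
# the path contains spaces, which is the usual cause of the "invalid syntax" reply:
#   reg delete "HKU\S-1-5-21-1716380253-918637925-561613556-1003\Software\Microsoft\Internet Explorer\Approved Extensions" /v "{4D2D3B0F-69BE-477A-90F5-FDDB05357975}" /f
```

Re-run Hitman Pro afterwards, as the thread does after every removal step, so the log confirms the values did not come back.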

  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I would post in the software forum regarding that.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    8. After doing the above, you should work through the below link:
     
