Doj Virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Pedro546, Jun 29, 2017.

  1. Pedro546

    Pedro546 Private E-2

    My old Vista laptop got a virus on my main account (Owner), and it caused my computer to freeze up a minute after turning on, with the "you must pay $300" scam.

    Thankfully I was able to make my 2nd account (itunz) an admin and was able to run the scans there.

    After running Malwarebytes it seems to have gotten rid of the popup on my main account, but it is very slow.

    I tried to run the next scan (RogueKiller) on my 1st account, but I gave up after letting it run for about 5 hours.
    The scan finished on my 2nd user in 1.5 hours.

    Here are all my log files.


    Thanks.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please rerun Hitman and remove all it finds. Do the same with RogueKiller.

    Reboot and rescan with both Hitman and RogueKiller and attach the new logs.
     
  3. Pedro546

    Pedro546 Private E-2

    When I ran RogueKiller there were a couple of things that were selected that I removed.
    I was not sure if I should remove the other 30-40 things as well.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please rerun RogueKiller and remove these items:

    ¤¤¤ Registry : 37 ¤¤¤
    [PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E} (C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll) -> Found
    [Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{10202688-4113-1365-2177-815980518455} (C:\Users\Owner\AppData\Local\Temp\qom.dll) -> Found
    [PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD} (C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll) -> Found
    [Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{53156142-9747-6166-7482-039313986253} (C:\Users\Owner\AppData\Local\Temp\qom.dll) -> Found
    [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Viewpoint -> Found
    [PUP.Gen1] HKEY_USERS\S-1-5-21-310632712-2980442124-3509702157-1000\Software\YahooPartnerToolbar -> Found
    [PUP.Gen1] HKEY_USERS\S-1-5-21-310632712-2980442124-3509702157-1000\Software\Zugo -> Found
    [PUP.Gen1] HKEY_USERS\S-1-5-21-310632712-2980442124-3509702157-1000\Software\AppDataLow\Software\Freecause -> Found
    [PUP.Gen1] HKEY_USERS\S-1-5-21-310632712-2980442124-3509702157-1000\Software\AppDataLow\Software\MyWebSearch -> Found
    [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer -> Found
    [PUP.Gen1] HKEY_USERS\S-1-5-21-310632712-2980442124-3509702157-1000\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer -> Found
    [PUP.Gen1] HKEY_USERS\S-1-5-21-310632712-2980442124-3509702157-1001\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer -> Found
    [Suspicious.Path] HKEY_USERS\S-1-5-21-310632712-2980442124-3509702157-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KdVfn | (default) : {10202688-4113-1365-2177-815980518455} (C:\Users\Owner\AppData\Local\Temp\qom.dll) [x] -> Found
    [PUP.Gen0] HKEY_USERS\S-1-5-21-310632712-2980442124-3509702157-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks | {7a55cbb2-2b2e-4a41-9de1-6ac5d2c2be0a} : -> Found
    [Suspicious.Path] HKEY_USERS\S-1-5-21-310632712-2980442124-3509702157-1000\Software\Microsoft\Windows\CurrentVersion\Run | WES : "C:\ProgramData\8e30cf2\WinESuite.exe" /s [x] -> Found
    [PUP.Gen0|PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Viewpoint Manager Service ("C:\Program Files\Viewpoint\Common\ViewpointService.exe") -> Found
    [PUP.Gen0|PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Viewpoint Manager Service ("C:\Program Files\Viewpoint\Common\ViewpointService.exe") -> Found

    Reboot and rescan. Attach the new log.
     
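As an added defender-side example that is not part of this thread: a small Python parser for the RogueKiller registry-section lines quoted above, which pulls out the detection tags, key, value name and referenced file path, and ranks each entry by where the code lives (a DLL or EXE registered from a temp directory or a random ProgramData directory, as with qom.dll and WinESuite.exe, ahead of leftover PUP registrations). The ranking rule is my assumption for triage, not RogueKiller's own; the sample log is constructed from the entries TimW listed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample in the RogueKiller "Registry" section format quoted in the thread
# (entries copied from TimW's list; the count in the header is adjusted to match).
SAMPLE_LOG = r"""¤¤¤ Registry : 4 ¤¤¤
[PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD} (C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{10202688-4113-1365-2177-815980518455} (C:\Users\Owner\AppData\Local\Temp\qom.dll) -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-21-310632712-2980442124-3509702157-1000\Software\Microsoft\Windows\CurrentVersion\Run | WES : "C:\ProgramData\8e30cf2\WinESuite.exe" /s [x] -> Found
[PUP.Gen0|PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Viewpoint Manager Service ("C:\Program Files\Viewpoint\Common\ViewpointService.exe") -> Found
"""

ENTRY = re.compile(r'^\[(?P<tags>[^\]]+)\] (?P<body>.+?) -> (?P<status>\w+)$')
WINPATH = re.compile(r'[A-Za-z]:\\[^"()\n]+?\.(?:exe|dll|sys|cpl)', re.I)
# Keys Windows consults at logon or shell start: persistence lives here.
AUTOSTART = re.compile(r'\\CurrentVersion\\Run\b|ShellIconOverlayIdentifiers|'
                       r'\\Services\\|URLSearchHooks', re.I)
# Legitimate software rarely registers code from a temp dir or a random ProgramData dir.
DROP_DIR = re.compile(r'\\AppData\\Local\\Temp\\|\\ProgramData\\[0-9a-f]{6,8}\\', re.I)

@dataclass
class Finding:
    tags: List[str]            # detection names, e.g. ["PUP.Gen0", "PUP.Gen1"]
    key: str                   # registry key with any "(path)" suffix removed
    value: Optional[str]       # value name after " | ", if present
    path: Optional[str]        # first Windows file path referenced on the line
    priority: str              # assumed triage rule (see rank), not RogueKiller's own

def rank(key: str, path: Optional[str]) -> str:
    if path and DROP_DIR.search(path):
        return "high"      # code loaded from a drop directory: remove first
    if AUTOSTART.search(key):
        return "medium"    # persistence location, but a known-PUP binary
    return "low"           # leftover PUP registration, no code loaded

def parse_rogue_killer(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue       # section headers ("¤¤¤ Registry : N ¤¤¤") and blanks
        body = m.group("body")
        key, _, rest = body.partition(" | ")
        value = rest.split(" : ", 1)[0] if rest else None
        if not rest:
            key = key.split(" (", 1)[0]
        p = WINPATH.search(body)
        path = p.group(0) if p else None
        findings.append(Finding(m.group("tags").split("|"), key, value, path, rank(key, path)))
    return findings
```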
  5. Pedro546

    Pedro546 Private E-2

     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good. What issues are you still having?
     
  7. Pedro546

    Pedro546 Private E-2

    The majority of my issues have been on my main account (Owner).
    It seems to be running faster and I was able to finish a RK scan this time, but it did seem to find more things.
     


  8. Pedro546

    Pedro546 Private E-2

    Also, I'm still getting several pop-up errors when Windows starts.

    I don't know what is causing them.
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Those are issues you need to address in the software forum.

    However, you still need to remove some items. Rerun RogueKiller and remove these items:


    ¤¤¤ Processes : 2 ¤¤¤
    [VT.TrojanProxy:Win32/Bedri.A] iexploror.exe(544) -- C:\Microsoft_SDK\lib\include\iexploror.exe[-] -> Found
    [VT.TrojanProxy:Win32/Bedri.A] iexploror.exe(4040) -- C:\Microsoft_SDK\lib\include\iexploror.exe[-] -> Found

    ¤¤¤ Files : 2 ¤¤¤
    [PUP.Gen1][Folder] C:\Users\Owner\AppData\Roaming\iWin -> Found
    [Root.ZeroAccess][Folder] C:\Users\Owner\AppData\Local\Google\Desktop\Install -> Found

    Reboot and rescan, and attach a new log.
     
  10. Pedro546

    Pedro546 Private E-2

    I removed the items but the "iexploror.exe" is still there.
     

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The log indicates it was killed. What malware issues remain?
     
  12. Pedro546

    Pedro546 Private E-2

    That log is from the 2nd scan I did since your last post. I have removed those processes several times, but they keep coming back.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rescan with RogueKiller and show me the new log.
     
  14. Pedro546

    Pedro546 Private E-2

     


  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  16. Pedro546

    Pedro546 Private E-2

    Reset done
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Reboot and send me a new RogueKiller log.
     
  18. Pedro546

    Pedro546 Private E-2

     

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not sure if this is a false positive or not. Try uninstalling IE and do a reboot and a rescan with RogueKiller.
     
  20. Pedro546

    Pedro546 Private E-2

    It seems to still be there.
     


  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  22. Pedro546

    Pedro546 Private E-2

    I tried to install MSE last night and it was still installing this morning so I don't know what's going on there.

    I ran HitmanPro in the meantime and it was able to find the same trojan.

    HP seemed to be able to fully remove it, because it does not show up in RK anymore. But now I get a "Windows cannot find 'C:\Microsoft_SDK......." message when I start Windows.

    I was able to install MSE this morning, but I can't run a scan because it says Windows Vista is out of date.
     


  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, at least you got rid of it, which is what MSE was supposed to do.

    Your pop-up message needs to be addressed in the software forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your disk emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to Add/Remove Programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7, Win 8 or 10, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double-click (if running Vista, Win 7 or Win 8, right-click and Run As Administrator) on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the link below:
     
