Infected PC - Logs attached

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by help.me.msft, Feb 24, 2013.

  1. help.me.msft

    help.me.msft Private E-2

    I'm helping a neighbor clean their WinXP PC. Machine is terribly slow and it appears to have numerous infections. Attached are the logs. Look forward to hearing the next steps.
    Thanks!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run Hitman Pro again and this time allow it to fix all the Malware and Potential Unwanted Programs that it found. Then reboot immediately.

    After reboot, run a new scan with Hitman Pro and attach the new log. Also tell me how things are running.

    You also need to run MSconfig and put this PC into Normal Startup mode. MSconfig should not be used as a long-term startup manager. See the below:

    Dealing with Startup Process
     
  3. help.me.msft

    help.me.msft Private E-2

    New Hitman Pro log attached. Results appear clean.

    PC seems to be running a bit faster. Haven't seen any pop ups yet.

    Need to add 1GB of RAM to help overall performance.

    Will run MSconfig soon and put it back into Normal startup mode, but I have many questions about this and will start a separate thread if necessary.

    When do I toggle "system restore" back on?

    Thanks
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! The log shows you did not fix the potentially unwanted programs as I requested. This junk will slow a PC down.

    3 GB total would be better.

    It should never have been off yet. It should only be toggled off and then back on after ALL malware has been removed. It is a safety net just in case things go wrong.
     
  5. help.me.msft

    help.me.msft Private E-2

    Sorry about that. I've never used this tool and I thought when the dialog box is no longer Red in color, then everything is clean. Here's the latest log.

    This PC has a max of 2GB of RAM. It currently has only 1GB.

    Thanks!
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that looks better. ;)

    Now let's run one more tool which may cleanup some more junk.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Also make sure that you tell me how things are working!!
     
  7. help.me.msft

    help.me.msft Private E-2

    Here ya go.
     

    Attached Files:

    • JRT.txt
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please reply to the last sentence in my last message.
     
  9. help.me.msft

    help.me.msft Private E-2

    Seems like a great improvement so far.
    I think there's more room for performance improvements. i.e. Lots of programs to uninstall and misc files that need to be deleted. Also need to get more RAM.

    Thanks for the help. :)
    You guys are helpful!!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Okay we have a few more things to do to cleanup some garbage. Please follow the instructions below in the order written.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select any of the following lines that still exist ( many or all may already be gone ) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb185?a=6Oz0V2olFN&i=26
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\WI9130~1\Datamngr\BROWSE~1.DLL
    O2 - BHO: Wincore Mediabar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - (no file)
    O3 - Toolbar: (no name) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - (no file)
    O3 - Toolbar: (no name) - !{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    O4 - HKUS\S-1-5-21-215359398-1740733606-1048663472-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Kids')

    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Documents and Settings\Andre\liyawkpaqp.tmp
    C:\Documents and Settings\Andre\Application Data\Strongvault
    C:\Program Files\PersonalAV
    C:\Program Files\BEARSH~1
    C:\Program Files\Ask.com
    C:\Documents and Settings\Andre\Application Data\Allmyapps
    C:\Documents and Settings\Andre\Application Data\Bloson
    c:\windows\system32\hobokuzu.dll
    C:\WINDOWS\\system32\wegeyivi.dll
    C:\WINDOWS\Tasks\ParetoLogic Update Version3.job
    C:\WINDOWS\Tasks\ParetoLogic Registration3.job
    C:\WINDOWS\Tasks\ParetoLogic Update Version3 Startup Task.job
    C:\WINDOWS\Tasks\ProgramUpdateCheck.job
    C:\WINDOWS\Tasks\ProgramRefresh-ATFST.job
    C:\WINDOWS\Temp\*.*
    C:\Documents and Settings\Andre\Local Settings\Temp\*.*
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Allmyapps Update]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Allmyapps]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BlosonAddonUpdater]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DATAMNGR]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CPM57c5e42d]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CreateCD_Reminder]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PersonalAV]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\suwemosule]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VAIOSurvey]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2430}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run MSconfig and select Normal Startup Mode!!! Do this now before continuing and then reboot your PC to have it take effect.

    After reboot, continue.

    You have multiple antivirus programs installed. Your logs show:

    avast! Free Antivirus
    Norton AntiSpam
    Norton Internet Security

    You need to either uninstall all of the Norton items or you need to uninstall Avast. Do this now and then move on to the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. help.me.msft

    help.me.msft Private E-2

    Sorry for the delay in responding. The machine is at my neighbor's and they are gone all day.

    So, I ran Disable/Remove Windows Messenger, but it sure didn't seem like it did anything.

    mgtools.exe/analyse.exe found:
    O3 - Toolbar: (no name) - !{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    It appears the other ones were already gone.

    In terms of Antivirus software, we want to keep Avast. I'm confused because I thought Norton was gone. When I check out "Add/Remove Programs" I don't see it listed. I also checked for it inside ccleaner, and don't see it.
    I typed "Norton" into the Windows search and it generated no results.
    I went to the c drive and looked for a folder called Norton under Program Files, but there's nothing there. There was a folder called Symantec, which contained an empty folder called LiveUpdate.
    How do I find it and remove it properly?

    I ran MSconfig and put the PC back into Normal mode. I'm not thrilled about many of these things that are now loading. It certainly took longer to boot up. I downloaded the StartupCPL utility and it's not clear how to use it.
    How do I get rid of Hitman Pro? It also booted up at start and started a scan.

    I hope I attached the proper logs. It doesn't appear the otm/movedfiles log is attaching. Not sure why.

    Thanks
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I will give you steps to remove anything that I still see in the new logs.

    Yes, and I already deleted ( in the last fix ) a bunch more that would have loaded. You did not need any of the ones I deleted and some were malware/junkware. I can give you more to permanently delete from startup if you want. You even have tasks running that you don't really need. This is not malware, it is just unnecessary stuff that the end user has allowed to be installed and set up.

    Examples of what I would do.

    You can uninstall Hitman Pro because we are finished with it.

    I would delete the below tasks
    Code:
    "C:\WINDOWS\Tasks\"
    adobef~1.job  Feb 25 2013         830  "Adobe Flash Player Updater.job"
    apples~1.job  Feb 22 2013         284  "AppleSoftwareUpdate.job"
    google~1.job  Feb 22 2013         882  "GoogleUpdateTaskMachineCore.job"
    google~2.job  Feb 22 2013         884  "GoogleUpdateTaskMachineUA.job"
    hpusgd~1.job  Feb 25 2013         342  "HP Usg Daily.job"
    I would stop and disable the below services but be sure that the user does not need the Seagate Service. I delete those stupid/unnecessary and unwanted Google Services on all my PCs.
    I would permanently stop the below from running at startup. Exclude the Seagate item if automatic backups are being used and this process is really needed to load for them to work.
    Did the owner install and do they use File Type Assistant ? If not, uninstall it.


    Note per your last logs, you did not get the below fixed:

    O3 - Toolbar: (no name) - !{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

    All browsers must be closed and protection software disabled before fixing.


    Now let's remove the items from Norton that remained in the logs.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    After clicking Fix, exit HJT.




    Run OTM.exe by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\$AVG8.VAULT$
    C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
     
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "URLLSTCK.exe"=-
    "IS CfgWiz"=-
    "ccApp"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3B29A786-5803-4e9e-9B58-3014A5B4E519}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{449F3A9E-9903-4a0d-A209-08030D45A935}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5677563D-0CB1-485f-9E18-C5025306BB3F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A93C9E60-29B6-49da-BA21-F70AC6AADE20}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "!{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
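    As an added example (not part of the thread, and not code from HijackThis or MajorGeeks), the HijackThis lines quoted in the two fix lists above can be triaged automatically: the parser below recognises the R0, O2, O3 and O4 sections, flags "(no file)" orphans, a start page pointing at an unexpected host, and a Run entry that only loads for another user's profile. The allow-list of start-page hosts and the sample log are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed allow-list: hosts a stock IE start page might legitimately use.
TRUSTED_START_HOSTS = {"www.msn.com", "www.google.com", "www.bing.com"}

# One regex per section seen in the thread: R0 start page, O2 BHO, O3 toolbar, O4 Run key.
PATTERNS = {
    "R0": re.compile(r"^R0 - (?P<key>.+?) = (?P<target>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>!?\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
                     r"(?P<target>.*?)(?: \(User '(?P<user>[^']*)'\))?$"),
}

@dataclass
class Finding:
    kind: str            # HijackThis section code
    name: str            # entry or value name
    target: str          # file path, URL or command line
    notes: list = field(default_factory=list)  # triage notes; empty means nothing odd

def parse_line(line: str):
    """Parse one HijackThis line; returns a Finding or None for other sections."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        name = g.get("name") or g["key"].split(",")[-1]
        f = Finding(kind, name, g["target"])
        if g["target"] == "(no file)":
            f.notes.append("orphan: registry entry points to a missing file")
        if kind == "R0":
            host = urlparse(g["target"]).hostname or ""
            if host not in TRUSTED_START_HOSTS:
                f.notes.append(f"start page set to unexpected host {host}")
        if kind == "O4" and g.get("user"):
            f.notes.append(f"autostart for profile '{g['user']}' under {g['hive']}")
        return f
    return None

def triage(log_text: str) -> list:
    return [f for f in map(parse_line, log_text.splitlines()) if f]

# Constructed sample: the lines quoted in the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredibar.com/mb185?a=6Oz0V2olFN&i=26
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\PROGRA~1\WI9130~1\Datamngr\BROWSE~1.DLL
O3 - Toolbar: (no name) - !{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-21-215359398-1740733606-1048663472-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Kids')
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, f.name, "->", f.target, "|", "; ".join(f.notes) or "ok")
```

    Entries with empty notes (such as the ccApp Run entry) still need a human decision; the script only surfaces what is structurally suspicious.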
     
  13. help.me.msft

    help.me.msft Private E-2

    Sorry, my brain is running slow tonight.
    How do I do this below?

    Also, do I run Hijackthis to do all of this?

    In terms of:
    O3 - Toolbar: (no name) - !{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    I'm disabling Avast and all browsers are closed, yet I can't seem to kill that toolbar.

    Finally, since I don't see Hitman Pro as an uninstallable program in ccleaner, do I use Hijackthis to delete it, or do I simply delete the .exe on my desktop?

    Thanks for all of your help so far...
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Open Windows Explorer and navigate to that folder. Locate the files and right click on them and select delete.

    See the link I previously gave you: Dealing with Startup Process. I suggest AutoRuns.


    Please finish the rest of my last instructions.
     
  15. help.me.msft

    help.me.msft Private E-2

    Sorry guys. This is getting increasingly vague. I really really do appreciate the help, but the last two posts are unclear. I'm a computer novice helping my neighbor who is an even bigger novice. I don't want to screw up his machine. As far as I'm concerned the PC is clean of malware. So I'd like to just get instructions on how to uninstall HitmanPro. Thanks!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry, but Windows Explorer is something that has been around since Windows was first released. It is the file manager for Windows. You can find dozens of links to it on the Internet via Google or any other search tool. There are many ways to open up Windows Explorer. One example: hold down the Windows Logo key while pressing the "e" key.

    And the AutoRuns program is in that link I gave. Try running it. If you can run HijackThis, you can run AutoRuns which is a startup manager. HijackThis is not a startup manager.

    Also we are not at a point of removing malware. You are asking for help related to things that should really be discussed in the Software Forum. I was just trying to point you in the right direction since you were complaining about slow startup and this is not a malware issue. Also I cannot be the one who decides what from these items your friend runs or needs to run. I gave my recommendation but that does not mean that your friend does not need them or want them. That is something you need to figure out along with your friend.
     
  17. help.me.msft

    help.me.msft Private E-2

    OK, I figured out how to navigate to those files to delete in Windows Explorer. I was confused because I didn't understand which files you were referring to.

    I downloaded and ran Autoruns.

    Under "Services", I unchecked these.
    Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    Under "Everything" Tab I unchecked HitmanPro.
    I then closed Autoruns and rebooted the PC. It appears it stopped HitmanPro from running, which is good.

    Do I use Autoruns to delete the stuff below too?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not "delete". You disable them from loading at startup by unchecking it. That gives you the ability to reenable them if later you find that you want or need any of them to run at startup.
     
