Malware Infected PC - Scan Logs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fatbuttbiker, Dec 23, 2014.

  1. Fatbuttbiker

    Fatbuttbiker Private E-2

    Hello All,

    Thanks in advance for the help. Long time reader of Major Geeks, first time poster. I'm helping my brother-in-law fix his computer over the holidays. I hope I can get some help before I need to go home as this PC has some problems.

    I've read the FAQs, downloaded the tools, disabled UAC as instructed. This computer is running 64 bit Windows 7. Attached are the requested 5 logs.

    Thanks again for your assistance. Happy Holidays.

    Fatbuttbiker
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Seems this PC was loaded with junk!

    Please run Hitman Pro again and this time allow it to fix any of the items under the below headings if they still show up.
    Malware
    Malware remnants
    Potential Unwanted Programs

    After fixing, please reboot immediately. Then after reboot, re-run RogueKiller and look to see if any of the below still show up under the registry tab. If they do, then delete these and only these.

    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | BrowserSafeguard : "C:\Program Files (x86)\BrowserSafeguard\BrowserSafeguard.exe" -> Found
    [PUP] (X64) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Run | RocketTab : "C:\Users\rezac\AppData\Local\Search Extensions\Client.exe" -> Found
    [PUP] (X64) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Run | iLivid : "C:\Users\rezac\AppData\Local\iLivid\iLivid.exe" -autorun -> Found
    [PUP] (X86) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Run | RocketTab : "C:\Users\rezac\AppData\Local\Search Extensions\Client.exe" -> Found
    [PUP] (X86) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Run | iLivid : "C:\Users\rezac\AppData\Local\iLivid\iLivid.exe" -autorun -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CltMngSvc -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CltMngSvc -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\CltMngSvc -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49729;https=127.0.0.1:49729 -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49729;https=127.0.0.1:49729 -> Found


    After fixing, please reboot immediately. Then after reboot, continue with the below.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run new scans with Hitman Pro and Rogue Killer and save new logs.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the new Hitman and RogueKiller logs
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
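The RogueKiller registry findings above fall into three groups a defender should read differently: Run-key autostarts (here launching from the user's AppData folder), an installed service, and browser proxy settings redirected to a local port, which means some process on the PC is placed between the browser and the web. The parser below is an added example, not part of the thread and not RogueKiller's own code; it assumes only the line format quoted above, and its sample input is constructed from those same lines. It collapses the X86/X64 duplicates the scanner prints for each view and summarises what each surviving item does.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: RogueKiller "Registry" tab lines in the same format
# as the ones quoted earlier in this thread (a subset, with X86/X64 duplicates kept).
SAMPLE_LOG = r"""
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | BrowserSafeguard : "C:\Program Files (x86)\BrowserSafeguard\BrowserSafeguard.exe" -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Run | iLivid : "C:\Users\rezac\AppData\Local\iLivid\iLivid.exe" -autorun -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Run | iLivid : "C:\Users\rezac\AppData\Local\iLivid\iLivid.exe" -autorun -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CltMngSvc -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2928693431-281075599-2112332827-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:49729;https=127.0.0.1:49729 -> Found
"""

# One scanner line: "[category] (view) key [| name : data] -> status"
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] \((?P<view>X86|X64)\) "
    r"(?P<key>[^|]+?)"
    r"(?: \| (?P<name>[^:]+?) : (?P<data>.*?))?"
    r" -> (?P<status>\w+)$"
)
# A proxy whose host is the local machine (the pattern seen in this thread).
LOOPBACK_PORT_RE = re.compile(r"(?:127\.0\.0\.1|localhost):(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    category: str        # e.g. "PUP" or "PUM.Proxy"
    view: str            # registry view the scanner walked: X86 or X64
    key: str             # full registry key path
    name: Optional[str]  # value name; None for a bare key such as a service
    data: Optional[str]  # value data as printed by the scanner
    status: str          # "Found", etc.


def parse_line(line: str) -> Optional[Finding]:
    """Parse one scanner line; returns None for lines that are not findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Finding(m["category"], m["view"], m["key"], m["name"], m["data"], m["status"])


def parse_log(text: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f is not None]


def dedupe_views(findings: List[Finding]) -> List[Finding]:
    """Collapse entries the scanner printed once per registry view (X86 and X64)
    for the same path, name and data: they are one persistence item, not two."""
    seen, out = set(), []
    for f in findings:
        ident = (f.category, f.key.lower(), (f.name or "").lower(), f.data)
        if ident not in seen:
            seen.add(ident)
            out.append(f)
    return out


def explain(f: Finding) -> str:
    """Plain-language note on what the registry item does on the machine."""
    key = f.key.lower()
    if f.category.startswith("PUM.Proxy") and f.name and f.name.lower() == "proxyserver":
        if f.data and LOOPBACK_PORT_RE.search(f.data):
            return "browser proxy points at a local port: a process on this PC sits between the browser and the web"
        return "browser proxy set to a remote server"
    if f.category.startswith("PUM.Proxy") and f.name and f.name.lower() == "proxyenable":
        return "proxy use switched on (check the matching ProxyServer entry)"
    if key.endswith("\\run") and f.data:
        where = "the user profile (AppData)" if "\\appdata\\" in f.data.lower() else "Program Files or elsewhere"
        return f"autostart entry launching from {where}"
    if "\\services\\" in key:
        return "installed Windows service (starts at boot, with no user login needed)"
    return "unclassified registry item"


def triage(text: str) -> Dict[str, object]:
    """Summarise a RogueKiller registry-tab excerpt for a quick defender read."""
    raw = parse_log(text)
    findings = dedupe_views(raw)
    ports = set()
    for f in findings:
        if f.data and f.name and f.name.lower() == "proxyserver":
            ports.update(int(p) for p in LOOPBACK_PORT_RE.findall(f.data))
    return {
        "total_lines": len(raw),
        "unique_items": len(findings),
        "loopback_proxy_ports": sorted(ports),
        "autostart_from_appdata": [f.name for f in findings
                                   if f.data and f.key.lower().endswith("\\run")
                                   and "\\appdata\\" in f.data.lower()],
        "services": [f.key.rsplit("\\", 1)[-1] for f in findings if "\\services\\" in f.key.lower()],
        "report": [f"[{f.category}] {f.name or f.key.rsplit(chr(92), 1)[-1]}: {explain(f)}" for f in findings],
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["report"]:
        print(line)
```

Running it on the sample prints one line per unique item; the two iLivid entries collapse into one, and the proxy lines are the ones to read first, because a loopback proxy with ProxyEnable set to 1 means every browser request was being routed through local port 49729 before it left the machine. The same summary works on a full RogueKiller registry section pasted into `triage()`.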
     
  3. Fatbuttbiker

    Fatbuttbiker Private E-2

    chaslang,

    Thanks for the quick reply.

    I ran Hitman Pro again as requested. I'm a bit confused as to what qualifies as:
    Malware
    Malware remnants
    Potential Unwanted Programs

    I've attached the scan log. Can you help me identify which are okay to delete, quarantine, or repair?

    Items that are shown in my scan results with a Red "X" shield are:
    3 Proxy server issues pointing to the local computer. Can I repair these?
    2 Riskware (which seem like viruses or Trojans)
    - Client.exe (Gen:Variant.Adware.Graftor.164387)
    - MyOSProtect64.dll (Adware.LoadShop.C)
    14 items shown as "Activeris".

    Then I have a bunch of gray shields.

    Sorry to bug you. Just want to be very clear before moving forward with Hitman Pro.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ADDITIONAL STEP TO TAKE FIRST: Make sure that you have uninstalled Avira before continuing because it will likely interfere with getting things fixed up.


    Basically, everything shown in your Hitman log file needs to be removed. You can see the headings I mentioned in the log file. You can also add the Proxy Repairs although they may or may not work yet.
     
  5. Fatbuttbiker

    Fatbuttbiker Private E-2

    chaslang,

    Thanks so much for all of your help. I've followed your instructions and have attached the 4 logs (JRT, Hitman, RogueKiller and MGlogs.zip).

    As I mentioned previously, this is my brother-in-law's computer and so I'm not sure how "well" it is running, but it seems to be responsive and running fine. I was going to run some Malwarebyte scans to see what might be picked up. It seems that most if not all of the malware is gone. I think there is an Avira Browser add-on that I might remove.

    After tomorrow, I'm leaving the area and won't be able to directly help my brother-in-law. Please advise if you think it is okay to change the UAC settings back to recommended. Also, please advise on what you think would be best to install on this PC to keep it as healthy as possible. (I know this depends on usage as well.)

    I also need to re-install a free antivirus program and wondered if you had a favorite. I personally like BitDefender, but I find that it is a bit confusing to someone who is used to a standard Anti-Virus user interface.

    Thanks again for this. You've helped me immensely. Let me know if there is anything else that I should do based on the logs.

    Fatbuttbiker
     

    Attached Files:

  6. Fatbuttbiker

    Fatbuttbiker Private E-2

    Update to my previous post.

    I scanned the C: Drive and an external hard drive (F:) using Malwarebytes and got 15 results of potentially unwanted programs. Some of which seem to match registry entries that you had me delete using Rogue Killer.

    I believe that Malwarebytes wants to quarantine these files. Please advise.

    Fatbuttbiker
     

    Attached Files:

  7. Fatbuttbiker

    Fatbuttbiker Private E-2

    Further Update. I believe all problems are resolved.

    Thank you for your help. I was able to use Malwarebytes to remove the remaining 15 PUPs. I've run Hitman Pro and Malwarebytes and am now getting zero detections on a full scan.
    In the process of removing the 15 files above, I disabled and enabled System Restore and deleted old restore points as there were infected files in these.

    Turns out that my brother-in-law had just purchased Kaspersky Internet Security for a good deal for 3 years. So, I've reinstalled that security suite and he should be fairly well protected moving forward. Initial full scans resulted in zero detections.

    Happy Holidays and thanks again. I was able to give my sister and her family a nice Christmas gift by fixing their computer.

    Fatbuttbiker.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. We have a little final cleanup to do. Since you already reset system restore I will leave it out of my instructions.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
     
  9. Fatbuttbiker

    Fatbuttbiker Private E-2

    chaslang,

    Malwarebytes Anti-Malware is installed. The pro version since he had a valid license. I hope this plays well with Kaspersky Internet Security. It seems to so far.

    I never disabled Disk Emulation software. I didn't think it applied so I skipped this step.

    When I went through the instructions, I put UAC at don't notify using the control panel. I ran the C:\MGtools\enableUAC.reg file as requested. It didn't seem to do anything. I manually set the UAC to recommended through the Control Panel. I also checked that the following Registry key was set at "1".
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

    Ran the MGclean.bat file and that cleaned up MGTools.

    I think we have a clean PC. Thanks so much for doing this over the holidays. It's really quite amazing that I got so much help on short notice. Thanks for the excellent guide. I've always used it, but following it to the letter to fix this PC really saved me some headaches. My sister and brother-in-law are thrilled to get their PC back.

    Happy Holidays.

    Fatbuttbiker
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely and Happy Holidays to you too. :)
     
