Messed Up Machine

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by edpolakoff, Feb 12, 2016.

  1. edpolakoff

    edpolakoff Private First Class

    I have a Win7 64 bit machine that I can't get online. The person who gave it to me admitted to watching porn, which is probably where her malware came from. It would pop up messages about threats, but the program producing the message didn't identify itself.

    I've gone through and removed all the toolbars and junk programs I could find and have run CCleaner.

    I've renamed and installed Malwarebytes and updated the database manually. I hit scan, it gets 4 seconds in and terminates. I get a message that the threat scan was cancelled. I've tried running MB by double clicking and as an admin with the same results.

    Where do we go from here?

    As always, I appreciate all of you who spend your time helping me and others here on this forum.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to the Malware Removal forum. :)

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide

    and attach the requested logs when you finish these instructions.

      • **** If something does not run, write down the info to explain to us later but keep on going. ****
      • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
      • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

    Helpful Notes:

      • If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
      • If you have problems downloading on the problem PC, download the tools and the manual update Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
      • If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only RogueKiller and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run the rest of the READ & RUN ME FIRST instructions on the infected account.
      • To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. edpolakoff

    edpolakoff Private First Class

    OK. Let me see if I can get you what you asked for. I ran Hitman Pro in regular mode and safe mode. It found 100 plus items, but would not allow me to save a log regardless of running in normal or safe mode.

    I tried running Malwarebytes in safe mode and it would not run there either.

    RK ran in regular mode.

    The enclosed logs from MGTools were run in safe mode. I figured since I was already there, I'd stay there.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you attach a screen shot of the Hitman results?

    Rerun RogueKiller and have it fix these items:
    ¤¤¤ Registry : 73 ¤¤¤
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Conduit -> Found

    ¤¤¤ Files : 5 ¤¤¤
    [PUP][Folder] C:\Program Files (x86)\Conduit -> Found

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.


    Please do all the above in normal mode.
     
  5. edpolakoff

    edpolakoff Private First Class

    Ok. The reg edit worked and terminated as complete. I ran the other scans you asked for and took a couple of Hitman Pro screenshots for you. Let me know what else you need. Thanks for your help.
     


  6. edpolakoff

    edpolakoff Private First Class

    one more log
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, from your screen shot, Hitman didn't find anything significant. Rerun RogueKiller and have it fix these items:

    ¤¤¤ Registry : 73 ¤¤¤
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Conduit -> Found
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-657358059-43042059-3405116561-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.conduit.com?SearchSource=10&CUI=UN22289577861075120&UM=2&ctid=CT3298580 -> Found
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-657358059-43042059-3405116561-501-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.conduit.com?SearchSource=10&CUI=UN22289577861075120&UM=2&ctid=CT3298580 -> Found

    ¤¤¤ Files : 5 ¤¤¤
    [PUP][Folder] C:\Program Files (x86)\Conduit -> Found

    Reboot and rescan with RogueKiller and attach the new log.

    Did you save a log from ADWCleaner?
     
  8. edpolakoff

    edpolakoff Private First Class

    Sorry about the ADW log. I didn't realize it was in a folder on C drive. I'm enclosing it. The other thing I really want to get rid of is the Best Buy app...it seems to be not real as well.
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have ADWcleaner fix everything it found. Then rerun RogueKiller and have it fix these items:


    ¤¤¤ Registry : 29 ¤¤¤
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities Inc -> Found
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\SweetIM -> Found
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Systweak -> Found
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
    [PUP] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} -> Found
    [PUP] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} -> Found
    [PUP] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} -> Found
    [PUP] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-657358059-43042059-3405116561-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:8080 -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-657358059-43042059-3405116561-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:8080 -> Found

    Reboot and rescan with RogueKiller and attach the new log. Be sure to tell me how things are running.
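    As an added example that is not part of this thread, the following PowerShell audit re-checks the settings RogueKiller flagged in this post and in post 7 (the Conduit start page, the ProxyServer values in each user hive, and the machine-wide Browser Helper Objects) so the fix can be confirmed after the reboot. It assumes an elevated PowerShell prompt on the affected Windows 7 x64 machine; the function names are my own, not from any of the tools used above.

```powershell
# Added audit script (not from the thread): re-checks the start page, proxy and BHO
# settings RogueKiller flagged. Assumes an elevated prompt on the Win7 x64 machine.
$ieMain  = 'Software\Microsoft\Internet Explorer\Main'
$inetSet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
function Get-UserBrowserSettings {
    # One record per loaded hive (.DEFAULT, S-1-5-18/19/20, S-1-5-21-* as in the log).
    Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $main = Get-ItemProperty "Registry::HKEY_USERS\$sid\$ieMain"  -ErrorAction SilentlyContinue
            $inet = Get-ItemProperty "Registry::HKEY_USERS\$sid\$inetSet" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Hive        = $sid
                StartPage   = $main.'Start Page'
                ProxyEnable = $inet.ProxyEnable
                ProxyServer = $inet.ProxyServer
                # The two conditions seen in the log: a Conduit start page, and a proxy on
                # localhost (localhost:8080 above) that funnels browser traffic through a local listener.
                Suspicious  = ($main.'Start Page' -like '*conduit.com*') -or
                              ($inet.ProxyServer -match '(^|=)(localhost|127\.0\.0\.1):')
            }
        }
}
function Get-RegisteredBHOs {
    # Machine-wide BHOs load into every IE process; each CLSID is registered in the
    # 64-bit view and in the Wow6432Node (32-bit) view and resolves to a DLL path.
    $views = @(
        @{ Arch = 'X64'; Cls = 'HKLM:\Software\Classes\CLSID'
           Bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
        @{ Arch = 'X86'; Cls = 'HKLM:\Software\Classes\Wow6432Node\CLSID'
           Bho = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' }
    )
    foreach ($v in $views) {
        Get-ChildItem $v.Bho -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $dll   = (Get-ItemProperty "$($v.Cls)\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Arch   = $v.Arch
                CLSID  = $clsid
                Dll    = $dll
                # A BHO whose DLL is missing or not validly signed deserves a closer look.
                Signed = [bool]($dll -and (Test-Path $dll -ErrorAction SilentlyContinue) -and
                                (Get-AuthenticodeSignature $dll).Status -eq 'Valid')
            }
        }
    }
}
Get-UserBrowserSettings | Format-Table -AutoSize
Get-RegisteredBHOs      | Format-Table -AutoSize
```

    The per-user BHO keys listed under HKEY_USERS in the log above are not covered by this script; RogueKiller's rescan remains the check for those.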
     
  10. edpolakoff

    edpolakoff Private First Class

    It was having a hard time connecting to my wireless and to the Internet. I still can't access the "settings" button on IE. This is the first time I'm trying to get it online again since it came here and wouldn't connect. I'm still passing files back and forth through my Mac. I figured if the USB drive picked up anything from the PC, it wouldn't have a lot of effect on my Mac. I still have not reinstalled any anti-virus software on it either. Avast is what I usually use, but I know it interferes with a lot of what you guys try and help with, so I've left it off.

    I updated Chrome. I was able to get to Google's store for add-ons and installed WOT and Adblock, though I'm not so sure it was the real site. I just tried to access my photography website and it said no website was configured at that address. I managed to get speedtest.net and Yahoo to come up, but everything is very slow to load and speedtest is showing 38mbps down. So, Chrome seems to be working.

    Went back to IE. Now able to access advanced settings. I want it to clear the cache when it closes. Things seem to be working again. I'm not sure why it was so slow to begin with. This machine does reboot quickly, something I wish my desktop would do. I'll start another thread to see if one of you can help me with that.

    Looks like I have an option to install Win10 on this machine. What are your thoughts on doing that...especially where safety is concerned?
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. Any other issues should be addressed in the software forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8 or 10, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
  12. edpolakoff

    edpolakoff Private First Class

    Tim, things seem to be working well. The upgrade to 10 was smooth. I appreciate your help and input!
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing.
     
