Not sure Laptop is clean - please verify

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gmspider, Feb 4, 2015.

  1. gmspider

    gmspider Private E-2

I first noticed problems in mid-December 2014. Was running slow. Hangs up when switching between windows, tasks in windows, etc. Programs frequently hang up and programs often show “Not Responding” status in Task Manager. When navigating through folders, they seem to spend a lot of time re-indexing before allowing me to open files. Laptop is approx. 4 years old. Figured it was the hard drive failing. Would occasionally hear 5 or 6 chimes (beeps). Cleaned fan and heat sink as much as possible. McAfee never indicated any problems until a full scan a couple of days ago. Couple of times over the past two weeks the Firefox search engine changed from Google to Yahoo. I think the homepage changed once also. (Footnote: The HitMan Pro search indicated results for ASK but did not say I had any malicious threats. It didn’t give me an option to ignore. I hit Next and it took me to a page to pay for a subscription. Hit cancel and went back to former results screen. Then saw the reports icon on the bottom left to generate the log). Also during the past couple of weeks I would get system pop up messages saying “Your current security settings do not allow this file to be downloaded”. I could never figure out what file it was trying to download.

    Before coming to Major Geeks I did the following: I have McAfee installed with continuous protection. Ran several full scans from mid-December to a couple of days ago. Never found any issues. Ran again a couple of days ago. Found two problems. Let McAfee fix them. Updated my Malwarebytes and ran Threat Scan. Found 4 issues. Let MBAM fix. Googled the names of Trojans found. One link suggested running Kaspersky Online Virus Removal. It found one Trojan and tried to automatically remove. Didn’t succeed. Ran McAfee full scan and MBAM threat scans again. Results said the computer is clean even though Kaspersky didn’t remove the threat it found. Computer seems to be running better now. Still some “Not Responding” problems but seems there are not as many.

    Kaspersky found Trojan.multi.regrun.ba. If it helps, I have screen shots of both the infected and clean McAfee scan results. I also have the infected and clean Malwarebytes logs.

    Can you review and verify that the infections are removed?

    I have attached the requested logs generated after I came to Major Geeks and went through the read me first process.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry : 15 ¤¤¤
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\0074321423095375mcinstcleanup (C:\Windows\TEMP\007432~1.EXE -cleanup -nolog) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0074321423095375mcinstcleanup (C:\Windows\TEMP\007432~1.EXE -cleanup -nolog) -> Found
    [Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4208881228-2746468126-2523380943-1001\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Found
    Now rerun Hitman and have it fix all it found.

    Reboot and do this:

    Please download the latest version of FRST from the below link.
    Farbar Recovery Scan Tool and save it to your Desktop.

    Note: Make sure you download the proper version ( 32 bit or 64 bit ) for your PC. Only one will run, the correct one. So if you make a mistake and download the wrong one, go back and get the other.

    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
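A read-only PowerShell re-check a defender can run after the fixes, to confirm the two registry locations RogueKiller flagged above are gone. This is an added example, not part of the thread and not RogueKiller's or FRST's own code; it assumes an elevated PowerShell session, and takes the CLSID and the TEMP service-path pattern from the log above.

```powershell
# Added defensive re-check (not from the thread or RogueKiller): confirm the two
# persistence locations flagged in the log above are gone. Read-only, reports only.
# Assumption: run from an elevated PowerShell so HKU and HKLM\SYSTEM are readable.

$clsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'   # CLSID from the [Tr.Poweliks] line above
$findings = @()

# 1. Poweliks-style CLSID persistence: a per-user CLSID carrying a LocalServer32 key.
#    Check every loaded user hive, not only the SID quoted in the log.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $key = "Registry::$($hive.Name)\Software\Classes\CLSID\$clsid\LocalServer32"
    if (Test-Path -LiteralPath $key) {
        $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Type = 'CLSID LocalServer32'; Location = $key; Value = $cmd }
    }
}

# 2. Services whose ImagePath launches something from C:\Windows\TEMP, the
#    [Suspicious.Path] pattern above. Treat a hit as a lead to inspect, not as proof.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $img = (Get-ItemProperty -LiteralPath $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match '\\Windows\\TEMP\\') {
        $findings += [pscustomobject]@{ Type = 'Service ImagePath in TEMP'; Location = $svc.PSChildName; Value = $img }
    }
}

if ($findings.Count -eq 0) { 'No RogueKiller indicators from the log were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The script changes nothing; a remaining hit means the fix step above should be rerun and the new log posted.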
     
  3. gmspider

    gmspider Private E-2

    Attached are the logs requested.

    FYI, before I found your forum, the infections found and fixed by McAfee and MBAM are shown in the attached screenshots.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks like the Poweliks infection has been removed.

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.

    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt). Please attach this new log to your next reply (attach or paste).
     


  5. gmspider

    gmspider Private E-2

    Your post said my computer should reboot after the fix. It didn't. I received confirmation that the log had saved but I had to reboot manually.

    In one of the next replies, can you advise on or point me to resources that will tell me what personal and other information may have been compromised so I can determine if I should take any steps to prevent identity or financial theft?
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please rerun RogueKiller and attach the new log. It looks like you are clean at this point. I don't think any personal info was compromised.
     
  7. gmspider

    gmspider Private E-2

    New RogueKiller log attached.

    You have been incredibly helpful!! My laptop performance has improved drastically, to the point I no longer suspect the hard drive to be failing.

    At one time, I had Malwarebytes running in the background on a trial subscription. Never went to a paid subscription. McAfee came installed on the Dell laptop and I have kept the subscription active. But, I have now lost a bit of confidence in McAfee. That said, are you allowed to recommend tools or a combination suite of tools that will best protect me in the future? Basically a suite of tools for firewall, antivirus with full time monitoring of all necessary components including email, malware protection running in the background. Would prefer tools that are as resource friendly as possible.

    I have read that Bitdefender and Malwarebytes are recommended favorites.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good. Pay attention to the How to Protect link.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
  9. gmspider

    gmspider Private E-2

    Tim,
    Thank you for your help!! One last question. I am going to try the free versions of the antivirus, firewall, and malware tools. Since I have purchased and have been using McAfee, do I need to only disable the program while using the other tools, or do I have to fully remove it? Same if I decide to try a different free version. Do I need to disable or remove the previous free versions?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should only have one AV program installed. You can still run MBAM, but only one Anti-virus program.
     
