OtShot, 24x7 Help, and FREE Computer Backup

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TavisA, Jun 5, 2013.

  1. TavisA

    TavisA Private E-2

    My son downloads Minecraft modpacks from a variety of file hosting sites which typically have a number of deceptive "download" buttons. Recently he let me know that our desktop has acquired a bunch of malware. The ones I recognize are OtShot and 24x7 Help, but there's also a popup saying "Reminder: Your Computer is Not Backed Up, Backup Your Files Online Today FREE Computer Backup Available".

    All these survived running the Win 7 Malware Removal/Cleaning Procedure as per the forums. My logs are attached. I've restarted the computer since then but not taken any other actions.

    Thanks in advance for your help!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [RUN][SUSP PATH] HKCU\[...]\Run : ROC_ROC_APR2013_AV (C:\Users\Tavis\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 9b0bc11efe264648bb245e697abaf754-40eea88ea66d52b0644b87af4b42bab73a1202c9 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013) [x] -> FOUND
      [RUN][SUSP PATH] HKCU\[...]\Run : Browser Infrastructure Helper (C:\Users\Tavis\AppData\Local\Smartbar\Application\QuickShare.exe startup) [x] -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-2539690882-2553571496-3344013800-1001[...]\Run : ROC_ROC_APR2013_AV (C:\Users\Tavis\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 9b0bc11efe264648bb245e697abaf754-40eea88ea66d52b0644b87af4b42bab73a1202c9 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013) [x] -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-2539690882-2553571496-3344013800-1001[...]\Run : Browser Infrastructure Helper (C:\Users\Tavis\AppData\Local\Smartbar\Application\QuickShare.exe startup) [x] -> FOUND
      [TASK][SUSP PATH] next.job : C:\ProgramData\Dimdim\Updater\next.exe [-] -> FOUND
      [TASK][SUSP PATH] next : C:\ProgramData\Dimdim\Updater\next.exe [-] -> FOUND
      [TASK][SUSP PATH] Updater26278.exe : C:\Users\Tavis\AppData\Local\Updater26278\Updater26278.exe /extensionid=26278 /extensionname="Solid Savings" /chromeid=cijeeimilokkhlfjombmalgpabbonmah [x] -> FOUND

Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Download OTL to your desktop.

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :otl
    O4 - HKLM\..\Run: [24x7HELP] "C:\Program Files (x86)\24x7Help\App24x7Help.exe" /STARTUP
    O4 - HKLM\..\Run: [OtShot] C:\Program Files (x86)\OtShot\otshot.exe -minimize
    :files
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot.lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\24x7 Help
    C:\Program Files (x86)\OtShot\otshot.exe
    C:\Program Files (x86)\24x7Help\App24x7Help.exe
    C:\Program Files (x86)\24x7Help
    C:\Users\Tavis\AppData\Local\Temp\15116100991029668.tmp
    C:\Users\Tavis\AppData\Local\Temp\15116100991032882.tmp
    C:\Users\Tavis\AppData\Local\Temp\15116100991043475.tmp
    C:\Users\Tavis\AppData\Local\Temp\41530318191044957.tmp
    C:\Users\Tavis\AppData\Local\Temp\41530318191045487.tmp
    C:\Users\Tavis\AppData\Local\Temp\41530318191045518.tmp
    
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "24x7HELP"=-
    "OtShot"=-
    
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "OtShot"=-
    "24x7HELP"=-
    
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.


    Now reboot and rescan with RogueKiller. Attach the new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
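The RogueKiller and OTL steps above remove specific Run-key values, scheduled tasks and files by name. As an added example (not part of the thread and not how RogueKiller or OTL work internally), the PowerShell audit below enumerates the same persistence points on a Windows 7 or later box and flags entries whose image lives in a user-writable directory (AppData, ProgramData, Temp), is missing on disk, or carries no valid Authenticode signature. The flagging rules and the `$suspectRoots` list are this example's own heuristics; run it from an elevated prompt as the affected user, because `HKCU:` and the `$env:` folders resolve to whichever account runs the script, not to another user's `HKU\S-1-5-21-...` hive.

```powershell
# Added example: audit Run keys and legacy .job tasks for entries launching
# from user-writable locations. Heuristics are illustrative, not a tool's logic.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Locations a properly installed program rarely launches from at logon.
# These roots belong to the account running the script (assumption).
$suspectRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$suspectPattern = '^(' + ($suspectRoots -join '|') + ')'

function Get-ImagePath {
    param([string]$Command)
    # Reduce a Run value ("C:\x\y.exe" /flag  or  C:\x\y.exe -flag) to its image path.
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^(\S+\.exe)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $image  = Get-ImagePath ([string]$p.Value)
            $exists = Test-Path -LiteralPath $image
            [pscustomobject]@{
                Key          = $key
                Name         = $p.Name
                Image        = $image
                Exists       = $exists
                Signature    = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
                UserWritable = [bool]($image -match $suspectPattern)
            }
        }
    }
}

# Legacy Task Scheduler 1.0 jobs (like the next.job entry above) live here.
function Get-LegacyJobs {
    Get-ChildItem -Path (Join-Path $env:windir 'Tasks') -Filter '*.job' -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime, FullName
}

$findings = Get-RunKeyFindings
$findings | Where-Object { $_.UserWritable -or -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-Table Key, Name, Image, Exists, Signature -AutoSize
Get-LegacyJobs | Format-Table -AutoSize

# Removal of a confirmed-bad value, dry run first (hypothetical value name):
# Remove-ItemProperty -Path $runKeys[0] -Name 'OtShot' -WhatIf
```

Unsigned binaries are common for legitimate small utilities, so treat the signature column as a prompt for a closer look rather than a verdict; the user-writable path plus an odd campaign-style value name (as with the `ROC_ROC_APR2013_AV` and `Updater26278` entries above) is the stronger signal. Tasks created through the newer Task Scheduler 2.0 API live as XML under `C:\Windows\System32\Tasks` and are not covered by the `.job` check.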
  3. TavisA

    TavisA Private E-2

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [RUN][SUSP PATH] HKCU\[...]\Run : ROC_ROC_APR2013_AV (C:\Users\Tavis\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 9b0bc11efe264648bb245e697abaf754-40eea88ea66d52b0644b87af4b42bab73a1202c9 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013) [x] -> FOUND
      [RUN][SUSP PATH] HKCU\[...]\Run : Browser Infrastructure Helper (C:\Users\Tavis\AppData\Local\Smartbar\Application\QuickShare.exe startup) [x] -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-2539690882-2553571496-3344013800-1001[...]\Run : ROC_ROC_APR2013_AV (C:\Users\Tavis\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 9b0bc11efe264648bb245e697abaf754-40eea88ea66d52b0644b87af4b42bab73a1202c9 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013) [x] -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-2539690882-2553571496-3344013800-1001[...]\Run : Browser Infrastructure Helper (C:\Users\Tavis\AppData\Local\Smartbar\Application\QuickShare.exe startup) [x] -> FOUND
      [TASK][SUSP PATH] next.job : C:\ProgramData\Dimdim\Updater\next.exe [-] -> FOUND
      [TASK][SUSP PATH] next : C:\ProgramData\Dimdim\Updater\next.exe [-] -> FOUND
      [TASK][SUSP PATH] Updater26278.exe : C:\Users\Tavis\AppData\Local\Updater26278\Updater26278.exe /extensionid=26278 /extensionname="Solid Savings" /chromeid=cijeeimilokkhlfjombmalgpabbonmah [x] -> FOUND

Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    Reboot and go to add/remove programs and uninstall:
    24x7 Help
    Origin
    OtShot

    You may wish to use:

    Startup_CPL

    Tell me what issues continue, if any.
     
  5. TavisA

    TavisA Private E-2

    I must have attached one of the older logs to my message, as those registry entries are already gone from my RogueKiller list. Here is a guaranteed-new RK log.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What issues are you still having, if any?
     
  7. TavisA

    TavisA Private E-2

    AdChoice appears in Chrome browser and FREE computer backup window pops up at startup.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

While you have Google Chrome open, type this into the address bar and press ENTER: chrome://chrome/settings/

From here you should be able to remove any settings related to AdChoice.

    And you can use the start up CPL I linked to you for the other.
     
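The Chrome settings page lets you remove extensions by their display name, but the RogueKiller output earlier in the thread only gives an extension ID (`cijeeimilokkhlfjombmalgpabbonmah`). As an added example (not part of the thread or of any Chrome tooling), the script below builds an inventory of the current user's Chrome extensions from each one's `manifest.json`, resolves localised names, and flags extensions that do not update from the Chrome Web Store or that request access to every site. It assumes Chrome's default profile location under `%LOCALAPPDATA%`, a single `Default` profile, and PowerShell 3 or later for `ConvertFrom-Json`.

```powershell
# Added example: inventory Chrome extensions by reading manifest.json files.
# Profile path and the flagging rules are this example's assumptions.

$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'

function Get-ChromeExtensionInventory {
    param([string]$Root = $extRoot)
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    foreach ($idDir in Get-ChildItem -LiteralPath $Root -Directory) {
        # Each 32-letter extension ID folder holds one or more version folders.
        foreach ($verDir in Get-ChildItem -LiteralPath $idDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path -LiteralPath $manifestPath)) { continue }
            $m = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json

            # Localised names appear as __MSG_key__ and resolve via _locales/<default_locale>/messages.json.
            $name = [string]$m.name
            if ($name -match '^__MSG_(.+)__$' -and $m.default_locale) {
                $key     = $Matches[1]
                $msgFile = Join-Path $verDir.FullName "_locales\$($m.default_locale)\messages.json"
                if (Test-Path -LiteralPath $msgFile) {
                    $msgs = Get-Content -LiteralPath $msgFile -Raw | ConvertFrom-Json
                    if ($msgs.$key) { $name = $msgs.$key.message }
                }
            }

            [pscustomobject]@{
                Id          = $idDir.Name
                Version     = $verDir.Name
                Name        = $name
                Permissions = (@($m.permissions) -join ', ')
                UpdateUrl   = [string]$m.update_url
                Path        = $verDir.FullName
            }
        }
    }
}

$inventory = Get-ChromeExtensionInventory

# Flag anything not served from the Web Store update endpoint, and anything
# that can read and modify every page (ad injection needs exactly that).
$inventory | Where-Object {
    $_.UpdateUrl -notlike 'https://clients2.google.com/service/update2/crx*' -or
    $_.Permissions -match '<all_urls>|\*://\*/\*|https?://\*/\*'
} | Format-Table Id, Name, Version, UpdateUrl -AutoSize

# Map the ID from the Updater26278 task in the RogueKiller output to a name and folder.
$inventory | Where-Object { $_.Id -eq 'cijeeimilokkhlfjombmalgpabbonmah' } |
    Format-List Id, Name, Version, Path
```

Removing the folder alone is not a clean uninstall: Chrome records the extension in the profile's `Preferences`/`Secure Preferences` files, and an extension can also be pushed in from outside the profile through `HKLM\SOFTWARE\Google\Chrome\Extensions` or the `ExtensionInstallForcelist` policy, which is why a reinstall of Chrome after clearing the profile (the step that finally worked later in this thread) is sometimes simpler than surgery on the profile.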
  9. TavisA

    TavisA Private E-2

    CPL took care of MyPCBackup and PCFixSpeed, but the AdChoices popups remain. A screenshot is attached.
     

    Attached Files:

    Last edited: Jun 10, 2013
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Uninstall Chrome, run CCleaner and reinstall. Tell me if that fixed it.
     
  11. TavisA

    TavisA Private E-2

    That seems to have done the trick. Thanks!
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
7. After doing the above, you should work through the below link


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
