Please help with malware removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by HowardW, Jul 14, 2015.

  1. HowardW

    HowardW Private E-2

    My PC is very slow at loading certain web pages. Also the speedtest.net website hangs up at "searching for best server based on ping." An identical PC on the same router does not have these symptoms.

    My logs are attached. I was unable to get a log from HitmanPro because it hung on a screen asking me for my installation key.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    No logs were attached.

    Hitman Pro is free to use for scanning. You do not need a key. Please just run a scan and save a log to attach.
     
  3. HowardW

    HowardW Private E-2

    Sorry about that. I retried HitManPro. This time it ran and I saved the log.

    Trying to upload the logs again -- hope it works this time.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Malwarebytes log does not show that you fixed anything? Did you save the log before fixing or did you forget to fix? Please check by running a new scan and if anything is detected, fix it first and then save a log. Attach the new log.

    Please attach a proper text log from RogueKiller not the json file which is in XML format.

    Do you use the Yahoo Companion Toolbar?
     
  5. HowardW

    HowardW Private E-2

    I didn't notice anything in the instructions (http://forums.majorgeeks.com/showthread.php?t=139681 Step 3) about saving the log for RogueKiller in text, rather than XML form. Anyhow, I re-ran Rogue Killer and this time saved a log in text format. It is attached.

    I tried to run Malwarebytes again. However, after I clicked Scan Now, it hung up for many minutes in the Checking for Updates process. No scanning seemed to be happening. Yesterday, when I did this, I closed the program and about an hour later it popped up again with a completed scan, showing about 10 malware registry settings. However I then forgot that we are supposed to proceed to cleaning with this program (unlike with the other programs), so I just saved the log without cleaning anything.

    Today I noticed that the instructions say, "If you have a problem automatically installing the update due to no internet connection or other reason, you can manually download and install the update from here: Malwarebytes' Anti-Malware Database - http://forums.majorgeeks.com/showthread.php?t=154672. From there, I figured out after a lot of head scratching that I should download the file mbam-rules-2015.07.02.zip. From this, I extracted the files mbam-rules.exe and mbam2-rules.exe. Then I exited from Malwarebytes and I ran the two rules files. However the second one failed so I aborted its installation and reinstalled the first one. Then I started Malwarebytes again. This time it progressed beyond Check for Updates and started scanning.

    The scan took an hour and found 32 threats, mostly registry entries, including 10 categorized as Malware. What I saw on the screen was different from what the web page http://forums.majorgeeks.com/showthread.php?t=154672 said. I clicked Remove Selected. After a bit the program said 43 threats successfully quarantined. I clicked Save Results. The log is attached also.

    And no, I don't use the Yahoo Companion toolbar but I do use Yahoo Instant Messenger.

    The problems have not been fixed.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It has the below in it. Notice the .log file extension.


    Okay so then I suggest that you uninstall the toolbar now.


    Please download OTM by Old Timer and save it to your Desktop.

    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\Howard.Weisberg\AppData\Local\Temp\*.*
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
    [-HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-304742085-4023170951-4043297385-129073-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-304742085-4023170951-4043297385-129073-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Optimizer Pro]
    [-HKEY_USERS\S-1-5-21-304742085-4023170951-4043297385-129073\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-304742085-4023170951-4043297385-129073\Software\Optimizer Pro]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.

    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jul 15, 2015
  7. HowardW

    HowardW Private E-2

    I couldn't uninstall Yahoo Toolbar. The Yahoo Toolbar Uninstall Setup (32 bit) process got into a loop -- I let it run for a couple of minutes. Then I cancelled in Task Manager and tried again with no more success. Tried rebooting. Still no success.

    Any suggestions?

    I will proceed with OTM and the Junkware Removal Tool unless I hear otherwise.
     
  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    See if this portable app GeekUninstaller lists and can remove it.
     
  9. HowardW

    HowardW Private E-2

    Clicked on Uninstall Yahoo Toolbar. Yahoo Toolbar UnInstall Setup (32 bit) got into a loop -- After a couple of minutes, it was still running. So I cancelled it in Task Manager and tried again, but with no more success. Tried rebooting.

    Ran OTM.exe according to instructions. Rebooted. Speedtest.net now works. But then restarted Chrome and speedtest doesn't work. Log is attached.

    Ran Junkware Removal Tool according to instructions. Rebooted. Log is attached.

    Ran C:\MGtools\GetLogs.bat according to instructions. After a while it stopped, displaying

    MiscInfo.Bat - 10/26/2013 Version 0.13

    User Account List Seen From WMI

    There was no C:\MGlogs.zip file. Tried closing C:\MGtools\GetLogs.bat and then running it again. This time it hung up the same way, but there is a C:\MGlogs.zip file. Maybe I just didn't see the file last time. Log is attached.

    Tried uninstalling Yahoo Toolbar again with same lack of results as before. Closed the Yahoo Toolbar UnInstall Setup (32 bit) task.

    Ran GeekUninstaller. Selected Yahoo Toolbar, used Force Uninstall. YAHOO TOOLBAR WAS REMOVED (from the Programs and Features list) SUCCESSFULLY. Thanks Dr. Moriarty.

    Ran OTM.exe again. Rebooted. Have a new log. Speedtest.net works. But then restarted Chrome, and speedtest.net is back to not working (It hangs up at "searching for best server based on ping.").

    Web page loading is as slow as ever. It takes 10-20 seconds to load this http://forums.majorgeeks.com/showthread.php?p=1922024#post1922024 page. On another PC on the same router, it takes 1-2 seconds to load the page and speedtest.net works fine.

    Logs are attached.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not rename the MGlogs.zip file to attach it. Just attach MGlogs.zip as is. The file at C:\MGlogs.zip is always updated with logs as they run. If the scan from GetLogs.bat does not complete ( like you see it hang at MiscInfo.Bat ) then scans from there on will not add new data and MGlogs.zip will not be copied to the desktop but C:\MGlogs.zip will still be there containing everything from last time run plus any new updates.

    This is not a malware problem. It is likely a Chrome problem. Have you tried running it with IE or Firefox? If not then try them.

    Also not a malware problem as you really did not have too much to do and there were no serious issues. This again may be a Chrome issue. Have you tried running it with IE or Firefox? If not then try them.
     
  11. HowardW

    HowardW Private E-2

    OK, done.

    No, I have always tested in different browsers.

    Now here is the truly bizarre part. This morning I did several hours of Internet reading and shopping. Browsing was slow as usual. Then at some point I noticed that suddenly, browsing speed had improved very dramatically -- 10 or 20 times faster than before. Also my speedtest.net benchmark was working again. I verified this on several websites and in Chrome and IE. I had done nothing to make this change happen.

    So then I rebooted to see if the improvement would stay -- it didn't. I was back to the problem that caused me to try malware removal in the first place. And running OTM with the code you gave me (and rebooting when prompted) didn't change anything this time.

    So there is something that came along after a few hours and fixed the problem. And either rebooting or just waiting a while made the problem come back. This seems nonsensical to me but I saw it.

    Do you have any more ideas? If not, I'll just give up on malware removal and reinstall the OS and apps and restore the data.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So does this mean that your browsing/surfing is slow in all three browsers? Also, when you tested, did you shut down the other browsers? You need to test by only having one browser running at any time, and you need to make sure that when you exit the browser it really terminates by looking in Task Manager.

    Again it does not sound like malware behavior.


    Let's try a couple more scans just to touch all bases.


    Please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

    Please download FRST the below link:

    Farbar Recovery Scan Tool

    and save it to your Desktop.


    Note: Make sure you download the proper version ( 32 bit or 64 bit ) for your PC. Only one will run, the correct one. So if you make a mistake and download the wrong one, go back and get the other.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  13. HowardW

    HowardW Private E-2

    I looked at network timing using the browser developer tools in Chrome and IE. See attached. There are 5 second delays before each response. Suggests something is timing out.

    In any case I'm going ahead with rebuilding the entire system -- will take care of some other issues also.
     

    Attached Files:
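    The post above reports 5 second delays before each response in the browser developer tools. As an added example, not part of the thread or its attached logs, this Python script reads a HAR export of the Network tab (a constructed sample is embedded) and reports which timing phase carries the stall: a stall in dns points at name resolution, in connect at the path to the server, in wait at the server itself.

```python
import json

# Constructed sample HAR excerpt (not from the thread's attachments): three requests,
# two stalling in the dns phase and one in the wait phase, each near 5 s.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "http://www.speedtest.net/"},
     "timings": {"blocked": 1, "dns": 5003, "connect": 12, "ssl": -1,
                 "send": 0, "wait": 40, "receive": 5}},
    {"request": {"url": "http://forums.majorgeeks.com/showthread.php"},
     "timings": {"blocked": 0, "dns": 4998, "connect": 15, "ssl": -1,
                 "send": 1, "wait": 130, "receive": 9}},
    {"request": {"url": "http://forums.majorgeeks.com/style.css"},
     "timings": {"blocked": 0, "dns": 0, "connect": 2, "ssl": -1,
                 "send": 0, "wait": 4950, "receive": 3}},
]}})

# HAR timing phases in the order the browser performs them.
PHASES = ("blocked", "dns", "connect", "ssl", "send", "wait", "receive")


def phase_times(entry):
    """Return the per-phase durations (ms) that apply; HAR uses -1 for 'not applicable'."""
    t = entry.get("timings", {})
    return {p: t[p] for p in PHASES if t.get(p, -1) >= 0}


def find_stalls(har_text, threshold_ms=4500):
    """Return (url, phase, ms) for every request phase slower than threshold_ms."""
    har = json.loads(har_text)
    stalls = []
    for e in har["log"]["entries"]:
        for p, ms in phase_times(e).items():
            if ms >= threshold_ms:
                stalls.append((e["request"]["url"], p, ms))
    return stalls


def dominant_phase(har_text, threshold_ms=4500):
    """Name the phase that carries the stall most often, or None if nothing stalls."""
    counts = {}
    for _, p, _ in find_stalls(har_text, threshold_ms):
        counts[p] = counts.get(p, 0) + 1
    return max(counts, key=counts.get) if counts else None


if __name__ == "__main__":
    for url, phase, ms in find_stalls(SAMPLE_HAR):
        print(f"{ms:6d} ms in {phase:<8} {url}")
    print("dominant stall phase:", dominant_phase(SAMPLE_HAR))
```

    To use it on a real capture, replace SAMPLE_HAR with the contents of the .har file saved from the Network tab (right-click, Save all as HAR in Chrome).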

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay thanks for the update. Hope your reinstall goes easily.
     
