This Setting Is Enforced By The Administrator

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wildgrem, Jun 7, 2017.

  1. wildgrem

    wildgrem Private E-2

    I tried using some backup software and got nailed with a browser hijacker and some other junk. Dumbass move. Anyway I ran through the Read and Run Me First section. Here are the logs. Running Win 7.

    Thanks, you guys are great.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please note:

    You may need to disable the Chrome synchronization from your Google account in order to fully remove the malicious preferences.

    Now rerun ADW and have it remove these items:

    ***** [ Shortcuts ] *****

    Shortcut infected: C:\Users\Public\Desktop\Google Chrome.lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J%2FJHa6yFIukHWNys%3D )
    Shortcut infected: C:\Users\Public\Desktop\King's Quest III Redux.lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J%2FJHa6yFIukHWNys%3D )
    Shortcut infected: C:\Users\Public\Desktop\Mozilla Firefox.lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J%2FJHa6yFIukHWNys%3D )
    Shortcut infected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J%2FJHa6yFIukHWNys%3D )
    Shortcut infected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J%2FJHa6yFIukHWNys%3D )
    Shortcut infected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AGD Interactive\King's Quest III Redux\King's Quest III Launcher.lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf7B0Efi7PgWBw9G
    Shortcut infected: C:\Users\Wild Gremlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J%2FJHa6yFIukHWNys%
    Shortcut infected: C:\Users\Wild Gremlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf
    Shortcut infected: C:\Users\Wild Gremlin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J

    Rerun Hitman and remove all the cookies that it found.

    Finally, rerun RogueKiller and have it remove these items:

    ¤¤¤ Files : 22 ¤¤¤
    [Hj.Shortcut][File] C:\Users\Public\Desktop\Google Chrome.lnk [LNK@] C:\PROGRA~2\Google\Chrome\APPLIC~1\chrome.exe https://launchpage.org/?uid=qT1KBGjchxltXu+aqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J/JHa6yFIukHWNys= -> Found
    [Hj.Shortcut][File] C:\Users\Public\Desktop\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\MOZILL~1\firefox.exe https://launchpage.org/?uid=qT1KBGjchxltXu+aqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J/JHa6yFIukHWNys= -> Found
    [Hj.Shortcut][File] C:\Users\Wild Gremlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe https://launchpage.org/?uid=qT1KBGjchxltXu+aqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J/JHa6yFIukHWNys= -> Found
    [Hj.Shortcut][File] C:\Users\Wild Gremlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe https://launchpage.org/?uid=qT1KBGjchxltXu+aqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J/JHa6yFIukHWNys= -> Found
    [Hj.Shortcut][File] C:\Users\Wild Gremlin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk [LNK@] C:\PROGRA~2\INTERN~1\iexplore.exe https://launchpage.org/?uid=qT1KBGjchxltXu+aqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J/JHa6yFIukHWNys= -> Found
    [PUP.SearchProtect][File] C:\Windows\System32\drivers\SPPD.sys -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.4.9_42923\utorrentie.exe -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.4.9_43295\utorrentie.exe -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.4.9_43388\utorrentie.exe -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.5.0_43580\utorrentie.exe -> Found
    [Tr.Gen0][File] C:\Users\Wild Gremlin\AppData\Roaming\uTorrent\updates\3.5.0_43804\utorrentie.exe -> Found
    [Hj.Shortcut][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk [LNK@] C:\PROGRA~2\Google\Chrome\APPLIC~1\chrome.exe https://launchpage.org/?uid=qT1KBGjchxltXu+aqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J/JHa6yFIukHWNys= -> Found
    [Hj.Shortcut][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\MOZILL~1\firefox.exe https://launchpage.org/?uid=qT1KBGjchxltXu+aqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J/JHa6yFIukHWNys= -> Found
    [Hj.Shortcut][File] C:\Users\Public\Desktop\Google Chrome.lnk [LNK@] C:\PROGRA~2\Google\Chrome\APPLIC~1\chrome.exe https://launchpage.org/?uid=qT1KBGjchxltXu+aqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J/JHa6yFIukHWNys= -> Found
    [Hj.Shortcut][File] C:\Users\Public\Desktop\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\MOZILL~1\firefox.exe https://launchpage.org/?uid=qT1KBGjchxltXu+aqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J/JHa6yFIukHWNys= -> Found
    [Hj.Shortcut][File] C:\Users\Wild Gremlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe https://launchpage.org/?uid=qT1KBGjchxltXu+aqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J/JHa6yFIukHWNys= -> Found

    Reboot and rescan with ADW, Hitman and RogueKiller and attach the new logs.
     
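The [Hj.Shortcut] entries above share one pattern: the shortcut target is still the real chrome.exe, firefox.exe or iexplore.exe, but the shortcut's argument field has been set to the launchpage.org URL, so every launch opens that page. As an added example (not part of this thread and not code from ADW or RogueKiller), the PowerShell script below audits the shortcut folders named in these logs for any .lnk whose arguments contain a URL and, with -Fix, clears that argument; the folder list, the -Fix switch and running it as an administrator from the affected user's account are my assumptions.

```powershell
# Audit (and optionally repair) .lnk shortcuts whose Arguments field carries a URL,
# the pattern reported as [Hj.Shortcut] in the logs above.
# Assumptions: run from the affected user's account with administrator rights so
# the ProgramData entries can be rewritten; $locations mirrors the log paths.
param([switch]$Fix)

$locations = @(
    "$env:PUBLIC\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:USERPROFILE\Desktop"
)

# WScript.Shell reads and writes the Shell Link fields without a custom parser.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        # A browser shortcut normally has an empty Arguments field; a URL there
        # means the browser is started on the hijacker's page instead of its own
        # start page, which is why the hijack survives a browser reset.
        if ($lnk.Arguments -match '(?i)\bhttps?://') {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
            if ($Fix) {
                $lnk.Arguments = ''   # keep the target, drop the injected URL
                $lnk.Save()
            }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
"$(@($findings).Count) shortcut(s) with a URL argument found."
```

Run it once without -Fix to review what it reports, then with -Fix; the expected clean result is zero findings on a rescan.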
  3. Boston2011

    Boston2011 Private E-2

    Thank you! Here are the new logs. A few of the shortcuts are coming back when scanned with ADW, and there are a bunch of different alerts not in the shortcut folder that I left alone. I also noticed Chrome syncs back up on reboot. Not sure how to turn that off.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to have ADW remove these shortcuts:

    ***** [ Shortcuts ] *****

    Shortcut infected: C:\Users\Public\Desktop\King's Quest III Redux.lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf7B0Efi7PgWBw9GtwX78J%2FJHa6yFIukHWNys%3D )
    Shortcut infected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AGD Interactive\King's Quest III Redux\King's Quest III Launcher.lnk ( hxxps://launchpage.org/?uid=qT1KBGjchxltXu%2BaqRSvlKlsSVqxxeFf7B0Efi7PgWBw9G

    Otherwise, your logs are clean. What issues are you still having?
     
  5. Boston2011

    Boston2011 Private E-2

    These guys are still in my extensions and settings and I can't get em out.


    upload_2017-6-7_15-4-36.png


    upload_2017-6-7_15-5-14.png
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  7. Boston2011

    Boston2011 Private E-2

    So that didn't exactly work, but I cleaned out registries with the unTabs id (pphnm...ceid) and that worked... but I'm still stuck with cleanserp.net as my default search engine.

    It was affecting IE and Firefox but has been successfully removed with your help. Only affecting Chrome now.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    1. On your computer, open Chrome.
    2. At the top right, click More.
    3. Select Settings.
    4. At the bottom, click Show advanced settings.
    5. Under the "Reset settings" section, click Reset settings.
    6. Confirm by clicking Reset.
     
  9. Boston2011

    Boston2011 Private E-2

    Yeah, I did that before, but no dice, so I uninstalled with Revo Uninstaller, rebooted and reinstalled Chrome. Cleanserp.net was still there but wasn't locked anymore, so I deleted it. My computer is running clean now, thanks for the help!
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8 or 10, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
