MajorGeeks Support Forums

MajorGeeks Support Forums (http://forums.majorgeeks.com/index.php)
-   Malware Removal (http://forums.majorgeeks.com/forumdisplay.php?f=35)
-   -   Heavily Infected, Please help... (http://forums.majorgeeks.com/showthread.php?t=277371)

Craig0822 06-09-13 20:19

Heavily Infected, Please help...
 
4 Attachment(s)
TDSS couldn't initialize log; received an error telling me so at startup. LOTS of unknown processes slowing computer to a crawl. Thanks in advance. :)

-Craig

Kestrel13! 06-11-13 16:41

Re: Heavily Infected, Please help...
 
Uninstall the below:
  • Search Protect by conduit
  • SweetPacks Updater Service

Re run Hitman and have it delete Potential Unwanted Programs.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

Tell me how things are running.

Craig0822 06-11-13 22:26

Re: Heavily Infected, Please help...
 
1 Attachment(s)
Actually running somewhat faster now. Still, there are many questionable processes running and speed is not up to par, but not crawling anymore... here's the log, please help me clean the rest of the trash up, thanks in advance.

Kestrel13! 06-12-13 16:43

Re: Heavily Infected, Please help...
 
Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
  • R3 - URLSearchHook: (no name) - - (no file)
  • O2 - BHO: Updater By SweetPacks Helper - {7D4F1959-3F72-49d5-8E59-F02F8AA6815D} - C:\Program Files\Updater By SweetPacks\Extension32.dll
  • O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
  • O3 - Toolbar: SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
  • O4 - HKLM\..\RunOnce: [SpUninstallCleanUp] REG delete HKEY_CURRENT_USER\Software\SearchProtect /f
  • O4 - HKCU\..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "C:\Users\tonyndonna\AppData\Roaming\SearchProtect"
  • O23 - Service: Updater By SweetPacks - Unknown owner - C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe

After clicking Fix exit HJT.



Delete these folders:
  • C:\Program Files (x86)\SearchProtect
  • C:\Program Files (x86)\SweetIM



Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"=-
[HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\RunOnce]
"SpUninstallCleanUp"=-
[HKEY_USERS\S-1-5-21-1464129475-3288885889-2578775911-1000\Software\Microsoft\Windows\CurrentVersion\runonce]
"SpUninstallDeleteDir"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

What problems remain?
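
The fixME.reg script above uses two pieces of .reg syntax that are easy to misread: a value line ending in `=-` deletes that single value, and a key line written as `[-KEY]` deletes the whole key with its subkeys, while a plain `[KEY]` line creates the key if it is missing. The following parser is an added example (not part of the thread, and not code from MajorGeeks or the MGtools package) that translates a .reg file into the list of actions regedit would perform on merge, so a reader can audit a cleanup script before double-clicking it. It only interprets the text; it never touches a live registry. The sample input is the script quoted above, reproduced verbatim.

```python
import re

# Constructed sample: the cleanup script posted in the thread above, reproduced
# verbatim so the parser can be run offline.  Nothing here touches a live registry.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"=-
[HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\RunOnce]
"SpUninstallCleanUp"=-
[HKEY_USERS\S-1-5-21-1464129475-3288885889-2578775911-1000\Software\Microsoft\Windows\CurrentVersion\runonce]
"SpUninstallDeleteDir"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]
"""

# Both header lines regedit accepts (REGEDIT4 is the older ANSI format).
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# A value line: either @ (the default value) or a quoted name, then '=' and data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Translate a .reg file into the actions regedit would perform on merge.

    Returns a list of (action, key, value_name, data) tuples where action is
    one of: ensure_key, delete_key, delete_value, set_value.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / 5.00 header")
    actions = []
    current_key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):        # [-KEY] deletes the whole key and its subkeys
                actions.append(("delete_key", key[1:], None, None))
                current_key = None
            else:                          # [KEY] creates the key if it is absent
                actions.append(("ensure_key", key, None, None))
                current_key = key
            continue
        if current_key is None:
            raise ValueError(f"value line outside a key section: {line}")
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse value line: {line}")
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2).strip()
        if data == "-":                    # "Name"=- deletes that single value
            actions.append(("delete_value", current_key, name, None))
        else:                              # anything else sets the value's data
            actions.append(("set_value", current_key, name, data))
    return actions


def describe(actions):
    """Human-readable audit trail, useful before merging a script you did not write."""
    out = []
    for action, key, name, data in actions:
        if action == "delete_key":
            out.append(f"DELETE KEY   {key}")
        elif action == "delete_value":
            out.append(f"DELETE VALUE {key} -> {name}")
        elif action == "set_value":
            out.append(f"SET VALUE    {key} -> {name} = {data}")
        else:
            out.append(f"ENSURE KEY   {key}")
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(SAMPLE_REG)):
        print(line)
```

Run against the sample, the audit trail shows three RunOnce values being removed (the same SpUninstallCleanUp and SpUninstallDeleteDir entries that appeared as O4 RunOnce lines in the HijackThis list) and one Internet Explorer SearchScopes key being deleted outright; nothing is set, which is what you want to see in a script that claims to be pure cleanup.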

Craig0822 06-18-13 19:20

Re: Heavily Infected, Please help...
 
1 Attachment(s)
Still have "search index", "Search protocol" and "Search Protect" in my running processes; still seem to be pretty infected... at times, very slow, at other times cannot get online at all until I restart.

Kestrel13! 06-19-13 18:19

Re: Heavily Infected, Please help...
 
Please download Junkware Removal Tool to your desktop.
  • Please save the work in your browsers before proceeding.
  • Double-click JRT.exe to run (Vista/7 right-click and select Run as Administrator)
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please attach JRT.txt to your next message. (See: HOW TO: Attach Items To Your Post )

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.

Any better?

Craig0822 06-21-13 12:30

Re: Heavily Infected, Please help...
 
2 Attachment(s)
Thanks so much. Running a lot better so far. Here's the logs; "SearchIndex" still under my processes... uses a lot of cpu and restarts itself if I manually stop it. Any ideas?

Kestrel13! 06-22-13 09:10

Re: Heavily Infected, Please help...
 
Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={4A40D90A-CA0A-11E2-8D1A-ECA86B913001}
  • R3 - URLSearchHook: (no name) - - (no file)
  • O3 - Toolbar: SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
  • O4 - HKLM\..\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
  • O4 - HKLM\..\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe
  • O4 - HKCU\..\Run: [SearchProtect] C:\Users\tonyndonna\AppData\Roaming\SearchProtect\bin\cltmng.exe
  • O23 - Service: Updater By SweetPacks - Unknown owner - C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe
After clicking Fix exit HJT.



We need to run an OTL Fix
  • Right-click OTL.exe and select "Run as administrator" to run it. If Windows UAC prompts you, please allow it.
  • Copy and paste the following code into the textbox. Do not include the word Code

Code:

:otl
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

:commands
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.


Delete these if you see them:
  • C:\Program Files (x86)\SweetIM
  • C:\Program Files\Updater By SweetPacks
  • C:\Users\tonyndonna\AppData\Roaming\SearchProtect

  • Does TDSSKiller run now?
  • Describe how things are running.
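
The HijackThis lines the helper keeps asking to be fixed each map to a specific hijack or persistence point: R0 is the Internet Explorer start/search page, R3 a URLSearchHook, O2 a Browser Helper Object, O3 an IE toolbar, O4 a Run/RunOnce autostart entry, O6 an IE restriction policy and O23 a Windows service. The parser below is an added example, not HijackThis, OTL or MajorGeeks code: it reads HJT item lines, labels each by that mapping, pulls out the file path, URL and (for O2/O3) the CLSID, and flags entries whose path or URL falls under the folders and domain named in this thread (SearchProtect, SweetIM, SweetPacks). The marker list and the sample lines are taken from the posts above; the kind labels follow the published HijackThis section codes.

```python
import re

# Constructed sample: the HijackThis lines the helper asked to be fixed in the
# post above, reproduced verbatim (the username and GUIDs are the thread's own).
SAMPLE_HJT = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={4A40D90A-CA0A-11E2-8D1A-ECA86B913001}
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
O4 - HKLM\..\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe
O4 - HKCU\..\Run: [SearchProtect] C:\Users\tonyndonna\AppData\Roaming\SearchProtect\bin\cltmng.exe
O23 - Service: Updater By SweetPacks - Unknown owner - C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe
""".strip().splitlines()

# What each HijackThis section code means as a hijack / persistence point.
KINDS = {
    "R0": "IE start/search page",
    "R1": "IE search settings",
    "R3": "IE URLSearchHook",
    "O2": "Browser Helper Object (BHO)",
    "O3": "IE toolbar",
    "O4": "Run/RunOnce autostart",
    "O6": "IE restriction policy",
    "O23": "Windows service",
}

# Lower-case substrings taken from the folders/domain the helper said to remove.
MARKERS = ("searchprotect", "sweetim", "sweetpacks")

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# A Windows path up to the first .exe/.dll; spaces in "Program Files (x86)" are allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I)
URL_RE = re.compile(r"https?://\S+")


def parse_hjt(lines):
    """Turn HijackThis item lines into dicts; non-item lines are skipped."""
    entries = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # log header, blank line, etc.
        code, body = m.group("code"), m.group("body")
        path = PATH_RE.search(body)
        url = URL_RE.search(body)
        # Only BHO and toolbar lines carry a component CLSID worth recording.
        clsid = CLSID_RE.search(body) if code in ("O2", "O3") else None
        entries.append({
            "code": code,
            "kind": KINDS.get(code, "other"),
            "path": path.group(0) if path else None,
            "url": url.group(0) if url else None,
            "clsid": clsid.group(0) if clsid else None,
            "raw": raw,
        })
    return entries


def flag_entries(entries, markers=MARKERS):
    """Return entries whose path or URL mentions one of the known-unwanted markers."""
    flagged = []
    for e in entries:
        haystack = " ".join(v for v in (e["path"], e["url"]) if v).lower()
        if any(mk in haystack for mk in markers):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_HJT):
        mark = "FLAG" if e in flag_entries([e]) else "    "
        print(f"{mark} {e['code']:<4} {e['kind']:<28} {e['path'] or e['url'] or ''}")
```

Against the sample, five of the seven lines are flagged: the start page pointing at start.sweetpacks.com, the SweetIM toolbar DLL, both SearchProtect cltmng.exe autostarts (one per-machine under HKLM, one per-user under HKCU, which is why a single uninstall often leaves one behind) and the SweetPacks updater service. The Wondershare Run entry and the empty URLSearchHook are listed but not flagged, since the marker list is deliberately limited to what the thread identifies.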

