MajorGeeks Support Forums

MajorGeeks Support Forums (http://forums.majorgeeks.com/index.php)
-   Malware Removal (http://forums.majorgeeks.com/forumdisplay.php?f=35)
-   -   Malware infection - help please - logs included (http://forums.majorgeeks.com/showthread.php?t=284080)

Basil the Fox 02-21-14 06:35

Malware infection - help please - logs included
 
5 Attachment(s)
Hello,

A colleague in my office has somehow infected his PC with a browser redirecter "feed.helperbar" as well as "Optimizer pro".

I have followed the instructions in your malware removal guide including emptying cache, using CCleaner etc, and then followed the scans, recording the logs which I've attached.
  • Malwarebytes seemed to remove quite a lot of the offending material.
  • Hitman Pro picked up lots more infected files which MWB seemed to miss. As instructed, I haven't removed any infected files using this program.
  • Kaspersky's program found no results and didn't give me a log to attach.

The feed.helperbar doesn't seem to be affecting the browser any more, however I can still see a listing for Optimizer pro in the Uninstall programs list along with a shortcut. I'm not confident that this PC is clean right now.

Logs are attached for your perusal.

I hope you guys can help and advise.

Kestrel13! 02-21-14 14:23

Re: Malware infection - help please - logs included
 
Hi there. :)

Are you deliberately set up to use a proxy?

Basil the Fox 02-24-14 03:22

Re: Malware infection - help please - logs included
 
Hi. :)

No we're not deliberately set-up to use a proxy.

However, I am using Google's DNS server on that machine: 8.8.8.8 and 8.8.4.4.

Basil the Fox 02-24-14 07:04

Re: Malware infection - help please - logs included
 
I have to admit, I'm getting a bit of an itchy trigger finger with Hitman Pro, if I let Hitman do its thing, will that affect any possible solutions?

Kestrel13! 02-24-14 15:16

Re: Malware infection - help please - logs included
 
Hi there :)

Optimizer Pro v3.2
<<< Uninstall this.

Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these 3 detections:
  • [RUN][SUSP PATH] HKCU\[...]\Run : Browser Infrastructure Helper (C:\Users\pmc telecom\AppData\Local\Smartbar\Application\Smartbar.exe startup [7][x]) -> FOUND
  • [RUN][SUSP PATH] HKUS\S-1-5-21-1181397642-3544793409-3064858191-1000\[...]\Run : Browser Infrastructure Helper (C:\Users\pmc telecom\AppData\Local\Smartbar\Application\Smartbar.exe startup [7][x]) -> FOUND
  • [PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer ( [Country: UNITED KINGDOM (GB), City: (Unknown city)]) -> FOUND
  • [V2][SUSP PATH] TidyNetwork Update : C:\Users\pmc telecom\AppData\Local\TidyNetwork\petnupdate.exe - CID=TRUK07 NAME="TidyNetwork" AUTOGUID={44B68756-28FD-336E-DF49-430E83B49FDC} [-][x][x][x] -> FOUND

Place a checkmark next to each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.

Re run Hitman Pro and have it delete all of the Potential Unwanted Programs that it finds.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Attach JRT.txt to your next message.

Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows 7 or Win 8.) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
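The registry locations RogueKiller flagged above (per-user Run entries pointing into AppData, the Internet Settings ProxyServer value, and the IE SearchScopes key) can be checked without any removal tool. The following read-only PowerShell audit is an added example, not part of the thread or of RogueKiller; the "suspect path" pattern is an assumption chosen to match the Smartbar and TidyNetwork locations reported here. Note that DNS server addresses (such as 8.8.8.8) are stored in the TCP/IP interface settings, not in the Internet Settings key this script reads.

```powershell
# Added example (not from the thread): read-only audit of the registry locations
# flagged in the RogueKiller report above. It reports and deletes nothing.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: autostarts living under a user profile (AppData, Temp) are worth a look,
# since Smartbar.exe and petnupdate.exe were both under AppData\Local.
$suspectPathPattern = '(?i)\\AppData\\(Local|Roaming)\\|\\Temp\\'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        $flag = if ($p.Value -match $suspectPathPattern) { 'SUSP PATH' } else { 'ok' }
        '{0,-9} {1} : {2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

# WinINet proxy settings for the current user: the key RogueKiller reported as [PROXY IE][PUM].
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet
"ProxyEnable   = $($proxy.ProxyEnable)"
"ProxyServer   = $($proxy.ProxyServer)"
"AutoConfigURL = $($proxy.AutoConfigURL)"
if ($proxy.ProxyEnable -eq 1 -or $proxy.ProxyServer -or $proxy.AutoConfigURL) {
    'PROXY: a proxy server or PAC file is configured for this user; confirm it is intentional.'
} else {
    'PROXY: no proxy configured for this user.'
}

# IE search providers: the fixME.reg above removed one SearchScopes GUID subkey.
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    Get-ChildItem -Path $scopes | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath
        'SearchScope {0} DisplayName={1} URL={2}' -f $_.PSChildName, $s.DisplayName, $s.URL
    }
}
```

Run it in the affected user's session, since the HKCU values are per user; compare the SearchScopes URLs against the providers the user actually chose.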

Basil the Fox 02-25-14 05:18

Re: Malware infection - help please - logs included
 
4 Attachment(s)
Hello, thank you so much for your detailed response.

I'll list below the instructions I've followed and my results with each bit.

Optimizer Pro - The first thing I did was to try and uninstall using the windows uninstaller - there was a file missing which wouldn't let me complete this. I launched msconfig and disabled any Optimizer Pro processes and startup items, rebooted, then used Revo to uninstall Optimizer Pro completely.

Rogue Killer - After the initial scan, I could only find two items you listed
  • [PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer ( [Country: UNITED KINGDOM (GB), City: (Unknown city)]) -> FOUND
  • [V2][SUSP PATH] TidyNetwork Update : C:\Users\pmc telecom\AppData\Local\TidyNetwork\petnupdate.exe - CID=TRUK07 NAME="TidyNetwork" AUTOGUID={44B68756-28FD-336E-DF49-430E83B49FDC} [-][x][x][x] -> FOUND

I checked and removed the bottom reg entry leaving all others intact. I went back to the proxies tab to remove the Proxy entry and Rogue Killer wouldn't allow me to delete this. I rescanned, clicked the Proxies tab, selected the Proxy then clicked "delete", not realising that all the registry entries that were picked up were now checked. In short, I've now deleted ALL registry entries that Rogue Killer had picked up. I have included the latest log for you... for what it's worth, but it's now showing as empty. I do have the previous scan logs stored if you would like to see them?

Hitman Pro - Found traces of some bits & pieces. I removed them all. Log attached for completion.

Junkware Removal Tool - Log attached.

RegKey
Quote:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]
Successfully added.

MGTools - Log attached

After posting this, I'm going to reboot this PC and see how things go. I will report back with an update in a following post.

Basil the Fox 02-25-14 08:34

Re: Malware infection - help please - logs included
 
Everything seems okay now. No popups, or browser redirects seem to remain. Optimizer Pro has gone. PC seems to be running smoothly.

Would appreciate feedback from the logs, though.

Again, thank you so much for the help! :)

Kestrel13! 02-25-14 17:40

Re: Malware infection - help please - logs included
 
Rescan with RogueKiller one more time and attach the fresh log for me to check please. :)

Basil the Fox 02-26-14 10:51

Re: Malware infection - help please - logs included
 
1 Attachment(s)
Sure. Here you go!

The registry elements it's found are the ones I thought I'd accidentally deleted in my previous post.

Kestrel13! 02-26-14 11:25

Re: Malware infection - help please - logs included
 
It's still detecting this proxy. Is this due to Google's DNS server set up?

Quote:

[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer ( [Country: UNITED KINGDOM (GB), City: (Unknown city)]) -> FOUND

Basil the Fox 02-27-14 03:33

Re: Malware infection - help please - logs included
 
Quote:

Originally Posted by Kestrel13! (Post 1862314)
It's still detecting this proxy. Is this due to Google's DNS server set up?

I think so. I double checked the DNS set-up and nothing was out of place, the PC is still using Google's DNS settings. User hasn't reported any further problems.

Kestrel13! 02-27-14 12:18

Re: Malware infection - help please - logs included
 
Excellent. :)

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
  2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
  3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
  4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  7. After doing the above, you should work through the below link:

Basil the Fox 03-03-14 07:40

Re: Malware infection - help please - logs included
 
Thank you Kestrel, you've been awesome!

:cool

Kestrel13! 03-03-14 10:51

Re: Malware infection - help please - logs included
 
You're most welcome. :) Safe surfing!
