suspected hijacking on PC-1

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by agram, Oct 22, 2014.

  1. agram

    agram Private E-2

    Hi, attached are the requested logs except, possibly most important, the MGTools logs. I have turned off UAC, turned off Avast AV, and rebooted. The only things inside my MGTools folder in my root folder on C: are Temp, filelog and scantime!!! Running W7 64 bit.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you please try and run MGTools in safe mode.
     
  3. agram

    agram Private E-2

    Thanks, "safe mode" did the trick. Here's mglogs.zip attached.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Nope, almost empty bar one text file. Let's try one more time before we switch to another tool...

    Please click Start, Run, and enter cmd. Cmd.exe will pop up, right click it to run it. This will open a command prompt window. Enter the below commands at the command prompt, each followed by the enter key. The part before the arrow is the command; the text after the arrow is merely informational.

    • cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    • nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    • SN64 <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.

    Attach the MGlogs.zip
     
  5. agram

    agram Private E-2

    nwktst prompt appears to run fine. At the end it states "Compressing nwktst.txt log file
    Finished with NwkTst.bat"
    Then gave me back the C:\MGTools> prompt. I entered GRK64 and hit enter.
    Came back
    GRK64.bat - 10/26/2013 Version 0.50

    Note: Ignore any error messages about not finding registry keys! Just wait for the program to finish running!!

    64 bit Windows OS found

    .....and that's as far as it goes?....seems like it never ran and did not leave me a command prompt to enter your third requested command
     
  6. agram

    agram Private E-2

    OK, just ran command prompt again, running each command. GRK64 explained in previous message. Then I went back to a blank command prompt and was able to run SN64, so I ran all three requested prompts and attached is MGlogs zip with more files.
     


  7. agram

    agram Private E-2

    Also, here's a HijackThis log
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Give CCleaner a run (not the reg scanner), just the cleaner itself, to be rid of a chunk of temp files.

    Re-run Hitman Pro and have it remove what it finds.

    Then explain how things are running.
     
  9. agram

    agram Private E-2

    Did as you requested....found it hard to believe that Hitman found over twenty items, some Trojans, that Avast and Malwarebytes didn't!!!

    Seems less clunky (a bit), but my concern was how fast HUGE chunks of system temp files built up! (new behavior ...telling me I was running out of space on disk C) That's why I originally requested help when my usual antivirus (Avast) found nothing. I haven't restarted Avast yet, but that gave me another concern when its little icon in the sys tray kept spinning all night long when I was doing NOTHING. That spinning icon indicated that something was running in the background...new behavior ....bad, slowing things down.
     
  10. agram

    agram Private E-2

    Oh yeah, I have not restarted Avast or reset any of the other pre-directed settings, awaiting your further instructions.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go into this folder:

    C:\Users\Big Blue\AppData\Local\Temp

    Edit, select all > delete as much as it will let you. Then restart your antivirus, yes indeed, and let me know if it complains about anything.
     
  12. agram

    agram Private E-2

    I cleared as much of that temp folder as it allowed, turned on AV, re-enabled the disk emulator, toggled system restore off and on with a reboot in the middle....all APPEARS to be calm, normal and working fine...anything else?
     
  13. agram

    agram Private E-2

    Nope something running in the background again!!!!!...no windows updates!!!
     
  14. agram

    agram Private E-2

    Suddenly the Avast icon started spinning in the systray indicating some "background" operation and AV quickly gave me "threat has been detected" warnings....attached are a few....I never went to these sites, YIKES. I just got four more "threat has been detected" warnings....Help....attached are two of the warnings....coming so fast I couldn't capture an image of them all.
     


  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Avast just seems to be doing its job.
    Windows Updates not working might be topic for the software forum.

    Do this:

    Now please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  16. agram

    agram Private E-2

    Perhaps I was not clear....I'm not having probs with W7 updates...just letting you know that was not running in the background. What I meant (knowing Avast is doing its job) is I never saw so many warnings and blocks coming so fast. Said the PC was going to rogue websites (Avast deems dangerous) that I've never been to....suspect some infection trying to go to these websites in the background...here's the OTL log
     


  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I need the OTL.txt as well please!! :)
     
  18. agram

    agram Private E-2

    Here's OTL
     

    Attached Files: OTL.Txt (281.6 KB, 1 view)
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have two antivirus installed!! Before we continue you must uninstall one of them! I should have picked up on this earlier.

    • avast! Free Antivirus
    • AVG 2013


    We need to run an OTL Fix

    • Right-click OTL.exe to run it. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code

    Code:
    :otl
    IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2440}: "URL" = http://isearch.fantastigames.com/web?src=ieb&gct=ds&appid=100&systemid=440&q={searchTerms}
    IE - HKU\S-1-5-21-199422084-1554134321-2406980904-1001\..\SearchScopes\{13E666FC-EEF7-47E2-9154-D2586F7290A5}: "URL" = http://isearch.shopathome.com?user_id={E1157A10-5F96-4F7E-8ED2-58AFC894B03A}&q={searchTerms}
    
    
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

    Go to this folder, once inside > select all and delete what you can of the temp files.
    C:\Users\Big Blue\AppData\Local\Temp


    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
     
    Last edited: Oct 25, 2014
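    The two SearchScopes lines in the OTL fix above are Internet Explorer search-provider entries whose URLs point at third-party search sites. The script below is an added example, not from this thread and not OTL's own code: it lists every SearchScopes entry in HKLM (native and Wow6432Node views) and in each loaded user hive, marks which one IE currently uses as its default, and flags any URL whose host is not on an allow-list. The allow-list contents are an assumption to edit for the providers you expect; the script assumes PowerShell 3.0 or later and deletes nothing.

    ```powershell
    # Added example, not from the thread: audit Internet Explorer SearchScopes for
    # hijacked search URLs like the two the OTL fix above removes. It reads HKLM
    # (native and Wow6432Node) and every loaded user hive, then flags any URL whose
    # host is not on the allow-list. The allow-list is an assumption; adjust it to
    # the search providers you expect. Nothing is deleted by this script.

    $AllowedHosts = @('www.bing.com', 'www.google.com')   # assumed "known good" hosts

    $Roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
    )

    # HKEY_USERS has no drive by default; map it so per-user hives can be read.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # Real user SIDs only (S-1-5-21-...), skipping *_Classes hives and built-in accounts.
    foreach ($hive in (Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
                       Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' })) {
        $Roots += "HKU:\$($hive.PSChildName)\Software\Microsoft\Internet Explorer\SearchScopes"
    }

    function Get-SearchScopeFindings {
        param([string[]]$Paths, [string[]]$Allowed)
        foreach ($root in $Paths) {
            if (-not (Test-Path -Path $root)) { continue }
            # DefaultScope holds the GUID of the provider IE actually searches with.
            $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
            foreach ($scope in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
                $url = (Get-ItemProperty -Path $scope.PSPath).URL
                if (-not $url) { continue }
                $hostName = $null
                try { $hostName = ([System.Uri]$url).Host } catch { }   # unparsable URL stays $null
                [pscustomobject]@{
                    Hive       = $root
                    Scope      = $scope.PSChildName
                    IsDefault  = ($scope.PSChildName -eq $default)
                    Host       = $hostName
                    URL        = $url
                    Suspicious = ((-not $hostName) -or ($Allowed -notcontains $hostName))
                }
            }
        }
    }

    Get-SearchScopeFindings -Paths $Roots -Allowed $AllowedHosts |
        Sort-Object -Property Suspicious -Descending |
        Format-Table -Property Suspicious, IsDefault, Scope, Host, URL -AutoSize

    # After reviewing the table, a hijacked scope can be removed from an elevated
    # prompt; -WhatIf previews the change without making it:
    #   Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{GUID}' -Recurse -WhatIf
    ```

    Run it from an elevated prompt so the HKLM views and other users' hives are readable. A scope whose host is flagged and that is also the DefaultScope is the one that actually redirects the address-bar searches; that is the pattern the OTL fix above targets.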
  20. agram

    agram Private E-2

    I do not find AVG anywhere....I dumped AVG over a year ago for Avast....task mgr shows me only running Avast????
    OTL with the command you gave me didn't work! It "takes in" the :OTL commands and then just sits there dead with the :commands....the PC does nothing, just sits there dead, acts like it's frozen, can't even shut off normally. Had to pull the plug and reboot to send this message to you.
    Computer running very slow/sluggish.
     
  21. agram

    agram Private E-2

    Also your instructions gave no settings checks like last time we ran otl
    Your instructions say click on run fix....then click on image....what image, where?
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    AVG shows clearly in the Newfiles.log and also in GetUnKey.log

    Let's do this:
    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Reboot the machine.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Is avast still alerting?
     
  23. agram

    agram Private E-2

    Did as you stated...Avast still alerting. Here's the new bat file attached
     


  24. agram

    agram Private E-2

    OOOps, forgot: copy/pasted the reg changes you gave me, the registry accepted them and I did reboot before getting you the requested MGlogs run and file
     
  25. agram

    agram Private E-2

    How to remove AVG as it doesn't show in programs in control panel to remove....doesn't show up in search?.....Avast still alerting
     
  26. agram

    agram Private E-2

    MY BAD....here's MGLogs zip file
     


  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I know it doesn't show in control panel, that's why I tried attacking it another way, but the fix didn't seem to work. ;) How do you feel about manually deleting these in the Windows Registry yourself?

    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{21B133D6-5979-47F0-BE1C-F6A6B304693F}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD27BE4B-A261-4F0A-AB5A-476C83EDAED2}
     
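    The three Uninstall keys above are the entries Control Panel reads to build its Programs list, so an orphaned one (product files gone, key left behind) shows up in logs but cannot be uninstalled the normal way. The following script is an added example, not from this thread: it reports what each of the three keys claims to be and whether the uninstaller it points to still exists on disk, then previews removal of the keys with -WhatIf so nothing changes until you remove that switch. The GUIDs are the ones quoted in the post; the sweep at the end goes beyond the post and lists any Uninstall entry whose DisplayName mentions AVG, in case the product registered under a different GUID. It assumes an elevated PowerShell 3.0 or later prompt.

    ```powershell
    # Added example, not from the thread: inspect the three Uninstall keys listed
    # above and report what each claims to be, whether its uninstaller still exists
    # on disk, and then preview their removal with -WhatIf (drop -WhatIf only after
    # you have reviewed the report). Run from an elevated PowerShell 3.0+ prompt.
    # The GUIDs are the ones quoted in the post; the product search at the end goes
    # beyond the post and looks for any Uninstall entry whose name mentions AVG.

    $UninstallKeys = @(
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{21B133D6-5979-47F0-BE1C-F6A6B304693F}',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD27BE4B-A261-4F0A-AB5A-476C83EDAED2}'
    )

    # Pull the executable path out of an UninstallString, which is either quoted
    # ("C:\path\app.exe" /args) or bare (MsiExec.exe /X{GUID}); bare names are
    # resolved against System32.
    function Get-UninstallerPath {
        param([string]$UninstallString)
        if (-not $UninstallString) { return $null }
        $s = $UninstallString.Trim()
        if ($s.StartsWith('"')) {
            $end = $s.IndexOf('"', 1)
            if ($end -gt 1) { return $s.Substring(1, $end - 1) }
            return $null
        }
        $exe = ($s -split '\s+', 2)[0]
        if (-not [System.IO.Path]::IsPathRooted($exe)) {
            $exe = Join-Path -Path $env:SystemRoot -ChildPath "System32\$exe"
        }
        return $exe
    }

    function Get-UninstallKeyReport {
        param([string[]]$Keys)
        foreach ($key in $Keys) {
            $present = Test-Path -Path $key
            $p = if ($present) { Get-ItemProperty -Path $key } else { $null }
            $exe = Get-UninstallerPath -UninstallString $p.UninstallString
            [pscustomobject]@{
                Key               = $key
                Present           = $present
                DisplayName       = $p.DisplayName
                Publisher         = $p.Publisher
                UninstallString   = $p.UninstallString
                # An entry whose uninstaller is gone is an orphan: that is why
                # Control Panel cannot remove it.
                UninstallerExists = [bool]($exe -and (Test-Path -Path $exe))
            }
        }
    }

    Get-UninstallKeyReport -Keys $UninstallKeys | Format-List

    # Broader sweep: every Uninstall entry (32- and 64-bit views) whose DisplayName
    # mentions AVG, in case the product registered under a different GUID.
    $UninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    Get-ChildItem -Path $UninstallRoots -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like '*AVG*' } |
        Select-Object -Property DisplayName, Publisher, DisplayVersion, UninstallString, PSPath |
        Format-List

    # Preview removal of the three keys; remove -WhatIf to actually delete them.
    foreach ($key in $UninstallKeys) {
        if (Test-Path -Path $key) { Remove-Item -Path $key -Recurse -WhatIf }
    }
    ```

    If all three keys report Present = False, the earlier fixME.reg merge already removed them, which matches what the thread goes on to find; if a key is present with UninstallerExists = False, deleting the key is the only way left to clear the stale Control Panel entry.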
  28. agram

    agram Private E-2

    sending you mglogs.zip(1) as well in case ones newer than other
     
  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It did not attach. :(
     
  30. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Also, I want to ask you what you are doing at the time you get these alerts from avast? Are you online or off? If online, what are you doing at the time? What websites are you on? Random, same sort of websites? Have you actually tried running a FULL system scan with avast?
     
  31. agram

    agram Private E-2

    I ran regedit and looked for all three keys you listed and didn't find them to delete.....are you certain they're still there? Is there any way to send you a copy of my registry to confirm they're gone?
     
  32. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK forget that. Address my other questions please. :)
     
  33. agram

    agram Private E-2

    Doing nothing when Avast alerts me. Just have major geeks open awaiting your next response, nothing else....yes I ran a full Avast scan and it comes back no threats
     
  34. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm..

    Please download Combofix to your desktop. Please refer to these instructions prior to running. Attach log once done.
     
  35. agram

    agram Private E-2

    Here's the ComboFix log
     


  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay, now re run RogueKiller and attach log.
     
  37. agram

    agram Private E-2

    Here's the latest RK log
     


  38. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    How are things running?
     
  39. agram

    agram Private E-2

    According to task mgr....CPU usage down to 0-1% at idle, first time in days. Avast icon in systray no longer spinning at idle. I'm afraid to reboot, don't want to reinfect if something's still hidden
     
  40. agram

    agram Private E-2

    Also, are my restore points infected?
     
  41. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, don't be afraid to reboot. Do so and please re run Combofix once more, then attach log.
     
  42. agram

    agram Private E-2

    Newest ComboFix log
     


  43. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Looking good. Want to surf around for a day or so and report back to me? :)
     
  44. agram

    agram Private E-2

    Will do....at this point....THANK YOU SOOOOO MUCH
     
  45. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are very welcome. Hope we've nailed it. :)
     
  46. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And just because I want to be extra safe, run this as well please...

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  47. agram

    agram Private E-2

    Attached per your instructions
     


  48. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Looks good :)

    Delete these if you see them.

    C:\Users\Big Blue\AppData\Roaming\Search Protection
    C:\Users\Big Blue\AppData\Local\CRE

    Let me know.
     
  49. agram

    agram Private E-2

    Hi
    I deleted the two folders you instructed....they are in the recycle bin
     
  50. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
