Sticky Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bananzi, Oct 22, 2014.

  1. bananzi

    bananzi Private E-2

I think I have a case of very stubborn malware. The reason is that, despite many measures I've taken, my computer still behaves badly. The first symptom was that when I started my McAfee program, instead of the usual central command window I got a large, blank, white window. I ran various free anti-malware tools: ESET free online scanner, Malwarebytes, the AV scanners on Trinity Rescue Disk, Avast Rescue Disk scanner. Most found malware despite the fact that the previous AV tools cleaned up what they found. All during this process more symptoms appeared. First two of my three user accounts disappeared. Then the System Event Notification Service stopped and could not be started again. Then Windows Firewall stopped and could not be started again, same with Windows Update. Next my Network disappeared and I could not get on the internet. I tried to create a New Network but could not. I thought McAfee might be infected so I uninstalled it. However I noticed in the task manager that parts of it were still running. So I got McAfee's removal tool, but it gave me the message that I did not have the right permissions to run (even though I was running it in the administrative account where I installed it). Finally I stumbled upon your forum. I followed the instructions in the Malware removal thread and have attached the logs. Malwarebytes found no problems and there seems to have been a problem with MGtools as it did not produce a log. I have attached the other logs.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you sure MGTools did not produce a MGlogs.zip? Have you done a search for it? Where did you run it from? If it really isn't there then you will have to run it fresh from scratch and let me know what happens, if you have any errors, and if it does indeed include a zipped log for us this time or not... :)
     
  3. bananzi

    bananzi Private E-2

    First I'd like to say I'm very grateful for your response.
    As to MGtools, I must have made a mistake before, because when I ran it again I did get the log file. I've appended it.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good evening.

    TelevisionFanatic Toolbar Chrome Extension <<< Uninstall this junk.


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [Suspicious.Path] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce | Installer : C:\windows\TEMP\RarSFX0\FI_PRO_14.3.32.6_ALL.exe --SerialNumber=C311-0271-00005-H2MS-GMUD-HMVY-6R1H -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce | Installer : C:\windows\TEMP\RarSFX0\FI_PRO_14.3.32.6_ALL.exe --SerialNumber=C311-0271-00005-H2MS-GMUD-HMVY-6R1H -> Found
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce | Installer : C:\windows\TEMP\RarSFX0\FI_PRO_14.3.32.6_ALL.exe --SerialNumber=C311-0271-00005-H2MS-GMUD-HMVY-6R1H -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce | Installer : C:\windows\TEMP\RarSFX0\FI_PRO_14.3.32.6_ALL.exe --SerialNumber=C311-0271-00005-H2MS-GMUD-HMVY-6R1H -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for this entry on the Tasks tab please...

    • [Suspicious.Path] Playtopus Updater.job -- C:\Windows\SysWOW64\rundll32.exe (C:\Users\David\AppData\Local\PLAYTO~1\Updater.dll,ProcessRequest) -> Found
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.
    Please download this file to your desktop.

    Dhcp.reg

    • Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the Dhcp.reg file saved to your Desktop and double click it. Allow it to be added to the registry.
    Delete this if you see it:
    • C:\windows\tasks\Playtopus Updater.job
    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    • Re-run RogueKiller (just a scan) and attach that log too.
    • Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
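The two persistence spots RogueKiller flagged above (RunOnce values under HKEY_USERS hives, and a legacy .job file in C:\Windows\Tasks) can be checked read-only with the script below. It is an added example, not code from the thread or from RogueKiller; the path patterns it flags are assumptions chosen to match the entries in this thread, and hits are leads for review, not verdicts.

```powershell
# Added example (not from the thread or from RogueKiller): a read-only triage pass
# over the two persistence locations flagged above. Run elevated; nothing is changed.

# Auto-start command lines living under these paths deserve a second look.
# Some legitimate updaters live in AppData, so treat hits as leads, not verdicts.
$suspiciousPatterns = @('*\Windows\TEMP\*', '*\AppData\Local\*', '*\AppData\Roaming\*')

function Test-SuspiciousPath([string]$Text) {
    foreach ($pat in $suspiciousPatterns) { if ($Text -like $pat) { return $true } }
    return $false
}

# 1. Run/RunOnce values under every loaded user hive, including .DEFAULT and
#    S-1-5-18 (LocalSystem), which is where the FI_PRO installer was persisted.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }   # provider bookkeeping, not values
            if (Test-SuspiciousPath ([string]$p.Value)) {
                [PSCustomObject]@{ Source = "HKU\$($hive.PSChildName)\...\$sub"; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 2. Legacy Task Scheduler 1.0 jobs. The .job format stores the application path and
#    parameters as UTF-16LE strings, so decoding the whole file as UTF-16 and pulling
#    out anything path-shaped shows what each job launches without parsing the header.
foreach ($job in Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue) {
    $text  = [System.Text.Encoding]::Unicode.GetString([System.IO.File]::ReadAllBytes($job.FullName))
    $paths = [regex]::Matches($text, '[A-Za-z]:\\[^\x00"]{3,}') | ForEach-Object { $_.Value }
    $flag  = @($paths | Where-Object { Test-SuspiciousPath $_ }).Count -gt 0
    [PSCustomObject]@{ Source = 'Tasks'; Name = $job.Name; Command = ($paths -join ' ; '); Suspicious = $flag }
}
```

A rundll32 job whose DLL sits under a user's AppData\Local folder, like the Playtopus entry above, shows up with Suspicious set to True.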
     
  5. bananzi

    bananzi Private E-2

    When I ran RogueKiller it reported the first file you mentioned (under the registry tab) as deleted, but reported errors on the next 3. Under the task tab the file you mentioned was reported as already deleted. Strangely, when I went to close the program a message box appeared asking if I was sure I wanted to quit, as no files had been deleted. Not sure what to make of that. The other steps seemed to go smoothly. Still no luck with starting Windows Firewall or connecting to the internet though. Attached are the files you asked for.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    RK deleted all it should have. ;)


    This part takes a long time so do go off and do something else for a bit...

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, check to see if Windows Update is working.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  7. bananzi

    bananzi Private E-2

    After running Windows Repair I noticed that my cable from the computer to the router was unplugged (seemed safer since my firewall was off). I plugged it back in and tried to turn on Windows Update with no success.
    Should I rerun Windows Repair with the network cable plugged in?
    Anyways, I ran GetLogs and have attached the resulting zip file.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Apart from the Windows Update issue, are there any other malware problems? I may have to refer you to software as long as you are not having malware problems.
     
  9. bananzi

    bananzi Private E-2

    I'm not sure if they are caused by a current infection or are leftover problems from an infection we already cured, but there are other problems. Windows Firewall cannot be started. I cannot get my network reestablished, 2 of my user accounts are gone and the System Event Notification Service cannot be started. If there is no malware left, I suppose I can reinstall Windows as an Update. I've read that I will not lose my data that way. Would you recommend that at this point?
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I would say there's no malware that I'm seeing. You look clean. The problems with the operating system should be posted about in the software forum, though. Best of luck.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the below link:
     
  11. bananzi

    bananzi Private E-2

    Ok, will do. I really appreciate the help you gave me, thanks!
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are welcome! Safe surfing! :)
     