Totally Infected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by linuxpowers, Feb 12, 2015.

  1. linuxpowers

    linuxpowers Corporal

    I had this computer brought to me, (for the second time). The user said it had all kinds of issues.

    The first thing I noticed when starting it up and getting logged in was all the Pop-up windows telling me that malware was detected! I wanted to get online to get some scanning software but the only two browsers on this system is Chrome and IE, both of which would not startup!

    Fortunately, I still had MalwareBytes on here from the last clean-up so I ran that as administrator, but even that would not scan! I then ran its tool "Chameleon" and it finally loaded up the interface and ran the scan. I'm attaching that log to this first message just to indicate what I've done before I could even get to the "READ & RUN ME" thread. I'll post those logs on my next post.

    After deleting what MB found and rebooting, I could finally get Chrome to load up but then was hit with redirect after redirect as well as adware all over the pages. At that time, I followed the instructions for "Fixing Google Redirection/Hijacking Problems". It slowed things down a bit but the redirects/adware still continue, and I am finally able to download and run the clean-up procedure. I still can't get Chrome to load up unless I bring up Windows Task Manager and end the processes of those I see that are obviously malware. I need to do that each time I reboot.
     


  2. linuxpowers

    linuxpowers Corporal

    Here are the scan logs from the READ & RUN ME procedure:
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Will have a fix for you shortly. :)
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Reimage Repair <<< Uninstall this garbage.




    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code into the Paste List of Files/Folders to Move window (under the yellow bar). Do not include the word Code.
    Code:
    :Files
    C:\Program Files\Reimage
    C:\ProgramData\Reimage Protector
    C:\Program Files\Reimage\Reimage Protector
    C:\Windows\System32\Tasks\ReimageUpdater
    C:\rei
    C:\ProgramData\Ascentive
    C:\ProgramData\Spyware Clear
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ascentive
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyware Clear
    C:\Program Files (x86)\Ascentive
    C:\Program Files (x86)\PerforMax Cleaner
    C:\Program Files (x86)\Spyware Clear
    
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SpywareClearShield"=-
    "SpywareClearUpdater"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "PerforMax Cleaner"=-
    [-HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52} -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8000;https=127.0.0.1:8000 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8000;https=127.0.0.1:8000 -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    • Re run Hitman Pro and attach log.
    • Same for RogueKiller.
    • Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
     
  5. linuxpowers

    linuxpowers Corporal

    OK, things have settled down quite a bit. Chrome will start up now without any manipulation of mine.

    I'm not a Chrome user so I'm not sure of this browser's behavior but, whenever I see a link, say "Malware Removal", to get to this page, most of the links are written twice, once in all CAPS and then again as intended with just the first letter in CAPS. When I hover over one of these, I get ads popping up for which I must click somewhere else on the page to close it. When I right-click on the link itself so I can open it in another tab, another tab pops up with another web site promising to fix my Windows malware issues. I can go ahead and click on the "Open This Link in Another Tab" and it will open as well, correctly.

    I also see, all over the web pages "AdChoices, SavePath Deals, etc" ads and a bar popping up periodically in the bottom of the browser window that keeps "Waiting....and reloading" different ad sites. I suppose this is to keep the ads changing on the web page itself.

    JUST ADDED: While I was typing this post, a tab opened up with what looked like a JavaScript box stating, "The Page at computer-notify.com says: Suspicious Activity Found on your computer Due to Windows Pop-Up Advertisements and Invasive Links". It wouldn't let me close out the tab or close out the message box. The only way I could get rid of it was to check a box in the error message saying, "Check Here to discontinue conversation with this page" and then clicking on the "Leave This Page" button. Once I did that, the tab and error message closed and I was back here at my post!

    I use FF on my computer with "AdBlock +" and "NoScript" and never see this stuff, so I'm not sure if this is Chrome's normal behavior.

    Sent 5 of the 6 log files as requested; I'll send the MGlogs.zip in the next post!
     


  6. linuxpowers

    linuxpowers Corporal

    MGlogs.zip as requested!
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, this is a much more thorough fix....

    Uninstall the below using Revo Uninstaller.


    • Finally Fast
    • Reimage Repair
    • Spyware Clear
    • Google Chrome
    • Google Toolbar for Internet Explorer
    • Google Update Helper

    Do NOT reinstall Google Chrome or other Google components yet!!!

    Not a malware problem. These are just mouse over ads that popup when your mouse moves over various underlined keywords. Many websites, including Major Geeks, use these as a source of revenue to help offset costs of running a free website and forums like this.



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52} -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8000;https=127.0.0.1:8000 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8000;https=127.0.0.1:8000 -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8000;https=127.0.0.1:8000
    • O4 - HKLM\..\Run: [PerforMax Cleaner] C:\Program Files (x86)\PerforMax Cleaner\PerforMax Cleaner.exe
    • O23 - Service: Reimage Real Time Protector (ReimageRealTimeProtector) - Reimage® - C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe

    After clicking Fix exit HJT.





    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code into the Paste List of Files/Folders to Move window (under the yellow bar). Do not include the word Code.
    Code:
    :Services
    Reimage Real Time Protector
    
    :Files
    C:\Program Files\Reimage
    C:\ProgramData\Ascentive
    C:\ProgramData\Reimage Protector
    C:\ProgramData\SonicFocus
    C:\ProgramData\Spyware Clear
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ascentive
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PerforMax Cleaner.lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spyware Clear
    C:\Program Files (x86)\Ascentive
    C:\Program Files (x86)\PerforMax Cleaner
    C:\Program Files (x86)\Spyware Clear
    C:\Program Files (x86)\WSE_Vosteran
    
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SpywareClearShield"=-
    "SpywareClearUpdater"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "PerforMax Cleaner"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL]
    [-HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}]
    [-HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}]
    [-HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}]
    [-HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}]
    [-HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}]
    [-HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1]
    [-HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine]
    [-HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\REI_AxControl.DLL]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}]
    [-HKLM\SOFTWARE\Microsoft\Tracing\StormWatch_RASAPI32]
    [-HKLM\SOFTWARE\Microsoft\Tracing\StormWatch_RASMANCS]
    [-HKU\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.]
    [-HKU\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\StormWatchApp.exe]
    [-HKU\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}]
    [-HKU\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\PC Optimizer Pro]
    [-HKU\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Reimage]
    
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    • Now rerun Hitman please and attach log.
    • Same for RogueKiller.
    • Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
     
  8. linuxpowers

    linuxpowers Corporal

    OK, here's the new logs:
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Google Update Helper <<< Still shows as installed. :( Can you uninstall it please, or let me know of any difficulties you have. Once done, rescan with Hitman again and attach that log too.
     
  10. linuxpowers

    linuxpowers Corporal

    OK, the only place I could find any reference to Google Update was an executable file located in c:\Program Files (x86)\Google\update\. Also I found it running at Startup and 2 instances in Windows Services, as well as a couple of lines in the Registry. I unchecked it from the Startup list, disabled the 2 instances in Windows Services and then manually deleted the files in the Google update folder. I rebooted, and ran Hitman as requested.

    I hope I did that correctly as I found no instance listed in Revo or any where else!
     


  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good evening.

    I don't understand, Hitman is still showing garbage in Google Chrome when it's not even installed.....


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8000;https=127.0.0.1:8000 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8000;https=127.0.0.1:8000 -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    How do you feel about going into the Windows Registry yourself? These keys will not delete any other way, I'm afraid. (The bold keys at the end need deleting.)

    • HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
    • HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
    • HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
    • HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
    • HKLM\SOFTWARE\Microsoft\Tracing\StormWatch_RASAPI32
    • HKLM\SOFTWARE\Microsoft\Tracing\StormWatch_RASMANCS
    • HKLM\SOFTWARE\Reimage
    • HKU\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\StormWatchApp.exe


    Once all this has been done, please rescan with Hitman yet again and attach log.
    Same for RogueKiller.
     
  12. linuxpowers

    linuxpowers Corporal

    OK, ran RogueKiller and deleted the four indicated entries from the registry tab, rebooted.

    Secondly, I copied all text for the registry in Notepad, saved it as requested, double-clicked on the file and it merged successfully.

    Thirdly, I found each key in the registry that was indicated and deleted those.

    Lastly, ran Hitman and RogueKiller to generate the attached logs.
     


  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am stumped. The proxy will not go. I have requested assistance from colleagues however, I want you to try something... uninstall Farm Frenzy! (Using Revo Uninstaller) Then re run RogueKiller and Hitman again please. Attach logs.
     
  14. linuxpowers

    linuxpowers Corporal

    I ran RevoUninstaller as administrator but I don't see "Farm Frenzy" listed. I also took a look at "Windows and Features" to no avail....both only show "HP Games"!

    Looking further into "Farm Frenzy", I see it is a "Wild Tangent" game bundled together with others and preinstalled on HP computers. I searched through the directories, c:\Program Files (x86)\HP Games\ and found a "Farm Frenzy" folder.

    Looking in this folder I see "Farm Frenzy" does have its own uninstaller.exe inside. I also see a lot of registry items listed for "Wild Tangent" including a key for "Farm Frenzy" uninstall, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WTA-xxxxxxxx-xxxxx-xxxxxxx, but I'm not sure how to get Revo to see the individual program.

    I'm assuming you don't need those logs just yet?

    I did try a search in Revo but it finds nothing until I use the phrase, "HP Games"...it wants to uninstall ALL the HP Games!
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try running its own uninstaller first, file path here:
    • C:\Program Files (x86)\HP Games\Farm Frenzy\uninstall\uninstaller.exe


    If that fails, do this:


    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    And delete this:
    • C:\Program Files (x86)\HP Games\Farm Frenzy

    Then re run RogueKiller and attach log.
     
  16. linuxpowers

    linuxpowers Corporal

    Ran the Farm Frenzy Uninstaller, received message that it was completely removed. Also received a Runtime Error message:

    Once I clicked on OK, I received another message:

    With this message I clicked on the "Cancel" button.

    Since it appears Farm Frenzy did NOT uninstall, I completed the REGEDIT4 merge with a successful merge. Deleted the "Farm Frenzy" folder and ran RogueKiller...log will be attached to next post. (I'm following this thread mostly on my own computer. Trying not to use the computer in question's browser too often.)
     
  17. linuxpowers

    linuxpowers Corporal

    RogueKiller log as requested:
     


  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download Combofix to your desktop. Please refer to these instructions prior to running. Attach log once done.
     
  19. linuxpowers

    linuxpowers Corporal

    ComboFix Log!
     


  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have two anti-virus programs installed.

    Norton 360 and Microsoft Security Essentials. One must be removed NOW before we continue.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DDS::
    uInternet Settings,ProxyOverride = <-loopback>
    uInternet Settings,ProxyServer = http=127.0.0.1:8000;https=127.0.0.1:8000
    
    Driver::
    SC_Svc
    sp_rsdrv2
    
    Folder::
    c:\users\cdancy57\AppData\Roaming\Spyware Clear
    C:\4f42fc98-6c94-4b42-b945-45ee2180f91c
    C:\c1e0f2c6-85d2-4a2d-afd8-bbadd42fe95f
    c:\program files (x86)\Spyware Clear
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.




    Now re run RogueKiller again and attach log.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  21. linuxpowers

    linuxpowers Corporal

    OK, I downloaded the Norton uninstaller from your site and removed Norton 360. I chose that program because it had control of everything and the owner let it expire and wasn't interested in renewing the prescription.

    After that, I rebooted, and then ran ComboFix as instructed...log file attached.

    Then RogueKiller, and finally GetLogs.bat with corresponding logs attached as well.
     


  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

    Note: Make sure you download the correct version for your PC. Only the correct version will work.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  23. linuxpowers

    linuxpowers Corporal

    As requested:
     


  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Reboot the machine...

    Now re run RogueKiller and attach log.
     


  25. linuxpowers

    linuxpowers Corporal

    As requested:
     


  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have had a chat with Chaslang who advises you to uninstall Microsoft Security Essentials as it's probably hindering the fixes we try to implement. Do that NOW before continuing.

    First step, do this:


    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now re run RogueKiller and attach log.

    Re run FRST...

    • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will produce a log called FRST.txt in the same directory the tool is run from.
    • Please copy and paste log back here.
    • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
     
  27. linuxpowers

    linuxpowers Corporal

    Uninstalled MSE! Received success message with merging text to registry, ran RogueKiller and FRST to generate logs attached!
     


  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run RogueKiller once more (ensure there's been a REBOOT since uninstalling MSSE.) Attach log.
     
  29. linuxpowers

    linuxpowers Corporal

    Rebooted then ran RogueKiller as requested!
     


  30. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I don't understand what is the source of this proxy. Will see what Chaslang thinks. Hang in there.
     
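    The setting that keeps coming back in these RogueKiller logs is a per-user WinINET proxy pointing at the local machine (ProxyEnable = 1, ProxyServer = http=127.0.0.1:8000;https=127.0.0.1:8000), which hands the browser's traffic to a local process that can inject ads and redirects. The read-only audit below is an added example written for this thread, not part of the thread or of any tool used in it: it walks every loaded user hive under HKEY_USERS, reports the proxy values, flags any enabled loopback proxy, and then shows which process is listening on the proxy port. It assumes an elevated PowerShell session on the affected machine, Windows 8 or later for Get-NetTCPConnection, and that the affected user's hive is loaded (the user is logged on); the port 8000 default is taken from the log lines above.

```powershell
# Added example: audit per-user WinINET proxy settings and flag loopback proxies.
# Read-only; nothing is changed. Run from an elevated PowerShell session.

function Get-UserProxySettings {
    [CmdletBinding()]
    param()

    if (-not (Test-Path 'Registry::HKEY_USERS')) {
        throw 'HKEY_USERS is not reachable; run from an elevated session.'
    }

    # Only real user SIDs (S-1-5-21-...), skipping *_Classes hives and
    # well-known SIDs. A hive is only present here while that user is logged on.
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
            if (-not (Test-Path $key)) { return }

            $p      = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $server = [string]$p.ProxyServer

            # The pattern from this thread: a proxy whose host is the local machine,
            # i.e. some local process sits between the browser and the internet.
            $loopback = $server -match '(^|=|;)(127\.0\.0\.1|localhost|\[::1\]):\d+'

            [pscustomobject]@{
                Sid           = $sid
                ProxyEnable   = $p.ProxyEnable
                ProxyServer   = $server
                ProxyOverride = $p.ProxyOverride   # e.g. "<-loopback>" as seen in the CFScript
                AutoConfigURL = $p.AutoConfigURL   # a PAC URL can set a proxy without ProxyServer
                LoopbackProxy = [bool]$loopback
                Suspicious    = ($p.ProxyEnable -eq 1 -and $loopback)
            }
        }
}

function Get-LoopbackListeners {
    # Which local process, if any, is actually listening on the proxy port(s)?
    param([int[]]$Ports = @(8000))   # 8000 is the port from this thread's logs

    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                Path         = $proc.Path        # the binary to look at (and to check in Run keys / tasks)
            }
        }
}

$results = Get-UserProxySettings
$results | Format-Table -AutoSize

$bad = @($results | Where-Object Suspicious)
if ($bad.Count -gt 0) {
    # Pull the port numbers out of "http=127.0.0.1:8000;https=127.0.0.1:8000"
    $ports = @($bad.ProxyServer -split ';' |
        ForEach-Object { if ($_ -match ':(\d+)$') { [int]$Matches[1] } } |
        Sort-Object -Unique)
    Write-Warning "Loopback proxy enabled in $($bad.Count) user hive(s); checking port(s) $($ports -join ', ')"
    Get-LoopbackListeners -Ports $ports | Format-Table -AutoSize
} else {
    Write-Host 'No enabled loopback proxy found in any loaded user hive.'
}
```

    If the proxy value is present but nothing is listening on the port, the setting is being re-written by something that runs at logon rather than by a live proxy process, which is the case to check Run keys and scheduled tasks for.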
  31. linuxpowers

    linuxpowers Corporal

    Will do and thanks for all your time and efforts!
     
  32. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    This takes a long time to run but I'm hoping it will help with the proxy....

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Once done rescan with RogueKiller once again and attach log.
     
  33. linuxpowers

    linuxpowers Corporal

    Mmm, I'm sure this is not what you were hoping for!
     


  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have any protection software still installed? If yes, they all need to be uninstalled!!

    Also, do you use any kind of software that attempts to hide your IP address? These commonly will use a proxy server.
     
  35. linuxpowers

    linuxpowers Corporal

    I have Malwarebytes installed but it does not run in the background, only for scanning purposes. Will delete if required!

    I have CCleaner running in background monitoring, also will delete if required.

    I ran CCleaner to generate a couple of txt files for you, one is "Programs Installed" and the other is a list of "Startups".

    Hope this helps!
     


  36. linuxpowers

    linuxpowers Corporal

    Not sure about all the HP stuff! I'm sure the owner probably attempted "Remote" connections through HP!
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the free Malwarebytes is not an issue because it provides no protection. CCleaner is not an issue because it is not a protection program at all.

    I will continue on looking at your logs and post a fix in my next message, but please uninstall Spyware Clear if you see this installed because it is junkware that you should not have on your PC.
     
    Last edited: Feb 24, 2015
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)
    Now run RogueKiller and if you see the below items in the Registry tab, select them and click Delete

    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8000;https=127.0.0.1:8000 -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8000;https=127.0.0.1:8000 -> Found

    If they were there then immediately reboot now before continuing. If not there then just continue.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Please attach the above two logs first before you continue with the below.

    Now I want to double check the status of the above fix by having you run another scan with FRST like in my last message and attach the new FRST.txt. Now also run a new scan with RogueKiller and attach the new log.
     
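    The four [PUM.Proxy] lines quoted above point the user's browser at a proxy on 127.0.0.1:8000, i.e. a process on the same machine sitting between the browser and the network, which is what produces the redirects and injected ads in a case like this. As an added example (not chaslang's, RogueKiller's or MajorGeeks' own code), here is a small Python script that parses RogueKiller registry report lines in the format shown in the post and flags any user hive whose proxy is enabled and points at a loopback address. The input is the four lines from the post plus two constructed lines for a hypothetical second user (placeholder SID S-1-5-21-0-0-0-1001 with a normal proxy at proxy.corp.example:3128) so a non-loopback proxy is reported but not flagged; the line format is assumed from the lines as quoted.

```python
import re
from ipaddress import ip_address

# Sample input: the four [PUM.Proxy] lines RogueKiller reported in the post
# above (same SID), plus two constructed lines for a hypothetical second user
# whose proxy is an ordinary one (SID and host are placeholders).
SAMPLE_LOG = r"""
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8000;https=127.0.0.1:8000 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3034225985-1860448087-2862568129-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8000;https=127.0.0.1:8000 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.corp.example:3128 -> Found
"""

# One RogueKiller registry line, in the shape quoted in the post:
# [Category] (Arch) Key | ValueName : Data -> Status
LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>.+?)\s+\|\s+"
    r"(?P<name>\w+)\s+:\s+(?P<data>.*?)\s+->\s+(?P<status>\w+)\s*$"
)


def parse_proxy_server(data):
    """Split a ProxyServer value into {scheme: (host, port)}.

    Windows accepts 'host:port' (one proxy for every protocol, stored here
    under '*') or 'http=host:port;https=host:port;...'.
    """
    servers = {}
    for part in data.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given
            host, port = hostport, ""
        servers[scheme or "*"] = (host, int(port) if port.isdigit() else None)
    return servers


def is_loopback(host):
    """True for 'localhost' or any loopback IP (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def audit(log_text):
    """Group PUM.Proxy findings per user hive (SID) and flag hives whose proxy
    is enabled and points at a loopback address, i.e. a local interceptor."""
    hives = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["cat"] != "PUM.Proxy":
            continue
        sid = m["key"].split("\\")[1]        # HKEY_USERS\<SID>\Software\...
        hive = hives.setdefault(sid, {"enabled": False, "servers": {}})
        if m["name"] == "ProxyEnable":
            hive["enabled"] = m["data"].strip() == "1"
        elif m["name"] == "ProxyServer":
            hive["servers"].update(parse_proxy_server(m["data"]))
    findings = []
    for sid, hive in hives.items():
        loop = sorted(s for s, (host, _) in hive["servers"].items()
                      if is_loopback(host))
        findings.append({
            "sid": sid,
            "enabled": hive["enabled"],
            "servers": hive["servers"],
            "loopback_schemes": loop,
            "suspicious": hive["enabled"] and bool(loop),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['sid']} enabled={f['enabled']} servers={f['servers']}")
```

    A loopback proxy is only the symptom: the process listening on that port (SPD.exe/PT.exe in this thread) has to be removed as well, otherwise the setting simply comes back after the next reboot, which is why the fix above deletes the registry values only after FRST has dealt with the files.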
  39. linuxpowers

    linuxpowers Corporal

    OK, I ran FRST64 as instructed, disconnected internet connection first, ran program as administrator (with fixlist.txt and FRST64 sitting on the desktop), and clicked on the Fix button. Computer rebooted, and automatically reconnected to the internet.

    Then I ran RogueKiller as instructed and yes, I saw the indicated Registry items mentioned, selected them and clicked on the Delete button. Immediately rebooted and ran GetLogs.bat as administrator.

    Have done nothing else except start up IE to get back to this thread to post the requested log files.

    BTW, I didn't see Spyware Clear listed in any of the installed programs lists. I checked Windows Programs and Features, RevoUninstaller and the list I posted from CCleaner, although I kept seeing it showing up in the logs that were being generated from all the previous scans. And, I was curious about SPD.exe and its child program PT.exe being adware! At one time I even renamed the folder that contained them both, SPD, to SPD_old, rebooted and ran RogueKiller to see if the proxy server was still there! I probably didn't go deep enough because even though these Processes didn't show up in Windows Task Manager, the proxy server was still showing up in RogueKiller. Just a shot!!!
     

    Attached Files:

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But based on your last MGlogs.zip, it appears to be gone now.

    Are you still having any problems? Are you saying that if you run RogueKiller now the proxy is still showing?
     
  41. linuxpowers

    linuxpowers Corporal

    Sorry about that chaslang, I didn't mean to leave the impression that I was referring to anything recent! I just meant earlier on in the cleaning process when I stated, "At one time..".

    No, I haven't done anything else, at this time, other than what you've instructed, not even running RogueKiller again.

    You had additional instructions in your last post that I was waiting to complete:
    Do you still want me to complete these tasks or take another course?
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes please run those two scans and attach the new logs.

    Also tell me whether you are still having problems?
     
  43. linuxpowers

    linuxpowers Corporal

    Ok...ran FRST and RogueKiller again as requested, scan logs attached!

    Everything seems to be running ok. The browser is running good with no redirects and no ads popping up when I hover over any links. Everything has settled down quite a bit.

    The only problem I'm seeing is the DVD player is now not recognizing the media. I see the drive and "Device Manager" is not showing any indications of any errors. The drive itself is working but when I stick in a CD/DVD, and double-click on the drive's icon, I get a message to "Insert A Disc" and it ejects the CD/DVD I have inserted! I'll probably take that to another thread...Hardware or Software.
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You repeated the fix! I needed you to run a new scan. But it does not matter now since RogueKiller looks fine and also you say everything is running okay.

    Yes this is a topic for a different forum. ;)


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  45. linuxpowers

    linuxpowers Corporal

    Ok, finished up the cleaning process, and followed the steps listed! Everything seems to be running just fine.

    I wanted to thank both of you, chaslang and Kestrel13!, for hanging in there and helping me fix these issues. I've been coming here for some time now and decided that it was time for me to give back something instead of always taking, so I made a donation to your site, it won't be the last!

    For anyone else that might be reading this thread, Majorgeeks does a tremendous job at helping anyone with questions and issues about their computers and other electronic devices. They are always there in support and I'm sure they can use some support as well.

    Thanks again for your help and I hope Majorgeeks stays online for a long time!!!

    Linuxpowers
     
  46. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thank you for the very kind comments LinuxPowers. Thank you so much for donating also, this is so generous of you. :) Glad that we have been able to help. Chaslang is a legend. ;)
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. And thanks for the kudos and donation. ;)
     
