Is My Computer Still Infected?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DrumsXO, May 20, 2015.

  1. DrumsXO

    DrumsXO Private E-2

    Hi, everyone. My name's Patrick. :)

    Sunday night into Monday morning I was getting back into Battlefield 4. I hadn't played it in months, but I noticed immediately after playing a few matches that my connection was taking hits; lag spikes. I started diagnosing.

    Along the way, I reset my router to factory, as that's helped me in the past. This time it didn't work, so I decided to try forwarding the ports that Battlefield 4 uses. Doing so in my router's settings didn't appear to work; the ports were still closed when I checked them. So, I started searching for a tool to use.

    During that search, I downloaded a file that was supposed to be a program called "Simple Port Forwarding," but it turned out to be an infection; Malware, Adware or Spyware. I'm not too familiar with the different kinds. When I opened the file to install the program it triggered the rapid installation of an array of PUPs, and removing them triggered even more!

    Using the task manager I was able to close the installers down as they popped up, and combined with unplugging my Ethernet cable, I thought I had removed everything. When I went to log into Facebook to post a reminder to my friends and family about download safety, my password was wrong... So was the password to my email account, my clan's forum, etc.

    I called a friend who knows more about computers than I do and found out that I was in deep. He thinks whatever program was the culprit used my browser cookies to hack my accounts and change the passwords or something. We've worked ever since then to remove the infection, and seem to have succeeded. I want to be sure though, which is why I'm here.

    Here's a summary of the problems I faced:
    1. Opening an executable triggered sporadic PUPs to install themselves.
    2. Every password, to every account of mine, on every website I'd accessed since last clearing my browser history had been changed.
    3. My Internet began to act finicky; it ran slow, sites wouldn't load, I couldn't download anything, etc.
    4. Opera, my web browser, began to run very sluggishly; especially when opening it after it had been closed.
    5. The time from initial login to the time my startup programs finished loading was unusually long; as in 2-3 minutes long.

    Here's a summary of what has been done to fix the problems:
    1. Rebooting the computer.
    2. Rebooting the router.
    3. Running multiple scans with Avast, all of which detected nothing.
    4. Installing and running Malware Bytes multiple times. The first positive scan removed 1,635 threats, after which a system restore was done. The next scan removed 455 threats. All further scans have been negative.
    5. Installing and running AdwCleaner, which removed ~50 threats (give or take some).
    6. Installing and running AVG, which removed a HUGE number of threats, and seems to have cured the infection.
    7. Changing my IP to dynamic from static, then back to static, but with a different number has fixed the problems with my Internet and Opera.
    8. Following the Malware Removal Guide posted on this forum, found here.

    Here's what I did to protect my accounts and information:
    1. Reset my router to factory, then change the login credentials and WiFi password.
    2. Use my mom's uninfected computer to change every password, to every account of mine, on every website I could think of. I've avoided logging into any of them from this, potentially still infected machine since then.

    Basically, I faced some heavy infection. After everything I tried, I still can't believe something as simple as installing and running AVG seems to have been the cure. But, then again, AVG is a top-notch program; apparently more-so than Avast, haha.

    I'm here to try and ensure that the infection has been completely eradicated. I don't want to start logging back into my accounts only to have the new passwords be stolen and the accounts hacked into again. My machine needs a clean bill of health before I feel confident enough to start using my accounts again. That means no Malware, Adware, Spyware, Underwear... :p Hopefully you guys can help me with that!

    Attached to this post will be the logs from the programs I ran while following the Malware Removal Guide posted on this forum. If there's any other information you need, please do let me know! Otherwise, I'll await further instructions on how to proceed if further cleaning is needed.

    Hopefully I'm good to go though! Thanks in advance! :)
     

    Attached Files:

  2. DrumsXO

    DrumsXO Private E-2

    I'm attaching logs from scans I mentioned running while the infection was still raging; Malware Bytes, AdwCleaner and then AVG.

    These were all run BEFORE the programs in this forum's Malware Removal Guide.

    Their purpose is so you can see what I was up against, as it might help you determine if I'm still infected or not. They're attached in the order that they were run.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run Hitman Pro and have it remove the below:

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this detection:

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for these entries on the Host File tab...

    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 anchorfree.net
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 rss2search.com
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 techbrowsing.com
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 box.anchorfree.net
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.mefeedia.com
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 anchorfree.us
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 a433.com
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 rpt.anchorfree.net
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 delivery.anchorfree.us/land.php
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 hsselite.com
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.hsselite.com
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.dvd-cloner.net
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 bandicam.com
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ssl.bandisoft.com


    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Can you see this file?

    • C:\Users\Patrick\AppData\Local???????????????????

    If so delete it.



    Download Cleano 0.61

    Download it to your desktop, Right click the cleano.exe file and run as admin > and place check marks in the boxes as follows (click on link below to see image)

    View attachment 148092
    Click clean now and exit the program.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now re-run Hitman and RogueKiller (just scans) and attach logs from each.
    Describe how things are running.
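    The hosts-file entries listed in the RogueKiller step above are the kind of change a defender should be able to spot without a removal tool. The script below is an added example, not part of this thread and not RogueKiller's code: it parses a Windows-style hosts file and flags three things, names that are sinkholed to 127.0.0.1 or 0.0.0.0 other than the standard localhost names (this is how adware stops other software from reaching its update or licensing servers), names pointed at an address outside the machine and its LAN (a redirect that could send a login page somewhere else), and entries that are not valid hostnames at all (the `delivery.anchorfree.us/land.php` line contains a path, so a resolver never matches it). The sample hosts content is constructed for the example; it reuses domains from the post and adds a LAN entry and a redirect entry that are my own. The `LAN_NETWORKS` allowlist and the `Finding` kinds are assumptions of this example.

```python
import ipaddress
import re
import sys
from dataclasses import dataclass

# Names that a default hosts file legitimately maps to loopback (assumed allowlist).
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# Addresses a user would plausibly map a LAN name to; anything else that is not
# loopback/unspecified is reported as a redirect (assumed policy of this example).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]

# RFC 1123 hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed sample: the comment lines of a stock Windows hosts file, one
# constructed LAN entry, several domains from the RogueKiller list in this
# thread, and one constructed redirect entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1       localhost
::1             localhost
192.168.1.20    nas.home                        # constructed LAN entry, left alone
127.0.0.1       anchorfree.net
127.0.0.1       rss2search.com
127.0.0.1       www.mefeedia.com
127.0.0.1       delivery.anchorfree.us/land.php
0.0.0.0         ssl.bandisoft.com
203.0.113.10    login.example.com               # constructed: redirects a login page
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    ip: str
    name: str
    kind: str  # "blackhole" | "redirect" | "malformed" | "bad_ip"


def parse_hosts(text):
    """Yield (line_no, ip_text, [names]) for every effective line.

    Inline '#' comments are stripped the way the resolver ignores them."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        yield line_no, fields[0], fields[1:]


def is_lan(ip):
    return any(ip in net for net in LAN_NETWORKS)


def audit_hosts(text):
    """Return the list of suspicious entries found in hosts-file text."""
    findings = []
    for line_no, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(Finding(line_no, ip_text, " ".join(names), "bad_ip"))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if not HOSTNAME_RE.match(name):
                findings.append(Finding(line_no, ip_text, name, "malformed"))
            elif sinkhole and name.lower() not in BENIGN_LOOPBACK_NAMES:
                findings.append(Finding(line_no, ip_text, name, "blackhole"))
            elif not sinkhole and not is_lan(ip):
                findings.append(Finding(line_no, ip_text, name, "redirect"))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) to audit a real
    # file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f.line_no:>3}  {f.kind:<9}  {f.ip:<15} {f.name}")
```

On the sample this reports four blackholed names, one malformed entry and one redirect, and leaves the localhost and LAN lines alone. A clean Windows hosts file normally contains nothing but the commented stock lines, so any finding at all on a home machine deserves a look; RogueKiller's "Host File" tab is doing the same comparison.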
     
  4. DrumsXO

    DrumsXO Private E-2

    Thanks, Kestrel. I've completed the steps that you asked me to.

    I didn't have any issues completing them, and the logs that you've requested from the processes will be attached to this post.

    My system seems to be running well, but I noticed something odd earlier. My Internet was working fine, but then I put my PC to sleep before I started watching Netflix. When I came back to it, my Internet was acting up again. Disabling and enabling my Ethernet controller fixed it though. Weird!

    Here's the solution I put into play:

    1. Created a batch file that waits 5 seconds on start, disables the Ethernet controller, waits 5 seconds, then enables it again.
    2. Downloaded the Windows 7 Suspend/Resume Control program and set it to run that same batch file on resuming from sleep.

    It's not an ideal fix, but it works. I'm not sure why I need to do this to get my connection working properly. Perhaps my Ethernet controller is going?

    Other than that, I haven't noticed any issues; everything seems to be running well. I'm just trying to ensure all threats are removed before I resume normal use of my machine. It's a good thing I followed the Malware Removal Guide and posted here too, because there were more threats!

    Let me know if there are any new steps that need to be taken, or if my machine gets a clean bill of health! :)
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Logs look great. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    8. After doing the above, you should work through the below link:
     
  6. DrumsXO

    DrumsXO Private E-2

    Thanks, Kestrel. :)

    I don't know if there are any more problems, but I assume that since you don't notice anything else based on the logs, then I'm probably in the clear! Whew! :D

    I've just completed going through the final steps you listed out, as well as following all of the steps in "How to Protect Yourself from Malware." Since my machine now has a clean bill of health, I'll be using my backup program (EaseUS Todo Backup) to create an emergency disk. Then I'll be backing up my drives in their entirety to my external HDD. :)

    Thanks again, Kestrel! You, and this forum (and also my friend Nate who I mentioned in my original post) saved me from having to reinstall my OS! :)
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome. :) I gave final steps because the logs looked great and you said:

     
  8. DrumsXO

    DrumsXO Private E-2

    Yeah, it seems to be running great! I ran into a minor annoyance with Comodo Firewall in that it was blocking Logitech SetPointII from running its processes, which made the key bindings on my mouse not work. It was easy enough to fix though; I just created exceptions for all of the associated executables and now there's no issue.

    Honestly, as much of a hassle as this infection was, I think the good thing that came out of it is that now my system is more protected than it's ever been. :D

    Thanks again; to you, and everyone who helps / helped create and maintain those guides. :)
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Absolutely no problem, safe surfing! :)
     
