Various adware & malware symptoms

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sirilion, Mar 15, 2015.

Thread Status:
Not open for further replies.
  1. sirilion

    sirilion Private E-2

    Hi,

    Being reasonably IT literate I always get family members asking for help. My brother dumped his laptop over to have a look at as he was getting loads of ad pop ups when using the laptop.

    In the short time I used it I found it to be unusable. Coupon popups down the sides, System Performance program starting at every boot, browsing websites & clicking on a page would open a new ad tab etc etc.

    I've run through the READ & RUN ME FIRST & while the ads, so far, have seemingly disappeared it looks like a lot of stuff was found in programs where logs were collected in the READ & RUN ME FIRST but no action taken.

    So I'm reasonably certain there is still stuff to clean.

    At the moment launching Programs and Features in Control Panel thinks for ages & then hangs with the progress bar incomplete. The system then needed powering off after a fair while as it wasn't responding to input.

    In general the laptop is very sluggish & non-responsive (I appreciate this is not necessarily a sign of malware).

    Before uploading I looked through the logs. The Malwarebytes log looks clean, but it reported a heap of detections on the screen (which were quarantined) before I exported the logs; not sure if this is normal or not.

    Please find attached the associated logs & thanks very much in advance for any assistance. (I had to compress the Hitman log as it exceeded file size limits)
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    Java 7 Update 25
    Mobogenie


    Now install the current version of Sun Java from:
    Make sure that when you install the new version of Java you uncheck the Install the Ask Toolbar junkware checkbox. Also, if it asks whether you want to install McAfee Security Scan Plus, uncheck this too. You do not need to add these unnecessary items to your PC. Also, just in case Oracle changes the Java installation in the future to possibly install other junk, uncheck all but just installing Java.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\ProgramData\11627774501959534826UL
    C:\ProgramData\4c0f6683-2f83-421e-8410-9d669d28d41d
    C:\ProgramData\deal44mE
    C:\ProgramData\IcoValiaD
    C:\Program Files (x86)\SearchProtect
    C:\Program Files (x86)\Conduit
    C:\ProgramData\Conduit
    C:\Users\Pashlee\AppData\LocalLow\Conduit
    C:\Program Files (x86)\Mobogenie
    C:\Program Files (x86)\MyPC Backup
    C:\Program Files (x86)\Optimizer Pro
    C:\Program Files (x86)\Speed Test
    C:\Program Files (x86)\PortalMore
    C:\ProgramData\blekko toolbar
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced-System Protector
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Optimizer Pro v3.2
    C:\ProgramData\Systweak
    C:\Users\Pashlee\AppData\Local\Conduit
    C:\Users\Pashlee\AppData\Local\Mobogenie
    C:\Users\Pashlee\AppData\Roaming\Optimizer Pro
    C:\Users\Pashlee\AppData\Roaming\Performersoft
    C:\Users\Pashlee\AppData\Roaming\Uniblue
    C:\Users\Pashlee\Desktop\Speed Test.lnk
    C:\Users\Pashlee\Desktop\Sync Folder.lnk
    C:\Users\wangzhisong\AppData\Local\Mobogenie
    C:\Windows\System32\Tasks\LaunchSignup
    C:\Users\Pashlee\AppData\Local\Temp\*.*
     
    :Reg
    [-HKEY_CLASSES_ROOT\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}]
    [-HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}]
    [-HKEY_CLASSES_ROOT\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B084C86-9657-42F9-A5E5-AC8DD832CDE9}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1B084C86-9657-42F9-A5E5-AC8DD832CDE9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\AddonsFramework.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BackgroundHost.EXE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ButtonSite.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ScriptHost.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{562B9316-C08A-444A-9482-62080DD851AE}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{562B9317-C08A-444A-9482-62080DD851AE}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0416BDB0-AFB0-4464-952D-1EAB5047B8E6}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F97FDF1-DA2B-4579-AD3E-E46641F9DBAB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A220BAB5-C335-48BA-8A01-309FDA37446F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{915BB7D5-082E-3B91-B1E0-45B5FDE01F24}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\speedupmypc]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C7405EEB-2E16-40FE-9E27-1F48CAAB15E1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command\Advanced System Protector.bak]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command\Advanced System Protector.bak]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\AddonsFramework.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\BackgroundHost.EXE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\ButtonSite.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\ScriptHost.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{562B9316-C08A-444A-9482-62080DD851AE}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{562B9317-C08A-444A-9482-62080DD851AE}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0416BDB0-AFB0-4464-952D-1EAB5047B8E6}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F97FDF1-DA2B-4579-AD3E-E46641F9DBAB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A220BAB5-C335-48BA-8A01-309FDA37446F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{C7405EEB-2E16-40FE-9E27-1F48CAAB15E1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62155D33-3CE2-401E-8967-5A270628A3D5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchSignup]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PC Performer Logon Scan]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PC Performer Scheduled Scan]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Mobogenie.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62155D33-3CE2-401E-8967-5A270628A3D5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdvancedSystemProtector_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\AdvancedSystemProtector_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\BackgroundHost_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\BackgroundHost_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dsrlte_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dsrlte_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dsrsetup_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\dsrsetup_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\OptimizerPro_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\OptimizerPro_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\OptProStart_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\OptProStart_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCPerformer_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\PCPerformer_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegCleanPro_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\RegCleanPro_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\systweakasp_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\systweakasp_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\Mobogenie.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mobilegeni daemon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mobogenie]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Systweak]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\BackupStack]
    [-HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-19\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-20\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000\Software\AppDataLow\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000\Software\AppDataLow\Software\Smartbar]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000\Software\Classes\keepmysearch]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SnapDo.exe]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000\Software\Optimizer Pro]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000\Software\Systweak]
    [-HKEY_USERS\S-1-5-21-3085311642-3661256157-1779051052-1000_Classes\keepmysearch]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Mar 18, 2015
  3. sirilion

    sirilion Private E-2

    Thanks for that list of steps chaslang. Sadly it's Monday morning here now which means work :(

    I'll get onto this tonight when back at home.
     
  4. sirilion

    sirilion Private E-2

    Hi,

    I performed the uninstall of the programs successfully & then installed the newer Java.

    I launched Google Chrome to be able to copy & paste your codebox into OTM but when attempting to sign in to the forum the browser was hijacked by coupon ad popups & redirected me to survey sites for alleged grocery companies.

    I copied the OTM codebox from another PC to a txt file & then transferred to the PC.

    OTM went not responding numerous times during execution but occasionally crept forward. It's now been running for well over an hour and has been in a not responding state for over half an hour. The laptop actually put itself to sleep after a while. After waking it up it's still using CPU % in task manager.

    Not sure how to proceed (I have disabled laptop going to sleep while plugged in for now).
     
  5. sirilion

    sirilion Private E-2

    Should have mentioned where it's stuck... it seems to be stuck on

    "[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]"

    from what I can tell based upon what's left to do in the yellow Paste instructions pane & the last thing it's done on the results pane.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please try running the OTM part of the fix in safe boot mode. If this does not work then I will create a new fix possibly requiring another scan and another tool.
     
  7. sirilion

    sirilion Private E-2

    I launched OTM in safe mode almost 14 hours ago. Still hung on the same point as previously. It tore through the major parts in seconds but got to the same point & hung again.

    I've rebooted into Normal Windows mode & performed the Junkware Removal Steps. In order to do so I uninstalled a version of Lavasoft Ad-Aware Anti-Virus that kept popping up warnings about being out of date etc & wouldn't launch in order for me to close it down.

    I also allowed JRT to update itself to version 6.4.5 (03.17.2015:1).

    I then proceeded to run C:\MGtools\GetLogs.bat, it ran GetLogs.bat & GetUnKeys.bat before hanging on running GRK64.bat. At time of writing it's still hung on that step.

    Please find attached the first OTM log (the safe mode one didn't create one after boot to normal mode), the Junkware removal logs & the new MG tools zip (what it has done so far).
     

    Attached Files:

  8. sirilion

    sirilion Private E-2

    The finalised MGTools logs are attached. It took another 30 minutes almost after I gave up on it for the night.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I made a few changes to the original OTM fix. Please see if you can get it to run to completion now. If it runs properly then also rerun C:\MGtools\GetLogs.bat to get a new MGLogs.zip file to also attach. Let it run through to completion before grabbing the log. It tells you when it is finished.

    You don't need to rerun JRT.
     
  10. sirilion

    sirilion Private E-2

    New OTM code ran fast up until:

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "mobilegeni daemon"=-

    Then it got bogged down. Left it for 20 minutes. Tried again in Safe Mode, same thing. 20 minutes later still on that same bit.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I removed those items from the OTM fix. Please try again. Hopefully the uninstall of Mobogenie got rid of those already.
     
  12. sirilion

    sirilion Private E-2

    Laptop was still in safe mode running the previous OTM code (your second OTM suggestions). I killed it off and launched it again, closed off the log file & had to relaunch it again. I ran OTM code #3, the one without those last two mobilegeni entries. It tore through it all and froze up when :Commands was the top line on the yellow "paste instructions" pane.

    In my previous responses I assumed it was doing it in order of the code pasted but maybe not so. The last few lines of the "result" pane don't match any pattern of lines from the code provided. i.e. it doesn't appear to be doing them in the same order as they're entered in the paste window... So maybe my assumptions as to where it was up to previously were incorrect and it could be getting hung somewhere else in the pasted code.

    It's probably fair to say at this point something doesn't like OTM too much on this laptop :p

    In the interests of completeness I've manually checked all the files you wanted removed in the OTM codes & can report that while there were a few not found in C:\_OTM\MovedFiles, these didn't exist in the original locations specified by your OTM code either (i.e. they don't seem to have existed in the first place or something else has removed them somewhere along the line).

    I also verified that everything that was moved into C:\_OTM\MovedFiles hadn't been re-created since, and that no bits were missed.

    The only files from the :Files section still existing today are:

    So it looks like the :Files bit has pretty much been cleaned up. Every subsequent run of OTM seems to have just moved the C:\Users\Pashlee\AppData\Local\Temp\*.* again, and nothing else.

    I also checked all the registry key values manually and can report the following still exist:


    One of the ones you had was:

    And while this doesn't exist the following does which looks similar:

    Hopefully this is helpful in figuring out what is left from the multiple OTM attempts & helps with a way forward.
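The manual "what is still there?" check above, repeated against a fix list in the format of chaslang's OTM codebox, as an added example script (not part of the thread and not the OTM tool's own code): it parses the :Files and :Reg sections, turns `[-key]` and `"name"=-` lines into lookup targets, and reports the ones that still exist. The registry lookup uses winreg and only works on Windows; both existence predicates are injectable so it can be exercised elsewhere, and the script name otm_check.py is a hypothetical one.

```python
import os
import re
import sys

SECTION_RE = re.compile(r"^:(\w+)\s*$")          # :Files, :Reg, :Commands ...
REG_DELETE_RE = re.compile(r"^\[-(.+)\]$")       # [-HKEY_...\key]  deletes a whole key
REG_VALUE_RE = re.compile(r'^"(.+)"=-$')         # "name"=-  deletes one value of [key]


def parse_otm_script(text):
    """Split the pasted fix list into {section name: [lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_targets(reg_lines):
    """Return 'HIVE\\key' for key deletions and 'HIVE\\key::value' for value deletions."""
    targets, current_key = [], None
    for line in reg_lines:
        m = REG_DELETE_RE.match(line)
        if m:
            targets.append(m.group(1))
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]             # plain [key] scopes the "name"=- lines
            continue
        m = REG_VALUE_RE.match(line)
        if m and current_key:
            targets.append(f"{current_key}::{m.group(1)}")
    return targets


def default_key_exists(target):
    """Open the key (and value) read-only with winreg; False off Windows or if absent."""
    if sys.platform != "win32":
        return False
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_USERS": winreg.HKEY_USERS}
    key_path, _, value = target.partition("::")
    hive, _, subkey = key_path.partition("\\")
    try:
        with winreg.OpenKey(hives[hive], subkey) as k:
            if value:
                winreg.QueryValueEx(k, value)
            return True
    except (OSError, KeyError):
        return False


def remaining_targets(script, path_exists=os.path.exists, key_exists=default_key_exists):
    """Which :Files paths and :Reg targets are still present? (predicates are injectable)"""
    sections = parse_otm_script(script)
    files = [p for p in sections.get("Files", [])
             if "*" not in p and path_exists(p)]  # Temp\*.* is re-emptied every run anyway
    keys = [t for t in registry_targets(sections.get("Reg", [])) if key_exists(t)]
    return {"Files": files, "Reg": keys}


if __name__ == "__main__":              # usage: python otm_check.py fixlist.txt
    with open(sys.argv[1], encoding="utf-8") as fh:
        for section, items in remaining_targets(fh.read()).items():
            print(section, "still present:", items or "none")
```

Run it after each OTM pass with the codebox saved to a text file; an empty result for both sections means nothing on the list survived, while leftovers point at what the next fix or a manual removal still has to cover.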
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay boot back up in normal boot mode and tell me if you are still having any problems.
     
  14. sirilion

    sirilion Private E-2

    Booted to normal mode & launched Chrome to try out some browsing.

    Had ad popups almost immediately after landing on YouTube & clicking on one of the categories on their sidebar. A massive splash page by "Ads by Ultra Coupons" popped up taking up most of the screen. Then a new Chrome tab launched from YouTube to a sportsbet.com.au ad, with a "PortalMore" side bar on the side, a "System Alert" fake dialogue in one corner and another "windows - system error" fake dialogue.

    I tried it again, went to Youtube, before I clicked anything this time I had Ultra Coupon ads embedded in the YouTube homepage. Clicking a category spawned a new tab with a different main ad, but the same "PortalMore" left hand sidebar and various other sub-frame ads, this time including a Chrome authentication pop up box for "http://ads.qadservice.com.au:80", the prompt said "The server says: QadabraTagsApi".

    When the new tab spawns the URL in the title bar is "www.youradexchange.com" usually but sometimes others before it lands on the URL it's redirecting me to.

    Since OTM isn't cleaning up those Registry keys I mentioned above should I go through & manually remove them?

    Or is there more going on here?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Hitman Pro and this time allow it to fix all the Malware remnants and Potentially Unwanted Programs that it reports. Then immediately reboot your PC. After reboot, run the below:

    Reset Chrome to Defaults


    How is it working now?
     
  16. sirilion

    sirilion Private E-2

    Let Hitman kill everything it found. Log attached.

    Reset Chrome settings.

    Browsed through youtube some & a few other websites. Did not see any unexpected ads, no popup tabs or redirections.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8 Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • For Windows 8 and 8.1 system restore see this link: Win 8 System Restore - How to enable/disable
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  18. sirilion

    sirilion Private E-2

    I haven't seen any more ads after some more testing.

    Thanks very much for your help & patience. I appreciate this probably wasn't as straightforward as it could be with the OTM issues.

    I've performed the final steps.

    Thanks very much again.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
  20. sirilion

    sirilion Private E-2

    Haha! I've told my brother I don't want to see his laptop in this state again... so we'll see how he goes ;)
     