I think I have a small virus, please help.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by WhiteBoi360, Jan 18, 2015.

  1. WhiteBoi360

    WhiteBoi360 Private First Class

    Backstory: My hard drive fried a few months ago and I just now got a new one a couple of days ago and had to buy a new OS also (8.1 professional) as I couldn't find/remember my Windows 7 key/disc.

    After I got the OS installed and got my main programs back onto my computer my PC has been installing random software onto my computer. I'm pretty sure this started happening after I installed VLC media player. I've used VLC for years and have never had this problem so I'm not sure where this virus is coming from.

    Again, I just set this PC up so maybe I missed a firewall setting or a setting where to protect myself from this sort of thing. Still fairly new to Windows 8.

    Could I please get some assistance in finding the problem and removing it so I don't have a bunch of random software installing on my PC?

    Thanks!

    PS: I deleted all the randomly installed software a few days ago and this happened again. I don't remember the names of the software I removed but I do have the new ones that the virus put on my PC this time if it helps:

    "MyPCbackup", "GameHugArcade", "Sync Folder", "Ninja Loader" and "GeniusBox" are the current programs that the virus has installed.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. WhiteBoi360

    WhiteBoi360 Private First Class

    I have attached all the required logs below. Please note that I ran Malwarebytes a couple of days ago before I came here for help so those threats got deleted prior to coming here which is why it doesn't show anything in the log.


    I'm still experiencing problems stated in my OP and I also forgot to mention that I'm also getting these huge ads popping up on my screen when I access the web browser and also random software websites will pop open in new tabs.

    Will await further instructions.

    Thanks for the help.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Tasks : 7 ¤¤¤
    [Suspicious.Path] GXNVZC.job -- C:\Users\Chris\AppData\Roaming\GXNVZC.exe (/infocmdline=...) -> Found
    [Suspicious.Path] KEQOKTAU.job -- C:\Users\Chris\AppData\Roaming\KEQOKTAU.exe (/infocmdline=...) -> Found
    [Suspicious.Path] KRIKYHD.job -- C:\Users\Chris\AppData\Roaming\KRIKYHD.exe (/infocmdline=...) -> Found
    [Suspicious.Path] \\GXNVZC -- C:\Users\Chris\AppData\Roaming\GXNVZC.exe (/infocmdline=hxdAIuLGfLyaZGGrWoSuRSkXJEH7t+/qYnKID0IQIZF8cfE1u7Qk69KvRXJuSxC5ql6bNMyg1hgk2Vided4+JfwIJe4xJuikyxAMXDHyhhRVgw42R+WyuybQ//oTPuwbqbyfkksJU2aVHhcJxADY5RAXQ6Wwc0tQBwS9mVz/BdNcQCnie/T3ChpJ+LCHJfofQ6gwz+AtFbHlOrpBFndCyFYL3ieGXwmsmk0u0XIXX2Rs/dKWbg/1U9fC3tBrPIk8Q/pYmRA1NJ8NjcMsEzFcARW0xoPLHqaHV4z/VnCWHu5RlSWN2YnfSAOw+Q2l+M2SmLHJRkI+JH4YTNArX7tpA7LbD7RPdkz3mA/s6V4L9a7Mx+9RXVm55qMgI3MP1U3kkryAAmm1ZE+MF3cUMc9AtkZa27SMmxouebH6kxGX6RAwOAjcIWPIb7TZpYU/86JWVyt7Z16M9CuB1f4LaNmxr2uTT0tMlM8mEdVwsUO4i7WEZOPDYpbwOVCe+E7udqjI) -> Found
    [Suspicious.Path] \\KEQOKTAU -- C:\Users\Chris\AppData\Roaming\KEQOKTAU.exe (/infocmdline=...) -> Found
    [Suspicious.Path] \\KRIKYHD -- C:\Users\Chris\AppData\Roaming\KRIKYHD.exe (/infocmdline=...) -> Found
    [Suspicious.Path] \\SQAKP -- "C:\ProgramData\9a57dd4bfbdc41d9a41d3b8b62f45107\9a57dd4bfbdc41d9a41d3b8b62f45107.exe" (-p "Installium" -c "Installium_Default" -s "TG1" -i "1458376" -g "") -> Found
    Now rerun Hitman and have it fix everything it finds.

    Download OTM by Old Timer and save it to your Desktop.


    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code under the [IMG] area. Do not include the word Code.


    Code:
    :Processes
    explorer.exe
    
    :files
    C:\Windows\tasks\GXNVZC.job
    C:\Windows\tasks\KEQOKTAU.job
    C:\Windows\tasks\KRIKYHD.job
    C:\Windows\system32\tasks\GXNVZC
    C:\Windows\system32\tasks\KEQOKTAU
    C:\Windows\system32\tasks\KRIKYHD
    C:\Windows\system32\tasks\SQAKP
    C:\Users\Chris\AppData\Local\Temp\*.*
    
    :Commands
    [purity]
    [ResetHosts]
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Reboot and rescan with both RogueKiller and Hitman and attach the new logs.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Attach the new C:\MGLogs.zip.
     
  5. WhiteBoi360

    WhiteBoi360 Private First Class

    The requested logs are below. And also, I was unable to copy/paste the text under the Results tab for OTM because as soon as it completed a window popped up and said that I needed to restart the PC (which was part of the instructions), and I tried dragging the window over but it still would not let me highlight the text in the Results window.

    And I'm not sure if it matters at this point in the process but I am still having the same problems.

    Will wait for further instructions. Thanks again.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is no evidence of those programs on your system. Are you still having issues?
     
  7. WhiteBoi360

    WhiteBoi360 Private First Class

    Yes, I'm still having issues. When I am on the web and I click anything on a web page a new tab or two will open up trying to tell me to get software. The sites are random. And also, when I'm on the web huge ads will keep popping up in the bottom right hand corner.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member


    All this remains, Tim....

    • C:\ProgramData\39a67c400000167a
    • C:\ProgramData\tempimage.bmp
    • C:\Program Files (x86)\download Manager
    • C:\Program Files (x86)\globalUpdate
    • C:\Program Files (x86)\predm
    • C:\Windows\tasks\GXNVZC.job
    • C:\Windows\tasks\KEQOKTAU.job
    • C:\Windows\tasks\KRIKYHD.job
    • C:\Windows\system32\tasks\GXNVZC
    • C:\Windows\system32\tasks\KEQOKTAU
    • C:\Windows\system32\tasks\KRIKYHD
    • C:\Windows\system32\tasks\SQAKP
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OTM couldn't find some of those items, so use Windows Explorer and tell me if you can find:

    • C:\Windows\tasks\GXNVZC.job
    • C:\Windows\tasks\KEQOKTAU.job
    • C:\Windows\tasks\KRIKYHD.job
    • C:\Windows\system32\tasks\GXNVZC
    • C:\Windows\system32\tasks\KEQOKTAU
    • C:\Windows\system32\tasks\KRIKYHD
    • C:\Windows\system32\tasks\SQAKP
    Let me know.



    If you do find them, delete them.
     
  10. WhiteBoi360

    WhiteBoi360 Private First Class

    I couldn't find a single one of those using Windows Explorer.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    TimW will give you a proper fix later on to deal with them. They might be hidden from your view...
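    The checks the helpers are doing by hand above (tasks whose action points into a user profile or ProgramData folder, and target files that Explorer hides) can be run from an elevated PowerShell prompt on Windows 8 or later. This is an added example written for this thread, not a MajorGeeks tool; the folder roots it treats as suspect are an assumption taken from the RogueKiller output earlier in the thread.

```powershell
# Added example (not from the thread). Lists scheduled tasks whose action runs an
# executable from AppData or ProgramData (the pattern RogueKiller reported as
# [Suspicious.Path] above) and reports whether the target still exists, including
# files carrying the Hidden/System attributes that Explorer hides by default.
# Assumes Windows 8+ (Get-ScheduledTask) and an elevated prompt.

# Assumed suspect roots: legitimate tasks rarely run binaries from here.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData)

function Get-SuspectTaskAction {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry an Execute property; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $inSuspectRoot = $suspectRoots | Where-Object {
                $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            }
            if (-not $inSuspectRoot) { continue }
            # -Force returns hidden/system files that a plain Get-Item would skip.
            $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Executable = $exe
                Arguments  = $action.Arguments
                Exists     = [bool]$file
                Attributes = if ($file) { $file.Attributes.ToString() } else { 'n/a' }
            }
        }
    }
}

# Legacy (Task Scheduler 1.0) jobs live as .job files in C:\Windows\Tasks;
# -Force lists them even when they are marked hidden.
function Get-LegacyJobFile {
    Get-ChildItem -LiteralPath "$env:windir\Tasks" -Filter *.job -Force -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime, Attributes
}

Get-SuspectTaskAction | Format-Table -AutoSize -Wrap
Get-LegacyJobFile     | Format-Table -AutoSize
```

    A task whose Executable no longer exists is a leftover from a partial cleanup; a task whose file exists with the Hidden or System attribute explains why it was not visible in Explorer.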
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I got your PM, I will let TimW know that you are waiting. I'm sorry for any delay!
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if OTM can find them. If not, I will give you final clean up instructions.


    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code under the [IMG] area. Do not include the word Code.


    Code:
    :Processes
    explorer.exe
    
    :files
    C:\ProgramData\39a67c400000167a
    C:\ProgramData\tempimage.bmp
    C:\Program Files (x86)\globalUpdate
    C:\Program Files (x86)\predm
    C:\Windows\tasks\GXNVZC.job
    C:\Windows\tasks\KEQOKTAU.job
    C:\Windows\tasks\KRIKYHD.job
    C:\Windows\system32\tasks\GXNVZC
    C:\Windows\system32\tasks\KEQOKTAU
    C:\Windows\system32\tasks\KRIKYHD
    C:\Windows\system32\tasks\SQAKP
    
    :Commands
    [purity]
    [ResetHosts]
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.
     
  14. WhiteBoi360

    WhiteBoi360 Private First Class

    I don't think OTM found them but I attached the requested log below.
     


  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    True, but it did find the other items. Tell me how things are running before I give you the final cleanup.
     
  16. WhiteBoi360

    WhiteBoi360 Private First Class

    It's still running badly and getting crazy ads popping up everywhere. That didn't help, unfortunately =/
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What browser are you using?
     
  18. WhiteBoi360

    WhiteBoi360 Private First Class

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  20. WhiteBoi360

    WhiteBoi360 Private First Class

    Looks like that did it! That was simple enough, thanks Tim.

    Edit: Are we 100% sure though that we've removed everything?
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  22. WhiteBoi360

    WhiteBoi360 Private First Class

    Thanks so much. I didn't see anything anywhere in any of those links saying I should re-enable UAC back to default?
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is in the final instructions.
     
  24. WhiteBoi360

    WhiteBoi360 Private First Class

    Oh ok, well I did that step and it didn't change my UAC settings. I had to go back in and put it back to the default setting.
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As long as you have re-enabled it. ;)
     
