Malware problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mariano10, Aug 19, 2014.

  1. Mariano10

    Mariano10 Private E-2

    Problems started today after I mistakenly downloaded a program. I have Symantec Endpoint Protection, which detected and eliminated a Trojan when the program was downloading.

    After following all the instructions in the Malware Removal/Cleaning procedure, the Internet Explorer icon in the taskbar has been replaced by a blank sheet (before running the scans it had been replaced by an icon with a magnifying glass). When I place the cursor over it, it says "Search" instead of "Internet Explorer." If I click on it, it opens some search engine. Changing the homepage in Internet options-->homepage does not solve it. I seem to be able to go to google and other webpages without problems, though.

    Before running the malware removal procedure, I had followed the instructions on "Hijacking Problems", as I was being redirected.

    Thanks for your help!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log from Malwarebytes indicates you did not allow it to fix anything. You need to run it again and allow it to delete or quarantine all that junk it found.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {31ad400d-1b06-4e33-a59a-90c2c140cba0} - (no file)
    O3 - Toolbar: ShowPass Smartbar - {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll (file missing)
    O16 - DPF: {4FF78044-96B4-4312-A5B7-FDA3CB328095} (ExentInf1 Class) -

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\Mariano\AppData\LocalLow\Smartbar
    C:\ProgramData\Uniblue
    C:\WINDOWS\TEMP\*.*
    C:\Users\Mariano\AppData\Local\Temp\*.*
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IESmartBar.BandObjectAttribute]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IESmartBar.DockingPanel]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IESmartBar.IESmartBar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IESmartBar.IESmartBarBandObject]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IESmartBar.SmartbarDisplayState]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IESmartBar.SmartbarMenuForm]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{915BB7D5-082E-3B91-B1E0-45B5FDE01F24}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2503}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\5E8031606EB60A64C882918F8FF38DD4]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\BrowserSafeguard_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\BrowserSafeguard_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    [-HKEY_USERS\S-1-5-21-1430520789-1920600086-1503763266-1001\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113}]
    [-HKEY_USERS\S-1-5-21-1430520789-1920600086-1503763266-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}]
    [-HKEY_USERS\S-1-5-21-1430520789-1920600086-1503763266-1001\Software\Smartbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ae07101b-46d4-4a98-af68-0333ea26e113}"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2503}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2503}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
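An added read-only audit script, not from the thread or from OTM/HijackThis, that checks the same registrations the OTM script above deletes: it lists IE Browser Helper Objects and toolbars whose CLSID no longer maps to a DLL on disk (the "(no file)" / "(file missing)" state HijackThis reported) and shows which search scope IE currently uses, so a cleanup can be confirmed without a second tool. It assumes Windows PowerShell 5.1 or later run as Administrator so both the 64-bit and Wow6432Node hives are readable.

```powershell
# Added example, not part of the thread or of OTM/HijackThis. Read-only audit of IE
# BHO, toolbar and search-scope registrations; assumes Windows PowerShell 5.1+ run as
# Administrator. Nothing is modified.

function Resolve-ClsidDll {
    param([string]$Clsid)
    # A COM server records its DLL in CLSID\{guid}\InprocServer32 (default value).
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (-not (Test-Path $key)) { continue }
        $dll = (Get-ItemProperty -Path $key).'(default)'
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
    }
    return $null
}

function Get-IeExtensionStatus {
    # BHOs are subkeys named by CLSID; toolbars are value names under the Toolbar key.
    $bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $tbRoots  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
    $found = @()
    foreach ($root in $bhoRoots | Where-Object { Test-Path $_ }) {
        foreach ($sub in Get-ChildItem -Path $root) {
            $found += @{ Type = 'BHO'; Clsid = $sub.PSChildName; Source = $root }
        }
    }
    foreach ($root in $tbRoots | Where-Object { Test-Path $_ }) {
        foreach ($p in (Get-ItemProperty -Path $root).PSObject.Properties) {
            if ($p.Name -like '{*}') { $found += @{ Type = 'Toolbar'; Clsid = $p.Name; Source = $root } }
        }
    }
    foreach ($f in $found) {
        $dll = Resolve-ClsidDll $f.Clsid
        # 'no file' / 'file missing' mirror what HijackThis prints for orphaned entries.
        $status = if (-not $dll) { 'no file' } elseif (-not (Test-Path -LiteralPath $dll)) { 'file missing' } else { 'ok' }
        [pscustomobject]@{ Type = $f.Type; Clsid = $f.Clsid; Dll = $dll; Status = $status; Source = $f.Source }
    }
}

function Get-IeDefaultSearchScope {
    # DefaultScope names the subkey whose URL value IE queries from the address bar.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $scopes = "$hive\Software\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path $scopes)) { continue }
        $id  = (Get-ItemProperty -Path $scopes).DefaultScope
        $url = if ($id -and (Test-Path "$scopes\$id")) { (Get-ItemProperty -Path "$scopes\$id").URL }
        [pscustomobject]@{ Hive = $hive; DefaultScope = $id; Url = $url }
    }
}
Get-IeExtensionStatus    | Format-Table Type, Clsid, Status, Dll -AutoSize
Get-IeDefaultSearchScope | Format-List
```

A DLL registered by bare file name (like the mscoree.dll entry HijackThis listed above) is checked relative to the current directory, so treat such rows as worth a second look rather than as proof either way.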
  3. Mariano10

    Mariano10 Private E-2

    Thank you, chaslang.

    Attached are the logs.

    The Internet Explorer icon on the taskbar is still a blank sheet, but when I click on it now the homepage is msn (no longer that random search engine). I'm not able to change the homepage though.

    Thanks again.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just right click on the icon and then in the popup form right click on Internet Explorer and then select Properties. On the Properties form with the Shortcut tab selected, make sure the target is correctly referencing "C:\Program Files\Internet Explorer\iexplore.exe"

    If it is correct already then try to change the icon.

    This may be due to Symantec protecting your home page settings.
     
  5. Mariano10

    Mariano10 Private E-2

    Thanks chaslang.

    However, I still can't change the homepage. I disabled Symantec and went to Internet Options->general. I can type a new address there or "use current" and apply the changes, but when I open IE again it ignores the change. I cannot change it in the app (instead of the desktop) either.

    Also, although I can use the IE app, none of the other apps that require Internet connection work (Skype, the Windows store, etc).

    Thanks again!
     
  6. Mariano10

    Mariano10 Private E-2

    Sorry for the misquote in the last post.
     
  7. Mariano10

    Mariano10 Private E-2

    The computer is also running very slow. When I open task manager disk usage is consistently 100% and in red, even with no programs running.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on all of your logs it really is not looking like malware is the cause of your problems. You only had some minor junkware and search engine hijack type issues which in the scheme of things are minor. I do see MANY MANY files that are each over 500KB in size being created in your C:\Users\Mariano\AppData\Local\Temp folder. This may be due to one of these sync applications (like BoxSync or Sugar Sync) that you are running. All of this disk activity creating these files may be what you are noticing. My suggestion would be to uninstall them (uninstall not disable) to see what changes occur.

    I also suggest uninstalling Advanced SystemCare 7 which can be a resource hog and may not play well with Symantec.

    Also, I have a question about what you have in the below folder
    C:\Program Files (x86)\iExplorer

    This would normally be assumed to be malware since it is very similar in naming to Windows related files and folders but it is not from Windows. Any commercial program that names the folders like this should be uninstalled due to them being too stupid to consider using. If this is Apple related and being used on a PC, it is still very stupid of them.

    However, all the above being stated, let's run a couple more scans and also a fix or two to see what happens.

    First, can you put one of those temp files I mentioned (ones like C:\Users\Mariano\AppData\Local\Temp\tmp92qlcu) into a ZIP file and attach it for me to look at.

    Be patient while doing the below. The fixes can sometimes take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Repair MSI (Windows Installer)
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the ZIPPED tmp file
    • C:\MGlogs.zip
     
  9. Mariano10

    Mariano10 Private E-2

    Thank you so much, chaslang.

    I uninstalled Box Sync and Advanced SystemCare, then ran Windows Repair, and the GetLogs.bat file. I was finally able to change the homepage and can now use the apps, so those issues are gone.

    The disk usage, however, is for some reason still 100% almost all the time. If I go to Task Manager and the processes tab, I can see that under Windows Processes, "System" is very active, even when I have nothing running. It was never like this before.

    About your question, I looked into "C:\Program Files (x86)\iExplorer". The only thing in there is "SQLite3.dll". I have no clue what that is.

    I am attaching one of those big temp files you mentioned, along with the MGLogs.zip (I was not sure about the MovedFiles log since I didn't run OTM again).

    Thanks for all your time!
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that file is a picture of a young girl lying across a bed looking at some pamphlet. You have thousands of files like this being created in your temp folder. The problems you are having are not related to malware. They are more likely related to these synchronization applications you are running. You still have SugarSync, iTunes, Bonjour, iCloud.... and I even still see BoxSync. I also see signs of something called ImageMagick in your temp folder too.

    You will have to discuss your problems in the Software Forum. My suggestion would be to stop all these applications from running and see what happens.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
    Last edited: Aug 22, 2014
  11. Mariano10

    Mariano10 Private E-2

    Thanks chaslang. BoxSync was the only synchronization application I was running and I uninstalled it, but I'll take it to the software forum then.

    Thanks again for your help!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
