Computer has several malware/spyware issues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by luv2bike2nv, Apr 17, 2014.

  1. luv2bike2nv

    luv2bike2nv Private E-2

    Windows XP SP3; all MS updates were applied before/on April 8. It had MS Security Essentials installed and now has AVG Free antivirus installed as of today. The computer is an eMachine.

    Yesterday the owner of the company had logged into her computer through LogMeIn (which she does on a regular basis). She told me that a message came up on her screen and she clicked on the X in the top right corner of the box; she could not tell me what it said. Anyway, she decided to reboot the computer because it was acting very slow. She could not get back onto the computer after what she thought was enough time for it to be back up for her to log in. She called me, and I checked the computer: it was at the Network login screen, I could not do a Ctrl-Alt-Del, but I was able to move the mouse. So I thought the keyboard was bad and changed it out with 2 other keyboards (the original keyboard is PS/2; of the other 2, 1 was PS/2 and the other was USB). I still could not do Ctrl-Alt-Del even after powering it off and on. I was able to boot up into Safe Mode, and downloaded, installed and ran the following programs:
    SuperAntiSpyware, Malwarebytes, Spybot Search and Destroy, Glary Utilities.

    SuperAntiSpyware found quite a few tracking cookies and Trojan.Agent/Gen-Symmi. I went through the process of removing it all.
    I ran SuperAntiSpyware once again; however, Gen-Symmi showed up again and I went through the process of removing it again. I hope it is gone, though I am not sure.

    I rebooted the computer and tried to get in through normal mode. I was able to do Ctrl-Alt-Del and entered my credentials, and it sat there for quite some time. I rebooted, went into Safe Mode and ran Malwarebytes, and it came up clean. I tried System Restore and it failed.

    Before I left for the day, I started Spybot in Safe Mode and it found some threats; I cleaned them up this morning. I rebooted the computer in normal mode and was able to get into the system, but it was running extremely slow. I uninstalled MS Security Essentials, installed AVG and scanned the computer. It came up with Trojan Horse PSW.Generic10.RTC and I told it to clean it up.

    I had gone to a web page (easyremovevirus.com/how-to-remove-Trojan-agentgen-symmi-easy-remove-Trojan.agent/gen-symmi-from-pc) that gave instructions on how to clean Gen-Symmi, and it told me to run RegCurePro, which found several issues. In order to "fix" it I had to register, and I just did not feel right about that. The above web page was 2nd in the Google search for this Trojan; first was SuperAntiSpyware, which I had already performed.

    I have performed all the MajorGeeks steps that are needed to be able to post here.
    I have attached the logs for your review.

    I will wait for a response before doing anything else.

    Thank you very much in advance for your assistance.

    Robin :)
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there.

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.

    Good call. It's junk. ;) Uninstall it.


    If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Re run Hitman and have it remove everything EXCEPT for: C:\WINDOWS\system32\THREED20.OCX



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this detection:

    • [ZeroAccess][Folder] U : C:\WINDOWS\Installer\{78787f67-def6-897d-d9bf-5d8826496575}\U [-] --> FOUND
    Place a checkmark next to this item, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code into the Paste List of Files/Folders to Move window. Do not include the word Code.

    Code:
    :Files
    C:\Documents and Settings\robini\Application Data\ParetoLogic
    C:\Documents and Settings\All Users\Application Data\ParetoLogic
    C:\Documents and Settings\robini\My Documents\4-17-14.reg
    C:\Documents and Settings\robini\Start Menu\Programs\ParetoLogic
    C:\Program Files\ParetoLogic
    C:\Program Files\Common Files\ParetoLogic
    C:\WINDOWS\Tasks\RegCure Pro_sch_538AB3A2-C639-11E3-BC7E-00167690F4F1.job
    C:\WINDOWS\Tasks\RegCure Pro Startup.job
    C:\Documents and Settings\jeakel.HORSESHOE\Local Settings\Temp\jar_cache2489371735593558011.tmp
    C:\WINDOWS\Installer\{78787f67-def6-897d-d9bf-5d8826496575}\U
    
    :reg
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    Re run RogueKiller (just a scan) and attach log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
    Last edited: Apr 19, 2014
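An added example, not from this thread and not part of OTM itself: a Python dry-run parser for the `:Files` / `:reg` / `:Commands` fix-script format used in the post above, so that an operator can list exactly what a supplied script asks the tool to move or delete before running it on a production machine. The embedded sample is a shortened copy of the script in the post; the reading of `[-KEY]` as "delete this key" follows the .reg-file convention and is an assumption.

```python
import re

# Constructed sample: a shortened copy of the fix script posted above.
SAMPLE_SCRIPT = r"""
:Files
C:\Program Files\ParetoLogic
C:\WINDOWS\Tasks\RegCure Pro Startup.job
C:\WINDOWS\Installer\{78787f67-def6-897d-d9bf-5d8826496575}\U
:reg
[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E]

:Commands
[emptytemp]
[Reboot]
"""

SECTION_RE = re.compile(r"^:(\w+)\s*$")
# Assumption: "[-KEY]" under :reg means "delete KEY", as in .reg files.
REG_DELETE_RE = re.compile(r"^\[-(.+)\]$")


def parse_otm_script(text):
    """Return {section: [entries]}; registry delete entries are unwrapped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        if current == "reg":
            delete = REG_DELETE_RE.match(line)
            if not delete:
                raise ValueError(f"unsupported registry directive: {line!r}")
            line = delete.group(1)
        sections.setdefault(current, []).append(line)
    return sections


def review(text):
    """Return (plan, flags): flags mark system-area paths and reboots."""
    plan = parse_otm_script(text)
    flags = [f"system-area path: {p}" for p in plan.get("files", [])
             if p.lower().startswith("c:\\windows\\")]
    if "[Reboot]" in plan.get("commands", []):
        flags.append("script requests a reboot")
    return plan, flags
```

Call `review(open("fix.txt").read())` on a saved script to get the section-by-section plan and the list of entries worth a second look.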
  3. luv2bike2nv

    luv2bike2nv Private E-2

    Thank you for your response.
    I uninstalled RegCurePro.
    I can boot into Normal mode.
    I ran and uninstalled Windows Messenger.
    I ran Hitman Pro 3 times and made sure all the items but Threed20.ocx say delete, then clicked on Next... it is asking for an activation code.
    After I ran Hitman Pro the second time and it was still asking for an activation code, I deleted Hitman Pro from the desktop, downloaded it again and ran it, and it is still asking for an activation code.
    Where do I get one? Or how do I get around that?
    I did not do any of the other steps since I figured I needed to do them in order.

    I will wait for your response. Thanks

    Robin
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I edited my post #2 to include the files Hitman couldn't take. So just continue on after the Hitman step... :)
     
  5. luv2bike2nv

    luv2bike2nv Private E-2

    I will have to continue this on Tuesday as I have been called out of town. I will post back as soon as I complete the scans .

    Your help is greatly appreciated.

    Robin
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome, Robin.
     
  7. luv2bike2nv

    luv2bike2nv Private E-2

    Ok, I am back, and I ran RogueKiller; however, as you will see in the attached gif I do not have

    " [ZeroAccess][Folder] U : C:\WINDOWS\Installer\{78787f67-def6-897d-d9bf-5d8826496575}\U [-] --> FOUND"
    in the Registry tab.

    And ZeroAccess keeps on blinking in the Status box.

    I have attached the RKreport from today for you to review.

    I did not go to the next step. I will wait for your reply.

    Thanks.
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, it's still showing (File/folder tab!):


    • [ZeroAccess][Folder] U : C:\WINDOWS\Installer\{78787f67-def6-897d-d9bf-5d8826496575}\U [-] --> FOUND

    Fix the entry again with RogueKiller and then rescan (just a scan) and attach log for me.
     
    Last edited: Apr 23, 2014
  9. luv2bike2nv

    luv2bike2nv Private E-2

    I was able to delete the ZeroAccess entry, ran the scan again and attached the log.

    thanks
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, now continue on with the other instructions. :)
     
  11. luv2bike2nv

    luv2bike2nv Private E-2

    I was finally able to download and run OTM after I uninstalled the AVG software. AVG kept on blocking OTM from running; it would remove the program, so I had to download it every time. I finally uninstalled AVG and was able to continue on. I am installing AVG again after I send this off to you.

    I will wait for your reply. Thanks! :)
     


  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.

    Delete these:
    • C:\Documents and Settings\robini\Application Data\ParetoLogic
    • C:\Documents and Settings\All Users\Application Data\ParetoLogic

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  13. luv2bike2nv

    luv2bike2nv Private E-2

    I am not sure what you mean by
    "Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode"

    I have been booting up in Normal mode, not in Safe Mode, if that is what you mean.

    Unless you mean in MSConfig: in the General tab it has Normal Startup, Diagnostic Startup or Selective Startup. Selective Startup is selected. If I select Normal Startup then all the items in the Startup tab are selected, and there are a lot of items not selected that are not needed at startup.

    I went into Explorer and deleted the two directories.

    Attached you will find the MGLogs.zip file.

    I rebooted the computer and it is still experiencing extreme slowness.
    Once the Windows screen comes up after the manufacturer's screen, it takes close to 2 1/2 minutes for the Windows screen to disappear, and then I have a black screen for about another minute before the Network Login screen appears. I log in and it takes about 2 more minutes to load what needs to load.

    When I click on either Chrome or IE it takes 2 to 3 minutes for the Window just to open up and another 30 or 40 seconds for the home page to appear.

    The computer is a 2.80GHz with 2 GB RAM and 111GB free disk space; I am running defrag on the system right now.

    I will wait for your response. Thanks again. :)
     


  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes.. that's exactly what I mean. I need to see EVERYTHING that's starting up, so nothing is hiding from me. So please do what I have asked and then do this again so I can see how the land lies. Thanks.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  15. luv2bike2nv

    luv2bike2nv Private E-2

    MSConfig changed to Normal Startup and I have attached the MGLogs.zip file.

    Thanks :)
     


  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am not seeing anything else to do. :)


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  17. luv2bike2nv

    luv2bike2nv Private E-2

    Thank you for your assistance and time.

    I performed your last steps along with resetting the startup to Selective Startup and removed what is not needed. The boot-up, from the time "Windows" is loading to the time it gets to the Login Screen, is a little faster than before.

    Thanks again
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome. :) Safe surfing!
     
