New laptop infected through using just like the old one (which kept getting infected)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mondola, Nov 27, 2014.

  1. mondola

    mondola Specialist

    Hi,

    It seems to be a common theme for the parents at my kid's school:

    • Own business
    • Buy business laptop
    • Let whole family use business laptop
    • Fail to keep up to date
    • Scratch head when it gets full of pop ups, redirections and general slowness
    • Ask "that guy in the playground who works in computers" to do "that thing on t'internet" that'll fix it that I've pointed them in the direction to do themselves
    • Promise to keep up to date going forward
    • Return to top of list and repeat...

    Log files attached. I've stressed again the importance of keeping up to date and don't know how low level I've got to get to explain. Also that it doesn't matter how much auto protection is on there, if you tell the computer it's ok to do something by overriding the warnings, it's no surprise when it then does the thing you told it was ok to do so.

    I think people just can't be bothered following the actions to keep them up to date. It's baffling!

    On a business computer too!

    A new one!

    >>bangsheadagainstdesk<<

    Thanks in advance...

    (Rant over).

    :)
     

    Attached Files:

  2. mondola

    mondola Specialist

    Re: New laptop infected through using just like the old one (which kept getting infec

    Remaining logs...
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: New laptop infected through using just like the old one (which kept getting infec

    Not finding any malware. Rerun Hitman and have it remove all it finds.

    Use windows explorer and find and delete:
    C:\ProgramData\uxxadbmu.rlu

    Tell me what issues you are having.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: New laptop infected through using just like the old one (which kept getting infec

    @TimW, Don't forget all the items in RogueKiller!!! Including the proxy.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: New laptop infected through using just like the old one (which kept getting infec

    Oh, yeah....too much Turkey.

    Rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry : 26 ¤¤¤
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BackupStack (C:\Program Files (x86)\MyPC Backup\BackupStack.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CltMngSvc (C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wajam Internet Enhancer Service (C:\Program Files (x86)\Wajam\Wajam Internet Enhancer\WajamInternetEnhancerService.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BackupStack (C:\Program Files (x86)\MyPC Backup\BackupStack.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CltMngSvc (C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wajam Internet Enhancer Service (C:\Program Files (x86)\Wajam\Wajam Internet Enhancer\WajamInternetEnhancerService.exe) -> Found
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3798530367-4172069169-3016851918-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3798530367-4172069169-3016851918-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54042;https=127.0.0.1:54042  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54042;https=127.0.0.1:54042  -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3798530367-4172069169-3016851918-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54042;https=127.0.0.1:54042  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3798530367-4172069169-3016851918-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54042;https=127.0.0.1:54042  -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54042;https=127.0.0.1:54042  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:54042;https=127.0.0.1:54042  -> Found
    
    Reboot and rescan with both Hitman and RogueKiller and attach the new logs.
     
    Last edited by a moderator: Nov 27, 2014
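What the [PUM.Proxy] lines above mean, with an added example that is not part of this thread or of any MajorGeeks tool: ProxyEnable = 1 plus a ProxyServer of 127.0.0.1:54042 in every loaded user hive (.DEFAULT, the user's SID, and S-1-5-18 for SYSTEM) tells WinINET-based browsers to hand all HTTP/HTTPS traffic to a process listening on the local machine. On a laptop nobody deliberately configured that way, that is the setting to audit, and it is typically re-created by whatever local program wrote it until that program is removed. The PowerShell below walks every hive under HKEY_USERS, reports the same two values RogueKiller lists, flags loopback proxies, and can clear them with -Fix. It assumes an elevated session (the SYSTEM and .DEFAULT hives are not readable otherwise) and reads the registry view of the PowerShell process it runs in; the function name and the -Fix switch are this example's own, not RogueKiller's.

```powershell
# Added example (not from this thread or from RogueKiller): audit the WinINET proxy values
# reported above as [PUM.Proxy] across every user hive loaded under HKEY_USERS.
# Assumption: run from an elevated (Administrator) PowerShell session.

function Get-LoopbackProxyFindings {
    [CmdletBinding()]
    param(
        # Clear ProxyEnable and remove ProxyServer on each flagged hive instead of only reporting.
        [switch]$Fix
    )

    $subKey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $findings = @()

    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        # *_Classes hives hold COM registrations only, never an Internet Settings key.
        if ($hive.PSChildName -like '*_Classes') { continue }

        $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
        if (-not (Test-Path -Path $path)) { continue }

        $props   = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $enabled = if ($null -ne $props.ProxyEnable) { [int]$props.ProxyEnable } else { 0 }
        $server  = [string]$props.ProxyServer

        # Nothing configured in this hive: move on.
        if ($enabled -eq 0 -and [string]::IsNullOrEmpty($server)) { continue }

        # Matches "127.0.0.1:54042" as well as the "http=127.0.0.1:54042;https=..." form
        # seen in the log above; a loopback proxy means a local process sits in the path
        # of all browser traffic.
        $loopback = $server -match '(^|=)(127\.0\.0\.1|localhost):\d+'

        $findings += [PSCustomObject]@{
            Hive        = $hive.PSChildName
            ProxyEnable = $enabled
            ProxyServer = $server
            Loopback    = $loopback
        }

        if ($Fix) {
            # Same end state RogueKiller's fix produces for these entries: proxy off, server cleared.
            Set-ItemProperty    -Path $path -Name ProxyEnable -Value 0 -Type DWord
            Remove-ItemProperty -Path $path -Name ProxyServer -ErrorAction SilentlyContinue
        }
    }

    return $findings
}

# Report only; rerun with -Fix once you have confirmed no proxy is expected on this machine.
Get-LoopbackProxyFindings | Format-Table -AutoSize
```

Run it once before and once after a cleanup pass: if the Loopback column comes back True again after a reboot, the process that writes the values is still installed, which is the situation the later posts in this thread run into.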
  6. mondola

    mondola Specialist

    Re: New laptop infected through using just like the old one (which kept getting infec

    Thanks. Can never have too much turkey.

    Upon reboot after Hitman Pro run there was a:

    It didn't stay up long enough for me to get the full error, sorry. I think it might have been 3.6?

    Moving on to the next part of the fix, then will post logs.
     
  7. mondola

    mondola Specialist

    Re: New laptop infected through using just like the old one (which kept getting infec

    After reboot, the following items were not present in RogueKiller:

    But removed the rest.

    Just rebooting to get the new logs.
     
  8. mondola

    mondola Specialist

    Re: New laptop infected through using just like the old one (which kept getting infec

    Logs as promised.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: New laptop infected through using just like the old one (which kept getting infec

    Are you set up to run a proxy? If not, rerun RogueKiller and address those items. How are things running?
     
  10. mondola

    mondola Specialist

    Re: New laptop infected through using just like the old one (which kept getting infec

    Not set up to use a proxy.

    Tried to delete as you said, but they obviously came back.

    Tried once again, but they are back again.

    :(

    McAfee is installed as preloaded, but it's expired so can be removed if that is causing the problem?
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: New laptop infected through using just like the old one (which kept getting infec

    Yes, uninstall all AV programs. Reboot and rerun RogueKiller and fix those proxy settings. Reboot again and rescan with RogueKiller and attach the new log. Don't install AV until I tell you to.
     
  12. mondola

    mondola Specialist

    Re: New laptop infected through using just like the old one (which kept getting infec

    Looks like it worked?
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: New laptop infected through using just like the old one (which kept getting infec

    Looks good. You can now reinstall AV software.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
