Malware infection - help please - logs included

Discussion in 'Malware Help (A Specialist Will Reply)' started by Basil the Fox, Feb 21, 2014.

  1. Basil the Fox

    Basil the Fox Private E-2

    Hello,

    A colleague in my office has somehow infected his PC with a browser redirector "feed.helperbar" as well as "Optimizer pro".

    I have followed the instructions in your malware removal guide including emptying cache, using CCleaner etc, and then followed the scans, recording the logs which I've attached.

    • Malware Bytes seemed to remove quite a lot of the offending material.
    • Hitman Pro picked up lots more infected files which MWB seemed to miss. As instructed, I haven't removed any infected files using this program.
    • Kaspersky's program found no results and didn't give me a log to attach.

    The feed.helperbar doesn't seem to be affecting the browser any more, however I can still see a listing for Optimizer pro in the Uninstall programs list along with a shortcut. I'm not confident that this PC is clean right now.

    Logs are attached for your perusal.

    I hope you guys can help and advise.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. :)

    Are you deliberately set up to use a proxy?
     
  3. Basil the Fox

    Basil the Fox Private E-2

    Hi. :)

    No, we're not deliberately set up to use a proxy.

    However, I am using Google's DNS server on that machine: 8.8.8.8 and 8.8.4.4.
     
    Last edited: Feb 24, 2014
  4. Basil the Fox

    Basil the Fox Private E-2

    I have to admit, I'm getting a bit of an itchy trigger finger with Hitman Pro. If I let Hitman do its thing, will that affect any possible solutions?
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there :)

    Optimizer Pro v3.2
    <<< Uninstall this.

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : Browser Infrastructure Helper (C:\Users\pmc telecom\AppData\Local\Smartbar\Application\Smartbar.exe startup [7][x]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-1181397642-3544793409-3064858191-1000\[...]\Run : Browser Infrastructure Helper (C:\Users\pmc telecom\AppData\Local\Smartbar\Application\Smartbar.exe startup [7][x]) -> FOUND
    • [PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer ( [Country: UNITED KINGDOM (GB), City: (Unknown city)]) -> FOUND
    • [V2][SUSP PATH] TidyNetwork Update : C:\Users\pmc telecom\AppData\Local\TidyNetwork\petnupdate.exe - CID=TRUK07 NAME="TidyNetwork" AUTOGUID={44B68756-28FD-336E-DF49-430E83B49FDC} [-][x][x][x] -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.

    Re-run Hitman Pro and have it delete all of the Potentially Unwanted Programs that it finds.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows 7 or Win 8.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
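    The two registry locations RogueKiller flagged in the post above, the per-user Run key (where the Smartbar.exe entry under AppData\Local lives) and the ProxyServer value under Internet Settings, can be audited directly from PowerShell. The script below is an added example for readers of this thread; it is not part of the original post, of the MajorGeeks procedure or of RogueKiller. It lists every Run entry with a flag for executables launched from user-writable profile directories (the same idea as RogueKiller's [SUSP PATH] label, but the set of directories here is a heuristic chosen for this example), and it prints the user's proxy settings next to the adapters' DNS servers, because the ProxyServer value and the DNS server list (Google's 8.8.8.8 / 8.8.4.4 mentioned earlier) are independent settings: one being as intended says nothing about the other. It assumes Windows PowerShell 3.0 or later, run in the affected user's own session so that HKCU: is that user's hive.

```powershell
# Added example (not from the thread or from RogueKiller): audit Run keys and the
# IE proxy settings that the helper's instructions above had fixed by hand.
# Assumes Windows PowerShell 3.0+ run as the affected user (HKCU: = their hive).

function Get-RunEntryAudit {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    # Heuristic chosen for this example: legitimate software rarely autostarts
    # from user-writable profile directories, adware and PUPs frequently do
    # (compare the Smartbar.exe path under AppData\Local in the log above).
    $userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP,
                      (Join-Path $env:USERPROFILE 'Downloads')) | Where-Object { $_ }

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $command = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            # Recover the executable: a quoted path, or the first token before any arguments.
            $exe = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split '\s+')[0] }
            $inUserDir = $false
            foreach ($root in $userWritable) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
            }
            [pscustomobject]@{
                Key         = $key
                Name        = $prop.Name
                Executable  = $exe
                OnDisk      = if ($exe) { Test-Path -LiteralPath $exe } else { $false }  # false = orphaned entry
                UserDirPath = $inUserDir
            }
        }
    }
}

function Get-UserProxyAudit {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $settings = Get-ItemProperty -Path $key
    # DNS servers are configured on the adapters, not under Internet Settings;
    # they are read here only so the two can be compared side by side.
    $dns = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Sort-Object -Unique
    [pscustomobject]@{
        ProxyEnable   = [int]$settings.ProxyEnable   # 1 = a static proxy is active for this user
        ProxyServer   = $settings.ProxyServer        # host:port, or a protocol=host:port list
        AutoConfigURL = $settings.AutoConfigURL      # PAC script URL, another setting adware alters
        DnsServers    = ($dns -join ', ')
    }
}

function Remove-UserProxy {
    # Remediation for a static proxy the user did not configure (what RogueKiller's
    # delete of the ProxyServer detection does). The audit above is the check that
    # the machine was not meant to use one.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    Set-ItemProperty    -Path $key -Name ProxyEnable -Value 0 -Type DWord
}

# Report: entries from user-writable paths or with no file on disk deserve a second look.
Get-RunEntryAudit | Sort-Object -Property UserDirPath -Descending | Format-Table -AutoSize
Get-UserProxyAudit | Format-List
```

    Run the report before and after a cleanup: a Run entry whose OnDisk column is false is a leftover pointing at a file that has already been removed, and a ProxyEnable of 1 with a ProxyServer nobody set is what the [PROXY IE][PUM] detection above corresponds to. Remove-UserProxy is defined but not called; it removes only the three values shown and leaves the adapter DNS configuration untouched.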
  6. Basil the Fox

    Basil the Fox Private E-2

    Hello, thank you so much for your detailed response.

    I'll list below the instructions I've followed and my results with each bit.

    Optimizer Pro - The first thing I did was to try and uninstall using the Windows uninstaller - there was a file missing which wouldn't let me complete this. I launched msconfig and disabled any Optimizer Pro processes and startup items, rebooted, then used Revo to uninstall Optimizer Pro completely.

    Rogue Killer - After the initial scan, I could only find two of the items you listed:

    • [PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer ( [Country: UNITED KINGDOM (GB), City: (Unknown city)]) -> FOUND
    • [V2][SUSP PATH] TidyNetwork Update : C:\Users\pmc telecom\AppData\Local\TidyNetwork\petnupdate.exe - CID=TRUK07 NAME="TidyNetwork" AUTOGUID={44B68756-28FD-336E-DF49-430E83B49FDC} [-][x][x][x] -> FOUND

    I checked and removed the bottom reg entry leaving all others intact. I went back to the proxies tab to remove the Proxy entry and Rogue Killer wouldn't allow me to delete this. I rescanned, clicked the Proxies tab, selected the Proxy then clicked "delete", not realising that all the registry entries that were picked up were now checked. In short, I've now deleted ALL registry entries that Rogue Killer had picked up. I have included the latest log for you... for what it's worth, but it's now showing as empty. I do have the previous scan logs stored if you would like to see them?

    Hitman Pro - Found traces of some bits & pieces. I removed them all. Log attached for completion.

    Junkware Removal Tool - Log attached.

    RegKey
    Successfully added.

    MGTools - Log attached

    After posting this, I'm going to reboot this PC and see how things go. I will report back with an update in a following post.
     


  7. Basil the Fox

    Basil the Fox Private E-2

    Everything seems okay now. No popups, or browser redirects seem to remain. Optimizer Pro has gone. PC seems to be running smoothly.

    Would appreciate feedback from the logs, though.

    Again, thank you so much for the help! :)
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Rescan with RogueKiller one more time and attach the fresh log for me to check please. :)
     
  9. Basil the Fox

    Basil the Fox Private E-2

    Sure. Here you go!

    The registry elements it's found are the ones I thought I'd accidentally deleted in my previous post.
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It's still detecting this proxy. Is this due to Google's DNS server set up?

     
  11. Basil the Fox

    Basil the Fox Private E-2

    I think so. I double checked the DNS set-up and nothing was out of place, the PC is still using Google's DNS settings. User hasn't reported any further problems.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent. :)



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
  13. Basil the Fox

    Basil the Fox Private E-2

    Thank you Kestrel, you've been awesome!

    :cool:
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome. :) Safe surfing!
     