Friend's Computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by chadtlower, May 7, 2014.

  1. chadtlower

    chadtlower Private E-2

    A friend was getting video pop-ups randomly when he was on the internet. He said it was happening before and they thought they fixed it a month ago, but it started again, and now he said he had problems getting on IE last weekend. He brought me his laptop today (but forgot the power cord). I ran the first 4 steps and got logs from the first 3. I was in the middle of running MGTools when it gave me the low battery warning. I was able to save the logs for the first 3 before it went into hibernation and figured I would start with that for now because of an issue that happened after running MWB.

    MWB found issues, so I quarantined, grabbed the log, and then rebooted per your instructions. Upon rebooting, I kept getting these "image error" pop-ups. I would close one and then there would be another behind it. I got 3 before the desktop showed up, and then one or two dozen more afterwards before they "stopped." I use that loosely as they would randomly pop up 1-3 at a time after that sporadically. That is, until I ran MGTools. Then I was constantly clicking Cancel, Cancel, Cancel. I was tempted to take the MWB files out of quarantine, but did not. Also, before running MWB, I was able to access the internet (hardwired), but after these pop-ups started happening, I could not access the internet, so ran the rest of the tests offline.

    Not sure if you had seen the MWB issue before or could offer any thought while I wait for a power cord.

    Thank you for any help you can provide.

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There was nothing in your Malwarebytes log that showed anything that would be in Quarantine. Did you attach the wrong log? Is that the one after the initial scan where you fixed things? We need the first log.

    Also I need a log from MGtools, but please do the below first; perhaps it will help. Even if you have to try the below from safe boot mode.

    Uninstall anything that looks like any of the below:
    InternetUpdaterService
    InternetUpdater
    ChromeHelper
    FireFoxHelper
    IeHelper
    RHelpers
    iLivid
    ShopAtHomeWatcher
    ShopAtHomeUpdater
    ShopAtHomeHelper

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now reboot the PC into normal mode and see if you can get the desired log from MGtools.
  3. chadtlower

    chadtlower Private E-2

    So I went back into MWB and looked at the history. There were two logs, both attached, and both showing nothing.

    So I went into the quarantine and checked all to restore (I think there were over 200) to run MWB again. I noticed looking at a lot of the file names and locations, the three most common phrases I saw were:

    Movies Toolbar
    WOW6432NODE
    ShopAtHome (this one had significantly fewer entries than the others)

    After restoring the entries and rebooting, no system pop-ups any more. I saw the ShopAtHome on your list, so uninstalled that with Revo Uninstaller, as well as Movies Toolbar since it showed a lot in the MWB listing.

    In total, I uninstalled (in order) Internet Updater, ShopAtHome.com Toolbar, and Movies Toolbar for Internet Explorer (Dist. by Bandoo Media, Inc.), then rebooted (nothing else from the list you sent was present).

    (The ShopAtHome.com Toolbar got stuck when it was unregistering - 5th line of the process. So I had to force that to stop.)

    I ran MWB again and had 208 items. I included a screenshot of the initial screen. I tried to save the log and MWB crashed, so I had to run again. The second time, I tried to save the log and it crashed again :( Both of these times, I tried to collect the log before quarantine in case that was what made the log look clean. The third time, I quarantined first.

    For the files uploaded:
    MGlogs1.zip was the log from yesterday when the power sent me to hibernation. I don't know if it finished running when they powered it back on, or if this is the log up until that point.
    mbam-log-2014-05-07.txt is the log from yesterday in the MWB history section
    MWB.jbg is a screenshot of today's MWB scan
    MBpost.txt is today's MWB log after quarantining
    TDSSKiller log was from yesterday, but I didn't get it copied to the thumb before hibernation.

    I will send another message with 2 more files.

  4. chadtlower

    chadtlower Private E-2

    Last two files:

    MGlogs.zip was from today

    mbam-log-2014-05-07b.txt was the second MWB log in its history from yesterday. I don't know why there were two listed as I only ran it once (although they did have different names), but wanted to include both.

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you did not run the registry patch that I requested, so we will add it to the below fix. Please only follow the instructions given. Do not do anything on your own, as we requested in the READ & RUN ME.

    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    Java 7 Update 45
    ShopAtHome.com Helper
    Updater

    Now install the current version of Sun Java from:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877;
    R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
    R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O3 - Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)
    O4 - HKLM\..\Run: [BringMeSports_1c Browser Plugin Loader 64] C:\Program Files (x86)\BringMeSports_1c\bar\1.bin\1cbrmon64.exe
    O4 - HKLM\..\Run: [mobilegeni daemon] C:\Program Files (x86)\Mobogenie\DaemonProcess.exe
    O4 - HKCU\..\Run: [iLivid] "C:\Users\ssdevlin\AppData\Local\iLivid\iLivid.exe" -autorun

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Program Files (x86)\Mobogenie
    C:\Users\ssdevlin\AppData\Local\iLivid
    C:\Program Files (x86)\BringMeSports_1c
    C:\Windows\tasks\Dealply.job
    C:\ProgramData\Updater
    C:\Users\ssdevlin\AppData\Local\Temp\*.*
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "iLivid"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "BringMeSports_1c Browser Plugin Loader 64"=-
    "mobilegeni daemon"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "BringMeSports_1c Browser Plugin Loader 64"=-
    "mobilegeni daemon"=-
    [HKEY_USERS\S-1-5-21-2526149440-4096470655-1276286338-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "iLivid"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D54E3D9F-FEB8-4D2D-A138-B69A5C80080B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ae07101b-46d4-4a98-af68-0333ea26e113}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bitguard.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bprotect.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bpsvc.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\browsemngr.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\browserdefender.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\browsermngr.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\browserprotect.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\browsersafeguard.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bundlesweetimsetup.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cltmngsvc.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\delta babylon.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\delta tb.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\delta2.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\deltainstaller.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\deltasetup.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\deltatb.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\deltatb_2501-c733154b.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dprotectsvc.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iminentetup.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\jumpflip]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\protectedsearch.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rjatydimofu.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\searchinstaller.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\searchprotection.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\searchprotector.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\searchsettings.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\searchsettings64.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\snapdo.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\stinst32.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\stinst64.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sweetimsetup.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\tbdelta.exetoolbar783881609.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\umbrella.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\utiljumpflip.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\volaro]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vonteera]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\websteroids.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\websteroidsservice.exe]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{8c9ef753-beb6-4582-b653-93ac59274437}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8c9ef753-beb6-4582-b653-93ac59274437}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button (http://forums.majorgeeks.com/chaslang/images/MoveIt!.png).
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
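The HijackThis lines and the OTM script above touch four kinds of location: the per-user Internet Explorer proxy setting (the R1 line pointing at 127.0.0.1:8877, which routes browser traffic through a local process), the Run keys under HKLM, its Wow6432Node mirror and HKCU (the O4 lines), Browser Helper Object CLSIDs (the O2 lines, several of which show "(no file)" because the DLL is already gone), and Image File Execution Options keys named after other programs. The following read-only audit script is an added example for readers of this thread; it is not part of chaslang's fix, MGtools, OTM or HijackThis, and it changes nothing. It assumes it is run from an elevated PowerShell prompt on the affected machine, and the regexes used to pull the proxy port and the executable path out of a Run command line are this example's own simplifications. A Run entry reported as MISSING is the kind of orphaned autostart that produces "image error" pop-ups after a quarantine, and an IFEO key with a Debugger value redirects the named program to whatever that value points at, so any you did not set yourself deserve a look.

```powershell
# Added example, not from the thread: read-only audit of the locations the fix above touches.
# Run from an elevated PowerShell prompt. Nothing here modifies the registry or the file system.

# --- 1. Per-user proxy (the HijackThis R1 line) ---------------------------------------
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"ProxyEnable = $($inet.ProxyEnable)  ProxyServer = $($inet.ProxyServer)"
# Assumption of this example: a loopback proxy is written as host:port somewhere in the value.
if ($inet.ProxyServer -match '(?:127\.0\.0\.1|localhost):(\d+)') {
    $port = $Matches[1]
    Write-Warning "Browser traffic is being sent to a process on this machine (port $port)."
    # netstat -ano shows the PID of the listener so the process can be identified.
    netstat -ano | Select-String ":$port\s"
}

# --- 2. Autostart entries (the HijackThis O4 lines) -----------------------------------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, ... to the object; skip those.
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        # Assumption: the executable is the quoted first token, or the text up to the first ".exe".
        if     ($cmd -match '^"([^"]+)"')   { $exe = $Matches[1] }
        elseif ($cmd -match '^(.+?\.exe)')  { $exe = $Matches[1] }
        else                                { $exe = $cmd }
        $exe    = [Environment]::ExpandEnvironmentVariables($exe)
        $status = if (Test-Path -LiteralPath $exe) { 'present' } else { 'MISSING' }
        "{0,-8} {1}\{2} -> {3}" -f $status, $key, $p.Name, $cmd
    }
}

# --- 3. Browser Helper Objects (the HijackThis O2 lines) ------------------------------
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $dll   = $null
        # The CLSID's InprocServer32 default value names the DLL; check both 64- and 32-bit views.
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
            $srv = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)'; break }
        }
        if (-not $dll) { "BHO {0} -> (no file)" -f $clsid }
        elseif (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))) {
            "BHO {0} -> {1}" -f $clsid, $dll
        }
        else { "BHO {0} -> MISSING {1}" -f $clsid, $dll }
    }
}

# --- 4. Image File Execution Options with a Debugger value ----------------------------
# A Debugger value makes Windows start that program instead of the one named by the key.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg) { "IFEO {0} -> Debugger = {1}" -f $_.PSChildName, $dbg }
}
```

Running this before and after a cleanup gives a simple way to confirm that the proxy value is empty, that no Run entry points at a file that no longer exists, and that the BHO and IFEO lists contain only items you recognise; the OTM log records what was removed, this shows what is left.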
  6. chadtlower

    chadtlower Private E-2

    chaslang,

    Thank you for the reply. I did actually do the registry patch you requested, but didn't remember until a few hours after I posted and didn't want to "bump" my post.

    I did have to give it back to him since we came up on the weekend and he needed it back. Before giving it back, I did install the newest java version. I will see if I can get it back or pay a home visit to do the rest. Thank you for your help so far.
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Okay then, just post back whenever you have been able to finish those last instructions, but do note that it is best to complete things quickly to avoid possible reinfection.
