Definite Infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by carolhamburg, Dec 26, 2015.

  1. carolhamburg

    carolhamburg Private E-2

    Hi. This is a request for assistance in removing infections from my laptop. Last week I noticed that my laptop was doing weird things like opening pop-up ads and opening new tabs in my browser even though I have pop-up blockers enabled. Also my default search engine keeps changing to Amazon all by itself. My boyfriend suggested that I run Malwarebytes to see what it finds and it found and removed a lot of infections. I am including that original Malwarebytes scan log and I will perform a new updated scan shortly after this post. I will be so grateful if anyone can help me with this.
     


  2. carolhamburg

    carolhamburg Private E-2

    For some reason the MB log would not post to the initial thread. I included two Hitman logs; I think that one may have been before infections were cleaned and one was from after but I am not completely sure about this, as my boyfriend is the one performing the scans and saving the logs.
     


  3. carolhamburg

    carolhamburg Private E-2

    Here is the newest MB log.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there carolhamburg and a warm welcome to Majorgeeks!

    I am just reviewing your logs, over a cup of coffee and will post back with a response asap. ;)
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Tasks tab and locate these detections:

    • [PUP] %WINDIR%\Tasks\HWLCUGMYAGRWVXAQ.job -- C:\ProgramData\Service0082\Service0082.exe -> Found
    • [Suspicious.Path] \Eahciureaee -- "C:\ProgramData\Eahciureaee\1.0.7.1\lowlorua.exe" ("/e=L3A9MTgzNTAxXi91PTQyN2FhZjAzNmYyNzQ5ZDNhMTUwMDNmMmM2M2FkNDkwXi9kPXRyYWNraGVhbHRoYWxlcnQuY29tXi9uPUhFTEFeL2E9SGVhbHRoQWxlcnReL3Q=") -> Found
    • [Suspicious.Path] \Web Bus -- C:\Windows\system32\rundll32.exe ("C:\Users\jesus4u\AppData\Local\Web Bus\{C64072C5-5EF1-7AC3-D178-721E0E183054}\WebBus.dll",#1) -> Found
    • [Suspicious.Path] \Web Bus2 -- C:\Windows\system32\rundll32.exe ("C:\Users\jesus4u\AppData\Local\Web Bus\{C64072C5-5EF1-7AC3-D178-721E0E183054}\wsc.dll",#1) -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for these entries on the files tab please...

    • [PUP][Folder] C:\ProgramData\{C19CA186-4F06-4E22-A1E6-6BAB4723A0DE} -> Found
    • [PUP][Folder] C:\Program Files (x86)\34444335-1450789455-5637-444A-3863BBA79D91 -> Found

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :files
    C:\ProgramData\2acd4cb5c435461892520f3241ad43b9
    C:\ProgramData\Application Data
    C:\ProgramData\Browser
    C:\ProgramData\Comms
    C:\ProgramData\install_clap
    C:\Program Files (x86)\34444335-1450789455-5637-444A-3863BBA79D91
    C:\WINDOWS\tasks\HWLCUGMYAGRWVXAQ.job
    C:\WINDOWS\system32\tasks\Eahciureaee
    C:\WINDOWS\system32\tasks\HWLCUGMYAGRWVXAQ
    C:\WINDOWS\system32\tasks\Kekgaue
    C:\WINDOWS\system32\tasks\Web Bus
    C:\WINDOWS\system32\tasks\Web Bus2
    C:\WINDOWS\system32\tasks\YCMServiceAgent
    C:\WINDOWS\system32\tasks\{FE229B42-E5E5-46B9-9C1D-F38C99B4CC46}
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.




    Download Cleano 1.31

    Download it to your desktop, right-click the cleano.exe file and run as admin, and place check marks in the boxes as shown in the attached image.

    Click Clean Now and exit the program.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    Re-run Hitman Pro and attach the log, let me see what remains.
    Re-run RogueKiller (just a scan) and attach that fresh log, too.
    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows 7 or Win 8.) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
     
  6. carolhamburg

    carolhamburg Private E-2

    Here are the first five logs.
     


  7. carolhamburg

    carolhamburg Private E-2

    And here are the new MG logs.
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run RogueKiller, locate this detection on the registry tab and remove it.

    • [PUP] (X64) HKEY_LOCAL_MACHINE\Software\Partner -> Found

    Do you see this to delete? Delete it, reboot the machine and check back...is it gone or has it come back?

    C:\WINDOWS\system32\tasks\Kekgaue

    Explain how things are running.
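    The detections in the RogueKiller and OTM steps above, and the re-check requested in this post, share one pattern: scheduled tasks whose action runs an executable from C:\ProgramData or a user profile, rundll32.exe loading a DLL from AppData, and a leftover registry key. The following PowerShell script is an added example, not something from the thread or from any of the tools it uses; it lists scheduled tasks matching those two launch patterns so a reader can judge what remains after cleanup, and then re-tests the specific items this post asks about (the Kekgaue task and HKLM\Software\Partner). It assumes Windows 8 / Server 2012 or later for Get-ScheduledTask and an elevated session; the function names are my own.

    ```powershell
    # Added example (not from the thread). Hunts for the persistence patterns the
    # RogueKiller detections above show: tasks launching from ProgramData or a user
    # profile, and rundll32.exe loading a DLL from those locations.
    # Assumes Windows 8 / Server 2012+ (Get-ScheduledTask) and an elevated shell.

    # Locations the samples in this thread ran from. Legitimate tasks rarely do.
    $userWritableRoots = @($env:ProgramData, (Join-Path $env:SystemDrive 'Users')) |
        ForEach-Object { [regex]::Escape($_) }
    $rootAlternation      = '(' + ($userWritableRoots -join '|') + ')'
    $exeFromUserWritable  = "(?i)^$rootAlternation"          # Execute path starts there
    $dllFromUserWritable  = "(?i)$rootAlternation.*\.dll"    # a DLL argument lives there

    function Get-SuspiciousTask {
        foreach ($task in Get-ScheduledTask) {
            foreach ($action in $task.Actions) {
                # Only Exec actions carry a command line; COM-handler actions do not.
                if (-not $action.Execute) { continue }
                $exe     = $action.Execute.Trim('"')
                $exeArgs = [string]$action.Arguments
                $reason  = $null

                if ($exe -match $exeFromUserWritable) {
                    $reason = 'executable lives in ProgramData or a user profile'
                }
                elseif ($exe -match '(?i)rundll32(\.exe)?$' -and $exeArgs -match $dllFromUserWritable) {
                    $reason = 'rundll32 loading a DLL from ProgramData or a user profile'
                }

                if ($reason) {
                    [pscustomobject]@{
                        TaskPath  = $task.TaskPath
                        TaskName  = $task.TaskName
                        Execute   = $exe
                        Arguments = $exeArgs
                        Reason    = $reason
                    }
                }
            }
        }
    }

    function Test-ThreadArtifacts {
        # The two items this post asks to re-check after a reboot. A task that
        # comes back after deletion means something still re-creates it.
        [pscustomobject]@{
            KekgaueTaskRegistered = [bool](Get-ScheduledTask -TaskName 'Kekgaue' -ErrorAction SilentlyContinue)
            KekgaueTaskFileExists = Test-Path (Join-Path $env:SystemRoot 'System32\Tasks\Kekgaue')
            PartnerKeyExists      = Test-Path 'HKLM:\SOFTWARE\Partner'
        }
    }

    Get-SuspiciousTask | Format-Table TaskPath, TaskName, Execute, Arguments, Reason -AutoSize -Wrap
    Test-ThreadArtifacts
    ```

    Run it once before deleting anything and once after the reboot; a task that reappears in the first table, or a True in the second, is the "has it come back?" answer the helper is asking for. The path rules are deliberately narrow so the output stays short; they will not flag every task a scanner would, but anything they do flag deserves a look at the file it points to.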
     
  9. carolhamburg

    carolhamburg Private E-2

    The task that you said to delete is gone. I followed your instructions and my machine seems to be working okay. There are no more strange popups and no more tabs opening by themselves but my default search engine in Firefox keeps changing itself to Yahoo now no matter how many times that I set it to Google. Maybe CCleaner is changing a Firefox site preference? I'm not sure. I will test it to see if that is the case.
     

    Attached Files: RK4.txt (3.8 KB)
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Is there any chance that you installed a customized version of Firefox optimized for Yahoo?
     
  11. carolhamburg

    carolhamburg Private E-2

    I refreshed Firefox and then changed all of my settings to where I would normally want them and everything seems to be working fine now. My laptop is behaving completely normally now. There are no more issues as far as I can tell. Thank you for the welcome to Majorgeeks and thank you even more for helping me to clean up the infections on my laptop.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am so pleased to hear all is running well again ;) You are most welcome for the assistance. I shall post final steps below...


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the below link:
     
