Daughter's Laptop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by douglaswlee, Sep 23, 2020.

  1. douglaswlee

    douglaswlee Private E-2

    Greetings,
    My daughter's laptop that she was using in college is needing help. I cannot tell you exactly what it was doing for her. She gave it to me and after opening it up the SuperAntiSpyware program was going crazy and after about 45 minutes it had detected over 3000 items to clean. I did not use that service to clean them, but jumped on to start the "Read Me......" instructions. It has been a few years since I have followed the path laid out, but hopefully someone here can help her out. Thanks for cleaning up our messes. The Malwarebytes file was too large to add, so I tried to zip it before adding it here.

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have three main issues:
    Relevant knowledge
    Malware Crusher
    WebDiscoverBrowser

    I am going to give you a list with items from each scan to remove:
    ADWCleaner
    PUP.Optional.MalwareCrasher C:\Program Files\Malware Crusher
    PUP.Optional.MalwareCrasher C:\ProgramData\MalwareCrusher.com
    PUP.Optional.MalwareCrasher C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malware Crusher
    PUP.Optional.MalwareCrasher C:\Users\cmeda\AppData\Roaming\MalwareCrusher.com
    PUP.Optional.MalwareCrasher C:\Users\Public\Desktop\Malware Crusher.lnk
    Trojan.Agent C:\Windows\SysWOW64\rlls.dll

    PUP.Optional.MalwareCrasher C:\Windows\System32\Tasks\MALWARE CRUSHER
    PUP.Optional.MalwareCrasher C:\Windows\System32\Tasks\MALWARE CRUSHER_LOGON

    PUP.Optional.MalwareCrasher HKCU\Software\malwarecrusher.com
    PUP.Optional.MalwareCrasher HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D46F7BA0-4AA6-4851-A56F-EF1C7D4B7DAA}
    PUP.Optional.MalwareCrasher HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{90E17B41-0184-41ED-BC58-907D79829176}
    PUP.Optional.MalwareCrasher HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D46F7BA0-4AA6-4851-A56F-EF1C7D4B7DAA}
    PUP.Optional.MalwareCrasher HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Malware Crusher
    PUP.Optional.MalwareCrasher HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Malware Crusher_Logon
    PUP.Optional.MalwareCrasher HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FA2268FD-F787-4DD3-B6F1-CA4F706F481E}_is1
    PUP.Optional.MalwareCrasher HKLM\Software\malwarecrusher.com
    PUP.Optional.MalwareCrasher HKLM\Software\mc-pr

    ROGUE:

    [PUP.MalwareCrusher (Potentially Malicious)] mcr.exe (1488) -- (Malware Crusher Inc) C:\Program Files\Malware Crusher\mcr.exe -> Found
    [PUP.MalwareCrusher (Potentially Malicious)] (Malware Crusher Inc) \Malware Crusher_Logon -- C:\Program Files\Malware Crusher\mcmonitor.exe [startupshow] -> Found
    [PUP.MalwareCrusher (Potentially Malicious)] (Malware Crusher Inc) \Malware Crusher -- C:\Program Files\Malware Crusher\mcmonitor.exe [scnd] -> Found
    [PUP.Gen1 (Potentially Malicious)] \WebDiscover Browser Launch Task -- "C:\Program Files\WebDiscoverBrowser\4.28.2\browser.exe" [--launch --docked] -> Found
    [PUP.Gen1 (Potentially Malicious)] \WebDiscover Browser Update Task -- "C:\Program Files\WebDiscoverBrowser\4.28.2\browser.exe" [--update] -> Found

    [PUP.MalwareCrusher (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\mc-pr -- N/A -> Found
    [PUP.MalwareCrusher (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\malwarecrusher.com -- N/A -> Found
    [PUP.Gen1 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\WebDiscoverBrowser -- N/A -> Found
    [PUP.ByteFence|PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\ByteFence -- N/A -> Found
    [PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\WebDiscoverBrowser -- N/A -> Found
    [PUP.Gen1 (Potentially Malicious)] (X64) HKEY_USERS\.DEFAULT\Software\WebDiscoverBrowser -- N/A -> Found
    [PUP.MalwareCrusher (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-2002250063-1656997147-3525524331-1001\Software\malwarecrusher.com -- N/A -> Found
    [PUP.Gen1 (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-2002250063-1656997147-3525524331-1001\Software\WebDiscoverBrowser -- N/A -> Found
    [PUP.Gen1 (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-18\Software\WebDiscoverBrowser -- N/A -> Found
    >>>>>> XX - Uninstall


    [PUP.MalwareCrusher (Potentially Malicious)] (shortcut) Malware Crusher.lnk -- C:\Users\Public\Desktop\Malware Crusher.lnk => C:\PROGRA~1\MALWAR~2\mcr.exe -> Found
    [PUP.RelevantKnowledge (Potentially Malicious)] (file) rlls64.dll -- (TMRG, Inc.) C:\Windows\System32\rlls64.dll -> Found
    [PUP.RelevantKnowledge (Potentially Malicious)] (file) rlls.dll -- (TMRG, Inc.) C:\Windows\SysWOW64\rlls.dll -> Found
    [PUP.MalwareCrusher (Potentially Malicious)] (folder) MalwareCrusher.com -- C:\Users\cmeda\AppData\Roaming\MalwareCrusher.com -> Found
    [PUP.MalwareCrusher (Potentially Malicious)] (folder) MalwareCrusher.com -- C:\ProgramData\MalwareCrusher.com -> Found
    [PUP.MalwareCrusher (Potentially Malicious)] (folder) Malware Crusher -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malware Crusher -> Found
    [PUP.RelevantKnowledge (Potentially Malicious)] (folder) RelevantKnowledge -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge -> Found
    [PUP.MalwareCrusher (Potentially Malicious)] (folder) Malware Crusher -- C:\Program Files\Malware Crusher -> Found
    [PUP.RelevantKnowledge (Potentially Malicious)] (folder) RelevantKnowledge -- C:\Program Files (x86)\RelevantKnowledge -> Found
    [PUP.Gen1 (Potentially Malicious)] (folder) WebDiscoverBrowser -- C:\Program Files (x86)\WebDiscoverBrowser -> Found

    Hitman:
    C:\Program Files (x86)\RelevantKnowledge\ (RelevantKnowledge)
    C:\Program Files (x86)\RelevantKnowledge\asmcf.dat (RelevantKnowledge)
    C:\Program Files (x86)\RelevantKnowledge\nscf.dat (RelevantKnowledge)
    C:\Program Files (x86)\RelevantKnowledge\readme.txt (RelevantKnowledge)
    C:\Program Files (x86)\RelevantKnowledge\rloci.bin (RelevantKnowledge)
    C:\Program Files (x86)\RelevantKnowledge\rlvknlg.exe (RelevantKnowledge)
    Size . . . . . . . : 5,733,744 bytes
    Age . . . . . . . : 276.3 days (2019-12-20 22:06:35)
    Entropy . . . . . : 6.8
    SHA-256 . . . . . : 62D2320D728C5016B783E7CEE6AED19B009B985A238B68B4C8D06D05DB106E03
    Product . . . . . : Relevant-Knowledge
    Publisher . . . . : TMRG, Inc.
    Description . . . : Relevant-Knowledge
    Version . . . . . : 1.3.338.311
    Copyright . . . . : Copyright © 2001-2019
    RSA Key Size . . . : 2048
    LanguageID . . . . : 1033
    Authenticode . . . : Valid
    Fuzzy . . . . . . : -15.0
    References
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge\RelevantKnowledge.lnk

    C:\Program Files (x86)\WebDiscoverBrowser\ (WebDiscoverBrowser)

    After doing the above, reboot and rescan with Rogue, Hitman and ADWCleaner. Attach the new logs
     
  3. douglaswlee

    douglaswlee Private E-2

    When I try to run Rogue, it hangs up (over 14 hours without showing any time lapse). Should I try to run it in safe mode with networking?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sideline Rogue and do the others.
     
  5. douglaswlee

    douglaswlee Private E-2

    Attached

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please allow ADWCleaner to remove:
    PUP.Optional.WebBar C:\Program Files (x86)\WebDiscoverBrowser
    PUP.Optional.RelevantKnowledge C:\Windows\System32\rlls64.dll
    PUP.Optional.Legacy C:\Windows\System32\Tasks\WEBDISCOVER BROWSER LAUNCH TASK
    PUP.Optional.Legacy C:\Windows\System32\Tasks\WEBDISCOVER BROWSER UPDATE TASK
    PUP.Optional.Legacy HKCU\Software\WebDiscoverBrowser

    PUP.Optional.Legacy HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{E41F2187-F097-4C5F-A045-550E55FE2219}C:\program files (x86)\relevantknowledge\rlvknlg.exe

    PUP.Optional.Legacy HKLM\Software\WebDiscoverBrowser
    PUP.Optional.Legacy HKLM\Software\Wow6432Node\WebDiscoverBrowser
    PUP.Optional.Legacy HKU\.DEFAULT\Software\WebDiscoverBrowser
    PUP.Optional.Legacy HKU\S-1-5-18\Software\WebDiscoverBrowser

    From Rogue, manually remove these files/folders:
    C:\Windows\System32\rlls64.dll
    C:\Program Files (x86)\WebDiscoverBrowser

    There are still registry keys, but I don't know your comfort level with removing them. So for now, do the above, reboot and once back on, then run CCleaner - and the registry cleaner.

    Then reboot again and rerun both ADW and Rogue and attach the new logs.
     
  7. douglaswlee

    douglaswlee Private E-2

    I do not mind doing some work in the registry as long as I can use a backup of the registry that I can get from CCleaner.

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looking much better.

    In ADW, remove these:
    PUP.Optional.SpecialSearchOffer.ShrtCln HKCU\Software\SpecialSearchOffer

    ***** [ Chromium (and derivatives) ] *****

    Adware.SpecialSearchOffer Special Search Option - mpicjgpamgcnpiacdciefbgahmkhhogc

    And in Rogue, remove this:
    [PUP.ByteFence|PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\ByteFence -- N/A -> Found

    Reboot and rescan with both and tell me how things are running now.
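    As an added example (not part of the thread or of any tool used in it), a read-only PowerShell check that the Malware Crusher, RelevantKnowledge, WebDiscover and SpecialSearchOffer artifacts listed in posts 2, 6 and 8 are actually gone after the cleanup and reboot. It deletes nothing, and assumes it is run from an elevated PowerShell on the affected laptop.

```powershell
# Added example, not from the thread: report whether the artifacts the scans
# flagged still exist. Read-only; run elevated so HKLM and System32 are readable.

$paths = @(
    'C:\Program Files\Malware Crusher',
    'C:\ProgramData\MalwareCrusher.com',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malware Crusher',
    'C:\Users\Public\Desktop\Malware Crusher.lnk',
    'C:\Windows\SysWOW64\rlls.dll',
    'C:\Windows\System32\rlls64.dll',
    'C:\Program Files (x86)\RelevantKnowledge',
    'C:\Program Files (x86)\WebDiscoverBrowser',
    'C:\Windows\System32\Tasks\MALWARE CRUSHER',
    'C:\Windows\System32\Tasks\MALWARE CRUSHER_LOGON'
)
$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$regKeys = @(
    'HKCU:\Software\malwarecrusher.com',
    'HKLM:\SOFTWARE\malwarecrusher.com',
    'HKLM:\SOFTWARE\mc-pr',
    'HKLM:\SOFTWARE\WebDiscoverBrowser',
    'HKLM:\SOFTWARE\Wow6432Node\WebDiscoverBrowser',
    "$taskCache\Tree\Malware Crusher",
    "$taskCache\Tree\Malware Crusher_Logon",
    "$taskCache\Tasks\{D46F7BA0-4AA6-4851-A56F-EF1C7D4B7DAA}",
    "$taskCache\Tasks\{90E17B41-0184-41ED-BC58-907D79829176}"
)
$tasks = @('Malware Crusher', 'Malware Crusher_Logon',
           'WebDiscover Browser Launch Task', 'WebDiscover Browser Update Task')

$leftovers = @()
# -LiteralPath matters: the GUID braces would otherwise be read as wildcards.
foreach ($p in $paths)   { if (Test-Path -LiteralPath $p) { $leftovers += "file/folder: $p" } }
foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { $leftovers += "registry:    $k" } }
foreach ($t in $tasks) {
    # Get-ScheduledTask errors when a task is absent; absent is the result we want.
    if (Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue) { $leftovers += "sched task:  $t" }
}
# Per-user keys sit under HKU\<SID>; walk every loaded hive instead of hard-coding the SID from the log.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
foreach ($hive in Get-ChildItem HKU:\) {
    foreach ($sub in 'Software\WebDiscoverBrowser', 'Software\malwarecrusher.com', 'Software\SpecialSearchOffer') {
        $k = "HKU:\$($hive.PSChildName)\$sub"
        if (Test-Path -LiteralPath $k) { $leftovers += "registry:    $k" }
    }
}

if ($leftovers.Count -eq 0) { 'Clean: none of the listed artifacts remain.' }
else { 'Still present:'; $leftovers | ForEach-Object { "  $_" } }
```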
     
  9. douglaswlee

    douglaswlee Private E-2

    Things are running much better, do you have a book or article to teach my daughter how to not get herself in this mess again that she can refer to?

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good!!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    3. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8 or 10, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. After doing the above, you should work through the below link:
     
  11. douglaswlee

    douglaswlee Private E-2

    Thank you very much for your help.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.
     