Desktop Computer Infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by TomLLLLL, Mar 22, 2016.

  1. TomLLLLL

    TomLLLLL Private E-2

    Hi, I was downloading what I thought was a Windows media file, but when I tried to play it, I got a virus.

    The symptoms of the virus include:
    Computer is downloading programs without my permission. At first I was able to go to the control panel and remove them, but now they are no longer showing up there (i.e. the WeatherBug program).

    Google Chrome won't open, saying the application failed to start because its side-by-side configuration is incorrect.

    McAfee keeps blocking a program from running called Artemis!B1C04A8882D1

    I have gone thru the READ & RUN ME first and am uncertain if any new programs have been downloaded since, and also need help getting rid of the remaining programs.

    Thanks for the help
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello there, and a warm welcome to Majorgeeks. I am just reviewing your logs and will post back with a response soon. :)
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    WebOptimum <<< Uninstall this if you can using Revo Uninstaller. If you cannot, just continue on with the next steps...


    I'd like you to re-run Hitman Pro, activate/enable the free trial, and then let it remove all that it finds.


    Next, re-run Malwarebytes and let it remove anything else it *may* find.



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\SecureWebChannel -> Found
    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\SP Global -> Found
    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\WIN -> Found
    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b608cc98-54de-4775-96c9-097de398500c} -> Found
    • [Suspicious.Path|VT.Backdoor.Win32.Agent.gprn] (X64) HKEY_USERS\S-1-5-21-3736828203-796322993-1323128906-1001\Software\Microsoft\Windows\CurrentVersion\Run | Pritc : C:\Users\Thomas\AppData\Local\Temp\is-GPOTA.tmp\print.exe [-] -> Found
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3736828203-796322993-1323128906-1001\Software\Microsoft\Windows\CurrentVersion\Run | Chromium : "c:\users\thomas\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session [x][x][x][x] -> Found
    • [Suspicious.Path|VT.Backdoor.Win32.Agent.gprn] (X86) HKEY_USERS\S-1-5-21-3736828203-796322993-1323128906-1001\Software\Microsoft\Windows\CurrentVersion\Run | Pritc : C:\Users\Thomas\AppData\Local\Temp\is-GPOTA.tmp\print.exe [-] -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3736828203-796322993-1323128906-1001\Software\Microsoft\Windows\CurrentVersion\Run | Chromium : "c:\users\thomas\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session [x][x][x][x] -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...Same for these on the Tasks tab...

    • [PUP] %WINDIR%\Tasks\ENANJHXLHOVSUDQA.job -- C:\ProgramData\Service5191\Service5191.exe -> Found
    • [Suspicious.Path|VT.UDS:DangerousObject.Multi.Generic] %WINDIR%\Tasks\Price Fountain.job -- C:\Users\Thomas\AppData\Roaming\PRICEF~1\UPDATE~1\UPDATE~1.EXE (/Check) -> Found
    • [Suspicious.Path] %WINDIR%\Tasks\SOCZF1.job -- C:\ProgramData\CoffeeFeed\CoffeeFeed.exe -> Found
    • [Suspicious.Path|VT.PUP.Optional.DealPly] \PFExe -- C:\Users\Thomas\AppData\Local\PriceFountain\pricefountain.exe -> Found
    • [Suspicious.Path|VT.UDS:DangerousObject.Multi.Generic] \Price Fountain -- C:\Users\Thomas\AppData\Roaming\PRICEF~1\UPDATE~1\UPDATE~1.EXE (/Check) -> Found
    • [Suspicious.Path] \runTask -- %TEMP%/Updater.exe (/install) -> Found
    • [Suspicious.Path] \SOCZF1 -- C:\ProgramData\CoffeeFeed\CoffeeFeed.exe -> Found

    ...and these on the Files/Folder tab...

    • [PUP][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WeatherBug®\WeatherBug® Update.lnk [LNK@] C:\ProgramData\{FA77A43D-F6ED-4924-87B5-517C061388C6}\WeatherBugSetup.exe /update /shw -> Found
    • [Tr.DNSPatcher|VT.Unknown][File] C:\Windows\System32\dnsapi.dll -> Found
    • [Tr.DNSPatcher|VT.Unknown][File] C:\Windows\SysWOW64\dnsapi.dll -> Found

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Re-run Hitman Pro (just a scan) and upload a FRESH log.
    Same for RogueKiller.
    Please re-run TDSSKiller, and upload the FRESH log.
    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    ...and finally...

    Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

    Note: Make sure you download the correct version for your PC. Only the correct version will work.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
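The entries RogueKiller flagged above share one pattern: autostarts (per-user Run keys, legacy .job files, registered tasks) whose targets live in AppData\Local\Temp, AppData\Roaming or ProgramData, plus a patched system DLL. The following is an added audit script, not part of the thread or of any MajorGeeks tool; it assumes an elevated PowerShell session on the affected machine, and the Get-ScheduledTask section only runs where that cmdlet exists (Windows 8 and later).

```powershell
# Added example (not from the thread or MajorGeeks' tools): list autostarts whose
# target sits in a user-writable staging path and hash/verify both dnsapi.dll copies.
$suspectPattern = 'AppData\\Local\\Temp|AppData\\Roaming|AppData\\Local|ProgramData|%TEMP%'
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-SuspectPath { param([string]$Target) return [bool]($Target -match $suspectPattern) }

$findings = @()

# 1. Per-user Run keys under HKEY_USERS\<SID>, where the Pritc and Chromium entries lived
foreach ($hive in (Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-' })) {
  $runKey = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
  if (-not (Test-Path $runKey)) { continue }
  foreach ($p in (Get-ItemProperty $runKey).PSObject.Properties) {
    if ($psMeta -contains $p.Name) { continue }          # provider metadata, not a Run value
    if (Test-SuspectPath "$($p.Value)") {
      $findings += [pscustomobject]@{ Where = "Run ($($hive.PSChildName))"; Name = $p.Name; Target = $p.Value }
    }
  }
}

# 2. Legacy %WINDIR%\Tasks\*.job files: the binary format stores the command as UTF-16,
#    so decoding the whole file as UTF-16 is enough to search it for a staging path
foreach ($job in Get-ChildItem "$env:WINDIR\Tasks\*.job" -ErrorAction SilentlyContinue) {
  $text = [Text.Encoding]::Unicode.GetString([IO.File]::ReadAllBytes($job.FullName))
  if (Test-SuspectPath $text) {
    $findings += [pscustomobject]@{ Where = 'Tasks\*.job'; Name = $job.Name; Target = '(open file to inspect)' }
  }
}

# 3. Tasks registered through the scheduler API (the \PFExe, \runTask, \SOCZF1 style hits)
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
  foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
      $cmd = "$($a.Execute) $($a.Arguments)"
      if (Test-SuspectPath $cmd) {
        $findings += [pscustomobject]@{ Where = $task.TaskPath; Name = $task.TaskName; Target = $cmd }
      }
    }
  }
}

# 4. dnsapi.dll: record SHA-256 of both copies (compare against a known-clean machine) and the
#    signature status. Older Windows reports catalog-signed system DLLs as NotSigned here, so
#    a NotSigned result should be followed up with "sfc /verifyfile=<path>" from an elevated cmd.
foreach ($dll in "$env:WINDIR\System32\dnsapi.dll", "$env:WINDIR\SysWOW64\dnsapi.dll") {
  $hash = ([BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash([IO.File]::ReadAllBytes($dll)))) -replace '-'
  $findings += [pscustomobject]@{ Where = 'dnsapi.dll'; Name = $dll; Target = "$((Get-AuthenticodeSignature $dll).Status) $hash" }
}

$findings | Format-Table -AutoSize -Wrap
```

The output is a review list, not a removal list: a legitimate updater can also live under AppData, so each hit still needs the kind of judgement the helper applied above before anything is deleted.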
  4. TomLLLLL

    TomLLLLL Private E-2

    Hey Kestrel, thanks for the help. I am currently in the process of going thru your instructions and have a question. I downloaded Revo Uninstaller, but I couldn't find WebOptimum.

    I then moved on to Hitman Pro, where I signed up for the free trial and ran it as an admin. Now it says it partially removed the malicious software and wants me to reboot to complete removal. It also gives me the option to just close out of it. Your instructions didn't say to reboot yet, and I just want to double check which option to choose with you.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes Tom, go ahead and reboot, that's fine :)
     
  6. TomLLLLL

    TomLLLLL Private E-2

    Ok, just finished running thru the instructions. The only issue I had was when I ran RogueKiller and was looking to delete the files you said to, not all of them were there... I think Hitman Pro might have picked them up first. Besides that everything looks good, the unwanted programs are gone and my PC seems back to normal.


    I've attached the RKreport2, JRT, Hitman (fresh), TDSSKiller (fresh) and the MGlogs (fresh). I will upload the FRST and RKreport (fresh) in a following post.
     

    Attached Files:

  7. TomLLLLL

    TomLLLLL Private E-2

    The final 2 documents: FRST and a fresh RKreport.

    Thanks again for the help.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. Do you also have the Addition.txt from running FRST? I would like to see that as well, please. :) Best to be thorough. I am glad things are running better, however there is still some work to do here. I'm in the UK though, and it's my bedtime now. I am going out for a few hours tomorrow, so will post back to you at the soonest opportunity. :)
     
  9. TomLLLLL

    TomLLLLL Private E-2

    Yeah sorry. Forgot to attach it. Have a goodnight.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello there. I am back, reviewing the logs now. :) Will post back very soon.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.
    Download Fixlist.txt

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.

    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable (if it is wireless, then temporarily shut down the wireless network).
    • Run FRST64.exe by right-clicking on it and selecting Run As Administrator.
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt); please upload this new log to your next reply.
    Then attach the below logs:

    • Fixlog.txt

    Also at this point, I want to double check the status of things by having you run another scan with FRST like in my last message and attach the new FRST.txt and Addition.txt logs.

    Next... Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     

    Attached Files:

  12. TomLLLLL

    TomLLLLL Private E-2

    Thanks. Just got in for the night. I'll run it first thing in the morning. :)
     
  13. TomLLLLL

    TomLLLLL Private E-2

    Good Morning. I ran FRST64 fix and had no issues with it. Below are all the logs.
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there :)

    I have to pop out for a little while soon, so as I do, post back and explain to me how things are running.
     
  15. TomLLLLL

    TomLLLLL Private E-2

    The computer is running great!!! The speed is as I remember it and there have been no new hidden downloads since we started. There are just a few things that I'd like to ask you about.

    The 1st is, when I was trying to remove the programs thru the control panel before I came here, I also removed Google Chrome because I thought the virus was coming thru it. Is it ok that I re-download Chrome?

    2nd, a few of my Excel files were copied, I think, but the copies are only 1kb and have a ~$ in front of them. Should I just delete them?

    Lastly, it looks like there are some leftover remnants of the virus still in my downloads folder. There is a MediaDownloader.exe last modified about an hour after my computer was infected, as well as a desktop.ini from about the time I got infected. The file desktop.ini is also in my music, picture and video libraries.

    Thank you so much for all this help you've given me, I greatly appreciate it. :)
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I don't recommend using it, personally. Time and time again I see people posting here with problems with Google Chrome redirects and pop-ups, and more and more frequently they are becoming harder problems to fix. Choice is yours though, of course.

    That is something to ask about in the software forum.

    Desktop.ini files are fine, they are showing because during our procedures hidden files and folders were set to show. This will reverse when you follow final steps. The files will disappear from your view.

    You are so welcome for the help, glad you're running nicely again. Final steps below...

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  17. TomLLLLL

    TomLLLLL Private E-2

    I went through your final instructions and updated my antivirus, everything is back to normal. Thanks again for all your help.
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Most welcome, Tom. ;) Safe surfing!
     
