Help Removing Malware (was Sent Here From Other Forum)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Atomysk, Jan 9, 2017.

  1. Atomysk

    Atomysk Private E-2

    Hi there. I downloaded a torrent earlier tonight that basically was chock full of all sorts of nasty stuff that let loose on my computer. I seem to have gotten most of the viruses cleaned up but a few still remain and I'm not sure how to remove them.

    The 1st is a virus that is called "The Smart Search". It hijacks my browsers and makes it so I can't use Google or connect to certain sites. I have Malwarebytes and a few other programs such as Cloud System Booster, both of which don't do anything to detect or get rid of this fake search engine.

    The other virus is something Malwarebytes is blocking every second. Once every second or two the little dialog box pops up saying that Malwarebytes has blocked a site. It gives me the IP address, the port, the type (which is outbound) and also the file, which says C:\Program Files (x86)\Waifs\dances.exe; another variation is, instead of Waifs\dances.exe, Adv\dances.exe. I also noticed that my CPU usage is fluctuating from around 2% to 40% every few seconds, and in my Task Manager there is a process called "ping" which is using my CPU power and seems to be related to the dances.exe.

    Any help is much appreciated. I haven't come across something this resilient in a long while and I'm at a loss as to how to continue.
     


  2. Atomysk

    Atomysk Private E-2

    Here is the RogueKiller txt.
     

  3. Atomysk

    Atomysk Private E-2

    Well, it seems that this dances.exe is being picked up by RogueKiller, but trying to remove it with the program was unsuccessful.
     
  4. Atomysk

    Atomysk Private E-2

    Here is the HitmanPro txt log.
     


  5. Atomysk

    Atomysk Private E-2

    Here is the MGtools log.
     


  6. Atomysk

    Atomysk Private E-2

    Just a quick update. After running all the programs I'm still dealing with the same problems I posted about.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    IMPORTANT: Don't use/click on any of the shortcut links that you have for any programs, including your browsers. ( For example with Firefox, do not use the shortcut on your Desktop or any quick launch. You need to directly navigate to C:\Program Files (x86)\Mozilla Firefox\firefox.exe and run it. ) All of your lnk ( link ) files are infected and will have to be deleted. You will need to recreate new shortcuts later, after your infection is cleaned up. It may take a number of iterations to get all of this due to the sheer amount of infected files/programs you managed to install! Hope you have learned that you need to be a lot more careful with torrents!

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [suspenders] "C:\Program Files (x86)\Adv\dances.exe"
    O4 - HKCU\..\Run: [gds] "C:\Program Files (x86)\fibroid\gds.exe"
    O4 - HKCU\..\Run: [cavern] "C:\Program Files (x86)\porn\adament.exe"
    O4 - HKCU\..\Run: [concer] "C:\Program Files (x86)\fibroid\bong.exe"
    O4 - HKCU\..\Run: [famously] "C:\Program Files (x86)\Disgusting\aerobatic.exe"

    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    • Make sure that you scroll all the way to the bottom of the code box to get the whole fix!
    Code:
    :Processes
    explorer.exe
    
     
    :Files
    C:\Program Files (x86)\Adv
    C:\Program Files (x86)\fibroid
    C:\Program Files (x86)\porn
    C:\Program Files (x86)\Disgusting
    C:\Program Files (x86)\schriber
    C:\Program Files (x86)\toward
    C:\Program Files (x86)\Waifs
    C:\Users\Galewinds\AppData\Local\dances.exe
    C:\Users\Galewinds\AppData\Local\remedial.exe
    C:\Users\Galewinds\AppData\Local\run.txt
    C:\Users\Galewinds\AppData\Local\setupsuccessful.txt
    C:\Users\Galewinds\AppData\Local\stxtname.txt
    C:\Users\Galewinds\AppData\Roaming\34alz
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\G??kBuddy.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.rehcnual.bat
    C:\Users\Public\Desktop\G??kBuddy.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.rehcnual.bat
    C:\Users\Public\Desktop\G??gl? Chr?m?.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.emorhc.bat
    C:\Users\Public\Desktop\W?bDis?over ?r?ws?r.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.resworb.bat
    C:\Users\Public\Desktop\?ozilla Fir?f?x.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.xoferif.bat
    C:\Users\Galewinds\Desktop\?hr?me ??p Laun?her.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.emorhc.bat
    C:\Users\Galewinds\AppData\Local\Temp\*.*
    C:\Users\Galewinds\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Int?rn?t Ex?lor?r.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.erolpxei.bat
    C:\Users\Galewinds\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\?hr?m? ?p? Launch?r.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.emorhc.bat
    C:\Users\Galewinds\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gle ?hr?m?.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.emorhc.bat
    C:\Users\Galewinds\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\b15f30ab853b7d31\Di?blo III.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.rehcnual iii olbaid.bat
    C:\Users\Galewinds\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\?ozilla Fir?f?x.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.xoferif.bat
    C:\Users\Galewinds\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zilla Fir?f??.lnk
    C:\Users\Galewinds\AppData\Roaming\Browsers\exe.xoferif.bat
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "suspenders"=-
    "gds"=-
    "cavern"=-
    "concer"=-
    "famously"=-
    
    [-HKEY_USERS\RK_PlanetaryVagabond_ON_E_C331\Software\AppDataLow\Software\bflixtoolbar]
    [-HKEY_USERS\RK_PlanetaryVagabond_ON_E_C331\Software\AppDataLow\Software\Crossrider]
    [-HKEY_USERS\RK_PlanetaryVagabond_ON_E_C331\Software\AppDataLow\Software\Freecause]
    [-HKEY_USERS\RK_PlanetaryVagabond_ON_E_C331\Software\AppDataLow\Software\Search Protection]
    [-HKEY_USERS\RK_PlanetaryVagabond_ON_E_C331\Software\AppDataLow\Software\bflixtoolbar]
    [-HKEY_USERS\RK_PlanetaryVagabond_ON_E_C331\Software\AppDataLow\Software\Crossrider]
    [-HKEY_USERS\RK_PlanetaryVagabond_ON_E_C331\Software\AppDataLow\Software\Freecause]
    [-HKEY_USERS\RK_PlanetaryVagabond_ON_E_C331\Software\AppDataLow\Software\Search Protection]
    [-HKEY_USERS\RK_PlanetaryVagabond_ON_E_C331\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
    [-HKEY_USERS\RK_PlanetaryVagabond_ON_E_C331\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now rerun Hitman Pro and activate the free 30 day trial license and then use it to delete all the malware it is reporting. Then immediately reboot your PC.

    After reboot, run a new scan with Hitman Pro and save a new log to attach down below.

    Also run a new scan with RogueKiller and save a new log to attach.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7, Win8 or Win10, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the new Hitman Pro log
    • the new RogueKiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
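    A read-only PowerShell triage script for the two persistence spots this post deals with (hijacked .lnk shortcuts that point at .bat launchers under AppData\Roaming\Browsers, and the HKCU Run entries behind the O4 lines), added here as an example and not part of chaslang's instructions or of any tool named in the thread; it assumes a standard Windows profile layout and an elevated PowerShell prompt, and it deletes nothing.

```powershell
# Added example, not chaslang's or OTM's code: a read-only triage script for
# the two persistence spots this infection used, hijacked .lnk shortcuts and
# HKCU Run entries. It flags entries for review and deletes nothing.
$shell = New-Object -ComObject WScript.Shell
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonPrograms'),
    [Environment]::GetFolderPath('CommonStartup'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)

"== Shortcuts whose target or name looks hijacked =="
Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $why = @()
        # A real browser shortcut points at the .exe; the hijack points at a .bat launcher.
        if ($lnk.TargetPath -match '\.(bat|cmd)$') { $why += 'bat/cmd target' }
        # Launchers parked under %APPDATA% (e.g. ...\Roaming\Browsers\) are not where browsers live.
        if ($lnk.TargetPath -like "$env:APPDATA\*") { $why += 'target under AppData\Roaming' }
        # Lookalike names such as "G??gle ?hr?m?" use non-ASCII stand-ins for ordinary letters.
        if ($_.Name -match '[^\x00-\x7F]') { $why += 'non-ASCII characters in name' }
        if ($why) {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Why = ($why -join '; ') }
        }
    } | Format-Table -AutoSize -Wrap

"== HKCU Run entries (the O4 lines HijackThis lists) =="
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
(Get-ItemProperty -Path $run).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object {
        # Reduce "C:\path\x.exe" args or C:\path\x.exe args to the executable path.
        $exe = $_.Value -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
        # Fall back to the raw value for unquoted paths that contain spaces.
        if ($exe -and -not (Test-Path -LiteralPath $exe)) { $exe = $_.Value }
        # Unsigned or missing binaries under random folder names deserve a closer look.
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'file missing' }
        [pscustomobject]@{ Name = $_.Name; Command = $_.Value; Signature = $sig }
    } | Format-Table -AutoSize -Wrap
```

Entries flagged here are candidates for the HijackThis and OTM steps above, not automatic removals; compare them against the lines the logs show before acting on them.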
     
  8. Atomysk

    Atomysk Private E-2

    Thank you for the reply. I will update as soon as I get a chance to do what you listed.
     
  9. Atomysk

    Atomysk Private E-2

    Everything seems ok now. Your instructions were very clear and this was way easier than I thought it was going to be. Thank you so much for the help. Let me know if I need to upload anything else. I will give it about 24 hours and make one more update.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs look good now.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    3. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    4. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    5. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    6. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • For Windows 8 and 8.1 system restore see this link: Win 8 System Restore - How to enable/disable
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    7. After doing the above, you should work thru the below link:
     
