Hijacked Browser's run all test

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by water101, Nov 16, 2014.

  1. water101

    water101 Private E-2

    I have tried everything I know to clean up this browser hijacker but no luck. I have run the test here is order and done my best to follow the rules. I have done other things as well including trying to manually remove all traces of conduit from my registry. Here are the test results I ran.
    My tds file was too large to upload

    Thanks for your help very frustrated now.
     

    Attached Files:

    water101, Nov 16, 2014
    #1
  2. water101

    water101 Private E-2

    Here is the TDS result zipped
     

    Attached Files:

    water101, Nov 16, 2014
    #2
  3. water101

    water101 Private E-2

    Sorry I probably should have explained the issue first. I am trying to fix my Sister computer. There are constant pop up. I now have them stopped on IE by setting the blocker to the highest level, but that is only a Band-Aid not a solution. I have run 3 virus scanner and multiple malware programs and nothing is getting rid of it. When I first got it there was an error on start up about a missing piece of conduit. I have removed all of conduit from the system and still no luck. I usually can get these things fixed quick but this one I think was going on for a while and it is embedded somewhere deep that I can not find. Any and all help will be greatly appreciated.

    Thanks
    Water
     
    water101, Nov 16, 2014
    #3
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun RogueKiller and have it remove these items:
    Code:
    ¤¤¤ Registry : 30 ¤¤¤
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23} -> Found
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52} -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-4026377226-2345802870-2634267205-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce | PennyBee : wscript /E:vbscript /B "C:\Users\Owner\AppData\Roaming\PennyBee\UpdateProc\bkup.dat"  -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-4026377226-2345802870-2634267205-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce | PennyBee : wscript /E:vbscript /B "C:\Users\Owner\AppData\Roaming\PennyBee\UpdateProc\bkup.dat"  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CodecDatabaseMemory.exe (C:\Users\Owner\AppData\Local\CodecDatabaseMemory\CodecDatabaseMemory.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ContextualODBCRuby.exe (C:\Users\Owner\AppData\Local\ContextualODBCRuby\ContextualODBCRuby.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DriverRepositoryScrolling.exe (C:\Users\Owner\AppData\Local\DriverRepositoryScrolling\DriverRepositoryScrolling.exe) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PennyBee (C:\Program Files (x86)\PennyBee\PennyBee.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CodecDatabaseMemory.exe (C:\Users\Owner\AppData\Local\CodecDatabaseMemory\CodecDatabaseMemory.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContextualODBCRuby.exe (C:\Users\Owner\AppData\Local\ContextualODBCRuby\ContextualODBCRuby.exe) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DriverRepositoryScrolling.exe (C:\Users\Owner\AppData\Local\DriverRepositoryScrolling\DriverRepositoryScrolling.exe) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PennyBee (C:\Program Files (x86)\PennyBee\PennyBee.exe) -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=6.4.1.14  -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=6.4.1.14  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-4026377226-2345802870-2634267205-500\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=6.4.1.14  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-4026377226-2345802870-2634267205-500\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=N360&pvid=6.4.1.14  -> Found


¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] PennyBee.job -- C:\Users\Owner\AppData\Roaming\PennyBee\UPDATE~1\UPDATE~1.EXE (/Check) -> Found
[Suspicious.Path] \\PennyBee -- C:\Users\Owner\AppData\Roaming\PennyBee\UPDATE~1\UPDATE~1.EXE (/Check) -> Found
    Now rerun Hitman and have it fix these items:
    Code:
    Malware remnants ____________________________________________________________

   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}\ (Jotzey)

Potential Unwanted Programs _________________________________________________

   HKU\S-1-5-21-4026377226-2345802870-2634267205-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com\ (ShopperPro)
    Please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next next reply.
    • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.


    Reboot and rescan with both RogueKiller and Hitman and attach the new logs.

    Also attach the log from ADW cleaner.

    Be sure to tell me how things are running.
     
    TimW, Nov 16, 2014
    #4
  5. water101

    water101 Private E-2

    I am doing those things now. Just a note the penny bee got in today but I took it out after those scan as you will see.

    Thanks
     
    water101, Nov 16, 2014
    #5
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Attach the logs when you are ready.
     
    TimW, Nov 16, 2014
    #6
  7. water101

    water101 Private E-2

    I think you got it which makes me very happy. I have lowered the pop up blocker to med on IE and no pop up's. Here are the reports and the only thing I still see if superfish.com if you can tell me which one to delete to get rid of and keep that off we might be just where we need to be.

    Thanks so much for the quick effective help.

    Water
     

    Attached Files:

    water101, Nov 16, 2014
    #7
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go ahead and delete what ADW found.

    Then rerun Hitman and have it fix this item;

    Potential Unwanted Programs _________________________________________________
    HKU\S-1-5-21-4026377226-2345802870-2634267205-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com\ (ShopperPro)

    Reboot and rescan with Hitman and attach the log.

    Again, tell me how things are running and if you have any further issues.
     
    TimW, Nov 16, 2014
    #8
  9. water101

    water101 Private E-2

    It is running really well now with no issues. Clean report from hitman.

    Thank you again for your help
    Water
     

    Attached Files:

    water101, Nov 16, 2014
    #9
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
    TimW, Nov 16, 2014
    #10

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds