Laptop May Well Be Infected Following E-Set Antivirus Program

Discussion in 'Malware Help (A Specialist Will Reply)' started by mondola, Jun 7, 2013.

  1. mondola

    mondola Specialist

    Hello there,

    Have a laptop from a friend of a friend that I have looked at. It had the E-Set antivirus program on there that I have managed to remove through the use of RKill and Malwarebytes.

    The laptop wouldn't boot because of the E-set Antivirus program and required a startup repair before it would even go into Safe Mode to allow removal of E-Set.

    I then set about applying Windows Updates, running scans, removing the McAfee expired subscription and placing on Comodo Firewall and AVG Free.

    Then I went about updating various programs to latest versions.

    I'm thinking it is now relatively clean as a result, but thought it prudent to check in here to be sure.

    I have followed the ReadMe and so attach the logs to this post.

    Thanks in advance...

    :)
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just want to clarify something for people reading this thread. E-Set's NOD32 antivirus program is a valid and good antivirus program. The one that happened to be on the PC in this thread was a fake version.



    Uninstall the below programs:
    BearShare
    iMesh
    MediaBar
    Search-Results Toolbar
    SearchCore for Browsers
    If you do not find them, or any of them will not uninstall, just keep on going.

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\ProgramData\3241f6
    C:\ProgramData\Browser Manager
    C:\ProgramData\iMesh
    C:\ProgramData\Wincert
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iMesh
    C:\Program Files (x86)\E-Set 2011
    C:\Users\james\AppData\Local\Temp\*.*
    C:\PROGRA~3\Wincert
    C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr
    C:\PROGRA~2\BEARSH~1
    C:\ProgramData\{7EAAFBB9-2051-44B5-A11D-DEE4D6CA7409}
    C:\Program Files (x86)\iMesh Applications
    C:\ProgramData\{309C802B-A076-4563-B164-B62C0C145153}
    C:\Program Files (x86)\BearShare Applications
    C:\PROGRA~2\IMESHA~1
    C:\Program Files (x86)\SearchCore for Browsers
    
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{503e067f-2914-4edd-8432-2d6c52635e23}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr]
    [-HKEY_USERS\S-1-5-21-2341397454-752539812-2154923971-1000\Software\DataMngr\]
    [-HKEY_USERS\S-1-5-21-2341397454-752539812-2154923971-1000\Software\DataMngr_Toolbar]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "DATAMNGR"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "DATAMNGR"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BearShare]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BearShare 2 MediaBar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5F624839-947D-46EA-BD63-FD847C1AC6F1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F624839-947D-46EA-BD63-FD847C1AC6F1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BearShare]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BearShare 2 MediaBar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\iMesh]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\iMesh 1 MediaBar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\imeshtoolbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SearchCore for Browsers]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8FB495A1-4A3F-4C1D-BD27-3F3AB2E66763}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iMesh]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iMesh 1 MediaBar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\imeshtoolbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Results Toolbar]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchCore for Browsers]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8FB495A1-4A3F-4C1D-BD27-3F3AB2E66763}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Search Results Toolbar]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right-click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
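    The OTM script in the post above is a plain-text list of actions, and it is worth reading such a script before pasting it into a tool that will move files and edit the registry. The parser below is an added example, not part of the thread or of OTM itself; it assumes the usual .reg-style meaning of the syntax seen above (a key in [brackets] selects it, a leading - inside the brackets deletes the key, "name"=- deletes a value, "name"="data" sets one) and uses a constructed excerpt of the script with a few of the thread's own paths.

```python
import re

# Constructed excerpt in the same format as the thread's OTM script
# (a handful of its entries, not the full script).
SAMPLE = r""":Processes
explorer.exe

:Files
C:\ProgramData\Wincert
C:\Program Files (x86)\E-Set 2011

:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"DATAMNGR"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""

def parse_otm(text):
    """Summarise what an OTM script would do, section by section.
    Assumed interpretation: [KEY] selects a key, [-KEY] deletes it,
    "name"=- deletes a value under the selected key, "name"="data" sets it."""
    plan = {"processes": [], "files": [], "keys_deleted": [],
            "values_set": [], "values_deleted": [], "commands": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):           # ":Files", ":Reg", ... start a section
            section = line[1:].lower()
            continue
        if section == "processes":
            plan["processes"].append(line)
        elif section == "files":
            plan["files"].append(line)     # paths to be moved out of the way
        elif section == "reg":
            if line.startswith("[-") and line.endswith("]"):
                plan["keys_deleted"].append(line[2:-1])
            elif line.startswith("[") and line.endswith("]"):
                key = line[1:-1]           # subsequent value lines apply here
            else:
                m = re.match(r'"([^"]+)"=(.*)$', line)
                if m and key:
                    name, data = m.groups()
                    if data == "-":
                        plan["values_deleted"].append((key, name))
                    else:
                        plan["values_set"].append((key, name, data.strip('"')))
        elif section == "commands":
            plan["commands"].append(line.strip("[]"))
    return plan
```

    Run over the full script from the post, the same function lists every Browser Helper Object, SearchScopes entry and Uninstall key it will delete, which is the quickest way to confirm it touches only the adware the logs identified.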
  3. mondola

    mondola Specialist

    Re: Laptop May Well Be Infected Following FAKE E-Set Antivirus Program

    Hello there,

    I must state, it was the fake E-Set NOD32 antivirus program that was problematic on the computer. Please feel free to change the subject to reflect this.

    I just wanted to state that I never responded after this post because the owner wanted the laptop back and was happy to use it as is, despite my advice to the contrary.

    :(

    I appreciate the help, as ever though, top notch!

    :cool
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Laptop May Well Be Infected Following FAKE E-Set Antivirus Program

    You're welcome.
    Bad choice. :(
     
