Logs Attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by indyattic, Jul 26, 2013.

  1. indyattic

    indyattic Corporal

    My kids downloaded something on my brand new laptop (grrr!) and I can't figure out what they did.

    My issues weren't glaringly obvious, but Norton was telling me it was isolating a file. At the top of Firefox, where a toolbar would likely install, I was seeing something blocked by Flashblock. My "search from the address bar" has been changed to basicserve.com.

    I uninstalled several things, like a PC speed booster, a video viewer and something to do with lyrics, then rebooted. I still had the flash in browser, so I ran the steps.

    The Flash in the browser seems to be gone, but I am still getting an occasional pop-up from Malware bytes warning me that it is blocking access to a malicious site.

    And I haven't fixed the redirect in my search.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun RogueKiller and have it fix these items:
    Code:
    [RUN][SUSP PATH] HKCU\[...]\Run : Pokki ("%LOCALAPPDATA%\Pokki\Engine\pokki.exe" [7]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-2948223750-2544722546-3769388776-1001\[...]\Run : Pokki ("%LOCALAPPDATA%\Pokki\Engine\pokki.exe" [7]) -> FOUND
    Download OTL to your desktop.

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :otl
    O4 - HKCU\..\Run: [Pokki] "%LOCALAPPDATA%\Pokki\Engine\pokki.exe"
    O4 - HKUS\S-1-5-21-2948223750-2544722546-3769388776-1004\..\Run: [Pokki] "%LOCALAPPDATA%\Pokki\Engine\pokki.exe" (User 'drewc_000')
    :files
    C:\ProgramData\BasicServe
    C:\Program Files (x86)\BasicServe
    C:\Users\Mom\AppData\Local\Temp\*.*
    C:\Users\Mom\AppData\Local\Pokki
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Pokki"=-
    "uTorrent"=-
    
    [HKEY_USERS\S-1-5-21-2948223750-2544722546-3769388776-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "Pokki"=-
    "uTorrent"=-
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EDACEB17-FB71-4B3E-95D1-19F274479EFF}]
    
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.


    Reboot and rescan with RogueKiller and attach that new log as well.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
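    The RogueKiller lines TimW quotes are [RUN][SUSP PATH] hits: Run-key autostarts whose target lives under a user profile (%LOCALAPPDATA%). The PowerShell below is an added example, not from the thread or from RogueKiller, that audits the same HKCU and HKEY_USERS Run keys and flags entries pointing into profile directories; the "suspicious root" list is a constructed heuristic, and the script assumes it is run from an elevated prompt so other loaded user hives are readable.

    ```powershell
    # Added example: list per-user Run autostarts and flag targets under profile folders,
    # mirroring the [RUN][SUSP PATH] findings shown in the thread. Heuristic is constructed here.
    $suspiciousRoots = @(
        [regex]::Escape($env:LOCALAPPDATA),
        [regex]::Escape($env:APPDATA),
        '%LOCALAPPDATA%', '%APPDATA%', '%TEMP%'
    )
    $pattern = ($suspiciousRoots -join '|')

    function Get-RunEntries {
        param([string]$KeyPath)   # e.g. 'Registry::HKEY_USERS\S-1-5-21-...\Software\...\Run'
        if (-not (Test-Path $KeyPath)) { return }
        $key = Get-Item $KeyPath
        foreach ($name in $key.GetValueNames()) {
            # DoNotExpandEnvironmentNames keeps the raw "%LOCALAPPDATA%\..." form RogueKiller printed
            $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Hive       = $KeyPath
                Name       = $name
                Command    = $raw
                Suspicious = [bool]($raw -match $pattern)
            }
        }
    }

    $runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
    $paths = @("HKCU:\$runSubKey")
    # Every loaded account hive under HKEY_USERS (S-1-5-21-* SIDs), skipping the *_Classes hives
    $paths += Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$runSubKey" }

    $entries = $paths | ForEach-Object { Get-RunEntries -KeyPath $_ }
    $entries | Format-Table -AutoSize

    # Flagged entries get the treatment Pokki got above: identify the program first,
    # uninstall it, then confirm the Run value is gone (or remove it) and rescan.
    $entries | Where-Object Suspicious | ForEach-Object {
        Write-Warning ("[RUN][SUSP PATH] {0} : {1} ({2})" -f $_.Hive, $_.Name, $_.Command)
    }
    ```

    A profile-path autostart is not malicious by itself (Pokki shipped with this machine), so the output is a review list, and Run keys are only one of several autostart locations a full scanner such as RogueKiller covers.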
  3. indyattic

    indyattic Corporal

    So far so good. Pokki came with the computer, it's a freeware thing to give Windows 8 a Start button. When running RogueKiller the second time, I hit "Delete" before I noticed that there were some fix options! So I deleted the things you said to fix. :-o

    And I'm not used to this touchpad yet, so I hit enter before I meant to. Hence the edit.

    Things seem to be better - no longer getting the Warnings. The search is still misdirected, but that's an easy fix.
     

    Attached Files:

  4. indyattic

    indyattic Corporal

    Actually, the search redirect isn't as simple to fix as I thought it would be, so any suggestions for that would be most appreciated.

    I went into Firefox, typed about:config into the search bar, keyword.url in the search, then reset. It was Yahoo the first time I tried it, but now it's back to something that doesn't even work, at least with Open DNS.
     
  5. indyattic

    indyattic Corporal

    Follow up, I poked around with it a little bit, and found an Add-on in Firefox called "BasicServe" that seems to be related. There is no option to remove it, so I disabled it. Now sometimes the search works right (ie: the Yahoo default) and sometimes it tries to connect to BasicServe.com, which is a parked domain, at least on the surface. I went into Firefox about:config and searched BasicServe, but got no matches.

    I also went into Firefox Troubleshooting and reset it, but that didn't remove it either.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We are going to be uninstalling your old version of FireFox and installing the new version. Except we will be using Revo Uninstaller. So do the below to save bookmarks:


    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.
    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.

    After reboot, delete the below folders:

    • C:\Program Files\Mozilla Firefox
    • C:\users\UserAccount\AppData\Roaming\Mozilla\Firefox

    where UserAccount is the actual user account name being used.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).

    Any better?
     
  7. indyattic

    indyattic Corporal

    Yes, that seemed to do it. Thanks sooo much!

    I am a little confused though. My Firefox was 22, which is the current release, but you had me install 16. I am fine with that, but I turned off updates. Is that the right thing to do?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just go ahead and update Firefox.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).

      • Click START then RUN and enter the below into the run box and then click OK.
        Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Win8, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:



    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
