malware infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Skullduggery's Dupe, Oct 23, 2015.

  1. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    I've got a malware infection. At first, it hijacked my browser and wouldn't allow any input from me. But after running the scans, now I can't get online at all. The malware keeps putting up various splash screens, purporting to be different parties, such as Windows, my ISP, various antimalware applications, etc., and trying to lure me into clicking on their "offers". I've attached 5 scan logs, and I'll attach another 3 on the next post.
     

  2. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    OK, here are the rest of the logs.

    I ran TDSSKiller twice: once because I was told to do it early in the scanning protocol in order to fix browser and search engine redirection and hijacking, and another time because I was directed to do it as part of the sequence when all the scanning by the "powerful" tools was being done. The first time it produced 2 log files; I don't know why. The second time it found nothing, and it produced a single log file.
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What is this?

    C:\Users\Chris\AppData\Local\Birds\birds365.exe


    Uninstall the below: If they do not uninstall, note it down and let me know later, just continue on with other instructions.

    • InstantSupport
    • PCAcceleratePro
    • Pluto TV version 0.1.5
    • ScreenConnect Client (b862b1cc6657a9b9)
    • SwiftSearch 1.10.0.25


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\Run | Birds : C:\Users\Chris\AppData\Local\Birds\birds365.exe [-] -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\Run | Birds : C:\Users\Chris\AppData\Local\Birds\birds365.exe [-] -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CltMngSvc (C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FkaYGlYQ ("C:\ProgramData\NjsbYGgEb\FkaYGlYQ.exe") -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iroductuol (C:\Users\Chris\AppData\Local\sancan.exe upyatg iroductuol) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LMIRescue_79a63a7d-7553-4327-8c59-94d2e0082a4b ("C:\Users\Chris\AppData\Local\Temp\LMI8749.tmp\LMI_Rescue_srv.exe" -service -sid 79a63a7d-7553-4327-8c59-94d2e0082a4b) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service Mgr ResultsHub ("C:\ProgramData\3929cb63-cbbd-4b9c-8b92-a50fbd04e656\plugincontainer.exe") -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service Mgr SonicTrain ("C:\ProgramData\1a0254e4-d458-47fa-82a0-6940ee729f6c\plugincontainer.exe") -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Zitenop (C:\ProgramData\\Zitenop\\Zitenop.exe -f "C:\ProgramData\\Zitenop\\Zitenop.dat" -l -a) -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CltMngSvc (C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FkaYGlYQ ("C:\ProgramData\NjsbYGgEb\FkaYGlYQ.exe") -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iroductuol (C:\Users\Chris\AppData\Local\sancan.exe upyatg iroductuol) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMIRescue_79a63a7d-7553-4327-8c59-94d2e0082a4b ("C:\Users\Chris\AppData\Local\Temp\LMI8749.tmp\LMI_Rescue_srv.exe" -service -sid 79a63a7d-7553-4327-8c59-94d2e0082a4b) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Service Mgr ResultsHub ("C:\ProgramData\3929cb63-cbbd-4b9c-8b92-a50fbd04e656\plugincontainer.exe") -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Service Mgr SonicTrain ("C:\ProgramData\1a0254e4-d458-47fa-82a0-6940ee729f6c\plugincontainer.exe") -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Zitenop (C:\ProgramData\\Zitenop\\Zitenop.exe -f "C:\ProgramData\\Zitenop\\Zitenop.dat" -l -a) -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\CltMngSvc (C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\FkaYGlYQ ("C:\ProgramData\NjsbYGgEb\FkaYGlYQ.exe") -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\iroductuol (C:\Users\Chris\AppData\Local\sancan.exe upyatg iroductuol) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LMIRescue_79a63a7d-7553-4327-8c59-94d2e0082a4b ("C:\Users\Chris\AppData\Local\Temp\LMI8749.tmp\LMI_Rescue_srv.exe" -service -sid 79a63a7d-7553-4327-8c59-94d2e0082a4b) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Service Mgr ResultsHub ("C:\ProgramData\3929cb63-cbbd-4b9c-8b92-a50fbd04e656\plugincontainer.exe") -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Service Mgr SonicTrain ("C:\ProgramData\1a0254e4-d458-47fa-82a0-6940ee729f6c\plugincontainer.exe") -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Zitenop (C:\ProgramData\\Zitenop\\Zitenop.exe -f "C:\ProgramData\\Zitenop\\Zitenop.dat" -l -a) -> Found
    • [PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://searchinterneat-a.akamaihd.n...MB1tGRwMFIk0FA1ADB0VXfVBdFElXTwhxJUpNDU0CaUBB -> Found
    • [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://searchinterneat-a.akamaihd.n...MB1tGRwMFIk0FA1ADB0VXfVBdFElXTwhxJUpNDU0CaUBB -> Found
    • [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://searchinterneat-a.akamaihd.n...MB1tGRwMFIk0FA1ADB0VXfVBdFElXTwhxJUpNDU0CaUBB -> Found
    • [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    • [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    • [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    • [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for this item on the Tasks tab:

    • [Suspicious.Path] \Ofprevnufepik -- "C:\ProgramData\Ofprevnufepik\1.0.6.1\isniubla.exe" ("/e=L3A9MjEwODAxXi91PWU5ZjYxNWUzYmIzZDRiNjI4NTc4OTAwZWNiYWZkNjUxXi9kPXRyYWNrYnJlYWtpbmduZXdzLmNvbV4vbj1ORVdTXi9hPUJyZWFraW5nTmV3c0FsZXJ0Xi90") -> Found

    ...and same for this item on Web Browser tab:

    • [PUM.HomePage][FIREFX:Config] i6wqd9oq.default-1359751077217 : user_pref("browser.startup.homepage", "http://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggbJghcAAxJEhgadw5bTA0XQgMOeQEBAhQQEgQTdFsMB1tGRwMFIk0FA18DB0VXfWFoKB8fHGdGM0xUFUo5VFc="); -> Found

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :Files
    C:\Program Files\Dondox
    C:\Users\Chris\AppData\Local\sancan.exe.config
    C:\Windows\Temp\tmp5A60.tmp
    C:\ProgramData\Zitenop
    C:\Windows\Temp\tmpA0D1.tmp
    C:\Windows\Temp\tmpA7B4.tmp
    C:\Windows\Temp\Smartbar
    C:\Windows\Temp\tmpC15D.tmp
    C:\Windows\Temp\tmpC39F.tmp
    C:\Windows\Temp\tmpC593.tmp
    C:\ProgramData\Zitenop\Lamstatit.dll
    C:\Users\Chris\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_34CC30C32509C980EACCE843662C3E78
    C:\Users\Chris\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_34CC30C32509C980EACCE843662C3E78
    C:\Users\Chris\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC570EC0DE58335AFAF92FDC8E3AA330_12C06BF62124475DB8C7A3D85A83C400
    C:\Users\Chris\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC570EC0DE58335AFAF92FDC8E3AA330_12C06BF62124475DB8C7A3D85A83C400
    C:\Users\Chris\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0CCA7F4B3366C6FAA13012C139D5D8C6_D9C8FC868E948BB08F0B665EEA40BAE8
    C:\Users\Chris\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0CCA7F4B3366C6FAA13012C139D5D8C6_D9C8FC868E948BB08F0B665EEA40BAE8
    C:\Users\Chris\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0CCA7F4B3366C6FAA13012C139D5D8C6_DAEAF86395B03C877B932767EA6CCE14
    C:\Users\Chris\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0CCA7F4B3366C6FAA13012C139D5D8C6_DAEAF86395B03C877B932767EA6CCE14
    
    :reg
    [-HKLM\SYSTEM\CurrentControlSet\Services\Dondox]
    [-HKLM\SYSTEM\CurrentControlSet\Services\Zitenop]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Give CCleaner a run (not the reg scanner, just the cleaner itself to be rid of a chunk of temp files)


    Re-run Malwarebytes, let it remove anything it may find.

    Re-run RogueKiller and Hitman (just scans!) and attach logs.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
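The RogueKiller list in the post above is, in effect, a manual tour of the classic Windows persistence points: per-user Run keys, service ImagePaths launching from ProgramData/AppData/Temp, AppInit_DLLs (a DLL that gets loaded into every process that loads user32.dll), Internet Explorer Start Page/Search Page values, and a scheduled task. Two of the entries are also lightly obfuscated: the Search Page hostname is percent-encoded (%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D decodes to feed.sonic-search.com), and the task passes its real configuration as a base64 "/e=" argument. The following PowerShell script is an added example written for this page, not the helper's tool or anything from the thread: it audits those same locations read-only, flags anything launching from a user-writable directory, and decodes both obfuscated values. The function names, the regex of suspect launch locations, and the choice of `schtasks` over `Get-ScheduledTask` (which Windows 7 does not have) are the author's assumptions. The registry and task parts need an elevated Windows PowerShell prompt; the two decoder functions run anywhere.

```powershell
# Added example (not from the thread): read-only audit of the persistence
# points named in the RogueKiller list, plus decoders for the two obfuscated
# values. Run from an elevated Windows PowerShell prompt for the live audit.

# Launch locations that legitimate services and Run entries almost never use.
# Matching on path fragments rather than $env:* catches every user profile.
$SuspectPattern = '\\ProgramData\\|\\AppData\\(Local|LocalLow|Roaming)\\|\\Temp\\'

function Test-SuspectPath {
    param([string]$Command)
    return [bool]($Command -match $SuspectPattern)
}

# Percent-encoded hostnames (%66%65%65%64 = "feed") hide the domain from a
# casual read of the registry value and from naive string matching.
function Get-DecodedUrl {
    param([string]$Url)
    return [System.Uri]::UnescapeDataString($Url)
}

# The scheduled task's "/e=<base64>" argument carries its real configuration.
function Get-DecodedTaskArgument {
    param([string]$Arguments)
    if ($Arguments -match '/e=([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return '<not valid base64>' }
    }
    return $null
}

function Invoke-PersistenceAudit {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Services whose ImagePath launches from a user-writable directory.
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -Name ImagePath -ErrorAction SilentlyContinue |
        Where-Object { Test-SuspectPath $_.ImagePath } |
        ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'Service'; Name = $_.PSChildName; Value = $_.ImagePath }) }

    # 2. AppInit_DLLs in both the 64-bit and the Wow6432Node view. The value
    #    should be empty on a clean machine; RogueKiller showed a DLL in each.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $w = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if ($w -and -not [string]::IsNullOrWhiteSpace($w.AppInit_DLLs)) {
            $findings.Add([pscustomobject]@{ Type = 'AppInit_DLLs'; Name = $key;
                Value = "$($w.AppInit_DLLs) (LoadAppInit_DLLs=$($w.LoadAppInit_DLLs))" })
        }
    }

    # 3. Per-user Run keys and IE start/search pages for every loaded profile hive.
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }) {
        $run = Get-ItemProperty "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($p in $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
                if (Test-SuspectPath $p.Value) {
                    $findings.Add([pscustomobject]@{ Type = 'Run'; Name = "$($hive.PSChildName)\$($p.Name)"; Value = $p.Value })
                }
            }
        }
        $ie = Get-ItemProperty "$($hive.PSPath)\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        foreach ($name in 'Start Page', 'Search Page', 'Search Bar') {
            $v = $ie.$name
            # A value that changes when unescaped has a percent-encoded host: hijack indicator.
            if ($v -and (Get-DecodedUrl $v) -ne $v) {
                $findings.Add([pscustomobject]@{ Type = 'IE'; Name = "$($hive.PSChildName)\$name"; Value = (Get-DecodedUrl $v) })
            }
        }
    }

    # 4. Scheduled tasks. schtasks repeats its header row, hence the TaskName filter.
    schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and (Test-SuspectPath $_.'Task To Run') } |
        ForEach-Object {
            $decoded = Get-DecodedTaskArgument $_.'Task To Run'
            $findings.Add([pscustomobject]@{ Type = 'Task'; Name = $_.TaskName; Value = "$($_.'Task To Run')  [decoded: $decoded]" })
        }

    return $findings
}

# Offline demonstration on the two values quoted in the post above.
Get-DecodedUrl 'http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?q={searchTerms}'
# http://feed.sonic-search.com/?q={searchTerms}
Get-DecodedTaskArgument '"/e=L3A9MjEwODAxXi91PWU5ZjYxNWUzYmIzZDRiNjI4NTc4OTAwZWNiYWZkNjUxXi9kPXRyYWNrYnJlYWtpbmduZXdzLmNvbV4vbj1ORVdTXi9hPUJyZWFraW5nTmV3c0FsZXJ0Xi90"'
# /p=210801^/u=e9f615e3bb3d4b628578900ecbafd651^/d=trackbreakingnews.com^/n=NEWS^/a=BreakingNewsAlert^/t

# Live audit (elevated, Windows only):
# Invoke-PersistenceAudit | Format-Table -AutoSize -Wrap
```

The audit deliberately deletes nothing: on a hijacked machine the first job is to get a complete list, because the items are duplicated across CurrentControlSet, ControlSet001 and ControlSet002 and across the 32-bit and 64-bit registry views, and missing one copy is how the browser ends up hijacked again after the next reboot.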
     
  4. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    I don't know what birds365.exe is. I literally inherited the infected computer recently. There's an off chance it was put on the computer when I looked at a website about songbirds, but even if that was so, it would still be an underhanded thing for such a website to do, since I wasn't asked if I wanted to install it. Just give me the word, and I'll (attempt to) blow it away.

    (Don't get me wrong. The computer had no apparent malware on it when I inherited it. I got the infection when I tried to download Microsoft OneNote from a source I wasn't familiar with, so it's my own fault.)

    InstantSupport, PCAcceleratePro and Pluto TV apparently uninstalled without a problem.

    When I tried to uninstall ScreenConnect Client (b862b1cc6657a9b9), I got a message window from it that said that 2 applications had to be closed before uninstalling it: ScreenConnect Client and ScreenConnect Client (b862b1cc6657a9b9). I didn't want to click on anything in that window, so I went into Task Manager and forced an end-task of ScreenConnect Client (b862b1cc6657a9b9). At that point my screen went blank except for the desktop image. The ScreenConnect message window, the Programs and Features window, all the desktop icons, and even the Task Manager window were all gone. I had to manually push the physical button to reboot the computer. I tried it again with the same results.

    When I tried to uninstall SwiftSearch, I got a message window, purportedly from Windows, that said there was an error in the attempted uninstall, and that the program may have already been uninstalled, and did I want to remove the program name from the Programs and Features list. Not sure that this message window was really from Windows, I killed it in Task Manager.

    So ScreenConnect is still installed, and I'm guessing that SwiftSearch still is too.

    I'll do everything else that you told me to do, but I won't be able to get to it until tomorrow, and from the look of your list, it might be nightfall before I finish. I will of course immediately post the results of my labors.

    Not to start an immense discussion, but why do these criminals infect people's computers with malware? What do they stand to gain? Or is it purely just for the malicious joy of harming others? Or do they have some nefarious motive, like hijacking people's computers to use them to communicate covertly with other criminals, or digitally steal or launder money, or what? Just wondering.

    Oh, and is there some kind of organization that the public can join to aid the police in going after and catching these crooks?

    Thanks very much for your help.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No worries, take as long as you need to. We will no doubt have to do a 'couple of sweeps' before we get the system clean again. :)
     
  6. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Hi Kestrel13! -

    In order to thwart the malware's interference to begin the cleaning process, I had to reboot in Safe Mode. I then ran RogueKiller.

    In order to obtain a list of suspicious items RogueKiller actually found to compare to the list of items you wanted me to have RogueKiller delete, I clicked the Report button and selected the text option. I named the resulting text file RogueKiller report.txt and saved it to the desktop.

    You had told me to have RogueKiller delete 30 items from the registry.

    The suspicious items RogueKiller actually found in the registry were the following 34:

    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{42D79B50-CC4A-4A8E-860F-BE674AF053A2} -> Found
    [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\Run | Birds : C:\Users\Chris\AppData\Local\Birds\birds365.exe [-] -> Found
    [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\Run | Birds : C:\Users\Chris\AppData\Local\Birds\birds365.exe [-] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LMIRescue_79a63a7d-7553-4327-8c59-94d2e0082a4b ("C:\Users\Chris\AppData\Local\Temp\LMI8749.tmp\LMI_Rescue_srv.exe" -service -sid 79a63a7d-7553-4327-8c59-94d2e0082a4b) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Zitenop (C:\ProgramData\\Zitenop\\Zitenop.exe -f "C:\ProgramData\\Zitenop\\Zitenop.dat" -l -a) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMIRescue_79a63a7d-7553-4327-8c59-94d2e0082a4b ("C:\Users\Chris\AppData\Local\Temp\LMI8749.tmp\LMI_Rescue_srv.exe" -service -sid 79a63a7d-7553-4327-8c59-94d2e0082a4b) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Zitenop (C:\ProgramData\\Zitenop\\Zitenop.exe -f "C:\ProgramData\\Zitenop\\Zitenop.dat" -l -a) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LMIRescue_79a63a7d-7553-4327-8c59-94d2e0082a4b ("C:\Users\Chris\AppData\Local\Temp\LMI8749.tmp\LMI_Rescue_srv.exe" -service -sid 79a63a7d-7553-4327-8c59-94d2e0082a4b) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Zitenop (C:\ProgramData\\Zitenop\\Zitenop.exe -f "C:\ProgramData\\Zitenop\\Zitenop.dat" -l -a) -> Found
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/?pc=COSP&ptag=D102415-ABA01A7CCEB2146F8A7F&form=CONMHP&conlogo=CT3330961 -> Found
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/?pc=COSP&ptag=D102415-ABA01A7CCEB2146F8A7F&form=CONMHP&conlogo=CT3330961 -> Found
    [PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo.msn.com -> Found
    [PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo.msn.com -> Found
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo.msn.com -> Found
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo.msn.com -> Found
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo.msn.com -> Found
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo.msn.com -> Found
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : C:\ProgramData\Zitenop\Lamstatit.dll [-] -> Found
    [Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : C:\ProgramData\Zitenop\Tipdom.dll [-] -> Found
    [PUP] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC} | StubPath : "C:\Program Files (x86)\speed browser\Application\45.0.2453.0\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level [x][x][x][x] -> Found


    Comparing the two lists, I found the following 12 matches:

    [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\Run | Birds : C:\Users\Chris\AppData\Local\Birds\birds365.exe [-] -> Found

    [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\Run | Birds : C:\Users\Chris\AppData\Local\Birds\birds365.exe [-] -> Found

    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LMIRescue_79a63a7d-7553-4327-8c59-94d2e0082a4b ("C:\Users\Chris\AppData\Local\Temp\LMI8749.tmp\LMI_Rescue_srv.exe" -service -sid 79a63a7d-7553-4327-8c59-94d2e0082a4b) -> Found

    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMIRescue_79a63a7d-7553-4327-8c59-94d2e0082a4b ("C:\Users\Chris\AppData\Local\Temp\LMI8749.tmp\LMI_Rescue_srv.exe" -service -sid 79a63a7d-7553-4327-8c59-94d2e0082a4b) -> Found

    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LMIRescue_79a63a7d-7553-4327-8c59-94d2e0082a4b ("C:\Users\Chris\AppData\Local\Temp\LMI8749.tmp\LMI_Rescue_srv.exe" -service -sid 79a63a7d-7553-4327-8c59-94d2e0082a4b) -> Found

    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Zitenop (C:\ProgramData\\Zitenop\\Zitenop.exe -f "C:\ProgramData\\Zitenop\\Zitenop.dat" -l -a) -> Found

    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Zitenop (C:\ProgramData\\Zitenop\\Zitenop.exe -f "C:\ProgramData\\Zitenop\\Zitenop.dat" -l -a) -> Found

    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Zitenop (C:\ProgramData\\Zitenop\\Zitenop.exe -f "C:\ProgramData\\Zitenop\\Zitenop.dat" -l -a) -> Found


    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found

    The next one appears to be a duplicate of the preceding one.

    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found

    (end duplicate)

    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found

    The next one appears to be a duplicate of the preceding one.

    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found

    (end duplicate)


    The first eight I selected for deletion.

    The last four seem to correspond closely to four items in the RogueKiller onscreen scan result display which each have a "data" field of http://lenovo.msn.com (although Lenovo is not mentioned in RogueKiller report.txt). I note that under Start > Computer, in addition to Windows7_OS (C:) and CD Drive (E:), is a drive labeled Lenovo_Recovery (Q:), which was there prior to the appearance of the current malware infection and therefore seems to this layman to be innocent, but say the word and I'll (attempt to) delete these four items.

    I then clicked on the Delete button. Upon doing so, the eight selected items did not disappear from RogueKiller's scan result display. Thinking that the deletions might not take effect until rebooting, I continued following your instructions.

    RogueKiller had found no suspicious Tasks, so there were none to delete.

    For web browsers, you had wanted me to delete:

    • [PUM.HomePage][FIREFX:Config] i6wqd9oq.default-1359751077217 : user_pref("browser.startup.homepage", "http://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggbJghcAAxJEhgadw5bTA0XQgMOeQEBAhQQEgQTdFsMB1tGRwMFIk0FA18DB0VXfWFoKB8fHGdGM0xUFUo5VFc="); -> Found

    But the closest thing that RogueKiller found was:

    [PUM.HomePage][FIREFX:Config] i6wqd9oq.default-1359751077217 : user_pref("browser.startup.homepage", "http://www.bing.com/?pc=COSP&ptag=D102415-ABA01A7CCEB2146F8A7F&form=CONMHP&conlogo=CT3330961"); -> Not selected

    which I did not select for deletion pending your OK.

    IMPORTANT:
    After clicking on the Delete button, I did NOT find RogueKiller report file RKreport[2].txt on my desktop (or anywhere else on the infected computer). Is it possible I somehow accidentally deleted it by creating RogueKiller report.txt? Should I run RogueKiller again to try to obtain this file? I have not yet rebooted the machine, or for that matter, exited RogueKiller. For the moment, I have attached RogueKiller report.txt herewith.
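Three things in the scan output above deserve more than a checkbox. ConsentPromptBehaviorAdmin : 0 means UAC elevates administrators silently, with no prompt, which is exactly the setting a scam installer wants. AppInit_DLLs points at C:\ProgramData\Zitenop\Lamstatit.dll (64-bit view) and Tipdom.dll (32-bit view), so those DLLs are injected into every user-mode process that loads user32.dll, browsers included. And two of the services are remote-support agents: LMI_Rescue_srv.exe is the LogMeIn Rescue agent and ScreenConnect Client is a remote-control client; if neither was installed knowingly, someone else had remote control of the machine, and any passwords used on it should be changed from a clean device. The entries not disappearing after Delete is expected: a running service's registry key is only fully released at reboot. The script below is an added example written for this page, not RogueKiller's or OTM's own logic: it performs the same remediation as an idempotent function with -WhatIf support. The function name and the default lists of service names and DLL paths (taken from the scan output above) are the author's choices; the UAC value 5 is the Windows 7 default ("prompt for consent for non-Windows binaries").

```powershell
# Added example (not from the thread): remediation for the items RogueKiller
# flagged above, as one idempotent function. Dry-run with -WhatIf first.
# Run from an elevated Windows PowerShell prompt and reboot afterwards.

function Repair-HijackedSystem {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Service names quoted in the scan output above; override as needed.
        [string[]]$ServiceNames = @('Zitenop', 'FkaYGlYQ', 'iroductuol', 'CltMngSvc',
                                    'Service Mgr ResultsHub', 'Service Mgr SonicTrain',
                                    'LMIRescue_79a63a7d-7553-4327-8c59-94d2e0082a4b'),
        # The AppInit DLLs named in the scan; deleted only after the key is cleared.
        [string[]]$AppInitDlls = @('C:\ProgramData\Zitenop\Lamstatit.dll',
                                   'C:\ProgramData\Zitenop\Tipdom.dll')
    )

    # 1. Services: stop, then delete with sc.exe (Remove-Service needs PowerShell 6+).
    #    The key vanishes from the registry at the next reboot.
    foreach ($name in $ServiceNames) {
        if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) { continue }
        if ($PSCmdlet.ShouldProcess($name, 'Stop and delete service')) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            & sc.exe delete "$name" | Out-Null
        }
    }

    # 2. AppInit_DLLs: clear the list in both registry views and disable loading,
    #    then remove the DLL files themselves.
    $winKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($key in $winKeys) {
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Clear AppInit_DLLs')) {
            Set-ItemProperty -Path $key -Name AppInit_DLLs -Value ''
            Set-ItemProperty -Path $key -Name LoadAppInit_DLLs -Value 0 -Type DWord
        }
    }
    foreach ($dll in $AppInitDlls) {
        if ((Test-Path $dll) -and $PSCmdlet.ShouldProcess($dll, 'Delete DLL')) {
            Remove-Item -Path $dll -Force -ErrorAction SilentlyContinue
        }
    }

    # 3. UAC: ConsentPromptBehaviorAdmin=0 means administrators elevate silently;
    #    5 is the Windows 7 default (prompt for consent for non-Windows binaries).
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey
    if ($uac.ConsentPromptBehaviorAdmin -eq 0 -and $PSCmdlet.ShouldProcess($uacKey, 'Restore UAC prompt')) {
        Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    }

    # 4. IE start/search pages in every loaded user hive: neutral start page,
    #    hijacked search values removed so IE falls back to its defaults.
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }) {
        $main = "$($hive.PSPath)\Software\Microsoft\Internet Explorer\Main"
        if ((Test-Path $main) -and $PSCmdlet.ShouldProcess($main, 'Reset IE pages')) {
            Set-ItemProperty -Path $main -Name 'Start Page' -Value 'about:blank'
            foreach ($v in 'Search Page', 'Search Bar') {
                Remove-ItemProperty -Path $main -Name $v -ErrorAction SilentlyContinue
            }
        }
    }
}

# Dry run first, then for real, then reboot so the deleted services are released:
# Repair-HijackedSystem -WhatIf -Verbose
# Repair-HijackedSystem
# Restart-Computer
```

Clearing AppInit_DLLs before deleting the DLL files matters for the order of operations: while the value is set, every new process loads the DLL, so a file that is deleted first can still be sitting in memory in processes that were started before the cleanup.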
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you uninstall the software that I told you to?
    Just continue on with all the instructions in order, in safe mode if you need to.
    Attach all of the requested logs.
     
  8. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    InstantSupport, PCAcceleratePro and Pluto TV apparently uninstalled without a problem.

    When I tried to uninstall ScreenConnect Client (b862b1cc6657a9b9), I got a message window from it that said that 2 applications had to be closed before uninstalling it: ScreenConnect Client and ScreenConnect Client (b862b1cc6657a9b9). I didn't want to click on anything in that window, so I went into Task Manager and forced an end-task of ScreenConnect Client (b862b1cc6657a9b9). At that point my screen went blank except for the desktop image. The ScreenConnect message window, the Programs and Features window, all the desktop icons, and even the Task Manager window were all gone. I had to manually push the physical button to reboot the computer. I tried it again with the same results.

    When I tried to uninstall SwiftSearch, I got a message window, purportedly from Windows, that said there was an error in the attempted uninstall, and that the program may have already been uninstalled, and did I want to remove the program name from the Programs and Features list. Not sure that this message window was really from Windows, I killed it in Task Manager.

    So ScreenConnect is still installed, and I'm guessing that SwiftSearch still is too.

    Will do.
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ahh yes you did say this before. My apologies. :)
    Will see what the next steps are when you post logs.
     
  10. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    So I am to now exit RogueKiller, reboot, run OTM and proceed from there, right?
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Exactly right :)
     
  12. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    As requested, I ran (in order) OTM, CCleaner, Malwarebytes, RogueKiller, HitmanPro and MGtools. I've attached logs for all of these (except for CCleaner, which produced no log).

    The first time I attempted to run CCleaner (in this latest sequence, since your last post), it failed with one of those messages that said "such and such an application (CCleaner in this case) encountered a problem and has to close". I tried it again, and that time it ran fine.

    I rebooted in Normal Mode, and a dialog box came up whose "top bar" (what is that thing called?) said "Another instance is running" and the message in the main part of the box was "Object reference not set to an instance of an object".

    Also a Dashlane box came up. You know: "A secure place to keep all your passwords, get your free account"? Apparently the public accepts the concept, but the whole thing sounds very shady to me.

    After killing both of these in Task manager, I rebooted again, and CHKDSK (apparently authentic) ran, saying it was making corrections to indexes, and then bootup continued in Normal Mode.

    After that was done, I decided to play it as safe as possible, and rebooted again, this time in Safe Mode.

    I tried to access the internet, both via Internet Explorer and Firefox, immediately after running all the scans, and again after each time I rebooted, but each time got the "bad shortcut" error.

    So that's the situation at present.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good morning :)

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode. Any other mode is primarily used for troubleshooting and diagnostic purposes. You should look into some third party software to control start-ups.


    You need to attach the CORRECT log from running Malware Bytes last please.


    Did you install this yourself?

    • ScreenConnect Client (b862b1cc6657a9b9)



    Uninstall the below: (Using Revo Uninstaller)

    • Safer Browser
    • Safer Update Helper
    • Safer Updater
    • SwiftSearch 1.10.0.25



    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms}
    • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms}
    • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms}
    • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms}
    • O2 - BHO: Sonic Train - {0c3ddfb7-4cdb-495b-b3e9-d59725b43dfc} - C:\Program Files (x86)\Sonic Train\Extensions\0c3ddfb7-4cdb-495b-b3e9-d59725b43dfc.dll
    • O2 - BHO: Dashlane BHO - {42D79B50-CC4A-4A8E-860F-BE674AF053A2} - C:\Users\Chris\AppData\Roaming\Dashlane\ie\Dashlanei.dll
    • O2 - BHO: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
    • O3 - Toolbar: Dashlane Toolbar - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Users\Chris\AppData\Roaming\Dashlane\ie\KWIEBar.dll
    • O4 - HKLM\..\RunOnce: [OTM] "C:\Users\Chris\Desktop\OTM.exe"
    • O4 - HKCU\..\Run: [SaferAutoLaunch_7780959290BE074B866694A914ECE414] "C:\Program Files (x86)\Safer Technologies\Safer Browser\Application\safer.exe" --check-run=src=login --auto-launch-at-startup --profile-directory="Default"
    • O4 - HKCU\..\Run: [SaferBrowserIsDefault] "C:\Program Files (x86)\Safer Technologies\Safer Browser\Application\SaferBrowserProtector.exe" --force-protect
    • O4 - HKCU\..\Run: [Dashlane] "C:\Users\Chris\AppData\Roaming\Dashlane\Dashlane.exe" autoLaunchAtStartup
    • O21 - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
    • O22 - SharedTaskScheduler: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

    After clicking Fix exit HJT.



    http://img805.imageshack.us/img805/9659/rktigzy.gif Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    • [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Page : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    • [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    • [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_B2393LadXJcLO8bTUV5VdgJkAzflTANY6vkKfR1iXuu3BBYKXp7rH1xDUC8lyVraBf0y_7RSHoklJpi1RezUotxaXCIhbUnXoLGHsRyEIClndXqlqUKMnO__yqS1pJAnCXJGR6YmYHPcglR1OiRjnuSpY9tOD&q={searchTerms} -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : C:\ProgramData\Zitenop\Lamstatit.dll [x] -> Found
    • [PUP] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC} | StubPath : "C:\Program Files (x86)\speed browser\Application\45.0.2453.0\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level [x][x][x][x] -> Found
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Code:
    :Files
    C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Templates\27oi5fmq0646gst826j6215842gry7ay0d7ygdmh4
    C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Templates\4gkk871xgvvbhqwu4hiln243ix7t1
    C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Templates\6uyj426kwdunyfnb6mpkl565nf1i4
    C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Templates\d471nrg341682171o7514jak74y0q
    C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Templates\v446rrn327107725k8301srl75u8k
    C:\Users\Chris\Desktop\Dashlane.lnk
    C:\Users\Chris\Desktop\Safer Browser.lnk
    C:\Users\Chris\Desktop\Zeast_PC_Optimiser.lnk
    C:\ProgramData\Browser
    C:\ProgramData\Zitenops
    C:\Program Files (x86)\Dashlane
    C:\Program Files (x86)\PCAPDownloader
    C:\Program Files (x86)\Pluto TV
    C:\Program Files (x86)\SearchProtect
    C:\Program Files (x86)\speed browser
    C:\Windows\tasks\SaferBrowserProtectTask.job
    C:\Windows\tasks\SaferUpdateTaskMachineCore.job
    C:\Windows\tasks\SaferUpdateTaskMachineUA.job
    C:\Windows\system32\tasks\20e301b0
    C:\Windows\system32\tasks\22339fc0
    C:\Windows\system32\tasks\27e10198
    C:\Windows\system32\tasks\470956f8
    C:\Windows\system32\tasks\561c5738
    C:\Windows\system32\tasks\63257cd0
    C:\Windows\system32\tasks\81bd9280
    C:\Windows\system32\tasks\918f13f8
    C:\Windows\system32\tasks\b12892c8
    C:\Windows\system32\tasks\b270a090
    C:\Windows\system32\tasks\b9386188
    C:\Windows\system32\tasks\bade6298
    C:\Windows\system32\tasks\bb8f550
    C:\Windows\system32\tasks\c562f410
    C:\Windows\system32\tasks\d8903148
    C:\Windows\system32\tasks\e8469fa0
    C:\Windows\system32\tasks\Ofprevnufepik
    C:\Windows\system32\tasks\p523mfee
    C:\Windows\system32\tasks\PMTask
    C:\Windows\system32\tasks\SaferBrowserProtectTask
    C:\Windows\system32\tasks\SaferUpdateTaskMachineCore
    C:\Windows\system32\tasks\SaferUpdateTaskMachineUA
    C:\Windows\system32\tasks\SaferUpdateTaskSCUD
    C:\Windows\system32\tasks\SwiftSearch Auto Updater 1.10.0.25 Core
    C:\Windows\system32\tasks\SwiftSearch Auto Updater 1.10.0.25 Pending Update
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SaferAutoLaunch_7780959290BE074B866694A914ECE414"=-
    "SaferBrowserIsDefault"=-
    "Dashlane"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\RunOnce]
    "OTM"=-
    [HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "SaferAutoLaunch_7780959290BE074B866694A914ECE414"=-
    "SaferBrowserIsDefault"=-
    "Dashlane"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Safer Browser]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Safer Updater]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SwiftSearch_1.10.0.25]
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    See if you can get into normal mode now as opposed to safe mode for this part:

    Re run RogueKiller (just a scan only) and attach new log.
    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
     
    Last edited: Oct 28, 2015
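    The R1 lines and the matching [PUM.SearchPage] RogueKiller detections above carry a percent-encoded hostname, so the hijacker's domain is not obvious at a glance. As an added example (not part of the thread, and not code from HijackThis or RogueKiller), this Python script parses such lines, decodes the host, and groups the hijacked IE search values by domain; two sample lines are copied from the post above (with the long p= token shortened) and the "Start Page" line is a constructed benign entry for contrast.

```python
"""Decode percent-obfuscated search-hijack hosts from HijackThis R1 lines and
RogueKiller PUM.SearchPage detections.

Added example: not part of the thread and not code from HijackThis or
RogueKiller. Two sample lines are copied from the post above (the long p=
token is shortened); the "Start Page" line is a constructed benign entry.
"""
import re
from urllib.parse import unquote, urlsplit

# Any http(s) URL up to the first whitespace. RogueKiller's trailing
# "-> Found" is separated by a space, so it is not swallowed.
URL_RE = re.compile(r"https?://\S+")

# HijackThis:  R1 - <key>,<value name> = <url>
HJT_R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+?) = ")
# RogueKiller: [<tag>] (<arch>) <key> | <value name> : <url> -> Found
RK_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] \((?P<arch>X(?:86|64))\) (?P<key>.+?) \| (?P<value>[^:]+?) : "
)

SAMPLE_LINES = [
    # copied from the HijackThis list above (p= token shortened)
    r"• R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = "
    r"http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpY&q={searchTerms}",
    # copied from the RogueKiller list above (p= token shortened)
    r"• [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001"
    r"\Software\Microsoft\Internet Explorer\Main | Search Page : "
    r"http://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpY&q={searchTerms} -> Found",
    # constructed benign entry for contrast (not from the thread)
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/",
]


def analyze(line):
    """Describe one log line; return None when it carries no URL."""
    text = line.strip().lstrip("•").strip()   # drop the forum bullet
    url_m = URL_RE.search(text)
    if url_m is None:
        return None
    url = url_m.group(0)
    raw_host = urlsplit(url).hostname or ""    # urlsplit lowercases the host
    host = unquote(raw_host)                   # undo %XX encoding
    hjt, rk = HJT_R1_RE.match(text), RK_RE.match(text)
    meta = hjt or rk
    return {
        "source": "hijackthis" if hjt else "roguekiller" if rk else "unknown",
        "key": meta.group("key").strip() if meta else "",
        "value": meta.group("value").strip() if meta else "",
        "raw_host": raw_host,
        "host": host,
        "obfuscated": raw_host != host,        # any %XX in the host is a red flag
        "url": url,
    }


def summarize(lines):
    """Group the hijacked registry value names by decoded host."""
    by_host = {}
    for line in lines:
        info = analyze(line)
        if info is None:
            continue
        by_host.setdefault(info["host"], set()).add(info["value"])
    return {host: sorted(values) for host, values in by_host.items()}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = analyze(line)
        flag = "OBFUSCATED host" if info["obfuscated"] else "plain host"
        print(f"{info['source']:<11} {info['value']:<16} {info['host']}  ({flag})")
    for host, values in summarize(SAMPLE_LINES).items():
        print(f"{host}: hijacks {', '.join(values)}")
```

Running it shows that all four R1 values in the post point at the same decoded domain, which is the one name to look for across the RogueKiller and OTM output as well.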
  14. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    I don't know anything about MSConfig. A quick search on using it to start up in normal mode yielded nothing pertinent. Can you direct me to something to read about this?

    The existence of such software is news to me. Any suggestions on what I might use?

    Sorry, my mistake. Attached please find the correct log.

    No. I inherited this machine, so I know nothing about whatever it is, but as I mentioned above:

    I'm also guessing that ScreenConnect is malware.

    Safer Browser and Safer Updater were successfully uninstalled.

    Safer Update Helper wasn't found by Revo Uninstaller. Any comments or suggestions?

    Attempting to uninstall SwiftSearch generated the following warning:

    As I mentioned above:

    So now I'm unsure about whether SwiftSearch is indeed still installed. Should I assume it's gone and delete it from the Programs and Features list?

    I guess I should wait until I run MSConfig before continuing, right?
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Click start > type in msconfig > click on msconfig.exe > choose normal start up > click apply > click OK and exit. Reboot the machine and continue on with my instructions. If something does not uninstall just move on to the next step. :)

    The Malware Bytes log did not attach ;)
     
  16. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    It won't let me attach it again. I attached the most recent one,

    Malwarebytes 10-27-2015 log.txt

    yesterday at 18:13 EDT.

    Please let me know if for any reason you don't see it, and I'll rename it so I can attach it again.

    Meanwhile I will continue as you have instructed.
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run it again please! Attach the log whether or not it finds anything. :)
     
  18. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Here it is.
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, now continue on please.
     
  20. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    The following was all done running Windows in Normal Mode. Like before, the following dialog boxes appeared at bootup:

    RunDLL
    There was a problem starting C:\Users\Chris\AppData\Local\desex5.dll
    The specified module could not be found.

    RunDLL
    There was a problem starting C:\Users\Chris\AppData\Local\oceresox.dll
    C:\Users\Chris\AppData\Local\oceresox.dll is not a valid Win32 application.

    RunDLL
    There was a problem starting C:\ProgramData\mfpmINFO64.dll
    The specified module could not be found.

    Another instance is running
    Object reference not set to an instance of an object.

    Plus the Dashlane splash screen came up.

    I didn't want to click on any of them, just in case they were malware "imposters", so I killed them all in Task Manager.
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    First I ran analyze.exe (HijackThis). I wasn't asked to have it produce a log, but I did so anyway. It is attached herewith ("HijackThis.log").

    I had HijackThis delete everything I was asked to have it delete, except for the following two items, which weren't found:

    O4 - HKLM\..\RunOnce: [OTM] "C:\Users\Chris\Desktop\OTM.exe"
    O4 - HKCU\..\Run: [SaferAutoLaunch_7780959290BE074B866694A914ECE414] "C:\Program Files (x86)\Safer Technologies\Safer Browser\Application\safer.exe" --check-run=src=login --auto-launch-at-startup --profile-directory="Default"
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Then I ran RogueKiller. It found only two items that I was asked to have it delete. I had RogueKiller delete both of them:

    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs : C:\ProgramData\Zitenop\Lamstatit.dll [x] -> Found
    [PUP] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC} | StubPath : "C:\Program Files (x86)\speed browser\Application\45.0.2453.0\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level [x][x][x][x] -> Found

    AGAIN, RogueKiller did not produce a log automatically (am I doing something wrong?) so I did so manually, and it is attached herewith ("RKreport[2].txt").
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    I then ran OTM. The resultant log is attached herewith ("10302015_183541.log").
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    I then ran RogueKiller again. The resultant log is attached herewith ("RogueKiller log 10-31-2015.txt").
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    I then ran MGtools' GetLogs.bat. The resultant logs are attached herewith ("MGlogs.zip").
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    After doing all of the above and rebooting, the shortcuts to Internet Explorer and Firefox were gone, which is fine since they didn't point to valid targets anyway, but upon creating new, valid shortcuts, I still couldn't get online.
     

    Attached Files:

  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

    Note: Make sure you download the correct version for your PC. Only the correct version will work.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  22. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Here are the requested logs.

    What's happening right now is: on bootup in Normal Mode, in addition to the DLL warning dialog boxes, in Task Manager I'm seeing AMD and a couple other apps momentarily appear and then vanish before I can delete them, as if they're trying to do some dirty work before I can zap them.
     

    Attached Files:

  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.


    Download Fixlist.txt

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)

    Then attach the below logs:
    • Fixlog.txt
    Please attach the above log first before you continue with the below.
    Also at this point, I want to double check the status of things by having you run another scan with FRST like in my last message and attach the new FRST.txt and Addition.txt logs.

    ======================


    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.




    Also re run RogueKiller and attach that log, too.
    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
     

    Attached Files:

  24. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    >...disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network )

    It's wireless. I already didn't have internet access, and when I checked it in Control Panel > Network and Sharing Center, there was no connection (not even a disabled one), so I just left the connectivity alone.

    I ran FRST64.exe > Fix.

    >Your computer should reboot after the fix runs.

    It didn't reboot automatically, so I rebooted it. At that point, more of those "Another instance is running" / "Object reference not set to an instance of an object" dialog boxes appeared, which I killed in Task Manager.

    >Reconnect your internet connection after reboot so you can come back here to continue.

    At the moment, I'm getting back to MajorGeeks on my other computer, which has internet access. Should I try to set up a new wireless connection on the infected computer?

    >The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)

    It's attached herewith.

    Please attach the above log first before you continue with the below.
    Also at this point, I want to double check the status of things by having you run another scan with FRST like in my last message and attach the new FRST.txt and Addition.txt logs.

    ======================

    Done; please find the requested files attached herewith.
     

    Attached Files:

  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you do the regedit and the other steps below that step?
     
  26. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    No, I thought you wanted to review the last attached logs before I was to continue. I can do it right now if you want.
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes do continue on :)
     
  28. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Yes, the fixME.reg thing was successful. And here are the logs you requested.

    Should I try to set up a new network connection in Control Panel > Network and Sharing Center?
     

    Attached Files:

  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have attached a new fixlist. Follow the instructions in post #23 to run it again the same way as before. Attach the logs same as before.

    After we are done.
     

    Attached Files:

  30. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Have you already followed this fix? Let me know! I have included Dashlane in the fix, it's password management I presume you are using? :confused
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    New fixlist here - follow this one not the other one if you haven't already done so. :)
     

    Attached Files:

  32. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    OK, I'm back. Here's the new fixlog.txt. You didn't want me to run RogueKiller and MGtools again, did you? And no, I didn't install Dashlane, and I actually suspect it's part of the malware.
     

    Attached Files:

  33. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Follow my instructions in post #21 to run FRST again and produce the two logs. You can also re run RogueKiller and MGTools afterwards and attach logs from those too.
    Also let me know how things are running! :)

    Dashlane is a password manager which Syncs across PC, Mac, Android, iOS. It's legit.
     
  34. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Sorry, I thought I had sent the most recent fixlog.txt. Just to make absolutely sure I'm using the most recent fixlist.txt, could you please send it again? Thanks.
     
  35. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there :)

    You misunderstood, I just want you to do this again:
    • Double-click FRST to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  36. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Sorry, I confused the FRST.txt (scan log) with the fixlog.txt (fix log). Here's the latest FRST.txt. No Addition.txt was produced, of course, since a FRST scan was done previously.
     

    Attached Files:

  37. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem. How are things running currently?
     
  38. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    I don't think I've seen any ill effects since doing the fix with FRST, but I'll have to watch for that, especially on bootups. I still have no internet access since I don't have any network connections; should I try to create one now?

    I have to go out right now for about two hours, but I'll look to see if you replied when I get back.
     
  39. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes try to connect and let me know how it goes. I might have to head to bed soon though (late here in the UK) :)
     
  40. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    I've tried to reconnect to the internet, but I can't. The broadband connection is shown in Windows 7's Control Panel > Network and Sharing Center, but it's disconnected. When I try to reconnect it, I get Windows error 651. I tried 7 different possible fixes for this I found at

    http://www.geeksgyaan.com/2015/04/fix-error-651.html

    but none worked. Whether this was caused by the malware or is due to some kind of reconfiguration effected by the antimalware software, I don't know, but if you can help me with this, I'd really appreciate it.

    Incidentally, on bootup I'm still getting a single "instance" error dialog box.
     
  41. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want to test something.... uninstall the below software. It's legit of course but it may be stopping your internet from working somehow.
    • Web Companion


    Code:
    :Files
    C:\ProgramData\Lavasoft
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
    C:\Program Files (x86)\Lavasoft
    C:\Windows\SysNative\LavasoftTcpService64.dll
    C:\Windows\SysNative\LavasoftTcpServiceOff.ini
    C:\Windows\SysWOW64\LavasoftTcpService.dll
    C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini
    C:\Windows\TEMP\LavasoftTcpService.log
    C:\Windows\TEMP\LavasoftTcpServicer.log
    
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{acb418a1-1313-4656-8125-89ca90ae700f}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Web Companion"=-
    [HKEY_USERS\S-1-5-21-2459259446-2465209840-817950953-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "Web Companion"=-
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Even if it doesn't, reboot yourself.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Re run Malware Bytes and have it remove anything it finds. Attach log *if* it finds anything.


    Please download AdwCleaner by Xplode and save to your Desktop.

    • Double click on AdwCleaner.exe to run the tool.
    • Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.


    Are you able to connect to the internet now??
    I have something else to try if not in the next post.
     
  42. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    After the above, run TDSSKiller again and attach the fresh log.
     
  43. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    Trying to uninstall Web Companion without checking the boxes to restore previous homepage or browser yielded another "Another instance is running" / "Object reference not set to an instance of an object" error, and the progress bar on the uninstall only proceeded to about the 25% point.

    Killing the "instance" dialog box in Task Manager allowed the uninstall to proceed to completion.

    Ran OTM. Log is attached herewith.

    My Malwarebytes database is out of date. The infected machine doesn't have internet access, so I downloaded the most recent database to my uninfected machine, but when I copied it to the infected machine and clicked on it, I got an "Application not found" error on the infected machine, even though PepperZip 2.0 is showing in Windows 7's Control Panel > Programs and Features. Unzipping it on my uninfected machine yields just two files, mbam-rules.exe and mbam2-rules.exe. I can just copy these to the infected machine, but which one of these should I run, and from where, the desktop? Or should I just run Malwarebytes with the existing database (v2015.09.22.05)?
     

    Attached Files:

  44. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, that should be good enough for now. We'll get it to update afterwards.

    Then continue on with other instructions too :)
     
    Last edited: Nov 8, 2015
  45. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    OK, here are the requested logs.

    And no, I'm still not connected to the internet, and I'm still getting Windows error 651 when I try to create a broadband connection.
     

    Attached Files:

  46. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Have Adwcleaner remove everything except for the PepperZip entries.
    • Have Malware Bytes fix what it is finding, too.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, check to see if your internet is working.
     
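    The repair options listed above reset proxy settings, the Winsock catalog, the DNS cache and infection-set policies. The script below is an added example, not part of the thread or of the Windows Repair tool: a read-only audit of those same settings that can be run in an elevated PowerShell before and after the repair to confirm what changed (the registry paths and netsh commands are standard Windows 7 ones; the output headings are my own).

```powershell
# Added example (not from the thread): read-only audit of the settings that the
# "Repair Proxy Settings", "Repair Winsock & DNS Cache" and "Remove Policies Set
# By Infections" options touch. Run before and after Windows Repair and diff the
# output. Nothing here modifies the system.

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

Write-Host '== Per-user proxy settings (a hijacker often points these at itself) =='
Get-ItemProperty -Path $inet |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List

Write-Host '== System-wide WinHTTP proxy (used by Windows Update and services) =='
netsh winhttp show proxy

Write-Host '== Winsock catalog: every provider path should be a Microsoft DLL =='
netsh winsock show catalog | Select-String -Pattern 'Description|Provider Path'

Write-Host '== Policies that disable admin tools (set by some infections) =='
if (Test-Path $pol) {
    Get-ItemProperty -Path $pol |
        Select-Object DisableTaskMgr, DisableRegistryTools, DisableCMD | Format-List
} else {
    Write-Host 'No per-user System policy key present (normal on a home PC).'
}

Write-Host '== Hosts file: any non-comment line should be explainable =='
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

Write-Host '== Cached DNS names (first 20); unexpected domains here are a clue =='
ipconfig /displaydns | Select-String -Pattern 'Record Name' | Select-Object -First 20
```

Save the two runs to text files (e.g. with `> before.txt` and `> after.txt`) and compare them with `Compare-Object (Get-Content before.txt) (Get-Content after.txt)` to see exactly which entries the repair reset.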
  47. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    How? With the Cleaning button or the Uninstall button? Incidentally, none of the things that show in the log file show in the Results part of Adwcleaner.

    I did. I already attached "pre-zap" and "post-zap" logs.

    My zip utility (PepperZip) on the infected computer is giving the "Application not found" error, but I did it manually.
     
  48. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Cleaning button.

    You have to switch to different tabs, file, folder, registry etc.... you can uncheck the pepperzip entries. :)

    So you did, my apologies! ;)

    And did Windows Repair actually get run yet?
     
  49. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you give me the exact word for word error? Is there more or is that all it says? :confused
     
  50. Skullduggery's Dupe

    Skullduggery's Dupe Master Sergeant

    There are some IonicZip entries too (although I don't know what they are and I don't see it in Control Panel > Programs and Features).

    PepperZip already doesn't work. Maybe I should let it delete everything, and then install a new (free) zip utility. Any you'd like to recommend?

    No, I'll do it as soon as you advise me about deleting PepperZip and/or IonicZip.

    Control Panel Network and Sharing Center > Set up a new connection or network > Connect to the Internet > create a new connection >

    Broadband Connection > Connect

    Connecting through WAN Miniport (PPPOE)...

    Connection failed with error 651
    The modem (or other connecting device) has reported an error.
     
