Malware Intrusion - Help Needed

Discussion in 'Malware Help (A Specialist Will Reply)' started by jallenaz, Dec 1, 2015.

  1. jallenaz

    jallenaz Private E-2

    Hello,

    I believe I still have some malware in my computer. The log files are attached from using the malware removal thread. When I ran Hitman it said it did not find anything, so I didn't save that log.

    Right now I keep getting a message that my virus protection is not running. In the Security and Maintenance panel I have tried to turn it on, but it stays off. There is a window that flashes up in the upper right side of the monitor, but it is just a flash. We're not sure what that is.

    Please let me know if I need to do anything else, if someone would look through my log files. You are all the best at fixing these things.

    Thank you,

    Jim
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

I am not finding any malware in your logs. I will probably send you to software and suggest you try uninstalling and running CCleaner then try reinstalling after a reboot.

    In the meantime, rerun RogueKiller and remove these items:
    ¤¤¤ Files : 8 ¤¤¤
    [PUP][Folder] C:\ProgramData\{18165758-115C-4DC0-9EC2-FF89F725767F} -> Found
    [PUP][Folder] C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0} -> Found
    [PUP][Folder] C:\Program Files (x86)\Conduit -> Found
    [PUP][Folder] C:\Program Files (x86)\Consumer Input -> Found
    [PUP][Folder] C:\Program Files (x86)\Mobogenie -> Found
    [PUP][Folder] C:\Program Files (x86)\OLBPre -> Found
    [PUP][Folder] C:\Program Files (x86)\TweakBit -> Found
    [PUP][Folder] C:\Program Files (x86)\Uninstaller -> Found

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Processes
    
    :files
    C:\Program Files (x86)\Online Services\Ask_icon\ask.ico
    C:\WINDOWS\TEMP\*.*
    C:\Users\Jim\AppData\Local\Temp\*.*
    
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A1C00F3B-334A-480A-ACB8-20CF15AB612B}]
    
    :Commands
    [purity]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button shown at http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    After a reboot, rescan with RogueKiller and attach that new log as well.
     
  3. jallenaz

    jallenaz Private E-2

    Tim,

    Thanks for your help. I will probably be away from here until tomorrow.

    ========== PROCESSES ==========
    ========== FILES ==========
    File/Folder C:\Program Files (x86)\Online Services\Ask_icon\ask.ico not found.
    File move failed. C:\WINDOWS\TEMP\adobegc.log scheduled to be moved on reboot.
    C:\WINDOWS\TEMP\mavcperf-setup.log moved successfully.
    C:\WINDOWS\TEMP\MpCmdRun.log moved successfully.
    DllUnregisterServer procedure not found in C:\Users\Jim\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpgt3zy4.dll
    DllUnregisterServer procedure not found in C:\Users\Jim\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll
    C:\Users\Jim\AppData\Local\Temp\adobegc.log moved successfully.
    C:\Users\Jim\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpgt3zy4.dll moved successfully.
    File move failed. C:\Users\Jim\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpgt3zy4.lck scheduled to be moved on reboot.
    File move failed. C:\Users\Jim\AppData\Local\Temp\etilqs_kiNduV0rdVC9VeQ scheduled to be moved on reboot.
    File move failed. C:\Users\Jim\AppData\Local\Temp\etilqs_nv13948TlHecVIn scheduled to be moved on reboot.
    C:\Users\Jim\AppData\Local\Temp\h5520Sh04w@B14Y8.tmp.dat moved successfully.
    C:\Users\Jim\AppData\Local\Temp\LuUpdater.log moved successfully.
    C:\Users\Jim\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll moved successfully.
    C:\Users\Jim\AppData\Local\Temp\vv4MXMZX1IKm5x)e.tmp.dat moved successfully.
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827}\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827}\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A1C00F3B-334A-480A-ACB8-20CF15AB612B}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1C00F3B-334A-480A-ACB8-20CF15AB612B}\ not found.
    ========== COMMANDS ==========
    OTM by OldTimer - Version 3.1.21.0 log created on 12012015_203012
     

    Attached Files:
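The OTM script Tim posted (sections `:Processes`, `:files`, `:reg`, `:Commands`) and the results log Jim pasted back use a simple line-oriented format, and the useful question after a run is whether each requested removal actually happened, is waiting on the reboot, or was never reported. The following is an added example, not code from the thread or from OTM itself; it parses both formats and reconciles them. The sample script and log are constructed, shortened copies of the material above, and the status names (`done`, `pending_reboot`, `not_found`, `unreported`) are this example's own.

```python
import fnmatch
import re

# Constructed sample OTM script in the section format used in the thread
# (':files' lists paths or wildcards to move, ':reg' lists '[-KEY]' deletions).
SAMPLE_SCRIPT = r""":Processes

:files
C:\Program Files (x86)\Online Services\Ask_icon\ask.ico
C:\WINDOWS\TEMP\*.*

:reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A1C00F3B-334A-480A-ACB8-20CF15AB612B}]

:Commands
[purity]
[Reboot]
"""

# Constructed sample results log, a shortened copy of the output format posted above.
SAMPLE_LOG = r"""========== PROCESSES ==========
========== FILES ==========
File/Folder C:\Program Files (x86)\Online Services\Ask_icon\ask.ico not found.
File move failed. C:\WINDOWS\TEMP\adobegc.log scheduled to be moved on reboot.
C:\WINDOWS\TEMP\mavcperf-setup.log moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A1C00F3B-334A-480A-ACB8-20CF15AB612B}\ deleted successfully.
========== COMMANDS ==========
OTM by OldTimer - Version 3.1.21.0 log created on 12012015_203012
"""


def parse_otm_script(text):
    """Split an OTM script into {section_name_lowercase: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


# One pattern per result-line shape seen in the thread's results log.
LOG_PATTERNS = [
    ("not_found", re.compile(r"^File/Folder (.+) not found\.$")),
    ("pending_reboot", re.compile(r"^File move failed\. (.+) scheduled to be moved on reboot\.$")),
    ("moved", re.compile(r"^(.+) moved successfully\.$")),
    ("unregister_failed", re.compile(r"^DllUnregisterServer procedure not found in (.+)$")),
    ("deleted", re.compile(r"^Registry key (.+?)\\? deleted successfully\.$")),
    ("not_found", re.compile(r"^Registry key (.+?)\\? not found\.$")),
]


def parse_otm_log(text):
    """Return a list of (section, status, target) tuples from an OTM results log."""
    results, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^=+ (\w+) =+$", line)
        if header:
            section = header.group(1)
            continue
        for status, pattern in LOG_PATTERNS:
            m = pattern.match(line)
            if m:
                results.append((section, status, m.group(1)))
                break
    return results


def _bucket(outcome, wanted, hits):
    """Place one requested item into exactly one outcome bucket."""
    statuses = {s for s, _ in hits}
    if not hits:
        outcome["unreported"].append(wanted)      # script asked, log never mentioned it
    elif "pending_reboot" in statuses:
        outcome["pending_reboot"].append(wanted)  # any locked file keeps the whole entry pending
    elif statuses <= {"not_found"}:
        outcome["not_found"].append(wanted)
    else:
        outcome["done"].append(wanted)


def reconcile(script, results):
    """Match each :files / :reg request to its log outcome (case-insensitive, wildcard-aware)."""
    outcome = {"done": [], "pending_reboot": [], "not_found": [], "unreported": []}
    file_results = [(s, t) for sec, s, t in results if sec == "FILES"]
    for wanted in script.get("files", []):
        hits = [(s, t) for s, t in file_results if fnmatch.fnmatchcase(t.lower(), wanted.lower())]
        _bucket(outcome, wanted, hits)
    reg_results = [(s, t) for sec, s, t in results if sec == "REGISTRY"]
    for entry in script.get("reg", []):
        key = entry.strip("[]").lstrip("-")  # '[-KEY]' means delete KEY
        hits = [(s, t) for s, t in reg_results if t.lower() == key.lower()]
        _bucket(outcome, key, hits)
    return outcome


if __name__ == "__main__":
    summary = reconcile(parse_otm_script(SAMPLE_SCRIPT), parse_otm_log(SAMPLE_LOG))
    for bucket, items in summary.items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

The one design point worth noting is the wildcard handling: a `:files` entry such as `C:\WINDOWS\TEMP\*.*` expands to many log lines, and if even one of them reads "scheduled to be moved on reboot" the entry is reported as pending rather than done, which is exactly why the instructions above tell the user to reboot and then rescan.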

  4. jallenaz

    jallenaz Private E-2

     
  5. jallenaz

    jallenaz Private E-2

    Windows Defender has started working again. It wanted to run a scan after I rebooted. I am running the scan now. Maybe it's all good now.

    Thanks!
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me know.
     
  7. jallenaz

    jallenaz Private E-2

    Started my computer this morning after it appears a major update was done and I still can't get Windows Defender to run. It was running when I left here last night. What should I try next?

    Thanks.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Since it is not a malware issue, I suggest you post in the software forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
  9. jallenaz

    jallenaz Private E-2

    Okay. Thank you.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are welcome. Good luck. :)
     
