Malware Problems Again! :(

Discussion in 'Malware Help (A Specialist Will Reply)' started by ctillers, Jun 28, 2013.

  1. ctillers

    ctillers Private E-2

    Dear volunteer staff,

    Well, apparently someone in the house downloaded some software that definitely had some baddies attached to it. It was supposed to be an image editor called Gimp. I saw that Conduit was included as well as some kind of program called OtShot. I immediately tried to resolve the problem by uninstalling the program and its attached malware, but there's still a Conduit toolbar on my Google Chrome and OtShot is still showing on my programs.

    Also, Google Chrome is having some redirection problems, and even after trying to change my settings to the New Tab page, it still redirects itself. I already went through the redirection problems forum post, and it did not solve any of the problems. So here I am! I also must apologize...I was clicking too quickly through the HitmanPro scan and ended up deleting all of the problems instead of ignoring them. The MGTools initial scan didn't work the first time either, and I had to use the GetLogs.bat. It ran after that just fine, however.

    I hope that you can help :)
     

    Attached Files:

    Last edited: Jun 28, 2013
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?SearchSource=10&CUI=UN20394714003172615&UM=2&ctid=CT3286042
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={1614CAA6-DC7F-11E2-BE99-84349794985F}
    R3 - URLSearchHook: (no name) - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - (no file)
    O2 - BHO: (no name) - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - (no file)
    O2 - BHO: (no name) - {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - (no file)
    O4 - HKLM\..\Run: [OtShot] C:\Program Files (x86)\OtShot\otshot.exe -minimize
    O4 - HKUS\S-1-5-21-1204375187-72499919-495243353-1006\..\Run: [SearchProtect] C:\Users\Alejandro\AppData\Roaming\SearchProtect\bin\cltmng.exe (User 'Alejandro')
    O4 - HKUS\S-1-5-21-1204375187-72499919-495243353-1007\..\Run: [SearchProtect] C:\Users\Jeremymiah\AppData\Roaming\SearchProtect\bin\cltmng.exe (User 'Jeremymiah')
    O4 - HKUS\S-1-5-21-1204375187-72499919-495243353-1008\..\Run: [SearchProtect] C:\Users\Sammyboy\AppData\Roaming\SearchProtect\bin\cltmng.exe (User 'Sammyboy')



    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    
    :Files
    C:\Users\Alejandro\AppData\Roaming\SearchProtect\bin\cltmng.exe
    C:\Users\Jeremymiah\AppData\Roaming\SearchProtect\bin\cltmng.exe
    C:\Users\Sammyboy\AppData\Roaming\SearchProtect\bin\cltmng.exe
    C:\Users\Alejandro\AppData\Roaming\SearchProtect\bin\cltmng.exe
    C:\Users\Alejandro\AppData\LocalLow\Delta
    C:\ProgramData\AVG2013
    C:\ProgramData\Browser Manager
    C:\ProgramData\Norton
    C:\ProgramData\Tarma Installer
    C:\ProgramData\ZalmanInstaller_52330
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OtShot.lnk
    C:\Program Files (x86)\AVG
    C:\Program Files (x86)\Conduit
    C:\Program Files (x86)\OtShot
    C:\Program Files (x86)\Common Files\Symantec Shared
    C:\Users\tillers72\AppData\Local\Temp\*.*
    
    
    
    :Reg
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "OtShot"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    
    [=HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0F085791-B223-4680-B566-049CA9F9CD73}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{89B6320B-58A5-43D7-9EBC-8DE0CC3399A8}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B3F9F2FC-5A8F-473F-A9DC-48F4C7503B7E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
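The HijackThis lines quoted above follow a fixed pattern (R0 start pages, R3/O2 CLSID registrations, O4 autoruns), so the checks a helper applies by eye can be written down. The script below is an added example, not part of this thread or of HijackThis/OTM: it parses HJT-style lines and reports the same three signals used above, namely a start page pointing at a host outside an assumed allow-list, a CLSID registered with "(no file)" behind it, and an autorun launched from a user's AppData folder. The sample input is the thread's own entries plus one constructed benign O4 line; the allow-list of start-page hosts and the PUP name tokens are assumptions taken from this thread, not a reference list.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: the HijackThis entries quoted in this thread, plus
# one made-up benign autorun (VendorUpdater) so the triage has something to pass.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?SearchSource=10&CUI=UN20394714003172615&UM=2&ctid=CT3286042
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={1614CAA6-DC7F-11E2-BE99-84349794985F}
R3 - URLSearchHook: (no name) - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - (no file)
O2 - BHO: (no name) - {03EB0E9C-7A91-4381-A220-9B52B641CDB1} - (no file)
O2 - BHO: (no name) - {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - (no file)
O4 - HKLM\..\Run: [OtShot] C:\Program Files (x86)\OtShot\otshot.exe -minimize
O4 - HKUS\S-1-5-21-1204375187-72499919-495243353-1006\..\Run: [SearchProtect] C:\Users\Alejandro\AppData\Roaming\SearchProtect\bin\cltmng.exe (User 'Alejandro')
O4 - HKLM\..\Run: [VendorUpdater] C:\Program Files\Vendor\updater.exe /background
"""

# Assumed allow-list: start pages on any other host are reported for review.
TRUSTED_START_HOSTS = {"www.google.com", "google.com", "www.bing.com",
                       "bing.com", "www.msn.com", "msn.com"}
# Name fragments taken from the entries in this thread; extend per case.
KNOWN_PUP_TOKENS = ("otshot", "searchprotect", "cltmng", "conduit", "sweetpacks")

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
START_PAGE = re.compile(r"Main,Start Page = (?P<url>\S+)")
# O4 body: "<hive>\..\Run: [Name] <command>" with an optional trailing "(User 'x')".
RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    code: str      # HJT section code, e.g. "O4"
    raw: str       # the original line
    reasons: list  # why it was flagged


def parse_hjt(text):
    """Return (code, body) for every HijackThis entry line; other text is ignored."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def assess(code, body):
    """Apply the three checks from the thread and return the reasons that fired."""
    reasons = []
    low = body.lower()
    if code in ("R0", "R1"):
        m = START_PAGE.search(body)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            # about:blank has no host; only named hosts are compared to the list.
            if host and host not in TRUSTED_START_HOSTS:
                reasons.append(f"start page points at untrusted host {host}")
    if code in ("R3", "O2", "O3") and low.endswith("(no file)"):
        ids = CLSID.findall(body)
        clsid = ids[0] if ids else "?"
        reasons.append(f"orphaned registration {clsid}: CLSID has no backing file")
    if code == "O4":
        m = RUN_ENTRY.search(body)
        if m and re.search(r"\\appdata\\", m.group("cmd").lower()):
            reasons.append("autorun launches from a user profile (AppData) path")
    hits = [t for t in KNOWN_PUP_TOKENS if t in low]
    if hits:
        reasons.append("matches known PUP name(s): " + ", ".join(hits))
    return reasons


def triage(text):
    """Return a Finding for each parsed entry that tripped at least one check."""
    findings = []
    for code, body in parse_hjt(text):
        reasons = assess(code, body)
        if reasons:
            findings.append(Finding(code, f"{code} - {body}", reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f.raw)
        for r in f.reasons:
            print("    ->", r)
```

Only the constructed VendorUpdater line passes; the seven entries from the thread each produce at least one reason, which is the same set chaslang selected for the Fix step. Run it against a saved HijackThis log by reading the file into `triage()` instead of `SAMPLE_HJT`.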
     
  3. ctillers

    ctillers Private E-2

    I ran all of the scans. In the HijackThis, I couldn't find the following:

    O4 - HKUS\S-1-5-21-1204375187-72499919-495243353-1006\..\Run: [SearchProtect] C:\Users\Alejandro\AppData\Roaming\SearchProtect\bin\cltmng.exe (User 'Alejandro')
    O4 - HKUS\S-1-5-21-1204375187-72499919-495243353-1007\..\Run: [SearchProtect] C:\Users\Jeremymiah\AppData\Roaming\SearchProtect\bin\cltmng.exe (User 'Jeremymiah')
    O4 - HKUS\S-1-5-21-1204375187-72499919-495243353-1008\..\Run: [SearchProtect] C:\Users\Sammyboy\AppData\Roaming\SearchProtect\bin\cltmng.exe (User 'Sammyboy')

    However, things looked okay for a little bit until I just now started Google Chrome. The thumbnail image in the left corner of the tab was switching back and forth to the Chrome webpage's to the Conduit key. Then, the toolbar downloaded itself and changed my home page again. When I restart Google, the homepage goes back to the Chrome new tab default, but the toolbar reappears and the process starts all over again!

    I've attached the logs.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Chrome is quite annoying in that it does not have a reset to defaults feature. Backup any bookmarks that you want from Chrome and then uninstall Chrome and reboot. Then after reboot delete the folders for Chrome. Like the below:

    C:\Users\tillers72\AppData\Local\Google\Chrome


    Then redownload and reinstall. You can get it here >>> Google Chrome 27.0.1453.116 Stable

    Does that help?
     
