Malware Takeover

Discussion in 'Malware Help (A Specialist Will Reply)' started by sunny123, Jul 22, 2013.

  1. sunny123

    sunny123 Private E-2

    I am being hit by major amounts of malware. I've been using IE. After changing User Account settings, after reboot, my IE wouldn't let me go anywhere. So, now I am on Google Chrome.
    Posting my logs now....
    (additional logs are coming in next post.)

    Thanks for your help.
     

    Attached Files:

  2. sunny123

    sunny123 Private E-2

    more logs...

    HitmanPro_x64.exe failed - Network Error
    C:\MGLogs.zip failed to be created
    (could not create output file <C:\MGlogs.zip>
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    Please run the C:\MGtools\ReZip.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator), then look in the C:\MGtools folder for a slightly different zip file named MGlogsR.zip. Attach it to your next message.
     
  4. sunny123

    sunny123 Private E-2

    Thank you....
    attached is the log.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.safesearch.net/?utm_medi...ce=sm&utm_content=1&utm_term=D10438B3F69B4BD4
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safesearch.net/?utm_medi...ce=sm&utm_content=1&utm_term=D10438B3F69B4BD4
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safesearch.net/?utm_medi...ce=sm&utm_content=1&utm_term=D10438B3F69B4BD4
    O2 - BHO: Fast Free Converter 4.0 - {4B72B1CE-C6E4-4089-89AF-1D01198E8B88} - C:\PROGRA~2\FASTFR~1\FASTFR~1\FASTFR~1.DLL
    O2 - BHO: Crawler Toolbar - {9234F5E0-56CC-4F0B-AAE4-0D4BD5032180} - C:\PROGRA~2\CRAWLE~1\Crawler.dll
    O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~2\INBOXT~1\Inbox.dll
    O2 - BHO: SafeSearch - {e27d5867-80de-4449-9c03-71707c0db05b} - C:\Program Files\SafeSearch\ie\adxloader.dll
    O2 - BHO: Movies Toolbar (Dist. by Bandoo Media, Inc.) - {ec2bae47-25af-4ce9-9e78-10627a49c9ea} - C:\PROGRA~2\MOVIES~1\Datamngr\SRTOOL~1\IE\searchresultsDx.dll
    O3 - Toolbar: &Crawler Toolbar - {C4D78C72-08DB-4A3F-9175-B265157283F3} - C:\PROGRA~2\CRAWLE~1\Crawler.dll
    O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~2\INBOXT~1\Inbox.dll
    O3 - Toolbar: Movies Toolbar (Dist. by Bandoo Media, Inc.) - {ec2bae47-25af-4ce9-9e78-10627a49c9ea} - C:\PROGRA~2\MOVIES~1\Datamngr\SRTOOL~1\IE\searchresultsDx.dll
    O3 - Toolbar: SafeSearch Toolbar - {fc0c0170-4eb0-430d-a7f3-939ee7ea1a25} - C:\Program Files\SafeSearch\ie\adxloader.dll
    O4 - HKLM\..\Run: [Backup Files Today] C:\Program Files (x86)\BackupFilesToday\BackupFilesToday.exe
    O4 - HKLM\..\Run: [CrawlerToolbar] "C:\Program Files (x86)\Crawler Toolbar\Crawler.exe" /STARTUP
    O4 - HKLM\..\Run: [InboxToolbar] "C:\Program Files (x86)\Inbox Toolbar\Inbox.exe" /STARTUP
    O4 - HKCU\..\Run: [PC Speed Boost] C:\Program Files (x86)\PC Speed Boost\PCSBLauncher.exe
    O4 - HKCU\..\Run: [MPOptimizer] "C:\Program Files\MaxPerforma Optimizer\MaxPerforma.exe" /scan
    O18 - Protocol: crawler - {4545C96B-15D0-4E22-8DDE-6F2CAF531281} - C:\PROGRA~2\CRAWLE~1\Crawler.dll
    O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~2\INBOXT~1\Inbox.dll
    O20 - AppInit_DLLs: C:\PROGRA~3\Wincert\WIN32C~1.DLL C:\PROGRA~2\MOVIES~1\Datamngr\mgrldr.dll C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
    O23 - Service: Search Protect by Conduit Service (CltMngSvc) - Conduit - C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe
    O23 - Service: Datamngr Coordinator (DatamngrCoordinator) - Bandoo Media Inc. - C:\Program Files (x86)\Movies Toolbar\Datamngr\DatamngrCoordinator.exe
    O23 - Service: FastFreeConverterUpdt - Unknown owner - C:\Program Files (x86)\Fast Free Converter\FastFreeConverterUpdt.exe

    After clicking Fix, exit HJT.

    Now uninstall the below programs:
    Backup Files Today
    Crawler Toolbar
    Extreme Flash Player
    Fast Free Converter
    Files Access
    iLivid
    Inbox Toolbar
    Movies Toolbar for Chrome (Dist. by Bandoo Media, Inc.)
    Movies Toolbar for Internet Explorer (Dist. by Bandoo Media, Inc.)
    PC Speed Boost v3.1
    PCHealthBoost 2.3.0
    Search Protect


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Services
    CltMngSvc
    DatamngrCoordinator
    FastFreeConverterUpdt
     
    :Files
    C:\PROGRA~3\Wincert\WIN32C~1.DLL
    C:\PROGRA~2\MOVIES~1\Datamngr\mgrldr.dll
    C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
    C:\Windows\tasks\Backup Files Today.job
    C:\Users\Sunny\Desktop\iLivid.lnk
    C:\Users\Sunny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iLivid.lnk
    C:\ProgramData\Datamngr
    C:\ProgramData\ExtremeMediaPlayer
    C:\ProgramData\PCHealthBoost
    C:\ProgramData\Wincert
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crawler Toolbar
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Extreme Flash Player
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inbox Toolbar
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaxPerforma Optimizer
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC HealthBoost
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Speed Boost
    C:\Program Files (x86)\BackupFilesToday
    C:\Program Files (x86)\Crawler Toolbar
    C:\Program Files (x86)\Extreme Flash Player
    C:\Program Files (x86)\Fast Free Converter
    C:\Program Files (x86)\Files Access
    C:\Program Files (x86)\Inbox Toolbar
    C:\Program Files (x86)\Movies Toolbar
    C:\Program Files (x86)\MyPC Backup
    C:\Program Files (x86)\PC HealthBoost
    C:\Program Files (x86)\PC Speed Boost
    C:\Program Files (x86)\SearchProtect
    C:\Users\Sunny\AppData\Local\Temp\*.*
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "PC Speed Boost"="C:\\Program Files (x86)\\PC Speed Boost\\PCSBLauncher.exe"
    "MPOptimizer"="\"C:\\Program Files\\MaxPerforma Optimizer\\MaxPerforma.exe\" /scan"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Backup Files Today"="C:\\Program Files (x86)\\BackupFilesToday\\BackupFilesToday.exe"
    "CrawlerToolbar"="\"C:\\Program Files (x86)\\Crawler Toolbar\\Crawler.exe\" /STARTUP"
    "InboxToolbar"="\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "Backup Files Today"="C:\\Program Files (x86)\\BackupFilesToday\\BackupFilesToday.exe"
    "CrawlerToolbar"="\"C:\\Program Files (x86)\\Crawler Toolbar\\Crawler.exe\" /STARTUP"
    "InboxToolbar"="\"C:\\Program Files (x86)\\Inbox Toolbar\\Inbox.exe\" /STARTUP"
    [HKEY_USERS\S-1-5-21-152492427-4223317403-3089435026-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "PC Speed Boost"="C:\\Program Files (x86)\\PC Speed Boost\\PCSBLauncher.exe"
    "MPOptimizer"="\"C:\\Program Files\\MaxPerforma Optimizer\\MaxPerforma.exe\" /scan"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{4B51C980-C6B0-11E1-9136-AED16088709B}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4B51C980-C6B0-11E1-9136-AED16088709B}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A26C36F3-9D6C-4551-86A4-B3E9C4B7B3CD}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{FC0C0170-4EB0-430D-A7F3-939EE7EA1A25}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="res://ieframe.dll/tabswelcome.htm"
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
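    The HijackThis lines and the OTM :Reg section above all come from a handful of registry locations: the IE Main key (R0/R1), Browser Helper Objects (O2), the Run keys (O4), AppInit_DLLs (O20) and SearchScopes. The following read-only PowerShell audit is an added example, not part of the thread and not one of the MGtools or OTM scripts; it assumes an elevated PowerShell prompt on Windows Vista or later and lists what is currently registered in those locations, so the same view can be compared before and after a cleanup. It changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the autostart and IE
# locations the HijackThis R0/R1, O2, O4, O20 and SearchScopes entries are taken from.
# Assumes an elevated PowerShell prompt; nothing is modified.

$report = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Area, [string]$Key, [string]$Name, $Value)
    $report.Add([pscustomobject]@{ Area = $Area; Key = $Key; Name = $Name; Value = $Value })
}

# R0/R1: Internet Explorer start page and default page, per-user and machine-wide
foreach ($hive in 'HKCU', 'HKLM') {
    $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    if (Test-Path -LiteralPath $main) {
        $p = Get-ItemProperty -LiteralPath $main
        foreach ($n in 'Start Page', 'Default_Page_URL') {
            if ($p.PSObject.Properties[$n]) { Add-Finding 'IE Main' $main $n $p.$n }
        }
    }
}

# O2: Browser Helper Objects are registered by CLSID; resolve each CLSID to its DLL
$bhoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($bp in $bhoPaths) {
    if (-not (Test-Path -LiteralPath $bp)) { continue }
    foreach ($k in Get-ChildItem -LiteralPath $bp) {
        $clsid = $k.PSChildName
        $dll = $null
        foreach ($cls in "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                         "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32") {
            if (Test-Path -LiteralPath $cls) {
                $dll = (Get-ItemProperty -LiteralPath $cls).'(default)'
                break
            }
        }
        Add-Finding 'BHO' $bp $clsid $dll
    }
}

# O4: Run keys in the user hive and the machine hive, including the 32-bit view on x64
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($rk in $runKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    $p = Get-ItemProperty -LiteralPath $rk
    foreach ($prop in $p.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... bookkeeping properties PowerShell adds
        if ($prop.Name -notlike 'PS*') { Add-Finding 'Run' $rk $prop.Name $prop.Value }
    }
}

# O20: AppInit_DLLs is loaded into every process that links user32.dll,
# so any non-empty value deserves a look
foreach ($w in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    if (Test-Path -LiteralPath $w) {
        $v = (Get-ItemProperty -LiteralPath $w).AppInit_DLLs
        if ($v) { Add-Finding 'AppInit_DLLs' $w 'AppInit_DLLs' $v }
    }
}

# SearchScopes: which search provider is the default and what URL each one points at
foreach ($hive in 'HKCU', 'HKLM') {
    $ss = "${hive}:\Software\Microsoft\Internet Explorer\SearchScopes"
    if (-not (Test-Path -LiteralPath $ss)) { continue }
    $default = (Get-ItemProperty -LiteralPath $ss).DefaultScope
    foreach ($k in Get-ChildItem -LiteralPath $ss) {
        $url = (Get-ItemProperty -LiteralPath $k.PSPath).URL
        $tag = if ($k.PSChildName -eq $default) { 'SearchScope (default)' } else { 'SearchScope' }
        Add-Finding $tag $ss $k.PSChildName $url
    }
}

$report | Format-Table -AutoSize -Wrap
```

Running this before the HijackThis fix and again after the reboot shows directly whether a given Run value, BHO or search scope survived, which is what the repeated safesearch.net lines later in the thread come down to. The Wow6432Node paths matter on 64-bit Windows because 32-bit toolbars register under that view, which is why the OTM script lists the Run key twice.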
     
  6. sunny123

    sunny123 Private E-2

    again, thank you so much for your help!

    Cannot get rid of MaxPerforma Optimizer for PC.... ?
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. sunny123

    sunny123 Private E-2

    Hi....
    sorry for the delay... I haven't had access to my computer.

    I saved the fixme file, and clicked it, and SUCCESS (yay).
    Attached is the MGlogs.zip file.

    As of this morning, I was still getting one pop up.... I will go play now, and see what happens, and report back.
     

    Attached Files:

  9. sunny123

    sunny123 Private E-2

    HI...
    ok.... still have a couple of issues....
    One is a pop up that is occurring after reboot...
    MaxPerforma Optimizer - copyright 2012 AV software.
    Can we permanently delete that?

    Another is.. well, maybe....
    On IE.... there are 2 address bars... the top one is SafeSearch.net
    Is that supposed to be there? I thought it was one of the things we had gotten rid of.

    Other than those two issues, I haven't noticed any other problems.

    Thank you...
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume this is with Chrome ??? Uninstall Chrome and reboot. After reboot, delete the below folder:

    C:\Program Files (x86)\Google\Chrome

    Then you can redownload and reinstall Chrome from the below

    Google Chrome 28.0.1500.72 Stable
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below and make sure that all protection software is shutdown first. OTM did not fix everything it should have fixed last time.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.safesearch.net/?utm_medi...ce=sm&utm_content=1&utm_term=D10438B3F69B4BD4
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safesearch.net/?utm_medi...ce=sm&utm_content=1&utm_term=D10438B3F69B4BD4
    O3 - Toolbar: (no name) - {ec2bae47-25af-4ce9-9e78-10627a49c9ea} - (no file)

    After clicking Fix, exit HJT.

    Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Program Files\MaxPerforma Optimizer
    C:\Windows\TEMP\*.*
    C:\Users\Sunny\AppData\Local\Temp\*.*
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaxPerforma Optimizer_is1]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{4B51C980-C6B0-11E1-9136-AED16088709B}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{FC0C0170-4EB0-430D-A7F3-939EE7EA1A25}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4B51C980-C6B0-11E1-9136-AED16088709B}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ec2bae47-25af-4ce9-9e78-10627a49c9ea}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="res://ieframe.dll/tabswelcome.htm"
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. sunny123

    sunny123 Private E-2

    HI.... thank you again...
    I turned off Windows Firewall.
    attached is the reports....
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the below still show in HijackThis.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.safesearch.net/?utm_medi...ce=sm&utm_content=1&utm_term=D10438B3F69B4BD4
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safesearch.net/?utm_medi...ce=sm&utm_content=1&utm_term=D10438B3F69B4BD4


    Are you forgetting to fix these? Are you making sure your browser is closed before clicking the Fix Checked button? And the OTM fix still did not work. Are you forgetting to use Run As Administrator when you run the fixes?

    How are things working?
     
  14. sunny123

    sunny123 Private E-2

    HI....
    Yes, I saw that safesearch was still there :(
    Here's the thing.... this is my friend's computer and she has company coming to stay for a couple of weeks, and she doesn't want to deal with it right now.

    I believe I have remembered to do all those things correctly, but I will redo it again just to make sure.

    I VERY MUCH appreciate your help! All the pop ups are now gone... woohoo!
    Do you have a virus protection that you recommend?
    Again, thank you!
     
  15. sunny123

    sunny123 Private E-2

    I redid things and Yay... no safesearch!
    all clean now :)
    Have a great day.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great but you really should rerun C:\MGtools\GetLogs.bat to create a new MGlogs.zip and attach that too so we can be sure.

    If all is clean, there will be final instructions/cleanup to perform.
     
