Multiple Infections including Optimizer Pro

Discussion in 'Malware Help (A Specialist Will Reply)' started by kc61q, May 20, 2014.

  1. kc61q

    kc61q Private E-2

    Hello,

    Working on a friend's computer, which appears to have a dozen or so malware packages installed. Most refuse to uninstall via normal procedures, some corrupt system data when forcibly removed.

    I've had to do a system restore to return the system to an uncorrupted (though still infected) state, and have now gone through the initial scan progression; logs attached. Some malware has been removed via the initial scans, but many remain.

    Thanks for your help.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun Hitman and have it fix everything it finds. Then rerun RogueKiller and have it fix these items:

    Code:
    [RUN][SUSP PATH] HKCU\[...]\Run : ContentExplorer ("C:\Users\Jan\AppData\Roaming\ContentExplorer\ContentExplorer.exe" [7]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-599228254-2945687923-1531319020-1000\[...]\Run : ContentExplorer ("C:\Users\Jan\AppData\Roaming\ContentExplorer\ContentExplorer.exe" [7]) -> FOUND
    [PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (hxxp=hxxp://127.0.0.1:9880 [Country: (Private Address) (XX), City: (Private Address)]) -> FOUND
    [PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
    [IFEO] HKLM\[...]\bitguard.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\bprotect.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\bpsvc.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\browserdefender.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\browserprotect.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\browsersafeguard.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\dprotectsvc.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\jumpflip : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\protectedsearch.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\searchinstaller.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\searchprotection.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\searchprotector.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\searchsettings.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\searchsettings64.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\snapdo.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\stinst32.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\stinst64.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\umbrella.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\utiljumpflip.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\volaro : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\vonteera : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\websteroids.exe : Debugger (tasklist.exe [7]) -> FOUND
    [IFEO] HKLM\[...]\websteroidsservice.exe : Debugger (tasklist.exe [7]) -> FOUND
    

    Also fix these:

    ¤¤¤ Scheduled tasks : 2 ¤¤¤

    Then reboot and rescan with both Hitman and RogueKiller and attach the new logs.

    For the items you want to uninstall, you can try using Revo Uninstaller to remove Optimizer Pro.

    Let me know how you get along.
     
    Last edited: May 20, 2014
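The RogueKiller findings in the post above fall into four persistence and hijack classes: IFEO Debugger entries (setting Debugger to tasklist.exe makes Windows launch tasklist instead of the named program, so the target silently never runs; this adware uses it to kill rival adware, and other malware uses the same trick against security tools), Run-key autostarts living under AppData (the [SUSP PATH] tag), an IE proxy pointed at 127.0.0.1 so a local process sits in the middle of all browser traffic, and scheduled tasks. The script below is an added, read-only audit of those same locations; it is not code from the thread, from RogueKiller or from Hitman. It assumes an elevated PowerShell 2.0 or later prompt on Windows 7/8 with an English-locale schtasks, and `$KnownDebuggers` is a hypothetical allow-list you would adjust for your environment. It changes nothing; review the output before deleting anything.

```powershell
# Added example, not part of the original thread. Read-only audit of the
# IFEO, Run-key, IE proxy and scheduled-task locations RogueKiller flagged.
# Assumes an elevated PowerShell 2.0+ prompt on Windows 7/8, English locale.

# Hypothetical allow-list of legitimate IFEO debuggers; adjust for your site.
$KnownDebuggers = 'vsjitdebugger\.exe|windbg\.exe|procdump(64)?\.exe|drwtsn32\.exe'
$findings = New-Object System.Collections.ArrayList

function Add-Finding {
    param($Category, $Key, $Value, $Suspicious)
    [void]$findings.Add((New-Object PSObject -Property @{
        Category = $Category; Key = $Key; Value = "$Value"; Suspicious = [bool]$Suspicious }))
}

# 1. IFEO: any Debugger value redirects the named executable to another
#    program. Debugger=tasklist.exe (as in the log) means the target never
#    runs at all. Anything not on the allow-list is flagged (-match is
#    case-insensitive in PowerShell).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in (Get-ChildItem $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO' $key.PSChildName $dbg ($dbg -notmatch "($KnownDebuggers)") }
}

# 2. Run keys for HKLM, HKCU and every loaded user hive (RogueKiller's HKUS
#    lines). An autostart under AppData, Temp or ProgramData is what the
#    [SUSP PATH] tag means: installed software belongs in Program Files.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($hive in (Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' })) {
    $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($k in $runKeys) {
    $props = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        Add-Finding 'Run' "$k : $($p.Name)" $p.Value ($p.Value -match '\\AppData\\|\\Temp\\|\\ProgramData\\')
    }
}

# 3. IE proxy. ProxyEnable=1 with a loopback ProxyServer means a local
#    process intercepts every browser on the box (ad injection, search
#    hijack). A PAC script in AutoConfigURL has the same effect.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($ie -and $ie.ProxyEnable -eq 1) {
    Add-Finding 'Proxy' 'ProxyServer' $ie.ProxyServer ($ie.ProxyServer -match '127\.0\.0\.1|localhost')
}
if ($ie -and $ie.AutoConfigURL) { Add-Finding 'Proxy' 'AutoConfigURL' $ie.AutoConfigURL $true }

# 4. Scheduled tasks whose action runs from a profile or temp directory.
#    schtasks /v repeats its header once per task folder on some versions,
#    so rows whose TaskName is the literal header text are dropped.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and
                   $_.'Task To Run' -match '\\AppData\\|\\Temp\\|\\ProgramData\\' } |
    ForEach-Object { Add-Finding 'Task' $_.TaskName $_.'Task To Run' $true }

$findings | Sort-Object Category, Key | Format-Table Category, Suspicious, Key, Value -AutoSize -Wrap
```

Run it once before cleanup to see the full picture and once after the reboot to confirm nothing came back; an IFEO or Run entry that reappears after removal points at a service or task that is re-creating it, which is the thing to remove first.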
  3. kc61q

    kc61q Private E-2

    So far, so good. I've made the fixes you recommended, and it seems like the more tenacious programs have been removed without corrupting the Programs and Features list in Control Panel, like it did the first time.

    I still have to do some file cleanup and remove some of the minor malware programs via uninstall or Revo Uninstaller, which I will do if you're happy with the logs.

    Thanks, again!
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There are three files in Hitman that I am not familiar with. Do you know what they are related to?

    Things are running well now?
     
  5. kc61q

    kc61q Private E-2

    Those three files are valid. They are associated with a software package that the user has installed on the system.

    System is getting better. Used Revo Uninstaller to remove other malware programs. One, called "VO Package", was the one that wiped out my Programs and Features list in Control Panel. Had to do a system restore to put it back and then try to pick it apart a little more carefully. It appears to install a service that installs and manages several browser helper objects, most of which had already been recognized and wiped out during the malware scans. Maybe this is why the uninstall got corrupted?? In any case, I had to delete some scheduled tasks, remove the service, and delete some files and folders, and now it seems to be running OK.

    A little bit of final cleanup, and I think we are back in business! Thanks for your help!
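The package described in the post above is a common shape for this class of adware: a Windows service whose job is to install and re-install a set of Browser Helper Objects, so that removing the BHOs alone (as the scanners did) leaves the service behind to break the uninstaller or put them back. The script below is an added example, not the thread's own removal steps and not anything from the "VO Package" installer. It lists Win32 services whose code runs from outside the Windows and Program Files directories, resolving svchost-hosted services to their ServiceDll, and every registered BHO together with the DLL its CLSID resolves to, so the service and its BHOs can be matched up before anything is deleted. It assumes an elevated PowerShell 2.0 or later prompt on Windows 7/8 and is read-only.

```powershell
# Added example, not part of the original thread. Read-only inventory of
# services running from unusual locations and of Browser Helper Objects.
# Assumes an elevated PowerShell 2.0+ prompt on Windows 7/8.

$SystemDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Resolve-ImagePath([string]$Raw) {
    # ImagePath comes quoted, with arguments, as \??\C:\..., as %SystemRoot%\...,
    # or as a bare system32\... path relative to the Windows directory.
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim()) -replace '^\\\?\?\\', ''
    if ($p.StartsWith('"')) { $p = ($p -split '"')[1] }
    else { $p = ($p -split '\s+(?:-|/)', 2)[0] }          # drop "-k netsvcs"-style arguments
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-InSystemDirs([string]$Path) {
    # A null or empty path (unresolvable DLL) is treated as outside: worth a look.
    foreach ($d in $SystemDirs) { if ($Path -like "$d\*") { return $true } }
    return $false
}

# Win32 services only (Type 0x10 own-process, 0x20 shared); drivers are skipped.
# svchost-hosted services keep their real code in Parameters\ServiceDll.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$services = foreach ($key in (Get-ChildItem $svcRoot -ErrorAction SilentlyContinue)) {
    $v = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    if (-not $v.ImagePath -or -not ($v.Type -band 0x30)) { continue }
    $code = Resolve-ImagePath $v.ImagePath
    $dll = (Get-ItemProperty "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $code = Resolve-ImagePath $dll }
    New-Object PSObject -Property @{
        Service = $key.PSChildName; Start = $v.Start; Code = $code
        OutsideSystemDirs = -not (Test-InSystemDirs $code)
    }
}

# BHOs are registered by CLSID; the DLL lives under the CLSID's InprocServer32.
# 32-bit IE on 64-bit Windows reads the Wow6432Node copies, and a per-user
# registration under HKCU\Software\Classes wins for non-elevated IE.
$bhoRoots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
$bhos = foreach ($root in $bhoRoots) {
    foreach ($entry in (Get-ChildItem $root -ErrorAction SilentlyContinue)) {
        $clsid = $entry.PSChildName
        $cls = 'HKLM:\SOFTWARE\Classes\CLSID'
        if ($root -match 'Wow6432Node') { $cls = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
        $server = $null
        foreach ($candidate in @("HKCU:\Software\Classes\CLSID\$clsid", "$cls\$clsid")) {
            $srv = Get-ItemProperty "$candidate\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv) { $server = $srv.'(default)'; break }
        }
        New-Object PSObject -Property @{
            CLSID = $clsid
            Name  = (Get-ItemProperty "$cls\$clsid" -ErrorAction SilentlyContinue).'(default)'
            Dll   = $server
            OutsideSystemDirs = -not (Test-InSystemDirs ([Environment]::ExpandEnvironmentVariables("$server")))
        }
    }
}

"== Win32 services with code outside Windows / Program Files =="
$services | Where-Object { $_.OutsideSystemDirs } | Format-Table Service, Start, Code -AutoSize -Wrap
"== Browser Helper Objects =="
$bhos | Format-Table OutsideSystemDirs, Name, Dll, CLSID -AutoSize -Wrap
```

A service and a set of BHOs sharing the same directory under ProgramData or a user profile is the pattern to look for; stop and delete the service (and any scheduled task that restarts it) before removing the BHO DLLs, otherwise the service simply reinstalls them on the next boot.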
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double-click (if running Vista, Win 7, or Win 8, right-click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points, some of which could be infected.
      • Then we want you to enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
