multiple pc optimizers removed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Drayden, Nov 22, 2014.

  1. Drayden

    Drayden Private E-2

    I don't know the usage history of this Dell laptop. It belonged to my uncle who recently passed away. Booting normally was so bad I couldn't even shut down (had to hold the power button to force shut down) because of multiple malware PC optimizers, browser protectors and antivirus programs. It seems he fell for every one he came across. Funny, he did have Malwarebytes in the mix, but it was the only legit one I found.

    I had to start in safe mode and use Revo uninstaller to uninstall as much as I could before I could even begin the "READ & RUN ME FIRST" thread.

    I got through all the steps and I'm still having issues. I had to start this thread on my laptop because when I go to the MajorGeeks support forum on his laptop, I get redirects every time I try to open a forum or thread.

    I've received help from this forum in the past with great success and I hope it turns out as well this time, however this is by far the worst infected computer I've dealt with.

    I've posted the logs as requested in the "READ & RUN ME FIRST" thread.
     

    Attached Files:

    Last edited: Nov 22, 2014
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    While I look at your logs, rerun MBAM and have it fix everything it finds. Then rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry : 31 ¤¤¤
    [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52} -> Found
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CltMngSvc (C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\globalUpdate (C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe /svc) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\globalUpdatem (C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe /medsvc) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IePluginServices (C:\ProgramData\IePluginServices\PluginService.exe -service) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Northern Themes Service (C:\Users\Redbob\AppData\NTSFile\NTS.exe -svcname=Northern Themes Service) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CltMngSvc (C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\globalUpdate (C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe /svc) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\globalUpdatem (C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe /medsvc) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IePluginServices (C:\ProgramData\IePluginServices\PluginService.exe -service) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Northern Themes Service (C:\Users\Redbob\AppData\NTSFile\NTS.exe -svcname=Northern Themes Service) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\CltMngSvc (C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\globalUpdate (C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe /svc) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\globalUpdatem (C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe /medsvc) -> Found
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\IePluginServices (C:\ProgramData\IePluginServices\PluginService.exe -service) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Northern Themes Service (C:\Users\Redbob\AppData\NTSFile\NTS.exe -svcname=Northern Themes Service) -> Found
    [PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.v9.com/web/?type=ds&ts=1416589612&from=brd&uid=WDCXWD5000BPVT-75HXZT1_WD-WXC1A61Y4297Y4297&i=psd&t=34c5a6bbb&q={searchTerms} -> Found
    [PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.v9.com/web/?type=ds&ts=1416589612&from=brd&uid=WDCXWD5000BPVT-75HXZT1_WD-WXC1A61Y4297Y4297&i=psd&t=34c5a6bbb&q={searchTerms} -> Found
    Rerun Hitman and have it fix everything it finds.

    I will give you further instructions shortly. In the meantime, reboot and rescan with RogueKiller, MBAM and Hitman and attach those new logs.
     
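The RogueKiller entries in the post above are a compact triage format in their own right: each line carries a classification tag, the registry key, and (for services) the command line that will run at boot. The Python script below is an added example, not part of the thread and not RogueKiller's own code. It parses lines in that report layout, collapses the duplicate CurrentControlSet / ControlSet001 / ControlSet002 service entries into one record per service, ranks each service by where its binary lives (a service binary under a user profile or ProgramData, like the NTS.exe entry above, is the strongest signal in this log), flags a binary named like a vendor updater that is not installed under that vendor's directory (the globalUpdate\GoogleUpdate.exe entries), and pulls the host and tracking-style parameters out of the hijacked IE Search Page value, where the uid parameter appears to be a drive model and serial string used as a per-machine identifier. The sample input is constructed from lines quoted in the thread, including the forum's [URL] bbcode wrapping, plus one made-up benign svchost line as a control; the location thresholds, the lookalike table and the tracking-parameter list are my own heuristics, not RogueKiller's classification.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the RogueKiller "Registry" report layout quoted in the
# thread. All lines except the last are copied from the log above (including
# the forum's [URL] bbcode); the wuauserv/svchost line is made up as a benign
# control so that the low-risk bucket is exercised.
SAMPLE_LOG = r"""
¤¤¤ Registry : 7 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CltMngSvc (C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CltMngSvc (C:\PROGRA~2\SearchProtect\Main\bin\CltMngSvc.exe) -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\globalUpdate (C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe /svc) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Northern Themes Service (C:\Users\Redbob\AppData\NTSFile\NTS.exe -svcname=Northern Themes Service) -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} -> Found
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : [URL]http://search.v9.com/web/?type=ds&ts=1416589612&from=brd&uid=WDCXWD5000BPVT-75HXZT1_WD-WXC1A61Y4297Y4297&i=psd&t=34c5a6bbb&q={searchTerms[/URL]} -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv (C:\Windows\system32\svchost.exe -k netsvcs) -> Found
"""

# One report line: "[tag] (arch) key (command line)? -> state"
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?)"
    r"(?: \((?P<cmd>.*)\))? -> (?P<state>\w+)$"
)
# First executable in a service command line (copes with quoted paths and
# paths containing spaces and parentheses such as "C:\Program Files (x86)\...").
IMAGE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)
BBCODE_RE = re.compile(r"\[/?URL\]", re.IGNORECASE)

# Heuristics (assumptions, not RogueKiller's own logic).
LOOKALIKE = {"googleupdate.exe": "\\google\\"}   # binary name -> expected path fragment
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}
TRACKING_PARAMS = {"uid", "ts", "from", "i", "t"}


def classify_location(image_path):
    """Map a service binary path to (location bucket, risk)."""
    p = image_path.lower().replace("/", "\\")
    if "\\temp\\" in p:
        return "temp", "high"
    if p.startswith("c:\\users\\"):
        return "user-profile", "high"
    if p.startswith("c:\\programdata\\"):
        return "programdata", "high"
    if p.startswith("c:\\program files") or p.startswith("c:\\progra~"):
        return "program-files", "medium"
    if p.startswith("c:\\windows\\"):
        return "windows", "low"
    return "other", "high"


def analyse_search_page(url):
    """Pull the host and tracking-style parameters out of a hijacked search URL."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "has_query_template": "{searchTerms}" in url,
        "tracking_params": sorted(k for k in qs if k in TRACKING_PARAMS),
        "uid": qs.get("uid", [None])[0],
    }


def triage(log_text):
    """Parse RogueKiller-style registry lines into services, hijacks and the rest."""
    services, hijacks, other = {}, [], []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, unknown formats
        tag, key, cmd = m.group("tag"), m.group("key"), m.group("cmd")
        if " | " in key and " : " in key:
            # Value entry: "<key> | <value name> : <data>"
            _keypath, _, rest = key.partition(" | ")
            value_name, _, data = rest.partition(" : ")
            data = BBCODE_RE.sub("", data)
            if tag.startswith("PUM.SearchPage") or value_name.lower() in ("search page", "start page"):
                hijacks.append({"value": value_name, **analyse_search_page(data)})
            continue
        if "\\services\\" in key.lower() and cmd:
            # Service entry: one record per service name, merged across the
            # CurrentControlSet / ControlSet001 / ControlSet002 duplicates.
            name = key.rsplit("\\", 1)[-1]
            exe = IMAGE_RE.match(cmd.strip())
            image = exe.group("exe") if exe else cmd.strip()
            location, risk = classify_location(image)
            rec = services.setdefault(name, {
                "image": image, "location": location, "risk": risk,
                "tags": set(), "control_sets": set(), "flags": set(),
            })
            rec["tags"].add(tag)
            rec["control_sets"].add(key.split("\\")[2])
            expected_dir = LOOKALIKE.get(image.lower().rsplit("\\", 1)[-1])
            if expected_dir and expected_dir not in image.lower():
                rec["flags"].add("lookalike-name")
            continue
        other.append({"tag": tag, "key": key})
    return {"services": services, "hijacks": hijacks, "other": other}


def by_risk(result):
    """(service name, risk) pairs, highest risk first, then alphabetical."""
    return sorted(((n, r["risk"]) for n, r in result["services"].items()),
                  key=lambda item: (RISK_ORDER[item[1]], item[0]))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, risk in by_risk(result):
        rec = result["services"][name]
        print(f"{risk:6} {name:25} {rec['location']:13} {sorted(rec['flags'])} {rec['image']}")
    for h in result["hijacks"]:
        print(f"search hijack -> {h['host']} tracking={h['tracking_params']} uid={h['uid']}")
```

Run it as a script to print the ranked service list and the hijack summary; for a real log, paste the whole "Registry" section into SAMPLE_LOG or read it from a file. The point of the ordering is that the user-profile service surfaces first even though RogueKiller tagged it only as Suspicious.Path, while the two globalUpdate services, which sit in Program Files and would otherwise look like an ordinary updater, are still called out because of the lookalike binary name.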
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing much else, but some clean up to do.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Processes
    explorer.exe
    
    :files
    C:\Users\Redbob\AppData\Local\nsuB772.tmp
    C:\Users\Redbob\AppData\Local\nsxB588.tmp
    C:\windows\TEMP\*.*
    C:\Users\Redbob\AppData\Local\Temp\*.*
    C:\windows\tasks\Adobe Flash Player Updater.job
    C:\windows\tasks\APSnotifierPP1.job
    C:\windows\tasks\APSnotifierPP2.job
    C:\windows\tasks\APSnotifierPP3.job
    C:\windows\tasks\DriverUpdate Startup.job
    C:\windows\tasks\GoogleUpdateTaskMachineCore.job
    C:\windows\tasks\GoogleUpdateTaskMachineUA.job
    C:\windows\tasks\SA.DAT
    C:\windows\tasks\SCHEDLGU.TXT
    C:\windows\system32\tasks\Adobe Flash Player Updater
    C:\windows\system32\tasks\APSnotifierPP1
    C:\windows\system32\tasks\APSnotifierPP2
    C:\windows\system32\tasks\APSnotifierPP3
    C:\windows\system32\tasks\CCleanerSkipUAC
    C:\windows\system32\tasks\DriverUpdate Startup
    C:\windows\system32\tasks\GoogleUpdateTaskMachineCore
    C:\windows\system32\tasks\GoogleUpdateTaskMachineUA
    C:\windows\system32\tasks\LaunchApp
    C:\windows\system32\tasks\LaunchSignup
    C:\windows\system32\tasks\Microsoft
    C:\windows\system32\tasks\OfficeSoftwareProtectionPlatform
    C:\windows\system32\tasks\Optimizer Pro Schedule
    C:\windows\system32\tasks\RegClean Pro_UPDATES
    C:\windows\system32\tasks\SpeedUpMyPC Maintenance
    C:\windows\system32\tasks\SpeedUpMyPC Startup
    C:\windows\system32\tasks\SuperFastPC_AutorunOnStartup
    C:\windows\system32\tasks\Tuneup Pro
    C:\windows\system32\tasks\Tuneup Pro_DEFAULT
    C:\windows\system32\tasks\Tuneup Pro_UPDATES
    C:\windows\system32\tasks\User_Feed_Synchronization-{4933A046-69A0-4ED3-936D-87F4FC965AAB}
    C:\windows\system32\tasks\WPD
    C:\windows\system32\tasks\{F82BDFE9-A4F3-402D-8037-94D9AC8B8B0C}
    C:\windows\syswow64\tasks\Microsoft
    
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\C57BCD732C12416FB166E0BA02620DD0]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}]
    
    :Commands
    [purity]
    [ResetHosts]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * OTM log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. Drayden

    Drayden Private E-2

    I ran the scans in the order you detailed in your first post.

    MBAM
    Rogue Killer
    HitmanPro
    reboot

    The first time I ran MBAM the log found nothing. I ran it again after completing the other scans in your first post and rebooted. I included the MBAM log after the reboot.

    I ran Rogue Killer and only 5 entries were present from the list you had provided. The RK log file named ...152808.log is from before I deleted the 5 entries and the RK log named ...162056.log is from the scan after delete and reboot.

    I ran HitmanPro and let it fix everything. The log is from after the reboot. (found nothing)

    I then followed the steps from your second post.

    OTC went exactly as stated in your post.

    MGlogs completed without issue. However, TrendMicro Hijack This never appeared. I've reached the limit of 5 attachments per post so I'll attach the MGlogs.zip on the next post.

    The laptop is running much better now. The only remaining issue I can find is this. When opening Google Chrome I get the following error message:

    "Your preferences file is corrupt or invalid. Google Chrome is unable to recover your settings."
     

    Attached Files:

  5. Drayden

    Drayden Private E-2

    attached MGlogs.zip
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Everything looks good. You will probably have to post in the software forum, but try this first:

    Reset Chrome to Defaults


    Let me know if that works.
     
  7. Drayden

    Drayden Private E-2

    THANK YOU! Everything is working great.

    Once again Major Geeks saves the day.

    To anyone reading this thread experiencing a malware issue, I encourage you to go to the malware forum and read the sticky titled "READ & RUN ME FIRST". This process works. If you get to the end and find you need to post a thread for customized help, you'll be in expert hands.

    Even though you'll never be asked by anyone at Major Geeks, I'd like to point out that there is a "Donate" button at the top of the page. Let's keep this great resource going!

    Again, THANKS for all the help.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
