My father-in-law's computer is infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by DelanoJoe, Jan 28, 2014.

  1. DelanoJoe

    DelanoJoe Private E-2

    Running Vista and he is in Florida, so this was not fun. After I went through the pain of walking him through all the procedures, my wife had me install TeamViewer so I could see and control his computer. I wish I had that earlier, although I'm not sure it will work when scanning with these tools. I hope these log files are OK as I tried my best to get him to follow the instructions. He had clicked an OK on a popup that said he needed to update his Vista drivers. It downloaded about 20 programs that I believe we successfully uninstalled, but I'm sure there is more cleanup to do.

    Thank you,

    Joe
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal startup mode.

    Reimage Repair <<< uninstall this.

    Re-run Hitman and have it delete Malware, Potential & Unwanted Programs.



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : SmileboxTray ("C:\Users\owner\AppData\Roaming\Smilebox\SmileboxTray.exe" [7]) -> FOUND
    • [RUN][SUSP PATH] HKCU\[...]\Run : ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon ("C:\Windows\system32\Rundll32.exe" "C:\Users\owner\AppData\Roaming\ValueApps\CH\TBVerifier.dll",RunConduitFloatingPlugin lcnnhcneegeeojhgpfijnlnocjdmlaon [7][7][x][x]) -> FOUND
    • [RUN][SUSP PATH] HKCU\[...]\Run : NextLive (C:\Windows\system32\rundll32.exe "C:\Users\owner\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l [7][-][x]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-1519876136-1142033630-3369821233-1000\[...]\Run : SmileboxTray ("C:\Users\owner\AppData\Roaming\Smilebox\SmileboxTray.exe" [7]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-1519876136-1142033630-3369821233-1000\[...]\Run : ConduitFloatingPlugin_lcnnhcneegeeojhgpfijnlnocjdmlaon ("C:\Windows\system32\Rundll32.exe" "C:\Users\owner\AppData\Roaming\ValueApps\CH\TBVerifier.dll",RunConduitFloatingPlugin lcnnhcneegeeojhgpfijnlnocjdmlaon [7][7][x][x]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-1519876136-1142033630-3369821233-1000\[...]\Run : NextLive (C:\Windows\system32\rundll32.exe "C:\Users\owner\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l [7][-][x]) -> FOUND
    • [RUN][SUSP PATH] HKLM\[...]\RunOnce : Del1107669 (cmd.exe /Q /D /c del "C:\Users\owner\AppData\Local\Temp\0.del" [x][x]) -> FOUND
    • [V1][SUSP PATH] Digital Sites.job : C:\Users\owner\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE - /Check [-] -> FOUND
    • [V1][SUSP PATH] SaveSense.job : C:\Users\owner\AppData\Roaming\SAVESE~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
    • [V2][SUSP PATH] Digital Sites : C:\Users\owner\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE - /Check [-] -> FOUND
    • [V2][SUSP PATH] SaveSense : C:\Users\owner\AppData\Roaming\SAVESE~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND


    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
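    The items ticked above share a pattern: autorun entries (Run/RunOnce values and scheduled tasks) whose payload lives under the user's AppData, is launched indirectly through rundll32, or hides behind 8.3 short names. As an added example that is not part of the thread and not RogueKiller's code, the Python below parses report lines in the format quoted above and states, for each entry, what makes it worth reviewing. The sample lines reuse the detections quoted in the post; the last line is a constructed benign-looking control entry (the vendor name and path are placeholders), and the rule names are this example's own.

```python
"""Triage autorun detections in RogueKiller-style report lines.

Added example: a small parser/classifier that shows why the Run-key and
scheduled-task entries quoted in the thread stand out. Not RogueKiller's code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Report lines modelled on the excerpt in the thread. The final line is a
# constructed benign-looking control entry with placeholder names.
SAMPLE_LINES = [
    r'[RUN][SUSP PATH] HKCU\[...]\Run : SmileboxTray ("C:\Users\owner\AppData\Roaming\Smilebox\SmileboxTray.exe" [7]) -> FOUND',
    r'[RUN][SUSP PATH] HKCU\[...]\Run : NextLive (C:\Windows\system32\rundll32.exe "C:\Users\owner\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l [7][-][x]) -> FOUND',
    r'[RUN][SUSP PATH] HKLM\[...]\RunOnce : Del1107669 (cmd.exe /Q /D /c del "C:\Users\owner\AppData\Local\Temp\0.del" [x][x]) -> FOUND',
    r'[V1][SUSP PATH] Digital Sites.job : C:\Users\owner\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE - /Check [-] -> FOUND',
    r'[RUN] HKLM\[...]\Run : ExampleVendorTray ("C:\Program Files\ExampleVendor\Tray.exe" -s [7]) -> FOUND',  # constructed control
]


@dataclass
class Detection:
    kind: str                 # RUN (registry autorun) or V1/V2 (scheduled task)
    flags: List[str]          # extra tags such as 'SUSP PATH'
    location: str             # registry hive/key, or the task name for tasks
    name: str                 # Run value name or task name
    command: str              # command line with RogueKiller's trailing [..] markers removed
    status: str               # FOUND / DELETED
    reasons: List[str] = field(default_factory=list)


TAGS_RE = re.compile(r'^((?:\[[^\]]+\])+)\s+(.*)$')
TRAILING_MARKERS_RE = re.compile(r'(?:\s*\[[^\]]*\])+$')          # strips [7], [x][x], [-] ...
USER_PROFILE_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\', re.I)
SHORT_NAME_RE = re.compile(r'~\d+(?:\\|\.|$)')                    # 8.3 names such as DIGITA~1
DLL_ARG_RE = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?\s*,', re.I)  # rundll32 "<dll>",Entry


def parse_line(line: str) -> Optional[Detection]:
    """Split one report line into its tags, location, entry name and command."""
    body, sep, status = line.rpartition(' -> ')
    if not sep:
        return None
    m = TAGS_RE.match(body)
    if not m:
        return None
    tags = re.findall(r'\[([^\]]+)\]', m.group(1))
    location, _, payload = m.group(2).partition(' : ')
    if tags[0] == 'RUN':
        # Registry autorun: payload is `ValueName (command ... [markers])`
        name, _, command = payload.partition(' (')
        command = command.rstrip(')')
    else:
        # Scheduled task: the location is the task name and the payload is its command
        name, command = location, payload
    command = TRAILING_MARKERS_RE.sub('', command).strip()
    return Detection(tags[0], tags[1:], location, name, command, status.strip())


def classify(det: Detection) -> Detection:
    """Attach human-readable reasons explaining why an autorun entry merits review."""
    cmd = det.command
    if USER_PROFILE_RE.search(cmd):
        det.reasons.append('executes from a user-writable profile directory (AppData)')
    if re.search(r'rundll32(\.exe)?', cmd, re.I):
        dll = DLL_ARG_RE.search(cmd)
        target = dll.group(1) if dll else '<unknown dll>'
        det.reasons.append(f'rundll32 proxy execution of {target}')
    if re.search(r'\bcmd(\.exe)?\b.*\bdel\b', cmd, re.I) and det.location.endswith('RunOnce'):
        det.reasons.append('RunOnce entry whose only job is to delete a dropped file')
    if SHORT_NAME_RE.search(cmd):
        det.reasons.append('8.3 short path hides the real directory name')
    return det


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Return {entry name: reasons}; an empty reason list means nothing stood out."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        det = parse_line(line)
        if det is not None:
            results[det.name] = classify(det).reasons
    return results


if __name__ == '__main__':
    for entry, reasons in triage(SAMPLE_LINES).items():
        print(f'{entry:20} {"REVIEW" if reasons else "looks ordinary"}')
        for r in reasons:
            print(f'    - {r}')
```

    The same value names appear twice in the report, once under HKCU and once under HKUS\S-1-5-21-...-1000: HKCU is just the logged-on user's view of that HKU\<SID> hive, so each pair is one registry value seen through two paths, not two separate infections.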
     
  3. DelanoJoe

    DelanoJoe Private E-2

    I reset msconfig to normal. I tried uninstalling Reimage but it wouldn't remove itself. Ran HitmanPro and RogueKiller, as well as GetLogs.bat. Attached are the files. I also removed a broadband2 dialup connection that was not set up by my father-in-law.

    Let me know next steps.

    Joe
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hitman still shows loads! You need to rerun it again and have it delete ALL that it finds please. Once done, rescan with it again, and attach a fresh log.

    If Reimage is being stubborn about uninstalling, please try Revo Uninstaller, and let me know how you get on with these two steps.
     
  5. DelanoJoe

    DelanoJoe Private E-2

    I was able to uninstall Reimage and re-ran HitmanPro and attached the log.

    Let me know if we need to do anything else,

    Thanks,

    Joe
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the below link:
     
  7. DelanoJoe

    DelanoJoe Private E-2

    I did all the cleanup last night and reset his settings.

    I did re-run Malwarebytes just to be safe and it found 23 threats - I removed them. I'm not sure if it was leftover or because Reimage was still on the computer. I told my father-in-law to let me know if he has any strange behaviour.

    Thanks Again,

    Joe
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    But you said it uninstalled. Did it? Attach the log from Malware Bytes if you like and I'll check it out.
     
  9. DelanoJoe

    DelanoJoe Private E-2

    I did uninstall Reimage and it was removed. I then re-ran HitmanPro and deleted all as you requested. For good measure, I reran CCleaner and then Malwarebytes just to make sure everything was OK. That is when Malwarebytes found 23 more threats. I will get the file and upload later this evening. I was just speculating as to why the 23 items would show up after all the scans we did.

    Joe
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem, well, as previously said, when you attach them I can probably shed more light on the whole thing ;)
     
  11. DelanoJoe

    DelanoJoe Private E-2

    OK - here is the log file from Malwarebytes - there were 23 threats detected and removed - I reran it after this and it showed no threats. Both logs attached.

    Joe
     


  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's fine. Let's see if this finds any more remnants.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
  13. DelanoJoe

    DelanoJoe Private E-2

    OK - ran JRT and it said I had to reboot to remove infected modules. I said no until it finished and then rebooted. My father-in-law is now running CCleaner and Malwarebytes once a week. He ran it last Saturday and found 25 more threats. Not sure where these are coming from. Anyway, I attached the JRT log and the last Malwarebytes log.

    Thanks,

    Joe
     


  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Is Malware Bytes finding any threats this week? :confused
     
  15. DelanoJoe

    DelanoJoe Private E-2

    I don't know because he was just running it once a week on Saturday - I told him to start doing this and he found 25 items last Saturday so I just included it. I don't know why these are still showing up. I can only do this once in a while since he is in Florida right now. I am using TeamViewer, which allows me to control his PC, so I have been able to verify nothing new installed in his programs. I just included the Saturday file in case it showed anything useful.

    Joe
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK no problem. :)
     
