Picked up a virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by hick, May 19, 2014.

  1. hick

    hick Private E-2

    Hello,

    My name is Mike. Please let me know if I did everything correctly, and/or what else I need to do.

    Thanks in advance.
    Ran all tests as requested before posting. What I have is redirecting my browser (Firefox) and always tries to keep IE open. Plus all the other stuff: slow, real slow, and then it just won't work with anything.

    Also had to zip the TDSSKiller .txt file in order to get it to attach.

    Again Thank you!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    Java(TM) 6 Update 11
    ScorpionSaver
    Wincore Mediabar

    Now install the current version of Sun Java from:
    Make sure that when you install the new version of Java that you uncheck the Install the Ask Toolbar junkware checkbox. You do not want to add the junk that most people consider malware to your PC. Also, just in case Oracle changes the Java installation in the future to possibly install other junk, uncheck everything except installing Java itself.
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=ad...zzyEyByEtN0D0TzutBtDtCtBtDyCtCtB&cr=532271489
    O2 - BHO: Wincore Mediabar - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll
    O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
    O2 - BHO: DataMngr - {BE7A24F5-69CB-4708-B77B-B1EDA6043B95} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\BROWSE~1.DLL
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: Wincore Mediabar - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll
    O3 - Toolbar: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
    O4 - HKLM\..\Run: [Windows Client Manager] "C:\Program Files (x86)\Flash Update\winclient32.exe"
    O20 - AppInit_DLLs: c:\progra~2\optimi~1\optpro~1.dll

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Services
    gupdate
    gupdatem
    gusvc
     
    :Files
    C:\Program Files (x86)\Flash Update
    C:\ProgramData\InstallMate
    C:\Users\Raf's new lap top\Downloads\FreeFlash.exe
    C:\Users\Raf's new lap top\Downloads\PSP_-_FIFA_12_USA-MEX_[www.pequepsp.es]_secure.exe
    C:\Users\Raf's new lap top\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_licjnkifamhpbaefhdpacpmihicfbomb_0.localstorage
    C:\Users\Raf's new lap top\AppData\Local\Conduit
    C:\Users\Raf's new lap top\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gaiilaahiahdejapggenmdmafpmbipje_0.localstorage
    C:\Users\Raf's new lap top\AppData\Local\Google\Chrome\User Data\Default\Web Data
    C:\Users\Raf's new lap top\AppData\LocalLow\DataMngr
    C:\Users\Raf's new lap top\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserProtect
    C:\Windows\SysWOW64\WNLT
    C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    C:\ProgramData\InstallMate
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Flash Update
    C:\Program Files (x86)\Flash Update
    C:\Program Files (x86)\PPÖúÊÖ
    C:\Program Files (x86)\Search Results Toolbar
    C:\Program Files (x86)\SearchProtect
    C:\Program Files (x86)\TidyNetwork
    C:\Users\Raf's new lap top\AppData\Local\Temp\*.*
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BrowserConnection.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DnsBHO.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AC662AF2-4601-4A68-84DF-A3FE83F1A5F9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserConnection.Loader.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserConnection.Loader]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DnsBHO.BHO.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DnsBHO.BHO]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\BrowserConnection.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\DnsBHO.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{AC662AF2-4601-4A68-84DF-A3FE83F1A5F9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\BrowserConnection.Loader.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\BrowserConnection.Loader]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\DnsBHO.BHO.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\DnsBHO.BHO]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Prod.cap]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Babylon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{6791A2F3-FC80-475C-A002-C014AF797E9C}]
    [-HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\.DEFAULT\Software\ImInstaller]
    [-HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-18\Software\ImInstaller]
    [-HKEY_USERS\S-1-5-19\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-20\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-2558568679-204271034-3347168481-1000\Software\AppDataLow\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-2558568679-204271034-3347168481-1000\Software\AppDataLow\Software\Smartbar]
    [-HKEY_USERS\S-1-5-21-2558568679-204271034-3347168481-1000\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-2558568679-204271034-3347168481-1000\Software\iLivid]
    [-HKEY_USERS\S-1-5-21-2558568679-204271034-3347168481-1000\Software\IM]
    [-HKEY_USERS\S-1-5-21-2558568679-204271034-3347168481-1000\Software\ImInstaller]
    [-HKEY_USERS\S-1-5-21-2558568679-204271034-3347168481-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_USERS\S-1-5-21-2558568679-204271034-3347168481-1000\Software\Mozilla\Firefox\Extensions\{58bd07eb-0ee0-4df0-8121-dc9b693373df}]
    [-HKEY_USERS\S-1-5-21-2558568679-204271034-3347168481-1000\Software\WNLT]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Windows Client Manager"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "Windows Client Manager"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{28387537-e3f9-4ed7-860c-11e69af4a8a0}"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button (http://forums.majorgeeks.com/chaslang/images/MoveIt!.png).
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. hick

    hick Private E-2

    chaslang,

    Thank you for your response,

    Deleted Java(TM) 6 Update 11, Wincore Mediabar.
    Could not find ScorpionSaver.

    Installed new version of Java for 64 bit,

    Ran HJT, checked and fixed as requested.

    Cut and pasted requested items into OTM, moved and rebooted.

    Ran JRT.

    Ran C:\MGtools\GetLogs.bat .

    Attached the requested files.

    Vast improvement on reboot times and a lot faster machine; IE is not trying to load and reload, and reload.

    Still get 2 notices on my screen during reboot and during the running of C:\MGtools\GetLogs.bat. The 2 notices are also attached.

    In general a much improved situation.

    Please let me know what my next steps need to be.

    Again Thank You for your help.

    Mike
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, because you made unrequested changes to your PC in between your first post and now. Thus the fixes did not work correctly. When you first came here you were not using MSConfig to control startups and then you changed it. Now you are using MSConfig, which you should not be. It is not meant to be a startup manager. Please put your PC into normal startup mode with MSConfig and then reboot. Then rerun the GetLogs.bat program to get a new MGlogs.zip file and attach it. We will likely have to make another fix now.
     
  5. hick

    hick Private E-2

    chaslang,

    I apologize for the changes made. Not sure how I did it, but I did it. I turned off the default setting in "Hit Man" to run a quick scan upon reboot this morning. I left the programs I downloaded on the computer and left the machine all night. But enough of me admitting I'm an idiot.
    I put Windows back to normal startup, rebooted, and re-ran GetLogs.bat.

    It is attached.

    Again I Apologize

    THANKS IN ADVANCE

    Mike
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below something that was knowingly installed and wanted?
    O4 - HKCU\..\Run: [Pogoplug Backup] "C:\Program Files (x86)\PogoplugBackup\ppbrowser.exe" --starthidden


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [PrivitizeVPN] "C:\Program Files (x86)\PrivitizeVPN\PrivitizeVPN.exe" /autorun
    O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\DATAMN~1.EXE
    O4 - HKCU\..\Run: [Optimizer Pro] C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe

    After clicking Fix, exit HJT.

    Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Services
    70e6ca8c
     
    :Files
    C:\Program Files (x86)\PrivitizeVPN
    C:\PROGRA~2\IMESHA~1
    C:\Program Files (x86)\Optimizer Pro
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Optimizer Pro"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "PrivitizeVPN"=-
    "DATAMNGR"=-
    [HKEY_USERS\S-1-5-21-2558568679-204271034-3347168481-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "Optimizer Pro"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\70e6ca8c]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button (http://forums.majorgeeks.com/chaslang/images/MoveIt!.png).
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
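    Added example, not from this thread or from chaslang's procedure: a small Python triage script for the HijackThis (R0/O2/O3/O4/O20) lines quoted in posts 2 and 6 above. It parses each line into a record and attaches defender-side flags (orphaned CLSIDs, an AppInit_DLLs entry, a hijacked start page, 8.3 short paths, a Run entry that starts hidden); the allowlist of trusted start-page hosts and the flag heuristics are this example's own assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed sample: the HijackThis entries quoted in chaslang's two fix lists above (R0 URL as shown there).
SAMPLE_LINES = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=ad...zzyEyByEtN0D0TzutBtDtCtBtDyCtCtB&cr=532271489",
    r"O2 - BHO: Wincore Mediabar - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll",
    r"O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)",
    r"O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)",
    r'O4 - HKLM\..\Run: [Windows Client Manager] "C:\Program Files (x86)\Flash Update\winclient32.exe"',
    r'O4 - HKCU\..\Run: [Pogoplug Backup] "C:\Program Files (x86)\PogoplugBackup\ppbrowser.exe" --starthidden',
    r"O20 - AppInit_DLLs: c:\progra~2\optimi~1\optpro~1.dll",
]
# Hypothetical allowlist of start-page hosts treated as benign; any other host is flagged.
TRUSTED_START_HOSTS = {"www.google.com", "www.bing.com", "www.msn.com", "go.microsoft.com"}

RE_R = re.compile(r"^(R\d) - (.+?),(.+?) = (.*)$")
RE_BHO = re.compile(r"^(O[23]) - (BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_RUN = re.compile(r"^(O4) - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")
RE_APPINIT = re.compile(r"^(O20) - AppInit_DLLs: (.*)$")

def split_command(cmd):
    """Split a Run-key command into (executable path, arguments); handles quoted and bare paths."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmd) or re.match(r"^(.*?\.exe)\s*(.*)$", cmd, re.I)
    return (m.group(1), m.group(2).strip()) if m else (cmd.strip(), "")

def parse_line(line):
    """Turn one HijackThis line into a record dict; None for sections this example does not handle."""
    if m := RE_R.match(line):
        return {"section": m[1], "kind": "StartPage", "name": m[3], "path": m[4], "args": ""}
    if m := RE_BHO.match(line):
        return {"section": m[1], "kind": m[2], "name": m[3], "clsid": m[4], "path": m[5], "args": ""}
    if m := RE_RUN.match(line):
        path, args = split_command(m[4])
        return {"section": m[1], "kind": "Run", "hive": m[2], "name": m[3], "path": path, "args": args}
    if m := RE_APPINIT.match(line):
        return {"section": m[1], "kind": "AppInit_DLLs", "name": "AppInit_DLLs", "path": m[2].strip(), "args": ""}
    return None

def flags_for(rec):
    """Defender heuristics (this example's own assumptions, not HijackThis logic) for one record."""
    flags = []
    if rec["kind"] in ("BHO", "Toolbar") and rec["path"] == "(no file)":
        flags.append("orphan-clsid")         # registration outlived its DLL; harmless leftover to clean
    if rec["kind"] == "AppInit_DLLs" and rec["path"]:
        flags.append("appinit-dll")          # DLL loaded into every process that maps user32.dll
    if rec["kind"] == "StartPage" and (urlparse(rec["path"]).hostname or "") not in TRUSTED_START_HOSTS:
        flags.append("start-page-override")  # home page redirected to an untrusted host
    if "~" in rec["path"]:
        flags.append("short-name-path")      # 8.3 short paths are typical of bundleware installers
    if rec["kind"] == "Run" and "hidden" in rec["args"].lower():
        flags.append("starts-hidden")        # not malicious by itself; confirm the program is wanted
    return flags

def triage(lines):
    """Parse every recognised line and attach its flags; unflagged records stay in for context."""
    recs = [r for r in (parse_line(l.strip()) for l in lines) if r is not None]
    for rec in recs:
        rec["flags"] = flags_for(rec)
    return recs
```

    Running triage(SAMPLE_LINES) leaves only the Windows Client Manager entry unflagged, which is why a human still has to read the unflagged lines too.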
     
  7. hick

    hick Private E-2

    chaslang,

    Yes Pogoplug is wanted.

    Ran C:\MGtools\analyse.exe, fixed 3 items.

    Ran OTM.exe, cut, pasted, moved. The log is attached.

    Ran C:\MGtools\GetLogs.bat. The file is attached.


    Computer is running great: much faster boot time, all programs work, print, my browser takes me to where I asked. I think all is well.

    Your time and patience with me is greatly appreciated.

    Thanks Mike
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  9. hick

    hick Private E-2

    chaslang,

    Cleaned up, and protected as noted below.

    Made a donation to Major Geeks.

    Again Thanks for your time and patience with me.

    All is running great. Back in operation.


    Thank-You
    Mike

    :-D
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and thanks for the donation. Glad to hear all is well.
     
