Something Wicked This Way Came...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mimsy, Aug 29, 2016.

  1. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    One afternoon a little over a week ago (right before we left on vacation), while my dear better half wasn't doing anything he doesn't do on the computer on a daily basis, Microsoft Security Essentials suddenly displayed a warning message that said the computer was at risk, and to call a provided phone number for help. The person that answered the call immediately stated they needed to run a scan on the computer, and proceeded to do so. The name of the scanning program is unknown (translation: he has forgotten the name). The person on the phone commented on the presence of Iobit Anti-Malware, and then went on to say that the computer needed a more thorough scan, that could be had for a one time fee, that would be applied to a credit card right there on the call. Just provide the full card info, please. At this point, my better half decided this was some kind of scam, and ended the phone call.

    Concerned about what might have been done to the computer, he then went on to install and run multiple anti-malware apps, hoping they would remove any malicious files installed by the (alleged?) scammer.

    MalwareBytes found something that it promptly cleaned out, but no log was collected at the time, so I can't confirm exactly what it found or what was done with it.

    Ever since this incident, Chrome starts on one of its own folders on c:\, instead of the home page it's told to start at. There is no noticeable hijacking or redirection, or any other unusual browser behavior, once you start to use Chrome to browse the web. Firefox and IE are unaffected. No other unusual computer behavior has been noticed, but since my husband is concerned that there might be malicious things left installed somewhere on his computer, he asked me to take a look. Since malware removal isn't exactly my specialty, I decided to make full use of the outstanding guides available here, rather than try to figure things out on my own.

    I read through the guide for fixing browser hijack/redirection, and opted not to follow it. The thought of doing a factory reset on my router, and being forced to re-enter every single custom setting makes me cringe and whimper. I have two wireless networks, with nearly 20 devices between the two, and custom settings on everything. I would really prefer not to have to spend the rest of the day re-configuring all of that, over an issue that only affects one of the three installed browsers, on this one computer. All other wireless devices are connecting without issue or unusual behavior.

    Just to clarify: I will go back and follow the entire browser hijack fixing guide if it is necessary. I would just really prefer not to have to do so until I know for sure that it is. All the cache flushing described in that guide, including DNS cache, I had already done on my own while trying to figure out why Chrome was being so ornery.

    And yes, I'm having mental images of being yelled at for skipping steps now. :(

    I went through the entire guide for Windows 10 (64-bit), without any problems. A few notes I took along the way:

    1. When downloading all the tools and saving them to the specified locations, a very terse message popped up and told me that I did not have permission to save files to the root of C:\. I turned off all protection apps, but this made no difference. So I saved the MGTools file to Desktop and then manually moved it to the root of C:\ instead. The protection apps remained turned off for the remainder of the process.

    2. MalwareBytes didn't automatically launch after it was installed. I manually launched it by right-clicking the desktop shortcut and running it As Administrator. It claimed it didn't find anything, but I saved the log anyway. After scanning, MBAM parked itself in the system tray and kept running there throughout the rest of the process. Since it didn't interfere with any of the other tools, that I could tell, I left it running.

    3. While RogueKiller was running, Chrome suddenly opened a window to www.adlice.com/remove-pum/. Since I didn't recognize the site at all, and since RK found a few items that all were named PUM-something, I closed that browser window as soon as I could, and made sure not to accidentally click on anything in it.

    4. When I installed Hitman Pro, a message in the main program window said "Trial license expired. Removal of viruses and other malicious software is disabled." There was a link to buying the full version. Since the R&R guide said that I should not, under pain of severe pain, actually remove anything that HMP found, I ignored the message, but decided to mention it here just in case it matters.

    I think the R&R process took care of everything, but since I am not an expert, I decided to post my logs here just in case I'm wrong.

    Thank you in advance for your time, and for helping me check and verify things. :)
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hi, Mimsy

    I won't yell.. will go through your logs and post back.
    1) Tell your husband that MS doesn't contact users like that.
    2) MGTools needing to be run from desktop happens often.
    3) Adlice.com is RogueKiller's developer site.
    4) Hitman Pro's expired license - no problem... the log helps me out.

    dr.m
     
    Mimsy likes this.
  3. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    1. We have had that conversation already. Let's just say I was not happy having to spend my last vacation day on computer clean-up duty... ;)
    2-4. Thanks for clearing that up! I was able to run MGTools from C:\, and have kept the file there in case I need to rerun it.

    I will now stop posting here and wait for you to post back about the logs. :)
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :) Nothing serious found.

    Re-run RogueKiller.exe. (Vista/Windows7/8/10 users should right-click and select "Run as Administrator")
    After it finishes the scan, under these tabs select and then click the Delete button.
    Registry
    Web browsers

    Then immediately reboot your PC.

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Upload RKreport[2].txt to your next message.
    After uploading RKreport[2].txt, now run a new scan with RogueKiller and save a log as in the original instructions and upload that new log also.

    *Update your version of Adwcleaner and do a "Scan" only > click on the Report button and upload that log, please.

    Please download ZHPcleaner to your desktop.
    • Close all applications (including your web browsers and antivirus)
    • Double-click on ZHPCleaner to run the tool.
    • If you are using Windows Vista, 7/8/10; instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
    • Please click the "J'accepte/I agree" button.
      • First press the "Scanner" button. Be patient, the scan takes longer than 5mins.
      • Then press the ''Repair'' button.
    • Browsers will automatically shut down.
    • A logfile will automatically open after the scan has finished.
    • Please upload that logfile with your next reply.
    Delete this with Windows Explorer -
    C:\Users\Jim\AppData\Local???????????????????

    Please upload the requested logs and tell me how the pc is running.
     
  5. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I re-ran the RogueKiller exe file. At the end it didn't have tabs and a delete button, but it labelled each type of threat clearly and had a very obvious "remove selected" button, so I just used that one instead. Rebooted, but I don't have an RKreport[2].txt file on my desktop. I opened a File Explorer window and ran a search for that file name, but nothing came up.

    What is the best way to get you the log you wanted? I'm holding off on following the rest of the instructions until this step has been resolved.
     
  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;) Just re-run RK and I'll compare the logs.
     
  7. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    Done. Here is the log.

    The item RK found looks exactly like one of the ones I removed earlier. I didn't remove it this time, since I wasn't told to. :) Working on ZHPcleaner now, and will return with that log when I have it.
     

    Attached Files:

  8. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    Almost forgot to turn off the resident anti-malware app, but thankfully ZHPcleaner reminded me. It ran for a very long time, and found a number of things. I repaired everything it found, and then I rebooted because ZHPcleaner said I needed to. The log is attached to this post.

    After reboot I also deleted that folder. I've been wanting to test Iobit's file shredder one something. :)
     

    Attached Files:

  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;) ZHPcleaner does a good job on browsers.
    If you didn't set that FF homepage, use RogueKiller again.
    Then tell me how the pc is running.
    *EDIT: How's the Chrome browser behaving also?
     
    Last edited: Aug 29, 2016
  10. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    Ran RK again, and removed the Firefox item it found. That browser and IE are both behaving the same as before, that is, they are acting perfectly normal. Chrome is still opening to file:///C:/PROGRA~2/Google/Chrome/Application/, as before. Aside from that one thing, everything is back to normal.
     
  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Okay, let's reset Chrome to default settings..

    Reset Chrome to Defaults

    Then delete that Chrome shortcut, re-boot, then go to its program folder, <edit to insert: right-click the Chrome.exe application> and create a new shortcut, send it to your desktop. Run a test or two....
     
    Last edited: Aug 29, 2016
    Mimsy likes this.
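    Recreating the shortcut is the fix given above; before deleting it, a defender can also inspect what the existing shortcut actually points at, since a browser opening on a local folder path is consistent with a shortcut whose target or arguments were changed. The following PowerShell script is an added example for that check, not code from the thread or from any of the tools it names. It assumes the shortcuts live in the usual Desktop and Start Menu locations, and the regular expressions it uses for "suspicious" targets and arguments are the author's own heuristic.

```powershell
# Added example (not from the thread): audit Chrome shortcuts and report any
# whose target is not chrome.exe or whose arguments carry a URL or file path.
# Assumption: shortcuts are in the user/common Desktop and Start Menu folders.
$shell = New-Object -ComObject WScript.Shell

$locations = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shortcuts = Get-ChildItem -Path $locations -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '(?i)chrome' }

foreach ($lnk in $shortcuts) {
    $sc        = $shell.CreateShortcut($lnk.FullName)
    $target    = [string]$sc.TargetPath
    $arguments = [string]$sc.Arguments
    $findings  = @()

    # A legitimate Chrome shortcut points directly at chrome.exe.
    if ($target -notmatch '(?i)\\chrome\.exe$') {
        $findings += "target is not chrome.exe: '$target'"
    }
    # A target that no longer exists is also worth a look.
    if ($target -and -not (Test-Path -LiteralPath $target)) {
        $findings += "target path does not exist"
    }
    # Chrome shortcuts normally have no arguments; a URL, file:/// or drive
    # path in the arguments would override the configured start page.
    if ($arguments -match '(?i)https?://|file:///|[a-z]:\\') {
        $findings += "arguments contain a URL or path: '$arguments'"
    }

    [pscustomobject]@{
        Shortcut  = $lnk.FullName
        Target    = $target
        Arguments = $arguments
        Findings  = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}
```

Run it in a normal PowerShell session before removing the old shortcut; a shortcut that reports no findings but still opens Chrome on the wrong location points elsewhere (for example the browser's own settings), which is what the cleanup steps in the thread address.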
  12. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    That fixed it! Thank you very much! :)

    So am I correct in assuming the reason that didn't work yesterday was because of all the things that ZHPcleaner and RogueKiller removed for us?
     
    dr.moriarty likes this.
  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :D Yes! (and you're very welcome!) Did you ever run Adwcleaner to see if it found anything?

    Ready for the final cleanup steps?
     
  14. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I never did run Adwcleaner, no. My bad. It's not currently installed on that particular PC, but I can install it and run it if you want to see what it can find?

    Aside from that, yes, all set for the final steps. :)
     
  15. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    To be thorough -

    Now please download Junkware Removal Tool to your desktop.
    • Make sure to shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Upload JRT.txt to your next message.
    Please also download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Report button...a logfile (AdwCleaner[S#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • Upload this log to your next reply.
     
  16. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I've always been a fan of being thorough. JRT log and AdwCleaner log, as requested.
     

    Attached Files:

    dr.moriarty likes this.
  17. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Chrome is a pain, isn't it? We're almost there..being thorough pays off.

    Using AdwCleaner.exe previously downloaded:
    • Double click on AdwCleaner.exe to run the tool. (Vista, Win7/8/10 users should right-click and "Run As Administrator")
    • Click on the Scan button.
    • When the scan has completed, click on the Clean button.
    • Press OK when asked to close all programs and follow the on-screen prompts.
    • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
    • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
    • Upload this log to your next reply.
     
  18. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    Yes, it can be. Good thing we like it so much, or we'd be tempted to get rid of it... ;)

    AdwCleaner log attached.
     

    Attached Files:

  19. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :cool:

    All Done! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase it, it provides no protection. It does not use any significant amount of resources (except a little disk space) until you run a scan.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, Win 7/8/10 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7/8/10, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
    Safe surfing!
     
    Mimsy likes this.
  20. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    ...and that should do it then. System Restore is back on, MalwareBytes and CCleaner get to stay installed, and all is well with the computer again.

    Thank you again, for helping. Believe me, it's very much appreciated. :)
     
    Kestrel13! and dr.moriarty like this.
  21. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;) I appreciate that... and you're very welcome!
     
