Suspected Malware, can you plz help review logs?

Discussion in 'Malware Help (A Specialist Will Reply)' started by MaryC, Apr 28, 2014.

  1. MaryC

    MaryC Private E-2

    Dear MajorGeeks,
    Following unusual activity via my Outlook 2013 (email address was spoofed as best as I can guess), I thought it would be prudent to verify that my machine is clean. (password has been changed for the affected account, but no access to the account was apparent, so it's uncertain how the account was compromised.)

    I did download 2 templates and 1 photo (not porn), but I thought all were trustworthy sources.

    I have run all of the read & run initial tools. I had to download the debug version of RogueKiller and that appeared to have found suspicious entries. Hitman found these "funmoods" "escort" files that have me concerned.

    Your expertise and help is greatly appreciated.


    Regards,
    Mary C.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not having malware problems. Your logs are basically clean other than the junkware that Hitman found. Funmoods does not hack your computer or steal info. It is just adware/junkware. You can allow Hitman to delete those items and also run the below for good measure.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
  3. MaryC

    MaryC Private E-2

    What a relief - thank you!
    I ran Hitman once again and deleted the adware.
    I also ran JRT as you suggested and the log is attached.

    Since my logs are OK, this might be irrelevant, but I would like to mention it anyway. Rogue Killer created a quarantine folder on my desktop. Do I need to keep that or should I delete it? This was before I downloaded & ran the debug version of Rogue Killer. The original version kept crashing following the pre-scan. The first time I ran the original version, the pre-scan identified "yogaserver" as a possible or suspicious threat and it looked like it had been quarantined. But it didn't show up again later. Is that anything that I need to be worried about? I apologize if I should have mentioned this in my previous post.

    Thank you again for your expertise and help.
    Your service, support and guidance to us, without judgment and with empathy (and patience) is a tremendous asset to the community. Thank you!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Final instructions down below should take care of this and more. ;)

    It is part of your Lenovo PC software.


    Since you are not having malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
     
  5. MaryC

    MaryC Private E-2

    All steps completed!
    Thank you again. You are all incredible!
    Navigating to the donate button now. :heart
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. And thanks!:)
     
