Author Topic: [in progress] New country, new computer, more problems  (Read 2723 times)

Offline Broly3k8

  • Bronze Member
  • Posts: 71
Re: [in progress] New country, new computer, more problems
« Reply #15 on: April 08, 2016, 05:36:27 PM »
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/9/2016
Scan Time: 12:10 AM
Logfile: MWB.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.04.08.06
Rootkit Database: v2016.04.03.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Manuela

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 366727
Time Elapsed: 38 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 445
Re: [in progress] New country, new computer, more problems
« Reply #16 on: April 10, 2016, 02:03:30 AM »
Thanks for the logs, a couple of necessary checks to do:-
 
 Run A Scan With SystemLook

Please download SystemLook from the download mirror :-
http://downloads.malwareremoval.com/SystemLook/SystemLook_x64.exe
and save it to your Desktop.
  • Double-click SystemLook_x64.exe to run it.
  • OK the User Account Control.
  • Copy the content of the following codebox into the main textfield:
Code:

:folderfind
Speedmon
CheckMeup
Pokki
:filefind
Speedmon
CheckMeup
Pokki
:regfind
Speedmon
Pokki
  • Click the Look button to start the scan.
  • Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The results log can also be found on your Desktop.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


Please download AdwCleaner onto your Desktop.

Take care NOT to click on any ad, such as PC Optimizer Pro. The correct link is the button labeled "Download from Bleeping Computer".
NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

  • Close your browser and double click the AdwCleaner icon on your desktop.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
       
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot

    After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply....
   
  • If you lose track of the log, it is saved in this folder C:\AdwCleaner\


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed.
This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:
This utility can only be run using Internet Explorer, Chrome, or Firefox. Chrome and Firefox users will need to download and run a small utility file when prompted before starting scan

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin.

(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download ESET SMART Installer during the process)

Go to Eset web page HERE to run an online scan from ESET.
   
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
       
  • Click on the Run ESET Online Scanner button
Click Start
   
  • When asked, allow the add-on to be installed
Click Start
   
  • Make sure that the option "Remove found threats" is UNticked
       
  • Click on Advanced Settings, ensure the following options are checked:
Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

   
  • Select "Change" next to Current scan targets A new window will open, select any extra drives, Flash drives etc as required.
        Click Scan
       
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish


When the scan is complete
   
  • If no threats were found
       
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found


    If threats were found
       
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish

    Please copy & paste the log  (If applicable) here.

    I need the SysLook log, Adware log & (if applicable) Eset log please.

    How is your machine running now?
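The SystemLook script above searches folder names, file names and registry keys for the three names. As an added example (not SystemLook itself and not part of the original post), here is a read-only PowerShell sweep that does the same kind of lookup and writes its own log next to the SystemLook one, so the two can be compared. The folder roots and registry roots are assumptions about where such leftovers usually live; it reports matches and deletes nothing.

```powershell
# Added example, not part of SystemLook or of the original post: a read-only
# PowerShell sweep for the same names the :folderfind/:filefind/:regfind script
# above looks for. It only reports matches; it deletes nothing.
# Run from an elevated PowerShell window so HKLM and other profiles are readable.

$Names = @('Speedmon', 'CheckMeup', 'Pokki')

# Folder roots to walk (assumed: common adware drop locations, not an exhaustive list).
$FolderRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData,
    $env:LOCALAPPDATA,
    $env:APPDATA,
    'C:\Users\Public'
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Registry roots to walk, mirroring the hives SystemLook's :regfind reports on.
$RegRoots = @('HKCU:\Software', 'HKLM:\SOFTWARE') | Where-Object { Test-Path -LiteralPath $_ }

function Test-NameMatch {
    # Case-insensitive substring match against every name on the list.
    param([string]$Text)
    foreach ($n in $Names) { if ($Text -like "*$n*") { return $true } }
    return $false
}

$hits = New-Object System.Collections.Generic.List[object]

# 1. Folders and files: one recursive walk, each hit classified by type.
foreach ($root in $FolderRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-NameMatch $_.Name } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Kind     = if ($_.PSIsContainer) { 'folder' } else { 'file' }
                Location = $_.FullName
                Modified = $_.LastWriteTime
            })
        }
}

# 2. Registry: match on key names and on value names/data, like :regfind does.
foreach ($root in $RegRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            if (Test-NameMatch $key.PSChildName) {
                $hits.Add([pscustomobject]@{ Kind = 'regkey'; Location = $key.Name; Modified = $null })
            }
            foreach ($vn in $key.GetValueNames()) {
                $vd = [string]$key.GetValue($vn)
                if ((Test-NameMatch $vn) -or (Test-NameMatch $vd)) {
                    $hits.Add([pscustomobject]@{ Kind = 'regvalue'; Location = "$($key.Name) [$vn] = $vd"; Modified = $null })
                }
            }
        }
}

# 3. Report on screen and save a log on the Desktop beside the SystemLook one.
$sorted = $hits | Sort-Object Kind, Location
if ($hits.Count -eq 0) { 'No matches found.' } else { $sorted | Format-Table -AutoSize }
$sorted | Format-Table -AutoSize | Out-File -FilePath "$env:USERPROFILE\Desktop\NameSweep.txt" -Encoding UTF8
```

A registry key that survives a folder clean-up (as the SpeedMon keys later in this thread do) shows up here as a `regkey` hit with no file beside it, which is exactly the leftover-entry pattern the staff are checking for; the sweep does not touch it, so removal stays with the tools the helper prescribes.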

Offline Broly3k8

  • Bronze Member
  • Posts: 71
Re: [in progress] New country, new computer, more problems
« Reply #17 on: April 17, 2016, 04:36:31 PM »
Hey, just giving a quick update since I have been MIA. I haven't forgotten this, I've just not been around the computer a whole lot these past few weeks. Between strep throat, Drill, and job searching, I haven't actually been at home a whole lot. When I am, I find myself using my phone more than anything because I don't really have a need for the laptop, as I only really check Reddit, other social media, and/or emails atm.

I will do what you last told me to in the next week or so, but I at least wanted to come in and let you know I haven't forgotten and I will continue shortly.

2 Side notes:

1. How can I check and see if anyone other than the 2 phones in the house, and the laptop when it's on, is using the wifi/router?

2. I have a 4TB Hitachi external hard drive. It was working fine until yesterday. Now it's giving me error 38 when I look it up in the Device Manager. Give me a sec, I'll copy paste it.... Annndd scratch that. It apparently connects now. Idk what was going on before, but now it works. Thank god, because it has all of my resume stuff on it.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 445
Re: [in progress] New country, new computer, more problems
« Reply #18 on: April 18, 2016, 02:13:03 PM »

Hello Broly3k8,

Appreciate the update, thank you. No problem for me, I will be here when you are ready.
I would prefer that you do not use the laptop until you run those scans above.

Sorry to hear you have been poorly ...

Quote
1. How can I check and see if anyone other than the 2 phones in the house, and the laptop when it's on, is using the wifi/router?

I will check that out & come back to you.

Offline Broly3k8

  • Bronze Member
  • Posts: 71
Re: [in progress] New country, new computer, more problems
« Reply #19 on: April 26, 2016, 06:26:39 AM »
Hey, sorry for the delay again. I actually ended up going to Austria for a little week-long vacation with my girlfriend, and got back about an hour ago. Really good and relaxing week, but unfortunately today things seem to have escalated.

While away in Austria, we left the laptop here at the house, so no one was using it. As we were coming home from the trip, though, I found out Funimation is streaming Yu Yu Hakusho for free. I waited all day to check their website and see if we could view it in Germany as well (spoiler alert, we can't. :'( ). Well, when I first typed in Funimation.com it sent me to this page: http://i.imgur.com/Qp7kaVx.png (I attached the picture as well, just in case you guys don't click links). This is very concerning to me, as if you look at my first post here, it was a page like this that alerted me to the possibility that my computer was/is compromised.

I've been talking to my GF, the owner of this computer, and she just doesn't understand computer security or even really care about it, even though she knows for a fact that it can get you in a lot of trouble (in 2012 one of her cousins used his laptop in her apartment for downloading something, and she got sued over it. Ended up costing her like 5000 Euro.) She keeps using this one website called Solarmovies.is. I have repeatedly begged her not to use the site because Google Chrome won't even allow the page to be opened, and 1) if Google Chrome says it's bad I tend to believe it, and 2) I just do NOT trust any movie streaming site like that at all. Funimation, sure, because it's a reputable company with a decent and secure site.

I have no idea what to do now. I am almost 100% certain her computer and router are compromised. Even though her router is in German I know how to access it online and can change password and stuff, but I have no idea what to do about the computer.


Should I just do what your last instructions said still, or shall we start something new? I'm sorry for all the delays, but I forgot how busy life is here in Germany. I haven't been this active in years.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 445
Re: [in progress] New country, new computer, more problems
« Reply #20 on: April 27, 2016, 02:20:36 PM »

Hello again Broly3k8,

Good to see you back. :)

I would like you to carry out my last instructions please & see what remains after the thorough check by ESET.
Just to emphasise that "Remove found threats" is UNTICKED.

   
Quote
How can I check and see if anyone other than the 2 phones in the house, and the laptop when it's on, is using the wifi/router?


I suggest that you read this article which is quite helpful :-

http://www.recoverysoftware.com/signs-that-someone-is-in-your-wifi-network/

I find that repeatedly watching the router lights with all in house connections switched off is simple & effective.

This might interest you:- http://www.nirsoft.net/utils/wireless_network_watcher.html
platypuss
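The tool linked above lists the devices on the LAN by their hardware (MAC) addresses. As an added example, not from the original post and not the NirSoft tool, here is a PowerShell script that does the same check with what Windows 8/10 already ships: it pings the local subnet so the neighbour cache fills up, reads that cache with `Get-NetNeighbor`, and flags every MAC address that is not in your own list of known devices. The known-device table holds constructed placeholder MACs, and the script assumes the common home /24 subnet; both are assumptions to replace with your own values.

```powershell
# Added example, not from the original post or from the NirSoft tool it links:
# list the devices this laptop has seen on the LAN and flag any MAC address that
# is not in your own list of known devices. Read-only; it changes no settings.

# Known devices keyed by MAC. CONSTRUCTED placeholders: replace with the MACs of
# your own phones, laptop and router (shown in each device's Wi-Fi settings or
# in the router's client list).
$KnownDevices = @{
    'AA-BB-CC-00-00-01' = 'Phone 1'
    'AA-BB-CC-00-00-02' = 'Phone 2'
    'AA-BB-CC-00-00-03' = 'Router'
}

function Get-LocalIPv4 {
    # First non-loopback, non-link-local IPv4 address (assumed to be the Wi-Fi one).
    (Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -First 1).IPAddress
}

function Update-NeighborCache {
    # Ping every host in the local /24 in parallel so the neighbour (ARP) cache
    # fills up. Assumes a /24 subnet, the usual home-router default.
    param([string]$LocalIPv4)
    $prefix = ($LocalIPv4 -split '\.')[0..2] -join '.'
    $tasks = 1..254 | ForEach-Object {
        (New-Object System.Net.NetworkInformation.Ping).SendPingAsync("$prefix.$_", 500)
    }
    try { [System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]$tasks) } catch { }
}

function Get-LanDevices {
    # Resolved IPv4 neighbours, minus broadcast and multicast entries.
    Get-NetNeighbor -AddressFamily IPv4 -ErrorAction Stop |
        Where-Object {
            "$($_.State)" -notin @('Unreachable', 'Incomplete') -and
            $_.LinkLayerAddress -and
            $_.LinkLayerAddress -ne 'FF-FF-FF-FF-FF-FF' -and
            $_.IPAddress -notlike '224.*' -and
            $_.IPAddress -notlike '239.*' -and
            $_.IPAddress -notlike '*.255'
        } |
        ForEach-Object {
            $mac = $_.LinkLayerAddress.ToUpper()
            [pscustomobject]@{
                IPAddress = $_.IPAddress
                MAC       = $mac
                Interface = $_.InterfaceAlias
                State     = "$($_.State)"
                Known     = $KnownDevices.ContainsKey($mac)
                Label     = if ($KnownDevices.ContainsKey($mac)) { $KnownDevices[$mac] } else { 'UNKNOWN' }
            }
        }
}

$local = Get-LocalIPv4
"Sweeping the /24 around $local ..."
Update-NeighborCache -LocalIPv4 $local

$devices = @(Get-LanDevices)
$devices | Sort-Object Known, IPAddress | Format-Table IPAddress, MAC, Label, State, Interface -AutoSize

$unknown = @($devices | Where-Object { -not $_.Known })
if ($unknown.Count -gt 0) {
    "Unknown MAC addresses seen: $($unknown.Count). Cross-check against the router's own client list before drawing conclusions."
} else {
    'Every device seen is on the known list.'
}
```

Two caveats a practitioner would add: the cache only shows hosts that answered on this subnet at the time of the sweep, so a device that ignores ping or is asleep will not appear, and the router's own client list (or the watch-the-lights method above) remains the authoritative view. Treating an unknown MAC as a prompt to change the Wi-Fi passphrase, as the original poster later does, is the right defensive response; MACs are easy to spoof, so the allowlist is a sanity check, not proof.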

Offline Broly3k8

  • Bronze Member
  • Posts: 71
Re: [in progress] New country, new computer, more problems
« Reply #21 on: April 30, 2016, 05:13:56 PM »
Eset came back clean, here are the two other documents:

Systemlook.txt

SystemLook 04.09.10 by jpshortstuff
Log created at 13:41 on 30/04/2016 by Manuela
Administrator - Elevation successful

========== folderfind ==========

Searching for "Speedmon"
No folders found.

Searching for "CheckMeup"
No folders found.

Searching for "Pokki"
C:\Users\Public\Pokki   d------   [20:39 11/03/2015]

========== filefind ==========

Searching for "Speedmon"
No files found.

Searching for "CheckMeup"
No files found.

Searching for "Pokki"
No files found.

========== regfind ==========

Searching for "Speedmon"
[HKEY_CURRENT_USER\SOFTWARE\SpeedMon]
[HKEY_USERS\S-1-5-21-1843969628-2550347277-812774644-1001\SOFTWARE\SpeedMon]

Searching for "Pokki"
No data found.

-= EOF =-



Adwcleaner[C1].txt

# AdwCleaner v5.114 - Bericht erstellt am 30/04/2016 um 18:34:13
# Aktualisiert am 27/04/2016 von Xplode
# Datenbank : 2016-04-27.1 [Server]
# Betriebssystem : Windows 10 Home  (X64)
# Benutzername : Manuela - TINKKITTEN1701
# Gestartet von : C:\Users\Manuela\Desktop\AdwCleaner.exe
# Option : Löschen
# Unterstützung : http://toolslib.net/forum

***** [ Dienste ] *****


***** [ Ordner ] *****

[-] Ordner gelöscht : C:\ProgramData\91fe301400005847
[-] Ordner gelöscht : C:\Program Files (x86)\predm
[-] Ordner gelöscht : C:\Users\Manuela\AppData\Local\globalUpdate
[-] Ordner gelöscht : C:\Users\Manuela\AppData\Roaming\RPEng

***** [ Dateien ] *****

[-] Datei gelöscht : C:\END
[-] Datei gelöscht : C:\Users\Manuela\AppData\Local\Temp\Utils.dll

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Verknüpfungen ] *****


***** [ Aufgabenplanung ] *****


***** [ Registrierungsdatenbank ] *****

[-] Schlüssel gelöscht : HKLM\SOFTWARE\d2e745dd-b95b-a2fe-5726-37e85f9df314
[-] Schlüssel gelöscht : HKCU\Software\Classes\PepperZip
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
[-] Schlüssel gelöscht : HKCU\Software\ClientConnect
[-] Schlüssel gelöscht : HKCU\Software\GlobalUpdate
[-] Schlüssel gelöscht : HKCU\Software\InstalledBrowserExtensions
[-] Schlüssel gelöscht : HKCU\Software\SpeedMon
[-] Schlüssel gelöscht : HKCU\Software\Wnkey
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Clara
[-] Schlüssel gelöscht : HKLM\SOFTWARE\InstalledBrowserExtensions
[-] Schlüssel gelöscht : HKLM\SOFTWARE\VisualDiscovery
[-] Schlüssel gelöscht : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
[-] Schlüssel gelöscht : [x64] HKLM\SOFTWARE\InstalledBrowserExtensions
[-] Schlüssel gelöscht : [x64] HKLM\SOFTWARE\WebBar
[-] Schlüssel gelöscht : HKU\S-1-5-21-1843969628-2550347277-812774644-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Installer
[-] Daten wiederhergestellt : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Daten wiederhergestellt : HKU\S-1-5-21-1843969628-2550347277-812774644-1001\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Schlüssel gelöscht : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\azlyrics.com
[-] Schlüssel gelöscht : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.azlyrics.com
[-] Schlüssel gelöscht : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\azlyrics.com
[-] Schlüssel gelöscht : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.azlyrics.com
[-] Wert gelöscht : HKU\S-1-5-21-1843969628-2550347277-812774644-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Optimizer Pro]
[-] Wert gelöscht : HKU\S-1-5-21-1843969628-2550347277-812774644-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Pokki]
[-] Wert gelöscht : HKU\S-1-5-21-1843969628-2550347277-812774644-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [SpeedMon]

***** [ Internetbrowser ] *****


*************************

:: "Tracing" Schlüssel gelöscht
:: Winsock Einstellungen zurückgesetzt

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [5770 Bytes] - [30/04/2016 18:34:13]
C:\AdwCleaner\AdwCleaner[S1].txt - [6196 Bytes] - [30/04/2016 18:27:58]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [5916 Bytes] ##########

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 445
Re: [in progress] New country, new computer, more problems
« Reply #22 on: May 02, 2016, 10:36:29 AM »
Hello Broly3k8,
That is looking good. :)

Just as a final check for any missed items:-

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
    >>>>>>>>>>>>>>>>>>>>>>>

    If it comes back clean :-

    Your system is now free of Malware. It is vital that you create a System Restore point for safety purposes. We need to remove some tools too.

    Download "Delfix by Xplode" and save it to your desktop.

    Or use the following if first link is down:

    "Delfix link mirror": http://ccm.net/download/download-24087-delfix

  • Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator
  • Make Sure the following items are checked:
Remove disinfection tools
    Purge System Restore <--- this will remove any previous and possibly exploited restore points, a new point will be created.
    Reset system settings



  • Now click on "Run" and wait patiently until the tool has completed.
  • The tool will create a log when it has completed. I don't need you to post this.
  • Any remnant files/logs from tools we have used can be deleted…
>>>>>>>>>>>>>

Now post back & confirm that the above steps have been taken please.
Also the JRT.txt (If applicable)
How is the computer running now?

There is more to follow.....

platypuss

Offline Broly3k8

  • Bronze Member
  • Posts: 71
Re: [in progress] New country, new computer, more problems
« Reply #23 on: May 17, 2016, 02:05:15 PM »
Hey, sorry it's taken me so long to reply. I actually thought I had replied, but came back today to check for replies from you guys and realized either mine didn't post, or I just didn't hit the right button. Who knows.

JRT came back clean, and I had already been systematically removing the programs after using them. I waited a week the first time before I 'tried' to post, just to make sure everything was going smoothly.

As of now everything is going smoothly. The computer hasn't had any problems as of late, and yesterday, after a particularly aggravating bout with the router/internet provider, I went ahead and hard reset the router, and changed all of the security keys and passwords. I'm still paranoid about her having been hacked by Ukrainians or something, but short of figuring out how to change her IP, I think I've done all I can for now.

I am ready for the next step.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 445
Re: [in progress] New country, new computer, more problems
« Reply #24 on: May 18, 2016, 01:34:20 PM »
Hello Broly3k8
 
Quote
JRT came back clean, and I had already been systematically removing the programs after using them. I waited a week the first time before I 'tried' to post, just to make sure everything was going smoothly.

Good that the machine is running OK, there are no "Ukrainians et al" on board!
I am not sure that you have run Delfix (it does more than just removing our Tools)... if you haven't, please do this:-



 Please download Delfix by Xplode and save it to your desktop.

Or use the following if first link is down:

Delfix link mirror

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

       
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge System Restore
    • Reset system settings


    Now click on Run and wait patiently until the tool has completed.

    The tool will create a log when it has completed. I don't need you to post this.

    Part of the routine will be to create a registry backup with ERUNT; the backup will be created here: C:\Windows\ERUNT.

    >>>>>>>>>>>>>>>>>>>>>>>>>>


    Next,

    Please read the following link to fully understand PC security and best practices, you may find it very useful....

    http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

    This is another that might appeal to you HERE

    Thank you for staying with me throughout, it has been enjoyable working with you. Good luck in Germany.

    platypuss