
infected start menu hijacker



We have been infected with the start menu hijacker. I have only these logs; both were run while in safe mode. Malwarebytes Pro is installed, but I cannot seem to find it to run in safe mode. I have run the scan in normal mode at least three times and removed the registry values it found infected each time, with no luck.

DDS.txt


Hello Will and welcome to MalwareBytes forums.

This is a home computer?

It is now in Safe Mode with Networking?

For the time being, do not do any websurfing. Do not go to any other sites. Only this forum and the sites I may guide you to.

Do not run tools on your own. Check here first and ask if you have questions.

Did you happen to see any rogue-popup windows, with maybe strange names?

Try to bring up Task Manager (CTRL+ALT+DEL keys) then select Task Manager.

Go to the Processes tab. Look for these 2 and, one by one, select each by clicking its line in the list and then select "End Process".

Just these 2 processes only.

J8L3yeFVgDat0e.exe

nMQsPVYoUn.exe

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

To show all files:

  • Go to your Desktop
  • Double-Click the Computer icon.
  • From the menu options, Select Tools, then Folder Options.
  • Next click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders and drives.
  • Click Apply > OK.

Step 3

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Step 4

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

Step 5

Copy & Paste the contents of Log.txt, Info.txt & Checkup.txt.

Use separate replies as needed if logs do not fit into one reply box.
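As an added example (not part of the helper's instructions or any Malwarebytes tool), the same three actions can be scripted from an elevated PowerShell prompt: back up the Explorer view key before touching it (the reason the ERUNT step comes first), apply the Step 2 "show all files" settings, and list running processes whose executable lives in a user-writable location, which is where the randomly named processes above would typically show up. It assumes Windows PowerShell 5.1 or later; the function names and the backup file path are my own choices.

```powershell
# Added example for this thread, not the helper's or Malwarebytes' code.
# Assumes Windows PowerShell 5.1+; run from an elevated prompt for Get-CimInstance
# to see every process. Function names and the backup path are arbitrary choices.

# --- Backup first (the purpose of the ERUNT step): export the key we are about to edit ---
function Backup-ExplorerViewKey {
    param([string]$OutFile = (Join-Path $env:USERPROFILE 'explorer-advanced-backup.reg'))
    # reg.exe export writes a .reg file that 'reg import' can restore later
    & reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' $OutFile /y | Out-Null
    return $OutFile
}

# --- Step 2 equivalent: show hidden files, file extensions and protected OS files ---
function Show-HiddenFilesAndExtensions {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'Hidden'          -Value 1 -Type DWord   # 1 = show hidden items
    Set-ItemProperty -Path $key -Name 'HideFileExt'     -Value 0 -Type DWord   # 0 = show extensions
    Set-ItemProperty -Path $key -Name 'ShowSuperHidden' -Value 1 -Type DWord   # 1 = show protected OS files
    # Explorer reads these values at start-up; restart it so the change takes effect
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
}

# --- Task Manager step, scripted: processes running from user-writable directories ---
function Get-ProcessFromUserWritablePath {
    # Locations a standard user can write to; legitimate software is rarely launched from here
    $userWritable = @($env:USERPROFILE, $env:TEMP, $env:ProgramData) | Where-Object { $_ }
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath } |
        Where-Object {
            $exe = $_.ExecutablePath
            ($userWritable | Where-Object { $exe.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
        } |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine
}

# Usage, in the order the helper gives the steps
$backup = Backup-ExplorerViewKey
Write-Host "Registry key backed up to $backup"
Show-HiddenFilesAndExtensions
Get-ProcessFromUserWritablePath | Format-Table -AutoSize
```

The process listing is for review only: it surfaces candidates such as the two names the helper asked for, alongside their full path and command line, so the entries can be matched against the instructions before anything is ended with Task Manager or `Stop-Process -Id`. Keep the exported `.reg` file until the cleanup is finished; `reg import` restores the original view settings.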


No, it is a work computer.

Right now it is booted in normal mode, running a Malwarebytes full scan.

There are a bunch of windows coming up and some weird programs, none of which I can end. When I rebooted this last time it seems to have disappeared, and I can now run the Task Manager and can't find those processes running, which I assume is good. Malwarebytes is in the process of running a full scan; should I still proceed with the above instructions?


I really need & urge you to report the infection to the ownership & to the Help Desk (if your company has one).

If your company has a Corporate license, I need to know that.

If you do not have a Corporate license, it is against the MBAM EULA to have it on a company or organization computer.

There are other means available to quash the infection.

Furthermore, if you expect me to help you further, do NOT get and run any tools on your own.

That is to ensure we are both in sync as to the current status of the computer.

You can't do what you have done just now (switch modes) and run stuff on your own... once you asked for guided help here.

I gotta insist you get the owners OK before we get further along.

ALSO, if this system is connected to the company network, I must insist you disconnect from that (unplug the network cable).

If you do not do that, there's a good chance the malware on this system will spread to other machines on the company network!


Given that this is a business system, and that many businesses use software or security products I may not be familiar with, or settings that are normal and should not be removed, I will not be able to extend further help to you.

I would suggest you contact Consumer Support and/or Corporate Support for assistance.

Wish you well.

This topic is now closed to further replies.