
Computer is Infected, MB stuck on heuristic analysis


Recommended Posts

Hello,

I installed a program called "Imgburn" and now my computer is full of malware.

It became extremely slow, my Chrome is hijacked, and there are some unwanted programs forcibly installed.

I have tried to run Malwarebytes in safe mode, but it was stuck on Heuristic analysis for hours, so I had to cancel it.

 

I attached the files that I got from the Farbar Recovery Scan.

 

Thanks in advance!

FRST_06-08-2015_19-52-20.txt

Addition_06-08-2015_19-52-20.txt


Hello and welcome,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Run the following please;

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report"; the log will open. Close the program > Don't Fix anything!
  • Post back the report which should also be located here:



C:\Programdata\RogueKiller\Logs <-------- W7/8
C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------XP
 

Thank you,

 

Kevin...

Hi Kevin,

Thank you for your help!

I've uninstalled all the piracy and P2P programs I found.

I couldn't find a .txt file, just a .json file, so I pasted the log here.

Here is the log from Rogue Killer:

 

RogueKiller V10.9.4.0 [Jul 30 2015] by Adlice Software
 
Operating System : Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : itay679 [Administrator]
Started from : C:\Users\itay679\Downloads\RogueKiller.exe
Mode : Scan -- Date : 08/07/2015 12:57:59
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 7 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3FA02250-A902-4333-8292-549A8EB92663} | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3FA02250-A902-4333-8292-549A8EB92663} | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)])  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3FA02250-A902-4333-8292-549A8EB92663} | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)])  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2625312380-2101670457-819080607-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
 
¤¤¤ Tasks : 4 ¤¤¤
[suspicious.Path] %WINDIR%\Tasks\GoogleUpdateTaskUserS-1-5-21-2625312380-2101670457-819080607-1007Core.job -- C:\Users\Avilan\AppData\Local\Google\Update\GoogleUpdate.exe (/c) -> Found
[suspicious.Path] %WINDIR%\Tasks\GoogleUpdateTaskUserS-1-5-21-2625312380-2101670457-819080607-1007UA.job -- C:\Users\Avilan\AppData\Local\Google\Update\GoogleUpdate.exe (/ua /installsource scheduler) -> Found
[suspicious.Path] \GoogleUpdateTaskUserS-1-5-21-2625312380-2101670457-819080607-1007Core -- C:\Users\Avilan\AppData\Local\Google\Update\GoogleUpdate.exe (/c) -> Found
[suspicious.Path] \GoogleUpdateTaskUserS-1-5-21-2625312380-2101670457-819080607-1007UA -- C:\Users\Avilan\AppData\Local\Google\Update\GoogleUpdate.exe (/ua /installsource scheduler) -> Found
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.1 mssplus.mcafee.com
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200AAKS-00B3A0 ATA Device +++++
--- User ---
[MBR] 6022c61e0b8df24c36181be87683d14d
[bSP] da5bb0547a9cead0dde304edbbccb922 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
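The RogueKiller report above is a plain-text format that can be triaged programmatically. The following Python script is an added example, not part of the thread and not RogueKiller's own code: it splits a report into its ¤¤¤ sections, classifies the PUM.Dns resolver entries by whether the address is private (the report itself labels 10.0.0.138 as a private address, which is normally the LAN router handing out DHCP), and flags hosts-file lines that point a protection vendor's host at an address other than loopback, as the `0.0.0.1 mssplus.mcafee.com` line does. The vendor suffix list and the severity labels are this example's own assumptions; the sample report embedded in the script is a trimmed copy of the posted log with the Registry count adjusted to the lines kept.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: header and a handful of lines copied from the report posted
# in the thread, trimmed to what this example needs (Registry count adjusted).
SAMPLE_REPORT = r"""RogueKiller V10.9.4.0 [Jul 30 2015] by Adlice Software

Operating System : Windows 7 (6.1.7600 ) 32 bits version
Mode : Scan -- Date : 08/07/2015 12:57:59

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.138 ([(Private Address) (XX)])  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-2625312380-2101670457-819080607-1012\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 0.0.0.1 mssplus.mcafee.com

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200AAKS-00B3A0 ATA Device +++++
"""

# Section header: "¤¤¤ Name : count ¤¤¤"; the count may be absent (MBR Check)
# and an annotation in parentheses may follow it (Antirootkit).
SECTION_RE = re.compile(r"^¤¤¤\s+(?P<name>.+?)\s*:\s*(?P<count>\d*)\s*(?:\([^)]*\))?\s*¤¤¤\s*$")
HOSTS_RE = re.compile(r"^\[(?P<file>[^\]]+)\]\s+(?P<ip>\S+)\s+(?P<host>\S+)")
DNS_RE = re.compile(r"^\[PUM\.Dns\]\s+(?P<key>.+?)\s+\|\s+(?P<value>\w+)\s*:\s*(?P<ip>[0-9a-fA-F.:]+)")

# Assumption of this example: domains a protection product must reach for
# updates and cloud lookups. Extend it for the products actually installed.
SECURITY_VENDOR_SUFFIXES = ("mcafee.com", "malwarebytes.com", "symantec.com",
                            "kaspersky.com", "microsoft.com", "windowsupdate.com")


@dataclass
class HostsFinding:
    host: str
    ip: str
    severity: str
    reason: str


def parse_sections(report: str) -> dict[str, tuple[int | None, list[str]]]:
    """Map each section name to (reported count, non-empty body lines)."""
    sections: dict[str, tuple[int | None, list[str]]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            sections[current] = (int(m["count"]) if m["count"] else None, [])
            continue
        if current and line:
            sections[current][1].append(line)
    return sections


def triage_hosts(lines: list[str]) -> list[HostsFinding]:
    """Rate each hosts-file override; a vendor host sent anywhere but loopback is high."""
    findings = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if not m:
            continue
        ip_text, host = m["ip"], m["host"].lower()
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(HostsFinding(host, ip_text, "medium", "unparseable address"))
            continue
        vendor = any(host == s or host.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)
        if addr.is_loopback or addr.is_unspecified:
            # 127.x / 0.0.0.0 pins are the ad-block style of entry; still worth a
            # look when the name belongs to a protection vendor.
            findings.append(HostsFinding(host, ip_text, "medium" if vendor else "info",
                                         "name sinkholed to loopback/unspecified"))
        elif vendor:
            findings.append(HostsFinding(host, ip_text, "high",
                                         "security vendor host pointed at a foreign address"))
        else:
            findings.append(HostsFinding(host, ip_text, "medium",
                                         "name redirected to a non-loopback address"))
    return findings


def classify_dns(lines: list[str]) -> list[tuple[str, str, bool]]:
    """Return (setting, resolver address, is_private) for each PUM.Dns line."""
    out = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            addr = ipaddress.ip_address(m["ip"])
            out.append((m["value"], str(addr), addr.is_private))
    return out


if __name__ == "__main__":
    sections = parse_sections(SAMPLE_REPORT)
    for name, (count, body) in sections.items():
        print(f"{name}: count={count} lines={len(body)}")
    for f in triage_hosts(sections.get("Hosts File", (0, []))[1]):
        print(f"[{f.severity}] {f.host} -> {f.ip}: {f.reason}")
    for setting, ip, private in classify_dns(sections.get("Registry", (0, []))[1]):
        print(f"{setting} = {ip} ({'private, LAN resolver' if private else 'public, verify'})")
```

A private DhcpNameServer is the expected default on a home network and on its own is not evidence of compromise; a public resolver you did not configure, or a hosts entry that redirects a vendor's update host, is what merits follow-up.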

Continue please:

 

Scan with ZOEK

Please download ZOEK by Smeenk from here: http://hijackthis.nl/smeenk/ and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears, it may take a minute or two.
  • In the main box please paste in the following script:



services_list;standardsearch;autoclean;emptyclsid;emptyfolderscheck;deleteiedefaults;firefoxlook;chromelook;FFdefaults;CHRdefaults;


  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will open after the reboot. You may also find it at your main drive (usually C:\ drive)



Please include its content in your next reply. Don't forget to re-enable security software!

 

Let me see that log, also give an update on any remaining issues or concerns....

 

Thanks,

 

Kevin
 


Continue as follows:

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, click on the Clean button. <<<--- Ensure this option is completed
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[sn].txt, where n is the scan reference number.

 
Next,
 
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


 

Next,

 

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.


To perform the scan:

  • Make sure that Remove found threats is Checked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology” select “Change” and select any extra drives in that window.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.



Please include this logfile in your next reply.

Don't forget to re-enable security software!

 

Post those logs, also give an update on any remaining issues or concerns...

 

Thanks,

 

Kevin

 


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
