Solved! Requesting Help with My Computer's Infection

DrumsXO

Estimable
Aug 19, 2014
Hey, everyone.

My computer was infected last night. I'm honestly not too familiar with the different types, so I won't try to identify them.

The problem started after I downloaded and opened an executable for what was supposed to be Simple Port Forwarding. When I opened the executable, it wanted to install a bunch of other junk along with SPF, but when I tried to say no to the installation of the other junk, I kept getting an error message saying I had chosen wrong. I then tried to close the installer, but it gave me the same error message. Naturally, I then forced it closed using the Task Manager, but I guess it was too late.

Shortly after that, installation windows kept popping up; things were downloading and installing themselves. I started closing the processes via the Task Manager and removing the programs via Revo Uninstaller, but it wasn't stopping. Naturally, I ran a scan on my system with Avast and found there was a ton of Malware and PUPs on it!

To make matters worse, when I tried to log into Facebook to chat with a friend of mine who knows more about computers than I do, it said my password was incorrect; I knew it wasn't. After multiple failed attempts I used the password recovery feature, only to discover the password to my email account was also coming up incorrect... So I called my friend and he told me I was in DEEP. Adware, Spyware and a Keylogger he suspected.

From there I installed Malware Bytes and let it do its thing a couple of times. On the first run it removed 1,635 threats, most of which were classified as either PUP or KEY threats. After that I started combing through my drives, folder by folder, looking for anything that had been added or modified on 5/18/2015 (the day this started). Once it looked like everything was completely eradicated I ran a System Restore back to Friday morning before this all started. But, it didn't fix the problem.

When the system came back on after the System Restore completed, I ran Malware Bytes again and to my surprise, it found 455 threats, most of which were PUP and KEY threats again. I've also noticed that my Internet isn't working properly, although it works absolutely fine on my mom's computer and our smartphones, which are on the same network as my computer is. So, something is going on here still. I suspect it's Malware or Spyware that I haven't removed.

Here's a summary of the problems:

- Programs kept installing themselves.
- Removing said programs usually triggered the installation of more programs.
- Every password, to every account, on every website I'd logged into since clearing my browser history had been changed.
- Most websites won't load, I can't download anything, and my Internet is generally acting very buggy (but only on MY PC).
- After initial login, startup programs take an unusually long time to load.
- My browser (Opera) takes a very long time to load when I start it, which is VERY unusual. It's normally very quick.

Here's a summary of what I've tried:

- Rebooting my PC.
- Rebooting my router.
- Running a Quick Scan with Avast, using the High Sensitivity and PUP Scan options.
- Running a Full Scan with Avast, using the High Sensitivity and PUP Scan options.
- Running numerous scans with Malware Bytes. Only two of the many scans detected threats (1,635 in one, 455 in the other).
- Manually scanning my system for suspicious files, programs, etc.
- Restoring my system to a previous point in time via System Restore.
- Running AdwCleaner.

Here's a summary of what I did to protect my information:

- Factory reset my router, then changed the login credentials and WiFi password.
- Used my mom's computer to change every password, for every account of mine, on every website I could think of.
- Avoided logging into any of said accounts from this computer, my infected computer. The only account I've created / logged into on it since is this one.

Here's some information about my system gathered by a Tech Support Guy forum program:

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Ultimate, Service Pack 1, 64 bit
Processor: Intel(R) Core(TM) i5-4670K CPU @ 3.40GHz, Intel64 Family 6 Model 60 Stepping 3
Processor Count: 4
RAM: 8136 Mb
Graphics Card: AMD Radeon HD 7900 Series, -1024 Mb
Hard Drives: C: Total - 238472 MB, Free - 110440 MB; E: Total - 1907625 MB, Free - 489420 MB; G: Total - 1907726 MB, Free - 1904817 MB;
Motherboard: MSI, Z87-G45 GAMING (MS-7821)
Antivirus: avast! Antivirus, Updated and Enabled

Here's the log from AdwCleaner:
A Malware Removal Specialist from the Tech Support Guy forums suggested I run this.

# AdwCleaner v4.204 - Logfile created 19/05/2015 at 04:10:29
# Updated 12/05/2015 by Xplode
# Database : 2015-05-12.2 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Patrick - PATRICK-PC
# Running from : E:\My Files\Computer Files\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\ProgramData\SNT
Folder Deleted : C:\ProgramData\SafEweab
Folder Deleted : C:\ProgramData\d9460ee02887318b
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\SNT
Folder Deleted : C:\Program Files (x86)\SafEweab
Folder Deleted : C:\Program Files (x86)\YoutubeAdblocker
Folder Deleted : C:\Users\Administrator\AppData\Local\torch
Folder Deleted : C:\Users\Guest\AppData\Local\torch
Folder Deleted : C:\Users\HomeGroupUser$\AppData\Local\torch
Folder Deleted : C:\Users\Patrick\AppData\Local\Conduit
Folder Deleted : C:\Users\Patrick\AppData\Local\PackageAware
Folder Deleted : C:\Users\Patrick\AppData\Local\torch
Folder Deleted : C:\Users\Patrick\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Patrick\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\ceaohckoegdncfpojeiehjkaffbdahli
File Deleted : C:\Users\Patrick\AppData\Roaming\Mozilla\Firefox\Profiles\zfgkxw9m.default\ invalidprefs.js

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3299568
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\powerpack
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Deleted : HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
Key Deleted : HKLM\SOFTWARE\aartemisSoftware
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\V9Software
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}
Key Deleted : [x64] HKLM\SOFTWARE\aartemisSoftware
Key Deleted : [x64] HKLM\SOFTWARE\V9Software
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v10.0.9200.16736


-\\ Mozilla Firefox v


-\\ Chromium v


-\\ Comodo Dragon v


-\\ Opera v29.0.1795.47


*************************

AdwCleaner[R0].txt - [4803 bytes] - [19/05/2015 04:09:08]
AdwCleaner[S0].txt - [4579 bytes] - [19/05/2015 04:10:29]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4638 bytes] ##########

At this point, I haven't noticed an improvement in my system. The Internet is still finicky, and my browser takes forever to open. Time from initial login to startup programs completely loading hasn't improved either.

Thanks in advance, everyone. I'm really, really hoping I don't have to reinstall my OS and lose everything. :(
 

Sandstorm3000

Estimable
Aug 8, 2014
Try this program; if it doesn't fix it, let me know.

You probably know what the Task Manager is. Open it while no other program is running and tell me what your CPU usage is. Or, better yet, print-screen it.

https://toolslib.net/downloads/viewdownload/1-adwcleaner/ <- Never mind this since you've already done it.

It sounds like it could be a bitcoin miner, which uses up a good amount of your CPU's processing power, so that's why I would like to know what your CPU usage is.

What you could also try is Microsoft's own virus removal tool, Microsoft Security Essentials. Not everyone is as positive about it as I am, but I really like the program since it has found every virus I ever had. If you are going to try this though, make sure your other virus program is disabled so they don't interfere with each other.

http://windows.microsoft.com/nl-NL/windows/security-essentials-download Here you can download it; although the page is in Dutch, it shouldn't be too hard.
 
Solution

Wgfalcon

Distinguished
Feb 4, 2006
Tap the F8 key at startup, enter Safe Mode, and try to do a System Restore to a point before you downloaded the program. Get Kaspersky Rescue Disk 10 (http://www.kaspersky.com/downloads/virusscanner) and Google for how to use it. It's worked well for me. I understand Malwarebytes should deal with it too; not sure if they have a free solution though. Buy a good antivirus. I use Norton, but any of the top 4 or 5, kept updated, should help prevent this particular problem.
 

mdd1963

Distinguished
Try using Sysinternals' Process Explorer to suspend everything first (run it as admin), then trace everything's location (the lower pane in Process Explorer shows where it is located/came from, etc.), then delete en masse. (Processes that are suspended cannot perform a 'Lazarus' on their buddy processes.)

You might also look at FreeFixer...
 

ITkorea

Prominent
May 14, 2017
Disconnect from the internet first before you try to fix anything. I am pretty sure that if things are downloading by themselves, you should try disconnecting from the internet. After that, as Wgfalcon said (May 19, 2015 3:38:50 AM), start from Safe Mode and try to find the problems.

If you remember the date of infection, going through your hard drive and deleting the folders/files that were modified on that date may be helpful.
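As an added example, not from any of the posts above, here is a read-only PowerShell triage script that does the two things the replies describe by hand: it lists every running process with the location of its executable (what the lower pane of Process Explorer shows), and it lists files created or modified on the suspected infection date under the folders the AdwCleaner log shows the adware using (ProgramData, Program Files (x86), user profiles). It assumes PowerShell 3.0 or later and an elevated prompt; the date and the output path are placeholders, and nothing is killed or deleted.

```powershell
# Added example (not from the thread). Read-only triage: nothing is terminated or removed.
# Assumes PowerShell 3.0+ and an elevated prompt. Date and roots are placeholders.
param(
    [datetime]$InfectionDate = '2015-05-18',   # placeholder: the day the installer was run
    [string[]]$Roots = @("$env:ProgramData", "${env:ProgramFiles(x86)}", "$env:SystemDrive\Users")
)

$dayStart = $InfectionDate.Date
$dayEnd   = $dayStart.AddDays(1)

# 1. Running processes and where their executables live (Process Explorer's lower pane).
#    Unsigned binaries running from ProgramData or a user profile deserve a closer look.
Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID       = $_.ProcessId
            ParentPID = $_.ParentProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            Signature = if ($sig) { $sig.Status } else { 'Unknown' }
            UserArea  = $_.ExecutablePath -match '\\(ProgramData|Users)\\'   # outside Program Files / Windows
        }
    } |
    Sort-Object -Property UserArea -Descending |
    Format-Table -AutoSize

# 2. Files created or modified on the infection date under the adware-prone roots.
#    Results go to a CSV on the Desktop so they can be reviewed before anything is deleted.
$report = "$env:USERPROFILE\Desktop\changed-$($dayStart.ToString('yyyy-MM-dd')).csv"
Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.CreationTime  -ge $dayStart -and $_.CreationTime  -lt $dayEnd) -or
        ($_.LastWriteTime -ge $dayStart -and $_.LastWriteTime -lt $dayEnd)
    } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Sort-Object CreationTime |
    Export-Csv -Path $report -NoTypeInformation

Write-Host "File report written to $report"
```

Run it from an elevated PowerShell window while disconnected from the network, then review the process table and the CSV before deciding what to remove.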