
IE & Mozilla browsers hijacked by hao123 and won't go away!


  • This topic is locked

#91
itsdave

    Member

  • Topic Starter
  • 50 posts

No problem I appreciate all the effort you've gone through. Have we completely removed the KMS10 and Keygen files? So you're saying there is no other way except to reinstall the OS?

 

I've still got the New account. When I switch user and log into it, open Firefox, there is no hao123 hijack on the shortcut. Do you know how to transfer all my settings and files (except malicious ones) over to the other account and to remove this one? From what I understand, my main account only stores settings and other documents in C:\Users\David (and I hardly store anything in that folder - all the files are either in C or D drive outside of that directory tree)

 

What do you think?

 

edit: Also, would it not suffice to simply delete any registry entries in regedit that contain 'kms' or 'hao'? Or is that not effective?


Edited by itsdave, 14 March 2016 - 01:08 AM.

  • 0



#92
dbreeze

    Trusted Helper

  • Malware Removal
  • 2,216 posts

You can follow the steps in this article to move to a new user profile (the article says Win8 but the same is true for Win10).  However, there is no guarantee that the same problems won't come back.

 

The registry modifications (that I saw in the reports / research) made by the malware files were very extensive and involve some of the OS core functions.  I know from past experience that the wrong modification in some of these functions will result in an unbootable system.  And, unfortunately, the malware writers made sure that the terms you mentioned were very seldom, if ever, used in the registry.

 

Best to back up the personal data and format - install - load programs and copy personal data back.

 

Please let me know how you are proceeding; if you are not going to format the drive then we need to remove our tools from the system.


  • 0

#93
itsdave

    Member

  • Topic Starter
  • 50 posts

Considering we've already moved all the files from \User directory to the New directory in a previous attempt, if I delete my main account now and switch over I don't lose anything right? Only personal settings, desktop shortcuts etc.

 

If that's the case then I can just switch everything over. I've switched onto the other account (New) and the Firefox shortcut is still clean.

 

I think it's worth a shot trying. I'll test the Firefox shortcut on my new account tomorrow/following day and see what happens. I haven't done any copying over since the first time you told me to do it. Everything looks ok for now and I'm a little paranoid to copy again (in the case the hijacking does cross over). Will keep you posted.


Edited by itsdave, 15 March 2016 - 02:25 AM.

  • 0

#94
dbreeze

    Trusted Helper

  • Malware Removal
  • 2,216 posts

The choice is up to you.  I am only reporting my findings and what my recommendations are.  I would be very careful about using the system with personal information (banking, etc.).

 

I would like to ask one favor however; I have received a request from a fellow malware fighter who would like to examine the MBR of your system for any malware that might slip by the standard scanners.  If you don't mind, please run the following scanner, post the resulting log and upload the MBR file to my malware channel at BleepingComputer.  Thanks.

 

  • Download aswMBR.exe ( 511KB ) to your desktop. If you already have this application, this is a new version I need you to download.
  • Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • If your computer supports Virtualization Technology, select Yes to use it for rootkit detection.
  • On completion of the scan click Save Log, save it to your desktop and post it in your next reply.
  • The tool will also produce a copy of the mbrdump labeled MBR.dat. Please zip that file and attach it to a reply.

Please upload the mbrdump zipped file to here.

 

 


  • 0

#95
itsdave

    Member

  • Topic Starter
  • 50 posts

MBR.dat file has been uploaded to the channel provided. Hope it is the right one you're after.

 

edit: I logged into the New account to do the scan. Firefox shortcut is fine.. for now.

 

 

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2016-03-16 19:32:05
-----------------------------
19:32:05.163    OS Version: Windows x64 6.2.9200
19:32:05.163    Number of processors: 4 586 0x5E03
19:32:05.165    ComputerName: DESKTOP-TTGS3RU  UserName: New
19:32:05.275    Initialize success
19:32:05.277    VM: initialized successfully
19:32:05.278    VM: Intel CPU supported
19:32:14.995    VM: disk I/O iaStorA.sys
19:32:16.882    AVAST engine defs: 16031401
19:32:35.645    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000002e
19:32:35.647    Disk 0 Vendor: Samsung_SSD_850_EVO_M.2_120GB EMT21B6Q Size: 114473MB BusType: 11
19:32:35.648    Disk 1  \Device\Harddisk1\DR1 -> \Device\0000002f
19:32:35.650    Disk 1 Vendor: ST1000DM003-1CH162 CC49 Size: 953869MB BusType: 11
19:32:35.656    Disk 0 MBR read successfully
19:32:35.657    Disk 0 MBR scan
19:32:35.659    Disk 0 Windows 7 default MBR code
19:32:35.660    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS          500 MB offset 2048
19:32:35.663    Disk 0 Partition 2 00     07      HPFS/NTFS NTFS       113971 MB offset 1026048
19:32:35.668    Disk 0 scanning C:\WINDOWS\system32\drivers
19:32:36.891    Service scanning
19:32:37.103    Service AsrAutoChkUpdDrv C:\WINDOWS\SysWOW64\Drivers\AsrAutoChkUpdDrv.sys **LOCKED**
19:32:39.739    Modules scanning
19:32:39.751    Disk 0 trace - called modules:
19:32:39.767    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll iaStorA.sys
19:32:39.779    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe00171100060]
19:32:39.787    3 CLASSPNP.SYS[fffff8010cc17d95] -> nt!IofCallDriver -> [0xffffe00171d8c930]
19:32:39.792    5 ACPI.sys[fffff8010c871361] -> nt!IofCallDriver -> [0xffffe00171d8ae40]
19:32:39.797    7 ACPI.sys[fffff8010c871361] -> nt!IofCallDriver -> \Device\0000002e[0xffffe00171e39400]
19:32:39.905    AVAST engine scan C:\WINDOWS
19:32:40.039    AVAST engine scan C:\WINDOWS\system32
19:32:53.047    AVAST engine scan C:\WINDOWS\system32\drivers
19:32:54.670    AVAST engine scan C:\Users\New
19:33:15.470    AVAST engine scan C:\ProgramData
19:33:21.496    Disk 0 statistics 1293376/0/0 @ 2271.70 MB/s
19:33:21.501    Scan finished successfully
19:34:23.192    Disk 0 MBR has been saved successfully to "D:\Users\user\Desktop\MBR.dat"
19:34:23.195    The log file has been saved successfully to "D:\Users\user\Desktop\aswMBR.txt"

 


Edited by itsdave, 16 March 2016 - 12:39 AM.

  • 0
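Reading an aswMBR log by eye works for one post, but the things a helper actually checks in it (the disk's boot code is one aswMBR recognises, exactly one partition is marked active, any driver the scanner could not read, and whether the scan completed) are easy to encode. The script below is an added example, not part of this thread or of the aswMBR tool; it takes the lines from the log posted above as its sample input and lists what a reviewer would look at first.

```python
import re

# Sample input: lines copied from the aswMBR log posted above (Disk 0 scan).
SAMPLE_LOG = r"""
19:32:35.659    Disk 0 Windows 7 default MBR code
19:32:35.660    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS          500 MB offset 2048
19:32:35.663    Disk 0 Partition 2 00     07      HPFS/NTFS NTFS       113971 MB offset 1026048
19:32:37.103    Service AsrAutoChkUpdDrv C:\WINDOWS\SysWOW64\Drivers\AsrAutoChkUpdDrv.sys **LOCKED**
19:33:21.501    Scan finished successfully
"""
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(?P<msg>.*)$")  # every log line is timestamped
MBR_RE = re.compile(r"Disk (?P<disk>\d+) (?P<code>.*MBR code)$")
PART_RE = re.compile(r"Disk (?P<disk>\d+) Partition (?P<n>\d+) (?P<boot>[0-9A-F]{2})(?: \(A\))?"
                     r"\s+(?P<type>[0-9A-F]{2})\s+.*?(?P<size>\d+) MB offset (?P<off>\d+)$")

def parse_aswmbr(text):
    """Extract the MBR verdict, partition table, locked drivers and completion flag."""
    report = {"mbr_code": {}, "partitions": [], "locked_services": [], "finished": False}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner/blank lines carry no timestamp
        msg = m.group("msg")
        if (c := MBR_RE.match(msg)):
            report["mbr_code"][int(c.group("disk"))] = c.group("code")
        elif (p := PART_RE.match(msg)):
            report["partitions"].append({"disk": int(p.group("disk")), "index": int(p.group("n")),
                                         "active": p.group("boot") == "80", "type": p.group("type"),
                                         "size_mb": int(p.group("size")), "offset": int(p.group("off"))})
        elif msg.startswith("Service ") and msg.endswith(" **LOCKED**"):
            report["locked_services"].append(msg[len("Service "):-len(" **LOCKED**")])
        elif msg == "Scan finished successfully":
            report["finished"] = True
    return report

def assess(report):
    """Return what a reviewer would look at first; an empty list means nothing stood out."""
    findings = []
    if not report["finished"]:
        findings.append("scan did not finish; the log is incomplete")
    for disk, code in report["mbr_code"].items():
        if "default MBR code" not in code:  # the log names recognised boot code, e.g. "Windows 7 default MBR code"
            findings.append(f"disk {disk}: non-standard MBR code ({code})")
    active = [p for p in report["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active (bootable) partitions, expected exactly 1")
    for svc in report["locked_services"]:
        findings.append(f"driver the scanner could not read, check by hand: {svc}")
    return findings
```

On the posted log this flags only the LOCKED driver entry, which is exactly the line a helper would ask about.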

#96
dbreeze

    Trusted Helper

  • Malware Removal
  • 2,216 posts

IF you decide to stay with this installation (again, this is your right to do so) of the OS, then let us clean the removal tools off the system and I'll give you some closing advice.  I'm not sure how long the analysis of the MBR.dat file will take but I will let you know one way or another (either on this thread or via a PM).

 

Just run through the steps from the Cleanup of Tools to the Program Update Checker.


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.
If you did not do so at the end of its scan, please uninstall ESET Online Scanner at this time.  You can use the Control Panel 'Add / Remove Programs' or 'Programs and Features' utility to uninstall it.
 

  • Download Delfix from here or here to your desktop and double click it to start the program
  • Ensure Remove disinfection tools is ticked. Also tick:
      • Activate UAC
      • Create registry backup
      • Purge system restore
      • Reset system settings
  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.

You can delete any log files left on your desktop as these are no longer needed.


Keep Windows Updated
Microsoft issues updates to Windows to close vulnerabilities as they are discovered. Staying updated helps protect your system from current exploits.
  • Click Start and then type Settings.
  • When the Search list is populated, under Programs, click on Settings.
  • Click on the Update and Security and select Advanced Options under Windows Updates.
  • Check that Automatic (recommended) is selected.
  • You can close the Settings page after that.

Keep other Important Programs Updated
Along with keeping Windows updated, it is a good idea to keep important programs updated. Java and Adobe Reader both need to be kept updated to the latest versions; malware writers utilize exploits in the unpatched versions to their advantage.

Consider a program that will check for out-of-date programs on your system
Some programs don't have update checks built in or make you run the application to start the check for updates process. An easier way to stay on top of the current versions of your installed programs is to use a version checking program like Heimdal Free from Heimdal Security (you can get the software from here and read more about it on the same page).


You are now done! :yeah:

Now some information on programs to help keep you safe:

First, an Antivirus program. You NEED one; free is just as good as paid-for as long as you keep them updated. ONLY use one at a time as having more than that will cause system problems. Here are some free ones to check out:
Microsoft Security Essentials
Avast! Free Antivirus

Next, a firewall is a must have now-a-days. The built in firewall in Windows 7 is fine (just make sure it is turned on (Start > Control Panel > Windows Firewall)). Or, if you like, you could choose one of the free ones listed here:
Zone Alarm Free Firewall  -  installer includes foistware so read the options very carefully

=== options ===
Unchecky is a small service that runs in the background to help keep those "extra toolbars" and tag-along search engines from automatically installing.  By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system.  You can read the details about this program here.

Also, consider keeping MalwareBytes Antimalware in your arsenal of safe keeping programs. Use the free version (not the paid or trial version) and you won't have a problem with your antivirus scanner program. Keep it updated and run a scan with it once a week.

Lastly, if you use Firefox as your main web browser, consider adding the NoScript and AdBlockPlus add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view.

You may also find some information and tips at this thread:
 How did I get infected in the first place?
and
COMPUTER SECURITY - a short guide to staying safer online
 

I'll leave this topic open for a few days so that if you have any questions you can come back here. Surf safe, my friend!!
 


  • 0

#97
itsdave

    Member

  • Topic Starter
  • 50 posts

Thanks for all your time and effort up till now. At least I can feel (somewhat) safe with these security tools. I've started logging into the New account regularly and am using it as my main account now and there seems to be no effect on the Firefox shortcut. Looks clean. I'd like it to stay that way..

 

If you find anything else that might be of additional help please let me know.

 

# DelFix v1.010 - Logfile created 17/03/2016 at 19:42:43
# Updated 26/04/2015 by Xplode
# Username : New - DESKTOP-TTGS3RU
# Operating System : Windows 10 Home  (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\zoek_backup
Deleted : C:\AdwCleaner
Deleted : C:\TDSSKiller.3.1.0.9_17.02.2016_17.46.36_log.txt
Deleted : C:\zoek-results.log
Deleted : C:\zoek-results2016-02-14-095440.log
Deleted : C:\zoek-results2016-02-18-065629.log
Deleted : D:\Users\user\Desktop\AdwCleaner.exe
Deleted : D:\Users\user\Desktop\aswmbr.exe
Deleted : D:\Users\user\Desktop\FRST64.exe
Deleted : D:\Users\user\Desktop\JRT.exe
Deleted : D:\Users\user\Desktop\OTL.exe
Deleted : D:\Users\user\Desktop\tdsskiller.exe
Deleted : D:\Users\user\Desktop\zoek.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis
Deleted : HKLM\SYSTEM\CurrentControlSet\Services\aswMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #21 [Checkpoint by HitmanPro | 02/27/2016 21:25:19]
Deleted : RP #23 [Checkpoint by HitmanPro | 02/29/2016 07:45:08]
Deleted : RP #25 [Restore Point Created by FRST | 03/05/2016 08:48:48]
Deleted : RP #26 [Windows Update | 03/09/2016 22:53:14]
Deleted : RP #27 [Installed VMware Player | 03/11/2016 08:33:15]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 


  • 0

#98
dbreeze

    Trusted Helper

  • Malware Removal
  • 2,216 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.


  • 0
