
PC Optimizer Pro & PC Tech Hotline remain after Remove PC Repair complete


  • This topic is locked
15 replies to this topic

#1 slloop3

  • Members
  • 9 posts
  • Gender:Female
  • Location:Florida

Posted 13 March 2014 - 10:29 PM

Hi,

I need some help with remaining malware on my PC after I finished the Remove PC Repair (Uninstall Guide).

 

I was infected when a service desk rep from my company installed a random WinRAR app without checking to see if it was safe/approved first. It immediately installed PC Optimizer Pro & PC Tech Hotline, a pseudo bing redirect in my browsers, and when I ran Malwarebytes the first time it found PC Repair as well.

 

I followed the instructions for Remove PC Repair but still have PC Optimizer Pro & PC Tech Hotline after a clean reboot.

 

Below are log files from FRST64 & I've attached 'Addition.txt' also from FRST64, as well as log files from my first pass with MalwareBytes. (We've disconnected the K drive now that is listed, and we'll clean those files up later. They are old) and screenshots from after the Remove PC Repair try.

 

I'm running Windows 8.1 x64 bit.

 

Thanks, Sherrie

 

****

Had multiple hangs trying to paste in the FRST64 log file text. Couldn't attach it because it was too big (1.8 MB), so hopefully I can email it to someone who is willing to help me. DDS wouldn't run on my computer.

Attached Files


Edited by slloop3, 14 March 2014 - 08:57 AM.




#2 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 14 March 2014 - 03:07 AM

Hi Sherrie,

Had multiple hangs trying to paste in the FRST64 log file text. Couldn't attach it because it was too big (1.8 MB)

If you can neither paste nor attach it then zip the log file (right-click on it -> Send to -> Compressed (zipped) folder) and attach this zip-file.
Thank you. :)

#3 slloop3 (Topic Starter)

Posted 14 March 2014 - 08:57 AM

I think I must have been really tired last night. I didn't even think about zipping it. 

 

It's attached now.  Thanks.



#4 aharonov (Malware Response Team)

Posted 14 March 2014 - 09:35 AM

Ok. Then continue with the following steps:


Step 1

Please download AdwCleaner (by Xplode) and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select "Run As Administrator"
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • After rebooting, a log file (that is saved in C:\AdwCleaner[S#].txt) will open automatically.
    Copy and paste the contents of that logfile in your next reply.

 

 

 

Step 2

Start FRST with administrator privileges.

  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.


#5 slloop3 (Topic Starter)

Posted 14 March 2014 - 10:16 AM

AdwCleaner[S0].txt ::

 

# AdwCleaner v3.022 - Report created 14/03/2014 at 11:10:39
# Updated 13/03/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : slloo_000 - THEBEAST
# Running from : C:\Users\slloo_000\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
Service Deleted : 70e6ca8c
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\optimizer pro v3.2
Folder Deleted : C:\Program Files (x86)\Optimizer Pro
Folder Deleted : C:\Program Files (x86)\sweetpacks bundle uninstaller
Folder Deleted : C:\Users\Jared\AppData\Local\SearchProtect
Folder Deleted : C:\Users\slloo_000\AppData\Local\SearchProtect
Folder Deleted : C:\Users\slloo_000\AppData\Roaming\Optimizer Pro
Folder Deleted : C:\Users\slloo_000\Documents\Optimizer Pro
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk
File Deleted : C:\Users\slloo_000\Desktop\Optimizer Pro.lnk
 
***** [ Shortcuts ] *****
 
Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileParade bundle uninstaller\FileParade bundle uninstaller.lnk
 
***** [ Registry ] *****
 
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Optimizer Pro]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\OPTIMI~1\OPTPRO~2.DLL
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16518
 
 
-\\ Google Chrome v33.0.1750.146
 
[ File : C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Users\slloo_000\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted : homepage
Deleted : search_url
Deleted : suggest_url
Deleted : keyword
 
[ File : C:\Users\Jessi\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [3382 octets] - [14/03/2014 11:04:40]
AdwCleaner[S0].txt - [2797 octets] - [14/03/2014 11:10:39]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2857 octets] ##########


#6 slloop3 (Topic Starter)

Posted 14 March 2014 - 10:24 AM

And here's that second run of the FRST64 log zipped up. 

Attached Files

  • Attached File: FRST.zip (108.77 KB)


#7 slloop3 (Topic Starter)

Posted 14 March 2014 - 10:29 AM

That seems to have removed the PC Optimizer Pro but the PC Tech Helpline & the redirect (only with certain websites) still appear. 



#8 aharonov (Malware Response Team)

Posted 14 March 2014 - 11:57 AM

All right, then let's go after the remaining issues.
What problems are still present after the following fix?


Please download the attached fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button. Allow a reboot if requested.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


#9 slloop3 (Topic Starter)

Posted 14 March 2014 - 01:15 PM

It appears that everything has been fixed now. :)
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by slloo_000 at 2014-03-14 14:07:05 Run:1
Running from C:\Users\slloo_000\Downloads\BleepingComputer
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
(Crawler, LLC) C:\Program Files (x86)\PCTechHotline\PCTechHotlineSvc.exe
AppInit_DLLs-x32: c:\progra~2\optimi~1\optpro~1.dll => "c:\progra~2\optimi~1\optpro~1.dll" File Not Found
R2 PCTechHotlineSvc; C:\Program Files (x86)\PCTechHotline\PCTechHotlineSvc.exe [701800 2014-02-13] (Crawler, LLC)
2014-03-13 09:59 - 2014-03-13 09:59 - 00000000 ____D () C:\Program Files (x86)\PCTechHotline
2014-03-13 09:59 - 2014-03-13 09:59 - 00000000 ____D () C:\Users\slloo_000\AppData\Roaming\PC Tech Hotline
2014-03-13 20:58 - 2014-03-13 20:58 - 00000000 ____D () C:\Users\Jared\AppData\Roaming\PC Tech Hotline
C:\Users\Jared\AppData\Local\Temp\*
Reboot:
*****************
 
[1136] C:\Program Files (x86)\PCTechHotline\PCTechHotlineSvc.exe => Process closed successfully.
"c:\\progra~2\\optimi~1\\optpro~1.dll" => Value Data removed successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\SuggestionsURL_JSON => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\URL => Value deleted successfully.
PCTechHotlineSvc => Service deleted successfully.
C:\Program Files (x86)\PCTechHotline => Moved successfully.
C:\Users\slloo_000\AppData\Roaming\PC Tech Hotline => Moved successfully.
C:\Users\Jared\AppData\Roaming\PC Tech Hotline => Moved successfully.
 
"C:\Users\Jared\AppData\Local\Temp\*" directory move:
 
Could not move "C:\Users\Jared\AppData\Local\Temp\*" directory. => Scheduled to move on reboot.
 
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-03-14 14:08:50)<=
 
"C:\Users\Jared\AppData\Local\Temp\*" => Directory could not move.
 
==== End of Fixlog ====
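
As an added example (this is not code from the thread, from AdwCleaner or from FRST), the PowerShell script below re-audits the persistence locations that the AdwCleaner log in post #5 and the Fixlog above touched: the AppInit_DLLs value in both the native and the WOW6432Node registry views (which is why AdwCleaner reported two "[x64] ... AppInit_DLLs" entries and FRST a separate "AppInit_DLLs-x32" line), the Run keys, the Internet Explorer SearchScopes URLs, services whose binary lives outside the Windows directory, and the homepage and search URL in each Chrome profile's Preferences file. It is read-only and is meant to be run in an elevated PowerShell session after the reboot, to confirm nothing re-registered. The watch-list of names is an assumption taken from the logs in this thread, and the Chrome JSON field paths (`homepage`, `default_search_provider.search_url`) are assumed from AdwCleaner's output for the Chrome 33 era; newer Chrome versions store these differently.

```powershell
# Added example, not part of the thread, AdwCleaner or FRST.
# Read-only audit of the persistence points seen in the logs above.
# Run from an elevated PowerShell session on Windows.

# Hypothetical watch-list built from the product names in the logs; extend as needed.
$Suspicious = @('Optimizer Pro', 'OPTIMI~1', 'SearchProtect', 'PCTechHotline',
                'PC Tech Hotline', 'Conduit', 'sweetpacks', 'FileParade')

function Test-Suspicious {
    param([string]$Text)
    foreach ($s in $Suspicious) { if ($Text -and $Text -like "*$s*") { return $true } }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Location, [string]$Name, [string]$Value)
    $findings.Add([pscustomobject]@{
        Location = $Location; Name = $Name; Value = $Value
        Flagged  = Test-Suspicious $Value
    })
}

# 1. AppInit_DLLs in both registry views. LoadAppInit_DLLs=1 means the list is
#    honoured, so a non-empty list there is loaded into every user32 process.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) {
        Add-Finding $k 'AppInit_DLLs'     ([string]$p.AppInit_DLLs)
        Add-Finding $k 'LoadAppInit_DLLs' ([string]$p.LoadAppInit_DLLs)
    }
}

# 2. Run keys, per-user and machine-wide (AdwCleaner removed HKCU\...\Run [Optimizer Pro]).
foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) {
        foreach ($prop in $p.PSObject.Properties) {
            if ($prop.Name -notlike 'PS*') { Add-Finding $k $prop.Name ([string]$prop.Value) }
        }
    }
}

# 3. Internet Explorer search scopes: the default scope's URL is what a
#    look-alike search redirect replaces.
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$def = (Get-ItemProperty -Path $scopes -ErrorAction SilentlyContinue).DefaultScope
foreach ($sub in Get-ChildItem -Path $scopes -ErrorAction SilentlyContinue) {
    $url = (Get-ItemProperty -Path $sub.PSPath).URL
    $tag = if ($sub.PSChildName -eq $def) { ' (default)' } else { '' }
    Add-Finding "$scopes\$($sub.PSChildName)$tag" 'URL' ([string]$url)
}

# 4. Services whose binary is outside %SystemRoot% (PCTechHotlineSvc ran from
#    Program Files (x86)); review every hit rather than trusting the name.
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.PathName -and $svc.PathName -notlike "$env:SystemRoot*") {
        Add-Finding 'Service' $svc.Name $svc.PathName
    }
}

# 5. Chrome Preferences (JSON) for every local profile. Field paths are an
#    assumption for Chrome 33-era preferences; adjust for newer versions.
foreach ($prefs in Get-ChildItem 'C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Preferences' -ErrorAction SilentlyContinue) {
    try {
        $j = Get-Content -Raw -Path $prefs.FullName | ConvertFrom-Json
        Add-Finding $prefs.FullName 'homepage'   ([string]$j.homepage)
        Add-Finding $prefs.FullName 'search_url' ([string]$j.default_search_provider.search_url)
    } catch { Add-Finding $prefs.FullName 'parse-error' $_.Exception.Message }
}

# Flagged entries first; an empty AppInit_DLLs value and no flagged rows is the
# state the Fixlog above should have left the machine in.
$findings | Sort-Object -Property Flagged -Descending | Format-Table -AutoSize -Wrap
```

The script only reports; anything it flags should be removed with the same tooling the thread uses (an FRST fixlist or AdwCleaner), since both quarantine what they remove and leave a log, whereas deleting the registry values by hand does neither.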


#10 aharonov (Malware Response Team)

Posted 14 March 2014 - 01:24 PM

Great!
Let's do a final check up then:


Step 1

Please download TFC (by Oldtimer) and save it to your Desktop.

  • Start TFC.exe with administrator privileges.
  • Close all other running programs.
  • Click on Start.
  • Allow a reboot if one is requested.

 

 

 

Step 2

Please download the ESET Online Scanner and save it to your Desktop.

  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!



#11 slloop3 (Topic Starter)

Posted 14 March 2014 - 02:50 PM

ESET Scan running & taking quite a long time. Will update once it's completed (probably in 3-4 hours).



#12 slloop3 (Topic Starter)

Posted 14 March 2014 - 04:12 PM

Well, didn't take as long as I expected.  Here's the ESET scan log:

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Optimizer Pro\OptimizerPro.exe.vir a variant of Win32/SpeedingUpMyPC application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Optimizer Pro\OptProCrash.dll.vir a variant of Win32/SProtector.E potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Optimizer Pro\OptProCrashSvc.dll.vir a variant of Win32/SProtector.F potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Optimizer Pro\OptProCrash_x64.dll.vir a variant of Win64/SProtector.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Optimizer Pro\OptProLauncher.exe.vir a variant of Win32/AdWare.SpeedingUpMyPC.D application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Optimizer Pro\OptProSmartScan.exe.vir a variant of Win32/Adware.SpeedingUpMyPC.C application
C:\Users\slloo_000\Downloads\WinZip180.exe a variant of Win32/OpenInstall potentially unwanted application


#13 aharonov (Malware Response Team)

Posted 14 March 2014 - 04:35 PM

Great! This looks good, just the stuff in AdwCleaner quarantine.


That's it! Your logs look clean to me at the moment.
We're gonna clean up everything now and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Online Scanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.

 

 

Tips

I recommend to read and follow the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.



#14 slloop3 (Topic Starter)

Posted 14 March 2014 - 04:54 PM

Thanks so much for your help. You guys rock! :)



#15 aharonov (Malware Response Team)

Posted 14 March 2014 - 05:51 PM

You're welcome.
And thank you too! :)
All the best.



