Malware Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by YACwade, Oct 31, 2014.

  1. YACwade

    YACwade Private E-2

I am using a Win 7 64bit laptop. My Norton 360 expired last month and only now I renewed it. Before I renewed it, my computer started showing malware activities. My AdBlock did not work, audio plays (either online or offline) did not give sounds after about a minute, downloaded unintentional programs etc. I ran a full scan from Norton 360 but I still have those issues.
    Thank you.
     
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, YACwade

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide

    and then attach the requested logs to your next reply when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run RogueKiller, Malwarebytes, HitmanPro and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    * Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated - our system works the oldest threads FIRST.
     
  3. YACwade

    YACwade Private E-2

    Thanks
     

  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts. *Re-enable them before physically reconnecting to your ISP.

    Using "Programs & Features" uninstall: (If you do not find it or it will not uninstall, just keep going.)
    Java(TM) 6 Update 20
    Java 7 Update 67

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon: [​IMG]
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, "Copy & Paste" the contents of the below code box into the Custom Scans/Fixes pane:
      Code:
      :OTL
      :Files
      C:\Program Files (x86)\Super Optimizer
      C:\Users\padmasankha\AppData\Roaming\KYSDD.exe 
      C:\Program Files (x86)\Lldupacemaphering\Lldupacemaphering.exe
      C:\Program Files (x86)\Lldupacemaphering
      :Reg
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "Spotify Web Helper"=-
      "BitTorrent"=-
      [HKEY_USERS\S-1-5-21-946326290-360473736-156489971-1001\Software\Microsoft\Windows\CurrentVersion\run]
      "Spotify Web Helper"=-
      "BitTorrent"=-
      :Commands
      [purity]
      [EmptyTemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, and the PC should re-boot when it is done
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)
    • Open OTL again
    • Check the "Scan All Users" checkbox.
    • Set the "Output" to "Minimum Output".
    • Change the setting of "Drivers" and "Services" to "Use Safelist"
    • Copy & Paste the following code into the Custom Scans/Fixes pane:
      Code:
      activex
      netsvcs
      drives
      msconfig
    • Now click the [​IMG] button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)

    Now please download Junkware Removal Tool to your desktop.
    • Make sure to shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Next download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • Look over the log especially under Files/Folders for any program you want to save.
    • If there's a program you may want to save, just uncheck it from AdwCleaner.
    • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
    • If you're ready to clean it all up.....click the Clean button.
    • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
    • Attach that logfile to your next reply.
    • A copy of all logfiles are saved in the C:\AdwCleaner folder which are created when running the tool.

    Now install the current version of Sun Java from:
    Make sure that when you install the new version of Java that you uncheck the Install the Ask Toolbar junkware checkbox. You do not want to add junk that most people consider malware to your PC. Also, just in case Oracle changes the Java installation in the future to possibly install other junk, uncheck everything except installing Java itself.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select "Run As Administrator").

    Then attach the below logs:
    • the C:\_OTL\MovedFiles log
    • OTL.txt
    • the JRT.TXT log
    • C:\MGlogs.zip
    • AdwCleaner[S#].txt
    How are things working now?
     
  5. YACwade

    YACwade Private E-2

    Thank you very much for your reply. Thing is, I'm still having the problem with sounds. Whenever I play something, the sound goes after some time.
     

  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome.
    This may be an issue for our Software or Hardware forums.

    Re-run Malwarebytes' and have it fix everything detected. Please attach the resulting log.

    We need to use OTL.exe again.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, "Copy & Paste" the contents of the below code box into the Custom Scans/Fixes pane:
      Code:
      :otl
      IE - HKLM\..\SearchScopes,DefaultScope = {3CFFABA7-771F-4473-AEBC-FDEBE67E1DCF}
      IE - HKLM\..\SearchScopes\{3CFFABA7-771F-4473-AEBC-FDEBE67E1DCF}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF
      IE - HKU\S-1-5-21-946326290-360473736-156489971-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://groovorio.com/results.php?f=4&q={searchTerms}&a=grv_keyd3_14_24&cd=2XzuyEtN2Y1L1Qzu0Ezzzy0Azz0FzzzzyByBzy0F0A0E0A0DtN0D0Tzu0StCtDtAtDtN1L2XzutAtFyDtFtCtFtCtN1L1Czu1N1C2X1V1J1P2U1QtA1VtCyE1VtByEtN1L1G1B1V1N2Y1L1Qzu2StAyDzz0EyEtDyBtCtG0EzytC0AtG0CyBzztBtG0DyCyB0AtGtB0AtDyBtAzyyCyB0D0E0EtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyCyDtB0Fzy0DyDtG0BzyyCyDtGyEzzyByDtGzytBtAzytG0EzzzzzytCyEtDyE0D0E0EtB2Q&cr=1027074647&ir=
      IE - HKU\S-1-5-21-946326290-360473736-156489971-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
      IE - HKU\S-1-5-21-946326290-360473736-156489971-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKU\S-1-5-21-946326290-360473736-156489971-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:9880;https=127.0.0.1:9880
      FF - prefs.js..browser.search.defaultenginename: "Groovorio"
      FF - prefs.js..browser.search.selectedEngine: "Groovorio"
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
      :Files
      C:\Windows\tasks\KYSDD.job
      C:\Users\padmasankha\AppData\Roaming\KYSDD
      :Reg
      [HKEY_USERS\S-1-5-21-946326290-360473736-156489971-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
      "BitTorrent"=-
      "Spotify"=-
      [HKEY_USERS\S-1-5-21-946326290-360473736-156489971-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "ProxyEnable"=dword:00000000
      "ProxyServer"=- 
      :Commands
      [purity]
      [EmptyTemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, and the PC should re-boot when it is done
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Please attach the below logs to your reply:
    • Malwarebytes Anti-Malware.txt log
    • the C:\_OTL\MovedFiles log

    How is your machine running now?
     
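The two OTL fixes dr.moriarty posted above remove logon Run entries, a scheduled-task .job file, and a per-user proxy that had been pointed at 127.0.0.1. The following read-only audit script is an added example, not part of the thread and not MajorGeeks' or OTL's own code; it reports the same three kinds of settings so a user can see what such a fix would touch before anything is changed. The function name Get-PersistenceAudit and the "runs from user profile" heuristic are this example's own choices, not something from the thread.

```powershell
# Added example, not from the thread: read-only audit of the settings the OTL fixes
# above removed (Run keys, legacy .job tasks, WinINet proxy). It changes nothing.
function Get-PersistenceAudit {
    $findings = @()

    # 1. Per-user WinINet proxy. ProxyEnable=1 with ProxyServer on loopback is the
    #    pattern the second OTL fix reset (ProxyEnable -> 0, ProxyServer removed).
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1) {
        $server = [string]$p.ProxyServer
        if ($server -match '127\.0\.0\.1|localhost') {
            $findings += "Proxy enabled and pointed at loopback: $server"
        } else {
            $findings += "Proxy enabled: $server (verify this is expected)"
        }
    }

    # 2. Logon Run keys for the current user and the machine (both 64- and 32-bit views).
    #    Every value here starts at logon; the first OTL fix deleted two by name.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Skip the PS* bookkeeping properties PowerShell adds to the result object.
        foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $cmd = [string]$entry.Value
            # Heuristic (this example's own): programs launched from a user profile
            # folder, like KYSDD.exe under AppData\Roaming in this thread, get a marker.
            $flag = if ($cmd -match '\\AppData\\|\\Temp\\') { ' [runs from user profile]' } else { '' }
            $findings += "Run: $key\$($entry.Name) = $cmd$flag"
        }
    }

    # 3. Legacy scheduled-task .job files in C:\Windows\Tasks, the mechanism behind KYSDD.job.
    Get-ChildItem -Path "$env:windir\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Task job: $($_.FullName)" }

    return $findings
}

# Print one finding per line; run from an elevated prompt so the HKLM keys are readable.
Get-PersistenceAudit
```

Nothing in this output is a verdict: a Run entry or a proxy can be legitimate, which is why the thread asks for logs to be reviewed rather than cleaned blindly. What the audit does show is the connection between the symptoms described earlier (search engine redirected to Groovorio, browser traffic routed through a local port) and the specific registry values a fix script has to reset.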
  7. YACwade

    YACwade Private E-2

    I accidentally cleaned something given by Malwarebytes. I don't know what. Still have the sound issue.

    Thank you for keep helping me. :)
     

  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Do you have the C:\_OTL\MovedFiles log ready to attach?
     
  9. YACwade

    YACwade Private E-2

    I can't find that txt file. I have attached the other OTL txt.
    Thank you
     
  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Let's run OTL again
    • Open OTL
    • Check the "Scan All Users" checkbox.
    • Set the "Output" to "Minimum Output".
    • Change the setting of "Drivers" and "Services" to "Use Safelist"
    • Copy & Paste the following code into the Custom Scans/Fixes pane:
      Code:
      activex
      netsvcs
      drives
      msconfig
    • Now click the [​IMG] button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  11. YACwade

    YACwade Private E-2

    This is the OTL.txt I got after running it as you instructed.

    Thank you:)
     

    Attached Files: OTL.Txt (75.7 KB, 2 views)
  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome.

    That log looks okay - how is the machine running?
     
  13. YACwade

    YACwade Private E-2

    I do not get pop-up ads or anything, but I still have that sound issue. It goes away after like 2 or 3 mins.
     
  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Your remaining problem with the sound isn't malware-related and should be worked out in a new thread in our Software or Hardware forums.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase it, it provides no protection. It does not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, Win 7/8 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7/8, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
    Safe surfing!
     
  15. YACwade

    YACwade Private E-2

    Thank you for your reply. I will post a thread.
     