Removal of malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LeoB, Jun 19, 2013.

  1. LeoB

    LeoB Private E-2

    Hello everybody,
I am new to the forum and I am happy it exists. I found the forum accidentally searching for help with the FBI Money Pack virus. I am reading on this forum to use safe mode with networking, I can go to safe mode with or without networking. However, as soon as I log in the laptop shuts down. I have tried using repair computer function using the available downloads on a USB stick........It does not seem to work, Can somebody please help me to get access back to safe modes without it shutting the computer down. I think that all the explanations and descriptions here are easy to follow and I could go there and look for help once I have access to safe mode again.

    Thank you very much in advance for your help,

    I truly appreciate your efforts to help me.

    Leo
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Option1: Enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Option2: Enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  3. LeoB

    LeoB Private E-2

    Here is the txt file you were asking for. Thank you for helping
     

    Attached Files:

  4. LeoB

    LeoB Private E-2

    I am sorry, I attached a file that I downloaded from the forum. Here is the frst.txt file now
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Save fixlist.txt to your flash drive.

    • You should now have both fixlist.txt and FRST.exe on your flash drive.

    Now reboot back into the System Recovery Options as you did previously.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Running MGTools.
     

    Attached Files:

  6. LeoB

    LeoB Private E-2

    Thank you for your help thus far. I have attached the requested file to this e-mail.

    Thanks
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    How are things running???
     
  8. LeoB

    LeoB Private E-2

    I still can not go into safe mode. The virus is still there ....:-(
     
  9. LeoB

    LeoB Private E-2

    I can only copy the MGtools from my USB stick to my C:\ drive and run it from there. A second DOS window pops up and runs something very fast which I hope is MGtools. It is a very short run. I am not able to go into Windows and disable Norton Internet security.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  11. LeoB

    LeoB Private E-2

    Thank you
     
  12. LeoB

    LeoB Private E-2

    Here is what I was able to do in the Dos level.
    I have attached the files.

    For Malwarebyte I received the message: "The program can't start because MSVBVM60.DLL is missing" (As I said, I ran it in DOS level)

    For RogueKiller I can not find the txt file.
    Tdsskiller found nothing,,,,,???

    Thanks
     

    Attached Files:

  13. LeoB

    LeoB Private E-2

    Here is the Rkreport file that I did not find yesterday.
     

    Attached Files:

  14. LeoB

    LeoB Private E-2

    here is another hitmanPro file that seems different from yesterday's
     

    Attached Files:

  15. LeoB

    LeoB Private E-2

    Some good news today. I have scanned all partitions again with the recommended tools and now suddenly Windows is starting up in normal mode. The monitor is dim and hard to see but I can manage for now. .......
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry Entries : 4 ¤¤¤
    [EXT RUN][SUSP PATH] HKCU\Leo_ON_C:\[...]\Run : qcgce2mrvjq91kk1e7pnbb19m52fx (C:\Users\Leo\AppData\Local\Temp\ACh0XXd.exe [-]) -> FOUND
    [EXT RUN][SUSP PATH] HKCU\Leo_ON_C:\[...]\Run : qcgce2mrvjq91kk1e7pnbb19m52fx (C:\Users\Leo\AppData\Local\Temp\ACh0XXd.exe [-]) -> FOUND
    
    
    ¤¤¤ Startup Entries : 2 ¤¤¤
    [Leo][Rans.Gendarm] regmonstd.lnk : C:\Users\Leo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk @X:\Windows\System32\rundll32.exe C:\PROGRA~2\9riofo.dat,XFG00 [-][7][x] -> FOUND
    [Leo][Rans.Gendarm] regmonstd.lnk : C:\Users\Leo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk @X:\Windows\System32\rundll32.exe C:\PROGRA~2\9riofo.dat,XFG00 [-][7][x] -> FOUND
    Download OTL to your desktop.

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :files
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log from OTL to your next message.



    Please download Junkware Removal Tool to your desktop.

    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now reboot and rescan with RogueKiller and attach the new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
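As an added example (not part of the thread, and not RogueKiller's own code), here is a small Python triage script for the two entry types in the report quoted above: it parses lines in RogueKiller's report format and flags the persistence patterns TimW asked to have fixed, a Run value whose executable lives in a Temp directory and a Startup-folder shortcut that makes rundll32 load a non-DLL module. The sample report is constructed; the "Example" entries are invented benign ones for contrast.

```python
import ntpath
import re

# Constructed sample in RogueKiller's report format, modelled on the two entry
# types quoted above; the "Example" lines are invented benign entries for contrast.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 2 ¤¤¤
[EXT RUN][SUSP PATH] HKCU\Leo_ON_C:\[...]\Run : qcgce2mrvjq91kk1e7pnbb19m52fx (C:\Users\Leo\AppData\Local\Temp\ACh0XXd.exe [-]) -> FOUND
[RUN] HKLM\[...]\Run : ExampleUpdater (C:\Program Files\Example\updater.exe [7]) -> FOUND

¤¤¤ Startup Entries : 2 ¤¤¤
[Leo][Rans.Gendarm] regmonstd.lnk : C:\Users\Leo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk @X:\Windows\System32\rundll32.exe C:\PROGRA~2\9riofo.dat,XFG00 [-][7][x] -> FOUND
[Leo][] Example.lnk : C:\Users\Leo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Example.lnk @C:\Program Files\Example\tray.exe /minimized [-][7][x] -> FOUND
"""

# Run-key value:       "[tags] key : name (command [flags]) -> FOUND"
RUN_RE = re.compile(r"^\[.*\] \S+ : (?P<name>\S+) \((?P<cmd>.+?) \[[^\]]*\]\) -> FOUND$")
# Startup-folder .lnk: "[tags] name : shortcut @command [flags]... -> FOUND"
LNK_RE = re.compile(r"^\[.*\] (?P<name>\S+) : .+? @(?P<cmd>.+?) (\[[^\]]*\])+ -> FOUND$")

def suspicious_reasons(name: str, cmd: str) -> list[str]:
    """Heuristics for the persistence patterns seen in this thread (empty list = nothing found)."""
    # RogueKiller prints unquoted paths, so split at the first ".exe" rather than on spaces.
    m = re.match(r"(?i)^(.+?\.exe)\s*(.*)$", cmd)
    exe, args = (m.group(1), m.group(2)) if m else (cmd, "")
    reasons = []
    if re.search(r"\\temp\\", exe, re.IGNORECASE):
        reasons.append("executable runs from a Temp directory")
    if ntpath.basename(exe).lower() == "rundll32.exe" and args:
        module = args.split(",")[0]  # rundll32 takes "<module>,<entrypoint>"
        if not module.lower().endswith(".dll"):
            reasons.append(f"rundll32 loads a non-DLL module: {module}")
    if len(name) >= 20 and name.isalnum() and any(c.isdigit() for c in name):
        reasons.append("random-looking value name")
    return reasons

def triage(report: str) -> list[tuple[str, list[str]]]:
    """Return (entry name, reasons) for every Registry/Startup entry worth fixing."""
    findings = []
    for line in report.splitlines():
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if m and (reasons := suspicious_reasons(m["name"], m["cmd"])):
            findings.append((m["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REPORT):
        print(f"FIX {name}: {'; '.join(reasons)}")
```

The heuristics are deliberately narrow; a real triage would also compare each target against a known-good file list before acting on it.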
  17. LeoB

    LeoB Private E-2

    For some reason JRT.exe pops up a DOS window quickly and disappears right then. Is this normal? I am not sure if I deleted the recommended lines in RogueKiller correctly. The file for OTL is attached.
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Attach the log from running RogueKiller.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  19. LeoB

    LeoB Private E-2

    Things are running well, very well actually :) Many thanks for your great help. I have attached the debug.log file and the Mglogs.zip file. May I have your opinion on which software should be installed on my computer to prevent this from happening again?
    Your expertise is greatly appreciated
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your MG log was not complete. You will have to run it again. Plus you didn't attach a log from running RogueKiller again.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\Users\Leo\AppData\Local\Temp\ACh0XXd.exe

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach the new C:\MGLogs.zip
     
  21. LeoB

    LeoB Private E-2

    C:\Users\Leo\AppData\Local\Temp\ACh0XXd.exe
    This file I can not find. I assume it is not available or existing on this laptop.
    The fixme.reg file confirmed it had merged successfully.
    I have attached the RK txt files as you asked for.

    Thank you for helping, but I am unable to run MGtools since I am booting back up into normal windows. I have tried in Safe Mode and SafeMode with Networking as well as on dos level................It just does not run to create the file you are asking me to send
     

    Attached Files:

  22. LeoB

    LeoB Private E-2

    sorry
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun RogueKiller and make sure all your protection software is disabled. Have it fix these items:

    Code:
    ¤¤¤ Startup Entries : 2 ¤¤¤
    [Leo][Rans.Gendarm] regmonstd.lnk : C:\Users\Leo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk @X:\Windows\System32\rundll32.exe C:\PROGRA~2\9riofo.dat,XFG00 [-][7][x] -> FOUND
    [Leo][Rans.Gendarm] regmonstd.lnk : C:\Users\Leo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk @X:\Windows\System32\rundll32.exe C:\PROGRA~2\9riofo.dat,XFG00 [-][7][x] -> FOUND
    Reboot and rescan with RogueKiller and attach the log.

    Then Download OTL to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: Right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.


    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
