Rogue Killer forces reboot

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Horticulous, Aug 20, 2014.

  1. Horticulous

    Horticulous Private E-2

    I'm going through the steps for removing malware on a Windows 7 computer. When I run Rogue Killer the prescan starts automatically. About a quarter of the way through the prescan, while the processes are being scanned, I notice a red message pops up under the processes section stating:

    Status: Killed [TermProc]
    Type: Root.Zekos
    PID: 880
    Name: svchost.exe

    After that a windows message box shows up on the screen saying either:

    "Windows must now restart because the DCOM server process launcher service has terminated unexpectedly."

    or

    "Windows must now restart because the Plug and Play service has terminated unexpectedly."

    The computer then reboots. Any suggestions on how to get this to run to completion? I've tried a few times and (I'm guessing) because I can't get through the prescan no log is being created.

    Thanks for any help.
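An added example (not part of the original post) of the check a responder would want before letting a scanner kill a flagged svchost.exe: map each svchost.exe PID to the services it hosts. Killing the instance that hosts DcomLaunch or PlugPlay is exactly what produces the two forced-restart dialogs quoted above, so PID 880 was almost certainly that shared instance (or the scanner misidentified it). The script assumes PowerShell 3.0 or later for Get-CimInstance; the list of "critical" service names is this example's own and is taken only from the two messages in the post.

```powershell
# Added example: map svchost.exe processes to hosted services. Run elevated.
function Get-SvchostServiceMap {
    param([int[]]$ProcessId)   # optional filter, e.g. -ProcessId 880

    # Services named in the two "Windows must now restart" dialogs quoted in the post
    # (assumption for this example; other services can trigger the same dialog).
    $critical = @('DcomLaunch', 'PlugPlay')

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match '(?i)\\svchost\.exe' }

    $services | Group-Object -Property ProcessId | ForEach-Object {
        $hostPid = [int]$_.Name           # $pid is a read-only automatic variable, hence the name
        if ($ProcessId -and ($ProcessId -notcontains $hostPid)) { return }

        $proc  = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $hostPid"
        $names = $_.Group | Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Pid          = $hostPid
            Image        = $proc.ExecutablePath   # expected: <SystemRoot>\System32\svchost.exe
            CommandLine  = $proc.CommandLine      # shows the "-k <group>" the instance was started for
            Services     = ($names -join ', ')
            RebootOnKill = [bool]($names | Where-Object { $critical -contains $_ })
        }
    }
}

# Usage: the full map, then just the PID the scanner flagged
Get-SvchostServiceMap | Sort-Object Pid | Format-Table -AutoSize
Get-SvchostServiceMap -ProcessId 880
```

RebootOnKill is the column to read: an svchost instance with that set should be handled by cleaning its persistence and rebooting (or scanning from safe mode, as the helper later suggests), not by terminating it while Windows is running.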
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If one step fails, just continue on with the other steps and attach what logs you do have at the end. :)
     
  3. Horticulous

    Horticulous Private E-2

    Word. Will do, cheers :wine.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem.
     
  5. Horticulous

    Horticulous Private E-2

    I have gone through the READ ME and I am still having problems. I could not get most of the scans to complete. The logs of those that did complete are attached. While MGtools was running I had other things I had to do, so I left the person whose computer this is in charge of watching that scan. Apparently it was not running fast enough for her, so she decided to stop it and run it again. SMH... I don't know if those logs are usable, but I'm attaching them anyway. HitmanPro crashed after about 3 1/2 hours of running. I am attaching the crash log for that just in case it is of use.

    The main problem is that I keep getting a bunch of (like 30) processes showing up in Task Manager with:

    Image Path Name: C:\Windows\SysWOW64\dllhost.exe
    Description: COM Surrogate

    This makes the computer pretty much unusable. I tried ending the processes, but they just show right back up after a few minutes.

    At the time this started the user was looking at a normal website (I've checked it from other computers with no problems) and the monitor just suddenly went into sleep mode. She couldn't get it to turn back on so she did a hard reboot. At that point the computer restarted and ran CHKDSK. It came up with:

    Correcting error in $I30 file 4478

    and stalled there for about a day and a half. I know that interrupting CHKDSK can mess up the hard drive, so I just let it sit. Thankfully it finally completed. Since then I have been having major problems. At first I thought there might be a problem with the drive, so I tried to run a diagnostic from the manufacturer, but I could never get it to function properly.

    I appreciate any help you can offer.
     

    Attached Files:
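An added example (not part of the original post) for the dllhost.exe symptom described above. dllhost.exe is the COM Surrogate: DcomLaunch starts it on demand with a "/Processid:{CLSID}" argument and it loads the in-process server registered under that CLSID, so a normal system has a handful of short-lived instances, not thirty that respawn after being killed. The script lists every running instance with its parent, the CLSID it was started for and the DLL that CLSID resolves to. It assumes PowerShell 3.0+ and an elevated prompt; the registry lookup order and the "Flags" heuristics are this example's own, not anything from the thread's tools.

```powershell
# Added example: inventory COM Surrogate (dllhost.exe) instances. Run elevated.
function Get-ComSurrogateInventory {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    $sysroot = [regex]::Escape($env:SystemRoot)
    # Directories a legitimately registered in-process server is expected to live in (assumption).
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }

    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'dllhost.exe' })) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $clsid  = if ($p.CommandLine -match '(?i)/Processid:(\{[0-9A-F-]{36}\})') { $Matches[1] } else { $null }

        # Resolve the hosted DLL: per-user classes take precedence over machine classes,
        # and the 32-bit surrogate (SysWOW64) reads the Wow6432Node view.
        $server = $null
        if ($clsid) {
            $roots = @('HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID',
                       'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
            foreach ($root in $roots) {
                $ip = Get-ItemProperty -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                if ($ip -and $ip.'(default)') {
                    $server = [Environment]::ExpandEnvironmentVariables($ip.'(default)').Trim('"')
                    break
                }
            }
        }

        $odd = @()
        if ($p.ExecutablePath -notmatch "(?i)^$sysroot\\(System32|SysWOW64)\\dllhost\.exe$") { $odd += 'ImagePath' }
        if (-not $parent -or $parent.Name -ine 'svchost.exe') { $odd += 'Parent' }
        if (-not $clsid) { $odd += 'NoProcessid' }
        elseif (-not $server) { $odd += 'UnregisteredClsid' }
        elseif ($server -notmatch "(?i)^($($trusted -join '|'))\\") { $odd += 'ServerPath' }

        [pscustomobject]@{
            Pid       = $p.ProcessId
            Started   = $p.CreationDate
            Parent    = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($p.ParentProcessId))" }
            Clsid     = $clsid
            HostedDll = $server
            Flags     = ($odd -join ',')
        }
    }
}

Get-ComSurrogateInventory | Sort-Object Started | Format-Table -AutoSize
```

A surrogate whose CLSID resolves to nothing, or to a DLL outside the Windows and Program Files trees, tells you what is actually being loaded; killing the dllhost.exe instances themselves, as the post found, only buys a few minutes until whatever registered the CLSID launches them again.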

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. :)

    • Re run TDSSKiller and attach the log for me to see.
    • Re run RogueKiller in safe mode.
    • Re run MGTools (This time it needs to be run to completion!!!) Ensure that protection software is disabled before doing so, that UAC is indeed disabled and that it is indeed being run as admin.
    • Attach logs once done.
     
  7. Horticulous

    Horticulous Private E-2

    Kestrel,

    I'll do that. I was unaware that MGTools had not completed (I was told it had), so sorry for wasting your time on that. Next time I will keep an eye on it myself.

    Thanks for the help :)
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK no problem. ;)
     
  9. Horticulous

    Horticulous Private E-2

    Alright! After 76 hours MGTools finally finished running...:tired... Attached are the logs you requested. I really appreciate all of your help :).
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [Suspicious.Path] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | oiitgid : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\oiitgid.dll",oiitgid -> FOUND
    • [Suspicious.Path] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | fa118d6 : C:\Windows\system32\config\systemprofile\AppData\Roaming\fa118d6.exe -> FOUND
    • [Suspicious.Path] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | oivtvid : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\oivtvid.dll",oivtvid -> FOUND
    • [Suspicious.Path] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | oiitgid : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\oiitgid.dll",oiitgid -> FOUND
    • [Suspicious.Path] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | fa118d6 : C:\Windows\system32\config\systemprofile\AppData\Roaming\fa118d6.exe -> FOUND
    • [Suspicious.Path] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | oivtvid : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\oivtvid.dll",oivtvid -> FOUND
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3011669098-4229872675-3576073490-1000\Software\Microsoft\Windows\CurrentVersion\Run | ?tluafed? : C:\Users\ANNE\Application Data\{00006F76-52AE-7110-F888-B09FCDC40AA7}.exe -> FOUND
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3011669098-4229872675-3576073490-1000\Software\Microsoft\Windows\CurrentVersion\Run | ?tluafed? : C:\Users\ANNE\Application Data\{00006F76-52AE-7110-F888-B09FCDC40AA7}.exe -> FOUND
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | oiitgid : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\oiitgid.dll",oiitgid -> FOUND
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | fa118d6 : C:\Windows\system32\config\systemprofile\AppData\Roaming\fa118d6.exe -> FOUND
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | oivtvid : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\oivtvid.dll",oivtvid -> FOUND
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | oiitgid : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\oiitgid.dll",oiitgid -> FOUND
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | fa118d6 : C:\Windows\system32\config\systemprofile\AppData\Roaming\fa118d6.exe -> FOUND
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | oivtvid : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\oivtvid.dll",oivtvid -> FOUND
    • [PUM.SysRestore] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1 -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    • O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    • O4 - HKCU\..\Run: [?tluafed] C:\Users\ANNE\Application Data\{00006F76-52AE-7110-F888-B09FCDC40AA7}.exe

    After clicking Fix exit HJT.



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :Files
    C:\Users\ANNE\AppData\Roaming\{00006F76-52AE-7110-F888-B09FCDC40AA7}.exe
    C:\ProgramData\ApufIrunz
    C:\ProgramData\InoqPime
    C:\ProgramData\UvbaxZanlo
    C:\Windows\SysNative\chgjy.woj
    C:\Windows\SysNative\phwz.nno
    C:\Windows\SysNative\seetla.dll
    C:\Windows\SysNative\ypmyxeg.dri
    C:\Windows\SysNative\ztnzn.zxj
    C:\Windows\system32\config\systemprofile\AppData\Local\oiitgid.dll
    C:\Windows\system32\config\systemprofile\AppData\Roaming\fa118d6.exe
    
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.




    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it (if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.


    Please run Ccleaner (Not the registry scanner, just the cleaner itself) to be rid of a whole heap of temp files/folders.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    • Re run RogueKiller (just a scan) and attach new log.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
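An added example (not part of the original post or of RogueKiller) that finds the kind of persistence listed in the RogueKiller section above without depending on one tool's signatures. Two details of that listing are worth knowing: HKEY_USERS\.DEFAULT is the hive of the LocalSystem account (S-1-5-18), whose profile directory is C:\Windows\system32\config\systemprofile, which is why the oiitgid/fa118d6/oivtvid values appear under both names and why their files sit in that profile's AppData; and the (X64)/(X86) pairs are the same values reported from both registry views. The script walks the Run and RunOnce keys of every loaded hive under HKEY_USERS plus HKLM (including the Wow6432Node view) and flags values whose command points into a profile's AppData directory, is a rundll32 wrapper around such a DLL, uses a GUID-named executable, or has a value name with non-printable characters (the "?tluafed?" entry). It assumes PowerShell 3.0+ and an elevated prompt; the patterns and flag names are this example's own heuristics.

```powershell
# Added example: triage Run/RunOnce values across all loaded hives. Run elevated.

# Pull the file a Run command actually launches: the DLL for rundll32 wrappers,
# the quoted path, a bare path with spaces and no arguments, or the first token.
function Get-RunTargetPath([string]$cmd) {
    if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+)')          { return $Matches[2] }
    if ($cmd -match '^\s*"([^"]+)"')                               { return $Matches[1] }
    if ($cmd -match '(?i)^\s*([^"]+?\.(exe|dll|scr|com))\s*$')     { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-SuspiciousRunEntries {
    $subKeys = @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view under HKLM
    )
    # HKLM plus every loaded hive: .DEFAULT, S-1-5-18, S-1-5-19/20 and each logged-on user's SID.
    $roots = @('HKLM:') + (Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
                           ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

    # Heuristic patterns (this example's own); single quotes keep the regex backslashes literal.
    $rules = [ordered]@{
        'SystemProfileAppData' = 'config\\systemprofile\\AppData\\'
        'UserAppData'          = '\\(AppData\\(Local|Roaming)|Application Data)\\[^\\"]+\.(exe|dll|scr)'
        'GuidNamedExe'         = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe'
        'Rundll32Loader'       = '(?i)^\s*"?rundll32(\.exe)?"?\s'
    }

    foreach ($root in $roots) {
        foreach ($sub in $subKeys) {
            $key   = "$root\$sub"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }     # provider metadata, not registry values
                $cmd  = [string]$prop.Value
                $hits = @($rules.GetEnumerator() | Where-Object { $cmd -match $_.Value } | ForEach-Object { $_.Key })
                if ($prop.Name -match '[^\x20-\x7E]') { $hits += 'NonPrintableValueName' }
                if ($hits.Count -eq 0) { continue }

                $target = Get-RunTargetPath $cmd
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $cmd
                    Target  = $target
                    Exists  = if ($target) { Test-Path -LiteralPath $target } else { $false }
                    Flags   = ($hits -join ',')
                }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-List
```

Rundll32Loader on its own is a weak signal (some vendor entries in HKLM use rundll32 legitimately); combined with SystemProfileAppData or UserAppData it is the pattern shown in the listing above. The Exists column tells you whether the file is still on disk, which matters for the OTM step that follows: a Run value whose target is gone is harmless but still worth deleting, while one whose target is present should have the file removed in the same pass.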
     
