Malware Please Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by titleistdrivr, Sep 22, 2014.

  1. titleistdrivr

    titleistdrivr Private E-2

    Lots of popups. Your help is appreciated.
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, titleistdrivr

    Your MGlogs.zip file is very incomplete. Did you have a problem running MGtools? Did you follow all instructions ( like disable UAC, disable protection software, use Right Click and Run As Administrator )? Did you wait for it to tell you it was finished before attaching the log?

    Compressed, the MGlogs.zip should be around 245KB in size, containing 22 files. *I'll give instructions on when to attempt to get an updated one.

    Re-run RogueKiller and have it delete these:
    Now please download Junkware Removal Tool to your desktop.
    • Make sure to shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Next download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • Look over the log especially under Files/Folders for any program you want to save.
    • If there's a program you may want to save, just uncheck it from AdwCleaner.
    • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
    • If you're ready to clean it all up.....click the Clean button.
    • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
    • Attach that logfile to your next reply.
    • A copy of all logfiles is saved in the C:\AdwCleaner folder, which is created when running the tool.


    Re-run RogueKiller - do a scan ONLY and attach the new log.

    *Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • updated MGlogs.zip
    • AdwCleaner[S0].
    • JRT.txt
    • updated RKreport log.txt
     
  3. titleistdrivr

    titleistdrivr Private E-2

    I must not have let MGtools run all the way. Sorry about that.
     

    Attached Files:

  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please Close all programs and all browser windows.
    • Right-click the RogueKiller icon and click "Run as Administrator" to run the program.
    • Wait until Prescan has finished ...
    • Click the Scan button and wait for the scan to complete.
    • After the scan has completed click the tabs until you see the Registry tab, place a check mark in all of the boxes listed below:
    Code:
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
    [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3091409617-1739894626-2328089943-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3091409617-1739894626-2328089943-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
    [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3091409617-1739894626-2328089943-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3091409617-1739894626-2328089943-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
    • Click on the Delete button.
    • Please attach the latest RK log.txt to your next reply.

    Then immediately reboot your PC.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
    After clicking Fix, exit HJT.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach the OTL.txt to your next message. (How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • updated MGlogs.zip
    • OTL.txt
    • updated RKreport log.txt

    How is your machine running?
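The RogueKiller entries quoted above show the same pattern in every hive under HKEY_USERS (.DEFAULT, the service SIDs and the user's own SID): ProxyEnable set to 1 and ProxyServer pointing at 127.0.0.1:8118. A proxy on the loopback address means a process on the machine itself sits in the browsing path and sees, and can alter, every page the browser loads, which is consistent with the pop-ups reported. The following is an added example and not part of the thread or of RogueKiller: a small Python parser for lines in this report format that flags every ProxyServer value pointing at the local machine and collapses the X64/X86 duplicates into one record per hive. The sample lines are constructed; the SIDs are placeholders and the final corporate-proxy entry is made up so the check has a benign case to leave alone.

```python
import re
from collections import defaultdict

# Regex for the RogueKiller "Registry" entries quoted in the thread:
# [Category] (Arch) Key | ValueName : Data  -> STATUS
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+\((?P<arch>X64|X86)\)\s+"
    r"(?P<key>.+?)\s+\|\s+(?P<name>\w+)\s+:\s+(?P<data>.*?)\s+->\s+(?P<status>\w+)\s*$"
)

# Hosts that mean "this machine": a proxy here is a local process in the browsing path.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample in the report format above. The SIDs are placeholders, and the last
# line is a made-up benign corporate proxy so the check has something to leave alone.
SAMPLE_RK_LINES = r"""
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-0000000000-0000000000-0000000000-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8118;https=127.0.0.1:8118  -> FOUND
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-0000000000-0000000000-0000000000-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.corp.example:8080  -> FOUND
"""


def parse_rk_lines(text):
    """Turn report lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        # The hive is the component right after HKEY_USERS\ (a SID or .DEFAULT).
        parts = entry["key"].split("\\")
        entry["hive"] = parts[1] if parts[0] == "HKEY_USERS" and len(parts) > 1 else parts[0]
        entries.append(entry)
    return entries


def proxy_endpoints(data):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.
    Handles both 'host:port' and 'http=host:port;https=host:port' forms."""
    endpoints = []
    for chunk in data.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        scheme, _, hostport = chunk.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no explicit port given
            host, port = hostport, ""
        endpoints.append((scheme or "*", host, port))
    return endpoints


def find_loopback_proxies(entries):
    """Return (hive, scheme, host:port) for every ProxyServer pointing at the local machine."""
    hits = []
    for e in entries:
        if e["name"] != "ProxyServer":
            continue
        for scheme, host, port in proxy_endpoints(e["data"]):
            if host.lower() in LOOPBACK_HOSTS:
                hits.append((e["hive"], scheme, f"{host}:{port}"))
    return hits


def proxy_state_by_hive(entries):
    """Collapse the X64/X86 duplicates into one {enabled, server} record per user hive."""
    state = defaultdict(dict)
    for e in entries:
        if e["name"] == "ProxyEnable":
            state[e["hive"]]["enabled"] = e["data"].strip() == "1"
        elif e["name"] == "ProxyServer":
            state[e["hive"]]["server"] = e["data"].strip()
    return dict(state)


if __name__ == "__main__":
    found = parse_rk_lines(SAMPLE_RK_LINES)
    for hive, scheme, target in find_loopback_proxies(found):
        print(f"loopback proxy in hive {hive}: {scheme} -> {target}")
    for hive, st in proxy_state_by_hive(found).items():
        print(hive, st)
```

The per-hive view matters because the entries for the service accounts (S-1-5-18, S-1-5-19, S-1-5-20) and .DEFAULT show the setting was written machine-wide rather than by one user's hand, and the loopback test separates that from an ordinary configured proxy such as a corporate gateway.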
     
  5. titleistdrivr

    titleistdrivr Private E-2

    When I ran RogueKiller this time, it didn't have any of the lines that you said to delete. It had them the first time I ran it and deleted them as you requested. I attached a new log anyway.

    The machine seems to be running better. I am not seeing the constant popups I was seeing before.
     

    Attached Files:

  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please upload this file to VirusTotal and report the findings:
    C:\Windows\Microsoft\sogr\WindowsUpdater.exe

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :OTL
    IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_dnldstr_14_49_ie&cd=2XzuyEtN2Y1L1Qzu0Bzz0A0CyC0FtC0ByCtCyCyCtCtC0AyCtN0D0Tzu0SzyyDtDtN1L2XzutAtFtDtFtCtDtFtBtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2SyBtBtC0F0FyEyD0AtGyD0E0E0DtG0DyCyC0FtGtCzztAtDtGtD0A0DyC0A0EyBzzyEyB0D0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2StDtDtA0AtByDzyzytG0E0A0AtBtGtByCyEtBtG0D0C0AyDtGyDyBtD0AtAtDtD0E0EtD0E0C2Q&cr=1751637719&ir=
    IE - HKU\.DEFAULT\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_dnldstr_14_49_ie&cd=2XzuyEtN2Y1L1Qzu0Bzz0A0CyC0FtC0ByCtCyCyCtCtC0AyCtN0D0Tzu0SzyyDtDtN1L2XzutAtFtDtFtCtDtFtBtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2SyBtBtC0F0FyEyD0AtGyD0E0E0DtG0DyCyC0FtGtCzztAtDtGtD0A0DyC0A0EyBzzyEyB0D0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2StDtDtA0AtByDzyzytG0E0A0AtBtGtByCyEtBtG0D0C0AyDtGyDyBtD0AtAtDtD0E0EtD0E0C2Q&cr=1751637719&ir=
    IE - HKU\S-1-5-18\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_dnldstr_14_49_ie&cd=2XzuyEtN2Y1L1Qzu0Bzz0A0CyC0FtC0ByCtCyCyCtCtC0AyCtN0D0Tzu0SzyyDtDtN1L2XzutAtFtDtFtCtDtFtBtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2SyBtBtC0F0FyEyD0AtGyD0E0E0DtG0DyCyC0FtGtCzztAtDtGtD0A0DyC0A0EyBzzyEyB0D0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2StDtDtA0AtByDzyzytG0E0A0AtBtGtByCyEtBtG0D0C0AyDtGyDyBtD0AtAtDtD0E0EtD0E0C2Q&cr=1751637719&ir=
    O2:[b]64bit:[/b] - BHO: (LLuckyCCoupOn) - {C9D99360-8F10-5455-E058-0E6B7A1CF052} - C:\ProgramData\LLuckyCCoupOn\WjhX.x64.dll File not found
    [2014/09/23 07:54:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Systweak
    @Alternate Data Stream - 154 bytes -> C:\ProgramData\TEMP:67396145
    @Alternate Data Stream - 152 bytes -> C:\ProgramData\TEMP:89FC8EEB
    @Alternate Data Stream - 152 bytes -> C:\ProgramData\TEMP:52329B88
    @Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:CC7382F6
    @Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:9D2DE4B4
    @Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:CE707633
    @Alternate Data Stream - 148 bytes -> C:\ProgramData\TEMP:84FA02E7
    @Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:B8408597
    @Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:9D03192E
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:7D288858
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:5C4A588B
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:07D9FF25
    @Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:7BB584AA
    @Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:35629AE6
    @Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:C9B27A06
    @Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:97B3B270
    @Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:5E05F78B
    @Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:57173DB4
    @Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:A6B07419
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:2F5A06FD
    @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:2CB9631F
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:99AC3203
    @Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:CF1334B0
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:373E1720
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:D61EB62D
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:AE289451
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:79C6A9CE
    @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:12A012A1
    @Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:F18C0087
    @Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:A1A86E40
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:D2397415
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:7E4E56EA
    @Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:29C0641D
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:3D67D093
    @Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:54531C7D
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:DCA79AB3
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:A9ABA3FF
    :Files
    C:\ProgramData\LLuckyCCoupOn
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9D99360-8F10-5455-E058-0E6B7A1CF052}]
    :commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    Now click the button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

    Attach this log to your next message. (How to attach)

    Describe any remaining malware issues.
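The OTL script above is a removal plan rather than a log: the :OTL section lists search-scope entries redirected to a third-party host, a BHO whose DLL is already gone, and a batch of alternate data streams on C:\ProgramData\TEMP; :Files and :Reg name a folder and a registry key to remove; :commands runs OTL's cleanup actions. It is worth reviewing exactly what such a script will touch before running it. The following Python is an added example, not the thread's or OTL's own code: it splits a fix script into its sections and summarizes the hosts, CLSIDs, streams, paths and registry keys it acts on. The sample script is constructed; its GUID, CLSID, host name, vendor folder and stream names are placeholders, and the `[b]64bit:[/b]` tags are accepted exactly as they appear in the post.

```python
import re
from urllib.parse import urlparse

# Constructed OTL fix script in the layout used in the thread. The GUID, CLSID, host name,
# vendor folder and stream names are placeholders, not the values from the original report.
SAMPLE_FIX = r"""
:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{00000000-0000-0000-0000-000000000001}: "URL" = http://search-hijack.example/results.php?q={searchTerms}&a=placeholder
IE - HKU\.DEFAULT\..\SearchScopes\{00000000-0000-0000-0000-000000000001}: "URL" = http://search-hijack.example/results.php?q={searchTerms}&a=placeholder
O2:[b]64bit:[/b] - BHO: (ExampleCoupon) - {00000000-0000-0000-0000-00000000000A} - C:\ProgramData\ExampleCoupon\x.x64.dll File not found
[2014/09/23 07:54:16 | 000,000,000 | ---D | C] -- C:\ProgramData\ExampleVendor
@Alternate Data Stream - 154 bytes -> C:\ProgramData\TEMP:00000001
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:00000002
:Files
C:\ProgramData\ExampleCoupon
:Reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000000A}]
:commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""

# Optional "[b]64bit:[/b]" tag after the line prefix, as it appears in the forum post.
_64BIT = r"(?::\[b\]64bit:\[/b\])?"
SEARCHSCOPE_RE = re.compile(
    r'^IE' + _64BIT + r' - (?P<hive>\S+?)\\\.\.\\SearchScopes\\(?P<guid>\{[0-9A-Fa-f-]+\}): "URL" = (?P<url>\S+)$'
)
BHO_RE = re.compile(
    r"^O2" + _64BIT + r" - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)(?P<missing> File not found)?$"
)
DIR_RE = re.compile(r"^\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>\S+)\s*\|\s*(?P<flag>\S+)\] -- (?P<path>.+)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$")


def split_sections(script):
    """Group the lines of a fix script under their ':section' headers (keys are lower-cased)."""
    sections, current = {}, None
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def classify_otl_line(line):
    """Identify one :OTL entry; returns (kind, details) or ("other", line)."""
    m = SEARCHSCOPE_RE.match(line)
    if m:
        return "searchscope", {"hive": m["hive"], "guid": m["guid"], "host": urlparse(m["url"]).hostname}
    m = BHO_RE.match(line)
    if m:
        return "bho", {"name": m["name"], "clsid": m["clsid"], "path": m["path"], "missing": m["missing"] is not None}
    m = ADS_RE.match(line)
    if m:
        return "ads", {"path": m["path"], "stream": m["stream"], "size": int(m["size"])}
    m = DIR_RE.match(line)
    if m:
        return "dir", {"path": m["path"], "timestamp": m["ts"].strip()}
    return "other", line


def summarize_fix(script):
    """Collect what the script will act on, grouped by the kind of object it touches."""
    sections = split_sections(script)
    summary = {"search_hosts": set(), "bhos": [], "dirs": [], "ads": {"count": 0, "bytes": 0},
               "files": list(sections.get("files", [])),
               "reg_delete": [], "reg_other": [], "commands": [], "unrecognized": []}
    for line in sections.get("otl", []):
        kind, info = classify_otl_line(line)
        if kind == "searchscope":
            summary["search_hosts"].add(info["host"])
        elif kind == "bho":
            summary["bhos"].append((info["name"], info["clsid"], info["missing"]))
        elif kind == "ads":
            summary["ads"]["count"] += 1
            summary["ads"]["bytes"] += info["size"]
        elif kind == "dir":
            summary["dirs"].append(info["path"])
        else:
            summary["unrecognized"].append(info)
    for line in sections.get("reg", []):
        # The :Reg section follows .reg-file syntax: a leading '-' inside the brackets deletes the key.
        (summary["reg_delete"] if line.startswith("[-") else summary["reg_other"]).append(line.strip("[]-"))
    summary["commands"] = [c.strip("[]") for c in sections.get("commands", [])]
    summary["search_hosts"] = sorted(summary["search_hosts"])
    return summary


if __name__ == "__main__":
    s = summarize_fix(SAMPLE_FIX)
    print("search providers redirected to:", s["search_hosts"])
    print("BHOs (name, CLSID, DLL missing):", s["bhos"])
    print("alternate data streams:", s["ads"])
    print("folders/files to remove:", s["dirs"] + s["files"])
    print("registry keys to delete:", s["reg_delete"])
    print("post-fix commands:", s["commands"])
```

Anything that lands in `unrecognized` is a line the reviewer has to read by hand, which is the point of the preview: the hosts and CLSIDs are what you would look up, and the stream count on C:\ProgramData\TEMP tells you how much of the script is housekeeping rather than the removal of an active component.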
     
  7. titleistdrivr

    titleistdrivr Private E-2

    Everything seems to be working OK.
     

    Attached Files:

  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Can you manually delete these files (Safe Mode if necessary)... in the order given?
    1. C:\Windows\Microsoft\sogr\WindowsUpdater.exe
    2. C:\Windows\Microsoft\sogr
     
  9. titleistdrivr

    titleistdrivr Private E-2

    I booted into Safe Mode and deleted the files in the order you said.
     
  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member


    Good deal! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase it, it provides no protection. It does not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, Win 7/8 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7/8, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
    Safe surfing!
     
  11. titleistdrivr

    titleistdrivr Private E-2

    Thank you for taking time to help. It is always greatly appreciated.
     
  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome and glad to be able to help!

    dr.m
     
