Followed Malware Removal Guide and still having problems please help.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sherris88, Jul 10, 2015.

  1. Sherris88

    Sherris88 Private E-2

    My computer keeps changing the settings to connect using a proxy server no matter how many times I change it back. Also, in Google Chrome after my first search I cannot go to the next page or even make another search; I get a blank page with a little piece of paper in the left corner of the tab at the top. Here are the reports from following the malware removal thread. Having a problem uploading the RogueKiller log as it is in .json format.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi and welcome. :)

    Re-run it again, and click on the report button at the end; it should be a .txt file.
     
  3. Sherris88

    Sherris88 Private E-2

    OK, re-running now.
     
  4. Sherris88

    Sherris88 Private E-2

    RogueKiller log
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run Hitman Pro and have it remove all it finds. Also have it fix the entry on the "Repairs" tab.

    Now re-run RogueKiller (just a scan) and attach the log.
    Same again for Hitman, please.
     
  6. Sherris88

    Sherris88 Private E-2

    Re-ran Hitman.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you have issue with Hitman? It's still finding stuff......
     
  8. Sherris88

    Sherris88 Private E-2

    On a lot of them it said could not delete
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What about on the Repairs tab, could it not deal with that one??
     
  10. Sherris88

    Sherris88 Private E-2

    I'm really not sure. I thought it did; should I run it again?
     
  11. Sherris88

    Sherris88 Private E-2

    I ran it again; it said it repaired the 2 proxy servers and the cookies were deleted. Now running again to see if it still picks anything up. Here is the log from the last scan.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Right, I think we can safely say it cannot deal with what it is finding.... hang in there for a fix. :)
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    But hang on, the latest RogueKiller log shows no proxy entry... run RogueKiller again please just so I can see if it sees it or not. Attach log.
     
  14. Sherris88

    Sherris88 Private E-2

    Ran it again.
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall your antivirus before we continue or this fix may not implement.


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    
    [HKEY_USERS\S-1-5-21-521916397-739644250-3185766717-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    "DefaultConnectionSettings"=-
    "SavedLegacySettings"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxySettingsPerUser"=dword:00000000 
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    • Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Now reboot the machine and re-run both Hitman and RogueKiller (just scans) and attach logs.
     
  16. Sherris88

    Sherris88 Private E-2

    Done
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you uninstall Norton antivirus as requested? The fix failed. :( We'll need to try again.
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Plus you forgot to attach the last requested MGlogs.zip
     
  19. Sherris88

    Sherris88 Private E-2

    Yes, I uninstalled Norton. How do I get the log I missed? :( Should I try again?
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes as stated previously just run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited by a moderator: Jul 12, 2015
  21. Sherris88

    Sherris88 Private E-2

    OK, running the MG tools now, sorry.
     
  22. Sherris88

    Sherris88 Private E-2

    MG log
     

    Attached Files:

  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-521916397-739644250-3185766717-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-521916397-739644250-3185766717-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-521916397-739644250-3185766717-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:64550;https=127.0.0.1:64550 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-521916397-739644250-3185766717-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:64550;https=127.0.0.1:64550 -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Now re-run Hitman Pro (just a scan) and attach the log.
    Same for RogueKiller.
     
  24. Sherris88

    Sherris88 Private E-2

    Yes, I got a success message. I am running RogueKiller now.
     
  25. Sherris88

    Sherris88 Private E-2

    Here is the first RogueKiller log before restart. I have restarted and ran Hitman; running the second scan of RogueKiller now.
     

    Attached Files:

  26. Sherris88

    Sherris88 Private E-2

    logs
     

    Attached Files:

  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am seeking advice from colleagues. Hang in there.
     
  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    One more thing to try whilst we wait on advice.....

    Reboot your machine into SAFE MODE and repeat the RogueKiller fix for those proxy entries. (See post #23)
    • Now immediately reboot your pc back into normal mode.
    • Run a new scan with RogueKiller (just a scan) and attach log.
    • Also do this: Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  29. Sherris88

    Sherris88 Private E-2

    I ran RogueKiller in safe mode and it didn't show the proxy ones, so then I restarted in normal mode and ran RogueKiller and MGtools, and RogueKiller brought up the proxy ones. Here are the logs from the scans in normal mode.
     

    Attached Files:

  30. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The below takes a long time to run, so whilst it's doing so go off and do something else for a while.

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, re-run RogueKiller once more and attach the log.
     
  31. Sherris88

    Sherris88 Private E-2

    Ran the Windows Repair and checked all boxes, except I couldn't find the box that said Repair Winsock & DNS Cache. Here is the log from RogueKiller.
     

    Attached Files:

  32. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try following these instructions and then re-running RogueKiller and attaching the log once again, please.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What Kestrel13! is asking you to do with these instructions is to make sure that you check each browser ( IE, FireFox, and Chrome ) and remove any proxy settings if there are any.

    Also you should inform Kestrel13! whether there actually were any proxy configurations seen when you do this.
     
  34. Sherris88

    Sherris88 Private E-2

    So I checked, and Firefox and Chrome have a proxy, but IE does not. I was going to try and just factory reset my computer and skip all this, but when I tried to factory reset Windows 8 it said it could not reset and something about a missing partition. Uggghh. If we can just figure out how to reset to factory settings, would that fix my problem?
     
  35. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's deal with Google Chrome first....

    Uninstall the below using Revo Uninstaller

    • Google Chrome
    • Google Update Helper

    Reboot the machine.... rescan with RogueKiller (no need to attach log) Does it still find proxy entries?? Let us know.
     
  36. Sherris88

    Sherris88 Private E-2

    Uninstalled Chrome using the program, and it still shows the proxy when I run RogueKiller.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Resetting to factory condition is not an easier solution than just fixing the problem with Chrome and Firefox having a proxy setup. You should just follow the instructions to remove the proxy.


    And with respect to Kestrel13!'s proposal to uninstall Chrome, this may be overkill too and there is a risk that it will not fix the problem unless all the Chrome related files are deleted first before reinstalling. Otherwise you could just restore the same settings.
    Easier solution is to remove the proxy as stated. Also a reset to defaults may be easier if it works to remove the proxy. It is still better than losing all settings and possibly all bookmarks.

    And just removing Chrome does not remove the proxy for Firefox which means the registry items shown in RogueKiller may still be there until both are fixed.
     
  38. Sherris88

    Sherris88 Private E-2

    I did uninstall Chrome and then ran RogueKiller, and it is still showing the proxies. How do I remove them?
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kestrel13! gave you a link in message # 32.
     
  40. Sherris88

    Sherris88 Private E-2

    And I followed that and am still having issues.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After following those instructions to remove the proxy settings from both Firefox and Chrome, did you then restart each browser to check whether the proxy values came back in the browser itself? Please let me know.

    If the proxy settings did come back, then it is time to back up your bookmarks for both Firefox and Chrome and then uninstall them. After uninstalling them, please do not reinstall until requested. Just use IE for now. First we need to clean up folders and files from them, and also we need to clear out the proxy issue as seen in RogueKiller too.

    So after uninstalling both Firefox and Chrome, continue with the below.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:64550;https=127.0.0.1:64550

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Services
    gupdatem
    gupdate
     
    :Files
    C:\Users\sherr_000\AppData\Roaming\Mozilla\Firefox
    C:\Users\sherr_000\AppData\Local\Google\Chrome
    C:\Program Files (x86)\Google\Chrome
    C:\Program Files (x86)\Mozilla Firefox
    C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    C:\ProgramData\ParetoLogic
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    C:\Program Files (x86)\Mozilla Firefox
    C:\Program Files (x86)\Mozilla Maintenance Service
    C:\Users\sherr_000\AppData\Local\Temp\*.*
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins]
     
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "GoogleChromeAutoLaunch_F4C69A64F16D2C30A616E8A6BF5F604F"=-
    [HKEY_USERS\S-1-5-21-521916397-739644250-3185766717-1002\Software\Microsoft\Windows\CurrentVersion\run]
    "GoogleChromeAutoLaunch_F4C69A64F16D2C30A616E8A6BF5F604F"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now rerun RogueKiller. If those proxy items exist, fix them again and then reboot immediately. Get a new log from RogueKiller after reboot so we can see if they are gone.
    If the proxy items were already gone then just tell me.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jul 15, 2015
  42. Sherris88

    Sherris88 Private E-2

    Followed instructions, but something was wrong with HijackThis. I have attached logs.
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You got that message from HijackThis because you did not run it as administrator.

    Did you fix the proxy items in RogueKiller and then reboot and get the new log that you attached? Or was that log from before fixing and rebooting?

    Also note that you are not running C:\MGtools\GetLogs.bat as requested to get new MGlogs.zip files. You keep running this C:\Users\sherr_000\Desktop\MGtools.exe
    Please delete this file from your Desktop now so that you do not try to run it anymore.
     
  44. Sherris88

    Sherris88 Private E-2

    Yes, I fixed the proxy in RogueKiller and rebooted, and that is the log I attached. That was the only MGtools I have; which one am I supposed to use?
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not supposed to run MGtools.exe anymore. My last instructions said so. ;)
    Okay, let me work on another attempt to fix this now that Chrome and Firefox are gone.

    First while I prepare a fix, run the same Windows Repair fix Kestrel13! gave you last time. Don't worry about the Repair Winsock & DNS Cache item you could not find.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay if you have completed the Windows Repair step from my last message then continue on with the below.

    Please follow the instructions below in the order written.

    Copy the bold text below to notepad. Save it as proxyfix.reg to your desktop. Be sure the "Save as" type is set to "all files". We are only saving this to your Desktop at this time. We will use it later. Make sure that it shows up on your desktop as a registry patch. Notice the icon.
    Now please uninstall any antivirus program that you may have. If you cannot uninstall it or do not have one installed then continue on with the next steps anyway!! Keep it uninstalled until requested to reinstall.

    Now reboot your PC into safe boot mode.


    Once in safe boot mode, click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the proxyfix.reg file saved to your Desktop and double click it. Allow it to be added to the registry. Please observe whether you receive a success message and confirm to me later that you had success or not.
    • You can exit the Registry Editor now.
    Now right click on RogueKiller.exe and select Run As Administrator and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that still exist and then click the Delete button.

    Then immediately reboot your PC. But this time reboot into normal boot mode.

    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new RogueKiller log
    • C:\MGlogs.zip
     
  47. Sherris88

    Sherris88 Private E-2

    Regedit was successful. I ran RogueKiller in safe mode and it did not bring up the proxy entries, but when I rebooted in normal mode and ran it they showed up again. Here are the logs you requested.
     

    Attached Files:

  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Very interesting! This makes it sound like some software that you are running is adding the proxy. And the software does not run in safe boot mode.

    Please boot into safe boot mode again and run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then reboot in normal mode and attach the new C:\MGlogs.zip


    But a question comes to mind. Do you run Skype thru some kind of proxy?
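    As an added diagnostic (not part of this thread or any MajorGeeks tool) tying together the RogueKiller detections in post #23 and the safe-mode observation above: this PowerShell script reads the WinINET proxy values from HKLM and every loaded user hive, flags any proxy pointed at 127.0.0.1 (as the 127.0.0.1:64550 entries were), looks up which process is listening on that port, and keeps polling so a re-added entry is timestamped. It assumes Windows 8 or later (for Get-NetTCPConnection) and an elevated prompt; the function names and poll interval are my own choices.

```powershell
# Audit WinINET proxy settings in every loaded registry hive and, for any
# proxy that points at the local machine, identify the listening process.
# Added example; assumes Windows 8+ and an elevated PowerShell session.

$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyHivePaths {
    # HKLM (native and WOW64 views) plus every user hive currently loaded,
    # which is where RogueKiller reported the PUM.Proxy entries.
    $paths = @("HKLM:\SOFTWARE\$subKey", "HKLM:\SOFTWARE\Wow6432Node\$subKey")
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem 'HKU:\' | ForEach-Object { $paths += "HKU:\$($_.PSChildName)\$subKey" }
    $paths
}

function Get-ProxyState {
    foreach ($p in Get-ProxyHivePaths) {
        if (-not (Test-Path $p)) { continue }
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive        = $p
            ProxyEnable = $v.ProxyEnable
            ProxyServer = $v.ProxyServer
            AutoConfig  = $v.AutoConfigURL
        }
    }
}

function Get-LocalProxyPorts([string]$proxyServer) {
    # "http=127.0.0.1:64550;https=127.0.0.1:64550" -> 64550 (deduplicated)
    if (-not $proxyServer) { return @() }
    $ports = foreach ($part in $proxyServer -split ';') {
        $hostPort = ($part -split '=')[-1]
        if ($hostPort -match '^(127\.0\.0\.1|localhost):(\d+)$') { [int]$Matches[2] }
    }
    $ports | Sort-Object -Unique
}

function Find-PortOwner([int]$port) {
    # Map a listening local port to the process (and image path) that owns it.
    Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $port; PID = $_.OwningProcess
                               Name = $proc.ProcessName; Path = $proc.Path }
        }
}

function Watch-ProxyChanges([int]$seconds = 300, [int]$interval = 10) {
    # Poll the hives: a proxy that is absent in safe mode but reappears in
    # normal mode shows up here with a timestamp, and the port owner names
    # the likely culprit.
    $last = ''
    $deadline = (Get-Date).AddSeconds($seconds)
    while ((Get-Date) -lt $deadline) {
        $state = Get-ProxyState | Where-Object { $_.ProxyEnable -eq 1 -or $_.ProxyServer }
        $snapshot = ($state | ForEach-Object { "$($_.Hive)=$($_.ProxyServer)" }) -join '|'
        if ($snapshot -ne $last) {
            "$(Get-Date -Format s) proxy state changed:"
            $state | Format-Table -AutoSize | Out-String
            foreach ($s in $state) {
                foreach ($port in Get-LocalProxyPorts $s.ProxyServer) { Find-PortOwner $port }
            }
            $last = $snapshot
        }
        Start-Sleep -Seconds $interval
    }
}

Get-ProxyState | Format-Table -AutoSize
Watch-ProxyChanges -seconds 120
```

Run it once in normal mode after a clean boot; the first change report after the proxy reappears, together with the listener on that port, points at the software re-adding it.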
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wait....... I think it may be due to the SmartApp software you are running. Do you really need this? Or can you at least try uninstalling it for a while to see if it is the cause of the proxy setting? Then you can decide whether you need the software or not later.
     
  50. Sherris88

    Sherris88 Private E-2

    No, I do not run Skype through a proxy; I just installed it a few days ago to talk to my brother. I can actually delete it. The SmartApp is an app that is earning me money. I would be willing to try and uninstall it to see if that is the problem, though. I am going to go into safe mode and run the application you requested now.
     
