1. JGonz10

    JGonz10 Private E-2

    Hello Major Geeks,

    First off I want to say thanks for the dedicated service that you guys provide. It has helped me multiple times in the past. :)

    I'm in need of help once again. My friend has been having some issues with her computer recently so I offered to have a look at it. It appears "Trovi" has taken over her browser homepage in Google Chrome and Internet Explorer. She's been getting a lot of pop ups and has never used an antivirus program until I suggested one a couple of days ago. I ran through the malware removal guide and attached the logs below. I noticed some issues but I need some expert advice to guide me from here. Thanks in advance. :)
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. Are you deliberately set up to use a proxy?
     
  3. JGonz10

    JGonz10 Private E-2

    Hi Kestrel13,

    When I received the computer from my friend I was having problems connecting to the internet. In Google Chrome when I tried to log on any site it would say "Unable to connect to the proxy server" and in Internet Explorer it was saying "The proxy server isn't responding". So I changed the proxy settings by deselecting "use a proxy server for your LAN" and then selected "Automatically detect settings".
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\odbctspkgx64.exe (C:\Users\Faithy\AppData\Local\odbctspkgx64\odbctspkgx64.exe) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RfButtonDriverService (C:\Windows\RfBtnSvc64.exe) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\odbctspkgx64.exe (C:\Users\Faithy\AppData\Local\odbctspkgx64\odbctspkgx64.exe) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RfButtonDriverService (C:\Windows\RfBtnSvc64.exe) -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50359;https=127.0.0.1:50359 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50359;https=127.0.0.1:50359 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1213344256-1307908099-2331998132-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:12642 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-1213344256-1307908099-2331998132-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:12642 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50359;https=127.0.0.1:50359 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50359;https=127.0.0.1:50359 -> Found
    • [PUP.Ask?PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1213344256-1307908099-2331998132-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.trovi.com/?gd=&ctid=CT33...=SP56E9D28D-2550-402C-9297-EB946B94C27D&SSPV= -> Found
    • [PUP.Ask?PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1213344256-1307908099-2331998132-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.trovi.com/?gd=&ctid=CT33...=SP56E9D28D-2550-402C-9297-EB946B94C27D&SSPV= -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Re-run Hitman Pro and have it remove all it finds.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    Now re-run RogueKiller (just a scan) and attach log.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
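    The RogueKiller detections above fall into three patterns: a WinINET proxy forced onto a loopback port (ProxyEnable = 1 with ProxyServer = 127.0.0.1:<port>) in the .DEFAULT and S-1-5-18 hives, which are the LocalSystem context, so the setting affects services as well as the user's browsers; an IE Start Page pointing at trovi.com; and services whose ImagePath lives under a user's AppData\Local folder rather than Program Files or System32. The script below is an added, read-only example, not RogueKiller's code or part of the MajorGeeks procedure, that walks every loaded user hive and the Services key and reports the same three patterns, so the result of the fix can be verified independently of the tool's log. It assumes an elevated PowerShell session; the only constructed inputs are the hijacker domain list (taken from the Start Page entries above) and the AppData path pattern.

```powershell
# Added example for this thread (not RogueKiller's code): read-only audit of the
# registry locations flagged in the log above. Run from an elevated prompt so
# the S-1-5-18 and other non-current user hives are readable.

$HijackerDomains = @('trovi.com')   # assumption: domains taken from the Start Page detections

# HKEY_USERS is not mapped as a drive by default; map it so every loaded hive
# (.DEFAULT, S-1-5-18, S-1-5-21-*) is covered, not just HKCU.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Category, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Detail = $Detail })
}

foreach ($hive in (Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue)) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }   # per-user COM hives carry no Internet Settings

    # 1. WinINET proxy. ProxyEnable=1 plus a ProxyServer on 127.0.0.1 is the
    #    pattern in the log: traffic is routed through a local listener, and once
    #    that listener is gone the browser reports "Unable to connect to the proxy server".
    $inet = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (Test-Path $inet) {
        $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
        if ($p.ProxyEnable -eq 1 -or $p.ProxyServer) {
            $tag = if ($p.ProxyServer -match '127\.0\.0\.1|localhost') { 'PUM.Proxy (loopback)' } else { 'PUM.Proxy' }
            Add-Finding $tag $inet "ProxyEnable=$($p.ProxyEnable) ProxyServer=$($p.ProxyServer)"
        }
    }

    # 2. IE start page pointing at a known hijacker domain.
    $main = "HKU:\$sid\Software\Microsoft\Internet Explorer\Main"
    if (Test-Path $main) {
        $start = (Get-ItemProperty -Path $main -ErrorAction SilentlyContinue).'Start Page'
        foreach ($d in $HijackerDomains) {
            if ($start -and $start -match [regex]::Escape($d)) {
                Add-Finding 'PUM.HomePage' $main "Start Page=$start"
            }
        }
    }
}

# 3. Services whose binary lives inside a user profile. Legitimate services
#    install under Program Files or System32; an ImagePath under
#    C:\Users\<name>\AppData\Local matches the [Suspicious.Path] entries above.
#    (Pattern is an assumption; widen it if your environment differs.)
foreach ($svc in (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue)) {
    $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match '(?i)\\Users\\[^\\]+\\AppData\\') {
        Add-Finding 'Suspicious.Path' $svc.Name "ImagePath=$img"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No proxy, home-page or user-profile service indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

    The script only reads; removal stays with RogueKiller as the thread instructs. Running it once before and once after the Delete step gives a before/after listing that does not depend on the RKreport file, and a run that prints the "No ... indicators found" line is the same check a later post in the thread asks for when it says the log is clean.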
     
  5. JGonz10

    JGonz10 Private E-2

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I would like for you to uninstall your antivirus (AVG 2015) before we continue or it will just hinder our fix. . . Do not reinstall until I say. Once done, REBOOT the machine!!


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50359;https=127.0.0.1:50359 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50359;https=127.0.0.1:50359 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50359;https=127.0.0.1:50359 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:50359;https=127.0.0.1:50359 -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Reboot the machine again.
    Now rescan with RogueKiller and attach log.
     
  7. JGonz10

    JGonz10 Private E-2

    I removed AVG 2015 as per your request. I also received an error message after I tried to add fixME.reg to the registry. It said "Cannot import C:\Faithy\Desktop\fixME.reg: Error accessing the registry."
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And delete this:

    C:\Users\Faithy\AppData\Local\nsb91C.tmp
     
  10. JGonz10

    JGonz10 Private E-2

    In your previous post you said:

    "Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work."

    I did not receive a success message. I received an error message when I tried adding the fixME.reg to the registry. It said:

    "Cannot import C:\Faithy\Desktop\fixME.reg: Error accessing the registry."

    And "Trovi" is still hijacking the browser in Google Chrome.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well, your latest RogueKiller log was CLEAN. Check for yourself. No sign of the proxy at all! :)



    OK, so let's rip out Chrome and all its components; this is usually the best way to deal with it. I constantly find Google Chrome to be too weak, IE lets in more garbage than I see in other browsers.

    Uninstall the below with Revo Uninstaller please.

    • Google Chrome
    • Google Update Helper

    • Reboot the machine.
    • Reinstall Google Chrome if you still wish to use it.
    • Now let me know how it is behaving!
     
  12. JGonz10

    JGonz10 Private E-2

    I just thought that "Trovi" still might be lurking somewhere since RogueKiller detected it the first time I ran the scan when I was just getting logs and didn't take any action. Then when you asked me to remove it, I ran RogueKiller the second time and it didn't detect it.

    I used Revo Uninstaller to uninstall Google Chrome and decided not to reinstall it. Everything seems to be fine now. Which browser do you recommend?
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Personally, I use Mozilla Firefox. :)
     
  14. JGonz10

    JGonz10 Private E-2

    Alright thanks. Should I move on to the final steps now?
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. Yes indeed follow final steps now. :)
     
  16. JGonz10

    JGonz10 Private E-2

    Thanks a lot Kestrel13! for all your help :)
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are *most* welcome. :)
     
