Trojan.Gen.SMH removal assistance. Logs attached

Hi and welcome!

May I begin by asking you if you are deliberately set up to use a proxy or not?

 

@JReesh

 

Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

• [Hj.Name|Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-407668556-3109764396-3965425102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows | Load : C:\Users\JASONR~1\AppData\Local\Temp\csrss.exe -> FOUND
• [Hj.Name|Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-407668556-3109764396-3965425102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows | Load : C:\Users\JASONR~1\AppData\Local\Temp\csrss.exe -> FOUND
• [RegVal.Brok] (X64) HKEY_CLASSES_ROOT\.exe\shell\open\command | : No Data ->
• [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-407668556-3109764396-3965425102-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.yahoo.com/?type=937811&fr=spigot-yhp-ie -> FOUND
• [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-407668556-3109764396-3965425102-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://search.yahoo.com/?type=937811&fr=spigot-yhp-ie -> FOUND

Place a checkmark next to each of these items, leave the others unchecked.
Now press the Delete button.

...and do the same on the Tasks tab for these entries:

• [Suspicious.Path] \\65c4673c -- C:\Users\JASONR~1\AppData\Local\Temp\\setup1571283496.exe -> FOUND
• [Suspicious.Path] \\IHUninstallTrackingTASK -- CMD (/C DEL C:\Users\JASONR~1\AppData\Local\Temp\IHU36C8.tmp.exe) -> FOUND

When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.




Please re run Hitman Pro and have it remove all that it finds.


Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the area. Do not include the word Code.

Code:

:Files
C:\Windows\SysNative\drivers\xqyrj.sys
C:\Users\JASONR~1\AppData\Local\Temp\csrss.exe
C:\Users\JASONR~1\AppData\Local\Temp\setup1571283496.exe
C:\Users\JASONR~1\AppData\Local\Temp\IHU36C8.tmp.exe

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.





Download Cleano 0.61

Download it to your desktop, Right click the cleano.exe file and run as admin > and place check marks in the boxes as follows (click on link below to see image)

View attachment 148092
Click clean now and exit the program.



Now re run RogueKiller (just a scan) and attach log.
Same for Hitman.


Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

Good morning. How are things running at this point?

 

Hmm, download Ccleaner Slim, http://www.majorgeeks.com/files/details/ccleaner_slim.html and run it. Do not use the registry scanner, just the cleaner side of things.

Let a day go by, and return back, let me know if symantec keeps finding those.

 

Private Internet Access Support Files is installed. This is why MBAM alerts you to rubyw.exe.

I would like to see a log from Symantec please showing what it finds.

 

Sigh. Then just simply jot down EXACTLY the name of a few files, and their exact file paths please.

 

Could you please zip up a couple and attach them here for me to look at.

 

How do you feel about temporarily disabling your AV for a little while? Then perhaps you can take a look into the temp folder where those files were reported and see if they then exist to zip up and attach here. I'll explain how once you let me know there are any.

Otherwise there's this which looks complicated.

http://support.moonpoint.com/security/antivirus/symantec/quarantine-vbn.php

 

Right, I downloaded those to my desktop. My antivirus did not alert. And when I studied the files, I can see they relate to adaware antivirus or browsing protection. Which brings up exclamation marks (sorry I did not notice before) You should NOT be using more than one antivirus!! This is why there's a problem, and why symantec keeps quarantining. They are both fighting for control over files and such as. Clashing with each other.

Uninstall Adware Antivirus now if Symantec is paid for.

 

You uninstalled both? :confused

• Ad-Aware Antivirus
• Ad-Aware Browsing Protection

 

You are most welcome.