mixidj hijacking / can't access Google

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by noavatars, Jul 31, 2013.

  1. noavatars

    noavatars Private E-2

    SYMPTOMS:

    1. Cannot open gmail from any browser (IE8, Firefox, or Chrome). From all browsers, I get this message:
    Your browser's cookie functionality is turned off. Please turn it on. [?]
    I made sure that cookies _were_ enabled on all my browsers, but the error persists.
    Google Chrome has an even more ominous message when I try to reach Gmail:
    The server's security certificate is revoked!
    You attempted to reach gmail.com, but the certificate that the server presented has been revoked by its issuer. This means that the security credentials the server presented absolutely should not be trusted. You may be communicating with an attacker.
    You cannot proceed because the website operator has requested heightened security for this domain.

    2. My browser was hijacked by mixidj, as well as my new tab default pages. I found that an add-on called "Trustworthy" (how ironic) had been installed without my knowledge. Search engines had also been installed for search.conduit.com. I uninstalled everything I could and restored my original home pages, and I am holding my breath, hoping they don't resurface. I don't need any immediate assistance with #2, but I thought you might need to know.

    3. The computer seems slow and sluggish in general.

    This started about one week ago, when someone else who uses this computer installed cheatengine for use with JFK Reloaded. He SWEARS that he DE-selected the option to change the browser and search settings (and another person who was there confirmed it), but the settings were changed anyway.

    I ran all the recommended scans and will attach my logs herein.

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall Search Protect by conduit. Move onto the next fix where these items may or may not show now:

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 4 detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Owner\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1007\[...]\Run : SearchProtect (C:\Documents and Settings\Owner\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1008\[...]\Run : SearchProtect (C:\Documents and Settings\Noah\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1010\[...]\Run : SearchProtect (C:\Documents and Settings\Sarahh\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.

    Rerun TDSSKiller, just a scan and attach the log.

    Rerun Hitman and have it delete Malware remnants.



    Delete these if they show:

    • C:\Documents and Settings\Owner\Local Settings\Application Data\lqa21by28au6qjbiowoc085355e2rub413l57ghbbl0
    • C:\Documents and Settings\Owner\Application Data\PriceGong
    • C:\Documents and Settings\Owner\Application Data\SearchProtect
    • C:\Documents and Settings\Owner\Templates\lqa21by28au6qjbiowoc085355e2rub413l57ghbbl0

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, check to see if your firewall is working.

    Please download Junkware Removal Tool to your desktop.
    • Please save the work in your browsers before proceeding.
    • Double-click JRT.exe to run (Vista/7 right-click and select Run as Administrator)
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Please attach JRT.txt to your next message. (See: HOW TO: Attach Items To Your Post )


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  3. noavatars

    noavatars Private E-2

    1. Uninstall Search Protect by conduit.
    [NOAVATARS] DONE

    2. Now click the Registry tab and locate these 4 detections:
    [RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Owner\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1007\[...]\Run : SearchProtect (C:\Documents and Settings\Owner\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1008\[...]\Run : SearchProtect (C:\Documents and Settings\Noah\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1010\[...]\Run : SearchProtect (C:\Documents and Settings\Sarahh\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND

    [NOAVATARS] I deleted all that I could find. Logs are attached (I am not sure why I have two logs)

    3. Rerun TDSSKiller, just a scan and attach the log.
    [NOAVATARS] DONE

    4. Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop. Now run Repair_Windows.exe.
    [NOAVATARS] DONE

    5. After reboot, check to see if your firewall is working.
    [NOAVATARS] DONE. Firewall seems to be working fine.

    6. Please download Junkware Removal Tool to your desktop. Please save the work in your browsers before proceeding. Double-click JRT.exe to run.
    [NOAVATARS] DONE. Log attached.

    7. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
    [NOAVATARS] DONE. Log attached.

    8. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    [NOAVATARS] When I first started these steps, the system was basically trashed. "System Care Antivirus" had been installed, and a desktop shortcut had been installed for it. As soon as I would boot up, the system would begin "scanning" and finding all sorts of viruses. Anytime I tried to launch anything, the "antivirus" program would tell me the executable was corrupted. I had to login as another user just to run the roguekiller. Soon, that other user's profile was corrupted in the same way, however.

    Eventually I tried to run it in safe mode, but I was not able to see the "Scan" button and I couldn't get to it by dragging the mouse or tabbing over!

    Another desktop shortcut was installed for "Internet security pro", and both shortcuts are still there.

    The Windows Repair seemed to turn the system around. I don't know if it's totally perfect, but after I ran this, I was able to login, browse the internet (including Google and Gmail!) and run scans.

    How do the logs look?
    -Noavatars

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Loads more to do, but hopefully this is a more complete fix and should nail most if not all of it.


    Before we continue, I would like for you to uninstall Limewire for the duration of this fix. Thanks. ;)

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections if they show:

    • [RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Noah\Application Data\SearchProtect\bin\cltmng.exe
    • [RUN][SUSP PATH] HKCU\[...]\Run : Internet Security (C:\Documents and Settings\All Users\Application Data\wmdefender.exe
    • [RUN][SUSP PATH] HKLM\[...]\Run : mdlile ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner\Application Data\mdlile.dll",ExecCodeModuleEx
    • [RUN][SUSP PATH] HKLM\[...]\Run : ladsv ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner\Application Data\ladsv.dll",Clear
    • [RUN][SUSP PATH] HKUS\S-1-5-19\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
    • [RUN][SUSP PATH] HKUS\S-1-5-20\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1008\[...]\Run : SearchProtect (C:\Documents and Settings\Noah\Application Data\SearchProtect\bin\cltmng.exe
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1008\[...]\Run : Internet Security (C:\Documents and Settings\All Users\Application Data\wmdefender.exe
    • [RUN][SUSP PATH] HKUS\S-1-5-19\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
    • [RUN][SUSP PATH] HKUS\S-1-5-20\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
    • [V1][SUSP PATH] {9CC1B3F4-4953-460D-BE09-BF869E905BBE}.job : C:\Documents and Settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe
    • [V1][SUSP PATH] {5A1A8BCE-95E8-4605-849E-E1D17C3C634D}.job : C:\Documents and Settings\Owner\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the yellow bar (the Paste List of Files/Folders to Move area). Do not include the word Code.

    Code:
    :Files
    C:\Documents and Settings\Owner\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad
    C:\Documents and Settings\Noah\Application Data\SearchProtect
    C:\Documents and Settings\All Users\Application Data\wmdefender.exe 
    C:\Documents and Settings\Owner\Application Data\mdlile.dll
    C:\Documents and Settings\Owner\Application Data\ladsv.dll
    C:\Documents and Settings\All Users\Application Data\E0F640D56D1343F40000E0F55FE4482F
    C:\Documents and Settings\Owner\Desktop\System Care Antivirus
    C:\Documents and Settings\All Users\Desktop\Internet Security Pro.lnk
    C:\Documents and Settings\Owner\Start Menu\Programs\System Care Antivirus
    C:\WINDOWS\system32\drivers\36108030.sys
    C:\WINDOWS\system32\drivers\56624428.sys
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document into a text file and attach it here in your next post.


    • Run Ccleaner, not the reg scanner just the cleaner itself to be rid of temp files.
    • Rescan again with RogueKiller, (just a scan) and attach that log too.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  5. noavatars

    noavatars Private E-2

    Here you go. Looking better, but not 100% yet I don't think.

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\Owner\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-19\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-20\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1007\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\Owner\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKCU\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\Owner\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-19\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-20\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1007\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\Owner\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKCU\[...]\Run : afbabeaebbcbad (C:\Documents and Settings\Owner\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-3091199535-1605197292-2987400933-1007\[...]\Run : afbabeaebbcbad (C:\Documents and Settings\Owner\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [SERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{4e0d156a-61a6-140b-0b7c-bc3f827ac6e6}\ \ \???ﯹ๛\{4e0d156a-61a6-140b-0b7c-bc3f827ac6e6}\GoogleUpdate.exe" < [x]) -> FOUND
    • [SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{4e0d156a-61a6-140b-0b7c-bc3f827ac6e6}\ \ \???ﯹ๛\{4e0d156a-61a6-140b-0b7c-bc3f827ac6e6}\GoogleUpdate.exe" < [x]) -> FOUND
    • [SERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{4e0d156a-61a6-140b-0b7c-bc3f827ac6e6}\ \ \???ﯹ๛\{4e0d156a-61a6-140b-0b7c-bc3f827ac6e6}\GoogleUpdate.exe" < [x]) -> FOUND
    • [HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
    • [HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
    • [HID SVC][Hidden from API] HKLM\[...]\CS002\[...]\Services : . e () -> FOUND
    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for these on the file/folder tab...
    • [ZeroAccess][File] Desktop.ini : C:\WINDOWS\assembly\GAC\Desktop.ini [-] --> FOUND
    • [ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)


    Re run RogueKiller yet again (just a scan) and attach that log too.
     
    Last edited: Aug 9, 2013
  7. noavatars

    noavatars Private E-2

    I ran RogueKiller and deleted the items you requested. I wasn't quite sure if I could delete the registry items and file/folder items together, so I did them separately. The logs are attached. Not sure how I wound up with 4 logs, but here they are.

    I downloaded Farbar as you requested, but I could not enter System Recovery Options, because the option wasn't available. I did some research online and apparently this option does not exist on WinXP!

    Anyway, in the midst of trying to find the System Recovery Options, I rebooted my system, only to find my PC locked with the Interpol "warning" taking up the whole screen. The only way I am able to send you this message is by logging in as another user, and I have no idea how long it will work, so please help me when you can! Things seem to have gotten 10 times worse!!

  8. noavatars

    noavatars Private E-2

    After some further research, I found that I could run FRST.exe by creating a PE CD and booting to that. Once I did so, I was able to run FRST and get the logs you requested. They are attached.

    Please reply when you can.

  9. noavatars

    noavatars Private E-2

    Sorry for the multiple replies, but I logged in as the other user and ran roguekiller as you requested. Here is the log.

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  11. noavatars

    noavatars Private E-2

    Ran the Kaspersky thing and the Interpol page is gone for now.

    Here's another RK log.

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    - So... go into this account and run RK:

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKUS\S-1-5-19\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-20\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-19\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-20\[...]\RunOnce : Adobe CSS5.1 Manager (C:\Documents and Settings\NetworkService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) ->
    • [HJ DLL][SUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\DOCUME~1\ALLUSE~1\APPLIC~1\Internet.exe [x]) -> FOUND
    • [HJ DLL][SUSP PATH] HKLM\[...]\CS001\[...]\Parameters : ServiceDll (C:\DOCUME~1\ALLUSE~1\APPLIC~1\Internet.exe [x]) -> FOUND
    • [HJ DLL][SUSP PATH] HKLM\[...]\CS002\[...]\Parameters : ServiceDll (C:\DOCUME~1\ALLUSE~1\APPLIC~1\Internet.exe [x]) -> FOUND

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.

    ...same for this item on the start up entries tab:

    • [Owner][SUSP PATH] tenretnI.lnk : C:\Documents and Settings\Owner\Start Menu\Programs\Startup\tenretnI.lnk @C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Internet.exe,OKL00 [-][7][-] -> FOUND

    and finally...same for this entry on the file/folder tab:

    • [ZeroAccess][File] Desktop.ini : C:\WINDOWS\assembly\GAC\Desktop.ini [-] --> FOUND
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    • Reboot the machine.
    • Re run RogueKiller again now on this account (just a scan) and attach log.
    • Explain how things are running.
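The RogueKiller registry-tab lines Kestrel13! quotes across these posts share a few tells a defender can check mechanically: Run/RunOnce images living under a user profile, rundll32 loading a DLL out of Application Data, a ServiceDll value that points at an .exe, and autoruns sitting in the LocalService (S-1-5-19) and NetworkService (S-1-5-20) hives, accounts that never log on interactively. The Python script below is an added example, not part of this thread and not RogueKiller's own code; it parses a handful of constructed lines modelled on the ones quoted above (including one benign Program Files entry that should not fire) and tags each with the reasons it looks suspicious. The function names, the heuristics and the sample lines are all my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (hypothetical, modelled on the RogueKiller lines quoted in the
# thread). The last line is a benign-looking Program Files entry added so the heuristics
# have something they should NOT flag; RogueKiller would not normally list such an entry.
SAMPLE_LOG = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Owner\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : mdlile ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner\Application Data\mdlile.dll",ExecCodeModuleEx [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-19\[...]\Run : Adobe CSS5.1 Manager (C:\Documents and Settings\LocalService\Local Settings\Application Data\a256fb97-162a-4558-be23-08ae4bbcb195ad\afbabeaebbcbad.exe [-]) -> FOUND
[HJ DLL][SUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\DOCUME~1\ALLUSE~1\APPLIC~1\Internet.exe [x]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : VendorUpdater (C:\Program Files\Vendor\updater.exe [7]) -> FOUND
"""

# One registry-tab detection line, in the shape quoted in the thread:
#   [CATEGORY][FLAG] <hive\...\key> : <value name> (<command> [marker]) -> FOUND
LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]*)\]\[(?P<flag>[^\]]*)\]\s+(?P<key>\S+)\s+:\s+"
    r"(?P<name>.+?)\s+\((?P<cmd>.*)\)\s+->\s+FOUND\s*$"
)
TRAIL_MARK_RE = re.compile(r"\s\[[^\]]*\]$")           # trailing " [7]", " [-]", " [x]"
PROFILE_PREFIXES = ("c:\\documents and settings\\", "c:\\docume~1\\")   # XP profile roots
SERVICE_ACCOUNT_SIDS = ("S-1-5-19", "S-1-5-20")       # LOCAL SERVICE, NETWORK SERVICE


@dataclass
class Detection:
    category: str
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one detection line; returns None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    command = TRAIL_MARK_RE.sub("", m["cmd"]).strip()
    return Detection(m["cat"], m["key"], m["name"], command)


def image_paths(command):
    """File paths referenced by an autorun command. A quoted command yields every
    quoted token (the rundll32 host and the DLL it loads); an unquoted command is
    treated as a single path."""
    quoted = re.findall(r'"([^"]+)"', command)
    return quoted if quoted else [command]


def in_profile_dir(path):
    return path.lower().startswith(PROFILE_PREFIXES)


def classify(det):
    """Attach a human-readable reason for every heuristic that fires on the entry."""
    paths = image_paths(det.command)
    if any(in_profile_dir(p) for p in paths):
        det.reasons.append("image lives in a user-writable profile directory")
    if len(paths) > 1 and paths[0].lower().endswith("rundll32.exe") and in_profile_dir(paths[-1]):
        det.reasons.append("rundll32 loads a DLL from a profile directory")
    if det.name.lower() == "servicedll" and paths[-1].lower().endswith(".exe"):
        det.reasons.append("ServiceDll points at an .exe instead of a .dll")
    if any(f"HKUS\\{sid}\\" in det.key for sid in SERVICE_ACCOUNT_SIDS) and det.key.endswith(("\\Run", "\\RunOnce")):
        det.reasons.append("Run/RunOnce entry under a service-account hive (never logs on interactively)")
    return det


def triage(log_text):
    """Parse and classify every recognised line of a RogueKiller-style log."""
    return [classify(d) for d in map(parse_line, log_text.splitlines()) if d]


def suspicious_names(log_text):
    """Value names of the entries on which at least one heuristic fired."""
    return [d.name for d in triage(log_text) if d.reasons]


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        verdict = "; ".join(d.reasons) or "no heuristic fired"
        print(f"[{d.category}] {d.key}\n    {d.name} -> {verdict}")
```

The heuristics are deliberately narrow: a legitimate vendor updater in Program Files passes untouched, while each of the four patterns seen in this thread gets named explicitly, which is what you want when deciding which checkboxes to tick before pressing Delete.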
     
  13. noavatars

    noavatars Private E-2

    Seems to be running fine, the scan didn't find anything

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ready for final steps? :)
     
  15. noavatars

    noavatars Private E-2

    I sure am. Just let me know what to do.

    This was a challenging one, I will say that. I will be donating to you guys for sure.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    7. After doing the above, you should work thru the below link:
     
  17. noavatars

    noavatars Private E-2

    Done!

    I want to donate to you guys--what is the best way to do so?
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    At the end of all my posts you will see a link to some "geekwear" hoodies, t-shirts and such as... :) See if anything takes your fancy. And thank you very much for wanting to express your appreciation.
     
