I followed "Read & Run me first" and here's all of the data. Now what?

Discussion in 'Malware Help (A Specialist Will Reply)' started by John2345, Apr 29, 2013.

  1. John2345

    John2345 Private E-2

    I followed "Read & Run me first" and here's all of the data.
    The rest of the data is in the second post.

    Thanks for the help.
     

    Attached Files:

  2. John2345

    John2345 Private E-2

    Okay here's the last of the files (I think).
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


      [RUN][SUSP PATH] HKCU\[...]\Run : Uqitahex (C:\Users\Ian\AppData\Roaming\Diguxo\tiist.exe) [-] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Run : Uzovqog ("C:\Users\Ian\AppData\Roaming\Heidzo\awwuvi.exe") [x] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Run : Ebuwwezufidoofi ("C:\Users\Ian\AppData\Roaming\Qeexryo\acanaw.exe") [x] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Run : Kafoixnuahybaw ("C:\Users\Ian\AppData\Roaming\Vuifykun\ilefdui.exe") [-] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Run : Uqitahex ("C:\Users\Ian\AppData\Roaming\Diguxo\tiist.exe") [-] -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-1543932489-3764877316-4099323168-1000[...]\Run : Uqitahex (C:\Users\Ian\AppData\Roaming\Diguxo\tiist.exe) [-] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Uqitahex (C:\Users\Ian\AppData\Roaming\Diguxo\tiist.exe) [-] -> FOUND
      [TASK][SUSP PATH] Security Center Update - 2786974963.job : C:\Users\Ian\AppData\Roaming\Diguxo\tiist.exe [-] -> FOUND

    Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now run Hitman and fix these items:
    C:\Users\Ian\AppData\Roaming\Diguxo\tiist.exe
    C:\ProgramData\Babylon\ (Babylon)
    C:\Users\Ian\AppData\Local\Babylon\ (Babylon)
    C:\Users\Ian\AppData\Local\Babylon\Setup\ (Babylon)
    C:\Users\Ian\AppData\Local\Babylon\Setup\Dealply.zpb (Babylon)
    C:\Users\Ian\AppData\Local\Babylon\Setup\default_client_dats.zpb (Babylon)
    C:\Users\Ian\AppData\Local\Babylon\Setup\NoTB.zpb (Babylon)
    C:\Users\Ian\AppData\Local\Babylon\Setup\Setup-client.zpb (Babylon)
    C:\Users\Ian\AppData\Local\Babylon\Setup\Setup-tbmntr903.zpb (Babylon)
    C:\Users\Ian\AppData\Local\Babylon\Setup\Setup-tc.zpb (Babylon)
    C:\Users\Ian\AppData\Local\Babylon\Setup\Setup-w64.zpb (Babylon)
    C:\Users\Ian\AppData\Local\Babylon\Setup\xDealply.zpb (Babylon)
    C:\Users\Ian\AppData\Roaming\Babylon\ (Babylon)
    C:\Users\Ian\AppData\Roaming\Babylon\log_file.txt (Babylon)
    HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
    HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\ (Funmoods)
    HKLM\SOFTWARE\Classes\Prod.cap\ (Claro)
    HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
    HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\ (Funmoods)
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\ (Yontoo)
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\ (Yontoo)

    Reboot and rescan with both RogueKiller and Hitman and attach those logs as well.

    Be sure to tell me how things are running now.
     
  4. John2345

    John2345 Private E-2

    Thanks Tim!

    It seems to be working better, at least it isn't going to blue screen every few minutes any more. But the scanner on McAfee still isn't working. It will take a while to find if anything else is wrong.

    RK created 2 logs the first time 2-3, Hitman is detecting a Trojan, it is in the log, would you like me to quarantine/delete it?

    Thanks,
    John
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


      [RUN][SUSP PATH] HKCU\[...]\Run : Unnocytym (C:\Users\Ian\AppData\Roaming\Guaputn\weorsuu.exe) [-] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Run : Agkainufu ("C:\Users\Ian\AppData\Roaming\Zewoygm\xeucy.exe") [x] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Run : Unnocytym ("C:\Users\Ian\AppData\Roaming\Guaputn\weorsuu.exe") [-] -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-1543932489-3764877316-4099323168-1000[...]\Run : Unnocytym (C:\Users\Ian\AppData\Roaming\Guaputn\weorsuu.exe) [-] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Unnocytym (C:\Users\Ian\AppData\Roaming\Guaputn\weorsuu.exe) [-] -> FOUND
      [TASK][SUSP PATH] Security Center Update - 654750775.job : C:\Users\Ian\AppData\Roaming\Guaputn\weorsuu.exe [-] -> FOUND
      [TASK][SUSP PATH] Security Center Update - 654750775 : C:\Users\Ian\AppData\Roaming\Guaputn\weorsuu.exe [-] -> FOUND

    Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now rescan with Hitman and have it delete what it finds.

    Reboot and rescan with both RogueKiller and Hitman and attach those new logs as well.
     
  6. John2345

    John2345 Private E-2

    I figured out that the registry tab and what you posted aren't exactly the same, so I deleted 1-2 things that were incorrect and missed Wow643... But I figured out how to cross reference the first log from the scan and figure out which programs I need to select.

    The McAfee scanner still isn't working - Should I be worried about that?
    And earlier I was getting bombarded with requests to download files, it seems to have stopped since the restart though.

    Thanks,
    John
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hitman is clean, but rerun RogueKiller and get me a new log.
     
  8. John2345

    John2345 Private E-2

    Alright here's the log.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


      [RUN][SUSP PATH] HKCU\[...]\Run : Ritonoqawocy (C:\Users\Ian\AppData\Roaming\Ofolpyow\ertoukn.exe) [-] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Run : Ethuy ("C:\Users\Ian\AppData\Roaming\Aposnaef\leuxqy.exe") [x] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Run : Ritonoqawocy ("C:\Users\Ian\AppData\Roaming\Ofolpyow\ertoukn.exe") [-] -> FOUND
      [RUN][SUSP PATH] HKUS\S-1-5-21-1543932489-3764877316-4099323168-1000[...]\Run : Ritonoqawocy (C:\Users\Ian\AppData\Roaming\Ofolpyow\ertoukn.exe) [-] -> FOUND
      [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Ritonoqawocy (C:\Users\Ian\AppData\Roaming\Ofolpyow\ertoukn.exe) [-] -> FOUND
      [TASK][SUSP PATH] Security Center Update - 3473724900.job : C:\Users\Ian\AppData\Roaming\Ofolpyow\ertoukn.exe [-] -> FOUND
      [TASK][SUSP PATH] Security Center Update - 3473724900 : C:\Users\Ian\AppData\Roaming\Ofolpyow\ertoukn.exe [-] -> FOUND

    Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now rescan with RogueKiller and attach both the new logs.
     
  10. John2345

    John2345 Private E-2

    Okay here they are.

    Thanks for all of the help so far,
    John
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why are you not selecting these for removal:
    [RUN][SUSP PATH] HKCU\[...]\Run : Hitic (C:\Users\Ian\AppData\Roaming\Yldetec\urenz.exe) [-] -> NOT SELECTED
    [RUN][SUSP PATH] HKLM\[...]\Run : Hitic ("C:\Users\Ian\AppData\Roaming\Yldetec\urenz.exe") [-] -> NOT SELECTED
    [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Hitic (C:\Users\Ian\AppData\Roaming\Yldetec\urenz.exe) [-] -> NOT SELECTED

    You should also use Windows Explorer to see if this still exists and delete it if found:
    C:\Users\Ian\AppData\Roaming\Yldetec\urenz.exe
     
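The cross-referencing trouble described in post 6 and the unchecked leftovers TimW points out in post 11 both come down to reading the same RogueKiller line layout. As an added example, not part of this thread and not RogueKiller's own code, the following Python parses constructed lines in that layout (paths copied from post 11 plus one made-up benign entry), groups every Run key and scheduled task by the binary it launches, and lists what was left unselected; the regular expression is an assumption about the format drawn only from the lines quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the RogueKiller lines quoted in this thread; the
# first four reuse paths from post 11, the last is a made-up benign entry for contrast.
SAMPLE_REPORT = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : Hitic (C:\Users\Ian\AppData\Roaming\Yldetec\urenz.exe) [-] -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : Hitic ("C:\Users\Ian\AppData\Roaming\Yldetec\urenz.exe") [-] -> NOT SELECTED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Hitic (C:\Users\Ian\AppData\Roaming\Yldetec\urenz.exe) [-] -> NOT SELECTED
[TASK][SUSP PATH] Security Center Update - 3473724900.job : C:\Users\Ian\AppData\Roaming\Yldetec\urenz.exe [-] -> FOUND
[RUN] HKLM\[...]\Run : ExampleUpdater (C:\Program Files\ExampleVendor\updater.exe) [7] -> FOUND
"""

# Layout assumed from the lines above: [KIND][FLAG] location : Name ("target") [code] -> STATUS
LINE_RE = re.compile(
    r'^\[(?P<kind>[A-Z]+)\](?:\[(?P<flag>[^\]]+)\])?\s+'
    r'(?P<location>.+?)\s+:\s+'
    r'(?:(?P<name>.+?)\s+\("?(?P<target>[^"()]+?)"?\)'    # Run value: Name ("path")
    r'|"?(?P<target2>[A-Za-z]:\\[^"\[]+?)"?)'             # task entry: bare path
    r'\s+\[(?P<code>[^\]]*)\]\s+->\s+(?P<status>.+?)\s*$'
)

def parse_report(text):
    """Return one dict per detection line; lines in another layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["target"] = (d["target"] or d["target2"]).strip().lower()
            entries.append(d)
    return entries

def persistence_by_target(entries):
    """Group the Run keys and tasks that launch the same binary (one infection, several entries)."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["target"]].append(e["location"])
    return {t: sorted(locs) for t, locs in groups.items()}

ROAMING_RE = re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\")

def roaming_targets(groups):
    """Binaries launched from the user's roaming AppData folder, the [SUSP PATH] pattern above."""
    return {t: locs for t, locs in groups.items() if ROAMING_RE.search(t)}

def not_selected(entries):
    """Persistence points left unchecked at delete time (TimW's question in post 11)."""
    return [e["location"] for e in entries if e["status"] == "NOT SELECTED"]
```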
  12. John2345

    John2345 Private E-2

    I didn't intentionally avoid selecting those items.


    I've done a bit of exploring on my computer and found a few things.

    All of the programs (for lack of a better term) that you pointed out are gone.

    In McAfee's bandwidth usage pie graph there were two new and unknown programs using large amounts of bandwidth. I shredded one of them and tried shredding the other, McAfee said "Shredding almost completed, please reboot" so I complied, I went to see if the program was gone but it is still right where it was.

    All attempts to delete any part of it through RogueKiller have failed, it says not selected on the previously selected items, after I hit delete.

    I am attaching a screen shot showing all of the data.
     

    Attached Files:

    Last edited: May 2, 2013
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach a new RogueKiller log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Attach also the new C:\MGLogs.zip
     
  14. John2345

    John2345 Private E-2

    I also ran Malwarebytes, I only scanned, the program is sitting at the same state as when the program finished scanning. I attached the log from MB's.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Fix what MBAM found. Reboot. Rescan with RogueKiller and remove these if still found:

    [RUN][SUSP PATH] HKCU\[...]\Run : Altuexapotepm (C:\Users\Ian\AppData\Roaming\Zinuam\afbealg.exe) [-] -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : Altuexapotepm ("C:\Users\Ian\AppData\Roaming\Zinuam\afbealg.exe") [-] -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1543932489-3764877316-4099323168-1000[...]\Run : Altuexapotepm (C:\Users\Ian\AppData\Roaming\Zinuam\afbealg.exe) [-] -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : Altuexapotepm (C:\Users\Ian\AppData\Roaming\Zinuam\afbealg.exe) [-] -> FOUND

    Reboot. Rescan with both MBAM and RogueKiller and attach both logs.
     
  16. John2345

    John2345 Private E-2

    Okay, here are the logs.

    Thanks,
    John
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good. What issues remain, if any?
     
  18. John2345

    John2345 Private E-2

    The only issue that I can find is that the McAfee scanner still isn't working.
    Other than that everything seems to be working fine.

    Thanks,

    John
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try uninstalling, running CCleaner and reinstalling.
     
  20. John2345

    John2345 Private E-2

    It worked.
    Everything seems to be working.
    Is there anything that I need to do now?

    And in the meantime - I can't thank you enough for helping me fix my computer! --John
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  22. John2345

    John2345 Private E-2

    I cannot thank you enough Tim!

    Thank you for getting my computer back on its feet!

    John
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
