LevelQualityWatcher32 and scardsvr infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by pariah, Nov 22, 2013.

  1. pariah

    pariah Private E-2

    Earlier I downloaded stuff from Cnet--which I'm never going to do again--and I ended up with a batch of trojans and adware programs.

    I was able to uninstall the Outobox and Scorpionsaver, and Malwarebytes managed to get rid of a GreatestArcadeGames trojan, but there are still processes running that I don't recognize. I've never seen the LevelQualityWatcher32.exe or the scardsvr.exe files before.


    Not sure what this means, but the error message "Failed to Load Resources from Resource File. Please check your Setup" popped up as the MGLogs were being compiled.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run Hitman Pro and have it delete all of the Potential Unwanted Programs.



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:

    • [V1][SUSP PATH] GreatArcadeHits.job : C:\Documents and Settings\Administrator\Local Settings\Application Data\GreatArcadeHits\GAHUpdate.exe [7] -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Are you purposely set up to use a proxy? If not please have RK fix this item too:

    ¤¤¤ Web browsers : 2 ¤¤¤
    [FF][PROXY] 7hb2bu3o.default : user_pref("network.proxy.hxxp", "118.75.164.199"); -> FOUND
    [FF][PROXY] 7hb2bu3o.default : user_pref("network.proxy.hxxp_port", 6675); -> FOUND


    Delete these:
    • C:\Documents and Settings\Administrator\Local Settings\Application Data\GreatArcadeHits
    • C:\Program Files\Level Quality Watcher
    • C:\Program Files\MyPC Backup

    What is this that's installed?

    C:\Documents and Settings\Administrator\ƒXƒ^[ƒg ƒƒjƒ…[ :confused


    Now re-run RK, just a scan and attach log.
     
  3. pariah

    pariah Private E-2

    The GAH was already gone before I could delete anything in RogueKiller--and yes, I set up the proxy myself.

    How odd. I didn't see those LQW or MyPCB files in the program files before. Also noticed ScorpionSaver too; gone now.

    And I believe that file comes from a folder with Japanese characters in it. I assume the log was just unable to interpret it, and so it ended up being gibberish.


    Looks pretty clean now. Thank you.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'm still seeing these in the RK log:
    • [FF][PROXY] 7hb2bu3o.default : user_pref("network.proxy.hxxp", "118.75.164.199"); -> FOUND
    • [FF][PROXY] 7hb2bu3o.default : user_pref("network.proxy.hxxp_port", 6675); -> FOUND
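
The `[FF][PROXY]` detections above correspond to `user_pref` lines in the Firefox profile's `prefs.js`. As an added example (not part of the original thread and not RogueKiller's own logic), this Python sketch reads such a file and lists manual proxy hosts that are not on a list the owner expects; it assumes the log's `hxxp` is the forum's rewriting of the `network.proxy.http` pref name, and the sample text is constructed.

```python
import re

# Matches prefs.js lines such as: user_pref("network.proxy.http", "host");
PREF_RE = re.compile(r'^\s*user_pref\("(network\.proxy\.[^"]+)",\s*(.+?)\);\s*$')
PROXY_KINDS = ("http", "ssl", "ftp", "socks")

# Constructed prefs.js excerpt; host and port mirror the RogueKiller lines above.
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.http", "118.75.164.199");
user_pref("network.proxy.http_port", 6675);
user_pref("network.proxy.type", 1);
'''

def parse_value(raw):
    """Convert a prefs.js literal (string, boolean or integer) to a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw

def proxy_prefs(text):
    """Return every network.proxy.* preference found in the prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def manual_proxies(prefs):
    """Return {kind: (host, port)} for each proxy kind with a host set."""
    found = {}
    for kind in PROXY_KINDS:
        host = prefs.get("network.proxy." + kind)
        if host:
            found[kind] = (host, prefs.get("network.proxy.%s_port" % kind))
    return found

def unexpected_proxies(text, allowed_hosts=()):
    """List (kind, host, port) for proxies whose host the owner did not allow."""
    proxies = manual_proxies(proxy_prefs(text))
    return sorted((k, h, p) for k, (h, p) in proxies.items() if h not in allowed_hosts)

if __name__ == "__main__":
    for kind, host, port in unexpected_proxies(SAMPLE_PREFS_JS):
        print("unexpected %s proxy: %s:%s" % (kind, host, port))
```

Passing the hosts the owner configured on purpose as `allowed_hosts` leaves only entries that need a second look.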
     
  5. pariah

    pariah Private E-2

    Er, yeah. Deleted now.

    Unfortunately, I accidentally deleted some registry files with RogueKiller and I'm not sure if they were important. They're mentioned in the first log.

    Did I just shoot myself in the foot?
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I wouldn't worry too much about that. :) Ready for final steps?
     
  7. pariah

    pariah Private E-2

    Yes, thank you for your help.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent. :)


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work thru the below link:
     
