Malware Help

Hello there

I am currently reviewing your logs and will get back to you soon.

 

You have a Shopperz infection.

Uninstall the below:

CleanBrowser


Re run Hitman Pro, activate/enable the free trial and have it remove/repair everything Except for these entries!

1. C:\Windows\WinSxS\amd64_microsoft-windows-ndis.resources_31bf3856ad364e35_10.0.10586.0_en-us_02a02e869e08c8f8\ndis.sys.mui
2. C:\Windows\WinSxS\amd64_microsoft-windows-netplwiz_31bf3856ad364e35_10.0.10586.0_none_d7def6f55fdd07b8\netplwiz.dll
3. C:\Windows\WinSxS\amd64_microsoft-windows-network-security_31bf3856ad364e35_10.0.10586.0_none_59aa0841d4e20b3a\wfplwfs.sys
4. C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.10586.103_none_d96559ae13091729\ntoskrnl.exe

Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

• [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{08ACFB57-8187-47f0-AF93-56360D03634A} -> Found
• [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4} -> Found
• [PUP] (X64) HKEY_LOCAL_MACHINE\Software\pcsp-pr -> Found
• [PUP] (X64) HKEY_LOCAL_MACHINE\Software\PCValidator -> Found
• [PUP] (X64) HKEY_LOCAL_MACHINE\Software\SearchModule -> Found
• [PUP] (X64) HKEY_LOCAL_MACHINE\Software\WebBar -> Found
• [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Clara -> Found
• [PUP] (X86) HKEY_LOCAL_MACHINE\Software\SearchModule -> Found
• [PUP] (X64) HKEY_USERS\S-1-5-21-121304531-4036926684-2442940725-1001\Software\DailyPcClean -> Found
• [PUP] (X86) HKEY_USERS\S-1-5-21-121304531-4036926684-2442940725-1001\Software\DailyPcClean -> Found
• [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564 -> Found
• [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CleanBrowser -> Found
• [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdater -> Found
• [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6} -> Found
• [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D} -> Found
• [Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\1ec04ebc8abc1e276ad6aaeaef20d143 -> Found
• [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Bokvunnu ("C:\Users\Brian\AppData\Roaming\GowvePitpagf\Lurzem.exe" -cms) -> Found
• [Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\1ec04ebc8abc1e276ad6aaeaef20d143 -> Found
• [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Bokvunnu ("C:\Users\Brian\AppData\Roaming\GowvePitpagf\Lurzem.exe" -cms) -> Found

Place a checkmark next to each of these items, leave the others unchecked.

And the same for these entries on the Files tab please...

• [PUP][File] C:\Users\Brian\Desktop\Google Chrome.lnk [LNK@] C:\PROGRA~2\Google\Chrome\APPLIC~1\chrome.exe http://www-searching.com/?prd=set_epc&s=g8dzftptn095001at,d7543fe1-197e-429f-a6d1-769b8cfaed6c, --disable-quic -> Found
• [PUP][File] C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe http://www-searching.com/?prd=set_epc&s=g8dzftptn095001at,d7543fe1-197e-429f-a6d1-769b8cfaed6c, -> Found
• [PUP][File] C:\Users\Brian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk [LNK@] C:\PROGRA~2\Google\Chrome\APPLIC~1\chrome.exe http://www-searching.com/?prd=set_epc&s=g8dzftptn095001at,d7543fe1-197e-429f-a6d1-769b8cfaed6c, --disable-quic -> Found
• [PUP][File] C:\Users\Brian\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk [LNK@] C:\PROGRA~2\Google\Chrome\APPLIC~1\chrome.exe http://www-searching.com/?prd=set_epc&s=g8dzftptn095001at,d7543fe1-197e-429f-a6d1-769b8cfaed6c, --disable-quic -> Found
• [PUP][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk [LNK@] C:\PROGRA~2\Google\Chrome\APPLIC~1\chrome.exe http://www-searching.com/?prd=set_epc&s=g8dzftptn095001at,d7543fe1-197e-429f-a6d1-769b8cfaed6c, --disable-quic -> Found
• [PUP][Folder] C:\ProgramData\ValidatorPC -> Found
• [PUP][Folder] C:\Program Files\WebUpdater -> Found
• [PUP][Folder] C:\Program Files (x86)\4C4C4544-1455730472-4410-8031-C4C04F333132 -> Found
• [PUP][File] C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe http://www-searching.com/?prd=set_epc&s=g8dzftptn095001at,d7543fe1-197e-429f-a6d1-769b8cfaed6c, -> Found

Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.



Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:Reg
[-HKLM\SYSTEM\CurrentControlSet\services\MPCKpt]

:Files
C:\Users\Brian\Appdata\LocalLow\company
C:\WINDOWS\system32\drivers\cherimoya.sys
C:\Program Files (x86)\mpc cleaner

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


You did not upload the correct log for Malware Bytes, so can you please run it again, have it remove anything it may find and upload the log, please.
Could you also run TDSSKiller again please and upload fresh log.
Now also please re run RogueKiller (just a scan) and upload frsh log.
Same for Hitman Pro. (just a scan)
Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
Let me know how things are running!

 

Please remember to upload as many attachments as possible into one post. Don't post them as singles like you have in the last few posts. Thanks

MGTools did not run to completion. Please run MGTools.exe again, this time ensuring that you are running as admin, that you have disabled protection software and that UAC is indeed disabled. Then upload the new MGlogs.zip.

 

Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

• [Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\1ec04ebc8abc1e276ad6aaeaef20d143 -> Found
• [Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hryxa (System32\drivers\cqnj.sys) -> Found
• [Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\1ec04ebc8abc1e276ad6aaeaef20d143 -> Found

Place a checkmark next to each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Upload RKreport[2].txt to your next message. (How to attach)
Reboot the machine.



Re run Malware Bytes yet again and let it remove anything it may find. Upload a log showing this.


Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Delete these unless you know what they are for:

• 
  
• C:\Users\Brian\AppData\Roaming\Geunfy
• C:\Users\Brian\AppData\Roaming\PCDr

Download Cleano 1.31

Download it to your desktop, Right click the cleano.exe file and run as admin > and place check marks in the boxes as follows (click on link below to see image)

View attachment 148092
Click clean now and exit the program.


Re run RogueKiller (just a scan) and upload latest log.

 

May have to reset your Host File... let's see....

Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

• [PUP] (X64) HKEY_USERS\S-1-5-21-121304531-4036926684-2442940725-1004\Software\WebUpdater -> Found
• [PUP] (X86) HKEY_USERS\S-1-5-21-121304531-4036926684-2442940725-1004\Software\WebUpdater -> Found
• [Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\1ec04ebc8abc1e276ad6aaeaef20d143 -> Found
• [Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\1ec04ebc8abc1e276ad6aaeaef20d143 -> Found

Place a checkmark next to each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:Services
1ec04ebc8abc1e276ad6aaeaef20d143

:Reg
[-HKEY_USERS\S-1-5-21-121304531-4036926684-2442940725-1004\Software\WebUpdater]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\1ec04ebc8abc1e276ad6aaeaef20d143]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\1ec04ebc8abc1e276ad6aaeaef20d143]

:Commands
[emptytemp]
[resethosts]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into a text file to UPLOAD into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



Re run Malware Bytes yet again please, let it remove anything it may find, and upload log.
Now re run RogueKiller (just a scan) and upload fresh log.

 

Okay, most of the malware is gone, but these reg entries are being stubborn.

[Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\1ec04ebc8abc1e276ad6aaeaef20d143 -> Found
[Root.Wajam] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\1ec04ebc8abc1e276ad6aaeaef20d143 -> Found

Please do this:

Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then upload the new C:\MGlogs.zip file that will be created by running this.

Now also please download OTL by OldTimer.

• Save it to your desktop.
• Double-click on the OTL icon on your desktopto run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  drives
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Upload OTL.txt to your next message. (How to attach)
• Also attach Extras.txt

 

@briguyz71
The Purple arrows point to the areas.

 

What is this?
C:\Users\Brian\AppData\Roaming\Geunfy

Let me know.

We need to run an OTL Fix

• Right-click OTL.exe to run it as admin. If Windows UAC prompts you, please allow it.
• Copy and Paste the following code into the textbox. Do not include the word Code

Code:

:files
C:\WINDOWS\1ec04ebc8abc1e276ad6aaeaef20d143.ps1

:commands
[EMPTYTEMP]
[REBOOT]

• Then click the Run Fix button at the top.
• Click Image.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. UPLOAD that report in your next reply.

Now re run RogueKiller (jus a scan) and upload log.
Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Do this please:

Delete the current MGTools.exe and the C:\MGtools folder. Also delete any MGlogs.zip that remain.

Go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

Run the new C:\MGTools.exe and attach the new C:\MGlogs.zip

Now do this:

Now please download OTL by OldTimer.

• Save it to your desktop.
• Double-click on the OTL icon on your desktopto run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  drives
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Upload OTL.txt to your next message. (How to attach)
• Also upload Extras.txt

See my next post...

 

SystemLook

Please download SystemLook from one of the links below appropriate for your operating system and save it to your Desktop.
Download 32 Bit
Download 64 Bit

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :regfind
  1ec04ebc8abc1e276ad6aaeaef20d143

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

We need to run an OTL Fix

• Right-click OTL.exe to run it as admin. If Windows UAC prompts you, please allow it.
• Copy and Paste the following code into the textbox. Do not include the word Code

Code:

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{259370F5-9B5A-49FE-A231-BECAEBE1985A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1ec04ebc8abc1e276ad6aaeaef20d143]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1ec04ebc8abc1e276ad6aaeaef20d143]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1ec04ebc8abc1e276ad6aaeaef20d143]

• Then click the Run Fix button at the top.
• Click Image.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. UPLOAD that report in your next reply.

Now run SystemLook exactly the same way as before please and upload NEW log.

Rerun RogueKiller (just a scan) and upload NEW log from that too, please.

 

Almost there I think...

We need to run an OTL Fix

• Right-click OTL.exe And select " Run as administrator " to run it. If Windows UAC prompts you, please allow it.
• Copy and Paste the following code into the Image textbox. Do not include the word Code

Code:

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{259370F5-9B5A-49FE-A231-BECAEBE1985A}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\1ec04ebc8abc1e276ad6aaeaef20d143]

• Then click the Run Fix button at the top.
• Click Image.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. UPLOAD that report in your next reply.

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now rerun SystemLook the same way again, and upload NEW log please.

 

That's better. Logs look great. How's the machine running?

 

I would ask about that in the software forum.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
2. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
   • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore​
   • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
   • Then we want you to Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!