Need help removing malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by StiinaQT, Jul 8, 2013.

  1. StiinaQT

    StiinaQT Private First Class

    I am trying to clean up our main computer. When I ran the TDKiller, it referred me to a removal process in French and I couldn't figure out what they were doing. I'm attaching the logs per the Windows XP removal procedure.

    Thanks in advance for your help!
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you using a proxy server?

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-2347551192-1713109559-3450429547-1007\$77b5eedc2397430037ca52fc809b3bfa\n. [-]) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\n. [-]) -> FOUND
    • [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\n. [-]) -> FOUND

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.

    Now click the Files/folders tab and locate these detections:

    • [ZeroAccess][File] n : C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\n [-] --> FOUND
    • [ZeroAccess][File] n : C:\RECYCLER\S-1-5-21-2347551192-1713109559-3450429547-1007\$77b5eedc2397430037ca52fc809b3bfa\n [-] --> FOUND
    • [ZeroAccess][File] @ : C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\@ [-] --> FOUND
    • [ZeroAccess][File] @ : C:\RECYCLER\S-1-5-21-2347551192-1713109559-3450429547-1007\$77b5eedc2397430037ca52fc809b3bfa\@ [-] --> FOUND
    • [ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\U [-] --> FOUND
    • [ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-2347551192-1713109559-3450429547-1007\$77b5eedc2397430037ca52fc809b3bfa\U [-] --> FOUND
    • [ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\L [-] --> FOUND
    • [ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-21-2347551192-1713109559-3450429547-1007\$77b5eedc2397430037ca52fc809b3bfa\L [-] --> FOUND

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now empty out your recycle bin.

    Reboot and rescan with RogueKiller and attach that log as well. Be sure to tell me how things are running now.
     
  3. StiinaQT

    StiinaQT Private First Class

    I don't think I'm using a proxy server.

    I tried to do as you explained, but there was only 1 registry value to delete and my recycle bin was empty--think that CCleaner had auto wiped it. I was out of town yesterday and I didn't get to run the cleanup until this morning. I'm attaching the logs and the computer seems to be running ok. Note that the log numbers aren't what you expect. I didn't want to glom up the desktop with all of that, so I have been making a folder and dropping all the logs into it, so RK would not see them. The date/time stamp tells the tale, however. I don't know why it made 3 files...?? Is one the prescan?

    Let me know what you think.

    I do appreciate your time to help me get this puppy cleaned up. I only get on it maybe once per year or when they are complaining that it's too slow or something like that, lol. Mine is in the opposite side of the house!

    Thanks again and I should have time later today to do any additional cleanup if you see anything else I need to tidy up.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    According to the log, you are:
    Code:
    ¤¤¤ Registry Entries : 6 ¤¤¤
    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (localhost:21320) -> FOUND
    What malware issues are you still having, if any?
     
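    The detections TimW quotes in posts 2 and 4 above share two recognisable shapes: ZeroAccess artifacts living under C:\RECYCLER\<SID>\$<32 hex chars>\ as the files n and @ and the folders U and L (with COM InprocServer32 entries pointing at the n file), and an Internet Explorer proxy setting of localhost:21320. The script below is an added example, not code from this thread or from RogueKiller: it parses report lines of the format shown above and summarises which artifacts, which user SIDs and which proxy settings were reported, so a helper can review a log quickly. The ZeroAccess and proxy lines in the sample are copied from the thread; the "Files / Folders" header and the SampleEntry line are constructed here, and the exact wording of RogueKiller section headers is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample report. The ZeroAccess and proxy lines are the ones quoted
# in the thread; the "Files / Folders" header and the SampleEntry line are
# constructed to show that unrelated detections are not flagged as ZeroAccess.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 6 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (localhost:21320) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : SampleEntry (C:\Documents and Settings\sample\sample.exe) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-2347551192-1713109559-3450429547-1007\$77b5eedc2397430037ca52fc809b3bfa\n. [-]) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\n. [-]) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\n. [-]) -> FOUND
¤¤¤ Files / Folders : 8 ¤¤¤
[ZeroAccess][File] n : C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\n [-] --> FOUND
[ZeroAccess][File] n : C:\RECYCLER\S-1-5-21-2347551192-1713109559-3450429547-1007\$77b5eedc2397430037ca52fc809b3bfa\n [-] --> FOUND
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\@ [-] --> FOUND
[ZeroAccess][File] @ : C:\RECYCLER\S-1-5-21-2347551192-1713109559-3450429547-1007\$77b5eedc2397430037ca52fc809b3bfa\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\U [-] --> FOUND
[ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-2347551192-1713109559-3450429547-1007\$77b5eedc2397430037ca52fc809b3bfa\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-18\$77b5eedc2397430037ca52fc809b3bfa\L [-] --> FOUND
[ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-21-2347551192-1713109559-3450429547-1007\$77b5eedc2397430037ca52fc809b3bfa\L [-] --> FOUND
"""

# Section header, e.g. "¤¤¤ Registry Entries : 6 ¤¤¤" (header wording is an assumption).
SECTION_RE = re.compile(r"^¤¤¤\s*(.+?)\s*:\s*(\d+)\s*¤¤¤$")
# One detection: leading [TAG] groups, a body, then "-> STATUS" or "--> STATUS".
DETECTION_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*-{1,2}>\s*([A-Z ]+?)\s*$")
# The ZeroAccess layout seen in the thread: C:\RECYCLER\<SID>\$<32 hex>\{n,@,U,L}.
ZA_PATH_RE = re.compile(r"C:\\RECYCLER\\(S-1-5(?:-\d+)+)\\\$[0-9a-f]{32}\\([n@UL])(?![\w\\])")
PROXY_RE = re.compile(r"ProxyServer\s*\(([^)]+)\)")


@dataclass
class Detection:
    section: Optional[str]
    tags: List[str]
    body: str
    status: str


def parse_report(text: str) -> List[Detection]:
    """Turn report text into Detection records, remembering the current section."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m:
            tags = re.findall(r"\[([^\]]+)\]", m.group(1))
            detections.append(Detection(section, tags, m.group(2), m.group(3)))
    return detections


def is_zeroaccess(d: Detection) -> bool:
    """Flag by scanner tag OR by the characteristic RECYCLER path, so a line the
    scanner labelled differently (e.g. only [HJ INPROC]) is still caught."""
    return "ZeroAccess" in d.tags or ZA_PATH_RE.search(d.body) is not None


def summarize(text: str) -> Dict[str, object]:
    """Count ZeroAccess artifacts per section, list affected SIDs and component
    names, and pull out any IE proxy server the scanner reported."""
    dets = parse_report(text)
    za = [d for d in dets if is_zeroaccess(d)]
    sids, components = set(), set()
    for d in za:
        m = ZA_PATH_RE.search(d.body)
        if m:
            sids.add(m.group(1))        # S-1-5-18 is LocalSystem; S-1-5-21-... is a user
            components.add(m.group(2))  # n, @, U or L
    proxies = [PROXY_RE.search(d.body).group(1) for d in dets
               if "PROXY IE" in d.tags and PROXY_RE.search(d.body)]
    return {
        "zeroaccess_registry": sum(1 for d in za if d.section and d.section.startswith("Registry")),
        "zeroaccess_files": sum(1 for d in za if d.section and d.section.startswith("Files")),
        "zeroaccess_sids": sorted(sids),
        "zeroaccess_components": sorted(components),
        "proxy_servers": proxies,
        "other_detections": [d.body for d in dets
                             if not is_zeroaccess(d) and "PROXY IE" not in d.tags],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

    Run against the sample, the summary reports three ZeroAccess registry hijacks, eight file/folder artifacts across both the LocalSystem SID and one user SID, all four component names, and the localhost:21320 proxy setting that post 4 points out; the constructed SampleEntry line is listed separately as an unrelated detection. Matching on the path layout as well as the scanner's tag is the point: a helper reviewing a log with a different tag set would still see the RECYCLER pattern.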
  5. StiinaQT

    StiinaQT Private First Class

    Sorry, ID10T error. No other problems that I can see.

    Thanks again!
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  7. StiinaQT

    StiinaQT Private First Class

    I must be really stupid, but I can't get either CCleaner or the CP remove program functions to see either HitmanPro or RK as they installed on the desktop. What am I missing here? I've not had this problem before. Am I having a blonde moment or is there a toggle in the add/remove programs I'm not finding?

    I feel like I need to shout Duh! really loud right now...I cannot figure this out...(I know I'm going to feel stupid when you tell me.)

    Go ahead, you can laugh at me, just remind me what I'm missing, ok?

    Thanks!
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just right click and choose delete.
     
  9. StiinaQT

    StiinaQT Private First Class

    In my defense, I started using PCs when you had 5 1/4" floppies, almost all RAM and commands in DOS. It doesn't occur to me that all you have to do is delete a program...well ok, that's what you did back then, but it has been programmed into my brain that you never do that, you must uninstall when using Windows and now, just like English, you must learn the exceptions. Ok, I just hope the kiddos didn't reinfect that computer since I last worked on it!

    Thanks for your help, Tim!
    :-D
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
