Suspected Malware and Virus Removal Request

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Lery, Jan 15, 2015.

  1. Lery

    Lery Private E-2

    Hello and thank you for taking the time to read my post. I'm helping my elderly neighbor fix his PC problems. While I have a technical background, he does not.

    Symptoms: PC takes very long to start. This has gotten progressively worse over the past few months. In addition, the PC will randomly freeze for a minute and then free itself. The PC does run better when it's not connected to the internet vs. when it's connected.

    Operating System: Windows Vista Home Premium SP2 64-bit, Dell Inspiron 5305 with 4GB of memory.

    I ran CCleaner as instructed on the READ & RUN ME FIRST Malware Removal Guide (incl. spyware, virus, trojan, hijacker) post.

    The Recovery Partition is full and I need to clean that up.

    Malwarebytes found plenty of threats. All of which are now quarantined as instructed.

    One item that I found did not match the instructions for Roguekiller is as follows. The instructions stated the following: "When it is finished, there will be a log on your desktop called RKreport[1].txt" It did not automatically create this file. I clicked on Export/Save and it's attached as RKreport_SCN_01152015_181402.log. I hope that is ok?

    Log files are attached.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall the below:
    • ShopAtHome.com Helper
    • ShopAtHome.com Toolbar


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ShopAtHomeWatcher : C:\Users\AddisonP\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe -> Found
    • [Suspicious.Path] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce | SpUninstallDeleteDir : rmdir /s /q "C:\Windows\system32\config\systemprofile\AppData\Roaming\SearchProtect" -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce | SpUninstallDeleteDir : rmdir /s /q "C:\Windows\system32\config\systemprofile\AppData\Roaming\SearchProtect" -> Found
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce | SpUninstallDeleteDir : rmdir /s /q "C:\Windows\system32\config\systemprofile\AppData\Roaming\SearchProtect" -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce | SpUninstallDeleteDir : rmdir /s /q "C:\Windows\system32\config\systemprofile\AppData\Roaming\SearchProtect" -> Found
    • [Hj.RegVal] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E7C2\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe -> Found
    • [Hj.RegVal] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E7C2\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Now re-run RogueKiller (just a scan) and attach the log.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
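The RogueKiller detections above all sit in standard Windows autostart locations: the Run/RunOnce keys (including the HKEY_USERS\.DEFAULT hive that the SYSTEM profile uses) and the Winlogon Shell value, which should be explorer.exe on a normal install. As an added example that is not part of this thread or of RogueKiller, the PowerShell script below audits those same locations on a live system and flags entries a defender would want to review: programs launched from AppData or Temp, shell commands such as rmdir or cmd.exe at startup, and a Winlogon Shell that is not explorer.exe. The pattern list is an assumption chosen for illustration; run it from an elevated prompt, and note that HKCU refers to the account running the script, not necessarily the affected user's profile.

```powershell
# Added example, not from the thread: audit common autostart registry locations.
# The suspicious-pattern list is an assumption for illustration; tune it to your environment.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Patterns worth a second look: executables under per-user profile or temp folders,
# and shell commands (cmd, rmdir, powershell) that run at logon.
$suspiciousPatterns = @('\\AppData\\', '\\Temp\\', '^cmd(\.exe)?\s', 'rmdir\s', 'powershell')

function Test-SuspiciousValue {
    param([string]$Value)
    foreach ($pattern in $suspiciousPatterns) {
        if ($Value -match $pattern) { return $true }
    }
    return $false
}

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        $flag = if (Test-SuspiciousValue $value) { 'REVIEW' } else { 'ok' }
        '{0,-6} {1} | {2} : {3}' -f $flag, $key, $name, $value
    }
}

# Winlogon Shell should be explorer.exe; anything else (such as the
# "cmd.exe /k start cmd.exe" value detected above) replaces the desktop at logon.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    "REVIEW Winlogon Shell is '$shell' (expected explorer.exe)"
} else {
    "ok     Winlogon Shell = $shell"
}
```

Lines marked REVIEW are not automatically malicious (legitimate installers also use RunOnce for cleanup), so compare each flagged path against what the user knowingly installed before removing anything, and keep the RogueKiller report as the record of what was changed.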
     
  3. Lery

    Lery Private E-2

    Thanks for the prompt reply Kestrel13!. The logs you requested are attached. For some reason RogueKiller does not produce a log file after it's finished. I have to click on the Report button. No problems encountered.

    The computer starts up and restarts just fine now. It takes about 40-50 seconds to boot up to the login prompt. The login process takes about 3-4 minutes before I would consider the PC to be in a usable state.

    Let me know how the logs look.
     


  4. Lery

    Lery Private E-2

    So sorry, I forgot to mention. You said to do the following:

    Uninstall the below:
    ShopAtHome.com Helper
    ShopAtHome.com Toolbar

    ShopAtHome Toolbar was listed in Add/Remove programs and was uninstalled as requested. The Helper was not shown and I could not find it to remove it.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The logs look great. Ready for final steps?

    Are you having any more malware problems?

    Delete all you can from this location:
    • C:\Users\AddisonP\AppData\Local\Temp
     
  6. Lery

    Lery Private E-2

    Kestrel13!,

    Thank you so much for your help and quick replies. I think everything is running much better now. Logging onto the computer still takes awhile, but I think that is just because the PC is so old. I will continue to adjust things, but I think the malware and other garbage is now gone.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome. :) Safe surfing!


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the below link:
     
