Trojan Hider

Waterhouse · Jan 24, 2013

My pc has been infected to the point where AVG won't update, Malwarebytes and some other programs won't run (although I followed instructions here and elsewhere to work around the block on Malwarebytes and get it to run) and certain security websites won't open. I have followed the instructions in 'Read and Run Me First' and have run all the scans. The results are included below. I would be very grateful for any assistance.

TimW · Jan 25, 2013

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

[RUN][SUSP PATH] HKCU\[...]\Run : GmqCklpw (C:\Documents and Settings\Tommy.97C4839048604F4\Local Settings\Application Data\xgcpaljg\gmqcklpw.exe) -> FOUND
[RUN][BLACKLISTDLL] HKUS\S-1-5-19[...]\Run : nesakepoye (Rundll32.exe "C:\WINDOWS\system32\liwomajo.dll",s) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1993962763-2111687655-839522115-1004[...]\Run : GmqCklpw (C:\Documents and Settings\Tommy.97C4839048604F4\Local Settings\Application Data\xgcpaljg\gmqcklpw.exe) -> FOUND
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\WINDOWS\system32\userinit.exe,,C:\DOCUME~1\TOMMY~1.97C\LOCALS~1\Temp\xroamnrd.exe,C:\Documents and Settings\Tommy.97C4839048604F4\Local Settings\Application Data\xgcpaljg\gmqcklpw.exe) -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND

Place a checkmark each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Do not reboot your computer yet.

Now run Hitman and have it fix everything it finds.

Reboot and re-scan with both RogueKiller and Hitman and attach those logs as well.

Waterhouse · Jan 25, 2013

Done as instructed. Here are the logs. Must point out that I couldn't get Hitman to fix anything it found on its first scan. I clicked Next for it to fix and nothing happened - it said it was fixing but never advanced (I waited over 30 minutes to see if it was going to progress). Windows Task Manager said it was running but nothing was happening. I tried twice then tried rebooting and ran Hitman again and it worked that time. So there was a reboot between the RogueKiller scan and the Hitman one. Other than that I followed the instructions exactly.

TimW · Jan 26, 2013

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

[SHELL][SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\WINDOWS\system32\userinit.exe,,C:\DOCUME~1\TOMMY~1.97C\LOCALS~1\Temp\xroamnrd.exe) -> FOUND

Place a checkmark each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)

Now toggle system restore and reboot. Re-enable system restore.

Run Hitman and have it fix these items:
C:\Documents and Settings\Tommy.97C4839048604F4\Start Menu\Programs\Startup\gmqcklpw.exe
C:\Documents and Settings\Tommy.97C4839048604F4\Local Settings\Temp\xroamnrd.exe
C:\Documents and Settings\Tommy.97C4839048604F4\Local Settings\Temp\gmqcklpw.exe
C:\Documents and Settings\Tommy.97C4839048604F4\Local Settings\Application Data\xgcpaljg\gmqcklpw.exe
C:\Documents and Settings\Tommy.97C4839048604F4\7655312.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\gmqcklpw.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\xroamnrd.exe

Now re-scan with both RogueKiller and Hitman and attach those logs as well.

Waterhouse · Jan 26, 2013

Followed instructions. When I had Hitman fix those listed problems it said it needed to reboot to complete and I clicked the button to reboot. System froze at the logging out stage. Had to use the reset switch. Other than that carried out everything exactly.

TimW · Jan 27, 2013

Toggle system restore. Turn it off, reboot and turn it back on. Then run Hitman and have it fix all those PUP's.

Tell me how things are running now.

Attach the new Hitman log.

Waterhouse · Jan 27, 2013

Did as instructed. Ran Hitman. No PUP's there. Log included.

Things are running well now. Yesterday's measures seemed to flush things out. Was able to updated AVG and Zone Alarm is working properly and sites like AVG and Malwarebytes aren't being blocked on the internet As far as I can tell you seem to have fixed things for me. Thank you very much indeed.

TimW · Jan 28, 2013

Good to know.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.

Go back to step 4 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
related to MGtools and some other items from our cleaning procedures.

After doing the above, you should work thru the below link

How to Protect yourself from malware!

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0

Waterhouse · Jan 28, 2013

Thank you. I feel a bit foolish but I can't find any of the programs I downloaded and can now get rid of in order to uninstall them. They don't show up in Add/Remove Software. The programs being Roguekiller, Hitman and TDSSKiller. I read (from a google search) a forum saying that TDSSKiller is a standalone tool and you just delete the exe from your desktop to remove it. Is it the same with Roguekiller and Hitman? On Hitman each time I ran it I chose the 'No, I just want to perform a one-time scan' option rather than the store a copy of the program option.

TimW · Jan 29, 2013

Yes, just delete them off your desktop.

Waterhouse · Jan 29, 2013

Thank you. I have removed all those programs and am now working my way through the How to Protect yourself from malware link. I would like to thank you sincerely for all the help you have provided in getting my old pc trojan free and functioning properly again. It's extremely generous to devote so much time and expertise to help strangers and forums like this do an incredible job.

TimW · Jan 30, 2013

You are most welcome. Safe surfing.

Log in or Sign up

Trojan Hider

Waterhouse Private E-2

Attached Files:

RKreport[1]_S_01252013_02d0241.txt

mbam-log-2013-01-25 (03-07-21).txt

TDSSKiller.2.8.7.0_25.01.2013_03.25.05_log.txt

HitmanPro_20130125_0346.log

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Waterhouse Private E-2

Attached Files:

RKreport[3]_D_01262013_02d0210.txt

RKreport[4]_S_01262013_02d0318.txt

HitmanPro_20130126_0329.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Waterhouse Private E-2

Attached Files:

RKreport[6]_D_01272013_02d0236.txt

RKreport[7]_S_01272013_02d0320.txt

HitmanPro_20130127_0326.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Waterhouse Private E-2

Attached Files:

HitmanPro_20130128_0224.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Waterhouse Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Waterhouse Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member