White Screen, Rans.Gendarm, ran RK, delete which files?

Discussion in 'Malware Help (A Specialist Will Reply)' started by helpthecow, Nov 19, 2012.

  1. helpthecow

    helpthecow Private E-2

    Hi, so I already ran FRST.exe and RogueKiller.exe

    I already deleted 1 file marked red with [SUSP PATH], but am not sure if I can delete the remaining problem files:


    ¤¤¤ Registry Entries : 4 ¤¤¤
    [SHELL][Rans.Gendarm] HKCU\[...]\Winlogon : shell (explorer.exe,C:\Users\Aladdin\AppData\Roaming\msconfig.dat) -> FOUND
    [SHELL][Rans.Gendarm] HKUS\S-1-5-21-4280187566-134643006-534490249-1005[...]\Winlogon : shell (explorer.exe,C:\Users\Aladdin\AppData\Roaming\msconfig.dat) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    In any case, I have attached the RKreport and FRST.txt.

    Please let me know if I can simply delete those files, or if not, what I need to do? Thanks!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [SHELL][Rans.Gendarm] HKCU\[...]\Winlogon : shell (explorer.exe,C:\Users\Aladdin\AppData\Roaming\msconfig.dat) -> FOUND
      [SHELL][Rans.Gendarm] HKUS\S-1-5-21-4280187566-134643006-534490249-1005[...]\Winlogon : shell (explorer.exe,C:\Users\Aladdin\AppData\Roaming\msconfig.dat) -> FOUND
    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    Now reboot your system and follow these instructions:

    READ & RUN ME FIRST. Malware Removal Guide
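    The two [SHELL][Rans.Gendarm] detections above are the Winlogon "Shell" value, which on a clean system is exactly explorer.exe; the hijacked value launches a second program (msconfig.dat in this thread) every time the user logs on. The following PowerShell is an added example written for this thread, not part of RogueKiller or of the original posts: it reads the Shell value from HKLM, HKCU and every loaded hive under HKEY_USERS (which is where the two hits above were reported, and goes slightly beyond them by also covering HKLM) and flags anything other than the expected value. The function name Get-WinlogonShellFindings and the Expected parameter are this example's own choices.

```powershell
# Added example (not from the thread or from RogueKiller): audit the Winlogon
# "Shell" value in every hive where it can live. A default install has exactly
# "explorer.exe"; anything appended after a comma (the thread's case was
# "explorer.exe,C:\Users\...\msconfig.dat") is an extra program run at logon.
function Get-WinlogonShellFindings {
    [CmdletBinding()]
    param(
        # Expected value on a default Windows install (assumption for this example)
        [string]$Expected = 'explorer.exe'
    )

    $subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $paths = @(
        "HKLM:\$subKey",
        "HKCU:\$subKey"
    )

    # HKU: is not a default PSDrive; create it so loaded user hives can be walked.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -Scope Script
    }
    # Skip the *_Classes hives; only real user SIDs and .DEFAULT carry a Winlogon key.
    $userHives = Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $userHives) {
        $paths += "HKU:\$($hive.PSChildName)\$subKey"
    }

    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path)) { continue }
        $shell = (Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue).Shell
        # An absent value is normal for HKCU/HKU: Windows then falls back to HKLM.
        if ($null -eq $shell) { continue }

        # Compare case-insensitively after trimming; any other content is suspicious.
        $isClean = $shell.Trim() -ieq $Expected
        # Everything after the first comma is the extra payload, if there is one.
        $extra = if ($isClean) { '' } else { ($shell -split ',', 2)[1] }

        [pscustomobject]@{
            Hive       = $path
            Shell      = $shell
            Suspicious = -not $isClean
            Extra      = $extra
        }
    }
}

# Usage: list only the entries that need attention. Run from an elevated prompt
# so that other users' loaded hives under HKEY_USERS are readable.
Get-WinlogonShellFindings | Where-Object Suspicious | Format-List
```

    The Extra field is what you would take to the next step: locate that file, check whether it is still present, and confirm the Shell value reads exactly explorer.exe again after cleanup. Hives of users who are not logged on are not loaded under HKEY_USERS, so a scan from one account does not see every profile on the machine.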
     
  3. helpthecow

    helpthecow Private E-2

    Thanks, TimW,

    OK, I have attached some log files.

    TDS didn't find anything, but HitmanPro found a few suspicious files.
    Lemme know what to do next, thanks!
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I still need the log from running MGTools.exe --- C:\MGLogs.zip.
     
  5. helpthecow

    helpthecow Private E-2

    Hi, per your request, I have attached the MGlogs.zip file.

    Please let me know what to do next, and what do I do about those files that HitmanPro found?

    Thanks, hope you're having Happy Holidays too.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use Windows Explorer to find and delete:
    C:\Users\Aladdin\AppData\Roaming\Microsoft\Windows\Templates\jp31go0rfvh488pi58ew7km67c28p306s10322mu024qkr
    C:\Users\Aladdin\AppData\Local\ktbjjflrw\nwsiofptssd.exe
    C:\Users\Aladdin\AppData\Local\ktbjjflrw

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now tell me how things are running.
     
  7. helpthecow

    helpthecow Private E-2

    Hi TimW,
    so I managed to delete:

    C:\Users\Aladdin\AppData\Roaming\Microsoft\Windows\Templates\jp31go0rfvh488pi58ew7km67c28p306s10322mu024qkr

    but did not see:

    C:\Users\Aladdin\AppData\Local\ktbjjflrw\nwsiofptssd.exe
    C:\Users\Aladdin\AppData\Local\ktbjjflrw

    at all. I did not have hiding of hidden files turned on and even tried an Advanced search for just ktbjjflrw and nwsiofptssd, but to no avail.
    I did run the registry edit and it worked, as I saw a success message as indicated for the registry addition.

    Note I also turned UAC back on by manually going into the control panel and doing it in the same way I was first instructed to turn it off on the
    Vista and Win 7 Malware Removal/Cleaning Procedure

    What I don't quite get is why the instructions to turn UAC back on are by using the EnableUAC.reg file from the MGTools folder? Do I need to do it that way, or is the way I did it manually via the control panel/accounts fine?

    Anyways, my computer seems good so far, though I haven't used it much yet. I'll be using it a lot this weekend and will let you know if something goes wrong or not.

    And thanks for the help thus far Tim, you guys are amazing!
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You could do it either way. Use it this weekend and let me know if things remain good.
     
