[CLOSED] Can't remove Trojan/Malware/Ransomware

Clsj1991
Registered user
Posts: 1
Joined: Wed, 24 Jun 2015, 23:10

[CLOSED] Can't remove Trojan/Malware/Ransomware

Post by Clsj1991 » Thu, 25 Jun 2015, 00:17

Dear Operator,


A few days ago my desktop got infected with ransomware and probably more unwanted things.

After using the Panda RESCUE Disk the ransomware was deleted, but there is still spyware and/or trojans on my system that no AV or AMW program can find or delete.
Even after two re-installations of Windows 7 it is still there. (Did it reinstall my old Registry?)

The first tool I used after the reinstallation was RogueKiller and it detected: AV.Killer, which I can't delete or find. (see attached file)

After RogueKiller I downloaded Panda Free Antivirus and did a scan, no threats found. I closed Panda and started it again for a second full system scan and during this scan my desktop got slow, very very very slow, almost all applications or Windows folders did not react or froze, so I had to reboot my PC again.

After the reboot I did a scan with PandaCloudCleaner (Analyze all pc) and infections were found.

PCloudCleaner LOG:

Malware. FILE: C:\USERS\ALWEER\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\ALWEER@CASALEMEDIA[1].TXT to be deleted.
Malware. FILE: C:\USERS\ALWEER\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\ALWEER@WEBORAMA[2].TXT to be deleted.
Malware. FILE: C:\USERS\ALWEER\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\ALWEER@BS.SERVING-SYS[2].TXT to be deleted.
Malware. FILE: C:\Users\alweer\AppData\Roaming\MICROSOFT\Windows\Cookies\Low\ALWEER@SERVING-SYS[1].TXT to be deleted.
Malware. FILE: C:\USERS\ALWEER\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\ALWEER@DOUBLECLICK[2].TXT to be deleted.
Malware. FILE: C:\USERS\ALWEER\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\ALWEER@DOUBLECLICK[2].TXT to be deleted.
Malware. FILE: C:\USERS\ALWEER\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\ALWEER@SMARTADSERVER[1].TXT to be deleted.
Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0
Suspicious Policy. POLICY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED[HIDEFILEEXT] to be changed to: 0
Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLEREGISTRYTOOLS]. Value: DISABLEREGISTRYTOOLS To be deleted.
Malware. REGKEY: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM[DISABLETASKMGR]. Value: DISABLETASKMGR To be deleted.

I had to reboot for the disinfection.
After the reboot I checked the C:\Program Files (x86)\Panda Security\Panda Cloud Cleaner folder and noticed that all the application file names were changed to (application).exe (example: PCloudCleaner to PCloudCleaner.exe).

Did a second scan with RogueKiller and PandaCloud, no infections were found.

Deleted the software with delfix and purged the system restore.
Rebooted again, downloaded RogueKiller and PandaCloud again, and the same infections as in the first scans were found.

Can you please help me get rid of this crap? :oops:


Thank you for your time helping us :mrgreen:



Kind Regards

Attachments: Roguegodver.png (60.22 KiB), Roguagodver2.png (116.45 KiB)

VirusBuster
Official moderator
Posts: 7596
Joined: Mon, 02 Apr 2012, 18:53
Location: Panda HQ - Bilbao

Re: Can't remove Trojan/Malware/Ransomware

Post by VirusBuster » Thu, 25 Jun 2015, 11:17

Clsj1991 wrote: After the reboot I checked the C:\Program Files (x86)\Panda Security\Panda Cloud Cleaner folder and noticed that all the application file names were changed to (application).exe (example: PCloudCleaner to PCloudCleaner.exe).

This is normal, it's just showing the file extensions (by default the most common extensions are hidden).

Clsj1991 wrote: Deleted the software with delfix and purged the system restore.
Rebooted again, downloaded RogueKiller and PandaCloud again, and the same infections as in the first scans were found.

Haven't you thought that it could be a false positive from RogueKiller?
The svchost.exe detected in the screenshot seems to be legit as it's in the path it should be.

Regarding the registry tab, it seems that you have wrong DNS settings under your network adapter.
The first one seems to be correct as it's a private address (192.168.x.x or 172.31.x.x); the others are public addresses. You should check them at http://cqcounter.com/whois/
Regards,

Jorge Torre
TechSupport Department - Panda Security

I don't reply to private messages unless I have previously requested them
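An added read-only check, not code from this thread or from Panda Security, that does the two things the reply above asks the poster to do by hand: list the DNS servers configured on each network adapter and mark which are private versus public, and read the HKCU policy values that the Panda Cloud Cleaner log named (DisableRegistryTools, DisableTaskMgr, HideFileExt). It classifies against the full RFC 1918 private set (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which goes beyond the two patterns the reply quotes, and it assumes a Windows 7-era host with PowerShell 2.0 where the WMI class Win32_NetworkAdapterConfiguration is available. It changes nothing; a resolver it flags as public still has to be looked up (for example at the whois page linked above) before deciding it does not belong there.

```powershell
# Added example (not code from the thread or from Panda Security): read-only
# checks for the DNS servers and registry policies discussed in this thread.
# Uses WMI rather than the newer DnsClient cmdlets so it also runs on
# Windows 7 / PowerShell 2.0.

function Get-IPv4Scope {
    # Returns 'private', 'public' or 'ipv6' for one DNS server address string.
    # 'private' covers the full RFC 1918 set (10/8, 172.16/12, 192.168/16) plus
    # loopback and link-local, which belong to the machine or the local link
    # rather than to an upstream resolver.
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return 'ipv6' }
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 10) { return 'private' }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return 'private' }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return 'private' }
    if ($b[0] -eq 127) { return 'private' }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return 'private' }
    return 'public'
}

Write-Output '=== DNS servers configured on IP-enabled adapters ==='
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($adapter in $adapters) {
    # DNSServerSearchOrder is null when the adapter has no static or DHCP DNS
    foreach ($dns in @($adapter.DNSServerSearchOrder)) {
        if (-not $dns) { continue }
        $scope = Get-IPv4Scope $dns
        $note = switch ($scope) {
            'private' { 'private (router/LAN resolver)' }
            'public'  { 'PUBLIC - confirm it is your ISP or a resolver you chose' }
            default   { 'IPv6 - not classified by this script' }
        }
        Write-Output ('{0,-40} {1,-16} {2}' -f $adapter.Description, $dns, $note)
    }
}

Write-Output ''
Write-Output '=== HKCU values named in the Panda Cloud Cleaner log ==='
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$checks = @(
    @{ Path = $policies; Name = 'DisableRegistryTools'; Expected = 'absent or 0' },
    @{ Path = $policies; Name = 'DisableTaskMgr';       Expected = 'absent or 0' },
    @{ Path = $explorer; Name = 'HideFileExt';          Expected = '0 (extensions visible)' }
)
foreach ($c in $checks) {
    $name = $c.Name
    # -ErrorAction SilentlyContinue: a missing value is reported as absent, not as an error
    $item = Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $value = $item.$name } else { $value = '<absent>' }
    Write-Output ('{0,-22} = {1,-10} expected: {2}' -f $name, $value, $c.Expected)
}
```

DisableRegistryTools and DisableTaskMgr set to 1 under HKCU are what a user sees as "regedit and Task Manager won't open"; they are ordinary policy values that both Group Policy and malware can write, so the value alone does not say who set it, only that it is worth checking after a cleanup and again after the reboot the log required.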

VirusBuster
Official moderator
Posts: 7596
Joined: Mon, 02 Apr 2012, 18:53
Location: Panda HQ - Bilbao

Re: Can't remove Trojan/Malware/Ransomware

Post by VirusBuster » Tue, 07 Jul 2015, 11:52

Closed due to lack of response
TOPIC CLOSED
Regards,

Jorge Torre
TechSupport Department - Panda Security

I don't reply to private messages unless I have previously requested them
