Adlice forum
General Category => Malware removal help => Topic started by: Kurstah on March 31, 2021, 03:45:28 AM
-
Hey, I have this error when RogueKiller tries to delete this registry (that appears everytime I reset my pc), can you help me?
-
Hi Kurstah,
Welcome to Adlice.com Forum.
Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
REG EXPORT HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies "%USERPROFILE%\Desktop\export.txt"
A new file named export.txt should have been created on your desktop. Please attach it with your next reply.
Regards.
-
Thanks for answering Curson,
Here it is
-
Hi Kurstah,
Download TCPView x64 (http://live.sysinternals.com/Tcpview64.exe), save it on your desktop and run it with administrator rights.
Locate the column "Local Port" and copy/paste the line that has the value 86 (you can sort the column) in your next reply.
Regards.
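As an added example (not code from the thread, from Curson, or from Adlice), here are the two checks asked for above, the ManualProxies export and the port 86 listener lookup, done from one elevated PowerShell session instead of cmd plus TCPView; it also lists the values under the Internet Settings policy key the poster mentions later in the thread. It assumes Windows 8 or later (for Get-NetTCPConnection); the function names Get-ProxyKeyState and Get-LocalListener are my own.

```powershell
# Added example, not from the forum thread. Run from an elevated PowerShell prompt.
# Assumes Windows 8+/Server 2012+ so that Get-NetTCPConnection (NetTCPIP module) exists.

# The two keys discussed in the thread: the NlaSvc ManualProxies key the helper
# asked to export, and the policy key whose ProxySettingsPerUser value the poster deletes.
$ProxyKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-ProxyKeyState {
    # One object per key: whether it exists and its value names/data (PS* noise removed).
    foreach ($Key in $ProxyKeys) {
        if (Test-Path -Path $Key) {
            $Props  = Get-ItemProperty -Path $Key
            $Values = $Props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
            [pscustomobject]@{ Key = $Key; Present = $true;  Values = ($Values -join '; ') }
        } else {
            [pscustomobject]@{ Key = $Key; Present = $false; Values = '' }
        }
    }
}

function Get-LocalListener {
    param([int]$Port = 86)
    # The same question TCPView answers: which process owns the listener on this port?
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = $Proc.ProcessName
                Path         = $Proc.Path   # empty if the process cannot be opened
            }
        }
}

# Export ManualProxies to the desktop exactly as requested in the thread (if the key exists).
$ExportFile = Join-Path $env:USERPROFILE 'Desktop\export.txt'
if (Test-Path -Path $ProxyKeys[0]) {
    reg.exe export 'HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies' $ExportFile /y | Out-Null
}

Get-ProxyKeyState | Format-List
Get-LocalListener -Port 86 | Format-Table -AutoSize
```

Re-run the script after a reboot to confirm whether the keys and the listener come back, which is what the thread is really trying to establish.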
-
iKernel.exe,4468,TCP,Listen,127.0.0.1,86,0.0.0.0,0,03/04/2021 3:24:33,iKernel.exe
-
Hi arikpik,
This is probably nothing, but to be on the safe side, we will be doing a full system investigation.
Please download Farbar Recovery Scan Tool (x64) (https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here using the "Attachments and other options > Attach" feature.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
-
Here it is.
In addition to my reply, I have to say that if I don't delete the registry Equipo\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser I can't use google in any browser because it says that the connection is not private (NET::ERR_CERT_COMMON_NAME_INVALID)
-
Hi Kurstah,
1) Please uninstall the following software:
Action!
Mirillis
NodeJS (the oldest one)
2) Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
3) Please download Kaspersky Virus Removal Tool (http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe) and save it on your desktop.
Right click on KVRT.exe and select Run as Administrator.
Read the EULA, then select Accept.
Wait for Kaspersky Virus Removal Tool to initialize.
In the main screen, select Change parameters, place a checkmark in System drive, then click OK.
Click Start scan.
Wait for Kaspersky Virus Removal Tool to complete scanning.
When the scan is finished, select Neutralize all for all detected objects.
Close Kaspersky Virus Removal Tool when done.
Please then inform me if something is detected.
How is your computer running?
Regards.
-
Hi Curson!
Fortunately, for the moment it works.
The manual proxy log is not being rebuilt.
I will let you know if I have any problems related to this but for now, thanks for your help!
-
Hi Kurstah,
I'm glad it seems to be gone.
You are very welcome.
Regards.