
cannot get rid of roraccoon



Scanning computer results in finding 2 roraccoon in the registry. Items found show up in the scan memory circle while running. Went through the process of quarantine, said it was quarantined. And, should restart system. But system did not remove the 2 items when the scan was done a second time. The results were exported to a TXT file which is attached.

How should we proceed to get rid of 'roraccoon' ??????

first-scan-results.txt

Link to post

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This may be the reason and solution to your problems.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
----

If that fails execute these instructions.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions

Link to post

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance, please start your own topic in a new thread.

Thanks

 

Link to post

ChesChapman

 

Your copy of Chrome may have been compromised.

Step 1. Remove Chrome from your computer and reinstall a fresh copy later.

Step 2. Before you remove Chrome, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Step 3. If you sync your account you must remove it before you save your bookmarks etc...
Delete your Google Chrome browser sync data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Step 4. Clear your Chrome cache and cookies.
https://support.google.com/chromebook/answer/183083?hl=en

Step 5. Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Step 6. Re-install Chrome and the bookmarks.
<<<>>>

Keep me posted.

Link to post

1. turned off sync
2. exported bookmarks to desktop
3. cleared cookies, cache and history
4. uninstalled Chrome with also checking delete your bookmarks and browsing data
5. uninstalled Google toolbar for IE
6. Re-installed Chrome
7. Turned off sync
8. Imported bookmark
9. Scanned using Malwarebytes, found 2 roraccoon threats again PLUS additional 15 -- see attached

Chrome Install #2.txt

Link to post


1. Shut down the computer

2. Rebooted and Scanned

3. The two Roraccoon Threats (that have always been there) reappeared - same place

4. Quarantined and Deleted them

5. Re-started and Re-Scanned

6. The Roraccoon Threats Reappeared - Same place

7. Quarantined and Deleted them again

Link to post

Hi

Possible ENTERPRISE POLICY issues?

Read the instructions on this page if applicable.
http://forums.anvisoft.com/viewtopic-51-8494-0.html

Remove Installed by enterprise policy extension from Chrome.

If you find one and cannot remove it let me know the ID NUMBER that you have found.
<<<>>>

And/or

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html
 

Link to post

The link you sent us does not exist.

Read the instructions on this page if applicable.
http://forums.anvisoft.com/viewtopic-51-8494-0.html

 

Chrome Displayed the following six extensions

Adobe Acrobat

Google Docs Offline

Norton Security Toolbar

Docs

Sheets

Slides

None of these say "Enterprise Policy" 

Should we delete any of these six extensions?

Our next step is re-setting the router

Should we remove any of these six extensions?

Our next step is to reset our router

 

 

Link to post

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I need more information.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions
===

p.s.
If you run the AdwCleaner tool do you still see these items?


Registry Key: 1
Trojan.Roraccoon, HKLM\SOFTWARE\SSO, No Action By User, [5452], [511495],1.0.6843

Registry Value: 1
Trojan.Roraccoon, HKLM\SOFTWARE\SSO|TM, No Action By User, [5452], [511495],1.0.6843

If you delete them will they return?

Link to post
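
The rescan comparison the thread keeps doing by hand, as an added example (not part of the original posts and not Malwarebytes tooling): it parses two exported scan reports in the line format quoted above and lists the detections that are present again after quarantine. The first-scan text, its "Quarantined" status string and the `File` entry are constructed assumptions.

```python
import re
from typing import NamedTuple

class Detection(NamedTuple):
    category: str  # section header, e.g. "Registry Value"
    name: str      # detection name
    location: str  # registry path ("key|value") or file path
    action: str    # status column as exported

SECTION = re.compile(r"^([A-Za-z ]+):\s*\d+$")

def parse_report(text):
    """Read 'Section: N' headers and the comma-separated lines under them."""
    found, category = [], None
    for line in map(str.strip, text.splitlines()):
        header = SECTION.match(line)
        if header:
            category = header.group(1).strip()
            continue
        fields = [f.strip() for f in line.split(",")]
        if category and len(fields) >= 3:  # skips blanks and summary text
            found.append(Detection(category, *fields[:3]))
    return found

def recurring(before, after):
    """Detections in the later scan that the earlier scan already reported."""
    key = lambda d: (d.category, d.name, d.location.lower())
    seen = {key(d) for d in before}
    return [d for d in after if key(d) in seen]

# Constructed sample reports. The "Quarantined" status text and the File entry
# are assumptions; the Roraccoon lines reuse the format quoted in the thread.
SCAN_1 = r"""
Registry Key: 1
Trojan.Roraccoon, HKLM\SOFTWARE\SSO, Quarantined, [5452], [511495],1.0.6843

Registry Value: 1
Trojan.Roraccoon, HKLM\SOFTWARE\SSO|TM, Quarantined, [5452], [511495],1.0.6843
"""
SCAN_2 = r"""
Registry Key: 1
Trojan.Roraccoon, HKLM\SOFTWARE\SSO, No Action By User, [5452], [511495],1.0.6843

Registry Value: 1
Trojan.Roraccoon, HKLM\SOFTWARE\SSO|TM, No Action By User, [5452], [511495],1.0.6843

File: 1
Example.Detection, C:\Users\example\sample.exe, No Action By User, [0], [0],1.0.0
"""

if __name__ == "__main__":
    for d in recurring(parse_report(SCAN_1), parse_report(SCAN_2)):
        print(f"came back after quarantine: {d.category}: {d.location}")
```

The parser splits on commas, so a file path that itself contains a comma would need a stricter field split.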

Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Next, 

Let's see what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
zonemap;BCSSync;WebDiscoverBrowser;CF10C1C0-B598-4ADB-B353-42C991C99A2E;AFBCB7E0-F91A-4951-9F31-58FEE57A25C4;1711FC25-F05A-40CE-B859-A0C1CF01FD18
Once done, click on the Search Registry button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
====

Post both files.
I will give you a fix to remove them.

fixlist.txt

Link to post

  • performed the following.

    1. Downloaded and saved fixlist.txt to c/users/ches/downloads (other files were also in folder)
    2. Ran farbar (FRST)
    3. clicked fix once
    (It created fixlog.txt)
    4. System prompt to shut down (shut down and restarted)
    5. Ran farbar and copied search criteria to search text area.
    6. Saved the searchreg.txt file
    7. Sent both files in our reply 

SearchReg for nasdaq.txt

Fixlog for nasdaq.txt

Link to post

Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let me know what problem persists.

fixlist.txt

Link to post

Let's check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.


There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.

Link to post