Highly troublesome malware infection, Help needed, Logs included

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Kidgid, Feb 25, 2014.

  1. Kidgid

    Kidgid Private E-2

    Hello,

    Recently after downloading a video my friend had sent me, a warning had popped up on my computer about a threat in the file location. Meaning to deny it access and delete it, I somehow accidentally clicked "Allow", and after around 10 seconds my Google Chrome crashed and would not start up, saying "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access this file."

    Panicked, I hastily restarted my computer, which may have been the wrong choice, as not a single one of the programs I had running at the time of the download started up again after that. After looking around a bit, I determined that I no longer had access to any Antivirus, any "Iobit" software, Google Chrome, Windows Defender, and a few other things. I am also unable to download or install any new antivirus, seemingly.

    I have followed the steps listed in your "Malware Removal" thread, and will attach the logs below, except for the fact that "Malwarebytes", when I try to install it, constantly get errors, denies me permissions even when I give myself permissions, and will not start properly.

    I have tried:

    -System Restore (Does not work/start)
    -Installing/running malwarebytes and other programs in safe mode (no difference from normal mode)
    -Fixing permissions, giving myself permissions, getting around permissions by installing in different places

    I used CCcleaner, as well as followed to steps in your guide, and that hasn't seemed to have done anything. If all else fails, I'll attempt to do a factory reset, as I have no particular need for anything on this computer, but if not necessary, it would be great.

    I have attached all the logs I was able to get from the steps, though one needed to be compressed into zip format as it was too large.

    I hope to hear back with some help or advice, thank you very much.
     

    Attached Files:

    Kidgid, Feb 25, 2014
    #1
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun Hitman and have it remove everything it found!!

    Then rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry Entries : 56 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : NT Kernel Service (C:\ProgramData\load32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows" [-][7][x]) -> FOUND
[SHELL][SUSP PATH] HKCU\[...]\Winlogon : shell (explorer.exe,"C:\ProgramData\load32.exe" [x][-]) -> FOUND
[SHELL][SUSP UNIC] HKCU\[...]\Windows : load (D:\Users\Gideon\Downloads\(18禁ゲーム) [071017] [サイクロン] カラークラシック×ローグスピア はにわ\bgm\installshield.exe [x][x][x][x][x]) -> FOUND
[SHELL][SUSP PATH] HKUS\[...]\Winlogon : shell (explorer.exe,"C:\ProgramData\load32.exe" [x][-]) -> FOUND
[SHELL][SUSP UNIC] HKUS\[...]\Windows : load (D:\Users\Gideon\Downloads\(18禁ゲーム) [071017] [サイクロン] カラークラシック×ローグスピア はにわ\bgm\installshield.exe [x][x][x][x][x]) -> FOUND
[IFEO] HKLM\[...]\ASCService.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\ASCTray.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\AutoUpdate.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\AvastSvc.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\AvastUI.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avcenter.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avconfig.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avgcsrva.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avgcsrvx.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avgemca.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avgidsagent.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avgnsa.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avgnt.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avgrsx.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avguard.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avgui.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avgwdsvc.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avp.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\avscan.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\bdagent.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\ccuac.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\ComboFix.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\egui.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\hijackthis.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\IMF.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\IMFsrv.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\instup.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\keyscrambler.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\mbam.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\mbamgui.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\mbampt.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\mbamscheduler.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\mbamservice.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\Monitor.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\MpCmdRun.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\MSASCui.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\MsMpEng.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\msseces.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\NisSrv.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\rstrui.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\spybotsd.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\ToolbarUpdater.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\wireshark.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
[IFEO] HKLM\[...]\zlclient.exe : Debugger (D:\Users\Gideon\Documents\315load32.exe [-]) -> FOUND
    Reboot and rescan with both RogueKiller and Hitman and attach those new logs.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).
    Then attach the below logs:
    * C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    TimW, Feb 25, 2014
    #2
  3. Kidgid

    Kidgid Private E-2

    Thanks for getting to me so quickly!

    I've done what you asked, and will attach the logs to this post... things seem to work pretty much the same; I don't seem to have been given privileges back, BUT things like Windows Defender say that they are "off" instead of just saying they don't work anymore. I'm hesitant to try and do much on my own, given I made the problem in the first place... Thanks again for helping me with this.

    (Edit: Just after submitting this post, I realized that Microsoft Security Essentials came online, for any significance that may have)
    (Edit #2: I seem to be able to return some permissions to myself, unsure if I can return all of them, I'll keep up with edits as I check)
     

    Attached Files:

    Last edited: Feb 25, 2014
    Kidgid, Feb 25, 2014
    #3
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You still need to fix what Hitman found. After doing that ( All the malware remnants as well as the PUP;s) then rerun RogueKiller and fix this item:
    Code:
    [HJ][PUM] HKLM\[...]\Wow6432Node\[...]\SystemRestore : DisableSR (1) -> FOUND
    Reboot and rerun both RogueKiller and Hitman and attach the logs.
     
    TimW, Feb 26, 2014
    #4
  5. Kidgid

    Kidgid Private E-2

    Hi again, sorry it took me so long-haven't been around to access computer. Thanks for helping still!

    I'll attach the logs just here... also, this "hk" avast.. thingy can't seem to be removed, and I'm not sure what to do about it. Also, it may or may not be linked to some... program? Malware? That constantly pops up on my taskbar for a very short instant, taking me away from whatever I happen to be doing... not sure what it's doing besides annoying me, but it's there.
     

    Attached Files:

    Kidgid, Mar 9, 2014
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    Anti-phishing Domain Advisor
    AVG 2013
    AVG PC Tuneup
    Java 7 Update 25 (64-bit)
    Java 7 Update 45
    Java(TM) 6 Update 37
    Spam Free Search Bar

    Now install the current version of Sun Java from:

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - (no file)
    R3 - URLSearchHook: (no name) - {687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
    R3 - URLSearchHook: (no name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)
    O2 - BHO: Updater For Spam Free Search Bar - {20a0be68-8fd9-4539-8712-ce3d1c1fdfc6} - (no file)
    O2 - BHO: Spam Free Search Bar - {26c9e18c-3717-4be1-a225-04e4471f5b6e} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Codec-C - {EB64D6B0-EA0E-4061-B650-14FE9BAD7AD8} - (no file)
    O3 - Toolbar: (no name) - {26c9e18c-3717-4be1-a225-04e4471f5b6e} - (no file)
    O4 - HKUS\S-1-5-21-2957666368-3584944445-519832662-501\..\Run: [SearchProtect] C:\Users\Guest\AppData\Roaming\SearchProtect\bin\cltmng.exe (User 'Guest')
    O4 - HKUS\S-1-5-21-2957666368-3584944445-519832662-501\..\Run: [TBHostSupport] "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Guest\AppData\Local\TBHostSupport\TBHostSupport_0.dll",DLLRunTBHostSupportPlugin (User 'Guest')
    O4 - HKUS\S-1-5-21-2957666368-3584944445-519832662-501\..\Run: [APISupport] "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Guest\AppData\Local\Conduit\APISupport\APISupport.dll",DLLRunAPISupport (User 'Guest')
    O18 - Protocol: linkscanner - (no CLSID) - (no file)
    O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
explorer.exe

:Services
AVGIDSAgent
avgwd
vToolbarUpdater12.2.6
 
:Files
C:\Windows\tasks\PC Cleaner Pro Update Job.job
C:\ProgramData\Babylon]
C:\Users\Gideon\AppData\Local\Conduit
C:\Users\Gideon\AppData\LocalLow\BabylonToolbar
C:\Users\Gideon\AppData\LocalLow\Conduit
C:\Users\Gideon\AppData\Roaming\Mozilla\Firefox\Profiles\v9mxhvzr.default\extensions\ffxtlbr@babylon.com
C:\Users\Gideon\AppData\Roaming\Mozilla\Firefox\Profiles\v9mxhvzr.default\smartbar
C:\Users\Guest\AppData\Local\Conduit
C:\Users\Guest\AppData\LocalLow\Conduit
C:\Program Files (x86)\Conduit
C:\Users\Guest\AppData\Local\Conduit
C:\Users\Guest\AppData\Local\TBHostSupport
C:\Users\Guest\AppData\Roaming\SearchProtect
C:\Users\Gideon\Desktop\avg_avct_stb_all_2014_4259_cm10.exe
C:\Users\Gideon\Desktop\avg_free_stb_all_2014_4335_cnet.exe.part
C:\Users\Gideon\Desktop\GetUnKey.txt
C:\Users\Gideon\Desktop\GetUnKey.zip
C:\ProgramData\Anti-phishing Domain Advisor
C:\ProgramData\ParetoLogic
C:\Program Files (x86)\Application Updater
C:\Program Files (x86)\Common Files\Spigot
C:\ProgramData\Anti-phishing Domain Advisor
C:\Windows\TEMP\*.*
C:\Users\Gideon\AppData\Local\Temp\*.*

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor]
[-HKEY_USERS\S-1-5-21-2957666368-3584944445-519832662-1000\Software\AppDataLow\Software\blekkotb]
[-HKEY_USERS\S-1-5-21-2957666368-3584944445-519832662-1000\Software\AppDataLow\Software\Smartbar]
[-HKEY_USERS\S-1-5-21-2957666368-3584944445-519832662-1000\Software\Conduit]
[-HKEY_USERS\S-1-5-21-2957666368-3584944445-519832662-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
[-HKEY_USERS\S-1-5-21-2957666368-3584944445-519832662-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_USERS\S-1-5-21-2957666368-3584944445-519832662-1000\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
[-HKEY_USERS\S-1-5-21-2957666368-3584944445-519832662-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvastSvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvastUI.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avcenter.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avconfig.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgcsrva.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgcsrvx.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgemca.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgidsagent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgnsa.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgnt.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgrsx.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avguard.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgui.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avgwdsvc.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdagent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ComboFix.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dw20.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dwtrig20.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\egui.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\excel.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\excelcnv.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ExtExport.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GoogleUpdate.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\hijackthis.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mbam.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mbamgui.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mbampt.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mbamscheduler.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\mbamservice.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\spybotsd.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ToolbarUpdater.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Winword.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\wireshark.exe]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large [​IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    chaslang, Mar 9, 2014
    #6
  7. Kidgid

    Kidgid Private E-2

    Hi, thanks again for all the help.

    So far everything seems to be fine, a few minor programs didn't activate on startup, but it's of no issue whatsoever... I have yet to notice any problems, but it's been such a short time, I'll be sure to update with anything I find,
     

    Attached Files:

    Kidgid, Mar 12, 2014
    #7
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    3. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
    chaslang, Mar 12, 2014
    #8

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds