Posting per Caliban's instructions: Malware or a crappy system?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BeepJeep, Oct 20, 2012.

  1. BeepJeep

    BeepJeep Guest

    Caliban graciously offered to help me figure out what is going on with my system (laptop HP Vista 32bit IE8) but advised me to start with the Read Me first and then post in Malware forums to see if this is the problem. I tried to do the first part of it, removing all anti's except 1 firewall, 1 anti-spyware and 1 anti-virus. That is part of what caused this problem to begin with. On the advice of a friend, I installed AVG and Comodo. Between the night of the 1st & the morning of the 2nd, something went wrong. The only thing I could see that happened overnight was a Windows Update. Just weird little things. Windows update was turned off. I followed Black Viper's advice and messed with what should Auto Start, etc. That made it worse. Takes forever to boot up. System runs slow. Task manager is giving errors (.mcupdate file corrupted, etc). Files are missing. I screwed up, admittedly, and tried to get rid of AVG and Comodo. Easier said than done. Used iObit to try a forced uninstall. Used Revo, also. Neither got it all. Still saw traces of Symantec, Norton, AVG, Spybot S&D, Avast and any other thing I or HP has installed over the past 5 years in the registry when I ran HiJackThis, CCleaner and iObit. Yes, I'm sure I deleted things I shouldn't. Yes, I'm an idiot. Got Avast off of there last night and did the Norton Uninstall Tool and instantly started hearing a loud noise like a marble banging in my keyboard and a horrible screeching noise. So. Now here I am. I apologize if I didn't get all of the malware software off of here but if I tried any harder, believe me, I wouldn't even be typing this. I had to reinstall Comodo just to get online. So, I've attached the logs and would like to know how to proceed, please.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Before we look at your logs, have you tried doing a system restore to a point before this all happened?
     
  3. BeepJeep

    BeepJeep Guest

    Yes, I tried that. It was the first thing I did. Part of my idiocy of following Black Viper and another's suggestion was to disable auto updates. I reinstated it because it would only let me go back to the 9th. I tried that and it made it worse. If I click on View Install History, it shows back to the 10th. If I click on Installed Updates, it goes back to the 9th and then shows "Earlier this year" and those start at 9/22/2012 with a Security Update from Microsoft Windows (KB2744842). Nothing at all in the logs for 10/1 or 10/2. I've tried System Restore from my Start-Accessories-System Tools tab. I've tried from iObit. I've tried from Safe Mode. None of it will go past 10/9/2012.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not really finding much in the way of malware on your system. Let's just do this:

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [TASK][SUSP PATH] {019FDB80-0FDC-4478-9D65-658214811F5C} : C:\Windows\System32\pcalua.exe -a C:\Users\Bretta\AppData\Local\Temp\Temp1_InstallRoot_v3.15A[1].zip\InstallRoot_v3.15A.exe -> FOUND
    • [TASK][SUSP PATH] {431924F0-D78D-4DE8-9199-F6BC7A88198F} : C:\Windows\System32\pcalua.exe -a C:\Users\Bretta\AppData\Local\Google\Chrome\Application\15.0.874.106\Installer\setup.exe -c --uninstall --multi-install --chrome -> FOUND
    • [TASK][SUSP PATH] {474A92A9-E614-4F23-BEEA-D8321BF713D9} : C:\Windows\System32\pcalua.exe -a "C:\Users\Bretta\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPITOATI\InstallRoot_v3.15A[1].exe" -d C:\Users\Bretta\Desktop -> FOUND
    • [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    • [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    • [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    • [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    • [DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    • [DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> FOUND

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Rescan with HitmanPro.
    Choose to Delete these files if they are detected:


    • HKLM\SOFTWARE\Classes\AppID\escort.DLL\ (Funmoods)
    • HKLM\SOFTWARE\Classes\AppID\escortApp.DLL\ (Funmoods)
    • HKLM\SOFTWARE\Classes\AppID\escortEng.DLL\ (Funmoods)
    • HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL\ (Funmoods)
    • HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
    • HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\ (Funmoods)
    • HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ (Funmoods)
    • HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ (Funmoods)
    • HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\ (Funmoods)
    • HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj\ (Funmoods)
    • HKU\S-1-5-21-3515677185-638758715-877581476-1000\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj\ (Funmoods)
    • HKU\S-1-5-21-3515677185-638758715-877581476-1000\Software\Softonic\ (Softonic)

    Ignore all other detections.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now re-scan with both RogueKiller and Hitman and attach both those logs. Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
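    Added example (not RogueKiller's code and not from the thread): a small Python triage script for the [DNS] and [TASK][SUSP PATH] lines in the format pasted above. It merges the NameServer entries that RogueKiller repeats once per ControlSet (ControlSet001/002/003 are copies of the same interface configuration), flags resolvers outside an allowlist, and separates pcalua.exe-proxied tasks whose target sits in a temp or cache directory from those pointing at installed software. The allowlist, the 192.168.1.1 line and the sample text are constructed; an address outside the allowlist is a lead to verify against what the owner deliberately configured, not a verdict.

```python
"""Triage RogueKiller-style [DNS] and [TASK][SUSP PATH] detections in the line
format pasted in this thread. Added example, not RogueKiller's own code."""
import re
from dataclasses import dataclass

# Constructed sample: first four lines reuse entries quoted in the thread; the
# last (a router address on the second interface) is invented for contrast.
SAMPLE = r"""
• [TASK][SUSP PATH] {019FDB80-0FDC-4478-9D65-658214811F5C} : C:\Windows\System32\pcalua.exe -a C:\Users\Bretta\AppData\Local\Temp\Temp1_InstallRoot_v3.15A[1].zip\InstallRoot_v3.15A.exe -> FOUND
  [TASK][SUSP PATH] {431924F0-D78D-4DE8-9199-F6BC7A88198F} : C:\Windows\System32\pcalua.exe -a C:\Users\Bretta\AppData\Local\Google\Chrome\Application\15.0.874.106\Installer\setup.exe -c --uninstall --multi-install --chrome -> FOUND
  [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
  [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
  [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (192.168.1.1) -> FOUND
"""
# Constructed allowlist: resolvers the owner or ISP is known to have configured.
ALLOWLIST = ("192.168.1.1",)

DNS_RE = re.compile(
    r"^\[DNS\]\s+HKLM\\.*?\\(?P<cs>ControlSet\d{3})\\.*?\{(?P<guid>[0-9A-Fa-f-]+)\}"
    r"\s*:\s*NameServer\s*\((?P<servers>[^)]*)\)\s*->\s*(?P<status>.+?)\s*$")
TASK_RE = re.compile(
    r"^\[TASK\]\[SUSP PATH\]\s+\{(?P<guid>[0-9A-Fa-f-]+)\}\s*:\s*(?P<cmd>.+?)"
    r"\s*->\s*(?P<status>.+?)\s*$")
# Locations where a scheduled task's target should not normally live; the
# [SUSP PATH] tag in the thread points at exactly these (user temp, IE cache).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\temporary internet files\\", "\\downloads\\")


@dataclass(frozen=True)
class DnsEntry:
    control_set: str
    interface: str      # interface GUID; the same GUID recurs once per ControlSet
    servers: tuple
    status: str


@dataclass(frozen=True)
class TaskEntry:
    task_id: str
    command: str
    status: str


def parse(text):
    """Return (dns_entries, task_entries); bullets and indentation are ignored."""
    dns, tasks = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if m := DNS_RE.match(line):
            servers = tuple(s.strip() for s in m["servers"].split(",") if s.strip())
            dns.append(DnsEntry(m["cs"], m["guid"].upper(), servers, m["status"]))
        elif m := TASK_RE.match(line):
            tasks.append(TaskEntry(m["guid"].upper(), m["cmd"], m["status"]))
    return dns, tasks


def unexpected_dns(dns, allowlist=ALLOWLIST):
    """{interface GUID: sorted unexpected resolvers}. ControlSet001/002/003 are
    copies of one configuration, so hits are merged per interface instead of
    being reported three times as in the raw RogueKiller output."""
    allowed = {a.lower() for a in allowlist}
    flagged = {}
    for e in dns:
        bad = [s for s in e.servers if s.lower() not in allowed]
        if bad:
            flagged.setdefault(e.interface, set()).update(bad)
    return {guid: tuple(sorted(v)) for guid, v in flagged.items()}


def proxied_launches(tasks):
    """Tasks that start a target via pcalua.exe -a (Program Compatibility
    Assistant used as a launcher): returns (task_id, target, in_temp_dir)."""
    out = []
    for t in tasks:
        if "pcalua.exe" not in t.command.lower():
            continue
        m = re.search(r'-a\s+(?:"([^"]+)"|(\S+))', t.command)
        if not m:
            continue
        target = m.group(1) or m.group(2)
        in_temp = any(d in target.lower() for d in TEMP_DIRS)
        out.append((t.task_id, target, in_temp))
    return out
```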
     
  5. BeepJeep

    BeepJeep Guest

    Ok, ran the tools and have attached. You're right. Other than the stupid Funtools thing, there's no malware so looks like I'm back to the software forum to bug Caliban on some particular (I think) like problems with task scheduler errors and best start up configs, etc. Oh and yes, the registry's did combine successfully. Thank you SO much for your help. You have no idea how much I appreciate it. :)
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's just clear up a few things before we send you back to the software forum.

    Re-scan with RogueKiller and then click on the DNS tab. Fix these:

    • [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
    • [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
    • [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
    • [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
    • [DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
    • [DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX

    Then use Windows Explorer to find and delete:
    C:\Users\Bretta\AppData\Roaming\Microsoft\Windows\Templates\fprntx1e8lgn2smy4pia6x068l4r

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link:
    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  7. BeepJeep

    BeepJeep Guest

    I just wanted to come and say thank you very, very much for what you did to help me, Tim. You all take time out of your day to come and help and words cannot express how grateful we are for that. I'm fairly certain there is still "junk" left on here that I'm trying to wade through and weed out but as for the malware or viruses, all seems to be just fine. So again, thank you!! :celebrate
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
  9. BeepJeep

    BeepJeep Guest

    Well, Tim, you're going to hate me. Or at least seriously kick me in the butt. I'm right back where I started. Just...worse. I wanted to start with a clean slate on all of the security measures you sent me off to so I did the AVG uninstaller. Looked in regedit. It didn't get nearly all of it. So, I reinstalled it, did the Revo. It still didn't. Then I started seeing things that really ticked me off because after 4 or 5 years, I had no idea some of those programs were still in there (Avast, Ad-Aware, Freecause, Paretologic and so many more) so yes. I am an idiot and have spent the last couple of days on an OCD fevered regedit fest. I know. I.am.an.idiot. Yes, very well aware. Finally was able to get back online after doing a system restore to the day we did all of this work. Now, everything is still on my computer, except of course certain files I need that don't work now because I'm an idiot (I think I may have mentioned that part). Like my iObit had upgraded from 5 to 6 and actually, I was just going to keep that and Spyware Bot and Malwarebyte's and call it a day but nooooo. Now, I still can execute iObit5 but can't get it to upgrade to 6. It's all just a mess and I come to you humbly on bended knee with my head hung in shame, hoping against hope that you can help me again. I'm so sorry, Tim. And yes. I've been driving my husband bat guano over the past few days. Not that it makes it any better. :(
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is no reason to be messing with the registry. You probably will do more harm than good. Tell me exactly what issues you are having. Is it just a few programs that are failing to run?
     
    Last edited by a moderator: Oct 29, 2012
  11. BeepJeep

    BeepJeep Guest

    Yes, I know. But I wanted to wipe the slate clean with all of the various spyware and virus software and just start from scratch. I have iObit v5 and had just updated to v6 (paid) the other day. I was going to ask for the opinion on here if that should be sufficient. But I can't even get the v6 to run now. Says I have to reinstall it but if I try and do that, it says I have to uninstall v5 and I'm afraid to do that because I have backup files of cleanings in there that I can at least restore to. And after doing a thorough look through the event viewer (which parts of won't even access now-code 13 error), I can see where something or someone went wrong between the 30th and the 1st now. I was able to do a registry restore from iObit v5 back to 9/29 and a system restore and got most of the tools you'd had me install back off of my desktop. Everything is still running slow. Still having errors in task scheduler. Spotify is even messed up now. Usually, if I X out of it, it still runs in the task bar; if I want to totally exit out of it, I just right click it and click on exit. There are now options I've never seen before, one of which being to click Next instead of Exit. Right clicking is super slow again. I did a registry backup the other day so I can probably just run it and put everything in place. I'm so :mad at myself, I could cry. And yes, I've run every virus/spyware/adware app I have and it's found nothing and yet, Eset is running right now and it's already found the same thing as the other day. The variant of Windows Adware.Yontoo.B Application. And for what it's worth, my husband just walked through here, I told him what you said and he said, I told you so...and did he also tell you to make your husband a pot roast for dinner because he was right? As if I wasn't mortified enough. :banghead
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, I can't tell if it is your messing around ( :) ), or the malware restored. The only way I can assess that is if you re-download the tools and attach the requested logs.
     
  13. BeepJeep

    BeepJeep Guest

    Oh, let me go ahead and assure you now (knowing me as well as I do), it was a result of me screwing around where I shouldn't have. :-o I have ntuser.dat user files all OVER the place in my Desktop--->Bretta file. AppData is under there now. As well as Cookies, Application Data, Net Hood, Local Files and more folders in that file, too but of course, they're the ones with the blue arrow that if you try and click on, you get the Jeopardy buzzer thrown in your face. Tons of duplicate files all over the place (do I really need 3 Shockwave files in that downloads folder?!) or when I hit the Start button, All programs, almost every file has a duplicate under it. And when I open My Computer now, it now has another line that says Network Location 1 and underneath desktop.ini. THAT wasn't there before! Or when I try to move things into another folder, it's telling me I need admin permission just to do that. It wouldn't even let me do a dskchk so I went and looked and sure enough, in the regedit, it was showing my Bootup as having a /p\ and AVG in it. So what did I do? Changed it to the original settings of where it doesn't start automatically at bootup. So yea. You can pretty go ahead and lay odds that it was something in there I deleted that I shouldn't have. The ESET online scanner only found that one variant of Win32/Adware.Yontoo.B application. But if you're feelin froggy, we'll give it a go again. I'm off to Read & Run & Attach.
     
  14. BeepJeep

    BeepJeep Guest

    Here goes nothin......
     

    Attached Files:

  15. BeepJeep

    BeepJeep Guest

    Oh! And I did try to do as per the Read instructions and did still see a bunch of the AWL, AVG, AVG Secure Search, etc. when I ran a search for various AV before starting but I didn't delete anything. I wasn't in the registry. Just in My Computer and I made sure to check and see if any of those services or processes were running before I started and they weren't.
     
  16. BeepJeep

    BeepJeep Guest

    Ok, maybe it wasn't me (entirely). Judging from what I've seen on the logs, etc....yes. It's still a virus. :(
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [TASK][SUSP PATH] {019FDB80-0FDC-4478-9D65-658214811F5C} : C:\Windows\System32\pcalua.exe -a C:\Users\Bretta\AppData\Local\Temp\Temp1_InstallRoot_v3.15A[1].zip\InstallRoot_v3.15A.exe -> FOUND
    • [TASK][SUSP PATH] {2521E6C3-04FA-4789-BFC4-2C70DD88B1C1} : C:\Windows\System32\pcalua.exe -a "C:\Users\Bretta\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EZUG2ROO\AVGIDPUninstaller[1].exe" -d C:\Users\Bretta\Desktop -> FOUND
    • [TASK][SUSP PATH] {431924F0-D78D-4DE8-9199-F6BC7A88198F} : C:\Windows\System32\pcalua.exe -a C:\Users\Bretta\AppData\Local\Google\Chrome\Application\15.0.874.106\Installer\setup.exe -c --uninstall --multi-install --chrome -> FOUND
    • [TASK][SUSP PATH] {474A92A9-E614-4F23-BEEA-D8321BF713D9} : C:\Windows\System32\pcalua.exe -a "C:\Users\Bretta\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPITOATI\InstallRoot_v3.15A[1].exe" -d C:\Users\Bretta\Desktop -> FOUND

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.

    Now go to the DNS tab and fix these items:
    [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> FOUND

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    After a reboot, rescan with both RogueKiller and Hitman and attach both those logs as well.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).
    Then attach the below logs:
    * C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  18. BeepJeep

    BeepJeep Guest

    Well, I don't know what the deal is, Tim, but the homepage has now been changed from Yahoo to Google and I can't get the MGTools zip file to work. I've also now got 5 RK logs on my desktop that weren't all there before. 2 and 5 are the ones that I'm pretty sure got run today before and after the reboot. I'll show you what I have with a .jpg on the MGTools error that I received over and over again.
     

    Attached Files:

  19. BeepJeep

    BeepJeep Guest

    Also, when my Avira was running a scheduled scan last night, this came up: The file 'C:\HP\BIN\EndProcess.exe'
    contained a virus or unwanted program 'APPL/KillApp.A' [program]
    Action(s) taken:
    The file was moved to the quarantine directory under the name '57eb21ce.qua'!
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rescan with RogueKiller and click the DNS tab and fix these:
    Code:
    [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{2606F0A0-0D87-4080-9B13-0E2A301F5F21} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    [DNS] HKLM\[...]\ControlSet003\Services\Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
    Now download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    Attach both of these logs into your next reply.

    Also attach the new RogueKiller log.
     
  21. BeepJeep

    BeepJeep Guest

    On it.......:major
     
  22. BeepJeep

    BeepJeep Guest

    I've attached RK1 txt on here, as well, only because I'm curious as to what that HJDesk entry is on the last line at the beginning of the report, Tim.
     

    Attached Files:

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    Code:
    :processes
    :killallprocesses
    :files
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:430C6D84
    @Alternate Data Stream - 116 bytes -> C:\ProgramData\Temp:D1B5B4F1
    @Alternate Data Stream - 113 bytes -> C:\ProgramData\Temp:C31F31E6
    @Alternate Data Stream - 104 bytes -> C:\ProgramData\Temp:DFC5A2B2
    @Alternate Data Stream - 100 bytes -> C:\ProgramData\Temp:5C321E34
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
     
  24. BeepJeep

    BeepJeep Guest

    Well, crap. I did as you said, system rebooted, report came up in notepad after restart, closed it....can't find it now.
     
  25. BeepJeep

    BeepJeep Guest

    I followed your previous instructions and ran the scan again. OTL notepad text came up but not Extra. I've attached this second OTL scan, without running a fix or anything. Just a scan.
     

    Attached Files:

  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding any malware in your logs. You can use Windows Explorer to find and delete these old files:
    C:\Users\Bretta\AppData\Local\fprntx1e8lgn2smy4pia6x068l4r
    C:\ProgramData\fprntx1e8lgn2smy4pia6x068l4r

    Otherwise you are clean.
     
  27. BeepJeep

    BeepJeep Guest

    Ok, Tim. If you say it looks clean, then I guess I'll just go from here to the software forum because so much of this still just doesn't seem or look right to me. Thank you again for all of your help. I really, really appreciate it. :)
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link:
    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  29. BeepJeep

    BeepJeep Guest

    Everything still seems to be running fine, Tim. I've installed all new anti-everything and a new firewall. Seems to be doing the trick. Take care and thank you again.:)
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
