Need help with malware

Welcome to Major Geeks!

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {115d127b-3075-4e9e-9334-b78f26e8e502} - (no file)
O2 - BHO: (no name) - {783ceafd-cdb6-4d16-8818-a21d78ebc428} - (no file)
O2 - BHO: AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\17.0.1.12\AVG SafeGuard toolbar_toolbar.dll
O3 - Toolbar: AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\17.0.1.12\AVG SafeGuard toolbar_toolbar.dll
O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect" (User 'Default user')
O23 - Service: vToolbarUpdater17.0.12 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe

After clicking Fix, exit HJT.

Now uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
AVG SafeGuard toolbar


Please download OTM by Old Timer and save it to your Desktop.

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Services
vToolbarUpdater17.0.12
 
:Files
C:\Program Files (x86)\Mobogenie
C:\ProgramData\APN
C:\Users\Jimmyor\AppData\Local\Conduit
C:\Users\Jimmyor\AppData\Local\Mobogenie
C:\Users\Jimmyor\AppData\LocalLow\Conduit
C:\Users\Jimmyor\Documents\APNSetup.exe
C:\Users\Jimmyor\My Documents\Mobogenie
C:\Program Files (x86)\AVG SafeGuard toolbar
C:\windows\TEMP\*.*
C:\Users\Jimmyor\AppData\Local\Temp\*.*
:Reg
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{05660A04-00F1-3A04-AB3B-BC1074B84D67}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{37AC0F3B-749F-3B22-811B-5A019EED2E85}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{4392A6CC-7940-310E-8E16-799A8D93A438}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{66DF7821-ED6D-3534-893C-0E89E74B0F91}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{755CAFCC-F016-3B06-8F22-945EAA3AD10D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{76552F88-640C-314D-82B6-0D8A740907F7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{903F9872-E87F-3B74-83B0-DBE10073B29D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{9558EEB4-CDA6-3778-B53B-98076F0A1E90}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{B25AA9BA-FD52-3E5E-BFE3-9B106779DA6E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C852CF9F-37DC-35AC-926A-7E6CFFF7C501}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{C9777796-4378-3C90-B52D-7238FFFC2A5C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{DB1BC8B2-FDBF-30E7-BE1C-AFF9160059E6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{F3D5729C-7DEB-3850-A026-D0E323ECFEF5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Record\{FEC70973-CB8B-351C-8047-CAE1274CE249}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd]
[-HKEY_USERS\.DEFAULT\Software\ImInstaller]
[-HKEY_USERS\.DEFAULT\Software\WNLT]
[-HKEY_USERS\S-1-5-18\Software\ImInstaller]
[-HKEY_USERS\S-1-5-18\Software\WNLT]
[-HKEY_USERS\S-1-5-21-310115502-2704310769-2187870394-1001\Software\AppDataLow\Software\Conduit]
[-HKEY_USERS\S-1-5-21-310115502-2704310769-2187870394-1001\Software\IM]
[-HKEY_USERS\S-1-5-21-310115502-2704310769-2187870394-1001\Software\ImInstaller]
[-HKEY_USERS\S-1-5-21-310115502-2704310769-2187870394-1001_Classes\Wow6432Node\CLSID\{BEBBC426-4F16-4567-8FE1-BE198C982027}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{115d127b-3075-4e9e-9334-b78f26e8e502}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{783ceafd-cdb6-4d16-8818-a21d78ebc428}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
:Commands
[purity]
[EmptyTemp]
[start explorer]

[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Now run the below procedure the reset Firefox:

Reset Firefox to Defaults


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• the C:\_OTM\MovedFiles log
• the JRT.TXT log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You mean you uninstalled it AFTER you attached logs? :confused Your latest logs show the below still installed...

AVG SafeGuard toolbar


Can you re run Hitman Pro (just a scan) and attach log.
Same for RogueKiller please.

 

I have a feeling that any excessive packets uploading/downloading may just be due to software you are running. You are running online backup programs and possibly other software that could be adding to this. See programs like:

Norton Online Backup
Skydrive
Skype
Sage\Peachtree


But note that 130.600 sending and 3,853.000 receiving are not very many packets!!! Are you misusing the period and comma.

 

I'm not referring to the update part. I'm referring to the online backup.

We use commas in the USA to represent the thousands markers. Thus 3,800,000 and ( 3 million 800,000 ). This is why I was confused by your decimal points instead of commas.

Windows Explorer does not download anything so I assume you really meant Internet Explorer? Where are you seeing your packet counts or are you looking at the bytes counter in the Network Connections Properties?

Not if you are not running anything, but as noted, you have an online backup program and other things they may be accessing the internet.