Virus HELP: cannot run malwarebytes - Log Included

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ravoblex, Jul 27, 2014.

  1. Ravoblex

    Ravoblex Private E-2

    Please HELP with virus removal.

    My Avast Antivirus found the CSRSS_Cancel.exe virus and removed it during a quick scan. I ran a boottime scan and it froze at 7%. Stopped completely.

    So I followed the instructions in the read me first thread. I ran CCleaner. Then I ran RogueKiller. It seemed to find a "suspicious path." So find attached the log for that.

    I already had Malwarebytes installed. So I renamed it to MB.exe and tried to run it. I got the "Malwarebytes has stopped working" message. So I uninstalled, restarted and downloaded it again. I renamed the install file and got several runtime errors during the install process. After installation I tried to run it: same error message "Malwarebytes has stopped working."

    I ran TDSKiller as instructed and it found no threats.

    And that's as far as I got.

    Please help as I have been bluescreened on startup several times, had to restore to a previously saved restore point, and have been getting BSOD once the computer finally does start.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You didn't attach anything. We need a log from Hitman as well as the RogueKiller log and you also need to run MGTools.exe and attach that log ( C:\MGLogs.zip).
     
  3. Ravoblex

    Ravoblex Private E-2

    Here are the logs I was able to produce. MGTools hangs at "finding copies of actxprxy.dll," so I don't have a log for that.

    The upload form insists that I have already uploaded the Rogue Killer log, which is not the case, so I instead pasted the log below. Sorry for the breach in protocol.

    So attached is the hitman pro log and below is the rogue killer report.

    --

    RogueKiller V9.2.4.0 (x64) [Jul 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Thomas Murray [Admin rights]
    Mode : Scan -- Date : 07/27/2014 12:59:49

    ¤¤¤ Bad processes : 1 ¤¤¤
    [Suspicious.Path] tdsskiller.exe -- C:\Users\Thomas Murray\Desktop\tdsskiller.exe[7] -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 23 ¤¤¤
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8C2A9C1D-567C-4C2C-BDC8-712A791C0089} | NameServer : 8.26.56.26,156.154.70.22 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8C2A9C1D-567C-4C2C-BDC8-712A791C0089} | NameServer : 8.26.56.26,156.154.70.22 -> FOUND
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8C2A9C1D-567C-4C2C-BDC8-712A791C0089} | NameServer : 8.26.56.26,156.154.70.22 -> FOUND
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> FOUND
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> FOUND
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> FOUND
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0 -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
    [PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
    [PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND

    ¤¤¤ Scheduled tasks : 1 ¤¤¤
    [Suspicious.Path] \Open Hardware Monitor\Startup -- C:\Users\Thomas Murray\Desktop\Utilities\! Diagnostic\OpenHardwareMonitor\OpenHardwareMonitor.exe -> FOUND

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ HOSTS File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 1 (Driver: LOADED) ¤¤¤
    [IAT:Addr] (explorer.exe) ntdll.dll - NtSetSystemInformation : Unknown @ 0x80690000

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST310005 28AS SATA Disk Device +++++
    --- User ---
    [MBR] b8756ee2f6d07395f705d8b275090451
    [BSP] 43e2be632fa467e7e97cb39987fa84d2 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 MB
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 161792 | Size: 9642 MB
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 19908608 | Size: 944147 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: WDC WD10 EARS-00Y5B1 SATA Disk Device +++++
    --- User ---
    [MBR] 30e195b41df1d6fa1f03df2316094791
    [BSP] 7a9b4df54437fb9c881e24fa3fafb288 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive2: Generic- SD/MMC USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive3: Generic- Compact Flash USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive4: Generic- SM/xD-Picture USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive5: Generic- MS/MS-Pro USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive6: Msft Virtual Disk SCSI Disk Device +++++
    --- User ---
    [MBR] 0fae3fa0d3ac74fd7cd42dc328a435ca
    [BSP] 82e626f42dcc4656280258261fe665d7 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 65533 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([1] Incorrect function. )


    ============================================
    RKreport_SCN_07272014_121741.log
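As an added example (not from the thread and not RogueKiller's own code), a small Python triage script for the [PUM.*] registry lines in the report above: it parses them, collapses the duplicates RogueKiller prints for each registry view and control set, and explains why the EnableLUA / ConsentPromptBehaviorAdmin and NameServer findings deserve attention while the Start Menu ones are cosmetic. The sample lines are copied from the report; the severity labels and notes are the example's own.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass

# Constructed excerpt: six lines copied from the RogueKiller report in the thread.
SAMPLE_LOG = r"""¤¤¤ Registry Entries : 23 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8C2A9C1D-567C-4C2C-BDC8-712A791C0089} | NameServer : 8.26.56.26,156.154.70.22 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8C2A9C1D-567C-4C2C-BDC8-712A791C0089} | NameServer : 8.26.56.26,156.154.70.22 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2601632384-1076809792-656648644-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0 -> FOUND
"""

# One RogueKiller registry line: [class] (view) key | name : value -> status
ENTRY_RE = re.compile(
    r"^\[(?P<cls>PUM\.\w+)\] \((?P<arch>X64|X86)\) (?P<key>.+?) \| "
    r"(?P<name>\S+) : (?P<value>.*?) -> (?P<status>\w+)$"
)

@dataclass(frozen=True)
class PumEntry:
    cls: str     # e.g. "PUM.Dns", "PUM.Policies"
    arch: str    # registry view RogueKiller scanned: X64 or X86
    key: str     # full registry key path
    name: str    # value name, e.g. EnableLUA
    value: str   # value data as printed, e.g. "0"
    status: str  # FOUND, REPLACED, ...

def parse_entries(text):
    """Return one PumEntry per [PUM.*] line; other lines are ignored."""
    return [PumEntry(**m.groupdict()) for line in text.splitlines()
            if (m := ENTRY_RE.match(line.strip()))]

def assess(entry):
    """Map one entry to (severity, explanation) from a defender's point of view."""
    if entry.cls == "PUM.Policies" and entry.name == "EnableLUA" and entry.value == "0":
        return ("high", "UAC is switched off: admin-token processes run fully elevated "
                        "with no prompt. Restore EnableLUA=1 (the thread's final steps do this).")
    if entry.cls == "PUM.Policies" and entry.name == "ConsentPromptBehaviorAdmin" and entry.value == "0":
        return ("high", "Administrators elevate silently with no consent prompt; the Windows 7 "
                        "default is 5 (prompt for consent for non-Windows binaries).")
    if entry.cls == "PUM.Dns":
        return ("medium", f"Per-interface resolver override: {entry.value}. Confirm each address "
                          "is one you configured; a resolver you did not set answers every "
                          "name lookup on that interface.")
    return ("info", "Explorer/Start Menu preference; cosmetic unless unexpected.")

def triage(text):
    """Collapse duplicate (class, name, value) findings across the X64/X86 views and
    the ControlSet copies, then attach a severity and note to each unique finding."""
    findings = OrderedDict()
    for e in parse_entries(text):
        k = (e.cls, e.name, e.value)
        if k not in findings:
            sev, note = assess(e)
            findings[k] = {"class": e.cls, "setting": e.name, "value": e.value,
                           "severity": sev, "note": note, "occurrences": 0}
        findings[k]["occurrences"] += 1
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings.values(), key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['setting']} = {f['value']} "
              f"(x{f['occurrences']}) - {f['note']}")
```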
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to remove all your cracked software.
     
  5. Ravoblex

    Ravoblex Private E-2

    Okay. Done. I had downloaded some testing software from a "reputable" website. Didn't know it was cracked.

    I've included the reports. There should be three: hitman, roguekiller and TDS.

    MGTools still gets hung up at:
    "path not found - C:\windows\system32\drivers\etc ========== Finding copies of actxprxy.dll"
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.

    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.

    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    SN64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
     
  7. Ravoblex

    Ravoblex Private E-2

    Thanks for your reply.

    I've been running MGTools as administrator since 11pm last night. GRK64.bat produced the error:

    64 bit Windows OS found.
    The system cannot find the file specified.
    zipping runkeys.txt
    Finished zipping runkeys.txt


    SN64.bat produces the error:
    Path not found - C:\Windows\System32\drivers\etc
    ======== Finding copies of actxprxy.dll
    ======== Finding copies of csrss.exe
    ======== Finding copies of ctfmon.exe

    Now it's just hung up there very slowly finding the files.

    I'll wait as long as it takes to clear this all up. But is this normal for the program to take 10 hours to run?

    BTW, Chrome now won't fully load web pages. I had to log in today using Opera. Don't know what's going on with that...
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Attach what logs you can get.
     
  9. Ravoblex

    Ravoblex Private E-2

    My computer crashed before MGtools could complete its operation. I will run it again but it's more likely that my machine will crash before the scan is complete.

    Are there any next steps I can take. I'm at my wit's end trying to troubleshoot this issue.

    Thanks for your help, btw.
     
  10. Ravoblex

    Ravoblex Private E-2

    After running Emsisoft Emergency Kit I was able to install and run Malwarebytes. I ran a scan with it, and there were no infections!

    MGtools still locks up, however. Would that indicate that I am still infected?
     
  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, Ravoblex

    This has happened on occasion but may not be malware related. Running the below will provide some of the diagnostic information normally gathered in the MGlogs.zip.

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  12. Ravoblex

    Ravoblex Private E-2

    Thanks!

    Small hiccup, however. OTL was plowing through my files until it hit my Mediaplayer Art Cache. Which, as it turns out, has 30 million files in it. So it ran for about three hours and froze ("not responding".)

    I can't catch a break. How do I delete 30 million files without taking a week to do it?

    Anyway, I'm retrying OTL. If you have any advice about the Mediaplayer Art Cache, I'm open to suggestions.
     
  13. Ravoblex

    Ravoblex Private E-2

    OTL finally did output a report. I've attached it.
     

  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    I've found drivers from both anti-virus apps avast and AVG2014 running. Let's try using the 64bit version of the below to remove the AVG leftovers, since it seems at least broken. *Run it, re-boot, then once again.

    AVG Remover 2014.4116

    Did you set this?
    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click OTL.exe to run. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the text-field.
    Code:
    :OTL
    IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
    IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=42&systemid=1&apn_dtid=IME001&apn_ptnrs=AG1&o=APN10653&apn_uid=6355431376044734&q={searchTerms}
    IE - HKLM\..\SearchScopes,DefaultScope = {9CB96984-43C3-4D44-90EF-01466EFCF7BB}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=42&systemid=1&apn_dtid=IME001&apn_ptnrs=AG1&o=APN10653&apn_uid=6355431376044734&q={searchTerms}
    IE - HKLM\..\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}: "URL" = http://us.yhs4.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
    IE - HKU\S-1-5-21-2601632384-1076809792-656648644-1000\..\SearchScopes,DefaultScope = {9CB96984-43C3-4D44-90EF-01466EFCF7BB}
    IE - HKU\S-1-5-21-2601632384-1076809792-656648644-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
    IE - HKU\S-1-5-21-2601632384-1076809792-656648644-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=42&systemid=1&apn_dtid=IME001&apn_ptnrs=AG1&o=APN10653&apn_uid=6355431376044734&q={searchTerms}
    IE - HKU\S-1-5-21-2601632384-1076809792-656648644-1000\..\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}: "URL" = http://us.yhs4.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
    IE - HKU\S-1-5-21-2601632384-1076809792-656648644-1000\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = http://www.daemon-search.com/search/web?q={searchTerms}
    FF - user.js - File not found
    FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll File not found
    FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc:  File not found
    O2:[b]64bit:[/b] - BHO: (no name) - {10921475-03CE-4E04-90CE-E2E7EF20C814} - No CLSID value found.
    O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
    O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O8:[b]64bit:[/b] - Extra context menu item: E&xport to Microsoft Excel - Reg Error: Value error. File not found
    O8 - Extra context menu item: E&xport to Microsoft Excel - Reg Error: Value error. File not found
    O18:[b]64bit:[/b] - Protocol\Handler\belarc - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\linkscanner - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\viprotocol - No CLSID value found
    O18 - Protocol\Handler\linkscanner - No CLSID value found
    O18 - Protocol\Handler\viprotocol - No CLSID value found
    O34 - HKLM BootExecute: (搀渀挀氀攀愀渀㘀㐀⸀攀砀攀)
    [2014/07/28 15:56:57 | 000,000,000 | ---D | C] -- C:\EEK
    [2014/07/28 20:26:02 | 000,000,940 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2601632384-1076809792-656648644-1000UA.job
    [2014/07/28 15:48:39 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2014/07/28 15:48:39 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\AVG-Secure-Search-Update_1013b_rmv.job
    [2014/07/28 15:48:39 | 000,000,362 | ---- | M] () -- C:\Windows\tasks\AVG-Secure-Search-Update_1013b_rel.job
    [2014/07/27 21:26:00 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2601632384-1076809792-656648644-1000Core.job
    @Alternate Data Stream - 170 bytes -> C:\ProgramData\TEMP:C39E55C5
    @Alternate Data Stream - 16 bytes -> C:\Users\Thomas Murray\Downloads:Shareaza.GUID
    @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:B755D674
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:0B4227B4
    @Alternate Data Stream - 1300 bytes -> C:\Users\Thomas Murray\AppData\Local\XqfGC1yu1V:dx9nLgeoECsaVsA5J5k4
    @Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:553CA6CA
    @Alternate Data Stream - 1253 bytes -> C:\ProgramData\Microsoft:kyaqOJsE68YllcWvIKKAoLf
    @Alternate Data Stream - 1062 bytes -> C:\ProgramData\Microsoft:ReMM1RFOcs2fkDhpeYxrTv8UW
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)

    Please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

    Now download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach the JRT.txt to your next message.

    Now using the same steps with OTL, run a new scan and attach its updated OTL.txt log.

    How is your pc running now?
     
  15. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member


    I forgot to ask - have you tried running Malwarebytes in Safe Mode?
     
  16. Ravoblex

    Ravoblex Private E-2

    Ok. I ran AVG Remover. It rebooted into safe mode, then rebooted into regular mode and ran again. Everything appears to be fine there.

    As far as those registry entries, the only thing that looks familiar there is DNS, and I did reset the DNS to Google's DNS. I don't know if that's what you're thinking of.

    I ran OTL as administrator several times but it got hung up at:
    O34 - HKLM BootExecute: (搀渀挀氀攀愀渀㘀㐀⸀攀砀攀)

    So I deleted that from the instructions and OTL ran fine. Rebooted. Ran itself in safe mode. Rebooted. Ran itself at startup. Let me know if I should try to re-enter that HKLM entry into OTL again and run it.

    Attached are the adwcleaner, JRT, OTL and RKreport.
     


  17. Ravoblex

    Ravoblex Private E-2

    I also did run Malwarebytes in boot mode with no infections.

    As far as how my computer is running? Opening windows is more responsive. I notice that Silverlight doesn't fail when watching Netflix. And the computer hasn't crashed yet. So I guess things are definitely improved.

    Is there a last step to perform?
     
  18. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please run Adwcleaner again, this time have it remove what is detected. When completed, attach the latest log.

    Now run the following online scan -
    Using ESET's Online Scanner

    Attach the ESETScan.txt log, please.
     
  19. Ravoblex

    Ravoblex Private E-2

    Here are the logs you requested.
     


  20. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    How's your machine running, now?
     
  21. Ravoblex

    Ravoblex Private E-2

    It runs great! Thanks for all your help ridding my computer of that nasty bug.

    I'm still getting shutdowns, I think I'm looking at either bad RAM or a bad GPU. I ran memtest and there were no errors, so it's probably the GPU.

    Thanks again! :)
     
  22. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)
    I hope that you did elect to remove those PUPs from the ESET scan, as well as the Conduit junk...and that you locate the shutdown cause.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
  23. Ravoblex

    Ravoblex Private E-2

    As far as the cause, we've taken care of the malware threat and I'm still having BSOD issues. And memtest found no RAM errors after 8 passes. So I've narrowed it down to the GPU or a driver conflict.

    I'm researching new GPUs and I'll try a new one. I've been meaning to upgrade anyway. If that fails to rectify the issue, I'll cross that bridge when I come to it.

    Thanks again for all your help! :)
     
  24. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member


    You are very welcome!
     
