Residual Traces of Infection

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• O1 - Hosts: 54.204.28.26 ajakpekbmnkgnjbpajgkdhimcbeoocam
• O3 - Toolbar: (no name) - {41564952-412D-5637-00A7-7A786E7484D7} - (no file)
• O4 - HKCU\..\Run: [IhizErye] regsvr32.exe "
• O4 - HKLM\..\Policies\Explorer\Run: [81324703] C:\PROGRA~3\msdfvu.exe
• O9 - Extra button: (no name) - {4BEEA052-726D-4A6E-B65D-A6BD07C263F3} - (no file)
• O9 - Extra 'Tools' menuitem: About nurago web meter - {4BEEA052-726D-4A6E-B65D-A6BD07C263F3} - (no file)
• O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

After clicking Fix exit HJT.



Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the area. Do not include the word Code.

Code:

:reg
[-HKU\S-1-5-21-61326812-3260373432-3726041123-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\AppDataLow\Software\Conduit]
[-HKU\S-1-5-21-61326812-3260373432-3726041123-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\AppDataLow\Software\Smartbar]
[-HKU\S-1-5-21-61326812-3260373432-3726041123-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
[-HKU\S-1-5-21-61326812-3260373432-3726041123-1001\Software\AppDataLow\Software\Conduit]
[-HKU\S-1-5-21-61326812-3260373432-3726041123-1001\Software\AppDataLow\Software\Smartbar]
[-HKU\S-1-5-21-61326812-3260373432-3726041123-1001\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]

:Files
C:\PROGRA~3\msdfvu.exe
C:\$RECYCLE.BIN\S-1-5-21-61326812-3260373432-3726041123-1000\$RZ8MWRR.exe
C:\Users\Tez\AppData\Local\alkyqyva.log
C:\Users\Tez\AppData\Local\aobumajl.log
C:\Users\Tez\AppData\Local\aofihiqe.log
C:\Users\Tez\AppData\Local\bffifaql.log
C:\Users\Tez\AppData\Local\cwitwhcg.log
C:\Users\Tez\AppData\Local\cwvmsisr.log
C:\Users\Tez\AppData\Local\dnaaoiwo.log
C:\Users\Tez\AppData\Local\enssmpai.log
C:\Users\Tez\AppData\Local\huqifvnv.log
C:\Users\Tez\AppData\Local\IconCache.db
C:\Users\Tez\AppData\Local\jdlaobwy.log
C:\Users\Tez\AppData\Local\jnhcrury.log
C:\Users\Tez\AppData\Local\lvfwbdbf.log
C:\Users\Tez\AppData\Local\ncarwerw.log
C:\Users\Tez\AppData\Local\ndbpieuo.log
C:\Users\Tez\AppData\Local\pkumgmxd.log
C:\Users\Tez\AppData\Local\saexifdu.log
C:\Users\Tez\AppData\Local\vrbtxasi.log
C:\Users\Tez\AppData\Local\xgknxahb.log
C:\ProgramData\npgpkrqm.log


:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



Empty your recycle bin.


Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

I was wrong about the trial expiring with Hitman, there are 28 days remaining. (My fix is attempting to remove the items it did show, though.)



Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
• Click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

MGTools did not run correctly. Please run it again this time ensuring protection software is disabled, that you indeed ran it as admin, and that UAC is disabled. Then attach the new MGlogs.zip please.

 

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the area. Do not include the word Code.

Code:

:Commands
[resethosts]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



Uninstall Avira please and try MGTools.exe again.

Let me know how you get on.

 

Shall we first try The Avira Removal Tool?

 

Yep, go for it. :major

 

Go ahead and use iobit uninstaller and let me know how that goes....

 

Why are you trying to run it after uninstalling it? :confused

I wanted it uninstalled so that MGTools could run, as you know. How is that going?

 

So you were still unable to run MGTools in normal mode??

I am not seeing anything else in that last set of logs anyway. How are things running?

Are you able to reinstall Avira? If having troubles let me know. I think it may be broken left right and centre, I think thanks to iobit.

 

Hmm, yes, do indeed install MSSE and let me know if you are able to run it.

 

I think avira just went a bit "iffy" is all. I'm glad Microsoft Security Essentials is playing nicely with your machine. It's what I use personally.

I suggest you surf around for a day or so and then come back to me and post about how things are running, any problems etc...

 

Becoming A Malware Forum Helper

Unfortunately we are too busy to offer training to anyone who is not already a recognized expert. There are a few websites that provide training rooms. The process can take awhile to complete since there is a lot to learn and the people training you are doing it in their free time. Make sure that you are serious about wanting to spend the time to learn and have the time to perform malware removal this because it takes a strong committment. Check out the below sites:

BootCamp

Geek U!

What the Tech Classroom

BleepingComputer Malware Removal Training Program

 

Explain how things are running RastaJohn. It's been a few days now. I need to give you final steps to follow if all is still well.

 

Glad the computer is running nicely. Enjoy your studies.