Please help

If you think this is a malware issues ( which I am doubtful about ), please do the following:

READ & RUN ME FIRST. Malware Removal Guide

 

I don't understand what you are trying to tell me. What function was restored?
Again, I can't help you without looking at the requested logs.

 

Using System Restore may not work because the restore points could be infected. Again, I can't say for sure without seeing the requested logs.

 

When ever you are ready, I will be here.

 

MGTools did not run to completion. You need to run it again and let it finish.

In the mean time, Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

Code:

¤¤¤ Registry : 18 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{41564952-412D-5637-00A7-7A786E7484D7} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{44CBC005-6243-4502-8A02-3A096A282664} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{80703783-E415-4EE3-AB60-D36981C5A6F1} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{D8278076-BC68-4484-9233-6E7F1628B56C} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{F297534D-7B06-459D-BC19-2DD8EF69297B} -> Found
[PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41564952-412D-5637-00A7-7A786E7484D7} -> Found
[PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ApnTBMon : "C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | {bdd08425-8fa4-0fcb-178f-481f050299a4} : "C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{bdd08425-8fa4-0fcb-178f-481f050299a4}\{bdd08425-8fa4-0fcb-178f-481f050299a4}.exe"  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {bdd08425-8fa4-0fcb-178f-481f050299a4} : "C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\{bdd08425-8fa4-0fcb-178f-481f050299a4}\{bdd08425-8fa4-0fcb-178f-481f050299a4}.exe"  -> Found
[PUP] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\APNMCP ("C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe") -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\APNMCP ("C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe") -> Found
[PUP] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\APNMCP ("C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe") -> Found
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found

Place a checkmark next to each of these items, leave the others unchecked.
Now press the Delete button.

When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message.

Now rerun Hitman and have it fix everything it finds. Then attach the new log.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Attach the new C;\MGLogs.zip.

 

MyGTools still did not run properly. You are not showing any malware, so it may be a problem with your system.

Let's try this:

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Set Windows Services To Default Startup
  
  
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished.

After it completes, disable all protection software and try to run C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

 

Can you uninstall Avira for the time being? That's all I want you to do before you try running MGGet logs.

 

Try to run the Windows Repair tool, but other than that, if it doesn't help you will need to post in the software forum as this does not appear to be a malware issue.

 

Be patient with the scan....it takes a while. Let me know how you make out.

 

Try to run it in normal mode.

 

Since you are having some issues running the MGtools program properly, I'm going to jump in here for a bit. Make sure you run things as requested below! That is do not run MGtools.exe anymore and do not run the M.G.exe that you have been running. In fact the below will delete it.

We are going to also finish cleaning up after Avira since it did not uninstall properly.


Please download OTM by Old Timer and save it to your Desktop.

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe

:Services
AntiVirSchedulerService
AntiVirService
 
:Files
C:\Documents and Settings\Administrator.ME-8E7FF9DC8427\Desktop\M.G.exe
C:\Program Files\Avira

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{41564952-412D-5637-00A7-7A786E7484D7}"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Now please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• the JRT.TXT log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

This is okay for now. The rest of the program ran properly this time and now your logs are more complete.

Let's investigate a little further on your issues with System Restore. It did notice that there are a few Windows Services that are not running that should be. However do note that I see that this PC as had several issues with your user accounts and possibly registry hives for them. There are multiple secondary transfer accounts that were create automatically by Windows which is what happens when there are problems like this in Windows itself. This could be part of your problems and it may not be addressable in this forum.

Please download the latest version of FRST the below link.
Farbar Recovery Scan Tool and save it to your Desktop.



Note: Make sure you download the proper version ( 32 bit or 64 bit ) for your PC. Only one will run, the correct one. So it you make a mistake and download the wrong one, go back and get the other.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Now please download Farbar Service Scanner and run it on the computer with the issue.

• Put a check mark in each option box on the left side.
• Click "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach this log to your next reply.

 

Okay there are still a bunch of items from Avira to remove and also there are some policy restrictions to remove.


Download this >> View attachment fixlist.txt

Save fixlist.txt on your Desktop. Make sure you save it as a txt file.

• You should now have both fixlist.txt and FRST.exe on your Desktop.
• Run FRST.exe by double clicking on it
• Click the Fix button just once and wait.
• Your computer should reboot after the fix runs.
• The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)

Now rerun the Farbar Service Scanner and save a new log

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• Fixlog.txt
• the new FSS.txt
• C:\MGlogs.zip

 

I did not ask you to run MGtools.exe. Your logs show you ran the below

C:\Documents and Settings\Administrator.ME-8E7FF9DC8427\Desktop\MGtools.exe

Please delete this file and stop running it. You need to follow the instructions as given. I asked you to run C:\MGtools\Getlogs.bat

You don't need to run it again right now though but please pay closer attention to the details of the instructions.

Okay now we need to repeat the running of Farbar Recovery Scan Tool

• Double-click to run it. When the tool opens click Yes to disclaimer if there is one.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.

 

Okay there are still a few things from Avira that are not cleaning up since FRST is being run in normal boot mode which is the only way it can run on Win XP. Let's run ComboFix as below.


Now download and save a copy of combofix.exe and save it directly onto your Desktop folder.

• Then double click on it to run it. Do not disturb it by clicking in the window that opens or it may stall.
• After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.
• If after running Combofix you discover none of your programs will open up because you receive the following error:
  • Illegal operation attempted on a registry key that has been marked for deletion
• Then you will need to reboot your computer which will normally fix this problem.

 

Now we need to use ComboFix to cleanup after Avira

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You're welcome.

Your logs look good now.

All of your non-malware related questions are better served by posting in the Software Forum. But if you plan on keeping this PC for awhile then the first thing you should do is add another gigabyte of memory to it.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
3. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
9. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
   • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore​
   • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
   • Then we want you to Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Thanks for reporting this. I removed that reference now since it is no longer available. And fixed another link too while I was at it.


You're welcome and surf safely!