Think I got rid of malware, but mgtools won't run

Hey, I seem to have gotten rid of win32.agent.g*** (gpbl?)
Completed all the steps but when I got to mgtools I couldn't get it to run regularly or from a command prompt. Window flashes for a second and the directory is created, but that's it. Think I remember the message being "file or path specified can not be found."
Hoping someone here can get me up and moving with MG for the final leg of the journey. Thanks for any help.

Extra attachments in next post.

 

extra attachments.

 

Hi, becolt!

Please download RogueKiller by Tigzy to your desktop.

• See the download links under this icon:
• Double-click RogueKiller.exe to run it. (Vista and Win7 right-click and select Run as Administrator)
• When it opens, press the number 2 and press ENTER.
• A report should appear.
• Attach RKreport[1].txt to your next message. (How to attach items to your post)
  Note: It will be at whichever location you ran RogueKiller from. I asked that you put it on your desktop, so it should be there.
• You can now type the number 0 and press ENTER to exit RogueKiller.

The version of SUPERAntiSpyware you ran is out of date!
Please update to v5.0.1134 and run another Complete Scan, then attach the new log.

Now we need to run TDSSKiller by Kaspersky
Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


Please download MBRCheck by GeeksToGo to your desktop.
See the download links under this icon

• Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (How to attach items to your post)

Please download OTL by Old Timer to your desktop.

• See the download links under this icon:
• Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
• When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
• Select Scan All Users.
• Check the boxes beside LOP Check and Purity Check.
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  netsvcs
  %systemdrive%\*.exe
  /md5start
  afd.sys
  atapi.sys
  csrss.exe
  explorer.exe
  ipnat.sys
  ipsec.sys
  regedit.exe
  services.exe
  svchost.exe
  tcpip.sys
  userinit.exe
  winlogon.exe
  /md5stop
  %systemroot%\*. /mp /s
  %windir%\assembly\GAC\*.ini
  %windir%\assembly\GAC_MSIL\*.ini
  %windir%\assembly\gac_32\*.ini
  %windir%\assembly\gac_64\*.ini
  %windir%\assembly\temp\*.ini
  %windir%\assembly\tmp\u /s
  %allusersprofile%\application data\*.exe
  %systemdrive%\MGtools
  %systemdrive%
  %userprofile%\desktop
  hklm\software\microsoft\windows\currentversion\run|exe /rs
  hklm\software\microsoft\windows\currentversion\runonce|exe /rs
  

• Now click the button.
• When the scan is complete, Notepad will open with the results of the OTL scan.
• Close Notepad.
• There will be two log files on your desktop entitled OTL.txt and Extras.txt.
• Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

 

Hey, thanks for replying - damn that's a lot of scans, glad I cleaned up & defragged last night!

 

And the last one -

 

You forgot to attach the updated SAS log. Please do so now while I review the rest of your logs.

 

Whoooops here it is

 

Did you intentionally open up the above ports?

Your external drive shows an unknown MBR. May not be anything to worry about. Let me know how the PC runs after these steps.

Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.

• See the download links under this icon:
• Double-click MessengerDisable.exe
• Place a check-mark in Uninstall Windows Messenger
• Click Apply
• Click Exit

Now we need to make use of OTL by Old Timer.

• Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
• When OTL opens, copy the text in the code box below and paste it into the text-field.
  
  Code:

  [COLOR="DarkRed"]:processes[/COLOR]
  killallprocesses
  [COLOR="DarkRed"]:otl[/COLOR]
  CHR - plugin: Java(TM) Platform SE 6 U22 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
  O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - No CLSID value found.
  O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - No CLSID value found.
  O3 - HKU\S-1-5-21-1669051070-3190429066-321071993-1005\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
  O3 - HKU\S-1-5-21-1669051070-3190429066-321071993-1005\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
  O3 - HKU\S-1-5-21-1669051070-3190429066-321071993-1005\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
  O20 - Winlogon\Notify\!SASWinLogon: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\crypt32chain: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\cryptnet: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\cscdll: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\dimsntfy: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\igfxcui: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\ScCertProp: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\Schedule: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\sclgntfy: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\SensLogn: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\termsrv: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\VESWinlogon: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  O20 - Winlogon\Notify\wlballoon: DllName - (Reg Error: Key error.) - Reg Error: Key error. File not found
  [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
  [2006/07/24 16:45:11 | 000,610,304 | ---- | C] () -- C:\WINDOWS\System32\lpykrp.exe
  [2009/12/06 18:45:12 | 000,000,789 | ---- | M] () -- C:\incating.exe
  [2009/12/06 18:45:29 | 000,000,791 | ---- | M] () -- C:\lokes.exe
  [2010/02/13 13:33:07 | 000,017,467 | ---- | M] () -- C:\FLVDirect.exe
  @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\tlpsplib10.dll:SummaryInformation
  @Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E7BE3E15
  @Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:054B9966
  @Alternate Data Stream - 1271 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:HUIuBPGaeuOgtYFKJG
  @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
  @Alternate Data Stream - 1173 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:lBYOl8iCDOupbYLwVMmdAmtNQ
  @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
  @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:89EAFAFC
  [COLOR="DarkRed"]:services [/COLOR]
  [COLOR="DarkRed"]:files[/COLOR]
  dir "c:\program files\Reason 1\" /c
  xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
  xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
  xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
  xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
  ipconfig /flushdns /c
  [COLOR="DarkRed"]:reg[/COLOR]
  [COLOR="DarkRed"]:commands[/COLOR]
  [purity]
  [emptyjava]
  [emptytemp]
  [emptyflash]
  

• Now click the button.
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• When complete, Notepad will open.
• Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (How to attach items to your post)

• Now open OTL again and click the button
  Note: This automatically updates the OTL.txt log on your desktop.
• Attach OTL.txt to your next message. (How to attach items to your post)

Please download Tweaking.com - Windows Repair by Tweaking.com to your desktop.

• See the download links under this icon:
• Double-click Tweaking.com-WindowsRepair.exe to run the program.
• Click the Start Repairs tab on the far right.
• Click Custom Mode so there is a bullet in it.
• Click the Start button (bottom right)
• Click Unselect All
• Put a checkmark in the following boxes:
  • Repair WMI
  • Remove Policies Set By Infections
  • Repair Windows Updates
  Note: Leave everything else unchecked
• Put a checkmark in Restart System When Finished
• Now click the Start button (bottom right)

LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS​

 

Ports - No, I don't actually know how to do that. Unless that might be associated with Codemeter (dongle for propellerhead reason) or Dropbox. Unclear on the nitty-gritty of all that. Doesn’t look like it’s Avast using those ports – it doesn't want to load into the tray on startup for some reason now btw, but the service is running.

Can you see where the MBR is on the external? Might be from a backup of an old C drive.

No feedback from the win msg killer? Wasn’t sure if it worked.

Everything looks as though it's working normally aside from the thing with Avast, but the initial symptom wasn't a big one in the first place: I was hearing clicks like when you open a folder in explorer and realized it was FF, searched and found the regenerating resultsnemo cookie and images. Adblock must have been blocking them from actually opening the windows.

Thanks so much for your help, I really appreciate it.

 

If you attach the logs requested I can make sure you are clean now.

 

Oh weird, I wonder why they disappeared -

 

What is this file?

• C:\Documents and Settings\Ben Coultry\Desktop\launch.exe

If you do not know, upload it to VirusTotal for analysis. Let me know the results.

There was not much malware in your logs to begin with, so I doubt whatever you had tampered with Avast. You may just want to uninstall Avast and reinstall it and see if that fixes the problem. The services are running like you say. It is probably a software related problem. You can seek additional help here: Software forum

Use the Avast Uninstaller if you do decide to try my suggestion: Download Avast Uninstall Tool

I don't know what is on it as we did not gather logs on its contents. It is fairly normal for an external drive to report an unknown MBR though. Unknown does not necessarily mean infected. In your case, I highly doubt it is in fact infected since you had very little malware to begin with.

That's normal. It did work though.

You're welcome. Surf safely!

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Launch.exe: Oh that's Dr. Web.
Avast: I'll give the avast uninstall a shot, I probably screwed it up myself last night--forgot that cleanup! automatically deletes things without allowing a checkthrough so it may've happened at the same time the program obliterated my "C:\Documents and Settings\B** C******\Local Settings" folder.
Thanks again man, mind at ease. :cool

 

Good to know. Take care