Still several problems after malware process

Discussion in 'Malware Help (A Specialist Will Reply)' started by mladyraven, Oct 4, 2010.

  1. mladyraven

    mladyraven Corporal

    The problem started 2 weeks ago. I was watching a movie on Netflix and Chrome crashed, and then when I tried to re-open it, it said Chrome was corrupted. I uninstalled Chrome and put in a new version; it continued to crash at times.

    2 days ago I started to have problems getting into my different email accounts; it kept saying the passwords were not accurate.

    Today the bar where the Start button is changed, and I could not get to the Start button without changing the screen resolution. My emails had changed size, and everything I tried to cut and paste into the mail ended up with the lines on top of each other.
    I tried 2 system restores and ran all my anti-virus and anti-spyware. I have been getting tons of adware in Chrome, almost 200 a day.

    I cannot get my bar back the way it was at the same screen resolution, and my browser is still crashing.

    Thank you for any assistance you can offer. I had a problem two months ago and found several Trojans; I used the site's removal process and assumed they were removed, but now I am not sure.
    Raven
     

  2. mladyraven

    mladyraven Corporal

    I have added the MG Logs Zip file.
     

  3. evilfantasy

    evilfantasy Malware Fighter

    Suspicious files to scan

    Please go to VirusTotal.com
    (If more than one file needs to be scanned, they must be done separately and the logs posted for each one)

    1. Copy the file path in the below Code box:

    Code:
    c:\windows\system32\drivers\lvuvc.hs
    2. At the upload site, click once inside the window next to Browse.
    3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    4. Next click Send File.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    This will perform a scan across multiple different virus scanning engines.
    Important: Wait for all of the scanning engines to complete.
    5. Copy and then Paste the link to the results in the next reply.

    Important! If you get a page that says 'File has already been analysed' in the results then you will need to click the 'Show last report' button to get new scan results.

    Also scan this file and post the link to the results.

    Code:
    c:\windows\system32\drivers\logiflt.iad
     
  4. mladyraven

    mladyraven Corporal

    When I click on the link in Google I get this response:
    Oops! This link appears to be broken.
    Suggestions:
    Go to www. virustotal. com
    Search www.virustotal.com for indexf
    Search on Google:

    In FF: not found
    Went to the site and found this box.
    I am not sure where or how to paste the link on this page:
    http://www.virustotal.com/index.html
    This is the page Google sends me to. Is this the right page? There is no Browse on it. They want a file..
    Not sure what I am doing wrong.

    Am I on the wrong page? Sorry, I am not sure what to do. :-o
     
    Last edited: Oct 5, 2010
  5. mladyraven

    mladyraven Corporal

    I do not know where you found the files. Which attachment did they come from? Every time I cut and paste it says this is not a file, or no file found. So, I cannot do what you are suggesting.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just an FYI.

    The below files are just from LogiTech:
    c:\windows\system32\drivers\lvuvc.hs
    c:\windows\system32\drivers\logiflt.iad
     
  7. evilfantasy

    evilfantasy Malware Fighter

    Thanks Chas. I was worried they are legit but have seen others remove them so wanted to be sure.

    @ mladyraven - Your logs show no signs of infection, but I would like to run a full virus scan just to be sure. About the email password problem: what email client do you use, or is it an online service like Gmail or Yahoo!?


    Please follow the directions here and attach the log when complete. Using ESET's Online Scanner
     
  8. mladyraven

    mladyraven Corporal

    It happened with Gmail, Yahoo and Hotmail...
    My tool bar is still acting crazy..
    Thanks. Can I run it if I shut Mac off? Another problem: my connection keeps resetting; that started today, and MS keeps sending me the same updates. I got the same update sent to me twice yesterday and again this evening.
     
    Last edited: Oct 6, 2010
  9. mladyraven

    mladyraven Corporal

    I ran the program and there was no report, it said no virus found.
    So, I am not sure why the computer is a bit wiggy, but for now I can't find what is wrong with it.

    Thank you for the help. I am grateful!
     
  10. mladyraven

    mladyraven Corporal

    I did not do the scan right the first time. I saw a post by Chaslang and followed his directions to do the advanced options. This time it showed 4 Threats.

    Attached scan results. Thank you!
    Not sure what to do next.
     

  11. mladyraven

    mladyraven Corporal

    Sorry, dyslexic, I misread the page. I just clicked on the Scan link without reading everything. Thanks for sending me to Chas's link. I am not sure if I am ready to do a system restore or if there are other steps. Do I empty the quarantine and then delete the scanner?
     
  12. evilfantasy

    evilfantasy Malware Fighter

    I'm not seeing anything that would indicate this is a malware issue. It may be the end result of malware but as far as an active infection I don't think that is the case.

    You might try creating a new user account and then if it works okay, transfer over your documents and settings then delete the old corrupted user account.

    The other option would be to troubleshoot the current account, but that could get pretty involved and may not have good results.



    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  13. mladyraven

    mladyraven Corporal

    When I try to run "%userprofile%\Desktop\combofix" /uninstall, I get a message that it cannot be found. I did download it to the desktop. I ran a search and deleted any files and folders I found. What the ESCAN got rid of was not a problem? There was a severe Trojan infection a few months ago, so maybe these were left over from that. I assume I delete the ESCAN. I always keep SAS and Malwarebytes. I have through Cox MacSuite. Would it be better to use free AVG? Thanks for all the help; I will do everything else you suggested.
     
  14. evilfantasy

    evilfantasy Malware Fighter

    What ESET found was not actually a threat. Just a false positive.

    You can uninstall ESET in add or remove programs.

    I would suggest using any of the following:
    AVG
    Avast
    Avira
    Microsoft Security Essentials
     
  15. evilfantasy

    evilfantasy Malware Fighter

    I would like to have some more information on a few files on your computer.

    These two files:

    c:\windows\system32\drivers\28994872.sys
    c:\windows\system32\drivers\28994871.sys

    Open 'My Computer' then go to C: > Windows > system32 > drivers, then locate the files in the list.

    Once found Right-Click them and choose Properties then click the Version tab. See if you can get me any or all of the following:

    - Company Name
    - Original File Name
    - Product Name
     
  16. mladyraven

    mladyraven Corporal

    Information requested attached.
    Thanks
     

  17. evilfantasy

    evilfantasy Malware Fighter

    Okay that checks out just fine.

    Question: Do you use the Kaspersky Lab Boot Guard Driver or is this something you have uninstalled in the past?
     
  18. mladyraven

    mladyraven Corporal

    This is something I un-installed in the past. I installed it in June when I had the 3 Trojans. Then I uninstalled it.
     
  19. evilfantasy

    evilfantasy Malware Fighter

    It didn't completely uninstall so we can go ahead and get rid of them now.


    Click Start > Run and type in: services.msc
    Click OK
    In the Services window find: ICF
    Select/highlight and right click the entry, and choose: Properties
    On the General tab, under Service Status click the Stop button
    Beside: Startup Type, in the drop menu, select: Disabled
    Click Apply, then OK

    Now, go to Start > Run, and copy/paste the following into the Open box (one line at a time) then Click OK after each.

    Code:
    sc config 28994872 Boot Guard Driver start= disabled
    Code:
    sc stop 28994872 Boot Guard Driver
    Code:
    sc delete 28994872 Boot Guard Driver

    Now do the same with these.

    Code:
    sc config 28994871 start= disabled
    Code:
    sc stop 28994871
    Code:
    sc delete 28994871


    They should be gone now.
     
  20. mladyraven

    mladyraven Corporal

    I went to Run and typed in services.msc. It opened, and I looked in Services and I do not have ICF. :-o
    I have IMAPI CD-Burning
    IPSEC Service
    Indexing Service, and that's it as far as the letter I.
    Not sure what to do and why ICF is not there.
    Thanks
     
  21. evilfantasy

    evilfantasy Malware Fighter

    Sorry I messed those instructions up.

    Do this instead please.

    Download OTM by OldTimer to your desktop.

    Note: If you are using Vista or Windows 7, right-click on OTM.exe and choose Run As Administrator.

    * Save it to your Desktop.
    * Double-click OTM.exe to run it.
    * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

    Code:
    :Processes
    explorer.exe
    
    :services
    28994872 Boot Guard Driver
    28994871
    
    :files
    c:\windows\system32\drivers\28994872.sys
    c:\windows\system32\drivers\28994871.sys
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [start explorer]
    [Reboot]
    
    * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    * Click the red Moveit! button.
    * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

    * Close OTM

    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
     
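    The file-version check asked for in post 15 and the leftover driver-service removal in posts 19 and 21, as an added PowerShell example that is not part of this thread. It assumes an elevated PowerShell window on the affected Windows machine and uses only the file and service names the thread discusses; removal runs only when the script is called with -Remove.

```powershell
# Added example, not from the thread. Reads the Version resource of the two driver
# files named in the thread and checks whether a driver service is still registered
# under each name. Removal happens only with -Remove. Run as Administrator.
param([switch]$Remove)

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$names     = @('28994872', '28994871')   # service/file names from the thread

foreach ($name in $names) {
    $path = Join-Path $driverDir "$name.sys"

    # 1. Same fields as Properties > Version in Explorer, read from the file's version resource.
    if (Test-Path -LiteralPath $path) {
        $v = (Get-Item -LiteralPath $path).VersionInfo
        Write-Host "$path : Company='$($v.CompanyName)' Original='$($v.OriginalFilename)' Product='$($v.ProductName)' Version='$($v.FileVersion)'"
    } else {
        Write-Host "$path : file not present"
    }

    # 2. services.msc lists only Win32 services; kernel driver services show up here.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
    if ($null -eq $svc) {
        Write-Host "$name : no driver service registered"
        continue
    }
    Write-Host "$name : DisplayName='$($svc.DisplayName)' State=$($svc.State) StartMode=$($svc.StartMode) Path='$($svc.PathName)'"

    # 3. Optional removal in the order the thread uses. sc.exe takes the short service
    #    Name (28994872), not the DisplayName ("Boot Guard Driver"), and the value
    #    after "start=" must be separated from it by a space.
    if ($Remove) {
        sc.exe config $name start= disabled
        sc.exe stop   $name
        sc.exe delete $name
    }
}
```

    If the driver is not running, sc.exe stop reports that and the delete still succeeds; a service that is still loaded is marked for deletion and disappears after the reboot the thread asks for.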
  22. mladyraven

    mladyraven Corporal

    I did what you said, here is the report, it does not make sense to me.

    It seems the file was empty? :confused Thanks...
     

  23. evilfantasy

    evilfantasy Malware Fighter

    * Double-click OTM.exe to run it.
    * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

    Code:
    :Processes
    explorer.exe
    
    :services 
    28994872
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [start explorer]
    [Reboot]
    * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    * Click the red Moveit! button.
    * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

    * Close OTM

    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
     
