Mbam Busy

Discussion in 'Malware Help (A Specialist Will Reply)' started by tm711, Jan 23, 2016.

  1. tm711

    tm711 Corporal

    Malwarebytes has been busy today blocking outgoing to a certain website; apparently it is on some blacklists.
    Also, at some time a message popped up saying that Windows Firewall was blocking some Intel stuff (I do not recall what it was exactly). Being tired, I said OK, then I remembered that I use the AVG firewall, not Windows Firewall. I checked and Windows Firewall is off. Everything seems OK except that MBAM is blocking the outgoing to that ISP continuously. I have told the AVG firewall to block it too.

    Lenovo 20137, x64, AMD E1-1200 Apu, Windows 8.1. I use Start 8 as I like to have a start screen.

    AVG Pro antivirus and firewall
    MBAM home premium
    Mbae anti exploit premium
    Ccleaner
    Privazer

    Does anything look wrong in the logs? Thank you.
     

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, tm711

    Have you checked that site using VirusTotal (Free Online Virus, Malware, and URL Scanner)?

    Please re-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.
    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities Inc -> Found
    And under the Files tab delete-
    • [Hidden.ADS][Stream] C:\Windows:nlsPreferences -> Found
    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and save a log as in the original instructions and upload the new log.

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts. *Re-enable them before physically reconnecting to your ISP.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    • O16 - DPF: {4FF78044-96B4-4312-A5B7-FDA3CB328095} (ExentInf1 Class) -
    After clicking Fix, exit HJT.

    Now please download Junkware Removal Tool to your desktop.
    • Make sure to shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Next download Farbar Recovery Scan Tool (FRST) and save it to your Desktop.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run from.
    • The first time the tool is run, it also makes another log (Addition.txt).
    • Upload both log files to your next reply.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select "Run As Administrator").

    Then upload the below logs:
    • updated RK log.
    • the JRT.TXT log
    • FRST.txt
    • Addition.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. tm711

    tm711 Corporal

    RogueKiller did not find SlimWare Utilities; it did delete the Hidden.ADS. MGtools analyse did not run: "unexpected error....invalid procedure". JRT ran OK. Farbar would not run. AVG is off, yet it kept finding it and stopping it; I also could not load it to the desktop. The logs I have are attached. No idea what an Addition.txt file is.
     


  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Did you turn off UAC, reboot, and run each tool "as Administrator"?
    AVG is interfering with the download and running of FRST; you need to temporarily uninstall it and repeat my instructions. As I stated, the first time Farbar is successfully run, two logs will be produced.
     
  5. tm711

    tm711 Corporal

    Got it to run! Files attached.
     


  6. tm711

    tm711 Corporal

    I finally found out where MBAM is stashing its logs. This is the one you want.
     


  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    I haven't forgotten you, tm711, I'm conferring with my colleagues about something strange in your logs.

    dr.m
     
  8. tm711

    tm711 Corporal

    Oh great, I love being special.............NOT!

    One thing I have noticed, I use the
    AVG firewall, but the windows firewall is shown as being on, how can that be? I just turned it off.
     
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :D I imagine not! Your system should have detected AVG's firewall as being installed and auto-disabled the Windows one... that's a puzzle, for sure.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are not issues. They are policies put into place to block malicious applications from running in various folders.

    For example:

    HKLM Group Policy restriction on software: C:\Users\*.com <====== ATTENTION

    This would not allow any .com type executable to run from the C:\Users folder. My guess is this is something new that AVG is doing.


    FYI: My observation is that the service for Windows Firewall was still running per the logs.


    SERVICE_NAME: MpsSvc
    DISPLAY_NAME: Windows Firewall
    TYPE : 20 WIN32_SHARE_PROCESS
    STATE : 4 RUNNING
    (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0
     
  11. tm711

    tm711 Corporal

    Chas is right, that is what those entries do. It is from a program I downloaded to block cryptolocker, unfortunately I don't remember what it was, but it is not part of AVG. The windows firewall I turned off after the last log was posted. Hope this helps.
     
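The log line chaslang explains in post 10 and tm711 attributes to CryptoPrevent in post 11 comes from a Software Restriction Policy (SRP) path rule: a "Disallowed" rule keyed on a path pattern, stored under the Safer\CodeIdentifiers registry key, that stops executables launching from user-writable folders. The script below is an added example written for this thread, not something from the original posts, MajorGeeks, AVG or CryptoPrevent. It lists every SRP path rule in the machine and user hives (so you can see exactly which patterns a tool like CryptoPrevent put in place), reports the Windows Firewall service and per-profile state (the MpsSvc service stays Running when the firewall is switched "off" in Control Panel, which is why the log still showed it running), and can create a rule of the same shape under -WhatIf. The registry layout, value names (ItemData, SaferFlags, Description) and level numbers are the standard SRP ones and are assumptions of this example rather than details taken from the thread.

```powershell
# Added example (not from the thread): audit SRP path rules and Windows Firewall
# state on a Windows 8.1 (or later) machine. Run from an elevated PowerShell.
# Assumed SRP registry layout (standard location, not quoted in the thread):
#   HK{LM,CU}\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
#   values: ItemData (path pattern), SaferFlags (DWORD), Description.
#   <level> 0 = Disallowed, 131072 (0x20000) = BasicUser, 262144 (0x40000) = Unrestricted.

$SaferLevels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
$SaferBase   = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SaferPathRules {
    # Enumerate every SRP path rule in the given hives as objects.
    [CmdletBinding()]
    param([string[]]$Hives = @('HKLM', 'HKCU'))
    foreach ($hive in $Hives) {
        $base = "${hive}:\$SaferBase"
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $defaultRaw = (Get-ItemProperty -LiteralPath $base -ErrorAction SilentlyContinue).DefaultLevel
        $defaultLevel = $defaultRaw
        if ($null -ne $defaultRaw -and $SaferLevels.ContainsKey([int]$defaultRaw)) {
            $defaultLevel = $SaferLevels[[int]$defaultRaw]
        }
        foreach ($levelKey in Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue) {
            # Level keys are numeric (0, 131072, 262144); anything else is not a level.
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
            $level     = [int]$levelKey.PSChildName
            $levelName = if ($SaferLevels.ContainsKey($level)) { $SaferLevels[$level] } else { "Level $level" }
            $pathsKey  = "$base\$($levelKey.PSChildName)\Paths"
            if (-not (Test-Path -LiteralPath $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem -LiteralPath $pathsKey) {
                $p = Get-ItemProperty -LiteralPath $rule.PSPath
                [pscustomobject]@{
                    Hive         = $hive
                    Level        = $levelName
                    Path         = $p.ItemData          # e.g. C:\Users\*.com
                    Description  = $p.Description
                    RuleId       = $rule.PSChildName    # the {GUID} key name
                    DefaultLevel = $defaultLevel        # what runs when no rule matches
                }
            }
        }
    }
}

function Get-FirewallState {
    # MpsSvc keeps running when the firewall is turned "off" in Control Panel;
    # "off" is a per-profile setting, so report both the service and the profiles.
    $svc      = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    $status   = if ($svc) { $svc.Status } else { 'NotFound' }
    $profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.Name)=$($_.Enabled)" }
    [pscustomobject]@{
        Service  = $status
        Profiles = ($profiles -join ', ')
    }
}

function New-SaferDisallowRule {
    # Create a machine-wide Disallowed path rule of the same shape as the
    # C:\Users\*.com entry in the log. It only takes effect where SRP is already
    # enabled (DefaultLevel set under CodeIdentifiers) and after a policy refresh
    # (gpupdate /force or a reboot). Honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Added by SRP audit example'
    )
    $paths = "HKLM:\$SaferBase\0\Paths"
    $id    = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    if ($PSCmdlet.ShouldProcess($Path, "Create SRP Disallowed rule $id")) {
        $key = New-Item -Path "$paths\$id" -Force
        New-ItemProperty -LiteralPath $key.PSPath -Name ItemData    -Value $Path        -PropertyType ExpandString -Force | Out-Null
        New-ItemProperty -LiteralPath $key.PSPath -Name SaferFlags  -Value 0            -PropertyType DWord        -Force | Out-Null
        New-ItemProperty -LiteralPath $key.PSPath -Name Description -Value $Description -PropertyType String       -Force | Out-Null
        $id
    }
}

# Usage: list the rules a tool like CryptoPrevent installed, then the firewall state.
Get-SaferPathRules | Sort-Object Hive, Level, Path | Format-Table -AutoSize
Get-FirewallState
# Dry run of adding a rule like the one in the log:
# New-SaferDisallowRule -Path 'C:\Users\*.com' -WhatIf
```

Rules whose Level shows as Disallowed and whose Path points at user-writable locations (the user profile, %TEMP%, %APPDATA%) are the anti-ransomware policy the thread is talking about, not an infection; what you want to confirm is that every such rule is one you or a tool you installed put there, and that DefaultLevel is still Unrestricted so the rules are a blocklist rather than a whitelist you did not intend. Note that SRP path rules match on the path the executable is launched from, so they do nothing against code that is already running or that is copied somewhere outside the pattern first.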
  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;) Thanks for that info, tm711.

    Please delete this copy of MGtools.exe as it's in the wrong directory and wouldn't be removed when we run our final clean-up .bat file.
    C:\Users\Tom\Documents\MGtools.exe

    What's in these folders?
    C:\WINDOWS\system32\New folder (4)
    C:\WINDOWS\system32\New folder (3)
    C:\WINDOWS\system32\New folder (2)
    C:\WINDOWS\system32\New folder

    Please re-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select the below that exist and then click the Delete button.
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\SlimWare Utilities Inc -> Found
    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller, save a log as in the original instructions and upload the new log.

    NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.
    • Save the attached (fixlist.txt) to your desktop.
    • Right-click FRST(x64) and run it as admin.
    • Click the FIX button.
    • A report should pop up named Fixlog.txt, please upload it here in your next reply.

    Next download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Report button...a logfile (AdwCleaner[S#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • Upload this log to your next reply.

    *Please answer the questions I've asked and also tell me how your PC is running.
     


    Last edited: Jan 26, 2016
  13. tm711

    tm711 Corporal

    Nothing is in those folders in Windows\system32. I shall delete them. I ran RogueKiller, and deleted SlimWare Utilities and Hidden.ADS, rebooted and rescanned, and they are both back. I right-clicked on fixlist, but there was no Run as Administrator or anything similar. Should I run AdwCleaner anyway? Edit: misread instructions, trying fixlist again.
     
    Last edited: Jan 27, 2016
  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    No, you right-click FRST and "Run as Admin"/ click "Fix", etc. Please re-read my instructions. And yes - also run AdwCleaner per my instructions in post#12.
     
  15. tm711

    tm711 Corporal

    Logs attached. Sorry I misread the instructions. Laptop running ok, MBAM is being quiet.
     


  16. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Let's now deal with the AdwCleaner detections -

    Using AdwCleaner.exe previously downloaded:
    • Double click on AdwCleaner.exe to run the tool. (Vista, Win7/8 users should right-click and "Run As Administrator")
    • Click on the Scan button.
    • After the scan has finished..
    • Click on the Clean button.
    • Press OK when asked to close all programs and follow the onscreen prompts.
    • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
    • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
    • Upload this log to your next reply.
     
  17. tm711

    tm711 Corporal

    AdwCleaner log attached. Seemed to clean everything.
     


  18. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Good!
    Any remaining malware issues?
     
  19. tm711

    tm711 Corporal

    Everything seems to be OK. Thank you for your help. BTW, the thing that stops crypto is called CryptoPrevent.
     
  20. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome.

    Although I'm aware of CryptoPrevent, I hadn't seen a list of the policy changes detailed in the logs we normally receive before.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase it, it provides no protection. It does not use any significant amount of resources (except a little disk space) until you run a scan.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, Win 7/8 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7/8/10, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
    Safe surfing!
     