Malware Description And Scan Logs

Please upload the MGLogs.zip file. Did you use Bitdefender's official uninstaller tool?
re: https://www.bitdefender.com/site/view/uninstall_consumer_paid.html

 

Let's use another tool, then.

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: Make sure you download the correct version for your PC. Only the correct version will work.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please upload it to your next reply.
• The first time the tool is run, it makes also another log (Addition.txt). Upload it also to your reply.

 

Rerun RogueKiller, by right-clicking and select "Run as Administrator".
When it opens, press the Scan button. After the scan has finished, select the following items for removal and click on the “Remove Selected” button.

[PUP.Gen0|VT.PUP.Optional.Quiknowledge] HKEY_LOCAL_MACHINE\RK_System_ON_H_7BA4\ControlSet001\Services\qknfd (system32\drivers\qknfd.sys) -> Found
[PUP.Gen0|VT.PUP.Optional.Quiknowledge] HKEY_LOCAL_MACHINE\RK_System_ON_H_7BA4\ControlSet002\Services\qknfd (system32\drivers\qknfd.sys) -> Found​

After the removal is completed and your pc has rebooted, perform a new scan and upload the fresh log.


Using AdwCleaner.exe previously downloaded:

• Right-click on AdwCleaner.exe and "Run As Administrator".
• Click on the Scan button.
• When the scan has completed, click on the Clean button.
• Press OK when asked to close all programs and follow the on-screen prompts.
• Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
• After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Upload this log to your next reply.

NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.

• Save the attached (fixlist.txt) to your desktop.
• Right-click FRST and run it as admin.
• Click the FIX button.
• A report should pop up, please upload it here in your next reply.

 

Addtional instructions

Please download SystemLook.exe and save it to your Desktop.
http://downloads.malwareremoval.com/SystemLook/

• Double-click SystemLook.exe to run it.
• Copy the contents of the following codebox into the main textfield: Do Not include "Code:"
  
  Code:

  :filefind
  Bitdefender
  :folderfind
  Bitdefender
  :regfind
  Bitdefender

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please upload this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Ok - how is your machine running?

*I'm tempted to have you remove these with AdwCleaner, as I find nothing installed relating to them, and not-so-favorable online comments regarding a certain parent company. What can you tell me about them?

PUP.Optional.Legacy, C:\Users\All Users\Documents\Speedbit
PUP.Optional.Legacy, C:\Users\paulm\AppData\LocalLow\Speedbit
PUP.Optional.Legacy, C:\Users\Public\Documents\Speedbit​

Download ZHPCleaner to your desktop.

• Close all applications (including your web browsers and antivirus)
• Double-click on ZHPCleaner to run the tool.
• If you are using Windows Vista, 7/8/10; instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
• Please click the "J'accepte/I agree" button.
• First press the "Scanner" button. Be patient, the scan may take some time.
• Do NOT fix/repair anything yet! Please upload that logfile also with your next reply.

 

Have you abandoned this thread also, paulmassoth?

 

Re-run ZHPCleaner and this time choose to Repair these items -

FOUND file: C:\Windows\prefetch\REIMAGE.EXE-02B30964.pf =>.SUP.ReimageRepair
FOUND file: C:\Windows\prefetch\REIMAGEPACKAGE.EXE-3CFBE52F.pf =>.SUP.ReimageRepair
FOUND file: C:\Windows\prefetch\REIMAGEREPAIR(1).EXE-D947C72C.pf =>.SUP.ReimageRepair
FOUND file: C:\Windows\prefetch\REIMAGEREPAIR(2).EXE-3EBA3869.pf =>.SUP.ReimageRepair
FOUND file: C:\Windows\prefetch\REIMAGEREPAIR.EXE-1FA0981A.pf =>.SUP.ReimageRepair​

Further investigation into whatever process that is causing a Bitdefender error pop-up would be a topic for our software forum, most likely requiring a tool such as Process Explorer to find it. Examples of threads giving details of its use follows:
https://forums.majorgeeks.com/threads/runcc-grief.308193/#post-1967212
https://forums.majorgeeks.com/threads/ransomware-twice-please-check-logs.311220/#post-1975434

~~~~~~~~~~~~~~

It is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase it, it provide no protection. It do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
3. If running Vista, Win 7/8/10 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
4. Go to add/remove programs and uninstall HijackThis. If it's not listed, just move on to the next steps.
5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
6. After doing the above, you should work through the below link:
   • How to Protect yourself from malware!

 

This happens when you do not use Run As Administrator. Did you forget to run it that way?

 

You're welcome... but further investigation into the Bitfender pop-up issue requires you to monitor your system using Microsoft Process Explorer 16.21 as I posted in msg #14.

 

If you have run Process explorer and have something to report, Dr.M will get back with you.

 

Due to lack of activity, this thread is closed.