Win10: Mpgear.dll Error At Startup

Greetings and welcome to the Major Geeks Malware Forum.

While I review what you have posted please do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------

• Download Farbar Recover Scan Tool for 64 bit systems and save(or copy and paste) the file onto your Desktop
• Right click on the icon and select Run as administrator
• Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
• Click Yes to the disclaimer
• Click Scan and allow the program to run
• Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
• 2 Notepad documents should now be open on your desktop.
• Please attempt to copy and paste each report in a separate reply. If unable to do so attach both reports.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:

• FRST.txt
• Addition.txt

 

Thank you for the information. This appears to be a system corruption issue.

Shockwave Player is a security vulnerability so I would like to remove it.

Please do this.

===================================================

Uninstalling Programs Using Revo Uninstaller Free Portable

--------------------

• Download Revo Uninstaller Free Portable and save it to your Desktop
• Right click on the folder and select Extract All..., then click Extract
• Double click on the RevoUninstaller-Portable folder
• Right click on RevoUPort and select Run as administrator
• Click OK on the License Agreement
• From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)

Code:

Adobe Shockwave Player 12.3

• If the program's uninstaller appears work through the steps to remove the program(s)
• Be sure the Advanced option is selected then click Scan
• For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
• Once done click Finish
• Reboot your computer

===================================================

Farbar Recovery Scan Tool - Run Fix Using Attached File

--------------------

• Download the attached file and save it in the same location as FRST.exe (example, Desktop, USB device) <<< Important
• Right click on FRST and select Run as administrator
• Click Fix and once completed your computer will reboot
• The tool will create a log on the desktop called Fixlog.txt
• Attach the file to your reply

===================================================

Farbar Recovery Scan Tool SearchAll

--------------------

• Right click on FRST and select Run as administrator
• Copy/paste the following in the Search: box

Code:

SearchAll: MpGear.dll

• Click Search Files button
• When completed click OK and a Search.txt document will open on your desktop
• Attach the file to your reply

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

• Shockwave Player removed?
• Attached Fixlog
• Download link
• Search.txt

 

Thank you.

Please do this.

===================================================

Farbar Recovery Scan Tool Fix

--------------------

• Right click on the FRST64 icon and select Run as administrator
• Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
• There is no need to paste the information anywhere, FRST64 will do it for you

Code:

Start::
ExportKey: HKLM\SOFTWARE\Microsoft\ Windows Advanced Threat Protection
Powershell: Set-ExecutionPolicy Unrestricted
Powershell: Get-AppxPackage Microsoft.SecHealthUI -AllUsers | Reset-AppxPackage
End::

• Click Fix
• When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

• Fixlog

 

That wasn't helpful, please do this.

===================================================

Autoruns

--------------------

• Please download Autoruns and save it to your Desktop
• Right click on the autoruns64 icon on your Desktop and select Run as administrator
• Wait until the lower left hand corner of the window shows Ready
• Hit the Ctrl + S key at the same time
• Save the file onto your Desktop using the default File name:
• Please zip and attach the file to your reply

===================================================

Process Monitor Boot Log

--------------------

• Download Process Monitor and save it to your Desktop
• Right click on Procmon and select Run as administrator
• Agree to any permission requests
• Hit Ctrl + E to stop capturing events
• Hit Ctrl + X at the same time to clear the display
• Click Options then Enable Boot Logging
• Place a check mark in Generate thread profiling events
• Click OK
• Close Process Monitor
• Close any open programs and shut down your computer
• Start your computer and allow the boot up process to complete, including logging in if you use a password
• Wait 15 minutes before doing anything further
• Right click on Process Monitor and select Run as administrator
• Click Yes on the next window that appears and save the boot-time activity log onto your desktop using the default name
• Please zip and upload the file to GoFile or the file hosting site of your choice and send me a Personal Message with the download link

===================================================

Things I would like to see in your next reply.

• Attached autoruns zip file
• Download link via Personal Message

 

Thanks for the extra effort. Let's see of we can manage without the Bootlog.

Please do these things.

===================================================

Farbar Recovery Scan Tool Fix

--------------------

• Right click on the FRST64 icon and select Run as administrator
• Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
• There is no need to paste the information anywhere, FRST64 will do it for you

Code:

Start::
File: C:\Users\PC\AppData\Roaming\pPNwqdKXV52U1X7\SenseCE.exe
Folder: C:\Users\PC\AppData\Roaming\pPNwqdKXV52U1X7
End::

• Click Fix
• When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

===================================================

Farbar Recovery Scan Tool Search

--------------------

• Launch FRST
• Type the following in the Search: box

Code:

SenseCE.exe;MsSense.exe

• Click Search Files button
• When completed click OK and a Search.txt document will open on your desktop
• Copy and paste the contents of that document your reply

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

• Fixlog
• Search.txt

 

Thank you.

Please do this.

===================================================

Farbar Recovery Scan Tool Fix

--------------------

• Right click on the FRST64 icon and select Run as administrator
• Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
• There is no need to paste the information anywhere, FRST64 will do it for you

Code:

Start::
SystemRestore: On
CreateRestorePoint:
CloseProcesses:
Zip: C:\Users\PC\AppData\Roaming\pPNwqdKXV52U1X7\premed.mkv
C:\Users\PC\AppData\Roaming\pPNwqdKXV52U1X7
C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\browseui.lnk					
End::

• Click Fix
• When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply
• The tool will create a zipped folder in the same location from where FRST was run with today's date, example: 07.30.2023_13.24.50.zip. Please upload the file to my BleepingComputer Channel here
• Upon automatic reboot check for the MpGear.dll error

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

• Fixlog
• Uploaded zip file
• Error?

 

Great.

Please do this.

===================================================

Farbar Recovery Scan Tool Fix

--------------------

• Right click on the FRST64 icon and select Run as administrator
• Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
• There is no need to paste the information anywhere, FRST64 will do it for you

Code:

Start::
Zip: C:\FRST\Quarantine\C\Users\PC\AppData\Roaming\pPNwqdKXV52U1X7\premed.mkv.xBAD
Reboot:
End::

• Click Fix
• When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
• The tool will create a zipped folder in the same location from where FRST was run with today's date, example: 07.30.2023_13.24.50.zip. Upload it to the file hosting site of your choice and send me a Personal Message with the download link Do not post the link on this topic.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

• Fixlog
• Download link via PM

 

Can you manually look to see if that file exists?

 

Hmmm. Can you zip that, upload it to a web hosting site then send me a PM with the download link?

 

Thank you, I am evaluating it now.

 

Thanks for your patience.

My testing concluded the premed.mkv was malicious. A few Virustotal vendors flagged it and ESET Online Scanner detected it as well on my computer.

Let's run ESET. Please do this.

===================================================

ESET Online Scanner

--------------------

Note: You can expect this process to take a long time, up to several hours or more.

• Download ESET Free Online Scanner and save it to your Desktop
• Right click on esetonlinescanner_enu.exe and select Run as administrator
• NOTE: If the program immediately crashes rename esetonlinescanner_enu.exe to ESET.exe and attempt it again
• Click Computer Scan
• Click Full scan
• Select Enable ESET to detect and quarantine potentially unwanted applications
• Click Start scan
• Once completed click View detailed results
• Review the list of detected items for things you don't want to remove (sometimes Potentially Unwanted Applications)
• If there entries you would like to keep click Restore cleaned files
• Place a check mark in each entry you would like to restore then click Restore files then confirm the action
• Click Finish
• Save scan log and save it to your Desktop as ESETScan.txt
• Click Continue then finally click Close
• Copy and paste the ESETScan.txt file contents in your reply

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:

• ESET report

 

No need.

Things look good. Are there any remaining questions or concerns you might have before I post some tool/log clean up instructions and other information for you to consider going forward?

 

Very good.

Here is our final step and some additional information to consider.

===================================================

KpRm by Kernel-panik

--------------

• Download KpRm and save it to your Desktop (see here if you must use Chrome)
• Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
• Right click on the icon and select Run as administrator
• Click Yes on the Disclaimer
• Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
• Click Run
• Click OK on All operations are completed
• KpRm will delete itself from you Desktop and you can either save or remove the report that is generated
• You are free to remove any other tools/reports still remaining

===================================================

All Clean!

--------------

Your computer is now clean. Please consider this going forward.

===================================================

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

• Have you Been Hacked? 10 Indicators That Say Yes
• So How did I get infected?
• How to Spot the Real Download Button on Websites
• Pirated Software is All Fun and Games Until Your Data is Stolen
• Do You Need Anti-Ransomware Software for Your PC?
  How Browser Extensions Turn Into Malware
• Why You Should Update All Your Software
• How Safe Are Password Managers?
• Whats the Best Way to Back Up My Computer?
• Why Is My Internet So Slow?

Thank you for placing your trust in Major Geeks. It was a pleasure serving you.

 

Always my pleasure, my friend.