LeBag Trojan

You need to disable UAC as requested and then you need to download and use the current version of MGtools also as requested and attach the new log. You should not be keeping old versions of MGtools around. You should have complete final instructions last time which includes removing anything related to MGtools.

 

You're welcome.

You only need to download and run the current version of MGtools and attach the new log.

You're right. I went back and look at your last thread and you were never given final instructions so that was not your fault. However, for future reference, you should always download and use current versions of tools anytime you have a problem.

 

I'm sorry but there are two issues with doing this:

1. You need to run the cleaning process/scans on the user account that is having problems so that we can see the problems. There are no signs of problems in the admin account.
2. You must keep UAC disabled until we finish any cleanup otherwise it will just keep getting in the way and you will have to keep disabling it and rebooting after disabling in order for the change to take effect. And you will have to keep doing this before ever fix we provide. Thus it is easier to just keep it disabled.

However we will attempt some cleanup anyway. But before doing this, temporarily change the "Ron" user account into an admin account and then reboot and log into the Ron user account to do the below.

If UAC is enabled, you will have to disabled it and reboot again into the Ron account.

Please download OTM by Old Timer and save it to your Desktop.

• Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Windows\amdkyf.txt
C:\Windows\azypjit.txt
C:\Windows\is-71VBC.exe
C:\Windows\is-71VBC.lst
C:\Windows\is-71VBC.msg
C:\Users\Ron\AppData\Local\pbxgppoo\xhpsapuf.exe
C:\Users\Ron\AppData\Local\Temp\pmnnfrwl.exe
C:\Users\Ron\AppData\Local\Temp\xhpsapuf.exe
C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhpsapuf.exe
C:\Users\Ron\AppData\Local\pbxgppoo
C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
C:\ProgramData\mlkjqdtd.log
C:\Windows\TEMP\*.*
C:\Users\Admin\AppData\Local\Temp\*.*

:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
"InnoSetupRegFile.0000000001"=-
[HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\RunOnce]
"InnoSetupRegFile.0000000001"=-
[HKEY_USERS\S-1-5-21-3965089189-2858296701-1019616836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XhpSapuf"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

It's MGlogs.zip not MGtools.zip Did you use Right Click and select Run As Administrator to run GetLogs.bat ?

It puts in in both locations. ( the desktop of the account that ran it and the root folder and it is MGlogs.zip ). The one on the Desktop could not exist if the one in C:\MGlogs.zip does not exist because that is where it is copied from.

 

Right click on C:\MGtools\ReZip.bat and select Run As Administrator, then look in the C:\MGtools folder for a slightly different zip file named MGlogsR.zip Attach it to your next message.

 

Your logs look good. Are you having any more problems?

 

See if following the below reenables it.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
3. Go back to step 4 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
5. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome. Surf safely!