Malwarebytes Won't Install Help Please.....Malware Present

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by wllz63, Oct 3, 2017.

  1. wllz63

    wllz63 Private E-2

    Have a Dell All in one pc with windows 10 ver: 1703, Os build 15063.608, processor: Intel core I3-4130 cpu 3.4Ghz, Ram 8gb 64bit Os.

    My wife started noticing the computer acting funny 2 days ago. Started to download everything to do the malware removal. I started to install Malwarebytes and the UAC box pops up that says "this app has been blocked for your protection." I have renamed it per instructions. Still get the same pop up. Need some advice on best way to get started so I can get this fixed. Thanks
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just continue on with the Read and Run First instructions.
     
  3. wllz63

    wllz63 Private E-2

    ok
     

    Attached Files:

  4. wllz63

    wllz63 Private E-2

    My PC won't let me type at the moment, so I am replying on my phone .... I cannot get Malwarebytes or RogueKiller to install. I did attach two logs and hope that's a start... PC is getting worse
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rerun Hitman and remove everything it found. Reboot and rescan with Hitman and attach the log. See if any of the other tools now run.
     
  6. wllz63

    wllz63 Private E-2

    ok something is definitely blocking me from doing certain things. I reran Hitman and put on all to delete. Clicked next and entered email to use one time license for free for 30 days and it pops up saying firewall is blocking access. So I went and checked and firewall is turned off... now what?
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try right clicking it and choose Run As Admin....then see if you can remove everything.
     
  8. wllz63

    wllz63 Private E-2

    ok here is what is happening
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Also, you did not let MGTools run to completion. Please run it again and do nothing until it tells you it is finished.
     
  10. wllz63

    wllz63 Private E-2

    ok as you can see thru the screenshot that anything I'm trying is being blocked. I'm trying have no clue what to do.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I can't read that screen shot. Let's see if you can run an online scan:

    eSet Online Scan.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTM by Old Timer and save it to your Desktop.
    Code:
    :Processes
    explorer.exe
    :Files
    C:\Program Files\AvMVIUoBwtUn\StEEeCHtby.exe
    C:\Program Files\CKCpTyVyQIE\kcHTmz0.dll
    C:\Program Files\CKCpTyVyQIE\qfbsHhGAyI.exe
    C:\Program Files\CKCpTyVyQIE\tXj34bC.dll
    C:\Program Files\FastDataX\fastdatax.exe
    C:\Program Files\ICBaloCIDxXU2\tkpzdbfixXPDo.dll
    C:\Program Files\TQoarIXzU\kzbiXD.dll
    C:\Program Files\3D - Andotit\3D - Andotit.dll
    C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe
    C:\ProgramData\smp2.exe
    C:\ProgramData\Windows\System32\Mswapi32.dll
    C:\ProgramData\WinWGA.exe
    C:\Users\Annette\AppData\Local\PCBooster\booster.exe
    C:\Users\Annette\AppData\Local\Temp\09243cf91e6342afa83b493ea3cdb56c\ytab_m_1_big.exe
    C:\Users\Annette\AppData\Local\Temp\13505f6e76f640cfb32314e70c81cb0e\setup.exe
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.
    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach that document back here in your next post.
     
  13. wllz63

    wllz63 Private E-2

    well after reboot a log popped up. I went to open internet and I have no internet connection. My wireless shows connected yet when I open a web page both in Chrome and in Edge it says no proxy server to connect to
     
  14. wllz63

    wllz63 Private E-2

    ok finally got it to go online here is the otm log you requested
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please rerun Hitman and attach the new log. Are you able to run any of the other scans?
     
  16. wllz63

    wllz63 Private E-2

    ok here is the latest
     

    Attached Files:

  17. wllz63

    wllz63 Private E-2

    ran MGtools, said it was complete, here is the txt file. Malwarebytes and Rogue still won't run
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Navigate to C:\_OTM\MovedFiles and delete it. Reboot and rescan with Hitman, attach the new log.
     
  19. wllz63

    wllz63 Private E-2

    ok I deleted the requested otm folder rebooted and ran hitman , log attached
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please delete everything in your recycle bin. Now let's see if the Hitman log comes back clean.
     
  21. wllz63

    wllz63 Private E-2

    newest hitman log
     

    Attached Files:

  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Code:
    :Processes
    explorer.exe
    :files
    C:\Program Files (x86)\AvMVIUoBwtUn\StEEeCHtby.exe
    C:\Program Files (x86)\CKCpTyVyQIE\kcHTmz0.dll
    C:\Program Files (x86)\CKCpTyVyQIE\qfbsHhGAyI.exe
    C:\Program Files (x86)\CKCpTyVyQIE\tXj34bC.dll
    C:\Program Files (x86)\FastDataX\fastdatax.exe
    C:\Program Files (x86)\ICBaloCIDxXU2\tkpzdbfixXPDo.dll
    C:\Program Files (x86)\TQoarIXzU\kzbiXD.dll
    C:\ProgramData\326e133250304cdd9018b2994e03314c\chipset.exe
    C:\Users\Annette\AppData\Roaming\76cce9c4cc3e4891afe412379a9cc833\chipset.exe
    C:\Users\Annette\AppData\Roaming\76cce9c4cc3e4891afe412379a9cc833\TIJQKHKAQE.exe
    C:\Users\Annette\AppData\Roaming\excdir\acins\work.dll
    C:\Users\Annette\AppData\Roaming\gplyra\gplyra.exe
    C:\Users\Annette\Downloads\adobe_flash_setup_1883583091.exe
    C:\Users\Annette\Downloads\adobe_flash_setup_1962693662.exe
    C:\Users\Annette\Downloads\adobe_flash_setup_3041669635.exe
    C:\Windows\System32\bi3.exe
    C:\ProgramData\SearchModule
    C:\Users\Annette\AppData\Roaming\AGData
    C:\Users\Annette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
    C:\Users\Annette\AppData\Roaming\System Healer
    C:\Windows\System32\Tasks\System HealerPeriod
    C:\Windows\System32\Tasks\System HealerStartUp
    C:\Windows\System32\Tasks\SystemHealer Monitor
    C:\Windows\System32\Tasks\SystemHealer Run Delay
    C:\Windows\Tasks\System HealerPeriod.job
    C:\Windows\Tasks\System HealerStartUp.job
    :reg
    [-HKU\S-1-5-21-3730457624-2241265431-985006982-1001\Software\Microsoft\Internet Explorer\MAIN\Start Page]
    [-HKU\S-1-5-21-3730457624-2241265431-985006982-1001\Software\Microsoft\Internet Explorer\SearchScopes\{C0D0B124-889E-4B43-B0BE-7A0EE8352996}]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerPeriod]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerStartUp]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemHealer Monitor]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemHealer Run Delay]
    [-HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564]
    [-HKLM\SYSTEM\ControlSet001\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}]
    [-HKLM\SYSTEM\ControlSet001\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}]
    [-HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}]
    [-HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}]
    [-HKU\S-1-5-21-3730457624-2241265431-985006982-1001\Software\ProductSetup\1I1T1Q1S]
    [-HKU\S-1-5-21-3730457624-2241265431-985006982-1001\Software\System Healer]
    [-HKU\S-1-5-21-3730457624-2241265431-985006982-1001\Software\WajIEnhance]
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.
    After running OTM, if the program has not asked for a reboot, reboot. Now navigate to the C:\_OTM\MovedFiles and delete it. Then open the Recycle Bin and delete everything there.
    Again, reboot. Then rescan with Hitman and attach the new log. Hopefully it will be clean now.
     
  23. wllz63

    wllz63 Private E-2

    here is the new log I am going to return and finish the steps and next reply will have the new hitman log...thanks
     

    Attached Files:

  24. wllz63

    wllz63 Private E-2

    ok here is the latest hitman log. still came up with a couple items in the scan..... I will wait to hear back. thank you for all your help!!
     

    Attached Files:

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok, we are getting there. Now rerun OTM and delete these:

    Code:
    :Processes
    explorer.exe
    :files
    C:\Windows\a9dd7c8de385d182afa38000cd370ac2.exe
    C:\Windows\System32\bi3.exe
    C:\Windows\System32\Tasks\System HealerPeriod
    C:\Windows\System32\Tasks\System HealerStartUp
    C:\Windows\System32\Tasks\SystemHealer Monitor
    C:\Windows\System32\Tasks\SystemHealer Run Delay
    :reg
    [-HKU\S-1-5-21-3730457624-2241265431-985006982-1001\Software\Microsoft\Internet Explorer\MAIN\Start Page]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerPeriod]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerStartUp]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemHealer Monitor]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemHealer Run Delay]
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.
    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach that document back here in your next post.
    Now do as before.....navigate to the C:\_OTM\MovedFiles folder and delete it. Then...clean out the Recycle bin. Reboot and rescan with Hitman and attach the new log. :)
     
  26. wllz63

    wllz63 Private E-2

    OTM log...
     

    Attached Files:

  27. wllz63

    wllz63 Private E-2

    here is the hitman log.... still showing up a few items.
     

    Attached Files:

  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Since it is being stubborn, right click on the start menu, click on file explorer, click on This PC, Click on the "C" drive, double click on Windows, scroll down to system32, then look for and delete C:\Windows\System32\bi3.exe.

    If it is in the Recycle bin, empty it. Reboot and see if you can run the other scans ( ADWCleaner, RogueKiller and again, Hitman).
     
  29. wllz63

    wllz63 Private E-2

    ok was able to locate and delete bi3.exe, rebooted and tried to get ADWCleaner to load onto PC, downloads but says it is corrupt. Malwarebytes and RogueKiller, neither will install. Log from Hitman attached
     

    Attached Files:

  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    System Healer is being a pain.

    Let's see if you can download and run this:

    Please download and run SuperAntispyware

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.

    Post the scan results from SuperAntispyware.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have one other suggestion to try before it gets too late in the evening. I want you to turn off UAC and retry MBAM.

    To do this:

    Click Start, and then click Control Panel.
    • In Control Panel, click User Accounts.
    • In the User Accounts window, click User Accounts.
    • In the User Accounts tasks window, click Turn User Account Control off by sliding the bar down to never notify.
    Now retry MBAM.

    You can always access it by typing Control Panel in the search bar.
     
    Last edited: Oct 4, 2017
  32. wllz63

    wllz63 Private E-2

    tried to install SuperAntispyware, blocked. Turned off UAC and tried MBAM and that's blocked.. everything I try is blocked ...
     
  33. wllz63

    wllz63 Private E-2

    reran Hitman for you to see
     

    Attached Files:

  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Code:
    :Processes
    explorer.exe
    :files
    C:\Program Files\McAfee Security Scan\3.11.599\McCHSvc.exe
    C:\Program Files\McAfee Security Scan\3.11.599\SSScheduler.exe
    C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe
    C:\Windows\System32\Tasks\System HealerPeriod
    C:\Windows\System32\Tasks\System HealerStartUp
    C:\Windows\System32\Tasks\SystemHealer Monitor
    C:\Windows\System32\Tasks\SystemHealer Run Delay
    C:\Program Files (x86)\Mindspark\EliteUnzip\uninstall.exe
    C:\shit folder\avast_free_antivirus_setup_online_cnet2.exe
    C:\Users\Annette\Desktop\Antivirus_Free_1817.exe
    C:\Users\Annette\Downloads\esetonlinescanner_enu.exe
    C:\Users\Annette\AppData\Local\Mindspark_Interactive_Net\EliteUnzip.exe_StrongName_gzmrfrrkrve1wghp1nel3iobez4nojnd\
    
    :reg
    [-HKLM\SYSTEM\CurrentControlSet\Services\TrueKey]
    [-HKU\S-1-5-21-3730457624-2241265431-985006982-1001\Software\Microsoft\Internet Explorer\MAIN\Start Page]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerPeriod]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerStartUp]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemHealer Monitor]
    [-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemHealer Run Delay]
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.
    Do as before....delete the C:\_OTM\MovedFiles folder and empty the Recycle Bin. Then reboot and rescan with Hitman.

    Please do not do anything unless I ask you to!
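
The scripts in posts 22, 25 and 34 name some of the same targets again; those are the ones the earlier pass did not clear. As an added example (not part of the original thread and not OTM's own code), this Python code parses scripts in the layout shown above and lists every target named in more than one round. The function names are hypothetical and the embedded scripts are shortened excerpts of the ones posted.

```python
# Added example (not from the thread): parse OTM scripts laid out like the
# ones posted above and list removal targets repeated across rounds.
SECTIONS = ("processes", "files", "reg", "commands")

def parse_otm_script(text):
    """Split a script into {section: [entries]}.

    Headers are matched case-insensitively because the thread writes both
    ':Files' and ':files'. Blank lines are ignored.
    """
    parsed = {name: [] for name in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            if current not in parsed:
                raise ValueError(f"unknown section header: {line!r}")
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            parsed[current].append(line)
    return parsed

def removal_targets(parsed):
    """Return the set of (kind, name) pairs a script asks to remove.

    Windows paths and registry key names are case-insensitive, so both are
    lower-cased; a trailing backslash on a folder path is dropped.
    """
    targets = {("file", p.rstrip("\\").lower()) for p in parsed["files"]}
    for entry in parsed["reg"]:
        # Every :reg entry in the thread has the form [-KEY]; reject others.
        if not (entry.startswith("[-") and entry.endswith("]")):
            raise ValueError(f"unexpected :reg entry: {entry!r}")
        targets.add(("reg", entry[2:-1].lower()))
    return targets

def recurring_targets(rounds):
    """Map each target listed in two or more rounds to the rounds naming it."""
    seen = {}
    for label, text in rounds:
        for target in removal_targets(parse_otm_script(text)):
            seen.setdefault(target, []).append(label)
    return {t: labels for t, labels in sorted(seen.items()) if len(labels) > 1}

# Excerpts of the scripts in posts 22, 25 and 34 (shortened for the example).
POST_22 = r"""
:Processes
explorer.exe
:files
C:\Program Files (x86)\FastDataX\fastdatax.exe
C:\Windows\System32\bi3.exe
C:\Windows\System32\Tasks\System HealerPeriod
:reg
[-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerPeriod]
:Commands
[Reboot]
"""
POST_25 = r"""
:files
C:\Windows\a9dd7c8de385d182afa38000cd370ac2.exe
C:\Windows\System32\bi3.exe
C:\Windows\System32\Tasks\System HealerPeriod
:reg
[-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerPeriod]
"""
POST_34 = r"""
:files
C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe
C:\Windows\System32\Tasks\System HealerPeriod
:reg
[-HKLM\SYSTEM\CurrentControlSet\Services\TrueKey]
[-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerPeriod]
"""
ROUNDS = [("post 22", POST_22), ("post 25", POST_25), ("post 34", POST_34)]

if __name__ == "__main__":
    for (kind, name), labels in recurring_targets(ROUNDS).items():
        print(f"{kind:4} {name}  <- {', '.join(labels)}")
```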
     
  35. wllz63

    wllz63 Private E-2

    first time its left 2 files..
     

    Attached Files:

  36. wllz63

    wllz63 Private E-2

    ok went to go to c: otm and delete the moved files folder and the c:program file folder with Mcafee sscheduler is in there and it wont let me delete it.... what should I do? I have rebooted yet or ran hitman
     
  37. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Reboot.

    Something is hidden and hooked into your system. Let's try this approach:

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7, 8 and 10 users need to right click and choose Run as Administrator

    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7,8 or 10 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    If you are having problems running Rkill, you can download iExplore.exe or eXplorer.exe, which are renamed copies of Rkill.com, and try them instead.
    * If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run then try to immediately run the following.

    Now download and Run exeHelper from Raktor
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  39. wllz63

    wllz63 Private E-2

    ok ran the first rkill I downloaded. Could not find exehelper and I could not get the mcafee remover to download....all it says is the signature is corrupt...
     

    Attached Files:

  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  41. wllz63

    wllz63 Private E-2

    mbam wont run here is the hitman log
     

    Attached Files:

  42. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to add/remove programs and uninstall Mindspark. Do the same for Network\Dsq.

    In the meantime, I need to consult with a colleague. I will get back to you soon. Hang in there.
     
  43. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One last ditch effort:

    I want to see if perhaps you can get anywhere by using Safe Mode with Command Prompt. But before trying to reboot in this mode, you first need to use another PC to download the below two files:
    1. Malwarebytes Anti-Malware
    2. MGtools.exe
    Copying the above two files to the problem PC.
    • Now copy the above two files to either a CD or flash drive.
    • Put this CD or flash drive into the problem PC and see if you can use Task Manager to copy the files to the root folder of the Windows boot drive which is normally drive C. If you don't have any idea how to do this from Task Manager, try the below methods (I'll give two methods in case the 1st does not work)
      • Method 1 to Copy Files
        1. Click File, New Task (Run...) and then click the Browse button.
        2. Use the Browse windows to navigate to the CD or flash drive.
        3. Select the MGtools.exe file by clicking on it once so that it is highlighted.
        4. Then press CTRL-C to copy the file.
        5. Then navigate back to the C drive by clicking the My Computer icon in the Browse window. Select the C drive by double clicking on it.
        6. Then press CTRL-P to copy the file to the C drive root folder.
        7. Repeat for the mbam-setup.exe file.
      • Method 2 to Copy Files
        1. Click File, New Task (Run...) and enter cmd and click OK.
        2. If the above works a command prompt window will open
        3. In the command prompt window type cd C:\ and hit the enter key. This should change the prompt in the window to C:\>
        4. Now you need to know the drive letter of the CD drive or the flash drive that you will be copying from to do the below command. I'm going to assume the drive letter is E and put that in my example command. So enter the below commands followed by the enter key:
          • copy E:\MGtools.exe
          • copy E:\mbam-setup.exe
        5. If the above copy commands work, you should get a response of 1 file copied for each command.
    • Now reboot the PC by selecting the Shutdown tab in Task Manager and then select Restart to restart the PC.
    • and press the F8 key to get to the boot menu.
    • In the boot menu, select Safe Mode with Command Prompt
    • When the PC boots up, you should eventually get a command prompt window to open (assuming everything works OK).
    • In the command prompt window, enter the below commands (the commands are in black bold print. Other text are just comments or explanations).
      • cd C:\
      • mbam-setup.exe
        • this will attempt to install Malwarebytes. At the end of the installation procedure, just uncheck the option to update Malwarebytes but leave the option to Launch the program checked. This should automatically run the program.
        • If it installs and runs, select Perform quickscan
        • when it finishes running, make sure you fix everything it finds and then save a log.
        • Now continue on with the next commands below
      • mgtools.exe
        • wait for MGtools to finish running. When it finishes, the C:\MGlogs.zip file will exist. Now continue on to the next steps below
      • Now hit CTRL-ALT-DEL to bring up Task Manager and select the Shutdown tab and then select Restart to restart the PC. See if it will boot in normal mode now.
    • If you can log in now and get to a normal Desktop, attach the C:\MGlogs.zip file and the log from Malwarebytes.
     
  44. wllz63

    wllz63 Private E-2

    ok will not be able to get to a clean pc till tomorrow... I will put both files on flash. and as soon as I get home tomorrow night Ill start messing with it... thank you. we going to get this?
     
  45. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, we are going to get this!! Hang in there.
     
  46. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I want you to try one thing before you do the above:

    Type the code below into Notepad and save it to your desktop. Give it any name you want but make sure you give it a .bat extension (i.e. Malware.bat). Click on it twice to open and it will take just a second to run. THEN you can try running Malwarebytes Anti-Ransomware software to remove it. Then REBOOT. Once that's finished run Malwarebytes Anti-Malware to make sure there's nothing else hiding on your system.
    Code for stopping processes and deleting VMXClient:
    Code:
    taskkill /f /im svcmx.exe
    taskkill /F /IM svcmx.exe
    taskkill /f /im vmxclient.exe
    taskkill /F /IM svcvmx.exe
    taskkill /F /IM nvvsvc.exe
    taskkill /F /IM nvxdsync.exe
    taskkill /F /IM wuauclt.exe
    
     
  47. wllz63

    wllz63 Private E-2

    ok created the code in Notepad, saved it as a .bat and ran it... went to open Malwarebytes anti-ransom and that was a no go... blocking it from opening....do I go and try to run safe mode and install the 2 files you had me put on a USB stick?
     
  48. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes. If you need to, write down the instructions first.
     
  49. wllz63

    wllz63 Private E-2

    we got to safe mode, installed both files. Malwarebytes installed but no option to run after install. Double clicked to run and it did nothing. MGtools installed and running, got to "running analyse.exe" and a pop up came up, it says...in a box...TrendMicro Hijack this...and it wants me to hit I DO NOT ACCEPT or I AGREE. What do we do? It's been 10 min so tell me what to do
     
  50. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please hit I agree.....twice.
     
