Problems After Removing "ntuser.vbe"

Discussion in 'Malware Help (A Specialist Will Reply)' started by pentlandite, Sep 7, 2018.

  1. pentlandite

    pentlandite Private E-2

    Dear Major Geeks,

First, a short description of what happened before. I detected "ntuser.vbe", both on a USB pendrive and on my PC (the latter in C:\Users\MyUserAccount). By the way, I have a Windows 8, 64-bit system. As the file was recreated each time I was erasing it on USB, I tried to be smart and quickly pulled the USB drive out of the computer just after erasing it - in other words, I tried to be faster than the recreation process. It seemed to work, as I noticed when I plugged the USB drive into a Macbook -> no "ntuser.vbe" detected. Afterwards, I removed the file from my PC with a Malwarebytes scan.

    Since then, I noticed some changes in the behavior of my computer, including:

    - I cannot open Outlook -> when I do that I get the message that Outlook is unable to open my ".ost"-file (in "C:\Users\MyUserAccount\AppData\Local\Microsoft\Outlook"). This is followed by the message that Outlook cannot be started, the Outlook window cannot be opened, the folder group could not be opened, client operation failed.

    - I cannot save any data on my Desktop. I get the message that I do not have the permission to save in this location and should contact the administrator to obtain the permission (when I save a text file with Notepad)

- When I try to open a new Excel sheet, I get the message that Excel cannot open or save any additional files because there is not enough memory or hard drive space available.

    - When I try to start File Explorer by right-clicking on the Windows icon (the one in the bottom left) and selecting "Explorer", nothing happens.

    - I cannot view pictures with Windows Photo Viewer, as it says that I do not have the correct permissions to access the file location.

I performed the scans with AdwCleaner, Malwarebytes, RogueKiller, HitmanPro and MGTools. The logs for the first four scans are attached. MGTools was not able to create a log, so I pasted the console output into a text file and attached it to the message - I could paste only the content I saw in the console, so the initial messages are not included there.

    If needed I can provide you with the Malwarebytes log from the previous scan, when "ntuser.vbe" was removed.

    The User Account Control was disabled before performing the scans. It is still disabled now.

    My internet browser (Firefox) seems to be OK. I create this post from the infected PC. My whole system is set in German, so I translated the dialog messages given above by myself.

    I would humbly request for your help to bring my computer back to the initial state, Sir/Ma'am...


    Best regards
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

You did not run MGTools.exe correctly. Please run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, or Win8 or Win10, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).
     
  3. pentlandite

    pentlandite Private E-2

    Thank you for the quick reply!

    I am sorry for not running the MGTools.exe correctly. I just clicked on the icon of the MGTools.exe file, as suggested in "Using MGtools"-thread (for Windows 8 user) and the things just happened...

    I ran now the GetLogs.txt as instructed. The zip file is attached to this message. By the way, I could not attach the zip file on the infected PC - nothing happened when I clicked on "Upload a File" button. I typed this post on another computer.

    Best regards
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding any malware in your system. Let's do two things.

    Go to run...type in %temp% and clean it all out.

    Next, go to run....type sfc /runnow. You may have to do it twice.

    If that doesn't help, you then need to post in the software forum for additional assistance.

    Since you are not having any malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 or 10 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
     
  5. pentlandite

    pentlandite Private E-2

    Thank you for your reply. I am sorry for the delayed answer, I just spent a nice weekend without any computers...

    I proceeded as instructed and allow me to share the following remarks:

    - during cleaning the Temp-directory, I had to close some programs before removing those. The only one left was FXSAPIDebugLogFile.txt which was reported to be open in Windows Explorer. Although I found some ways in Google how to remove it, I let it stay. Do you mean I should remove it as well?

    - I ran sfc /scannow (instead of /runnow which was not found) in Command Prompt (admin mode) rather than over run - the latter just popped up the Command Prompt window which disappeared right away. I took this way around (Command Prompt in admin mode) as suggested by Google.

    - sfc returned the following message "Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not supported in offline servicing scenarios.". I found this cbs.log file, which is of around 1 MB size. Do you wish me to upload it here?

    I would like to ask you if dealing with the sfc-reported problem is beyond your/this-forum-section responsibility. If this is the case, I am going to proceed with the 7 steps from your last post and bother your colleagues in the software forum, as suggested. Otherwise, I am eager to get more instructions from you.

    Best regards
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    My mind must have been out to lunch. Yes, scannow. Gezzz.. but if you found corrupt files, you will need to post in the software forum for further assistance.
     
  7. pentlandite

    pentlandite Private E-2

    Thank you very much for your advice and patience. God bless you.

    Best regards
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good luck. :)
     
  9. pentlandite

    pentlandite Private E-2

Eeehhhmmmmmm... Just wanted to mention that running EnableUAC.reg did NOT result in switching the UAC to the initial state. I did click on Yes in the appearing Registry Editor window (the one with the long text: Adding information can unintentionally change or delete values and cause components to stop working correctly. If you do not trust the source of this information in C:\MGtools\EnableUAC.reg, do not add it to the registry. Are you sure you want to continue?) which was followed by the next Registry Editor window claiming that The keys and values contained in C:\MGtools\EnableUAC.reg have been successfully added to the registry. Maybe it is because of my corrupted Windows... Anyway, I switched UAC to the previous state manually (over Control Panel).

    MGclean.bat did the job as expected.

    Thank you once again!

    Best regards
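An added PowerShell example (not code from this thread or from MGtools) that covers the two checks the exchange above turns on: it reads the UAC values in the registry key that EnableUAC.reg writes to (a change to EnableLUA only takes effect after a reboot, so the value and the live behaviour can disagree until then), and it parses the "[SR]" lines of CBS.log to list which files sfc /scannow reported it could not repair. The sample log lines are constructed in the shape SFC writes, and the default log path is the standard one.

```powershell
# Added example (not code from the thread or from MGtools): report the UAC
# registry state and list which files sfc /scannow could not repair by reading
# the "[SR]" lines of CBS.log. Run in an elevated PowerShell prompt.

function Get-UacState {
    # The EnableUAC.reg step in the thread targets this key; a change to
    # EnableLUA only takes effect after a reboot, so read what is actually set.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC enabled
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 0 = elevate silently
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = dimmed prompt
    }
}

function Get-SfcUnrepairedFiles {
    param([string]$CbsLog = "$env:windir\Logs\CBS\CBS.log")
    # SFC tags its own entries with "[SR]"; this is the same filter as the
    # documented  findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log  command.
    Select-String -Path $CbsLog -SimpleMatch '[SR]' |
        Where-Object { $_.Line -match 'Cannot repair member file' } |
        ForEach-Object {
            # The member file name is the first double-quoted token on the line
            if ($_.Line -match '"([^"]+)"') { $Matches[1] }
        } |
        Sort-Object -Unique
}

# Constructed sample in the shape SFC writes to CBS.log (not the poster's log),
# so the parser can be tried without a real corrupt system.
$sample = @'
2018-09-10 10:01:02, Info                  CSI    000001a3 [SR] Verifying 100 components
2018-09-10 10:01:03, Info                  CSI    000001a4 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, version 6.3.9600.17415, arch amd64 in the store, hash mismatch
2018-09-10 10:01:03, Info                  CSI    000001a5 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, version 6.3.9600.17415, arch amd64 in the store, hash mismatch
2018-09-10 10:01:04, Info                  CSI    000001a6 [SR] Repair complete
'@
$tmp = Join-Path $env:TEMP 'cbs_sample.log'
Set-Content -Path $tmp -Value $sample

Get-UacState | Format-List
'Unrepaired (sample log):'
Get-SfcUnrepairedFiles -CbsLog $tmp
'Unrepaired (real log):'
Get-SfcUnrepairedFiles
```

The sample log yields a single entry, example.dll, because duplicate "[SR]" lines for the same member are collapsed; the real-log call reads the live CBS.log the poster was asked about.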
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You too.
     
