Suspect Malware or Trojan

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:​

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?ctid=CT3...M=2&UP=SP8F3757AD-60B0-4B11-87B0-66CBF61DE7BD
R3 - URLSearchHook: (no name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
O4 - HKLM\..\Run: [SearchProtectAll] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe
O4 - HKCU\..\Run: [SearchProtect] C:\Users\Owner\AppData\Roaming\SearchProtect\bin\cltmng.exe
O23 - Service: Search Protect by Conduit Updater (CltMngSvc) - Conduit - C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe​

After clicking Fix, exit HJT.​

Now uninstall the below software:
Search Protect by conduit​

Please download OTM by Old Timer and save it to your Desktop.

• Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C

• 
  
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of ​
  
  the code box

Code:

[LEFT]:Processes
[LEFT]explorer.exe[/LEFT]
 
[LEFT]:Services
CltMngSvc[/LEFT]
 
[LEFT]:Files
C:\Program Files (x86)\ExpressFiles\ExpressFiles.exe
C:\Users\Public\Desktop\Express Files.lnk
C:\Program Files (x86)\ExpressFiles
C:\ProgramData\Microsoft\Windows\Start Menu\ExpressFiles
C:\ProgramData\Microsoft\Windows\Start Menu\ExpressFiles
C:\Users\Public\Desktop\Express Files.lnk
C:\Windows\System32\Tasks\Express FilesUpdate
C:\Users\Owner\AppData\Roaming\ExpressFiles
C:\Program Files\SearchProtect
C:\Program Files (x86)\SearchProtect
C:\Users\Owner\AppData\Roaming\SearchProtect
C:\Users\Owner\AppData\Local\teeveewatchSA
C:\Users\Owner\AppData\Local\Temp\*.*[/LEFT]
 
[LEFT]:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SearchProtect"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"HP Software Update"=-
"SearchProtectAll"=-
[HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
"HP Software Update"=-
"SearchProtectAll"=-
[HKEY_USERS\S-1-5-21-1237201107-3247922475-322830314-1000\Software\Microsoft\Windows\CurrentVersion\run]
"SearchProtect"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot][/LEFT]
[/LEFT]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar

• 
  
  ) and choose Paste.​
• Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

​

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be

saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.​

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). ​

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!
​

 

You're welcome.

Simply put, the junk we removed in the last fix. No trojans! Just junk. But your OTM logs seems to show there were problems running OTM. It may be a good idea to rerun the last OTM fix in safe mode and then reboot to normal mode to get the new MGlogs.zip file and reattach the new logs.

I already tried to delet it in my last fix, but as stated above, seems that OTM had a problem running. Make sure you run in safe boot mode and make sure you use Run As Administrator.

 

Your OTm log is still showing a problem occurred trying to run it. Based on what I see. It looks like you are not copying and pasting in the plain text fix properly. Perhaps you are loading into some other editing program first. You need to make sure that the fix is copied exactly as it is shown in plain text form. Do not load it into a program like the Word or Wordpad...etc.

Nothing from the fix is working because of this and that is why you still have a problem.

 

That's much better.

Now we need the follow up MGtools log.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). ​

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You're logs are clean.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
3. Go back to step 4 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
5. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome. Surf safely!