System Restore/Windows Defender/No antivirus/Permissions Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by clement1214, Jun 4, 2014.

  1. clement1214

    clement1214 Private E-2

    Hello!

Just like the title of this thread, I am having several problems in my PC. I do not know how it started, but it started three days ago. I downloaded an unknown zip file or something (I am not sure what it is) unknowingly, saved it on the desktop and ran it, and my system crashed. I was able to boot my laptop and run it smoothly without having a trace of any problem.

I first noticed the problem on the desktop: the zip file was gone and some other things had changed or were gone. My first instinct was to restore the system from an earlier point in time. However, as I clicked the System Restore icon on "Start", a notice appeared which still says "Windows cannot find C:\Windows\system32\rstrui.exe Make sure you typed the name correctly and try again."

After reading the notice, I turned to my Microsoft Security Essentials and tried to open it. I could not run it or even open it, and it's my only antivirus in my system. I have forgotten whether I uninstalled it afterwards or it just deleted itself (I really do not know), but if I uninstalled it, it was in favor of another antivirus, namely Avast. But the problem is, I could not install it or even run the installer. I tried Bitdefender, but failed to run it again.

I kind of panicked, and tried to search for any problems on my laptop or any changes I could have possibly and unknowingly made. And I turned to my Windows Defender and found out that I could not access it. I opened "Services" and I saw that I do not have System Restore and Windows Defender.

I tried to do anything about it, downloaded things and tried to fix things. I downloaded Windows Defender from Windows and it was kind of successful. I still cannot access it but it appeared in "Services" and I was able to start it. Moreover, I discovered that I was able to run System Restore while booting and pressing F8. However, I cannot restore the system to any time before the problems occurred. It seems that any restore point before that damn zip file was deleted.

Then there's this problem about permissions and administrator privileges. I'm not really an expert at any computer stuff but I try to do my best and avoid the worst. However, whenever I try to install any security-related software or even software that allows me to make changes to the system, notices and warnings pop up that say that I could not do anything because of "permission" problems and "administrator privileges". But I am the only user of this laptop and I am the only administrator. I also have problems with paths and things that I do not know of.
    And there's this application that cannot run as I open my laptop. It's just a notice after I boot. I do not know the application, it just says that it fails to run as a startup program.

I ran sfc /scannow and check disk multiple times, and discovered nothing. I ran Startup Repair and it found something but could not fix it. I am able to use my laptop smoothly with no changes in speed.

    Problems:
    No antivirus and cannot install one
    System restore
    Windows Defender
    Some other Windows Services missing (possible) that I still haven't discovered yet
    Permissions/Administrator privileges
    Really high possibility I have a Malware problem

I am quite absorbed by the fact that I am having a malware problem, for the reasons that I have found on the net. I am currently following the "Malware Removal guide" thread.
    Note: I have a Windows 7 Home Premium system, x64.

I was able to install and run MBRCheck, RogueKiller, TDSSKiller, Hitman Pro and MGtools. Malwarebytes fails to install (ERROR 5: Access is denied). The logs are attached below.

Note: I was able to run RogueKiller 3 times, but the logs are not saved on the desktop. I do not know where they are. I clicked the Report button but was denied access. It was able to find some things and I attached the photos of it below.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Whatever website you were on when you did this, you need to stay away from this site as you installed a lot of malware.

    Look for the RogueKiller log in C:\ProgramData\RogueKiller

    You need to run MGtools.exe again as the log is extremely incomplete. Make sure you use Right Click and select Run As Administrator and then make sure you wait for it to finish. It will tell you when finished. Attach the new MGlogs.zip file.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

After attaching the new MGlogs.zip (or even if you cannot get it to run properly), then run the below procedure.

Be patient while doing the below. The fixes can sometimes take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
• Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Program Files (x86)\RichMediaViewV1
    C:\Program Files (x86)\Windows Services\wservice.exe
    C:\Windows\SysWOW64\Microsoft.com
    C:\Windows\SysWOW64\Google.com
    C:\Program Files (x86)\WS.Booster
    C:\Program Files (x86)\WSSvc.dll
    C:\ProgramData\InstallMate
    C:\Users\Lenovo\AppData\Local\genienext
    C:\Users\Lenovo\AppData\Roaming\newnext.me
    C:\Users\Lenovo\AppData\Roaming\OpenCandy
    C:\Windows\explorer_2.exe
    C:\Windows\explorer_3.exe
    C:\PROGRA~2\WS_X64~1.BOO
    C:\Users\Lenovo\AppData\Local\Google\Chrome\User Data\Default\Web Data
    C:\Program Files (x86)\Conduit
    C:\ProgramData\Babylon
    C:\Users\Lenovo\AppData\Local\Conduit
    C:\Users\Lenovo\AppData\Local\Google\Chrome\User Data\Default\Web Data
    C:\Users\Lenovo\AppData\Local\Mobogenie
    C:\Users\Lenovo\AppData\LocalLow\Conduit
    C:\Users\Lenovo\AppData\LocalLow\Delta
    C:\Users\Lenovo\AppData\Roaming\OpenCandy
    C:\Windows\Tasks\AmiUpdXp.job
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af27e98a-2581-4a0a-858f-2b1ee125d4a9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{af27e98a-2581-4a0a-858f-2b1ee125d4a9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{aa58db42-f509-495b-b66c-2359064e5035}]
    [-HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af27e98a-2581-4a0a-858f-2b1ee125d4a9}]
    [-HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap\ (Claro)
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Updater.AmiUpd.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Updater.AmiUpd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Babylon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Conduit]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
    [-HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\Software\1ClickDownload]
    [-HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\Software\AppDataLow\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\Software\AppDataLow\Software\SmartBar]
    [-HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}]
    [-HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectNewTabPageShow]
    [-HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\Software\Microsoft\Internet Explorer\TabbedBrowsing\bProtectShowTabsWelcome]
    [-HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\Software\Softonic]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
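The long run of Image File Execution Options keys in the :Reg section above is the mechanism behind "I could not run my antivirus": a Debugger value under an image name makes Windows launch that path instead of the real program. The following PowerShell script is an added example for auditing those keys (it is not part of the thread or of any of the tools named in it). It is read-only, walks both the native and the Wow6432Node view, and flags any subkey that either carries a Debugger value or matches a watch list of security-tool names; the watch list below is taken from the entries in the fix plus a few system binaries (rstrui.exe, cmd.exe, taskmgr.exe, regedit.exe) that I added as an assumption.

```powershell
# Added example, not from the thread: audit Image File Execution Options
# for Debugger hijacks. Read-only; run from an elevated PowerShell prompt.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Image names from the fix in this thread, plus assumed extras worth watching.
$watchList = @(
    'AvastSvc.exe','AvastUI.exe','avcenter.exe','avconfig.exe','avgcsrvx.exe',
    'avgnt.exe','avgrsx.exe','avguard.exe','avgui.exe','avgwdsvc.exe',
    'mbam.exe','mbamgui.exe','mbamservice.exe','MSASCui.exe','msseces.exe',
    'rstrui.exe','cmd.exe','taskmgr.exe','regedit.exe'   # assumed additions
)

function Get-IfeoHijack {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $name     = $key.PSChildName
            $props    = Get-ItemProperty -Path $key.PSPath
            $debugger = $props.Debugger
            $watched  = $watchList -contains $name
            # Any Debugger value deserves a look; one on a security tool
            # is almost certainly the reason that tool "will not open".
            if ($debugger -or $watched) {
                [pscustomobject]@{
                    Hive     = $root
                    Image    = $name
                    Debugger = $debugger
                    Watched  = $watched
                }
            }
        }
    }
}

Get-IfeoHijack | Format-Table -AutoSize -Wrap
```

A Debugger value is not automatically malicious (a developer box may legitimately point a few images at a just-in-time debugger), so review the reported path before removing anything; a Debugger entry whose image name is an antivirus, Malwarebytes or a Windows recovery binary, as in this thread, is the case to act on.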
     
  4. clement1214

    clement1214 Private E-2

    Ok, I found the RK log and renewed the MGlogs.zip.

Regarding MGTools.exe, are there any processes involved after it opened cmd.exe? (It closes involuntarily, by the way; I forgot to tell you that it's also one of the problems I am experiencing.) The MGlogs.zip is different from the one I attached but I do not know if it is complete. Also, I ran into a permissions problem with the RK log, but I was able to edit the permissions when it clearly stated that no groups or users were permitted to access it.

    Anyway, I'm really thankful to you for replying to this thread. =)
     

    Attached Files:

  5. clement1214

    clement1214 Private E-2

    Hello! I am back.

    I was able to complete the "Tweaking" repair process. However, after I rebooted, this message appeared again just like before:

    "The application has encountered an unexpected error"

    I do not know what application it is.

    I completed the "OTM" process. However, there is no .log file created. Just a 06052014_112412 folder. I planned on compressing it to zip, but I discovered that it has the size of 41 mb and I cannot upload it here. I searched for a .log file inside but it just contains series of folders. I attached a screenshot below.

The "JRT" process is not completed. The command prompt closes automatically after a minute or two. I repeated it five more times to no avail. Then, just now, it went back to this notice again:

    "Windows cannot access the specified device,path or file. You may not have the appropriate permissions to access this item."

    No JRT.txt was saved.

Note: every .exe mentioned in the instructions is on the desktop.

I continued on with your instructions and ran the C:\MGtools\GetLogs.bat file. I read on the cmd window (while it was open) that the log is saved in "MGTools\GetUnkey" and I included it below, just in case. The MGlogs.zip is attached below.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MGtools and GetLogs.bat are still not running properly. The MGlogs.zip file would be much larger and would have a large number of files in it. And since OTM did not run properly, we have not gotten very far. Please see if you can boot into safe boot mode and then run the fix with OTM.
     
  7. clement1214

    clement1214 Private E-2

    Hello!

    After hours and hours of looking for ways to force cmd to stay up, I finally found a way to get around it. The OTM log is below as well as the MGlogs.zip.
    What am I going to do next?

    Again, thanks for helping me. =)
     

    Attached Files:

  8. clement1214

    clement1214 Private E-2

    Hello again!

    I was able to run the JRT. Here's the log.=)
     

    Attached Files:

    • JRT.txt (12.5 KB)
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

Run the below fix. Use safe mode again only if necessary for the fix.
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://websearch.oversearch.info/?pid=298&r=2013/09/23&hid=13878247811299739271&lg=EN&cc=PH&unqvl=36
    F3 - REG:win.ini: load=C:\Windows\system32\Microsoft.com
    O4 - HKCU\..\RunOnce: [WindowsUpdate] C:\Program Files (x86)\Windows Services\wservice.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
    O4 - Startup: start.lnk
    O20 - AppInit_DLLs: c:\windows\syswow64\nvinit.dll,c:\windows\syswow64\nvinit.dll c:\progra~2\ws6ca1~1.boo

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Services
    Bandoo Coordinator
    IEPro
    KService
     
    :Files
    C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk
    C:\Program Files (x86)\GUMF5B3.tmp
    C:\Program Files (x86)\GUTF5C4.tmp
    C:\Program Files (x86)\MediaPlayerV1
    C:\Program Files (x86)\MediaViewV1
    C:\Program Files (x86)\MediaWatchV1
    C:\Program Files (x86)\REgularDDeealls
    C:\Program Files (x86)\VideoPlayerV3
    C:\Program Files (x86)\weeBsave
    C:\Program Files (x86)\Windows Services
    C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    C:\Windows\tasks\Torntv V6.0-firefoxinstaller.job
    C:\Windows\tasks\Torntv V6.0-updater.job
    C:\Users\Lenovo\AppData\Local\Temp\*.*
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "WindowsUpdate"=-
    [HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\Software\Microsoft\Windows\CurrentVersion\runonce]
    "WindowsUpdate"=-
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=-
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
    "Shell"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"="c:\windows\syswow64\nvinit.dll,c:\windows\syswow64\nvinit.dll"
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\gupdate]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\gupdatem]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\gusvc]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Update SecretSauce]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Util SecretSauce]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\test]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now reboot into Normal Boot mode to do the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    If you could not boot into normal mode to get the new MGlogs.zip then use safe mode but please explain why you could not use normal mode.
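The HijackThis lines in this post (R0 start page, F3 win.ini load=, O4 RunOnce and Startup-folder shortcut, O20 AppInit_DLLs) and the :Reg section of the OTM fix all touch the same handful of autostart locations. The PowerShell below is an added example, not part of the thread or of HijackThis, that reads those locations directly so the result can be compared with what the HJT log shows; it is read-only and should be run from an elevated prompt. The only things it assumes are the standard registry paths for these autostarts on Windows 7 (on NT-based Windows the win.ini load= value is mapped into the registry) and that explorer.exe is the Winlogon Shell set in HKLM, so any Shell value under HKCU is non-default.

```powershell
# Added example, not from the thread: report the autostart locations that
# HijackThis labels F3, O4 and O20. Read-only; run elevated.
function Get-SuspiciousAutostart {
    $findings = @()

    # F3 - win.ini "load=" is stored in the registry on NT-based Windows.
    $winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $load = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).load
    if ($load) { $findings += [pscustomobject]@{ Type = 'F3 win.ini load'; Value = $load } }

    # Winlogon Shell under HKCU: explorer.exe is configured in HKLM, so a
    # per-user Shell value (as removed by the OTM fix) replaces the desktop.
    $wlKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue).Shell
    if ($shell) { $findings += [pscustomobject]@{ Type = 'HKCU Winlogon Shell'; Value = $shell } }

    # O20 - AppInit_DLLs, native and WOW64 views; these DLLs load into every
    # process that links user32.dll, which is why they survive most cleanups.
    foreach ($k in 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p.AppInit_DLLs) {
            $findings += [pscustomobject]@{ Type = "O20 AppInit_DLLs ($k)"; Value = $p.AppInit_DLLs }
        }
    }

    # O4 - Run / RunOnce for the machine and the current user.
    foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        foreach ($prop in $p.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, ...
            $findings += [pscustomobject]@{ Type = "O4 $k"; Value = "$($prop.Name) = $($prop.Value)" }
        }
    }

    # O4 - Startup folder shortcuts (start.lnk in this thread); resolve targets.
    $startup = [Environment]::GetFolderPath('Startup')
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
        $sc = $wsh.CreateShortcut($lnk.FullName)
        $findings += [pscustomobject]@{
            Type  = 'O4 Startup folder'
            Value = "$($lnk.Name) -> $($sc.TargetPath) $($sc.Arguments)"
        }
    }
    $findings
}

Get-SuspiciousAutostart | Format-Table -AutoSize -Wrap
```

Running this before and after a fix is a quick way to confirm that a removed entry has actually stayed gone; if the same load= or RunOnce value is back after a reboot, something still running is re-creating it, which is exactly the situation the later posts in this thread describe.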
     
  10. clement1214

    clement1214 Private E-2

    Hello!

    I was able to run the fix and the OTM using the normal mode. But I couldn't with the Getlogs.bat because the command prompt won't stay up. I tried the cmd /k and it doesn't seem to work way past the actxprxy.dll (?). So I ran it using the "Safe Mode with Command Prompt". The log and the zip file is attached below.

    Again, thank you!
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you have a problem with Hijackthis last time? I still see the below showing in your HijackThis log. Try fixing them again.

    F3 - REG:win.ini: load=C:\Windows\system32\Microsoft.com
    O4 - HKCU\..\RunOnce: [WindowsUpdate] "C:\Program Files (x86)\Windows Services\wservice.exe"
    O4 - Startup: start.lnk


The OTM.exe file on your Desktop is showing that it is not a full download. It shows as 0 bytes in size.
    Please redownload and save to your Desktop again.


Use Revo Uninstaller, which I see you have installed, to uninstall the below:
    SecretSauce
    WS.Sustainer 1.80

    Check for each of the below files and folders and if you see any, right click on them and select Delete. Tell me the results.
    C:\Program Files (x86)\Windows Services
    C:\Windows\system32\Microsoft.com
    C:\Program Files (x86)\SecretSauce
    C:\ProgramData\Alwil Software
    C:\ProgramData\REgularDDeealls
    C:\Windows\bat_starter.exe
    C:\Windows\explorer_1.exe
    C:\Windows\uninstall_cp.bat

    Now reboot in normal mode and double check for the above. Did any of them come back?

    • Now please click Start, and type cmd into the search box.
    • You should see a cmd.exe and icon appear in the Programs area of the Start Menu.
    • Right click on cmd.exe and select Run As Administrator.
    • Then in the command prompt window type cd C:\MGtools and hit enter.
    • This should change the prompt to show that you are in the MGtools folder.
    • Now type GetLogs.bat and hit enter. Let's see if it runs to completion without closing the command prompt window.
    Attach the new MGlogs.zip file if it ran.
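When a folder cannot be deleted even by the only administrator on the machine, the usual cause is that its owner was changed or its DACL was emptied, so even reading the security descriptor fails. The PowerShell below is an added example (not from the thread or from any of the tools it uses) that reports, for each of the paths listed in this post, whether it exists, who owns it, whether Administrators hold Allow FullControl, and whether any Deny entries are present. It is read-only; the takeown and icacls commands in the trailing comment are the standard Windows tools for recovering such a path once the report has been reviewed. The path list is copied from the post; everything else is mine.

```powershell
# Added example, not from the thread: explain "permission denied" on the
# paths the post asks to delete. Read-only; run from an elevated prompt.
$paths = @(
    'C:\Program Files (x86)\Windows Services',
    'C:\Windows\system32\Microsoft.com',
    'C:\Program Files (x86)\SecretSauce',
    'C:\ProgramData\Alwil Software',
    'C:\ProgramData\REgularDDeealls',
    'C:\Windows\bat_starter.exe',
    'C:\Windows\explorer_1.exe',
    'C:\Windows\uninstall_cp.bat'
)

function Get-LockedPathReport {
    param([string[]]$Path)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; Owner = $null; AdminFullControl = $null; DenyEntries = $null }
            continue
        }
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
            $adminFull = $acl.Access | Where-Object {
                $_.IdentityReference -like '*\Administrators' -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $full) -eq $full)
            }
            $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
            [pscustomobject]@{
                Path             = $p
                Exists           = $true
                Owner            = $acl.Owner
                AdminFullControl = [bool]$adminFull
                DenyEntries      = ($deny | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            }
        } catch {
            # Get-Acl fails when even READ_CONTROL is denied: this is the
            # "no groups or users have permission" state the thread describes.
            [pscustomobject]@{
                Path             = $p
                Exists           = $true
                Owner            = '<access denied>'
                AdminFullControl = $false
                DenyEntries      = $_.Exception.Message
            }
        }
    }
}

Get-LockedPathReport -Path $paths | Format-Table -AutoSize -Wrap

# Recovery for a path whose owner was changed or whose DACL was emptied
# (standard Windows tools; run elevated, after reviewing the report):
#   takeown /f "C:\Program Files (x86)\Windows Services" /r /d y
#   icacls  "C:\Program Files (x86)\Windows Services" /grant Administrators:F /t
```

Compare the Owner column with what Explorer's Security tab shows: a path owned by a SID that no longer resolves to a name, or by a plain user account rather than TrustedInstaller or Administrators under C:\Windows, is the one the Tweaking.com "Reset File Permissions" step earlier in the thread is meant to fix.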
     
  12. clement1214

    clement1214 Private E-2

    Hello!

    I didn't encounter any problem with Hijack last time until now that you mentioned it. No matter how many times I fix those three, it keeps coming back...

    I encountered this notice while I was uninstalling WS.Sustainer 1.80:

    "There was a problem starting C:\PROGRA~2\WS6CA1~1.BOO
    The specified module could not be found"


    I selected the advanced mode and deleted the one Revo said I should delete. I do not know if it was uninstalled completely but it never appeared again on Revo. Moreover, I didn't see any SecretSauce on Revo, but I remember it appearing on Revo sometime ago. I have forgotten whether I uninstalled it or not.

On the other hand, out of the eight files and folders you told me to delete, I only managed to delete five. I couldn't do anything with the first two (Windows Services and Microsoft) and the other one I couldn't find (SecretSauce; perhaps it doesn't exist?).
    I kept having those permissions notices. I tried changing the permissions on the Security tab but it kept on denying the change. It was sooooo stubborn. It kept on asking for the "administrator" or the "owner". I really do not know how to get around it anymore.

    NOTE: The Microsoft folder is named as it is. There is no file or folder named "Microsoft.com". Nevertheless, I still couldn't delete it.

And to add to my frustration, the command prompt won't stay up. No matter how many times I use it to run GetLogs.bat, it closes automatically while in normal mode. I booted to Safe Mode with Command Prompt and ran GetLogs.bat.
    The zip file is attached below if you need it.

    Again, thank you for helping me.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  14. clement1214

    clement1214 Private E-2

    Hello!

    The FRST.txt is attached below.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  16. clement1214

    clement1214 Private E-2

    Hello!

    You're amazing. The command prompt works now. I was able to do the instructions smoothly. The files are attached below.

    Thank you!
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Now that you can run in normal boot mode, we have a little more to do.

    Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\Lenovo\AppData\Roaming\newnext.me\nengine.dll
    C:\Program Files (x86)\SecretSauce
    C:\Users\Lenovo\AppData\Local\Temp\*.*
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecretSauce]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\gupdate]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\gupdatem]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\gusvc]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Update SecretSauce]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Util SecretSauce]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe ARM]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NextLive]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\test]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please run MSConfig and put your PC into normal startup mode. You should not be using it like this to disable so many startup processes and services. It was not designed to be a long-term startup manager. Read this to better understand why not to use MSconfig: Dealing with Startup Process

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  18. clement1214

    clement1214 Private E-2

    Hello!

    I encountered a problem with the start-up programs. I clicked the normal start-up mode several times but it went to "selective start-up" after I had clicked the "apply" button. I checked the "services" and "startup" tab and found a program that refuses to be enabled.

    OneNote 2010 Screen Clipper and Launcher

    It's just a shortcut, I do not know if I should delete it or not. Nevertheless, all of the programs and services and drivers should be working after I rebooted.
    Then, there's this notice after the reboot:

    "There was a problem starting
    C:\Users\Lenovo\AppData\Roaming\newnext.me\nengine.dll
    The specified module could not be found"


    The OTM log and the MGtools.zip are attached below.

    Thank you!
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's see if we can fix these issues you had and also remove a few unnecessary startup items.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [test] C:\Windows\bat_starter.exe
    O4 - HKCU\..\Run: [NextLive] C:\Windows\SysWOW64\rundll32.exe "C:\Users\Lenovo\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l
    O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Lenovo\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe

    After clicking Fix, exit HJT.

    Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Services
    gupdate
    gupdatem
    gusvc
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "test"=-
    "NextLive"=-
    "Facebook Update"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "HP Software Update"=-
    "Adobe ARM"=-
    [HKEY_USERS\S-1-5-21-3717358745-752588727-3217761893-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "test"=-
    "NextLive"=-
    "Facebook Update"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
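    The O4/O23 lines chaslang lists above are exactly what a defender triages before deciding what to remove. As an added example (not code from chaslang, HijackThis, OTM or MajorGeeks), the Python below parses such lines and flags the features that make the quoted entries suspect: a module loaded through rundll32.exe, a path under the user profile, an executable dropped directly into C:\Windows, and, when a set of known-present files is supplied, an orphaned entry whose target no longer exists (which is what produces the "specified module could not be found" dialog clement1214 reported at logon). The sample lines are copied from the post; the heuristics, the names `parse_line`, `triage_lines` and `path_flags`, and the `existing_files` parameter are assumptions of this example.

```python
"""Triage HijackThis-style autorun lines (O4 Run entries, O23 services).

Added example: the parsing and the flagging heuristics are this editor's own,
not part of HijackThis, OTM or the MajorGeeks procedure.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Constructed sample input: the entries quoted in the post above.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe',
    r'O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    r'O4 - HKCU\..\Run: [test] C:\Windows\bat_starter.exe',
    r'O4 - HKCU\..\Run: [NextLive] C:\Windows\SysWOW64\rundll32.exe "C:\Users\Lenovo\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l',
    r'O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Lenovo\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver',
    r'O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe',
]

O4_RE = re.compile(r'^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$')
# First image path in a command line: a quoted string, or an unquoted path
# running up to the first executable/module extension (spaces allowed).
IMAGE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|bat|cmd|scr|com))(?=\s|,|$)',
    re.IGNORECASE,
)


@dataclass
class AutorunEntry:
    kind: str                      # "O4" (Run key) or "O23" (service)
    hive: str                      # HKLM / HKCU for O4, "service" for O23
    name: str
    command: str
    image: str                     # executable that Windows launches
    module: Optional[str] = None   # DLL handed to rundll32.exe, if any
    flags: List[str] = field(default_factory=list)


def _first_image(cmd: str):
    """Return (path, remainder) for the first image path in cmd, or (None, cmd)."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    if not m:
        return None, cmd
    return (m.group('q') or m.group('u')), cmd[m.end():].strip()


def parse_line(line: str) -> Optional[AutorunEntry]:
    """Parse one O4 or O23 line; any other line type returns None."""
    m = O4_RE.match(line.strip())
    if m:
        kind, hive, name, cmd = 'O4', m.group('hive'), m.group('name'), m.group('cmd')
    else:
        m = O23_RE.match(line.strip())
        if not m:
            return None
        kind, hive, name, cmd = 'O23', 'service', m.group('name'), m.group('cmd')
    image, rest = _first_image(cmd)
    if image is None:
        return None
    module = None
    # rundll32.exe is only a host: the thing that actually runs is its DLL argument.
    if image.lower().rsplit('\\', 1)[-1] == 'rundll32.exe':
        module, _ = _first_image(rest)
    return AutorunEntry(kind, hive, name, cmd, image, module)


def path_flags(path: str) -> List[str]:
    """Heuristic flags for a single image/module path (case-insensitive)."""
    p = path.lower()
    flags = []
    if '\\appdata\\' in p or p.startswith('c:\\users\\'):
        flags.append('user_profile_path')   # writable without admin rights
    if p.rsplit('\\', 1)[0] == 'c:\\windows':
        flags.append('windows_root_file')   # dropped straight into C:\Windows
    return flags


def triage(entries: Iterable[AutorunEntry],
           existing_files: Optional[Set[str]] = None) -> List[AutorunEntry]:
    """Attach flags to each entry. existing_files, when given, is the set of paths
    known to exist; a target outside it is an orphaned entry, the cause of the
    'specified module could not be found' dialog at logon."""
    known = {f.lower() for f in existing_files} if existing_files is not None else None
    out = []
    for e in entries:
        target = e.module or e.image
        e.flags = path_flags(target)
        if e.module is not None:
            e.flags.append('rundll32_dll')
        if known is not None and target.lower() not in known:
            e.flags.append('missing_file')
        out.append(e)
    return out


def triage_lines(lines: Iterable[str],
                 existing_files: Optional[Set[str]] = None) -> List[AutorunEntry]:
    entries = [e for e in (parse_line(l) for l in lines) if e is not None]
    return triage(entries, existing_files)


if __name__ == '__main__':
    for e in triage_lines(SAMPLE_LINES):
        print(f"{e.kind} [{e.name}] -> {e.module or e.image}  flags={e.flags or '-'}")
```

    On a real machine you would feed it the actual HijackThis log and build `existing_files` from `os.path.exists` on each target; the flags are a triage aid for deciding which entries to look at first, not a verdict, which is why the vendor-signed HP, Adobe and Google entries come out with no flags even though chaslang still chooses to trim them as unnecessary startup items.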
  20. clement1214

    clement1214 Private E-2

    Hello!

    Things are running smoothly. I received a success message when I merged it to the registry. The files you need are attached below.

    Thank you. :)
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  22. clement1214

    clement1214 Private E-2

    Hello!

    System Restore and Windows Defender are working now. And, I was able to install an antivirus, Avira, and scanned my with no problems at all.

    However, I tried to install the Malwarebytes but this notice pops up:

    Setup was unable to create the directory
    "C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware".

    Error 5: Access is denied


    What do I need to do to install it? Are there any problems existing with it?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Rerun the Windows Repair by Tweaking.com instructions I gave you a number of messages back.

    Then uninstall Malwarebytes and then reboot your PC.

    After reboot delete the below folders if they still exist:
    C:\Users\Lenovo\AppData\Roaming\Malwarebytes
    C:\ProgramData\Malwarebytes


    Now redownload Malwarebytes ( if necessary ) and try reinstalling.
     
