Virus but unsure which

Discussion in 'Malware Help (A Specialist Will Reply)' started by opivyattack, Nov 28, 2012.

  1. opivyattack

    opivyattack Private E-2

    My cousin's computer has some viruses and I'm trying to help her get rid of them. There are some installed apps on the computer that I can't remove through the normal method and some pop ups and what not that open when I open Firefox. I don't know how or when this happened as it is not my computer. Just trying to help her. Logs attached.

    Hitman didn't have a log because nothing was found.

    Thanks!!
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    I'm reviewing your logs and will post again when I have worked up a fix.

    dr.m
     
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Before we begin - you must set MSconfig for "Normal Startup Mode"
    Use MSconfig to setup for Normal Startup Mode

    This pc is in desperate need of a RAM upgrade, we recommend 3 times what is installed.

    Uninstall list:
    Coupon Printer for Windows
    DealRunner 1.26
    GamesBar 2.0.1.82
    Java(TM) 6 Update 20 <--- outdated
    PriceGong 2.5.1
    Shop To Win

    * Delete this mis-named file from your desktop: C:\Users\Krystal\Desktop\mb.exe.exe

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    killallprocesses
    :Files
    C:\Users\Krystal\Desktop\ddmmpioijp.tmp
    C:\Windows\assembly\temp\2VRX9BXD9N 
    C:\Windows\assembly\temp\608OJFRAM9 
    C:\Windows\assembly\temp\69PDC16EH3 
    C:\Windows\assembly\temp\B752Z5YVLM 
    C:\Windows\assembly\temp\CR4O6LNSGE
    C:\Windows\assembly\temp\DZNSZRNSOD
    C:\Windows\assembly\temp\EFZDIMLS5Y 
    C:\Windows\assembly\temp\EVTHH8S093
    C:\Windows\assembly\temp\H09V8ZFCAE
    C:\Windows\assembly\temp\KYVEW0I963
    C:\Windows\assembly\temp\QKCBNKO294
    C:\Windows\assembly\temp\WDNFTFL4U3
    C:\Users\Krystal\AppData\Roaming\Microsoft\Protect\S-1-5-21-530960115-2016287997-2560366090-1000
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    :Commands
    [purity]
    [EMPTYFLASH]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt%21.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now install the latest Sun Java Runtime Environment

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select
    Run As Administrator).

    Please attach these files to your next reply:
    • C:\_OTM\MovedFiles.log
    • JRT.txt
    • C:\MGlogs.zip

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still
    experiencing?"


    dr.m
     
  4. opivyattack

    opivyattack Private E-2

    This is some really small compact Dell. I don't even think the RAM is upgradable. It has like a ten inch screen. Anyways, it wouldn't let me upload the jrt.txt log. It says that the file is too large. Any ideas?
     

    Attached Files:

  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :) Try making a compressed/zipped folder and attaching it.
     
  6. opivyattack

    opivyattack Private E-2

    Good idea! Attached. Thanks :)
     

    Attached Files:

    • JRT.zip (72.7 KB)
  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Your logs are looking better - let's do a bit more.

    Please delete this desktop file with the double file extension. It should not be named as such, no matter what it actually is.
    "C:\Users\Krystal\Desktop\mb.exe.exe"


    Please download AdwCleaner and save it to your Desktop.
    • Double-click AdwCleaner.exe to run it. (Vista & Win7 users should right-click and "Run As Administrator")
    • Click on Delete
    • Your pc should now automatically re-boot
    • AdwCleaner will display a log showing the files, folders, and registry entries that were removed.
    • Attach this log to your next reply.
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.


    Run OTM again.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    killallprocesses
     
    :Files
    C:\Users\Krystal\AppData\Local\Temp\RD7DF7.tmp
    C:\Users\Krystal\AppData\Local\Temp\RDBCE8.tmp
    C:\Program Files\DealRunner\DealRunner.exe
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "DealRunner"=-
    [HKEY_USERS\S-1-5-21-530960115-2016287997-2560366090-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "DealRunner"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{36377DD7-B3EB-42f5-986F-680BAF59BA9D}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4FE13C31-89AB-4A65-89C0-AA98DDB64F88}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EB1ACFDA-5951-4B89-B8D8-9C8EA2352788}]
     
    :Commands
    [purity]
    [EMPTYFLASH]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt%21.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).


    Please attach the below logs to your next reply:
    • AdwCleaner[S1].txt
    • C:\_OTM\MovedFiles mmddyyyy_hhmmss.log
    • C:\MGlogs.zip
    * You forgot to tell me how your machine is running.
     
    Last edited by a moderator: Dec 1, 2012
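    As an added example (not code from the thread, OTM or MajorGeeks), the following read-only PowerShell audit checks whether the specific leftovers targeted by the OTM scripts in posts 3 and 7 are still present: the BHO CLSID from the HJT O2 line, the DealRunner Run values, the three IE SearchScopes, and double-extension files on the desktop. It only reports; it assumes it is run in the affected user's session with administrator rights, and the SID is the one quoted in the OTM script.

```powershell
# Read-only audit for the items named in the thread's OTM scripts. Reports only, removes nothing.
# Identifiers are copied from the thread; $UserSid is the SID used in the OTM :Reg sections.
$UserSid = 'S-1-5-21-530960115-2016287997-2560366090-1000'
$BhoClsid = '{02478D38-C3F9-4efb-9B51-7695ECA05670}'
$SearchScopeClsids = @(
    '{36377DD7-B3EB-42f5-986F-680BAF59BA9D}',
    '{4FE13C31-89AB-4A65-89C0-AA98DDB64F88}',
    '{EB1ACFDA-5951-4B89-B8D8-9C8EA2352788}'
)
$findings = @()

# 1. Browser Helper Object registration for the CLSID flagged in the HJT O2 line
$bhoKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid"
if (Test-Path $bhoKey) { $findings += "BHO still registered: $bhoKey" }

# 2. DealRunner autostart value in HKCU and in the user's hive under HKEY_USERS
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    "Registry::HKEY_USERS\$UserSid\Software\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($v.PSObject.Properties.Name -contains 'DealRunner') {
            $findings += "Run value present: $k\DealRunner -> $($v.DealRunner)"
        }
    }
}

# 3. Internet Explorer search scopes that the second OTM script deleted
foreach ($c in $SearchScopeClsids) {
    $scope = "HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\$c"
    if (Test-Path $scope) { $findings += "SearchScope still present: $scope" }
}

# 4. Double-extension executables on the desktop, the pattern of mb.exe.exe
$desktop = [Environment]::GetFolderPath('Desktop')
Get-ChildItem -Path $desktop -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.[A-Za-z0-9]{2,4}\.(exe|scr|com|bat)$' } |
    ForEach-Object { $findings += "Double-extension file: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No leftovers from the thread found.' } else { $findings }
```

Any hit it prints is a reason to re-run the corresponding OTM or HJT step and post fresh logs; a clean run is expected after the fixes in posts 3 and 7.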
  8. opivyattack

    opivyattack Private E-2

    Oh sorry, lol. I guess the computer is running okay. There was a pop up ad when I opened Firefox to look at this thread. I don't have much to compare to since it isn't actually my computer though.

    So there was a McAfee pop-up that said a virus was removed. I think it must have been deal runner because when I ran HJT, it didn't show the key that you mentioned. Therefore, it also would let me attach mglogs.zip since it hadn't changed. Instead, I saved a new HJT log and attached that.

    I uninstalled McAfee because it was a trial version that is expired anyways. I'll install Avast or something once we're done.
     

    Attached Files:

  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    That's an additional reason for an updated MGLogs.zip.

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Then attach the updated C:\MGlogs.zip to your next reply.
     
  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member


    Still waiting for the updated MGLogs.zip to complete the cleaning.....

    dr.m
     
  11. opivyattack

    opivyattack Private E-2

    It's not allowing me to upload files.. Server keeps timing out.
     
  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please download this file to your desktop.

    BITS.reg

    • Now click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right-click on regedit.exe and select "Run As Administrator"
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the BITS.reg file saved to your Desktop and double-click it. Allow it to be added to the registry.
    Then reboot!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right-click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created.
     
  13. opivyattack

    opivyattack Private E-2

    It's worth noting that there were errors loading the reg file. mglogs attached.
     

    Attached Files:

  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Although you didn't give details, importing the reg file was successful, as shown by your Background Intelligent Transfer Service (BITS) running and successfully attaching the file I requested.

    You have quite a few processes loading at startup, please view the below link for tool links to control them. (Help deciding what is not needed is available in our Software Forum.)

    Dealing with Startup Processes

    *Since you have un-installed the trial McAfee software, I don't see the need for "McAfee Virtual Technician" so I recommend un-installing it also.

    *Mozilla Firefox 12.0 (x86 en-US) is outdated and a security risk, the current version being 17.0.1

    * If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. It provides no "real-time" protection unless you purchase it and does not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Delete RogueKiller, HitManPro and any other miscellaneous tools we may have had you download.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be
      added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
    Safe surfing!
     
