Windows Mal Soft Rem Tool doesn't know if I'm infected or not!

Discussion in 'Malware Help (A Specialist Will Reply)' started by ulrichburke, Jan 16, 2014.

  1. ulrichburke

    ulrichburke Private E-2

    Dear Anyone.

    So my computer developed random freezes, everything slowed down to a crawl. I downloaded the Windows Malicious Software Removal Tool, was VERY patient for almost 8 hours while it scanned my system and on the way through it clocked up 14 infected files on a 2T drive. Great, thought I, I'll get rid of those at the end....

    Then it reached the end of the scan and told me my computer wasn't infected with anything - AFTER clocking up 14 infected files on the way through! I've got no idea where/what the files were, I blithely thought, never having used the tool b4, it would offer to delete/fix/quarantine the files it had found at the end of its scanning.

    So what do I do next? I've scanned it once with Super Anti Spyware, found 3 infections and killed them. Once with Avast Free, found 1 more infection and killed that. Now Windows Malicious Software Removal Tool says I've got 14 more hiding somewhere - then tells me I'm clean! Everything's still as slow as it was before the scan so I'm pretty sure they're still out there somewhere - desktop still freezes too. What do I do next - re-run the Malicious Software Removal Tool and stop it before the end and clean the 14 files it's going to find (it must do because they haven't been changed.)

    Or can you recommend another tool - freeware/cheap(ish!)ware - if it's brilliant and consistent I'll consider forking out bucks for it - that'll find the viruses Windows Malicious Software Removal Tool found at one point, then lost again!?!

    Yours hopefully

    Chris.
     
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    Let's run another set of tools -

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and then attach the requested logs to your next reply when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run RogueKiller, Malwarebytes, HitmanPro and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    * Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated - our system works the oldest threads FIRST.
     
  3. ulrichburke

    ulrichburke Private E-2

    Dear Dr. Moriarty.

Here are the files you wanted - hopefully - never tried attaching files this way before! If I make any dumbasses, just tell me and I'll re-attach. I selected them all, chose UPLOAD and closed the window - I HOPE that was the right thing(s) to do.

    Yours with great thanks

    Chris.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs were from safe boot mode. You should be in normal boot mode not safe mode.

    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
    AVG SafeGuard toolbar
    File Type Assistant
    PutLockerDownloader

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    D:\Documents and Settings\Chris Burke\Application Data\AVG SafeGuard toolbar
    D:\Documents and Settings\Chris Burke\Local Settings\Application Data\AVG SafeGuard toolbar
    D:\Documents and Settings\Chris Burke\Local Settings\Application Data\Conduit
    D:\Documents and Settings\Chris Burke\Local Settings\Application Data\PutLockerDownloader v7.0
    D:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar
    D:\Documents and Settings\Chris Burke\Desktop\PutLockerDownloader.lnk
    D:\Documents and Settings\Chris Burke\Start Menu\Programs\PutLockerDownloader.com
    D:\Program Files\AVG
    D:\Program Files\Common Files\AVG Secure Search
    D:\Program Files\PutLockerDownloader v7.0
    D:\WINXP\Temp\*.*
    D:\Documents and Settings\Chris Burke\Local Settings\Temp\*.*
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{c9a6357b-25cc-4bcf-96c1-78736985d413}"=-
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    "gupdatem"=-
    "gupdate"=-
    "SkypeUpdate"=-
    "gusvc"=-
    "Yontoo Desktop Updater"=-
    "vToolbarUpdater17.0.12"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Allmyapps]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Allmyapps Update]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DivXUpdate]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IDMan]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NextLive]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QtraxNotification]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2216F0C2-4A43-4640-8D22-A6EA476CF518}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{955561A8-A76E-421E-BB37-EA8254CD69E4}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
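As an added, read-only check that is not part of chaslang's OTM fix above: this PowerShell script (assumed to run from an elevated prompt on the cleaned machine) reports whether the browser helper objects, toolbar entries, MSConfig startup items and search scopes targeted by the OTM script are still present, and resolves each remaining BHO CLSID to the DLL it loads, so the result of the fix can be verified before attaching logs.

```powershell
# Added audit script (not chaslang's OTM fix). It only reads the registry and
# reports which of the entries targeted above still exist; it removes nothing.
$bhoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$tbRoot    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
$msconfig  = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'
$scopeRoot = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'

# Whole keys the OTM script deletes ([-KEY] lines)
$keysToCheck = @(
    "$bhoRoot\{5C255C8A-E604-49b4-9D64-90988571CECB}",
    "$bhoRoot\{95B7759C-8C7F-4BF1-B163-73684A933233}",
    "$scopeRoot\{2216F0C2-4A43-4640-8D22-A6EA476CF518}",
    "$scopeRoot\{955561A8-A76E-421E-BB37-EA8254CD69E4}",
    "$scopeRoot\{95B7759C-8C7F-4BF1-B163-73684A933233}"
)
$startupItems = 'Allmyapps','Allmyapps Update','DivXUpdate','IDMan',
                'NextLive','QtraxNotification','vProt','WinampAgent'
foreach ($s in $startupItems) { $keysToCheck += "$msconfig\startupreg\$s" }

# Individual values the script removes ("name"=- lines) under keys that stay
$valuesToCheck = @{
    $tbRoot              = @('{c9a6357b-25cc-4bcf-96c1-78736985d413}',
                             '{95B7759C-8C7F-4BF1-B163-73684A933233}')
    "$msconfig\services" = @('gupdatem','gupdate','SkypeUpdate','gusvc',
                             'Yontoo Desktop Updater','vToolbarUpdater17.0.12')
}

$findings = @()
foreach ($k in $keysToCheck) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $line = "KEY still present: $k"
    if ($k -like "$bhoRoot\*") {
        # A BHO is loaded into every Internet Explorer process; show which DLL
        # the CLSID points at so the surviving module can be identified.
        $clsid = Split-Path -Leaf $k
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $srv) {
            $dll = (Get-ItemProperty -LiteralPath $srv).'(default)'
            $line += "  -> loads $dll"
        }
    }
    $findings += $line
}
foreach ($k in $valuesToCheck.Keys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $names = (Get-ItemProperty -LiteralPath $k).PSObject.Properties.Name
    foreach ($v in $valuesToCheck[$k]) {
        if ($names -contains $v) { $findings += "VALUE still present: $k\$v" }
    }
}
if ($findings.Count -eq 0) { 'None of the targeted registry entries remain.' }
else { $findings }
```

Any entry it lists after a reboot means that part of the OTM fix did not take (or was recreated), which is worth mentioning alongside the logs.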
     
  5. ulrichburke

    ulrichburke Private E-2

    Dear Chaslang et al.

    For starters - thanks for all your help. You asked me to tell you how the computer's feeling - it seems groggy but better. I'm attaching as many of the logs you wanted as I could find - but there's a couple of things to watch out for because the logs don't seem to mention them.

    When JRT was scanning the Registry, it hit a pile - about 30 - CLSIDs that came up 'access denied'. I tried doing a screenshot of the DOS page but the screenshot didn't 'take', when I tried to paste it into PAINT nothing happened and they were scrolling by too fast for me to copy-type them. But there was nothing mentioned about 'access denied' CLSIDs in the JRT log. I had to find/download the .SCR version of Old timer's program because something wasn't letting anything with a .EXE onto the computer at that point. There wasn't a MOVE IT button, but a FIX IT one so I clicked on that and a whole pile of things came up as 'successfully moved' so I hope I did the right thing. And the line wasn't yellow, it was blue, but there was an obvious box to paste the data into, so I did that before starting things. It froze solid when it tried to scan the Recycle bin. There's something in there that won't delete for love nor money, it just comes up as locked and even Unlocker won't unlock it. (Unlocker THINKS it's unlocked it until you try to delete it then it says it's locked again.) And there's a very peculiar last problem that's just started.

    I now seem to be connected to the internet TWICE. The official connection's a Rhine III connection, 100mbps. But there's another one that's 10mbps and if you try to disable it, it says 'It is not possible to disconnect at this time. The system is busy with a connect or disconnect operation'. The link in 'Network Connections' on Control Panel just says: 'Internet Connection. Connected. Internet Connection.' And you get the same error message if you try to delete that. That's why I was in SAFE mode the first time, I was trying to clear/kill this mysterious second connection. It CAN'T (surely) be an I386 job because I've disabled that in BIOS. AND checked to make sure it's still disabled there (it is). Dunno if this second connection's the reason but I can't stream video any more - 3 seconds, stop. Dead stop. No video downloading to watch offline, no streaming, zilcho. I'm on Virgin, got 100mbps main connection (I know about contention but that's what the system THINKS I've got) and it WAS streaming pretty well at one point, few days back. Could this weird second connection be the reason?

    Just to finish off - I do NOT d/l porn (or watch it - I have too much respect for women) Dodgy software - I have a ton of soundfonts which I write music with (on legit software, Quick Score Elite Level 2, which I bought) but that's about it and the SF2s were mainly from sites like Hammer sound and Home Musician. I'll own up - I got a cracked copy of Cubase but I've never actually installed that because it's too much for my poor brain till I can find real-life lessons.

    Is Streambit Video Accelerator safe, got that to try to get my streaming back, I like watching online sport (NOT porn, just sport, movies, narrowstep TV on sites like Zattoo, things like that.) I use Firefox and Streambit hasn't made THAT much difference yet, TBH.

    It's saying I've attached the MGLogs in the last E_mail so it's not letting me attach them again, but I'm willing to E-mail them to you.


    Thanks again for all your help. Looking forward to your reply.

    Chris.
     

    Attached Files:

    • OTL.Txt (174.2 KB)
    • JRT.txt (7.5 KB)
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow the instructions given. You need to run the GetLogs.bat program as instructed first.

    Also I did not ask you to run a scan with OTL. My instructions gave you a fix and you needed to run OTM. Please follow instructions properly. You actually need to follow them all over again since you did not follow them properly. You don't have to rerun JRT though. Just OTM and then the GetLogs.bat programs.
     
  7. ulrichburke

    ulrichburke Private E-2

    Dear ChasLang.

    Very sorry I downloaded the wrong program to begin with. Had to d/l the oldtimer program from an Internet cafe computer because mine flat wasn't letting anything with .EXE on the end be downloaded.

    I ran it, now I'm running the Get Logs program and I'm not sure if I've hit a problem or not. It's NWKTST.bat. I know it says 'be patient' and I am being patient but it's sat Checking Local Loopback Ping (its words) for the last 6-7 hours so far. Nothing else appears to be going on much. How long does it normally take (you're allowed to say 'days' if you want to and I'll just leave it going. Would it be OK to do my computer work around it though, just leave it in its own window doing its own thing?)

    The Oldtimer program hit a problem - the stubborn, invisible folder in my Recycle bin. No matter what hits it, it says 'Can't remove Folder DD622 - Access is Denied!' It's survived all your lovely software AND Avast Free, SuperAntiSpyware and Spybot Search and Destroy (used before coming to your forum.) In fact that's the reason I was in Safe Mode originally, I thought that would immobilise whatever was creating that folder and let something actually wipe it. I've tried the 'show all hidden files' settings and that's not working so I can't rename it to delete it. Dunno if it's got anything to do with this mysterious second Internet connection I've got, or if it's the mysterious second connection that's holding up the ping thing, but NwkTest (got the capitalisation right that time) is just sitting there, minding its own business, not seeming to be doing much.... I'll leave the computer on with it running until you tell me otherwise (or not) but I'd like to know how long it usually takes (in hours/days/hopefully not weeks...) Still can't stream video, any stream lasts less than 2 seconds now and I was getting a full minute! I'm SURE it was streaming pretty well a week or so back, haven't been in this apartment long (or used the computer THAT much) but I'm sure it was.

    Could the lack of streaming be the fact I have to be on Virgin Internet, because they're monopolising my building (I live in England and Virgin are the only people with lines going to this building, so can't easily be with anyone else!) I'm on a theoretical 100mbps. I dunno....

    Thanks for your help so far. Sorry I used the wrong software, thought it was the same thing renamed to be downloadable.

    Yours respectfully

    Chris.
     

    Attached Files:

  8. ulrichburke

    ulrichburke Private E-2

    Dear Chaslang et al.

    It's been many hours - ten or 11 - since I started running Get Logs and very slowly everything's been getting harder and harder to access - websites won't load, forget streaming video, ain't gonna happen, music software's developed EXTREME weird sound probs (I'm trying to learn to write computer music from online videos - sad, no!) - so I'm gonna take a chance and restart the computer and re-run Get Logs.

    I'm doing this at my own risk, I know, I won't blame you if the computer dies on restart. It's just I've gotta TRY to get this piece finished by tomorrow. And I dunno what else to do - sound's SO quiet even on max now I can't hear what I'm writing. And I can no longer watch my tutorials.

    Yours respectfully

    Chris.
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you able to run the GetLogs.bat in safe mode?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds to me like you are blocking some items in your protection software. Could even be your firewall. You may be blocking the ping command or some others. Shutdown all protection software including your firewall while you run GetLogs.bat and see what happens.

    We will worry about this later. May not even be a malware related item.
     
