Resolved Malware nightmare

Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Copy the code below in the quotebox, go back to OTL and paste it in the Custom Scans/Fixes box:

    DRIVES
    SHOWHIDDEN
    msconfig
    activex
    drivers32
    netsvcs
    CreateRestorePoint
    %systemroot%\system32\sysprep
    c:\*.xpi /s /md5
    %systemroot%\Downloaded Program Files\
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %SYSTEMDRIVE%\*.exe /md5
    "%WinDir%\$NtUninstallKB*$." /30
    %systemdrive%\Program Files\Common Files\ComObjects\*.* /s
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\Installer\ /s
    %systemroot%\system32\Cache\ /s
    %systemroot%\system32\config\systemprofile\Application Data /s
    %appdata%\*.*
    /md5start
    volsnap.sys
    services.exe
    userinit.exe
    afd.sys
    ipnathlp.dll
    winlogon.exe
    atapi.sys
    explorer.exe
    /md5stop
  • Click the Run Scan button. The scan will not take long.
  • When the scan completes, it usually opens two notepad windows: OTL.Txt (displayed on screen) and Extras.Txt (minimized). These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of OTL.txt and paste (Edit->Paste) it into your next reply. I will let you know if I need the Extras.txt.

Note: in the event that OTL fails to run, please use alternate download links to try again:

http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr
 
Merry Christmas!
There was no Extras.txt. OTL.txt was too big to paste and post so I have attached it.
 

Attachment: OTL.Txt (108.3 KB)
OTL Fix

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :OTL
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=102&q={searchTerms}
    IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}
    [2012/12/24 18:10:01 | 000,159,608 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe.fcbe.deleteme
    [2012/12/21 19:16:33 | 000,000,000 | ---D | C] -- C:\found.003

    :files
    ipconfig /flushdns /c

    :commands
    [emptytemp]
    [reboot]
  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

Once done, tell me how it went. :)
 
The fix took about 2 seconds to run and I rebooted as requested (log posted below). It doesn't seem to have fixed anything however. Same as before, if I try to run any programs such as Malwarebytes, RogueKiller, TuneUp Utilities etc. it comes back with program not found. I also still have that MRI-DISABLED window opening when it boots up.

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\ not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
C:\Windows\System32\mfevtps.exe.fcbe.deleteme moved successfully.
C:\found.003\dir0001.chk folder moved successfully.
C:\found.003\dir0000.chk folder moved successfully.
C:\found.003 folder moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\AdministratorTB\Desktop\cmd.bat deleted successfully.
C:\Users\AdministratorTB\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: AdministratorTB

User: All Users

User: Default

User: Default User

User: Public

User: User

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 216312 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12262012_181751

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Let me know if the problem resolves after this:

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

Go to Step 4 and under "System Restore" click on Create button:

Go to Start Repairs tab and click Start button.

Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

Click on box next to the Restart System when Finished. Then click on Start.
 
I downloaded and ran Step 2 from Safe Mode. Message stated that it may not totally work from Safe Mode but it won't run at all from normal mode. The system rebooted and I'm not sure Step 2 even completed. After numerous attempts I finally was able to log back into Safe Mode. I ran Step 3 and it stopped before completing. The log file is attached. The file was there but now is missing.
 
SystemLook x86 scan

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    mri-disabled
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook 30.07.11 by jpshortstuff
Log created at 12:22 on 28/12/2012 by AdministratorTB
Administrator - Elevation successful

========== regfind ==========

Searching for "mri-disabled"
No data found.

-= EOF =-
 
I changed the search for MRI only and got these results:

SystemLook 30.07.11 by jpshortstuff
Log created at 12:24 on 28/12/2012 by AdministratorTB
Administrator - Elevation successful

========== regfind ==========

Searching for "mri"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriam.ttf]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriamc.ttf]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_en-us_d1ba072ce8bde1da\f256!mrinfo.exe.mui]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_none_e2e61401d5327d4f\f256!mrinfo.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{56E2294F-69ED-4629-A869-AEA72C0DCC2C}]
@="IWMPCdromRip"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\MRI_DISABLED]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0F78997E43E0CC248BFFC668A0EE2BA6\Features]
"tt_1033"="6OI'^MRns9O*$8Wg2DTc)-ZBx+fN0?EE2IHD?MWiZqwwimQlp?HN2q!&[=1&S2kjNxDxG=?@g(`}X`)T9LI4Uul?2AL&6[[42rqMD+fo,}~-AAG2'18Fo,*D?Wi.*drxi9($HA-yUPM2Z]^TZiGZu@?W=P4ifJxFyAbMgMQsI@j{K?)qMD*?gh13I!.Vm=N^qF`jB~+7{6ai'qL15?J_x3meV0gYocUrF._y2@U!0I=Pptq*Xs+5YPe{,@ZLz3+D&18ah74f??N6G90(,xdjkNYFYk!K0v,]$?I}J$N_}*7slh2'bYeOT9pn!p@}(UM`kme$Y,O?p8oQ(IpwSB'UWJkWI}t_N?Qf(zmB^AWt@^!Rp$HC1?mDSzuhaNFmZMDSV6U=t?lUt*H5e4.FufIvl0n0L?3T1_]9XoYnA!i5ptQ}J=thAtQWy}HKX*xl2(?ZNAZg{X,Tqs!=}PkI*@C*8=X'P2)Eq01_eq$~^}eoZ9,A)[areGTY,i7]5ckW8@rmG`O$9@7^QXZQCl&H'=o~tIv{KdM_CB2}?,[y~9Su7*@`I$']b$ALX%PRc@=T@hi}LDq3]7*~YfPDw?sFZt*X(P^d_+9C%%N`h?W]!o[~uASC]C(w(iykT=GH&e$']03LvL}XL@p'c8ml_}Kaw@a5-?~Qoeq9U=F!(cI_^F0T^jRia~5P{=?5JEb~q?]*Ra~nxkP)@=T&siC?fu)$=y-s1Ndya9!y0-,i5At-L=@uq[.3K?8fx`LXU14R[EOOv7O]g8l~*`Yu8DkrzHYBp3Z9Y?qB]hSvfk&z8Y6DW$F_P9Vz^7il-E57sf*_[F--?==8$,[_7x_sg~Ecaqou@Aq?[uEDf!0f(c{=$`$jM?
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\20441E9C136328143B77B6D0BFC13093\Features]
"QuickTimeEssentials"="TD_.UDBXu9BWe%xw`*tdY(M'Oa8YX?JlP@zA]?dPU'[}?D]p_8aFZU26(O)[hD8f.KZhu?&dw?G7u'fPzfo.6e(KeAg$b)n.g0eYg!k!9TzPM@)}t+*JIz1i4z2ey8W`a?D]ELG3@5.sz{wUL^qGU9+V'pFBY167$8!_Ybs}-?.O0CEPt)N@kFEf,EBz29xq[ai?&N^9*wdErlmYS9+*yq?_IkZ!fx]&I`tLc?e@(-c[U,Tp3xCRE$sf??9s4rg{{amE9@pQtORFU9&N5+$Z7WNRdA*0[DkQS9~j=6,?!GhQr&yS?)jd2=s4qL'&K&]DA[hddxHdg=T$[77]0RY(Pq8G!DDJ+?XUH52f{V.h@=UBE4J}W@((MkkP8^GfMqkwbm~Rq8%Xk!`%M'$Y?s]I^Eh$4=V0~{Irc5!(LSq@vvIH(?E=5m3sDcoY`5uXN,k-}?yq[nA^NJK*OU-WKewhJAW+cnwVo8~Gi?iObgW!Y@Kt%dM.{HTu4Zi4U$vly9[eA(A3zHmm$jm8[TD!C?ZGQvISNfy^e$h)4K2}]@PnN.ONtwG320p4YymJ+=^jfLO9!NbRWfNVY4!3cA-F6n2-atXtQ[[w?O[Ft?I+]O!&C?toqHQLl~S?P?&zn*j^s![%s$WU*D`[R=W%PnUfuFIs}RG*ZF5,)@O@9N@378'mg2O@l!Y!b9!DZ[LuVLHI9iRW^FgfN@4PdUWvj+jb~%VFt.4f%=$tPK_sK!J!)4b`kql0s953rb(Db`8OoWoeg,hav9vN@0AONU9qqoSpK4E[+?cvk'J6O0`zY[Ek*[Q1T=w^kOYi_KixF9C=MOE939a_]$1p?@xuaVPlpCF1E@Nn+UsCq{
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriam.ttf]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-font-truetype-miriam_31bf3856ad364e35_none_963f1bbe72a27c80\f256!mriamc.ttf]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_en-us_d1ba072ce8bde1da\f256!mrinfo.exe.mui]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_none_e2e61401d5327d4f\f256!mrinfo.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Miriam (TrueType)"="mriam.ttf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Miriam Fixed (TrueType)"="mriamc.ttf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\Defaults]
"BottomRightCornerPlugInID"="SynTP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPCpl\Controls\2Tapping\Tap Zones\Bottom right action\Action List]
"TPZone"="TP_ZoneID_BottomRight"
[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPCpl\Pages\Gestures\Bottom Right Action]
"TPZone"="TP_ZoneID_BottomRight"

-= EOF =-
 
OTL Fix

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\MRI_DISABLED]

    :commands
    [emptytemp]
    [reboot]
  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
Let me know if the message disappears. :)
 
I did the hard boot and the MRI_DISABLED window still came up. Here is the log:
All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\MRI_DISABLED\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: AdministratorTB

User: All Users

User: Default

User: Default User

User: Public

User: User

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 57995 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12292012_181821

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Download, install, and run Whats Running.
Click on Take snapshot in the left pane.
New pop-up window will open.
Click on Save snapshot, and save the file as snap (.xml extension will be added automatically) to a known location.

Zip the file, and attach it to your next reply.
 
Sorry, I didn't see your reply. Here is the file.
Happy New Year!
 

Attachment: WhatsRunning.zip (1.4 KB)
Not sure if previous attachment was correct so I am attaching this file
 

Attachment: WhatsRunning.zip (63.8 KB)
Found it. :)

OTL Fix

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :files
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED

    :commands
    [emptytemp]
    [reboot]
  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

Let me know if it pops up on reboot, please. :)
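As an added example, not part of this thread and not code from OTL or SystemLook: the registry search above could not find the MRI_DISABLED item because it lived in the all-users Startup folder, not in the registry. The PowerShell script below, written for this page, walks the locations the thread touched by hand (Startup folders for all users and every profile, Run/RunOnce keys in the machine and loaded user hives, the scheduled task files the OTL scan listed, and the IE SearchScopes with the DefaultScope flagged, as in the search-results.com scope removed earlier) and reports which entries match a name. It assumes an elevated PowerShell prompt on Vista or later; the default pattern MRI_DISABLED is taken from this thread and the script's layout and helper name are my own.

```powershell
# Added example (not from the thread, OTL or SystemLook): one pass over the
# autostart locations and IE search scopes this thread checked by hand.
# Run from an elevated PowerShell prompt. $Pattern is an assumption taken from
# the thread; substitute the name in the unwanted window or key (used as a regex).
param([string]$Pattern = 'MRI_DISABLED')

$findings = @()
function Add-Finding($Source, $Name, $Location, $Value) {
    # Hypothetical helper; collects one row per item found.
    $script:findings += New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Location = $Location; Value = $Value
    }
}

# 1. Startup folders: all-users (where this thread's MRI_DISABLED lived) plus
#    each profile under \Users. A registry-only search never sees these.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($prof in Get-ChildItem "$env:SystemDrive\Users" -ErrorAction SilentlyContinue) {
    if ($prof.PSIsContainer) {
        $startupDirs += Join-Path $prof.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }
}
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        foreach ($item in Get-ChildItem $dir -Force -ErrorAction SilentlyContinue) {
            Add-Finding 'StartupFolder' $item.Name $item.FullName $null
        }
    }
}

# 2. Run / RunOnce values: machine hive plus every user hive loaded under HKEY_USERS.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($hive in Get-ChildItem HKU:\ -ErrorAction SilentlyContinue) {
    $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($providerProps -notcontains $p.Name) { Add-Finding 'RunKey' $p.Name $key $p.Value }
        }
    }
}

# 3. Scheduled task files the OTL scan above listed (legacy .job and Vista+ XML tasks).
foreach ($taskDir in "$env:SystemRoot\Tasks", "$env:SystemRoot\System32\Tasks") {
    foreach ($t in Get-ChildItem $taskDir -Recurse -Force -ErrorAction SilentlyContinue) {
        if (-not $t.PSIsContainer) { Add-Finding 'ScheduledTask' $t.Name $t.FullName $null }
    }
}

# 4. IE search scopes, with the DefaultScope marked so a hijacked default stands out.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $scopes = "$hive\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
    if (Test-Path $scopes) {
        $default = (Get-ItemProperty $scopes -ErrorAction SilentlyContinue).DefaultScope
        foreach ($s in Get-ChildItem $scopes) {
            $src = 'SearchScope'
            if ($s.PSChildName -eq $default) { $src = 'SearchScope(DEFAULT)' }
            $url = (Get-ItemProperty $s.PSPath).URL
            Add-Finding $src $s.PSChildName $scopes $url
        }
    }
}

# Full inventory first, then only the entries whose name, value or path matches $Pattern.
$findings | Sort-Object Source, Name | Format-Table Source, Name, Value, Location -AutoSize
$hits = $findings | Where-Object {
    ($_.Name -match $Pattern) -or ("$($_.Value)" -match $Pattern) -or ($_.Location -match $Pattern)
}
if ($hits) { "`nEntries matching '$Pattern':"; $hits | Format-List Source, Name, Location, Value }
else       { "`nNothing matching '$Pattern' in the locations checked; widen the search to services, BHOs and WMI subscriptions." }
```

Save it as a .ps1 and run it as `.\Audit-Autostart.ps1 -Pattern MRI_DISABLED` (file name is an assumption). Matching is done on the name, the value and the full path, so a Startup-folder item, a Run value whose command line contains the string, and a registry key named after it are all caught by the same pattern, which is the gap between the regfind and the Startup-folder fix in this thread.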
 
Thank you, that got rid of the MRI_DISABLED. Now we are back to the original problem.

All processes killed
========== FILES ==========
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: AdministratorTB

User: All Users

User: Default

User: Default User

User: Public

User: User

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 36890 bytes
RecycleBin emptied: 139264 bytes

Total Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 01022013_153911

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Please explain in detail any other issues.

I'll be out for the remainder of the day. Got an anniversary dinner to go to. Be back in the morning (ET). :)
 
In Normal Mode all original problems continue to exist. If I try to run any programs such as Malwarebytes, RogueKiller, TuneUp Utilities etc. it comes back with program not found. System Restore not working. The Volume Shadow Copy Service not working.

Enjoy your dinner. Tomorrow I will be back at work during the day and will be out in the evening. I won't be able to act on anything until late.
 
  • Please download VEW by Vino Rosso from here and save it to your desktop
  • Double click it to start it. Note: If running Windows Vista or Windows 7 you will need to right click the file and select Run as administrator and click Continue or Allow at the User Account Control prompt.
  • Click the check boxes next to Application and System located under Select log to query on the upper left.
  • Under Select type to list on the right click the boxes next to Error and Warning. Note: If running Windows Vista or Windows 7 also click the box next to Critical (not XP).
  • Under Number or date of events select Number of events, type 20 in the box next to 1 to 20, and click Run.
  • Once it finishes it will display a log file in notepad
  • Please copy and paste its entire contents into your next reply
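The same query VEW is being asked to run, as an added PowerShell example that is not from the thread or from VEW: the 20 newest Critical, Error and Warning records from the Application and System logs, one line per event. In the event-log API the levels are numbered 1=Critical, 2=Error, 3=Warning, which is why VEW's Vista/7 note adds Critical. The function name and the `-Newest` default are my own.

```powershell
# Added example (not from the thread or VEW): what VEW's Application + System,
# Error/Warning/Critical, newest-20 query does, via Get-WinEvent (Vista+, PowerShell 2.0+).
function Get-RecentProblemEvents {
    param(
        [string[]]$LogName = @('Application', 'System'),
        [int]$Newest = 20          # assumption: matches the "20" VEW is asked for
    )
    foreach ($log in $LogName) {
        # Level 1 = Critical, 2 = Error, 3 = Warning. Get-WinEvent reports
        # "no events found" as an error, so silence it for an empty log.
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3 } `
                     -MaxEvents $Newest -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, LevelDisplayName, Id, ProviderName,
                @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

Get-RecentProblemEvents | Format-Table -AutoSize -Wrap
```

Because the output is objects rather than a notepad dump, it can be narrowed before posting; for the shadow-copy and System Restore failures reported above, piping through `Where-Object { $_.ProviderName -match 'VSS|volsnap|SystemRestore' }` (provider names are an assumption) isolates the relevant records.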
 