Jump to content

I'm not sure what it is, maybe wow.dll

Recommended Posts

I'm working on my mom's computer.  She's been getting random redirects to annoying ads and pages when she's online, so I did a scan using MSE and Malwarebytes.  It found Alureon.gq and supposedly fixed it, but now I'm getting popups with "There was a problem starting.....Local\Temp\sylexrv\sbrccuo\wow.dll The Specified Module Could Not Be Found." 


I ran both scans again and neither found anything else. 


I ran AVG - the free version - and it found Trojan Horse Crypt_s.BFL but it can't remove it. 


I ran the TDSSkiller that I found mentioned here, it didn't find anything. 


I ran the Malwarebytes Anti Rootkit that was mentioned, and it didn't find anything. 


Can you help me?


Thanks so much!



Link to post
Share on other sites

  • Root Admin

Hello and :welcome:

Please run the following scans and post back the logs and we'll see if we can get you fixed up and running well again.


Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

    STEP 02

    Please download Malwarebytes Anti-Rootkit from HERE

    • Unzip the contents to a folder in a convenient location.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt
    STEP 03

    Please download Junkware Removal Tool to your desktop.

    • Shutdown your antivirus to avoid any conflicts.
    • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next reply message
    • When completed make sure to re-enable your antivirus
    STEP 04

    Please download AdwCleaner by Xplode to your desktop.

    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • If prompted by the User Account Control click Yes to allow it to run.
    • Under Actions click on the Delete button.
    • Click OK on all prompts.
    • You will be prompted to restart your computer. A text file will open after the restart.
    • Please post the entire contents of that logfile to your next reply.
    • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.
    STEP 05


    Please go here to run the online antivirus scannner from ESET.

    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked
    • Click on Advanced Settings and ensure these options are ticked:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Click Scan
    • Wait for the scan to finish
    • If any threats were found, click the 'List of found threats' , then click Export to text file....
    • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Link to post
Share on other sites

Okay, I went through the steps, and here are the logs.  I'm cutting and pasting, hope that's okay?


Anti Root Kit Logs:


Malwarebytes Anti-Rootkit BETA

Database version: v2013.06.27.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Carolyn :: CAROLYN-LAPTOP [administrator]

6/27/2013 11:30:01 AM
mbar-log-2013-06-27 (11-30-01).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 236918
Time elapsed: 14 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)



2nd Log:



Malwarebytes Anti-Rootkit BETA


© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 8.0.7601.17514

Java version: 1.6.0_17

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.194000 GHz
Memory total: 2947440640, free: 1370193920

Downloaded database version: v2013.06.27.08
------------ Kernel report ------------
     06/27/2013 11:29:54
------------ Loaded modules -----------
----------- End -----------
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8003103630
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa8003085680
Lower Device Driver Name: \Driver\atapi\
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8003103630, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8003104040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8003103630, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8003085680, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Device number: 0, partition: 2
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\windows\system32\drivers...
Device number: 0, partition: 2
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D002DA7E

Partition information:

    Partition 0 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3072000
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 3074048  Numsec = 466100224

    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 469174272  Numsec = 19222528
    Partition is not bootable
Hidden partition VBR is not infected.

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250059350016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-488377168-488397168)...
Read File:  File "c:\programdata\avg2013\chjw\508a06968a0678ac.dat:61ecd17a-dfaa-4f5f-b142-972be8381965" is sparse (flags = 32768)
Read File: File "c:\Users\Carolyn\AppData\Local\Avg2013\log\avgcfg.log.1" is compressed (flags = 1)
Read File: File "c:\Users\Carolyn\AppData\Local\Avg2013\log\avgui.log.1" is compressed (flags = 1)
Read File: File "c:\Users\Carolyn\AppData\Local\Avg2013\log\avgcfg.log.1" is compressed (flags = 1)
Read File: File "c:\Users\Carolyn\AppData\Local\Avg2013\log\avgui.log.1" is compressed (flags = 1)
Scan finished

Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_2_469174272_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished


JRT Log:


Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Home Premium x64
Ran by Carolyn on Thu 06/27/2013 at 14:15:33.88


~~~ Services


~~~ Registry Values


~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\cr_installer
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\installedbrowserextensions
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\Software\crossrider
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CrossriderApp0021804.BHO
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CrossriderApp0021804.BHO.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CrossriderApp0021804.Sandbox
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CrossriderApp0021804.Sandbox.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\CrossriderApp0021804.BHO
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\CrossriderApp0021804.BHO.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\CrossriderApp0021804.Sandbox
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\CrossriderApp0021804.Sandbox.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\clsid\{22222222-2222-2222-2222-220222182204}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\wow6432node\clsid\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\wow6432node\clsid\{22222222-2222-2222-2222-220222182204}


~~~ Files


~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\partner"
Successfully deleted: [Folder] "C:\Users\Carolyn\AppData\Roaming\pccustubinstaller"
Successfully deleted: [Folder] "C:\Users\Carolyn\appdata\local\coupon companion plugin"
Successfully deleted: [Folder] "C:\Users\Carolyn\appdata\local\updater21804"
Successfully deleted: [Folder] "C:\Program Files (x86)\coupon companion plugin"
Failed to delete: [Folder] "C:\Program Files (x86)\pc checkup"


~~~ Chrome

Successfully deleted: [Folder] C:\Users\Carolyn\appdata\local\Google\Chrome\User Data\Default\Extensions\jneaojaoiajhnemidnjhoempalnidbhj


~~~ Event Viewer Logs were cleared



Scan was completed on Thu 06/27/2013 at 14:22:23.36
End of JRT log


ADWCleaner Log:


# AdwCleaner v2.303 - Logfile created 06/27/2013 at 14:28:25
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Carolyn - CAROLYN-LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Carolyn\Desktop\AdwCleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****


ESET Online Scanner Log:


C:\Users\Carolyn\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000030 Win32/DownloadAdmin.G application
C:\Users\Carolyn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4D8JO90L\metrics[1].htm HTML/Iframe.B.Gen virus
C:\Users\Carolyn\Downloads\cbsidlm-tr1_10a-BullZip_PDF_Printer-ORG-85827 (1).exe Win32/DownloadAdmin.G application
C:\Users\Carolyn\Downloads\cbsidlm-tr1_10a-BullZip_PDF_Printer-ORG-85827.exe Win32/DownloadAdmin.G application



Thank you!

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Software

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Google Chrome v27.0.1453.116

File : C:\Users\Carolyn\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[R1].txt - [832 octets] - [27/06/2013 14:27:29]
AdwCleaner[s1].txt - [768 octets] - [27/06/2013 14:28:25]

########## EOF - C:\AdwCleaner[s1].txt - [827 octets] ##########

Link to post
Share on other sites

  • Root Admin

Great, looking much better. 


Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment. 

    When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file




Next, download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.




How is the computer running now?  Are there still any signs of an infection?

Link to post
Share on other sites

Here are the newest log files:




DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514
Run by Carolyn at 18:16:32 on 2013-06-27
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2811.1226 [GMT -5:00]
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
============== Running Processes ===============
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\PC Checkup\SymcPCCULaunchSvc.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\\ccSvcHst.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\\ccSvcHst.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\system32\svchost.exe -k defragsvc
C:\Program Files (x86)\AVG\AVG2013\avgcfgex.exe
============== Pseudo HJT Report ===============

uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

TCP: NameServer =
TCP: Interfaces\{C50A4352-CE1B-4EA5-8B3F-80BCA94D1A6B} : DHCPNameServer =
TCP: Interfaces\{C50A4352-CE1B-4EA5-8B3F-80BCA94D1A6B}\341627F6C697E6 : DHCPNameServer =
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [smartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [smoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [smartFaceVWatcher] C:\Program Files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [intelliType Pro] "c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe"
x64-Run: [intelliPoint] "c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe"
x64-SSODL: WebCheck - <orphaned>
============= SERVICES / DRIVERS ===============
R0 AVGIDSHA;AVGIDSHA;C:\windows\System32\drivers\avgidsha.sys [2013-2-8 71480]
R0 Avgloga;AVG Logging Driver;C:\windows\System32\drivers\avgloga.sys [2013-2-8 311096]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\windows\System32\drivers\avgmfx64.sys [2013-2-8 116536]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\windows\System32\drivers\avgrkx64.sys [2013-2-8 45880]
R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\System32\drivers\MpFilter.sys [2013-1-20 230320]
R1 AVGIDSDriver;AVGIDSDriver;C:\windows\System32\drivers\avgidsdrivera.sys [2013-3-29 246072]
R1 Avgldx64;AVG AVI Loader Driver;C:\windows\System32\drivers\avgldx64.sys [2013-2-8 206136]
R1 Avgtdia;AVG TDI Driver;C:\windows\System32\drivers\avgtdia.sys [2013-3-21 240952]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2010-10-14 202752]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2013-4-18 283136]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-6-14 398184]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-6-8 682344]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;C:\Program Files (x86)\PC Checkup\SymcPCCULaunchSvc.exe [2012-11-28 132056]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\\ccSvcHst.exe [2010-10-14 126392]
R3 FwLnk;FwLnk Driver;C:\windows\System32\drivers\FwLnk.sys [2010-10-14 9216]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2011-4-20 169584]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2013-6-8 24176]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2010-10-14 35008]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-10-14 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2013-5-14 4937264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 NisDrv;Microsoft Network Inspection System;C:\windows\System32\drivers\NisDrvWFP.sys [2012-3-20 130008]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2013-2-17 19456]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2010-10-14 232992]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2013-2-17 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2010-12-21 1255736]
=============== Created Last 30 ================
2013-06-27 21:11:18 9552976 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C24B63D0-F785-47C5-84A1-F5F3BF3F18E3}\mpengine.dll
2013-06-27 19:41:09 -------- d-----w- C:\Program Files (x86)\ESET
2013-06-27 19:15:31 -------- d-----w- C:\windows\ERUNT
2013-06-27 19:15:09 -------- d-----w- C:\JRT
2013-06-27 13:51:37 -------- d-----w- C:\Users\Carolyn\AppData\Roaming\AVG2013
2013-06-27 13:50:29 -------- d-----w- C:\Users\Carolyn\AppData\Roaming\TuneUp Software
2013-06-27 13:49:03 -------- d--h--w- C:\$AVG
2013-06-27 13:49:02 -------- d-----w- C:\ProgramData\AVG2013
2013-06-27 13:48:00 -------- d-----w- C:\Program Files (x86)\AVG
2013-06-27 13:44:59 -------- d--h--w- C:\ProgramData\Common Files
2013-06-27 13:44:59 -------- d-----w- C:\Users\Carolyn\AppData\Local\MFAData
2013-06-27 13:44:59 -------- d-----w- C:\Users\Carolyn\AppData\Local\Avg2013
2013-06-27 13:44:59 -------- d-----w- C:\ProgramData\MFAData
2013-06-27 13:03:27 964552 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{88B59817-6003-4B20-847A-42E6116C78D8}\gapaengine.dll
2013-06-15 03:48:03 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-14 22:14:07 9460464 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-13 16:28:54 903168 ----a-w- C:\windows\SysWow64\certutil.exe
2013-06-13 16:28:54 1192448 ----a-w- C:\windows\System32\certutil.exe
2013-06-13 16:28:53 1464320 ----a-w- C:\windows\System32\crypt32.dll
2013-06-13 16:28:53 1160192 ----a-w- C:\windows\SysWow64\crypt32.dll
2013-06-13 16:28:52 52224 ----a-w- C:\windows\System32\certenc.dll
2013-06-13 16:28:52 43008 ----a-w- C:\windows\SysWow64\certenc.dll
2013-06-13 16:28:52 184320 ----a-w- C:\windows\System32\cryptsvc.dll
2013-06-13 16:28:52 140288 ----a-w- C:\windows\SysWow64\cryptsvc.dll
2013-06-13 16:28:52 139776 ----a-w- C:\windows\System32\cryptnet.dll
2013-06-13 16:28:52 103936 ----a-w- C:\windows\SysWow64\cryptnet.dll
2013-06-08 19:29:06 -------- d-----w- C:\Users\Carolyn\AppData\Roaming\Malwarebytes
2013-06-08 19:27:51 -------- d-----w- C:\ProgramData\Malwarebytes
2013-06-08 19:27:47 24176 ----a-w- C:\windows\System32\drivers\mbam.sys
2013-06-08 19:27:46 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
==================== Find3M  ====================
2013-06-12 14:25:10 71048 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 14:25:10 692104 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2013-05-17 06:14:05 1188864 ----a-w- C:\windows\System32\wininet.dll
2013-05-16 18:21:48 981504 ----a-w- C:\windows\SysWow64\wininet.dll
2013-05-16 17:10:29 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2013-05-16 16:44:21 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2013-05-10 05:49:27 30720 ----a-w- C:\windows\System32\cryptdlg.dll
2013-05-10 03:20:54 24576 ----a-w- C:\windows\SysWow64\cryptdlg.dll
2013-05-08 06:39:01 1910632 ----a-w- C:\windows\System32\drivers\tcpip.sys
2013-05-02 15:29:56 278800 ------w- C:\windows\System32\MpSigStub.exe
2013-04-26 05:51:36 751104 ----a-w- C:\windows\System32\win32spl.dll
2013-04-26 04:55:21 492544 ----a-w- C:\windows\SysWow64\win32spl.dll
2013-04-13 05:49:23 135168 ----a-w- C:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\windows\apppatch\AcGenral.dll
2013-04-12 14:45:08 1656680 ----a-w- C:\windows\System32\drivers\ntfs.sys
2013-04-10 06:01:54 265064 ----a-w- C:\windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53 983400 ----a-w- C:\windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50 3153920 ----a-w- C:\windows\System32\win32k.sys
============= FINISH: 18:16:42.91 ===============




DDS (Ver_2012-11-20.01)
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/20/2010 2:09:20 PM
System Uptime: 6/27/2013 4:08:59 PM (2 hours ago)
Motherboard: TOSHIBA |  | Portable PC
Processor: AMD Athlon II P340 Dual-Core Processor | Socket S1G4 | 2200/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 222 GiB total, 174.559 GiB free.
==== Disabled Device Manager Items =============
Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMTSSTCORP_CDDVDW_TS-L633C________________TF20____\5&22999ED2&0&1.0.0
Manufacturer: (Standard CD-ROM drives)
Name: TSSTcorp CDDVDW TS-L633C ATA Device
PNP Device ID: IDE\CDROMTSSTCORP_CDDVDW_TS-L633C________________TF20____\5&22999ED2&0&1.0.0
Service: cdrom
==== System Restore Points ===================
RP117: 4/8/2013 1:57:05 PM - Windows Update
RP118: 4/24/2013 9:03:03 PM - Windows Update
RP119: 4/26/2013 1:22:53 AM - Windows Update
RP120: 5/2/2013 12:53:25 PM - Windows Update
RP121: 5/7/2013 4:13:07 PM - Windows Update
RP122: 5/22/2013 9:18:11 PM - Windows Update
RP123: 5/24/2013 9:38:37 AM - Windows Update
RP124: 5/28/2013 12:27:34 PM - Windows Update
RP125: 6/6/2013 11:13:44 AM - Windows Update
RP126: 6/8/2013 11:28:33 AM - Restore Operation
RP127: 6/11/2013 10:37:56 PM - Windows Update
RP129: 6/14/2013 4:53:14 PM - Microsoft Antimalware Checkpoint
RP130: 6/14/2013 4:55:49 PM - Windows Update
RP131: 6/27/2013 8:00:48 AM - Windows Update
RP132: 6/27/2013 8:47:36 AM - Installed AVG 2013
RP133: 6/27/2013 8:48:18 AM - Installed AVG 2013
==== Installed Programs ======================
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.4
Amazon Links
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Atheros Driver Installation Program
ATI Catalyst Install Manager
AVG 2013
Bejeweled 2 Deluxe
Build-a-lot 2
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chuzzle Deluxe
Conexant HD Audio
Coupon Companion Plugin
ERUNT 1.1j
ESET Online Scanner v3
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Java 6 Update 17
Jewel Quest - Heritage
Junk Mail filter update
Label@Once 1.0
Malwarebytes Anti-Malware version
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Mouse and Keyboard Center
Microsoft Office 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Norton PC Checkup
Plants vs. Zombies
PlayReady PC Runtime amd64
Polar Bowler
Quickbooks Financial Center
Realtek USB 2.0 Card Reader
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Skype Launcher
Synaptics Pointing Device Driver
Toshiba App Place
TOSHIBA Application Installer
Toshiba Book Place
TOSHIBA Bulletin Board
TOSHIBA Disc Creator
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
Toshiba Laptop Checkup
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
Toshiba Online Backup
TOSHIBA Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Virtual Villagers 4 - The Tree of Life
Visual Studio 2010 x64 Redistributables
Wheel of Fortune 2
WildTangent Games
WildTangent ORB Game Console
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Zuma's Revenge
==== Event Viewer Messages From Past Week ========
6/27/2013 2:30:43 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  cdrom
6/27/2013 2:29:31 PM, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for FailureActions with the following error:  Access is denied.
==== End Of File ===========================




 Results of screen317's Security Check version 0.99.68 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
AVG AntiVirus Free Edition 2013  
Microsoft Security Essentials    
 Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 
 Out of date Malwarebytes Anti-Malware installed!
 Java 6 Update 17 
 Java version out of Date!
 Adobe Flash Player 11.7.700.224 
 Adobe Reader 9 Adobe Reader out of Date!
 Google Chrome 27.0.1453.110 
 Google Chrome 27.0.1453.116 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 AVG avgwdsvc.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````


The computer is running faster, and I'm not getting redirected or the ads on IE anymore or the popup error on startup about the wow.dll, but AVG is still showing the dialog about the Trojan Horse Crypt_s.bfl and is unable to apply the fix because "Access is Denied." 


On another note:  What would be your recommendation for a good anti-virus software?  This computer is used by my 76 year old mom and she needs something super easy to use that doesn't require much interaction from her.  I live an hour away so I can be of some help as far as updating and such.


Thank you!


Link to post
Share on other sites

  • Root Admin

Need to look and fix a few items.


Please remove ALL versions of JAVA and restart the computer.


Need to check for updates to MBAM as it's running an older version.  You need to install the newer version and again check for updates.

Is this a paid PRO version of MBAM or just the Free version?


You currently have 2 antivirus programs installed and you can only have one.  Not sure why AVG cannot remove it as it might be due to another application conflicting with it.


For now let's try doing a clean removal of AVG.   Then download their installer for the latest version.

Then once you have the installer remove AVG and reboot.  Then uninstall MSE antivirus and again reboot.





Then re-install AVG antivirus and update it and scan again and see if it still sees it and if it can remove it now.


You also need to update your Adobe Reader program.

Link to post
Share on other sites

I did all of those things, and I'm still getting the Crypt_s.bfl notification and AVG still can't remove it. 


I clicked on "details" and under "Extended element information" it says Process Name:  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe.


Is that relevant at all?


I am running the Pro Version of Malwarebytes.



Link to post
Share on other sites

  • Root Admin

arg... That is our program file.  You would think by now that AVG would stop targeting our program for removal.  They certainly wouldn't be happy if we tried to remove their program.


Okay so basically you need to exclude the following files from AVG



  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbampt.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe



Set Exclusions for Malwarebytes' Anti-Malware in AVG in Windows Vista and Windows 7:

  • Open AVG and close the pop-up ad that shows up on the bottom of the screen then double-click on Resident Shield
  • Click on Tools at the top and select Advanced settings...
  • Click on Excluded Items under Resident Shield
  • Click on the Add Path button on the right
  • Click on the + next to Computer in the Browse For Folder window
  • Click on the + next to your system drive (usually C:)
  • Click on the + next to Program Files Note: This should be Program Files (x86) for 64 bit Windows versions.
  • Click once on the Malwarebytes' Anti-Malware folder so that it is highlighted and click on OK
  • Click on the Add Path button on the right
  • Click on the + next to Computer in the Browse For Folder window
  • Click on the + next to your system drive (usually C:)
  • Click on the + next to ProgramData
  • Click once on the Malwarebytes folder so that it is highlighted and click on OK
  • Click on the Add File button on the right and click on Computer on the left
  • Double-click on your system drive (usually C:)
  • Double-click on Windows
  • Scroll to the right until you find the System32 folder and double-click on it
  • Double-click on the drivers folder
  • Scroll to the right until you find mbam.sys and double-click on it
  • Click on the Apply button at the bottom of the program window and then click on OK
  • Close the AVG window



Set Exclusions for AVG in Malwarebytes' Anti-Malware:

  • Open Malwarebytes' Anti-Malware and click on the Ignore List tab
  • Click on the Add button
  • In the small browse window that opens, navigate to C:\Program Files and click once on AVG and click OK
  • Close Malwarebytes' Anti-Malware
Link to post
Share on other sites

My (free) version of AVG didn't work exactly as you described for adding exclusions, but I was able to figure out how to do it.  When I tried to exclude mbam.sys I could not see the file within AVG when I browsed for it, even though I can see it when I browse through Windows Explorer.  I was able to add the other exclusions, and excluded AVG in Malwarebytes. 


I'm still getting the alert for crypt_s.bfl in AVG, and it still can't be removed because Access is Denied. 


Thanks so much for all your continued help.

Link to post
Share on other sites

  • Root Admin

Because its not an infection it is our program.  Well I'm not familiar with the latest interface for AVG 2013 so I'll need to check or set that up and then post back to let you know what I find.


You can ignore that error for now and I'll try to get back to you in a day or so once I've had time to locate or set this up myself.



Link to post
Share on other sites

  • 2 weeks later...
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.