AVG Antivirus disabled, Trojan.Multi.GenAutorunReg.a Detected by KVRT

[AdvancedSetup]

It needs to be done from the clean computer, not from the infected one.

Yes, the USB should be fine to copy from. If it deletes it from the USB stick let me know.

It's very late for me so I'm heading out. Will check back on you again tomorrow.

Ron

 

[digitalcapibara]

I inserted my USB to the infected computer and ran FRST from it.  I then opened my browser and sent you this msg from infected with the log files attached.

The FRST exe file was not deleted from my USB after the scan.

Thanks,

Chris

Addition.txt

FRST.txt

[AdvancedSetup]

Okay, for now, let's get your hosts file back to the original one (I'll have FRST restore the original one). Then let's review your MSCONFIG again. You have a ton of stuff there. My suggestion, if you don't use or need it then uninstall the application. If you want the application but never want it to start up then just permanently remove the startup entry. Only reason to really use a startup program is if you want to easily turn it off and on again many times.

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager

Set MSCONFIG back to Normal and reboot. Run MSCONFIG again and make sure it's still on Normal.

 

Please uninstall the following for now. You can reinstall if you like once we're done here and the computer is working well again.
AVG Web TuneUp
Ad-Aware Browsing Protection
Bonjour
Java 8 Update 144
PeerBlock 1.1
Spybot - Search & Destroy (this is a very old version anyways)
 

 

Please try to run this FIX from Windows Normal Mode (using FRST and this attached fix file from your USB stick)

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks and let me know if you run into any issues.

Ron

 

 

 

Edited February 28, 2018 by AdvancedSetup

[digitalcapibara]

Ron: I set MSCONFIG to normal and upon reboot, it was back at Selective startup.  I tried it again and same thing.

At each reboot, 2 popup program application errors showed: RPLauncher.exe and STService.exe could not start.

I have gone no further than this.  Your thoughts?

[AdvancedSetup]

We can fix the other items. Not an issue.

How is the computer running in general? Is it running better now? Is it able to connect to the Internet?

 

[digitalcapibara]

OK, then should I continue with the uninstallation of those listed programs and your other instructions?

Regarding the computer experience presently:

• I checked my IE functionality.  The issue described last night (not being able to connect to the forum) has gone away.
• Still cannot open Outlook (pst file not recognized as a pst file).
• Irfanview photo viewer still not working, along with other programs.
• Things seem about the same as when I originated this topic.

[AdvancedSetup]

Yes, please proceed and do the removals. Then let's try running these other scans again and make sure they all work. Then we'll do another FRST and see if it completes this time or not.

After the removals please run the following.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

• If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• If you don't have Malwarebytes 3 installed yet please download it from here and install it.
• Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Right-click on the program and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan.
• When finished, please click Clean.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
• Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 

[digitalcapibara]

REMOVALS: Two programs were not removed:

1. AVG WebUpdater: uninstall starts, is approved, AVG screen comes up, select Uninstall, seconds later it dies, unfinished.  Program remains in my list.
2. Spybot: error popup attached.

MALWAREBYTES SCAN: no threats, see attached 

AdwCLEANER: downloaded OK, but could not open the program; see attached error msg (same message as Post #1 docs file).

Should I move on to Step 3 (reboot and FRST scan) without running AdwCleaner?

Chris

 

MB scan7 18 0228.txt

[AdvancedSetup]

Yes, please restart the computer and run a new FRST scan and post those logs.

Thanks

 

[digitalcapibara]

Here are the FRST logs...

Many thanks.  Who knew this would be so challenging.  I truly appreciate all of the effort you have put into helping me with it, Ron.  Amazing.

Chris

Addition.txt

FRST.txt

[AdvancedSetup]

Please try to run the AVG Removal Tool again and let me know how that goes.

 

In post #6 I asked you to reset your browsers. The logs show that was not successful.

Please make sure you log into Google Chrome and disable the SYNC - with sync on it automatically puts back all the junk we remove.

Here it is again. Please try to reset all your browsers again now.

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Microsoft Edge
How to Reset Microsoft Edge in Windows 10

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

• First, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
• Scroll down until you see the   "reset sync" button to clear your data from the server and remove your passphrase.
• Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
• Press the Windows key + R at the same time, to bring up the run dialog box.
  • 
• Type in (or copy/paste) the following and press Enter:     %localappdata%\Google\Chrome\User Data\Default\

1. Press Ctrl + A to select all the files and folders.
2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
4. Example of all files and folders selected, except Bookmarks

 

 

 

NEXT - Run the following fix.

NOTE: This will will also run a Full Disk Check on reboot, which may take a few hours to run depending on the speed of your computer. It should take at least 10 minutes to complete. Let it run please.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

 

 

 

Edited March 1, 2018 by AdvancedSetup

[digitalcapibara]

I reset all browsers and again stopped Google sync on all google accounts associated with the computer.  

Next, I deleted all the User Data files in Chrome.  There were no folders for Bookmarks, in fact, there was only one folder that came up at all.

Then ran the FRST Fix with file attached.  The computer did go through a restart.

Unfortunately, I am now unable to connect to/search the internet via Edge, the browser I have been using all through my posting.  Firefox seems OK, but I am afraid to open Chrome.

This msg is being sent via my "clean" computer.  Fixlog carried over from infected computer via the USB. I scan the USB when I plug into my clean computer (with Kaspersky Endpoint Security 10).   Do you see any danger or risk in shuttling the USB between the infected computer and other ones?

Fixlog.txt

Edited March 1, 2018 by digitalcapibara

[AdvancedSetup]

20 hours ago, AdvancedSetup said:

Please try to run the AVG Removal Tool again and let me know how that goes.

Were you able to run the AVG Removal Tool without any issues this time?

Please try restarting the computer one more time, then let me know how it's working in general. You should be able to run Chrome now without an issue (at least in theory)

Thank you

Ron

 

[digitalcapibara]

I was unable to run the AVG Remover tool.  (Sorry, I had written that in a reply that didn't post, maybe from another device.)

The computer is worse now than ever, actually.  Edge is not allowing me to connect to anything.  Firefox has only let me connect to my online email.  No links, urls or even searches work.  The browser spins and eventually times out in all cases.

I tried the Remover just now and no dice.  Same message.

At restart, the Boot Manager came up, with a single selection option of "Windows 10".  I chose that.  The 2 popups (RPlLauncher and STService.exe) appeared again.

Edge is now working and Firefox is quick to respond.

Still same problems with the other programs (Outlook, irfanview etc)

[AdvancedSetup]

Please see if these web pages can help you to fix, repair the startup selection

Windows 10 Won’t Boot? Fix it with Startup Repair and BootRec Commands
https://www.groovypost.com/howto/fix-windows-10-wont-boot-startup-repair-bootrec/

How to Rebuild the BCD in Windows
Rebuild the Boot Configuration Data to Fix Some Windows Startup
https://www.lifewire.com/how-to-rebuild-the-bcd-in-windows-2624508

Please do a repair install for Microsoft Office and Irfanview

 

[digitalcapibara]

I successfully used option 2 and now Windows starts normally.  

9 hours ago, AdvancedSetup said:

How to Rebuild the BCD in Windows
Rebuild the Boot Configuration Data to Fix Some Windows Startup
https://www.lifewire.com/how-to-rebuild-the-bcd-in-windows-2624508

However, the 2 popups (RPLauncher and STService.exe) continue to appear

I attempted to Repair Office, but got the error that it did not complete:

Irfanview only allows uninstall, so I removed it, planning to reinstall later.

I then began to look through my other programs (remembering your advice to get rid of unused programs).  The first I chose was BlockSmart.  After selecting Uninstall, the following popup showed:

Of course, I had not selected to install any other programs and had not opened any, so thought you should know about this.

That's as far as I gone.  What would you advise next?

Do your diagnostics show that the infection is gone, or do we need to run additional?

AVG uninstall still needed?

You mentioned that Chrome should be OK now.  Can we re-sync with accounts as well?

Thanks.

Edited March 2, 2018 by digitalcapibara

[AdvancedSetup]

RPLauncher appears to be a game maybe?

The STservice.exe file is from Dell DataSafe Local Backup by Dell. If you're not using that then reboot the computer and see if you can uninstall it.

I am not convinced that the computer is in good shape. Based on so many ongoing issues it would really be better to backup your  data, fdisk, format, and reinstall Windows if at all possible. Then ensure you keep good backups and Restore Points going forward.

If you can't really reinstall Windows then please run the following for me. Try it from both Safe Mode and Normal Mode of Windows.

 

[digitalcapibara]

Well, the mbar program could not be run, even when I download and extract the zip files.

I will try in Safe Mode

Edited March 3, 2018 by digitalcapibara

[digitalcapibara]

Safe mode did not work either.

[AdvancedSetup]

See, that's odd. Not seeing anything that should be stopping it from running.

Please boot from the Windows 10 USB disk as in post #19 and run a new FRST scan please and post it back here as an attachment.

Ron

 

[digitalcapibara]

Thanks for the plan.  I created a brand new USB boot drive and a fresh install of FRST64.

Here is the FRST log attached.

FRST.txt

[AdvancedSetup]

Yeah, nothing found there in that log. Based on the issues you're having and us not being able to locate an obvious reason it isn't prudent to fix all the programs one by one by reinstalling and fixing as we go. I would recommend a fresh clean reinstall of Windows.

Backup all your data then using a full installer for Windows remove all partitions, format, and reinstall Windows. Then restore your documents from backup.

This is only like about the 4th computer I've told someone to reinstall Windows. Normally we can find the cause and fix it but so far we're not finding a cause.

 

[digitalcapibara]

Ah well.  I guess I can take pride in knowing that I am quite unique in this world.  Sort of like that time I went skydiving and my parachute didn't open.  Doesn't happen to many people.  Fortunately, like that day, we have a backup parachute.

Can you direct me to some solid DIY instructions for doing as you recommend?

[AdvancedSetup]

Do you have a Full licensed version of Windows 10 or was the computer bought with Windows 10 on it already or was this an upgrade to Windows 10 from a previous version of Windows?

 

 

[digitalcapibara]

Online upgrade from Vista, I believe.