System Progressive Protection Virus

chaswr

New Member
Thread author
Verified
Jan 14, 2013
41
CURRENT ISSUES:

I followed all of your procedures to eliminate the "System Progressive Protection" virus and after everything showed the problem was corrected I noticed the following after rebooting:

My task manager is showing 4 open IE windows but I have not started any IE sessions. According to task manager, the sites are constantly changing, I cannot "switch" to those IE windows and I cannot terminate them.

After noticing the infection, I googled "system progressive protection" and found your site. I read through the instructions, rebooted into safe mode with networking, downloaded "rkill", let it do what it needed to do. It opened a command prompt window, it scanned, then opened a log file. I had already had malwarebytes anti-malware installed on my system, I started that program, updated the definitions, then ran the program. It found the "system progressive protection" problem and I let malwarebytes fix the problem. When it was done, it prompted me to reboot. On the reboot, I once again rebooted into safe mode with networking, went to your site, ran rkill again, it found no problems, ran malwarebytes, that found no problems, and to be safe, I decided to download the hitmanpro program and run that as well. Hitmanpro did find a bunch of cookies and another "system progressive protection" problem, which when the hitmanpro scan was done, I let it fix the problem. After the next reboot, I again entered safe mode with networking and ran malwarebytes again. It still showed no problem found and that is when I noticed the problem in TASK MANAGER with the IE entry.

What can I do at this point?

Thank you,
Charles
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

My name is Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.


Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Change Standard Registry to All
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.




  1. Download aswmbr.exe from the below link:
    aswMBR DOWNLOAD LINK (This link will automatically download aswMBR on your computer)
  2. Double click the aswMBR.exe to run it.
  3. Click the [Scan] button to start scan
  4. On completion of the scan click [Save log], save it to your desktop and post in your next reply.
 

Fiery

Level 1
Jan 11, 2011
2,007
I prefer you attach them in your reply as they can be really long and won't fit in one reply.
 

chaswr

New Member
Thread author
Verified
Jan 14, 2013
41
Guess I didn't look hard enough. Ok, here are the 3 file attachments.
 

Attachments

  • OTL.Txt
    176.5 KB · Views: 167
  • Extras.Txt
    74.3 KB · Views: 129
  • aswMBR.txt
    1.8 KB · Views: 158

chaswr

New Member
Thread author
Verified
Jan 14, 2013
41
Sorry about that. I was in the process of copying and pasting, then noticed that it didn't get all down.

I don't see an option for file attachments. I am not used to posting to forums and I just don't see a spot where I can attach the files. Can you point me in the right direction? Just in case you are wondering, I am not a complete newbie with pc's, just unfamiliar with forums.

Charles
 

chaswr

New Member
Thread author
Verified
Jan 14, 2013
41
I did scroll down, still didn't see it. I ended up going to my post that I had already copied and pasted, deleted the body of the message, and saw where I can attach files. Now the files are a few posts above. Sorry again about this.

Charles
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Please uninstall the following programs before we continue as they can interfere with the tools we will use. Also please note that having more than 1 antivirus is hazardous for your PC.

Uninstall:
Spybot search & destroy
ad-aware
spyware blaster
AVG with AVG remover




Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
O3 - HKU\S-1-5-21-1672155566-3592108443-2913857138-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKU\S-1-5-21-1672155566-3592108443-2913857138-1000..\Run: [mlegsp] C:\Users\Charles\AppData\Roaming\mlegsp.dll ()
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.233.217.5 64.233.217.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6E24409E-A34A-4D00-AC4C-39F45C50C0E2}: DhcpNameServer = 64.233.217.5 64.233.217.2
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:5C321E34


:Files
C:\ProgramData\C20BBCC0E9218FBB0000C20AFABD9764
C:\Users\Charles\AppData\Roaming\mlegsp.dll
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]
[reboot]

Then click Run Fix. Post the log afterwards.




Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (For Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click delete and wait until it says deleting finished
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller+
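
An added example (not part of the thread and not OTL's own code): a small Python triage pass over OTL-style `O4` autostart lines, flagging entries shaped like the `mlegsp.dll` Run value targeted in the fix script above. The sample log is constructed, and the three heuristics and the two-signal threshold are assumptions for illustration, not rules taken from OTL or from the helper.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the OTL "O4" line shape quoted in the fix script above.
# Value names, paths and the SID placeholder are made up for illustration.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe (Example Corp)
O4 - HKU\S-1-5-21-XXXX-1000..\Run: [abcxyz] C:\Users\Alice\AppData\Roaming\abcxyz.dll ()
O4 - HKU\S-1-5-21-XXXX-1000..\Run: [Chat] C:\Users\Alice\AppData\Roaming\Chat\chat.exe (Chat Inc)
O3 - HKU\S-1-5-21-XXXX-1000\..\Toolbar\WebBrowser: (no name) - {GUID} - No CLSID value found.
"""

# hive..\Run: [value name] file path (publisher)
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<vendor>[^()]*)\)\s*$"
)

# Assumed heuristic: folders where legitimate software rarely drops a file
# directly, without a vendor subfolder.
ROOTS = (["appdata", "roaming"], ["appdata", "local"])


def triage(log_text):
    """Return [(value_name, path, reasons)] for O4 entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 autostart line
        path = PureWindowsPath(m["path"])
        parent = [p.lower() for p in path.parent.parts]
        reasons = []
        if not m["vendor"].strip():
            reasons.append("no publisher")
        if parent[-2:] in ROOTS or parent[-1:] == ["programdata"]:
            reasons.append("file in profile root")
        if path.suffix.lower() == ".dll":
            reasons.append("dll autostart")
        if len(reasons) >= 2:  # assumed threshold: one signal alone is too noisy
            findings.append((m["name"], str(path), reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {path}: {', '.join(reasons)}")
```

A flagged entry is a lead for manual review, not a verdict; the file still has to be checked before anything is removed.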
 

chaswr

New Member
Thread author
Verified
Jan 14, 2013
41
I only have 1 antivirus program installed on my system and that is avg free. The other 3 programs you listed to install are all anti spyware. Do you still want me to uninstall my 1 and only antivirus program as well as the 3 anti spyware programs?
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Your logs show you have remnants of McAfee product also so let's remove those first. You can keep AVG in that case. Please run the tool here: http://www.bleepingcomputer.com/download/mcafee-consumer-products-removal-tool/

I would advise you to remove the other anti spyware since they are extremely ineffective. After we clean your PC, I'll suggest a better security setup for you.
 

chaswr

New Member
Thread author
Verified
Jan 14, 2013
41
The McAfee may have been trying to run an online scan that wasn't successful. Anyway....

I should copy the text that you said to copy into OTL. Then you say to post the log. Question. Once I copy and run the fix, is another log automatically generated or do I have to run the OTL again like I did at the beginning? Do you want me to run the OTL fix, post the log, then run the other 2 programs, or do all three then post the logs?
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Once you run the OTL script, your PC will reboot. After, a new log will automatically be created. You won't have to do an OTL scan again like before.
 

chaswr

New Member
Thread author
Verified
Jan 14, 2013
41
Ok, ran the OTL script, pc rebooted. Up and running in safe mode with networking still. If the new log was created, where should I expect to find it? I don't see a new file saved to my desktop and am unsure where to look.
 

chaswr

New Member
Thread author
Verified
Jan 14, 2013
41
Ahhh, restarted OTL and the log automatically popped up. Here it is then....
 

Attachments

  • newOTL.txt
    6.2 KB · Views: 105

chaswr

New Member
Thread author
Verified
Jan 14, 2013
41
It says to close all programs, which I will do. Do you want me to run adwcleaner 1st, post the log, then run roguekiller, then post that log, or do them both one after the other then post the logs?
 

chaswr

New Member
Thread author
Verified
Jan 14, 2013
41
Dumb question...

What area are you in and what is your local time? I really appreciate all the help you have given me and I know we are still not quite done, but I just want to make sure you are not doing an all night thing here for me. If it makes a difference, I am in the US, eastern time zone (9:35pm), or -5GMT.


Okay, will close down everything, run the scans, then get back here to repost.
 
