[INACTIVE] NetUtils2016: PC badly affected after installing program

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Hi,
I have run Malwarebytes again as requested and once again it stuck in Heuristics analysis for just over 6 hours.
I have come out of safe mode and have attached the screen grab here, http://www.mediafire.com/file/9ruzpu1xdmrwhf3/screenshot-newtab-2017-02-16-01-05-01.jpg.
Thank you once more.

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

I'm going to do some closer investigation.

I will be back after several hours with the next instructions... For now, please do the following, which will help me decide what to do later:

First, re-run Junkware Removal Tool and AdwCleaner as before and post logs from them.




Re-running FRST to search for any leftovers:

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST icon and select Run as Administrator to start the tool.
  • Make sure that every checkbox has a checkmark beside it! <<< NEW INSTRUCTIONS
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.




Re-run SystemLook

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    *Avg*
    *McAfee*
    *NetUtils*
    *NetUtils2016*
    *dot4*
    *smw*
    *smp*
    *startgo123*

    :folderfind
    *Avg*
    *McAfee*
    *NetUtils*
    *NetUtils2016*
    *sstmp*
    *dot4*
    *smw*
    *smp*
    *startgo123*

    :Regfind
    NetUtils
    NetUtils2016
    startgo123


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt




WVCheck
Please download WVCheck from Latest EXE Download.

  • Double click WVCheck.exe. (If you downloaded the zipped version you will need to extract it.)
  • As indicated by the prompt, this program can take a while depending on your hard drive space.
  • Once the program is done, copy the contents of the notepad file and send me a private message with the information. This is important since much of the information is unique to you as an individual.





OTHER NOTES:
Confirm with me whether you ran the Chrome Browser Cleanup Tool early on and Avast Browser Cleanup. If this was not done, then this has caused the reinfection.

If you have accounts on Mozilla for Firefox, and Google for Chrome and other accounts, then you can easily sync your data, and completely reinstall the profiles for each browser, which may or may not help this process. I can help you do this of course, but I want to ensure you do not lose browser settings, bookmarks, list of addons, etc., which would easily be "sync-able".

Lastly, did you create the folders on the desktop named "AAA - *" (where * is the suffix, like personal files, video, etc.)?

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Hello,
I have run FRST as requested with the new instructions and it stuck on 'Scanning Edge' for approx 5 hours with no sign of ending. I started it at 09.33 and at 13.22 it is still running.
At that point I ended the scan. The FRST log is attached. The Additions log is not available as the scan did not complete.
I then ran SystemLook and the results are attached here.
WVCheck has run and I have sent a PM with the info.
In answer to your questions, I can confirm that I ran Avast Browser Cleanup, but I can't recall running Chrome Browser Cleanup tool unless you asked me to, in which case I have followed all of your directions.
I have synced my bookmarks for Chrome and Opera.
The folders on my desktop named AAA are mine and contain all kinds of personal items.
Thanks

Attachments:

  • FRST.txt (8 Kb)
  • System Look Part 1.txt (36 Kb)
  • System Look Part 2.txt (64 Kb)

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Okay, let's get on the offensive here toward the infection... Since the bookmarks and other things are synced, we would need to work out the following... In order of course:

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3


  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.



Please download ZHPcleaner to your desktop.

  • Double click on ZHPCleaner to run the tool.
  • If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
  • Please click
  • Then press ''Repair'' button.
  • Browsers will automatically shut down.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.





Scan with Shortcut Cleaner:

Please download Shortcut Cleaner to your Desktop.

Right-click on sc-cleaner.exe and select Run as Administrator >> follow the prompts and post the contents of sc-cleaner.txt in your next reply.

Note: The log can also be located at C: >> sc-cleaner.txt

Next
When completed the above, please post back the following in the order asked for:

  • Shortcut Cleaner Log.





Re-run of Malwarebytes scanner
!!NEW INSTRUCTIONS: IF Malwarebytes does not work, re-run RKILL above, and try again until it does so, please.

Please re-open Malwarebytes, and press Scan. If there is an update, allow it to do so.

  • When the scan is complete, if there have been detections, click the Quarantine Selected button to allow the program to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

How to get logs: (Export log to save as txt)

  • After the restart once you are back at your desktop, open Malwarebytes once more.
  • Click on the Reports tab > Scan Report. (If you have done more than one scan in the past, select the most recent that shows the date and time of the scan just performed.) Press the View Report button.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Find the log on your Desktop and Attach that saved log to your next reply.

(Copy to clipboard for pasting into forum replies or tickets)

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Hi,
I have carried out your requests and have run RKill, that log is attached.
I have run ZHPCleaner and that log is attached.
I have run Shortcut Cleaner and that log is attached.
Malwarebytes is currently running and I will post the log when it has finished.
Thanks

Attachments:

  • Rkill.txt (2 Kb)
  • ZHPCleaner.txt (5 Kb)
  • sc-cleaner.txt (2 Kb)

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Still no luck with Malwarebytes. I have watched it reach Heuristics Analysis and stay searching for updates for an hour. It found 13 threats but I was unable to get any further. I ran RKill again, saved that log, deleted RKill, but then Malwarebytes won't open on the desktop. I have tried to open it as administrator and also left clicking. I figure the only way to open it would be to reboot my PC but wouldn't that just reinfect it?
Thanks

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Heuristics analysis can take a very long time. 5 hours is unbelievable, yes; however, this is ridiculous.

Let's try a different approach. What we used earlier, ZHPCleaner found an object from the infection and a couple of other unrelated things; however, no luck so far. These are two different tools, to which are a seriously complete analysis... (Keep in mind that our privacy policy prevents me from ever sharing any personal information, so if you like, I can remove the link you post to me for the second tool, once I have accessed the results. No identifiable information about you will be on the tool; however, information concerning personal files and other "business" will be there, which can be a problem for some users to allow other people to see. I rarely take this method, but this is ridiculous how complicating the process is...)

This different approach is going to be a removal tool scan, which normally takes up to a few hours, but is very effective (I don't like quitting):




Please click here to download Kaspersky Virus Removal Tool.


  1. Double click on the file you just downloaded and let it install.
  2. It will install to your desktop.
  3. After that leave what is selected and put a check next to My Computer.
  4. Click on the option that says Threat Detection and change it to Disinfect, delete if disinfection fails.
  5. Then click on Start Scan.
  6. Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  7. When the scan is done no log will be produced.
  8. Click on the bottom where it says Report to open the report.
  9. Then highlight all of the items found by using Ctrl + A on your keyboard to select all, or use your mouse to select all, then right click and choose Copy.
  10. This will copy the items that it found to the clipboard you can then open notepad (go to start then run then type in notepad) and choose paste to paste the contents into Notepad.
  11. You can save this on the desktop.
  12. Post the contents of the document in your next reply.


Note: This tool will self uninstall when you close it so please save the log before closing it.




Please download the latest version of Kaspersky GetSystemInfo (GSI) from GetSystemInfo.com and save it to your Desktop. (On the website, press the download button in the top bar)

  • Please close all other applications running on your system.
  • Right click GetSystemInfo.zip and hit Extract all. Then double click on getsysteminfo.exe to run the program.
  • Click the Settings button.
  • Set it to Maximum
  • IMPORTANT! Then please click Customize, choose the Driver / Ports tab and uncheck Scan Ports.
  • Click Create Report to run it.
  • It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.

Please copy and paste the url of the GSI Parser report (not the log) in your next reply.

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Hello again,
I have downloaded and run the latest Kaspersky Virus Removal Tool. The version I downloaded differed to your instructions but I did run the scan and it did print a report. However I was unable to copy it as you requested and so I had to take a screen grab of the finished report. That is available here: https://www.mediafire.com/?1vgd6dgardm3atm
I then ran Kaspersky GetSystemInfo. That program also differed from your instructions but I did run it and I uploaded the report to Kaspersky GSI Parser.
The URL is here: http://www.getsysteminfo.com/read.php?file=eec00c693762b46fe85b67eb942d521c
Thank you

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Thanks for the updates! Keep in mind that this infection is not detected by very many antivirus/tools, and because of this, we have difficulty.

Go to this site please: https://www.hybrid-analysis.com/

Press choose file... and find c:\windows\system32\drivers\netutils2016.sys

Allow it to scan the file and post the report URL back here when done please.

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Hello,
When I try to upload the file you specified by using the page 'Payload security', I go 'select file' which I follow using the path you supplied until I reach \drivers. At that point the drivers folder is open but only a handful of folders & files are visible. When I search normally myself and go my PC > Windows C > system32 > drivers, there are literally dozens of system files including the Netutils2016.sys file. How do I get this file to show when I search through the Payload Security site?
Thank you.

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

When you're in the folder, press File > Change folder and search options... Press the tab View, and then under Advanced Settings:

  • On Hidden Files and Folders, set it to Show hidden files, folders, and drives.
  • Uncheck Hide extensions for known file types
  • Uncheck Hide protected operating system files

Lastly, hit Apply and OK.

Once that's done, then try to browse for that file again, please, and see if it all works out this time.
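
The Explorer settings above only change what file listings display; the same driver file can be checked from PowerShell regardless of those settings. This is an added example, not part of the original post or the helper's instructions: the path is the one named in the thread, and the function names `Get-DriverFileSummary` and `Get-HiddenDriverFiles` are hypothetical.

```powershell
# Added example (not from the thread). The driver path is the one named in the
# thread; the function names are hypothetical.
$driversDir = Join-Path $env:windir 'System32\drivers'
$driverPath = Join-Path $driversDir 'netutils2016.sys'

function Get-DriverFileSummary {
    param([Parameter(Mandatory)][string]$Path)

    # -Force returns items that carry the Hidden or System attribute.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; Found = $false }
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256

    [pscustomobject]@{
        Path       = $item.FullName
        Found      = $true
        Attributes = $item.Attributes      # e.g. Hidden, System
        Created    = $item.CreationTime
        Modified   = $item.LastWriteTime
        SizeBytes  = $item.Length
        Signature  = $sig.Status           # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256     = $hash.Hash            # for lookup on a file-analysis service
    }
}

function Get-HiddenDriverFiles {
    param([Parameter(Mandatory)][string]$Directory)

    # List .sys files that Explorer hides with its default view settings.
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -LiteralPath $Directory -Filter '*.sys' -File -Force |
        Where-Object { $_.Attributes -band $mask } |
        Select-Object Name, Attributes, LastWriteTime, Length
}

Get-DriverFileSummary -Path $driverPath | Format-List
Get-HiddenDriverFiles -Directory $driversDir | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session; a 32-bit process on 64-bit Windows is redirected from System32 to SysWOW64 and sees a different drivers folder.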

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Hello,
As this has taken so long to eradicate these problems, I now find that I am now at a point where I am no longer going to be at home for the foreseeable future and so I am going to leave my problem as it is and return to it when I am back here. I thank you for your advice and time in helping trying to fix a problem that obviously I have started by my use of dodgy and unsafe programs. Best regards

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

Thanks for letting me know. We will keep this open.

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

@aybsee - I appreciate if you still need time in order to get back to solving this issue; however, I did want to point out that you won an award for February: http://www.geekpolice.net/t30529-most-active-users-of-the-month-awards

We have a new award system on the forums, and it so happens that you were the most active non-staff member of our forum for February 2017.

Even though you are having an issue solved, we appreciate the contributions all of our members, staff or non-staff, make!

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program

This topic has been judged inactive by the board administrator. Please private message any administrator or Security Officer to have it reopened. Everyone else start a new topic.