Erinctherinc

  1. Done. Did what you said. I'm waiting for your instructions.
  2. I did what you said, here are the results: Fixlog.txt
  3. One more thing: I said the "Access denied" problem happened to GMER too. GMER's randomized name is 9ie2k262 on my computer. It appears in the error logs in Addition.txt.
  4. Another thing: I was looking at Addition.txt and I saw that the problem that caused the ESET scan to stop was "Erişim Engellendi.", which translates to "Access Denied". I think we are getting closer to our problem.
  5. Things didn't go well. Here is the log of Junkware Removal Tool:

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Malwarebytes
     Version: 8.0.6 (04.25.2016)
     Operating System: Windows 10 Pro x64
     Ran by ahmet (Administrator) on Sal 07.06.2016 at 20:35:04,43
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     File System: 2
     Successfully deleted: C:\ProgramData\productdata (Folder)
     Successfully deleted: C:\Users\ahmet\AppData\Roaming\productdata (Folder)

     Registry: 2
     Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
     Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} (Registry Key)

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Sal 07.06.2016 at 20:37:04,75
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Here is the log of AdwCleaner:

     # AdwCleaner v5.119 - Logfile created 07/06/2016 at 20:39:35
     # Updated 30/05/2016 by Xplode
     # Database : 2016-06-07.1 [Server]
     # Operating system : Windows 10 Pro (X64)
     # Username : ahmet - DESKTOP-OBNVP4R
     # Running from : C:\Users\ahmet\Desktop\Malware removal toolkit\Virüs silme pack\AdwCleaner.exe
     # Option : Clean
     # Support : http://toolslib.net/forum

     ***** [ Services ] *****

     ***** [ Folders ] *****

     ***** [ Files ] *****

     ***** [ DLLs ] *****

     ***** [ WMI ] *****

     ***** [ Shortcuts ] *****

     ***** [ Scheduled tasks ] *****

     ***** [ Registry ] *****

     [-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
     [-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\data
     [-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\foxi69.tlscdn.com
     [-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\tlscdn.com
     [-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\foxi69.tlscdn.com
     [-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\tlscdn.com

     ***** [ Web browsers ] *****

     *************************

     :: "Tracing" keys deleted
     :: Winsock settings cleared

     *************************

     C:\AdwCleaner\AdwCleaner[C1].txt - [1818 bytes] - [07/06/2016 20:39:35]
     C:\AdwCleaner\AdwCleaner[S13].txt - [757 bytes] - [30/01/2016 00:05:24]
     C:\AdwCleaner\AdwCleaner[S1].txt - [1922 bytes] - [07/06/2016 20:38:22]

     ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2037 bytes] ##########

     At this point I started the scan of ESET online AV. I have gone through your steps exactly, but after ESET's scan finished (it found 7 threats but I couldn't look at what they are), it stopped working. It just stopped, and its window turned black. Here are the FRST and Addition files: FRST.txt, Addition.txt. Just a reminder: there are parts that are written in Turkish in the Addition file.
  6. Hello, thanks for helping so far. Here is the Rkill log; it found nothing malicious running on my system. I didn't understand what those 2 missing Windows service integrities mean. Can you please explain them to me?

     Rkill 2.8.4 by Lawrence Abrams (Grinler)
     http://www.bleepingcomputer.com/
     Copyright 2008-2016 BleepingComputer.com
     More Information about Rkill can be found at this link:
     http://www.bleepingcomputer.com/forums/topic308364.html

     Program started at: 06/07/2016 06:25:24 PM in x64 mode.
     Windows Version: Windows 10 Pro

     Checking for Windows services to stop:
      * No malware services found to stop.

     Checking for processes to terminate:
      * No malware processes found to kill.

     Checking Registry for malware related settings:
      * No issues found in the Registry.

     Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

     Performing miscellaneous checks:
      * Windows Defender Disabled
        [HKLM\SOFTWARE\Microsoft\Windows Defender]
        "DisableAntiSpyware" = dword:00000001
      * Windows Defender Disabled
        [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
        "DisableAntiSpyware" = dword:00000001

     Checking Windows Service Integrity:
      * s3cap [Missing Service]
      * ShellHWDetection [Missing Service]

     Searching for Missing Digital Signatures:
      * No issues found.

     Checking HOSTS File:
      * No issues found.

     Program finished at: 06/07/2016 06:25:40 PM
     Execution time: 0 hours(s), 0 minute(s), and 15 seconds(s)

     -------------------------------------------------------------------------

     Here is the MBAM report. I activated the rootkit scan as you asked, but MBAM didn't find anything either.

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 7.06.2016
     Scan Time: 18:29
     Logfile:
     Administrator: Yes

     Version: 2.2.1.1043
     Malware Database: v2016.06.07.05
     Rootkit Database: v2016.05.27.01
     License: Free
     Malware Protection: Disabled
     Malicious Website Protection: Disabled
     Self-protection: Disabled

     OS: Windows 10
     CPU: x64
     File System: NTFS
     User: ahmet

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 353817
     Time Elapsed: 9 min, 52 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 0
     (No malicious items detected)

     Registry Values: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 0
     (No malicious items detected)

     Physical Sectors: 0
     (No malicious items detected)

     (end)

     ---------------------------------------------------------------

     My system looks clear now, but I don't understand why my computer was rendered useless when using GMER. A Windows alert popped up and said "access denied". I couldn't do anything (including closing the computer by pressing power shift). Even in safe mode, GMER said access denied. I think this is where my trouble lies, because when I opened my computer after those denials, it took a long time (normally it takes 2-3 secs to open; this time it took like 15 secs). After I opened it, I had to wait even longer because my desktop refreshed a couple of times, there was a loading bar beside my mouse icon, and my AV said that its protection has stopped, but in its GUI it says it is working with no problem. Also, when I try to look up recent logs in my AV, it crashes. I found what it caught at last: it was "Packed.Dromedan!ink" on my USB stick, and even after the AV said it removed the trojan, I plugged the USB back in and it found the same trojan again.

     I don't know if I am really infected or not right now. What do you offer? Sincerely, Erinc (I also tried using MBAR, Adwcleaner, Dr.Web Cureit, Norton Bootable Recovery, Norton Power Eraser too "before" opening this thread. They also found nothing.)
  7. I also ran a scan with Norton Bootable Recovery, it found nothing.
  8. I recently had my computer scanned with GMER but it stopped; it said "access denied". When I tried to stop GMER or any other software I have, they all said "access denied". I couldn't even move a finger. I tried to shut down my laptop but it didn't, even when I clicked the close button for 7 seconds or so. (I closed wifi from the switch and waited for the battery to run out.) Today, I encountered some other things. Firstly, there are 2 crssrs.exe's, 4 scvhost.exe's and 2 conhost.exe's running in the background. (My computer has only one account.) I opened my computer in safe mode and scanned with GMER again; it said "access denied" but this time, only GMER stopped. Then I tried to use MBAR; it didn't work in normal mode but worked in safe mode. It didn't find anything. An hour ago, I scanned my PC with GMER; this time it worked well and didn't show "access denied". (I will attach the results.) Also, I will attach the Farbar scan results. (I think you need it?) Another thing: my desktop refreshes itself randomly. The blue loading wheel appears often even if I'm idle. GMER_results.txt FRST.txt
  9. It came back! I opened wifi and did nothing for 10 minutes. After that I opened Chrome and opened the forum. While doing that I saw the blackish sign of Shell&Services setup in Process Explorer. I stopped the process and closed wifi. What do you suggest?
  10. Sorry for the delay, I had struggles. 1) There was no ShellInst version 3.0.4 in Geek Uninstaller. 2) Chrome cleanup found nothing. 3) Dr. Web Cureit found nothing. 4) I deleted every registry key and entry of Shell&Services + ShellInst + netman. 5) Here are the logs of everything: AdwCleanerC6.txt, cureit (full scan).txt, Fixlog.txt, JRT.txt, mbam safe mode scan.txt
  11. The program runs in the background, and it didn't let me stop it in processes. Also, Geek Uninstaller didn't work even when I used the force removal option. I will run MBAM in safe mode to temporarily disable Shell&ServicesEngine. Then I will use Geek Uninstaller in safe mode. I will download Dr. Web Cureit and the Google Chrome cleanup tool to a USB from another computer. That might work, I think. Thank you for your help to this point. I will post results soon.
  12. While I was downloading Dr. Web Cureit, the Chrome web page instantly closed. When I looked at processes, Shell&ServicesEngine had come back. Now I have shut down my computer to avoid ShellInst 3.0.4 being activated. What do you suggest?
  13. I noticed that Malwarebytes Anti-Malware's report is in Turkish. Here is the English one: ENG _ malwarebytes scan.txt
  14. I did what you asked for. Here they are. Malwarebytes scan: Malwarebytes scan Shell&Services.txt FRST: FRST.txt Addition: Addition.txt Rogue Killer's report: rogue killer report.txt
  15. I have noticed that the second malware is not Shellint version 3.0.4, it is ShellInst version 3.0.4. Also, there are now two Shell&ServicesEngine_* folders at the C:/windows location. The Malwarebytes scan found the mintcast PUP again in the search in safe mode. (All PUP.mintcast threats have the Shell&ServicesEngine string in their locations.)