Posts posted by Comrade_Smartass
-
Well, someone didn't read my post...
I did look again though and fixlog is apparently placed inside the same folder as FRST, not on the desktop.
I've attached the file below. Thanks for the help so far!
-
It should be noted that I'm not seeing the occasional popup, website closing, or fake process any longer.
-
The tool did not restart or generate a Fixlog after restart. Do I need to run it again?
-
-
Sure thing. I'm assuming you want me to do this in safe mode with networking? As I'm sure you read in my post, I can't visit your website or run Malwarebytes on my desktop while running in normal mode. Anyways, I installed the program and ran a scan, then quarantined the selected threats. I was not prompted to reboot but did anyways, into normal mode.
While I was able to boot and reopen Malwarebytes, it closed and refused to reopen several seconds later. The fake SvcHost process is still there as well. The log is posted below.
Also, may I ask how this relates to what I was told to do with FRST?
Quote:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 9/11/18
Scan Time: 9:45 AM
Log File: e66d4bac-b5c8-11e8-96aa-309c239d99d8.json
-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.441
Update Package Version: 1.0.6771
License: Trial
-System Information-
OS: Windows 10 (Build 17134.228)
CPU: x64
File System: NTFS
User: DESKTOP-B18Q53N\Comrade
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 289255
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 1 min, 3 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 7
PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\NAHHMPBCKPGDIDFNMFKFGIFLPJIJILCE, Quarantined, [250], [440037],1.0.6771
PUP.Optional.SearchManager, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\NAHHMPBCKPGDIDFNMFKFGIFLPJIJILCE, Quarantined, [250], [440037],1.0.6771
PUP.Optional.SearchManager, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\nahhmpbckpgdidfnmfkfgiflpjijilce, Quarantined, [250], [440037],1.0.6771
PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\PILPLLOABDEDFMIALNFCHJOMJMPJCOEJ, Quarantined, [250], [183362],1.0.6771
PUP.Optional.SearchManager, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\PILPLLOABDEDFMIALNFCHJOMJMPJCOEJ, Quarantined, [250], [183362],1.0.6771
PUP.Optional.SearchManager, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [250], [183362],1.0.6771
PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{518b33ae-375d-712d-6742-d1fe0400268d}, Quarantined, [230], [413444],1.0.6771
Registry Value: 1
PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{518b33ae-375d-712d-6742-d1fe0400268d}|URL, Quarantined, [230], [413444],1.0.6771
Registry Data: 1
PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [230], [413442],1.0.6771
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 2
PUP.Optional.SearchManager, C:\USERS\COMRADE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [250], [440037],1.0.6771
PUP.Optional.SearchManager, C:\USERS\COMRADE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [250], [183362],1.0.6771
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
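As an added example (not from this thread and not Malwarebytes' own tooling), the following Python script parses the Malwarebytes 3.x text-log layout quoted above, checks that the "Threats Detected" total matches the entries actually listed, tallies the findings by threat family, object category and action taken, and flags entries that touched browser search/start-page settings or extension install points. The embedded log is a constructed excerpt built from a few of the entries above, so its totals differ from the original; the list of hijack markers is an assumption of the example, not something the log itself defines.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Malwarebytes 3.x text log quoted above
# (only a few of the original entries are reproduced, so the totals differ).
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 9/11/18
Scan Time: 9:45 AM
-Scan Summary-
Scan Type: Threat Scan
Threats Detected: 4
-Scan Details-
Process: 0
(No malicious items detected)
Registry Key: 2
PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\NAHHMPBCKPGDIDFNMFKFGIFLPJIJILCE, Quarantined, [250], [440037],1.0.6771
PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{518b33ae-375d-712d-6742-d1fe0400268d}, Quarantined, [230], [413444],1.0.6771
Registry Data: 1
PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [230], [413442],1.0.6771
File: 1
PUP.Optional.SearchManager, C:\USERS\COMRADE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [250], [440037],1.0.6771
(end)
"""

# "-Section Name-" headers, "Category: N" counters, and detection rows of the form
# "<threat>, <target>, <action>, [rule id], [signature id],<database version>".
SECTION_RE = re.compile(r"^-(?P<name>[A-Za-z ]+)-$")
COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+): (?P<count>\d+)$")
DETECTION_RE = re.compile(
    r"^(?P<threat>[^,]+), (?P<target>.+), (?P<action>[A-Za-z ]+), "
    r"\[(?P<rule_id>\d+)\], \[(?P<sig_id>\d+)\],(?P<db_version>[\d.]+)$"
)

# Assumed marker list: registry-based Chrome extension install points, IE search
# scopes and start page, and Chrome's Secure Preferences file (matched case-insensitively).
HIJACK_MARKERS = (
    r"\GOOGLE\CHROME\EXTENSIONS",
    r"\INTERNET EXPLORER\SEARCHSCOPES",
    r"\INTERNET EXPLORER\MAIN|START PAGE",
    r"\CHROME\USER DATA",
)


def parse_mb_log(text):
    """Return (header dict of 'Key: Value' lines, list of detection dicts)."""
    header, detections = {}, []
    section, category = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "Scan Details":
            m = COUNT_RE.match(line)
            if m:  # "Registry Key: 7" etc. names the category of the rows that follow
                category = m.group("category")
                continue
            m = DETECTION_RE.match(line)
            if m:
                row = m.groupdict()
                row["category"] = category
                detections.append(row)
            continue  # "(No malicious items detected)" and anything else is skipped
        if ": " in line:
            key, value = line.split(": ", 1)
            header[key] = value
    return header, detections


def summarize(header, detections):
    """Cross-check the reported total against parsed rows and tally the findings."""
    reported = int(header.get("Threats Detected", "0"))
    return {
        "reported": reported,
        "parsed": len(detections),
        "consistent": reported == len(detections),
        "by_threat": Counter(d["threat"] for d in detections),
        "by_category": Counter(d["category"] for d in detections),
        "by_action": Counter(d["action"] for d in detections),
    }


def browser_hijack_indicators(detections):
    """Rows whose target is a browser search, start-page or extension install location."""
    return [d for d in detections
            if any(marker in d["target"].upper() for marker in HIJACK_MARKERS)]


if __name__ == "__main__":
    hdr, rows = parse_mb_log(SAMPLE_LOG)
    for key, value in summarize(hdr, rows).items():
        print(f"{key}: {value}")
    for d in browser_hijack_indicators(rows):
        print(f"browser setting touched: {d['category']} -> {d['target']} ({d['action']})")
```

The consistency check matters when a log is pasted into a thread by hand: if the "Threats Detected" count and the listed rows disagree, part of the log was lost in copying and the helper should ask for the original file.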
-
Not to rush you, but can I expect a solution today? I definitely don't want this virus on my PC longer than necessary.
-
Hi Nasdaq. I took your suggestion and ran it in safe mode and got an error:
Quote:
Error saving file
C:\FRST\HIVES\DRIVERS !
Continue with the next file?
[ RegCreateKeyEx: 87 - The parameter is incorrect ]
I selected yes and then ran the Scan. I've attached the generated files below.
P.S.: Windows Safe Mode doesn't play nice with extra-wide monitors. lol
-
Hey guys, I need help removing what I think is an SvcHost virus.
I recently started having adware tabs pop up on my PC and then after searching for solutions found that whenever I opened a Malwarebytes (or similar website) page, my browser would immediately crash. This happens in Chrome, IE, and Tor. I found this thread which seems to be a very similar virus and after reading a few others, I downloaded MalwareBytes, Rkill, adwcleaner, FRST64, tdsskiller, and aswMBR. (I'm typing this on my other PC btw. Downloaded the files on it and emailed them in a .RAR to my desktop.)
This led to me finding a few things:
-I restarted my PC and immediately opened the Task manager to find an unnamed task using 50+% of my CPU. If I look at its properties, it says it's Svchost and is located in SysWOW64 where it takes up 44kb.
-I can kill this process, but it doesn't stop the virus from opening apps or closing browsers.
-I do not have permission to delete the application from SysWOW64. I need "TrustedInstaller" permission, which I know can be a legit Windows thing.
-The MB3-setup exe will not run.
-If I run Rkill then attempt to run the MB3 exe, it logs the following:
Quote:
Performing miscellaneous checks:
* Reparse Point/Junctions Found (Most likely legitimate)! *
C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir]
-I deleted the INetCache folder which appeared to be empty. Nothing changed.
-adwcleaner and FRST64 won't run.
-tdsskiller doesn't find anything
-I ran aswMBR and my PC blue-screened with the following support info:
Quote:
Stop code: PAGE_FAULT_IN_NONPAGED_AREA
What failed: aswVmm.sys
This is where I am currently and I would appreciate any help anyone can give me.
Need Help Removing SvcHost Virus (in Resolved Malware Removal Logs)
Yeah. As far as I can tell, I don't have any more issues. Thanks for the help!