Malware in Registry Key (with logs)



Hi. Last Thursday I got a browser redirect virus, Cloudscout, and my Internet kept dropping. After trying several different anti-virus programs in safe mode (with which I found MANY viruses: Trojans, PUMs, PUPs, etc.), I tried (and purchased) Trojan Killer, which found Malware.rpl.gen.bot in one of my registry keys.

 

Also 9-Labs found it as well. 

 

I believe it was the source of the browser redirect virus and it has been constantly downloading new viruses since I found it. I have tried quarantining it, and even manually removing the key, but it just comes back after rebooting out of safe mode. If I am not in safe mode it returns within a minute.

 

 

I have tried everything and am going slowly insane trying to get it out of my computer. I found this forum post of a similar case. https://forums.malwarebytes.org/index.php?/topic/152888-in-desperate-need-of-help/. 

 

I have run Malwarebytes (which can't see it) plus RogueKiller and FARBAR, which I will include logs for.

 

Please help!

 

P.S. Please feel free to delete my old previous post in the forums.

https://forums.malwarebytes.org/index.php?/topic/172370-malwarerplgenbot/

9lab-log-2015-09-05 (00-16-42).txt

FRST 9-6-2015 Safe Mode.txt

Addition 9-6-2015 Safe Mode.txt

Malwarebytes 9-6-2015 Safe Mode.txt

RogueKiller 9-6-2015 Safe Mode.txt


Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

==========================

Let's check for any adware/spyware now:

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program that may have been targeted by mistake.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Next..................

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Next.........

Please Update and run a Threat Scan (Malwarebytes)

Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine All that's found

MrC

fixlist.txt


First of all Thank you for the quick reply and help it is greatly appreciated. 

 

Just so you know I am doing this all in Safe Mode.

 

I ran Farbar again and am attaching the log. It restarted me out of Safe Mode and I got a black screen of death. I went back into Safe Mode and ran AdwCleaner, Junkware Removal Tool and Malwarebytes, and am attaching logs as well.

 

Malwarebytes didn't seem to find that Malware.rpl.gen.bot, but it didn't find it before, so that is not new. Should I run 9-Labs or Trojan Killer to see if it is still there?

 

Also, a quick question: should I have removed the PUPs and PUMs that RogueKiller found last night?

 

 

Fixlog.txt

AdwCleanerS1.txt

JRT.txt

Malwarebytes Log.txt


Should I run 9-Labs or Trojan Killer to see if it is still there

No

Also quick question should I have removed the PUPs and PUM that Rogue Killer found last night.

No

=============================

You can't boot into normal mode????

Please re-scan with FRST and Make sure the Addition Box is checked.
http://www.fixitpc.pl/picasso/images/malware/tools/frst/frst_win05.png
Post or attach the 2 logs FRST.txt and Addition.txt

MrC


Should I be running FRST in Normal mode?

 

If you could

 

==========================

 

When did the BSOD start????

 

This looks like the reason for your BSOD errors:

 

Error: (09/06/2015 03:04:38 PM) (Source: SideBySide) (EventID: 78) (User: )

Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest3.

A component version required by the application conflicts with another component version already active.

Conflicting components are:.

Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest.

Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_a9edf09f013934e0.manifest.

 

 

=========================================

 

Did you run ESET Online Scanner and did it find anything????  Log??

 

================

 

I see you ran TDSSKiller, did it find anything???  Logs???

 

==============

 

I suggest you uninstall these if possible: 

9-lab Removal Tool (HKLM-x32\...\9-lab Removal Tool) (Version:  - )

Trojan Killer 

HitmanPro

Spybot - Search & Destroy

Adaware

SpyHunter

WiseCleaner

and any other junk you installed besides ESET and Malwarebytes.

 

MrC (be back in the AM)


Ok I ran FRST in normal mode and am attaching the logs. 

 

The black screen (when it comes up) is after I load in. It's like I can't see the desktop, but the Stopzilla splash screen comes up (loads automatically), and if I press Ctrl+Alt+Delete I go to the Task Manager screen, where I can reboot into safe mode, or 'sometimes' if I press Esc it will then load the desktop.

 

After your last post when I booted into normal mode Stopzilla Antimalware showed this.

 

Quarantined

System Policies.DisableRegistryTools

hkus\S-1-5-21-2069095907-3351469989-3210406979-1001\software\microsoft\windows\currentversion\policies\system\DisableRegistryTools
 
System Policies.DisableTaskMgr
hkus\S-1-5-21-2069095907-3351469989-3210406979-1001\software\microsoft\windows\currentversion\policies\system\DisableTaskMgr
 
Eset and TDSSKiller shows nothing.

FRST.txt

Addition.txt


Download and run rkill (post the log):

http://www.bleepingcomputer.com/download/rkill/dl/132/

============================

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

===========================

Let me know.....MrC

fixlist.txt


OK, the reset was quicker, but Stopzilla says it's re-quarantined the same keys.

Also, before reboot HKEY_CURRENT_USER\Software\Classes\.exe only had a default key.

After reboot it now has two again: default and application/x-msdownload. (This is where 9-Labs said Malware.rpl.gen.bot was.)

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe also has two.


OK. Apparently Stopzilla Antimalware ran a check while I was watching TV and found this:

 

Active Desktop Policies
value="NoChanging Wallpaper" path="VR32lhkus\s-1-5-21-2069095907-3351469989-3210406979-1001\software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" which it quarantined.
 

After that I had trouble rebooting. It showed that "System" was preventing reboot, then I got this error message: "explorer.exe - Application Error: The instruction at 0xc499a02f referenced memory at 0xa2a09538. The memory could not be read. Click OK to terminate the program."

 

When I clicked OK, it tried and failed to reboot. It just kept saying "rebooting" for several minutes till I finally held down the power button to shut it down. I turned it on again and when it loaded I could not open any files. So I rebooted again, and now I am going to run Malwarebytes again. I'll let you know what I find.


Active Desktop Policies

value="NoChanging Wallpaper" path="VR32lhkus\s-1-5-21-2069095907-3351469989-3210406979-1001\software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" which it quarantined.

 

That's just a PUM, you can read about it here:

https://support.malwarebytes.org/customer/portal/articles/1834897-what-are-pum-detections-are-they-threats-and-should-they-be-deleted-?b_id=6438

===================================

I'm not a fan of Stopzilla, it's not a program that we recommend.

===================================

You have several restore points available if needed, the last time you ran a FRST fix, one was created.

MrC

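An added example, not part of this thread and not from MrC's fixlist: a read-only PowerShell audit of the two registry locations the thread keeps coming back to, the .exe file-association chain the poster was watching and the Policies values Stopzilla quarantined, plus a short watcher that timestamps when the .exe key changes after a normal-mode boot. It assumes an elevated PowerShell session on the affected account. The stock values it compares against (.exe -> exefile, Content Type = application/x-msdownload, exefile launch command "%1" %*) are those of an unmodified Windows install, so two values under HKLM\SOFTWARE\Classes\.exe is not by itself a sign of infection; what matters is where (default) points and what the exefile open command is. The value name NoChangingWallPaper is the real one behind the log's "NoChanging Wallpaper".

```powershell
# Added example (not from the thread). Read-only audit of the keys discussed above.
# Assumptions: elevated PowerShell, run as the affected user; "stock" values are
# those of an unmodified Windows installation.

function Test-ExeAssociation {
    # A hijacked .exe association makes every program launch pass through the
    # attacker's binary; re-creating the key is a cheap way to "come back" after reboot.
    # HKCU\Software\Classes is merged over HKLM\SOFTWARE\Classes, so a per-user .exe
    # key that points (default) somewhere else wins over the machine-wide one.
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
        $exeKey = Join-Path $root '.exe'
        if (Test-Path $exeKey) {
            $p = Get-ItemProperty -Path $exeKey
            $progId = $p.'(default)'
            "$exeKey : (default)='$progId'  'Content Type'='$($p.'Content Type')'"
            # Stock: (default)=exefile and Content Type=application/x-msdownload (both normal).
            if ($progId -and $progId -ne 'exefile') {
                Write-Warning "$exeKey redirects .exe to ProgID '$progId' instead of 'exefile'"
            }
        } elseif ($root -like 'HKCU*') {
            "$exeKey : absent (normal; a clean profile usually has no per-user .exe key)"
        }
        # The launch command itself. Stock value is exactly: "%1" %*
        $cmdKey = Join-Path $root 'exefile\shell\open\command'
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            "$cmdKey : $cmd"
            if ($cmd -ne '"%1" %*') {
                Write-Warning "$cmdKey is not the stock launch command; whatever is here runs on every .exe start"
            }
        }
    }
}

function Test-RestrictionPolicies {
    # These are ordinary Group Policy values, which is why scanners file them as PUM
    # rather than malware: 1 = restriction on, absent or 0 = off. Malware sets them to
    # keep the user out of regedit and Task Manager.
    $checks = @(
        @{ Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Names = 'DisableRegistryTools', 'DisableTaskMgr' },
        @{ Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
           Names = 'NoChangingWallPaper' }   # real value name; the log prints it with a space
    )
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Key)) { "$($c.Key) : key absent (normal)"; continue }
        $p = Get-ItemProperty -Path $c.Key
        foreach ($name in $c.Names) {
            $v = $p.$name
            if ($null -ne $v -and $v -ne 0) {
                Write-Warning "$($c.Key)\$name = $v  (restriction active)"
                # Removal is one line, e.g. Remove-ItemProperty -Path $c.Key -Name $name,
                # but as the thread shows it just comes back unless the process that
                # re-creates it is found first.
            } else {
                "$($c.Key)\$name : not set"
            }
        }
    }
}

function Watch-ExeKey {
    # The poster sees HKCU\Software\Classes\.exe re-created within a minute of a
    # normal-mode boot. Polling the key's value list shows *when* it changes; pair the
    # timestamp with Process Monitor (Operation = RegSetValue, Path contains \Classes\.exe)
    # to see *which* process does it.
    param([int]$Seconds = 120)
    $key = 'HKCU:\Software\Classes\.exe'
    $snapshot = {
        if (Test-Path $key) { ((Get-Item $key).GetValueNames() | Sort-Object) -join ',' }
        else { '<absent>' }
    }
    $was = & $snapshot
    "$(Get-Date -Format 'HH:mm:ss') start: $key values = $was"
    $end = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $end) {
        $now = & $snapshot
        if ($now -ne $was) {
            "$(Get-Date -Format 'HH:mm:ss') change: $was -> $now"
            $was = $now
        }
        Start-Sleep -Milliseconds 500
    }
}

Test-ExeAssociation
Test-RestrictionPolicies
# Watch-ExeKey -Seconds 120   # run right after a normal-mode boot to time the re-creation
```

Run it once from safe mode and once after a normal-mode boot; a (default) that still points at exefile with the stock "%1" %* command in both hives means the .exe association itself is not what is launching the infection, and the watcher's timestamp narrows down which autostart to look at in the FRST log.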

This topic is now closed to further replies.