zearthur99 Posted April 15, 2016 ID:1034316

A few days ago I got some malware and I think that I removed most of it using Hitman PRO. I tried downloading Malwarebytes Anti-Malware but the UI does not show up. The same happens with Avast. My PC also can't access most anti-virus websites. I downloaded Malwarebytes from CNET because the official download link does not work for me. I've also tried the 13 chameleons and all of them reported "Failed to start the scan". I've attached Farbar Recovery Scan Tool and the logs are attached. Any help would be appreciated. Thanks.

FRST.txt Addition.txt
zearthur99 (Author) Posted April 15, 2016 ID:1034317

Just an update: Windows Defender found two pieces of malware:

Trojan:Win32/Posehost.A
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
file:C:\Users\ze_ar\AppData\Roaming\XBox\XBLive.exe
service:XBox

BrowserModifier:Win32/Sasquor
Category: Browser Modifier
Description: This program changes various Web browser settings without adequate consent.
Recommended action: Remove this software immediately.
Items:
taskscheduler:C:\WINDOWS\System32\Tasks\Fedaryqeule Server
taskscheduler:C:\WINDOWS\System32\Tasks\Ninight Collector
file:C:\Program Files (x86)\Fedaryqeule\FedaryqeuleServerSrv.exe
file:C:\Program Files (x86)\Fedaryqeule\FedaryqeuleServerTsk.exe
file:C:\Program Files (x86)\Ninight\NngCollector.exe
file:C:\WINDOWS\System32\Tasks\Fedaryqeule Server
file:C:\WINDOWS\System32\Tasks\Ninight Collector
service:FedaryqeuleServerSrv
Get more information about this item online.

Both of them are now in the Windows Defender quarantine.
kevinf80 Posted April 16, 2016 ID:1034448

Hello zearthur99 and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system....

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
If you do not see the black box flash on the screen, delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
If the tool does not run from any of the links provided, please let me know.

Next,

Please open Malwarebytes Anti-Malware.

On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
Under Non-Malware Protection sub tab, change PUP and PUM entries to Treat detections as Malware.
Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, Apply Actions to any found entries.
Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
After the restart, once you are back at your desktop, open MBAM once more.

To get the log from Malwarebytes do the following:

Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export > From export you have three options:
Copy to Clipboard - if selected, right click to your reply and select "Paste", log will be pasted to your reply
Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply

Please use "Copy to Clipboard", then Right click to your reply > select "Paste", that will copy the log to your reply…

If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Launch Malwarebytes Anti-Malware
A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.

Follow the instructions above....

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans"
Press Scan button to run the tool....
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The tool will also make a log named (Addition.txt). Please attach those logs to your reply.

Let me see those logs in your reply...

Thank you,
Kevin...
zearthur99 (Author) Posted April 16, 2016 ID:1034505

Hey, kevinf80. Thanks for your reply.

I used the first rkill download link and the CMD stayed up for 5 minutes and an alert prompt has confirmed to me that I should be able to run my security programs as usual. A log file called rkill.txt was generated on the desktop and I've attached it. I assume this tool has run successfully.

MBAM was installed but not running. I launched mbam.exe from its folder, a process called mbam.exe was shown in the task manager but the user interface does not show up. I'm also not able to download it again because somehow the infection has blocked most of the anti-virus websites ("My browser just shows Looking up data-cdn.mbamupdates.com").

I'm also not able to run FRST anymore. I've attached a screenshot of the error.

Rkill.txt
kevinf80 Posted April 16, 2016 ID:1034516

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

Quit all running programs.
For Windows XP, double-click to start.
For Vista, Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement)
Click Scan to scan the system.
When the scan completes select "Report", in the next window select "Export txt", the log will open as a text file, post that log... Also save to your Desktop for reference. log will open.
Close the program > Don't Fix anything!

Let me see that log,
Kevin
zearthur99 (Author) Posted April 16, 2016 ID:1034521

Scan done.

roguekiller.txt
kevinf80 Posted April 16, 2016 ID:1034522

Double-click RogueKiller.exe to run again. (Vista/7/8/10 right-click and select Run as Administrator)
When "initializing/pre-scan" completes press the Scan button, this may take a few minutes to complete.

When the scan completes open the Registry tab and locate the following detections:

[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | chromebrowser : "C:\WINDOWS\chromebrowser.exe" [x] -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WUDFRd (\SystemRoot\system32\DRIVERS\WUDFRd.sys) -> Found

Make sure those entries are Checkmarked (ticked), also ensure that all other entries are not Checkmarked

Open the Files tab and locate the following detections:

[Tr.Generic][File] C:\ProgramData\System32\SafeGuard64.dll -> Found

Make sure those entries are Checkmarked (ticked), also ensure that all other entries are not Checkmarked

Hit the Delete button, when complete select "Report", in the next window select "Export txt", the log will open as a text file, post that log... Also save to your Desktop for reference.

Let me see that log,

Try FRST again please....
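Two of the entries named in the post above sit at unusual paths: an autostart executable directly in C:\WINDOWS and a DLL under a System32 folder inside C:\ProgramData. The following is an added example, not part of the thread and not RogueKiller's own logic, showing a simple path check a defender could run over autostart entries; the allowlist, the default Windows folder and the last two sample entries are assumptions.

```python
import ntpath

WINDIR = r"C:\WINDOWS"  # assumption: default Windows install folder
# Assumption: short illustrative allowlist of binaries that ship in the Windows root.
WINDIR_ROOT_ALLOW = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe"}
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")

def target_path(command):
    """Extract the binary path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: extend word by word until the candidate ends in a binary extension.
    words = command.split(" ")
    for i in range(1, len(words) + 1):
        candidate = " ".join(words[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate
    return words[0]

def path_findings(path):
    """Return the reasons a path looks out of place (empty list if none)."""
    if path.lower().startswith("\\systemroot"):  # driver-style prefix
        path = WINDIR + path[len("\\systemroot"):]
    norm = ntpath.normpath(path)
    directory, name = ntpath.split(norm)
    parts = norm.lower().split("\\")
    reasons = []
    if directory.lower() == WINDIR.lower() and name.lower() not in WINDIR_ROOT_ALLOW:
        reasons.append("binary directly in the Windows root")
    for i, part in enumerate(parts[:-1]):
        if part in ("system32", "syswow64") and "\\".join(parts[:i]) != WINDIR.lower():
            reasons.append("system directory name outside the Windows folder")
    return reasons

def triage(entries):
    """Map entry name -> findings for each flagged (name, command) pair."""
    results = {name: path_findings(target_path(cmd)) for name, cmd in entries}
    return {name: why for name, why in results.items() if why}

# Sample input: the first two paths are quoted in the post; the rest are constructed.
SAMPLE = [
    ("chromebrowser", r'"C:\WINDOWS\chromebrowser.exe"'),
    ("SafeGuard64", r"C:\ProgramData\System32\SafeGuard64.dll"),  # entry name constructed
    ("VendorUpdater", r'"C:\Program Files\Vendor\Updater.exe" /background'),
    ("ControlPanel", r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL"),
]
print(triage(SAMPLE))
```

A path check like this only narrows down what to look at; an entry it flags still needs to be confirmed by a scanner or an analyst before removal.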
zearthur99 (Author) Posted April 16, 2016 ID:1034531 (Edited April 16, 2016 by zearthur99)

Hey, I just removed the 3 things you listed using Roguekiller. But, I still can't launch FRST (Same error). Should I reboot my computer?

roguekiller2.txt
kevinf80 Posted April 16, 2016 ID:1034535

Yes please, reboot and try FRST again....
zearthur99 (Author) Posted April 16, 2016 ID:1034536

Roguekiller asked me to reboot after clicking finish. Just started up the machine again and the same error persists with FRST.
zearthur99 (Author) Posted April 16, 2016 ID:1034541

Hey,

Just downloaded a newer version of FRST and it did work. I've attached both log files from the latest scan.

FRST.txt Addition.txt
kevinf80 Posted April 16, 2016 ID:1034546

Thanks for those logs, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Please download MBAM-clean and save it to your desktop.

Right-click on mbam-clean.exe icon and select Run as Administrator to start the tool.
It will ask you to reboot the machine - please do so.
Run the cleaner tool again, re-boot when complete. <<<---do not miss this step

Download & install the newest MBAM version.

Please download Malwarebytes Anti-Malware

Install the program and select update.
Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
Click the Scan tab, choose Threat Scan is checked and click Scan Now.
If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
Upon completion of the scan (or after the reboot), click the History tab.
Click Application Logs and double-click the Scan Log.
At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

Next,

Download AdwCleaner by Xplode onto your Desktop.

Double click on Adwcleaner.exe to run the tool.
Click on the Scan in the Actions box
Please wait for the scan to finish..
When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
Click on the Cleaning box.
Next click OK on the "Closing Programs" pop up box.
Click OK on the Information box & again OK to allow the necessary reboot
After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...

Next,

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version: https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
64 Bit version: https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator”, the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs, also give an update on any remaining issues or concerns....

Thank you,
Kevin...

Fixlist.txt
zearthur99 (Author) Posted April 17, 2016 ID:1034554

Now I can access anti-virus websites again!! Thank you so much! I think my computer is clean now. I've attached all the requested logs.

mbamlog.txt Fixlog.txt MaliciousSoftwareRemovalToolLog.txt
kevinf80 Posted April 17, 2016 ID:1034598

Excellent, run the following to clean up:

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down: "Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

Remove disinfection tools
Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices
Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
AdvancedSetup (Root Admin) Posted April 20, 2016 ID:1035216

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!