ParallelPain

Incredibly Bad Infection Round 2


Hello,

About a month ago, my computer was hit with a particularly bad piece of malware. It won't let me start Malwarebytes, and it makes my Kaspersky scan get stuck at 1%. And I couldn't open iTunes or MS Word. Also, every time I move/add/delete a file I would have to refresh the desktop or Explorer to see the results.

At the time for some reason I couldn't make an account here, so I made one in another anti-malware forum. That forum had the exact same initial posting instruction as here, so I ran FRST. However, no matter how many times I try, FRST gets stuck without completing. Both Addition and FRST text files were made, so I posted with those files anyway.

I was helped by the admin there using a Clint Eastwood profile picture. I followed his instructions. Unfortunately, though we removed some malware, we evidently weren't able to remove all of it, as I still wasn't able to access Malwarebytes and the Kaspersky scan was still stuck.

The last thing I was asked to do was to run FRST in Safe Mode in the hope that it would run to the end. Unfortunately the malware had prevented the computer from restarting properly, and either the malware or too many forced restarts killed the hard drive.

I asked my friend to recover the files for me, while I got a new hard drive and reinstalled windows.

My friend was able to recover my files to a new hard drive and connect it to my computer. Now the exact same problems are returning. I am currently still able to restart the computer normally (albeit probably slower than it should be) and access MSWord. However I don't know how long that will keep up.

I am posting this in Safe Mode as we speak. And FRST still gets stuck. Attached are the FRST and Addition files from the stuck run in Safe Mode.

Please help.

Addition.txt

FRST.txt


Hello ParallelPain

 

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

     


NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

 

First I would like you to give me a link to where you were getting help before, so I can look it up and see what was done.

 

I need you to download this script I have made for you --> fixlist.txt

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running it on another machine may cause damage to your operating system.


Gringo

 

 


This is the link.
https://malwaretips.com/threads/probably-malware-but-not-100-sure-lots-of-stuff-are-blocked.59414/

I've attached fixlog.txt. Fixlist.txt seems to have disappeared. I hope that's normal.
The computer force-closed my Chrome and seems to have wiped the session history. It also asked for a restart, which I did, though it doesn't look like iTunes is working since it's not popping up even though I have my iPod connected.

Fixlog.txt



This tool will uninstall Malwarebytes Anti-Malware, reinstall Malwarebytes Anti-Malware, and if Malwarebytes Anti-Malware was registered it will restore your existing license. It will also run our diagnostic tool, mbam-check.

.
There will be 2 restarts of your computer during this routine.
Please do not perform other functions while performing this repair.
An active internet connection is required.
Please attend your computer during this entire procedure.

.
Please download mbam-repair tool from this link and save it to your desktop.
http://downloads.malwarebytes.org/file/mbam_repair

Double click on mbam-repair.exe to run it.
Approve the UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. (not on XP systems)

.
The tool will download additional Malwarebytes tools to be used in this repair routine.
*Follow the prompt to press the Enter key when it is presented. The computer will restart.
*After restart, the UAC prompt will appear. Approve it again by clicking Continue or Yes.
*MBAM will be installed, and updated. The license will be restored.
*Wait for the update to complete, and when prompted, press the Enter key again. The computer will restart.

.
Note:
If pressing the Enter key does not restart the computer, this means the console window is not in focus. Click once inside the black mbam-repair window and then press Enter. After the restart, the UAC prompt will appear again. Approve it again by clicking Continue or Yes. Mbam-repair will perform its post-installation checks.

Our diagnostic tool, mbam-check will be run. CheckResults.txt will be presented to the screen. Close that log file. It will be located on your desktop. Once again, press the Enter key in the mbam-repair console window.
The repair is now complete.

.
Note:
The Malwarebytes Anti-Malware notification area icon will have a red triangle warning still. This should only be due to the need to run a scan. Please run a scan with MBAM and report your results from this repair routine.

If the issue is resolved, there's no need to send the CheckResults.txt log created by the tool.

If the issue is not resolved, please locate the CheckResults.txt log on your desktop and send it as an attachment.

 


No issues have been solved. Malwarebytes still doesn't run.

Also at the moment the repair tool is not closing despite my pressing enter while the tool is selected.

Also, the computer is now blocked from reading stuff from USB drives. Not sure if this was the case last month.

MS Word is also blocked. The computer also won't turn off properly but goes to a blue screen after a long while of trying to shut off/restart. These two I know for sure also happened last month. I can't guarantee I'll be able to go into Safe Mode now.

CheckResults attached.

CheckResults.txt


Hello ParallelPain

The more we do, the less I think this is a malware issue; this looks like it has more to do with a problem inside of Windows.

Download Windows Repair (all in one) from here: >> Windows Repair <<

Wait for the program to start downloading (it may take a minute); just do not click on anything. When the download window opens, click on Save now and save it to your desktop.

.

  1. Double-click “tweaking.com_windows_repair_aio_setup” to begin the install
  2. Select the default settings during the install
  3. When finished, Windows Repair will open automatically
  4. Click on “Step 5:” at the top and click on Backup and Create
  5. Click on “Step 3:”
  6. Click on Option 2, Open Check Disk at Next Boot
  7. Restart the computer and allow “Check Disk” to finish
  8. Restart Windows Repair and go to “Step 4:”
  9. Under “System file check” click on Do It
  10. Once complete, restart the computer and restart Windows Repair
  11. Click on “Repairs” at the top
  12. Click on “Open Repairs”
  13. Leave the default selections selected and click on Start Repairs

.
Once complete, restart the computer once more, check things out, and let me know how things are doing.


I clicked Create. It took a long time. I left for work. I came home and saw it took two and a half hours to create a restore point.

After I clicked Open Check Disk at Next Boot, the tool became stuck. I tried rebooting from this a couple of times but no window or process that says check disk pops up. I also can't boot to Safe Mode as recommended by the tool. All restart attempts take a long time and either go to a blue screen or a blank black screen before booting in the normal fashion.

Should I continue to wait for the tool, to see if it will do anything eventually after I click Open Check Disk at Next Boot? Or should I skip it and go to Step 4, System file check?

I think it's clear that there's something wrong with Windows. But I would still say it's malware or a virus that's causing this. Last month the problems didn't start until I tried to access a page Kaspersky warned about (on Baidu). When I used Zemana AntiMalware as instructed, it caught and deleted some malware in Internet Explorer, which I never use.

The problem this time didn't start until I got my hard drive back with all my old files, which I assume include whatever bad program was in the old files. Before becoming stuck, Kaspersky also picked up three warning files. But something is preventing Kaspersky from deleting them.


Just to add: I can still browse the internet, use Steam and games, and Windows Media Player no problem. It seems the only things blocked right now are things that would help me remove malware.


The first program that I would like you to run is “Junkware Removal Tool”:

  1. Download “Junkware Removal Tool” and save it to your desktop. >> JRT.exe <<
  2. Shut down your antivirus to avoid any conflicts.
  3. Right-click “JRT.exe” and select Run as administrator
  4. If prompted by the UAC, select Yes
  5. The tool will open; press any key to start the scanning
  6. Please be patient, as this can take a while to complete.
  7. On completion, a log (“JRT.txt”) is saved to your desktop and will automatically open.
  8. Please attach “JRT.txt” to your next reply

.

The next program that I would like you to run is “AdwCleaner”:

  1. Download “AdwCleaner” and save it to your desktop. >> AdwCleaner <<
  2. Shut down your antivirus to avoid any conflicts.
  3. Right-click “AdwCleaner” and select Run as administrator
  4. Click on I Agree at the Terms of Use
  5. When “AdwCleaner” opens, I want you to click on Scan
  6. After the scan has completed, I want you to click on Cleaning
  7. At the information screen, click on OK
  8. Once done it will ask you to reboot; allow the reboot, it is very important
  9. After the computer restarts a report will open. Save this report to your desktop and attach it to your next reply

.

Once both programs are complete, reply back to me with the two reports, and remember to let me know how things are doing.

.
The reports that I will be wanting are named:
JRT.txt

 


So after Junkware Removal Tool tried for I don't know how many hours (I only watched it for the first two hours, then I had to leave; I just came back and it's been about 6 hours since I ran the tool), it gave me a message: "The tool failed to create a restore point! Tool paused. If you would like to continue anyway, press any key to continue..."

Should I continue? Do I have a choice?

 


I went ahead and continued. Here are the logs.

It looks like they picked up and deleted some stuff.

Currently the only difference from before is that for some reason Kaspersky was able to delete the three files it picked up but was not able to delete before.

Everything else that was broken seems like they're still broken. Will keep looking around.

JRT.txt

AdwCleaner[C1].txt


So here's a list of things broken:

Kaspersky scan still stuck at 1% (or 0%).
Malwarebytes window still won't launch, but the tiny icon shows in "hidden icons" (as before). Chameleon is still stuck at updating.
Microsoft Office still can't launch. iTunes still can't launch.
As before, nothing seems to be able to change the shutdown/restart setting. For Tweaking.com Windows Repair, clicking Check Disk At Next Boot freezes the tool. Any attempt at shutdown or restart goes on for quite a long time before going to a Blue Screen stop error. Left Shift + Restart and choosing Troubleshoot to go to Safe Mode is the same, and also does not go to Safe Mode but launches Windows normally. This is as before.
Moving and adding files still won't show up until Refresh is clicked in Windows Explorer or on the desktop.

On the bright side, I can still browse the internet, run Windows Media Player, and play Steam games.


I would also like you to rerun “FRST” for me and send me the new report to check over.

If you cannot find where you saved “FRST” the first time then here are the links again for you.
.

Note: You need to run the version compatible with your computer. If you are not sure which version applies to your computer, then download both of them and try to run them. Only one of them will run on your computer, and that will be the right version.

.
For 32-bit (x86) editions of Windows: >> FRST.exe <<

For 64-bit (x64) editions of Windows: >> FRST64.exe <<

.

  1. Run the “FRST” download that works on your computer
  2. When the tool opens, click Yes for the disclaimer in order to continue using “FRST”.
  3. Under the section called “Whitelist” make sure all boxes are checked
  4. Under the section called “Optional Scan” I would like you to have a check mark next to “Addition.txt”
  5. Press the Scan button.
  6. When the scan is done, it will save the reports to the same location as “FRST” (if you saved “FRST” on your desktop, then the reports will be saved on the desktop).
  7. Please attach the “FRST.txt” and “Addition.txt” log files to your next reply to me (it is best if you do not copy and paste them into an e-mail).

.

When you reply back to me you should have two reports for me, and I need you to tell me how things are doing.
FRST.txt
Addition.txt

 


As before, FRST gets stuck after scanning a while and making the files. I waited 2 hours in case it would get unstuck.
I don't even know what it's stuck on, because it already went through a lot of different stuff and created the files. When it gets stuck it doesn't say what it's doing, just "scanning, please wait".

On another note I found out I can't attach the files while the tool is running.

Also running mbam.exe says "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item." Everything else looks the same.

Addition.txt

FRST.txt

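The message quoted in the post above is the generic text the shell shows when Windows refuses to start a file that exists. Among the things that produce it are a Software Restriction Policy or AppLocker rule that disallows the program, a deny ACE on the file, and a file still carrying a download mark; an Image File Execution Options "Debugger" value is a further common point of interference because it silently redirects the program to something else. As an added example that is not part of this thread, and not a diagnosis of this particular machine (the FRST logs are not on the page), the PowerShell script below reports those points for one executable. The install path of mbam.exe is an assumption; the script only reads and changes nothing.

```powershell
# Added example (not from the thread): where to look when one executable fails with
# "Windows cannot access the specified device, path, or file". Read-only. Run elevated.
$Exe  = 'C:\Program Files\Malwarebytes Anti-Malware\mbam.exe'   # assumed install path
$name = [System.IO.Path]::GetFileName($Exe)

function Test-Ifeo {
    param([string]$ExeName)
    # A Debugger value under IFEO makes Windows launch that "debugger" instead of the program.
    $keys = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ExeName",
            "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ExeName"
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $v = Get-ItemProperty -LiteralPath $k
            [pscustomobject]@{ Check = 'IFEO'; Key = $k; Detail = "Debugger=$($v.Debugger)" }
        }
    }
}

function Test-SaferRules {
    # Software Restriction Policy: DefaultLevel 0 = Disallowed; path/hash rules sit below
    # the level subkeys, each with an ItemData value (a path string or a hash blob).
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path -LiteralPath $base)) { return }
    $default = (Get-ItemProperty -LiteralPath $base -ErrorAction SilentlyContinue).DefaultLevel
    [pscustomobject]@{ Check = 'SRP'; Key = $base; Detail = "DefaultLevel=0x$('{0:X}' -f [int]$default)" }
    Get-ChildItem -LiteralPath $base -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($null -ne $p.ItemData) {
            $d = if ($p.ItemData -is [byte[]]) { 'hash rule' } else { [string]$p.ItemData }
            [pscustomobject]@{ Check = 'SRP rule'; Key = $_.PSPath; Detail = $d }
        }
    }
}

function Test-AppLocker {
    # AppLocker only enforces while the Application Identity service (AppIDSvc) runs.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $xml = $null
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        try { $xml = Get-AppLockerPolicy -Effective -Xml } catch { $xml = $null }
    }
    $detail = if ($xml) { "effective policy present ($($xml.Length) chars)" } else { 'no effective policy' }
    [pscustomobject]@{ Check = 'AppLocker'; Key = "AppIDSvc=$($svc.Status)"; Detail = $detail }
}

function Test-FileAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Check = 'File'; Key = $Path; Detail = 'not found' }
    }
    $acl  = Get-Acl -LiteralPath $Path
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    [pscustomobject]@{ Check = 'ACL'; Key = $Path; Detail = "Owner=$($acl.Owner); deny ACEs=$($deny.Count)" }
    # Zone.Identifier is the "downloaded from the internet" mark; ZoneId=3 is the Internet zone.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) { [pscustomobject]@{ Check = 'MOTW'; Key = $Path; Detail = ($zone -join ' ') } }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{ Check = 'Signature'; Key = $Path; Detail = "$($sig.Status) $($sig.SignerCertificate.Subject)" }
}

$report = @(Test-Ifeo $name) + @(Test-SaferRules) + @(Test-AppLocker) + @(Test-FileAccess $Exe)
$report | Format-Table Check, Key, Detail -AutoSize -Wrap
```

A populated IFEO Debugger value, an SRP DefaultLevel of 0x0, an SRP or AppLocker rule naming the program, or a deny ACE each explains the error on its own; an empty report points away from policy and toward something intercepting process creation, which is where the earlier request to gather FRST logs comes in.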

Just a note: after restarting the computer (yes, blue screen again), Malwarebytes has now returned to how it was before.

Before as in: it will run, but as a tiny icon in the hidden corner, with the window not popping up to receive commands.


Greetings

 

I have been going over the reports and do not see anything that is going to cause this type of problem.

There is a way you might be able to track it down.

I want you to run things in selective startup; this will help pinpoint the type of problem it is.
.

  1. Press the “Windows key” + “R” (the Windows key is between the “Ctrl” button and the “Alt” button)
  2. In the Open box, type msconfig and then click “OK”.
  3. Click the “Services” tab in the System Configuration window.
  4. Put a checkmark in “Hide all Microsoft services”.
  5. Click on the “Disable all” button.
  6. Now click on the “Startup” tab
  7. Click on the “Disable all” button
  8. Click on the “Apply” button

.
Restart the computer and see how things are doing. If things are doing better, then repeat the process, but this time start with the services: add the first half back and apply the changes.

If things go bad again, then you know the problem is in the services that you restarted, and you can keep searching until you find the one it is.

If you restart all the services and things are still OK, then go back and do the same thing for the startup programs.

 

 

 

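The selective-startup procedure above is a bisection over the entries that msconfig's Services and Startup tabs show. As an added example that is not part of this thread, the PowerShell script below pulls the same two lists through WMI, tags each entry with the Authenticode signer of its image (so "Hide all Microsoft services" is reproduced from the signature rather than from the display name), writes a baseline CSV to compare across reboots, and provides a helper that disables or re-enables half of the non-Microsoft automatic services for the halving step. Run it from an elevated PowerShell prompt. The CSV path is an assumption, and a service that refuses to be disabled prints an error and is skipped rather than stopping the loop.

```powershell
# Added example (not from the thread): msconfig's Services and Startup lists, with signer
# information, plus a halving helper for the selective-startup bisection. Run elevated.

function Resolve-ImagePath {
    param([string]$CommandLine)
    # Command lines may be quoted, carry arguments, use the \??\ prefix, or be relative to SystemRoot.
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine -replace '^\\\?\?\\', ''
    if ($cmd -match '^"([^"]+)"')                         { $path = $Matches[1] }
    elseif ($cmd -match '^(\S+\.(exe|sys|dll|cmd|bat))')  { $path = $Matches[1] }
    else                                                  { $path = ($cmd -split ' ')[0] }
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    return $path
}

function Get-SignerSummary {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'FileMissing'; Signer = $null; Microsoft = $false }
    }
    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        Status    = "$($sig.Status)"        # Valid, NotSigned, HashMismatch, ...
        Signer    = $subject
        Microsoft = ($sig.Status -eq 'Valid' -and $subject -like '*O=Microsoft Corporation*')
    }
}

function Get-StartupInventory {
    $services = Get-CimInstance Win32_Service | ForEach-Object {
        $path = Resolve-ImagePath $_.PathName
        $sig  = Get-SignerSummary $path
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Display = $_.DisplayName
                           StartMode = $_.StartMode; State = $_.State; Image = $path
                           SigStatus = $sig.Status; Signer = $sig.Signer; Microsoft = $sig.Microsoft }
    }
    $startup = Get-CimInstance Win32_StartupCommand | ForEach-Object {
        $path = Resolve-ImagePath $_.Command
        $sig  = Get-SignerSummary $path
        [pscustomobject]@{ Kind = 'Startup'; Name = $_.Name; Display = $_.Location   # Run key or folder
                           StartMode = $_.User; State = $null; Image = $path
                           SigStatus = $sig.Status; Signer = $sig.Signer; Microsoft = $sig.Microsoft }
    }
    @($services) + @($startup)
}

# Halving step from the post: disable one half of the non-Microsoft automatic services,
# reboot and observe, then -Enable them again if the symptom did not move.
function Set-ServiceHalf {
    param([object[]]$Services, [switch]$SecondHalf, [switch]$Enable)
    $auto = @($Services | Where-Object { $_.Kind -eq 'Service' -and $_.StartMode -eq 'Auto' } | Sort-Object Name)
    $mid  = [math]::Ceiling($auto.Count / 2)
    $half = if ($SecondHalf) { $auto | Select-Object -Skip $mid } else { $auto | Select-Object -First $mid }
    $type = if ($Enable) { 'Automatic' } else { 'Disabled' }
    foreach ($svc in $half) {
        Set-Service -Name $svc.Name -StartupType $type -ErrorAction Continue
        "$type  $($svc.Name)"
    }
}

$inventory = Get-StartupInventory
$nonMs     = @($inventory | Where-Object { -not $_.Microsoft })
$nonMs | Sort-Object Kind, Name | Format-Table Kind, Name, StartMode, SigStatus, Image -AutoSize
$inventory | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\startup-baseline.csv"  # assumed path

# Set-ServiceHalf -Services $nonMs                 # first half off, then reboot
# Set-ServiceHalf -Services $nonMs -Enable         # first half back on
# Set-ServiceHalf -Services $nonMs -SecondHalf     # second half off, then reboot
```

Catalog-signed Windows components report a Microsoft signer, so an entry left in `$nonMs` whose SigStatus is NotSigned or HashMismatch deserves a look regardless of which half of the bisection it lands in; diffing two baseline CSVs taken on different days shows anything that re-added itself.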

It didn't work. Tried multiple times. No improvement at all.

The following services won't stay unchecked.

Application Identity
AppX Deployment Service (AppXSVC)
Kaspersky Anti-Virus Service 16.0.0
Background Tasks Infrastructure Service
Client License Service (ClipSVC)
CoreMessaging
embeddedmode
Enterprise App Management Service.
Group Policy Client
Local Session Manager
Windows Installer
Microsoft Passport Container
Microsoft Passport
RPC Endpoint Mapper
Task Scheduler
State Repository Service
System Events Broker
Tile Data model server
Time Broker
Windows Defender Network Inspection Service
Windows Defender Service
Windows Push Notification Service
Windows Store Service (WSService)

A lot, but not all of them, are Stopped under status.

Also, I have been running AdwCleaner every once in a while these past couple of days. It had returned clean until just now, when it picked up a few search toolbars installed into Chrome. I don't think this is a good sign.

I am considering just reinstalling Windows 10 from a disc I downloaded, since it's only a month of data that could easily be backed up. But the setup won't run. Just like the other blocked stuff, it shows up in the Task Manager detail view but nothing pops up.

I might try booting from the disc.


So I can't even reset Windows from the Troubleshoot screen (can't change reboot settings even from that screen, due to the blue screen on reboot). And I can't even boot from the disc to reinstall (Windows setup won't pop up. I tried it on another computer and it's not the disc's problem).

 


I tried the recovery environment. Not one of the options works. Not even recovering and discarding all data, or rolling back to the previous version of Windows.

I don't even get to choose versions or type passwords. After one or two clicks, the screen goes black for about 5 minutes before giving me a Blue Screen error.

The error is DRIVER POWER STATE FAILURE and is what I see every time I try to shut down or restart the computer or go into Safe Mode. It's also the same error I saw last time.

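DRIVER_POWER_STATE_FAILURE is stop code 0x9F: the kernel raises it when a driver does not complete a power IRP (shutdown, restart, sleep transitions) within the allowed time, which is consistent with a machine that hangs and then blue-screens on every shutdown attempt. As an added example that is not part of this thread, the PowerShell script below gathers what a practitioner needs before attributing the bugcheck to a driver: the recorded bugcheck events with their parameters, the dump files in Windows' default locations, and the loaded kernel drivers whose image is not signed by Microsoft. The output folder on the desktop is an assumption. Reading the dump itself is done in WinDbg with `!analyze -v`, which for 0x9F usually names the driver that owned the stuck IRP; this script only collects.

```powershell
# Added example (not from the thread): triage collection after a DRIVER_POWER_STATE_FAILURE
# (0x9F) stop error. Run from an elevated PowerShell prompt.

function Get-BugcheckHistory {
    param([int]$Last = 10)
    # Event 1001 from WER-SystemErrorReporting reads "The bugcheck was: 0x0000009f (p1, p2, p3, p4)".
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id           = 1001
    } -MaxEvents $Last -ErrorAction SilentlyContinue | ForEach-Object {
        $code = if ($_.Message -match '0x([0-9a-fA-F]{8})') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Bugcheck = "0x$code"; Message = ($_.Message -split "`n")[0] }
    }
}

function Get-DumpFiles {
    # Default locations: small dumps per crash, plus the full/kernel dump if configured.
    $candidates = @("$env:SystemRoot\Minidump\*.dmp", "$env:SystemRoot\MEMORY.DMP")
    Get-ChildItem -Path $candidates -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may be absolute, \??\-prefixed, \SystemRoot\-prefixed, or relative.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ThirdPartyDrivers {
    # Windows' own drivers are catalog-signed and report a Microsoft signer; everything else,
    # including unsigned or missing images, is kept for review.
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = if ($path -and (Test-Path -LiteralPath $path)) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            SigStatus = if ($sig) { "$($sig.Status)" } else { 'FileMissing' }
            Signer    = $subject
        }
    } | Where-Object { $_.Signer -notlike '*O=Microsoft Corporation*' }
}

$out = "$env:USERPROFILE\Desktop\bugcheck-triage"     # assumed output folder
New-Item -ItemType Directory -Path $out -Force | Out-Null

Get-BugcheckHistory | Tee-Object -FilePath "$out\bugchecks.txt" | Format-Table -AutoSize -Wrap
Get-DumpFiles       | Tee-Object -FilePath "$out\dumps.txt"     | Format-Table -AutoSize

$drivers = @(Get-ThirdPartyDrivers | Sort-Object State, Name)
$drivers | Export-Csv -NoTypeInformation -Path "$out\drivers.csv"
$drivers | Where-Object { $_.State -eq 'Running' } | Format-Table Name, SigStatus, Signer, Path -AutoSize
```

If `bugchecks.txt` is empty the machine never finished writing a crash record, which is itself a data point: the hang precedes the bugcheck's logging path. A running driver with SigStatus NotSigned or HashMismatch belongs at the top of the list to check against the `!analyze -v` output from the most recent minidump.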