Jump to content

Win10 infection (or former infection?)


tostada
 Share

Recommended Posts

Hi,

I had some infections previously.  When I try to install the current version of MBAM, I'm unable to do so.  However, I was able to download version 1.75, update the virus database, and run that (and it removed some infections).  However, I still can't run the current version, so your team suggested in this post that I post here.  "The logs show the computer is infected or was at one time and was not fully cleaned up. The BITS service is damaged it looks like as well and our program is crashing for some reason as well. "

From that thread, they had asked me to run mbam-check and I'm not able to do that either.  I'm attaching the logs from the Farbar tool that I just ran.  Current status is I have MBAM 1.75 installed and running (no infections found).  

You guys are awesome for helping a poor user such as myself out, so thank you!

FRST.txt

Addition.txt

Link to post
Share on other sites

  • Root Admin

Hello and :welcome:

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed, please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large, then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable, it is unlikely, but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous; please be patient. Often we are also in a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to clean up all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)

 

STEP 01
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program, please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

Link to post
Share on other sites

Thank you for the assistance.  I ran mbam-clean 2.3.0.1001.exe and rebooted the computer.  I then re-installed using mbam setup 2.2.1.1043.exe.  It completed the setup, created the desktop icon, but the program would not actually open.  When I try to run the program from the desktop icon, same thing (both as a user and as administrator).  Looking at task manager, I can see the mbam.exe process appear, and then disappear after a second or two.  So I cannot get the current version of the program to open at this point.

 

Link to post
Share on other sites

  • Root Admin

Okay, please run the following for me please.

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

adwcleaner_new.png Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Link to post
Share on other sites

I don't believe that's the case, for a couple of reasons.  First, I only implemented a new whitelisting policy a few days ago (in part due to having gotten infected before), and the problem existed before I started whitelisting.  Second, although it's not set up by a professional IT support, just me, here's what I did.  I implemented a Local Security Policy that disables all programs unless they are specifically authorized (instead of default setup of allowing all programs to run).  However, in doing the testing for running MBAM, I knew that might be an issue so I turn off the security (re-enabling all programs to run and returning to the default) whenever I'm doing any of the tests/programs you have me do (and farbar, sophos, adaware cleaner etc all ran fine even though they are not whitelisted).  I'm sure you see the apps I've whitelisted to run in the logs, but that list is not actually being used when I try to install/run MBAM.  

As a sidenote, if it helps, when I try to run mbam I do get an error that shows in the Events Viewer -> Local -> Windows Logs -> Application that says 

Faulting application name: mbam.exe, version: 2.3.173.0, time stamp: 0x56e065b4
Faulting module name: mbam.exe, version: 2.3.173.0, time stamp: 0x56e065b4
Exception code: 0xc0000005
Fault offset: 0x001d3bba
Faulting process id: 0x2b5c
Faulting application start time: 0x01d24107db34dd7c
Faulting application path: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
Faulting module path: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
Report Id: 596ac168-81da-44f7-a0c9-7274c42a0926
Faulting package full name: 
Faulting package-relative application ID: 

Probably not helpful but thought I would throw it out there in case it was.

Link to post
Share on other sites

When I run in safe mode minimal, I was able to finally open the program (but of course not update the database since there's no networking).  Ran the scan (without of course updating the database since there's no network connection), no infections found.  When I tried again in safe mode with networking, the program would not open (same with when I returned to normal mode).  Any thoughts/suggestions on why this would be the case?

Link to post
Share on other sites

Note:  This is running the command prompt as administrator, not sure if that makes a difference or not.


C:\WINDOWS\system32>tracert data-cdn.mbamupdates.com

Tracing route to user-att-107-197-136-0.e4280.g.akamaiedge.net [23.72.207.141]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  homeportal [192.168.1.254]
  2    27 ms    24 ms    22 ms  107-197-140-1.lightspeed.irvnca.sbcglobal.net [107.197.140.1]
  3    32 ms    20 ms    19 ms  64.148.105.62
  4     *        *        *     Request timed out.
  5    22 ms    21 ms    31 ms  12.83.38.205
  6    33 ms    42 ms    34 ms  cts1.scaca.ip.att.net [12.122.114.41]
  7     *        *        *     Request timed out.
  8    41 ms    38 ms    37 ms  12.120.183.64
  9    33 ms    31 ms    30 ms  a23-72-207-141.deploy.static.akamaitechnologies.com [23.72.207.141]

Trace complete.

Link to post
Share on other sites

Same thing happens.  When I run the program (either normal or as admin), the MS popup opens saying do I want to allow this app to make changes to my device, I hit Yes.  The "thinking" spinning icon appears for a second or two, mbam.exe shows up in task manager, and then mbam.exe disappears from task manager and nothing happens.  Sorry to be such a pain, thank you for all of your assistance to date!

Link to post
Share on other sites

Here you go.  Previously I was not able to actually run the mbam-check program, but this time it did finally run.  The forum software isn't allowing me to upload it, so I'm copy/pasting it below since it's fairly short, hope that's ok.  In my original post https://forums.malwarebytes.org/topic/190087-unable-to-updaterun-mbam-221/ (where I thought it was just an install problem rather than malware), the person helping me mentioned that the BITS service was damaged, not sure what exactly that means or if it's relevant, just trying to be helpful!

 

mbam-check result log version:     2.3.2.0
========================================

User Account type:                 Administrator
DomainComputer:                    No
OS:                                Windows 10  64 bit Operating System
Current Version and Build:         10.0.14393 OS Product Info: Professional


mbam-check result log version: 2.3.2.0

Date Log Created: 11/23/16
Time Log Created: 09:21:00


User Information for Local System:
===========================================
User Account: Administrator
    Account Level: Admin
User Account: DefaultAccount
    Account Level: Guest
User Account: Gary
    Account Level: Admin
User Account: Guest
    Account Level: Guest
User Account: server2012
    Account Level: Limited User
User Account: User2
    Account Level: Admin
Total # of user entries: 6

UAC Settings:
===================
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    DWORD    1    Status: ON
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
    DWORD    5    Status: ON

AntiVirus Information:
===================
AntiVirus Software Installed:    "Windows Defender"

FireWall Information:
===================
NO 3rd Party Firewall Software Installed

AntiSpyware Information:
===================
AntiSpyware Software Installed:    "Windows Defender"

 

FRST.txt

Addition.txt

Link to post
Share on other sites

  • Root Admin

You have a lot of software restriction policies in place that are designed to stop or alter running of applications. I'd think that many of your apps don't run correctly based on those entries. At first I thought it was one of the policies in place to prevent encryption malware but looking closer it doesn't look like it is.

Please run the following. Then restart the computer, then see if you can run MBAM or not now and let me know.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Sorry for the long non-response, we were closed for the holidays.  Unfortunately your fix above did not change the behavior, the program still doesn't run.  I am going to try deleting the software restrictions completely to eliminate that as a possible cause, give me a day or so to do so and I will re-run the logs.  Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.