
Virus disabled privileges and is immune to Malwarebytes



I accidentally infected my computer last week. I immediately updated Malwarebytes, unplugged my ethernet and completed a scan. Many items were removed as you will see in my initial scan. I restarted my computer and performed the scan again, but a pattern appeared no matter how many times I restarted my computer.

  • PUP.Optional.Trotux is always found and reappears.
  • My taskbar is largely non-responsive apart from my ability to close and open windows e.g. Windows 10 start button, volume control and the notifications button are all inactive. If I try and use them nothing happens and occasionally a Windows 10 system sound is made if I keep trying. This Windows 10 system sound is also made at random intervals whilst I use my computer.
  • The 'Photos' app doesn't open, if I'm viewing a photo for instance. I'm required to use another program.
  • Another user's account has appeared on the logon screen. This account is a local administrator, cannot be deleted and has the same limited taskbar functionality that my user account does. I am still an administrator but appear to be more restricted in the overall hierarchy than the other local administrator.
  • Despite clearing Chrome's settings, clearing all browser data, reinstalling the browser - it uses an automated system to login to my Facebook account.

I have attached my logs from Farbar, along with my initial virus scan after getting the virus, and finally the standard virus scan I receive now that the problems above still occur despite PUP.Optional.Trotux reappearing.

Any guidance would be very much appreciated

JF - FRST.txt

JF - Addition.txt

LOG after first scan following virus.txt

LOG of a typical scan now.txt


  • Root Admin

Hello @AGuyCalledJack

Please run the following and post back the logs

 

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Many thanks for the initial information, I've completed the steps above and posted/attached the logs. Sadly the symptoms mentioned in my original message are persisting.

Log from Junkware Removal Tool

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows 10 Home x64 
Ran by Jack (Administrator) on 30-Nov-16 at 23:40:08.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 2 

Successfully deleted: C:\Users\Jack\AppData\Local\crashrpt (Folder) 
Successfully deleted: C:\Users\Jack\AppData\Roaming\9595 (Folder) 

Registry: 0 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 30-Nov-16 at 23:44:45.42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log from AdwCleaner

# AdwCleaner v6.030 - Logfile created 30/11/2016 at 23:48:19
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-11-29.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Jack - JACK-PC
# Running from : C:\Users\Jack\Desktop\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Jack\AppData\Local\Google\Chrome\User Data\Default\Web data] - uk.ask.com
Chrome pref Found:  [C:\Users\Jack\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] - uk.ask.com

*************************

Log from Sophos

2016-12-01 09:29:47.665    Sophos Virus Removal Tool version 2.5.6
2016-12-01 09:29:47.665    Copyright (c) 2009-2016 Sophos Limited. All rights reserved.

2016-12-01 09:29:47.665    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-12-01 09:29:47.665    Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2016-12-01 09:29:47.665    Checking for updates...
2016-12-01 09:29:47.681    Update progress: proxy server not available
2016-12-01 09:29:51.228    Downloading updates...
2016-12-01 09:29:51.228    Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2016-12-01 09:29:51.228    Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2016-12-01 09:29:51.228    Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2016-12-01 09:29:51.228    Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2016-12-01 09:29:51.228    Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2016-12-01 09:29:51.244    Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2016-12-01 09:29:51.244    Update progress: [I49502] sdds.data0910.xml: found supplement IDE533 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2016-12-01 09:29:51.244    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE533 LATEST path=
2016-12-01 09:29:51.244    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE533 LATEST path=
2016-12-01 09:29:51.244    Update progress: [I49502] sdds.data0910.xml: found supplement IDE534 LATEST path= baseVersion= [included from product IDE533 LATEST path=]
2016-12-01 09:29:51.244    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE534 LATEST path=
2016-12-01 09:29:51.244    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE534 LATEST path=
2016-12-01 09:29:51.244    Update progress: [I49502] sdds.data0910.xml: found supplement IDE535 LATEST path= baseVersion= [included from product IDE534 LATEST path=]
2016-12-01 09:29:51.244    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE535 LATEST path=
2016-12-01 09:29:51.244    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE535 LATEST path=
2016-12-01 09:29:51.244    Update progress: [I49502] sdds.data0910.xml: found supplement IDE536 LATEST path= baseVersion= [included from product IDE535 LATEST path=]
2016-12-01 09:29:51.244    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE536 LATEST path=
2016-12-01 09:29:51.244    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE536 LATEST path=
2016-12-01 09:29:51.244    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2016-12-01 09:29:51.275    Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2016-12-01 09:29:51.306    Update progress: [I19463] Syncing product IDE533 LATEST path=
2016-12-01 09:29:51.322    Update progress: [I19463] Syncing product IDE534 LATEST path=
2016-12-01 09:29:51.353    Update progress: [I19463] Syncing product IDE535 LATEST path=
2016-12-01 09:29:51.353    Update progress: [I19463] Syncing product IDE536 LATEST path=
2016-12-01 09:29:51.431    Installing updates...
2016-12-01 09:29:58.854    Option all = no
2016-12-01 09:29:59.682    Option recurse = yes
2016-12-01 09:29:59.682    Option archive = no
2016-12-01 09:29:59.682    Option service = yes
2016-12-01 09:29:59.682    Option confirm = yes
2016-12-01 09:29:59.682    Option sxl = yes
2016-12-01 09:29:59.682    Option max-data-age = 35
2016-12-01 09:29:59.682    Option vdl-logging = yes
2016-12-01 09:29:59.682    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-12-01 09:29:59.682    Machine ID:    dfca7e97d9aa4c8bbdd5aa8aff4de363
2016-12-01 09:29:59.682    Component SVRTcli.exe version 2.5.6
2016-12-01 09:29:59.682    Component control.dll version 2.5.6
2016-12-01 09:29:59.682    Component SVRTservice.exe version 2.5.6
2016-12-01 09:29:59.682    Component engine\osdp.dll version 1.44.1.2270
2016-12-01 09:29:59.682    Component engine\veex.dll version 3.67.0.2270
2016-12-01 09:29:59.682    Component engine\savi.dll version 9.0.5.2270
2016-12-01 09:29:59.682    Component rkdisk.dll version 1.5.31.1
2016-12-01 09:29:59.682    Version info:    Product version    2.5.6
2016-12-01 09:29:59.682    Version info:    Detection engine    3.67.0
2016-12-01 09:29:59.682    Version info:    Detection data    5.32
2016-12-01 09:29:59.682    Version info:    Build date    04/10/2016
2016-12-01 09:29:59.682    Version info:    Data files added    428
2016-12-01 09:29:59.682    Version info:    Last successful update    01/12/2016 09:28:41
2016-12-01 09:29:59.682    Error level 1
2016-12-01 09:30:00.323    Update successful
2016-12-01 09:30:11.324    Option all = no
2016-12-01 09:30:11.324    Option recurse = yes
2016-12-01 09:30:11.324    Option archive = no
2016-12-01 09:30:11.324    Option service = yes
2016-12-01 09:30:11.324    Option confirm = yes
2016-12-01 09:30:11.324    Option sxl = yes
2016-12-01 09:30:11.324    Option max-data-age = 35
2016-12-01 09:30:11.324    Option vdl-logging = yes
2016-12-01 09:30:11.324    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-12-01 09:30:11.324    Machine ID:    dfca7e97d9aa4c8bbdd5aa8aff4de363
2016-12-01 09:30:11.324    Component SVRTcli.exe version 2.5.6
2016-12-01 09:30:11.324    Component control.dll version 2.5.6
2016-12-01 09:30:11.324    Component SVRTservice.exe version 2.5.6
2016-12-01 09:30:11.324    Component engine\osdp.dll version 1.44.1.2270
2016-12-01 09:30:11.324    Component engine\veex.dll version 3.67.0.2270
2016-12-01 09:30:11.324    Component engine\savi.dll version 9.0.5.2270
2016-12-01 09:30:11.324    Component rkdisk.dll version 1.5.31.1
2016-12-01 09:30:11.324    Version info:    Product version    2.5.6
2016-12-01 09:30:11.324    Version info:    Detection engine    3.67.0
2016-12-01 09:30:11.324    Version info:    Detection data    5.32
2016-12-01 09:30:11.324    Version info:    Build date    04/10/2016
2016-12-01 09:30:11.324    Version info:    Data files added    428
2016-12-01 09:30:11.324    Version info:    Last successful update    01/12/2016 09:30:00

2016-12-01 10:59:10.755    Could not open C:\hiberfil.sys
2016-12-01 11:00:28.969    Could not open C:\pagefile.sys
2016-12-01 11:15:29.177    Could not open C:\swapfile.sys
2016-12-01 11:15:29.395    Could not open C:\System Volume Information\{21750ed2-b5e3-11e6-aa41-f04da25f222a}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-12-01 11:15:29.395    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-12-01 11:15:29.395    Could not open C:\System Volume Information\{b26bf214-b755-11e6-aa42-f04da25f222a}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-12-01 11:18:16.862    >>> Virus 'Mal/Phish-A' found in file C:\Users\Jack\AppData\Local\Mozilla\Firefox\Profiles\4a7va4aj.default\cache2\entries\EA515B6FE69E3193E393A07CA3BFBE0DF2F14A46
2016-12-01 11:18:16.862    >>> Virus 'Mal/Phish-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
2016-12-01 11:18:16.862    >>> Virus 'Mal/Phish-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
2016-12-01 11:18:16.862    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-2762593419-3716735177-4266425204-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2103
2016-12-01 11:18:16.862    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-2762593419-3716735177-4266425204-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2103
2016-12-01 11:18:16.862    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-2762593419-3716735177-4266425204-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2016-12-01 11:18:16.862    >>> Virus 'Mal/Phish-A' found in file HKU\S-1-5-21-2762593419-3716735177-4266425204-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2016-12-01 12:05:57.189    Could not open C:\Windows\System32\config\BBI
2016-12-01 12:05:57.282    Could not open C:\Windows\System32\config\DRIVERS
2016-12-01 12:05:57.345    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2016-12-01 12:05:57.360    Could not open C:\Windows\System32\config\RegBack\SAM
2016-12-01 12:05:57.360    Could not open C:\Windows\System32\config\RegBack\SECURITY
2016-12-01 12:05:57.360    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2016-12-01 12:05:57.360    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2016-12-01 12:24:49.298    The following items will be cleaned up:
2016-12-01 12:24:49.298    Mal/Phish-A

FRST.txt

Addition.txt


  • Root Admin


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 


 I've completed the process above and below is the log. Sadly the symptoms mentioned in my original message are persisting.

Fix result of Farbar Recovery Scan Tool (x64) Version: 02-12-2016
Ran by Jack (03-12-2016 02:57:09) Run:1
Running from C:\Users\Jack\Desktop
Loaded Profiles: Jack (Available Profiles: Jack & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
RemoveProxy:
hosts:
EmptyTemp:
Reboot:

*****************

Processes closed successfully.
Restore point was successfully created.

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2762593419-3716735177-4266425204-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2762593419-3716735177-4266425204-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 1353368536 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 50111606 B
Edge => 1523939 B
Chrome => 460900586 B
Firefox => 86212946 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 21274 B
NetworkService => 88624 B
Jack => 1048481740 B
Administrator => 21550361 B

RecycleBin => 738571037 B
EmptyTemp: => 3.5 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 03:11:02 ====

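The Sophos log above flagged the UAC ConsentPromptBehaviorAdmin value and two Internet zone 3 URL actions (1208 and 2103), the FRST fix reset the proxy connection settings and the hosts file, and the original post describes an extra local administrator account and a Chrome profile that keeps logging in by itself. The following read-only triage script, added here as an example and not part of the thread or of any of the tools it mentions, checks each of those places in one pass so you can see what is still set after the cleanup. It assumes Windows 10 with the built-in LocalAccounts module, an elevated PowerShell session, and Windows-default values as the baseline (for example ConsentPromptBehaviorAdmin = 5 and a hosts file with no active entries); those baselines are assumptions, not something the thread states.

```powershell
# Added example, not from the forum thread or from Malwarebytes/Sophos/FRST.
# Read-only triage of the settings the logs above touched. Run elevated on Windows 10.
# "Expected" values are assumptions based on Windows defaults.

$findings = New-Object System.Collections.Generic.List[string]

# Helper: add every non-PS* value under the given registry keys to the findings.
function Add-RegistryValues([string]$Label, [string[]]$Keys) {
    foreach ($key in $Keys) {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $findings.Add("$Label ${key}: $($_.Name) = $($_.Value)") }
        }
    }
}

# 1. UAC. ConsentPromptBehaviorAdmin 0 = elevate without prompting (Windows 10
#    default is 5); EnableLUA 0 = UAC switched off entirely.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $findings.Add('UAC: ConsentPromptBehaviorAdmin = 0 (silent elevation)') }
if ($uac.EnableLUA -eq 0)                  { $findings.Add('UAC: EnableLUA = 0 (UAC disabled)') }

# 2. The zone 3 (Internet) URL actions Sophos flagged. For URL actions
#    0 = allow, 1 = prompt, 3 = disable; report anything set to allow.
$zone3 = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -ErrorAction SilentlyContinue
foreach ($action in '1208', '2103') {
    if ($null -ne $zone3 -and $zone3.$action -eq 0) { $findings.Add("Zone 3 URL action $action = 0 (allow)") }
}

# 3. Proxy and PAC settings. FRST's RemoveProxy cleared the binary connection
#    blobs; these are the human-readable values stored next to them.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet.ProxyEnable -eq 1) { $findings.Add("Proxy enabled: $($inet.ProxyServer)") }
if ($inet.AutoConfigURL)     { $findings.Add("PAC script set: $($inet.AutoConfigURL)") }

# 4. hosts file. A stock Windows 10 hosts file contains only comment lines, so
#    any active (uncommented) entry is worth a look.
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[^#\s]' } |
    ForEach-Object { $findings.Add("hosts entry: $($_.Trim())") }

# 5. Explorer/System policy keys. Normally empty on a home PC; malware writes
#    values here to disable Task Manager, the Run box, the Control Panel, etc.
Add-RegistryValues 'Policy' @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')

# 6. Autostart Run keys, per-machine and per-user.
Add-RegistryValues 'Autostart' @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')

# 7. Who is a local administrator, and which local accounts are enabled
#    (the poster saw an Administrator account appear on the logon screen).
Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $findings.Add("Local Administrators member: $($_.Name) ($($_.ObjectClass))") }
Get-LocalUser | Where-Object { $_.Enabled } |
    ForEach-Object { $findings.Add("Enabled local account: $($_.Name), last logon: $($_.LastLogon)") }

# 8. Chrome extensions in every profile. A browser that logs in to a site by
#    itself after a full reset is a classic sign of an extension re-installed
#    by policy or by a helper process, so list what is loaded.
$chromeRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
Get-ChildItem $chromeRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') } |
    ForEach-Object {
        $prof = $_.Name
        Get-ChildItem (Join-Path $_.FullName 'Extensions') -Directory | ForEach-Object {
            $manifest = Get-ChildItem $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
            $name = if ($manifest) { (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } else { '(no manifest)' }
            $findings.Add("Chrome [$prof] extension $($_.Name): $name")
        }
    }

$findings
```

The script changes nothing; it only prints what it finds so you can compare against the FRST and Sophos output before deciding what to reset. Anything that shows up under the policy keys, the hosts file or the zone 3 actions after a clean reboot is a good candidate for a follow-up fixlist, and an unfamiliar entry in the Administrators group is the first thing to remove once you have confirmed your own account still holds membership.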

  • Root Admin

Hi Jack,

We simply made sure no ongoing infections are on the system. As for permissions having been modified (rarely seen in most infections), those would need to be restored manually. If it's really an issue that is difficult to reset, I'd try to create a new user profile with Admin rights and ensure it works well. Then, if all is working well, move your data from the old profile to the new one.

For programs like your photo app, try doing a repair reinstall from the Control Panel, or if needed the main installer. Most apps can do a repair install from the Control Panel, Programs.

If there is something else I can assist you with please let me know.

The complexity of finding, preventing, and cleanup from malware

 

Ron

 

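Creating the fresh administrator profile suggested above and moving the data across can be done from an elevated PowerShell rather than through the Settings app. The script below is an added example, not part of the thread; the account name JackNew is a placeholder, and the old profile path C:\Users\Jack is taken from the logs above. It assumes Windows 10 with the built-in LocalAccounts module and robocopy.

```powershell
# Added example, not from the forum thread. Creates a new local administrator and,
# once that profile exists, copies the old profile's data folders into it.
# Account name is a placeholder; run elevated on Windows 10.
$newName    = 'JackNew'          # placeholder name for the replacement account
$oldProfile = 'C:\Users\Jack'    # old profile path, as seen in the logs above
$newProfile = "C:\Users\$newName"

# Step 1: create the account (skipped if it already exists) and make it an admin.
if (-not (Get-LocalUser -Name $newName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $newName"
    New-LocalUser -Name $newName -Password $pw -FullName $newName | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $newName
    Write-Output "Created $newName and added it to Administrators."
}

# Windows only creates C:\Users\<name> at the first interactive logon, so the
# copy step has to wait until you have signed in as the new user once.
if (-not (Test-Path $newProfile)) {
    Write-Warning "Sign in as $newName once to create the profile, then re-run this script."
    return
}

# Step 2: copy only user data. AppData is deliberately left behind: that is where
# browser state and the remnants this thread has been fighting live. /XJ skips
# junction points, and robocopy's default /COPY:DAT copies data, attributes and
# timestamps but NOT the old ACLs, which matters when the complaint is broken
# permissions. The new folders inherit the new profile's own permissions.
$log = Join-Path $newProfile 'migration.log'
foreach ($folder in 'Desktop', 'Documents', 'Downloads', 'Pictures', 'Music', 'Videos') {
    $src = Join-Path $oldProfile $folder
    if (Test-Path $src) {
        robocopy $src (Join-Path $newProfile $folder) /E /XJ /R:1 /W:1 /NP /LOG+:$log | Out-Null
    }
}

# robocopy's summary block reports copied/skipped/failed counts per run.
Get-Content $log | Select-String -Pattern '^\s+(Dirs|Files)\s*:'
```

Sign in as the new account and confirm the taskbar, Start menu and Photos app behave normally before copying anything; if the new profile shows the same symptoms, the problem is machine-wide rather than profile-level and a new profile will not help. Once the copy has completed and you have checked the files, the old account can be disabled with Disable-LocalUser rather than deleted, so its profile stays available until you are sure nothing is missing.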
