
Computer completely infected



Hey,

A couple of weeks ago I came back to my PC, which had been left on the desktop overnight, showing nothing but a black screen, a pop-up advert and Internet Explorer opened on some ad site (I can't remember fully). I powered down and came back the next morning to attempt to fix it, disconnecting my wireless connection to the internet and pressing Ctrl+Shift+Esc to open Task Manager. PING.exe kept appearing in the process list, as well as a few other strange processes, which I shut down. I then ended and restarted explorer.exe, which brought back my desktop instead of the blank black screen, and proceeded to do scans with Malwarebytes. I had little luck for a while: continuously restarting, deleting quarantined files and repeating as new threats were being picked up, seemingly with every restart.

Now I gave up after that couple of days and came back yesterday to give it another shot. I acquired Malwarebytes 3.0 and it finally seemed to have picked up everything (I believe), although I've been doing scans all day today and every so often it will pick something new up as if it wasn't there before. Most notably, yesterday I had a hijacked hosts file and most sites were being redirected to something else. It's worth noting that last week I was fed up with how slow the system was running with the viruses, so I went into msconfig (probably stupidly) and disabled a lot of startup programs that I thought might have something to do with them. Since this happened I've run another couple of scans (cut them short, as for whatever reason they have seemed to be taking at least 4x longer than they usually have been) and things have been clean; however, when I start up the system I still have a black screen and have to manually restart explorer.exe as well as any programs that are supposed to be running on startup.

 

So I believe there's still something there, and I'm expecting that eventually it will spread again to what it was in those first couple of scans (somewhere around 2400+ threats), as well as this annoying issue of having to restart explorer.exe to make the system functional after each startup.

 

 

Addition.txt

FRST.txt

Edited by monkeymii

Hello monkeymii and welcome to Malwarebytes,

Run the following and post the produced logs...

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or to the folder you saved FRST into. Do not open that file.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Open Malwarebytes, select "Settings" > "Protection" tab.

Scroll down to "Scan Options" and ensure Scan for Rootkits and Scan within Archives are both on. Leave all other settings at default.

Go back to "Dashboard" and select the blue "Scan Now" button.

When the scan completes, deal with any found entries. Then select "Export Summary" then "Text File (*.txt)", name that log and save it; you can copy or attach that to your reply.

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan in the Actions box.
  • Please wait for the scan to finish.
  • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop-up box.
  • Click OK on the Information box & again OK to allow the necessary reboot.
  • After restart the AdwCleaner[C*].txt Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to the list of scans completed...


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security software alerts on this scan, either accept the alert or turn off your security software to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress....
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns....

Thank you,

Kevin....

fixlist.txt


Okay I've finished all of the steps, going to now attach all the log files before restarting and checking to see if I still get a black screen on startup.

Here is the Sophos Log:

2017-01-28 13:30:48.003    Sophos Virus Removal Tool version 2.5.6
2017-01-28 13:30:48.003    Copyright (c) 2009-2016 Sophos Limited. All rights reserved.

2017-01-28 13:30:48.003    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2017-01-28 13:30:48.003    Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x300 PT=0x1 WOW64
2017-01-28 13:30:48.006    Checking for updates...
2017-01-28 13:30:50.303    Update progress: proxy server not available
2017-01-28 13:30:53.973    Option all = no
2017-01-28 13:30:53.973    Option recurse = yes
2017-01-28 13:30:53.973    Option archive = no
2017-01-28 13:30:53.973    Option service = yes
2017-01-28 13:30:53.973    Option confirm = yes
2017-01-28 13:30:53.973    Option sxl = yes
2017-01-28 13:30:53.973    Option max-data-age = 35
2017-01-28 13:30:53.973    Option vdl-logging = yes
2017-01-28 13:30:53.976    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-01-28 13:30:53.976    Machine ID:    0394deeb5ee6467fad1fc3026435e611
2017-01-28 13:30:53.982    Component SVRTcli.exe version 2.5.6
2017-01-28 13:30:53.982    Component control.dll version 2.5.6
2017-01-28 13:30:53.982    Component SVRTservice.exe version 2.5.6
2017-01-28 13:30:53.982    Component engine\osdp.dll version 1.44.1.2270
2017-01-28 13:30:53.983    Component engine\veex.dll version 3.67.0.2270
2017-01-28 13:30:53.983    Component engine\savi.dll version 9.0.5.2270
2017-01-28 13:30:53.983    Component rkdisk.dll version 1.5.31.1
2017-01-28 13:30:53.983    Version info:    Product version    2.5.6
2017-01-28 13:30:53.983    Version info:    Detection engine    3.67.0
2017-01-28 13:30:53.983    Version info:    Detection data    5.32
2017-01-28 13:30:53.983    Version info:    Build date    04/10/2016
2017-01-28 13:30:53.983    Version info:    Data files added    722
2017-01-28 13:30:53.983    Version info:    Last successful update    (not yet updated)
2017-01-28 13:30:58.028    Downloading updates...
2017-01-28 13:30:58.029    Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2017-01-28 13:30:58.029    Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-01-28 13:30:58.029    Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-01-28 13:30:58.029    Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2017-01-28 13:30:58.029    Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2017-01-28 13:30:58.029    Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2017-01-28 13:30:58.029    Update progress: [I49502] sdds.data0910.xml: found supplement IDE536 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2017-01-28 13:30:58.029    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE536 LATEST path=
2017-01-28 13:30:58.029    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE536 LATEST path=
2017-01-28 13:30:58.029    Update progress: [I49502] sdds.data0910.xml: found supplement IDE537 LATEST path= baseVersion= [included from product IDE536 LATEST path=]
2017-01-28 13:30:58.029    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE537 LATEST path=
2017-01-28 13:30:58.029    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE537 LATEST path=
2017-01-28 13:30:58.029    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2017-01-28 13:30:58.080    Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2017-01-28 13:30:58.080    Update progress: [I19463] Product download size 156130248 bytes
2017-01-28 13:31:04.909    Update progress: [I19463] Syncing product IDE536 LATEST path=
2017-01-28 13:31:04.909    Update progress: [I19463] Product download size 3527452 bytes
2017-01-28 13:31:05.150    Update progress: [I19463] Syncing product IDE537 LATEST path=
2017-01-28 13:31:05.150    Update progress: [I19463] Product download size 1431537 bytes
2017-01-28 13:31:05.263    Installing updates...
2017-01-28 13:31:05.866    Error level 1
2017-01-28 13:31:07.067    Update successful
2017-01-28 13:31:11.630    Option all = no
2017-01-28 13:31:11.631    Option recurse = yes
2017-01-28 13:31:11.631    Option archive = no
2017-01-28 13:31:11.631    Option service = yes
2017-01-28 13:31:11.631    Option confirm = yes
2017-01-28 13:31:11.631    Option sxl = yes
2017-01-28 13:31:11.631    Option max-data-age = 35
2017-01-28 13:31:11.631    Option vdl-logging = yes
2017-01-28 13:31:11.633    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2017-01-28 13:31:11.633    Machine ID:    0394deeb5ee6467fad1fc3026435e611
2017-01-28 13:31:11.636    Component SVRTcli.exe version 2.5.6
2017-01-28 13:31:11.636    Component control.dll version 2.5.6
2017-01-28 13:31:11.636    Component SVRTservice.exe version 2.5.6
2017-01-28 13:31:11.636    Component engine\osdp.dll version 1.44.1.2280
2017-01-28 13:31:11.636    Component engine\veex.dll version 3.68.0.2280
2017-01-28 13:31:11.636    Component engine\savi.dll version 9.0.7.2280
2017-01-28 13:31:11.636    Component rkdisk.dll version 1.5.31.1
2017-01-28 13:31:11.636    Version info:    Product version    2.5.6
2017-01-28 13:31:11.637    Version info:    Detection engine    3.68.0
2017-01-28 13:31:11.637    Version info:    Detection data    5.35
2017-01-28 13:31:11.637    Version info:    Build date    10/01/2017
2017-01-28 13:31:11.637    Version info:    Data files added    300
2017-01-28 13:31:11.637    Version info:    Last successful update    28/01/2017 13:31:07

2017-01-28 13:31:33.764    Warning: rootkit scan failed to open volume "\\?\Volume{7b9fdd7b-2d87-11e0-b7df-90fba62eaf4f}" (5)
2017-01-28 15:10:57.970    >>> Virus 'Mal/Generic-S' found in file C:\$Recycle.Bin\S-1-5-21-1746493775-819686441-3300315000-1000\$RHU2GCJ.exe
2017-01-28 15:10:57.970    >>> Virus 'Mal/Generic-S' found in file C:\$Recycle.Bin\S-1-5-21-1746493775-819686441-3300315000-1000\$RHU2GCJ.exe
2017-01-28 15:10:57.970    >>> Virus 'Mal/Generic-S' found in file C:\$Recycle.Bin\S-1-5-21-1746493775-819686441-3300315000-1000\$RHU2GCJ.exe
2017-01-28 15:10:57.970    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:10:57.970    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:11:47.953    >>> Virus 'Mal/Generic-S' found in file C:\FRST\Quarantine\C\Program Files (x86)\ScreenShared\uninstaller.exe
2017-01-28 15:11:47.953    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:11:47.953    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:11:50.340    >>> Virus 'Mal/Generic-S' found in file C:\FRST\Quarantine\C\Program Files (x86)\Wuposmujopy\drhcnf.dll
2017-01-28 15:11:50.340    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:11:50.340    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:11:57.079    >>> Virus 'Mal/Generic-S' found in file C:\FRST\Quarantine\C\Users\monkeymii\AppData\Local\Ogics\gtgh7.exe
2017-01-28 15:11:57.079    >>> Virus 'Mal/Generic-S' found in file C:\FRST\Quarantine\C\Users\monkeymii\AppData\Local\Ogics\gtgh7.exe
2017-01-28 15:11:57.079    >>> Virus 'Mal/Generic-S' found in file C:\FRST\Quarantine\C\Users\monkeymii\AppData\Local\Ogics\gtgh7.exe
2017-01-28 15:11:57.079    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:11:57.079    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:11:58.998    Could not open C:\hiberfil.sys
2017-01-28 15:12:12.882    Could not open C:\pagefile.sys
2017-01-28 15:18:04.678    >>> Virus 'Mal/VMProtBad-A' found in file C:\Program Files (x86)\Square Enix\Sleeping Dogs\buddha.dll
2017-01-28 15:18:04.678    >>> Virus 'Mal/VMProtBad-A' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:18:04.678    >>> Virus 'Mal/VMProtBad-A' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:23:14.307    Could not open C:\System Volume Information\{185f59a2-e55d-11e6-a381-b27a9b23d12d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-28 15:23:14.307    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-28 15:23:14.307    Could not open C:\System Volume Information\{f9af837b-e4c8-11e6-9898-df24315ce86e}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-28 15:23:14.307    Could not open C:\System Volume Information\{f9af83ea-e4c8-11e6-9898-df24315ce86e}{3808876b-c176-4e48-b7ae-04046e6cc752}
2017-01-28 15:25:08.265    Password protected file C:\Users\monkeymii\Documents\Restaraunttest.xls
2017-01-28 15:27:22.379    Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2017-01-28 15:27:22.379    Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2017-01-28 15:27:22.956    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2017-01-28 15:27:22.956    Could not open C:\Windows\System32\config\RegBack\SAM
2017-01-28 15:27:22.956    Could not open C:\Windows\System32\config\RegBack\SECURITY
2017-01-28 15:27:22.956    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2017-01-28 15:27:22.956    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2017-01-28 15:37:17.993    >>> Virus 'Mal/VMProtBad-A' found in file D:\Games\rimworld\RimWorldAlpha15cWin\RimWorldWin_Data\Plugins\steam_api.dll
2017-01-28 15:37:17.993    >>> Virus 'Mal/VMProtBad-A' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:37:17.993    >>> Virus 'Mal/VMProtBad-A' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:37:20.333    >>> Virus 'Mal/VMProtBad-A' found in file D:\Games\rimworld\RimWorldAlpha15cWin\steam_api.dll
2017-01-28 15:37:20.333    >>> Virus 'Mal/VMProtBad-A' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:37:20.333    >>> Virus 'Mal/VMProtBad-A' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:38:39.799    >>> Virus 'Mal/Generic-S' found in file D:\Games\Stronghold crusader 2\Stronghold Crusader 2\bin\win32_release\Crusader2.exe
2017-01-28 15:38:39.799    >>> Virus 'Mal/Generic-S' found in file D:\Games\Stronghold crusader 2\Stronghold Crusader 2\bin\win32_release\Crusader2.exe
2017-01-28 15:38:39.799    >>> Virus 'Mal/Generic-S' found in file D:\Games\Stronghold crusader 2\Stronghold Crusader 2\bin\win32_release\Crusader2.exe
2017-01-28 15:38:39.799    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:38:39.799    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:42:43.987    >>> Virus 'Mal/Generic-S' found in file F:\Program Files\Windows Multimedia Platform\Services and Controller app.exe
2017-01-28 15:42:43.987    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:42:43.987    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:42:46.280    >>> Virus 'Mal/Generic-S' found in file F:\Program Files\Windows Multimedia Platform\System.exe
2017-01-28 15:42:46.280    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:42:46.280    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:59:44.525    >>> Virus 'Mal/VMProtBad-A' found in file F:\Program Files (x86)\Square Enix\Sleeping Dogs\buddha.dll
2017-01-28 15:59:44.525    >>> Virus 'Mal/VMProtBad-A' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:59:44.525    >>> Virus 'Mal/VMProtBad-A' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 17:11:37.684    >>> Virus 'Mal/HiBrowLnk-A' found in file F:\Users\monkeymii\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
2017-01-28 17:12:10.179    >>> Virus 'Mal/HiBrowLnk-A' found in file F:\Users\monkeymii\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-01-28 17:19:06.154    >>> Virus 'Mal/Generic-S' found in file F:\Users\monkeymii\Desktop\desktop\Dwarf fortress lazy newb\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfunreveal.exe
2017-01-28 17:19:06.154    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 17:19:06.154    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 17:25:18.574    Password protected file F:\Users\monkeymii\Documents\Restaraunttest.xls
2017-01-28 17:25:44.813    >>> Virus 'Mal/Generic-L' found in file F:\Users\monkeymii\Downloads\CyberGate v1.07.5\CyberGate v1.07.5.exe
2017-01-28 17:25:44.813    >>> Virus 'Mal/Generic-L' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 17:25:44.813    >>> Virus 'Mal/Generic-L' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 18:19:56.919    Could not open LOGICAL:000A:00000000
2017-01-28 18:19:56.919    Could not open K:\
2017-01-28 18:19:56.919    Could not open LOGICAL:0010:00000000
2017-01-28 18:19:56.919    Could not open Q:\
2017-01-28 18:19:57.044    The following items will be cleaned up:
2017-01-28 18:19:57.044    Mal/Generic-S
2017-01-28 18:19:57.044    Mal/VMProtBad-A
2017-01-28 18:19:57.044    Mal/Generic-L
2017-01-28 18:19:57.044    Mal/HiBrowLnk-A
2017-01-28 18:19:57.044    Mal/HiBrowLnk-A
2017-01-28 18:24:48.141    Threat 'Mal/Generic-S' has been cleaned up.
2017-01-28 18:24:48.141    File "C:\$Recycle.Bin\S-1-5-21-1746493775-819686441-3300315000-1000\$RHU2GCJ.exe" belongs to malware 'Mal/Generic-S'.
2017-01-28 18:24:48.141    File "C:\$Recycle.Bin\S-1-5-21-1746493775-819686441-3300315000-1000\$RHU2GCJ.exe" has been cleaned up.
2017-01-28 18:24:48.141    File "C:\FRST\Quarantine\C\Program Files (x86)\ScreenShared\uninstaller.exe" belongs to malware 'Mal/Generic-S'.
2017-01-28 18:24:48.141    File "C:\FRST\Quarantine\C\Program Files (x86)\ScreenShared\uninstaller.exe" has been cleaned up.
2017-01-28 18:24:48.141    File "C:\FRST\Quarantine\C\Program Files (x86)\Wuposmujopy\drhcnf.dll" belongs to malware 'Mal/Generic-S'.
2017-01-28 18:24:48.141    File "C:\FRST\Quarantine\C\Program Files (x86)\Wuposmujopy\drhcnf.dll" has been cleaned up.
2017-01-28 18:24:48.141    File "C:\FRST\Quarantine\C\Users\monkeymii\AppData\Local\Ogics\gtgh7.exe" belongs to malware 'Mal/Generic-S'.
2017-01-28 18:24:48.141    File "C:\FRST\Quarantine\C\Users\monkeymii\AppData\Local\Ogics\gtgh7.exe" has been cleaned up.
2017-01-28 18:24:48.141    File "D:\Games\Stronghold crusader 2\Stronghold Crusader 2\bin\win32_release\Crusader2.exe" belongs to malware 'Mal/Generic-S'.
2017-01-28 18:24:48.141    File "D:\Games\Stronghold crusader 2\Stronghold Crusader 2\bin\win32_release\Crusader2.exe" has been cleaned up.
2017-01-28 18:24:48.141    File "F:\Program Files\Windows Multimedia Platform\Services and Controller app.exe" belongs to malware 'Mal/Generic-S'.
2017-01-28 18:24:48.141    File "F:\Program Files\Windows Multimedia Platform\Services and Controller app.exe" has been cleaned up.
2017-01-28 18:24:48.141    File "F:\Program Files\Windows Multimedia Platform\System.exe" belongs to malware 'Mal/Generic-S'.
2017-01-28 18:24:48.141    File "F:\Program Files\Windows Multimedia Platform\System.exe" has been cleaned up.
2017-01-28 18:24:48.141    File "F:\Users\monkeymii\Desktop\desktop\Dwarf fortress lazy newb\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfunreveal.exe" belongs to malware 'Mal/Generic-S'.
2017-01-28 18:24:48.141    File "F:\Users\monkeymii\Desktop\desktop\Dwarf fortress lazy newb\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfunreveal.exe" has been cleaned up.
2017-01-28 18:24:48.141    Removal successful
2017-01-28 18:24:55.988    Threat 'Mal/VMProtBad-A' has been cleaned up.
2017-01-28 18:24:55.988    File "C:\Program Files (x86)\Square Enix\Sleeping Dogs\buddha.dll" belongs to malware 'Mal/VMProtBad-A'.
2017-01-28 18:24:55.988    File "C:\Program Files (x86)\Square Enix\Sleeping Dogs\buddha.dll" has been cleaned up.
2017-01-28 18:24:55.988    File "D:\Games\rimworld\RimWorldAlpha15cWin\RimWorldWin_Data\Plugins\steam_api.dll" belongs to malware 'Mal/VMProtBad-A'.
2017-01-28 18:24:55.988    File "D:\Games\rimworld\RimWorldAlpha15cWin\RimWorldWin_Data\Plugins\steam_api.dll" has been cleaned up.
2017-01-28 18:24:55.988    File "D:\Games\rimworld\RimWorldAlpha15cWin\steam_api.dll" belongs to malware 'Mal/VMProtBad-A'.
2017-01-28 18:24:55.988    File "D:\Games\rimworld\RimWorldAlpha15cWin\steam_api.dll" has been cleaned up.
2017-01-28 18:24:55.988    File "F:\Program Files (x86)\Square Enix\Sleeping Dogs\buddha.dll" belongs to malware 'Mal/VMProtBad-A'.
2017-01-28 18:24:55.988    File "F:\Program Files (x86)\Square Enix\Sleeping Dogs\buddha.dll" has been cleaned up.
2017-01-28 18:24:55.988    Removal successful
2017-01-28 18:24:58.281    Threat 'Mal/Generic-L' has been cleaned up.
2017-01-28 18:24:58.281    File "F:\Users\monkeymii\Downloads\CyberGate v1.07.5\CyberGate v1.07.5.exe" belongs to malware 'Mal/Generic-L'.
2017-01-28 18:24:58.281    File "F:\Users\monkeymii\Downloads\CyberGate v1.07.5\CyberGate v1.07.5.exe" has been cleaned up.
2017-01-28 18:24:58.281    Removal successful
2017-01-28 18:24:58.406    >>> Virus 'Mal/HiBrowLnk-A' found in file F:\Users\monkeymii\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
2017-01-28 18:24:58.406    Disinfection successful
2017-01-28 18:24:58.499    >>> Virus 'Mal/HiBrowLnk-A' found in file F:\Users\monkeymii\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-01-28 18:24:58.515    Disinfection successful
2017-01-28 18:24:58.983    Error level 0

2017-01-28 18:25:20.448    Scan completed.
2017-01-28 18:25:20.448    

------------------------------------------------------------
 

MalbamLog.txt

AdwCleaner[C0].txt

Fixlog.txt

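As an added example (not part of the thread, and not Sophos's own tooling), here is a PowerShell triage of SVRT log lines in the format posted above. The `$sample` here-string is constructed from a subset of the lines in the log; the category names are my own. It assumes PowerShell 3.0 or later (Windows 7 ships 2.0 by default).

```powershell
# Added example, not from the thread: triage a Sophos Virus Removal Tool (SVRT) log.
# $sample is constructed from a subset of the log lines posted above.
# Assumes PowerShell 3.0+ (for [pscustomobject]); Windows 7 ships 2.0 by default.
$sample = @'
2017-01-28 15:10:57.970    >>> Virus 'Mal/Generic-S' found in file C:\$Recycle.Bin\S-1-5-21-1746493775-819686441-3300315000-1000\$RHU2GCJ.exe
2017-01-28 15:10:57.970    >>> Virus 'Mal/Generic-S' found in file C:\$Recycle.Bin\S-1-5-21-1746493775-819686441-3300315000-1000\$RHU2GCJ.exe
2017-01-28 15:10:57.970    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:11:47.953    >>> Virus 'Mal/Generic-S' found in file C:\FRST\Quarantine\C\Program Files (x86)\ScreenShared\uninstaller.exe
2017-01-28 15:11:47.953    >>> Virus 'Mal/Generic-S' found in file HKU\S-1-5-21-1746493775-819686441-3300315000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
2017-01-28 15:11:58.998    Could not open C:\hiberfil.sys
2017-01-28 15:18:04.678    >>> Virus 'Mal/VMProtBad-A' found in file C:\Program Files (x86)\Square Enix\Sleeping Dogs\buddha.dll
2017-01-28 15:42:46.280    >>> Virus 'Mal/Generic-S' found in file F:\Program Files\Windows Multimedia Platform\System.exe
2017-01-28 17:11:37.684    >>> Virus 'Mal/HiBrowLnk-A' found in file F:\Users\monkeymii\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
2017-01-28 17:25:44.813    >>> Virus 'Mal/Generic-L' found in file F:\Users\monkeymii\Downloads\CyberGate v1.07.5\CyberGate v1.07.5.exe
'@

function Get-SvrtDetection {
    # Parse ">>> Virus '<name>' found in file <target>" lines into objects;
    # everything else in the log (version info, "Could not open", ...) is skipped.
    param([Parameter(Mandatory)][string[]]$Lines)

    $pattern = '^(?<ts>\S+ \S+)\s+>>> Virus ''(?<threat>[^'']+)'' found in file (?<target>.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $target = $Matches['target'].Trim()

            # Where the hit lives decides how much it matters (category names are mine):
            #   registry            - a value the scanner reports alongside each file hit
            #   already-quarantined - inside FRST's quarantine folder, already neutralised
            #   recycle-bin         - deleted by the user but the bin not yet emptied
            #   shortcut            - a .lnk whose target or arguments were tampered with
            #   live-file           - an executable still in place and loadable
            $kind = if     ($target -match '^HK(LM|U|CU|CR)\\')    { 'registry' }
                    elseif ($target -match '\\FRST\\Quarantine\\') { 'already-quarantined' }
                    elseif ($target -match '\\\$Recycle\.Bin\\')   { 'recycle-bin' }
                    elseif ($target -match '\.lnk$')               { 'shortcut' }
                    else                                           { 'live-file' }

            [pscustomobject]@{
                Time   = $Matches['ts']
                Threat = $Matches['threat']
                Kind   = $kind
                Target = $target
            }
        }
    }
}

# SVRT repeats the same line once per detection pass, so deduplicate on threat + target.
$hits = Get-SvrtDetection -Lines ($sample -split "`r?`n") |
        Sort-Object Threat, Target -Unique

# What a helper wants to see first: live files, then shortcuts, then the rest.
$order = @{ 'live-file' = 0; 'shortcut' = 1; 'recycle-bin' = 2; 'already-quarantined' = 3; 'registry' = 4 }
$hits | Sort-Object { $order[$_.Kind] }, Target |
        Format-Table Kind, Threat, Target -AutoSize

# Counts per category, so a raw "N threats" figure can be read in context.
$hits | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
```

Run it as a script or paste it into a PowerShell console; to triage a real log, replace `$sample` with `Get-Content` of the SVRT log file. The deduplication matters because, as in the log above, the same registry value is reported next to every file detection, which inflates the apparent count.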

Okay I just restarted the system and I am still getting the black screen on login and having to manually close and restart explorer.exe.

Did the virus I have perhaps change some sort of setting to make this happen? As it seems to be some side effect of what it was trying to do? (Make the system useless other than to view ads)


Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or to the folder you saved FRST into. Do not open that file.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

 

fixlist.txt


Hmm, the Shell and Userinit registry values are correct. Continue and run the following:

Click on Start > All Programs > Accessories:

Right-click on the Command Prompt entry

Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

CHKDSK C: /R

hit the Enter key.

You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot - hit the Y key, press Enter, and then reboot.

The CHKDSK may take a few hours depending on the size of the drive, so be patient!

After the CHKDSK has run use the following instructions to find the log:

Check Disk report:
 
  • Press the WindowsKey + R on your keyboard at the same time. Type eventvwr into the run box and click OK.
  • In the left panel, expand Windows Logs and then click on Application.
  • Now, on the right side, click on Filter Current Log.
  • Under Event Sources, check only Wininit and click OK.
  • You may be presented with one or multiple Wininit logs.
  • Click on an entry corresponding to the date and time of the disk check.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.


Next,

Now run SFC.

SFC -System File Checker - Instructions

Click on Start > All Programs > Accessories

Right-click on the Command Prompt entry

Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

SFC /SCANNOW

hit the Enter key

Wait for the scan to finish - make a note of any error messages - and then reboot.


Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload the zip file to your reply.

 

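An added example (not Kevin's instructions or Microsoft's tooling): the same Winlogon check and log collection from an elevated PowerShell prompt, instead of clicking through Event Viewer. The Winlogon values it compares against (`explorer.exe` and `C:\Windows\system32\userinit.exe,` with the trailing comma) are the stock Windows defaults; the `[SR]` tag and the completion strings it looks for in CBS.log are what System File Checker writes there. It assumes PowerShell 3.0 or later and that CHKDSK and SFC have already been run and the machine rebooted; the output file names are my own.

```powershell
# Added example, not from the thread: verify the Winlogon values mentioned above and
# collect the CHKDSK and SFC artifacts without clicking through Event Viewer.
# Run from an elevated PowerShell prompt after CHKDSK and SFC have completed and
# the machine has rebooted. Assumes PowerShell 3.0+ (Windows 7 ships 2.0 by default).

$outDir = Join-Path $env:USERPROFILE 'Desktop'

# 1. The two values that decide what runs at logon. A black desktop with no
#    explorer.exe is the classic symptom of either being tampered with.
#    Stock Windows values: Shell = explorer.exe, Userinit = <windir>\system32\userinit.exe,
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Shell = 'explorer.exe'; Userinit = "$env:windir\system32\userinit.exe," }
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $wl -Name $name).$name
    $status = if ($actual -ieq $expected[$name]) { 'OK' } else { 'CHECK' }
    Write-Host ("{0,-9} {1}  [{2}]" -f $name, $actual, $status)
}
# A per-user Shell override normally does not exist at all; its presence is suspicious.
$userShell = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -ErrorAction SilentlyContinue
if ($userShell) { Write-Warning "Per-user Shell override present: $($userShell.Shell)" }

# 2. CHKDSK results: Wininit writes them to the Application log as event ID 1001.
$chkdsk = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 1001
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($chkdsk) {
    $chkdsk.Message | Set-Content (Join-Path $outDir 'chkdsk-wininit.txt')
    $verdict = if ($chkdsk.Message -match 'Windows has made corrections to the file system') { 'corrections made' }
               elseif ($chkdsk.Message -match 'found no problems') { 'no problems found' }
               else { 'see full text' }
    Write-Host "CHKDSK on $($chkdsk.TimeCreated): $verdict"
} else {
    Write-Warning 'No Wininit 1001 event found; the scheduled CHKDSK may not have run yet.'
}

# 3. SFC results. CBS.log is held open by the servicing stack, so work on a copy,
#    then pull only the System File Checker lines, which are tagged [SR].
$cbsCopy = Join-Path $outDir 'CBS.log'
Copy-Item (Join-Path $env:windir 'Logs\CBS\CBS.log') $cbsCopy -Force
$sr = @(Select-String -Path $cbsCopy -Pattern '\[SR\]' | ForEach-Object { $_.Line })
$sr | Set-Content (Join-Path $outDir 'sfcdetails.txt')

$unrepaired = @($sr | Where-Object { $_ -match 'Cannot repair member file' }).Count
$completed  = $sr | Where-Object { $_ -match 'Verify and Repair Transaction completed' } | Select-Object -Last 1
Write-Host "SFC: $($sr.Count) [SR] lines, $unrepaired unrepairable; $completed"

# 4. Zip the copy for upload (Compress-Archive needs PowerShell 5.0+; skipped otherwise).
if (Get-Command Compress-Archive -ErrorAction SilentlyContinue) {
    Compress-Archive -Path $cbsCopy -DestinationPath (Join-Path $outDir 'CBS.zip') -Force
}
```

The three files land on the Desktop: `chkdsk-wininit.txt` is the same text Event Viewer shows under Wininit event 1001, and `sfcdetails.txt` is the subset of CBS.log a helper actually reads, so it can be posted even when the full log is too large to attach.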

Here is the CHKDSK log, will post the next part when it's done:

 

 

 

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          28/01/2017 23:20:07
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      monkeymii-PC
Description:


Checking file system on C:
The type of the file system is NTFS.
Volume label is Main Drive.

A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 5)...
  1225728 file records processed.                                        
File verification completed.
  3596 large file records processed.                                  
  0 bad file records processed.                                    
  0 EA records processed.                                          
  79 reparse records processed.                                      
CHKDSK is verifying indexes (stage 2 of 5)...
  1499214 index entries processed.                                        
Index verification completed.
  0 unindexed files scanned.                                        
  0 unindexed files recovered.                                      
CHKDSK is verifying security descriptors (stage 3 of 5)...
  1225728 file SDs/SIDs processed.                                        
Cleaning up 1699 unused index entries from index $SII of file 0x9.
Cleaning up 1699 unused index entries from index $SDH of file 0x9.
Cleaning up 1699 unused security descriptors.
CHKDSK is compacting the security descriptor stream
  136744 data files processed.                                          
CHKDSK is verifying Usn Journal...
  34199792 USN bytes processed.                                            
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  1225712 files processed.                                                
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  17085683 free clusters processed.                                        
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

 482036735 KB total disk space.
 411828136 KB in 759101 files.
    522936 KB in 136747 indexes.
         0 KB in bad sectors.
   1342931 KB in use by the system.
     65536 KB occupied by the log file.
  68342732 KB available on disk.

      4096 bytes in each allocation unit.
 120509183 total allocation units on disk.
  17085683 allocation units available on disk.

Internal Info:
00 b4 12 00 65 ab 0d 00 49 7e 18 00 00 00 00 00  ....e...I~......
33 0a 00 00 4f 00 00 00 00 00 00 00 00 00 00 00  3...O...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-28T23:20:07.000000000Z" />
    <EventRecordID>403763</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>monkeymii-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Checking file system on C:
The type of the file system is NTFS.
Volume label is Main Drive.

A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 5)...
  1225728 file records processed.                                        
File verification completed.
  3596 large file records processed.                                  
  0 bad file records processed.                                    
  0 EA records processed.                                          
  79 reparse records processed.                                      
CHKDSK is verifying indexes (stage 2 of 5)...
  1499214 index entries processed.                                        
Index verification completed.
  0 unindexed files scanned.                                        
  0 unindexed files recovered.                                      
CHKDSK is verifying security descriptors (stage 3 of 5)...
  1225728 file SDs/SIDs processed.                                        
Cleaning up 1699 unused index entries from index $SII of file 0x9.
Cleaning up 1699 unused index entries from index $SDH of file 0x9.
Cleaning up 1699 unused security descriptors.
CHKDSK is compacting the security descriptor stream
  136744 data files processed.                                          
CHKDSK is verifying Usn Journal...
  34199792 USN bytes processed.                                            
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  1225712 files processed.                                                
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  17085683 free clusters processed.                                        
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

 482036735 KB total disk space.
 411828136 KB in 759101 files.
    522936 KB in 136747 indexes.
         0 KB in bad sectors.
   1342931 KB in use by the system.
     65536 KB occupied by the log file.
  68342732 KB available on disk.

      4096 bytes in each allocation unit.
 120509183 total allocation units on disk.
  17085683 allocation units available on disk.

Internal Info:
00 b4 12 00 65 ab 0d 00 49 7e 18 00 00 00 00 00  ....e...I~......
33 0a 00 00 4f 00 00 00 00 00 00 00 00 00 00 00  3...O...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
  </EventData>
</Event>


I just remembered something I did in the beginning last week that may be relevant. When I tried to change the startup programs, I put it in diagnostic startup from msconfig to run Malwarebytes scans. This messed up all my services even when I changed it back to normal startup, and the standard services weren't even in the checklist for me to choose from, so I had no sound running, network capabilities etc.

I panicked a bit and searched about and found that going into services.msc you can manually re-enable them. I didn't know which ones were supposed to be on and was getting frustrated with some working while others required others to be active, so I spent a long time just going down the list and telling them all to come on at startup, and could not find anywhere that would simply just restore it to its default properties. So essentially I just messed with services.msc to start 90% of the things in the list. This made my sound and network work again, which I was glad about.

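The post above describes forcing most services in services.msc to start automatically because there was no obvious way to get back to the defaults. The following PowerShell script is an added example, not code from the poster or from Malwarebytes: it snapshots every service's start mode and binary path with the built-in `Get-CimInstance` cmdlet, and, if a snapshot taken on a clean machine running the same Windows build is available, lists the services whose start mode differs or which exist only on the affected PC. The CSV file names and the idea of a "clean reference PC" are assumptions for illustration.

```powershell
# Added example (not from the original post). Snapshot service start modes on this PC
# and compare them with a snapshot exported from a known-good machine of the same build.
# Assumed file locations; change them to suit.
param(
    [string]$SnapshotPath  = "$env:USERPROFILE\Desktop\services-this-pc.csv",
    [string]$ReferencePath = "$env:USERPROFILE\Desktop\services-clean-pc.csv"
)

# Step 1: export. Run this on both machines; on the clean one, save the result as $ReferencePath.
Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, StartMode, State, PathName |
    Sort-Object Name |
    Export-Csv -Path $SnapshotPath -NoTypeInformation
Write-Host "Service snapshot written to $SnapshotPath"

# Step 2: compare, only once the reference export from the clean machine is present.
if (Test-Path $ReferencePath) {
    $here  = Import-Csv -Path $SnapshotPath
    $clean = Import-Csv -Path $ReferencePath

    # Services whose start mode on this PC does not match the clean machine
    # (for example everything that was switched to Auto by hand).
    Write-Host "`nStart mode differs from the clean machine:"
    Compare-Object -ReferenceObject $clean -DifferenceObject $here -Property Name, StartMode -PassThru |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Name, StartMode, PathName |
        Format-Table -AutoSize

    # Services that exist here but not on the clean machine deserve a closer look,
    # since a fresh-looking service entry is one place leftovers of an infection show up.
    Write-Host "`nServices present only on this PC:"
    Compare-Object -ReferenceObject $clean.Name -DifferenceObject $here.Name |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { $_.InputObject }
}

# Step 3 (independent of the reference file): services whose binary lives outside the
# Windows and Program Files directories. Legitimate ones exist, but each is worth checking.
Write-Host "`nServices whose executable is outside Windows and Program Files:"
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.PathName -and
        $_.PathName -notlike "*$env:SystemRoot*" -and
        $_.PathName -notlike "*${env:ProgramFiles}*" -and
        $_.PathName -notlike "*${env:ProgramFiles(x86)}*"
    } |
    Select-Object Name, StartMode, State, PathName |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so that every service's path is readable. Once a mismatched entry has been identified, `Set-Service -Name <service> -StartupType <Automatic|Manual|Disabled>` puts that one service back to the value the clean machine shows, which is far less error-prone than walking the whole services.msc list by hand. The third section is a triage aid only: an unusual path is a reason to look at the file, not proof that it is malicious.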
