
Got a virus that is preventing malwarebytes from starting.



Hi PileOfDough :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;


This being said, it's time to clean up some malware, so let's get started, shall we? :)

Please give me a few hours to review your log and get back to you with a reply.

Thank you for waiting.

Your Malwarebytes Anti-Exploit installation is damaged, so you'll have to uninstall and reinstall it.

Do you know these files/entries? Basically there's a file called "PileOfDough Monitor.exe" being called as a task.

Task: {796FC1FD-9775-48B1-A07D-5E0ED8DB3E73} - System32\Tasks\PileOfDough Monitor => C:\Program Files (x86)\PileOfDough Monitor\PileOfDough Monitor.exe 

Next we'll start by running a simple FRST fix and see where it leads us.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

After running the FRST fix, a .zip file with today's date as name will be located on your desktop. Upload it to the link below.

https://www.bleepingcomputer.com/submit-malware.php?channel=194

Your next reply(ies) should include:

  • Answer to my question about the files/entries listed above;
  • Copy/pasted content of FRST's fixlog.txt;
  • Confirmation that you uploaded the mentioned .zip file to the link provided above;

fixlist.txt


Hello and thank you for the swift reply. I do recognize PileOfDough Monitor.exe. That is a remote administration tool I used to have installed on my system to access it when I wasn't home. I thought I had fully uninstalled it but I guess not.

Due to a family emergency I have to leave town today and will be coming back tomorrow evening. I will be able to take care of the last two tasks at that time.

Hope that helps for now. Sorry about the bad timing.

On 3/3/2017 at 5:58 PM, Aura said:

So I imagine you're aware of this entry and file as well?


HKLM-x32\...\Winlogon: [Userinit] userinit.exe,"C:\WINDOWS\system32\PileOfDough Backup.exe"
C:\WINDOWS\system32\PileOfDough Backup.exe

Yes I am aware of it. Like I said I thought it had been removed but apparently not.

I have attached the Fixlog.txt file, and have uploaded the zip file to the link you gave me.

As far as Malwarebytes Anti-Exploit goes, I tried to uninstall it and it told me it was already uninstalled.

So I installed Malwarebytes 3.0. It installed successfully and is opening. Should I run a full scan?

Fixlog.txt

Did you quarantine all the detections from Malwarebytes? Also, it looks like you are infected with a backdoor trojan, so you should consider that system compromised.

Backdoor.LuminosityLink, C:\USERS\SPART\DESKTOP\LUMINOSITY\LUMINOSITY.EXE, No Action By User, [206], [95360],1.0.1432


Luminosity.exe is the GUI for Luminosity Link, a program that creates backdoors that I use to monitor my other systems. I paid for this program from a developer I trust and I only use it for its legal intended purpose on my own systems. Most antivirus software considers it a backdoor and picks it up immediately so that someone cannot buy it and easily use it on someone else's system without them knowing. The creator of the program made it this way on purpose. For this, I normally have that program added as an exception on my antivirus but I forgot to do so with my fresh install of Malwarebytes 3.0. I have had this program for a long time, and thoroughly examined what it does. I am sure it is not what has caused Windows Defender to be disabled. I did quarantine everything else in the scan results.

https://gyazo.com/277dfa5b79ef98b313d6301be0af27a3

That is a screenshot of the popup I get when I try to run Windows Defender. Even after changing the setting in Malwarebytes.

Edit: I don't have any way to edit Group Policy settings as this is a home version of Windows, so that is what leads me to believe the registry has been changed.

Edited by PileOfDough

Alright let's see what needs to be fixed for Windows Defender then.

Farbar Service Scanner (FSS)
Follow the instructions below to run Farbar Service Scanner and provide a log.

  • Download Farbar Service Scanner and move the executable to your Desktop;
  • Right-click on FSS.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check every option:
    • Internet Services;
    • Windows Firewall;
    • System Restore;
    • Security Center/Action Center;
    • Windows Update;
    • Windows Defender;
    • Other Services;

  • Once done, click on the Scan button to launch a scan;
  • On completion, a Notepad file called FSS.txt (saved where FSS.exe was run) will open. Copy and paste the content of this file in your next reply and post it;

I ran the scan, the results are attached.

However, upon just skimming through the text file, I can see that the scan found the "DisableAntiSpyware"=DWORD:1 key that was preventing Windows Defender from starting.
I'm familiar with this registry value from some studying I've done on how malware works, I don't know why I didn't think to check it. I guess I just had a dumb moment, but if I were smart I wouldn't be needing your help here in the first place, lol.

FSS.txt


I deleted it and Windows Defender starts now, but when I try to change any settings all of the switches are grayed out and at the top, it says, "Some settings are managed by your organization."
https://gyazo.com/0ed78c07ecc32498b8d3f73a125ea927

I think there are some more changes that need to be made in the registry:

https://gyazo.com/d7e96d981ffc01f39385d478614e135a  These look to be exclusions that I didn't set, should I delete them?

https://gyazo.com/257cd173b59082103c8c3e72c168a19c  I don't recognize these either.

There may be more in another location that I'm missing, but these are a start.
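As an added example, not part of this thread and not written by either participant: a read-only PowerShell audit of the registry locations the thread walks through, the Windows Defender policy values that produce "managed by your organization" (including the cloud protection and sample submission ones), policy-pushed exclusions, and the Winlogon Userinit entry from Aura's earlier post. The policy and Winlogon paths are the standard Windows ones; the expected Userinit default is an assumption, and nothing is modified.

```powershell
# Added example (not from the thread): read-only audit of Defender policy tampering
# and Winlogon Userinit persistence. Run from an elevated PowerShell prompt.
function Get-DefenderPolicyFindings {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $findings = @()

    # Policy values that, when present, grey out the Defender switches on a home PC
    $policyChecks = @(
        @{ Key = $policyRoot;                        Name = 'DisableAntiSpyware' }
        @{ Key = $policyRoot;                        Name = 'DisableAntiVirus' }
        @{ Key = "$policyRoot\Real-Time Protection"; Name = 'DisableRealtimeMonitoring' }
        @{ Key = "$policyRoot\Spynet";               Name = 'SpynetReporting' }      # cloud-based protection
        @{ Key = "$policyRoot\Spynet";               Name = 'SubmitSamplesConsent' } # automatic sample submission
    )
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            $findings += ('Policy value set: {0}\{1} = {2}' -f $c.Key, $c.Name, $v.($c.Name))
        }
    }

    # Exclusions pushed through the policy hive; an unmanaged home machine normally has none
    foreach ($sub in 'Paths', 'Extensions', 'Processes') {
        $k = "$policyRoot\Exclusions\$sub"
        if (Test-Path $k) {
            foreach ($name in (Get-Item $k).Property) {
                $findings += "Policy exclusion ($sub): $name"
            }
        }
    }

    # Winlogon Userinit: anything after "userinit.exe," runs at every interactive logon.
    # The expected default below is an assumption; compare it with a known-clean machine.
    $expected = 'C:\Windows\system32\userinit.exe,'
    foreach ($wl in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
        $u = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
        if ($u -and $u -ne $expected) {   # -ne is case-insensitive in PowerShell
            $findings += "Userinit differs from default in ${wl}: $u"
        }
    }
    return $findings
}

$results = Get-DefenderPolicyFindings
if ($results.Count -eq 0) { 'No Defender policy or Userinit findings.' } else { $results }
```

A finding is a lead, not a verdict: values like DisableAntiSpyware are legitimately present on domain-managed machines, so confirm against how the machine is actually administered before removing anything.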

Let's try something.

Windows Repair All-In-One
NOTE: Before following the steps below, please disable your Antivirus software or any other real-time security software that you have enabled.

  • Boot in Safe Mode with Networking;
  • Download the portable version of Windows Repair All-In-One;
  • Move the file (archive) on your Desktop, and extract it there;
  • Go in the tweaking.com_windows_repair_aio folder, then Tweaking.com - Windows Repair folder, right-click on Repair_Windows.exe and select Run as Administrator;
  • From there, click on the Next button until you are presented with an Open Repairs button and click on it;
  • Let the Registry back up complete, and move on to the check-list window;
  • Click on the Unselect All button at the bottom, then check the following items:
    • Remove Policies Set by Infections
  • Once done, click on the Start Repairs button and let the scan execute;
  • If you are being prompted with a Security Warning, allow it to go through;
  • Once the repair is complete, it'll ask you to restart your computer, please do it;


So I started the PC in Safe Mode with Networking. Installed and ran the Windows Repair All-In-One like you said. When I finished it and restarted back to normal I could change some of the settings in Windows Defender and I could run scans as well.

https://gyazo.com/10a931ad5368bdaf027d196194e4be96

But Cloud-Based Protection and Automatic Sample Submission were still greyed out.

So I took it upon myself to look into the registry again and take another look at some of the suspicious values I found:

https://gyazo.com/257cd173b59082103c8c3e72c168a19c

and the fixer had not removed them.

I removed them myself and now have full control of Windows Defender again!

https://gyazo.com/4d7c38e4c67200796aef47351b46177f


I will run a full scan with Windows Defender and update this post with the results.


I looked into it and it was in fact set to Disabled.
https://gyazo.com/febd1878dd628d4888af744c2f3239f6

I changed it to Automatic and it then allowed me to start the service.
https://gyazo.com/e6be2f5908fb232cf8737d8aa624ec5c


I'm not noticing anything else wrong on my end. Are you seeing any other problems with the system from the logs you have?
