
Virus Follows?



I recently caught a virus that does not allow me to boot into normal mode. It will start into my desktop and then go into blue screen every single time. It also somehow uninstalled my Super Anti-Spyware program and Malwarebytes program. So if I go into safe mode, and I try to run these programs I will get an error message indicating that it's already running. It says "The requested resource is in use". I can't seem to run these programs. 

If I don't find an answer, I may have to resort to reformatting my computer. So if I go into Safe Mode and move my files, like Word documents, Excel files, video files and audio files, onto an external hard drive, can the virus follow with the transfer and damage the other files on my external hard drive?


  • Root Admin

It depends on what infection you have, @Irvineboy.

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.


Post your logs back here when ready.

Thanks

 


I ended up using the Malware Rootkit tool and that got rid of the virus; after scanning it a few times, the virus was gone. But today, the virus came back! My computer automatically restarted and, upon loading the desktop, there were a bunch of unwanted applications like Launch System Healer, Video Abductor and KNCTR. Then it started blue screening again and won't let me load Windows in Normal Mode. Again, it won't let me launch Malwarebytes either: "The requested resource is in use". Stubborn virus.

Edited by Irvineboy

  • Root Admin

Please make a new System Restore Point and then run the following.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 


Here are the results of the Fixlog. I still have a few applications that I don't know showing up on my desktop and my Start menu: Launch System Healer and Launch One System Care. They don't show up in "Uninstall a program" for some reason. When I open a browser, I get www-searching.com, which is a virus.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Jason (29-03-2017 21:14:42) Run:3
Running from C:\Users\Jason\Desktop
Loaded Profiles: Jason (Available Profiles: Jason)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
Task: {033D8299-43DA-4642-A0E5-772C2F1E18BF} - System32\Tasks\One System CarePeriod => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe  <==== ATTENTION 
Task: {3EE4AF6F-AB24-41C6-9D74-341D0F95EA1A} - System32\Tasks\One System Care Task => C:\PROGRA~2\ONESYS~1\SYSTEM~1.EXE  <==== ATTENTION 
Task: {59D662DB-18C6-48A4-AB18-363E41960B8B} - System32\Tasks\{7D0B0B47-090F-7A04-0E11-087F0A7A1179} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgACAAOwAgACAAOwAgACAAOwA7ADsAIAAgADsAIAA7ADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4AZwBQAHIA (the data entry has 9964 more characters). <==== ATTENTION 
Task: {CDBE9FA4-A2EE-4FE6-BB0D-A2588AD89A8B} - System32\Tasks\System Healer Task => C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE  <==== ATTENTION 
Task: {D259DB4A-5842-489A-B975-8790C69A5ED3} - System32\Tasks\System HealerPeriod => C:\Program Files (x86)\SystemHealer\SystemHealer.exe  <==== ATTENTION 
Task: {FB2DA1EB-6B73-4959-88B0-E758093EFFAA} - System32\Tasks\System HealerStartUp => C:\Program Files (x86)\SystemHealer\SystemHealer.exe  <==== ATTENTION 
Task: C:\Windows\Tasks\One System CarePeriod.job => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe <==== ATTENTION 
Task: C:\Windows\Tasks\System HealerPeriod.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe <==== ATTENTION 
Task: C:\Windows\Tasks\System HealerStartUp.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe <==== ATTENTION 
HKLM-x32\...\Run: [AnonymizerGadget] => C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe [349704 2017-03-29] (Jetico ltd) <===== ATTENTION 
HKLM-x32\...\Run: [AppTrailers] => C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AppTrailers\AppTrailers.exe [47835928 2017-03-10] () <===== ATTENTION 
HKLM-x32\...\Run: [WikiThemes] => C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\WikiThemes\WikiThemes.exe [47852648 2017-03-10] () <===== ATTENTION 
HKLM-x32\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Windows\TEMP\IXP000.TMP\" <===== ATTENTION 
HKU\S-1-5-18\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe [7342080 2013-06-26] () <===== ATTENTION 
S2 5c94f427ca6a541e75713ba5123bd6b4; C:\Program Files\5c94f427ca6a541e75713ba5123bd6b4\f107708187d152b4ed103032f0a278ba.exe [14661120 2017-03-24] () [File not signed] <==== ATTENTION 
S2 Dataup; C:\Program Files (x86)\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION 
S2 SMUpd; C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe [2989056 2017-03-29] (Search Module Ltd.) [File not signed] <==== ATTENTION 
S2 TheScreenshotProService; C:\Program Files (x86)\ScreenshotPro\1.0.0.6000090\ScreenshotProServ.exe [152688 2017-01-11] () <==== ATTENTION 
S2 windowsmanagementservice; C:\Windows\SysWOW64\config\systemprofile\AppData\Local\azjcrvpw\ct.exe [947200 2017-03-29] () [File not signed] <==== ATTENTION 
R0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [78112 2013-09-28] () [File not signed] <==== ATTENTION 
HKU\S-1-5-18\...\Run: [Spoutly.exe] => C:\Program Files (x86)\Spoutly\SpoutlyLauncher.exe
HKU\S-1-5-18\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe [7342080 2013-06-26] () <===== ATTENTION
HKU\S-1-5-18\...\Run: [1L2OBBN7P3] => C:\Program Files\XH54S4PPV7\IQMRG187L.exe [1065984 2017-03-29] (00P5M6RS)
HKU\S-1-5-18\...\Run: [IT3HV1YGYE] => C:\Program Files\PCX8PI5E2E\PCX8PI5E2.exe [1065984 2017-03-29] (00P5M6RS)
HKU\S-1-5-18\...\Run: [9y7HKMIExV.exe] => C:\Program Files\XH54S4PPV7\Q8VWXWTQ2D1BYWBKH079J8G3DHFZZMSZ9ABQV2L2W\9y7HKMIExV.exe [168448 2017-03-29] (tachba3)
HKU\S-1-5-18\...\Run: [VQVQ7492KB] => C:\Program Files\5VU8BUUF37\9GKARZYLQ.exe [1065984 2017-03-29] (00P5M6RS)
R1 ebcb96f81037be9a3e0ca90a17dbc11c; C:\Windows\system32\drivers\ebcb96f81037be9a3e0ca90a17dbc11c.sys [8501584 2017-03-24] (MPDV6U) <==== ATTENTION 
R1 NetUtils2016; C:\Windows\system32\drivers\NetUtils2016.sys [909944 2017-03-29] () <==== ATTENTION 
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File] 
FF Plugin HKU\S-1-5-21-616515737-2173210804-205294457-1001: @acestream.net/acestreamplugin,version=3.1.6 -> C:\Users\Jason\AppData\Roaming\ACEStream\player\npace_plugin.dll [No File] 
C:\Users\Jason\AppData\Roaming\ACEStream
C:\Windows\system32\drivers\NetUtils2016.sys
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\azjcrvpw
C:\Program Files (x86)\ntuserlitelist\dataup
C:\Windows\system32\drivers\ebcb96f81037be9a3e0ca90a17dbc11c.sys
C:\Program Files\5c94f427ca6a541e75713ba5123bd6b4
C:\Program Files (x86)\Itibiti Soft Phone
C:\Program Files (x86)\ScreenshotPro
C:\Program Files\Common Files\Noobzo
C:\Program Files (x86)\OneSystemCare
C:\Program Files (x86)\Spoutly
C:\Program Files\XH54S4PPV7
C:\Windows\TEMP\IXP000.TMP
C:\Program Files (x86)\SystemHealer
C:\Program Files\5VU8BUUF37
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\WikiThemes
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AppTrailers
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe
2017-03-28 13:13 - 2017-03-28 17:37 - 0000380 _____ () C:\Users\Jason\AppData\Roaming\sp_data.sys
2017-03-28 13:13 - 2017-03-29 08:46 - 0000440 _____ () C:\ProgramData\lxebscan.log
2017-03-28 13:15 - 2017-03-28 13:15 - 0000159 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2017-03-29 08:31 - 2017-03-29 08:31 - 0327680 _____ () C:\ProgramData\smp2.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AppTrailers\AppTrailers.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\WikiThemes\WikiThemes.exe
C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
C:\ProgramData\smp2.exe
S3 semav6msr64; C:\Windows\system32\drivers\semav6msr64.sys [21984 2016-03-09] ()
C:\Windows\system32\drivers\semav6msr64.sys
S2 zigipyro; C:\Windows\SysWOW64\config\systemprofile\AppData\Local\1887E880-1490776169-81E1-2282-10BF48240C88\qnsuCB40.tmp [158720 2015-12-26] () [File not signed] 
S2 gemeloki; C:\Program Files (x86)\f6ed071c-ac2e-489b-914e-97afa5bc5edd1490801195\protf6ed071c-ac2e-489b-914e-97afa5bc5edd.tmpfs [X] 
S2 servervo; C:\Program Files (x86)\f6ed071c-ac2e-489b-914e-97afa5bc5edd1490801195\knsf6ed071c-ac2e-489b-914e-97afa5bc5edd.tmpfs [X] 
C:\Program Files (x86)\f6ed071c-ac2e-489b-914e-97afa5bc5edd1490801195
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\1887E880-1490776169-81E1-2282-10BF48240C88
CMD: bcdedit.exe /set {bootmgr} displaybootmenu Yes
CMD: bcdedit.exe /set {current} bootstatuspolicy DisplayAllFailures
CMD: bcdedit.exe /set {current} recoveryenabled Yes
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON 
CMD: ipconfig /flushdns 
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP: 
Reboot:

*****************

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{033D8299-43DA-4642-A0E5-772C2F1E18BF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{033D8299-43DA-4642-A0E5-772C2F1E18BF} => key removed successfully
C:\Windows\System32\Tasks\One System CarePeriod => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System CarePeriod => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3EE4AF6F-AB24-41C6-9D74-341D0F95EA1A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3EE4AF6F-AB24-41C6-9D74-341D0F95EA1A} => key removed successfully
C:\Windows\System32\Tasks\One System Care Task => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{59D662DB-18C6-48A4-AB18-363E41960B8B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{59D662DB-18C6-48A4-AB18-363E41960B8B} => key removed successfully
C:\Windows\System32\Tasks\{7D0B0B47-090F-7A04-0E11-087F0A7A1179} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7D0B0B47-090F-7A04-0E11-087F0A7A1179} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CDBE9FA4-A2EE-4FE6-BB0D-A2588AD89A8B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDBE9FA4-A2EE-4FE6-BB0D-A2588AD89A8B} => key removed successfully
C:\Windows\System32\Tasks\System Healer Task => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Healer Task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D259DB4A-5842-489A-B975-8790C69A5ED3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D259DB4A-5842-489A-B975-8790C69A5ED3} => key removed successfully
C:\Windows\System32\Tasks\System HealerPeriod => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerPeriod => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FB2DA1EB-6B73-4959-88B0-E758093EFFAA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB2DA1EB-6B73-4959-88B0-E758093EFFAA} => key removed successfully
C:\Windows\System32\Tasks\System HealerStartUp => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerStartUp => key removed successfully
C:\Windows\Tasks\One System CarePeriod.job => moved successfully
C:\Windows\Tasks\System HealerPeriod.job => moved successfully
C:\Windows\Tasks\System HealerStartUp.job => moved successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AnonymizerGadget => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AppTrailers => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\WikiThemes => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\wextract_cleanup0 => value not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Itibiti.exe => value removed successfully
HKLM\System\CurrentControlSet\Services\5c94f427ca6a541e75713ba5123bd6b4 => key removed successfully
5c94f427ca6a541e75713ba5123bd6b4 => service removed successfully
Dataup => service not found.
HKLM\System\CurrentControlSet\Services\SMUpd => key removed successfully
SMUpd => service removed successfully
HKLM\System\CurrentControlSet\Services\TheScreenshotProService => key removed successfully
TheScreenshotProService => service removed successfully
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key removed successfully
windowsmanagementservice => service removed successfully
drmkpro64 => service not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Spoutly.exe => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Itibiti.exe => value not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\1L2OBBN7P3 => value not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\IT3HV1YGYE => value not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\9y7HKMIExV.exe => value not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\VQVQ7492KB => value not found.
HKLM\System\CurrentControlSet\Services\ebcb96f81037be9a3e0ca90a17dbc11c => key removed successfully
ebcb96f81037be9a3e0ca90a17dbc11c => service removed successfully
HKLM\System\CurrentControlSet\Services\NetUtils2016 => key removed successfully
NetUtils2016 => service removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKU\S-1-5-21-616515737-2173210804-205294457-1001\Software\MozillaPlugins\@acestream.net/acestreamplugin,version=3.1.6 => key removed successfully
C:\Users\Jason\AppData\Roaming\ACEStream\player\npace_plugin.dll => not found.
"C:\Users\Jason\AppData\Roaming\ACEStream" => not found.
"C:\Windows\system32\drivers\NetUtils2016.sys" => not found.
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\azjcrvpw => moved successfully
C:\Program Files (x86)\ntuserlitelist\dataup => moved successfully
"C:\Windows\system32\drivers\ebcb96f81037be9a3e0ca90a17dbc11c.sys" => not found.
C:\Program Files\5c94f427ca6a541e75713ba5123bd6b4 => moved successfully
"C:\Program Files (x86)\Itibiti Soft Phone" => not found.
C:\Program Files (x86)\ScreenshotPro => moved successfully
C:\Program Files\Common Files\Noobzo => moved successfully
"C:\Program Files (x86)\OneSystemCare" => not found.
"C:\Program Files (x86)\Spoutly" => not found.
C:\Program Files\XH54S4PPV7 => moved successfully
"C:\Windows\TEMP\IXP000.TMP" => not found.
"C:\Program Files (x86)\SystemHealer" => not found.
C:\Program Files\5VU8BUUF37 => moved successfully
"C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\WikiThemes" => not found.
"C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AppTrailers" => not found.
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe => moved successfully
C:\Users\Jason\AppData\Roaming\sp_data.sys => moved successfully
C:\ProgramData\lxebscan.log => moved successfully
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc => moved successfully
C:\ProgramData\smp2.exe => moved successfully
"C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe" => not found.
"C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AppTrailers\AppTrailers.exe" => not found.
"C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\WikiThemes\WikiThemes.exe" => not found.
"C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe" => not found.
"C:\ProgramData\smp2.exe" => not found.
HKLM\System\CurrentControlSet\Services\semav6msr64 => key removed successfully
semav6msr64 => service removed successfully
C:\Windows\system32\drivers\semav6msr64.sys => moved successfully
zigipyro => service not found.
gemeloki => service not found.
servervo => service not found.
C:\Program Files (x86)\f6ed071c-ac2e-489b-914e-97afa5bc5edd1490801195 => moved successfully
"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\1887E880-1490776169-81E1-2282-10BF48240C88" => not found.

========= bcdedit.exe /set {bootmgr} displaybootmenu Yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {current} bootstatuspolicy DisplayAllFailures =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {current} recoveryenabled Yes =========

The operation completed successfully.

========= End of CMD: =========


========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ip reset C:\resettcpip.txt =========

Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========

Failed to clear log AirSpaceChannel. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.

========= End of CMD: =========


========= Bitsadmin /Reset /Allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to connect to BITS - 0x8007042c
The dependency service or group failed to start.


========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 4194304 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13649096 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 170598154 B
Edge => 0 B
Chrome => 28337511 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 103299153 B
LocalService => 0 B
NetworkService => 5010 B
Jason => 11052526 B

RecycleBin => 6324502 B
EmptyTemp: => 321.8 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 21:16:13 ====

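The fixlist above is a compact inventory of persistence mechanisms: scheduled tasks, Run keys under HKLM and the SYSTEM account's hive (HKU\S-1-5-18), auto-start services (S2) and kernel drivers (R0/R1) that are unsigned, plus one task that launches PowerShell with `-executionpolicy bypass -windowstyle hidden -EncodedCommand`. The encoded value is base64 of UTF-16LE text, which is why it is unreadable in the log but trivial to decode. The following Python triage script is an added example and is not code from the thread, from FRST or from Malwarebytes: it reads lines in the fixlist format quoted above, classifies each by persistence type, flags unsigned binaries, and decodes any `-EncodedCommand` payload so an analyst can see what the task was going to run. The sample lines are constructed from the log entries above (shortened), the encoded string is the truncated prefix quoted in the thread (the real entry had about 10,000 more characters), and the set of PowerShell switches treated as suspicious is this example's own assumption.

```python
"""Triage FRST fixlist-style persistence entries (added example, not FRST code)."""
import base64
import re

# Constructed sample in the shape of the thread's fixlist; paths are copied from
# the quoted log, the encoded command is the truncated prefix the log shows.
SAMPLE_FIXLIST = [
    r"Task: {59D662DB-18C6-48A4-AB18-363E41960B8B} - System32\Tasks\{7D0B0B47-090F-7A04-0E11-087F0A7A1179} => "
    "powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand "
    "IAAgACAAOwAgACAAOwAgACAAOwA7ADsAIAAgADsAIAA7ADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4AZwBQAHIA <==== ATTENTION",
    r"Task: {D259DB4A-5842-489A-B975-8790C69A5ED3} - System32\Tasks\System HealerPeriod => C:\Program Files (x86)\SystemHealer\SystemHealer.exe  <==== ATTENTION",
    r"HKLM-x32\...\Run: [AnonymizerGadget] => C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe [349704 2017-03-29] (Jetico ltd) <===== ATTENTION",
    r"S2 windowsmanagementservice; C:\Windows\SysWOW64\config\systemprofile\AppData\Local\azjcrvpw\ct.exe [947200 2017-03-29] () [File not signed] <==== ATTENTION",
    r"R0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [78112 2013-09-28] () [File not signed] <==== ATTENTION",
    r"C:\Program Files (x86)\SystemHealer",
]

# Assumption of this example: switches worth flagging when seen together on a
# persisted PowerShell command line.
SUSPICIOUS_PS_FLAGS = ("-executionpolicy bypass", "-windowstyle hidden",
                       "-noninteractive", "-encodedcommand")

# FRST service/driver line: "<S|R><start type> <name>; <image path and details>"
_SERVICE_RE = re.compile(r"^([SR])(\d)\s+([^;]+);\s*(.*)$")
# Only the full switch spelling, which is the form that appears in the log.
_ENCODED_RE = re.compile(r"-encodedcommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text.

    A truncated value (as in the thread's log) is cut back to whole base64
    groups and whole UTF-16 code units so the readable prefix still decodes.
    """
    b64 = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode("utf-16-le", errors="replace")


def classify(line: str) -> dict:
    """Turn one fixlist line into a record: persistence kind, target, indicators."""
    line = line.strip()
    rec = {"kind": "path", "target": line, "unsigned": False,
           "flagged": "ATTENTION" in line, "decoded_command": None,
           "suspicious_flags": []}
    body = line.split("<====")[0].strip()  # drop FRST's "<==== ATTENTION" marker
    svc = _SERVICE_RE.match(body)
    if body.startswith("Task:"):
        rec["kind"] = "task"
        rec["target"] = body.split("=>", 1)[1].strip()
    elif "\\...\\Run" in body:
        rec["kind"] = "run_key"
        rec["target"] = body.split("=>", 1)[1].strip()
    elif svc:
        # Start type 0/1 = boot/system-start kernel driver, 2 = auto-start service.
        rec["kind"] = "driver" if svc.group(2) in ("0", "1") else "service"
        rec["name"] = svc.group(3)
        rec["target"] = svc.group(4)
    rec["unsigned"] = "[File not signed]" in body
    lower = rec["target"].lower()
    if "powershell" in lower:
        rec["suspicious_flags"] = [f for f in SUSPICIOUS_PS_FLAGS if f in lower]
        enc = _ENCODED_RE.search(rec["target"])
        if enc:
            rec["decoded_command"] = decode_encoded_command(enc.group(1))
    return rec


def summarize(lines) -> dict:
    """Count entries by persistence kind, list unsigned images and decoded payloads."""
    recs = [classify(ln) for ln in lines if ln.strip()]
    counts = {}
    for r in recs:
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    return {
        "counts": counts,
        "unsigned": [r.get("name", r["target"]) for r in recs if r["unsigned"]],
        "decoded": [r["decoded_command"] for r in recs if r["decoded_command"]],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FIXLIST)
    print(report["counts"])
    print("unsigned:", report["unsigned"])
    for cmd in report["decoded"]:
        # The payload opens with whitespace/semicolon padding, a common
        # obfuscation trick; strip it to see the real first statement.
        print("decoded prefix:", cmd.lstrip(" ;"))
```

On the quoted prefix the decoder yields `$ErrorActionPreference="stop";$sc="SilentlyContinue";$WarningPr...`, i.e. the script first silences its own errors and warnings before the (truncated) rest runs; the leading run of spaces and semicolons is padding that does nothing in PowerShell and exists only to change the hash and defeat naive pattern matching. For a real investigation, feed the tool the complete encoded value from the FRST log rather than the prefix, and keep the decoded text with the case notes alongside the task GUID and the image paths it references.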

I thought the version I had was 3.0.6, which I originally had installed and scanned with to get rid of the virus before it got reinfected, because it said my version was the latest update. I worry it goes dormant so it looks like the scan worked, and then comes back.

Edited by Irvineboy

OK, I finally got Malwarebytes Anti-Malware to work in Safe Mode.

I just reran Malwarebytes Anti-Malware. It found 936 threats and I quarantined all 936 threats.
I also ran AdwCleaner by Malwarebytes and removed 29 threats. I will post the log below.
I also ran JRT, but the system restore failed. I will post the log below.
I did this a few days ago and the virus was supposedly gone. But then the computer restarted out of nowhere by itself, went to a blue screen, and everything bad occurred again. It almost seems like the trojan went dormant while the scans were being done, showed as virus free, then came back.

AdwCleaner log is here:
 
# AdwCleaner v6.045 - Logfile created 30/03/2017 at 06:59:24
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-03-28.2 [Local]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Jason - JASON-PC
# Running from : C:\Users\Jason\Desktop\Malewarbytes\adwcleaner_6.045.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\Public\Documents\Guid
[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Itibiti
[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tlerauic
[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WikiThemes
[-] Folder deleted: C:\Windows\SysWOW64\sstmp
 
 
***** [ Files ] *****
 
[-] File deleted: C:\TOSTACK
[-] File deleted: C:\Windows\SysWOW64\delay.dat
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
[-] Task deleted: Lmeried
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
[-] Key deleted: HKU\.DEFAULT\Software\AppDataLow\Software\WikiThemes
[#] Key deleted on reboot: HKU\S-1-5-18\Software\AppDataLow\Software\WikiThemes
[-] Key deleted: HKLM\SOFTWARE\SearchModule
[-] Key deleted: HKLM\SOFTWARE\msServer
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}
[-] Key deleted: [x64] HKLM\SOFTWARE\SearchModule
[-] Key deleted: [x64] HKLM\SOFTWARE\HDWallpaper
[-] Key deleted: [x64] HKLM\SOFTWARE\DtsEncodeTools
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\22dab7df1273e6748e51e8e147fdb2dc
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\22dab7df1273e6748e51e8e147fdb2dc
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [13986 Bytes] - [28/03/2017 14:08:30]
C:\AdwCleaner\AdwCleaner[C2].txt - [3290 Bytes] - [30/03/2017 06:59:24]
C:\AdwCleaner\AdwCleaner[S0].txt - [14882 Bytes] - [27/03/2017 13:10:07]
C:\AdwCleaner\AdwCleaner[S1].txt - [12735 Bytes] - [28/03/2017 13:18:40]
C:\AdwCleaner\AdwCleaner[S2].txt - [12622 Bytes] - [28/03/2017 14:00:05]
C:\AdwCleaner\AdwCleaner[S3].txt - [1458 Bytes] - [28/03/2017 17:50:43]
C:\AdwCleaner\AdwCleaner[S4].txt - [3698 Bytes] - [30/03/2017 06:59:10]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [3731 Bytes] ##########
 
 
JRT log is here:
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 7 Home Premium x64 
Ran by Jason (Administrator) on Thu 03/30/2017 at  7:16:51.30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 9 
 
Successfully deleted: C:\Windows\wininit.ini (File) 
Successfully deleted: C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U4MKWUY (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I82QPFC5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RWUNYEY3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Jason\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W4H4K7UF (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3U4MKWUY (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I82QPFC5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RWUNYEY3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W4H4K7UF (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 03/30/2017 at  7:17:48.33
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


  • Root Admin

Well, the main infection should be gone by now and no longer preventing Malwarebytes from running. If you're having issues getting it to run then go ahead and do the Clean Removal and reinstall below. If it's working, then no need to do it.

 

Please run the Threat Scan and post back a new log and let me know how the computer is running now.

Then, I also want to get fresh NEW logs from FRST too.

 

 

Please read the following topic and then run the Malwarebytes Clean Removal tool (mb-clean).

https://forums.malwarebytes.com/topic/196955-malwarebytes-mb-clean-tool/

The download link for the tool is:  https://downloads.malwarebytes.com/file/mb_clean


Restart the computer when done and reinstall Malwarebytes 3 with the latest build again.

Here is the link for the latest installer:
https://forums.malwarebytes.com/topic/198291-malwarebytes-306-cu4-beta-preview/


Thank you

Ron

 

 


  • Root Admin

Not sure where you got that FIXLIST file from. That is not the one that I provided for you. Please run the following.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 


This topic is now closed to further replies.