I CANNOT INSTALL MALWARE BYTES BECAUSE OF "system resource is in use"


No, I only use Chrome. So if the Chrome application isn't even opened, like if I am playing a game or something, I would get a pop-up ad.

Oh, would you look at that, I just got my first pop-up ad from 'quickprivacycheck.com' saying my computer is being tracked.

I use chrome for my email, I just go to gmail.com.


This is weird indeed. Alright, follow the instructions below please.

Emsisoft Emergency Kit
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.

  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
  • Once the extraction is complete, Emsisoft Emergency Kit will open and suggest that you run an online update before using the program. Click on Yes to launch it;
  • After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
  • Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;


Alright. Next, I would like to see what RogueKiller can find.

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit);
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner);
  • Let the scan complete;
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner);
  • This will open the report in Notepad. Copy/paste its content in your next reply;


RogueKiller V12.10.8.0 (x64) [May  8 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : ckurl [Administrator]
Started from : C:\Users\ckurl\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 05/11/2017 19:01:57 (Duration : 00:54:41)

¤¤¤ Processes : 1 ¤¤¤
[VT.not-a-virus:RiskTool.MSIL.BitCoinMiner.ah] NiceHashMiner.exe(3520) -- C:\Users\ckurl\Desktop\NiceHashMiner_v1.7.5.10\NiceHashMiner.exe[7] -> Found        *

¤¤¤ Registry : 11 ¤¤¤
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF} (C:\Program Files\BDServices\BDUpdateServiceCom.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{65416821-217D-44BD-9C61-F53398FB1B46} (C:\Program Files\BDServices\scan.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{6DFC0DC7-FDC5-44C2-8B80-5977BA8F8ACC} (C:\Program Files\BDServices\scan.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{94915A56-4D71-4F85-B59C-CC040F5AC6F0} (C:\Program Files\BDServices\BDUpdateServiceCom.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{E5AFF088-92F8-41a9-8CAB-E9CDCCE967AC} (C:\Program Files\BDServices\scan.dll) -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3379452668-3058411388-1845388906-1001\Software\Microsoft\Windows\CurrentVersion\Run | Gaijin.Net Agent : "C:\Users\ckurl\AppData\Local\Gaijin\Program Files (x86)\NetAgent\gjagent.exe" [7] -> Found                                                                         *
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3379452668-3058411388-1845388906-1001\Software\Microsoft\Windows\CurrentVersion\Run | Gaijin.Net Agent : "C:\Users\ckurl\AppData\Local\Gaijin\Program Files (x86)\NetAgent\gjagent.exe" [7] -> Found                                                                        *
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | bdx :  [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\klids (\??\C:\ProgramData\Kaspersky Lab\AVP16.0.1\Bases\klids.sys) -> Found       *
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfe21422-8cd3-41c5-9d18-19018f8541fe} | DhcpNameServer : 10.0.1.1 ([])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.Filefinder][Folder] C:\Users\ckurl\AppData\Roaming\Pluto TV -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 +++++
--- User ---
[MBR] 70b7a7f8df8e6d04800322b634f81da1
[BSP] c435b2756a98160cd71c93f623657a67 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 796672 | Size: 926584 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1898442752 | Size: 849 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1900181504 | Size: 26043 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: PNY USB 2.0 FD USB Device +++++
--- User ---
[MBR] 0c85d70d5cec6b73c7768c62a5f422f4
[BSP] dd23538c0b876bd80f6d8290a33783c0 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 8064 | Size: 30604 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

 

 

 

 

*The lines which I have put the asterisk (*) are files that I know are safe.

plz tell me if I should remove the selected threats


Check the following threats, and remove them.

[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF} (C:\Program Files\BDServices\BDUpdateServiceCom.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{65416821-217D-44BD-9C61-F53398FB1B46} (C:\Program Files\BDServices\scan.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{6DFC0DC7-FDC5-44C2-8B80-5977BA8F8ACC} (C:\Program Files\BDServices\scan.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{94915A56-4D71-4F85-B59C-CC040F5AC6F0} (C:\Program Files\BDServices\BDUpdateServiceCom.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{E5AFF088-92F8-41a9-8CAB-E9CDCCE967AC} (C:\Program Files\BDServices\scan.dll) -> Found
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | bdx :  [x] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfe21422-8cd3-41c5-9d18-19018f8541fe} | DhcpNameServer : 10.0.1.1 ([])  -> Found
[PUP.Filefinder][Folder] C:\Users\ckurl\AppData\Roaming\Pluto TV -> Found

 


There is, yes, but you need to add them one by one.

Quote

No, I only use Chrome. So if the Chrome application isn't even opened, like if I am playing a game or something, I would get a pop-up ad.

In which web browser would that ad open? Are you able to reproduce it? And which game(s) are you playing?


finally after like 24 hours

note: I was working on my PC while the ad happened. I then closed all of my tabs and then took the pic of the processes.

ad URL:   https://softwaredownloadplayer.com/campaign/sweetuncle6/?ID=ad2k1&sub=ad2k1&subid=74575527&S2=91ec0660-0789-49f4-b96d-1162062ef495

 

Capture.PNG

Capture1.PNG

Edited by joshkmartinez

This topic is now closed to further replies.