I CANNOT INSTALL MALWARE BYTES BECAUSE OF "system resource is in use"


Alright, disable your active Rainmeter theme, and run the following FRST fix.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press on Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\...\Winlogon: [Shell] C:\windows\explorer.exe [4674360 2017-04-27] (Microsoft Corporation) <==== ATTENTION
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;


Here is the fix log (it didn't open upon the reboot but I found it):

Fix result of Farbar Recovery Scan Tool (x64) Version: 14-05-2017
Ran by ckurl (17-05-2017 15:29:23) Run:2
Running from F:\iAmInfected\FRST64
Loaded Profiles: ckurl (Available Profiles: ckurl)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\...\Winlogon: [Shell] C:\windows\explorer.exe [4674360 2017-04-27] (Microsoft Corporation) <==== ATTENTION
*****************

Processes closed successfully.
HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully


The system needed a reboot.

==== End of Fixlog 15:29:24 ====

 

 

UPON REBOOT MY LOCK SCREEN WALLPAPER CHANGED TO THE DEFAULT WINDOWS ONE


This is normal. Basically we removed the patched explorer.exe (most likely patched by Rainmeter). I want to see if you still get ads after this, so do not re-enable Rainmeter for now.

4 minutes ago, joshkmartinez said:

Even when I installed rainmeter when I just got my PC I never got ads.

Alright, that I didn't know.

In case I didn't ask (yet), when did the ads start?


Well, I have an idea, but it would require a cloud storage service to work. Do you have a Google Drive, OneDrive or Dropbox account? Even Mega works.


Yes, you can re-enable it. Basically we'll take a trace of your system using ProcMon, which monitors everything going on on the system. We'll wait for an ad to pop up (like we did with ProcExp), and from there you'll send me the trace and I'll analyze it. It should allow me to identify what launched that ad. However, every program needs to be closed while the trace is running, and the file it creates can end up being a few GBs, hence the need to transfer it via a cloud sharing service.


Sorry for the delay. Download and extract ProcessMonitor.zip on your system, then launch procmon.exe

https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

Once done, it'll start monitoring your system automatically. Wait for a pop-up to occur. Once it appears, click on the little magnifying glass in the top left corner to stop the capture.


After that, click on the File menu, followed by Save and save the file somewhere easily accessible (like your desktop). Once done, upload that file to Google Drive, and give me a public download URL for it (you can PM me it if you want).


If possible, try not to open Google Chrome. Otherwise, you can. If you see that the log ends up being way too big, then restart the experiment without using your computer.

I'm sorry, it's a bothersome step, but in your case, I think it is necessary to get more information.


I should have asked this before but do you remember that domain or website that was displayed in the ad?


Please uninstall Hotspot Shield (and uninstall the Hotspot Shield VPN Proxy - Unblock Sites Chrome extension as well), and uninstall the Unlimited Free VPN Chrome extension. 

HotspotShield produces ads.

https://support.hotspotshield.com/hc/en-us/articles/202438954-Why-do-I-see-extra-ads-when-browsing-with-Hotspot-Shield-

Unlimited Free VPN has been reviewed as adware on the Chrome Web Store.

https://chrome.google.com/webstore/detail/uniimitеd-frее-vрn/bkghdibcmhbcaogjpdjonpcddpcnjelj/reviews?hl=en-US

Also, please do not install any other program, extension, etc. during the clean-up. These programs and extensions were installed after you started your thread. If you do that, it's harder for me to keep track of what's going on on your system.

Once done, run the following FRST fix.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

 

fixlist.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 14-05-2017
Ran by ckurl (19-05-2017 16:46:54) Run:3
Running from C:\Users\ckurl\Desktop\FRST
Loaded Profiles: ckurl (Available Profiles: ckurl)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:

HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\...\StartupApproved\Run: => "KeepVidMusicService"

S3 KvAppService; C:\Program Files (x86)\Keepvid\KAF\2.4.2.222\KvAppService.exe [474824 2017-03-10] (Keepvid)

C:\Program Files (x86)\Keepvid
C:\Users\ckurl\AppData\Local\LLSSOFT.del
C:\Users\ckurl\AppData\Local\NTUSERLITELIST.del
C:\Users\ckurl\AppData\Local\GVPGIOZPG.del

EmptyTemp:
*****************

Processes closed successfully.
HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\KeepVidMusicService => value removed successfully
HKU\S-1-5-21-3379452668-3058411388-1845388906-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\KeepVidMusicService => value not found.
HKLM\System\CurrentControlSet\Services\KvAppService => key removed successfully
KvAppService => service removed successfully
C:\Program Files (x86)\Keepvid => moved successfully
C:\Users\ckurl\AppData\Local\LLSSOFT.del => moved successfully
C:\Users\ckurl\AppData\Local\NTUSERLITELIST.del => moved successfully
C:\Users\ckurl\AppData\Local\GVPGIOZPG.del => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 79496848 B
Java, Flash, Steam htmlcache => 138240 B
Windows/system/drivers => 1675838 B
Edge => 1685 B
Chrome => 55633133 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 22962 B
NetworkService => 0 B
ckurl => 4283055 B

RecycleBin => 20127739722 B
EmptyTemp: => 18.9 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 16:47:02 ====

This topic is now closed to further replies.
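
Reading a Fixlog like the ones posted in this thread can be automated. The following Python sketch is an added example, not part of the original posts and not FRST's own code; the function name `parse_fixlog` and the sample log (constructed, with a placeholder SID and paths) are assumptions. It separates result lines that report success from those, such as `value not found`, that a helper may want to look at again.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Fixlogs posted in this thread
# (SID, names and paths are placeholders, not values from a real machine).
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 14-05-2017
Ran by user (19-05-2017 16:46:54) Run:3
==============================================

fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-21-EXAMPLE\...\StartupApproved\Run: => "ExampleSvc"
C:\Program Files (x86)\ExampleApp
EmptyTemp:
*****************

Processes closed successfully.
HKU\S-1-5-21-EXAMPLE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ExampleSvc => value not found.
HKLM\System\CurrentControlSet\Services\ExampleSvc => key removed successfully
C:\Program Files (x86)\ExampleApp => moved successfully

=========== EmptyTemp: ==========

Chrome => 55633133 B

==== End of Fixlog 16:47:02 ====
"""

RESULT_LINE = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+?)\.?$")
SUCCESS = re.compile(r"\b(removed|moved) successfully$")

def parse_fixlog(text):
    """Return {'ok': [...], 'review': [...]} of (target, outcome) pairs."""
    # The fixlist is echoed between two rows of asterisks and may itself
    # contain "=>", so results are read only from what follows the second row.
    parts = re.split(r"^\*{5,}\s*$", text, flags=re.M)
    body = parts[2] if len(parts) >= 3 else text
    # The EmptyTemp report lists byte counts, not fix outcomes: stop before it.
    body = re.split(r"^=+ EmptyTemp: =+\s*$", body, flags=re.M)[0]
    results = defaultdict(list)
    for line in body.splitlines():
        m = RESULT_LINE.match(line.strip())
        if not m:
            continue
        bucket = "ok" if SUCCESS.search(m["outcome"]) else "review"
        results[bucket].append((m["target"], m["outcome"]))
    return dict(results)
```
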