cannot open any security or anti virus programs due to running resource mes

[Mikey1]

Sorry thought you meant this one, you asked if the FRST worked to move driver and I replied yes and then you said to do the Malicious software removal tool scan which is above  I had the scan reults from RKiller still open on desktop so deleted them from there. but running RKiller again.

Edited September 17, 2017 by Mikey1
missed something

[kevinf80]

OK Mike, just post fresh RK log....

[Mikey1]

Fix result of Farbar Recovery Scan Tool (x64) Version: 16-09-2017
Ran by Micke (17-09-2017 14:58:33) Run:6
Running from F:\Data\Desktop\New folder
Loaded Profiles: Micke (Available Profiles: defaultuser0 & Micke)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
FF user.js: detected! => C:\Users\Micke\AppData\Roaming\Mozilla\Firefox\Profiles\0knd2vyl.default\user.js [2017-09-08]
S3 dbx; system32\DRIVERS\dbx.sys [X]
C:\Windows\system32\drivers\rdpxaxnt.sys
C:\Windows\system32\Drivers\B331E1EE.sys
CMD: ipconfig /flushdns
EmptyTemp:
end

*****************

Processes closed successfully.
Restore point was successfully created.
C:\Users\Micke\AppData\Roaming\Mozilla\Firefox\Profiles\0knd2vyl.default\user.js => moved successfully
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully
Could not move "C:\Windows\system32\drivers\rdpxaxnt.sys" => Scheduled to move on reboot.
C:\Windows\system32\Drivers\B331E1EE.sys => moved successfully

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========== EmptyTemp: ==========

BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 74877845 B
Java, Flash, Steam htmlcache => 379 B
Windows/system/drivers => 15867103 B
Edge => 0 B
Chrome => 0 B
Firefox => 264752228 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 80754 B
NetworkService => 0 B
defaultuser0 => 0 B
Micke => 240059795 B

RecycleBin => 0 B
EmptyTemp: => 568.1 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 17-09-2017 14:59:53)

"C:\Windows\system32\drivers\rdpxaxnt.sys" => Could not move

==== End of Fixlog 14:59:53 ====

[Mikey1]

Kevin I just did the Rogue Killer scan again and it didn't give me a log but I went into history and there were 35 virus's inc yellowloader all Quarantined so I deleted them all

[Mikey1]

I was able to run Adwcleaner and this is the log I also have been able to download and run Malwarebytes and that is scanning at the moment

 

# AdwCleaner 7.0.2.1 - Logfile created on Sun Sep 17 17:10:53 2017
# Updated on 2017/29/08 by Malwarebytes
# Database: 09-15-2017.1
# Running on Windows 10 Pro (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.AdvancedSystemCare, C:\ProgramData\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Windows\System32\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Program Files (x86)\Common Files\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Users\All Users\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Users\Micke\AppData\LocalLow\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Users\Micke\AppData\Roaming\IObit\Advanced SystemCare
PUP.Optional.Legacy, C:\ProgramData\IObit\ASCDownloader
PUP.Optional.Legacy, C:\Users\All Users\IObit\ASCDownloader

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.AdvancedSystemCare, [Key] - HKLM\SOFTWARE\IOBIT\ASC
PUP.Optional.AdvancedSystemCare, [Key] - HKLM\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, [Key] - HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, [Key] - HKLM\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, [Key] - HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.ascplugin.protect
PUP.Optional.Legacy, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\UpgSvr
PUP.Optional.Legacy, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\PopWnd
PUP.Optional.Legacy, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\Yahoo\Companion
PUP.Optional.Legacy, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\AppDataLow\Software\Yahoo\Companion
PUP.Optional.Legacy, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\fitlr
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\s5m
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\CloudExtender
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\CloudExtender
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
PUP.Optional.Legacy, [Value] - HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | Advanced SystemCare 10
PUP.Optional.Wajam, [Key] - HKLM\SOFTWARE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9
PUP.Optional.WindowService, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MeOptimum_x86
PUP.Optional.SwytShop, [Key] - HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\SwytShop_Pkg2_is1
PUP.Optional.SwytShop, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SwytShop_Pkg2_is1
PUP.Optional.Downloader, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\dlr
PUP.Optional.DragonBranch, [Key] - HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\119
PUP.Optional.DragonBranch, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\119
PUP.Optional.WeatherAlerts, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}

***** [ Firefox (and derivatives) ] *****

PUP.Optional.Legacy, Plugin found: SwytShop - SwytShop

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

 

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########

[kevinf80]

Looks like we are finally making progress, post malwarebytes log whenever you`re ready...

[Mikey1]

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/17/17
Scan Time: 7:11 PM
Log File: 4c71bd7a-9bcb-11e7-ac12-bc5ff49cca3a.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.188
Update Package Version: 1.0.2826
License: Trial

-System Information-
OS: Windows 10 (Build 14393.1715)
CPU: x64
File System: NTFS
User: DESKTOP-BLBF82Q\Micke

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 395275
Threats Detected: 17
Threats Quarantined: 17
Time Elapsed: 3 min, 47 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 7
Adware.REOptimizer, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CloudExtender, Quarantined, [7013], [412223],1.0.2826
PUP.Optional.SwytShop, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SwytShop_Pkg2_is1, Quarantined, [2872], [375414],1.0.2826
Adware.REOptimizer, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\119, Quarantined, [7013], [417947],1.0.2826
PUP.Optional.Wajam, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9, Quarantined, [83], [170024],1.0.2826
PUP.Optional.Wajam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [83], [-1],0.0.0
PUP.Optional.Wajam, HKLM\SOFTWARE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9, Quarantined, [83], [170024],1.0.2826
PUP.Optional.Wajam, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9, Quarantined, [83], [170024],1.0.2826

Registry Value: 5
Adware.REOptimizer, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\119|DISPLAYNAME, Quarantined, [7013], [417947],1.0.2826
PUP.Optional.Wajam, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [83], [-1],0.0.0
PUP.Optional.Wajam, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [83], [-1],0.0.0
PUP.Optional.Wajam, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYOVERRIDE, Quarantined, [83], [-1],0.0.0
PUP.Optional.Wajam, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [83], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.SwytShop, C:\Users\Micke\AppData\Roaming\Mozilla\Firefox\Profiles\0knd2vyl.default\jetpack\323D625D490FE8DD@ext.u\simple-storage, Quarantined, [2872], [375413],1.0.2826
PUP.Optional.SwytShop, C:\USERS\MICKE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\0KND2VYL.DEFAULT\JETPACK\323D625D490FE8DD@ext.u, Quarantined, [2872], [375413],1.0.2826

File: 3
PUP.Optional.OnlineIO, C:\WINDOWS\INSTALLER\SOURCEHASH{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}, Quarantined, [551], [391431],1.0.2826
PUP.Optional.SwytShop, C:\USERS\MICKE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\0KND2VYL.DEFAULT\EXTENSIONS\323D625D490FE8DD@ext.u.xpi, Quarantined, [2872], [375412],1.0.2826
PUP.Optional.SwytShop, C:\Users\Micke\AppData\Roaming\Mozilla\Firefox\Profiles\0knd2vyl.default\jetpack\323D625D490FE8DD@ext.u\simple-storage\store.json, Quarantined, [2872], [375413],1.0.2826

Physical Sector: 0
(No malicious items detected)

(end)

Looks like we've (you've)cracked it windows defender is also running now.

[Mikey1]

I am also going to upgrade my tempory free premium Antimalwarebytes to a full sub

[kevinf80]

Lets run another scan with FRST, see what a fresh set of logs show:

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

 

[Mikey1]

FRST.txt

Addition.txt

[kevinf80]

Thanks for those logs Mike, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Let me see that log, also tell me if there are any remaining issues or concerns..

Thanks,

Kevin....

fixlist.txt

[Mikey1]

Hi Kevin I think everything is looking good mate Thanks so much for all your help and time.

Fixlog.txt

[kevinf80]

You`re very welcome Mike, run the following to clean up:

Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down: "Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked:   Remove disinfection tools <----- this will remove tools we may have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful.... Answers to Common Security Questions and best Practices Do I need a Registry Cleaner? Take care and surf safe Kevin...

[kevinf80]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!