
Persistent infection even after reinstall, please help


sparta


Using Win 10 x64 Pro, Malwarebytes 3.2.
It started a few weeks back when I used some privacy tools from "https://fdossena.com/?p=w10debotnet/index_1703.frag" for Win 10 privacy.
Then nothing happened for a few days, but suddenly winlogon.exe was detected as malware/unwanted by Comodo Internet Security. Afterwards Kaspersky Antivirus components got damaged on their own.
I have the Comodo firewall as well, with a password for settings.
Suddenly autostart apps failed to start, except a few. Malwarebytes did not find anything on scan but kept using high CPU.
Once even Malwarebytes stopped running, with an "access to the folder denied" etc. error.
So I reinstalled Windows, but the D drive with the downloads (exe, msi) was not formatted.
It worked OK for a few days, then again the same issues as above.
Suddenly the password of Comodo is reset automatically; it does not ask for any password to change settings.
So I installed Avast antivirus, but it also did not detect anything. Ran a USB scan from Bitdefender; it found some "Rusy" virus, but when I updated definitions and scanned again it did not find anything.
Internet also stopped working. Started the network troubleshooting wizard; it said Windows Firewall is blocking.
So I installed Windows Firewall Control, removed all the entries from the firewall and disabled it using Windows Firewall Control. Still the DNS service and DHCP service use high CPU. Disabled the DNS service, but DHCP still uses high CPU when connecting to the internet, and the internet does not work.

So I reinstalled Windows again.
Now installed Outpost Firewall and made rules for svchost etc. in the firewall.
It blocks some connections; logs are as under:
SVCHOST.EXE OUT UDP 239.255.255.250 1900 
VIVALDI.EXE OUT TCP Logan 1001 
SVCHOST.EXE IN UDP 192.168.0.1 1901
N/A IN IGMP 192.168.0.1 * Block IGMP 0 36
SVCHOST.EXE OUT UDP 224.0.0.252 5355
SVCHOST.EXE OUT TCP 157.56.77.140 443 Blocked by IP Blocklist 0 0
SVCHOST.EXE OUT TCP 157.55.240.89 443 Blocked by IP Blocklist 0 0
Attack detection log is as below:
Init log session
2017/09/13 10:32:20   attack detection: enabled
2017/09/13 10:32:20   IDS level: Low Security
2017/09/13 10:54:01   IDS level: Maximum Security
2017/09/13 11:22:34   detected scan packet: 50124; packet recv TCP 74.120.8.14:443 -> 192.168.0.12:50124 (40) [ ACK ]
2017/09/13 11:22:34   Attack SINGLE_SCAN_PORT (50124) detected from 74.120.8.14 {host not blocked} [00000000]
2017/09/13 11:22:36   detected port scanning: 50124, 50131, 50123; packet recv TCP 74.120.8.14:443 -> 192.168.0.12:50123 (40) [ ACK ]
2017/09/13 11:22:36   Attack SCAN (50124, 50131, 50123) detected from 74.120.8.14 {host blocked for 5 min} [000000CB]
2017/09/13 11:22:36   Show PROTECT alert sound: C:\PROGRA~1\Agnitum\OUTPOS~1\warning.wav
2017/09/13 11:27:36   intruder 74.120.8.14 unblocked [000000CB]
2017/09/13 11:34:27   IDS level: Optimal Protection
2017/09/13 13:07:16   [~] deinit data...
-------------------------------------------------------------------------------
Init log session
2017/09/13 13:09:43   attack detection: enabled
2017/09/13 13:09:43   IDS level: Optimal Protection
2017/09/13 14:00:57   detected scan packet: 49747; packet recv TCP 74.120.8.12:443 -> 192.168.0.12:49747 (40) [ ACK ]
2017/09/13 14:44:46   detected scan packet: 50124; packet recv TCP 172.217.7.3:443 -> 192.168.0.12:50124 (95) [ PSH ACK ]
2017/09/13 19:08:24   detected scan packet: 51256; packet recv TCP 172.217.10.227:443 -> 192.168.0.12:51256 (52) [ SYN ACK ]
2017/09/13 19:13:01   detected scan packet: 51313; packet recv TCP 107.167.110.216:443 -> 192.168.0.12:51313 (40) [ ACK ]
2017/09/13 19:21:07   detected scan packet: 51435; packet recv TCP 172.217.11.34:80 -> 192.168.0.12:51435 (52) [ SYN ACK ]
2017/09/13 20:12:36   detected scan packet: 51597; packet recv TCP 54.192.38.92:443 -> 192.168.0.12:51597 (71) [ PSH ACK ]
2017/09/13 20:12:39   detected scan packet: 51603; packet recv TCP 54.192.38.67:443 -> 192.168.0.12:51603 (71) [ PSH ACK ]
2017/09/13 20:12:41   detected scan packet: 51587; packet recv TCP 54.230.38.179:443 -> 192.168.0.12:51587 (71) [ PSH ACK ]
2017/09/13 20:12:55   detected port scanning: 51603, 51605, 51604, 51607, 51606, 51624, 51627; packet recv TCP 54.192.38.67:443 -> 192.168.0.12:51627 (71) [ PSH ACK ]
2017/09/13 20:12:55   Attack SCAN (51603, 51605, 51604, 51607, 51606, 51624, 51627) detected from 54.192.38.67 {host blocked for 60 min} [000002DE]
2017/09/13 20:12:55   Show PROTECT alert sound: C:\PROGRA~1\Agnitum\OUTPOS~1\warning.wav
2017/09/13 20:13:01   detected scan packet: 51615; packet recv TCP 117.18.237.29:80 -> 192.168.0.12:51615 (40) [ FIN ACK ]
2017/09/13 20:53:06   [~] deinit data...
2017/09/13 20:53:06   intruder 54.192.38.67 unblocked [000002DE]
2017/09/13 20:53:22   [~] deinit...
-------------------------------------------------------------------------------
Init log session
2017/09/14 08:57:45   attack detection: enabled
2017/09/14 08:57:45   IDS level: Optimal Protection
-------------------------------------------------------------------------------
Init log session
2017/09/14 09:01:51   attack detection: enabled
2017/09/14 09:01:51   IDS level: Optimal Protection
2017/09/14 10:13:41   detected scan packet: 60411; packet recv UDP 176.103.130.131:53 -> 192.168.0.12:60411 (98)
2017/09/14 10:13:41   detected scan packet: 57089; packet recv UDP 176.103.130.130:53 -> 192.168.0.12:57089 (122)
2017/09/14 12:06:19   detected scan packet: 54269; packet recv TCP 216.58.220.14:80 -> 192.168.43.221:54269 (748) [ PSH ACK ]
2017/09/14 12:06:20   detected scan packet: 54224; packet recv TCP 204.79.197.200:443 -> 192.168.43.221:54224 (40) [ RST ACK ]
2017/09/14 12:09:17   detected scan packet: 54220; packet recv TCP 62.128.100.108:443 -> 192.168.43.221:54220 (40) [ RST ACK ]
2017/09/14 12:09:18   detected scan packet: 54219; packet recv TCP 38.113.165.68:443 -> 192.168.43.221:54219 (40) [ RST ACK ]
2017/09/14 12:17:54   detected scan packet: 54447; packet recv TCP 45.33.17.126:443 -> 192.168.0.12:54447 (78) [ PSH ACK ]
2017/09/14 12:19:03   detected scan packet: 54468; packet recv TCP 172.217.7.195:443 -> 192.168.0.12:54468 (95) [ PSH ACK ]
Now I have made a standard account in Windows and use it instead of the admin account.
Now Kaspersky, as earlier, says components have been corrupted; a full scan does not detect anything. Also Malwarebytes does not detect anything, Comodo does not detect anything, and Avast does not detect anything but does not start a full system scan even after 30 min of initiation.
Also, after the infection I installed Ubuntu in dual boot with Windows 10 using the Windows bootloader.
Please help me fix this persistent infection.
 
 

Addition.txt

FRST.txt

Edited by sparta
spelling mistake
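An added triage script (not from the thread or from Outpost) for the attack-detection lines quoted above. Every flagged packet there comes from a service port (443, 80 or 53) to a high ephemeral port on the PC and carries ACK-type flags, which is the shape of the reply half of a connection the PC itself opened, not of an inbound scan; the script parses lines in that format and labels them accordingly. The sample log is constructed in the same shape (the 203.0.113.9 line is an invented inbound SYN to port 445 to show the other verdict); the port sets are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Outpost attack-detection log quoted above.
SAMPLE_LOG = """\
2017/09/13 11:22:34   detected scan packet: 50124; packet recv TCP 74.120.8.14:443 -> 192.168.0.12:50124 (40) [ ACK ]
2017/09/13 20:12:55   detected port scanning: 51603, 51605, 51604; packet recv TCP 54.192.38.67:443 -> 192.168.0.12:51627 (71) [ PSH ACK ]
2017/09/14 10:13:41   detected scan packet: 60411; packet recv UDP 176.103.130.131:53 -> 192.168.0.12:60411 (98)
2017/09/14 12:06:20   detected scan packet: 54224; packet recv TCP 204.79.197.200:443 -> 192.168.43.221:54224 (40) [ RST ACK ]
2017/09/14 13:00:00   detected scan packet: 445; packet recv TCP 203.0.113.9:40000 -> 192.168.0.12:445 (40) [ SYN ]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+detected (?:scan packet|port scanning): [\d, ]+; "
    r"packet recv (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \(\d+\)(?: \[ (?P<flags>[A-Z ]+) \])?$"
)

SERVICE_PORTS = {53, 80, 443}   # ports the workstation itself connects out to (assumed set)
EPHEMERAL_MIN = 49152           # IANA dynamic range; Windows Vista+ allocates client ports here

def classify(proto, sport, dport, flags):
    """'return-traffic' when the packet looks like the reply half of a connection
    the PC opened (service port -> ephemeral port, ACK-type flags), else 'review'."""
    reply_flags = "ACK" in flags            # ACK, PSH ACK, SYN ACK, RST ACK, FIN ACK
    if sport in SERVICE_PORTS and dport >= EPHEMERAL_MIN and (proto == "UDP" or reply_flags):
        return "return-traffic"
    return "review"

def parse_line(line):
    """Parse one detection line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = frozenset(m["flags"].split()) if m["flags"] else frozenset()
    verdict = classify(m["proto"], int(m["sport"]), int(m["dport"]), flags)
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dport": int(m["dport"]), "flags": flags, "verdict": verdict}

def triage(log_text):
    """Parse every detection line and count verdicts per remote host."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    per_host = Counter((e["src"], e["verdict"]) for e in events)
    return events, per_host

if __name__ == "__main__":
    events, per_host = triage(SAMPLE_LOG)
    for (src, verdict), n in sorted(per_host.items()):
        print(f"{src:18} {verdict:16} {n}")
```

Hosts that only ever appear as return-traffic are not evidence of compromise; the "review" bucket is where a real inbound probe would show up.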

4 minutes ago, sparta said:

so reinstalled windows.

So you added these to your hosts file?? They need to be removed.

Quote

2017-09-03 19:39 - 2017-09-15 11:55 - 000000925 ____R C:\WINDOWS\system32\Drivers\etc\hosts

0.0.0.0                   keystone.mwbsys.com
0.0.0.0                   telemetry.malwarebytes.com
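An added check (not from the thread or from FRST) for the kind of hosts-file entry Porthos flags above: a parser that walks the Windows hosts file and reports any hostname sinkholed to 0.0.0.0 or 127.0.0.1 that belongs to a security vendor. The sample content is constructed around the two lines from the FRST excerpt; the vendor suffix list is an assumption for the example and would be extended for the products actually installed.

```python
import sys

# Constructed hosts-file content modelled on the FRST excerpt quoted above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
0.0.0.0                   keystone.mwbsys.com
0.0.0.0                   telemetry.malwarebytes.com   # added by a "privacy" script
127.0.0.1    mytestsite.local www.mytestsite.local
"""

# Path from the FRST line above; only used when a file is actually read.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
# Domains whose sinkholing breaks updates/licensing of security tooling.
# The two Malwarebytes domains come from the FRST excerpt; treat the list as an assumption.
SECURITY_VENDOR_DOMAINS = ("mwbsys.com", "malwarebytes.com")

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping; one line may name several hosts."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:
            yield ip, host.lower(), n

def is_vendor_host(host):
    """True for the vendor domain itself or any subdomain of it (not 'notmalwarebytes.com')."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)

def suspicious_entries(text):
    """Return the entries that silently cut a security product off from its vendor."""
    return [(ip, host, n) for ip, host, n in parse_hosts(text)
            if ip in SINKHOLE_IPS and host != "localhost" and is_vendor_host(host)]

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for ip, host, n in suspicious_entries(text):
        print(f"line {n}: {host} sinkholed to {ip}")
```

Run it with the real path as the argument (for example the WINDOWS_HOSTS value) to check a live machine; with no argument it scans the constructed sample.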


29 minutes ago, Porthos said:

So you added these to your host file?? They need to be removed.


Hi Porthos, thanks for replying. Yes, I reinstalled from the image backup of the Windows partition. I have removed those entries. Now I have the premium trial running a threat scan; will post the log in a few minutes.

malwarebyteslog.txt

Edited by sparta

Also, you need to remove some protection products: 1 AV and 1 firewall, if you feel that is needed, plus Malwarebytes.

Quote

AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Kaspersky Anti-Virus (Enabled - Up to date) {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AV: COMODO Antivirus (Enabled - Up to date) {0C515E80-E355-69BD-3445-A511E5C186FD}
AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: COMODO Advanced Protection (Enabled - Up to date) {B730BF64-C56F-6633-0EF5-9E639E46CC40}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Kaspersky Anti-Virus (Enabled - Up to date) {3D579475-6DDE-A186-1569-44B9F9DE8725}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
FW: COMODO Firewall (Disabled) {346ADFA5-A93A-68E5-1F1A-0C241B12C186}
FW: Outpost Firewall Pro (Enabled) {BFD97B08-B281-A36A-4414-803D4491AB1D}


After reboot Malwarebytes did not respond, nor did it run, but in Task Manager it takes 50% CPU. So I reinstalled Kaspersky Antivirus, removed Avast, removed Malwarebytes and reinstalled Malwarebytes. Now it runs but does not detect anything. Please let me know further steps to fix this. Waiting for reply.


  • Root Admin

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron


I have the same issue as mentioned above. Also, now the internet only works in safe mode using Ethernet, not on WiFi, and on a normal boot the internet does not work on Ethernet or WiFi. Diagnostics say WiFi/Ethernet does not have a valid IP configuration. Also some usoclient.exe runs in a command prompt for a split second after logon in normal mode.
I have to update Malwarebytes and KAV in safe mode and then use them in normal mode. Also FRST.exe was updated in safe mode and the scan then run as administrator in safe mode.

Please let me know how to fix this malware or trojan, whatever it is. Please give me all the steps. Waiting for reply.

Addition.txt

AdwCleaner[C0].txt

AdwCleaner[S0].txt

FRST.txt

Malwarebytes log29092017.txt


  • Root Admin

I'm going to be on the road, but please run the following and post back. I'll check back and help you sometime this weekend.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the Reset FF Proxy Settings option, Firefox should be closed.


Thanks a lot for replying, but the computer stopped working at all; I had to delete everything and install new.

Installed Bitdefender AV and Outpost Firewall with custom rules.

Internet works now, but the DHCP service uses 50% CPU when connected to the internet. If I disable the firewall, DHCP usage comes down to zero. Also no DHCP CPU usage when the internet is not connected.

Any thoughts on this? Sorry for replying after a long time, as I was trying to fix the PC.


  • 2 weeks later...

Thanks for replying back; let the Almighty heal her faster. About the issue: I had one rule to allow UDP for DNS for svchost.exe and another rule to block all other UDP connections for svchost except the DNS one. When I disable the 2nd rule, the DHCP client stops the high CPU usage. Also installed Bitdefender and it detected the Rusy virus in Windows/Temp; after that the system is running fine. Thanks for the response again.

Edited by sparta