
Aggressive Malware still infected



  • Root Admin

Hello @Punishere and welcome!

 

Please run the following steps and post back the logs as an attachment when ready. It's quite late for me, so I'm heading out, but will check back on you again sometime tomorrow.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

Reboot the computer if Step 2 did not do so for you so that we can get new FRST logs.

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


When I do a Google search with Chrome I get redirected by "extension.whitesmoke", which sends me to Yahoo search. I'm not sure if that will help, but that is what I'm noticing.

(Step 01)

I re-downloaded the latest version of Malwarebytes and ran the software. The scan report is labeled "Malwarereport.txt".

(step 02)

I downloaded and ran AdwCleaner and removed what it found. The scan report is labeled "AdwCleaner[S1].txt".

(Step 03)

Downloaded the Farbar Recovery Scan Tool. The scan reports are labeled "FRST.txt" and "Addition.txt".

I appreciate the help Ron!

 

Malwarereport.txt

FRST.txt

Addition.txt

AdwCleaner[S1].txt



  • Root Admin

Please download Farbar Recovery Scan Tool and save it to a USB flash drive.

Note: You need to run the version compatible with your system.

You can check here if you're not sure whether your computer is 32-bit or 64-bit.

Plug the flash drive into the infected PC and start the computer into the Recovery Options for Command Prompt.

Windows Vista, 7

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language setting, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Windows 8, 8.1
Please see
How to use the Windows 8 System Recovery Environment Command Prompt

Windows 10
Please see
How to Start Windows 10 in Safe Mode with Command Prompt

How to Boot to Advanced Startup Options in Windows 10

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc or make a repair disc.
Any Windows installation disc or a repair disc made on another computer can be used.
Choose one of the options below to download and create a Windows Repair Disk or Installation Disk. Either one can be used.

How to Create a Windows 7 System Repair Disc
How to Create a System Repair Disc in Windows 10
Microsoft Windows and Office ISO Download Tool

You may also download from Microsoft, but you will need to input your license key first. The above links do not require your key.

Download Windows 7 Disc Images (ISO Files)
Download Windows 8.1
Download Windows 10

 

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt

Once in the Command Prompt:

  • In the command prompt, type notepad and press Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Fix button and wait for the scan to complete
  • A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply

 

fixlist.txt

Thanks

Ron

 

 


  • Root Admin

There were some folders that could not be moved which is odd when run from the Recovery Environment. Let's do a full disk check and try again.

NOTE: This can take a few hours to complete depending on the speed of your system.

 

 

Please follow the directions below to get into Windows 10 Safe Mode at a Command Prompt

If needed, here is another link with 7 ways to boot into Safe Mode in Windows 10

Please print out these instructions, or view them from another computer.

On the affected computer, please log off by right-clicking the Start button and selecting Log Off.

Then, at the Login screen, press and hold the Shift key on the keyboard, click the power button on screen and select Restart. Do not let go of the Shift key until it reboots.


After the Restart it will come up with a screen as shown below. Click on the Troubleshoot button.


Then you'll have another menu like below. Click on the Advanced options button.


Now click on the Command Prompt button.


 

You should probably see a screen similar to below, getting the command prompt ready.


Select your Account


Type in your Password


Now, type in NOTEPAD and press the Enter key.


Click File - Open inside of Notepad to see what drive Windows is on.


Now type in CHKDSK C: /R (make sure you use your disk letter, which may be D: or E: etc.)


The disk check should run and look similar to below. From this Safe Mode the drive cannot be locked and should not ask for any reboot. It should just run like shown below.


Please try that, and if you have issues, take some pictures with your phone and post them back so we can see what's going on.

Thank you

Ron

 

 


  • Root Admin

Yes, it almost always says that in DOS. Please run the other command in Windows to grab the log.

Press the Windows + R keys to open the Run dialog, type powershell.exe, and press Enter.

In PowerShell, copy and paste the command below, and press Enter.

get-winevent -FilterHashTable @{logname="Application"; id="1001"} | ?{$_.providername -match "wininit"} | fl timecreated, message | out-file Desktop\CHKDSKResults.txt

A CHKDSKResults.txt file will be created on your desktop; that is the log file of your chkdsk scan results from Event Viewer.

Please upload that file on your next reply.

 


  • Root Admin

My fault. When you run from the RE it cannot log the results to the Event Logs so you won't have that entry.

Okay, please run a fresh FRST scan for me and include the Addition.txt too.

Try to run Malwarebytes and check for updates. Then do a Custom Scan and include rootkit scanning and scan your drive and post back the new log.

Thanks

Ron

 


  • Root Admin

The Malwarebytes log shows you did not choose to have the program remove the found threats.

Please run the scan again, or check for another log that shows you chose the removal.

I also see this computer was upgraded from Windows 7, as I see Combofix was run on it (meaning the computer was infected at some point when it was on Windows 7, and the tool was not run correctly and removed); then junk, changes, and malware were simply upgraded into Windows 10.

Is this a Business Computer?

Ron

 


I don't think this was upgraded from Windows 7 to 10. There are 2 OS's on this machine on two different drives. I'm using Windows 7 as a "backup OS". This is no longer a business machine. If this doesn't work I'll just wipe the SSD.

As far as showing the deletion of the files in the text log... Mbam quarantines them and then I go and delete them after. I just ran it again and deleted what I saw.

Malwarescan2.txt


Now it's hanging. It might be because I said delete manually?


  • Root Admin

When you say this computer has 2 OS's on it, with 2 different drives, do you dual boot using a boot-up config or program to change OS?

 

So what is the program?

Startup: C:\Users\Punishere\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outsell.lnk [2017-09-20]
ShortcutTarget: outsell.lnk -> C:\Program Files (x86)\Unseasonable\deadpan.exe (Deadpan)

Google search does not find this folder, so it's pretty rare to have folders for programs that no one else does.

 

In your log from Post #19 it shows the following.

PUP.Optional.CrossRider, C:\QOOBOX\QUARANTINE\C\PROGRAM FILES (X86)\ADOBE\5077EF7D-0CAF-4DE6-A9C8-A6300DE3BDDE.DLL.VIR, No Action By User, [219], [301026],1.0.2859

This folder C:\QOOBOX cannot exist on a Windows 10 computer. The program will not run on Windows 10 so at some point the computer or this disk drive is/was a Windows 7 or Windows 8 drive.

 

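The check Ron performed by hand above (reading the Startup folder entry and following the shortcut to its target) can be done for every Startup shortcut at once. The script below is an added example, not part of the thread or of any Malwarebytes tool; it assumes Windows PowerShell with the WScript.Shell COM object available and only reads data, changing nothing on disk.

```powershell
# Added example (not from the thread): list every .lnk in the per-user and
# all-users Startup folders, resolve its target and report whether the target
# exists and is signed, so an entry like outsell.lnk -> deadpan.exe stands out.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup
)

$shell = New-Object -ComObject WScript.Shell

$report = foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        $isFile = ($target -ne '') -and (Test-Path -LiteralPath $target -PathType Leaf)

        # Authenticode status of the target binary. A missing target or an
        # unsigned binary in an unfamiliar Program Files folder deserves a look.
        $sigStatus = 'n/a'
        $signer    = ''
        if ($isFile) {
            $sig       = Get-AuthenticodeSignature -FilePath $target
            $sigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Shortcut     = $_.FullName
            Created      = $_.CreationTime
            Target       = $target
            Arguments    = $lnk.Arguments
            TargetExists = $isFile
            Signature    = $sigStatus
            Signer       = $signer
        }
    }
}

# Missing and unsigned targets sort to the top for review.
$report | Sort-Object TargetExists, Signature | Format-List

# Save a copy next to the other logs so it can be attached to a reply.
$report | Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\StartupShortcuts.csv') -NoTypeInformation
```

Shortcuts whose target no longer exists, or points at an unsigned executable in a folder name no vendor uses, are the ones to compare against the FRST Startup: lines.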

The computer has several drives. Windows 10 is on one drive and Windows 7 is on another drive. I assume the MBR is keeping a record of two separate operating systems on one of the drives. A boot manager appears when you start the machine. I'm not exactly sure what that program or folder is, or the history of the drive. Also, this machine needs to be up and running soon. So what I will probably do is get any personal files from the machine and do a destructive format on the infected drive. It will be quicker this way. I apologize Ron, I really did appreciate your help. This is just one of those times it's easier to just start over.


  • Root Admin

Not a problem. I fully understand, and in the long run a clean install would be better. Often people don't have the means to do so and are forced to do some type of cleanup.

Just boot from the Windows 10 installation media and delete all partitions. Then let Windows install on the remaining partition. (If you have multiple physical drives, you might want to disconnect them first to make sure you don't accidentally choose one of them.)

The complexity of finding, preventing, and cleanup from malware
 
