Impossible anti-avast/malwarebyt/mbar help!

[blacksheep0023]

Im running out of options, EVERYTHING anti-virus/anti-malware is unusable, I get the resource is in use screen.  Avast, malwarebytes, mbar-1.10.2.1002-nr which i think is the latest, is also unusable. ive downloaded frst and got a log, I dont know what else to do. i cant afford to buy another windows cd so a clean slate isnt an option. also somehow a new system folder called sysWOW64 came out of nowhere and is adding random processes, like net.exe*32, cmd.exe*32, and net1.exe*32, i also have a folder called Winohen in my program files folder, that creates multiple processes of the same wmprvs.exe like 8 of them and they use up lots of my cpu and memory, everytime i delete it, it comes right back after a couple hours, im at a loss now, please help!!!!

Addition.txt

FRST.txt

[blacksheep0023]

i also realized that at first when i download mbar, it will not let me install, it just says that the resource is in use, i saw that the trojan has a namelist, so i changed the name of the exe, it ran and installed and then once i get to the mbar folder to run it, it once again says the resource is in use. idk.....

 

[kevinf80]

Hello blacksheep0023 and welcome to Malwarebytes,

See if you can complete the following:

Download PowerTool and save to your Desktop, ensure to get the correct version: PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx Please follow the instructions below: Right click on PowerTool, Select "Run as Administrator" Windows 10 users may see the following, if so select "More Info" In the next Window select "Run Anyway" Initially click on sq image to enlarge window to full screen (As shown in the image below) Now click on Kernel tab (No. 1 on the image below) Then click on Kernel Notify Routine (No. 2 on the image below) Also click on Path so you sort the list by name (No. 3 on the image below) Right click anywhere on listed items under path (No. 4 on the image above) and select Export. Save exported file to your Desktop, zip up that file and attach to your reply.... Thank you, Kevin......

[blacksheep0023]

ok, here it is. really curious on what this is, and what it does. and how it will solve this that way i know for future reference.

notify.zip

[kevinf80]

Hello blacksheep0023,

Run PowerTool one more time, again select the following tabs as you did previously:

• Kernel tab
• Kernel Notify Routine
• Path

From the list underneath Path Right click on each of the following files shown in the attached image (usblqlrl.sys) and select "Remove Notify" Confirm with Yes. One of them maybe impossible to remove, just ignore that one.....

When complete give MBAR another try, let me know what happens...

Thank you,

Kevin....

 

 

Edited October 25, 2017 by kevinf80

[blacksheep0023]

Malwarebyte is back on its feet, I updated and scanned. What were those in kernel?

[kevinf80]

That is the crux of the infection, rootkit drivers.... As that infection has changed over time we see more and more hidden rootkits with that tool. That fix with PowerTool is attributed to @TwinHeadedEagle

Can I see the log from Malwarebytes, also give an update on how your PC is behaving....

Thank you,

Kevin...

[blacksheep0023]

Where do I get the log?

[kevinf80]

Log will be on usb flashdrive..

[blacksheep0023]

Mbar was on my desktop, I have a kaspersky Bootable usb in the system right now are you sure?

[kevinf80]

oops wrong thread... Did you run MBAR, or Malwarebytes..?

Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log   Date and time of scan will also be shown

For Malwarebytes:

To get the log from Malwarebytes do the following:

• Click on the Reports tab > from main interface.
• Double click on the Scan log which shows the Date and time of the scan just performed.
• Click Export > From export you have two options: > From export you have two options:

    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
   

• Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…
  

 

[blacksheep0023]

haha thats ok man, i really appreciate your time. found the logs, im also still having problems with my internet settings being changed by it, my time is set hours ahead and when i attempt to adjust time/date i get windows security window displaying, These files cant be opened: your internet security settings have prevented one or more files from opening: C:\Windows\system32\rundll32.exe

mbar-log-2017-10-25 (17-28-27).txt

system-log.txt

[kevinf80]

Yes you had a nasty infection, can you run MBAR again. Post the two fresh logs.... If they come back clean there is another tool in MBAR folder that will reset certain changes made by the infection....

Included with Malwarebytes Anti-Rootkit is a tool called fixdamage.  This utility can repair some common problems which are the result of some rootkit infections.  Normally as part of the cleanup?removal process, MBAR will automatically run fixdamage for you if required, however you may run it manually if need be should any problems remain after restarting your PC after the removal process is completed such as Windows Update problems, the Windows Firewall not functioning or a lack of internet connectivity.
To run fixdamage manually, simply open MBAR's folder and open the folder called “Plugins” and then double-click on fixdamage.exe and then restart your computer, even if not prompted to do so.

Let me know what happens, this infection changes so we may encounter stuff we are unaware about...

 

[blacksheep0023]

here is the last log im going to restart and everything seems normal so far, cpu usage idles at 0-4% and i no longer have a ton of processes.

mbar-log-2017-10-25 (19-12-40).txt

[kevinf80]

Did you run "Fixdamage" tool....?

[blacksheep0023]

Yes then did a restart. I still cannot change time. Same windows security window with rundll32.exe

[kevinf80]

Run the following scan:

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop Ensure to get the correct version for your system.... 32 Bit version: https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en 64 Bit version: https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\mrt.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

[blacksheep0023]

Ok thanks so much for your help, I have to leave for work, I will be back at 1am to give updates

[kevinf80]

I`m in the UK, my current time is 22:30, I will probably catch up tomorrow... If mrt log is clear run the following:

Download Portable Windows Repair (all in one) from one of the following: www.tweaking.com/files/setups/tweaking.com_windows_repair_aio.zip http://www.majorgeeks.com/mg/getmirror/tweaking_com_windows_repair_portable,1.html https://www.bleepingcomputer.com/download/windows-repair-all-in-one/ Unzip the contents into a newly created folder on your desktop. Boot your system to Safe mode, instructions here: https://support.microsoft.com/en-gb/help/12376/windows-10-start-your-pc-in-safe-mode Open the Tweaking.com folder, run the tool by right click on Repair_Windows (icon with red briefcase) select "Run as Administrator" From the main GUI do the following: Select Tab 5 to make Registry backup, use the recommended option... When complete select "Repairs" tab, from there select "Open Repairs" tab.. From that window select the default option and checkmarck "Select All" box. When ready select "Start Repairs" tab.... When complete re-boot your system to Normal mode, see if there is any improvement... Logs are saved to the Tweaking.com folder on your Desktop, the one to post is _Windows_Repair_Log.txt   Let me see that log, also is time issue cleared...   Cheers, Kevin....

[blacksheep0023]

Ok sorry, didn't give correct time format, it's currently 7:55 pm U.Saturday central time. I'll follow given instructions once I get home from work at 1am

[kevinf80]

Thanks for the update, catch up later...

[blacksheep0023]

ok, i did everything, restarted etc, the time is still unchangable due to windows security, internet security preventing rundll32.exe from opening.

_Windows_Repair_Log.txt

[blacksheep0023]

oh and when ever a new drive/usb/phone is plugged in i get like 8 windows security saying the same thing but its dinotify.exe

[kevinf80]

I want you to install McShield, that will protect your system when USB devices are used: http://www.mcshield.net/download.html

Next,

Regarding the time issue, read through steps at the following link, see if that helps: https://helpdeskgeek.com/windows-7/cant-change-date-and-time-in-windows-7/

Have a look at Method Five first, are your settings the same way...?

Next,

Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Next, Please follow the instructions below for PowerTool agai: Right click on PowerTool, Select "Run as Administrator" Windows 10 users may see the following, if so select "More Info" In the next Window select "Run Anyway" Initially click on sq image to enlarge window to full screen (As shown in the image below) Now click on Kernel tab (No. 1 on the image below) Then click on Kernel Notify Routine (No. 2 on the image below) Also click on Path so you sort the list by name (No. 3 on the image below) Right click anywhere on listed items under path (No. 4 on the image above) and select Export. Save exported file to your Desktop, zip up that file and attach to your reply.... Thank you, Kevin...... .

 

 

 

[blacksheep0023]

my settings regarding the time issue, are exactly the same as shown, idk man. but heres the kernal log, what are you looking for in it? i would really like to lean as much as possible from these situations.

notify.csv