Jump to content

Impossible anti-avast/malwarebyt/mbar help!


Recommended Posts

Im running out of options, EVERYTHING anti-virus/anti-malware is unusable, I get the resource is in use screen.  Avast, malwarebytes, mbar-1.10.2.1002-nr which i think is the latest, is also unusable. ive downloaded frst and got a log, I dont know what else to do. i cant afford to buy another windows cd so a clean slate isnt an option. also somehow a new system folder called sysWOW64 came out of nowhere and is adding random processes, like net.exe*32, cmd.exe*32, and net1.exe*32, i also have a folder called Winohen in my program files folder, that creates multiple processes of the same wmprvs.exe like 8 of them and they use up lots of my cpu and memory, everytime i delete it, it comes right back after a couple hours, im at a loss now, please help!!!!

Addition.txt

FRST.txt

Link to post
Share on other sites

Hello blacksheep0023 and welcome to Malwarebytes,

See if you can complete the following:

Download PowerTool and save to your Desktop, ensure to get the correct version:

PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh

PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx

Please follow the instructions below:

Right click on user posted image PowerTool, Select "Run as Administrator"

Windows 10 users may see the following, if so select "More Info"

user posted image

In the next Window select "Run Anyway"

user posted image

Initially click on sq image to enlarge window to full screen (As shown in the image below)
Now click on Kernel tab (No. 1 on the image below)
Then click on Kernel Notify Routine (No. 2 on the image below)
Also click on Path so you sort the list by name (No. 3 on the image below)

user posted image

Right click anywhere on listed items under path (No. 4 on the image above) and select Export.

user posted image

Save exported file to your Desktop, zip up that file and attach to your reply....

user posted image user posted image

Thank you,

Kevin......
Link to post
Share on other sites

Hello blacksheep0023,

Run PowerTool one more time, again select the following tabs as you did previously:

  • Kernel tab
  • Kernel Notify Routine
  • Path

From the list underneath Path Right click on each of the following files shown in the attached image (usblqlrl.sys) and select "Remove Notify" Confirm with Yes. One of them maybe impossible to remove, just ignore that one.....

When complete give MBAR another try, let me know what happens...

Thank you,

Kevin....

 

 

Bad file.JPG

Edited by kevinf80
Link to post
Share on other sites

oops :wacko: wrong thread... Did you run MBAR, or Malwarebytes..?

Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log   Date and time of scan will also be shown

For Malwarebytes:

To get the log from Malwarebytes do the following:

  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options: > From export you have two options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     

  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

 

Link to post
Share on other sites

haha thats ok man, i really appreciate your time. found the logs, im also still having problems with my internet settings being changed by it, my time is set hours ahead and when i attempt to adjust time/date i get windows security window displaying, These files cant be opened: your internet security settings have prevented one or more files from opening: C:\Windows\system32\rundll32.exe

mbar-log-2017-10-25 (17-28-27).txt

system-log.txt

Link to post
Share on other sites

Yes you had a nasty infection, can you run MBAR again. Post the two fresh logs.... If they come back clean there is another tool in MBAR folder that will reset certain changes made by the infection....

Included with Malwarebytes Anti-Rootkit is a tool called fixdamage.  This utility can repair some common problems which are the result of some rootkit infections.  Normally as part of the cleanup?removal process, MBAR will automatically run fixdamage for you if required, however you may run it manually if need be should any problems remain after restarting your PC after the removal process is completed such as Windows Update problems, the Windows Firewall not functioning or a lack of internet connectivity.
To run fixdamage manually, simply open MBAR's folder and open the folder called “Plugins” and then double-click on fixdamage.exe and then restart your computer, even if not prompted to do so.

Let me know what happens, this infection changes so we may encounter stuff we are unaware about...

 

Link to post
Share on other sites

Run the following scan:

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....
Link to post
Share on other sites

I`m in the UK, my current time is 22:30, I will probably catch up tomorrow... If mrt log is clear run the following:

Download Portable Windows Repair (all in one) from one of the following:

www.tweaking.com/files/setups/tweaking.com_windows_repair_aio.zip

http://www.majorgeeks.com/mg/getmirror/tweaking_com_windows_repair_portable,1.html

https://www.bleepingcomputer.com/download/windows-repair-all-in-one/

Unzip the contents into a newly created folder on your desktop.

Boot your system to Safe mode, instructions here: https://support.microsoft.com/en-gb/help/12376/windows-10-start-your-pc-in-safe-mode

Open the Tweaking.com folder, run the tool by right click on Repair_Windows (icon with red briefcase) select "Run as Administrator"

From the main GUI do the following:

Select Tab 5 to make Registry backup, use the recommended option...

user posted image

When complete select "Repairs" tab, from there select "Open Repairs" tab..

From that window select the default option and checkmarck "Select All" box. When ready select "Start Repairs" tab....

user posted image

When complete re-boot your system to Normal mode, see if there is any improvement...

Logs are saved to the Tweaking.com folder on your Desktop, the one to post is _Windows_Repair_Log.txt
 
Let me see that log, also is time issue cleared...
 
Cheers,
Kevin....
Link to post
Share on other sites

I want you to install McShield, that will protect your system when USB devices are used: http://www.mcshield.net/download.html

Next,

Regarding the time issue, read through steps at the following link, see if that helps: https://helpdeskgeek.com/windows-7/cant-change-date-and-time-in-windows-7/

Have a look at Method Five first, are your settings the same way...?

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Next,

Please follow the instructions below for PowerTool agai:

Right click on user posted image PowerTool, Select "Run as Administrator"

Windows 10 users may see the following, if so select "More Info"

user posted image

In the next Window select "Run Anyway"

user posted image

Initially click on sq image to enlarge window to full screen (As shown in the image below)
Now click on Kernel tab (No. 1 on the image below)
Then click on Kernel Notify Routine (No. 2 on the image below)
Also click on Path so you sort the list by name (No. 3 on the image below)

user posted image

Right click anywhere on listed items under path (No. 4 on the image above) and select Export.

user posted image

Save exported file to your Desktop, zip up that file and attach to your reply....

user posted image user posted image

Thank you,

Kevin......
.

 

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.