joscrete

MBAM Web Protection Disabled and ServiceHost Virus


I am new to this and I am desperate for some help. I have been dealing with the same, or some type of "virus" on every computer, phone and router I have, for at least 3 years now. The more research I do, the more I am starting to think it is a Rootkit. There is so much going wrong, that I don't even know where to begin describing it. I saw someone else wrote about the Web Protection not staying on, which is the most recent issue I've had, so figured I would start there.

Please help me resolve whatever it is that has been infecting my devices forever! I appreciate all the help I can get...

Thanks,

Lianne


Hello @joscrete and :welcome:

Let's do some scans and see what we find.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


Hi Ron,

I apologize for the delay -- (my Malwarebytes Scan took 5 hours!). But anyways -- I have attached logs for Steps 1 and 2. And I will work on 3 right now. Actually... regarding the FRST -- last time I tried downloading that program it had given me problems. I will PrintScreen the errors and attach as well.

I took notes while running the scans... and this is what I got...

1. While running Step 1, I got a notification saying "Unauthorized changes blocked: controlled folder access blocked C:\Program file...\mbam.exe from making changes to the folder %desktopdirectory%\".

Real time protection off -- (won't stay on)

2. Downloaded program, no Terms of Use to accept... I think I might have already had this program installed. When I scanned it... there were 2 logs. S1 and C1. Trying to attach both.

 

Thank you for all your help! It's been a long time since I've been this hopeful that my computer will be clean and working properly!!

Thanks,

Lianne

Please let me know if something didn't upload properly or if I did something wrong. (like I said I am kind of new to forums). :) 

 

AdwCleaner[C1]Step 2 of 3.txt

AdwCleaner[S1]- Step 2 of 3.txt

Malwarebytes Step 1 of 3.txt

Edited by joscrete
More text and upload docs


Hi Lianne,

The scan took so long as you chose a Custom scan with all the options enabled. We normally only need the normal Threat Scan to be run for this, but now that it has been run, yes, as you see, nothing found.

So, at this point we really need to get both of the logs from FRST program.

The other log shows you're running on Windows 10 Home (X64) so you would download the 64-bit version of FRST. Save it to your download folder then close your browser and run FRST.

You may need to disable Smartscreen in order to download it.

https://www.howtogeek.com/75356/how-to-turn-off-or-disable-the-smartscreen-filter-in-windows-8/

Or, you may need to temporarily disable Windows Defender

https://support.microsoft.com/en-us/help/4027187/windows-turn-off-windows-defender-antivirus

Once done running the FRST scan and posting your logs you can re-enable both Smartscreen and Defender if they were previously enabled.

 

This link shows how to run FRST and attach logs - you don't need to create a new topic, just reply back to this one.

Thank you

Ron

 

 

 

 


Hi Ron,

So, I am 99% sure that I am using the "reply to this topic" button so if this doesn't show up as a reply - please accept my apology ahead of time.

Anyways - it took me a little while to get the txt files to actually save because I just noticed that I have 3 different "desktop" locations... they are showing as Desktop, User HP Desktop, and User JosCrete Desktop... I know that when Staples set up my computer they had set up the User HP -- and we asked them to make it JosCrete. So, I am unsure why there are multiple users... (I am assuming this results from the issues we are looking for...)

Anyways, I finally got them to show up. And have attached them for your review.  

Please let me know what you find.


Thank you!

Lianne

FRST.txt

Addition.txt


Thanks Lianne

The logs look pretty good too. Nothing really showing a drastic issue. Our program is crashing though for some reason. Let's try doing a clean removal and reinstall and see if that fixes it.

Please follow these directions to do a clean removal and reinstall of Malwarebytes

Then update it and reboot a second time and let me know what issues you're still having.

Thanks

Ron

 


I am attaching the Log from the Clean Removal --

If you haven't found anything through the logs, can I copy paste my "Task Manager" for you to check out? Because I have a ton of things running without anything open... even the task manager is multiple pages long... so idk even how to Print Screen it on one page... so I will try it now.

 

mb-clean-results.txt

Task Mgr 2.png

Task Mgr 3.png

Task Mgr 4.png

Task Mgr.png


Other issues I have noticed are... these Accounts - what are they, and why are they on my Computer? I don't believe these are normal? Tell me if I am wrong...

The only account I should have isn't listed...

 

==================== Accounts: =============================

Administrator (S-1-5-21-3850544036-2227188579-1660965557-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3850544036-2227188579-1660965557-503 - Limited - Disabled)
Guest (S-1-5-21-3850544036-2227188579-1660965557-501 - Limited - Disabled)
HP (S-1-5-21-3850544036-2227188579-1660965557-1001 - Administrator - Enabled) => C:\Users\HP
josli (S-1-5-21-3850544036-2227188579-1660965557-1002 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-3850544036-2227188579-1660965557-504 - Limited - Disabled)


Yes, so far all the screen shots look to be normal, and yes Windows 10 runs a LOT more processes than other previous versions of Windows, but that does not indicate any issue.

The FRST log shows those processes already, but take a look at your screen shots. The CPU and Memory use are very low.

All of the accounts are normal. Your account is HP and has Admin rights. You have a JOSLI account that I'm guessing is someone in your household and that account has limited rights, and does not have Admin rights. The other accounts are built-in accounts and are very normal. All Windows 10 computers that are up to date have those similar accounts. Nothing to worry about there.

 

So far you are not showing anything that is not normal on most computers.

 

Are you using a Paid version of Malwarebytes? The screen shot shows an expiration ending soon is why I ask.

Ron
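The account check discussed above, as an added example that is not part of the original posts and not code from FRST or Malwarebytes: it parses the Accounts section exactly as posted in this thread and separates built-in accounts (identified by the well-known last SID component: 500, 501, 503, 504) from locally created ones. The two review rules in `review()` are this example's own assumptions about what deserves a closer look.

```python
import re

# Well-known RIDs (last SID component) of Windows built-in local accounts.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest",
                503: "DefaultAccount", 504: "WDAGUtilityAccount"}

# The Accounts section as posted in this thread (FRST Addition.txt format).
FRST_ACCOUNTS = r"""
Administrator (S-1-5-21-3850544036-2227188579-1660965557-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3850544036-2227188579-1660965557-503 - Limited - Disabled)
Guest (S-1-5-21-3850544036-2227188579-1660965557-501 - Limited - Disabled)
HP (S-1-5-21-3850544036-2227188579-1660965557-1001 - Administrator - Enabled) => C:\Users\HP
josli (S-1-5-21-3850544036-2227188579-1660965557-1002 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-3850544036-2227188579-1660965557-504 - Limited - Disabled)
"""

LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-21(?:-\d+){4}) - "
                     r"(?P<priv>\w+) - (?P<state>\w+)\)(?: => (?P<profile>.+))?$")

def parse_accounts(text):
    """Parse 'Name (SID - Privilege - State) [=> profile]' lines into dicts."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            acct = m.groupdict()
            acct["rid"] = int(acct["sid"].rsplit("-", 1)[1])
            acct["builtin"] = acct["rid"] in BUILTIN_RIDS
            acct["enabled"] = acct["state"] == "Enabled"
            accounts.append(acct)
    return accounts

def review(accounts):
    """Return (enabled administrator names, findings that deserve a closer look)."""
    admins = [a["name"] for a in accounts
              if a["enabled"] and a["priv"] == "Administrator"]
    findings = []
    for a in accounts:
        # Assumed rule 1: built-in accounts are normally left disabled.
        if a["builtin"] and a["enabled"]:
            findings.append(f"built-in account enabled: {a['name']} (RID {a['rid']})")
        # Assumed rule 2: a built-in name on a non-built-in RID is worth checking.
        if not a["builtin"] and a["name"] in BUILTIN_RIDS.values():
            findings.append(f"built-in name on RID {a['rid']}: {a['name']}")
    return admins, findings

if __name__ == "__main__":
    admins, findings = review(parse_accounts(FRST_ACCOUNTS))
    print("Enabled administrators:", admins)
    print("Findings:", findings or "none")
```
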

 


One thing you can do is do a full hard reset of your router to ensure it is not compromised.

Please review the following website and read it before continuing and then do a Hard Reset back to Factory Defaults for your router.
This information is only for resetting the router. DO NOT erase, install, or update the firmware, just reset your router to factory defaults.

Reset And Reboot

Hard reset or 30/30/30

 

This topic is now closed to further replies.
