Potato1337 #1 Posted January 13, 2018
I am very careful when downloading programs, but got a virus anyway (I don't know what hit me, but I accepted a program I really thought isn't a virus). The virus deleted Malwarebytes and I couldn't use Windows Defender. First thing I did was downloading Malwarebytes again, of course the virus blocked it. I found a way to install it, but I can't start it. When I launch Malwarebytes, I get an "Unable to start. Unable to connect the Service." message (this also happens when I launch it as an administrator). Does anybody know how to solve this problem?

Porthos #2 Posted January 13, 2018
Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....
Please use an Administrator account when doing the following.

FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs
Download FRST and save it to your desktop. Tell any program that blocks it to ignore or allow. It IS SAFE. It contains no info that can identify or harm you.
NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
Press the "Scan" button
This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you

NEXT: Create and obtain an mb-check log
Download MB-Check and save to your desktop
Double-click to run MB-Check and within a few seconds the command window will open, then click "OK"
This will produce one log file on your desktop: mb-check-results.zip
Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

Potato1337 #3 Posted January 13, 2018
Hello, here are the files
Addition.txt FRST.txt mb-check-results.zip

Porthos #4 Posted January 13, 2018 (edited)
9 minutes ago, Potato1337 said:
> Hello, here are the files

You are correct you are infected, I will have this post moved to the malware removal section. @Aura @AdvancedSetup
Edited January 13, 2018 by Porthos

Potato1337 #5 Posted January 13, 2018
Ok, I managed to fix the problem by myself, I downloaded Malwarebytes Chameleon and everything worked.

Porthos #6 Posted January 13, 2018
5 minutes ago, Potato1337 said:
> Ok, I managed to fix the problem by myself, I downloaded Malwarebytes Chameleon and everything worked.

I would let the experts still take a look.

Potato1337 #7 Posted January 13, 2018
7 minutes ago, Kebinu777 said:
> Hello, I am having similar problems. Older versions of Malwarebytes open as well as Chameleon, but as soon as I install the latest version it won't open at all (Connect to services) I have attached the mb-check-results.zip please help me solve this. I have a two year account with Malwarebytes so I'm not sure what keeps the new version from opening in windows 10. mb-check-results.zip

Now I checked and found out that only the "Chameleon" (or the older version) works. The latest version doesn't open, I still get that same error. Weird

Porthos #8 Posted January 13, 2018
@Potato1337 Please wait on staff to move your topic and a malware expert to get to you.
@Kebinu777 I have asked staff to move your post to its own topic. Not all issues are the same.

Aura #9 Posted January 13, 2018
Hi Potato1337
My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules
In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone

This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread

This being said, it's time to clean-up some malware, so let's get started, shall we?

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.
https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/
If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here after.

Potato1337 #10 Posted January 13, 2018
Hello, Yoan. I managed to run a scan, it said there are no viruses. I am really not sure if I have them on my computer or not. As I wrote in this thread, I managed to run Malwarebytes Chameleon, so I removed all the threats. Anyway, here are the mbar-log.txt file contents:

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org
Database version: main: v2018.01.13.05 rootkit: v2017.10.14.01
Windows 10 x64 NTFS
Internet Explorer 11.576.14393.0
Admin :: DESKTOP-L4A24CR [administrator]
14.01.2018 1:24:53
mbar-log-2018-01-14 (01-24-53).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 230101
Time elapsed: 7 minute(s), 52 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)

Aura #11 Posted January 14, 2018
Good. Now follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
Download the right version of FRST for your system: FRST 32-bit, FRST 64-bit
Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
Move the executable (FRST.exe or FRST64.exe) on your Desktop
Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
Make sure the Addition.txt box is checked
Click on the Scan button
On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files
Copy and paste the content of both FRST.txt and Addition.txt in your next reply

Potato1337 #12 Posted January 14, 2018
Hello, here are the files.
Addition.txt FRST.txt

Aura #13 Posted January 14, 2018
Alright, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Click on the Fix button
On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
Copy and paste its content in your next reply
fixlist.txt

Potato1337 #14 Posted January 14, 2018
Hello, here is the log file.
Fixlog.txt

Aura #15 Posted January 14, 2018
Awesome! How's your system behaving now? Are there any other issues to address?

Potato1337 #16 Posted January 14, 2018
I don't think there is something wrong with my system now, but I still need to fix the original problem. I posted a screenshot of the error I was getting when trying to launch the latest version of Malwarebytes. Of course I can use Mb Chameleon, but I want to use the latest version.

Aura #17 Posted January 14, 2018
Alright, can you simply uninstall and reinstall Malwarebytes, and see if that works? We removed the infection (CertLock) on your system preventing Malwarebytes from working properly, so a simple reinstall should do the trick.

Potato1337 #18 Posted January 14, 2018
Unfortunately, this didn't work. Same error

Aura #19 Posted January 15, 2018
Alright, follow the instructions below.

AdwCleaner - Fix Mode
Download AdwCleaner and move it to your Desktop
Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Accept the EULA (I accept), then click on Scan
Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

RogueKiller
Download the right version of RogueKiller for your Windows version (32 or 64-bit)
Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
Wait for the scan to complete
On completion, the results will be displayed
Check every single entry (threat found), and click on the Remove Selected button
On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
This will open the report in Notepad. Copy/paste its content in your next reply

Your next reply(ies) should therefore contain:
Copy/pasted AdwCleaner clean log
Copy/pasted RogueKiller clean log

Potato1337 #20 Posted January 15, 2018
Hi, here is an adwcleaner log:

# AdwCleaner 7.0.6.0 - Logfile created on Mon Jan 15 15:06:05 2018
# Updated on 2017/21/12 by Malwarebytes
# Database: 01-11-2018.1
# Running on Windows 10 Enterprise 2016 LTSB (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support
***** [ Services ] *****
No malicious services found.
***** [ Folders ] *****
No malicious folders found.
***** [ Files ] *****
No malicious files found.
***** [ DLL ] *****
No malicious DLLs found.
***** [ WMI ] *****
No malicious WMI found.
***** [ Shortcuts ] *****
No malicious shortcuts found.
***** [ Tasks ] *****
No malicious tasks found.
***** [ Registry ] *****
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries.
***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries.
*************************
C:/AdwCleaner/AdwCleaner[C0].txt - [3061 B] - [2018/1/13 17:7:34]
C:/AdwCleaner/AdwCleaner[S0].txt - [3189 B] - [2018/1/13 17:6:44]
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########

And RogueKiller log:

RogueKiller V12.12.0.0 (x64) [Jan 15 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Admin [Administrator]
Started from : I:\Downloads\RogueKiller_portable64.exe
Mode : Delete -- Date : 01/15/2018 17:19:32 (Duration : 00:31:49)
¤¤¤ Processes : 1 ¤¤¤
**I actually need this, this isn't a virus or anything harmful**
[VT.Detected] AAct.dll(8156) -- C:\Activators\AAct v3.2 Portable\AAct.dll[7] -> Found
¤¤¤ Registry : 7 ¤¤¤
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2292250545-2329621696-241518076-1001\Software\IM -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2292250545-2329621696-241518076-1001\Software\IM -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://ovgorskiy.ru -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://ovgorskiy.ru -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://ovgorskiy.ru -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://ovgorskiy.ru -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[Adw.Eszjuxuan] (X64) HKEY_USERS\S-1-5-21-2292250545-2329621696-241518076-1001\Control Panel\Desktop | SCRNSAVE.EXE : C:\ProgramData\DreamScreen\DreamCompress.scr [x] -> Replaced (C:\Windows\system32\logon.scr)
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 2 ¤¤¤
**I need both of these, they aren't viruses as well**
[PUP.HackTool][File] C:\Windows\KMSAuto.exe -> Not selected
[PUP.uTorrentAds][File] C:\Users\Admin\AppData\Roaming\uTorrent\updates\3.5.0_43804\utorrentie.exe -> Not selected
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://youtube.com/] -> Deleted
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] cf5296ad1c4b687ed4277604615018bc
[BSP] 65c5ca946977dabbd5f4e7bbcdbe5e0a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 113971 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 5a024813e487fb91a452b50282bb43f7
[BSP] 303b5ff7fce5f7a645d99d7329e97e9e : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 2861608 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: +++++
Error reading User MBR! ([15] ?????????? ?? ??????. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] ????? ?????? ?? ??????????????. )
+++++ PhysicalDrive3: +++++
Error reading User MBR! ([15] ?????????? ?? ??????. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] ????? ?????? ?? ??????????????. )
+++++ PhysicalDrive4: +++++
Error reading User MBR! ([15] ?????????? ?? ??????. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] ????? ?????? ?? ??????????????. )
+++++ PhysicalDrive5: +++++
Error reading User MBR! ([15] ?????????? ?? ??????. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] ????? ?????? ?? ??????????????. )

Aura #21 Posted January 16, 2018
Alright. Are you able to launch Malwarebytes now, or are you getting the same error?

Potato1337 #22 Posted January 16, 2018
Unfortunately, I get the same error when trying to launch it

Aura #23 Posted January 16, 2018
Configure a clean boot and restart your computer. Once done, see if you can open Malwarebytes.
http://www.thewindowsclub.com/what-is-clean-boot-state-in-windows

Potato1337 #24 Posted January 17, 2018
I did this, but I still get the same error.

Potato1337 #25 Posted January 18, 2018
Hello, I remember I was trying to fix the problem by myself and came across this forum https://www.technibble.com/forums/threads/malwarebytes-cannot-connect-to-the-service.76034/ where a person had the exact same problem as me, but I didn't really understand how the problem was solved. The solution says something about WMI or other services not working correctly and when trying to start the Malwarebytes service in the service list, it gives a "Windows could not start the Malwarebytes service on the local computer. Error code: 1068. The dependency service or group failed to start." error. I think some services don't work properly so it results in an error when launching Malwarebytes. I would like to know which services must be working to launch Malwarebytes and how to fix the service not being able to run.
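
One way to see which services sit behind the error 1068 message quoted in the last post, as an added example that is not part of the thread or of any Malwarebytes tooling. The function name `Get-ServiceDependencyStatus` is hypothetical, and `MBAMService` is an assumed service name that should be confirmed on the machine with `Get-Service *mbam*`.

```powershell
# Added example (not from the thread). Lists every service that a given
# service depends on, directly or indirectly, with its state and start type.
# A dependency that is Disabled, or that will not start, produces error 1068
# for the service at the top of the tree.
function Get-ServiceDependencyStatus {
    param(
        [Parameter(Mandatory)]
        [System.ServiceProcess.ServiceController]$Service,
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Seen
    )
    if ($null -eq $Seen) {
        $Seen = New-Object 'System.Collections.Generic.HashSet[string]'
    }
    # Visit each service once, even when several services share a dependency.
    if (-not $Seen.Add($Service.ServiceName.ToLowerInvariant())) { return }

    try {
        $status    = $Service.Status
        $startType = $Service.StartType          # needs PowerShell 5.0 or later
        $deps      = $Service.ServicesDependedOn
    } catch {
        # Registered as a dependency, but the entry is missing or damaged.
        [pscustomobject]@{
            Depth = $Depth; Name = $Service.ServiceName
            Status = 'Unavailable'; StartType = 'Unknown'
            Note = 'listed as a dependency but cannot be queried'
        }
        return
    }

    $note = ''
    if ($startType -eq 'Disabled') {
        $note = 'disabled, cannot be started on demand'
    } elseif ($status -ne 'Running') {
        $note = 'not running, try Start-Service and read the error'
    }

    [pscustomobject]@{
        Depth = $Depth; Name = $Service.ServiceName
        Status = $status; StartType = $startType; Note = $note
    }

    foreach ($dep in $deps) {
        Get-ServiceDependencyStatus -Service $dep -Depth ($Depth + 1) -Seen $Seen
    }
}

# Assumption: 'MBAMService' is how the Malwarebytes service is registered here.
$target = Get-Service -Name 'MBAMService' -ErrorAction Stop
Get-ServiceDependencyStatus -Service $target | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; rows with a non-empty Note at Depth 1 or deeper are the services to repair before the top-level service can start.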