Jump to content

Recommended Posts

Hello Malwarebytes. I recently got attacked by a virus, installing over 10 applications on my computer at one go. Part of the virus messes with my windows defender settings and ever since, my windows defender is unable to turn on.

I check my running processes and always find a g***.tmp.exe process, and it runs everytime i start the windows up. I did not see this file prior to this virus attack. I have removed and cleaned the registry of what i already know, but my windows defender, still isn't able to be turned on. The error is "Windows defender is turned off by group policy". My workaround is i go to regedit and edit the value of "disableantispyware" and windows defender will be able to run normally. BUT this is only a temporary fix and everytime i restart my computer, it goes back to "Windows defender is turned off by group policy". I also noticed in my permissions of my files, there are "All Application Packages" and "Trusted Installer". Are these supposed to be there? 

Here are my .txt files from FRST.

 

Best Regards,

Raphael 

Addition.txt

FRST.txt

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here help you!!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact an Administrator to let them know.

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:

Spoiler

Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.

    auto-reply-scan-types2.jpg.86e24e955a95d
     
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.

    auto-reply-scan-types1.jpg.f4eee0e0c9375
     
  4. Click Start Scan
     

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:

Spoiler

Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.

    _frst_scan.jpg.d79beccbb6e66628e557f6c28
     
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please attach or copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.
     

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:   notify me.jpeg
 

Click "Reveal Hidden Contents" below for details on how to add attachments to your post.
Note: If you are unable to attach files, please copy and past the contents of the requested files in your Reply instead. 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

mb_attach.jpg.220985d559e943927cbe3c078b
 

Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Troubleshooting Tips

 

 

Link to post
Share on other sites

Hello raphaelchia and welcome to Malwarebytes,

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

fixlist.txt

Link to post
Share on other sites

Hello Kevin, 

Thank you so much for taking your time to reply. I did everything you said, except for the malwarebytes anti-malware part because i have no idea where can i download it. I downloaded "malwarebytes" from this website, but it wouldn't open after installing on my PC.

Here are the .txt file from FRST, MSRT and AdwCleaner.

Another issue i just realized, is that, now windows will constantly(once every few hours) prompt me to activate my windows online. But when i click activate online, it says can't be activated.

Best Regards

Raphael

mrt.log

Fixlog.txt

AdwCleaner[C08].txt

Link to post
Share on other sites

It is beneficial to install and run Malwarebytes as follows:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Thank you,

Kevin....

 

Link to post
Share on other sites

Hi Kevin, sure thing, this is the log copy pasted.

 

Best Regards

Raphael

 

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/17/18
Scan Time: 9:16 PM
Log File: a91365f6-7230-11e8-a035-025041000001.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5518
License: Free

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: RaphaelHome\Raphael

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 268296
Threats Detected: 45
Threats Quarantined: 45
Time Elapsed: 2 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Trojan.Dropper.Generic, C:\PROGRAM FILES (X86)\WINDOWSPOWERSHELL\CONFIGURATION\REGISTRATION\SVHOST.EXE, Quarantined, [9352], [355568],1.0.5518

Module: 1
Trojan.Dropper.Generic, C:\PROGRAM FILES (X86)\WINDOWSPOWERSHELL\CONFIGURATION\REGISTRATION\SVHOST.EXE, Quarantined, [9352], [355568],1.0.5518

Registry Key: 13
Trojan.BitCoinMiner, HKLM\SOFTWARE\SystemaRev, Quarantined, [524], [527865],1.0.5518
Adware.Tuto4PC, HKU\S-1-5-21-565711948-550684545-2360004682-1001\SOFTWARE\MICROSOFT\EWMON, Quarantined, [2791], [411543],1.0.5518
PUP.Optional.MyBestPrice.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\FJAFBDENABBENBLDJLAJGGPICGONIEKJ, Quarantined, [2123], [523713],1.0.5518
PUP.Optional.MyBestPrice.ChrPRST, HKU\S-1-5-21-565711948-550684545-2360004682-1001\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\fjafbdenabbenbldjlajggpicgoniekj, Quarantined, [2123], [523713],1.0.5518
PUP.Optional.MSoft.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\HKDMIHDCLHHOGHPOJIIFKLMEGJNJKDLH, Quarantined, [2090], [522789],1.0.5518
PUP.Optional.MSoft.ChrPRST, HKU\S-1-5-21-565711948-550684545-2360004682-1001\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\hkdmihdclhhoghpojiifklmegjnjkdlh, Quarantined, [2090], [522789],1.0.5518
PUP.Optional.GadgetDeal.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\MCMGPHDKOINPPODFIPMDJKLLFJAIFKMK, Quarantined, [2152], [524111],1.0.5518
PUP.Optional.GadgetDeal.ChrPRST, HKU\S-1-5-21-565711948-550684545-2360004682-1001\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\mcmgphdkoinppodfipmdjkllfjaifkmk, Quarantined, [2152], [524111],1.0.5518
Adware.ICLoader, HKLM\SOFTWARE\MICROSOFT\campaign9961, Quarantined, [500], [518478],1.0.5518
Adware.ICLoader, HKLM\SOFTWARE\MICROSOFT\multitimercampaign84170, Quarantined, [500], [518476],1.0.5518
Trojan.CoreBot, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\btlr, Quarantined, [4516], [515824],1.0.5518
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{4A0D29CD-7A99-4F5F-B81B-115A5BB25EC4}, Quarantined, [524], [530713],1.0.5518
Trojan.Dropper.Generic, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\mchlidn, Quarantined, [9352], [355568],1.0.5518

Registry Value: 8
Adware.Tuto4PC, HKU\S-1-5-21-565711948-550684545-2360004682-1001\SOFTWARE\MICROSOFT\EWMON|PARTNER, Quarantined, [2791], [411543],1.0.5518
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{4A0D29CD-7A99-4F5F-B81B-115A5BB25EC4}|INSTALLLOCATION, Quarantined, [524], [530713],1.0.5518
Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{23D7D98B-3566-4D7B-A7DB-EDE598CFD8E2}, Quarantined, [524], [446017],1.0.5518
Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{0B5B162E-2A9C-428C-AC36-BA6D8F5AE880}, Quarantined, [524], [446017],1.0.5518
Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{E4FC8AF6-01DC-43F8-B890-2F71B194A200}, Quarantined, [524], [528292],1.0.5518
Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{8315F82C-169C-48A4-8AAE-E6F4E99AD232}, Quarantined, [524], [446017],1.0.5518
Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{D529FCDE-E0C9-4A45-B504-C70445E328B9}, Quarantined, [524], [446017],1.0.5518
Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{E5E85DFC-3E43-4410-997D-9033A737D908}, Quarantined, [524], [446017],1.0.5518

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 4
PUP.Optional.SystemTable.Generic, C:\Users\Raphael\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\icon, Quarantined, [4637], [509531],1.0.5518
PUP.Optional.SystemTable.Generic, C:\Users\Raphael\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\js, Quarantined, [4637], [509531],1.0.5518
PUP.Optional.SystemTable.Generic, C:\Users\Raphael\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0, Quarantined, [4637], [509531],1.0.5518
PUP.Optional.SystemTable.Generic, C:\USERS\RAPHAEL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\SYSTEMTABLE, Quarantined, [4637], [509531],1.0.5518

File: 18
Adware.Wajam, C:\WINDOWS\System32\drivers\MWM5YT.sys, Quarantined, [444], [531752],0.0.0
Adware.Wait3Sec, C:\USERS\RAPHAEL\DOWNLOADS\PLAY WARFRAME.ICO, Quarantined, [4500], [526086],1.0.5518
Adware.Wait3Sec, C:\USERS\RAPHAEL\DOWNLOADS\WIN IPHONE X.ICO, Quarantined, [4500], [526084],1.0.5518
Adware.Wait3Sec, C:\USERS\RAPHAEL\DOWNLOADS\ADULT DATING.ICO, Quarantined, [4500], [526087],1.0.5518
PUP.Optional.SystemTable.Generic, C:\USERS\RAPHAEL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\SYSTEMTABLE\1.2_0\manifest.json, Quarantined, [4637], [509531],1.0.5518
PUP.Optional.SystemTable.Generic, C:\Users\Raphael\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\icon\icon128.png, Quarantined, [4637], [509531],1.0.5518
PUP.Optional.SystemTable.Generic, C:\Users\Raphael\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\icon\icon16.png, Quarantined, [4637], [509531],1.0.5518
PUP.Optional.SystemTable.Generic, C:\Users\Raphael\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\icon\icon24.png, Quarantined, [4637], [509531],1.0.5518
PUP.Optional.SystemTable.Generic, C:\Users\Raphael\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\icon\icon32.png, Quarantined, [4637], [509531],1.0.5518
PUP.Optional.SystemTable.Generic, C:\Users\Raphael\AppData\Local\Google\Chrome\User Data\Default\SystemTable\1.2_0\js\background.js, Quarantined, [4637], [509531],1.0.5518
Adware.Wait3Sec, C:\USERS\RAPHAEL\DOWNLOADS\PLAY CROSSOUT.ICO, Quarantined, [4500], [526085],1.0.5518
PUP.Optional.MyBestPrice.ChrPRST, C:\USERS\RAPHAEL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2123], [523713],1.0.5518
PUP.Optional.MyBestPrice.ChrPRST, C:\DOCUMENTS AND SETTINGS\ALL USERS\NTUSER.POL, Quarantined, [2123], [-1],0.0.0
PUP.Optional.MyBestPrice.ChrPRST, C:\PROGRAMDATA\NTUSER.POL, Quarantined, [2123], [-1],0.0.0
PUP.Optional.MyBestPrice.ChrPRST, C:\USERS\RAPHAEL\NTUSER.POL, Quarantined, [2123], [-1],0.0.0
PUP.Optional.MyBestPrice.ChrPRST, C:\USERS\RAPHAEL(ADMIN)\NTUSER.POL, Quarantined, [2123], [-1],0.0.0
PUP.Optional.MSoft.ChrPRST, C:\USERS\RAPHAEL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2090], [522789],1.0.5518
Trojan.Dropper.Generic, C:\PROGRAM FILES (X86)\WINDOWSPOWERSHELL\CONFIGURATION\REGISTRATION\SVHOST.EXE, Quarantined, [9352], [355568],1.0.5518

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

Hey there Kevin, yes, the issue is that now windows constantly prompt me to activate my windows online. This had never happened before the virus attack. As of this reply, Windows is still prompting me to acticate my windows online. It interrupts all my current activity to open up this window asking me to activate it. It says i have to be the administrator to activate, but im signed in using an admin account. But i cannot activate windows. "Windows cannot be activated now please try again later"

 

Best Regards,

Raphael

Link to post
Share on other sites

Hiya Raphael,

Open an an elevated command prompt, from the prompt type or copy paste the following:

DISM.exe /Online /Cleanup-image /Restorehealth

When complete hit the enter key, when the command finishes type or copy/paste the following

exit

Hit the enter key, when complete reboot your system. Does activation prompt still happen...?

Thanks,

Kevin

Link to post
Share on other sites

Hello Kevin, i received error 0x800f0906. I have searched online for solutions only to be stopped by more errors and i found out that my windows update is completely grayed out. I went online to search once more, they gave me the solution to manually change registry key to allow windows update. This is when i found out, my whole windows update registry key is missing.

 

Any idea on that?

 

Best regards

Raphael

Link to post
Share on other sites

Hiya raphael,

Open an elevated command prompt, at the prompt type or copy/paste the following command:

sfc /scannow then hit the enter key..

Wait for the scan to finish - make a note of any error messages - and then reboot. Is the issue fixed...?

If the issue remains do the following;

Please download VEW by Vino Rosso from HERE and save it to your Desktop.
 
  • Double-click VEW.exe. to start, Vista and Windows 7/8/10 users Right Click and select "Run as Administrator"
  • Under 'Select log to query...check the boxes for both Application and System.
  • Under 'Select type to list... select both Error and Critical.
  • Click the radio button for 'Number of events...Type 15 in the 1 to 20 box.
  • Then click the Run button.
  • Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.


Please post the Output log in your next reply.

Thank you,

Kevin..

 

Link to post
Share on other sites

Hi kevin thank you very much for all your help, but i decided to reformat my computer. It is too much hassle to try and get everything back to before the virus started. I appreciate all the effort put in to trying to help me solve my issue. You guys are awesome.

 

Sincerely

Raphael

Link to post
Share on other sites

Hello Raphael,

Thanks for the update, yes I agree, format and reinstall removes all doubt about an infected system....

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.