michaelmt

Suspicious Malware or Registry Virus Still Infected after Windows Restore


Hi Malwarebytes,

I've been infected from a KMSPico installation.

I'm very sure of the infection signs. (Unfortunately, I noticed the malware and viruses only after a day.)

So I did a clean restore of Windows, and Windows was activated by digital signature activation from my corporation.

But after checking with FRST, I still suspect that some things are still infected.

Please check my attached FRST log.

I have no idea what kind of virus is still infecting my system files.

Could you please help me?

Any kind of support is much appreciated.

FRST.txt

Follow-up from michaelmt, quoting his first post above and adding:

Also, there are so many processes consuming CPU, and I cannot verify the company. I also don't have permission to check the details of these processes.

Please refer to the attached process capture image.

process capture.PNG


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I need to see the whole picture.

Please attach the addition.txt log that was created by the Farbar program.

It should be in the same folder as the FRST.TXT log.


Hello nasdaq,

Thanks for waiting for my reply.

Since I'm away from my PC and on working hours, I cannot get back to you on your concern right now.

So you need the Addition log.

But I scanned from Safe Mode and no Addition log was saved.

If you need it, I'll rescan and send a revised one. Please wait just a moment.


Hello nasdaq,

Please refer to the attached logs as the latest, run in Windows normal mode.

Note: I've activated KIS and already installed some usual apps.

Lastly, I installed Viber for desktop, and my KIS said some DLL file needed action, so I deleted it.

After that Viber cannot start up.

That's all. Nothing else was configured.

FRST_09-02-2019 20.22.52.txt

Addition_09-02-2019 20.22.52.txt


Hi,

Remove this program in bold via the Control Panel > Programs > Programs and Features.
IDM Crack 6.31 build 3 (HKLM-x32\...\IDM Crack 6.31 build 3) (Version: 6.31 build 3 - Crackingpatching.com Team)

Cracked/warez versions of programs

Cracked/warez versions of programs sound "good" and "cheap", but they can cause all sorts of headaches for you and damage to your computer.  No reputable forum will support any method of cracking, warez, workarounds, providing any methods, tools, or posting of links designed for this express purpose. 

There are people who have spent a great deal of money on developing and testing hardware and software, marketing and distributing it, and then on education and support for it. They have spent long, tedious, difficult and brain-numbing days/nights on their endeavor. They are attempting to make an honest living and feed their families. 

Let's not support the thieves who rip them off and cheat them out of the fruits of their labor.
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Viber does not give up that easily.
I suggest you download and run their uninstaller.
How to:
https://support.viber.com/customer/en/portal/articles/2899645-clean-uninstall-and-reinstall-on-viber-for-desktop

Restart the computer when completed.
===

Please post the Fixlog.txt and let me know if the problem persists.

fixlist.txt

Edited by nasdaq


Dear nasdaq,

Much appreciated for your kind advice and support.

(1) First, I apologize for using a cracked version of IDM.

I'll remove it as soon as possible, just after I download my "cloud properties" into offline storage, before all login securities are restored securely. I promise and guarantee this.

(2) Please kindly refer to the attached Fixlog as per your concern.

(3) Finally, I've uninstalled it as their official site says.

And reinstalled it. After that, it still crashes; it cannot load the app at startup.

So I uninstalled it again already. It made me sweat.

Am I still infected, after Windows was reinstalled?

Best Regards,

Fixlog.txt


Hi

Let me know exactly what the problem is with this computer.

And Finally, (3) I've uninstalled as per their official site say.

And reinstalled it. After that, still crash, cannot load up the apps in start up.

Is Viber crashing, or what?


Dear nasdaq,

Firstly, I'm so sorry for the very late reply.

I've been on a short business trip away from my city.

There are three portions to reply to your concern.

(1) Since I posted first, I'm just suspicious. Suspicious about:

- Some auto-run services run by Windows are not the original services that need to be run by Windows.

- As I'm the administrator of this PC, I still don't have full permission on some system files, like the credentials registry of the previous Windows user.

(As I've reinstalled a very fresh Windows with a full format of the disk, why is that credentials registry still left in the disk boot sector? And I've noted that some system files do not give full permission even to the administrator.)

- I'm also suspicious that Windows' system files and services are not originally from Microsoft. Those might be replaced by virus scripts, not the whole file (e.g. the RDP service might be infected).

- Suspicious that the Windows background service host was run automatically and is hiding some malicious activities (e.g. encrypting and packing the information, and being remotely controlled to synchronize with a virus server).

IS IT POSSIBLE, after fully formatting the disk and reinstalling a new Windows?

(2) Usually, I occasionally delete the temp files and recent files myself from the Windows Run box.

(By running from the Run box: temp, %temp%, recent, prefetch, and deleting all files in those folders, in order to smooth PC performance and clear tracks for privacy.)

But after the fix by FRST with your provided fixlist, I can only run temp, %temp%, and prefetch.

I cannot run "recent". Permission is denied.

Is there any problem? I don't want other users to see what recent files were opened when they open This PC.

How can I solve this?

(3) For Viber:

Yes, Viber crashes. When I've installed the app and run it by double-clicking the icon on the desktop, nothing happens for a couple of minutes.

Hoping for your reply.

Thanks much.

Best Regards,


Hi,

Quote

-some auto run services run by window are not originally services which need to be run by window.

What services are you talking about?

===

After a full uninstall of Viber you should restart the computer normally.
It might just be that Kaspersky is blocking the full installation.

Check to see if all is well.

If you want to reinstall Viber, disable Kaspersky before the installation.

https://support.viber.com/customer/en/portal/articles/2899645-clean-uninstall-and-reinstall-on-viber-for-desktop

It's not suggested that both of these programs be enabled in real life.

So do not enable them together.
===

As I'm administrator of this PC, I still don't have full permission on some system files.Like credentials registry of previous window user.

These files are possibly protected by the Operating System.
===

- And suspicious,that window's system files and services are not originally from Microsoft. Those are might be replaced by virus scripts

The Farbar logs show whether the files are from Microsoft or another supplier, and whether they are signed or not.
===

As for the BIOS, this is not my forte.
Let's get this computer clean of malware and we will take it from there.

===

I would like to see fresh FRST.TXT and Addition.txt logs.
Please post them. 

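Added example, not code from this thread, from FRST or from Malwarebytes: a PowerShell snippet that does on the live system what nasdaq says the Farbar log reports, listing the executable behind every service (and, for services hosted in svchost.exe, the ServiceDll it actually loads), checking the Authenticode signature, and flagging anything that is missing, unsigned or not signed by Microsoft. It assumes a Windows 10 host and an elevated prompt; Get-CimInstance, Get-AuthenticodeSignature and Get-ItemProperty are standard cmdlets. A flagged entry is only a candidate to compare against the FRST output: legitimate third-party services (Kaspersky, for instance) are flagged too, because they are not Microsoft-signed.

```powershell
# Added example, not from the thread or from FRST. Run from an elevated
# PowerShell prompt on Windows 10. Lists each service's binary (and the
# ServiceDll for svchost-hosted services), checks the Authenticode signature,
# and flags anything missing, unsigned, or not signed by Microsoft.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments, e.g.
    #   "C:\Program Files\Foo\foo.exe" -service
    #   C:\Windows\system32\svchost.exe -k netsvcs -p
    if ($PathName.StartsWith('"')) {
        return $PathName.Split('"')[1]
    }
    $tokens = $PathName -split ' '
    # Unquoted path containing spaces: grow the candidate until a file exists.
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-ServiceDll {
    param([string]$Name)
    # svchost.exe is only a host; the code that runs is the DLL named in the
    # service's Parameters\ServiceDll value (a few services keep it on the key itself).
    foreach ($key in "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters",
                     "HKLM:\SYSTEM\CurrentControlSet\Services\$Name") {
        $p = Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue
        if ($p -and $p.ServiceDll) {
            return [Environment]::ExpandEnvironmentVariables($p.ServiceDll)
        }
    }
    return $null
}

function Test-ServiceFile {
    param([string]$Service, [string]$State, [string]$File)
    if (-not (Test-Path -LiteralPath $File -PathType Leaf)) {
        return [pscustomobject]@{ Service=$Service; State=$State; File=$File;
                                  Status='FileMissing'; Signer=''; Flag=$true }
    }
    $sig = Get-AuthenticodeSignature -FilePath $File
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Windows components are mostly catalog-signed; on Windows 8 and later the
    # cmdlet resolves the catalog and reports Valid with a Microsoft subject.
    $msSigned = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    return [pscustomobject]@{ Service=$Service; State=$State; File=$File;
                              Status=$sig.Status; Signer=$signer; Flag=(-not $msSigned) }
}

$results = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $raw = [Environment]::ExpandEnvironmentVariables($svc.PathName)
    $exe = Get-ServiceBinaryPath $raw
    Test-ServiceFile -Service $svc.Name -State $svc.State -File $exe
    if ([IO.Path]::GetFileName($exe) -ieq 'svchost.exe') {
        $dll = Get-ServiceDll $svc.Name
        if ($dll) { Test-ServiceFile -Service $svc.Name -State $svc.State -File $dll }
    }
}

# Everything that is not a validly Microsoft-signed file. Compare against the
# FRST log before acting on any of it; third-party software lands here as well.
$results | Where-Object Flag | Sort-Object Status, File | Format-Table -AutoSize
```

The svchost step matters for the "service host" worry raised earlier in the thread: svchost.exe itself is always the same Microsoft binary, so the only way to see what a given svchost-hosted service runs is to resolve its ServiceDll and check that file's signature.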

Dear nasdaq,

For the first concern, please refer to the attached picture. Are these services regarding RDP necessarily running all the time and consuming this amount of RAM?

(Sorry, I'm not an IT guy, so this is just my suspicion, not proof.)

For the second concern, everything is fine. Fusion.dll was blocked by Kaspersky because it was detected on my external hard disk, which includes a Windows backup image with infected system files. Now Viber is OK to run. SOLVED.

For the third and most important concern:

I really do want to get this clear for my knowledge. If it happens like this all the way, is a practically "100% new Windows install" on an old corrupted Windows OS disk IMPOSSIBLE?

Is the technology like this?

If so, and these protected system files are infected, what should we do?

For the fourth concern, I really appreciate your confidence in your organization's product.

Regarding this confidence you have, I'll also rely on you for this thing from now on. SOLVED.

For the fifth concern, I solved it by restarting Windows and assigning permission back to the administrator for all activities on "User/AppData/". (May not be true, but it's just my opinion that this is the root cause of the admin not being able to access the user's recent data. After doing this, the administrator can access this user's recent files.) SOLVED.

For the last concern, I'm still downloading my iTunes data and Apple ID data, and also downloading all of my 4-year-old data from 3 Gmail accounts.

Offline is better than online. Just my proverb.

After this, I'll uninstall IDM and scan with FRST, and will provide the log back to you.

Anyway, your answers all the way have already helped me a lot.

You're making another amateur become enthusiastic about IT techniques.

May GOD bless you, friend.

Capture1.PNG


Hi,

Quote

For first concern, please refer attached picture. Is this services regarding to RDP are do necessarily running all the time and  consume this amount of RAM?

Remote Procedure Call (RPC)
Read about it.
https://searchmicroservices.techtarget.com/definition/Remote-Procedure-Call-RPC

If you need the service leave it alone.
It's only using 0.3 % of your CPU.

Your virtual memory will be used if more RAM is needed by the operating system.
===

Quote

 I really do want to get clear this as for my knowledge. If this is happen like this all the way, practically "100% new window install" on a old corrupted window OS disk is IMPOSSIBLE ?

Can you clarify what you are trying to do?
===

Quote

For last concern, I'm still downloading iTunes's data and appleID data. And also downloading all my 4 years old 3 gmail account data.
Offline better than online. just my proverb.
After this, I'll uninstall IDM and scan FRST. And will be provide back to you.

I keep everything important on an external hard drive.
I do not leave it connected/mounted.
If you get a worm or a ransomware infection, the HD will be compromised also.


Dear nasdaq,

Much gladness and thanks for your answer and link for the first concern.

The second one is: I mean a Windows reset/refresh/restore/reinstall, whatever, on the same disk, which already runs Windows 10 (which is infected or corrupted up to the boot sector).

I want to reinstall a very, very new Windows. The most appropriate choice is a "reinstall from an official Windows bootable disc" with formatting of the disk. But after I reinstalled the new Windows, some data/credentials/registries of the previous corrupted Windows were still left.

(This infected or corrupted data/registry/system files, whatever, are still left and show up in the newly installed Windows as "some unidentified data".)

Actually, I want a 100% totally new Windows. So why is this kind of data still left on the disk?

Why can't I format the disk "TOTALLY"? When I format this disk as an external drive, this also happens.

So how is this kind of data/file stored on this disk?

How can I get a very, very new Windows OS, like installing the Windows OS on an SSD just manufactured from the factory?

In conclusion, I don't want to see any previous data concerning Windows after reinstalling the Windows OS.

For the last concern:

So how did you manage the data on this disk without connecting it to any device?

I was inspired by your method. Please kindly share it with me.

Thanks much always, Mr. Expert.

 



Hi,

After a format the HD should be clean.

If something is restored from the previous installation, I'm not aware of that.
I suggest you start a new topic in the Windows 10 Forum at BleepingComputer.
https://www.bleepingcomputer.com/forums/f/229/windows-10-support/

An expert with your operating system will be able to advise you.
This is not caused by malware and not my forte.

So, how did you manage the data in this disk, without connect to any device?

If you manage the data on the other disk in real life so that the data on the computer is immediately changed on the other disk, then I understand that it must be connected.
Otherwise disconnect the external drive when the updates are completed.

Again, this is something you can check with the Windows 10 experts.

This topic is now closed to further replies.