brandonm121

registry entry keeps reappearing


Hello all!

I am having quite a difficult time getting this virus out of my system. I "think" it's a WMI infection but I'm unsure. A registry entry in windows\current version\run keeps reinstalling itself and I don't know how. Below is a list of cleaners I have run to see if I can fix the issue.

1. Malwarebytes (detects and quarantines it, but it returns within a day or so.... even without a reboot it comes back)

2. SUPERAntiSpyware

3. Kaspersky TDSSKiller

4. rkill

5. ESET NOD32 (default anti-virus)

6. AdwCleaner

7. HijackThis

8. MBAR
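A read-only way to watch the two persistence spots this post mentions (the Run key entry that keeps coming back, and WMI event subscriptions, which the OP suspects), as an added example that is not part of the original thread or of any tool listed above; the snapshot file path is an assumption:

```powershell
# Added example, not from the thread or from any tool mentioned in it: read-only
# snapshot of the Run/RunOnce autostart keys plus a listing of WMI permanent event
# subscriptions (the "WMI infection" the OP suspects). Re-running it diffs against
# the previous snapshot, so an entry that "comes back" is reported with the exact
# command line it re-registers. Run from an elevated PowerShell prompt.
$snapshot = Join-Path -Path $env:USERPROFILE -ChildPath 'run-baseline.json'  # assumed path

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# One line per autostart value: "key|value name|command line"
$current = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }   # skip provider metadata
        '{0}|{1}|{2}' -f $key, $p.Name, $p.Value
    }
})

if (Test-Path -Path $snapshot) {
    $previous = @(Get-Content -Path $snapshot -Raw | ConvertFrom-Json)
    $diff = Compare-Object -ReferenceObject $previous -DifferenceObject $current
    foreach ($d in $diff) {
        # '=>' means present now but not in the saved snapshot
        $tag = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Output "$tag $($d.InputObject)"
    }
    if (-not $diff) { Write-Output 'Run keys unchanged since the last snapshot.' }
}
ConvertTo-Json -InputObject $current | Set-Content -Path $snapshot

# WMI permanent subscriptions: a filter + consumer + binding triple can re-create
# a Run entry on a timer or on an event without any process of its own running.
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, Query
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptText
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer
```

Run it once after a clean-up to take the baseline, then again when the entry reappears; any subscription listed in the second half whose consumer launches an unfamiliar command line is what a WMI-based persistence would look like.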

Hello brandonm121 and welcome to Malwarebytes,

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab from the main interface.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export > From Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply

  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt). Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....


Hello brandonm121 and welcome to Malwarebytes,

Open an elevated command prompt, type or copy/paste the following command:

winmgmt /verifyrepository

Hit the Enter key; what result do you get...?

Thank you,

Kevin

 

Edited by kevinf80
instruction change


Malwarebytes log was clean, FRST logs show no evidence of Malware or Infection.. Do you have a log from Malwarebytes showing what was removed..


I HAVE MADE A DISCOVERY! There are a set of services that change their name after every reboot. These are the source of the issue, but I can't remove them. I have tried sc delete as an admin in safe mode, also navigated to the services in the registry and deleted them, but they keep coming back. Here are a few examples of the names.

CDPUserSvc_23d6fd8b

ContactData_23d6fd8b

and a few others that follow the same naming structure. After reboot, the number tagged at the end changes to something else random. 

12 minutes ago, kevinf80 said:

Malwarebytes log was clean, FRST logs show no evidence of Malware or Infection.. Do you have a log from Malwarebytes showing what was removed..

The only thing removed is/was the Trojan Mirai virus located in HKlocalmachine\software\microsoft\currentcontrolset\run. A program masking itself as bgclients is the culprit. This has been recurring for a bit now; it'll be back in a few days after removal.

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit...

Next,

Hold down the Shift key and boot your PC. Windows should open to the "Choose an Option" window....

From that window select "Troubleshoot", from the next window select "Advanced Options", from there select "Command Prompt"; ensure to plug the flash drive into an open USB port...

Continue with the following:
 
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter. Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Thanks,

Kevin...


You've run FRST from safe mode, I want the scan done from the Recovery Environment.... Also can you check the following:

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file D:\vintermodal\Weblink\WebAppImportService\WebAppImportService.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.


Hiya brandonm121,

Thanks for that log, still no evidence of Malware or Infection or any potential loaders...  One policy is unusual, I assume you have set that up...?

HKLM\...\Policies\Explorer: [ShowSuperHidden] 1

Try a scan with Windows Defender Offline, use option 3 from the link below:

https://www.tenforums.com/tutorials/42305-windows-defender-offline-scan-windows-10-a.html

The link also shows how to retrieve the log..

Thanks,

Kevin..

 


I'm guessing because it is a server and not Windows 10 it looks different... I don't see an option for an offline scan.

(attachment: defender.JPG)


I do not believe a server makes any difference if you are running Windows 10...

Open the search function next to the Start flag, type or copy/paste Virus and threat protection into the search box, select that from Best match, in the new window select Scan options, scroll to and select Windows Defender Offline scan, then select Scan now


Do not open the normal Windows Defender interface, offline scan is not available that way... Quick question, is this a business system...?


Hello again brandonm121,

Can you go here: https://support.malwarebytes.com/docs/DOC-2396

Run that tool and attach the produced zip file to your next reply..

Next,

You mention earlier that Malwarebytes did remove the issue you described, I would like to see that log...

Open Malwarebytes, select > Reports > then checkmark (tick) the appropriate "Scan Report" entry > then select "View Report" > "Export" > Text File (*.txt) name and save that file to Desktop or somewhere of your choice, attach to your reply...

Next,

Couple of links for you to read, these may be exactly what you are experiencing...

https://borncity.com/win/2017/11/19/windows10-server-2016-issues-with-cdpusersvc/

https://social.technet.microsoft.com/Forums/en-US/c165a54a-4a69-441c-94a7-b5712b54385d/what-is-the-cdpusersvc-for-?forum=win10itprogeneral

https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows

Thanks,

Kevin

 

Edited by kevinf80
typo
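As an added example that is not part of the thread or of Malwarebytes' tooling, the per-user service mechanism described in the last link above explains names like CDPUserSvc_23d6fd8b and ContactData_23d6fd8b: Windows creates them from a template service each logon and the hex suffix changes every boot. The script below lists each suffixed service with its template and flags any that has no per-user template behind it; the 0x40 Type bit is Microsoft's documented marker for a per-user service template, while the suffix regex and the report layout are assumptions of this example.

```powershell
# Added example, not from the thread or from Malwarebytes: triage "<name>_<hex>"
# services such as CDPUserSvc_23d6fd8b. Windows builds per-user services from a
# template service whose Type value has the 0x40 (SERVICE_USER_SERVICE) bit set;
# each logon gets an instance named "<template>_<hex LUID>", and the suffix changes
# every boot, which is what the OP observed. Deleting instances is therefore
# pointless; a suffixed service with NO matching template is the one to look at.
# Run from an elevated PowerShell prompt. Read-only: nothing is changed or removed.
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$userFlag = 0x40
$pattern  = '^(?<template>.+)_(?<luid>[0-9a-fA-F]{4,8})$'   # assumed suffix shape

$report = Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $pattern } |
    ForEach-Object {
        $null     = $_.PSChildName -match $pattern        # repopulate $Matches
        $template = $Matches.template
        $tplKey   = Join-Path -Path $svcRoot -ChildPath $template
        $tpl      = if (Test-Path -Path $tplKey) { Get-ItemProperty -Path $tplKey } else { $null }
        $inst     = Get-ItemProperty -Path $_.PSPath

        if ($tpl -and (($tpl.Type -band $userFlag) -ne 0)) {
            $verdict = 'per-user instance of a real template (expected)'
        } elseif ($tpl) {
            $verdict = 'template exists but lacks the 0x40 per-user bit: check'
        } else {
            $verdict = 'NO TEMPLATE: not a per-user service, investigate'
        }

        [pscustomobject]@{
            Service   = $_.PSChildName
            Template  = $template
            ImagePath = $inst.ImagePath      # what actually runs for this service
            Verdict   = $verdict
        }
    }

$report | Sort-Object -Property Verdict, Service | Format-Table -AutoSize -Wrap
```

On an unmodified system every row should read "expected" and point at svchost.exe with a -k group; the Run key entry the OP keeps removing would not show up here at all, since it is not a service.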


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
