Hello everyone, I am new here.

I am using an HP Pavilion DM4 with Windows 7 Home Premium, and about 20 days ago (7/8/2019) I got a black screen with only a cursor after logging into my Admin account, even in Safe Mode.

 

The day before this issue occurred (7/7/2019), I had turned off my AVG while trying to run a Malwarebytes scan. To do so, I changed its (AVG's) permissions to EVERYONE and also set AVG off, then restarted my computer. Lo and behold, I couldn't get back onto my ADMIN main user! I am currently writing this on the same laptop, but on the account of a secondary user.

 

I can only open a few antivirus programs such as Malwarebytes and AVG; however, I cannot run RogueKiller or MSERT as they freeze. I've done many tests and NONE concluded malware, except a Malwarebytes Anti-Rootkit scan which detected 4 trojan files located in C:$\recyclebin (system recycle bin?). I've since removed them and I am currently attempting all my options.

 

The crazy thing is, I actually fixed the problem via System Restore, and all was good! However, I became stupid in my thinking and decided to RE-RESTORE the system, because I was upset that my Google Chrome had updated!!! Thus the problem returned, and the old restore points have since vanished!

I would really love some help because I am sure something has taken over the admin privileges of the system and is running SVCHOST.EXE and CONSENT.EXE at startup. I've studied the strings and the threads and they run at 25% CPU, jamming the system up. I've also noticed something keeps closing antiviruses and services.exe when I try to open them.

(I see all this via Process Explorer from the second account with admin privileges.)

I cannot run SERVICES.EXE, but I can run regedit, msconfig, Task Manager, etc. I've done SFC /scannow as well as CHKDSK and it found some corrupt files and "fixed them", but the issue persists.

I've downloaded FRST, RogueKiller, ComboFix and AdwCleaner. I have not run them; I am awaiting assistance (from you guys).

 

Please help me!!!! Thank you in advance!

Hello ARINEEDSHELP and welcome to Malwarebytes,

Run the following:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens, click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.

Thank you,

Kevin


Hello Kevin! A pleasure meeting you; hope all is well. I appreciate your response!

I tried to run it with admin privileges, but the CPU usage jumps to 25% and FRST becomes non-responsive / freezes.

I ran it from this account (non-admin) and it works fine and doesn't freeze. What should I do?


Kevin, a non-admin scan has completed. I will upload the logs under this response just for documentation purposes; I know you likely NEED the scan run with Admin privileges. Hopefully you see something? Please let me know how to continue. In the meantime I will continue to try to run the scan as admin.

Addition.txt FRST.txt


I keep trying to start it and something is spiking it (shooting up the CPU, rendering it frozen) when running from HP (my main account / admin account). I've investigated the spike via Process Explorer and found something interesting??? This is the thread stack:

0x0000000000000000
ntdll.dll!ZwOpenKey+0xa
KERNELBASE.dll!NlsWriteEtwEvent+0x23b
KERNELBASE.dll!NlsEventDataDescCreate+0x29a
KERNELBASE.dll!NotifyRedirectedStringChange+0x72
KERNELBASE.dll!SystemTimeToTzSpecificLocalTimeEx+0x56ac
KERNELBASE.dll!LoadStringByReference+0x134
kernel32.dll!RegLoadMUIStringW+0x18e
Crypt32.dll!CertCreateCertificateChainEngine+0x15fd
Crypt32.dll!CertCreateCertificateChainEngine+0x1366
Crypt32.dll!CryptEnumOIDFunction+0x930
Crypt32.dll!CertCreateCertificateChainEngine+0x1174
Crypt32.dll!CryptFindOIDInfo+0x62
WINTRUST.DLL!CryptSIPCreateIndirectData+0xe1
WINTRUST.DLL!CryptCATAdminCalcHashFromFileHandle+0x1f5
WINTRUST.DLL!WVTAsn1SpcPeImageDataEncode+0x175
WINTRUST.DLL!CryptSIPCreateIndirectData+0x6a
Crypt32.dll!CryptSIPCreateIndirectData+0xaa
WINTRUST.DLL!CryptCATAdminCalcHashFromFileHandle2+0x1a4
WINTRUST.DLL!IsCatalogFile+0x43b6
FRST64.exe+0x26384
0x0000000000000000
kernel32.dll!HeapFree+0xa
0x0000000000000000
FRST64.exe+0x92a90
FRST64.exe+0x120f2
FRST64.exe+0x1039b
FRST64.exe+0xc21b
FRST64.exe+0x744e
FRST64.exe+0x4d8b4
FRST64.exe+0x1039b
FRST64.exe+0xc21b
FRST64.exe+0x744e
FRST64.exe+0xc458
FRST64.exe+0x744e
FRST64.exe+0x45f75
FRST64.exe+0xfa4d
FRST64.exe+0xfd3e
FRST64.exe+0xc11f
FRST64.exe+0x1acae
FRST64.exe+0x19e20
FRST64.exe+0x2fabc
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x1d

 


Forgive my frequent responses. I've also noticed the security permissions for these high-CPU files I try to open are controlled by "Account Unknown(S-1-5-5-0-132729)" according to Addition.txt; S-1-5-5-0 is not one of my users!
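A SID of the shape S-1-5-5-X-Y is a logon session SID: Windows mints one per interactive logon, and once that session is gone any ACL entry that names it renders as "Account Unknown". It is worth being able to classify the SIDs that turn up in an FRST Addition.txt or an ACL dump before deciding whether an unfamiliar one is a hidden account. The following is an added example for readers of this thread, not code from the thread or from the FRST tool; the ACL-style sample lines in it are constructed, not copied from the poster's logs. The well-known SIDs, RIDs and integrity levels in the tables are from Microsoft's published list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Well-known SIDs (from Microsoft's published list) that commonly appear in
# ACL listings. Anything not here and not matching a structural pattern in
# describe_sid() is reported as unknown rather than guessed.
WELL_KNOWN: Dict[str, str] = {
    "S-1-0-0": "Nobody",
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Well-known relative identifiers (last sub-authority of an S-1-5-21-... SID).
ACCOUNT_RIDS = {500: "built-in Administrator", 501: "Guest", 503: "DefaultAccount"}

# S-1-16-<level> mandatory integrity labels.
INTEGRITY_LEVELS = {0: "Untrusted", 4096: "Low", 8192: "Medium",
                    12288: "High", 16384: "System"}

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


@dataclass(frozen=True)
class Sid:
    text: str
    authority: int
    subauthorities: Tuple[int, ...]


def parse_sid(text: str) -> Sid:
    """Split 'S-1-<authority>-<sub>-...' into its numeric parts."""
    text = text.strip()
    m = re.fullmatch(r"S-1-(\d+)((?:-\d+)+)", text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(x) for x in m.group(2).split("-")[1:])
    return Sid(text, int(m.group(1)), subs)


def describe_sid(text: str) -> str:
    """Classify a SID by its well-known value or its structural pattern."""
    sid = parse_sid(text)
    if sid.text in WELL_KNOWN:
        return WELL_KNOWN[sid.text]
    subs = sid.subauthorities
    if sid.authority == 5:
        # S-1-5-5-X-Y: per-logon session identity, not a user account.
        if subs[0] == 5 and len(subs) == 3:
            return (f"logon session SID (LUID {subs[1]}:{subs[2]}); a transient "
                    "per-logon identity created by the OS, not a user account")
        # S-1-5-21-<d1>-<d2>-<d3>-<RID>: local machine or domain account/group.
        if subs[0] == 21 and len(subs) == 5:
            rid = subs[4]
            label = ACCOUNT_RIDS.get(
                rid, "user-created account or group" if rid >= 1000 else "reserved RID")
            return f"machine/domain account SID, RID {rid}: {label}"
        if subs[0] == 80:
            return "NT SERVICE\\<service> virtual service account"
    if sid.authority == 15 and subs[:1] == (2,):
        return "AppContainer package SID"
    if sid.authority == 16 and len(subs) == 1:
        return f"mandatory integrity label: {INTEGRITY_LEVELS.get(subs[0], 'custom')}"
    return "unknown SID"


def find_sids(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source line, SID, description) for every SID found, in order."""
    found = []
    for line in lines:
        for m in SID_RE.finditer(line):
            found.append((line.strip(), m.group(0), describe_sid(m.group(0))))
    return found


# Constructed sample lines in the style of an ACL listing; not from any real log.
SAMPLE_LINES = [
    "Account Unknown(S-1-5-5-0-132729): Full control",
    "BUILTIN\\Administrators (S-1-5-32-544): Full control",
    "Account Unknown(S-1-5-21-1111-2222-3333-1001): Read",
]

if __name__ == "__main__":
    for _line, sid, desc in find_sids(SAMPLE_LINES):
        print(f"{sid:<32} {desc}")
```

Run it as a script to see the three sample entries classified; the first is reported as a logon session SID, the last as an ordinary account or group whose profile no longer resolves to a name (RID 1001 is in the user-created range). A SID that the classifier reports as unknown is the one worth looking up further, for instance with `wmic useraccount get name,sid` on the affected machine.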


Thanks for those replies ARINNEEDSHELP,

FRST must be run from an Admin account or we do not see all of the information we need. One clear issue from the logs you have posted is evidence that the hard drive is showing signs of failure...

The hard drive should be checked ASAP and all important data backed up.. https://carrona.org/hddiag.html

Edited by kevinf80
typo


Also, how do I back it up? And how can I run FRST from the CMD?

Update, Kevin! I just checked the hard drive; it checked out as OK (good).


I'm not sure... Should I try to make a new user with admin rights? When I click Run as administrator (from the accessible user), the CPU shoots up to 100% and the FRST process says Not Responding. I will try to re-download FRST and update you. Thanks,

P.S. Would NTBTLOG (startup drivers) help? I'll attach it; let me know if you see anything, please! (I'm in Safe Mode with Networking.)

ntbtlog.txt


See if you can access the hidden admin account and run FRST from there..

Open an elevated command prompt...

At the prompt, type or copy/paste net user administrator /active:yes and press Enter.

Close out and reboot. You will see a new account "Administrator"; select it and follow the prompts through.


Perfect suggestion, Kevin! I ran the scan in the hidden admin account and it worked! Attached below.

I am also able to scan with RogueKiller and MSERT now. So far RogueKiller has scanned 40,000 files and found 1 problem (HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\NPF). I will let it finish and update you with the results. I appreciate it!!! Looking forward to your review of the uploaded files.

Addition.txt FRST.txt


Thanks for those logs, continue:

Run RogueKiller again....
 
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Checkmark all found entries
  • Click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply....

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection, scroll to and make sure the following are selected:

    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection and make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as :- Always detect PUMs (recommended)
     
  • Click on Scan and make sure Threat Scan is selected.
  • A Threat Scan will begin.
  • When the scan is complete, if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected tab.
  • If asked to restart your computer to complete the removal, please do so.
  • When complete, click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open Malwarebytes once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab from the main interface.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export. From Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (I recommend "Desktop"), then attach it to your reply
     
  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log into your reply…



Next,

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs "FRST.txt" and "Addition.txt".

Let me see those logs in your reply...

Kevin..

 


Can I see the Malwarebytes log please:

Open Malwarebytes, select > Reports > then checkmark (tick) the relevant "Scan Report" entry > then select "View Report" > "Export" > Text File (*.txt). Name and save that file to the Desktop or somewhere of your choice, and attach it to your reply...

Next,

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running the FRST fix."
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop.

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the tool and select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....
 
Next,
 
Copy the following folder to your Desktop, then zip up and attach to your reply..
 
C:\Windows\Minidump

Thank you,

Kevin..

 

fixlist.txt


Hello Kevin, I am still here, trying to download this, but my home WiFi is temporarily down! 😤, will update when it’s finished


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
