nicodin

Help. I am infected


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

If you have obfuscated the original log.

Before you do anything, open the Fixlist.txt log attached with Notepad.


All entries showing nooooooooooooooo should be edited to reflect the exact location/user.
C:\Users\nooooooooooooooo\AppData\Local\upixsel and others....

When done save the file and run the fix as suggested below.

====

Remove this program in bold via the Control Panel > Programs > Programs and Features.
IDM Crack 6.28 build 9 (HKLM-x32\...\IDM Crack 6.28 build 9) (Version: build 9 - Crackingpatching.com Team)
<<<>>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

McAfee was removed but it does not let go easily.
Download and run their uninstaller tool from this site.
http://mcafee-removal-tool.com/

Restart the computer when the removal is completed.
------

Please post the Fixlog.txt and let me know what problem persists.

p.s.
Did you install Chromium, and are you using it?

fixlist.txt


Good evening.

"If you have obfuscated the original log.

Before you do anything. Open the Fixlist.txt log attached with Notepad.

All entries showing nooooooooooooooo should be edited to reflect the exact location/user.

C:\Users\nooooooooooooooo\AppData\Local\upixsel and others....

When done save the file and run the fix as suggested below."

^ Do I need to do anything with this part?

Update

1. When I click Uninstall on IDM, a message pops up saying the software is already uninstalled, and then I click OK. Then the program is deleted from Control Panel.

 

2. I downloaded the fixlist.txt -> the file became fixlist.txt (1)

-> I tried to change the name to fixlist but could not because it required permission.

-> I tried to give it permission but still was not able to do it, so I had to Save As another .txt file and run the fix as instructed.

-> I ran the fix but the computer did not restart, and it was so fast I thought I did something wrong, so I reran it and the results are the same.

Still have the same problem

3. Chromium was installed by a virus before and I thought I had already gotten rid of that, so please help me get rid of it.

4. I am trying to uninstall McAfee right now and it seems like it is stuck while uninstalling.

 

Thanks.

 

Fixlog.txt


Hi,

 downloaded the fixlist.txt -> the file became fixlist.txt (1)

You probably have downloaded the file twice.

Can you open either of the files with Notepad?

Make the change to the user name (ooooo...) and save the file.

If unable to save the file, let me know what user name you wish to use to replace the (ooo...).

I will submit a fresh Fixlist.txt with all the Chromium entries to be removed.

---

1. When I click Uninstall on IDM, a message pops up saying the software is already uninstalled, and then I click OK. Then the program is deleted from Control Panel.

It may now just be a reference in the Registry. Leave it alone for now.


Hi,

I can open the downloaded fixlist(1), then Save As -> rename it to fixlist. So I tried to run fixlist.txt in Safe Mode and the result is the attached file.

I have changed my user name from "nooooo..." to Hello.

 

Thanks.

 

Fixlog.txt


Hi,

Is the problem solved?

If not please run the Farbar program in normal mode and post fresh logs for my review.


FRST.txt Addition.txt

Hi,

I realized that even though I already changed my account user name in Control Panel, the folder in C: is still the same as "nooo...". I tried to rename it by right-clicking but it would not let me.

The attached file is the log.

Thanks.


Hi,

These are your accounts:
==================== Accounts: =============================

Administrator (S-1-5-21-3241335442-3507146994-1691591573-500 - Administrator - Disabled)


DefaultAccount (S-1-5-21-3241335442-3507146994-1691591573-503 - Limited - Disabled)
Guest (S-1-5-21-3241335442-3507146994-1691591573-501 - Limited - Disabled)
nooooooooooooooo (S-1-5-21-3241335442-3507146994-1691591573-1004 - Administrator - Enabled) => C:\Users\nooooooooooooooo
WDAGUtilityAccount (S-1-5-21-3241335442-3507146994-1691591573-504 - Limited - Disabled)

Restart the computer with the Administrator account to run the Farbar program only.

Since the account is disabled, follow the instructions on this page to enable it. DO NOT FORGET TO CLICK THE APPLY BUTTON.
https://www.itechtics.com/enable-administrator-account-windows-10/

Run the Farbar program and post fresh FRST.TXT and Addition.txt logs for my review.

Use that account from now on to do all you have to do.

When the computer is clean we will talk about creating a new Account/Profile with Administrator rights.
I do not trust this oooo. account.

The current Administrator account will have to be disabled then.
Will do all that when all is well.


Hi,

I created another Administrator account and ran Farbar. The attached file is the result.

p/s: After the run completed, the Addition.txt and FRST.txt were not saved and did not show up in the folder. They only popped up in Notepad and I needed to Save As another file to be able to upload them here.

 

Thanks.

Addition.txt FRST.txt


Hi,

Let's hope that this will be better.

The Farbar program is in the folder in bold. Place the Fixlist.txt in the same folder.
 C:\Users\Administrator\AppData\Local\Temp

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

The computer should have restarted after the Fix.

Please post the Fixlog.txt and let me know what problem persists.

Do not attempt to change anything just yet.

fixlist.txt


Hi, 

So everything was supposed to be in a folder that I created on the Desktop, C:\Users\Administrator\Desktop\New folder, and this is where I ran the Farbar tool from.

I'm not sure why it became C:\Users\Administrator\AppData\Local\Temp

The attached file is the fixlog from running Fixlist in both folders.

Since running Fixlist from both folders (normal mode) did not make any progress (attached file),

I tried to run fixlist from the desktop folder (Safe Mode) and the tool did run and restart after the process completed.

 

Thanks.

Fixlog(normal mode).txt Fixlog(safe mode).txt Fixlog(desktop folder).txt


Hi,

Run these programs.

How to use Malwarebytes Anti-Rootkit to remove rootkits

Read the instructions on how to proceed on the link below.
Download the program using the link on the page.

http://www.malwareremovalguides.info/how-to-use-malwarebytes-anti-rootkit-to-remove-rootkits/
 
Run the application as suggested.
----

--RogueKiller--

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======


Post the logs for my review.


Hi,

This is possibly from a previous McAfee installation.
You are presently using Avast.
I suggest you remove all traces of McAfee.

[Suspicious.Path (Potentially Malicious)] \McAfee Cleanup -- C:\Users\NOOOOO~1\AppData\Local\Temp\MCPR\mccleanup.exe [-p StopServices,MFSY,PEF,MXD,CSP,Sustainability,MOCP,MFP,APPSTATS,Auth,EMproxy,FWdiver,HW,MAS,MAT,MBK,MCPR,McProxy,McSvcHost,VUL,MHN,MNA,MOBK,MPFP,MPFPCU,MPS,SHRED,MPSCU,MQC,MQCCU,MSAD,MSHR,MSK,MSKCU,MWL,NMC,RedirSvc,VS,REMEDIATION,MSC,YAP,TRUEKEY,LAM,PCB,Symlink,SafeConnect,MGS,WMIRemover,RESIDUE -silent -uipipe McAfeeCleanupUIMessagePipe9229 -s -silent] -> Found

You should also remove this.

Remove this program in bold via the Control Panel > Programs > Programs and Features.
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.7.203 - McAfee, Inc.)

===

The other two are known as µTorrent Web, which belongs to the software uTorrent Web or uTorrent by BitTorrent.
This is a P2P program. It's your call to keep it or not.

===

If the issue persists run the Farbar program in normal mode and post fresh logs for my review.


Hi,

I'm trying to remove all McAfee but the tool gets stuck at some point. I left it running overnight but no progress.

I cannot find McAfee WebAdvisor in Programs and Features.

I removed both TorrentWeb and uTorrent.

I ran Farbar and uploaded the new logs for review.

Thanks.

Addition.txt FRST.txt


Hi,

You used this profile as you did in your first post.
nooooooooooooooo (S-1-5-21-3241335442-3507146994-1691591573-1004 - Administrator - Enabled) => C:\Users\nooooooooooooooo

Also a number of processes cannot be Accessed.
This is normally seen when the Farbar program is not using an Administrator account.
In your case it seems that you are in an Administrator account. Strange.

I will give you a fix, but if it fails you will have no other choice but to delete that profile later. Do not use it again.
----

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

If the problem persists, restart the computer in the Administrator account, not the ooooooo.....
Run the Fix again in that account.
Post the log for my review.

Let me know what problem persists.

 

p.s.

When you start the computer in the Administrator account do you have the same problem?

fixlist.txt


Hi,

1. So I managed to remove McAfee with their removal tool.

 

2. I am using Administrator to download the fixlist. Same problem as before. The file becomes fixlist(1) and I cannot rename it. I have to open the file and Save As fixlist.

- I ran fixlist in normal mode but I guess it was not able to run (attached file). No restart or anything. Just the fixlog created and closed.

- I ran it in Safe Mode to see if there is any difference and yes, after the run completed I needed to restart (attached file).

 

3. Since I removed all McAfee, I ran Farbar again and attached new logs for you to review (FRST & Addition are after completely removing McAfee).

 

"When you start the computer in the Administrator account do you have the same problem? "

 - Yes. The same problem for both Administrator and nooooo...

p/s When I start the computer, before entering the desktop screen, there is a message saying "Scanning and repairing disk". This happened around 2-3 weeks ago.

I tried to run defragment but could not as well.

 

Thanks.

 

Fixlog(normal mode).txt Fixlog(safemode).txt FRST.txt Addition.txt


Hi,

When I start the computer, before entering the desktop screen, there is a message saying "Scanning and repairing disk". This happened around 2-3 weeks ago.


The Check Disk (CHKDSK) was interrupted before it was completely finished running.

Navigate to this page and follow the instructions in section 4:
https://www.datanumen.com/blogs/6-solutions-stuck-scanning-repairing-drive-issue-windows-10/

4. Disable CHKDSK on Booting
Follow the Step 1 to 3 in the above solution to trigger command prompt.
Then, input “bcdedit” and hit “Enter”.
Next, in the displaying list, find the “resumeobject” and write down the long number next to it.
Afterwards, type “bcdedit /set (the long number) recoveryenabled No”.
When seeing the message prompting success, type “Exit” and reboot your PC.

p.s.
Let it finish; it may take some time.
Do not close or power off the computer while it is running.

When completed run the Farbar program and post fresh logs.
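A read-only check of the boot settings the steps above refer to, added here as an example that is not part of the thread or of the linked guide: it parses `bcdedit /enum` into entries and reports, for each Windows Boot Loader entry, the identifier, the recoveryenabled value and the resumeobject GUID the guide asks you to write down, then queries the volume dirty bit that makes Windows show "Scanning and repairing drive" at boot. It assumes an elevated PowerShell session, an English-language Windows (bcdedit's labels are localized) and C: as the system volume.

```powershell
# Added example (not from the thread): read-only report of the values the
# CHKDSK-on-boot steps refer to. Nothing here changes the BCD store.
# Assumptions: elevated PowerShell, English Windows (bcdedit labels are
# localized), and C: as the system volume.

function Get-BcdEntries {
    # Turn the text of `bcdedit /enum` into one hashtable per boot entry.
    # Each entry starts with a title line ("Windows Boot Manager" or
    # "Windows Boot Loader"), then a dashed rule, then "key   value" rows.
    $entries = @()
    $current = $null
    foreach ($line in (& bcdedit /enum)) {
        if ($line -match '^(Windows Boot Manager|Windows Boot Loader)\s*$') {
            $current = @{ kind = $Matches[1] }
            $entries += $current
            continue
        }
        if ($null -eq $current -or $line -match '^-+\s*$' -or $line.Trim() -eq '') { continue }
        if ($line -match '^(\S+)\s+(.+?)\s*$') {
            $current[$Matches[1]] = $Matches[2]     # e.g. recoveryenabled -> Yes
        }
    }
    return $entries
}

function Get-BootRepairState {
    # One object per boot loader entry, with the fields the guide's steps mention.
    Get-BcdEntries | Where-Object { $_.kind -eq 'Windows Boot Loader' } | ForEach-Object {
        [pscustomobject]@{
            Identifier      = $_['identifier']       # {current}, {default} or a GUID
            Description     = $_['description']
            RecoveryEnabled = $_['recoveryenabled']  # what "bcdedit /set ... recoveryenabled" changes
            ResumeObject    = $_['resumeobject']     # the "long number" the guide says to note
        }
    }
}

# Show the boot entries, then whether C: is still flagged dirty. A dirty volume is
# what makes autochk show "Scanning and repairing drive" on the next boot; once
# CHKDSK has been allowed to finish, this should report that C: "is NOT Dirty".
Get-BootRepairState | Format-List
& fsutil dirty query C:
```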
 


Hi,

Good work.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

p.s.
Please run Malwarebytes and clean all the items that are found.

fixlist.txt


Hi,

So I just found out that fixlist.txt cannot be saved on my computer. That is why whenever I try to download it from your reply it automatically becomes fixlist(1).

To confirm, I created a new Text Document and tried to save it under the name fixlist but could not. A message popped up saying I need permission. I have attached a screenshot of it.

I can only run fixlist in Safe Mode.

Fixlog.txt is attached

Thanks

Capture.PNG

Fixlog.txt


Hi,

You are running the Farbar program from this folder in bold.

The profile Administrator.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-02-2020 02
Ran by Administrator (administrator) on DESKTOP-IE1R0FK (Gigabyte Technology Co., Ltd. GA-78LMT-S2) (05-02-2020 18:33:21)
Running from C:\Users\Administrator\Downloads
Loaded Profiles: Administrator (Available Profiles: nooooooooooooooo & Administrator)
===

Can you not use the same profile and save the attached Fixlist.txt to the folder in bold. (Download)?

If not create a new fixlist.txt from my file and save it to the download folder.
Make sure Notepad will save it in that location.
Then run the fix with Farbar in Normal Mode. post the Fixlog.

P.S.
Where does the DESTOP-IE1ROFK\Administrator come from?
This is new to me.


Hi,

New Fixlog attached. 

I can save fixlist anywhere except the folder with Farbar.

"Where does the DESTOP-IE1ROFK\Administrator come from?"

This happens for both users, Administrator and Noooo... I cannot rename or save fixlist in Downloads. Other locations are fine.

Thanks

 

Fixlog.txt


Hi,

Let's try something else.

Open FRST on the compromised computer:

copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::

http://i121.photobucket.com/albums/o239/kevinf80/Farbar%20Tools/frst%20b.jpg&key=98f8e4fa906452a8ed54423fd0407a3d120fe6064437244ca29c06ed5f968755

On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
Copy and paste its content in your next reply.

Wait for further instructions.
<<<>>>


Hi.

So yesterday after running the fixlist, my computer was able to update to Windows 10 version 1903. I had been having problems installing new updates for a while until now; not sure if we made any progress here.

After the update, my Wi-Fi USB needed the driver reinstalled. Not sure if this is normal.

 

p.s. I cannot see what is in the link you posted in your reply.

 

Fixlog Information.

Fix result of Farbar Recovery Scan Tool (x64) Version: 02-02-2020 02
Ran by Administrator (09-02-2020 13:09:20) Run:21
Running from C:\Users\Administrator\Downloads
Loaded Profiles: Administrator (Available Profiles: nooooooooooooooo & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog 13:09:23 ====
