cornbread342

Virus prevents any installation of virus removal or Windows defender

Recommended Posts

Hello, I recently got infected by a virus. It prevents me from installing any form of anti-virus, and it doesn't allow me to turn on defender either, saying it is managed by an organization. I have removed the virus program itself I'm pretty sure, but I know there's still files that are infected. I don't know what to do, thanks for the help.


Hi, welcome.
My name is Maurice. I will be helping and guiding you, going forward on this case.   Let me know what first name you prefer to go by.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible. 
  
Please attach all report files, etc., that I ask for as we go along.

If you notice a specific file or a specific folder for this suspected "virus" then please relay the detail about that.

 

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here and save it to your desktop.

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
 

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org
Database version:
  main:    v2020.01.29.09
  rootkit: v2020.01.29.09
Windows 10 x64 NTFS
Internet Explorer 11.1069.17134.0
Leo :: ITSME [administrator]
1/29/2020 7:00:54 PM
mbar-log-2020-01-29 (19-00-54).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 285983
Time elapsed: 1 hour(s), 2 minute(s), 52 second(s)
Memory Processes Detected: 13
C:\ProgramData\Logic Cramble\set.exe (Adware.Linkury) -> 2860 -> Delete on reboot. [1a5367e1d3033105d2439270798bb947]
C:\ProgramData\CloudPrinter\CloudPrinter.exe (Adware.Linkury) -> 2592 -> Delete on reboot. [6b02440433a3f4428b650f5f9f63ec14]
C:\Program Files (x86)\Materialistic\moneys.exe (Adware.DotDo.Generic) -> 4788 -> Delete on reboot. [beaf8fb96274b77f570aafac23df6799]
C:\Program Files (x86)\Materialistic\moneys.exe (Adware.DotDo.Generic) -> 6176 -> Delete on reboot. [beaf8fb96274b77f570aafac23df6799]
C:\Program Files (x86)\mushy\pathologist.exe (Adware.DotDo.Generic) -> 10032 -> Delete on reboot. [74f9242466700630124e4e96f011ac54]
C:\Program Files (x86)\Dawson\Agricultural.exe (Adware.DotDo.Generic.TskLnk) -> 9476 -> Delete on reboot. [99d4ce7afdd96dc912b4d0b5b74b3bc5]
C:\Program Files (x86)\Dawson\Sse.exe (Adware.DotDo.Generic.TskLnk) -> 8768 -> Delete on reboot. [ff6ee167d60051e5edb9f68f3ec41ae6]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe (Adware.OnlineIO) -> 10296 -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe (Adware.OnlineIO) -> 7136 -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe (Adware.OnlineIO) -> 6720 -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe (Adware.OnlineIO) -> 6232 -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe (Adware.OnlineIO) -> 10492 -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe (Adware.OnlineIO) -> 2416 -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
Memory Modules Detected: 2
C:\Users\Leo\AppData\Local\ckapes.dll (Trojan.ProxyAgent) -> Delete on reboot. [1c515deb7f57fe38619e36e4709450b0]
C:\ProgramData\Logic Cramble\X86\SQLite.Interop.dll (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
Registry Keys Detected: 29
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\backlh (Adware.Linkury) -> Delete on reboot. [1a5367e1d3033105d2439270798bb947]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\pgt_svc (RiskWare.ProxyGate) -> Delete on reboot. [1c51192fbb1bee484a94b1e024dd26da]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WinDefender (Trojan.Crypt.GO) -> Delete on reboot. [46273018af27b3831361e96b22e2ee12]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CHROME.EXE (Adware.DotDo.Generic) -> Delete on reboot. [90dd89bfbc1a80b68ad8c81d7a87a759]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CHROME.EXE (Adware.DotDo.Generic) -> Delete on reboot. [90dd89bfbc1a80b68ad8c81d7a87a759]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\Quoteex.exe (Adware.Linkury) -> Delete on reboot. [71fcf55334a201352d8799275ca420e0]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2EEE6EC7-3356-479A-A10E-785CDD71DEE1} (Adware.OnlineIO) -> Delete on reboot. [b6b767e1389e66d0ecf300c678889b65]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3FE9E01A-CD1F-4A95-9363-612A378EC564} (Adware.OnlineIO) -> Delete on reboot. [a7c6d57375619f97ba25f7cf837de719]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{78874A70-ABA7-4FB6-9835-7B7F55914E7C} (Adware.OnlineIO) -> Delete on reboot. [7cf1b692d7ff80b61ec1a91dc83813ed]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{8651E06E-E58B-48B6-9FC3-6B7500418AB8} (Adware.OnlineIO) -> Delete on reboot. [d79610381bbb2412449b735377894fb1]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B75F8E72-253D-472D-AA34-D5A63177D787} (Adware.OnlineIO) -> Delete on reboot. [90dd4305fdd984b2ad324d790000a65a]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BEC76829-95C8-4222-8D59-4E5F1EC57545} (Trojan.Glupteba.E) -> Delete on reboot. [0f5e6ade07cfc076d1a5be06669aca36]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F0EA4495-CB67-4F55-8727-ED213A255634} (Adware.OnlineIO) -> Delete on reboot. [1c51bb8dab2b092d5689d9ed817f0ff1]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\csrss (Trojan.Glupteba.E) -> Delete on reboot. [18553414ac2aa6900ea27556fd035ca4]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Online Application V2G1 (Adware.OnlineIO) -> Delete on reboot. [6c0137115e7843f3bd7d527ca65ab749]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Online Application V2G2 (Adware.OnlineIO) -> Delete on reboot. [1558192fc511b185e6540dc109f7d12f]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Online Application V2G3 (Adware.OnlineIO) -> Delete on reboot. [e98477d118be41f588b2517d748c659b]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Online Application V2G4 (Adware.OnlineIO) -> Delete on reboot. [1e4f1434498dce68102addf130d0dd23]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Online Application V2G5 (Adware.OnlineIO) -> Delete on reboot. [76f7ce7a71650c2ae159b11d3fc1a45c]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Online Application V2G6 (Adware.OnlineIO) -> Delete on reboot. [14596edad8fe6ec884b6a32bd12f6997]
HKLM\SOFTWARE\WOW6432NODE\Microleaves (Adware.OnlineIO) -> Delete on reboot. [620bbb8d686e072f46db59617f8115eb]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\Quoteex.exe (Adware.Linkury) -> Delete on reboot. [c7a62721af2742f413a17050817f619f]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FastDataX_is1 (Adware.FastDataX.EncJob) -> Delete on reboot. [3f2e4bfd32a49d99f08305d052ae1ce4]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Winmon (Trojan.Glupteba.E) -> Delete on reboot. [77f6a2a6825472c4ee14b93305fbc43c]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WinmonFS (Trojan.Glupteba.E) -> Delete on reboot. [17562c1ca92dc86e44bfb03ceb15f808]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WinmonProcessMonitor (Trojan.Glupteba.E) -> Delete on reboot. [5c11cf79a2344de9ff058963d32d01ff]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\EpicNet Inc. (Trojan.Glupteba.E) -> Delete on reboot. [591472d6e2f463d3b28aa703ba468b75]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\FastDataX (Adware.FastDataX) -> Delete on reboot. [0667ed5b894d310521538f0e2fd14bb5]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\TESTAPP (Trojan.Glupteba.E) -> Delete on reboot. [07665cec785e39fdf919e7c6c13f3ac6]
Registry Values Detected: 24
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|pathologist (Adware.DotDo.Generic) -> Data: "C:\Program Files (x86)\mushy\pathologist.exe" wvauwwvauwwvauwwvau.wvauawvauwwvaurwvau.wvaupwvauwwvau/wvauv2e0e2e0e0wvaul1l2v5vehtwvaum1glKejrnrwvauQK8PF9nOKbwvauv -> Delete on reboot. [74f9242466700630124e4e96f011ac54]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ckapes (Trojan.ProxyAgent) -> Data: rundll32.exe "C:\Users\Leo\AppData\Local\ckapes.dll",ckapes -> Delete on reboot. [1c515deb7f57fe38619e36e4709450b0]
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Door (Adware.DotDo.Generic.TskLnk) -> Data: "C:\Program Files (x86)\Dawson\Agricultural.exe" wvauwwvauwwvauwwvau.wvauawvauwwvaurwvau.wvaupwvauwwvau/wvauv2e0e2e0e0wvaul1l2v5vehtwvaum1glKejrnrwvauQK8PF9nOKbwvauv -> Delete on reboot. [99d4ce7afdd96dc912b4d0b5b74b3bc5]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Rhymed (Adware.DotDo.Generic.TskLnk) -> Data: "C:\Program Files (x86)\Dawson\Agricultural.exe" wvauwwvauwwvauwwvau.wvauawvauwwvaurwvau.wvaupwvauwwvau/wvauv2e0e2e0e0wvaul1l2v5vehtwvaum1glKejrnrwvauQK8PF9nOKbwvauv -> Delete on reboot. [99d4ce7afdd96dc912b4d0b5b74b3bc5]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Darius (Adware.DotDo.Generic.TskLnk) -> Data: "C:\Program Files (x86)\Dawson\Agricultural.exe" wvauwwvauwwvauwwvau.wvauawvauwwvaurwvau.wvaupwvauwwvau/wvauv2e0e2e0e0wvaul1l2v5vehtwvaum1glKejrnrwvauQK8PF9nOKbwvauv -> Delete on reboot. [99d4ce7afdd96dc912b4d0b5b74b3bc5]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Ravenously (Adware.DotDo.Generic.TskLnk) -> Data: "C:\Program Files (x86)\Dawson\Agricultural.exe" wvauwwvauwwvauwwvau.wvauawvauwwvaurwvau.wvaupwvauwwvau/wvauv2e0e2e0e0wvaul1l2v5vehtwvaum1glKejrnrwvauQK8PF9nOKbwvauv -> Delete on reboot. [99d4ce7afdd96dc912b4d0b5b74b3bc5]
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Swampscott (Adware.DotDo.Generic.TskLnk) -> Data: "C:\Program Files (x86)\Fis\Agricultural.exe" wvauwwvauwwvauwwvau.wvauawvauwwvaurwvau.wvaupwvauwwvau/wvauv2e0e2e0e0wvaul1l2v5vehtwvaum1glKejrnrwvauQK8PF9nOKbwvauv -> Delete on reboot. [224bfd4bf8de81b55076aadb29d9c23e]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Handcrafts (Adware.DotDo.Generic.TskLnk) -> Data: "C:\Program Files (x86)\Fis\Agricultural.exe" wvauwwvauwwvauwwvau.wvauawvauwwvaurwvau.wvaupwvauwwvau/wvauv2e0e2e0e0wvaul1l2v5vehtwvaum1glKejrnrwvauQK8PF9nOKbwvauv -> Delete on reboot. [224bfd4bf8de81b55076aadb29d9c23e]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Anzac (Adware.DotDo.Generic.TskLnk) -> Data: "C:\Program Files (x86)\Fis\Agricultural.exe" wvauwwvauwwvauwwvau.wvauawvauwwvaurwvau.wvaupwvauwwvau/wvauv2e0e2e0e0wvaul1l2v5vehtwvaum1glKejrnrwvauQK8PF9nOKbwvauv -> Delete on reboot. [224bfd4bf8de81b55076aadb29d9c23e]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Aphids (Adware.DotDo.Generic.TskLnk) -> Data: "C:\Program Files (x86)\Fis\Agricultural.exe" wvauwwvauwwvauwwvau.wvauawvauwwvaurwvau.wvaupwvauwwvau/wvauv2e0e2e0e0wvaul1l2v5vehtwvaum1glKejrnrwvauQK8PF9nOKbwvauv -> Delete on reboot. [224bfd4bf8de81b55076aadb29d9c23e]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|stakes (Adware.DotDo.Generic.TskLnk) -> Data: "C:\Program Files (x86)\Fis\Agricultural.exe" wvauwwvauwwvauwwvau.wvauawvauwwvaurwvau.wvaupwvauwwvau/wvauv2e0e2e0e0wvaul1l2v5vehtwvaum1glKejrnrwvauQK8PF9nOKbwvauv -> Delete on reboot. [224bfd4bf8de81b55076aadb29d9c23e]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|IcyRiver (Trojan.MalPack.GS) -> Data: "C:\WINDOWS\rss\csrss.exe" -> Delete on reboot. [4b226edae7ef45f145a74934a95904fc]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|CloudNet (Trojan.Glupteba) -> Data: "C:\Users\Leo\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" -> Delete on reboot. [5c1170d81abc3ff72dd624a7da28cd33]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2EEE6EC7-3356-479A-A10E-785CDD71DEE1}|Path (Adware.OnlineIO) -> Data: \Online Application V2G4 -> Delete on reboot. [b6b767e1389e66d0ecf300c678889b65]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{3FE9E01A-CD1F-4A95-9363-612A378EC564}|Path (Adware.OnlineIO) -> Data: \Online Application V2G2 -> Delete on reboot. [a7c6d57375619f97ba25f7cf837de719]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{78874A70-ABA7-4FB6-9835-7B7F55914E7C}|Path (Adware.OnlineIO) -> Data: \Online Application V2G1 -> Delete on reboot. [7cf1b692d7ff80b61ec1a91dc83813ed]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{8651E06E-E58B-48B6-9FC3-6B7500418AB8}|Path (Adware.OnlineIO) -> Data: \Online Application V2G6 -> Delete on reboot. [d79610381bbb2412449b735377894fb1]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B75F8E72-253D-472D-AA34-D5A63177D787}|Path (Adware.OnlineIO) -> Data: \Online Application V2G3 -> Delete on reboot. [90dd4305fdd984b2ad324d790000a65a]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BEC76829-95C8-4222-8D59-4E5F1EC57545}|Path (Trojan.Glupteba.E) -> Data: \csrss -> Delete on reboot. [0f5e6ade07cfc076d1a5be06669aca36]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F0EA4495-CB67-4F55-8727-ED213A255634}|Path (Adware.OnlineIO) -> Data: \Online Application V2G5 -> Delete on reboot. [1c51bb8dab2b092d5689d9ed817f0ff1]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BACKLH|ImagePath (Adware.Linkury) -> Data: C:\ProgramData\Logic Cramble\set.exe -> Delete on reboot. [9fce95b30dc9b6802ca301e49e62a759]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{B72ED5D8-ADB0-4D1E-B574-D376D0E5ABAC} (Trojan.BitCoinMiner) -> Data: v2.28|Action=Allow|Active=TRUE|Dir=In|App=C:\WINDOWS\rss\csrss.exe|Name=csrss| -> Delete on reboot. [8be2a2a635a1142255f6608ae11f728e]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDEFENDER|ImagePath (Trojan.Agent) -> Data: C:\Windows\windefender.exe -> Delete on reboot. [5a13e761b4227fb7985937b5a35ded13]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\TESTAPP|Defender (Trojan.Glupteba.E) -> Data: 1 -> Delete on reboot. [07665cec785e39fdf919e7c6c13f3ac6]
Registry Data Items Detected: 3
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHURL|Default (Adware.SonicSearch) -> Bad: (https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGyjt9ihJPpQjuEHDATLODqIyfWagpIapTqkKUkvAk6d0Lil9x2deCTbKpPeH_56PVQTUBDqSugVrF3ZX7pRUmQUk2top0lLFYBZrYv-tyz7u8fQ1hinWfzt62G-EMGMjseIjaoorwOBHGKGYWbgCTgWFeI_8A8-Jj_j3FlGwuqM&q={searchTerms}) Good: (www.google.com) -> Replace on reboot. [0964c4848c4af343e44f26e9887b7d83]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Search Bar (Adware.SonicSearch) -> Bad: (https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGyjt9ihJPpQjuEHDATLODqIyfWagpIapTqkKUkvAk6d0Lil9x2deCTbKpPeH_56PVQTUBDqSugVrF3ZX7pRUmQUk2top0lLFYBZrYv-tyz7u8fQ1hinWfzt62G-EMGMjseIjaoorwOBHGKGYWbgCTgWFeI_8A8-Jj_j3FlGwuqM&q={searchTerms}) Good: (www.google.com) -> Replace on reboot. [da930642b224b086584025e8d82b48b8]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|SearchAssistant (Adware.SonicSearch) -> Bad: (https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoGyjt9ihJPpQjuEHDATLODqIyfWagpIapTqkKUkvAk6d0Lil9x2deCTbKpPeH_56PVQTUBDqSugVrF3ZX7pRUmQUk2top0lLFYBZrYv-tyz7u8fQ1hinWfzt62G-EMGMjseIjaoorwOBHGKGYWbgCTgWFeI_8A8-Jj_j3FlGwuqM&q={searchTerms}) Good: (www.google.com) -> Replace on reboot. [afbede6a597d0e28a8f197769a694fb1]
Folders Detected: 13
c:\Users\Leo\AppData\Local\Temp\csrss (Trojan.Glupteba.E) -> Delete on reboot. [e984ea5e4f87191d6930513c3dc3e21e]
C:\Users\Leo\AppData\Roaming\EpicNet Inc (Trojan.Glupteba.BITSRST) -> Delete on reboot. [70fdf1570ec8bf770683fd0dd12f58a8]
C:\Users\Leo\AppData\Roaming\EpicNet Inc\CloudNet (Trojan.Glupteba.BITSRST) -> Delete on reboot. [70fdf1570ec8bf770683fd0dd12f58a8]
C:\ProgramData\Logic Cramble (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
C:\ProgramData\Logic Cramble\X64 (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
C:\ProgramData\Logic Cramble\X86 (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
C:\Users\Leo\AppData\Roaming\Microleaves (Adware.OnlineIO) -> Delete on reboot. [5f0e36128353d6603507eb2119e726da]
C:\Users\Leo\AppData\Roaming\Microleaves\Online Application 2.7.0 (Adware.OnlineIO) -> Delete on reboot. [5f0e36128353d6603507eb2119e726da]
C:\Users\Leo\AppData\Roaming\Microleaves\Online Application 2.7.0\install (Adware.OnlineIO) -> Delete on reboot. [5f0e36128353d6603507eb2119e726da]
C:\Users\Leo\AppData\Roaming\Microleaves\Online Application 2.7.0\install\CFCBAA1 (Adware.OnlineIO) -> Delete on reboot. [5f0e36128353d6603507eb2119e726da]
C:\Program Files (x86)\Microleaves (Adware.OnlineIO) -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application (Adware.OnlineIO) -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0 (Adware.OnlineIO) -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
Files Detected: 75
C:\WINDOWS\SYSTEM32\drivers\Winmon.sys (Trojan.Glupteba) -> Delete on reboot. [69989105f151015c16a2f422f5722590]
C:\WINDOWS\SYSTEM32\drivers\WinmonFS.sys (Trojan.Glupteba) -> Delete on reboot. [c6100c067d1e619b730bf23ab4045b17]
C:\WINDOWS\SYSTEM32\drivers\WinmonProcessMonitor.sys (Trojan.Glupteba) -> Delete on reboot. [290389e59ca9fe99ce1779f41f26d645]
C:\ProgramData\Logic Cramble\set.exe (Adware.Linkury) -> Delete on reboot. [1a5367e1d3033105d2439270798bb947]
C:\ProgramData\CloudPrinter\CloudPrinter.exe (Adware.Linkury) -> Delete on reboot. [6b02440433a3f4428b650f5f9f63ec14]
C:\Program Files (x86)\Materialistic\moneys.exe (Adware.DotDo.Generic) -> Delete on reboot. [beaf8fb96274b77f570aafac23df6799]
C:\Program Files (x86)\mushy\pathologist.exe (Adware.DotDo.Generic) -> Delete on reboot. [74f9242466700630124e4e96f011ac54]
C:\Users\Leo\AppData\Local\ckapes.dll (Trojan.ProxyAgent) -> Delete on reboot. [1c515deb7f57fe38619e36e4709450b0]
C:\Program Files (x86)\Dawson\Agricultural.exe (Adware.DotDo.Generic.TskLnk) -> Delete on reboot. [99d4ce7afdd96dc912b4d0b5b74b3bc5]
C:\Program Files (x86)\Dawson\Sse.exe (Adware.DotDo.Generic.TskLnk) -> Delete on reboot. [ff6ee167d60051e5edb9f68f3ec41ae6]
C:\Program Files (x86)\Fis\Agricultural.exe (Adware.DotDo.Generic.TskLnk) -> Delete on reboot. [224bfd4bf8de81b55076aadb29d9c23e]
c:\Windows\rss\csrss.exe (Trojan.MalPack.GS) -> Delete on reboot. [4b226edae7ef45f145a74934a95904fc]
C:\Users\Leo\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe (Trojan.Glupteba) -> Delete on reboot. [5c1170d81abc3ff72dd624a7da28cd33]
C:\Program Files (x86)\ProxyGate\MainService.exe (RiskWare.ProxyGate) -> Delete on reboot. [1c51192fbb1bee484a94b1e024dd26da]
c:\Windows\windefender.exe (Trojan.Crypt.GO) -> Delete on reboot. [46273018af27b3831361e96b22e2ee12]
C:\Users\Leo\AppData\Local\Agricultural.exe (Adware.DotDo.Generic.TskLnk) -> Delete on reboot. [492412366c6aa88e9135721345bd17e9]
C:\Users\Leo\AppData\Local\SilHome.exe (Adware.Linkury) -> Delete on reboot. [dd90b98f12c40d296f81412da85a36ca]
C:\Users\Leo\AppData\Local\Sse.exe (Adware.DotDo.Generic.TskLnk) -> Delete on reboot. [36371632ecea95a14462bacb36ccc739]
C:\Users\Leo\AppData\Local\VaiaQuofresh.exe (Adware.Linkury) -> Delete on reboot. [105d06427066c571dd13640a986ace32]
C:\Users\Leo\AppData\Local\1xCorp N.V\1xWin\serviceupdate.exe (Spyware.PredatorTheThief) -> Delete on reboot. [d09d88c0fbdbbd792a11331a0df67e82]
C:\Users\Leo\AppData\Local\Temp\gj9oo958ocx5hre.exe (RiskWare.ProxyGate) -> Delete on reboot. [28453c0c26b0e650462c600528d9867a]
c:\Users\Leo\AppData\Local\Temp\csrss\cloudnet.exe (Trojan.Glupteba) -> Delete on reboot. [630ac880b1250f2740c3ffcc53aff907]
c:\Users\Leo\AppData\Local\Temp\csrss\profile-6.exe (Trojan.Glupteba) -> Delete on reboot. [0f5e98b0ede9b97d2cdfdeb457aac739]
C:\Users\Leo\AppData\Local\Temp\1887343\ic-0.39501a925a185.exe (Trojan.Crypt) -> Delete on reboot. [5b125deb1db90c2a70ed7c1af40f19e7]
C:\Users\Leo\AppData\Local\Temp\1887343\ic-0.88fcd1eea4f8c.exe (Trojan.MalPack.GS) -> Delete on reboot. [7eef64e490468caaffedd0addd253cc4]
C:\Users\Leo\AppData\Local\Temp\1887343\ic-0.9a3ef57f2efc78.exe (Adware.Linkury) -> Delete on reboot. [e4891335934383b33fb192dc89797a86]
C:\Program Files (x86)\Fis\Agricultural.dll (Adware.DotDo.Generic.TskLnk) -> Delete on reboot. [7bf24701b5214ee8c5010085bf43817f]
C:\Program Files (x86)\Fis\Fis.exe (Adware.DotDo.Generic.TskLnk) -> Delete on reboot. [7df093b55f77e94d05c13550bb477f81]
C:\Program Files (x86)\laggards\laggards.exe (Adware.DotDo.Generic.TskLnk) -> Delete on reboot. [dd9076d2b620e452cfb42e71986a54ac]
C:\Program Files (x86)\ProxyGate\ProxyGate.exe (RiskWare.ProxyGate) -> Delete on reboot. [4a232a1efed878be5b703b0220e117e9]
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Adware.DotDo.Generic) -> Delete on reboot. [90dd89bfbc1a80b68ad8c81d7a87a759]
C:\Users\Leo\AppData\Local\Temp\Rar$EXa7916.28021\Football Manager 2020 - InstallShield Wizard\football_manager_2020_-_installshield_wizard.exe (Trojan.IStartSurf) -> Delete on reboot. [77f69fa965719b9b653789c7f210e61a]
C:\Windows\horta.exe (Adware.DotDo.Generic.TskLnk) -> Delete on reboot. [3d3097b1f3e3ac8abe08562fa35f12ee]
C:\Users\Leo\AppData\Local\SilHome.tst (Adware.Linkury.Generic) -> Delete on reboot. [5f0e1f29ebeba88e118f085ddf216a96]
C:\Users\Leo\AppData\Local\VaiaQuofresh.tst (Adware.Linkury.Generic) -> Delete on reboot. [28454305e9edaa8c5e42c79eca362dd3]
C:\Users\Leo\AppData\Local\ApplicationHosting.dat (Trojan.Agent) -> Delete on reboot. [b1bc73d54e88ca6ca84bf372758b53ad]
C:\Users\Leo\AppData\Local\agent.dat (Adware.Linkury.Generic) -> Delete on reboot. [2449d67233a362d4ea18d88e718f60a0]
C:\Users\Leo\AppData\Local\installer.dat (Adware.Linkury) -> Delete on reboot. [5e0f0d3bd105c274e5d3fa720bf502fe]
C:\Users\Leo\AppData\Local\lobby.dat (Trojan.Agent) -> Delete on reboot. [333a4dfbab2b4fe71dc3e3894eb2dc24]
C:\Users\Leo\AppData\Local\Main.dat (Adware.Linkury.Generic) -> Delete on reboot. [f37ae860ab2b52e4905a6dff7888f50b]
C:\Users\Leo\AppData\Local\md.xml (Adware.Linkury.Generic) -> Delete on reboot. [551870d85a7cb284c1896a03bd439868]
C:\Users\Leo\AppData\Local\noah.dat (Adware.Linkury.Generic) -> Delete on reboot. [0865e0687561a88e2f35d59834cc1ce4]
C:\Users\Leo\AppData\Local\uninstall_temp.ico (Adware.Linkury.Generic) -> Delete on reboot. [09643d0bb02659dd97d083ebb34d37c9]
C:\Windows\System32\Tasks\csrss (Trojan.Glupteba.E) -> Delete on reboot. [462755f3fbdb7abcff414242709023dd]
C:\Windows\System32\Tasks\Online Application V2G1 (Adware.OnlineIO) -> Delete on reboot. [145985c316c03bfba1128502a957db25]
C:\Windows\System32\Tasks\Online Application V2G2 (Adware.OnlineIO) -> Delete on reboot. [c7a645038c4aaa8c981bbdcab749de22]
C:\Windows\System32\Tasks\Online Application V2G3 (Adware.OnlineIO) -> Delete on reboot. [b6b7c0885b7b191dd8dbc3c48c74d927]
C:\Windows\System32\Tasks\Online Application V2G4 (Adware.OnlineIO) -> Delete on reboot. [fa73e95f785e1323149f4f38e31dfa06]
C:\Windows\System32\Tasks\Online Application V2G5 (Adware.OnlineIO) -> Delete on reboot. [94d95bed6f67a492edc65730718f8e72]
C:\Windows\System32\Tasks\Online Application V2G6 (Adware.OnlineIO) -> Delete on reboot. [9ad31632b2248da9aa095a2d44bcb44c]
c:\Users\Leo\AppData\Local\Temp\csrss\scheduled.exe (Trojan.Glupteba.E) -> Delete on reboot. [e984ea5e4f87191d6930513c3dc3e21e]
c:\Users\Leo\AppData\Local\Temp\csrss\routersdns.exe (Trojan.Glupteba.E) -> Delete on reboot. [e984ea5e4f87191d6930513c3dc3e21e]
C:\Windows\Tasks\Online Application V2G1.job (Adware.OnlineIO) -> Delete on reboot. [93daac9ca03694a287470d8a24dcaa56]
C:\Windows\Tasks\Online Application V2G2.job (Adware.OnlineIO) -> Delete on reboot. [610cb89029adbf77cd0197007a8623dd]
C:\Windows\Tasks\Online Application V2G3.job (Adware.OnlineIO) -> Delete on reboot. [e18c2e1a488e61d59a34cacdce32728e]
C:\Windows\Tasks\Online Application V2G4.job (Adware.OnlineIO) -> Delete on reboot. [b1bcfa4e01d52511438b1780df21629e]
C:\Windows\Tasks\Online Application V2G5.job (Adware.OnlineIO) -> Delete on reboot. [5c114800f5e1d066dbf36a2d7090f40c]
C:\Windows\Tasks\Online Application V2G6.job (Adware.OnlineIO) -> Delete on reboot. [b6b7b98f03d39d99814dc6d1c040a858]
C:\ProgramData\Logic Cramble\Config.json (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
C:\ProgramData\Logic Cramble\set.exe.config (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
C:\ProgramData\Logic Cramble\System.Data.SQLite.dll (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
C:\ProgramData\Logic Cramble\System.Data.SQLite.Linq.dll (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
C:\ProgramData\Logic Cramble\System.Data.SQLite.xml (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
C:\ProgramData\Logic Cramble\X64\SQLite.Interop.dll (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
C:\ProgramData\Logic Cramble\X86\SQLite.Interop.dll (Adware.Linkury) -> Delete on reboot. [363792b618be11253dca4ac244bc5ea2]
C:\Users\Leo\AppData\Roaming\Microleaves\Online Application 2.7.0\install\CFCBAA1\Basic Installer with memory detection.msi (Adware.OnlineIO) -> Delete on reboot. [5f0e36128353d6603507eb2119e726da]
C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe (Adware.OnlineIO) -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.ini (Adware.OnlineIO) -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe (Adware.OnlineIO) -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online.io EULA.url (Adware.OnlineIO) -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online.io Privacy.url (Adware.OnlineIO) -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Uninstall Online Application.lnk (Adware.OnlineIO) -> Delete on reboot. [e08dfc4ce3f3bf7702485ad0639d847c]
C:\Users\Leo\AppData\Local\Config.xml (Adware.Linkury.Generic) -> Delete on reboot. [501d9eaa7d59ac8a65543c3491738b75]
C:\Users\Leo\AppData\Local\InstallationConfiguration.xml (Adware.Linkury.TskLnk) -> Delete on reboot. [dd904bfd993dde58037c02715fa50af6]
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\InstallationConfiguration.xml (Adware.Linkury.TskLnk) -> Delete on reboot. [0865390f894dad89321d2a4a2bd939c7]
Physical Sectors Detected: 0
(No malicious items detected)
(end)
 
When I restarted this after the Cleanup process (as it prompted me to), it restarted in Windows safe mode, and I'm not sure if it affected anything, but after the scan it said there were 159 malware items.
 
There have been sounds coming from the sound source Sse (shown in the picture below), which I suspect is malware. After the scan and restart, however, it didn't seem to be running.

(attached screenshot)

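The log above is long, and what matters for cleanup is less the item count than which persistence and hijack mechanisms the entries represent: a service named WinDefender (the real Windows Defender Antivirus service is WinDefend) whose ImagePath is C:\Windows\windefender.exe, an Image File Execution Options key for CHROME.EXE, scheduled tasks, Run values, a firewall allow rule for C:\WINDOWS\rss\csrss.exe, kernel drivers, and a search URL whose hostname is percent-encoded. The script below is an added example for this page, not part of the thread and not code from Malwarebytes: it parses lines in the MBAR log format, classifies each by mechanism, flags service names that imitate Defender, and decodes the percent-encoded host. The sample lines are constructed to mirror the posted log (one is shortened); the category names, the regular expression, and the function names are this example's own assumptions about the format.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample, modelled on the format of the MBAR log posted in this thread
# (not a verbatim copy; the sonic-search line is trimmed to a short query string).
# Line shape: <location> (<detection>) -> [Data: ... -> | Bad: (...) Good: (...) ->] <action> on reboot. [<id>]
SAMPLE_LOG = r"""
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WinDefender (Trojan.Crypt.GO) -> Delete on reboot. [46273018af27b3831361e96b22e2ee12]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDEFENDER|ImagePath (Trojan.Agent) -> Data: C:\Windows\windefender.exe -> Delete on reboot. [5a13e761b4227fb7985937b5a35ded13]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CHROME.EXE (Adware.DotDo.Generic) -> Delete on reboot. [90dd89bfbc1a80b68ad8c81d7a87a759]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\csrss (Trojan.Glupteba.E) -> Delete on reboot. [18553414ac2aa6900ea27556fd035ca4]
HKU\S-1-5-21-1008748535-89621049-631550477-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|ckapes (Trojan.ProxyAgent) -> Data: rundll32.exe "C:\Users\Leo\AppData\Local\ckapes.dll",ckapes -> Delete on reboot. [1c515deb7f57fe38619e36e4709450b0]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{B72ED5D8-ADB0-4D1E-B574-D376D0E5ABAC} (Trojan.BitCoinMiner) -> Data: v2.28|Action=Allow|Active=TRUE|Dir=In|App=C:\WINDOWS\rss\csrss.exe|Name=csrss| -> Delete on reboot. [8be2a2a635a1142255f6608ae11f728e]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHURL|Default (Adware.SonicSearch) -> Bad: (https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?q={searchTerms}) Good: (www.google.com) -> Replace on reboot. [0964c4848c4af343e44f26e9887b7d83]
C:\WINDOWS\SYSTEM32\drivers\Winmon.sys (Trojan.Glupteba) -> Delete on reboot. [69989105f151015c16a2f422f5722590]
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Adware.DotDo.Generic) -> Delete on reboot. [90dd89bfbc1a80b68ad8c81d7a87a759]
"""

# One detection line: location, detection name, optional Data or Bad/Good payload, action, 32-hex id.
LINE_RE = re.compile(
    r"^(?P<where>.+?) \((?P<detection>[A-Za-z0-9.]+)\) -> "
    r"(?:Data: (?P<data>.*?) -> |Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>Delete|Replace) on reboot\. \[(?P<id>[0-9a-f]{32})\]$"
)


def classify(where):
    """Map a detection location to the persistence or hijack mechanism it represents (example's own labels)."""
    w = where.upper()
    if "\\IMAGE FILE EXECUTION OPTIONS\\" in w:
        return "ifeo_debugger_hijack"      # Debugger value runs in place of the named program
    if "\\FIREWALLRULES" in w:             # lives under SERVICES\SHAREDACCESS, so test before 'service'
        return "firewall_allow_rule"
    if "\\SCHEDULE\\TASKCACHE\\" in w or "\\SYSTEM32\\TASKS\\" in w or "\\WINDOWS\\TASKS\\" in w:
        return "scheduled_task"
    if "\\CURRENTVERSION\\RUN|" in w or w.endswith("\\CURRENTVERSION\\RUN"):
        return "run_key_autostart"
    if "\\INTERNET EXPLORER\\" in w:
        return "browser_search_hijack"
    if "\\DRIVERS\\" in w and w.endswith(".SYS"):
        return "kernel_driver"
    if "\\CURRENTCONTROLSET\\SERVICES\\" in w:
        return "service"
    if re.match(r"^[A-Z]:\\", w):
        return "file_or_folder"
    return "registry_other"


def service_name(where):
    """Return the service key name for a ...\\SERVICES\\<name>[|value] location, else None."""
    m = re.search(r"\\CURRENTCONTROLSET\\SERVICES\\([^\\|]+)", where, re.IGNORECASE)
    return m.group(1) if m else None


def is_defender_lookalike(where):
    """True for a service name that imitates Windows Defender's real service name, WinDefend."""
    name = service_name(where)
    if not name:
        return False
    n = name.upper()
    return "DEFEND" in n and n != "WINDEFEND"


def parse_mbar_lines(text):
    """Parse every detection line in MBAR-style log text into a dict with a 'category' added."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["category"] = classify(rec["where"])
            records.append(rec)
    return records


def summarize(records):
    """Count detections per mechanism."""
    return Counter(r["category"] for r in records)


def defender_lookalikes(records):
    """Upper-cased names of services that imitate Defender, de-duplicated."""
    return sorted({service_name(r["where"]).upper() for r in records if is_defender_lookalike(r["where"])})


def decoded_host(url):
    """Percent-decode a URL (the log writes the host as %66%65%65%64...) and return its hostname."""
    return urlsplit(unquote(url)).hostname


if __name__ == "__main__":
    recs = parse_mbar_lines(SAMPLE_LOG)
    for cat, n in summarize(recs).most_common():
        print(f"{n:2d}  {cat}")
    print("Defender look-alike services:", defender_lookalikes(recs))
    for r in recs:
        if r["bad"]:
            print("search hijack host:", decoded_host(r["bad"]))
```

Two things worth noticing when this is run over the full log above rather than the sample. The same 32-character id appears on both the IFEO key for CHROME.EXE and on the Chrome binary under C:\Program Files (x86)\Google, which is consistent with the binary being listed as the target of the IFEO hijack rather than as a separately identified malicious file. And the "managed by an organization" message in Defender itself is normally the effect of policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, which MBAR does not list in this log; that is something to confirm from the FRST reports requested in the next reply.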

Good morning.

The MBAR tool found a large number of adware items, as well as several trojans. There will be much more to do later.

 

Please remember to always attach report files as we go along.   The forum allows for attaching files with a reply.

When you are making a reply post, look down at the trailing sections. There is a "choose files" spot where you click and begin the task of attaching a file to the reply.

  • To save attachments please click the link as shown below. Then browse to where your file is located and select it and click the Open button.


 

I would like to have you run a report tool known as FRST. This has no personal information. It is well known, widely used, and safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:

"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.


Run report with FRST64

Right-click on the FRST64 icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 8 or 10 users will be prompted about Windows SmartScreen protection: click More info on that screen and click the Run anyway button on the next screen.
Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info and then choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.


The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.
Thank you.
.
 


Hi,   Thanks very much for the FRST reports.  These help a lot.   I have a custom fix script for you.

Please Close and Save any open work you may have open.

Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

 

This custom script is for  CORNBREAD342   only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select Save link as and save it directly (as is) to the DESKTOP folder.

The tool named FRST64.exe is already in the Downloads folder.

Start Windows Explorer and then go to the Desktop.


RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run.

If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click the line More info on that screen

and click the button Run anyway on the next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

(screenshot: the Fix button in the FRST window)

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

[    2    ]

Keep going with the next 2 sections, no matter what.   I expect after the fix above that Windows Defender will be usable.

 

Windows 10 has the Microsoft Windows Defender which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows, without having to create bootable media.

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
 
In Windows Settings  >>> click on Windows Security from the left side list.
Next, in the Windows Security section: click on the grey button Open Windows Security.
Next click on the blue Scan options.
Look down the options list.  Tick Windows Defender Offline scan.   Then click the grey "Scan now" button and let it scan the system.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.
.
[    3    ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to for running the tool are at this link at Microsoft:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
  
Let me know the result of this.
The log is named MSERT.log  
the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 

Sincerely,

Maurice

Fixlist.txt

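As an added example for the Windows Defender Offline step above (this is not part of Maurice's instructions or any Malwarebytes tool), the following PowerShell script reads the Defender state that the Offline scan depends on, lists any Group Policy values under the Defender policy key (the thing that makes Settings say Defender is "managed by your organization"), shows the relevant service start types, and optionally queues the Offline scan from the command line. Get-MpComputerStatus, Get-MpPreference and Start-MpWDOScan are the cmdlets of the Defender module that ships with Windows 10; the script only reads unless the -StartOfflineScan switch is given.

```powershell
# Added diagnostic for this thread (not Maurice's own steps): read-only look at the
# Windows Defender state behind the Offline scan, run from an elevated PowerShell on Windows 10.
param(
    [switch]$StartOfflineScan   # only queue the Offline scan when explicitly asked for
)

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Core health indicators. On a home PC that relies on Defender these should all be True
# and the signature age should be a small number of days.
[pscustomobject]@{
    AntivirusEnabled        = $status.AntivirusEnabled
    AntispywareEnabled      = $status.AntispywareEnabled
    RealTimeProtection      = $status.RealTimeProtectionEnabled
    RealtimeDisabledByPref  = $prefs.DisableRealtimeMonitoring
    SignatureAgeDays        = $status.AntivirusSignatureAge
    LastFullScanEnded       = $status.FullScanEndTime
} | Format-List

# Group Policy values under this key are what produces the "managed by your organization"
# banner. A stand-alone home PC normally has no such key at all; a DisableAntiSpyware or
# DisableRealtimeMonitoring value set to 1 here is worth reporting to the helper.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $policyRoot) {
    Write-Warning "Defender policy key present: $policyRoot"
    @(Get-Item $policyRoot) + @(Get-ChildItem $policyRoot -Recurse -ErrorAction SilentlyContinue) |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $key.GetValue($name) }
            }
        } | Format-Table -AutoSize
} else {
    'No Defender policy key found (expected for a home PC).'
}

# Services the engine and the Offline scan hand-off rely on; a Disabled start type
# or a Stopped status on WinDefend is a red flag.
Get-Service -Name WinDefend, WdNisSvc, SecurityHealthService -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

if ($StartOfflineScan) {
    # Same effect as the "Scan now" button for the Offline scan: Windows restarts into the
    # offline scanning environment, so save open work before using this switch.
    Start-MpWDOScan
}
```

Run it once before and once after a fix to see what changed; if the Offline scan button does nothing, the policy values and the WinDefend service state printed here are the first two things to compare.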

Hello, I did get the Fixlog attached below, but was unable to do the Windows Defender Offline Scan. I tried running it in various ways in and out of administrator mode, but I would click on it and nothing would happen. I have tried clean booting, manually doing the offline scan, etc. but nothing would work. Windows Defender now works though. I suspect that the malware is preventing this, is there any way to bypass this, what should I do? Thank you!

Fixlog.txt


Hi.  Thanks for the Fixlog report.  The custom fix-run did do good. 4 boogers set to auto-run have been quashed & Windows Defender is able to be run.

 

You ought to go ahead and do the last step that I outlined before.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to for running the tool are at this link at Microsoft:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
  
Let me know the result of this.
The log is named MSERT.log  
the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 

Sincerely,

Maurice

 


Hi,

The Microsoft Safety Scanner found and removed 2 trojans.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.

 


Thanks for the log-report.  That is a worthwhile run & good cleanup.

.

The Windows 10 is currently at build 1803.  That is the one from Spring 2019.  I very much recommend you get it updated to the November 2019 build.

I recommend that you do one Windows Restart just before proceeding with this.  This needs much patience all thru it, and I would allocate 4 to 5 hours for it.

I would suggest  to upgrade to the Windows 10 build 1909 ( or November 2019 build).  You should be able to manually get it thru Windows Update.

It may take repeated tries with Windows Update till your pc is able to see that Update.  You should make a try each day, from here on out, till you see it offered.

The suggestion I have is to go to the Start menu, click the Windows Settings icon. Select Update & Security.  Click on Windows Update.

The Windows Update ( eventually) will have a display like this when it shows up.

Note that the display will show the new build in a new way, in the middle of the display.  You will need to click on the blue line marked "Download and install now"  when ready.

(screenshot: the Windows Update page offering the new build with the "Download and install now" link)

 

Getting that Windows build update will put this pc in a better position for a more secure operating system.


Hello, when I went to update it gave me this error:

There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070424)

I have looked to find workarounds and I believe it's simply because I do not have the Windows update service. 


Hello Maurice, sorry for forgetting to introduce myself, I completely missed the first part of your first message.

My name is Max, and thank you so much for helping me thus far.


Hi Max.

On the latter, you only just have some "hiccup" error.   But this Windows does have the Windows Update function.

You need to find the "error" from the Windows Update history (and later on, I would like to point you to the SYSNATIVE forum for help with Windows Update).

Do you see the Windows Update sample screen (above)?

You need to go back in there and click on View Update History and write down the Error code.   Usually they are like 0X...........

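As an added example tied to the two posts above (the 0x80070424 message Max quoted and the request to read the error code out of the update history), the PowerShell script below does three things from the command line: it decodes the HRESULT (0x80070424 is a Win32-facility code whose low 16 bits are 1060, ERROR_SERVICE_DOES_NOT_EXIST), it checks whether the services Windows Update depends on are present and what their start type is, and it reads the update history through the Microsoft.Update.Session COM object, which is the same source the Settings page draws on. This is not part of the thread's own instructions; the service list is my choice of the usual dependencies, and the history query fails with a descriptive message when the Windows Update service itself is absent, which is exactly the case worth knowing about.

```powershell
# Added diagnostic for this thread (not Maurice's or Max's own steps). Run from an
# elevated PowerShell on Windows 10; everything here is read-only.

function Resolve-Hresult {
    # Decode an HRESULT such as '0x80070424' into facility + Win32 error text.
    param([string]$HexCode)
    $hr       = [long][Convert]::ToUInt32(($HexCode -replace '^0x', ''), 16)
    $facility = ($hr -shr 16) -band 0x1FFF
    $code     = $hr -band 0xFFFF
    $meaning  = if ($facility -eq 7) {      # FACILITY_WIN32: low 16 bits are a Win32 error number
        (New-Object System.ComponentModel.Win32Exception([int]$code)).Message
    } else { 'not a Win32-facility HRESULT' }
    [pscustomobject]@{ HResult = $HexCode; Facility = $facility; Win32Code = $code; Meaning = $meaning }
}

function Test-UpdateServices {
    # Services Windows Update relies on; a 'missing' row is what ERROR_SERVICE_DOES_NOT_EXIST points at,
    # and a Disabled start type on wuauserv or bits is the next most common cause of a stuck update.
    foreach ($name in 'wuauserv', 'bits', 'cryptsvc', 'UsoSvc', 'TrustedInstaller') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Present   = [bool]$svc
            Status    = if ($svc) { $svc.Status }    else { 'missing' }
            StartType = if ($svc) { $svc.StartType } else { '-' }
        }
    }
}

function Get-UpdateHistoryViaCom {
    # Read the update history the Settings page shows under "View update history".
    param([int]$Last = 20)
    $resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $total = $searcher.GetTotalHistoryCount()
        if ($total -eq 0) { return 'Update history is empty on this machine.' }
        $searcher.QueryHistory(0, [Math]::Min($Last, $total)) |
            Select-Object Date, Title,
                @{ n = 'Result';  e = { $resultNames[[int]$_.ResultCode] } },
                @{ n = 'HResult'; e = { '0x{0:X8}' -f $_.HResult } }   # negative int32 prints as 8-digit hex
    } catch {
        # The COM server is hosted by the Windows Update service; this is the failure seen when it is gone.
        "Could not query update history: $($_.Exception.Message)"
    }
}

Resolve-Hresult '0x80070424' | Format-List
Test-UpdateServices | Format-Table -AutoSize
Get-UpdateHistoryViaCom | Format-Table -AutoSize
# Installed hotfixes come from a different store (Win32_QuickFixEngineering), which is what
# systeminfo reports; an empty list here does not by itself mean the update service is missing.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

Resolve-Hresult '0x80070424' reports Facility 7, Win32Code 1060 and the message "The specified service does not exist as an installed service"; whether that refers to wuauserv or to one of its dependencies is what the Test-UpdateServices table answers, and that table is the useful thing to paste into a Windows Update help request.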

I doubt if that is a "virus".

When did you first see it?   Where does it show exactly?

If you could find where this is stored on disk .... you can upload the EXE file for analysis.

Using your web browser, go to the link https://www.virustotal.com/gui/home/upload

 

You will see a Choose file button.   Click that as a first step.   You will then see a dialog grid from Windows.

If you could, attach each VT report with your next reply. 


For the error from the Windows Update history, I found the "View Update History" screen completely blank. I tried getting the error with systeminfo in Command Prompt and PowerShell, but next to the line Hotfix(s), it says N/A. 

I am currently trying to find the folder that the virus I suspected is located in.


Once we settle this case here,  I will strongly encourage you to seek Windows Update help at Sysnative forum.


Hi Max,

I had not heard from you in a few days.  Wanted to touch base with you regarding the "nativedesktopmedia".

I would like to resume searching for it.  Let's do these next steps, please.

[  1  ]

What follows is a first step to have Windows 10 show all files and folders. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one, two or three.

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

[    2    ]

Please download Rkill from one of the following links and save to your Desktop:

One, Two,Three or Four

 

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please post the log

 

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

But whatever happens, be sure you go ahead and do the following report for sure.   Thanks.

 

[   3   ]

Delete the previous file I had you save named FIXLIST.txt

I have a new  custom  script for you.

Please Close and Save any open work you may have open.

Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

 

This custom script is for  CORNBREAD342   only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select Save link as and save it directly (as is) to the DESKTOP folder.

The tool named FRST64.exe is already in the Downloads folder.

Start Windows Explorer and then go to the Desktop.


RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run.

If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click the line More info on that screen

and click the button Run anyway on the next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

(screenshot: the Fix button in the FRST window)

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Fixlist.txt

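The post above goes looking for the "nativedesktopmedia" item by showing hidden files and running Rkill. As an added example (not one of Maurice's steps and not a Malwarebytes or Rkill feature), the PowerShell script below sweeps the places a persistent program usually registers itself (installed services, scheduled tasks, Run/RunOnce keys, and the common drop folders, hidden and system files included) for a name pattern, then computes the SHA-256 of every file it finds so the hash can be looked up on VirusTotal before, or instead of, uploading the file. The pattern *NativeDesktopMedia* is taken from the thread and is an assumption; the script is read-only and deletes nothing, so the result is a list to report back, not a cleanup.

```powershell
# Added example for this thread (not Maurice's own steps): read-only hunt for a named
# persistence artifact, run from an elevated PowerShell on Windows 10.
param([string]$Pattern = '*NativeDesktopMedia*')   # name taken from the thread; an assumption

function Find-PersistenceByName {
    param([string]$Pattern)

    # 1. Installed services. Win32_Service exposes the binary path, which Get-Service does not.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like $Pattern -or $_.DisplayName -like $Pattern -or $_.PathName -like $Pattern } |
        ForEach-Object { [pscustomobject]@{ Where = 'Service'; Name = $_.Name; Detail = $_.PathName } }

    # 2. Scheduled tasks, including ones tucked into sub-folders of the task library.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like $Pattern -or ($_.Actions | Where-Object Execute -like $Pattern) } |
        ForEach-Object { [pscustomobject]@{ Where = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName; Detail = ($_.Actions.Execute -join ';') } }

    # 3. Run / RunOnce autostart values for the machine and the current user.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            if ($valueName -like $Pattern -or $data -like $Pattern) {
                [pscustomobject]@{ Where = 'RunKey'; Name = "$key\$valueName"; Detail = $data }
            }
        }
    }

    # 4. Files on disk in the usual drop locations; -Force includes hidden and system files.
    $roots = $env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\Temp"
    Get-ChildItem -Path $roots -Recurse -Force -ErrorAction SilentlyContinue -Filter $Pattern |
        ForEach-Object { [pscustomobject]@{ Where = 'File'; Name = $_.FullName; Detail = $_.LastWriteTime } }
}

function Get-VirusTotalLookupInfo {
    # SHA-256 per file plus the VirusTotal lookup URL for that hash (no upload involved).
    param([string[]]$Path)
    foreach ($p in $Path) {
        if ($p -and (Test-Path -LiteralPath $p -PathType Leaf)) {
            $h = Get-FileHash -LiteralPath $p -Algorithm SHA256
            [pscustomobject]@{ File = $p; SHA256 = $h.Hash; Lookup = "https://www.virustotal.com/gui/file/$($h.Hash)" }
        }
    }
}

$hits = @(Find-PersistenceByName -Pattern $Pattern)
if ($hits.Count -eq 0) {
    "Nothing matching $Pattern in services, scheduled tasks, Run keys or the common folders."
} else {
    $hits | Format-Table -AutoSize
    # Hash the file-system hits plus the executable named by each service/task/Run value.
    $paths = @($hits | Where-Object Where -eq 'File' | Select-Object -ExpandProperty Name)
    $paths += $hits | Where-Object Where -ne 'File' | ForEach-Object {
        # first .exe path out of a command line such as "C:\dir\app.exe" /arg or C:\dir\app.exe /arg
        if ($_.Detail -match '^"?([^"]+\.exe)') { $Matches[1] }
    }
    Get-VirusTotalLookupInfo -Path ($paths | Sort-Object -Unique) | Format-List
}
```

The four locations are the ordinary autostart points a helper's FRST log also covers; a hit in the Run keys or task library with no matching file on disk means the autostart entry is stale, while a file with no autostart entry is the case where a hash lookup is the quickest way to decide whether it matters.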

Thanks for the reports.   By the way, NativeDesktopMedia  was not found.

How is the overall situation on this machine at this point ?

 

Run a scan with Malwarebytes.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Now click the small X  to get back to the main menu window.


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed.    Let it remove what it has detected.

 

 


Huh, that's weird. It says that there are 0 threats, just like the previous logs. NativeDesktopMediaService is still on my computer however, and on certain websites it still creates popups. It is not as bad as before though, as I have just seen a popup on a website for the first time in a while today. I can't find it running in the processes and the folder of this is nowhere to be seen. I am still trying to make the updates work.
