
Persistent Virus After OS Reinstall


Hello! I've been infected with this virus for some time now, and it unfortunately has been very persistent. 

A few months ago, I suspected something was wrong when I started noticing telltale signs - I'm no computer expert but come on: Restore points disappearing, bitcoin miners being installed, windows defender errors, and eventually scripts popping up occasionally after booting up my computer. I used a bunch of virus removal tools, including Malwarebytes, and accepted their fixes, but was still getting problems, and my bank account ended up getting compromised. So, I resorted to what I thought was a last resort: I reinstalled the OS, doing a clean reinstall of Windows using a recovery USB drive downloaded from a clean computer from the Lenovo website. It looked okay for a little while, but now the virus is back, taking up a ton of CPU usage, which appears for a split second when I open Task Manager and then instantly dropping as if to hide the virus. I also still see some scripts popping up for brief moments, which is super scary. I haven't made any purchases from this computer since, because I know my information will be immediately stolen. I have no idea what to do, as I thought reinstalling the OS would work. I greatly appreciate any help, and am happy to provide further info!

Attachments: FRST.txt, Addition.txt


Welcome
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.

Let's begin...

  • Download the enclosed file  Fixlist.txt
  • Save it in the same location as FRST64.exe
  • Start FRST (FRST64) with Administrator privileges
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

 

Let's try Malwarebytes Anti-Malware and AdwCleaner to scan your computer:

https://forums.malwarebytes.com/topic/304827-scan-with-malwarebytes/

https://forums.malwarebytes.com/topic/304822-scan-with-adwcleaner/

Attach their reports.


I created a 2nd account because the previous one got blacklisted for 'spam' :(

Anyways, thank you for your response! I just have some quick questions before I begin. Firstly, I downloaded FRST to my Downloads folder, so do I put the Fixlist file in my downloads and I'm all set? Also, does starting FRST with Admin privileges mean I just run the application as an Administrator? Thank you for your patience!


(I had to make a new account again... not sure what's happening, maybe it doesn't like my VPN?)

To be honest, I'm not really sure. I'm not really noticing anything different, yet the virus has always been very quiet. I have noticed that the fix did not create a restore point like it claimed (or it was immediately deleted) and that Task Manager still shows very high CPU usage with a bunch of icon-less processes for a split second before calming down. I will attach photos showing this:

[Two Task Manager screenshots attached: IMG_8739.jpg and IMG_8740.jpg]

You can see on the left that the CPU usage goes all the way up to 62%, then almost immediately settles back to 8%. Is this a known thing, or is that a telltale sign that the virus is still around?


I always check your resources:

Quote:

Process=AggregatorHost            CPU_Usage=0            Memory_Usage_(MB)=1.38            
Process=ApplicationFrameHost      CPU_Usage=0            Memory_Usage_(MB)=8.26            
Process=ElevocControlService      CPU_Usage=0            Memory_Usage_(MB)=1.22            
Process=FRST64                    CPU_Usage=0            Memory_Usage_(MB)=25.84           
Process=FnHotkeyCapsLKNumLK       CPU_Usage=0            Memory_Usage_(MB)=16.22           
Process=FnHotkeyUtility           CPU_Usage=0            Memory_Usage_(MB)=25.53           
Process=LenovoUtilityService      CPU_Usage=0            Memory_Usage_(MB)=18.85           
Process=Locator                   CPU_Usage=0            Memory_Usage_(MB)=0.41            
Process=MBAMService               CPU_Usage=0            Memory_Usage_(MB)=23.07           
Process=Memory Compression        CPU_Usage=0            Memory_Usage_(MB)=0.01            
Process=MessagingPlugin           CPU_Usage=0            Memory_Usage_(MB)=9.38            
Process=MoUsoCoreWorker           CPU_Usage=16           Memory_Usage_(MB)=4.21            
Process=MsMpEng                   CPU_Usage=16           Memory_Usage_(MB)=326.07          
Process=NVDisplay.Container       CPU_Usage=0            Memory_Usage_(MB)=23.47           
Process=NVDisplay.Container#1     CPU_Usage=0            Memory_Usage_(MB)=30.13           
Process=NVIDIA Overlay            CPU_Usage=0            Memory_Usage_(MB)=29.04           
Process=NVIDIA Overlay#1          CPU_Usage=0            Memory_Usage_(MB)=14.76           
Process=NVIDIA Overlay#2          CPU_Usage=0            Memory_Usage_(MB)=3.32            
Process=NVIDIA Overlay#3          CPU_Usage=0            Memory_Usage_(MB)=4.59            
Process=NVIDIA Overlay#4          CPU_Usage=0            Memory_Usage_(MB)=26.84           
Process=Nahimic3                  CPU_Usage=0            Memory_Usage_(MB)=22.83           
Process=NahimicService            CPU_Usage=0            Memory_Usage_(MB)=7.51            
Process=NahimicSvc32              CPU_Usage=0            Memory_Usage_(MB)=2.34            
Process=NahimicSvc64              CPU_Usage=0            Memory_Usage_(MB)=2.73            
Process=NisSrv                    CPU_Usage=0            Memory_Usage_(MB)=2.97            
Process=OfficeClickToRun          CPU_Usage=0            Memory_Usage_(MB)=11.58           
Process=Registry                  CPU_Usage=0            Memory_Usage_(MB)=13.98           
Process=RtkAudUService64          CPU_Usage=0            Memory_Usage_(MB)=3.26            
Process=RuntimeBroker             CPU_Usage=0            Memory_Usage_(MB)=4.51            
Process=RuntimeBroker#1           CPU_Usage=0            Memory_Usage_(MB)=3.57            
Process=RuntimeBroker#2           CPU_Usage=0            Memory_Usage_(MB)=2.77            
Process=SearchHost                CPU_Usage=0            Memory_Usage_(MB)=116.08          
Process=SearchIndexer             CPU_Usage=0            Memory_Usage_(MB)=15.79           
Process=SearchProtocolHost        CPU_Usage=0            Memory_Usage_(MB)=1.94            
Process=Secure System             CPU_Usage=0            Memory_Usage_(MB)=78.53           
Process=SecurityHealthService     CPU_Usage=0            Memory_Usage_(MB)=4.11            
Process=StartMenuExperienceHost   CPU_Usage=0            Memory_Usage_(MB)=38.25           
Process=System                    CPU_Usage=0            Memory_Usage_(MB)=0.02            
Process=SystemNotificationPlugin  CPU_Usage=0            Memory_Usage_(MB)=10.45           
Process=TextInputHost             CPU_Usage=0            Memory_Usage_(MB)=17.38           
Process=TiWorker                  CPU_Usage=0            Memory_Usage_(MB)=24.07           
Process=Tobii.EyeX.Engine         CPU_Usage=0            Memory_Usage_(MB)=34.73           
Process=Tobii.EyeX.Interaction    CPU_Usage=0            Memory_Usage_(MB)=42.71           
Process=Tobii.Service             CPU_Usage=0            Memory_Usage_(MB)=14.33           
Process=TrustedInstaller          CPU_Usage=0            Memory_Usage_(MB)=1.37            
Process=UDClientService           CPU_Usage=0            Memory_Usage_(MB)=15.08           
Process=VSSVC                     CPU_Usage=0            Memory_Usage_(MB)=1.33            
Process=WUDFHost                  CPU_Usage=0            Memory_Usage_(MB)=5.82            
Process=WUDFHost#1                CPU_Usage=0            Memory_Usage_(MB)=3.84            
Process=WUDFHost#2                CPU_Usage=0            Memory_Usage_(MB)=1.01            
Process=WUDFHost#3                CPU_Usage=0            Memory_Usage_(MB)=1.07            
Process=WmiApSrv                  CPU_Usage=0            Memory_Usage_(MB)=1.67            
Process=WmiPrvSE                  CPU_Usage=0            Memory_Usage_(MB)=28.2            
Process=WmiPrvSE#1                CPU_Usage=0            Memory_Usage_(MB)=15.18           
Process=WmiPrvSE#2                CPU_Usage=5            Memory_Usage_(MB)=6.2             
Process=conhost                   CPU_Usage=0            Memory_Usage_(MB)=4.84            
Process=conhost#1                 CPU_Usage=0            Memory_Usage_(MB)=5.16            
Process=conhost#2                 CPU_Usage=0            Memory_Usage_(MB)=2.41            
Process=csrss                     CPU_Usage=0            Memory_Usage_(MB)=1.61            
Process=csrss#1                   CPU_Usage=0            Memory_Usage_(MB)=1.43            
Process=ctfmon                    CPU_Usage=0            Memory_Usage_(MB)=4.04            
Process=dwm                       CPU_Usage=0            Memory_Usage_(MB)=45.7            
Process=explorer                  CPU_Usage=0            Memory_Usage_(MB)=175.32          
Process=fontdrvhost               CPU_Usage=0            Memory_Usage_(MB)=1.31            
Process=fontdrvhost#1             CPU_Usage=0            Memory_Usage_(MB)=2.91            
Process=gamingservices            CPU_Usage=0            Memory_Usage_(MB)=4.79            
Process=ipf_helper                CPU_Usage=0            Memory_Usage_(MB)=1.16            
Process=ipf_uf                    CPU_Usage=0            Memory_Usage_(MB)=1.28            
Process=ipfsvc                    CPU_Usage=0            Memory_Usage_(MB)=2               
Process=lsass                     CPU_Usage=0            Memory_Usage_(MB)=9.21            
Process=msiexec                   CPU_Usage=0            Memory_Usage_(MB)=1.41            
Process=nahimicNotifSys           CPU_Usage=0            Memory_Usage_(MB)=13.87           
Process=nvcontainer               CPU_Usage=0            Memory_Usage_(MB)=7.32            
Process=nvcontainer#1             CPU_Usage=0            Memory_Usage_(MB)=7.39            
Process=nvcontainer#2             CPU_Usage=0            Memory_Usage_(MB)=25.64           
Process=nvsphelper64              CPU_Usage=0            Memory_Usage_(MB)=3.12            
Process=platform_runtime_AY5P_service CPU_Usage=0            Memory_Usage_(MB)=6.96            
Process=powershell                CPU_Usage=0            Memory_Usage_(MB)=27.82           
Process=services                  CPU_Usage=0            Memory_Usage_(MB)=6.02            
Process=sihost                    CPU_Usage=0            Memory_Usage_(MB)=5.7             
Process=smss                      CPU_Usage=0            Memory_Usage_(MB)=0.29            
Process=spoolsv                   CPU_Usage=0            Memory_Usage_(MB)=5.42            
Process=sppsvc                    CPU_Usage=0            Memory_Usage_(MB)=3.57            
Process=svchost                   CPU_Usage=0            Memory_Usage_(MB)=8.66            
Process=svchost#1                 CPU_Usage=0            Memory_Usage_(MB)=7.61            
Process=svchost#2                 CPU_Usage=0            Memory_Usage_(MB)=2.42            
Process=svchost#3                 CPU_Usage=0            Memory_Usage_(MB)=1.21            
Process=svchost#4                 CPU_Usage=0            Memory_Usage_(MB)=4.61            
Process=svchost#5                 CPU_Usage=0            Memory_Usage_(MB)=0.87            
Process=svchost#6                 CPU_Usage=0            Memory_Usage_(MB)=1.77            
Process=svchost#7                 CPU_Usage=0            Memory_Usage_(MB)=1.39            
Process=svchost#8                 CPU_Usage=0            Memory_Usage_(MB)=2.42            
Process=svchost#9                 CPU_Usage=0            Memory_Usage_(MB)=5.16            
Process=svchost#10                CPU_Usage=0            Memory_Usage_(MB)=6.25            
Process=svchost#11                CPU_Usage=0            Memory_Usage_(MB)=1.86            
Process=svchost#12                CPU_Usage=0            Memory_Usage_(MB)=2.39            
Process=svchost#13                CPU_Usage=0            Memory_Usage_(MB)=1.54            
Process=svchost#14                CPU_Usage=0            Memory_Usage_(MB)=5.47            
Process=svchost#15                CPU_Usage=0            Memory_Usage_(MB)=5.55            
Process=svchost#16                CPU_Usage=0            Memory_Usage_(MB)=2.34            
Process=svchost#17                CPU_Usage=0            Memory_Usage_(MB)=1.35            
Process=svchost#18                CPU_Usage=0            Memory_Usage_(MB)=0.96            
Process=svchost#19                CPU_Usage=0            Memory_Usage_(MB)=1.38            
Process=svchost#20                CPU_Usage=0            Memory_Usage_(MB)=2.62            
Process=svchost#21                CPU_Usage=0            Memory_Usage_(MB)=1.26            
Process=svchost#22                CPU_Usage=0            Memory_Usage_(MB)=0.97            
Process=svchost#23                CPU_Usage=0            Memory_Usage_(MB)=8.22            
Process=svchost#24                CPU_Usage=0            Memory_Usage_(MB)=12.91           
Process=svchost#25                CPU_Usage=0            Memory_Usage_(MB)=41.54           
Process=svchost#26                CPU_Usage=0            Memory_Usage_(MB)=0.9             
Process=svchost#27                CPU_Usage=0            Memory_Usage_(MB)=1.62            
Process=svchost#28                CPU_Usage=0            Memory_Usage_(MB)=1.91            
Process=svchost#29                CPU_Usage=0            Memory_Usage_(MB)=1.44            
Process=svchost#30                CPU_Usage=0            Memory_Usage_(MB)=1.63            
Process=svchost#31                CPU_Usage=0            Memory_Usage_(MB)=1.38            
Process=svchost#32                CPU_Usage=0            Memory_Usage_(MB)=2.73            
Process=svchost#33                CPU_Usage=0            Memory_Usage_(MB)=1.02            
Process=svchost#34                CPU_Usage=0            Memory_Usage_(MB)=1.89            
Process=svchost#35                CPU_Usage=0            Memory_Usage_(MB)=1.24            
Process=svchost#36                CPU_Usage=0            Memory_Usage_(MB)=2.28            
Process=svchost#37                CPU_Usage=0            Memory_Usage_(MB)=1.54            
Process=svchost#38                CPU_Usage=0            Memory_Usage_(MB)=5.33            
Process=svchost#39                CPU_Usage=0            Memory_Usage_(MB)=2.07            
Process=svchost#40                CPU_Usage=0            Memory_Usage_(MB)=10.98           
Process=svchost#41                CPU_Usage=0            Memory_Usage_(MB)=1.35            
Process=svchost#42                CPU_Usage=0            Memory_Usage_(MB)=6.12            
Process=svchost#43                CPU_Usage=0            Memory_Usage_(MB)=20.73           
Process=svchost#44                CPU_Usage=0            Memory_Usage_(MB)=6.93            
Process=svchost#45                CPU_Usage=0            Memory_Usage_(MB)=2.27            
Process=svchost#46                CPU_Usage=0            Memory_Usage_(MB)=0.86            
Process=svchost#47                CPU_Usage=0            Memory_Usage_(MB)=3.59            
Process=svchost#48                CPU_Usage=0            Memory_Usage_(MB)=1.49            
Process=svchost#49                CPU_Usage=0            Memory_Usage_(MB)=2.26            
Process=svchost#50                CPU_Usage=0            Memory_Usage_(MB)=44.69           
Process=svchost#51                CPU_Usage=0            Memory_Usage_(MB)=5.52            
Process=svchost#52                CPU_Usage=0            Memory_Usage_(MB)=2.33            
Process=svchost#53                CPU_Usage=0            Memory_Usage_(MB)=1.55            
Process=svchost#54                CPU_Usage=0            Memory_Usage_(MB)=1.05            
Process=svchost#55                CPU_Usage=0            Memory_Usage_(MB)=4.25            
Process=svchost#56                CPU_Usage=0            Memory_Usage_(MB)=1.82            
Process=svchost#57                CPU_Usage=0            Memory_Usage_(MB)=0.7             
Process=svchost#58                CPU_Usage=0            Memory_Usage_(MB)=1.96            
Process=svchost#59                CPU_Usage=0            Memory_Usage_(MB)=1.64            
Process=svchost#60                CPU_Usage=0            Memory_Usage_(MB)=2.39            
Process=svchost#61                CPU_Usage=0            Memory_Usage_(MB)=0.83            
Process=svchost#62                CPU_Usage=0            Memory_Usage_(MB)=8.27            
Process=svchost#63                CPU_Usage=0            Memory_Usage_(MB)=6.41            
Process=svchost#64                CPU_Usage=0            Memory_Usage_(MB)=7.38            
Process=svchost#65                CPU_Usage=0            Memory_Usage_(MB)=1.34            
Process=svchost#66                CPU_Usage=0            Memory_Usage_(MB)=1.31            
Process=svchost#67                CPU_Usage=0            Memory_Usage_(MB)=1.52            
Process=svchost#68                CPU_Usage=0            Memory_Usage_(MB)=7.32            
Process=svchost#69                CPU_Usage=0            Memory_Usage_(MB)=2.44            
Process=svchost#70                CPU_Usage=0            Memory_Usage_(MB)=4.17            
Process=svchost#71                CPU_Usage=0            Memory_Usage_(MB)=2.37            
Process=svchost#72                CPU_Usage=0            Memory_Usage_(MB)=1.58            
Process=svchost#73                CPU_Usage=0            Memory_Usage_(MB)=1.15            
Process=svchost#74                CPU_Usage=0            Memory_Usage_(MB)=2.4             
Process=svchost#75                CPU_Usage=0            Memory_Usage_(MB)=4.51            
Process=svchost#76                CPU_Usage=0            Memory_Usage_(MB)=2.22            
Process=svchost#77                CPU_Usage=0            Memory_Usage_(MB)=4.46            
Process=svchost#78                CPU_Usage=0            Memory_Usage_(MB)=2.05            
Process=svchost#79                CPU_Usage=0            Memory_Usage_(MB)=2.82            
Process=svchost#80                CPU_Usage=0            Memory_Usage_(MB)=1.22            
Process=svchost#81                CPU_Usage=0            Memory_Usage_(MB)=1.2             
Process=svchost#82                CPU_Usage=0            Memory_Usage_(MB)=2.52            
Process=svchost#83                CPU_Usage=0            Memory_Usage_(MB)=3.02            
Process=svchost#84                CPU_Usage=0            Memory_Usage_(MB)=1.48            
Process=svchost#85                CPU_Usage=0            Memory_Usage_(MB)=1.39            
Process=svchost#86                CPU_Usage=0            Memory_Usage_(MB)=2.58            
Process=svchost#87                CPU_Usage=0            Memory_Usage_(MB)=0.98            
Process=svchost#88                CPU_Usage=0            Memory_Usage_(MB)=2.19            
Process=svchost#89                CPU_Usage=0            Memory_Usage_(MB)=2.92            
Process=svchost#90                CPU_Usage=0            Memory_Usage_(MB)=2.68            
Process=unsecapp                  CPU_Usage=0            Memory_Usage_(MB)=0.96            
Process=unsecapp#1                CPU_Usage=0            Memory_Usage_(MB)=0.98            
Process=unsecapp#2                CPU_Usage=0            Memory_Usage_(MB)=1.09            
Process=wininit                   CPU_Usage=0            Memory_Usage_(MB)=1.1             
Process=winlogon                  CPU_Usage=0            Memory_Usage_(MB)=1.45            

The above report is from the fixlog.txt.
 

What's important is to identify which process is depleting your resources.

Let's try an online scan.

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner; please do so.

  • The downloaded file will normally have a unique name such as: q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report; click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply
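The helper's point above is that the Fixlog.txt process listing only tells you something once you find the entries that are actually consuming CPU, and that instances of the same image (svchost, WmiPrvSE, and so on) appear as separate `#N` rows. The following is an added example, not part of this thread and not one of the tools the helper uses: a small Python parser for that `Process=... CPU_Usage=... Memory_Usage_(MB)=...` format that lists the non-idle entries and totals each image across its instances. The sample lines are an excerpt of the listing quoted above; the function names are my own.

```python
import re
from collections import defaultdict

# Excerpt of the Fixlog.txt process listing quoted in this thread (constructed
# subset; the full log has well over a hundred entries).
SAMPLE_LOG = """\
Process=AggregatorHost            CPU_Usage=0            Memory_Usage_(MB)=1.38
Process=FRST64                    CPU_Usage=0            Memory_Usage_(MB)=25.84
Process=Memory Compression        CPU_Usage=0            Memory_Usage_(MB)=0.01
Process=MoUsoCoreWorker           CPU_Usage=16           Memory_Usage_(MB)=4.21
Process=MsMpEng                   CPU_Usage=16           Memory_Usage_(MB)=326.07
Process=WmiPrvSE                  CPU_Usage=0            Memory_Usage_(MB)=28.2
Process=WmiPrvSE#1                CPU_Usage=0            Memory_Usage_(MB)=15.18
Process=WmiPrvSE#2                CPU_Usage=5            Memory_Usage_(MB)=6.2
Process=powershell                CPU_Usage=0            Memory_Usage_(MB)=27.82
Process=svchost                   CPU_Usage=0            Memory_Usage_(MB)=8.66
Process=svchost#1                 CPU_Usage=0            Memory_Usage_(MB)=7.61
Process=svchost#50                CPU_Usage=0            Memory_Usage_(MB)=44.69
"""

# Image names may contain spaces ("Memory Compression"), so the name group is
# lazy and terminated by the whitespace that precedes CPU_Usage=.
LINE_RE = re.compile(
    r"^Process=(?P<name>.+?)\s+CPU_Usage=(?P<cpu>\d+)\s+"
    r"Memory_Usage_\(MB\)=(?P<mem>[\d.]+)\s*$"
)


def parse_process_log(text):
    """Parse listing lines into dicts; lines that do not match are skipped.

    'instance' keeps the '#N' suffix FRST uses to distinguish several copies of
    one image; 'image' is the bare name used for aggregation.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        instance = m.group("name").strip()
        rows.append({
            "instance": instance,
            "image": instance.split("#", 1)[0],
            "cpu": int(m.group("cpu")),
            "mem_mb": float(m.group("mem")),
        })
    return rows


def busy_processes(rows, cpu_threshold=0):
    """Instances whose sampled CPU exceeds the threshold, busiest first."""
    return sorted(
        (r for r in rows if r["cpu"] > cpu_threshold),
        key=lambda r: (-r["cpu"], r["instance"]),
    )


def aggregate_by_image(rows):
    """Sum CPU and memory over all instances of each image name."""
    agg = defaultdict(lambda: {"instances": 0, "cpu": 0, "mem_mb": 0.0})
    for r in rows:
        a = agg[r["image"]]
        a["instances"] += 1
        a["cpu"] += r["cpu"]
        a["mem_mb"] = round(a["mem_mb"] + r["mem_mb"], 2)
    return dict(agg)


if __name__ == "__main__":
    rows = parse_process_log(SAMPLE_LOG)
    print("Non-idle entries in this sample:")
    for r in busy_processes(rows):
        print(f"  {r['instance']:<20} cpu={r['cpu']:>3}%  mem={r['mem_mb']:.2f} MB")
    print("Per-image totals:")
    for image, a in sorted(aggregate_by_image(rows).items()):
        print(f"  {image:<20} instances={a['instances']} cpu={a['cpu']}% mem={a['mem_mb']} MB")
```

One caveat the thread itself illustrates: the listing is a single snapshot, so a process that peaks for a split second (as the screenshots describe) can easily show `CPU_Usage=0` here. A short-lived spike is better caught by sampling repeatedly and keeping any instance that is ever non-zero, which is what `busy_processes` over the union of several parsed snapshots would give you.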

Use this application to remove tools used and their quarantined items:
 
Please download KpRm by Kernel-panik and save to your Desktop.

  • Click on KpRm.exe to run the tool.

Vista/Windows 7/8/10 users right-click and select Run As Administrator.

  • Put a check mark next to these items:

- Delete tools

- Create Restore Point

- Delete now

  • Click the "Run" button.


  • When the tool has finished, it will create and open a log report and delete itself.

A few final recommendations:
 
The following information will help you to keep your computer and data safer, as well as improve your overall privacy:

Malwarebytes Browser Guard

uBlock Origin

Cybersecurity basics & protection
 
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity
 
Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/
 
Please review the following to help you better protect your computer and privacy:
 
Tips to help protect from infection
 
Hopefully, we've been able to assist you with correcting your system issues.
 
Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.
