
I have a virus. The same pop up keeps coming every time I close it.



Hey everyone,

I've attached a screenshot of the pop-up window. It won't go away and my fans are blaring at full speed constantly ever since this virus came in. It wouldn't even let me install Malwarebytes. The setup would close automatically every time I ran it. I managed to download the offline installer and install it in safe mode, but it won't run, not even in safe mode. I'm also attaching the error I get when opening Malwarebytes. I'm completely lost about what to do now. Help is greatly appreciated.

Screenshot 2024-09-05 095938.png

error.png


@Awais_Afzal I understand that you can't run Malwarebytes at this time but do everything else in the following.

 

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes: Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point  <<<<< Important.
  • Temporarily disable your antivirus real-time protection or other security software first, only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup   Windows 8 and newer only <<<<< Important.
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
       RESTART the computer <<<<< Important.
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply


Then be patient for the next expert to take your case. <<<<< Important.

 

Thank you


2 minutes ago, Porthos said:

I have attached FRST for you. Unzip it to your desktop and run it with the previous instructions.

FRST64English.zip 1.76 MB · 0 downloads

Thank you for this. Farbar automatically closes every time I run it, just like the Malwarebytes setup initially. The virus is too strong! Will Farbar work in safe mode?


  • Root Admin

Thank you for the logs @Awais_Afzal

Please follow the steps below

[ 1 ]

 

The GUEST account is enabled on this system. That is dangerous and the account needs to be disabled.

 

For security reasons, the built-in Guest account is disabled by default. This prevents users from having an option to log on to the system as Guest.

It can only be enabled from the administrator account. However, since it is enabled, disable it following these steps.

  1. Press Windows Key + X on the Keyboard
  2. Click on Control Panel
  3. Click on the User Accounts and Family Safety
  4. Click on User Accounts
  5. Click on the Manage another account
  6. If prompted by User Account Control (UAC), then click on Yes
  7. Click on the listed Guest account
  8. If prompted by User Account Control (UAC), then click on Yes
  9. Click on the listed Guest account
  10. Click on the Turn off the Guest account link

 

You can also click on Start and type in CMD.EXE. When it shows, right-click and select "Run as administrator", then copy and paste or type the following into the window and press the Enter key:

 

net user guest /active:no

 

 

[ 2 ]

Please go to Control Panel, Programs, Programs and Features, Uninstall a program (it may not allow you to do this in Safe Mode; once step 3 is done you can go back to Normal Mode).

Then right-click and uninstall the following:

All versions of Java (these are all old versions and possibly compromised):

Java 8 Update 251 (64-bit)
Java 8 Update 251
Java(TM) SE Development Kit 19.0.2 (64-bit)

 

[ 3 ]

The Farbar (FRST) program is located here in your Desktop folder: C:\Users\awais\OneDrive\Desktop\FRSTEnglish.exe

Please follow the process below to perform a fix in Safe Mode.

 

Start in Safe mode:

  • Press the Windows icon on the keyboard together with the letter I, to get into the Settings.
  • Choose Update and Security.
  • From the menu at the left, choose Recovery.
  • Under the title Advanced startup at the right, choose Restart now.
  • From the window that will appear choose Troubleshoot and then Advanced options.
  • Choose Startup Settings and then Restart.
  • Press number 5, for choosing Safe mode with networking.
  • You will know that you are in Safe mode if the background is black and Safe mode is written at the four corners of the screen.


After that:

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.

 

Start::
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction
GroupPolicy: Restriction
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-3366070857-1315125604-2358455227-1001\...\StartupApproved\Run: => "MicrosoftEdgeAutoLaunch_C8C5F14D9F939581B027DE5D572E5264"
HKLM\...\Run: [Realtek HD Audio] => C:\ProgramData\ReaItekHD\taskhostw.exe [27418640 2024-08-17] (Realtek Semiconductor) [File not signed] <==== ATTENTION
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [646776 2020-03-12] (Oracle America, Inc. -> Oracle Corporation)
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center: Restriction <==== ATTENTION
HKU\S-1-5-21-3366070857-1315125604-2358455227-1001\...\Run: [MicrosoftEdgeAutoLaunch_C8C5F14D9F939581B027DE5D572E5264] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start [3741248 2024-09-03] (Microsoft Corporation -> Microsoft Corporation)
HKU\S-1-5-21-3366070857-1315125604-2358455227-1001\...\Run: [BitTorrent] => C:\Users\awais\AppData\Roaming\BitTorrent\BitTorrent.exe [2261512 2024-05-01] (BitTorrent Inc -> BitTorrent Limited)
HKU\S-1-5-21-3366070857-1315125604-2358455227-1001\...\Run: [bt] => C:\Users\awais\AppData\Roaming\BitTorrent\BitTorrent.exe [2261512 2024-05-01] (BitTorrent Inc -> BitTorrent Limited)
HKU\S-1-5-21-3366070857-1315125604-2358455227-1001\...\MountPoints2: {a1074b90-c62e-11ed-b2e4-68545a456293} - "F:\setup.exe" 
IFEO\mpcmdrun.exe: [Debugger] C:\WINDOWS\System32\systray.exe
GroupPolicy: Restriction ? <==== ATTENTION
hosts:
Task: {AC48A64E-1801-463E-9641-614613B9110E} - System32\Tasks\Microsoft\Windows\CheckGlobalB\RecoveryHosts => C:\ProgramData\Microsoft\MapData\vrsAgB5MbpqeG\CheckGlobalB.bat [2078 2024-09-03] () [File not signed] <==== ATTENTION
Task: {0BD7261F-4C72-4287-A1B5-B94544E920DB} - System32\Tasks\Microsoft\Windows\CheckGlobalB\vrsAgB5MbpqeG => C:\Programdata\ReaItekHD\taskhost.exe [20832784 2024-08-17] (Microsoft Corporation) [File not signed] <==== ATTENTION
Task: {4CE51B30-A2D4-4AED-B377-2E9875BF2632} - System32\Tasks\Microsoft\Windows\WindowsBackup\BackUpFiles => C:\Programdata\ReaItekHD\taskhost.exe [20832784 2024-08-17] (Microsoft Corporation) [File not signed] <==== ATTENTION
Task: {2B0B1218-43F7-4097-B311-F9004FAEEF7B} - System32\Tasks\Microsoft\Windows\WindowsBackup\ManagerService => C:\Programdata\ReaItekHD\taskhostw.exe [27418640 2024-08-17] (Realtek Semiconductor) [File not signed] <==== ATTENTION
Task: {A467FC81-6B7D-4EE0-A01E-81A3F045A28F} - System32\Tasks\Microsoft\Windows\WindowsBackup\OnlogonCheck => C:\Programdata\ReaItekHD\taskhostw.exe [27418640 2024-08-17] (Realtek Semiconductor) [File not signed] <==== ATTENTION
Task: {F3D75F9F-6CD1-4748-B859-1BC8B225B3BE} - System32\Tasks\Microsoft\Windows\WindowsBackup\SysFiles => C:\Windows\SysWOW64\unsecapp.exe [13683216 2023-08-07] (Microsoft Corporation) [File not signed] <==== ATTENTION
Task: {EA08A148-4968-4C0C-ACBF-9395BCEF4FEE} - System32\Tasks\Microsoft\Windows\WindowsBackup\WinlogonCheck => C:\Programdata\ReaItekHD\taskhost.exe [20832784 2024-08-17] (Microsoft Corporation) [File not signed] <==== ATTENTION
Task: {EC0E83E3-EE81-43E5-B79D-DBE2C2BC2A01} - System32\Tasks\Microsoft\Windows\Wininet\winser => C:\ProgramData\Windows Tasks Service\winserv.exe [10675712 2021-05-28] (tox) [File not signed] -> Task Service\winserv.exe <==== ATTENTION
Task: {A2E0E7FF-66AD-4E79-AEBB-6E21D8B6D5F3} - System32\Tasks\Microsoft\Windows\Wininet\winsers => C:\ProgramData\Windows Tasks Service\winserv.exe [10675712 2021-05-28] (tox) [File not signed] -> Task Service\winserv.exe <==== ATTENTION
C:\ProgramData\Windows Tasks Service
Task: {16D1E88A-985B-4873-BF3F-987068476D0F} - System32\Tasks\Service\Data => "C:\Users\awais\AppData\Roaming\ServiceData\Tavokedag.exe"  -> "C:\Users\awais\AppData\Roaming\ServiceData\Tavokedag.jpg"
zip: C:\Users\awais\AppData\Roaming\ServiceData;C:\Program Files\RDP Wrapper
ProxyServer: [S-1-5-21-3366070857-1315125604-2358455227-1001] => 127.0.0.1:8892
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
S3 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2024-09-03] (Stas'M Corp.) [File not signed] <==== ATTENTION (no ServiceDLL)
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
End::

 

  • Right-click on FRSTEnglish in your Downloads folder, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in your Downloads folder or where you have the Farbar program located.
  • Attach that log in your next reply.
 
Thank you
 
 
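As an added example (not code from this thread, from Malwarebytes or from FRST), the following Python triages constructed FRST-style lines against the kinds of indicators the fix above targets: an IFEO Debugger registered for mpcmdrun.exe, Defender policy restrictions, unsigned binaries launched from ProgramData, the look-alike folder name ReaItekHD (capital I in place of lowercase l), a localhost proxy and an unsigned service binary. The sample lines (with shortened GUIDs and SIDs), the rule names and the EXPECTED_NAMES list are assumptions made for illustration.

```python
import re

# Constructed FRST-style log lines modelled on the fixlist in the thread above
# (GUIDs and SIDs shortened; these are not copied from a real scan).
SAMPLE_LINES = [
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION",
    r"IFEO\mpcmdrun.exe: [Debugger] C:\WINDOWS\System32\systray.exe",
    r"Task: {GUID-1} - System32\Tasks\Microsoft\Windows\CheckGlobalB\x => C:\Programdata\ReaItekHD\taskhost.exe [20832784 2024-08-17] (Microsoft Corporation) [File not signed]",
    r"HKLM\...\Run: [Realtek HD Audio] => C:\ProgramData\ReaItekHD\taskhostw.exe [27418640 2024-08-17] (Realtek Semiconductor) [File not signed]",
    r"ProxyServer: [S-1-5-21-X-1001] => 127.0.0.1:8892",
    r"S3 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2024-09-03] (Stas'M Corp.) [File not signed]",
    r"HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [646776 2020-03-12] (Oracle America, Inc. -> Oracle Corporation)",
]

# Legitimate vendor folder names (assumed list); a look-alike using capital I for lowercase l is flagged.
EXPECTED_NAMES = {"RealtekHD"}
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|bat))", re.I)

def homoglyph_component(path):
    """Return the path component that matches an expected name only after swapping I for l, else None."""
    for part in path.split("\\"):
        if part not in EXPECTED_NAMES and part.replace("I", "l") in EXPECTED_NAMES:
            return part
    return None

def triage(lines):
    """Classify FRST-style lines into (rule, detail) findings."""
    findings = []
    for line in lines:
        m = re.match(r"IFEO\\(\S+): \[Debugger\] (.+)", line)
        if m:  # a Debugger value for an AV executable redirects every launch of it
            findings.append(("ifeo_debugger", f"{m.group(1)} -> {m.group(2)}"))
        if re.search(r"Windows Defender.*: Restriction", line):  # policy keys that keep Defender off
            findings.append(("defender_policy_restriction", line.split(":")[0]))
        m = re.match(r"ProxyServer: .*=> (127\.0\.0\.1:\d+)", line)
        if m:  # a local proxy can intercept or block the browser's traffic
            findings.append(("localhost_proxy", m.group(1)))
        p = PATH_RE.search(line)
        path = p.group(1) if p else None
        if path:
            bad = homoglyph_component(path)
            if bad:
                findings.append(("homoglyph_folder", bad))
            if "[File not signed]" in line:
                if re.search(r"\\programdata\\", path, re.I):  # writable by users, no vendor signature
                    findings.append(("unsigned_in_programdata", path))
                if re.match(r"S\d ", line):  # service entry backed by an unsigned binary
                    findings.append(("unsigned_service_binary", path))
    return findings
```

Run `triage(SAMPLE_LINES)` to see the findings; the signed Java entry in the sample produces none, which is the expected behaviour for a legitimately signed autostart.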

  • Root Admin

Thank you for the log @Awais_Afzal

That should have cleaned enough to get you back into Windows Normal mode.

Please run the following scans now and we'll see what else is left over to clean up.

 

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/


Scan with Malwarebytes
https://forums.malwarebytes.com/topic/304827-scan-with-malwarebytes/


Scan with AdwCleaner
https://forums.malwarebytes.com/topic/304822-scan-with-adwcleaner/

 

Thank you

 

 

 

 


Here are all the logs I've managed to get. Malwarebytes still won't run and gives me the same error as before (screenshot attached in my first message of the post). I tried uninstalling Malwarebytes so I could reinstall it, but I can't uninstall it either.
 

When going through the prerequisite steps for AdwCleaner I couldn't create a system restore point. I'm getting the same error message as when I tried before. The screenshot is in an earlier message. Not sure if I should proceed with the rest of the steps for running the scan without the precautions.

FRST.txt Addition.txt FSS.txt SecurityCheck.txt


  • Root Admin

Thank you for the logs @Awais_Afzal

It will take a few fixes to get the system cleaned up again.

 

Please run the following

 

AV Block Remover:

  • Download the utility archive from one of these links: AV block remover or from a mirror
  • Extract the archive to any folder on your computer (the executable file should be in a subfolder with a random name, not on the desktop or in the Downloads folder)
  • Rename the file AVBR.exe (for example: AV_b_r.exe), or use a version with a random filename
  • Right-click the renamed AVBR.exe file and run as an administrator
  • Wait for the utility to finish; the computer will automatically be restarted.
  • If this method doesn't work, run this tool from another folder, NOT from your Desktop or Downloads folder (use any other folder)
  • If the malware still blocks the utility, then try to run it in Safe Mode with Networking
  • In the utility folder, a file named AV_block_remove_date-time.log will be created
  • Attach that file in your next reply

 

 


  • Root Admin

Great, thank you for the log @Awais_Afzal

Please run the following now

 

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as: q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report; click that, and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

 

