Unsolvable malware problem


  • This topic is locked
26 replies to this topic

#1 santare

  • Members
  • 225 posts

Posted 15 February 2016 - 10:15 AM

The computer is/was suffering from a rootkit infection, which is maybe deleted and there may be some remnants left. I was asked to start a new thread. The problems on this computer are:

a) the clock needs to be changed from time to time when the computer is turned on

b) a card software I have and when I play cards in that software, instead of one card moving with a click of the mouse, three cards move (this is not a set feature in the program)

c) mouse is pointing me to click ads on the webpages I visit

d) when I want to click on back button instead of getting to the page I was viewing before, I get to the page I was viewing before that

e) I am having trouble highlighting texts, I have to hold a left mouse button tight, so I can highlight it

f) when I want to delete text, it somehow highlights the text on its own

g) I don't have access to some https:// sites

h) one time when I tried (foolishly) to end services.exe, which I've never seen before in task manager, I got an error saying that the computer is going to shut down in 60 seconds

i) this is the second thread I created here, since my malware helper like me was left out of options

 




#2 fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts

Posted 16 February 2016 - 09:06 AM

Hello

Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.

 

 

 

 

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 santare

Posted 16 February 2016 - 10:13 AM

Funnily enough, today as of this writing, I had no issues with browsing, but that doesn't mean that the problem is solved. Do you want me to report on the condition of the computer as we go along, or do I do it after we've done it all?



#4 fireman4it

Posted 16 February 2016 - 10:23 AM

I need you to report how the machine is running every time you reply. I am glad to hear the problem seems to be resolved. Would you care to post the results from the FRST scan instructions from my last post for me to take a look at?


Edited by fireman4it, 16 February 2016 - 10:23 AM.
spelling


#5 santare

Posted 16 February 2016 - 06:49 PM

Well, I had the problems again, and they sometimes occur or don't. I've said in my post that it seems to be solved. One thing I want to mention is sometimes when I open Internet Explorer, I am disconnected from Google profile and I cannot access Google until it reconnects me again. Sometimes the Internet Explorer shortcut gets renamed. I still have issues with the card game. I'd like to know why I got the message that the computer will shut down in 60 seconds after I terminated services.exe. I don't want to close this thread just yet, because I don't see the problem as being solved. Mind you, this is only today, it may be different tomorrow.

Attached files: FRST.txt (18.4KB), Addition.txt (20.45KB)



#6 fireman4it

Posted 17 February 2016 - 01:45 PM

when I open Internet explorer, I am disconnected from Google profile and I cannot access Google until it reconnects me again

This may be a setting in IE. Not sure, that's not my area of expertise.

Sometimes Internet explorer shortcut gets renamed

This may be when you visit that site they have upgraded or changed so their symbol or look may change.

I still have issues with the card game.

This you will have to take up with the owner of this software.

I'd like to know why did I get the message that the computer will shut down in 60 seconds after I terminated services.exe.

Services.exe is an executable that is crucial for Windows to run. This is why it shut down, because you terminated a crucial service Windows needs to operate.

I see no signs of malware in your logs. Let's try one more scanner to see if it finds anything.

Emsisoft Emergency Kit
  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled). A screen like this will appear: [screenshot]
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon [icon image] will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear: [screenshot]
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish. [screenshot]
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop. [screenshot]
  • Please Copy and Paste the contents of the scan log in your next reply.


#7 santare

Posted 17 February 2016 - 04:09 PM

 

when I open Internet explorer, I am disconnected from Google profile and I cannot access Google until it reconnects me again

This may be a setting in IE. Not sure, that's not my area of expertise.

A blue man next to my full name (i.e. Google profile) sometimes gets signed out and reconnects me again.

Sometimes Internet explorer shortcut gets renamed

This may be when you visit that site they have upgraded or changed so their symbol or look may change.

No, I have a shortcut on my desktop named Internet Explorer, so sometimes I see that my desktop shortcut gets renamed from Internet Explorer to musc.

I still have issues with the card game.

This you will have to take up with the owner of this software.

In the card game the mouse is turning too fast and I know the software and the software doesn't work like that.

I'd like to know why did I get the message that the computer will shut down in 60 seconds after I terminated services.exe.

Services.exe is an executable that is crucial for Windows to run. This is why it shut down, because you terminated a crucial service Windows needs to operate.
 
 

 



#8 santare

Posted 17 February 2016 - 04:11 PM

I still have trouble highlighting text, I have to highlight it multiple times so I can copy and paste it.



#9 santare

Posted 17 February 2016 - 04:13 PM

Regarding the card game, the developer has got nothing to do with it. One card should move with a click of the mouse and not three, however when I play with keyboard none of the issues occur. If it were up to the developer, then playing with keyboard should be the same.



#10 santare

Posted 17 February 2016 - 04:19 PM

I don't have access to some https:// sites. And sometimes when I view VLC player and close the window of the VLC player, the IE window that is open at the same time, closes the instant I close VLC player window. In order for IE window to close I have to click on the x, but what happens is it closes on its own, together with closing of the VLC player window.



#11 fireman4it

Posted 17 February 2016 - 04:26 PM

Please run and post the Emsisoft log. These all appear not to be related to any malware.

Tweaking.com - Windows Repair All-In-One (Portable)

- Download Windows Repair All-In-One (Portable Version) from here.

- Extract tweaking.com_windows_repair_aio.zip to your Desktop.

- Disable all your antivirus and antimalware software - see how to do that here.

- Right click on [icon image] and select Run as Administrator (XP users just double click) to start Windows Repair All-In-One.
(Windows Vista/7/8 users: Accept UAC warning if it is enabled.)

- A window will appear. Click Step 2. [screenshot]

- Click the Open Pre-Scan button, then click Start Scan. Wait for Windows Repair to finish scanning.

- Depending on which error Windows Repair found, click Repair Reparse Point or Repair Environment Variable accordingly. When the button changes to "Done!", click the close button to return to Windows Repair.

- Go to Step 3, then click Check in the See If Check Disk Is Needed.

- If Windows Repair stated that errors are found, click Open Check Disk At Next Boot. Choose (/R) Fixes errors on the disk also locate bad sectors and recovers readable information, then click Add To Next Boot. Reboot the computer to let Windows check the disk. [screenshot]

- Go to Step 4, then click Do It. [screenshot]

- Go to Step 5. Under System Restore click Create. [screenshot]

- Go to Repairs and click Open Repairs. Leave all checkmarks as they are, then click Start Repairs. [screenshot]

- By default Windows Repair All-In-One will create a "Logs" folder in its folder on the Desktop. Please post the contents of the log in your next reply.

How is the machine running after completing these steps?


#12 santare

Posted 18 February 2016 - 10:07 AM

So, let's say you have a shortcut called mbam on your desktop and you suddenly see it renamed to mbac all by itself, you don't consider that malware? This is how I first noticed I had a rootkit on the system.



#13 fireman4it

Posted 19 February 2016 - 02:46 PM

So, let's say you have a shortcut called mbam on your desktop and you suddenly see it renamed to mbac all by itself, you don't consider that malware? This is how I first noticed I had a rootkit on the system.

 

 

None of the logs are showing a Rootkit Malware. Did you run the Windows Repair tool as I requested? If not, please do so now. Also run this tool and post the log also.

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2
  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", click the "Report" button to show the log, and then close the program. <--Don't fix anything!
  • Copy and paste the report that opens into your next reply.
  • The log can also be found in the following location: C:\ProgramData\RogueKiller\Logs\RKreport_SCN_mmddyyyy_hhmmss.log
  • >>For XP users, you must first show hidden files/folders, then the log location is here: C:\Documents and Settings\All Users\Application data\RogueKiller\Logs\RKreport_SCN_mmddyyyy_hhmmss.log




#14 santare

Posted 20 February 2016 - 06:40 AM

I am visiting a site, which constantly asks me for a check that I'm not a robot, because I have an unusual connection. The site says if I get this often, that I should check for malware or viruses, so far it is the third time since it happened.

Repair Reparse Point or Repair Environment Variable, how do I know which one to click, if I have two options?



#15 fireman4it

Posted 21 February 2016 - 03:31 PM

 

Repair Reparse Point or Repair Environment Variable,

What do you mean by this?

Can you please post the RogueKiller log?





