
System infected Windows 10


34 replies to this topic

#1 GrimAlchemist


Posted 12 April 2016 - 12:40 AM

Was trying to run Windows Media Player for a video and had a pop-up about a new codec. Started following the prompts for what I thought was an update until I started receiving system messages from Windows Defender about detected malware several times, and then a message about a problem trying to be fixed. New programs were appearing on the desktop and pinned to the taskbar: FrivLauncher, KNCTR, Note-up. There were some other recently added programs: Onesoftperday, MobilePCStarterKit. When I went to the Action Center to try and see what progress Windows Defender was making, I had the following message: "Windows Defender is turned off by group policy." The internet browser (Chrome) was trying to open new tabs without my input. My computer tried to restart itself. I was able to shut it off myself and then restart in safe mode.

I'm pretty sure this is a virus of some description, and I posted here hoping to be redirected to the correct forum.

Thanks in advance for the help.



#2 daScholar


Posted 12 April 2016 - 12:48 PM

Have you run a Malwarebytes scan? If not, download here https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ and install it and run a scan (You will probably want to uncheck the "MBAM Premium Trial").

 

Quarantine and delete anything it finds. It will require a restart, and then check to see if you still get the error for Windows Defender. Also, while Malwarebytes is running, see if you can uninstall any of it from your Installed Programs list.

 

Let me know what your progress is. I'm guessing this won't clean up everything quite yet but I wanna see if you get this far without any trouble from the virus/malware you got.


If you think what I've said is helpful consider visiting my site. HelpfulDesk.Org A new site I'm building to help those with computer questions.

 

It's a brand new site. So any support you can give (inquiries, comments, visits) is appreciated immensely.

 

Be awesome out there ~ daScholar


#3 GrimAlchemist


Posted 12 April 2016 - 02:35 PM

Running my system in Safe Mode w/ Networking, I was able to download and install Malwarebytes, and began a scan.  

 

While it was scanning, I went to add/remove programs and checked by install date to find a large list of programs I didn't recognize and recently installed, and went through the list to attempt to uninstall all of them.  (I wrote the names of the programs if that information would be useful to the help you're providing.)

 

The scan completed with 542 threats detected, mostly Potentially Unwanted Programs, the rest were Malware.  They were all quarantined, and the system restarted to complete the removal.  (The results of the scan and the quarantine were both saved if you would like to see those.)  The system restarted, no longer in safe mode.  After a few minutes, Malwarebytes restarted the system again, with a recommendation to run an additional scan.  

 

After the second restart, and waiting several minutes, it sounded like there was a lot of activity on my system, so I checked Task Manager, and found a lot of disk usage/activity coming from 'Service Host: Local System (Network Restricted) (7)' and '... (8)', and from 'wsappx (2)'.  That could be completely harmless, but I thought to include it in case it was pertinent.

 

After a second Malwarebytes scan, 3 threats were detected.  PUPs - Registry Values and Registry Key.  Those were quarantined successfully.  A third scan detected 0 threats.

 

Checking Windows Defender found the same problem as before - 'This app is turned off by group policy.'

 

I also rechecked Add/Remove programs and found that all of the suspicious programs before had been removed/disappeared from the list, except for one - 'Net Stream 1.0'.  It doesn't seem to uninstall.

 

I restarted again and then came here to provide this progress update.  (still no longer in safe mode)


Edited by GrimAlchemist, 12 April 2016 - 02:37 PM.


#4 daScholar


Posted 12 April 2016 - 03:01 PM

What kind of error are you getting when you try to uninstall Net Stream 1.0? Or does it pretend to go through and then not go away? I haven't seen that one before, but we'll get this figured out.

 

We are gonna try to manually reset the permissions to allow Windows Defender to run.

Give this a try

1. Open Local Group Policy

Press the Windows + R keys to open the Run dialog, type gpedit.msc, and press Enter

2. In the left pane of Local Group Policy Editor, navigate to the location below.

 Computer Configuration/Administrative Templates/Windows Components/Windows Defender

3. In the right pane of Windows Defender in Local Group Policy Editor, double click/tap on the Turn off Windows Defender policy to edit it. (see screenshot above)

4. Select (dot) Not Configured (this is the default) click/tap on OK

5. When finished, you can close the Local Group Policy Editor if you like.

 

 

Edit: I've been looking around; a possible solution to getting rid of Net Stream 1.0 is this: it's a junkware removal tool also made by Malwarebytes.

Edit 2: wsappx and the service host processes are normal, and can at times use up resources. I wouldn't worry about those


Edited by daScholar, 12 April 2016 - 03:08 PM.



#5 GrimAlchemist


Posted 12 April 2016 - 03:15 PM

When attempting to Uninstall NetStream 1.0 - used the Uninstall button > This app and its related info will be uninstalled > second Uninstall button, and then nothing seems to happen.

 

Tried to open Local Group Policy, but entering 'gpedit.msc' into the Run dialog returned "Windows cannot find 'gpedit.msc'.  Make sure you typed the name correctly, and then try again."  Checking my spelling and trying again yields the same results.

 

edit: Tried using the Junkware Removal Tool.  After successfully running it and then restarting my system, NetStream 1.0 is still on my installed programs list, but it did at least find 23 other items to be removed, so there was some help.  I have a log produced by JRT if it's something you want to see.


Edited by GrimAlchemist, 12 April 2016 - 03:41 PM.


#6 daScholar


Posted 12 April 2016 - 03:59 PM

Oops, forgot that gpedit.msc isn't directly available on Windows 10. You can look up how to install it, or a possibility is to edit the registry to re-enable Windows Defender.

 

 

Download this and run it, and confirm you want the changes made. Restart your computer and see if that works.

 http://www.tenforums.com/attachments/tutorials/18531d1430935545-windows-defender-turn-off-windows-10-a-turn_on_windows_defender.reg


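An added PowerShell check (my example, not code from this thread or from the linked .reg file) that inspects the registry policy values behind the "turned off by group policy" message and removes them when set. It assumes an elevated prompt on Windows 10; the key and value names are the standard Windows Defender policy locations.

```powershell
# Added example, not from the thread: inspect and clear the Defender policy values
# that produce "Windows Defender is turned off by group policy".
# Run from an elevated PowerShell prompt on Windows 10.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpKey    = Join-Path $policyKey 'Real-Time Protection'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns the DWORD if the policy is set, or $null when it is Not Configured.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.PSObject.Properties.Name -notcontains $Name) { return $null }
    return [int]$item.$Name
}

function Clear-DefenderDisablePolicy {
    # Each entry is one policy value that, when set to 1, keeps Defender switched off.
    $checks = @(
        @{ Key = $policyKey; Name = 'DisableAntiSpyware' },
        @{ Key = $rtpKey;    Name = 'DisableRealtimeMonitoring' }
    )
    foreach ($c in $checks) {
        $val = Get-PolicyValue -Key $c.Key -Name $c.Name
        if ($val -eq 1) {
            Write-Host "Found $($c.Name)=1 under $($c.Key) - removing"
            Remove-ItemProperty -LiteralPath $c.Key -Name $c.Name
        } else {
            Write-Host "$($c.Name): not set"
        }
    }
}

Clear-DefenderDisablePolicy
# Verify the engine state; a restart may still be needed before the service comes up.
Get-MpComputerStatus | Select-Object AntivirusEnabled, AntispywareEnabled, RealTimeProtectionEnabled
```

If the policy value reappears after a restart, something on the system is still re-writing it, which is the situation later in this thread.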


#7 GrimAlchemist


Posted 12 April 2016 - 04:36 PM

The registry update successfully re-enabled Windows Defender.  As soon as it was active again, it began finding malware, and then a trojan.  Over the course of 15 minutes it had me restart my computer to administer a number of fixes.  This is a link to the threat it found and seems to have handled.

 

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Trojan%3aWin64%2fPatched.AZ.gen!dll&threatid=-2147259256&enterprise=0

 

The latest restart seems to be stable.  I am now letting Windows Defender run a scan.

 

Just to check, NetStream 1.0 is still in the installed programs.



#8 daScholar


Posted 12 April 2016 - 04:50 PM

Glad to hear the progress. K this is one of the programs I use to "force" uninstall programs. It's worked for me most of the time with difficult situations - Revo Uninstaller

 

BTW, I would actually like the logs of removed items. I'm starting a website right now about troubleshooting these kinds of things, and having a log of what program cleans up what could come in handy. Trying to get the ball rolling and all, haha.




#9 GrimAlchemist


Posted 12 April 2016 - 06:23 PM

Revo uninstaller, using moderate setting, was able to remove NetStream 1.0.  During the uninstall there was a system message from Windows that Real-time Virus Protection was disabled, similar to the messages I was getting back before things were cleaned up with Malwarebytes and Windows Defender.  When I checked Windows Defender, it told me that real-time protection was on.

 

Following the uninstall of NetStream 1.0, I restarted my computer.  After the restart, I was not prompted to enter my password for my Microsoft account, and it logged into Windows on a temporary account.  Restarting to try again, I was prompted to enter my password and Windows seems to have loaded normally into my account.  I intend to give Malwarebytes and Windows Defender another scan.

 

There have been some defaults and settings changed in my browser at least that I have been working on restoring, and I expect some other lingering problems might start cropping up.  Are there any other programs/scans/services you can recommend using in the wake of this situation?

 

Thank you for the help you've provided so far.  I'll provide those logs for you shortly.



#10 daScholar


Posted 12 April 2016 - 06:54 PM

Resetting your browser is definitely the next big step. Depending on your browser check the "plugins" or "addons" list. There could be things in there you don't recognize and it's safe to say you can get rid of them.

 

The fact that you got a "real-time antivirus disabled" message tells me that was a particularly good thing to get rid of, as it probably was trying to subvert other anti-virus efforts.

 

With Windows going into that temporary account that could have been another issue to resolve but it seems like windows was able to repair your normal account. Yay!

 

As far as removal of further malware I can't think of any. Obviously, I'm not with your computer but my gut says we've gotten rid of the big nasties that were plaguing your computer. Do you have any further concerns that you need help with?

 

Once you feel confident your computer has been scrubbed clean sufficiently my recommendations are:

1. Download CCleaner run that both on the Hard Drive Scans, and Registry Scans

2. Download Defraggler -> Defragment your hard drive

3. (Semi-Optional) Backup your system

 

If you wanna email me those logs you can send them to it@helpfuldesk.org. HelpfulDesk.org is the site I'm making that I mentioned earlier. Feel free to shoot me an email there if you ever want some help from me again.


Edited by daScholar, 12 April 2016 - 06:55 PM.



#11 GrimAlchemist


Posted 12 April 2016 - 07:56 PM

Came back and was reading this very response when things started to go awry again.  The browser closed and things started to change again.  A cmd prompt appeared, something in regards to BITSAdmin.  Did not get a chance to see what it was displaying before it closed, and new programs and changes started taking place.  'BrowserAir' was installed and appeared on my desktop and pinned to the taskbar, and also on the taskbar was Microsoft Edge (which wasn't there before) as well as something called just 'Search'.  Browser settings for Chrome were changed again, including a new homepage and search engine defaults - www-searching.com, clearly bait to try and get more malware downloaded through a 'scan now' warning flashing in the middle of the page.

 

Immediately ran a Windows Defender quick scan, which found no threats.

 

Malwarebytes yielded 304 new threats, all PUPs, and those were logged if you want to see them, and have been quarantined and removed following a restart.

 

Following the restart, BrowserAir has disappeared, but both Microsoft Edge and 'Search' remain on my taskbar, until I unpinned them.

 

As I'm writing this I have a new MWB scan running.

 

My first question is given that there was still something lurking on my system, and might still be, should I be running in Safe Mode?

 

Secondly, should I wait for some different measures to be taken in light of these new problems before running those programs you mentioned (CCleaner and Defraggler)?

 

edited for clarity


Edited by GrimAlchemist, 12 April 2016 - 08:06 PM.


#12 daScholar


Posted 12 April 2016 - 08:08 PM

Hmm, ok, glad you caught that. The most common way malware continues after a clean is through the Task Scheduler. If you could open that, then click on Task Scheduler Library in the left pane. If you feel confident going through it, delete any suspicious items. If you aren't sure, you can send a screenshot. The most important column I'd need to see is the Name column of all the tasks.




#13 daScholar


Posted 12 April 2016 - 08:12 PM

Also here is another scanner. I didn't suggest this one at first because it's a more intense scanner and I have gotten a couple of false-positives in the past. adwcleaner




#14 GrimAlchemist


Posted 12 April 2016 - 08:23 PM

MWB scan returned 0 new threats.

 

I checked into the Task Scheduler.  I don't know enough to make any changes there myself but I did save some screenshots of the active tasks (there was nothing task status)

 

Screenshot 1

Screenshot 2

Screenshot 3

 

Edit: Woops didn't go into task scheduler library, doing that now

 

Here's the ss of the library 

 

Edit2: Tried following that adwcleaner link and got the following message:

 

This site can’t be reached

https’s server DNS address could not be found.

ERR_NAME_NOT_RESOLVED

 

Edit3: Found the correct link in the DETAILS for that message


Edited by GrimAlchemist, 12 April 2016 - 08:33 PM.


#15 daScholar


Posted 12 April 2016 - 08:46 PM

K, so I'll list off all the ones that seem suspicious to me... It's quite a few.

 

For each task that I list if you could click on it and on the bottom pane hit the Action Tab and check to see what it's trying to run/open. If you know the program then skip it, if you don't know the action being taken take a screenshot, and if you know it's doing something bad delete the task

 

Here we go:

Ycugw

anything in the {}

mcupdate_scheduled

GyazoUpdateTaskMachineDaily

RegisterDevicePeriodic

GyazoUpdateTaskMachine

HotStart

IpAddressconflict 1 & 2

 

 

These may not be bad; I'm just comparing it against what I remember and the computer I'm using. The one that stands out the most to me is "Ycugw" because it seems dodgy. The others could be normal or additionally bad stuff.

 

 
Once you get the tasks in the "Library" screen shot as well I'll look at those and see if I can determine anything there as well.
 

Edit: Late post you had it up already haha can you screen shot the action tab for the "Gyazo" stuff and the "Ycugw"


Edited by daScholar, 12 April 2016 - 08:55 PM.

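The Task Scheduler review daScholar describes in posts #12 and #15 (open each task, check the Actions tab, note what it launches) can be done for every task at once. The script below is my added example, not something from the thread; it assumes an elevated PowerShell prompt on Windows 10, reports only, and deletes nothing. The flag rules (GUID-style names like the "{}" tasks listed above, programs run from user-writable folders, script hosts such as the bitsadmin prompt seen in post #11, and targets that no longer exist) are my own triage heuristics.

```powershell
# Added example, not from the thread: enumerate every scheduled task with the program
# each action launches, and flag the ones worth a closer look in the Actions tab.
# Run from an elevated PowerShell prompt; the script reports only and deletes nothing.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, "$env:SystemDrive\ProgramData") |
    Where-Object { $_ }

function Get-TaskActionReport {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a program path; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $flags = @()
            # GUID-style names (the "{...}" tasks from the thread) hide what a task is for.
            if ($task.TaskName -match '^\{[0-9A-Fa-f-]+\}$') { $flags += 'guid-named' }
            foreach ($root in $userWritable) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $flags += 'user-writable path'; break
                }
            }
            # Tasks that launch a shell or script host are a common persistence pattern.
            if ($exe -match '(?i)(cmd|powershell|wscript|cscript|mshta|bitsadmin)(\.exe)?$') {
                $flags += 'script host'
            }
            # A dangling target usually means a removal tool already deleted the file.
            $resolved = Get-Command $exe -ErrorAction SilentlyContinue
            if (-not $resolved -and -not (Test-Path -LiteralPath $exe)) { $flags += 'target missing' }
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Author    = $task.Author
                Execute   = $exe
                Arguments = $action.Arguments
                Flags     = ($flags -join ', ')
            }
        }
    }
}

# Review flagged tasks first; export the full list when sharing it with a helper.
Get-TaskActionReport | Where-Object Flags | Format-Table -AutoSize
Get-TaskActionReport | Export-Csv -Path "$env:USERPROFILE\Desktop\tasks.csv" -NoTypeInformation
# Once a task is confirmed malicious, remove it with:
#   Unregister-ScheduledTask -TaskPath '\' -TaskName 'TaskName' -Confirm:$false
```

Legitimate tasks (updaters, Microsoft's own maintenance tasks) will also trip some flags, so treat the output as a shortlist for the manual check the thread describes, not a verdict.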

