sysnetwk.exe virus warning


  • This topic is locked
23 replies to this topic

#1 rkrijo

rkrijo

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Location:India, Kerala
  • Local time:10:36 PM

Posted 26 November 2016 - 02:31 PM

I am facing a sysnetwk.exe virus warning from Avast frequently, and each time Avast blocks it, but after a restart of the laptop it shows the warning again. I also receive the warning that Security Center cannot be started, which also recurs each time. That is okay, I can manually start it in Services. But please, someone help me with the sysnetwk.exe virus warning. I will upload a log of a scan using FSS.EXE. I don't know if this is the correct way of using it, so someone help me :bowdown:

Attached File  FSS.txt   3.11KB   4 downloads




 


#2 satchfan

satchfan

  • Malware Response Team
  • 2,854 posts
  • OFFLINE
  • Gender:Female
  • Location:Devon, UK
  • Local time:06:06 PM

Posted 26 November 2016 - 04:20 PM

Hello rkrijo and welcome to the Bleeping Computer forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

Logs to include with next post:

AdwCleaner log
RKreport.txt
JRT.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 rkrijo

rkrijo
  • Topic Starter


Posted 27 November 2016 - 02:43 AM

Hey satchfan, thanks for your reply, here are the log files...

Attached File  AdwCleanerS3.txt   4.16KB   7 downloads

Attached File  JRT.txt   1.07KB   8 downloads

Attached File  rk.txt   13.95KB   8 downloads


Edited by rkrijo, 27 November 2016 - 02:45 AM.


#4 satchfan

satchfan


Posted 27 November 2016 - 09:06 AM

That showed up the culprit.

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible, otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7: right-click the program and select Run as Administrator
  • after it has completed its prescan, click on Scan
  • click on the ‘Registry’ tab
  • make sure the following entries there are checked:


    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\SkypeUpdateEx -> Found
    [PUP] (X64) HKEY_USERS\S-1-5-21-1619147549-658269054-398094364-1001\Software\IM -> Found
    [PUP] (X86) HKEY_USERS\S-1-5-21-1619147549-658269054-398094364-1001\Software\IM -> Found
    [PUP|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WindowsSecurity (C:\ProgramData\Windows Security\winsecurity.exe) -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1619147549-658269054-398094364-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8080;https=127.0.0.1:8080  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-1619147549-658269054-398094364-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8080;https=127.0.0.1:8080  -> Found
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1619147549-658269054-398094364-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo13.msn.com/?pc=LCJB  -> Found
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1619147549-658269054-398094364-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo13.msn.com/?pc=LCJB  -> Found
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1619147549-658269054-398094364-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1619147549-658269054-398094364-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
    [Suspicious.Path|VT.HW64.packed.B6E3] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {43B59B38-CA54-4A13-BF2B-18A418806614} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe|Name=System Network Control|Desc=System Network Control|EmbedCtxt=System Network Control| [-] -> Found
     

  • click on the ‘Files’ tab and make sure the following entry is checked:


    [PUP][Folder] C:\ProgramData\Windows Security -> Found
    [Tr.Generic][File] C:\Users\user\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe -> Found
    [Tr.Generic][File] C:\Users\user\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Found
    [Tr.Generic][File] C:\Users\user\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
    [Tr.Generic][File] C:\Users\user\AppData\Roaming\uTorrent\updates\3.4.8_42449\utorrentie.exe -> Found
    [Tr.Generic][File] C:\Users\user\AppData\Roaming\uTorrent\updates\3.4.8_42576\utorrentie.exe -> Found
    [Tr.Generic][File] C:\Users\user\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Found
    [Tr.Generic][File] C:\Users\user\AppData\Roaming\uTorrent\updates\3.4.9_42923\utorrentie.exe -> Found
    [Tr.Generic][File] C:\Users\user\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe -> Found
    [PUP][Folder] C:\ProgramData\Windows Security -> Found
     

  • then press the Delete button and post the log it produces.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

================================================

Logs to include with next post:

RogueKiller fix log
Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
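
The RogueKiller entries listed in the post above can also be triaged mechanically. The following is an added example, not part of the original thread and not RogueKiller's own code: it parses report lines of the form shown above, decodes the pipe-delimited firewall rule value, and flags inbound allow rules for executables in user-writable directories as well as proxy settings that point at loopback. The function names, the `USER_WRITABLE` directory list (a heuristic) and the third sample line are assumptions made for the example.

```python
import re

# First two lines are quoted from the RogueKiller report in this thread;
# the third is constructed to show a rule that should not be flagged.
SAMPLE_REPORT = r"""
[Suspicious.Path|VT.HW64.packed.B6E3] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {43B59B38-CA54-4A13-BF2B-18A418806614} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\ProgramData\Microsoft\Network\Dsq\network\sysnetwk.exe|Name=System Network Control|Desc=System Network Control|EmbedCtxt=System Network Control| [-] -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1619147549-658269054-398094364-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8080;https=127.0.0.1:8080  -> Found
[Constructed] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {00000000-0000-0000-0000-000000000000} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Program Files\Example\example.exe|Name=Example| [-] -> Found
"""

# "[tags] (arch) registry key | value name : value data -> status"
ENTRY_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\]\s+\((?P<arch>X\d+)\)\s+(?P<key>.+?)\s+\|\s+"
    r"(?P<name>.+?)\s+:\s+(?P<data>.*?)\s+->\s+(?P<status>\w+)\s*$"
)

# Assumption (heuristic): locations a standard user or a dropper can usually write to.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|\[?::1\]?)$", re.I)


def parse_firewall_rule(data):
    """Turn 'v2.26|Action=Allow|App=...|' into a dict of its key=value fields."""
    fields = {}
    for token in data.split("|"):
        key, sep, value = token.partition("=")
        if sep:  # skips the version token and the trailing ' [-]' marker
            fields[key.strip()] = value.strip()
    return fields


def loopback_proxies(data):
    """Return the 'scheme=host:port' parts of a ProxyServer value that point at loopback."""
    hits = []
    for part in data.split(";"):
        endpoint = part.split("=", 1)[-1].strip()
        host = endpoint.rsplit(":", 1)[0]
        if LOOPBACK.match(host):
            hits.append(part.strip())
    return hits


def triage(report):
    """Return (finding, detail) tuples for the entries worth a closer look."""
    findings = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # key-only entries and blank lines carry no value to inspect
        key, name, data = m["key"], m["name"], m["data"]
        if key.lower().endswith("\\firewallpolicy\\firewallrules"):
            rule = parse_firewall_rule(data)
            app = rule.get("App", "")
            inbound_allow = (rule.get("Action"), rule.get("Active"), rule.get("Dir")) == ("Allow", "TRUE", "In")
            if inbound_allow and any(d in app.lower() for d in USER_WRITABLE):
                findings.append(("inbound-allow-from-writable-path", app))
        elif name == "ProxyServer":
            for hit in loopback_proxies(data):
                findings.append(("loopback-proxy", hit))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_REPORT):
        print(f"{finding}: {detail}")
```

A loopback proxy is not malicious by itself (local filtering and debugging tools set one too), so a hit is a prompt to identify the process listening on that port, not a verdict.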


#5 rkrijo

rkrijo
  • Topic Starter


Posted 27 November 2016 - 11:24 AM

Here are the log files after the above steps...

Attached File  rk1.txt   15.86KB   1 downloads

Attached File  FRST.txt   43.17KB   2 downloads

Attached File  Addition.txt   41.56KB   2 downloads

 



#6 satchfan

satchfan


Posted 27 November 2016 - 04:17 PM

Thanks for the logs.

 

Sundays are a bit busy with family so I'll check them as soon as I can and get back.


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#7 rkrijo

rkrijo
  • Topic Starter


Posted 27 November 2016 - 10:39 PM

No problem, take your time...



#8 satchfan

satchfan


Posted 28 November 2016 - 04:26 AM

P2P - I see you have P2P software (BitTorrent and uTorrent) installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection.

If your computer is infected, it almost certainly contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

P2P File Sharing Risks.

I would strongly recommend that you uninstall it now. You can do so via Control Panel, Programs, and then Programs and Features.

Should you decide to keep it, please don’t use it until we have finished up here.

================================================

You need to move Farbar Recovery Scan Tool to your desktop otherwise fixes will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
2016-11-23 20:58 - 2016-11-27 09:23 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-11-05 03:26 - 2016-09-24 11:30 - 00000200 _____ C:\WINDOWS\system32\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat
2016-11-05 03:24 - 2016-07-16 17:06 - 00000000 ____D C:\WINDOWS\CbsTemp
CustomCLSID: HKU\S-1-5-21-1619147549-658269054-398094364-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1619147549-658269054-398094364-1001_Classes\CLSID\{724FE766-71C2-4E6E-8379-CD0EF5E51BDD}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.28.17\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1619147549-658269054-398094364-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1619147549-658269054-398094364-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll (Google Inc.)
Task: {02B11BA0-A5FD-4C7A-944B-25FACAD0FFA6} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {05C103AF-06F5-4B12-A442-C0E7A1B3AE44} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {0744BEE9-9885-44B7-B602-98083A29D023} - System32\Tasks\McAfeeLogon => C:\PROGRA~1\COMMON~1\McAfee\Platform\McUICnt.exe
Task: {1112B6DD-BFE5-4D18-A604-6CA3013BE48A} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {1F89D225-3F90-4B98-8775-4E132CD5D418} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {226EC453-3AB0-4EE9-9E5A-D5CC6528DF95} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {2BA3DC81-78D4-43FA-9E5D-0D1F3EF3B715} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {341FD10F-A6E2-48BC-9A74-5A3A00B1E804} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {479401EC-ACD0-460F-99DE-93B0E598E2E8} - System32\Tasks\McAfee\McAfee Auto Maintenance Task Agent
Task: {631CC22E-C46D-4F1A-9CDA-37DDB0401E00} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {712B5B4B-7EAA-48B6-8E75-68A66E3CD9F2} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {8170013E-A8A8-4E47-952C-50DF4130AD1C} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {89F5DEC7-9860-4BD6-A78D-2D65190A7908} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {A20A0FA0-3F71-4891-8623-E51E4623D01D} - \McAfee\McAfee Idle Detection Task -> No File <==== ATTENTION
Task: {A4A11777-6B30-48DB-A9F2-B7AABF140920} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee Anti-Virus And Anti-Spyware\upgrade.exe [2015-11-03] (McAfee, Inc.)
Task: {B2CBC8ED-D475-4751-9C20-8D5A4ACF9BF9} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {C327A048-7AC2-4387-ACE0-BB1C84DE65D0} - \WPD\SqmUpload_S-1-5-21-1619147549-658269054-398094364-1001 -> No File <==== ATTENTION
Task: {E007BEC6-9704-4F93-BD9E-71F4AFC1552D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
C:\Users\user\AppData\Local\Temp\dllnt_dump.dll
C:\Users\user\AppData\Local\Temp\gusetup9.exe
C:\Users\user\AppData\Local\Resmon.ResmonCfg
C:\ProgramData\DP45977C.lfl
C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
C:\ProgramData\settings.cfg
Hosts:
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

===================================================

Run McAfee removal tool

There were some remnants of McAfee showing in one of the logs and we need to remove them.

Download and run McAfee Removal Tool

================================================

Run CKScanner

Download CKScanner by askey127 from here & save it to your Desktop.

  • double-click CKScanner.exe then click Search For Files
  • when the cursor hourglass disappears, click Save List To File
  • a message box will verify the file saved
  • double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

Logs to include with next post:

Fixlog.txt
CKFiles.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#9 rkrijo

rkrijo
  • Topic Starter


Posted 28 November 2016 - 07:36 AM

I have some pending downloads using uTorrent, I may uninstall it afterwards...

Attached File  Fixlog.txt   14.17KB   1 downloads

Attached File  ckfiles.txt   99.22KB   3 downloads



#10 satchfan

satchfan


Posted 28 November 2016 - 07:45 AM

You have illegal software on your system, which is probably how your computer became infected.

Besides being illegal, cracks/keygens are the most certain means of infecting your system, as ALL illegal software contains some form of malicious code.

This forum, as well as all the other top malware removal forums, does not condone the use of illegal software and does not offer support unless it is for the removal of it.

Continuing to help you could be viewed as supporting/condoning this.

If you want to continue, I need you to uninstall all the illegal software that you have downloaded and installed.

When you have done this, run CKScanner again and post a new log.

If I don’t hear back from you in 24 hours I'll close this thread.

Satchfan


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#11 rkrijo

rkrijo
  • Topic Starter


Posted 28 November 2016 - 08:04 AM

I had deleted the files I thought were illegal,

here is the log of csk: Attached File  ckfiles.txt   127bytes   2 downloads

Please let me know if any problem arises from my part...

Thank you



#12 satchfan

satchfan


Posted 28 November 2016 - 08:33 AM

Well done - that looks better.

Run Zemana AntiMalware

Download Zemana AntiMalware:

  • open the program and without changing any options, press Scan
  • after the scan is finished, if threats are detected press Next to remove them

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

  • open Zemana AntiMalware again and locate the latest report
  • please paste the contents into your reply.

===================================================

Please download Malwarebytes Anti-Malware to your desktop.

  • double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program
  • at the end, be sure a checkmark is placed next to the following
    • Launch Malwarebytes Anti-Malware
    • a 14 day trial of the Premium features is pre-selected: deselect this if you don’t want it (it won’t diminish the scanning and removal capabilities of the program).
  • click Finish.
  • on the Dashboard, click Update Now
  • after the update completes, click the Scan Now button.
  • if an update is available, clicking the Update Now button will update it
  • a Threat Scan will begin.
  • when the scan is complete, if malware has been detected, click Apply Actions to allow MBAM to clean what was found
  • when the prompt to restart the computer appears, click Yes.
  • after the restart once you are back at your desktop, open MBAM once more
  • click on the “History” tab, then “Application Logs”
  • double-click on the scan log which shows the date and time of the scan just performed.
  • click Copy to Clipboard
  • please paste the contents of the clipboard into your reply.

Logs to include with the next post:

Zemana log
Mbam.txt


Can you tell me how things are now?

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#13 rkrijo

rkrijo
  • Topic Starter


Posted 28 November 2016 - 09:03 AM

Earlier, while I was using Firefox, I suddenly got a warning from Avast about a utorrentie virus. Is it related to P2P software?



#14 satchfan

satchfan


Posted 28 November 2016 - 09:13 AM

It seems to be an advert helper application for uTorrent. When you uninstall uTorrent that should disappear.


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#15 rkrijo

rkrijo
  • Topic Starter


Posted 28 November 2016 - 09:30 AM

OK, thanks for the info, here are the logs

Attached File  Zemana AntiMalware.txt   2.03KB   4 downloads

Attached File  mbam scan.txt   5.04KB   3 downloads

 

 

 





