Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Resillient virus help

  • Please log in to reply
3 replies to this topic

#1 fxzii


  • Members
  • 4 posts
  • Local time:12:53 AM

Posted 10 December 2016 - 03:48 PM

Long story short: my pc got infected with a nasty bunch of viruses, from a installer I didn't realize was fake and didn't think to scan it first


What I have done:

- ran rkill before each scan

- Scan with Kaspersky Total Security 2017 (my usual anti-virus) *

- Scan with Malwarebytes 3.0 (With rootkit scan enabled) (my usual anti-malware) *

- run adwcleaner *

- run HitmanPro *

- run JRT *

- run tdsskiller

- run zemana anti malware *

- run tweaking.com windows repair (attempt to fix issues in rkill log) *

- performed in-place upgrade of windows 10 (attempt to fix issues in rkill log)


* asterisk = Problems/malware were detected and removed by the program


And yet the problems that still persist:


Main issue that got me doing virus cleanup:

-Chrome wouldn't start anymore Even after reinstalling it. When I tried to open it after restart after each time I ran a new program from the above kaspersky detected a PUP in the temp dir.


-One of the times I ran rkill it suspended a file in temp which it classified as T-HEUR.

-The problems originally started when I logged into my user account and the screen was completely black with a little weird window in the corner. I used ctrl+alt+del to start task manager and launch explorer.exe from there.


rkill log:

Checking Windows Service Integrity: 

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * agp440 [Missing Service]
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]

 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

I ran sfc /scannow : it said it found problems but was unable to fix them. When I ran it again to copy the message it now said it found no violations. 


The only thing that could possibly identify this virus was that the browsers' search engines changed to something along the lines of search.com, also a shortcut was made with that name. This was removed by zemana


EDIT: I have solved the chrome not opening issue by reinstalling kaspersky, it seems to have messed stuff up when disinfecting


Edited by fxzii, 10 December 2016 - 06:06 PM.
Moved from W10 Spt to Am I Infected - Hamluis.

BC AdBot (Login to Remove)


#2 Toits


  • Members
  • 16 posts
  • Local time:03:53 AM

Posted 11 December 2016 - 01:07 AM

Why not you did System Restore?

#3 fxzii

  • Topic Starter

  • Members
  • 4 posts
  • Local time:12:53 AM

Posted 11 December 2016 - 01:07 PM

Why not you did System Restore?

Oh sorry forgot to mention that - I did do a system restore from when an update was installed. It did nothing

#4 fxzii

  • Topic Starter

  • Members
  • 4 posts
  • Local time:12:53 AM

Posted 11 December 2016 - 01:18 PM

My rkill log is identical to the person in this thread https://www.bleepingcomputer.com/forums/t/625665/rkill-shows-incorrect-paths-and-service-dlls/

And I am in fact running Windows 10 Anniversary Update so according to this the rkill log is a bug. I think I'm going to leave it for now unless something new comes up or someone replies with an explanation otherwise


From what I can tell, RKill has this bug in Windows 10 Anniversary Update. Let's see if you are running the Anniversary Update build:


Press WindowsR

Type winver and press Enter

If it says "Version 1607 (Build xxxxx.xx)" then you are running the Anniversary Update. In which case, ignore the RKill incorrect services bug. If, however, it says "Version 1511 (xxxxx.xxx)", then you are still on Windows 10 November Update.



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users