
The Requested Resource is in use


This topic is locked
16 replies to this topic

#1 mlev
  • Members
  • 11 posts

Posted 28 February 2017 - 11:40 AM

Mod Edit:  Merged topics - Hamluis.

 

Almost any EXE I run shows this error
 
Ran roguekiller, and logs are attached.
 
Went into SafeMode (without networking) and the system restore points are all deleted! SF with networking gives me the same error.
 
Attached Files:
  • The requested resource is in use.png (6.64KB, 2 downloads)
  • Rkill.txt (2.55KB, 8 downloads)
  • rk_206B.tmp.txt (45.78KB, 9 downloads)
  • rk_177.tmp.txt (24.69KB, 0 downloads)


Sorry for double posting, as I read the rules after posting the first one.

Almost any EXE I run shows this error

 
Ran roguekiller, and logs are attached. Also ran FRST, and logs are attached
 
Went into SafeMode (without networking) and the system restore points are all deleted! SF with networking gives me the same error.

Attached Files


Edited by hamluis, 28 February 2017 - 01:13 PM.
Moved from Win 7 to MRL - Hamluis.




#2 nasdaq
  • Malware Response Team
  • 40,736 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 March 2017 - 01:19 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
Traffic Exchange (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
<<<>>>


Farbar Recovery Scan Tool (FRST) Recovery Environment

Note: You require access to a USB drive.
Note: Please print off these instructions, or ensure you have access to them using a different device.

Enter Recovery Environment (Windows 7)
  • Consult the following instructions (scroll down to "Entry points into WinRE") on how to enter the Recovery Environment in Windows 7.
  • After Reading the instructions click Repair your computer See Figure 3.
  • Continue reading the instructions up to Figure 7.
  • Select Command Prompt.
  • In the command window type notepad and press Enter on your keyboard.
  • Notepad will open. Click File followed by Open.
  • Click Computer, write down your USB drive letter on a piece of paper and close Notepad.
  • Type: x:\frst.exe / x:\frst64.exe in the command window.
    • Note: Replace letter x with the drive letter of your USB drive you wrote down earlier.
  • Press Enter on your keyboard. The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Click Fix.
  • A log (Fixlog.txt) will be saved to your USB drive. Reboot your computer. Copy the contents of Fixlog.txt and paste it in your next reply.
Let me know what problem persists.

Attached Files


Edited by nasdaq, 01 March 2017 - 01:20 PM.


#3 mlev
  • Topic Starter
  • Members
  • 11 posts

Posted 01 March 2017 - 04:07 PM

Thanks for the help Nasdaq.

 

1) Remove these programs in bold via the Control Panel > Programs > Programs and Features.

Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
Traffic Exchange (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION

No such entries exist - I may have removed them after the log file was created though

2) Ran the program as instructed, though it's been running for over 2 hours. Is this normal?

Thanks

 


Edited by mlev, 01 March 2017 - 04:16 PM.


#4 nasdaq
  • Malware Response Team
  • 40,736 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 March 2017 - 08:10 AM

1) Remove these programs in bold via the Control Panel > Programs > Programs and Features.
Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
Traffic Exchange (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION

No such entries exist - I may have removed them after the log file was created though


These may have been compromised by the infections and are not seen at the moment.

==


Stop the process if not already done. (Exit the Recovery console)

Restart the computer normally.

Run the Rkill tool and post a fresh log.

Run the Farbar tool again and post fresh FRST and Addition.txt for my review.

Let me know what problem persists.

Edited by nasdaq, 03 March 2017 - 08:11 AM.


#5 mlev
  • Topic Starter
  • Members
  • 11 posts

Posted 02 March 2017 - 03:36 PM

Rkill Log:

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 03/02/2017 03:33:19 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 03/02/2017 03:33:35 PM
Execution time: 0 hours(s), 0 minute(s), and 16 seconds(s)
 

Attached are the FRST and Addition logs.

Attached Files



#6 nasdaq
  • Malware Response Team
  • 40,736 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 March 2017 - 08:35 AM


We are dealing with one of the worst infections we have seen in some time.
Stay with me.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

p.s
Both of these tools should not take more than one hour each to complete. Stop the process if your computer freezes while running them.

#7 mlev
  • Topic Starter
  • Members
  • 11 posts

Posted 03 March 2017 - 11:14 AM

1) Attached are the logs from ADWCleaner

2) Zoek has been taking a long time to process, though it usually keeps going. Now it's stuck for over an hour. Here is the log so far:
 

 
Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Mark on Fri 03/03/2017 at  8:47:24.79.
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Mark\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
===== Runcheck  8:48:55.42 =====
 
--- Create Environment Variables  8:48:56.78 
--- Create System Restore Point  8:50:58.69 
--- Checking Input  8:51:06.11 
--- AU AppData Check  8:51:15.95 
--- Remove From Windows Installer  8:51:19.28 
--- Empty Folders Check  8:52:33.87 
--- Registry HKLM Software Check  8:52:33.90 
--- Quick Launch Shortcut Check  8:52:51.38 
--- IE Startpage Check  8:52:55.54 
--- Program Files DB Check  8:53:20.19 
--- C:\Users\Default\AppData\Roaming DB Check  8:54:02.36 
--- C:\Users\Default User\AppData\Roaming DB Check  8:54:02.36 
--- C:\Users\Guest\AppData\Roaming DB Check  8:54:02.36 
--- C:\Users\Mark\AppData\Roaming DB Check  8:54:02.36 
--- C:\Users\Mark 2\AppData\Roaming DB Check  8:54:02.36 
--- C:\Windows\SysNative\config\systemprofile\AppData\Roaming DB Check  8:54:02.36 
--- C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming DB Check  8:54:02.36 
--- C:\Windows\serviceprofiles\networkservice\AppData\Roaming DB Check  8:54:02.36 
--- C:\Windows\serviceprofiles\Localservice\AppData\Roaming DB Check  8:54:02.36 
--- C:\Users\Mark DB Check  8:57:01.32 
--- C:\PROGRA~3 DB Check  9:04:55.18 
--- C:\Users\Default\AppData\Local DB Check  9:07:41.74 
--- C:\Users\Default User\AppData\Local DB Check  9:07:41.74 
--- C:\Users\Guest\AppData\Local DB Check  9:07:41.74 
--- C:\Users\Mark\AppData\Local DB Check  9:07:41.74 
--- C:\Users\Mark 2\AppData\Local DB Check  9:07:41.74 
--- C:\Users\Public\AppData\Local DB Check  9:07:41.74 
--- C:\Users\TEMP\AppData\Local DB Check  9:07:41.74 
--- C:\Windows\SysNative\config\systemprofile\AppData\Local DB Check  9:07:41.74 
--- C:\Windows\sysWoW64\config\systemprofile\AppData\Local DB Check  9:07:41.74 
--- C:\Windows\serviceprofiles\networkservice\AppData\Local DB Check  9:07:41.74 
--- C:\Windows\serviceprofiles\Localservice\AppData\Local DB Check  9:07:41.74 
--- C:\ProgramData\Microsoft\Windows\Start Menu\Programs DB Check  9:11:14.98 
--- C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs DB Check  9:11:31.64 
--- Tasks DB Check  9:11:41.93 
--- Downloads DB Check  9:11:48.56 
--- C:\Users\Guest\AppData\LocalLow DB Check  9:11:57.12 
--- C:\Users\Mark\AppData\LocalLow DB Check  9:11:57.12 
--- C:\Users\Mark 2\AppData\LocalLow DB Check  9:11:57.12 
--- C:\Users\TEMP\AppData\LocalLow DB Check  9:11:57.12 
--- C:\Windows\SysNative\config\systemprofile\AppData\LocalLow DB Check  9:11:57.12 
--- C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow DB Check  9:11:57.12 
--- C:\Windows\serviceprofiles\networkservice\AppData\LocalLow DB Check  9:11:57.12 
--- C:\Windows\serviceprofiles\Localservice\AppData\LocalLow DB Check  9:11:57.12 
--- Tasks2 DB Check  9:13:34.19 
--- Documents DB Check  9:14:09.51 
--- C:\Users\Mark\AppData\Roaming\TomTom\HOME\Profiles\uk5zy53w.default DB Check  9:14:21.85 
--- C:\Users\Public\Desktop DB Check  9:14:24.65 
--- C:\Users\Mark\Desktop DB Check  9:14:33.38 
--- Services DB Check  9:15:01.05 
--- FF prefs.js DB Check  9:16:28.00 
--- Emptyclsid  9:18:00.16 
--- Del by CLSID  9:18:11.68 
--- Delete Services  9:19:16.92 
--- Firefox Fix  9:19:21.14 
--- Batch Commands  9:19:25.04 
--- Delete files\folders  9:19:25.53 
--- Create Backups  9:19:25.96 
--- Firefox Extensions  9:41:15.86 
--- Firefox Plugins  9:41:17.94 
--- Chrome Look  9:42:53.24 
--- Create Backups 10:18:02.40 
 

Attached Files



#8 nasdaq
  • Malware Response Team
  • 40,736 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 March 2017 - 01:31 PM



Please execute the fix suggested in post no. 2.

Forget about removing the 2 programs from the control panel for now.

Post the Fixlog.txt log for my review.

Let me know what problem persists.

#9 mlev
  • Topic Starter
  • Members
  • 11 posts

Posted 03 March 2017 - 02:51 PM

Cancelled Zoek. Attached is the log.

Going to boot to recovery and run FRST.

Attached Files



#10 mlev
  • Topic Starter
  • Members
  • 11 posts

Posted 03 March 2017 - 05:22 PM

Booted to recovery. FRST just ran without stopping. Same as before.

#11 nasdaq
  • Malware Response Team
  • 40,736 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 March 2017 - 10:12 AM

Let's see what we can find in the Registry.
I may have to give you a new Fixlist.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
drmkpro64.sys;dataup.exe;svcvmx.exe;qdcomsvc.exe;splsrv.exe;ct.exe;winscr.exe;vmxclient.exe
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


#12 mlev
  • Topic Starter
  • Members
  • 11 posts

Posted 04 March 2017 - 07:50 PM

Farbar Recovery Scan Tool (x64) Version: 04-03-2017
Ran by Mark (04-03-2017 19:49:47)
Running from H:\Downloads
Boot Mode: Normal
 
================== Search Registry: "drmkpro64.sys;dataup.exe;svcvmx.exe;qdcomsvc.exe;splsrv.exe;ct.exe;winscr.exe;vmxclient.exe" ===========
 
 
===================== Search result for "drmkpro64.sys" ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64]
"ImagePath"="system32\drivers\drmkpro64.sys"
 
 
===================== Search result for "dataup.exe" ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dataup]
"ImagePath"="C:\Program Files (x86)\dataup\dataup.exe"
 
 
===================== Search result for "qdcomsvc.exe" ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\qdcomsvc]
"ImagePath"=""C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe" /svc"
 
 
===================== Search result for "ct.exe" ==========
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-compact.resources_31bf3856ad364e35_6.1.7600.16385_en-us_29b7d82b94f046f3]
"f!compact.exe.mui"="0x63006F006D0070006100630074002E006500780065002E006D0075006900"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-compact_31bf3856ad364e35_6.1.7600.16385_none_55ea2c71cf438ffc]
"f!compact.exe"="0x63006F006D0070006100630074002E00650078006500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7600.16385_none_4926308c8bcbb063]
"f!imjpdct.exe"="0x49004D004A0050004400430054002E00450058004500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_4b57445488ba33fd]
"f!imjpdct.exe"="0x49004D004A0050004400430054002E00450058004500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-ie-iexpress.resources_31bf3856ad364e35_11.2.9600.16428_en-us_05dc98c139e16afb]
"f!wextract.exe.mui"="0x770065007800740072006100630074002E006500780065002E006D0075006900"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-ie-iexpress.resources_31bf3856ad364e35_8.0.7600.16385_en-us_9a34be91b5863879]
"f!wextract.exe.mui"="0x770065007800740072006100630074002E006500780065002E006D0075006900"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_11.2.9600.16428_none_46d2efef53c02386]
"f!wextract.exe"="0x770065007800740072006100630074002E00650078006500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_db2b15bfcf64f104]
"f!wextract.exe"="0x770065007800740072006100630074002E00650078006500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-pnphotplugui_31bf3856ad364e35_6.1.7600.16385_none_44d62330646f757a]
"f!deviceeject.exe"="0x44006500760069006300650045006A006500630074002E00650078006500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-s..on0viewer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_56684bf988e9ed3a]
"f!ui0detect.exe.mui"="0x7500690030006400650074006500630074002E006500780065002E006D0075006900"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_3ddbd9a9605f0519]
"f!ui0detect.exe"="0x5500490030004400650074006500630074002E00650078006500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-compact.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cd993ca7dc92d5bd]
"f!compact.exe.mui"="0x63006F006D0070006100630074002E006500780065002E006D0075006900"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-compact_31bf3856ad364e35_6.1.7600.16385_none_f9cb90ee16e61ec6]
"f!compact.exe"="0x63006F006D0070006100630074002E00650078006500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7600.16385_none_ed079508d36e3f2d]
"f!imjpdct.exe"="0x49004D004A0050004400430054002E00450058004500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_ef38a8d0d05cc2c7]
"f!imjpdct.exe"="0x49004D004A0050004400430054002E00450058004500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-iexpress.resources_31bf3856ad364e35_11.2.9600.16428_en-us_a9bdfd3d8183f9c5]
"f!wextract.exe.mui"="0x770065007800740072006100630074002E006500780065002E006D0075006900"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-iexpress.resources_31bf3856ad364e35_8.0.7600.16385_en-us_3e16230dfd28c743]
"f!wextract.exe.mui"="0x770065007800740072006100630074002E006500780065002E006D0075006900"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_11.2.9600.16428_none_eab4546b9b62b250]
"f!wextract.exe"="0x770065007800740072006100630074002E00650078006500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce]
"f!wextract.exe"="0x770065007800740072006100630074002E00650078006500"
 
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-s..on0viewer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fa49b075d08c7c04]
"f!ui0detect.exe.mui"="0x7500690030006400650074006500630074002E006500780065002E006D0075006900"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unsecapp.exe:wbemtest.exe:winmgmt.exe:wmic.exe:bfsvc.exe:Twunk_16.exe:Twunk_32.exe:wuauclt.exe:wsqmcons.exe:sapisvr.exe:WinSAT.exe:p2phost.exe:SearchProtocolHost.exe:WerFault.exe:drvinst.exe:ehshell.exe:UI0Detect.exe:ehtray.exe:HelpPane.exe:mrt.exe:SearchFilterHost.exe:mobsync.exe:Narrator.exe:SLUI.exe:taskmgr.exe:PresentationSettings.exe:vds.exe:sdclt.exe:irftp.exe:DFDWiz.exe:SndVol.exe:makecab.exe:msfeedssync.exe:unregmp2.exe:DeviceProperties.exe:rstrui.exe:MdRes.exe:netsh.exe:printui.exe:mcupdate.exe:4mmdat.sys:61883.sys:ACPI.sys:amdk7.sys:amdk8.sys:ASYNCMAC.SYS:atapi.sys:AVC.SYS:cdfs.sys:cdrom.sys:circlass.sys:cmbatt.sys:crusoe.sys:CSC.Sys:dc21x4vm.sys:disk.sys:dot4.sys:dot4usb.sys:drmkaud.sys:ecache.sys:fdc.sys:floppy.sys:hdaudbus.sys:HDAudio.sys:HIDBTH.SYS:HIDIR.SYS:i8042prt.sys:intelppm.sys:irenum.SYS:IRSIR.SYS:kbdclass.sys:kbdhid.sys:LOOP.SYS:mf.sys:monitor.sys:mouclass.sys:mouhid.sys:msisadrv.sys:msiscsi.sys:NDISWAN.SYS:nsiproxy.sys:ohci1394.sys:pci.sys:pciide.sys:powerfil.sys:processr.sys:rasl2tp.sys:raspppoe.sys:RASPPTP.SYS:RDPCDD.SYS:rfcomm.sys:sbp2p
ort.sys:sdbus.sys:serenum.sys:serial.sys:sermouse.sys:sffdisk.sys:sffp_mmc.sys:smbios.sys:swenum.sys:tdx.sys:termdd.sys:tpm.sys:tunmp.sys:tunnel.sys:umbus.sys:update.sys:usb8023.sys:USBAudio.sys:USBCCGP.SYS:usbcir.sys:USBEHCI.sys:usbhub.sys:USBOHCI.sys:usbprint.sys:USBUHCI.sys:viac7.sys:wacompen.sys:wceusbsh.sys:winusb.sys:ws2ifsl.sys:xnacc.sys"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Users\Mark\AppData\Local\Apps\2.0\XO7MCV4A.Q8Z\K7K36EQD.39B\dell..tion_6d0a76327dca4869_0007.0009_d84bde3ab35e468d\DellSystemDetect.exe"="DISABLEUSERCALLBACKEXCEPTION"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Interactive Services detection]
"EventMessageFile"="%SystemRoot%\System32\UI0Detect.exe"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\UI0Detect]
"DisplayName"="@%SystemRoot%\system32\ui0detect.exe,-101"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\UI0Detect]
"ImagePath"="%SystemRoot%\system32\UI0Detect.exe"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\UI0Detect]
"Description"="@%SystemRoot%\system32\ui0detect.exe,-102"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice]
"ImagePath"="C:\Users\Mark\AppData\Local\Temp\20170228\ct.exe"
 
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\1C9\52C64B7E]
"@%SystemRoot%\system32\ui0detect.exe,-101"="Interactive Services Detection"
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"DellSystemDetect"="C:\Users\Mark\AppData\Local\Apps\2.0\XO7MCV4A.Q8Z\K7K36EQD.39B\dell..tion_6d0a76327dca4869_0007.0009_d84bde3ab35e468d\DellSystemDetect.exe 4zZn5oeQk9WMM5ZBt7fsYA=="
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]
"C:\Users\Mark\AppData\Local\Apps\2.0\XO7MCV4A.Q8Z\K7K36EQD.39B\dell..tion_6d0a76327dca4869_0007.0009_d84bde3ab35e468d\DellSystemDetect.exe"="512"
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\dell...exe_6d0a76327dca4869_0007.0009_none_0689ed59e9b5d4f2\Files]
"DellSystemDetect.exe.config_c92d4eefc391542d"="0x01"
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\dell..tion_6d0a76327dca4869_0007.0009_2d6eb2a2f138b599\dell...exe_6d0a76327dca4869_0007.0009_none_0689ed59e9b5d4f2\Files]
"DellSystemDetect.exe.config_c92d4eefc391542d"="0x01"
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\dell..tion_6d0a76327dca4869_0007.0009_d84bde3ab35e468d\dell...exe_6d0a76327dca4869_0007.0009_none_0689ed59e9b5d4f2\Files]
"DellSystemDetect.exe.config_64a73bdcc1bf6d4d"="0x01"
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\dell..tion_6d0a76327dca4869_0007.0009_d84bde3ab35e468d\dell..tect_none_0007.0009_none_21f122dd76fb3949\Files]
"DellSystemDetect.exe_9b2f7e127e6e6925"="0x01"
 
 
===================== Search result for "vmxclient.exe" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\vmxclient.exe]
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\ATI\ACE\Settings\Graphics\PowerXpress\Px4.0\ProfilelessAppList\0]
"Filepath"="\device\harddiskvolume3\program files (x86)\svcvmx\vmxclient.exe"
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\ATI\ACE\Settings\Graphics\PowerXpress\Px4.0\ProfilelessAppList\2]
"Filepath"="\device\harddiskvolume2\program files (x86)\svcvmx\vmxclient.exe"
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\134259da_0]
""="{0.0.0.00000000}.{9f27a276-8d62-4f54-bc52-d8124ce3ac94}
\Device\HarddiskVolume4\Program Files (x86)\svcvmx\vmxclient.exe%b{00000000-0000-0000-0000-000000000000}"
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\84abafb9_0]
""="{0.0.0.00000000}.{9f27a276-8d62-4f54-bc52-d8124ce3ac94}
\Device\HarddiskVolume3\Program Files (x86)\svcvmx\vmxclient.exe%b{00000000-0000-0000-0000-000000000000}"
 
[HKEY_USERS\S-1-5-21-494948411-2658239134-3966290622-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f6150598_0]
""="{0.0.0.00000000}.{9f27a276-8d62-4f54-bc52-d8124ce3ac94}
\Device\HarddiskVolume2\Program Files (x86)\svcvmx\vmxclient.exe%b{00000000-0000-0000-0000-000000000000}"
 
====== End of Search ======
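As an added triage example (not code from this thread or from FRST itself), the Python below parses the registry search output posted above, keeps only hits under the services key, resolves each ImagePath and flags service binaries that sit in user-writable locations or whose file name equals one of the searched indicators. The sample input is a constructed, abbreviated copy of that output; FRST's search is a substring match ("ct.exe" also hits compact.exe under HKLM\COMPONENTS), which is why everything outside the services tree is ignored.

```python
"""Triage helper for FRST "Search Registry" output (added example, not part of FRST).

Parses the search log, keeps ImagePath hits under HKLM\\SYSTEM\\CurrentControlSet\\services,
resolves the binary and flags user-writable locations and searched-indicator matches.
"""
import re
from typing import NamedTuple

SERVICES_PREFIX = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
SYSTEM_ROOT = r"C:\Windows"
# Directories an unprivileged user can write to; a service binary there is a red flag.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

_SEARCH_HDR = re.compile(r'^=+ Search Registry: "(.+?)" =+$')
_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"(.*?)"="(.*)"$')


class Finding(NamedTuple):
    service: str
    binary: str
    severity: str
    reasons: list


def parse_frst_search(text):
    """Return (search_terms, entries); each entry is (key, value_name, value_data)."""
    terms, entries, key = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := _SEARCH_HDR.match(line):
            terms = [t.strip().lower() for t in m.group(1).split(";") if t.strip()]
        elif line.startswith("==="):        # other separators end the current key
            key = None
        elif m := _KEY_LINE.match(line):
            key = m.group(1)
        elif (m := _VALUE_LINE.match(line)) and key is not None:
            entries.append((key, m.group(1), m.group(2)))
    return terms, entries


def binary_from_image_path(image_path):
    """Extract the executable from a service ImagePath and make it absolute."""
    p = image_path.strip()
    if p.startswith('"'):                   # quoted path; arguments follow the closing quote
        p = p[1:p.find('"', 1)]
    elif m := re.match(r"(.*?\.(?:exe|sys|dll))(?:\s|$)", p, re.IGNORECASE):
        p = m.group(1)                      # unquoted: cut at the first .exe/.sys/.dll token
    p = re.sub(r"^(%systemroot%|\\systemroot)", lambda _: SYSTEM_ROOT, p, flags=re.IGNORECASE)
    if not re.match(r"^[a-z]:\\", p, re.IGNORECASE):   # relative paths resolve under %SystemRoot%
        p = SYSTEM_ROOT + "\\" + p.lstrip("\\")
    return p


def triage(text):
    """Flag suspicious service ImagePath hits in FRST search output."""
    terms, entries = parse_frst_search(text)
    findings = []
    for key, name, data in entries:
        if name.lower() != "imagepath" or not key.lower().startswith(SERVICES_PREFIX):
            continue                        # ignore hits outside the services tree
        binary = binary_from_image_path(data)
        low = binary.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("service binary in a user-writable location")
        if low.rsplit("\\", 1)[-1] in terms:
            reasons.append("file name matches a searched indicator")
        if reasons:
            findings.append(Finding(key[len(SERVICES_PREFIX):], binary, "HIGH", reasons))
        elif not low.startswith(SYSTEM_ROOT.lower() + "\\"):
            findings.append(Finding(key[len(SERVICES_PREFIX):], binary, "MEDIUM",
                                    ["binary outside %SystemRoot%; verify publisher and signature"]))
    return findings


# Constructed sample: an abbreviated copy of the search output posted in this thread.
SAMPLE = r'''
================== Search Registry: "drmkpro64.sys;dataup.exe;svcvmx.exe;qdcomsvc.exe;splsrv.exe;ct.exe;winscr.exe;vmxclient.exe" ===========
===================== Search result for "drmkpro64.sys" ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64]
"ImagePath"="system32\drivers\drmkpro64.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dataup]
"ImagePath"="C:\Program Files (x86)\dataup\dataup.exe"
===================== Search result for "qdcomsvc.exe" ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\qdcomsvc]
"ImagePath"=""C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe" /svc"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-compact_31bf3856ad364e35_6.1.7600.16385_none_55ea2c71cf438ffc]
"f!compact.exe"="0x63006F006D0070006100630074002E00650078006500"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\UI0Detect]
"ImagePath"="%SystemRoot%\system32\UI0Detect.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice]
"ImagePath"="C:\Users\Mark\AppData\Local\Temp\20170228\ct.exe"
====== End of Search ======
'''

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:6} {f.service:28} {f.binary}  <- {'; '.join(f.reasons)}")
```

On the sample, the four services named after searched indicators are reported as HIGH while the legitimate UI0Detect entry under %SystemRoot% is not flagged.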


#13 mlev
  • Topic Starter
  • Members
  • 11 posts

Posted 04 March 2017 - 09:57 PM

If it helps, I can remove the infected HD and use it as external/additional drive on another PC.



#14 nasdaq
  • Malware Response Team
  • 40,736 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 March 2017 - 08:15 AM

New instructions.

Farbar Recovery Scan Tool (FRST) Recovery Environment

Note: You require access to a USB drive.
Note: Please print off these instructions, or ensure you have access to them using a different device.

Enter Recovery Environment (Windows 7)
  • Consult the following instructions (scroll down to "Entry points into WinRE") on how to enter the Recovery Environment in Windows 7.
  • After Reading the instructions click Repair your computer See Figure 3.
  • Continue reading the instructions up to Figure 7.
  • Select Command Prompt.
  • In the command window type notepad and press Enter on your keyboard.
  • Notepad will open. Click File followed by Open.
  • Click Computer, write down your USB drive letter on a piece of paper and close Notepad.
  • Type: x:\frst.exe / x:\frst64.exe in the command window.
    • Note: Replace letter x with the drive letter of your USB drive you wrote down earlier.
  • Press Enter on your keyboard. The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Click Fix.
  • A log (Fixlog.txt) will be saved to your USB drive. Reboot your computer. Copy the contents of Fixlog.txt and paste it in your next reply.
---

Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Let me know what problem persists.

Also, Please run the Farbar tool one more time and post Fresh FRST and Addition.txt logs for my review.

Attached Files



#15 mlev
  • Topic Starter
  • Members
  • 11 posts

Posted 05 March 2017 - 09:44 AM

I have done both these instructions before. 1. FRST just kept running without stop (for over 10 hours at a time). 2. Malwarebytes doesn't open on the PC, and gets the error "the requested resource..."



