
Infected with Trojen or Adware drmkpro64.sys- Unable to install Anti-Virus


This topic is locked
19 replies to this topic

#1 Mukesh_Talwar
  • Members
  • 10 posts

Posted 24 March 2017 - 03:06 AM

Hi there,

 

First of all I would like to say that you guys are doing a really amazing job by helping people. I have recently had my laptop attacked with a series of Trojans and adware, which I think I got from installing an unknown .exe file. My current anti-virus (Avast Free) is not working and I am unable to install any other anti-virus software as well. I am still getting the below message:

 

"the requested resource is in use" 

 

I tried to follow the instructions mentioned and was able to delete most of the adware and Trojans with Zemana Software. But I am still getting one error in Zemana and it's not 

 

 
drmkpro64.sys
Status             : Scanned
Object             : NE->c:\windows\system32\drivers\drmkpro64.sys
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/CTProxy.C!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
 
Right now I am only able to open Zemana, but I am still getting the same message "the requested resource is in use" for other software such as AdwCleaner, HitmanPro, Malwarebytes Anti-Rootkit etc.

 
I will really appreciate your assistance with this. Please let me know if you require more information. 






#2 satchfan
  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 24 March 2017 - 06:20 AM

Hello Mukesh_Talwar and welcome to the Bleeping Computer forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Mukesh_Talwar
  • Topic Starter
  • Members
  • 10 posts

Posted 24 March 2017 - 12:45 PM

Dear Satchfan,

 

Thanks a lot for your swift reply. Please find the attached report for your reference (Attached File: RKreport.txt, 8.2KB). Please let me know if you require anything else from my end.

 

I look forward to hearing from you soon.

 

And, once again I really appreciate your support. 

 

Have a great day ahead.

 

Mukesh 

 

 



#4 satchfan
  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 24 March 2017 - 05:31 PM

I really appreciate your support

You're welcome - that's what we do. :thumbup2:

Let’s clear up what the last scan showed and look at what’s left.

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7/8/10: right-click the program and select 'Run as Administrator'
  • after it has completed its pre-scan, click on Scan
  • click on the 'Processes' tab
  • make sure the following entries are checked:


    [VT.Trojan.Win32.FakeAV.snjs] ZAM.exe(2076) -- C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[-] -> Found
    [VT.Trojan.Win32.FakeAV.snjs] ZAM.exe(760) -- C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe[-] -> Found
    [PUP.OnlineIO] (SVC) drmkpro64 -- \SystemRoot\system32\drivers\drmkpro64.sys[x] -> Found

     

  • click on the 'Registry' tab
  • make sure the following entries there are checked:


    [VT.Trojan.Win32.FakeAV.snjs] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ZAM : "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /minimized [-] -> Found
    [PUP.OnlineIO|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | cpx : "C:\Program Files (x86)\cpx\cpx.exe" -starup [x] -> Found
    [PUP.OnlineIO] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | svcvmx : "C:\Program Files (x86)\svcvmx\svcvmx.exe" -starup [x] -> Found
    [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dataup (C:\PROGRA~2\dataup\dataup.exe) -> Found
    [PUP.OnlineIO] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkpro64 (system32\drivers\drmkpro64.sys) -> Found
    [Suspicious.Path|Tr.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\realtek_amd64 ("C:\Users\Mukesh Talwar\AppData\Local\Temp\WS\realtek_amd64.exe") -> Found
    [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Dataup (C:\PROGRA~2\dataup\dataup.exe) -> Found
    [PUP.OnlineIO] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\drmkpro64 (system32\drivers\drmkpro64.sys) -> Found
    [Suspicious.Path|Tr.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\realtek_amd64 ("C:\Users\Mukesh Talwar\AppData\Local\Temp\WS\realtek_amd64.exe") -> Found
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Found

     

  • then press the Delete button and post the log it produces.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

================================================

Logs to include with next post:

RK log
Frst.txt
Addition.txt


Thanks

Satchfan
 


Edited by satchfan, 24 March 2017 - 05:32 PM.
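An added read-only audit, not part of this thread and not RogueKiller code, that checks a Windows machine for the three classes of finding in the RogueKiller report above: loopback proxy settings in the user hives, service or driver registrations whose ImagePath sits in a user Temp folder or points at a file that is gone, and Run entries with the same traits. The cmdlets are standard PowerShell; the Temp-path and loopback heuristics are assumptions chosen to match this report.

```powershell
# Added example; not part of the thread and not RogueKiller code. Read-only: it changes
# nothing. Run in an elevated PowerShell session on the machine being examined. Every hit is
# a lead to review by hand (compare with the RogueKiller/FRST logs), not proof of infection.

# 1. Per-user WinINET proxy settings that force browser traffic through a loopback proxy
#    (the PUM.Proxy lines: ProxyEnable = 1, ProxyServer = 127.0.0.1:<port>).
function Get-LoopbackProxySettings {
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -and $p.ProxyEnable -eq 1 -and $p.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost):\d+') {
            [pscustomobject]@{ Hive = $hive.PSChildName; ProxyServer = $p.ProxyServer }
        }
    }
}

# 2. Services and drivers whose ImagePath points into a user Temp folder (the realtek_amd64
#    lines) or at a file that no longer exists (a registration left behind after the driver
#    file was removed, the state FRST marks with [X]). Expect some benign hits here.
function Get-ServiceImagePathFindings {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $ip = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $ip) { continue }
        # Turn the kernel-style value into a plain file path: drop the \??\ and \SystemRoot\
        # prefixes, root bare system32 paths, then strip quotes and trailing arguments.
        $path = $ip -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                    -replace '^system32\\', "$env:SystemRoot\system32\"
        $path = $path -replace '^"([^"]+)".*$', '$1' -replace '^(.+?\.(exe|sys|dll))(\s.*)?$', '$1'
        $inTemp  = $path -match '\\AppData\\Local\\Temp\\'
        $missing = -not (Test-Path -LiteralPath $path -PathType Leaf)
        if ($inTemp -or $missing) {
            [pscustomobject]@{ Service = $svc.PSChildName; ImagePath = $ip
                               InUserTemp = $inTemp; FileMissing = $missing }
        }
    }
}

# 3. Run entries in both registry views whose command line points into a user Temp folder,
#    is empty, or names an executable that is gone (the cpx and svcvmx style entries above).
function Get-RunKeyFindings {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            $exe = "$($prop.Value)" -replace '^"([^"]+)".*$', '$1' -replace '^(.+?\.exe)(\s.*)?$', '$1'
            $inTemp  = $exe -match '\\AppData\\Local\\Temp\\'
            $missing = [string]::IsNullOrWhiteSpace($exe) -or -not (Test-Path -LiteralPath $exe -PathType Leaf)
            if ($inTemp -or $missing) {
                [pscustomobject]@{ Key = $k; Name = $prop.Name; Command = $prop.Value; InUserTemp = $inTemp }
            }
        }
    }
}

Get-LoopbackProxySettings    | Format-Table -AutoSize
Get-ServiceImagePathFindings | Format-Table -AutoSize
Get-RunKeyFindings           | Format-Table -AutoSize
```

The missing-file checks will also list stale but harmless registrations, so the output is a review list to compare against the logs, not a removal list.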



#5 Mukesh_Talwar
  • Topic Starter
  • Members
  • 10 posts

Posted 26 March 2017 - 11:03 PM

Dear Satchfan

 

Thanks for your prompt reply.

 

I have deleted the below mentioned entries from RogueKiller Scan.

 

 

 

Please find attached the 3 reports you asked for. Kindly let me know if anything else is required from my end.

Attached File: Addition.txt (29.9KB)
Attached File: FRST.txt (42.19KB)
Attached File: RKreport2.txt (7.16KB)

 

Kind regards

 

Mukesh

 



#6 satchfan
  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 27 March 2017 - 03:53 AM

There are definitely infections on your computer but you may have illegal software on it and, besides being illegal, cracks/keygens are the most certain means of infecting your system, as ALL illegal software contains some form of malicious code. If that is the case, that is probably how it became infected.

If you DO have illegal software, continuing to help you could be viewed as supporting/condoning this so if you want to continue, I need you to uninstall any illegal software that you have downloaded and installed. When you have done that, do the following:

Run CKScanner

Download CKScanner by askey127 from here & save it to your Desktop.

  • double-click CKScanner.exe then click Search For Files
  • when the cursor hourglass disappears, click Save List To File
  • a message box will verify the file saved
  • double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

Satchfan

 




#7 Mukesh_Talwar
  • Topic Starter
  • Members
  • 10 posts

Posted 27 March 2017 - 01:50 PM

Hi Satchfan

 

Thanks for your reply.

 

I am not able to see any unknown/malicious software in the "Programs and Features" section. All the software is genuine; however, my friend tried to install one unknown .exe file. There is no unwanted or suspicious software that I could find.

 

Please find below the text from CKFiles.txt:

 

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.JNAAJ0
 ----- EOF -----
 

 

Is there any way I can check which software is infected, because right now only genuine software are showing up?

 

I look forward to hearing from you soon.

 

Kind regards

 

Mukesh



#8 satchfan
  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 27 March 2017 - 05:00 PM

Is there any way I can check which software is infected, because right now only genuine software are showing up?

 

I don't understand what you mean - "only genuine software are showing up" - where are they showing up and how do you know they're genuine?

 

Can you please also tell me if you installed anything recently and, if so, from which site.

 

I'll send you a 'fix ' for what I've found so far but the answers to my questions would be helpful before I do that.

 

Thanks Mukesh

 

Nina




#9 Mukesh_Talwar
  • Topic Starter
  • Members
  • 10 posts

Posted 27 March 2017 - 10:37 PM

Hi Nina

 

Thanks for your reply. 

 

By genuine I meant to say that the software was downloaded from their official websites. However, I have just come to know that my friend was trying to download a crack for Adobe CS6. I think this whole mess is because of this file only. He downloaded it from a torrent.

 

Let me know if you want me to share the file. 

 

I am not having antivirus on my laptop right now and I am unable to use laptop for work because of its vulnerability.

 

I tried to do the RogueKiller Scan and it is still showing the same Threats as shown first time, even after Removal as you advised.

 

Is there any other way we can sort these issues out?

 

I look forward to hearing from you.

 

Kind regards

 

Mukesh 



#10 Mukesh_Talwar
  • Topic Starter
  • Members
  • 10 posts

Posted 28 March 2017 - 01:05 AM

Hi Nina 

 

I would like to inform you that I have managed to clear the threats now. Thank God everything is back to normal.

 

As you know, this virus was not allowing me to open any anti-malware software because of the description mentioned in this software. I found a way to edit the description for Malwarebytes Anti-Rootkit and was able to open it and scan the laptop. Luckily it worked and I managed to delete all the threats which the scan showed earlier.

 

And, now I am back on Avast Antivirus :)

 

I really appreciate all your and Satchfan's efforts.

 

Have a great day ahead. 

 

regards

 

Mukesh 



#11 satchfan
  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 March 2017 - 02:06 AM

I really appreciate all your and Satchfan's efforts.

 

Hi Mukesh

Satchfan and Nina are both me :) . Satchfan is my username for the forums but Nina is my real name.

I’m pleased that things have improved but it doesn’t mean that it is definitely clean so let's have another look.

Please run Rogue Killer again and post a new FRST scan and make sure there is a checkmark next to "Addition.txt" before you hit ‘Scan’.

Logs to include with next post:

New Rogue Killer log
New Frst.txt
New Addition.txt


Thanks

Nina




#12 Mukesh_Talwar
  • Topic Starter
  • Members
  • 10 posts

Posted 28 March 2017 - 12:21 PM

Hi Nina

 

Thanks for your prompt reply. I thought I was liaising with two different people :)

 

You're right. RogueKiller is still showing some threats. I have attached the log reports you asked for. Please let me know what else needs to be done from my end.

Attached File: New Addition.txt (32.82KB)
Attached File: New FRST.txt (39.12KB)
Attached File: New RogueKiller Log.txt (5.17KB)

 

Have a great day ahead!!!

 

Kind regards

 

Mukesh  



#13 satchfan
  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 March 2017 - 05:03 PM

Hi Mukesh

 

Yes, this is a problem but it is known and solvable.

 

Just had a long day so I won't reply until the morning (11pm GMT here now).

 

I'll reply as soon as I can.

 

Nina


Edited by satchfan, 28 March 2017 - 05:04 PM.



#14 Mukesh_Talwar
  • Topic Starter
  • Members
  • 10 posts

Posted 28 March 2017 - 06:30 PM

Thanks Nina.

 

I can imagine how busy you must have been. You can reply at your convenience. At least I am having the antivirus running now.

 

Good night :)

 

regards

 

Mukesh 



#15 satchfan
  • Malware Response Team
  • 2,714 posts
  • Gender:Female
  • Location:Devon, UK

Posted 29 March 2017 - 05:40 AM

That’s looking much better and what Rogue Killer showed up is not a problem as it has been dealt with.

Let’s clear up what was left and have a final look.


You need to move Farbar Recovery Scan Tool to your desktop otherwise fixes will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
HKU\S-1-5-18\...\Run: [] => [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
2017-03-28 00:53 - 2017-03-28 00:53 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsignb80628d9e402bac8
2017-03-28 00:53 - 2017-03-28 00:53 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsign9b982c49e80839f1
2017-03-15 00:33 - 2017-03-15 00:33 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsign92a64cff720489c3
2017-03-15 00:18 - 2017-03-15 00:18 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsignd6541be2db3ff960
2017-03-15 00:18 - 2017-03-15 00:18 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsigna08ded8c5b66b465
2017-03-09 03:02 - 2017-03-09 03:02 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsign26f337bbd32ad49c
2017-03-09 02:59 - 2017-03-09 02:59 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsigne09dec56185fcdac
2017-03-09 02:59 - 2017-03-09 02:59 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsigna4b94cae27fd2f1a
2017-03-09 02:54 - 2017-03-09 02:54 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsignaf87447e1b70b0b9
2017-03-09 02:54 - 2017-03-09 02:54 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsign607a81fb0b35808d
2017-03-06 22:33 - 2017-03-06 22:33 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsign1ebf91d2f4648a83
2017-03-06 22:28 - 2017-03-06 22:28 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsigne14be177380119b0
2017-03-06 22:28 - 2017-03-06 22:28 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsigncdd4fba09b68e1e5
2017-03-06 22:28 - 2017-03-06 22:28 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsign6d6bb09f1e89cc43
2017-03-06 22:20 - 2017-03-06 22:20 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsignd2f8c1b2e6e29285
2017-03-06 22:20 - 2017-03-06 22:20 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsign81cf007b2ccbae2a
2017-03-06 22:20 - 2017-03-06 22:20 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsign50c3b1fc9ffff5c2
2017-03-06 22:20 - 2017-03-06 22:20 - 00000000 ____D C:\Users\Mukesh Talwar\AppData\Local\Tempzxpsign1b206581ade03856
C:\Users\Mukesh Talwar\AppData\Local\Temp\dllnt_dump.dll
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: it's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Run Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).

  • after extraction, double-click on the new Start Emsisoft Emergency Kit icon on your desktop
  • the first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates: click Yes so that it downloads the latest database updates
  • when the update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • when the scan has completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan
  • when the threats have been quarantined, click the View report button in the lower-right corner and the scan log will open in Notepad
  • please save the Notepad log on your desktop and post the contents in your next reply
  • when you close Emsisoft Emergency Kit it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

Logs to include with next post:

Fixlog.txt
Emsisoft report


Thanks

Nina

 






