The requested resource is in use - cannot run exe files to clean trojan


  • This topic is locked
15 replies to this topic

#1 Oldschl

Posted 02 April 2017 - 07:33 AM

I unleashed a very nasty trojan on this Win10 laptop. Initially it installed a lot of adware, and I was able to clean most of that off, but after 2 days of cleaning, I still cannot run an anti-malware or rootkit cleaner natively from Windows. Whenever I run the exe from most of the popular malware cleaners, Windows gives me the error message "The requested resource is in use" and will not allow me to run the software. I cannot run rkill from Windows.

 

I have used Trinity Rescue Kit to try and clean it, and it is stating that the hard drive is clean. I've run a few other LiveCD cleaners and they're all now reporting that it's clean, but I still cannot run any exe files. I was able to get Windows Defender back up and running, and did a complete scan, and it says the computer has no problems; the Microsoft Safety Scanner also says the computer is clean. That obviously is not the case.

 

I would prefer not to reset this PC using the Windows recovery because there's a lot of settings that get lost when you reset a Win10 machine, and it takes a while to recover fully from this procedure. I'm probably close to the end of the cleaning capabilities though, so I understand that it might be my last resort. I thought I would ask here for assistance before I use the nuclear option.

 

https://www.bleepingcomputer.com/forums/t/640656/unable-to-run-exes/page-2 - I tried running Zemana the same way, but I still get the "resource is in use" error when I try to install it.

 

 




#2 Aura (Malware Response Team)

Posted 02 April 2017 - 10:57 AM

Hi Oldschl :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the article below to download and run a scan with MBAR. Make sure to click on the "Update" button to update the database prior to launching the scan.

https://support.malwarebytes.com/customer/portal/articles/2097176?b_id=6400

Once the scan completes and the computer has rebooted, grab the log in the MBAR folder (it starts with mbar-log) and copy/paste its content here.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Oldschl (Topic Starter)

Posted 02 April 2017 - 03:46 PM

Thanks for the help! I downloaded the file and unzipped it. When I double-clicked the mbar.cmd file, a command prompt window opened for a second and then immediately closed. Nothing else was shown on the screen.



#4 Oldschl (Topic Starter)

Posted 02 April 2017 - 03:50 PM

When I open a command window and navigate to the folder/file and run it, it again gives me a Windows error prompt that says "The requested resource is in use."


And then it says:

 

\AppData\Local\Temp\mbar.vbs

Access is denied.



#5 Aura (Malware Response Team)

Posted 02 April 2017 - 05:44 PM

In that case, please run TFC first to clean the temporary files, then try to launch MBAR again.

Temp File Cleaner (TFC)
  • Download Temp File Cleaner (TFC) and move it to your Desktop;
  • Right-click on TFC.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Simply click on Start to launch the clean-up and wait until it completes;
  • Depending on which processes are running, all your programs will be closed and explorer.exe (your Windows shell) will be killed; it will however be relaunched shortly after, so do not panic;
  • There's no log to give for this tool;



#6 Oldschl (Topic Starter)

Posted 03 April 2017 - 03:53 PM

OK, I was able to successfully run TFC, and I rebooted the machine. I still cannot run mbar.



#7 Aura (Malware Response Team)

Posted 04 April 2017 - 06:59 AM

Alright. Let's try a special version of Zemana that was put together to deal with that particular installation. Download it, then run a scan, delete everything it finds and copy/paste the content of the log here afterwards.

http://dl12.zemana.com/tmp/Zemana.AntiMalware.Portable-unsigned.exe

If you cannot run it, let me know.



#8 Oldschl (Topic Starter)

Posted 04 April 2017 - 05:32 PM

Well, there's some progress. Thank you for the unsigned version of the antivirus. I was able to download and run the program, but when it starts, it gives me a large error message saying it found Rootkit:WinNT/AdClicker! and wants me to reboot the computer to start cleaning. After it reboots, it gives me the same prompt in an infinite loop (I get the message, I reboot, and I get the message again). I closed the Rootkit Detected message and cleaned the computer, and it found a lot of stuff, but I still have the Rootkit detected without it being cleaned.



#9 Oldschl (Topic Starter)

Posted 04 April 2017 - 05:54 PM

Zemana AntiMalware 2.72.2.388 (Portable)
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/4/4
Operating System       : Windows 10 64-bit
Processor              : 4X Intel® Core™ i3-3110M CPU @ 2.40GHz
BIOS Mode              : UEFI
CUID                   : 122812902C7EC1C661FA63
Scan Type              : System Scan
Duration               : 2m 38s
Scanned Objects        : 89931
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2
Detected Objects
-------------------------------------------------------
ndistpr64.sys
Status             : Scanned
Object             : NE->c:\windows\system32\drivers\ndistpr64.sys
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Trojan:Win32/CTProxy.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)

Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0

Zemana AntiMalware 2.72.2.380 (Portable)
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/4/4
Operating System       : Windows 10 64-bit
Processor              : 4X Intel® Core™ i3-3110M CPU @ 2.40GHz
BIOS Mode              : UEFI
CUID                   : 122812902C7EC1C661FA63
Scan Type              : System Scan
Duration               : 2m 8s
Scanned Objects        : 89790
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2
Detected Objects
-------------------------------------------------------
ndistpr64.sys
Status             : Scanned
Object             : NE->c:\windows\system32\drivers\ndistpr64.sys
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Trojan:Win32/CTProxy.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)

Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0

Zemana AntiMalware 2.72.2.380 (Portable)
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/4/4
Operating System       : Windows 10 64-bit
Processor              : 4X Intel® Core™ i3-3110M CPU @ 2.40GHz
BIOS Mode              : UEFI
CUID                   : 122812902C7EC1C661FA63
Scan Type              : System Scan
Duration               : 2m 32s
Scanned Objects        : 89854
Detected Objects       : 47
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2
Detected Objects
-------------------------------------------------------
Internet Explorer Search
Status             : Scanned
Object             : Web Search - http://search.coupons.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Internet Explorer Search
Upromise RewardU Toolbar
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\966zpyct.default\extensions\{b9871413-95b7-01c4-69cf-961a01420158}.xpi
MD5                : AE0714239FFAAA0A1A3D6522F9EA6D6A
Publisher          : -
Size               : 205903
Version            : -
Detection          : PUA.FirefoxExt!Gr
Cleaning Action    : Repair
Related Objects    :
                Browser Extension - Upromise RewardU Toolbar
                File - %appdata%\mozilla\firefox\profiles\966zpyct.default\extensions\{b9871413-95b7-01c4-69cf-961a01420158}.xpi
Upromise TurboSaver
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\966zpyct.default\extensions\fftoolbar@upromise.xpi
MD5                : D6785DBA6540FE7C59110A53E6F47296
Publisher          : -
Size               : 455818
Version            : -
Detection          : PUA.FirefoxExt!Gr
Cleaning Action    : Repair
Related Objects    :
                Browser Extension - Upromise TurboSaver
                File - %appdata%\mozilla\firefox\profiles\966zpyct.default\extensions\fftoolbar@upromise.xpi
Upromise RewardU Toolbar
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\ddpocmpoechljihmgemoaahhmadaenbc
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA.ChromeExt!Gr
Cleaning Action    : Repair
Related Objects    :
                Browser Extension - Upromise RewardU Toolbar
Security Center Disabled
Status             : Scanned
Object             : HKLM\SYSTEM\CurrentControlSet\services\wscsvc\DelayedAutoStart
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Potentially Unwanted Modification
Cleaning Action    : Repair
Related Objects    :
                Registry Entry - HKLM\SYSTEM\CurrentControlSet\services\wscsvc\DelayedAutoStart = disabled
Proxy Server (User)
Status             : Scanned
Object             : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Potentially Unwanted Modification
Cleaning Action    : Delete
Related Objects    :
                Registry Entry - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = 127.0.0.1:8003
NetUtils2016.dll
Status             : Scanned
Object             : %systemroot%\system32\netutils2016.dll
MD5                : F158978B71F1EECB0371AA763E6628F5
Publisher          : Kuiting Chen
Size               : 625272
Version            : 1.0.28.16
Detection          : PUA:Win32/HDWallPaper-DJ!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %systemroot%\system32\netutils2016.dll
                DLL - 436 - C:\Windows\System32\winlogon.exe
npMozCouponPrinter.dll
Status             : Scanned
Object             : %programfiles%\mozilla firefox\browser\plugins\npmozcouponprinter.dll
MD5                : 924366CBEDB044930207A40A5404FF7E
Publisher          : Coupons, Inc.
Size               : 248192
Version            : 4.0.2.0
Detection          : Adware:Win32/Coupons!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %programfiles%\mozilla firefox\browser\plugins\npmozcouponprinter.dll
6cc6e2274700f424832e9f239fb83754.sys
Status             : Scanned
Object             : %systemroot%\system32\drivers\6cc6e2274700f424832e9f239fb83754.sys
MD5                : 23232DCCCE49AFC4102E7EC4D879EFD0
Publisher          : technologielaunton.com
Size               : 8501584
Version            : 11.13.1.60
Detection          : Adware:Win32/Wajam
Cleaning Action    : Quarantine
Related Objects    :
                File - %systemroot%\system32\drivers\6cc6e2274700f424832e9f239fb83754.sys
                Registry Entry - HKLM\System\CurrentControlSet\Services\6cc6e2274700f424832e9f239fb83754\@ = C:\WINDOWS\System32\drivers\6cc6e2274700f424832e9f239fb83754.sys
                Registry Entry - HKLM\System\CurrentControlSet\Services\6cc6e2274700f424832e9f239fb83754\ImagePath = \??\C:\WINDOWS\system32\drivers\6cc6e2274700f424832e9f239fb83754.sys
PIP267_AVR8_.exe
Status             : Scanned
Object             : %userprofile%\downloads\pip267_avr8_.exe
MD5                : 8B5A8C4549CD5EC4FCF27080B46DD5DC
Publisher          : Ask.com
Size               : 797384
Version            : 2.6.7.0
Detection          : Adware:Win32/AskBrowserHijack!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\downloads\pip267_avr8_.exe
NetUtils2016.sys
Status             : Scanned
Object             : %systemroot%\system32\drivers\netutils2016.sys
MD5                : 9EE21F7D46BD2B0F128E0907BABC7D28
Publisher          : Kuiting Chen
Size               : 909944
Version            : 1.0.28.16
Detection          : PUA:Win32/HDWallPaper-DJ!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %systemroot%\system32\drivers\netutils2016.sys
                Registry Entry - HKLM\System\CurrentControlSet\Services\NetUtils2016\@ = C:\WINDOWS\System32\drivers\NetUtils2016.sys
                Registry Entry - HKLM\System\CurrentControlSet\Services\NetUtils2016\ImagePath = \??\C:\WINDOWS\system32\drivers\NetUtils2016.sys
microleaves
Status             : Scanned
Object             : NE->c:\program files (x86)\microleaves
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA:Win32/Traffic Exchange.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
055d489d-28f7-0
Status             : Scanned
Object             : NE->c:\programdata\055d489d-28f7-0
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/DNSUnlocker.E!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
bita8fb.tmp
Status             : Scanned
Object             : NE->c:\programdata\055d489d-28f7-0\bita8fb.tmp
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/DNSUnlocker.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
055d489d-5a27-1
Status             : Scanned
Object             : NE->c:\programdata\055d489d-5a27-1
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/DNSUnlocker.E!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
055d489d-7191-1
Status             : Scanned
Object             : NE->c:\programdata\055d489d-7191-1
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/DNSUnlocker.E!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
bita8cc.tmp
Status             : Scanned
Object             : NE->c:\programdata\055d489d-7191-1\bita8cc.tmp
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/DNSUnlocker.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
ask
Status             : Scanned
Object             : NE->c:\programdata\ask
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/AskToolbar.G!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
microleaves
Status             : Scanned
Object             : NE->c:\programdata\microleaves
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA:Win32/Traffic Exchange.C!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
advinstanalytics
Status             : Scanned
Object             : NE->c:\users\default\appdata\local\advinstanalytics
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA:Win32/Traffic Exchange.E!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
apptrailers
Status             : Scanned
Object             : NE->c:\users\katie\appdata\local\apptrailers
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA:Win32/AppTrailers.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
bandwidthstat_388
Status             : Scanned
Object             : NE->c:\users\katie\appdata\local\crashrpt\unsentcrashreports\bandwidthstat_388
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/BandwidthStat.C!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
logs
Status             : Scanned
Object             : NE->c:\users\katie\appdata\local\crashrpt\unsentcrashreports\bandwidthstat_388\logs
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/BandwidthStat.C!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
interstatnogui_388
Status             : Scanned
Object             : NE->c:\users\katie\appdata\local\crashrpt\unsentcrashreports\interstatnogui_388
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/InterStat.D!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
logs
Status             : Scanned
Object             : NE->c:\users\katie\appdata\local\crashrpt\unsentcrashreports\interstatnogui_388\logs
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/InterStat.D!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
uninstallro.exe
Status             : Scanned
Object             : NE->c:\users\katie\appdata\local\uninstallro.exe
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/REOptimizer.B!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
qdcomsvc.exe
Status             : Scanned
Object             : NE->c:\users\katie\appdata\local\uugyutu\qdcomsvc.exe
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/CTProxy.I!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
agdata
Status             : Scanned
Object             : NE->c:\users\katie\appdata\roaming\agdata
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/Anonymizer.D!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
c
Status             : Scanned
Object             : NE->c:\users\katie\appdata\roaming\c
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/InterStat.E!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
installationconfiguration.xml
Status             : Scanned
Object             : NE->c:\users\katie\appdata\roaming\installationconfiguration.xml
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/Linkury.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
interstatnogui
Status             : Scanned
Object             : NE->c:\users\katie\appdata\roaming\interstatnogui
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/InterStat.C!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
microleaves
Status             : Scanned
Object             : NE->c:\users\katie\appdata\roaming\microleaves
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA:Win32/Traffic Exchange.B!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
note-up
Status             : Scanned
Object             : NE->c:\users\katie\appdata\roaming\note-up
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/Note-up.B!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
screenshot pro
Status             : Scanned
Object             : NE->c:\users\katie\appdata\roaming\screenshot pro
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA:Win32/ScreenshotPro.B!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
reimage.ini
Status             : Scanned
Object             : NE->c:\windows\reimage.ini
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA:Win32/Reimage.F!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
accept_cert.exe
Status             : Scanned
Object             : NE->c:\windows\src_srv\accept_cert.exe
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/BetterAds.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
ionic.zip.dll
Status             : Scanned
Object             : NE->c:\windows\src_srv\ionic.zip.dll
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/BetterAds.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
rootcert.pfx
Status             : Scanned
Object             : NE->c:\windows\src_srv\rootcert.pfx
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/BetterAds.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
trusted.web.proxy.dll
Status             : Scanned
Object             : NE->c:\windows\src_srv\trusted.web.proxy.dll
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/BetterAds.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
winsrcsrv.exe
Status             : Scanned
Object             : NE->c:\windows\src_srv\winsrcsrv.exe
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/BetterAds.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
ndistpr64.sys
Status             : Scanned
Object             : NE->c:\windows\system32\drivers\ndistpr64.sys
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Trojan:Win32/CTProxy.A!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
tmplog.log
Status             : Scanned
Object             : NE->c:\windows\system32\tmplog.log
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/HDWallPaper.F!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
screenshot pro
Status             : Scanned
Object             : NE->c:\windows\syswow64\config\systemprofile\appdata\roaming\screenshot pro
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA:Win32/ScreenshotPro.C!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
driverscanner.exe
Status             : Scanned
Object             : %userprofile%\downloads\driverscanner.exe
MD5                : 236850B87977A791A6929018DD727768
Publisher          : Uniblue Systems
Size               : 5653304
Version            : 4.0.11.0
Detection          : Scareware:Win32/NonBeneficialWindowsOptimizer!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\downloads\driverscanner.exe
CouponPrinter(1).exe
Status             : Scanned
Object             : %userprofile%\downloads\couponprinter(1).exe
MD5                : 71A77632CC2E23CF30399F66FEAC8B94
Publisher          : Coupons, Inc.
Size               : 1858464
Version            : 5.0.0.3
Detection          : Adware:Win32/Coupons!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\downloads\couponprinter(1).exe
couponprinter_x64.ocx
Status             : Scanned
Object             : %systemroot%\couponprinter_x64.ocx
MD5                : 084D588FBA799735C41247AF960870DF
Publisher          : Coupons, Inc.
Size               : 652160
Version            : 4.0.2.0
Detection          : Adware:Win32/Coupons!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %systemroot%\couponprinter_x64.ocx
                Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}\InprocServer32\@ = C:\Windows\couponprinter_x64.ocx
                Registry Entry - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A53AD8B-D0B9-4E7F-88E4-50C07A65F2DC}\@ = C:\Windows\couponprinter_x64.ocx
                Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{1A53AD8B-D0B9-4E7F-88E4-50C07A65F2DC}\InprocServer32\@ = C:\Windows\couponprinter_x64.ocx
CouponPrinter.ocx
Status             : Scanned
Object             : %systemroot%\couponprinter.ocx
MD5                : DA780AC96C7BE9C65B6AD203374A3B4C
Publisher          : Coupons, Inc.
Size               : 440704
Version            : 4.0.2.0
Detection          : Adware:Win32/Coupons!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %systemroot%\couponprinter.ocx
                Registry Entry - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}\@ = C:\Windows\CouponPrinter.ocx

Cleaning Result
-------------------------------------------------------
Cleaned               : 47
Reported as safe      : 0
Failed                : 0
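Added example, not part of the thread and not a Zemana or Malwarebytes tool: a Python script that parses the Zemana "Detected Objects" log format posted above and sorts the entries by mechanism, which is the first triage a responder does on a log like this: which entries are kernel drivers or DLLs loaded into a system process (the things a user-mode scanner cannot unload, and the likeliest reason EXEs were refused with "The requested resource is in use"), which rewrite the proxy setting, which tamper with the Security Center service, and which drop a certificate for TLS interception. The sample log is a constructed, abbreviated excerpt of the one in this post; the category names, the rules and the helper names are my own.

```python
"""Parse a Zemana AntiMalware (Portable) log and sort its detections by the
mechanism each represents. Added example for this thread, not a Zemana tool."""
import re
from dataclasses import dataclass, field

# Constructed, abbreviated excerpt in the format of the log posted above
# (MD5/Publisher/Size/Version lines omitted; the parser accepts them too).
SAMPLE_LOG = r"""
Zemana AntiMalware 2.72.2.380 (Portable)
-------------------------------------------------------
Detected Objects       : 5
Detected Objects
-------------------------------------------------------
ndistpr64.sys
Object             : NE->c:\windows\system32\drivers\ndistpr64.sys
Detection          : Trojan:Win32/CTProxy.A!Neng
Related Objects    :
                (null) - (null)
Security Center Disabled
Object             : HKLM\SYSTEM\CurrentControlSet\services\wscsvc\DelayedAutoStart
Detection          : Potentially Unwanted Modification
Related Objects    :
                Registry Entry - HKLM\SYSTEM\CurrentControlSet\services\wscsvc\DelayedAutoStart = disabled
Proxy Server (User)
Object             : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
Detection          : Potentially Unwanted Modification
Related Objects    :
                Registry Entry - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer = 127.0.0.1:8003
NetUtils2016.dll
Object             : %systemroot%\system32\netutils2016.dll
Detection          : PUA:Win32/HDWallPaper-DJ!Ep
Related Objects    :
                File - %systemroot%\system32\netutils2016.dll
                DLL - 436 - C:\Windows\System32\winlogon.exe
rootcert.pfx
Object             : NE->c:\windows\src_srv\rootcert.pfx
Detection          : Adware:Win32/BetterAds.A!Neng
Related Objects    :
                (null) - (null)

Cleaning Result
-------------------------------------------------------
Cleaned               : 5
"""
KEY_RE = re.compile(r"^(\S[^:]*?)\s+:\s?(.*)$")  # "Key     : value" lines
KNOWN_KEYS = {"Status", "Object", "MD5", "Publisher", "Size", "Version",
              "Detection", "Cleaning Action", "Related Objects"}

@dataclass
class Detection:
    name: str
    fields: dict = field(default_factory=dict)   # key -> value
    related: list = field(default_factory=list)  # indented "Related Objects" lines

def parse_zemana_log(text):
    """Return the records between every 'Detected Objects' and 'Cleaning Result'."""
    detections, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Detected Objects", "Cleaning Result"):
            in_section, current = line == "Detected Objects", None
        elif not in_section or not line or set(line) == {"-"}:
            continue
        elif raw[0].isspace():  # indented: a Related Objects entry
            if current is not None and line != "(null) - (null)":
                current.related.append(line)
        elif (m := KEY_RE.match(raw)) and m.group(1) in KNOWN_KEYS and current:
            current.fields[m.group(1)] = m.group(2).strip()
        else:  # any other unindented line starts a new record
            current = Detection(name=line)
            detections.append(current)
    return detections

RULES = [  # (category, predicate over lowercased object, lowercased detection, related lines)
    ("kernel_driver", lambda o, d, r: o.endswith(".sys") or "\\drivers\\" in o),
    ("system_process_dll", lambda o, d, r: any(x.startswith("DLL - ") for x in r)),
    ("proxy", lambda o, d, r: "internet settings\\proxyserver" in o),
    ("security_service", lambda o, d, r: "\\services\\wscsvc" in o),
    ("root_cert", lambda o, d, r: o.endswith((".pfx", ".cer", ".crt"))),
    ("browser", lambda o, d, r: "browser" in d or "ext!" in d),
]

def triage(detections):
    """Group detection names by mechanism; the first matching rule wins."""
    groups = {c: [] for c in [c for c, _ in RULES] + ["other"]}
    for det in detections:
        o = det.fields.get("Object", "").lower()
        d = det.fields.get("Detection", "").lower()
        cat = next((c for c, ok in RULES if ok(o, d, det.related)), "other")
        groups[cat].append(det.name)
    return groups

def proxy_endpoints(detections):
    """Proxy addresses written into the registry, e.g. 127.0.0.1:8003."""
    return [m for det in detections for r in det.related
            for m in re.findall(r"ProxyServer = (\S+)", r)]

def execution_blockers(groups):
    """Entries that can refuse user-mode tools: ring-0 drivers and DLLs in system processes."""
    return groups["kernel_driver"] + groups["system_process_dll"]
```

Paste the full log in place of SAMPLE_LOG to run it on the real thing. The drivers under system32\drivers and the DLL reported inside winlogon.exe are what a boot-time or offline tool has to remove first, since nothing running as a normal user-mode process can unload them; the 127.0.0.1:8003 proxy together with rootcert.pfx is the signature of local TLS interception, so after cleanup the proxy setting and the machine's trusted root store are the two places to re-check by hand.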


#10 Aura (Malware Response Team)

Posted 04 April 2017 - 06:00 PM

That's good news. Now, follow the instructions in the thread below. You should be able to run MBAR without any problem (make sure to download the MBAR version linked in the thread, not the one you already have downloaded).

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

Copy/paste the content of the "mbar-log-TODAY'S-DATE.txt" log that will be located in the MBAR folder once it's done scanning.



#11 Oldschl (Topic Starter)

Posted 04 April 2017 - 06:05 PM

When I try to run it, Windows says Windows SmartScreen prevented an unrecognized app from starting, and doesn't allow me to run the program.



#12 Aura (Malware Response Team)

Posted 04 April 2017 - 06:07 PM

If you click on "More Information" in the bottom left corner, it'll give you the option to "Run it anyway". Please do so.



#13 Oldschl (Topic Starter)

Posted 04 April 2017 - 06:50 PM

Excellent! I was able to clean it and now I'm able to run other software that was blacklisted before. It found 90+ items on the second scan, and once the laptop rebooted, I was able to install other software.

 

Thank you SO much! You are a lifesaver!!



#14 Aura (Malware Response Team)

Posted 04 April 2017 - 06:59 PM

Good news :) Are you able to provide me the log? There are still things I need to check up on, as this infection does leave a lot of leftovers behind and I want to help you clean all of it :)



#15 Aura (Malware Response Team)

Posted 07 April 2017 - 10:40 AM

Hi Oldschl,

Are you still with me?





