Winvmx Client Virus (w/ FRST logs)


This topic is locked
8 replies to this topic

#1 xViviDx

  • Members
  • 6 posts

Posted 06 April 2017 - 08:17 PM

I've been battling this nasty bug for days. I found a suspicious file in my registry and deleted it, and shortly after Windows Defender said it had found some malware and removed it, but unfortunately it didn't get all of it; or maybe it was a different one. I had tried to download every single antivirus and antimalware program out there, but I always get the "this requested resource is in use" error. It's becoming a problem that I can't fix, so I must ask the experts for help. So please help me.

 

I have not gone any further than looking at the keys and values and placing the ones that said "attention" in a separate "Fixit.txt" log. I have not run, nor will I run, that log; I just wanted to compile a list of what I saw. I am also unsure if I have the syntax correct to delete those files.

Attached Files





#2 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 06 April 2017 - 09:23 PM

Welcome. :)

 

Please follow the instructions below to remove the infection.

  • Download version 1.09.4.1001 of Malwarebytes Anti Rootkit (MBAR).
  • Run the exe.
  • After extraction MBAR should start. Click next.
  • Update by hitting the update button.
  • After the update completes hit next.
  • Hit the scan button. Please let it finish the scan. This rootkit may slow your machine down but MBAR will continue to scan.
  • Once the scan is complete, press the cleanup button and allow MBAR to remove what is found and allow your computer to restart.
  • Malwarebytes functionality should be restored.

Post the log produced in the MBAR folder as mbar-log-TODAY'S-DATE.txt.


Edited by JSntgRvr, 06 April 2017 - 09:25 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 xViviDx
  • Topic Starter

  • Members
  • 6 posts

Posted 07 April 2017 - 04:30 AM

Here you go Sir.

 

I see no sign of it anywhere. It has yet to pop up in my task manager, but I will check back in a few hours.

 

Thank you for all your help so far.

Attached Files



#4 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 07 April 2017 - 09:18 AM

Download the attached file and save it in the same directory where FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

    [AdwCleaner console screenshot]

  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found; above it, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.

    [AdwCleaner reboot prompt screenshot]

  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt



#5 xViviDx
  • Topic Starter

  • Members
  • 6 posts

Posted 07 April 2017 - 03:31 PM

After getting your last message and running the rootkit tool, I have run every anti-malware/adware/virus program I could find.

 

I did download your FRST file, but have since run a bunch of other programs and none of them seem to encounter any issues.

 

I have included the AdwCleaner txt for your reference. If there's anything else that you think I should run, do not hesitate to let me know.

 

 

 

# AdwCleaner v6.045 - Logfile created 07/04/2017 at 16:21:04
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-06.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Ethan - DESKTOP-HRE8URH
# Running from : C:\Users\Owner\Downloads\adwcleaner_6.045.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\Owner\AppData\Local\llssoft
[-] Folder deleted: C:\Users\Owner\AppData\Roaming\Microleaves
[#] Folder deleted on reboot: C:\Users\Owner\AppData\Local\llssoft
[#] Folder deleted on reboot: C:\Users\Owner\AppData\Roaming\Microleaves
 
 
***** [ Files ] *****
 
[-] File deleted: C:\Users\Owner\AppData\Roaming\Installer.dat
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKU\S-1-5-21-1684843648-169458778-1613013108-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\AdVPN
[-] Key deleted: HKLM\SOFTWARE\Microleaves
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AdVPN
[-] Key deleted: [x64] HKLM\SOFTWARE\Reimage
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AdVPN
[-] Value deleted: HKU\S-1-5-21-1684843648-169458778-1613013108-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [WinResSync]
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1637 Bytes] - [07/04/2017 16:21:04]
C:\AdwCleaner\AdwCleaner[S0].txt - [1848 Bytes] - [07/04/2017 16:12:49]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1783 Bytes] ##########

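A small parser for the AdwCleaner report format shown above, added here as an example; it is not part of the thread or of AdwCleaner itself. It turns the "[-] ... deleted" / "[#] ... deleted on reboot" lines into records and picks out the autostart (Run / StartupApproved) registry items, which are the persistence a responder would want to confirm are gone after reboot. SAMPLE_LOG is a constructed excerpt mirroring the posted report, with a shortened SID.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed excerpt shaped like the AdwCleaner v6 "Clean" report above (shortened SID).
SAMPLE_LOG = """\
# AdwCleaner v6.045 - Logfile created 07/04/2017 at 16:21:04
***** [ Folders ] *****
[-] Folder deleted: C:\\Users\\Owner\\AppData\\Local\\llssoft
[#] Folder deleted on reboot: C:\\Users\\Owner\\AppData\\Local\\llssoft
***** [ Registry ] *****
[-] Key deleted: HKLM\\SOFTWARE\\Microleaves
[-] Key deleted: [x64] HKLM\\SOFTWARE\\Reimage
[-] Value deleted: HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run [WinResSync]
"""
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+) \] \*{5}$")
# "[-] Folder deleted: <path>" or "[#] Key deleted on reboot: <key>"
ACTION_RE = re.compile(
    r"^\[(?P<flag>[-#])\] (?P<kind>Folder|File|Key|Value) deleted"
    r"(?P<reboot> on reboot)?: (?P<target>.+)$"
)
@dataclass(frozen=True)
class Finding:
    section: str
    kind: str                  # Folder, File, Key or Value
    target: str                # path or registry key, "[x64]" view marker dropped
    value_name: Optional[str]  # registry value name, written as " [Name]" after the key
    on_reboot: bool            # "[#]" lines: item could only be removed at reboot

def parse_adwcleaner(text: str) -> List[Finding]:
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m["name"]
            continue
        if section is None or not (m := ACTION_RE.match(line)):
            continue  # header/footer lines and anything before the first section
        target, value_name = re.sub(r"^\[x64\] ", "", m["target"]), None
        if m["kind"] == "Value":
            target, _, rest = target.rpartition(" [")
            value_name = rest.rstrip("]")
        findings.append(Finding(section, m["kind"], target, value_name,
                                m["reboot"] is not None))
    return findings

def autostart_entries(findings: List[Finding]) -> List[Finding]:
    """Registry items under Run / StartupApproved, i.e. autostart persistence."""
    return [f for f in findings if f.kind in ("Key", "Value")
            and re.search(r"\\(Run|StartupApproved)(\\|$)", f.target, re.I)]
```

Items that appear twice (deleted, then deleted on reboot) are the ones AdwCleaner could not remove while the machine was running; the on_reboot flag lets you verify those separately after the restart.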

#6 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 07 April 2017 - 03:34 PM

How is the computer doing?




#7 xViviDx
  • Topic Starter

  • Members
  • 6 posts

Posted 07 April 2017 - 07:15 PM

So far so good. I haven't noticed anything popping up in my task manager eating up all my CPU. I will continue to monitor and let you know.

 

Thank you, I don't know how the rootkit managed to download though. I had tried that exact same software before and it wouldn't let me run it.  



#8 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 07 April 2017 - 07:22 PM

It usually comes bundled with other software.

 

So, congratulations. Let's perform a cleanup.

 

Please download DelFix by Xplode and save to your Desktop.

  • Double-click on delfix.exe to run the tool.
    Vista/Windows 7/8/10 users: right-click and select Run As Administrator.
  • Put a check mark next to these items:
    - Remove disinfection tools
    - Create registry backup
    [DelFix options screenshot]
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report (DelFix.txt).

I will leave the topic opened for a few days.

 

Best wishes.  :hello:




#9 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 10 April 2017 - 10:40 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
