
Infected with winvmx help needed


This topic is locked
26 replies to this topic

#1 Auchaser

Auchaser

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 20 April 2017 - 01:29 AM

Hello, as the title states I have been infected with the pesky winvmx virus and would appreciate help. I have run FRST as the guide states and attached the logs. My main problem is that the MBAR tool stops responding even after I run rkill, although I do not know if I am doing something wrong.

Attached Files





#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:04 PM

Posted 20 April 2017 - 12:17 PM

Welcome: :)

 

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.

  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

 

Attention:

 

Once the program has begun scanning, do not use the computer or click on it. That will make the program stall.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Auchaser

Auchaser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 20 April 2017 - 01:41 PM

Hi, I have done what you asked, but after it gets to the folder where the virus is located and begins to scan, it stalls out even if I leave it alone for 5 hours. Should I just do it again? Thank you for the help, by the way.



#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:04 PM

Posted 20 April 2017 - 09:22 PM

That is a very nasty trojan that readjusts to our tools. Please re-run Malwarebytes Anti-Rootkit once again. Make sure to leave it running unhindered.

If still unable to run, we will need to run a fix under the recovery environment.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Please also download the attached file and save it in the same location FRST64 is saved. (flash drive)

Insert the USB drive in the infected computer.

Boot to the Recovery Console's Command prompt. For instructions see here.

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button.
  • It will make a log (Fixlog.txt) in the flash drive. Please copy and paste it to your reply.

Upon reboot, attempt Malwarebytes Anti-Rootkit once again, and post its logs.




#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:04 PM

Posted 23 April 2017 - 01:03 PM

Are you still with us?




#6 Auchaser

Auchaser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 23 April 2017 - 08:25 PM

Are you still with us?

Yes, sorry. I just went and bought the drive; I am now going to try the steps you suggested.



#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:04 PM

Posted 23 April 2017 - 08:34 PM

Very well.



#8 Auchaser

Auchaser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 26 April 2017 - 12:09 AM

Hello, a little update: whenever I try to boot into recovery, nothing happens. I tried the first option and the 7th. Should I just call it quits and reinstall Windows?

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:04 PM

Posted 26 April 2017 - 12:39 AM

No. It may be due to the rootkit. Open Frst, and make sure List BCD is checked and click on Scan. Post the new Frst report.



#10 Auchaser

Auchaser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 27 April 2017 - 12:01 AM

Okay, on my way home now. Will do as told and provide updates. Thank you.

#11 Auchaser

Auchaser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 27 April 2017 - 12:52 AM

Here are the new FRST and Addition files as requested.

Attached Files



#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:04 PM

Posted 27 April 2017 - 09:22 AM

I will change the Boot menu to legacy to enable the F8 feature in Windows.

 

Download the attached file and save it in the same directory FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

 

Restart the computer and, immediately after the BIOS splash logo, start tapping F8 until you get to the Advanced Menu. By pressing F8 you may be able to reach the Advanced Menu; through the Troubleshooting options you may be able to reach the Command Prompt option. From there, follow the instructions above to run the Fix.
 

 




#13 Auchaser

Auchaser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 28 April 2017 - 12:44 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-04-2017
Ran by Steven (28-04-2017 01:43:39) Run:1
Running from C:\Users\Steven\Desktop
Loaded Profiles: Steven (Available Profiles: Steven)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit /set {current} bootmenupolicy Legacy
CMD: bcdedit.exe /set {bootmgr} displaybootmenu Yes
*****************
 
 
========= bcdedit /set {current} bootmenupolicy Legacy =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= bcdedit.exe /set {bootmgr} displaybootmenu Yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
==== End of Fixlog 01:43:40 ====
 
 
 
This is the log you requested.


#14 Auchaser

Auchaser
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 28 April 2017 - 01:08 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 19-04-2017
Ran by Steven (28-04-2017 01:59:50) Run:2
Running from f:\
Loaded Profiles: Steven (Available Profiles: Steven)
Boot Mode: Safe Mode (minimal)
==============================================
 
fixlist content:
*****************
HKLM-x32\...\Run: [cpx] => C:\Program Files (x86)\cpx\cpx.exe [649216 2017-01-05] () <===== ATTENTION 
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
C:\Program Files (x86)\cpx
C:\Program Files (x86)\svcvmx
IFEO\SppExtComObj.exe: [Debugger] SppExtComObjPatcher.exe
R2 Dataup; C:\Users\Steven\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION 
R2 qdcomsvc; C:\Users\Steven\AppData\Local\ntuserlitelist\qdcomsvc\qdcomsvc.exe [756224 2017-03-10] (qdcomsvc Inc.) [File not signed] <==== ATTENTION 
S2 WindowService; C:\Users\Steven\AppData\Local\Temp\WS\WindowService.exe [8192 2017-02-19] () [File not signed] <==== ATTENTION 
R2 windowsmanagementservice; C:\Users\Steven\AppData\Local\Temp\20170219\ct.exe [722432 2017-02-19] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION 
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [53832 2012-01-31] () [File not signed] <==== ATTENTION 
Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION 
Popcorn Time (HKLM-x32\...\Popcorn Time_is1) (Version: 5.5.1.2 - Popcorn Time) <==== ATTENTION 
s5mark (HKLM-x32\...\s5mark) (Version: 2.0.2 - s5mark) <==== ATTENTION 
Task: {3A20D43A-77AF-41DA-AE64-F9B048AD85FF} - System32\Tasks\Online Application v2 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION 
Task: {44BC588E-C1CC-4756-BD07-858A9D8331A5} - System32\Tasks\Online Application v2 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION 
Task: {7FABE777-9C3C-40D6-89E7-20553D36C7F4} - System32\Tasks\Online Application Updater => C:\Program Files (x86)\Microleaves\Online.io Application\Online Application Updater.exe [2017-02-15] (Microleaves) <==== ATTENTION 
Task: {AF3B5C66-0225-4C4F-8445-BDBC77429362} - System32\Tasks\Online Application => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION 
Task: {B07A39C0-A3D2-45FF-AB91-4F464210F81D} - System32\Tasks\Online Application v209 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION 
Task: {BCC44EC5-C83A-4074-9EB8-956824A9ED37} - System32\Tasks\Online Application v209 => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION 
Task: {C5E9B7BA-D9E2-4932-A5FF-9B4A024568E1} - System32\Tasks\Online Application Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION 
Task: {EC77058C-7D04-4D25-B70E-905B220B14DF} - System32\Tasks\Online Application v209 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe [2017-02-07] (Microleaves LTD) <==== ATTENTION 
Task: {EE80933E-2F5D-4D0B-8072-8246DB8B1EE4} - System32\Tasks\Online Application v2 => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION 
Task: {FA886980-A31E-47EF-B800-EDCA9E5AAE8A} - System32\Tasks\Online Application Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian.exe [2016-08-17] (Microleaves LTD) <==== ATTENTION 
Task: C:\WINDOWS\Tasks\Online Application Updater.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online Application Updater.exe <==== ATTENTION 
Task: C:\WINDOWS\Tasks\Online Application v2 Guard.job => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION 
Task: C:\WINDOWS\Tasks\Online Application v2 Guardian.job => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION 
Task: C:\WINDOWS\Tasks\Online Application v2.job => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe <==== ATTENTION 
Task: C:\WINDOWS\Tasks\Online Application v209 Guard.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION 
Task: C:\WINDOWS\Tasks\Online Application v209 Guardian.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION 
Task: C:\WINDOWS\Tasks\Online Application v209.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION 
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File] 
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File] 
(ct Corp.) C:\Users\Steven\AppData\Local\Temp\20170219\ct.exe 
(Microleaves) C:\Windows\Temp\2eb9ee42e12d953bcdf487c7c30f4a51\Online Application Updater.exe 
S2 WindowService; C:\Users\Steven\AppData\Local\Temp\WS\WindowService.exe [8192 2017-02-19] () [File not signed] <==== ATTENTION 
R2 windowsmanagementservice; C:\Users\Steven\AppData\Local\Temp\20170219\ct.exe [722432 2017-02-19] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION 
2017-04-13 02:06 - 2016-07-16 07:36 - 00000000 ____D C:\WINDOWS\CbsTemp 
2017-04-07 03:42 - 2017-04-07 03:42 - 14456872 _____ (Microsoft Corporation) C:\Users\Steven\AppData\Local\Temp\vc_redist.x86.exe 
2017-03-05 14:24 - 2017-03-05 14:24 - 30533688 _____ () C:\Users\Steven\AppData\Local\Temp\vlc-2.2.4-win32.exe 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) 
Ansel (Version: 378.66 - NVIDIA Corporation) Hidden 
AudioFXSetup (Version: 1.2.201 - Nahimic) Hidden 
Battery Calibration (x32 Version: 1.0.1505.2901 - Micro-Star International Co., Ltd.) Hidden 
BurnRecovery (x32 Version: 5.0.1507.1301 - Application) Hidden 
CheckDevicesConfigurator (Version: 1.2.201 - Nahimic) Hidden 
Dragon Gaming Center (x32 Version: 1.0.1501.2801 - Micro-Star International Co., Ltd.) Hidden 
Google Update Helper (x32 Version: 1.3.21.115 - Google Inc.) Hidden 
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden 
Herramientas de corrección de Microsoft Office 2016: español (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden 
Intel® Chipset Device Software (x32 Version: 10.1.1.8 - Intel® Corporation) Hidden 
Killer Bandwidth Control Filter Driver (Version: 1.1.54.1095 - Rivet Networks) Hidden 
Killer E220x Drivers (Version: 1.1.54.1095 - Rivet Networks) Hidden 
Killer Network Manager (Version: 1.1.54.1095 - Rivet Networks) Hidden 
LauncherSetup (Version: 1.2.201 - Nahimic) Hidden 
League of Legends (x32 Version: 3.0.1 - Riot Games) Hidden 
MSI Remind Manager (x32 Version: 1.0.1506.0801 - Micro-Star International Co., Ltd.) Hidden 
NahimicSettingsConfigurator (Version: 1.2.201 - Nahimic) Hidden 
NvNodejs (Version: 3.4.0.70 - NVIDIA Corporation) Hidden 
NvTelemetry (Version: 2.3.16.0 - NVIDIA Corporation) Hidden 
NvvHci (Version: 2.02.0.5 - NVIDIA Corporation) Hidden 
Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION 
Outils de vérification linguistique 2016 de Microsoft Office - Français (Version: 16.0.4266.1001 - Microsoft Corporation) Hidden 
ProductDaemonSetup (Version: 1.2.201 - Nahimic) Hidden 
SHIELD Streaming (Version: 7.1.0351 - NVIDIA Corporation) Hidden 
SHIELD Wireless Controller Driver (Version: 3.4.0.70 - NVIDIA Corporation) Hidden 
UIInstallUpgrade (Version: 1.2.201 - Nahimic) Hidden 
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON 
CMD: ipconfig /flushdns 
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP: 
Reboot:
 
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value removed successfully
C:\Program Files (x86)\cpx => moved successfully
C:\Program Files (x86)\svcvmx => moved successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SppExtComObj.exe => key removed successfully
HKLM\System\CurrentControlSet\Services\Dataup => key removed successfully
Dataup => service removed successfully
HKLM\System\CurrentControlSet\Services\qdcomsvc => key removed successfully
qdcomsvc => service removed successfully
HKLM\System\CurrentControlSet\Services\WindowService => key removed successfully
WindowService => service removed successfully
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key removed successfully
windowsmanagementservice => service removed successfully
HKLM\System\CurrentControlSet\Services\drmkpro64 => key removed successfully
drmkpro64 => service removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0847AE0-465A-4D7B-A555-AABB43B550F0}\\SystemComponent => value removed successfully
Popcorn Time (HKLM-x32\...\Popcorn Time_is1) (Version: 5.5.1.2 - Popcorn Time) <==== ATTENTION => Error: No automatic fix found for this entry.
s5mark (HKLM-x32\...\s5mark) (Version: 2.0.2 - s5mark) <==== ATTENTION => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3A20D43A-77AF-41DA-AE64-F9B048AD85FF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3A20D43A-77AF-41DA-AE64-F9B048AD85FF} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v2 Guard => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v2 Guard => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{44BC588E-C1CC-4756-BD07-858A9D8331A5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{44BC588E-C1CC-4756-BD07-858A9D8331A5} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v2 Guardian => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v2 Guardian => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7FABE777-9C3C-40D6-89E7-20553D36C7F4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7FABE777-9C3C-40D6-89E7-20553D36C7F4} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application Updater => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application Updater => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AF3B5C66-0225-4C4F-8445-BDBC77429362} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AF3B5C66-0225-4C4F-8445-BDBC77429362} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B07A39C0-A3D2-45FF-AB91-4F464210F81D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B07A39C0-A3D2-45FF-AB91-4F464210F81D} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v209 Guard => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 Guard => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BCC44EC5-C83A-4074-9EB8-956824A9ED37} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BCC44EC5-C83A-4074-9EB8-956824A9ED37} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v209 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C5E9B7BA-D9E2-4932-A5FF-9B4A024568E1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C5E9B7BA-D9E2-4932-A5FF-9B4A024568E1} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application Guard => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application Guard => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EC77058C-7D04-4D25-B70E-905B220B14DF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EC77058C-7D04-4D25-B70E-905B220B14DF} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v209 Guardian => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 Guardian => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EE80933E-2F5D-4D0B-8072-8246DB8B1EE4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EE80933E-2F5D-4D0B-8072-8246DB8B1EE4} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v2 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v2 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FA886980-A31E-47EF-B800-EDCA9E5AAE8A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA886980-A31E-47EF-B800-EDCA9E5AAE8A} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application Guardian => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application Guardian => key removed successfully
C:\WINDOWS\Tasks\Online Application Updater.job => moved successfully
C:\WINDOWS\Tasks\Online Application v2 Guard.job => moved successfully
C:\WINDOWS\Tasks\Online Application v2 Guardian.job => moved successfully
C:\WINDOWS\Tasks\Online Application v2.job => moved successfully
C:\WINDOWS\Tasks\Online Application v209 Guard.job => moved successfully
C:\WINDOWS\Tasks\Online Application v209 Guardian.job => moved successfully
C:\WINDOWS\Tasks\Online Application v209.job => moved successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9 => key removed successfully
C:\Users\Steven\AppData\Local\Temp\20170219\ct.exe => No running process found
C:\Windows\Temp\2eb9ee42e12d953bcdf487c7c30f4a51\Online Application Updater.exe => No running process found
WindowService => service not found.
windowsmanagementservice => service not found.
C:\WINDOWS\CbsTemp => moved successfully
C:\Users\Steven\AppData\Local\Temp\vc_redist.x86.exe => moved successfully
C:\Users\Steven\AppData\Local\Temp\vlc-2.2.4-win32.exe => moved successfully
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Ansel\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AFD4102D-0D35-4975-A817-1903BF06AC97}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{634AC01E-49DB-4AD2-B87C-90D4DCC6AFA1}\\SystemComponent => value not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{92A6B009-1343-4C44-AFB1-8849137CA3F0}\\SystemComponent => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7744FCC8-29DC-43C9-A861-5FA81B4F9376}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{965B16C7-0778-4C45-B7D1-83A59E6FBBCB}\\SystemComponent => value not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\\SystemComponent => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\SystemComponent => value not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c6cff78a-cccb-49d5-be68-ae0ec5f0d48a}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{74351A4C-172D-47DF-9ED5-3243C2E56310}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1F9C1993-4706-4A72-B231-B092CF517C1D}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{196988EC-1E8E-4BDD-BF58-AB7C14338BDD}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{46B7FC00-4225-4A55-97A7-CF6CF2778B92}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\League of Legends 3.0.1\\SystemComponent => value not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{3E23F267-3E35-40F9-B6BF-BC034D214717}\\SystemComponent => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{79875E1A-1B2F-40C0-8F96-6396D3E97357}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NvNodejs\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NvTelemetry\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NvvHci\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0847AE0-465A-4D7B-A555-AABB43B550F0}\\SystemComponent => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\SystemComponent => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FD4A186-3CC3-45FF-B5D3-319A0176C5AA}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamSrv\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_ShieldWirelessController\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0D036C5F-A96F-434E-B8C1-6229515DEF70}\\SystemComponent => value removed successfully
 
========= netsh advfirewall reset =========
 
 
An error occurred while attempting to contact the  Windows Firewall service. Make sure that the service is running and try your request again.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
 
An error occurred while attempting to contact the  Windows Firewall service. Make sure that the service is running and try your request again.
 
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Could not flush the DNS Resolver Cache: Function failed during execution.
 
 
========= End of CMD: =========
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset C:\resettcpip.txt =========
 
There's no user specified settings to be reset.
 
 
========= End of CMD: =========
 
 
========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========
 
Failed to clear log AirSpaceChannel. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Failed to clear log Microsoft-RMS-MSIPC/Debug. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.
 
========= End of CMD: =========
 
 
========= Bitsadmin /Reset /Allusers =========
 
 
BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to connect to BITS - 0x8007043c
This service cannot be started in Safe Mode
 
 
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15412096 B
Java, Flash, Steam htmlcache => 454251296 B
Windows/system/drivers => 209583607 B
Edge => 1524768 B
Chrome => 723616380 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 2478 B
NetworkService => 3252844 B
Steven => 599536403 B
 
RecycleBin => 0 B
EmptyTemp: => 1.9 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 02:01:32 ====
 
 
This is after the command prompt reboot was done. I will now proceed to try the anti-rootkit tool again.
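The Fixlog above is useful beyond this one machine: the entries FRST flags (Run keys, unsigned services and drivers, an IFEO Debugger redirect, scheduled tasks) are the classic Windows persistence locations a responder checks when triaging adware or a trojan of this kind. The following script is an added example written for this page; it is not part of the thread and not Farbar's own code. It assumes only the line formats visible in the posted fixlist (the sample entries are copied from the Fixlog above and labelled as such) and parses them into findings, tagging each with the risk indicators a defender looks for: the FRST ATTENTION flag, a missing signature, an empty publisher field, and a binary living under Temp or AppData\Local.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, copied from entry formats in the Fixlog posted above:
# Run keys, services, a kernel driver, an IFEO Debugger entry and a scheduled task.
SAMPLE_FIXLIST = r"""
HKLM-x32\...\Run: [cpx] => C:\Program Files (x86)\cpx\cpx.exe [649216 2017-01-05] () <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
IFEO\SppExtComObj.exe: [Debugger] SppExtComObjPatcher.exe
R2 Dataup; C:\Users\Steven\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S2 WindowService; C:\Users\Steven\AppData\Local\Temp\WS\WindowService.exe [8192 2017-02-19] () [File not signed] <==== ATTENTION
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [53832 2012-01-31] () [File not signed] <==== ATTENTION
Task: {3A20D43A-77AF-41DA-AE64-F9B048AD85FF} - System32\Tasks\Online Application v2 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\OnlineGuardian-v2.exe [2016-11-22] (Microleaves LTD) <==== ATTENTION
CMD: netsh advfirewall reset
"""


@dataclass
class Finding:
    kind: str                 # "run", "service", "driver", "task" or "ifeo"
    name: str                 # value name, service name, task path or hijacked image
    path: str                 # binary the entry launches
    reasons: list = field(default_factory=list)


# Line shapes as they appear in an FRST fixlist (assumption: formats seen in the posted log).
RUN_RE = re.compile(r"^HKLM(?:-x32)?\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?) \[")
SVC_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+); (?P<path>.+?) \[")
TASK_RE = re.compile(r"^Task: (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<name>.+?) => (?P<path>.+?) \[")
IFEO_RE = re.compile(r"^IFEO\\(?P<name>[^:]+): \[Debugger\] (?P<path>.+)$")

# Binaries launched from temp or per-user local directories are a common adware tell.
TEMP_DIR_RE = re.compile(r"\\(?:Temp|AppData\\Local)\\", re.IGNORECASE)


def _reasons(kind, line, path):
    """Collect the risk indicators present on one fixlist line."""
    reasons = []
    if kind == "ifeo":
        reasons.append("IFEO Debugger redirect")        # another binary runs in place of the target
    if "ATTENTION" in line:
        reasons.append("flagged by FRST")
    if "[File not signed]" in line:
        reasons.append("unsigned binary")
    if "] ()" in line:
        reasons.append("no publisher")                  # empty company/publisher field
    if TEMP_DIR_RE.search(path):
        reasons.append("runs from temp/user-local directory")
    return reasons


def parse_fixlist(text):
    """Turn persistence entries of a fixlist into Finding objects; CMD: and blank lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("CMD:"):
            continue
        for kind, rx in (("run", RUN_RE), ("service", SVC_RE), ("task", TASK_RE), ("ifeo", IFEO_RE)):
            m = rx.match(line)
            if not m:
                continue
            path = m.group("path").strip()
            if kind == "service" and path.lower().endswith(".sys"):
                kind = "driver"                         # kernel driver rather than a user-mode service
            findings.append(Finding(kind, m.group("name"), path, _reasons(kind, line, path)))
            break
    return findings


def high_risk(findings, min_reasons=2):
    """Entries with at least min_reasons indicators are worth looking at first."""
    return [f for f in findings if len(f.reasons) >= min_reasons]


if __name__ == "__main__":
    for f in parse_fixlist(SAMPLE_FIXLIST):
        print(f"{f.kind:8} {f.name:45} {'; '.join(f.reasons) or '-'}")
```

On the sample, the two unsigned services under AppData\Local and the unsigned drmkpro64.sys driver collect the most indicators, which matches what the helper chose to remove first; the IFEO entry scores low by count but deserves a manual look regardless, since a Debugger value silently substitutes one program for another.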


#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:04 PM

Posted 28 April 2017 - 09:55 AM

Outstanding! Let me reverse the menu policies:

 

Download the attached file and save it in the same directory FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

 

Restart the computer. Let's try MBAR once again.

 

 

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

 

 






