RECURRING VIRUSES


  • This topic is locked
16 replies to this topic

#1 testingsigh


Posted 25 May 2017 - 01:02 PM

Hello, I stumbled upon your website through Google while searching for ways to remove viruses that keep coming back.

Recently, I've been getting viruses, malware, Trojans, adware and all that crap even though I've removed it using Malwarebytes, AdwCleaner, Malwarebytes Anti-Rootkit, HitmanPro, TDSSKiller, RogueKiller and even Emsisoft Emergency Kit.

I was extremely frustrated, to the point that I went and upgraded my antivirus hoping that it'll help somehow. Instead, I'm now affected by riskware as well and still getting attacked.

These are a few out of 45 or more viruses that I can't get rid of.

BIT.DLL

WINSAP.DLL

BIGFARM

MIQOSHZESETION

JOPETIONDIPAS

Please help, I'm extremely sick of this.

Edited by testingsigh, 25 May 2017 - 01:18 PM.



#2 testingsigh

  • Topic Starter

Posted 25 May 2017 - 11:32 PM

Anybody ??

#3 testingsigh

  • Topic Starter

Posted 27 May 2017 - 04:32 AM

Affected by the mystarting123 redirect virus now as well.



#4 Jo*

  • Malware Response Team

Posted 30 May 2017 - 06:52 AM


Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy and save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.

***


Step 1: Please download Security Analysis by Rocket Grannie from here
  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Double-click RGSA.exe.
  • Click OK on the copyright disclaimer.
  • When finished, a Notepad window will open with the results of the scan.
  • The log, named SALog.txt, can also be found on the Desktop, or in the same folder the tool was run from if it was saved elsewhere.
  • Please copy and paste the contents of that log in this topic.
  • Note: If you get a warning from Windows about running the program, click on More info and then click Run anyway to run it even though Windows says it might put your PC at risk.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your Desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version, so please be sure to read the disclaimer and back up all your data before using it.
  • Double-click on the downloaded file and click OK at the self-extracting prompt.
  • MBAR will start. Click "Next" on the introduction screen to continue.
  • Click "Update" on the following screen to obtain the latest malware definitions.
  • Once the update is complete, select "Next" and click "Scan".
  • With some infections, you may see two message boxes:
    • 'Could not load protection driver'. Click 'OK'.
    • 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do not press the Clean up button; instead go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file into your next reply.
  • If no malware is found, please let me know as well.

***


Step 3: Please download AdwCleaner by Xplode and save it to your Desktop.
  • Double-click AdwCleaner.exe. Vista / Windows 7/8/10 users: right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin; be patient, as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button; a log file (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that log file in your next reply.
  • Copies of all log files are saved in the C:\AdwCleaner folder, which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#5 testingsigh

  • Topic Starter

Posted 30 May 2017 - 03:30 PM

Hello Jo, thank you so much for your reply and assistance. In regards to your instructions:

STEP 1: Security Analysis by Rocket Grannie can't be downloaded (can't access the web page).

STEP 2: Malwarebytes Anti-Rootkit (no virus found).

STEP 3: AdwCleaner (no virus found).

However, prior to your reply I did a Malwarebytes Anti-Malware scan as my computer got infected again. I've attached the latest log file for your reference.

Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 31/5/2017
Scan Time: 1:16 AM
Logfile: malware.txt
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2017.05.30.05
Rootkit Database: v2017.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 10
CPU: x64
File System: NTFS
User: Asus
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 296133
Time Elapsed: 22 min, 37 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 1
Adware.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\terana, , [6de01e00a0095bdb6c8128a9a35ece32],
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 3
Adware.Elex.Generic, C:\Users\Asus\AppData\Local\terana, , [f756081628816ec8d025e8e94fb231cf],
Adware.Elex, C:\Cosusp, , [400dce5044657cba2397ca107889bf41],
Adware.Elex, C:\Pipisy, , [aca150cec4e5dc5a6358f8e25fa238c8],
Files: 3
Adware.Elex.Generic, C:\Users\Asus\AppData\Local\terana\terana.dll, , [f756081628816ec8d025e8e94fb231cf],
Adware.Elex, C:\Cosusp\Aramory.lqe, , [400dce5044657cba2397ca107889bf41],
Adware.Elex, C:\Pipisy\Aramory.lqe, , [aca150cec4e5dc5a6358f8e25fa238c8],
Physical Sectors: 0
(No malicious items detected)

(end)


#6 Jo*

  • Malware Response Team

Posted 30 May 2017 - 04:12 PM

These are a few out of 45 or more viruses that I can't get rid of.

BIT.DLL
WINSAP.DLL
BIGFARM
MIQOSHZESETION
JOPETIONDIPAS

How do you know that you have these viruses?

---

Please download Junkware Removal Tool from HERE and save it to your Desktop.
Shut down your antivirus to avoid any potential conflicts.
Double-click JRT.exe to run the tool.
Vista / Windows 7/8/10 users: right-click and select Run As Administrator.
  • JRT will begin to back up your registry and start scanning your system.
  • Please be patient, as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your Desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt in your next reply.



#7 testingsigh

  • Topic Starter

Posted 31 May 2017 - 01:29 AM

The Bigfarm icon on my desktop, the antivirus prompts and the Malwarebytes Anti-Malware scan let me know that I've been affected by those viruses. Just yesterday I got attacked again without executing any programs. Maybe the reason the scans show no viruses found is that I removed those viruses when I started this thread. Anyway, in regards to your instructions, the content is shown below.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64
Ran by Asus (Administrator) on Wed 31/05/2017 at 14:05:55.66
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

File System: 1
Successfully deleted: C:\WINDOWS\wininit.ini (File)
 
Registry: 0
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 31/05/2017 at 14:11:51.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by testingsigh, 31 May 2017 - 01:29 AM.


#8 Jo*

  • Malware Response Team

Posted 31 May 2017 - 01:51 AM

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box, right-click on it and choose Copy. Paste this into the open Notepad window.
Save it in the same location as FRST / FRST64 (usually your Desktop) as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
SearchScopes: HKU\S-1-5-21-2425028335-1350672996-34887134-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE00
FF Plugin-x32: @ogplanet.com/npOGPPlugin -> C:\WINDOWS\system32\npOGPPlugin.dll [No File]
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
CHR Extension: (Chrome Media Router) - C:\Users\Asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-20]
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=nb -dt=60000 -ad -bt=0 [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
Task: {02A6FFFA-B4E7-4E03-8E2C-0D2498119B65} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {03EF1C18-B55E-4E83-8B9A-0B05DED66C9D} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {1BC4F6B8-1C13-4B4A-AFD5-B14D0FC91053} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {2ED14E1A-8841-4027-9706-6252BBA2B245} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {3E53FDC7-D880-449C-874C-22726837977E} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {7E612637-6D7E-4E3B-86C0-2824612999DA} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {802CF4DC-C1C5-4FD7-9FEB-49777ABDCC60} - \Thwentfhution -> No File <==== ATTENTION
Task: {8603B8D2-DCBB-4456-B278-799969D38957} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A7885E1D-0B56-4243-B236-278C0A03FC44} - \WPD\SqmUpload_S-1-5-21-2425028335-1350672996-34887134-1001 -> No File <==== ATTENTION
Task: {B830BCFC-4DCF-4B8B-9191-7AEA65FE3507} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {D64E365A-EA3E-4298-AA99-0613C9C21E3A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {E632B698-BA56-437B-A5CD-D36035FEB9B3} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {F278EBA1-C6E8-4193-BC35-65A6B65C00F1} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.

The tool will make a log (Fixlog.txt); please post it in your reply.


How is the computer running now?



#9 testingsigh

  • Topic Starter

Posted 31 May 2017 - 02:56 AM

Hello Jo, thank you so much for your help. As instructed:

Fix result of Farbar Recovery Scan Tool (x64) Version: 28-05-2017
Ran by Asus (31-05-2017 15:50:53) Run:4
Running from C:\Users\Asus\Desktop
Loaded Profiles: Asus (Available Profiles: Asus)
Boot Mode: Normal
==============================================
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
SearchScopes: HKU\S-1-5-21-2425028335-1350672996-34887134-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE00
FF Plugin-x32: @ogplanet.com/npOGPPlugin -> C:\WINDOWS\system32\npOGPPlugin.dll [No File]
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
CHR Extension: (Chrome Media Router) - C:\Users\Asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-20]
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=nb -dt=60000 -ad -bt=0 [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
Task: {02A6FFFA-B4E7-4E03-8E2C-0D2498119B65} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {03EF1C18-B55E-4E83-8B9A-0B05DED66C9D} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {1BC4F6B8-1C13-4B4A-AFD5-B14D0FC91053} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {2ED14E1A-8841-4027-9706-6252BBA2B245} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {3E53FDC7-D880-449C-874C-22726837977E} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {7E612637-6D7E-4E3B-86C0-2824612999DA} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {802CF4DC-C1C5-4FD7-9FEB-49777ABDCC60} - \Thwentfhution -> No File <==== ATTENTION
Task: {8603B8D2-DCBB-4456-B278-799969D38957} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A7885E1D-0B56-4243-B236-278C0A03FC44} - \WPD\SqmUpload_S-1-5-21-2425028335-1350672996-34887134-1001 -> No File <==== ATTENTION
Task: {B830BCFC-4DCF-4B8B-9191-7AEA65FE3507} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {D64E365A-EA3E-4298-AA99-0613C9C21E3A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {E632B698-BA56-437B-A5CD-D36035FEB9B3} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {F278EBA1-C6E8-4193-BC35-65A6B65C00F1} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
End
*****************
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => key not found.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
HKU\S-1-5-21-2425028335-1350672996-34887134-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@ogplanet.com/npOGPPlugin => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@t.garena.com/garenatalk => key not found.
C:\Users\Asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
Amsp => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Amsp => key could not remove, key could be protected
ZAM => service not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{02A6FFFA-B4E7-4E03-8E2C-0D2498119B65} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{03EF1C18-B55E-4E83-8B9A-0B05DED66C9D} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1BC4F6B8-1C13-4B4A-AFD5-B14D0FC91053} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ED14E1A-8841-4027-9706-6252BBA2B245} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3E53FDC7-D880-449C-874C-22726837977E} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7E612637-6D7E-4E3B-86C0-2824612999DA} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802CF4DC-C1C5-4FD7-9FEB-49777ABDCC60} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Thwentfhution => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8603B8D2-DCBB-4456-B278-799969D38957} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7885E1D-0B56-4243-B236-278C0A03FC44} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-2425028335-1350672996-34887134-1001 => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B830BCFC-4DCF-4B8B-9191-7AEA65FE3507} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D64E365A-EA3E-4298-AA99-0613C9C21E3A} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E632B698-BA56-437B-A5CD-D36035FEB9B3} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F278EBA1-C6E8-4193-BC35-65A6B65C00F1} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key not found.
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 31-05-2017 15:53:01)

Result of scheduled keys to remove after reboot:
HKLM\System\CurrentControlSet\Services\Amsp => key removed successfully
==== End of Fixlog 15:53:01 ====
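
Editor's note: the fixlist in #8 and the Fixlog above are mostly about orphaned autostart entries: scheduled tasks whose executable is gone (FRST prints "-> No File"), and service or driver registrations whose binary no longer exists (FRST prints "[X]", as with the Trend Micro Amsp service and the zam64.sys driver). The script below is an added example written for this page, not one of the tools used in the thread and not BleepingComputer's or FRST's code. It lists the same kind of entries from a live Windows machine so you can see what a fixlist would target before you run one. It assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask), an elevated PowerShell so every task and driver is readable, and that a missing file on disk is what makes an entry an "orphan"; the function names are mine. It is read-only and removes nothing.

```powershell
# Added example (not from the thread): list scheduled tasks, services and kernel
# drivers whose registered executable no longer exists on disk, i.e. the entries
# FRST marks "-> No File" and "[X]". Read-only. Assumes Windows 8+ and an elevated shell.

function Resolve-ImagePath {
    # Turn a raw service ImagePath / task Execute string into the path of the executable it names.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Command.Trim())

    if ($p.StartsWith('"')) {
        # Quoted command line: the executable is between the first pair of quotes.
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        # Unquoted: cut at the first argument after a binary extension, else take the first token.
        $m = [regex]::Match($p, '^(.+?\.(exe|dll|sys|com|cmd|bat|vbs|js|ps1))(\s+.*)?$', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value } else { $p = ($p -split '\s+')[0] }
    }

    # Driver-style NT paths: \??\C:\... and \SystemRoot\System32\drivers\x.sys
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] }

    if (-not [IO.Path]::IsPathRooted($p)) {
        # Drivers are often registered relative to %SystemRoot%; other bare names resolve via PATH.
        $inRoot = Join-Path $env:SystemRoot $p
        if (Test-Path -LiteralPath $inRoot -PathType Leaf) { return $inRoot }
        $cmd = Get-Command -Name $p -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { return $cmd.Source }
    }
    return $p
}

function Get-OrphanedAutostarts {
    # Scheduled tasks with an Exec action (COM-handler actions have no Execute member, skip them).
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.PSObject.Properties['Execute']) { continue }
            $exe = Resolve-ImagePath $action.Execute
            if ($exe -and -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                [pscustomobject]@{
                    Kind   = 'Task'
                    Name   = "$($task.TaskPath)$($task.TaskName)"
                    State  = $task.State
                    Target = $exe
                }
            }
        }
    }

    # User-mode services plus kernel drivers: Win32_Service alone would miss a driver like ZAM.
    $entries = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)
    foreach ($svc in $entries) {
        $exe = Resolve-ImagePath $svc.PathName
        if ($exe -and -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            [pscustomobject]@{
                Kind   = if ($svc.CimClass.CimClassName -eq 'Win32_SystemDriver') { 'Driver' } else { 'Service' }
                Name   = $svc.Name
                State  = $svc.State
                Target = $exe
            }
        }
    }
}

# Usage: print the orphans and review each one by hand before removing anything.
Get-OrphanedAutostarts | Sort-Object Kind, Name | Format-Table -AutoSize
```

Two caveats a practitioner would want. First, an orphaned service key left behind by a vendor uninstall (the Amsp entry in the Fixlog) is harmless clutter, while an orphaned task with a random-looking name under the root task folder (the \Thwentfhution entry) is the residue of something that was deliberately persisting, so the two deserve different amounts of attention even though the script reports them the same way. Second, "file missing" is only one signal: adware that is still active will have a file on disk and will not appear here at all, which is why the thread also relies on signature scanners.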


#10 Jo*

  • Malware Response Team

Posted 31 May 2017 - 03:45 AM

Hello again,

Step 1: Please download and run the following tool to help allow other programs to run (courtesy of BleepingComputer.com).
There are 5 different versions. If one of them won't run, then download and try to run another one.
Vista and Win7/8/10 users need to right-click and choose Run as Administrator.
You only need to get one of them to run, not all of them. Do not reboot your computer after running rkill, as the malware programs will start again.


---


Step 2: Malwarebytes Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

---


Step 3: Emsisoft Emergency Kit
  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double-click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: accept the UAC warning if it is enabled).
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double-click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures.
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please copy and paste the contents of the scan log in your next reply.

***


Step 4: How is the computer running now?


***




#11 testingsigh

  • Topic Starter

Posted 31 May 2017 - 08:08 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 31/5/2017 1:14 AM, SYSTEM, PC, Manual, Rootkit Database, 2017.4.2.1, 2017.5.27.1,
Update, 31/5/2017 1:14 AM, SYSTEM, PC, Manual, IP Database, 2017.5.26.2, 2017.5.30.2,
Update, 31/5/2017 1:14 AM, SYSTEM, PC, Manual, Domain Database, 2017.5.26.5, 2017.5.30.4,
Update, 31/5/2017 1:14 AM, SYSTEM, PC, Manual, Malware Database, 2017.5.27.2, 2017.5.30.5,
Scan, 31/5/2017 3:30 AM, SYSTEM, PC, Manual, Start:31/5/2017 1:16 AM, Duration:22 min 37 sec, Threat Scan, Completed, 14 Malware Detections, 0 Non-Malware Detections,
Update, 31/5/2017 5:25 PM, SYSTEM, PC, Manual, IP Database, 2017.5.30.2, 2017.5.30.4,
Update, 31/5/2017 5:25 PM, SYSTEM, PC, Manual, Domain Database, 2017.5.30.4, 2017.5.31.1,
Update, 31/5/2017 5:25 PM, SYSTEM, PC, Manual, Malware Database, 2017.5.30.5, 2017.5.31.4,
Scan, 31/5/2017 5:50 PM, SYSTEM, PC, Manual, Start:31/5/2017 5:25 PM, Duration:24 min 53 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
(end)

 

Emsisoft (I ran a Custom Scan instead, as when I attempted to execute a Malware Scan there was no prompt to activate PUP detection):

Emsisoft Emergency Kit - Version 2017.4
Last update: 31/5/2017 6:48:36 PM
User account: PC\Asus
Computer name: PC
OS version: Windows 10x64
Scan settings:
Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\, D:\
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Direct disk access: Off
Scan start: 31/5/2017 6:50:38 PM
C:\AdwCleaner\Quarantine\files\zkorunszkusefihpekxipxsxmjbbxgpx\Snare.dll  detected: Application.Elex.IY ( B) [krnl.xmd]
Scanned 361257
Found 1
Scan end: 31/5/2017 8:22:59 PM
Scan time: 1:32:21
C:\AdwCleaner\Quarantine\files\zkorunszkusefihpekxipxsxmjbbxgpx\Snare.dll  Application.Elex.IY ( B)
Quarantined 1

Edited by testingsigh, 31 May 2017 - 08:09 AM.


#12 Jo*

  • Malware Response Team

Posted 31 May 2017 - 08:26 AM

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.
 

***


Can you tell me how your computer is running now and if there are any remaining malware related problems.


***




#13 testingsigh

  • Topic Starter

Posted 31 May 2017 - 11:41 AM

So far my computer is functioning well; there aren't any viruses and I'm not getting redirected to any web pages. In the past few hours I have not been attacked either.

Exported txt file from ESET Online Scanner:

C:\Users\Asus\AppData\Local\754A5C3C_stp\TaskScheduler.dll a variant of Win32/InstallCore.ACL potentially unwanted application cleaned by deleting
C:\Windows\SECOH-QAD.dll Win64/HackKMS.D potentially unsafe application cleaned by deleting
 


Edited by testingsigh, 31 May 2017 - 01:38 PM.


#14 Jo*

  • Malware Response Team

Posted 01 June 2017 - 01:33 AM

***


It appears that your PC is clean!


***


Clean up:


***


Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open; press the Confirm button.
  • AdwCleaner will uninstall now.

***


Clean up with DelFix:
  • Please download DelFix to your Desktop.
  • Close all other programs and start DelFix.
  • Please check all the boxes and run the tool.
  • DelFix will now delete all found traces of our removal process.

***


Delete the log files our tools created; they are located on your Desktop or in the
"c:\users\{.......}\Downloads" folder.
Highlight them and press the Del or Delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.

===================================

Here are some preventive tips to reduce the potential for spyware infection in the future:

Step 1: Make sure you keep your Windows OS current.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in the left-hand task pane).
Step 2: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P file sharing as an important channel to spread their wares.
Step 3: Use only one antivirus program and keep it up to date.

Step 4: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

Step 5: Back up regularly
You never know when your PC will become unstable or so infected that you can't recover it.

Step 6: Use strong passwords!

Step 7: Email attachments
Do not open any unknown email attachments that you received without asking for them!


Extra note:
Keep your browser, Java, PDF reader and Adobe Flash up to date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional antivirus or anti-malware products.

Make sure your programs are up to date, because older versions may contain security leaks.


***




#15 testingsigh

  • Topic Starter

Posted 01 June 2017 - 06:40 AM

That's awesome! Thank you so much for your help! And is it a must for me to delete those programs (AdwCleaner)?





