
vmxclient.exe: can't get malwarebytes to run


160 replies to this topic

#1 EarthwormJim

  • Members
  • 93 posts

Posted 12 August 2017 - 04:16 PM

Posted the below under the "Am I Infected" forum, and was instructed by buddy215 to run FRST (2 files of results attached) and to start a thread here. This is the background from my original post:

Windows 10

Repeatedly kept getting a popup window saying vmxclient.exe won't run and error code 0xc0000008.

Tried to run a scan with my McAfee, won't open.

Tried to run a scan with Windows Defender. Opens, but hangs up on 0 files scanned.

vmxclient.exe and srcvmx.exe show they are running in task manager. vmxclient I can end task, but it reopens a second later. srcvmx I can't get to end.

Tried to delete vmxclient.exe, says I don't have rights to do that even though I'm the administrator. (Tried some ways around that I found on the internet to no avail)

Booted in safe mode, which kept vmxclient and srcvmx from loading in task manager, but didn't solve any other problems.

Tried to follow directions for removing vmxclient here:

https://www.bleepingcomputer.com/virus-removal/remove-winvmx-client-and-vmxclient.exe-pup

But with every piece of software I download I get a message that "requested resource is in use" when I click on it. Tried rkill too, same story.

Found this current thread:

https://www.bleepingcomputer.com/forums/t/653926/svcvm

This sounds very similar to my problem. However, I couldn't get the first step, installing MBAR, to work. I download it and it says it's installing when I click on it, but no window for it ever opens up. It shows it is running in Task Manager, but I can't see it.



#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,441 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 August 2017 - 04:57 PM

Welcome :)

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-Click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

Edited by JSntgRvr, 12 August 2017 - 04:57 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 EarthwormJim
  • Topic Starter
  • Members
  • 93 posts

Posted 12 August 2017 - 09:07 PM

Thank you for your help!

MBAR installed, updated, and began to run. And it definitely found a lot of malware: 1828 at the time it hung up and I got a "not responding" message. I waited over half an hour, and it was still not responding and showing 1828 malware found. However, even though it didn't finish, it still created a system-log.txt file, but no mbar-log.txt file. I tried to cut and paste it here, but I think it was too big. I'll try it in short segments below.

I'll also try running MBAR again. Was I supposed to run it in safe mode? Because I didn't.



#4 EarthwormJim
  • Topic Starter
  • Members
  • 93 posts

Posted 12 August 2017 - 09:11 PM

Even 1/4 of it was too long. I got a "post too big" message.

I'm assuming that's a very bad sign, if other people's problem logs normally aren't too big.


Edited by EarthwormJim, 12 August 2017 - 09:13 PM.


#5 EarthwormJim
  • Topic Starter
  • Members
  • 93 posts

Posted 12 August 2017 - 09:15 PM

I can try attaching it, though you specifically said not to do that.




#6 EarthwormJim
  • Topic Starter
  • Members
  • 93 posts

Posted 12 August 2017 - 09:26 PM

Rebooted, and when I try to run MBAR it says it's currently in use. So I looked at task manager, and it isn't listed as running.



#7 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,441 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 August 2017 - 01:41 AM

This program takes a lot of time to run. What is important is that you do not attempt to use the computer. Any movement of the mouse will make the program stall. Open the MBAR folder. You will see two MBAR applications. One has an .exe extension, the other a .cmd extension. Click on the MBAR.CMD and let the program run unhindered. Once completed, follow these steps:

  • Highlight the entire content of the quote box below.

Start::
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
HKLM-x32\...\Run: [cpx] => "C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\Run: [sirecd] => rundll32.exe "C:\Users\Etsebsan Montero\AppData\Local\sirecd.dll",sirecd <==== ATTENTION
HKU\S-1-5-18\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\Etsebsan Montero\AppData\Roaming\Microsoft\Protect\5210877f-08c4-4085-b597-eb61ff80eeb3.rs" <==== ATTENTION
HKU\S-1-5-18\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\Etsebsan Montero\AppData\Roaming\Microsoft\Protect\5210877f-08c4-4085-b597-eb61ff80eeb3.rs" <==== ATTENTION
C:\WINDOWS\system32\Drivers\drmkpro64
C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist
C:\Users\Etsebsan Montero\AppData\Local\fvxah
C:\windows\system32\tprdpw64.exe
C:\WINDOWS\system32\ravcpdkz.exe
R2 Dataup; C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 windowsmanagementservice; C:\Users\Etsebsan Montero\AppData\Local\fvxah\pafohceo\ct.exe [689664 2017-05-30] () [File not signed] <==== ATTENTION
CloudExtender (HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\CloudExtender) (Version: - AltoCloud) <==== ATTENTION
DragonBoost (HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\119) (Version: - ) <==== ATTENTION
Online Application (HKLM-x32\...\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}) (Version: 2.6.0 - Microleaves) Hidden <==== ATTENTION
Task: {5132C842-F7CB-42ED-BBCE-EC6D9A80C815} - System32\Tasks\8b506632e4c3eaf8766efb736e7fd1b0 => sc start 8b506632e4c3eaf8766efb736e7fd1b0 <==== ATTENTION
Task: {8E840C6E-036F-43DF-848B-449C89CCC51B} - System32\Tasks\SVC Update => C:\WINDOWS\explorer.exe "hxxp://sh.st/AeotZ" <==== ATTENTION
Task: C:\WINDOWS\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
HKLM-x32\...\Run: [cpx] => "C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [884224 2017-08-02] ()
R2 Dataup; C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
FirewallRules: [{D2627861-B638-460B-823E-2A75A3DFDB48}] => (Allow) C:\Users\Etsebsan Montero\AppData\Local\Temp\Temp1_WGCheck_EN.zip\WGCheck.exe
FirewallRules: [{2D76BBB6-D0B6-43C5-B142-94B3076E49F9}] => (Allow) C:\Users\Etsebsan Montero\AppData\Local\Temp\Temp1_WGCheck_EN.zip\WGCheck.exe
2017-04-06 15:11 - 2017-04-06 15:11 - 000000048 ____H () C:\Program Files (x86)\e1uiugxmbo.dat
2017-07-29 10:25 - 2017-07-29 10:25 - 000011568 _____ () C:\Users\Etsebsan Montero\AppData\Local\InstallationConfiguration.xml
2017-07-29 10:25 - 2017-07-29 10:25 - 000140800 _____ () C:\Users\Etsebsan Montero\AppData\Local\installer.dat
2017-07-29 10:25 - 2017-07-29 10:25 - 001847296 _____ () C:\Users\Etsebsan Montero\AppData\Local\po.db
2017-05-17 11:32 - 2017-05-17 11:32 - 000125952 _____ () C:\Users\Etsebsan Montero\AppData\Local\report
2017-07-29 10:20 - 2017-07-29 10:20 - 000019968 _____ () C:\Users\Etsebsan Montero\AppData\Local\sirecd.dll
2017-07-29 10:20 - 2017-07-29 10:20 - 000003072 _____ () C:\Users\Etsebsan Montero\AppData\Local\uninstallce.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please remove the following programs if present from your computer:

CloudExtender
DragonBoost
Online Application

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the AdwCleaner console.

  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.
  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

Edited by JSntgRvr, 13 August 2017 - 01:42 AM.



#8 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,441 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 August 2017 - 09:03 PM

Any progress?




#9 EarthwormJim
  • Topic Starter
  • Members
  • 93 posts

Posted 14 August 2017 - 04:41 PM

Sorry, I was out of town yesterday. I'll get to work on it now.

Thanks for the advice on not moving the mouse. I wasn't using any programs, but I didn't realize moving the mouse was a problem too.



#10 EarthwormJim
  • Topic Starter
  • Members
  • 93 posts

Posted 14 August 2017 - 07:04 PM

So far so good. MBAR ran fine this time. I thought it was hung up for the longest time, but after 2.5 hours it was done.

FRST also ran fine, and here is the fixlog as requested:

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-08-2017
Ran by Etsebsan Montero (14-08-2017 19:57:53) Run:1
Running from C:\Users\Etsebsan Montero\Downloads
Loaded Profiles: Etsebsan Montero (Available Profiles: defaultuser0 & Etsebsan Montero)
Boot Mode: Normal
==============================================

fixlist content:
*****************

S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
HKLM-x32\...\Run: [cpx] => "C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\Run: [sirecd] => rundll32.exe "C:\Users\Etsebsan Montero\AppData\Local\sirecd.dll",sirecd <==== ATTENTION
HKU\S-1-5-18\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\Etsebsan Montero\AppData\Roaming\Microsoft\Protect\5210877f-08c4-4085-b597-eb61ff80eeb3.rs" <==== ATTENTION
HKU\S-1-5-18\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\Etsebsan Montero\AppData\Roaming\Microsoft\Protect\5210877f-08c4-4085-b597-eb61ff80eeb3.rs" <==== ATTENTION
C:\WINDOWS\system32\Drivers\drmkpro64
C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist
C:\Users\Etsebsan Montero\AppData\Local\fvxah
C:\windows\system32\tprdpw64.exe
C:\WINDOWS\system32\ravcpdkz.exe
R2 Dataup; C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 windowsmanagementservice; C:\Users\Etsebsan Montero\AppData\Local\fvxah\pafohceo\ct.exe [689664 2017-05-30] () [File not signed] <==== ATTENTION
CloudExtender (HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\CloudExtender) (Version: - AltoCloud) <==== ATTENTION
DragonBoost (HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\119) (Version: - ) <==== ATTENTION
Online Application (HKLM-x32\...\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}) (Version: 2.6.0 - Microleaves) Hidden <==== ATTENTION
Task: {5132C842-F7CB-42ED-BBCE-EC6D9A80C815} - System32\Tasks\8b506632e4c3eaf8766efb736e7fd1b0 => sc start 8b506632e4c3eaf8766efb736e7fd1b0 <==== ATTENTION
Task: {8E840C6E-036F-43DF-848B-449C89CCC51B} - System32\Tasks\SVC Update => C:\WINDOWS\explorer.exe "hxxp://sh.st/AeotZ" <==== ATTENTION
Task: C:\WINDOWS\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
HKLM-x32\...\Run: [cpx] => "C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [884224 2017-08-02] ()
R2 Dataup; C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
FirewallRules: [{D2627861-B638-460B-823E-2A75A3DFDB48}] => (Allow) C:\Users\Etsebsan Montero\AppData\Local\Temp\Temp1_WGCheck_EN.zip\WGCheck.exe
FirewallRules: [{2D76BBB6-D0B6-43C5-B142-94B3076E49F9}] => (Allow) C:\Users\Etsebsan Montero\AppData\Local\Temp\Temp1_WGCheck_EN.zip\WGCheck.exe
2017-04-06 15:11 - 2017-04-06 15:11 - 000000048 ____H () C:\Program Files (x86)\e1uiugxmbo.dat
2017-07-29 10:25 - 2017-07-29 10:25 - 000011568 _____ () C:\Users\Etsebsan Montero\AppData\Local\InstallationConfiguration.xml
2017-07-29 10:25 - 2017-07-29 10:25 - 000140800 _____ () C:\Users\Etsebsan Montero\AppData\Local\installer.dat
2017-07-29 10:25 - 2017-07-29 10:25 - 001847296 _____ () C:\Users\Etsebsan Montero\AppData\Local\po.db
2017-05-17 11:32 - 2017-05-17 11:32 - 000125952 _____ () C:\Users\Etsebsan Montero\AppData\Local\report
2017-07-29 10:20 - 2017-07-29 10:20 - 000019968 _____ () C:\Users\Etsebsan Montero\AppData\Local\sirecd.dll
2017-07-29 10:20 - 2017-07-29 10:20 - 000003072 _____ () C:\Users\Etsebsan Montero\AppData\Local\uninstallce.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:

*****************

HKLM\System\CurrentControlSet\Services\gupdate => key removed successfully
gupdate => service removed successfully
HKLM\System\CurrentControlSet\Services\gupdatem => key removed successfully
gupdatem => service removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value could not remove.
HKU\S-1-5-21-3091493251-316294414-1769386316-1001\Software\Microsoft\Windows\CurrentVersion\Run\\sirecd => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\WinResSync => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\WinResSync => value removed successfully
"C:\WINDOWS\system32\Drivers\drmkpro64" => not found.

"C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist" folder move:

Could not move "C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist" => Scheduled to move on reboot.

C:\Users\Etsebsan Montero\AppData\Local\fvxah => moved successfully
Could not move "C:\windows\system32\tprdpw64.exe" => Scheduled to move on reboot.
"C:\WINDOWS\system32\ravcpdkz.exe" => not found.
Dataup => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
windowsmanagementservice => Unable to stop service.
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected
CloudExtender (HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\CloudExtender) (Version: - AltoCloud) <==== ATTENTION => Error: No automatic fix found for this entry.
DragonBoost (HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\119) (Version: - ) <==== ATTENTION => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{5132C842-F7CB-42ED-BBCE-EC6D9A80C815} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5132C842-F7CB-42ED-BBCE-EC6D9A80C815} => key removed successfully
C:\WINDOWS\System32\Tasks\8b506632e4c3eaf8766efb736e7fd1b0 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\8b506632e4c3eaf8766efb736e7fd1b0 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8E840C6E-036F-43DF-848B-449C89CCC51B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8E840C6E-036F-43DF-848B-449C89CCC51B} => key removed successfully
C:\WINDOWS\System32\Tasks\SVC Update => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SVC Update => key removed successfully
C:\WINDOWS\Tasks\Updater_Online_Application.job => moved successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9 => key removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value could not remove.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value could not remove.
Dataup => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D2627861-B638-460B-823E-2A75A3DFDB48} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2D76BBB6-D0B6-43C5-B142-94B3076E49F9} => value removed successfully
C:\Program Files (x86)\e1uiugxmbo.dat => moved successfully
C:\Users\Etsebsan Montero\AppData\Local\InstallationConfiguration.xml => moved successfully
C:\Users\Etsebsan Montero\AppData\Local\installer.dat => moved successfully
C:\Users\Etsebsan Montero\AppData\Local\po.db => moved successfully
C:\Users\Etsebsan Montero\AppData\Local\report => moved successfully
C:\Users\Etsebsan Montero\AppData\Local\sirecd.dll => moved successfully
C:\Users\Etsebsan Montero\AppData\Local\uninstallce.exe => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3091493251-316294414-1769386316-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-3091493251-316294414-1769386316-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========


========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ip reset C:\resettcpip.txt =========

Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========

Failed to clear log AirSpaceChannel. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.

========= End of CMD: =========


========= Bitsadmin /Reset /Allusers =========


BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 62396831 B
Java, Flash, Steam htmlcache => 50524168 B
Windows/system/drivers => 22058439 B
Edge => 2737753 B
Chrome => 51696058 B
Firefox => 396777843 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 218538 B
systemprofile32 => 0 B
LocalService => 18894 B
NetworkService => 39362 B
defaultuser0 => 0 B
Etsebsan Montero => 296137704 B

RecycleBin => 8415812178 B
EmptyTemp: => 8.7 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 14-08-2017 20:00:07)

C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist => Is moved successfully
"C:\windows\system32\tprdpw64.exe" => Could not move

Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected

==== End of Fixlog 20:00:07 ====

I'll continue with your next steps now.
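Reading a Fixlog of this length by hand is error-prone: the lines that matter are the handful that did not say "removed successfully". The Python script below is an added example for this thread (not code from FRST, BleepingComputer or either poster). It skips the header and the echoed fixlist, classifies every "target => status" result line, lets a post-reboot result override the earlier "Scheduled to move on reboot" one for the same target, and lists the entries that survived. The sample input is a constructed excerpt of the Fixlog posted above; the status phrases it matches are the ones visible in that log, and it is assumed other FRST versions word them the same way (anything else lands in an "unknown" bucket rather than being dropped).

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST) Fixlog.

Added example, not part of FRST or of this thread. Classifies the result
lines FRST writes after a fix (the text right of " => ") so the entries
that survived the fix stand out. Assumption: status wording as in the
Fixlog above; unrecognised wording is reported as "unknown".
"""
import re
from collections import defaultdict

# FRST echoes the fixlist between two lines of asterisks; results follow.
SEPARATOR = "*****************"

# Outcome patterns, tried in order against the status text only.
OUTCOME_RULES = [
    ("removed",        re.compile(r"(removed|moved) successfully", re.I)),
    ("pending_reboot", re.compile(r"scheduled to (move|remove) on reboot", re.I)),
    ("not_found",      re.compile(r"\bnot found\b", re.I)),
    ("no_fix",         re.compile(r"no automatic fix found", re.I)),
    ("failed",         re.compile(r"could not (remove|move)|unable to stop", re.I)),
]

# Constructed sample: an excerpt of the Fixlog posted in this thread.
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version: 12-08-2017
Boot Mode: Normal
==============================================

fixlist content:
*****************

HKLM-x32\...\Run: [cpx] => "C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
R2 Dataup; C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION

*****************

HKLM\System\CurrentControlSet\Services\gupdate => key removed successfully
gupdate => service removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value could not remove.
HKU\S-1-5-21-3091493251-316294414-1769386316-1001\Software\Microsoft\Windows\CurrentVersion\Run\\sirecd => value removed successfully
"C:\WINDOWS\system32\Drivers\drmkpro64" => not found.
Could not move "C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist" => Scheduled to move on reboot.
Could not move "C:\windows\system32\tprdpw64.exe" => Scheduled to move on reboot.
Dataup => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
windowsmanagementservice => Unable to stop service.
CloudExtender (HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\CloudExtender) (Version: - AltoCloud) <==== ATTENTION => Error: No automatic fix found for this entry.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value could not remove.
C:\Users\Etsebsan Montero\AppData\Local\sirecd.dll => moved successfully

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 14-08-2017 20:00:07)

C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist => Is moved successfully
"C:\windows\system32\tprdpw64.exe" => Could not move

Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected

==== End of Fixlog 20:00:07 ====
"""


def iter_result_lines(log_text):
    """Yield result lines only: skip the header and the echoed fixlist."""
    separators_seen = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == SEPARATOR:
            separators_seen += 1
            continue
        if separators_seen >= 2 and " => " in line:
            yield line


def normalize_target(target):
    """Make pre- and post-reboot lines about the same item compare equal."""
    target = target.strip()
    if target.lower().startswith("could not move "):
        target = target[len("could not move "):]
    return target.strip().strip('"')


def classify_status(status):
    for name, pattern in OUTCOME_RULES:
        if pattern.search(status):
            return name
    return "unknown"


def triage(log_text):
    """Return {target: final_outcome}; a later line about the same target wins."""
    final = {}
    for line in iter_result_lines(log_text):
        target, _, status = line.rpartition(" => ")
        final[normalize_target(target)] = classify_status(status)
    return final


def surviving(log_text):
    """Targets whose final outcome means the fix did not take."""
    bad = {"failed", "pending_reboot", "no_fix", "unknown"}
    return sorted(t for t, o in triage(log_text).items() if o in bad)


def summary(log_text):
    counts = defaultdict(int)
    for outcome in triage(log_text).values():
        counts[outcome] += 1
    return dict(counts)


if __name__ == "__main__":
    for target in surviving(SAMPLE_FIXLOG):
        print("SURVIVED:", target)
    print(summary(SAMPLE_FIXLOG))
```

Run against the excerpt, the survivors are exactly the items the helper's next post is reacting to: the two Run values (cpx, svcvmx), the two services that could not be stopped (Dataup, windowsmanagementservice), the system32 executable that could not be moved even after reboot, and the CloudExtender entry FRST had no automatic fix for. The ntuserlitelist folder, scheduled for reboot in the first pass, is correctly reported as removed because the post-reboot line overrides the earlier one.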



#11 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,441 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 14 August 2017 - 07:28 PM

The report above indicates the rootkit is still active.

Run these tools in the order given.

:step1: Remove your current Malwarebytes Anti-Rootkit

  • Please download the latest Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-Click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

:step2:

  • Highlight the entire content of the quote box below.

Start::
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
HKLM-x32\...\Run: [cpx] => "C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\Run: [sirecd] => rundll32.exe "C:\Users\Etsebsan Montero\AppData\Local\sirecd.dll",sirecd <==== ATTENTION
HKU\S-1-5-18\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\Etsebsan Montero\AppData\Roaming\Microsoft\Protect\5210877f-08c4-4085-b597-eb61ff80eeb3.rs" <==== ATTENTION
HKU\S-1-5-18\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\Etsebsan Montero\AppData\Roaming\Microsoft\Protect\5210877f-08c4-4085-b597-eb61ff80eeb3.rs" <==== ATTENTION
C:\WINDOWS\system32\Drivers\drmkpro64
C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist
C:\Users\Etsebsan Montero\AppData\Local\fvxah
C:\windows\system32\tprdpw64.exe
C:\WINDOWS\system32\ravcpdkz.exe
R2 Dataup; C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 windowsmanagementservice; C:\Users\Etsebsan Montero\AppData\Local\fvxah\pafohceo\ct.exe [689664 2017-05-30] () [File not signed] <==== ATTENTION
CloudExtender (HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\CloudExtender) (Version: - AltoCloud) <==== ATTENTION
DragonBoost (HKU\S-1-5-21-3091493251-316294414-1769386316-1001\...\119) (Version: - ) <==== ATTENTION
Online Application (HKLM-x32\...\{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}) (Version: 2.6.0 - Microleaves) Hidden <==== ATTENTION
Task: {5132C842-F7CB-42ED-BBCE-EC6D9A80C815} - System32\Tasks\8b506632e4c3eaf8766efb736e7fd1b0 => sc start 8b506632e4c3eaf8766efb736e7fd1b0 <==== ATTENTION
Task: {8E840C6E-036F-43DF-848B-449C89CCC51B} - System32\Tasks\SVC Update => C:\WINDOWS\explorer.exe "hxxp://sh.st/AeotZ" <==== ATTENTION
Task: C:\WINDOWS\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
HKLM-x32\...\Run: [cpx] => "C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [884224 2017-08-02] ()
R2 Dataup; C:\Users\Etsebsan Montero\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
FirewallRules: [{D2627861-B638-460B-823E-2A75A3DFDB48}] => (Allow) C:\Users\Etsebsan Montero\AppData\Local\Temp\Temp1_WGCheck_EN.zip\WGCheck.exe
FirewallRules: [{2D76BBB6-D0B6-43C5-B142-94B3076E49F9}] => (Allow) C:\Users\Etsebsan Montero\AppData\Local\Temp\Temp1_WGCheck_EN.zip\WGCheck.exe
2017-04-06 15:11 - 2017-04-06 15:11 - 000000048 ____H () C:\Program Files (x86)\e1uiugxmbo.dat
2017-07-29 10:25 - 2017-07-29 10:25 - 000011568 _____ () C:\Users\Etsebsan Montero\AppData\Local\InstallationConfiguration.xml
2017-07-29 10:25 - 2017-07-29 10:25 - 000140800 _____ () C:\Users\Etsebsan Montero\AppData\Local\installer.dat
2017-07-29 10:25 - 2017-07-29 10:25 - 001847296 _____ () C:\Users\Etsebsan Montero\AppData\Local\po.db
2017-05-17 11:32 - 2017-05-17 11:32 - 000125952 _____ () C:\Users\Etsebsan Montero\AppData\Local\report
2017-07-29 10:20 - 2017-07-29 10:20 - 000019968 _____ () C:\Users\Etsebsan Montero\AppData\Local\sirecd.dll
2017-07-29 10:20 - 2017-07-29 10:20 - 000003072 _____ () C:\Users\Etsebsan Montero\AppData\Local\uninstallce.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

:step3: Please remove the following programs if present from your computer:

CloudExtender
DragonBoost
Online Application

:step4: Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

:step5: Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the AdwCleaner console.

  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found; above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done, it will ask to reboot; allow this.

  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
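As an added, read-only check that is not part of the thread or of FRST, the following PowerShell walks the same autostart locations the FRST entries above were pulled from (Run keys, services, scheduled tasks) and reports the pattern seen there: programs running from a user's AppData folder, unsigned or missing targets, and tasks whose command line carries a URL. It assumes Windows 8 or later (for Get-ScheduledTask) and an elevated prompt; the function names are my own.

```powershell
# Added audit example: read-only, not code from the thread or from FRST.
# Reports autostart entries whose program sits under a user profile's AppData
# folder, carries a URL on its command line, or is not validly signed.

function Get-ExecutablePath {
    # Pull the program path out of a command line, quoted or not.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Test-SuspectAutostart {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $exe = [Environment]::ExpandEnvironmentVariables("$(Get-ExecutablePath $CommandLine)")
    if ($exe -and $exe -notmatch '[\\/]') {           # bare name such as "sc": resolve via PATH
        $exe = (Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1 -ExpandProperty Source)
    }
    $reasons = @()
    if ($exe -match '\\Users\\[^\\]+\\AppData\\') { $reasons += 'runs from a user AppData folder' }
    if ($CommandLine -match 'https?://') { $reasons += 'command line carries a URL' }
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $status = (Get-AuthenticodeSignature -FilePath $exe).Status
        if ($status -ne 'Valid') { $reasons += "signature status: $status" }
    } elseif ($exe) { $reasons += 'target file not found' }
    if ($reasons.Count) {
        [pscustomobject]@{ Source = $Source; Name = $Name; Command = $CommandLine
                           Reasons = ($reasons -join '; ') }
    }
}

$report = @()
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {                          # FRST "HKLM-x32\...\Run:" lines come from here
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { $report += Test-SuspectAutostart $key $_.Name "$($_.Value)" }
}
Get-CimInstance Win32_Service | ForEach-Object {       # FRST "R2 <name>;" service lines come from here
    $report += Test-SuspectAutostart 'Service' $_.Name $_.PathName
}
Get-ScheduledTask | ForEach-Object { $task = $_; foreach ($a in $task.Actions) {   # FRST "Task:" lines
    if ($a.Execute) { $report += Test-SuspectAutostart "Task $($task.TaskPath)" $task.TaskName "$($a.Execute) $($a.Arguments)" } } }
$report | Where-Object { $_ } | Format-Table -AutoSize -Wrap
```

Entries like the thread's svcvmx.exe, cpx.exe and dataup.exe would surface under the AppData and signature reasons; the output is for review only, and removal still belongs to the FRST fix above.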


#12 EarthwormJim

EarthwormJim
  • Topic Starter

  • Members
  • 93 posts
  • Local time:09:48 AM

Posted 14 August 2017 - 07:29 PM

Possible problem: Online Application seemed to uninstall OK. CloudExtender I clicked the uninstall button in Apps and Features, and it just keeps saying "uninstalling". But a search for a file named CloudExtender finds nothing. DragonBoost is listed there too, but it says "Unavailable" beneath the name and the uninstall and modify buttons are grayed out. A file search for "Dragon" finds nothing.

 

I think they are gone, so I'm proceeding. But I'm not certain.

 

BTW, you had me highlight and copy the text in the quote box of your reply, but didn't have me paste it anywhere.



#13 EarthwormJim

EarthwormJim
  • Topic Starter

  • Members
  • 93 posts
  • Local time:09:48 AM

Posted 14 August 2017 - 07:32 PM

Just saw your latest reply. Back to do the newest mbar version.



#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,441 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:48 AM

Posted 14 August 2017 - 07:50 PM

BTW, you had me highlight and copy the text in the quote box of your reply, but didn't have me paste it anywhere.

 

 

Once you copy the highlighted text, the information is saved in a place called the clipboard. FRST will process the information out of the clipboard.




#15 EarthwormJim

EarthwormJim
  • Topic Starter

  • Members
  • 93 posts
  • Local time:09:48 AM

Posted 15 August 2017 - 05:42 AM

Ran MBAR again; the log text file is too big to post via copy/paste. I'll attach it for now, unless you have some other suggestion for posting such a large amount of data.

Attached Files





