
Possible Smart Service Trojan problem?


This topic is locked
23 replies to this topic

#1 Blaze340
  • Members
  • 12 posts
  • Gender:Male
  • Location:Chicago, IL

Posted 23 August 2017 - 08:48 PM

I believe I recently downloaded this bug through bloatware that came along with software (AVG PC Tuneup). My intention for downloading PC Tuneup was due to another problem I was having that was preventing me from deleting a particular folder created from unzipping/extracting it from an archive file (every time I attempted to delete said folder, it would say the folder is no longer located in the directory it's sitting in). But that's another story. I have AVG installed on my computer and instead of installing PC Tuneup through there, I decided to be a rebel/rogue and download it from a third party site. Credentials seemed legit except for the many adware and extras that were tagging along with the file. Normally, I'm very careful about these things but I guess this time I slipped up and unknowingly installed extra software.

 

First symptom was opening software called jdownloader 2 caused Windows to crash whenever I tried initializing it (Blue Screen of Death. Never had that problem before but decided to uninstall it anyway to be safe. Even doing that caused Windows to crash. File that appears to be causing that issue is: vmrqqpge.sys)

 

Second symptom was not being able to open AVG's interface despite boxes popping up every so often saying that it caught several viruses and action needs to be taken. I managed to get it working by repairing it but the problem is its protection has been disabled due to a component called "Software Analyzer" not starting. I'm actually able to perform virus scans (even done a deep scan) but it hasn't been able to find the issue. Even a scan with Windows Defender hasn't been helpful.

 

Third symptom would be that downloading and attempting to initialize tdsskiller, malwarebytes, or other malware removal software all gave me a "The requested resource is in use" error box.

 

Here are the steps I have already taken attempting to fix my problem:

 

Went into Programs to locate all suspicious software I don't recall installing or that got installed recently. (There's one I'm having extreme difficulty removing, which is called Dragonboost. Both the uninstall/modify buttons have been greyed out so nothing can be done to remove it from the program list. Actually was able to download and start up HitmanPro without getting some error box showing up, scanned, and removed all problems it found. No luck there. EDIT: Errr....nevermind. Going into my registry and removing all entries that had to do with Dragonboost did the trick)

AVG and Windows Defender scan

Scan memory with Windows Memory Diagnostic tool

Scanned with HitmanPro.

Attempted to use Kaspersky Rescue Disk but I'm having issues getting it to run on my laptop

Performed a disk and registry cleanup with AVG's PC Tuneup Tool

 

And that's it. I'm using Windows 10 64-bit btw. Here are the logs I got from Farbar Recovery Scan Tool:

Attached Files


Edited by Blaze340, 23 August 2017 - 09:08 PM.




#2 nasdaq
  • Malware Response Team
  • 40,465 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 August 2017 - 12:55 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
Extended Update (HKU\S-1-5-21-667826694-88005462-4060237046-1001\...\UpdaterEX) (Version: - Extended Update) <==== ATTENTION
VidsqaurE (HKLM-x32\...\{A97606DF-0FE1-4390-B0DD-ADA8B303AE61}_is1) (Version: 1.4 - ) <==== ATTENTION
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(TOSHIBA CORPORATION) C:\Windows\Temp\msnxcapsrv.exe
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-667826694-88005462-4060237046-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/?pc=COSP&ptag=D062817-AB130A7715E&form=CONMHP&conlogo=CT3335649
SearchScopes: HKU\S-1-5-21-667826694-88005462-4060237046-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?pc=COSP&ptag=D062817-AB130A7715E&form=CONBDF&conlogo=CT3335649&q={searchTerms}
Toolbar: HKLM - No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
Toolbar: HKLM-x32 - No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
FF NewTab: Mozilla\Firefox\Profiles\f9ujd3du.default -> hxxp://www.bing.com/?pc=COSP&ptag=D062817-AB130A7715E&form=CONMHP&conlogo=CT3335649
FF DefaultSearchUrl: Mozilla\Firefox\Profiles\f9ujd3du.default -> hxxps://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
CHR NewTab: Default ->  Active:"chrome-extension://jddmnkdeojnommcapgiojabnpecbpage/newtab/newtab.html"
CHR DefaultSearchURL: Default -> hxxps://www.searchencrypt.com/encsearch?q={searchTerms}
CHR DefaultSearchKeyword: Default -> se
CHR Extension: (Screen Addict) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\jddmnkdeojnommcapgiojabnpecbpage [2017-08-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-23]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-23]
S2 4vUMsZiCdrDc Updater; C:\Program Files (x86)\4vUMsZiCdrDc Updater\4vUMsZiCdrDc Updater.exe [X]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} =>  -> No File
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers4: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} =>  -> No File
ContextMenuHandlers6: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} =>  -> No File
Task: {56281AA6-A160-4D7B-A605-3C7D1AAB098F} - \AutoKMS -> No File <==== ATTENTION
Task: {67737AF3-6D07-4191-B051-6FFBD2665AFF} - System32\Tasks\4vUMsZiCdrDc => 4vumszicdrdc.exe
DNS Servers: 82.163.142.8 - 95.211.158.136
HKLM\...\StartupApproved\Run32: => "lsalskj.exe"
C:\Program Files (x86)\4vUMsZiCdrDc
C:\Windows\System32\Tasks\4vUMsZiCdrDc
C:\Windows\Temp\msnxcapsrv.exe

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
---

Please let me know what problem persists with this computer.

#3 Blaze340
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male
  • Location:Chicago, IL

Posted 24 August 2017 - 09:37 PM

I was able to uninstall VidsqaurE (though I got a popup claiming that program could not be found when its uninstaller tool popped up), but Extended Update is refusing to go away because it says Windows is unable to find its execution file, which I actually checked its file path and sure enough it's not where it says it is (File path looks like this: C:\Users\User\AppData\Roaming\UpdaterEX\UpdateProc\UpdateTask.exe. The .exe I'm assuming is supposed to be the uninstall file for Extended Update isn't there but there are 2 .dat files in the UpdaterProc folder).

 

So, proceed with dealing with everything else anyway or do something about Extended Update first?

 

Side note: Sorry, but before your reply, since I didn't get a reply for hours, I had already performed some of the actions you mentioned, attempting to fix my problem. So I actually already reset my Firefox settings, downloaded a Java removal tool and completely uninstalled Java from my computer (It wouldn't uninstall either one of the Java versions through Programs as I kept getting an error message so I had to go use the removal tool). I also uninstalled other software that kept showing errors in my event viewer logs such as my Garmin GPS software.

 

Edit: I went on ahead and used Farbar again. Here's the fix log:

 

Oh and I'm still unable to get any anti-malware software to work (tdsskiller, Malwarebytes). Still getting an error stating "The request resource is still in use". AVG protection is also still disabled...

Attached Files


Edited by Blaze340, 25 August 2017 - 02:20 AM.


#4 nasdaq
  • Malware Response Team
  • 40,465 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 August 2017 - 07:14 AM

Malwarebytes Anti-Rootkit

Please download Anti-Rootkit BETA and save it to your Desktop.
  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply;
If you have any problems running either one come back and let me know.
===

If successful please run the Farbar program and post a fresh FRST log for my review.

Let me know what problem persists.

#5 Blaze340
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male
  • Location:Chicago, IL

Posted 25 August 2017 - 10:16 AM

Unsuccessful. Again, I'm unable to get malwarebytes to work. It doesn't even give me the action to extract anything from said file. As soon as I double click on "mbar-1.09.3.1001.exe" downloaded from Malwarebytes, I get a "requested resource is in use" error box.

 

At the moment, I'm eying two files that may be the culprit. The first file is called etwproviderinstall.vbs and its location is C:\$Windows.~WS\Sources\Windows\support\logging\etwproviderinstall.vbs (From my understanding, this file isn't supposed to be in that location) and vmrqqpge.sys located at C:\Windows\System32\drivers\vmrqqpge.sys (It's the source of some of the crashing I'm experiencing when attempting to open up certain applications and I can't seem to find what this file is associated with. It's showing that it's been created by an unknown source, but that it was created back in 2013)


Edited by Blaze340, 25 August 2017 - 11:04 AM.


#6 nasdaq
  • Malware Response Team
  • 40,465 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 August 2017 - 12:57 PM

Hi.
===


Rename the mbar-1.09.3.1001.exe to svchost.exe

Try to run it as an Administrator.

===

If no joy.

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
vmrqqpge.sys
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;
Run the Search again but this time select the Search Files button

Post both logs.

===

Let's check for a rootkit infection.

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.


#7 Blaze340
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male
  • Location:Chicago, IL

Posted 25 August 2017 - 03:07 PM

Alrighty.....

 

Renaming that Malwarebytes file didn't work. Same "Requested resource is in use" message box...

 

Here's the results from the registry scan:

_____________________

 

Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by User (25-08-2017 14:32:08)
Running from C:\Users\User\Downloads
Boot Mode: Normal

================== Search Registry: "vmrqqpge.sys" ===========


====== End of Search ======

 

___________________________

 

I already said TDSSKiller suffers the same problem as Malwarebytes did. And no, renaming it HoolaHoop.exe didn't make a difference.

 

And when I attempted to scan my PC with that Avast scan tool, I ended up getting the blue screen of death (aswMBR.exe, that Avast tool, being the cause). Interestingly enough though, when the scan got into my Windows folder and ran into vmrqqpge.sys, it highlighted that file yellow and had the words "Locked" on the end. Scanner went just a little further down the list before BSOD occurred...


Edited by Blaze340, 25 August 2017 - 03:18 PM.


#8 nasdaq
  • Malware Response Team
  • 40,465 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 August 2017 - 07:35 AM


Hi,

===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

Unlock: C:\Windows\System32\drivers\vmrqqpge.sys
C:\Windows\System32\drivers\vmrqqpge.sys

Reboot:


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Run the Farbar tool and post a fresh FRST log for my review.

#9 Blaze340
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male
  • Location:Chicago, IL

Posted 26 August 2017 - 11:11 AM

Here's the fixlog.txt:

I also managed to take a picture of that Avast scan before the BSOD popped up. Sorry if it's a bit blurry. Took the picture with my phone since my computer doesn't stay up long enough for me to take a snapshot of the computer screen itself due to the BSOD popping up soon after. I actually see service hggbjb is associated with vmrqqpge.sys. Think I'm gonna take a look into it...

 

Edit 2: I actually managed to reel off a picture of the very last file the scan hits before my PC crashes. This is the very last thing shown on-screen before the BSOD occurs:

Attached Files


Edited by Blaze340, 26 August 2017 - 12:28 PM.


#10 nasdaq
  • Malware Response Team
  • 40,465 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 August 2017 - 12:56 PM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

Unlock: C:\Windows\System32\drivers\vmrqqpge.sys
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\hggbjb
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\hggbjb" /f
Unlock: hggbjb; C:\Windows\System32\drivers\vmrqqpge.sys
C:\Windows\System32\drivers\vmrqqpge.sys

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If you cannot run the Malwarebytes program please run the Farbar program and post a fresh FRST.txt log for my review.

p.s.
It may just be that a new driver may be spawned at boot time.
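An added defender-side audit in PowerShell, not part of this thread or of FRST, covering the four kinds of findings the fixlists in posts #2 and #10 act on: a kernel service whose driver is missing or unsigned (the locked vmrqqpge.sys and its hggbjb service), the rogue DNS servers, a Software Restriction Policy rule against a security tool, and a scheduled task running an unsigned executable. The driver and service names and DNS addresses are taken from the FRST output quoted in the thread; the registry locations and cmdlets are standard Windows ones.

```powershell
# Added triage script for the kind of infection discussed in this thread. It is
# read-only (it reports, it does not remove anything) and is not part of FRST or
# of nasdaq's fixlist. Run it from an elevated PowerShell prompt.

# Indicators copied from the FRST output quoted in the thread; they are examples
# from this one case, not a complete signature for the malware family.
$SuspectDriver  = 'vmrqqpge.sys'
$SuspectService = 'hggbjb'
$RogueDns       = @('82.163.142.8', '95.211.158.136')

function Resolve-DriverPath([string]$ImagePath) {
    # Driver ImagePath values come in several shapes: "\SystemRoot\System32\drivers\x.sys",
    # "\??\C:\Windows\...\x.sys" or just "System32\drivers\x.sys". Normalise to an absolute path.
    $p = $ImagePath -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousKernelService {
    # 1. Kernel-mode services (Type 1) whose driver file is missing or unsigned, plus the
    #    service/driver pair named in the thread. Here the driver showed as "Locked" in aswMBR
    #    and nasdaq suspected the service re-spawned it at boot, so the pair is checked together.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($v.Type -ne 1 -or -not $v.ImagePath) { return }   # 1 = SERVICE_KERNEL_DRIVER
        $path = Resolve-DriverPath $v.ImagePath
        $status = if (Test-Path $path) { "$((Get-AuthenticodeSignature $path).Status)" } else { 'FileMissing' }
        $named = ($_.PSChildName -eq $SuspectService) -or ($path -like "*\$SuspectDriver")
        # Catalog-signed Microsoft drivers may show NotSigned here; treat hits as leads, not verdicts.
        if ($status -ne 'Valid' -or $named) {
            [pscustomobject]@{ Service = $_.PSChildName; Driver = $path; Signature = $status; Start = $v.Start }
        }
    }
}

function Get-RogueDnsInterface {
    # 2. Interfaces whose DNS servers include the addresses FRST reported. The fixlist
    #    cleared them with ipconfig /release and /renew plus a winsock and TCP/IP reset.
    Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object {
        @($_.ServerAddresses | Where-Object { $RogueDns -contains $_ }).Count -gt 0
    } | Select-Object InterfaceAlias, ServerAddresses
}

function Get-DisallowedPathRule {
    # 3. Software Restriction Policy path rules at the "Disallowed" level (subkey 0).
    #    FRST reported one of these for %systemroot%\system32\mrt.exe; a rule like that
    #    makes Windows refuse to launch the named cleanup tool.
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths'
    if (-not (Test-Path $srp)) { return }
    Get-ChildItem $srp | ForEach-Object {
        $d = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Rule = $_.PSChildName; BlockedPath = $d.ItemData }
    }
}

function Get-TaskWithMissingOrUnsignedAction {
    # 4. Scheduled tasks whose executable is gone or unsigned (the log showed a task named
    #    4vUMsZiCdrDc launching a same-named exe from Program Files (x86)).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }                    # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            if ($exe -notmatch '^[A-Za-z]:\\') {                 # bare name: resolve via PATH
                $cmd = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
                if ($cmd) { $exe = $cmd.Source }
            }
            $status = if (Test-Path $exe) { "$((Get-AuthenticodeSignature $exe).Status)" } else { 'FileMissing' }
            if ($status -ne 'Valid') {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Execute = $exe; Signature = $status }
            }
        }
    }
}

# Report. Empty sections are good news; anything listed deserves a closer look, not automatic deletion.
"== Kernel services with missing/unsigned drivers ==";  Get-SuspiciousKernelService | Format-Table -AutoSize
"== Interfaces using the rogue DNS servers ==";         Get-RogueDnsInterface | Format-Table -AutoSize
"== SRP 'Disallowed' path rules ==";                    Get-DisallowedPathRule | Format-Table -AutoSize
"== Tasks with missing/unsigned executables ==";        Get-TaskWithMissingOrUnsignedAction | Format-Table -AutoSize
```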

#11 Blaze340
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male
  • Location:Chicago, IL

Posted 26 August 2017 - 04:57 PM

Still unable to open Malwarebytes or TDSSKiller. Here are all the logs you requested:

Attached Files



#12 nasdaq
  • Malware Response Team
  • 40,465 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 August 2017 - 08:33 AM

The Malwarebytes Anti rootkit has been updated.
Delete the BETA version I had you download previously. See post no. 4.

Get the latest from this topic and run it.
https://www.bleepingcomputer.com/download/malwarebytes-anti-rootkit/
====

If it runs successfully please run their Malwarebytes Anti-Malware and post the log.

Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
===

IF ALL FAILS execute this. No need to DO IT if all is well.
 

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 

Start

CloseProcesses:

(TOSHIBA CORPORATION) C:\Windows\Temp\msnxcapsrv.exe
() C:\Users\User\AppData\Local\uninstallce.exe
GroupPolicy: Restriction <==== ATTENTION
2017-08-23 11:17 - 2017-08-23 11:17 - 004922400 _____ (AO Kaspersky Lab) C:\Users\User\Desktop\SVhost.exe
2017-08-23 09:32 - 2017-08-23 16:58 - 000000000 ____D C:\Users\User\AppData\Local\llssoft
2017-08-23 09:26 - 2017-08-23 09:52 - 000000000 ____D C:\Program Files (x86)\s5
2017-08-23 09:26 - 2017-08-23 09:26 - 000000000 ____D C:\WINDOWS\SysWOW64\utcwxlb
2017-08-23 09:26 - 2017-08-23 09:26 - 000000000 ____D C:\WINDOWS\system32\utcwxlb
2017-08-23 09:13 - 2017-08-23 09:13 - 000003072 _____ C:\Users\User\AppData\Local\uninstallce.exe
2017-08-23 09:13 - 2017-08-23 09:13 - 000000002 _____ C:\END
2017-08-23 09:13 - 2017-08-23 09:13 - 000003072 _____ () C:\Users\User\AppData\Local\uninstallce.exe
C:\Windows\Temp\msnxcapsrv.exe
C:\Users\User\Desktop\SVhost.exe
C:\Users\User\AppData\Local\llssoft
C:\Program Files (x86)\s5
C:\WINDOWS\SysWOW64\utcwxlb
C:\WINDOWS\system32\utcwxlb
C:\Users\User\AppData\Local\uninstallce.exe
C:\END

HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.


Please let me know what problem persists with this computer.

#13 Blaze340
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male
  • Location:Chicago, IL

Posted 27 August 2017 - 12:19 PM

The new Malwarebytes Anti-Rootkit extraction tool actually opened up! Soon as it got done extracting, a Malwarebytes anti-rootkit interface window popped up. I tried downloading and installing their anti-malware software from their website (I'm assuming THAT particular file name is mb3-setup.exe?), but I got the "resource is in use" error when that happened. Since the anti-rootkit program was up and running, I tried using that. I updated the Rootkit database and attempted to scan. Got a message saying the DDA driver was not installed and that I should restart my computer. Went ahead and restarted my computer but still got the same message saying DDA Driver was unable to install so it's unable to perform the scan. I closed the Anti-Rootkit interface window, opened the MBAR folder that was created from that extraction tool, and tried re-opening the Anti-Rootkit software. Now I'm getting that "requested resource is in use" message from that too. Trying to open ANY execution file inside that folder gives me the same message. I'm able to get the Anti-Rootkit interface to come back up though by deleting that MBAR folder and re-extracting it from that MB Anti-Rootkit extracting tool, whatever good that does...

 

This was done before using the FARBAR tool again. Will be back to edit this post with the results once I restart my computer again...

Edit: here's the fix log:

 

Oh and nothing changed. Still the same problem.

 

Edit 2: Thinking it would benefit if I backtracked and found out what bloatware got installed that may have contained the virus in the first place. Here are the names of all the bloatware that was included in software I was installing prior to that possible rootkit getting on my system:

 

Swytshop

Search Awesome

OnlineApp

Interstat

 

Those are the names of the programs that were included....

Attached Files


Edited by Blaze340, 27 August 2017 - 01:38 PM.


#14 nasdaq
  • Malware Response Team
  • 40,465 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 August 2017 - 01:31 PM



Which version of Malwarebytes anti-rootkit?

I just downloaded version 1.093.1001 with no problems

I also downloaded the 1.094.1001 and my Norton is telling me that it's a virus. (may be a false positive, it's a new version.)


I will check with the owner once I know your version.

#15 Blaze340
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male
  • Location:Chicago, IL

Posted 27 August 2017 - 01:50 PM

I edited my last post in case that information may be useful.

 

I downloaded mbar-1.09.4.1001, which actually somewhat worked unlike the other version I had. Its window looks like this:

 

The previous one that I was having problems with was 1.093.1001....

 

Edit: Errrr....heh heh heh. I guess that was a pretty bad idea redownloading the same software that infected my computer in the first place. Kinda like making the mistake of ingesting poison but instead of letting doctors do their job, you go "Oh hey! Let me confirm what type of poison I just ingested by drinking more poison!". That PC Tuneup file itself was infected which means I didn't have to do anything other than simply run it. Ended up reacquiring some of the infection I cleaned when I ran that .exe file to confirm what extra bloatware may have gotten downloaded, but AVG took care of it. I actually decided to scan the .exe file and sure enough, it has two separate doses of Win32:Malware-Gen infection...

Attached Files


Edited by Blaze340, 28 August 2017 - 02:02 AM.




