infected with Gen:Trojan.Heur.TP.bmW@bCZc7ih


25 replies to this topic

#16 gesun (Topic Starter, Members, 18 posts)

Posted Yesterday, 03:53 PM

Thanks Gary,

Here are the results of the Farbar MiniRegTool:

MiniRegTool64 by Farbar Version:21-07-2014
Ran by AprilD (administrator) on 2017-10-21 16:45:40

====================================
"HKLM\System\CurrentControlSet\Services\AVG Antivirus" could not be deleted.
"HKLM\System\CurrentControlSet\Services\avgbIDSAgent" could not be deleted.


Update on computer behaviour:

It is quite a bit more responsive with internet browsing and accessing and opening documents. But I have not been using this PC much, due to this viral activity. But a definite improvement.

Also, I didn't complete your first set of instructions after the Fixlog report due to the ransomware alert. Should I complete those instructions?

cheers,

April
#17 Oh My! (Malware Response Instructor, 34,167 posts, California)

Posted Yesterday, 05:40 PM

Hi April,

Glad things are a bit better.

Instead of using FRST to search, please do this.

===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook for 64-bit systems and save it to your Desktop.
  • Right-click SystemLook.exe and select Run as administrator...
  • Copy the content of the following codebox into the main textfield:
:filefind
wow64.dll
:regfind
AVG Antivirus
avgbIDSAgent 
:service
AVG Antivirus
avgbIDSAgent
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please copy and paste the report contents in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • SystemLook log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom shall we go? You have the words that give eternal life. We believe, and know that you are the Holy One of God."

#18 gesun (Topic Starter, Members, 18 posts)

Posted Yesterday, 06:14 PM

Hi Gary,

SystemLook log results:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:58 on 21/10/2017 by AprilD
Administrator - Elevation successful

========== filefind ==========

Searching for "wow64.dll"
C:\WINDOWS\System32\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.16384_none_58e42814ab46383d\wow64.dll    --a---- 37960 bytes    [11:40 22/08/2013]    [18:12 18/05/2015] D7BB26BA80384D9DE8172C548BAE8ED9
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.17415_none_5930c2f0ab0ca4c5\wow64.dll    --a---- 942 bytes    [13:58 25/04/2015]    [18:12 18/05/2015] 139599F9357BE7B69376F5FB4AEE135B
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.17736_none_591c2914ab1bed73\wow64.dll    --a---- 285184 bytes    [00:26 16/04/2015]    [04:10 20/03/2015] AF4309E729C1943908E1E10DAEE42413
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.17936_none_591c2ce0ab1be7c1\wow64.dll    --a---- 7189 bytes    [00:26 16/04/2015]    [19:59 10/10/2017] DED70BAB5147789CD16CC8B1EA2661FC
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18066_none_58fb953eab346ed6\wow64.dll    --a---- 7189 bytes    [00:26 16/04/2015]    [19:59 10/10/2017] DED70BAB5147789CD16CC8B1EA2661FC
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18146_none_591136fcab24341b\wow64.dll    --a---- 7189 bytes    [00:26 16/04/2015]    [20:00 10/10/2017] DED70BAB5147789CD16CC8B1EA2661FC
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18258_none_5908698aab2a7fe1\wow64.dll    --a---- 7189 bytes    [00:26 16/04/2015]    [20:00 10/10/2017] DED70BAB5147789CD16CC8B1EA2661FC
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18438_none_591e0d2eab1a424d\wow64.dll    --a---- 7189 bytes    [00:26 16/04/2015]    [20:00 10/10/2017] DED70BAB5147789CD16CC8B1EA2661FC
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18696_none_58db30deab4cb193\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18758_none_59087308ab2a71a4\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18790_none_58d53108ab5216b0\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18821_none_5921e2acab186997\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\Temp\InFlight\4c589f07ff41d3012f02000004068c0e\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18589_none_58e8ffc2ab41e480\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\Temp\InFlight\4c589f07ff41d3012f02000004068c0e\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18685_none_58e50080ab457c4b\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\Temp\InFlight\4c589f07ff41d3012f02000004068c0e\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18730_none_59161090ab216f0a\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538

========== regfind ==========

Searching for "AVG Antivirus"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe.FriendlyAppName"="AVG Antivirus"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVG Antivirus]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVG Antivirus]
"DisplayName"="AVG Antivirus"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AVG Antivirus]
"Description"="Manages and implements AVG antivirus services for this computer. This includes the real-time protection, the Quarantine and the scheduler."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Antivirus]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Antivirus]
"DisplayName"="AVG Antivirus"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Antivirus]
"Description"="Manages and implements AVG antivirus services for this computer. This includes the real-time protection, the Quarantine and the scheduler."
[HKEY_USERS\S-1-5-21-1465306025-3308089516-3492606411-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe.FriendlyAppName"="AVG Antivirus"
[HKEY_USERS\S-1-5-21-1465306025-3308089516-3492606411-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe.FriendlyAppName"="AVG Antivirus"

Searching for "avgbIDSAgent "
No data found.

========== service ==========

AVG Antivirus
AVG Antivirus
"Manages and implements AVG antivirus services for this computer. This includes the real-time protection, the Quarantine and the scheduler."
Current Status: Stopped
Startup Type: Automatic
Error Control: Severe
Binary: "C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe"
Group: ShellSvcGroup
SafeBoot:
Dependencies:
->avgMonFlt
->RpcSS
Dependant Services:
(none)

avgbIDSAgent
avgbIDSAgent
"Provides Identity Protection Against Cyber Crime."
Current Status: Stopped
Startup Type: Demand
Error Control: Critical
Binary: "C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe"
Group: (none)
SafeBoot:
Dependencies:
(none)
Dependant Services:
(none)

-= EOF =-

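Two things a reader should take from the log above before moving on. First, the regfind term was passed as "avgbIDSAgent " with a trailing space (the log echoes it back that way), so "No data found" is not evidence the key is absent; the :service section, and the MiniRegTool output in post #16, both show the avgbIDSAgent service is still registered. Second, the filefind section lists many wow64.dll copies with different sizes and hashes, which is normal for the WinSxS component store: it keeps every serviced version. The useful check is whether the live C:\WINDOWS\System32\wow64.dll matches the newest versioned copy in the store. The script below is an added example for this thread, not SystemLook's own code nor anything the participants posted; it parses the wow64.dll listing exactly as posted, groups the store copies by MD5, and reports whether the System32 hash equals the hash of the highest component version. Here they agree (6.3.9600.18821, CA4F55E38A71E24623C3EBF1EF441538), which is what a correctly serviced file looks like. That is not proof the file is clean, but a mismatch would be the thing to chase.

```python
"""Check a SystemLook ':filefind' listing for a system DLL: does the live System32
copy match the newest servicing copy held in the WinSxS component store?
Added example for this thread (not part of SystemLook or the original posts); the
input below is the wow64.dll listing exactly as posted."""
import re
from collections import defaultdict

SYSTEMLOOK_FILEFIND = r"""
Searching for "wow64.dll"
C:\WINDOWS\System32\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.16384_none_58e42814ab46383d\wow64.dll    --a---- 37960 bytes    [11:40 22/08/2013]    [18:12 18/05/2015] D7BB26BA80384D9DE8172C548BAE8ED9
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.17415_none_5930c2f0ab0ca4c5\wow64.dll    --a---- 942 bytes    [13:58 25/04/2015]    [18:12 18/05/2015] 139599F9357BE7B69376F5FB4AEE135B
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.17736_none_591c2914ab1bed73\wow64.dll    --a---- 285184 bytes    [00:26 16/04/2015]    [04:10 20/03/2015] AF4309E729C1943908E1E10DAEE42413
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.17936_none_591c2ce0ab1be7c1\wow64.dll    --a---- 7189 bytes    [00:26 16/04/2015]    [19:59 10/10/2017] DED70BAB5147789CD16CC8B1EA2661FC
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18066_none_58fb953eab346ed6\wow64.dll    --a---- 7189 bytes    [00:26 16/04/2015]    [19:59 10/10/2017] DED70BAB5147789CD16CC8B1EA2661FC
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18146_none_591136fcab24341b\wow64.dll    --a---- 7189 bytes    [00:26 16/04/2015]    [20:00 10/10/2017] DED70BAB5147789CD16CC8B1EA2661FC
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18258_none_5908698aab2a7fe1\wow64.dll    --a---- 7189 bytes    [00:26 16/04/2015]    [20:00 10/10/2017] DED70BAB5147789CD16CC8B1EA2661FC
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18438_none_591e0d2eab1a424d\wow64.dll    --a---- 7189 bytes    [00:26 16/04/2015]    [20:00 10/10/2017] DED70BAB5147789CD16CC8B1EA2661FC
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18696_none_58db30deab4cb193\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18758_none_59087308ab2a71a4\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18790_none_58d53108ab5216b0\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18821_none_5921e2acab186997\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\Temp\InFlight\4c589f07ff41d3012f02000004068c0e\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18589_none_58e8ffc2ab41e480\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\Temp\InFlight\4c589f07ff41d3012f02000004068c0e\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18685_none_58e50080ab457c4b\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
C:\WINDOWS\WinSxS\Temp\InFlight\4c589f07ff41d3012f02000004068c0e\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.3.9600.18730_none_59161090ab216f0a\wow64.dll    --a---- 285184 bytes    [22:36 14/03/2017]    [19:30 04/02/2017] CA4F55E38A71E24623C3EBF1EF441538
"""

# One result line: path, attribute flags, size, two bracketed timestamps, MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
# Component directories embed the assembly version right after the Microsoft public-key token.
VERSION_RE = re.compile(r"_31bf3856ad364e35_(\d+(?:\.\d+){3})_")


def parse_filefind(text):
    """Parse each result line into a dict; header lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        v = VERSION_RE.search(e["path"])
        e["version"] = tuple(int(x) for x in v.group(1).split(".")) if v else None
        entries.append(e)
    return entries


def analyze(text, live_dir="C:\\WINDOWS\\System32\\"):
    """Compare the live copy under `live_dir` with the versioned WinSxS copies."""
    entries = parse_filefind(text)
    live = [e for e in entries if e["path"].lower().startswith(live_dir.lower())]
    versioned = [e for e in entries if e["version"] is not None]
    if not live or not versioned:
        return {"entries": len(entries), "consistent": None}
    live_md5, live_size = live[0]["md5"], live[0]["size"]
    newest = max(versioned, key=lambda e: e["version"])
    by_hash = defaultdict(list)
    for e in versioned:
        by_hash[e["md5"]].append(e["version"])
    return {
        "entries": len(entries),
        "live_md5": live_md5,
        "newest_version": newest["version"],
        "newest_md5": newest["md5"],
        # The live file should be the newest serviced component; a mismatch means
        # System32 holds something the servicing stack did not put there (or an
        # update is pending) and deserves a closer look.
        "consistent": live_md5 == newest["md5"],
        "versions_sharing_live_hash": sorted(by_hash.get(live_md5, [])),
        "hash_groups": {h: sorted(v) for h, v in by_hash.items()},
        # Older store copies legitimately differ in size; listed only for orientation.
        "size_mismatches": [e["path"] for e in versioned if e["size"] != live_size],
    }


if __name__ == "__main__":
    r = analyze(SYSTEMLOOK_FILEFIND)
    print("live System32 MD5:", r["live_md5"])
    print("newest WinSxS component:", ".".join(map(str, r["newest_version"])), r["newest_md5"])
    print("consistent:", r["consistent"])
    for h, versions in r["hash_groups"].items():
        print(h, [".".join(map(str, v)) for v in versions])
```

To reuse it on another SystemLook log, paste the ":filefind" section into the string and change the file name in `live_dir` logic as needed; anything that is not a result line is ignored by the parser.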


#19 Oh My! (Malware Response Instructor, 34,167 posts, California)

Posted Yesterday, 07:22 PM

Thank you.

Do you have a Windows Installation Disk?

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
Start::
cmd: sc config WinDefend start= disabled
cmd: sc config avgbIDSAgent start= disabled
End::
  • Click Fix
  • When completed, the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Installation disk?
  • Fixlog

Gary

#20 gesun (Topic Starter, Members, 18 posts)

Posted Yesterday, 08:08 PM

I don't think I have an installation disk; I will have to take a better look tomorrow.

Should I be trying these Fix procs in Safe Mode?

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-10-2017
Ran by AprilD (21-10-2017 21:05:24) Run:2
Running from C:\Users\AprilD\Desktop
Loaded Profiles: AprilD (Available Profiles: AprilD)
Boot Mode: Normal
==============================================

fixlist content:
*****************
cmd: sc config WinDefend start= disabled
cmd: sc config avgbIDSAgent start= disabled

*****************


========= sc config WinDefend start= disabled =========

[SC] OpenService FAILED 5:

Access is denied.


========= End of CMD: =========


========= sc config avgbIDSAgent start= disabled =========

[SC] ChangeServiceConfig FAILED 5:

Access is denied.


========= End of CMD: =========


==== End of Fixlog 21:05:25 ====



#21 Oh My! (Malware Response Instructor, 34,167 posts, California)

Posted Yesterday, 08:23 PM

Yes, you can do that. Make sure you right-click on MiniRegTool and select Run as administrator. I don't think it will work, but it doesn't hurt to try.

Gary

#22 Oh My! (Malware Response Instructor, 34,167 posts, California)

Posted Today, 12:02 PM

Hi April.

Please complete the below for me so we can gather data regarding the Malwarebytes FRST detection.

===================================================

Malwarebytes Check

--------------------
  • Please download MB-Check and save it to your Desktop
  • Right click on mb-check.exe and select Run as administrator
  • Press the Enter key on your keyboard at the black command window
  • Upon completion, click OK
  • A file named mb-check-results.zip will be saved to your Desktop
  • Please attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Attached file

Edited by Oh My!, Today, 12:03 PM.

Gary

#23 gesun (Topic Starter, Members, 18 posts)

Posted Today, 12:02 PM

OK, for running in Safe Mode, I'm not sure which instructions I should run?

1. AVG Remover Tool
2. MiniRegTool
3. Farbar Fix (with your last instructions)

Please let me know. Thank you.



#24 Oh My! (Malware Response Instructor, 34,167 posts, California)

Posted Today, 12:05 PM

Don't miss Post #22.

Regarding Safe Mode, just run Post #19.

Gary

#25 gesun (Topic Starter, Members, 18 posts)

Posted Today, 12:07 PM

OK, file for Post #22 attached.



#26 gesun (Topic Starter, Members, 18 posts)

Posted Today, 12:23 PM

Results for Post #19, run in Safe Mode:

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-10-2017
Ran by AprilD (22-10-2017 13:14:10) Run:3
Running from C:\Users\AprilD\Desktop
Loaded Profiles: AprilD (Available Profiles: AprilD)
Boot Mode: Safe Mode (minimal)
==============================================

fixlist content:
*****************
cmd: sc config WinDefend start= disabled
cmd: sc config avgbIDSAgent start= disabled

*****************


========= sc config WinDefend start= disabled =========

[SC] OpenService FAILED 5:

Access is denied.


========= End of CMD: =========


========= sc config avgbIDSAgent start= disabled =========

[SC] ChangeServiceConfig SUCCESS

========= End of CMD: =========


==== End of Fixlog 13:14:10 ====

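The two Fixlogs (posts #20 and #26) fail in different places, and the difference is the diagnostic. `sc config` opens the service asking for the SERVICE_CHANGE_CONFIG right; when the service's own security descriptor does not grant that right to Administrators, OpenService itself fails with error 5, elevation notwithstanding, which is exactly the WinDefend line in both Normal Mode and Safe Mode. For avgbIDSAgent the open succeeded and only ChangeServiceConfig was refused in Normal Mode, then succeeded in Safe Mode (minimal); that pattern is consistent with a product self-protection component that is not loaded in Safe Mode blocking the change, rather than with the service's DACL. The check a practitioner would run first is `sc.exe sdshow <service>`, which prints the descriptor as an SDDL string. The script below is an added example for this thread, not something the participants ran and not part of any Farbar tool: it decodes the DACL of such a string and answers whether a given principal holds SERVICE_CHANGE_CONFIG. Both sample descriptors are constructed for illustration; the first is the stock descriptor most ordinary services carry, the second strips change-config and stop rights from Administrators and is not WinDefend's real descriptor. The access check is simplified on purpose: trustees are matched by SDDL alias only, group membership is not expanded, and any deny ACE beats any allow ACE.

```python
"""Decode a Windows service DACL from SDDL (the `sc.exe sdshow <service>` format)
and report whether a principal holds SERVICE_CHANGE_CONFIG, the right `sc config`
needs at OpenService.  Added example for this thread; the access check is a
simplification (see effective_rights) and the sample descriptors are constructed."""
import re

# Two-letter SDDL right codes -> service-specific and standard rights.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL",
}
# The same rights as access-mask bits, for ACEs written with a hex mask instead of codes.
MASK_BITS = [
    (0x0001, "SERVICE_QUERY_CONFIG"), (0x0002, "SERVICE_CHANGE_CONFIG"),
    (0x0004, "SERVICE_QUERY_STATUS"), (0x0008, "SERVICE_ENUMERATE_DEPENDENTS"),
    (0x0010, "SERVICE_START"), (0x0020, "SERVICE_STOP"),
    (0x0040, "SERVICE_PAUSE_CONTINUE"), (0x0080, "SERVICE_INTERROGATE"),
    (0x0100, "SERVICE_USER_DEFINED_CONTROL"), (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]
# Well-known SID aliases that appear in service descriptors.
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "BU": "Users",
            "AU": "Authenticated Users", "IU": "INTERACTIVE", "SU": "SERVICE",
            "WD": "Everyone", "LS": "LOCAL SERVICE", "NS": "NETWORK SERVICE"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")   # the D: section up to S: or end
ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_rights(field):
    """Turn an ACE rights field (letter pairs or a 0x mask) into a set of right names."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in MASK_BITS if mask & bit}
    names = {RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)}
    if "GENERIC_ALL" in names:            # GA covers every service right
        names |= {name for _, name in MASK_BITS}
    return names


def parse_dacl(sddl):
    """Return [(ace_type, rights, trustee), ...] for the D: section of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:               # ace_type;flags;rights;object_guid;inherit_guid;sid
            continue
        ace_type, _flags, rights, _obj, _inh, sid = parts
        aces.append((ace_type, decode_rights(rights), TRUSTEES.get(sid, sid)))
    return aces


def effective_rights(sddl, trustee):
    """Rights `trustee` ends up with.  Simplification: the trustee must be named in
    the ACE directly (no group expansion) and any deny ACE beats any allow ACE."""
    allowed, denied = set(), set()
    for ace_type, rights, who in parse_dacl(sddl):
        if who != trustee:
            continue
        if ace_type == "A":
            allowed |= rights
        elif ace_type == "D":
            denied |= rights
    return allowed - denied


def can_change_config(sddl, trustee="Administrators"):
    """True if `sc config` run as `trustee` would get past OpenService."""
    return "SERVICE_CHANGE_CONFIG" in effective_rights(sddl, trustee)


# Stock descriptor that `sc sdshow` prints for most ordinary services.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Constructed for illustration (not WinDefend's real descriptor): Administrators
# keep query/start rights but lose DC (change config), WP (stop), WD and WO.
LOCKED_DOWN_SDDL = (
    "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
)

if __name__ == "__main__":
    for label, sddl in [("default", DEFAULT_SERVICE_SDDL), ("locked-down", LOCKED_DOWN_SDDL)]:
        print(label, "- Administrators can change config:", can_change_config(sddl))
        print(label, "- Administrators rights:", sorted(effective_rights(sddl, "Administrators")))
```

On the affected machine the input would be the output of `sc.exe sdshow WinDefend` and `sc.exe sdshow avgbIDSAgent`; if the Administrators ACE for a service lacks DC, no amount of elevation or Safe Mode will make `sc config` succeed, and the descriptor itself (WRITE_DAC, or running as SYSTEM) is what would have to change. If DC is present but the change still fails only in Normal Mode, look for the product's self-protection rather than at the ACL.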

