PC #2 Pretty Sure its Infected- Help Please


73 replies to this topic

#61 SenorSySoP

Posted 05 December 2017 - 12:12 AM

OK will do. thanks.

#62 Oh My!

Posted 07 December 2017 - 03:06 PM

Greetings,

Before doing a Refresh, please type the below at the Recovery Command Prompt, hitting Enter after each line.
 

bcdedit /export c:\bcdbackup
bcdedit /set displaymessageoverride Recovery
bcdedit /set useplatformclock false


Attempt to boot your computer.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"The virgin will be with child and will give birth to a son, and they will call him Immanuel" - which means "God with us."

#63 Oh My!

Posted 08 December 2017 - 09:32 AM

Greetings.

I know you have multiple topics you are working on but are you still interested in continuing with this one? Here is a recap of the things I am interested in. I am adding one thing and would like you to hold off on the Refresh.

-----

External monitor?

-----

Also, while at the Startup Settings screen attempt to boot using Enable low-resolution video

-----

What we want to do is boot into Safe Mode however you can and then leave it. I would even suggest doing that when you are done for the evening and just let it run until morning to see what happens.

-----

Before doing a Refresh, please type the below at the Recovery Command Prompt, hitting Enter after each line.

bcdedit /export c:\bcdbackup
bcdedit /set displaymessageoverride Recovery
bcdedit /set useplatformclock false

Attempt to boot your computer.

-----

And this is what I would like to add.

===================================================

Farbar's Recovery Scan Tool Search

--------------------
  • Boot to the System Recovery Options again and run FRST
  • Type the following in the Search Field
pending.xml
  • Click Search File(s) button
  • A Search.txt document will be saved to your USB device
  • Copy and paste the contents of that document in your reply
===================================================

Please let me know if you want to continue with this Topic and are available to make some progress.
Gary
 

#64 Oh My!

Posted 10 December 2017 - 06:38 PM

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Gary
 

#65 Oh My!

Posted 12 December 2017 - 09:39 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 

#66 Oh My!

Posted 12 December 2017 - 09:18 PM

This topic has been re-opened at the request of the person who originally posted.
Gary
 

#67 Oh My!

Posted 14 December 2017 - 09:21 PM

Greetings,

It has been 10 days since we last made any progress and although you asked me to re-open the topic 2 days ago you have not posted a reply. Please let me know if you are available to continue working on this machine.
Gary
 

#68 SenorSySoP

Posted 15 December 2017 - 06:52 PM

Ok sorry for delays but having new issues even with my clean pc. Am beginning to wonder if my router has been compromised as anything that connects to wifi starts acting weird. Even downloading iCloud my antivirus went off and a new webpage opened to curationservices.com :80   I don't even know what that is. So it's been a struggle.

 

Ok on this pc2,  I rebooted, it went to black screen, I hit ctrl alt delete for task manager and left it alone for an hour, it finally loaded up showing 71 processes and the top process is verzeichisuberwachund und H....   wtf...   All those process running behind the black screen..  Ugh

 

I will now try the last edits you gave me to try and am online now.   I wish I could verify my router is OK or I could be reinfecting things just as fast as I fix them.

 

thanks for reopening.



#69 Oh My!

Posted 15 December 2017 - 08:35 PM

Thanks for the update.

That entry is German for "transcript and H....". Make any sense to you?

Are you able to right click on suspicious processes and select End task?
Gary
 

#70 SenorSySoP

Posted 15 December 2017 - 09:05 PM

OK I did the bcd edits and it said successful after each time. Reboot takes me to black screen. I made sure the screen is on PC only and ran the search and it did not find any pending.xml



#71 SenorSySoP

Posted 15 December 2017 - 09:08 PM

Yes I can end task. The process is fabs.exe that is linked to the German process, by the way.
I do not recognize nor have Firebird database going.


Edited by SenorSySoP, 15 December 2017 - 09:09 PM.


#72 Oh My!

Posted 15 December 2017 - 09:51 PM

Thanks.
 

I wish I could verify my router is OK or I could be reinfecting things just as fast as I fix them.

You could do a factory reset of the router if you want.

In Task Manager click File, Run new task, type cmd and hit Enter. Let me know if the command prompt window appears.

While still in the Task Manager screen click the Services tab, locate AppReadiness and if it shows it is running right click on it and select Restart. Let me know what happens.

Edited by Oh My!, 15 December 2017 - 10:02 PM.

Gary
 

#73 SenorSySoP

Posted Yesterday, 05:09 PM

Boot into safe mode, then task manager, about 30 minutes it came up,  file, run new task, cmd, about 5 minutes and then it came up in command window

 

notably there are two instances of many things in task manager  

 

In background process:  there are two ctf loader, 1 com surrogate,  and 2 usermode font driver host,

 

windows processes:  24 instances total  1 antimalware service executable 32mb, 2 client server runtime Process, 1 desktopwindows manager10mb

 

 

AppReadiness shows stopped. I can't start it in safe mode, it says

 

thanks


Edited by SenorSySoP, Yesterday, 05:10 PM.
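An added example, not code from this thread or from the tools it mentions: a PowerShell pass over the same process list the post above goes through by eye in Task Manager, grouped by name with instance count, image path and Authenticode signature status, so that duplicate instances of signed Windows binaries can be told apart from an unsigned image running from an unexpected location. The Suspicious flag and the trusted-directory list are a constructed heuristic for where to look first, not a verdict on any process.

```powershell
# Added example (not from the thread). Groups running processes by name and
# records instance count, image path and Authenticode signature status.
# "Suspicious" is a constructed heuristic: unsigned, or outside the Windows /
# Program Files trees. Many legitimate programs install elsewhere, so treat
# it as a triage order, not a diagnosis.
# Assumes an elevated PowerShell session; Safe Mode is fine.

$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-ProcessTriage {
    Get-Process | Group-Object -Property Name | ForEach-Object {
        # Only the first instance's image is inspected; all instances of a
        # name normally share it, but the path column lets you verify that.
        $first  = $_.Group | Select-Object -First 1
        $path   = $first.Path            # $null for protected system processes
        $status = 'n/a'
        $inTrusted = $false
        if ($path) {
            $status = (Get-AuthenticodeSignature -FilePath $path).Status
            foreach ($root in $trustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                }
            }
        }
        [pscustomobject]@{
            Name       = $_.Name
            Instances  = $_.Count
            Path       = $path
            Signature  = $status
            Suspicious = [bool]($path -and (-not $inTrusted -or "$status" -ne 'Valid'))
        }
    }
}

$report = Get-ProcessTriage
# Flagged entries first so the odd ones sit at the top of the table.
$report | Sort-Object -Property @{ Expression = 'Suspicious'; Descending = $true }, Name |
    Format-Table -Property Name, Instances, Signature, Suspicious, Path -AutoSize
# Saved to the desktop so the full list can be pasted into a reply.
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\process-triage.csv" -NoTypeInformation
```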


#74 Oh My!

Posted Yesterday, 08:49 PM

Greetings.

Thank you for the information.

Please attempt to do this.

===================================================

Running Rkill and FRST via Task Manager

--------------------
  • Download FRST and RKill and save it to a USB device
  • Boot into Safe Mode
  • Open Task Manager
  • Click File, Run new task, type CMD, then place a check mark in Create this task with administrative privileges
  • Click OK
  • Type Notepad and hit Enter
  • Insert the USB device into the compromised computer
  • Click File, Open, then using the Explorer screen identify the drive letter of your USB device (i.e. E:)
  • Close Notepad and return to the Command Prompt window
  • Type E:\rkill.exe -l E:\rkill-log.txt and hit Enter (replace E: with the drive letter of your USB device)
  • Once completed you should see an Rkill Complete pop up window.
  • Click OK
  • A copy of the Rkill report will be placed on your USB device
  • Type E:\FRST64.exe and hit Enter (replace E: with the drive letter of your USB device)
  • Click Scan
  • Once completed a FRST.txt and Addition.txt report will be created on your USB device
  • Copy and paste the contents of rkill-log.txt, FRST.txt, and Addition.txt in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Rkill log
  • FRST log
  • Addition log

Gary
 



