Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

VERY strange virus, crashes, cpu load, application turning off


  • Please log in to reply
8 replies to this topic

#1 QBsheon

QBsheon

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 09 February 2018 - 06:08 PM

So this is the most strange virus I ever seen.
I wanted to test a game before buying, so I searched for torrents I found one. It was very small, around 400kB, it downloaded exe file so i opened it. Everything was in russian I guess and there were a lot of strange characters, somehow I finished the dialog, it looked like an installator. It downloaded another torrent file (this one was proper game torrent). After this about 5 shortcuts appeared on my desktop, all affiliated with site called Mail.ru... I opened sources of shortcuts and deleted them. I notices some mail.ru extensions in chrome so I removed them too. After some time i noticed my cpu usage is more than 50% all the time. A process called svchost.exe is using stable 50%... Now the tricky part.
I readed on internet to scan pc with adwcleaner and check process with ProcessHacker, I typed in "processhacker" in the url bar in chrome and chrome crashed... I tried several times and everytime I type something containing "adw", "hacker", and "eset" in url bar and press enter, chrome crashes. So I entered safe mode and downloaded adwcleaner and ccleaner. Both didn't detected anything. I can suspend the process to stop it from loading cpu but when I try to end it bluescreen appears. I tried to type adw or hacker in internet explorer, same as in chrome. It worked in steam overlay web browser tho. When I try to open cmd, it immediately closes. I checked services and I didn't find anything suspicious. The process svchost isn't starting at windows startup, it starts about 5 minutes after boot. I downloaded ProcessHacker before it started and launched it but the ProcessHacker closed when process started... and when i open ProcessHacker proporties, explorer.exe restarts. Now when I try to turn off or reboot pc, it instantyly shows bluescreen. I checked all services, installed applications, scanned with adwcleaner and ccleaner. I tried to restore windows, but the latest restore point is after infection.
Im using Windows 7, I'm very confused.

BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • BC Advisor
  • 12,885 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:06 PM

Posted 09 February 2018 - 09:02 PM

If you can boot into safe mode with Networking then try downloading and running a scan using Malwarebytes.

 

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends of your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

 

If you can't run a scan using Malwarebytes then you can scan your computer using a bootable flash drive (suggested), CD or DVD using Trend Micro Rescue Disk.

Download Trend Micro Rescue Disk - MajorGeeks


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 QBsheon

QBsheon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 10 February 2018 - 04:24 AM

Malwarebytes
www.malwarebytes.com
 
-Szczegóły raportu-
Data skanowania: 10.02.2018
Czas skanowania: 10:16
Plik raportu: 1f53acc8-0e43-11e8-ab78-d850e65428b0.json
Administrator: Tak
 
-Informacje o oprogramowaniu-
Wersja: 3.3.1.2183
Wersja komponentów: 1.0.262
Aktualna wersja pakietu: 1.0.3912
Licencja: Wersja próbna
 
-Informacje o systemie-
System operacyjny: Windows 7 Service Pack 1
Procesor: x64
System plików: NTFS
Użytkownik: QBsheon-PC\QBsheon
 
-Wyniki skanowania-
Typ skanowania: Pełne skanowanie
Wynik: Ukończono
Obiekty przeskanowane: 281919
Wykryte zagrożenia: 22
Zagrożenia poddane kwarantannie: 22
Czas, który upłynął: 1 min, 0 s
 
-Opcje skanowania-
Pamięć: Włączony
Autostart: Włączony
System plików: Włączony
Archiwa: Włączony
Rootkity: Wyłączony
Heurystyka: Włączony
PUP: Wykrywanie
PUM: Wykrywanie
 
-Szczegóły skanowania-
Proces: 0
(Nie wykryto zagrożeń)
 
Moduł: 0
(Nie wykryto zagrożeń)
 
Klucz rejestru: 4
PUP.Optional.MailRu, HKU\S-1-5-21-2595355336-4131253462-1456693534-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}, Dodano do kwarantanny, [627], [382913],1.0.3912
PUP.Optional.MailRu, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\bhjhnafpiilpffhglajcaepjbnbjemci, Dodano do kwarantanny, [627], [448286],1.0.3912
PUP.Optional.MailRu, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\hcadgijmedbfgciegjomfpjcdchlhnif, Dodano do kwarantanny, [627], [403165],1.0.3912
PUP.Optional.RussAd, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\ngdlmklkpclkhjopnhihdedhjgjmhlaa, Dodano do kwarantanny, [9], [485558],1.0.3912
 
Wartość rejestru: 3
PUP.Optional.MailRu, HKU\S-1-5-21-2595355336-4131253462-1456693534-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}|URL, Dodano do kwarantanny, [627], [382913],1.0.3912
PUP.Optional.MailRu, HKU\S-1-5-21-2595355336-4131253462-1456693534-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}|FAVICONURLFALLBACK, Dodano do kwarantanny, [627], [382913],1.0.3912
PUP.Optional.MailRu, HKU\S-1-5-21-2595355336-4131253462-1456693534-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{FFEBBF0A-C22C-4172-89FF-45215A135AC7}|SUGGESTIONSURL, Dodano do kwarantanny, [627], [382913],1.0.3912
 
Dane rejestru: 0
(Nie wykryto zagrożeń)
 
Strumień danych: 0
(Nie wykryto zagrożeń)
 
Folder: 0
(Nie wykryto zagrożeń)
 
Plik: 15
PUP.Optional.MailRu, C:\USERS\QBSHEON\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Zastąpiono, [627], [448286],1.0.3912
PUP.Optional.MailRu, C:\USERS\QBSHEON\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Zastąpiono, [627], [403165],1.0.3912
PUP.Optional.RussAd, C:\USERS\QBSHEON\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Zastąpiono, [9], [485558],1.0.3912
Adware.FileTour.BatBitRst, C:\USERS\QBSHEON\APPDATA\LOCAL\TEMP\IS-KUTHO.TMP\4F2A09B8, Dodano do kwarantanny, [14771], [482280],1.0.3912
Adware.FileTour.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Dodano do kwarantanny, [14771], [-1],0.0.0
Adware.FileTour.BatBitRst, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Dodano do kwarantanny, [14771], [-1],0.0.0
Adware.FileTour.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Dodano do kwarantanny, [14771], [-1],0.0.0
Adware.FileTour.BatBitRst, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Dodano do kwarantanny, [14771], [-1],0.0.0
Adware.FileTour.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Dodano do kwarantanny, [14771], [-1],0.0.0
Adware.FileTour.BatBitRst, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Dodano do kwarantanny, [14771], [-1],0.0.0
Adware.FileTour.BatBitRst, C:\DOCUMENTS AND SETTINGS\ALL USERS\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Dodano do kwarantanny, [14771], [-1],0.0.0
Adware.FileTour.BatBitRst, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Dodano do kwarantanny, [14771], [-1],0.0.0
Adware.FileTour.BatBitRst, C:\USERS\QBSHEON\APPDATA\LOCAL\TEMP\IS-KUTHO.TMP\F2D28857, Dodano do kwarantanny, [14771], [482281],1.0.3912
Adware.MailRu.BatBitRst, C:\USERS\QBSHEON\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Zastąpiono, [8169], [481467],1.0.3912
Adware.MailRu.BatBitRst, C:\USERS\QBSHEON\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Zastąpiono, [8169], [481467],1.0.3912
 
Sektor fizyczny: 0
(Nie wykryto zagrożeń)
 
 
(end)
 
Sorry for polish language


#4 buddy215

buddy215

  • BC Advisor
  • 12,885 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:06 PM

Posted 10 February 2018 - 04:37 AM

Either in Safe Mode or regular mode do this:

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the

Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download 51a5f31352b88-icon_MBAR.pngMalwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"

 

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#5 QBsheon

QBsheon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 10 February 2018 - 05:53 AM

mbar-log-2018-02-10 (10-44-45).txt

Malwarebytes Anti-Rootkit BETA 1.10.3.1001

www.malwarebytes.org
 
Database version:
  main:    v2018.02.10.02
  rootkit: v2018.01.23.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18893
QBsheon :: QBSHEON-PC [administrator]
 
2018-02-10 10:44:45
mbar-log-2018-02-10 (10-44-45).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 222374
Time elapsed: 4 minute(s), 5 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Users\QBsheon\Desktop\Claymore\EthDcrMiner64.exe (RiskWare.BitCoinMiner) -> Delete on reboot. [8901eaf99a1d81b5d298dcb8db26c43c]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
system-log.txt
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 11.0.9600.18893
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 3.400000 GHz
Memory total: 8525299712, free: 5246726144
 
Downloaded database version: v2018.02.10.02
Downloaded database version: v2018.01.23.01
Downloaded database version: v2018.01.20.01
Initializing...
======================
Driver version: 4.3.0.15
------------ Kernel report ------------
     02/10/2018 10:44:42
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\system32\DRIVERS\iusb3hcs.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\avgRvrt.sys
\SystemRoot\system32\drivers\avgVmm.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\avgbuniva.sys
\SystemRoot\system32\drivers\avgbloga.sys
\SystemRoot\system32\drivers\avgbidsha.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\avgSP.sys
\SystemRoot\system32\drivers\avgSnx.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\avgRdr2.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\drivers\avgbidsdrivera.sys
\SystemRoot\system32\drivers\avgbdiska.sys
\SystemRoot\system32\drivers\avgArPot.sys
\SystemRoot\SysWow64\drivers\AsUpIO.sys
\SystemRoot\SysWow64\drivers\AsIO.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\iusb3xhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\TeeDriverx64.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\dtlitescsibus.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\drivers\WmBEnum.sys
\SystemRoot\system32\drivers\WmXlCore.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\drivers\nvvad64v.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\nvvhci.sys
\SystemRoot\system32\DRIVERS\dtliteusbbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\nvhda64v.sys
\SystemRoot\system32\DRIVERS\iusb3hub.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\athurx.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\avgMonFlt.sys
\SystemRoot\system32\drivers\avgStm.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\System32\Drivers\mbamswissarmy.sys
\SystemRoot\system32\DRIVERS\mbam.sys
\??\C:\Windows\system32\drivers\mbae64.sys
\SystemRoot\System32\Drivers\MbamChameleon.sys
\SystemRoot\system32\DRIVERS\farflt.sys
\SystemRoot\system32\DRIVERS\mwac.sys
\??\C:\Windows\system32\drivers\75764677.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
Done!
 
Scan started
Database versions:
  main:    v2018.02.10.02
  rootkit: v2018.01.23.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa8007030060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800702fb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8007030060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8006ab5680, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800702f060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8006f0b940, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800702f060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8006e0a060, DeviceName: \Device\Ide\IdeDeviceP1T0L0-1\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 910A5526
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 1953519616
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable
 
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
 
Done!
Drive 1
This is a System drive
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 92B6B49B
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition is bootable
    Partition file system is NTFS
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 234231808
    Partition is not bootable
    Partition file system is NTFS
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable
 
Disk Size: 120034123776 bytes
Sector size: 512 bytes
 
Done!
Infected: C:\Users\QBsheon\Desktop\Claymore\EthDcrMiner64.exe --> [RiskWare.BitCoinMiner]
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-1-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-1-1-206848-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished
 
eset.txt
C:\AdwCleaner\Quarantine\frAQBc8Wsa\Update Service\mrupdsrv.exe a variant of Win32/MailRu.L potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\frAQBc8Wsa\YTD Video Downloader\ytd.exe a variant of Win32/YTDDownloader.A potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\x3CF3EDNhm\MailRuUpdater\MailRuUpdater.exe a variant of Win32/MailRu.N potentially unwanted application cleaned by deleting
C:\AdwCleaner\Quarantine\x3CF3EDNhm\Update Service\mrupdsrv.exe a variant of Win32/MailRu.L potentially unwanted application cleaned by deleting
C:\Users\QBsheon\AppData\Local\Temp\27nwf943ez.exe a variant of Win32/MailRu.D potentially unwanted application cleaned by deleting
C:\Users\QBsheon\Desktop\Claymore\cuda6.5\EthDcrMiner64.exe a variant of Win64/CoinMiner.BX potentially unwanted application cleaned by deleting
C:\Users\QBsheon\Desktop\Claymore\cuda7.5\EthDcrMiner64.exe a variant of Win64/CoinMiner.BX potentially unwanted application cleaned by deleting
C:\Users\QBsheon\Desktop\Claymore\Remote manager\EthMan.exe a variant of Win32/CoinMiner.FS potentially unwanted application cleaned by deleting
C:\Users\QBsheon\Downloads\ccsetup539.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting


#6 QBsheon

QBsheon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 10 February 2018 - 06:08 AM

After all these scans nothing changed...

I guess I have to format



#7 buddy215

buddy215

  • BC Advisor
  • 12,885 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:06 PM

Posted 10 February 2018 - 06:20 AM

Are you able to boot into regular mode?

 

Are you still getting a blue screen?


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#8 QBsheon

QBsheon
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:06 AM

Posted 10 February 2018 - 06:31 AM

I am able to boot into regular mode.

I am getting bluescreens when trying to reboot or turn off windows and when ending process "svchost.exe" (the one that loads my cpu in 50% all time)



#9 buddy215

buddy215

  • BC Advisor
  • 12,885 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:06 PM

Posted 10 February 2018 - 06:38 AM

bit coinminers...which were showing up in the scans....can cause damage to cpu and graphics cards by their overuse and overheating.

Most use the cpu.

 

I think you should start a new topic in the malware removal forum. If it is malware that is causing the excess cpu usage....they will find it and remove.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users