
Virus prevents security tools from running, SuperAntiSpyware / Spybot get 0 hits


3 replies to this topic

#1 virushatersal

virushatersal

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:47 AM

Posted 05 August 2018 - 07:52 AM

Alright guys,

 

I am usually an extremely cautious guy. However, after many years of peace, I finally got hit by a virus. And it's a doozy.

I got the virus after I did something extremely foolish in haste. I opened a word document from a USB I plugged into my computer (the USB's long-gone now).

The file immediately opened this webpage on Chrome: xmrmsft (dot) com/hive. I immediately realized I had just messed up. The browser was already running btw.

 

Now, I have been using Windows 7 since it came out and have made do with just one kind of security software: SpyBot S&D.

I update SpyBot and run a System scan but it shows no errors. So I proceed to install MalwareBytes Antimalware. It installs fine but refuses to run. Nothing happens when I double click it. I try running it as an administrator and I get the very generic 'Malwarebytes has stopped working' error window. Same story after reinstalling it.

 

Panicked, I restart my computer. (deadly mistake #2).

Now, I see that all the folders on my external HDD have turned into shortcuts. I immediately disconnect said external HDD. I need to look into how I can clean the external HDD too.

 

I try running msconfig, but it immediately closes. I try running resmon but it instantly closes too.

 

I download Hijackthis, but it crashes immediately with an error message. The error message disappears soon after.

I download DDS, but it crashed with a very similar error message as well!

I download Rkill. This thankfully works, but finds no errors. At all.

 

So I finally download SUPERAntiSpyware. I have never used it before but it appeared to work fine. I do a complete system scan. All it does is catch a few tracking cookies, but that's it. No infected files, nothing in memory, nada!

 

Anyways, I soon discover that if I run Hijackthis while the DDS error message is on display, I can find just enough time to run the scan and save the logfile. I try it with DDS and I manage to get an attach.txt as well.

 

Rkill.txt: 

Attached File  Rkill.txt   3.59KB   49 downloads

 
DDS attach.txt: 
Attached File  attach.txt   255.73KB   46 downloads
 
Hijackthis.log: 
Attached File  hijackthis.log   9.18KB   47 downloads
 
EDIT:  Added dds.txt :
Attached File  dds.txt   19.1KB   47 downloads
 
EDIT: Also added FRST Reports:
 
FRST.txt
Attached File  FRST.txt   35.68KB   51 downloads
 
Addition.txt:

Attached File  Addition.txt   61.6KB   49 downloads

 

Here's the Hijackthis/DDS error message:

(Note: the id= field changes every time I run them.)

Application has generated an exception that could not be handled;

Process id=0xef5a8e(15686286), Thread id=0xef84ef (15697135).

Click OK to terminate the application.
Click CANCEL to debug the application.

Here's the error message details from the Malwarebytes crash:

Problem signature:
  Problem Event Name: APPCRASH
  Application Name: mbam.exe
  Application Version: 3.0.0.1523
  Application Timestamp: 5b2a6dfb
  Fault Module Name: Qt5Core.dll
  Fault Module Version: 5.6.3.0
  Fault Module Timestamp: 5a61293e
  Exception Code: c0000005
  Exception Offset: 001aa816
  OS Version: 6.1.7601.2.1.0.256.1
  Locale ID: 1033
  Additional Information 1: 0a9e
  Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
  Additional Information 3: 0a9e
  Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

Any help I can get would be appreciated. This is my first time joining a forum btw.


Edited by virushatersal, 05 August 2018 - 08:21 AM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:47 PM

Posted 06 August 2018 - 07:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

(Microsoft Corporation) C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe
(Microsoft Corporation) C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk [2018-08-05]
ShortcutTarget: Start.lnk -> C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe (Microsoft Corporation)
Startup: C:\Users\Salman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk [2018-08-05]
GroupPolicy\User: Restriction ? <==== ATTENTION
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Users\Salman\Downloads\IDM\IDMIECC64.dll => No File
FF user.js: detected! => C:\Users\Salman\AppData\Roaming\Mozilla\Firefox\Profiles\q8evvnfq.default\user.js [2018-08-05]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Users\Salman\Downloads\IDM\IDMGCExt.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [jmolcgpienlcieaajfkkdamlngancncm] - C:\Users\Salman\Downloads\IDM\IDMGCExt.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Users\Salman\Downloads\IDM\IDMGCExt.crx <not found>

C:\Users\Salman\AppData\Roaming\coxpqmx
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk
C:\Users\Salman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please run Malwarebytes and clean everything that will be identified.

If unable to run please follow these instructions.
Download and run the Malwarebytes Cleanup Utility
https://support.malwarebytes.com/docs/DOC-1112

When completed restart the computer normally to reset the registry.

Reinstall Malwarebytes and scan the computer. Remove all the entries that will be found.

===

Let me know what problem persists.
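A small triage pass over FRST log entries of the kind the fixlist above targets, written in Python as an added example (not a tool from this thread, from Farbar, or from nasdaq): it flags "Microsoft Corporation"-branded binaries launched from user-writable folders, startup shortcuts that point at such binaries, entries FRST itself marked ATTENTION, and orphaned leftovers. The sample lines are copied from the fixlist above plus one constructed benign control line (svchost.exe); the folder heuristics are this example's own assumption, not FRST's logic.

```python
import re

# Constructed sample input: entries copied from the FRST fixlist posted in
# this thread, plus one benign control line (svchost.exe) added for contrast.
SAMPLE_FRST_LINES = r"""
(Microsoft Corporation) C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk [2018-08-05]
ShortcutTarget: Start.lnk -> C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe (Microsoft Corporation)
GroupPolicy\User: Restriction ? <==== ATTENTION
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Users\Salman\Downloads\IDM\IDMIECC64.dll => No File
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Users\Salman\Downloads\IDM\IDMGCExt.crx <not found>
"""

# Assumed heuristic: folders a normal user can write to. A binary claiming to be
# from Microsoft but started from one of these deserves a second look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
PROCESS_RE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<path>[A-Z]:\\.+\.exe)$", re.IGNORECASE)
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (?P<lnk>\S+) -> (?P<path>[A-Z]:\\.+?\.exe)", re.IGNORECASE)

def triage(log_text):
    """Return (severity, reason, line) tuples for FRST lines worth investigating."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m and USER_WRITABLE.search(m["path"]):
            findings.append(("high", f"'{m['publisher']}' process running from a user-writable folder", line))
            continue
        m = SHORTCUT_RE.match(line)
        if m and USER_WRITABLE.search(m["path"]):
            findings.append(("high", f"startup shortcut {m['lnk']} launches a binary from a user-writable folder", line))
            continue
        if "<==== ATTENTION" in line:
            findings.append(("medium", "entry flagged by FRST (here: a user Group Policy restriction that can block tools)", line))
            continue
        if line.endswith("=> No File") or line.endswith("<not found>"):
            findings.append(("low", "orphaned entry pointing at a file that no longer exists", line))
    return findings

def count_by_severity(findings):
    """Tally findings per severity so a quick summary can be printed or tested."""
    return {sev: sum(1 for s, _, _ in findings if s == sev) for sev in ("high", "medium", "low")}

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_FRST_LINES):
        print(f"[{severity:6}] {reason}\n         {line}")
```

The benign svchost.exe line produces no finding, while the coxpqmx binary is reported twice: once as a running process and once as the target of Start.lnk, which is exactly the pair of entries the fixlist removes.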

#3 virushatersal

virushatersal
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:47 AM

Posted 06 August 2018 - 03:33 PM

Thank you so much for your time nasdaq! Much appreciated!

 

I'll come clean though. I got a little impatient and tried my luck with a few more antivirus programs myself first.

Eset and Kaspersky seemed to finally work and got rid of the virus (although it appears, not completely).

 

Anyways, I ran the FRST fix, and it seems to have successfully removed remaining traces of the malware.

The Malwarebytes scan confirms that my computer is now malware free! Everything is working fine now, including the external HDD.

 

Here's the content of FRST Fixlog.txt, as requested.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.08.2018
Ran by Salman (06-08-2018 20:31:10) Run:1
Running from C:\Users\Salman\Desktop
Loaded Profiles: Salman (Available Profiles: Salman)
Boot Mode: Normal
==============================================


fixlist content:
*****************
start


CreateRestorePoint:
CloseProcesses:


(Microsoft Corporation) C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe
(Microsoft Corporation) C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk [2018-08-05]
ShortcutTarget: Start.lnk -> C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe (Microsoft Corporation)
Startup: C:\Users\Salman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk [2018-08-05]
GroupPolicy\User: Restriction ? <==== ATTENTION
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Users\Salman\Downloads\IDM\IDMIECC64.dll => No File
FF user.js: detected! =>
C:\Users\Salman\AppData\Roaming\Mozilla\Firefox\Profiles\q8evvnfq.default\user.js [2018-08-05]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Users\Salman\Downloads\IDM\IDMGCExt.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [jmolcgpienlcieaajfkkdamlngancncm] - C:\Users\Salman\Downloads\IDM\IDMGCExt.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Users\Salman\Downloads\IDM\IDMGCExt.crx <not found>


C:\Users\Salman\AppData\Roaming\coxpqmx
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk
C:\Users\Salman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk


Reboot:


End
*****************


Restore point was successfully created.
Processes closed successfully.
C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe => Could not close process
C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe => Could not close process
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk" => not found
"C:\Users\Salman\AppData\Roaming\coxpqmx\qtkhlkklu32.exe" => not found
"C:\Users\Salman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk" => not found
C:\Windows\system32\GroupPolicy\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}" => removed successfully
"HKLM\Software\Classes\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}" => removed successfully
"FF user.js: detected! =>" => not found
"C:\Users\Salman\AppData\Roaming\Mozilla\Firefox\Profiles\q8evvnfq.default\user.js [2018-08-05]" => not found
"HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jmolcgpienlcieaajfkkdamlngancncm" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" => removed successfully
"C:\Users\Salman\AppData\Roaming\coxpqmx" => not found
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk" => not found
"C:\Users\Salman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk" => not found




The system needed a reboot.


==== End of Fixlog 20:31:24 ====


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:47 PM

Posted 07 August 2018 - 05:52 AM

Hi,

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



