Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - prophecy

Pages: [1]
1
Malware removal help / Virus that just won't go away
« on: May 15, 2017, 12:42:18 AM »
I got a virus today that nothing will remove. I've tried RKill, Zemana,HitmanPro, ESET, and it doesn't allow me to start MBAM or TDSSKiller.

It's also blocking other applications from accessing the internet, like gaming chat systems (discord) or my antiviruses and also has disabled my recovery for windows so i can't recover to an earlier recovery point.

(got Malwarebytes to work using MBAM Chameleon but it failed to fix the problem.)

Here are my logs from ADW and RogueKiller, I also ran a scan on FRST and attached the logs it gave me below.

it also says ntuserlitelist was removed at reboot but if I scan again all the "threats" are still there that were detected before the reboots.

ADW:
# AdwCleaner v6.046 - Logfile created 14/05/2017 at 18:39:55
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-05-14.2 [Server]
# Operating System : Windows 8.1  (X64)
# Username : Dee - DANTE
# Running from : C:\Users\Dee\Downloads\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

Service Found:  Dataup
Service Found:  windowsmanagementservice
Service Found:  drmkpro64
Service Found:  dataup


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\dataup
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\dataup
Value Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [cpx]


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [3270 Bytes] - [14/05/2017 17:24:19]
C:\AdwCleaner\AdwCleaner[S0].txt - [3040 Bytes] - [14/05/2017 17:23:52]
C:\AdwCleaner\AdwCleaner[S1].txt - [1812 Bytes] - [14/05/2017 17:28:28]
C:\AdwCleaner\AdwCleaner[S2].txt - [1639 Bytes] - [14/05/2017 18:39:55]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1712 Bytes] ##########


RogueKiller:

RogueKiller V12.10.8.0 (x64) [May  8 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Dee [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/14/2017 18:00:51 (Duration : 00:32:26)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 25 ¤¤¤
[Adw.Yelloader|Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | cpx : "C:\Users\Dee\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup
  • -> ERROR [5]
[Adw.Yelloader|Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | svcvmx : "C:\Users\Dee\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup
  • -> ERROR [5]
[PUP.Gen0|Adw.Yelloader|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dataup (C:\Users\Dee\AppData\Local\ntuserlitelist\dataup\dataup.exe) -> ERROR [5]
[PUP.BetterAds] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srcsrv (C:\Windows\src_srv\winsrcsrv.exe) -> Deleted
[PUP.Gen0|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\windowsmanagementservice (C:\Users\Dee\AppData\Local\gvvcoovf\ct.exe) -> ERROR [5]
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Not selected
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Deleted
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Deleted
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Deleted
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3449829512-4136246939-2097004572-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3449829512-4136246939-2097004572-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[PUP.OnlineIO][File] C:\Windows\SysWOW64\splsrv.exe -> Deleted
[Adw.Yelloader][Folder] C:\Users\Dee\AppData\Local\ntuserlitelist -> Removed at reboot [91]
[Adw.Yelloader][Folder] C:\Users\Dee\AppData\Local\ntuserlitelist\dataup -> Removed at reboot [5]
[Adw.Yelloader][Folder] C:\Users\Dee\AppData\Local\ntuserlitelist\svcvmx\locales -> Removed at reboot [5]
[Adw.Yelloader][Folder] C:\Users\Dee\AppData\Local\ntuserlitelist\svcvmx -> Removed at reboot [5]

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: KINGSTON SHSS37A120G +++++
--- User ---
[MBR] 48378fa5e95500ad47092173ba34b1eb
[BSP] 018f41e5de38c296417a82b1e7e378f3 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 300 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 616448 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 821248 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1083392 | Size: 113944 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: TOSHIBA DT01ACA100 SCSI Disk Device +++++
--- User ---
[MBR] a9f1c4e643a2095827a7dc39cbccb5b8
[BSP] b3c6e248b3df8214aa3de5bf383ab0da : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )



Pages: [1]