Topic: Virus that just won't go away



prophecy (Newbie)
Virus that just won't go away
« on: May 15, 2017, 12:42:18 am »
I got a virus today that nothing will remove. I've tried RKill, Zemana, HitmanPro, ESET, and it doesn't allow me to start MBAM or TDSSKiller.

It's also blocking other applications from accessing the internet, like gaming chat systems (Discord) or my antiviruses, and it has also disabled my recovery for Windows so I can't recover to an earlier recovery point.

(Got Malwarebytes to work using MBAM Chameleon, but it failed to fix the problem.)

Here are my logs from ADW and RogueKiller, I also ran a scan on FRST and attached the logs it gave me below.

It also says ntuserlitelist was removed at reboot, but if I scan again all the "threats" that were detected before the reboots are still there.

ADW:
# AdwCleaner v6.046 - Logfile created 14/05/2017 at 18:39:55
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-05-14.2 [Server]
# Operating System : Windows 8.1  (X64)
# Username : Dee - DANTE
# Running from : C:\Users\Dee\Downloads\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

Service Found:  Dataup
Service Found:  windowsmanagementservice
Service Found:  drmkpro64
Service Found:  dataup


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup
Key Found:  HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\dataup
Key Found:  [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\dataup
Value Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [cpx]


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [3270 Bytes] - [14/05/2017 17:24:19]
C:\AdwCleaner\AdwCleaner[S0].txt - [3040 Bytes] - [14/05/2017 17:23:52]
C:\AdwCleaner\AdwCleaner[S1].txt - [1812 Bytes] - [14/05/2017 17:28:28]
C:\AdwCleaner\AdwCleaner[S2].txt - [1639 Bytes] - [14/05/2017 18:39:55]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1712 Bytes] ##########


RogueKiller:

RogueKiller V12.10.8.0 (x64) [May  8 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Dee [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/14/2017 18:00:51 (Duration : 00:32:26)

Processes : 0

Registry : 25
[Adw.Yelloader|Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | cpx : "C:\Users\Dee\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup -> ERROR [5]
[Adw.Yelloader|Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | svcvmx : "C:\Users\Dee\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup -> ERROR [5]
[PUP.Gen0|Adw.Yelloader|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dataup (C:\Users\Dee\AppData\Local\ntuserlitelist\dataup\dataup.exe) -> ERROR [5]
[PUP.BetterAds] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srcsrv (C:\Windows\src_srv\winsrcsrv.exe) -> Deleted
[PUP.Gen0|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\windowsmanagementservice (C:\Users\Dee\AppData\Local\gvvcoovf\ct.exe) -> ERROR [5]
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Not selected
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Deleted
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Deleted
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Deleted
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3449829512-4136246939-2097004572-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3449829512-4136246939-2097004572-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)

Tasks : 0

Files : 2
[PUP.OnlineIO][File] C:\Windows\SysWOW64\splsrv.exe -> Deleted
[Adw.Yelloader][Folder] C:\Users\Dee\AppData\Local\ntuserlitelist -> Removed at reboot [91]
[Adw.Yelloader][Folder] C:\Users\Dee\AppData\Local\ntuserlitelist\dataup -> Removed at reboot [5]
[Adw.Yelloader][Folder] C:\Users\Dee\AppData\Local\ntuserlitelist\svcvmx\locales -> Removed at reboot [5]
[Adw.Yelloader][Folder] C:\Users\Dee\AppData\Local\ntuserlitelist\svcvmx -> Removed at reboot [5]

WMI : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: KINGSTON SHSS37A120G +++++
--- User ---
[MBR] 48378fa5e95500ad47092173ba34b1eb
[BSP] 018f41e5de38c296417a82b1e7e378f3 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 300 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 616448 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 821248 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1083392 | Size: 113944 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: TOSHIBA DT01ACA100 SCSI Disk Device +++++
--- User ---
[MBR] a9f1c4e643a2095827a7dc39cbccb5b8
[BSP] b3c6e248b3df8214aa3de5bf383ab0da : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )


« Last Edit: May 15, 2017, 01:29:45 am by prophecy »
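A triage script for the RogueKiller output above, added here as an example; it is not part of the original post and not Adlice's tooling. It parses the registry and file entries in the form they appear in the log (the line format is inferred from the lines shown, not from any RogueKiller specification), lists which removals failed together with the Win32 meaning of the error code, and flags the two things a responder would look at first in this log: autostart entries whose executable lives in the user's profile, and proxy settings that point at 127.0.0.1, which accounts for the "other applications can't reach the internet" symptom. The sample lines are copied from the log above; the mapping of codes 2 and 5 to ERROR_FILE_NOT_FOUND and ERROR_ACCESS_DENIED is the standard Win32 one.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the RogueKiller log posted above (not constructed), plus two
# non-finding lines so the filtering is exercised. The forum rendering put some results on a
# separate "• -> ERROR [5]" line; RogueKiller writes them at the end of the entry. Both forms parse.
SAMPLE_LOG = r"""
Registry : 25
[Adw.Yelloader|Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | cpx : "C:\Users\Dee\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup
  • -> ERROR [5]
[Adw.Yelloader|Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | svcvmx : "C:\Users\Dee\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup
  • -> ERROR [5]
[PUP.Gen0|Adw.Yelloader|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dataup (C:\Users\Dee\AppData\Local\ntuserlitelist\dataup\dataup.exe) -> ERROR [5]
[PUP.BetterAds] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srcsrv (C:\Windows\src_srv\winsrcsrv.exe) -> Deleted
[PUP.Gen0|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\windowsmanagementservice (C:\Users\Dee\AppData\Local\gvvcoovf\ct.exe) -> ERROR [5]
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> Deleted
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : 127.0.0.1:8003  -> ERROR [2]
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUP.OnlineIO][File] C:\Windows\SysWOW64\splsrv.exe -> Deleted
[Adw.Yelloader][Folder] C:\Users\Dee\AppData\Local\ntuserlitelist -> Removed at reboot [91]
[MBR] 48378fa5e95500ad47092173ba34b1eb
"""

WIN_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}  # Win32 codes in "ERROR [n]"

LINE_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\]"             # [Adw.Yelloader|Suspicious.Path]
    r"(?:\[(?P<kind>File|Folder)\])?"    # optional [File] / [Folder]
    r"\s*(?:\((?P<arch>X86|X64)\))?"     # optional (X86) / (X64) registry view
    r"\s*(?P<body>.*?)"                  # location | name : data
    r"(?:\s*->\s*(?P<result>.+))?$"      # optional "-> Deleted" / "-> ERROR [5]"
)
CONT_RE = re.compile(r"^\s*(?:[•*-]\s*)?->\s*(?P<result>.+)$")  # result wrapped onto its own line
ERROR_RE = re.compile(r"ERROR \[(\d+)\]")
USER_WRITABLE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)


@dataclass
class Finding:
    tags: list
    kind: str      # "File", "Folder" or "" for registry entries
    arch: str
    location: str  # registry key or filesystem path
    name: str      # value name, or "" when the entry is a key/path only
    data: str      # value data or service image path
    result: str    # what RogueKiller did: Deleted, Replaced (..), ERROR [n], ...


def parse_body(body):
    """Split 'key | name : data', 'key (image)' or a bare path into (location, name, data)."""
    if " | " in body:
        location, rest = body.split(" | ", 1)
        name, _, data = rest.partition(" : ")
        return location.strip(), name.strip(), data.strip()
    m = re.match(r"^(?P<loc>.*?)\s*\((?P<data>[^()]*)\)\s*$", body)
    if m:
        return m.group("loc"), "", m.group("data")
    return body.strip(), "", ""


def parse_log(text):
    findings = []
    for line in text.splitlines():
        cont = CONT_RE.match(line)
        if cont and findings:  # attach a wrapped "-> result" line to the previous entry
            findings[-1].result = cont.group("result").strip()
            continue
        m = LINE_RE.match(line)
        if not m or "." not in m.group("tags"):  # skip "[MBR] ..." and other non-detection lines
            continue
        location, name, data = parse_body(m.group("body"))
        findings.append(Finding(m.group("tags").split("|"), m.group("kind") or "", m.group("arch") or "",
                                location, name, data, (m.group("result") or "").strip()))
    return findings


def unresolved(findings):
    """Entries whose removal failed, with the Win32 meaning of the error code."""
    hits = [(f, ERROR_RE.search(f.result)) for f in findings]
    return [(f, int(m.group(1)), WIN_ERRORS.get(int(m.group(1)), "unknown")) for f, m in hits if m]


def risky_autostarts(findings):
    """Run values or services whose image lives under the user's AppData\\Local."""
    return [f for f in findings
            if ("\\Run" in f.location or "\\Services\\" in f.location) and USER_WRITABLE.search(f.data)]


def loopback_proxy(findings):
    """ProxyServer values pointing at 127.0.0.1: traffic is being funnelled through a local process."""
    return [f for f in findings if f.name == "ProxyServer" and f.data.startswith("127.0.0.1")]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f, code, meaning in unresolved(found):
        print(f"NOT REMOVED [{code} {meaning}] {f.location} {f.name} {f.data}".rstrip())
    for f in risky_autostarts(found):
        print("AUTOSTART FROM USER PROFILE:", f.location, f.data)
    for f in loopback_proxy(found):
        print("LOOPBACK PROXY:", f.location, f.data)
```

Run it against a saved RogueKiller report by passing the file's text to `parse_log`. The useful signal is the ERROR_ACCESS_DENIED entries: removal was attempted with administrator rights and still failed, which is why the same items keep reappearing on rescans and is the kind of detail worth quoting when asking for help.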


Curson (Global Moderator, Hero Member)
Re: Virus that just won't go away
« Reply #1 on: May 15, 2017, 04:49:53 pm »
Hi prophecy,

Welcome to Adlice.com Forum.

Download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is the computer running now?

Regards.

Note: This thread has been moved to the "Malware removal help" section for clarity.