1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Strange Processes Slowing Me Down

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Merkava, Nov 10, 2017.

  1. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One more thing.....if it is not in task manager, you can find it by going to start/run and type in %appdata% ....when it opens, add to the address bar Local. Then delete the file.
     
  2. Merkava

    Merkava Private First Class

    Access denied. If you're referring to Startup under msconfig, it doesn't show up. If you're talking about Task Manager, I'm guessing the fact that I'm running Windows 7 means there is no Startup tab under TaskMgr. When I right click on the process and choose "Open File Location" it says Access denied again.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now we need to reset the permissions altered by the malware on some files.
    • Download this tool and save it to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: Don't double click, use right click and select Run As Administrator).

    Now download ComboFix to your desktop. Turn off any AV software you have before you run it. Attach the log when finished. Do not do anything while it is running or it may stall the program.
     
  4. Merkava

    Merkava Private First Class

    I assumed I was to run inherit.exe. FixPerm brought up a CMD prompt. ComboFix didn't appear to do anything. No gui, no confirmation messages, nothing. Not sure where a log might be.

    I have Avast on, and I looked up how to turn it off and the consensus was that turning off the shields would be sufficient. Otherwise, I'll have to uninstall. Recommendation?
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Combo should have brought up a command window.

    Please download the latest version of FRST the below link.
    Farbar Recovery Scan Tool and save it to your Desktop.


    Note: Make sure you download the proper version ( 32 bit or 64 bit ) for your PC. Only one will run, the correct one. So it you make a mistake and download the wrong one, go back and get the other.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just in case I am not available later......after running FRST, please do this:

    Open a blank Notepad. Save the command below in Bold text in the
    blank Notepad as a text file so that you can copy/paste it while in safe
    mode:
    "%userprofile%\desktop\combofix.exe" /wow

    Reboot the computer into Safe mode.

    once in safe mode and logged in as an Administrator, please continue with
    the instructions below:

    Go to start-->run and copy/paste in the following from the Notepad you
    saved and click "OK":
    "%userprofile%\desktop\combofix.exe" /wow

    When finished, it will produce a log for you. Save it and post that log
    in your next reply.
     
  7. Merkava

    Merkava Private First Class

    FRST logs.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64/32.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Adminstrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)

    Have you also tried Combo in safe mode? If not, do the above first then try.
     

    Attached Files:

  9. Merkava

    Merkava Private First Class

    Sorry been away so long. Holiday stuff and life stuff. Here's the fixlog, and a periodic re-thank you for all of this effort at helping me get this mess fixed! :)
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome back. If you still have Blitz on your system, let's try it one more time:

    Double-click BlitzBlank.exe to open (If running Vista, Win 7, or Win 8, 10 use right-click and select Run as Administrator)
    Press OK at the warning prompt.
    Click the Script tab
    Copy the text inside the code box below and paste it into the text-field.
    Code:
    DeleteFile: ReplaceWithDummy
              "C:\Users\OWNER\AppData\Local\zadtgpv"
              "C:\Users\OWNER\AppData\Local\exibrgo"
              "C:\Windows\system32\auctreg"
              "C:\Windows\CSC"
    
    Now click the Execute Now button.
    The fix will require a reboot in order to complete successfully.
    Upon reboot, locate C:\blitzblank.log and upload this log to your next message.

    Now let's try FRST again as directed:
    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Adminstrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)


    Once you have rebooted, please try doing the Combo scan as described in post# 106.
     

    Attached Files:

    Last edited: Nov 28, 2017
  11. Merkava

    Merkava Private First Class

    Blitz still gives syntax error.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It was worth a try. Did you do the rest?
     
  13. Merkava

    Merkava Private First Class

    I can't get Fixlist to DL for some reason. I tried "Open", then "Save As" in notepad, but no dice. Might need a reboot? Dunno. Going to try again in a bit. Trying to multitask somewhat. Or should I skip to the Combo scan?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Copy the following to notepad and save it to your desktop as fixlist:

    Start
    CloseProcesses:
    RemoveDirectory: C:\Users\OWNER\AppData\Local\zadtgpv
    RemoveDirectory: C:\Users\OWNER\AppData\Local\exibrgo
    RemoveDirectory: C:\Windows\CSC
    RemoveDirectory: C:\Windows\system32\auctreg
    Reboot:
    EmptyTemps:
    End
     
  15. Merkava

    Merkava Private First Class

    Can't even name it Fixlist without a permissions error!
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Right click notepad and choose Run as Admin.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    By the way, did you ever run the ESET online scan?
     
  18. Merkava

    Merkava Private First Class

    It didn't reboot, so I'll post this then restart and do the Combo scan.
     

    Attached Files:

  19. Merkava

    Merkava Private First Class

    The Combo scan didn't produce a log that I can see. Would it go somewhere other than desktop?

    I had, but I think there were other things going on and it got lost in the shuffle. Doing it again now (No "Scan Archive" option, btw. Newer version?)
     
  20. Merkava

    Merkava Private First Class

    I'm thinking ESET might've shut down prematurely, caused a reboot, or something.
     
  21. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Requested log directories:
    Combofix - C:\ComboFix.txt
    ESET Online Scanner - C:\users\%userprofile%\appdata\local\temp\log.txt
     
  22. Merkava

    Merkava Private First Class

    ESET is finished and found a few things. Combofix wasn't installed and the installer won't run.
     

    Attached Files:

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    NoVirusThanks Smart File Delete

    Please download No Virus to your desktop.

    Use the Add Files button to find and add the files you want to delete. The files will be deleted upon reboot.

    C:\Users\OWNER\AppData\Local\zadtgpv
    C:\Users\OWNER\AppData\Local\exibrgo
    C:\Windows\CSC
    C:\Windows\system32\auctreg

    After reboot, if there is a log, attach it. If not, rerun FRST and attach that log.
     
  24. Merkava

    Merkava Private First Class

    Access denied when trying to add those for deletion.
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run RKill first and try again.
     
  26. Merkava

    Merkava Private First Class

    Did. No luck.
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try Unlocker
    http://www.majorgeeks.com/files/details/unlocker.html

    Not sure, but try right clicking the file and you should see an option to Unlock.

    Once installed, you can right-click a stubborn file and select Unlocker to start the process of freeing it up. The Process Path column will tell you which program is holding onto the file, so you can close it. If that doesn’t work, check out the options at the bottom of the window. The pull-down menu on the right lets you select what happens to a file after you free it up. You can then click Unlock to make it erasable. If that doesn’t work, try Kill Process.
     
  28. Merkava

    Merkava Private First Class

    The options and layout are different from your description. I click on "Start Unlocker", then it gives me a navigation window to find the file. In several instances it says "No locking handle found", but it gives a drop-down with No Action, Delete, Rename, Move. Upon choosing delete there are still instances where it says it can't be deleted, but it will perform deletion at next boot. Tried twice - even with RKill, and they don't disappear or they come back(the ones that are reported deleted at first attempt).
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK....we will try one last thing and if it doesn't work, I am going to suggest you do a system restore (your only available restore point is 7/20).

    Please download this:

    Take Ownership

    Double click the zip and click on Add Take Ownership to Context menu.reg.

    Once the reg hack has been installed, try deleting the files with No Virus.
     
  30. Merkava

    Merkava Private First Class

    Access still denied.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, I've used everything in my bag of tricks. I can only suggest you do a system restore. :(
     
  32. Merkava

    Merkava Private First Class

    Okay, long time no reply.

    I finally figured I should use my Comodo Rescue Disk, booting from DVD drive, and BOOM. Looks like it's gone.

    I highly recommend it. :cool:
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That's good news!

    "I highly recommend it." It looks like it is not supported for Win10.
     
    Last edited: Jan 6, 2018
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Merkava, can you confirm the removal by providing logs that are now clean? We are trying to formulate a fix for this rootkit.
     
  35. Merkava

    Merkava Private First Class

    Alas, however, and alack, the infection came back. IT's really embedded itself, making folders nd files inaccessible for deletion. :/
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I want you to try this: (it's complicated so just be as mindful as you can to the instructions)

    If your computer does not have the Windows Recovery Environment installed and available you can use the following method to run the Recovery Environment from a bootable USB disk.

    NOTE: This USB disk needs to be created from a clean computer. You cannot use an infected computer for this process

    NOTE: An 8GB USB 2.0 stick is required or at least recommended. In some cases a USB 3.0 disk can be used but some computers have issues booting from USB 3.0 disks.

    Example drive (no endorsement implied, example only) - This drive example has not been tested by me. It is an older 2015 model with many good reviews though.
    Amazon: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)
    NewEgg: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)


    STEP 1
    Download a Windows 8 ISO image from MG's.

    Method A: Using the Microsoft Media Creation Tool
    https://www.microsoft.com/en-gb/software-download/windows8
    Download the Media Creation Tool: https://go.microsoft.com/fwlink/?LinkId=691209

    Follow the instructions displayed on the tool to download the Windows 8 ISO image.

    In my testing I was not prompted for a license key to download the latest Windows8 ISO image.
    At the time of this writing 2017/12/21 there was only one ISO image offered. Windows 10

    32-bit x86 or 64-bit x64

    Note: You need to run the version compatible with your system.
    You can check here if you're not sure if your computer is 32-bit or 64-bit

    Method B: If Method A: above is not working for you then you can try the following method
    Microsoft Windows and Office ISO Download Tool (this is not an authorized Microsoft tool, but appears to be legal)
    http://www.majorgeeks.com/files/details/microsoft_windows_iso_download_tool.html

    STEP 2
    If you were unable to use the Windows Media Creation Tool in STEP 1 to create a USB disk then you can use this tool to burn the Windows 10 ISO image from STEP 1 above.

    Download the Windows USB/DVD Download Tool from Gitbub and save to your computer.
    English version: https://github.com/mantas-masidlaus...ws7-USB-DVD-Download-Tool-Installer-en-US.exe

    Then install the Windows USB/DVD Download Tool and run it to burn a bootable USB disk from the ISO image. Browse to the location where you saved the Windows 10 ISO image in STEP 1
    Note: This tool should work on XP, Vista, Windows 7, or Windows 10 - it is simply used to make a bootable USB disk. Remember, all of this needs to be done on a clean computer.

    [img=[URL]https://i.imgur.com/MCWx4mf.jpg[/URL]]

    [img=[URL]https://i.imgur.com/5IvFX1o.jpg[/URL]]

    [img=[URL]https://i.imgur.com/1hzeggf.jpg[/URL]]

    [img=[URL]https://i.imgur.com/g1iLLSH.jpg[/URL]]

    [img=[URL]https://i.imgur.com/KkzebK6.jpg[/URL]]

    STEP 3
    Please download the Farbar Recovery Scan Tool and save it to your desktop or other location you know where it's saved to. Then copy it to the USB disk you just created.

    Note: You need to run the version compatible with your system.
    You can check here if you're not sure if your computer is 32-bit or 64-bit

    STEP 4
    Shut down the infected computer. Do Not insert the USB disk you created until the infected computer has been shut down.
    Once the computer is shut down then insert the newly created Windows 10 USB disk into the infected computer and power it back on and press the appropriate key to bring up the boot menu. The link below will help show you which key for various computers manufacturers is used to bring up the boot menu. Most will be either USB or UEFI depending on hardware and settings. If the computer boots up into the Normal Windows instead of the USB stick it may become infected and need to be completely redone again. Make sure you select the correct boot option.

    How to Boot Your Computer from a USB Flash Drive

    STEP 5
    Once the computer starts to boot up from the USB disk, follow the screens and directions below.

    [img=[URL]https://i.imgur.com/Gvt31DC.jpg[/URL]]

    [img=[URL]https://i.imgur.com/wk8hs0E.jpg[/URL]]

    [img=[URL]https://i.imgur.com/F2gCAoF.jpg[/URL]]

    [img=[URL]https://i.imgur.com/X8NEEvb.jpg[/URL]]

    You will need to open NOTEPAD.EXE to help find out which drive is your Windows drive and which drive is your USB disk drive you just created

    [img=[URL]https://i.imgur.com/O27kz3e.jpg[/URL]]

    [img=[URL]https://i.imgur.com/RRI6og4.jpg[/URL]]

    For the more advanced user you could also use DISKPART to help locate which drive is mapped to your USB disk. In most cases the USB disk will be either D: or E: but depending on hardware the drive could be a much higher level such as H: or higher.

    Example only - your hardware will look different
    Code:
    DISKPART> list volume
    
      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
      Volume 0     Z                       DVD-ROM         0 B  No Media
      Volume 1     C                NTFS   Partition    931 GB  Healthy    System
      Volume 2     Q   SEA-USB-4.0  NTFS   Partition   3725 GB  Healthy
      Volume 3     D                NTFS   Removable   7636 MB  Healthy
    Go back to the DOS Command Prompt (if you used DISKPART type in Exit and press the Enter key) and type in the following and press the Enter key.

    CD /D D: (or E: or whichever drive letter the USB stick is on)

    Then type in CD\
    and press the Enter key to get to the root or top of the USB disk.

    Then type in FRST or FRST64 (depending on which version your computer uses) and click the Scan button.

    A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

    If all went well you should now be able to boot into Normal Mode and run Malwarebytes and run a Threat Scan to have it finish the removal process.
     
  37. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you still have the log from Comodo: c:\cce_linux\Logs

    I would like to see it. Also....if you try running Comodo again, be sure to run MBAM as soon as you get back into windows. I would also like to see that log.
     
  38. Merkava

    Merkava Private First Class

    Ooh, sorry. It's been completely reformatted. Unfortunately I also forgot to upload a few other files as I intended. They weren't too important, though.
     
  39. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That's fine. Probably the easiest fix. :)
     

Share This Page


MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds


<