Strange Processes Slowing Me Down

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Merkava, Nov 10, 2017.

  1. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One more thing.....if it is not in task manager, you can find it by going to start/run and type in %appdata% ....when it opens, add to the address bar Local. Then delete the file.
     
  2. Merkava

    Merkava Private First Class

    Access denied. If you're referring to Startup under msconfig, it doesn't show up. If you're talking about Task Manager, I'm guessing the fact that I'm running Windows 7 means there is no Startup tab under TaskMgr. When I right click on the process and choose "Open File Location" it says Access denied again.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now we need to reset the permissions altered by the malware on some files.
    • Download this tool and save it to your Desktop: Inherit.exe
    • It must be on your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: Don't double click, use right click and select Run As Administrator).

    Now download ComboFix to your desktop. Turn off any AV software you have before you run it. Attach the log when finished. Do not do anything while it is running or it may stall the program.
     
  4. Merkava

    Merkava Private First Class

    I assumed I was to run inherit.exe. FixPerm brought up a CMD prompt. ComboFix didn't appear to do anything. No gui, no confirmation messages, nothing. Not sure where a log might be.

    I have Avast on, and I looked up how to turn it off and the consensus was that turning off the shields would be sufficient. Otherwise, I'll have to uninstall. Recommendation?
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Combo should have brought up a command window.

    Please download the latest version of FRST from the below link.
    Farbar Recovery Scan Tool and save it to your Desktop.

    Note: Make sure you download the proper version ( 32 bit or 64 bit ) for your PC. Only one will run, the correct one. So if you make a mistake and download the wrong one, go back and get the other.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just in case I am not available later......after running FRST, please do this:

    Open a blank Notepad. Save the command below in Bold text in the
    blank Notepad as a text file so that you can copy/paste it while in safe
    mode:
    "%userprofile%\desktop\combofix.exe" /wow

    Reboot the computer into Safe mode.

    Once in safe mode and logged in as an Administrator, please continue with
    the instructions below:

    Go to start-->run and copy/paste in the following from the Notepad you
    saved and click "OK":
    "%userprofile%\desktop\combofix.exe" /wow

    When finished, it will produce a log for you. Save it and post that log
    in your next reply.
     
  7. Merkava

    Merkava Private First Class

    FRST logs.
     

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64/32.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt); please attach this new log to your next reply (attach or paste)

    Have you also tried Combo in safe mode? If not, do the above first then try.
     

  9. Merkava

    Merkava Private First Class

    Sorry been away so long. Holiday stuff and life stuff. Here's the fixlog, and a periodic re-thank you for all of this effort at helping me get this mess fixed! :)
     

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome back. If you still have Blitz on your system, let's try it one more time:

    Double-click BlitzBlank.exe to open (If running Vista, Win 7, or Win 8, 10 use right-click and select Run as Administrator)
    Press OK at the warning prompt.
    Click the Script tab
    Copy the text inside the code box below and paste it into the text-field.
    Code:
    DeleteFile: ReplaceWithDummy
              "C:\Users\OWNER\AppData\Local\zadtgpv"
              "C:\Users\OWNER\AppData\Local\exibrgo"
              "C:\Windows\system32\auctreg"
              "C:\Windows\CSC"
    
    Now click the Execute Now button.
    The fix will require a reboot in order to complete successfully.
    Upon reboot, locate C:\blitzblank.log and upload this log to your next message.

    Now let's try FRST again as directed:
    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt); please attach this new log to your next reply (attach or paste)


    Once you have rebooted, please try doing the Combo scan as described in post# 106.
     

    Last edited: Nov 28, 2017
  11. Merkava

    Merkava Private First Class

    Blitz still gives syntax error.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It was worth a try. Did you do the rest?
     
  13. Merkava

    Merkava Private First Class

    I can't get Fixlist to DL for some reason. I tried "Open", then "Save As" in notepad, but no dice. Might need a reboot? Dunno. Going to try again in a bit. Trying to multitask somewhat. Or should I skip to the Combo scan?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Copy the following to notepad and save it to your desktop as fixlist:

    Start
    CloseProcesses:
    RemoveDirectory: C:\Users\OWNER\AppData\Local\zadtgpv
    RemoveDirectory: C:\Users\OWNER\AppData\Local\exibrgo
    RemoveDirectory: C:\Windows\CSC
    RemoveDirectory: C:\Windows\system32\auctreg
    Reboot:
    EmptyTemps:
    End
     
  15. Merkava

    Merkava Private First Class

    Can't even name it Fixlist without a permissions error!
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Right click notepad and choose Run as Admin.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    By the way, did you ever run the ESET online scan?
     
  18. Merkava

    Merkava Private First Class

    It didn't reboot, so I'll post this then restart and do the Combo scan.
     

  19. Merkava

    Merkava Private First Class

    The Combo scan didn't produce a log that I can see. Would it go somewhere other than desktop?

    I had, but I think there were other things going on and it got lost in the shuffle. Doing it again now (No "Scan Archive" option, btw. Newer version?)
     
  20. Merkava

    Merkava Private First Class

    I'm thinking ESET might've shut down prematurely, caused a reboot, or something.
     
  21. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Requested log directories:
    Combofix - C:\ComboFix.txt
    ESET Online Scanner - C:\users\%userprofile%\appdata\local\temp\log.txt
     
  22. Merkava

    Merkava Private First Class

    ESET is finished and found a few things. Combofix wasn't installed and the installer won't run.
     

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    NoVirusThanks Smart File Delete

    Please download No Virus to your desktop.

    Use the Add Files button to find and add the files you want to delete. The files will be deleted upon reboot.

    C:\Users\OWNER\AppData\Local\zadtgpv
    C:\Users\OWNER\AppData\Local\exibrgo
    C:\Windows\CSC
    C:\Windows\system32\auctreg

    After reboot, if there is a log, attach it. If not, rerun FRST and attach that log.
     
  24. Merkava

    Merkava Private First Class

    Access denied when trying to add those for deletion.
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run RKill first and try again.
     
  26. Merkava

    Merkava Private First Class

    Did. No luck.
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try Unlocker
    http://www.majorgeeks.com/files/details/unlocker.html

    Not sure, but try right clicking the file and you should see an option to Unlock.

    Once installed, you can right-click a stubborn file and select Unlocker to start the process of freeing it up. The Process Path column will tell you which program is holding onto the file, so you can close it. If that doesn’t work, check out the options at the bottom of the window. The pull-down menu on the right lets you select what happens to a file after you free it up. You can then click Unlock to make it erasable. If that doesn’t work, try Kill Process.
     
  28. Merkava

    Merkava Private First Class

    The options and layout are different from your description. I click on "Start Unlocker", then it gives me a navigation window to find the file. In several instances it says "No locking handle found", but it gives a drop-down with No Action, Delete, Rename, Move. Upon choosing delete there are still instances where it says it can't be deleted, but it will perform deletion at next boot. Tried twice - even with RKill, and they don't disappear or they come back (the ones that are reported deleted at first attempt).
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK....we will try one last thing and if it doesn't work, I am going to suggest you do a system restore (your only available restore point is 7/20).

    Please download this:

    Take Ownership

    Double click the zip and click on Add Take Ownership to Context menu.reg.

    Once the reg hack has been installed, try deleting the files with No Virus.
     
  30. Merkava

    Merkava Private First Class

    Access still denied.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, I've used everything in my bag of tricks. I can only suggest you do a system restore. :(
     
  32. Merkava

    Merkava Private First Class

    Okay, long time no reply.

    I finally figured I should use my Comodo Rescue Disk, booting from DVD drive, and BOOM. Looks like it's gone.

    I highly recommend it. :cool:
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That's good news!

    "I highly recommend it." It looks like it is not supported for Win10.
     
    Last edited: Jan 6, 2018
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Merkava, can you confirm the removal by providing logs that are now clean? We are trying to formulate a fix for this rootkit.
     
  35. Merkava

    Merkava Private First Class

    Alas, however, and alack, the infection came back. It's really embedded itself, making folders and files inaccessible for deletion. :/
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I want you to try this: (it's complicated so just be as mindful as you can to the instructions)

    If your computer does not have the Windows Recovery Environment installed and available you can use the following method to run the Recovery Environment from a bootable USB disk.

    NOTE: This USB disk needs to be created from a clean computer. You cannot use an infected computer for this process.

    NOTE: An 8GB USB 2.0 stick is required or at least recommended. In some cases a USB 3.0 disk can be used but some computers have issues booting from USB 3.0 disks.

    Example drive (no endorsement implied, example only) - This drive example has not been tested by me. It is an older 2015 model with many good reviews though.
    Amazon: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)
    NewEgg: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)


    STEP 1
    Download a Windows 8 ISO image from MG's.

    Method A: Using the Microsoft Media Creation Tool
    https://www.microsoft.com/en-gb/software-download/windows8
    Download the Media Creation Tool: https://go.microsoft.com/fwlink/?LinkId=691209

    Follow the instructions displayed on the tool to download the Windows 8 ISO image.

    In my testing I was not prompted for a license key to download the latest Windows8 ISO image.
    At the time of this writing 2017/12/21 there was only one ISO image offered. Windows 10

    32-bit x86 or 64-bit x64

    Note: You need to run the version compatible with your system.
    You can check here if you're not sure if your computer is 32-bit or 64-bit

    Method B: If Method A: above is not working for you then you can try the following method
    Microsoft Windows and Office ISO Download Tool (this is not an authorized Microsoft tool, but appears to be legal)
    http://www.majorgeeks.com/files/details/microsoft_windows_iso_download_tool.html

    STEP 2
    If you were unable to use the Windows Media Creation Tool in STEP 1 to create a USB disk then you can use this tool to burn the Windows 10 ISO image from STEP 1 above.

    Download the Windows USB/DVD Download Tool from Gitbub and save to your computer.
    English version: https://github.com/mantas-masidlaus...ws7-USB-DVD-Download-Tool-Installer-en-US.exe

    Then install the Windows USB/DVD Download Tool and run it to burn a bootable USB disk from the ISO image. Browse to the location where you saved the Windows 10 ISO image in STEP 1
    Note: This tool should work on XP, Vista, Windows 7, or Windows 10 - it is simply used to make a bootable USB disk. Remember, all of this needs to be done on a clean computer.

    Screenshots (Windows USB/DVD Download Tool steps):
    https://i.imgur.com/MCWx4mf.jpg
    https://i.imgur.com/5IvFX1o.jpg
    https://i.imgur.com/1hzeggf.jpg
    https://i.imgur.com/g1iLLSH.jpg
    https://i.imgur.com/KkzebK6.jpg

    STEP 3
    Please download the Farbar Recovery Scan Tool and save it to your desktop or other location you know where it's saved to. Then copy it to the USB disk you just created.

    Note: You need to run the version compatible with your system.
    You can check here if you're not sure if your computer is 32-bit or 64-bit

    STEP 4
    Shut down the infected computer. Do Not insert the USB disk you created until the infected computer has been shut down.
    Once the computer is shut down then insert the newly created Windows 10 USB disk into the infected computer and power it back on and press the appropriate key to bring up the boot menu. The link below will help show you which key for various computers manufacturers is used to bring up the boot menu. Most will be either USB or UEFI depending on hardware and settings. If the computer boots up into the Normal Windows instead of the USB stick it may become infected and need to be completely redone again. Make sure you select the correct boot option.

    How to Boot Your Computer from a USB Flash Drive

    STEP 5
    Once the computer starts to boot up from the USB disk, follow the screens and directions below.

    Screenshots (boot screens from the USB disk):
    https://i.imgur.com/Gvt31DC.jpg
    https://i.imgur.com/wk8hs0E.jpg
    https://i.imgur.com/F2gCAoF.jpg
    https://i.imgur.com/X8NEEvb.jpg

    You will need to open NOTEPAD.EXE to help find out which drive is your Windows drive and which drive is your USB disk drive you just created

    Screenshots (finding the drive letters with Notepad):
    https://i.imgur.com/O27kz3e.jpg
    https://i.imgur.com/RRI6og4.jpg

    For the more advanced user you could also use DISKPART to help locate which drive is mapped to your USB disk. In most cases the USB disk will be either D: or E: but depending on hardware the drive could be a much higher level such as H: or higher.

    Example only - your hardware will look different
    Code:
    DISKPART> list volume
    
      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
      Volume 0     Z                       DVD-ROM         0 B  No Media
      Volume 1     C                NTFS   Partition    931 GB  Healthy    System
      Volume 2     Q   SEA-USB-4.0  NTFS   Partition   3725 GB  Healthy
      Volume 3     D                NTFS   Removable   7636 MB  Healthy
    Go back to the DOS Command Prompt (if you used DISKPART type in Exit and press the Enter key) and type in the following and press the Enter key.

    CD /D D: (or E: or whichever drive letter the USB stick is on)

    Then type in CD\
    and press the Enter key to get to the root or top of the USB disk.

    Then type in FRST or FRST64 (depending on which version your computer uses) and click the Scan button.

    A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

    If all went well you should now be able to boot into Normal Mode and run Malwarebytes and run a Threat Scan to have it finish the removal process.
     
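    An added example, not from this thread or from any of the tools it names, that automates the drive-letter lookup in STEP 5 above: it parses DISKPART's fixed-width `list volume` table using the dash ruler row to find the column boundaries, then reports the removable volume big enough to be the recovery stick. The sample table copies the example output quoted in the post; the 4 GB minimum-size threshold and all function names are my assumptions.

```python
import re

# Constructed sample: the `DISKPART> list volume` output quoted in the post above
# (drive letters, labels and sizes are that example's, not a real machine's).
SAMPLE = """\
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     Z                       DVD-ROM         0 B  No Media
  Volume 1     C                NTFS   Partition    931 GB  Healthy    System
  Volume 2     Q   SEA-USB-4.0  NTFS   Partition   3725 GB  Healthy
  Volume 3     D                NTFS   Removable   7636 MB  Healthy
"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}


def column_spans(dash_line):
    """DISKPART draws one run of dashes per column; their extents give the slices."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", dash_line)]


def parse_list_volume(text):
    """Return one dict per volume row, keyed by the header names (Ltr, Type, ...)."""
    lines = [l for l in text.splitlines() if l.strip()]
    hdr = next(i for i, l in enumerate(lines) if l.lstrip().startswith("Volume ###"))
    spans = column_spans(lines[hdr + 1])
    names = [lines[hdr][s:e].strip() for s, e in spans]
    rows = []
    for line in lines[hdr + 2:]:
        line = line.ljust(spans[-1][1])  # rows without an Info value are shorter; pad them
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows


def size_bytes(size_text):
    """Convert DISKPART's '7636 MB' style size to bytes (0 for empty/unknown)."""
    m = re.fullmatch(r"(\d+)\s*([KMGT]?B)", size_text.strip())
    return int(m.group(1)) * UNITS[m.group(2)] if m else 0


def removable_volumes(rows):
    """Volumes DISKPART reports as Removable with a drive letter: USB-stick candidates."""
    return [r for r in rows if r["Type"] == "Removable" and r["Ltr"]]


def find_usb_drive(text, min_bytes=4 * 1024 ** 3):
    """Drive letter of the single removable volume large enough to be the 8 GB
    recovery stick (assumed threshold: 4 GiB), or None when there is no
    unambiguous match, in which case fall back to the Notepad method above."""
    hits = [r for r in removable_volumes(parse_list_volume(text))
            if size_bytes(r["Size"]) >= min_bytes]
    return hits[0]["Ltr"] if len(hits) == 1 else None


if __name__ == "__main__":
    for row in parse_list_volume(SAMPLE):
        print(f'{row["Ltr"] or "-"}: {row["Type"]:<10} {row["Size"]:>8}  {row["Status"]}')
    print("USB stick:", find_usb_drive(SAMPLE))
```

    Capture the real output with `list volume` in the Recovery Environment prompt and feed it to `find_usb_drive`; a result of None means more than one removable volume qualified and the Notepad check is still needed.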
  37. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you still have the log from Comodo: c:\cce_linux\Logs

    I would like to see it. Also....if you try running Comodo again, be sure to run MBAM as soon as you get back into windows. I would also like to see that log.
     
  38. Merkava

    Merkava Private First Class

    Ooh, sorry. It's been completely reformatted. Unfortunately I also forgot to upload a few other files as I intended. They weren't too important, though.
     
  39. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That's fine. Probably the easiest fix. :)
     
