[SageVII]

Hi,

 

I have Malwarebytes Anti-Malware and used to have AVG.

Malwarebytes Anti-Malware did not wanted to start with windows but it ran when I clicked on the icon

 

Today MAM did not want to run and AVG was not updating and any attempt to do so brought an error window.

 

I uninstalled AVG and installed PANDA but it also does not want to run the protection services, only the GUI runs.

 

Both software runs when I start in SafeMode and even in SafeMode with Network services, which tells me that there is something in the memory that kill the processes.

Scans made while on SafeMode failed to find anything on disk.

I am anxious and I do not want to nuke this machine, but I will do so if I cannot solve this problem.

 

I was reading a previous thread and ran this program:

 

sfc /scannow.

 

These are the results, I have also attached the log file:

 

Microsoft Windows [Version 6.1.7601]

Copyright © 2009 Microsoft Corporation.  All rights reserved.

 

C:\Users\UlricK>sfc /scannow

 

Beginning system scan.  This process will take some time.

 

Beginning verification phase of system scan.

Verification 100% complete.

Windows Resource Protection found corrupt files but was unable to fix some of them.

Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example

C:\Windows\Logs\CBS\CBS.log

 

C:\Users\UlricK>

 

 

 

This is a fairly recent problem, no more than a week or so.

 

A month ago, I found this while doing a routine check of the processes in my computer:

OBJNIG~1.exe and it said : Cat Joy Kareo Cha. FIle was deleted

 

Today I found another supicious process that was terminated and file deleted:

Avgupdated0814tb

 

What can I do?

I am desperate and will nuke this thing if i cannot find a solution in 24 hours as the latest.

 

Regards

 

Edited to add: Whatever it is, it disabled system restore so I cannot return to a previous state. It actually has blocked all options for restoring the system.

Attached Files

•  CBS.rar   171.35KB   561 downloads

Edited by SageVII, 30 August 2015 - 03:39 PM.

[Advertisements]

I was running Panda on safemode for a full scan but had to cut it short after one hour for no results and restarted the OS in normal mode.

While in safemode I was checking everything and came across an unkown profile, named UNKOWN. with 8.8 MB data. Deleted that one, since this machine should only have 1 profile: mine.

Skype crashed and then Panda loaded without problems. MABM did not load at start but did load manually.

Panda did a scan and deleted a file VSSVC.exe claiming that it was infected.

I still cannot make a system restore despite enabling it via registry and group policy.

 

Edited to add: I still do not feel safe until I can enable system restore and everything comes back as normal. I am still considering the nuclear option, but less so now.

Edited by SageVII, 30 August 2015 - 05:37 PM.

[SageVII]

I was running Panda on safemode for a full scan but had to cut it short after one hour for no results and restarted the OS in normal mode.

While in safemode I was checking everything and came across an unkown profile, named UNKOWN. with 8.8 MB data. Deleted that one, since this machine should only have 1 profile: mine.

Skype crashed and then Panda loaded without problems. MABM did not load at start but did load manually.

Panda did a scan and deleted a file VSSVC.exe claiming that it was infected.

I still cannot make a system restore despite enabling it via registry and group policy.

 

Edited to add: I still do not feel safe until I can enable system restore and everything comes back as normal. I am still considering the nuclear option, but less so now.

Edited by SageVII, 30 August 2015 - 05:37 PM.

[emeraldnzl]

Hello SageV11,

Welcome to Geekstogo,

Sorry for the delay in getting to you.
 

While in safemode I was checking everything and came across an unkown profile, named UNKOWN. with 8.8 MB data.

I am not a techie but I believe that can happen quite legitimately see here and here. The fact that you found you had a problem with Skype and MBAM supports that it may have been legitimate. Having said that it could also be caused by malware.

VSSVC.exe is to do with Volume Shadow Copies of files for backing up. It is a legitimate service of Windows. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail.

I guess your copy could have been infected in some way but more likely it was a false positive.

If you wish us to have a closer look please do the following.

Important - We ask that the tools we use be downloaded to your computers desktop.

If you are unsure about how to do that, please press the Show button beside Spoiler below to see guides for the most popular browsers:

Spoiler

For Internet Explorer (excluding IE8):

• Please press both Ctrl + J on your keyboard.
• Press Options in the lower left corner.
• Click Browse and in the shown window highlight your Desktop.
• When done, click Select Folder.
• Click OK and close the View Downloads screen.

Please note that Internet Explorer 8 doesn't support changing the downloads location. In this case, upon completion you need to navigate to the Downloads folder and transfer the tool to your Desktop.

For Mozilla Firefox:

• Click the button (upper-right corner) and select Options.
• In the General tab find the Downloads section and check Save files to.
• Click Browse, Navigate to the Desktop and click Select Folder.
• Click OK and the Window will close.

For Google Chrome:

• Click the button (upper-right corner) and select Settings.
• Scroll down and at the bottom press Show advanced settings.
• Scroll down to the Downloads section and click the Change button.
• Navigate to your Desktop and click OK.

Now

Please download Farbar Recovery Scan Tool from here and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will produce a log called (FRST.txt) in the same directory the tool is run from.
• Please copy and paste log back here.
• The first time the tool is run, it makes also another log (Addition.txt). Please also paste that into your reply.

 

[SageVII]

Hello emeraldnzl.

 

I solved my problem after 8 hours of fighting that darned virus. Yes, it was a virus. An unknown one but it was a piece of software that hid itself quite well.

 

It did the following:

 

1. Killed all processes belonging to any antivirus or antimalware software. Thus MABM not running.

2. It kept the User Interface running but it was tricked into believing that the program was up-to-date in virus definitions, etc.

3. It prevented the antivirus to connect to the internet.

4. It prevented the antivirus to update offline.

5. It disabled System Restore and deleted all the restore records. It went so far as to hid the System Restore option, not content with just disabling it.

6. It created that UNKOWN user and hid it.

 

What I did was:

1. Run to Safe Mode and try to run MABM and AVG (my former antivirus) nothing detected.

2. Restart and Run in Safe Mode with network access and Install PANDA Antivirus and let it run. It killed two programs but the report says nothing. No names, nothing whatsoever. It is as if the files never existed. But the scan reported two threats deleted and the report says nothing.

3. I checked the Task Manager to identify the processes belonging to the antivirus software.

4. Deleted the UNKNOWN user.

5. Reboot in normal mode and checked the Task Manager. The antivirus processes were there this time. MABM was again loaded with windows startup.

6. Reenabled the System Restore.

 

That required the following:

6.1. To run a registry file enabling and unhiding the System Restore processes.

6.2. Checking on the Group Policies for Windows 7 and disabling the posibility to stop System Restore.

6.3. Enabling again System Restore for all the drives.

 

At day three, everything is normal and so far I hope it will remain so.

Yesterday I had to do the same to my brother's computer that had the same virus, only this time I did it quicker since I knew the process.

 

Still I was really concerned, since the machine involved is my working machine. The one that has all my workfiles. I was seriously considering a nuke and pave, for those who do not know the jargon that means to reformat the hard disk and to reinstall everything. I didn't want to do that since it was losing 2 days of work and of course dealing with the headache of rebuilding everything. But i was willing to do that if no solution came.

 

That is when I contacted you, and to be clear I am not happy that you left me hanging up for three days. 

 

I'll let bygones be bygones. I am happy to have recovered my computer. I am still wary of any hiccup that it has but so far nothing has happened.

 

As you can see, I am quite computer literate and when I asked for help was because I was desperate and felt that nothing I did was giving me a solution.

 

I don't know what was the malware that did this. It is a piece of quite good programming, since it managed to hid from the task manager and killed everything while telling you that everything was all right.

PANDA killed it, but it remains anonymous. I believe this piece of malware probably tries to convert a computer into a zombie, enabling the UNKOWN user to use it as he sees fit, very likely as a SpamBot or a DOSBot.

 

Thanks for replying and for the apologies. I accept them and hope you can reply faster to somebody who very likely do not know what to do with his computer beyond turning it on and clicking on the software.

 

I believe you can close this thread.

[emeraldnzl]

Thank you for replying.

 

Sorry it took so long. As you know we are volunteers here and maybe people who saw your topic did not quite know what to make of it. I was unsure myself lol.

 

Interesting what you have to say. I will look out for that in future.

[SageVII]

Thank you for replying.

 

Sorry it took so long. As you know we are volunteers here and maybe people who saw your topic did not quite know what to make of it. I was unsure myself lol.

 

Interesting what you have to say. I will look out for that in future.

 

I know and understand but when you are desperate you tend to take things a little too personal.

 

I'm cool now, specially since I defeated that monster.

 

BTW, to anybody who is reading this:

If suspicious of anything, reboot into Safe Mode with Network acces and do this:

 

1. Update your antivirus, if it does not want to update (AVG I'm looking at you) ditch it, No matter how much you paid for it, it is not worth the money spent.

I got Panda based on PC Magazine recomendation, and other websites like it. That's why I installed it and let it run.

 

2. Once updated, let your antivirus scan the entire computer. No matter how many files you have. My computer scan took 10 hours! I just basically let it start and went to play World of Tanks in another machine, ate dinner, went to sleep and let the machine running the entire night. The next day voila! it has finished and killed whatever it was that needed killing.

 

3. I you are somewhat computer savvy, get to know what your computer is running. The task manager is your friend. Start it once in a while, I do it every week or so, and see what are the processes running. Very soon you will get to know them not by memory but you will get a feel when something is not as it should. Identify the most important processes, like the ones that your antivirus and other critical software uses.

This is a hard learned lesson long time ago in another job fighting a very stubborn virus in a coworkers computer.

Believe me, you will find a lot of crap that loads without your knowledge and kills your computer performance, not only virus are noxious.

 

4. Don't be shy and ask for help, even if like me you know your way around computers, there is always somebody who has a better idea than you do.

 

5. Do NOT trust USB flash drives that your son, daughter, family friend brings home to use in your computer. You never know where those drives have been and High School computers are notoriously filled with virus.

 

Anyway, thanks for at least taking an interest in my case.

 

Regards

Edited by SageVII, 03 September 2015 - 10:21 PM.

[emeraldnzl]

Your welcome. Thanks for the feed back.

[emeraldnzl]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.