Cannot access Safe Mode, System Restore and (most) anti-malware progra



#31 playwiffme (Topic Starter)

***Note***

Another pesky thing that is occurring since acquiring this virus/malware issue -

Whenever I right click on an item/folder/etc. to utilize the copy or open option, the Windows Installer box opens and reads as such...

Windows Installer

The feature you are trying to use is on a
network resource that is unavailable

Click OK to try again, or enter an alternate path to a
folder containing the installation package
"Shredder64.msi" in the box below.

C:\Users\Administrator\AppData\Local\Downloaded Installations\
{45DE3BB5-15C7-489B-458F80-82349413953E}


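What the dialog in the post above shows is a Windows Installer self-repair. Right-clicking makes Explorer activate the context-menu handlers registered for files and folders; when one of them was registered through the Installer's advertised COM registration and its component is broken or missing, Windows Installer tries to repair the product and asks for the original package (here Shredder64.msi) from the "Downloaded Installations" cache, which is gone. The PowerShell below is an added example, not code from the thread or from any tool named in it: it lists every context-menu handler with the DLL it loads (a handler whose DLL no longer exists is the usual culprit), and looks up which installed product references that cache. It assumes PowerShell 3 or later in an elevated prompt; the search pattern is taken from the dialog text and is the only thing known about the product.

```powershell
# Added example (not from the thread): list the context-menu shell extensions
# Explorer loads on right-click, and find which installed MSI product references
# the "Downloaded Installations" cache named in the Windows Installer dialog.
# Assumes PowerShell 3+ in an elevated prompt.

$hookPoints = @(
    'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers',
    'Registry::HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers',
    'Registry::HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers',
    'Registry::HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers',
    'Registry::HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers'
)

function Get-ContextMenuHandlers {
    foreach ($hook in $hookPoints) {
        # -LiteralPath: the "*" in the first hook point is a key name, not a wildcard.
        if (-not (Test-Path -LiteralPath $hook)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $hook) {
            # A handler key either holds the CLSID as its default value or is named after it.
            $clsid = (Get-ItemProperty -LiteralPath $sub.PSPath).'(default)'
            if (-not $clsid) { $clsid = $sub.PSChildName }
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
            [pscustomobject]@{
                Hook      = $hook -replace '^Registry::HKEY_CLASSES_ROOT\\', '' -replace '\\shellex\\ContextMenuHandlers$', ''
                Handler   = $sub.PSChildName
                CLSID     = $clsid
                Dll       = $dll
                # A registered handler whose DLL is gone is what makes Windows Installer
                # attempt a self-repair (and ask for the package) on every right-click.
                DllExists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            }
        }
    }
}

function Find-InstallerProduct([string]$pattern) {
    # Windows Installer records every product (per machine and per user) under
    # UserData\<SID>\Products\<packed GUID>\InstallProperties.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
    foreach ($key in Get-Item -Path "$root\*\Products\*\InstallProperties" -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath
        $haystack = "$($p.DisplayName) $($p.InstallSource) $($p.LocalPackage)"
        if ($haystack -match $pattern) {
            # UninstallString carries the unpacked product code, e.g. MsiExec.exe /X{GUID}.
            $code = if ($p.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
            [pscustomobject]@{
                DisplayName   = $p.DisplayName
                ProductCode   = $code        # msiexec /x $code removes it; msiexec /fa $code repairs it
                InstallSource = $p.InstallSource
                LocalPackage  = $p.LocalPackage
            }
        }
    }
}

# Handlers first: anything with DllExists = False, or a DLL outside Program Files
# and System32, is the thing to look at.
Get-ContextMenuHandlers | Sort-Object DllExists, Dll | Format-Table -AutoSize

# Then the product that keeps asking for its package (pattern from the dialog text).
Find-InstallerProduct -pattern 'Shredder|Downloaded Installations' | Format-List
```

Once the product is identified, the clean ways out are to remove it with `msiexec /x {ProductCode}` (the LocalPackage cached copy is enough for that), or, if the product is wanted, to repair it with `msiexec /fa` after restoring the package. Deleting the handler key by hand stops the dialog but leaves the broken product registration behind.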

#32 playwiffme (Topic Starter)

***UPDATE***

When I rebooted a while ago, I forgot to once again turn off Zemana AntiMalware - well it just finished another round and here are the results -

1) temp   Adware:Win32/Ghokswa.A!Neng
    c:\program files (x86) temp

2) colorframe.dat   Adware:Win32/Ghokswa.B!Neng
    c:\users\public\documents\pearlmountain\picturecollagemakerpro\frame\colorframe.dat

3) ct.exe   Adware:Win32/CTProxy.G!Neng
    c:\users\thomas]appdata\local\microlabs\ct.exe

4) ndstpr64.sys   Trojan:Win32/CTProxy.A!Neng
    c:\windows\system32\drivers\ndstpr64.sys

5) tprdpw32.exe   Adware:Win32/CTProxy.J!Neng
    c:\windows\system32\tprdpw32.exe

Zemana wants to quarantine these items but I'm waiting to hear from you first as this will require another re-boot should they be quarantined.



#33 playwiffme (Topic Starter)

I was a bit puzzled over the re-established #3 / ct.exe (microlabs) as this had been gone for the past day or so but has suddenly re-appeared again.

Went and looked into the folder and yep, it's there.



#34 RKinner (Malware Expert, MVP)

c:\users\thomas]appdata\local\microlabs\ct.exe

Is that a typo or does it really say thomas]appdata?

If it's real then that's probably why you are getting two logons. Probably a typo from when we made the folder.

We made a folder with the name ct.exe and it's possible that Zemana is triggering on the folder. If it's a folder then leave it.

Can you just delete 1 & 2?

4 & 5 are our old friends and FRST says they have undone our good work.

"Dataup" => service was unlocked. <===== ATTENTION
"drmkpro64" => service was unlocked. <===== ATTENTION
"windowsmanagementservice" => service was unlocked. <===== ATTENTION

So they may come back with a reboot unless you go back in to regedit and take ownership again. I think there is something running that we can't see. Let's see if GMER will run:

Download GMER from http://www.gmer.net/download.php Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingc...opic114351.html to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

It might also help if you have a USB drive with FRST on it and can run it at the next boot per the instruction I gave you.


#35 playwiffme (Topic Starter)

1) Re: c:\users\thomas]appdata\local\microlabs\ct.exe - My apologies, this was a typo - should have read

    c:\users\thomas\appdata

2) Yes, I think I can quarantine just #'s 1 and 2

3) I know ideally, we'd like to start with RKill (root killer) but...

UPDATE!!! - I have been for 2 days trying to get Malwarebytes Anti-Root Kit Beta v1.09.3.1001 to open and run and have finally done so -

It is currently running, and I have no clue how long it will take but is this a possible replacement for RKill??? So far it has already found our friend - ndistpr64.sys and hopefully will find more. No way I'm gonna re-boot until I hear back from you.

4) Can't address your GMER project until Malwarebytes Anti-Root Kit finishes running...



#36 RKinner (Malware Expert, MVP)

Latest version of MBAM is supposed to eat this bug so hopefully it updated before it ran. If not, update it and run it again.



#37 playwiffme (Topic Starter)

In case you were wondering, YES I updated Malwarebytes Anti-Root Kit Beta v1.09.3.1001 once it was opened.



#38 playwiffme (Topic Starter)

***MAJOR UPDATE***

Got RKill to finally open and run - it's currently running and I have no clue what to do with it when it finishes!



#39 playwiffme (Topic Starter)

RKill Results...

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingc...opic308364.html

Program started at: 03/29/2017 04:10:52 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKCU\SOFTWARE\Classes\.exe "@" exists and is set to exefile!
  * HKCU\SOFTWARE\Classes\.exe has been deleted!

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * TBS [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
  0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
  0.0.0.0 media.opencandy.com
  0.0.0.0 cdn.opencandy.com
  0.0.0.0 tracking.opencandy.com
  0.0.0.0 api.opencandy.com
  0.0.0.0 api.recommendedsw.com
  0.0.0.0 installer.betterinstaller.com
  0.0.0.0 installer.filebulldog.com
  0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
  0.0.0.0 inno.bisrv.com
  0.0.0.0 nsis.bisrv.com
  0.0.0.0 cdn.file2desktop.com
  0.0.0.0 cdn.goateastcach.us
  0.0.0.0 cdn.guttastatdk.us
  0.0.0.0 cdn.inskinmedia.com
  0.0.0.0 cdn.insta.oibundles2.com
  0.0.0.0 cdn.insta.playbryte.com
  0.0.0.0 cdn.llogetfastcach.us
  0.0.0.0 cdn.montiera.com

  20 out of 35 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 03/29/2017 04:30:47 PM
Execution time: 0 hours(s), 19 minute(s), and 55 seconds(s)


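Two parts of the RKill output above carry the security-relevant point. First, `HKCU\SOFTWARE\Classes\.exe` existing at all: HKCR is a merged view in which the per-user `HKCU\Software\Classes` shadows the machine-wide `HKLM\Software\Classes`, so a per-user `.exe` association plus a per-user `exefile\shell\open\command` that is not exactly `"%1" %*` wraps every program that account launches without touching anything an administrator would normally look at. That is one of the standard ways to stop "most anti-malware programs" from opening, and it is what RKill undid by deleting the key. Second, the HOSTS entries: every one shown maps a known ad or installer-tracking domain to 0.0.0.0, which is what a deliberately installed blocklist looks like; a hijack would instead point a security vendor's domain at 0.0.0.0 or at some other address. The PowerShell below is an added example, not RKill's code or anything from the thread: it re-checks both hives for the `.exe` association and classifies each HOSTS entry. It assumes PowerShell 3 or later; the list of security-site domains is a small hand-picked set, not an authoritative one, and the sample lines marked "constructed" are invented for the demonstration.

```powershell
# Added example (not from the thread): re-check the per-user .exe association RKill
# deleted and classify the HOSTS file it only partially listed. Assumes PowerShell 3+.

function Get-ExeHandler([string]$hive) {
    # HKCR is a merged view: a ".exe" key under HKCU\Software\Classes shadows the
    # machine-wide HKLM entry for that account, so a per-user "exefile" command that
    # is not exactly "%1" %* wraps every program the user starts.
    $classes = "${hive}:\Software\Classes"
    $progId = (Get-ItemProperty -Path "$classes\.exe" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }
    $command = (Get-ItemProperty -Path "$classes\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Hive = $hive; ProgId = $progId; Command = $command }
}

function Test-ExeAssociation {
    $findings = @()
    $machine = Get-ExeHandler 'HKLM'
    if (-not $machine -or $machine.ProgId -ne 'exefile' -or $machine.Command -ne '"%1" %*') {
        $findings += "HKLM .exe handler is not the stock one: $($machine.ProgId) -> $($machine.Command)"
    }
    $user = Get-ExeHandler 'HKCU'
    if ($user) {
        # Any HKCU override is worth a look even when it says "exefile": a per-user
        # exefile\shell\open\command, if present, still wins over HKLM.
        $findings += "HKCU\Software\Classes\.exe exists: $($user.ProgId) -> $($user.Command)"
    }
    if ($findings.Count -eq 0) { 'OK: .exe association is stock with no per-user override' } else { $findings }
}

# Hand-picked, not authoritative: domains a malware author would want unreachable.
$securitySites = @('malwarebytes.com', 'bleepingcomputer.com', 'microsoft.com', 'windowsupdate.com',
                   'gmer.net', 'zemana.com', 'eset.com', 'kaspersky.com', 'symantec.com', 'avast.com')
$sinkholes = @('0.0.0.0', '127.0.0.1', '::1')

function Get-HostsEntries([string[]]$lines) {
    foreach ($line in $lines) {
        $text = ($line -split '#', 2)[0].Trim()          # drop comments and padding
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $isSecuritySite = [bool]($securitySites | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") })
            if ($name -eq 'localhost' -and $sinkholes -contains $address) { $verdict = 'normal' }
            elseif ($isSecuritySite) { $verdict = 'HOSTILE: security site blocked or redirected' }
            elseif ($sinkholes -notcontains $address) { $verdict = 'CHECK: redirected to another host' }
            else { $verdict = 'blocklist: ad/tracker sinkhole' }
            [pscustomobject]@{ Address = $address; Name = $name; Verdict = $verdict }
        }
    }
}

# Constructed sample: two lines as they appear in the RKill output above plus two
# invented ones (localhost, and a redirect to a TEST-NET address) to show the verdicts.
$sample = @(
    '0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly',
    '0.0.0.0 tracking.opencandy.com',
    '127.0.0.1 localhost',
    '203.0.113.5 www.malwarebytes.com   # constructed'
)
Get-HostsEntries $sample | Format-Table -AutoSize

# The live file, showing only what is not plain blocklist noise.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-HostsEntries (Get-Content -LiteralPath $hostsFile) |
    Where-Object { $_.Verdict -notlike 'blocklist*' } | Format-Table -AutoSize

Test-ExeAssociation
```

RKill only prints the first 20 of 35 entries, so the live-file pass is what answers "Please review HOSTS file for further entries". Note that a clean Windows 7 hosts file has its localhost lines commented out, so an empty result from the live pass is the expected good outcome.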

#40 playwiffme (Topic Starter)

Malwarebytes Anti-Root Kit Log - There are 5 items listed to be removed upon reboot - I have NOT rebooted yet, waiting on you...

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.03.29.06
  rootkit: v2017.03.11.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18499
Thomas :: THOMAS-PC [administrator]

3/29/2017 3:00:23 PM
mbar-log-2017-03-29 (15-00-23).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 412810
Time elapsed: 1 hour(s), 52 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\drmkpro64 (Rootkit.Agent.PUA) -> Delete on reboot. [765456796f3976c08899e8d7ca37d32d]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DATAUP (Trojan.Clicker) -> Delete on reboot. [6169339c961245f10fa9b1ccdd241ce4]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup (Trojan.Clicker) -> Delete on reboot. [b11907c8901849ed52682f4de31ef50b]

Registry Values Detected: 1
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DATAUP|ImagePath (Trojan.Clicker) -> Data: C:\Users\Thomas\AppData\Local\NTUSER~1\dataup\dataup.exe -> Delete on reboot. [6169339c961245f10fa9b1ccdd241ce4]

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys (Rootkit.Agent.PUA) -> Delete on reboot. [b82af19ea4f351ab70ceeeec014dcc62]

Physical Sectors Detected: 0
(No malicious items detected)

(end)


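The MBAR log above and the FRST lines quoted in post #34 describe the same persistence trick from two angles. MBAR shows a service (DATAUP) whose ImagePath points into a user profile, `C:\Users\Thomas\AppData\Local\NTUSER~1\dataup\dataup.exe`, which no legitimate Windows service does; FRST's "service was unlocked" lines mean the malware had stripped Administrators' rights from its service keys (drmkpro64, Dataup, windowsmanagementservice) so that neither a cleaner nor regedit could delete them, and FRST had to restore the permissions first. The expert's warning that they "may come back with a reboot unless you go back in to regedit and take ownership again" is the re-locking half of that. The PowerShell below is an added example, not FRST's or MBAR's logic or anything from the thread: it walks every service key, normalises the ImagePath to a file, flags binaries living in user-writable locations or missing altogether, and reports each key's owner and whether Administrators still hold FullControl. It assumes PowerShell 3 or later in an elevated prompt; the location heuristics are mine, not a signature of this malware.

```powershell
# Added example (not from the thread): audit HKLM\SYSTEM\CurrentControlSet\Services
# for service binaries in user-writable locations and for service keys whose ACL
# has been locked against Administrators. Assumes PowerShell 3+, elevated prompt.

$admins = 'BUILTIN\Administrators'
$userWritableRoots = @("$env:SystemDrive\Users\", "$env:ProgramData\", "$env:SystemRoot\Temp\")
$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

function Resolve-ServiceBinary([string]$imagePath) {
    # Drivers use NT-style (\??\, \SystemRoot\) or system32-relative paths; normalise
    # to a plain file path, then strip surrounding quotes and any arguments.
    $p = [Environment]::ExpandEnvironmentVariables($imagePath).Trim()
    if ($p -match '^\\\?\?\\') { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\') { $p = $env:SystemRoot + $p.Substring(11) }
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    if ($p.StartsWith('"')) { return $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { $m.Groups[1].Value } else { $p }
}

function Get-ServiceAudit {
    foreach ($key in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { continue }
        $binary = Resolve-ServiceBinary $props.ImagePath
        $flags = @()
        foreach ($root in $userWritableRoots) {
            if ($binary.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'binary in user-writable location' }
        }
        if (-not (Test-Path -LiteralPath $binary)) { $flags += 'binary missing' }

        # A clean service key is owned by SYSTEM or Administrators and grants
        # Administrators FullControl with no Deny entries. A key you cannot even read
        # the ACL of is the "locked" case FRST reported.
        $owner = '?'
        try {
            $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop
            $owner = $acl.Owner
            $adminAllow = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $admins -and $_.AccessControlType -eq 'Allow' }
            $hasFull = [bool]($adminAllow | Where-Object { ($_.RegistryRights -band $fullControl) -eq $fullControl })
            if (-not $hasFull) { $flags += 'Administrators lack FullControl' }
            if ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }) { $flags += 'Deny ACE present' }
        } catch {
            $flags += 'ACL unreadable (locked?)'
        }
        [pscustomobject]@{ Service = $key.PSChildName; Binary = $binary; Owner = $owner; Flags = ($flags -join '; ') }
    }
}

# Only rows with at least one flag; on the machine in this thread DATAUP would show
# "binary in user-writable location", and a re-locked key would show the ACL flags.
Get-ServiceAudit | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Re-locking from PowerShell is harder than auditing: if Administrators have been stripped from a key, opening it for WRITE_OWNER needs SeTakeOwnershipPrivilege enabled in the token, which `Set-Acl` does not do for you, so regedit's Permissions > Advanced > Owner (or a tool that enables the privilege) is the practical route, exactly as the expert describes. And any check run from inside the booted system, this one included, can be lied to by a kernel driver such as the `ndistpr64.sys` MBAR found, which is the reason for the suggestion to run FRST from a USB drive at boot instead.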

#41 playwiffme (Topic Starter)

This appears to be the SmartService Trojan...



#42 playwiffme (Topic Starter)

Ran a quick scan with Reason Core Security -

Found 1 threat - quarantined, no reboot
TrojanDownloader.Agent - Threat Level - High
C:\Users\thomas\appdata\roaming\35-1q.exe

I am now running a DEEP SCAN with this...



#43 RKinner (Malware Expert, MVP)

Was MBAM able to remove the stuff it found?



#44 playwiffme (Topic Starter)

Don't know...I've been waiting to hear from you...if you read the report, it said it would be deleted upon reboot...



#45 RKinner (Malware Expert, MVP)

Reboot and run MBAM again.

