
"The Requested Resource is in use" not able to run anti-virus

malware virus

#1
MENDECHR

MENDECHR

    Member

  • Member
  • PipPip
  • 12 posts

Hello!

I found this board while trying to solve this issue I have, and found that it's quite a common one.

When I originally downloaded Malware bytes, I couldn't run the program, and kind of brushed it off for another time.

However, recently, my laptop has been running much slower, and even browsing the web has delays in input.

It seems that I have a virus that prevents me from installing anti-malware programs, and I can't run Norton, nor Avast.

I've downloaded and run the FRST system, and I have attached the relevant files.

Please assist however you all can :)



#2
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts

Welcome :)

 

I'll be helping you to clean up your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)

Let's begin... :)
 

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-Click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.

  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

 



#3
MENDECHR

MENDECHR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Thanks for the help, I've run the program, but it's frozen at 5199 threats so far.

Should I close and re-run the program?


 

 



#4
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts

No. Let it run unhindered.



#5
MENDECHR

MENDECHR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

OK, it's still running currently.



#6
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts

If the log is too large, you can upload it here.



#7
MENDECHR

MENDECHR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

It's been running for close to 18 hours, and I need my laptop for school.

It's been frozen at 6945 since yesterday, and I need my laptop for schoolwork.

Is there anything I can do?

I can't leave it scanning for such extended periods of time.



#8
MENDECHR

MENDECHR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Would this be more efficient if I ran it in parts?



#9
MENDECHR

MENDECHR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

I cancelled the scan because I need use of the laptop.
However, I'll attach the log for parts of the scan that were completed to that link you sent me.



#10
MENDECHR

MENDECHR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

The file is more than 50 mb, what do I do?




#11
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts

That is too long. Let's review the areas affected.

 

Remove the following programs if present:

 

ByteFence Anti-Malware
DragonBoost
InterStat
s5m

 

  • Highlight the entire content of the quote box below.

Start::  
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [cpx] => "C:\Users\Admin PC\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\Admin PC\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [896512 2017-01-13] () <==== ATTENTION
HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\...\Run: [amling] => rundll32.exe "C:\Users\Admin PC\AppData\Local\amling.dll",amling <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
R2 Dataup; C:\Users\Admin PC\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S2 pgt_svc; C:\Program Files (x86)\ProxyGate\MainService.exe [2285664 2017-02-22] (Gold Click Ltd) <==== ATTENTION
R2 WindowService; C:\Users\Admin PC\AppData\Local\Temp\WS\WindowService.exe [8192 2017-04-26] () [File not signed] <==== ATTENTION
S2 windowsmanagementservice; C:\Users\Admin PC\AppData\Local\xchbncxt\ct.exe [947200 2017-03-29] (Google Inc.) [File not signed] <==== ATTENTION
R0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [78112 2013-09-28] () [File not signed] <==== ATTENTION
C:\Windows\system32\drivers\ndistpr64.sys
C:\Users\Admin PC\AppData\Local\Temp\WS
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
C:\Users\Admin PC\AppData\Local\ntuserlitelist
HKLM-x32\...\Run: [cpx] => "C:\Users\Admin PC\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\Admin PC\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [896512 2017-01-13] () <==== ATTENTION
R2 Dataup; C:\Users\Admin PC\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
C:\Users\Admin PC\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe
2017-01-05 17:36 - 2017-01-05 17:36 - 000077824 _____ () C:\Users\Admin PC\AppData\Local\ntuserlitelist
C:\Users\Admin PC\AppData\Local\Temp\WS
R2 WindowService; C:\Users\Admin PC\AppData\Local\Temp\WS\WindowService.exe [8192 2017-04-26] () [File not signed] <==== ATTENTION
2017-04-26 14:45 - 2017-04-26 14:45 - 000008192 ____N () C:\Users\Admin PC\AppData\Local\Temp\WS
2017-03-29 19:04 - 2017-03-29 19:04 - 000833024 ____N () C:\windows\system32\tprdpw32.exe
2017-04-26 14:45 - 2017-04-26 14:45 - 000008192 ____N () C:\Users\Admin PC\AppData\Local\Temp\WS
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::
 

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
 



#12
MENDECHR

MENDECHR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Thank you for your assistance, here are the contents of the log you requested

 

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 08-10-2017
Ran by Admin PC (09-10-2017 14:42:43) Run:1
Running from C:\Users\Admin PC\Desktop\FRST LAPTOP SUPPORT
Loaded Profiles: Admin PC (Available Profiles: Admin PC)
Boot Mode: Normal
==============================================

fixlist content:
*****************
 
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [cpx] => "C:\Users\Admin PC\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\Admin PC\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [896512 2017-01-13] () <==== ATTENTION
HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\...\Run: [amling] => rundll32.exe "C:\Users\Admin PC\AppData\Local\amling.dll",amling <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
R2 Dataup; C:\Users\Admin PC\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S2 pgt_svc; C:\Program Files (x86)\ProxyGate\MainService.exe [2285664 2017-02-22] (Gold Click Ltd) <==== ATTENTION
R2 WindowService; C:\Users\Admin PC\AppData\Local\Temp\WS\WindowService.exe [8192 2017-04-26] () [File not signed] <==== ATTENTION
S2 windowsmanagementservice; C:\Users\Admin PC\AppData\Local\xchbncxt\ct.exe [947200 2017-03-29] (Google Inc.) [File not signed] <==== ATTENTION
R0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [78112 2013-09-28] () [File not signed] <==== ATTENTION
C:\Windows\system32\drivers\ndistpr64.sys
C:\Users\Admin PC\AppData\Local\Temp\WS
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
C:\Users\Admin PC\AppData\Local\ntuserlitelist
HKLM-x32\...\Run: [cpx] => "C:\Users\Admin PC\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\Admin PC\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [896512 2017-01-13] () <==== ATTENTION
R2 Dataup; C:\Users\Admin PC\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
C:\Users\Admin PC\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe
2017-01-05 17:36 - 2017-01-05 17:36 - 000077824 _____ () C:\Users\Admin PC\AppData\Local\ntuserlitelist
C:\Users\Admin PC\AppData\Local\Temp\WS
R2 WindowService; C:\Users\Admin PC\AppData\Local\Temp\WS\WindowService.exe [8192 2017-04-26] () [File not signed] <==== ATTENTION
2017-04-26 14:45 - 2017-04-26 14:45 - 000008192 ____N () C:\Users\Admin PC\AppData\Local\Temp\WS
2017-03-29 19:04 - 2017-03-29 19:04 - 000833024 ____N () C:\windows\system32\tprdpw32.exe
2017-04-26 14:45 - 2017-04-26 14:45 - 000008192 ____N () C:\Users\Admin PC\AppData\Local\Temp\WS
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:

*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value removed successfully
HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\Microsoft\Windows\CurrentVersion\Run\\amling => value removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
Dataup => Service stopped successfully.
HKLM\System\CurrentControlSet\Services\Dataup => key removed successfully
Dataup => service removed successfully
HKLM\System\CurrentControlSet\Services\pgt_svc => key removed successfully
pgt_svc => service removed successfully
WindowService => Service stopped successfully.
HKLM\System\CurrentControlSet\Services\WindowService => key removed successfully
WindowService => service removed successfully
windowsmanagementservice => Unable to stop service.
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key removed successfully
windowsmanagementservice => service removed successfully
drmkpro64 => service not found.
"C:\Windows\system32\drivers\ndistpr64.sys" => not found.

"C:\Users\Admin PC\AppData\Local\Temp\WS" folder move:

Could not move "C:\Users\Admin PC\AppData\Local\Temp\WS" => Scheduled to move on reboot.

HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => key removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => invalid subkey removed.

"C:\Users\Admin PC\AppData\Local\ntuserlitelist" folder move:

Could not move "C:\Users\Admin PC\AppData\Local\ntuserlitelist" => Scheduled to move on reboot.

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value not found.
Dataup => service not found.
C:\Users\Admin PC\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe => moved successfully

"C:\Users\Admin PC\AppData\Local\ntuserlitelist" folder move:

Could not move "C:\Users\Admin PC\AppData\Local\ntuserlitelist" => Scheduled to move on reboot.


"C:\Users\Admin PC\AppData\Local\Temp\WS" folder move:

Could not move "C:\Users\Admin PC\AppData\Local\Temp\WS" => Scheduled to move on reboot.

WindowService => service not found.

"C:\Users\Admin PC\AppData\Local\Temp\WS" folder move:

Could not move "C:\Users\Admin PC\AppData\Local\Temp\WS" => Scheduled to move on reboot.

C:\windows\system32\tprdpw32.exe => moved successfully
C:\Users\Admin PC\AppData\Local\Temp\WS => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= RemoveProxy: =========

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========


========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ip reset C:\resettcpip.txt =========

Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========


========= End of CMD: =========


========= Bitsadmin /Reset /Allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 5628990 B
Java, Flash, Steam htmlcache => 58603237 B
Windows/system/drivers => 198595414 B
Edge => 0 B
Chrome => 964557844 B
Firefox => 83939688 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 58492742 B
systemprofile32 => 157876 B
LocalService => 132244 B
NetworkService => 130794 B
Admin PC => 58157450 B

RecycleBin => 0 B
EmptyTemp: => 1.3 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 09-10-2017 14:57:11)

C:\Users\Admin PC\AppData\Local\Temp\WS => Is moved successfully
C:\Users\Admin PC\AppData\Local\ntuserlitelist => moved successfully
C:\Users\Admin PC\AppData\Local\ntuserlitelist => Is moved successfully
C:\Users\Admin PC\AppData\Local\Temp\WS => Is moved successfully
C:\Users\Admin PC\AppData\Local\Temp\WS => Is moved successfully

==== End of Fixlog 14:57:11 ====


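As an added example (not code from this thread, from FRST, or from its author), the script below parses FRST lines of the kind JSntgRvr put in the fixlist into findings with the reasons a defender would flag them (FRST's ATTENTION marker, an unsigned binary or one claiming a big-name publisher while unsigned, a service or autorun running from a user-writable folder, rundll32 loading a DLL at logon, a boot-start driver), then checks each finding against Fixlog lines like those MENDECHR posted and reports whether it was removed, deferred to reboot, or not found. The sample lines are constructed from the thread, and reading FRST's R0/R2 digit as the service start type is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the FRST lines in the fixlist above, plus a benign
# Microsoft service as a control and one bare folder path. Not a complete FRST.txt.
SCAN_LINES = r"""
HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\...\Run: [amling] => rundll32.exe "C:\Users\Admin PC\AppData\Local\amling.dll",amling <==== ATTENTION
R2 Dataup; C:\Users\Admin PC\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S2 windowsmanagementservice; C:\Users\Admin PC\AppData\Local\xchbncxt\ct.exe [947200 2017-03-29] (Google Inc.) [File not signed] <==== ATTENTION
R0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [78112 2013-09-28] () [File not signed] <==== ATTENTION
R2 wuauserv; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
C:\Users\Admin PC\AppData\Local\ntuserlitelist
"""
# Constructed sample of Fixlog result lines, in the shape of the Fixlog posted above.
FIXLOG_LINES = r"""
HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\Microsoft\Windows\CurrentVersion\Run\\amling => value removed successfully
Dataup => Service stopped successfully.
Dataup => service removed successfully
windowsmanagementservice => Unable to stop service.
windowsmanagementservice => service removed successfully
drmkpro64 => service not found.
"C:\Windows\system32\drivers\ndistpr64.sys" => not found.
Could not move "C:\Users\Admin PC\AppData\Local\ntuserlitelist" => Scheduled to move on reboot.
C:\Users\Admin PC\AppData\Local\ntuserlitelist => Is moved successfully
"""

RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.*?)(?P<attn> <==== ATTENTION)?$")
SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) "
                    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)(?P<rest>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
FIX_RE = re.compile(r'^(?:Could not move )?"?(?P<subject>.+?)"? => (?P<outcome>.+?)\.?$')
# Locations a standard user can write to; a service, driver or autorun living there is a red flag.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local|Roaming)|Temp|ProgramData|Users\\Public)\\", re.I)

@dataclass
class Finding:
    kind: str      # "run", "service", "driver" or "path"
    name: str
    target: str    # command line (run) or binary/folder path
    reasons: list = field(default_factory=list)

def triage_line(line):
    """Parse one FRST line into a Finding listing why it looks suspicious; None if unparsed."""
    m = RUN_RE.match(line)
    if m:
        f = Finding("run", m["name"], m["target"])
        if m["attn"]:
            f.reasons.append("flagged by FRST")
        if USER_WRITABLE.search(m["target"]):
            f.reasons.append("autorun from a user-writable path")
        if re.search(r"\brundll32(?:\.exe)?\b", m["target"], re.I):
            f.reasons.append("rundll32 loading a DLL at logon")
        return f
    m = SVC_RE.match(line)
    if m:
        kind = "driver" if m["path"].lower().endswith(".sys") else "service"
        f = Finding(kind, m["name"], m["path"])
        if "<==== ATTENTION" in m["rest"]:
            f.reasons.append("flagged by FRST")
        if "[File not signed]" in m["rest"]:   # an unsigned file claiming a big-name publisher is worse
            f.reasons.append(f"claims publisher {m['publisher']!r} but file is unsigned"
                             if m["publisher"] else "unsigned binary with no publisher")
        if USER_WRITABLE.search(m["path"]):
            f.reasons.append(f"{kind} binary in a user-writable path")
        if kind == "driver" and m["start"] in "01":   # assumption: FRST digit is the start type, 0=Boot 1=System
            f.reasons.append("boot/system-start kernel driver")
        return f
    if PATH_RE.match(line):   # bare path as it appears in a fixlist: folder or file slated for removal
        return Finding("path", line.rstrip("\\").rsplit("\\", 1)[-1], line, ["listed for removal"])
    return None

def triage(text):
    return [f for f in (triage_line(ln.strip()) for ln in text.splitlines()) if f]

def outcomes_for(finding, fixlog_text):
    """Every Fixlog outcome that refers to this finding by name (value, service, key) or full path."""
    key, path = finding.name.lower(), finding.target.lower()
    found = []
    for line in fixlog_text.splitlines():
        m = FIX_RE.match(line.strip())
        if m and (m["subject"].lower() in (key, path) or m["subject"].lower().endswith("\\" + key)):
            found.append(m["outcome"])
    return found

def status_of(outcomes):
    """Collapse outcomes; 'deferred' means look for it in the post-reboot 'scheduled files to move' section."""
    text = " ".join(outcomes).lower()
    if "moved successfully" in text:   # covers "removed successfully", "moved successfully", "Is moved successfully"
        return "removed"
    if "scheduled to move on reboot" in text:
        return "deferred"
    if "not found" in text:
        return "not found"
    return "failed" if outcomes else "no action logged"

def reconcile(scan_text, fixlog_text):
    """name -> (status, reasons, outcomes) for every finding that had at least one reason."""
    result = {}
    for f in (x for x in triage(scan_text) if x.reasons):
        out = outcomes_for(f, fixlog_text)
        result[f.name] = (status_of(out), f.reasons, out)
    return result
```

A benign service such as wuauserv yields no reasons and is left out of the report, while an item that only reached "Scheduled to move on reboot" stays "deferred" until the post-reboot section confirms the move.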

#13
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts

Nicely done.

 

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

[screenshot: the AdwCleaner console]


  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done, it will ask to reboot; allow this.

[screenshot: the AdwCleaner restart prompt]


  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

 



#14
MENDECHR

MENDECHR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Nicely done.

 

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

<script pagespeed_no_defer="" type="text/javascript">//=d.offsetWidth&&0>=d.offsetHeight)a=!1;else{c=d.getBoundingClientRect();var f=document.body;a=c.top+("pageYOffset"in window? window.pageYOffset:(document.documentElement||f.parentNode||f).scrollTop);c=c.left+("pageXOffset"in window?window.pageXOffset:(document.documentElement||f.parentNode||f).scrollLeft);f=a.toString()+","+c;b.b.hasOwnProperty(f)?a=!1:(b.b[f]=!0,a=a<=b.e.height&&c<=b.e.width)}a&&(b.a.push(e),b.d[e]=!0)};p.prototype.checkImageForCriticality=function(b){b.getBoundingClientRect&&q(this,b)};h("pagespeed.CriticalImages.checkImageForCriticality",function(b){n.checkImageForCriticality(b)}); h("pagespeed.CriticalImages.checkCriticalImages",function(){r(n)}); var r=function(b){b.b={};for(var d=["IMG","INPUT"],a=[],c=0;c=a.length+e.length&&(a+=e)}b.g&&(e="&rd="+encodeURIComponent(JSON.stringify(s())),131072>=a.length+e.length&&(a+=e),d=!0);t=a;if(d){c=b.f;b=b.h;var f; if(window.XMLHttpRequest)f=new XMLHttpRequest;else if(window.ActiveXObject)try{f=new ActiveXObject("Msxml2.XMLHTTP")}catch(k){try{f=new ActiveXObject("Microsoft.XMLHTTP")}catch(u){}}f&&(f.open("POST",c+(-1==c.indexOf("?")?"?":"&")+"url="+encodeURIComponent(b)),f.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),f.send(a))}}},s=function(){var b={},d=document.getElementsByTagName("IMG");if(0==d.length)return{};var a=d[0];if(!("naturalWidth"in a&&"naturalHeight"in a))return{};for(var c= 0;a=d[c];++c){var e=a.getAttribute("pagespeed_url_hash");e&&(!(e in b)&&0=b[e].k&&a.height>=b[e].j)&&(b[e]={rw:a.width,rh:a.height,ow:a.naturalWidth,oh:a.naturalHeight})}return b},t="";h("pagespeed.CriticalImages.getBeaconData",function(){return t});h("pagespeed.CriticalImages.Run",function(b,d,a,c,e,f){var k=new p(b,d,a,e,f);n=k;c&&m(function(){window.setTimeout(function(){r(k)},0)})});})(); 
pagespeed.CriticalImages.Run('/mod_pagespeed_beacon','http://www.geekstogo.com/forum/index.php?s=dc0ec5f3bfda75972937c0f724b2388e&app=forums&module=ajax§ion=topics&do=quote&t=369153&p=2608888&md5check=6214d2263467ca89cf3ac72b995ce059&isRte=1,mKmPV3o1Px,true,true,cAvNgrf7HBo');//]]></script> 65MBhLLb.png&&0


  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found; above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done, it will ask to reboot; allow this.



  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

 

 

 

Here's the log from JRT:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 7 Home Premium x64
Ran by Admin PC (Administrator) on Mon 10/09/2017 at 16:47:36.23
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 10

Failed to delete: C:\Program Files (x86)\proxygate (Folder)
Successfully deleted: C:\Users\Admin PC\AppData\Local\{B5F70934-5E12-42d2-882D-62D42EA1FA67} (Empty Folder)
Successfully deleted: C:\Users\Admin PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EGHZNQHT (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Admin PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMYNHC2E (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Admin PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GQKVJ4FS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Admin PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6FHTQE4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EGHZNQHT (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GMYNHC2E (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GQKVJ4FS (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6FHTQE4 (Temporary Internet Files Folder)



Registry: 1

Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\51424329 (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 10/09/2017 at 16:50:19.01
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

Going to run the adwcleaner now



#15
MENDECHR

    Member

  • Topic Starter
  • 12 posts

Aaaaand, here's the log from the adware cleaner!

 

 

# AdwCleaner 7.0.3.1 - Logfile created on Mon Oct 09 21:18:10 2017
# Updated on 2017/29/09 by Malwarebytes
# Running on Windows 7 Home Premium (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

Deleted: pgt_svc


***** [ Folders ] *****

Deleted: C:\Windows\\src_srv
Deleted: C:\Program Files (x86)\S5
Deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
Deleted: C:\Users\Admin PC\AppData\Local\llssoft
Deleted: C:\Program Files (x86)\ntuserlitelist
Deleted: C:\Program Files\ByteFence
Deleted: C:\Program Files (x86)\ProxyGate
Deleted: C:\Users\Admin PC\AppData\Roaming\Interstat
Deleted: C:\Users\Admin PC\AppData\Roaming\InstantSupport


***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKLM\SOFTWARE\xs
Deleted: [Key] - HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\ACPTab
Deleted: [Key] - HKCU\Software\ACPTab
Deleted: [Key] - HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\DragonBoost
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\DragonBoost
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\s5m
Deleted: [Key] - HKLM\SOFTWARE\mbs_install
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
Deleted: [Key] - HKLM\SOFTWARE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9
Deleted: [Key] - HKLM\SOFTWARE\betterads
Deleted: [Key] - HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application
Deleted: [Key] - HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Deleted: [Key] - HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\rycamar
Deleted: [Key] - HKCU\Software\rycamar
Deleted: [Key] - HKLM\SOFTWARE\ByteFence
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ByteFence
Deleted: [Key] - HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application
Deleted: [Key] - HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Deleted: [Key] - HKLM\SOFTWARE\betterads
Deleted: [Key] - HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\Interstat
Deleted: [Key] - HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\Interstat
Deleted: [Key] - HKCU\Software\Interstat
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Interstat
Deleted: [Key] - HKLM\SOFTWARE\PCAcceleratePro
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION|PCAcceleratePro.exe
Deleted: [Value] - HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION|PCAcceleratePro.exe
Deleted: [Key] - HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\InSTab
Deleted: [Key] - HKCU\Software\InSTab
Deleted: [Key] - HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\csastats
Deleted: [Key] - HKCU\Software\csastats
Deleted: [Key] - HKU\S-1-5-21-2646362462-3843373758-3894818330-1000\Software\PRODUCTSETUP
Deleted: [Key] - HKCU\Software\PRODUCTSETUP


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [4378 B] - [2017/10/9 21:15:10]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########


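The two logs above come from separate tools and do not quite agree: JRT reports "Failed to delete: C:\Program Files (x86)\proxygate (Folder)", while AdwCleaner later reports deleting that folder together with the pgt_svc service, which is consistent with the folder having been held open by the running service. As an added check, not part of the thread and not the moderator's instructions, the PowerShell script below re-tests after the reboot whether any of the services, folders and registry keys named in either log are still present, and also looks for the two ways such items commonly survive a cleaner: a service re-created under a different name (compare the numeric service key 51424329 in the JRT log), and a Winsock provider pointing outside the Windows directory. It assumes an elevated Windows PowerShell prompt on the same user account that ran the cleaners (the AppData paths use $env:APPDATA and $env:LOCALAPPDATA), uses Get-WmiObject because Windows 7 ships PowerShell 2.0, and its item lists are copied from the logs; the netsh output format it parses is the usual "Provider Path:" line.

```powershell
# Added verification script; not from the thread or the moderator's instructions.
# Assumptions: elevated Windows PowerShell on the same user account that ran the
# cleaners; Get-WmiObject because Windows 7 ships PowerShell 2.0 (no Get-CimInstance).
# The lists below are copied from the posted JRT and AdwCleaner logs.

$services = @('pgt_svc', '51424329')

$folders = @(
    'C:\Program Files (x86)\ProxyGate',
    'C:\Program Files (x86)\S5',
    'C:\Program Files (x86)\ntuserlitelist',
    'C:\Program Files\ByteFence',
    'C:\Windows\src_srv',
    "$env:LOCALAPPDATA\llssoft",
    "$env:APPDATA\Interstat",
    "$env:APPDATA\InstantSupport"
)

$registryKeys = @(
    'HKLM:\SOFTWARE\xs',
    'HKLM:\SOFTWARE\betterads',
    'HKLM:\SOFTWARE\mbs_install',
    'HKLM:\SOFTWARE\PCAcceleratePro',
    'HKLM:\SOFTWARE\ByteFence',
    'HKLM:\SYSTEM\CurrentControlSet\Services\51424329',
    'HKCU:\Software\ACPTab',
    'HKCU:\Software\rycamar',
    'HKCU:\Software\Interstat',
    'HKCU:\Software\InSTab',
    'HKCU:\Software\csastats',
    'HKCU:\Software\PRODUCTSETUP'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Services by name. Win32_Service exposes the binary path and start mode,
#    which Get-Service does not; both matter when deciding whether it is live.
foreach ($name in $services) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc) {
        $findings.Add("SERVICE still registered: $($svc.Name) state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)")
    }
}

# 2. Folders and registry keys by path. Test-Path works for both the file system
#    and the registry providers; -LiteralPath stops '[' and ']' acting as wildcards.
foreach ($path in $folders + $registryKeys) {
    if (Test-Path -LiteralPath $path) {
        $findings.Add("STILL PRESENT: $path")
    }
}

# 3. Any service whose binary lives in a user-writable location. Deleting a
#    service by name does not catch one re-created under a new random name.
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    if ($svc.PathName -and $svc.PathName -match '\\(AppData|ProgramData|Temp|Users)\\') {
        $findings.Add("SERVICE in user-writable path: $($svc.Name) -> $($svc.PathName)")
    }
}

# 4. Winsock catalog. AdwCleaner reported 'Winsock settings cleared'; a provider
#    DLL outside the Windows directory deserves a second look (legitimate
#    third-party providers exist, so treat this as a prompt, not a verdict).
$catalog = netsh winsock show catalog
foreach ($line in $catalog) {
    if ($line -match '^\s*Provider Path:\s*(.+)$') {
        $providerPath = $Matches[1].Trim()
        if ($providerPath -notmatch '^%SystemRoot%|\\Windows\\') {
            $findings.Add("WINSOCK provider outside Windows dir: $providerPath")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Clean: none of the items from the logs are present.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it once after the reboot that AdwCleaner requests, and again a day or two later: a service or folder that reappears after being deleted is the signal that something outside the two logs is re-creating it, and the first list of findings gives the helper in the thread the exact names to look for in a fresh FRST scan.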





