Hello I am sorry to bother everyone but I have a very nasty virus/malware/rootkit problem I have tried for 3 or 4 days to remove this infection but I cannot download and run most antivirus spyware or malware removal application and the ones that it will allow to run cannot remove this virus. I have done a system restore, ran the window malicious software tool, I cannot run any MacAfee or Norton product I cannot run Malwarebytes even with the standalone rootkit remover I am completely dejected at this point as this has been an all consuming situation especially seeing that I am not very computer savvy or competent can someone please help me??
Trojan: Win32/Rundas.a The Requested Resource is in use" not ab
#1
Posted 07 April 2017 - 01:12 AM
#2
Posted 07 April 2017 - 05:22 AM
Welcome to GeeksToGo!
Please follow the instructions below:
Malwarebytes Anti-Rootkit (MBAR)
- Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
- Right-Click MBAR.exe and select Run as administrator to run the installer.
- Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
- Click Next, followed by Update. Upon update completion, click Next.
- Ensure Drivers, Sectors & System are checked and click Scan.
- Note: Do not use your computer during the scan.
- Upon completion:
- If no infection is found, close the MBAR window.
- If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
- Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.
Donna
#3
Posted 07 April 2017 - 02:46 PM
Donna you are a genius, cyber goddess, and my very favorite person!!!!
Attached Files
#4
Posted 07 April 2017 - 03:19 PM
That was good timing, by the way. I just got home from work and logged in to check up on you. Perfect timing!!
Looks like MBAR did get the rootkit. I am going to have you follow the same instructions again that I posted above just to see if anything was overlooked on the first run. Please post the mbar-log that it produces the second time around.
Once that is complete:
I am going to have you run JRT to see if there are any remnants left over, then we'll grab a fresh set of FRST logs as well.
Junkware Removal Tool (JRT)
- Download Junkware Removal Tool (JRT) and move it to your Desktop;
- Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
- Press on any key to launch the scan and let it complete;
Credits : BleepingComputer.com - Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
Farbar Recovery Scan Tool (FRST) - Scan mode
- Right click on FRST.exe and select Run as Administrator
- Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
- Click on the Scan button;
- On completion, two message box will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files;
- Copy and paste the content of both FRST.txt and Addition.txt in your next reply;
#5
Posted 07 April 2017 - 08:46 PM
HI Donna I am sorry it took me so long to provide these scans!!
Attached Files
#6
Posted 07 April 2017 - 10:06 PM
No need to apologize.
Looks like MBAR cleaned you up pretty good there.
Download AdwCleaner from here. Save the file to the desktop.
NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.
Close all open windows and browsers.
- XP users: Double click the AdwCleaner icon to start the program.
- Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:
- Click the Scan button and wait for the scan to finish.
- After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
- Click the Clean button.
- Everything checked will be moved to Quarantine.
- When the program has finished cleaning a report appears.Once done it will ask to reboot, allow this
- On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt
#7
Posted 07 April 2017 - 11:27 PM
I hoped all of these viruses were gone but I thought I saw Malewarebytes say that it found 56 infections I hope I was wrong about that.
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-06.1 [Server]
# Operating System : Windows 10 Home (X64)
# Username : Sean - LAPTOP-NMPDR74D
# Running from : C:\Users\Sean\Desktop\adwcleaner_6.045.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support
***** [ Folders ] *****
[-] Folder deleted: C:\Users\Sean\.AnonymizerLauncher
[-] Folder deleted: C:\Users\Sean\AppData\Local\AnonymizerLauncher
[-] Folder deleted: C:\Users\Sean\AppData\Local\llssoft
[-] Folder deleted: C:\Users\Sean\AppData\Roaming\ParetoLogic
[#] Folder deleted on reboot: C:\Users\Sean\AppData\Roaming\PARETOLOGIC
[-] Folder deleted: C:\ProgramData\ParetoLogic
[-] Folder deleted: C:\ProgramData\SlimWare Utilities, Inc
[#] Folder deleted on reboot: C:\ProgramData\PARETOLOGIC
[#] Folder deleted on reboot: C:\ProgramData\Application Data\ParetoLogic
[#] Folder deleted on reboot: C:\ProgramData\Application Data\SlimWare Utilities, Inc
[#] Folder deleted on reboot: C:\ProgramData\Application Data\PARETOLOGIC
[-] Folder deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
[-] Folder deleted: C:\Program Files (x86)\S5
[-] Folder deleted: C:\Program Files (x86)\SlimCleaner
[-] Folder deleted: C:\Program Files (x86)\AnonymizerGadget
[-] Folder deleted: C:\Users\Sean\AppData\Roaming\AGData
[-] Folder deleted: C:\quardata
***** [ Files ] *****
[#] File deleted: C:\Users\Sean\AppData\Local\uninstallro.exe
***** [ DLL ] *****
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{65416821-217D-44BD-9C61-F53398FB1B46}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{34F4FEAF-4921-4B5D-8BE5-CA384BFFC2CE}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{39A37965-0A96-43A3-870E-821FE5C84B0B}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
[-] Key deleted: HKU\S-1-5-21-3944881690-2465539413-2922067820-1001\Software\ParetoLogic
[-] Key deleted: HKU\S-1-5-21-3944881690-2465539413-2922067820-1001\Software\PRODUCTSETUP
[-] Key deleted: HKU\S-1-5-21-3944881690-2465539413-2922067820-1001\Software\SlimWare Utilities Inc
[-] Key deleted: HKU\S-1-5-21-3944881690-2465539413-2922067820-1001\Software\csastats
[#] Key deleted on reboot: HKCU\Software\ParetoLogic
[#] Key deleted on reboot: HKCU\Software\PRODUCTSETUP
[#] Key deleted on reboot: HKCU\Software\SlimWare Utilities Inc
[#] Key deleted on reboot: HKCU\Software\csastats
[-] Key deleted: HKLM\SOFTWARE\SLIMWARE UTILITIES, INC.
[-] Key deleted: HKLM\SOFTWARE\ParetoLogic
[-] Key deleted: HKLM\SOFTWARE\SlimWare Utilities Inc
[-] Key deleted: HKLM\SOFTWARE\Microleaves
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0187837F-FA61-437D-9647-EE1E86233276}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverUpdate
[#] Key deleted on reboot: [x64] HKCU\Software\ParetoLogic
[#] Key deleted on reboot: [x64] HKCU\Software\PRODUCTSETUP
[#] Key deleted on reboot: [x64] HKCU\Software\SlimWare Utilities Inc
[#] Key deleted on reboot: [x64] HKCU\Software\csastats
[-] Key deleted: [x64] HKLM\SOFTWARE\Microleaves
[-] Key deleted: HKU\S-1-5-21-3944881690-2465539413-2922067820-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: HKU\S-1-5-21-3944881690-2465539413-2922067820-1001\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data restored: [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
***** [ Web browsers ] *****
:: Winsock settings cleared
C:\AdwCleaner\AdwCleaner[S0].txt - [4837 Bytes] - [07/04/2017 22:12:59]
#8
Posted 08 April 2017 - 05:11 AM
How is your computer behaving now?
AdwCleaner removed quite a bit, helping to trim down some of the stuff I was going to include in my script fix for FRST.
We used Malwarebytes Anti-Rootkit above. The first scan removed a huge amount of the infection. The second scan found only one trojan. Now I am going to have you download the following version of Malwarebytes to see what, if anything it finds.I hoped all of these viruses were gone but I thought I saw Malwarebytes say that it found 56 infections I hope I was wrong about that.
Scan with Malwarebytes
Please note: If you already have Malwarebytes Anti-Malware installed, do not download it again. Skip to the next line.
- Download Malwarebytes Anti-Malware by clicking here.
- Start the program and select Update
- Once it has updated select Settings > Detection and Protection
- Tick Scan for rootkits
- Go back to the Dashboard and select Scan Now
- If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.
- On completion of the scan (or after the reboot), start MBAM,
- Click History, then Application Logs, then check the Select box by the first Scan Log in the list and then click on the log to highlight it.
- Click Export, select text file and save to the desktop as MBAM.txt and post in your next reply.
One more set of FRST/Addition logs to see what is left to remove.
- Right click on the FRST.exe and choose Run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Under Optional Scan place a checkmark in the box for Addition.txt to ensure it creates that 2nd log.
- Press Scan button.
- Please post both logs directly into your next reply.
#9
Posted 08 April 2017 - 09:08 AM
I hope every thing is okay now??
www.malwarebytes.com
Scan Date: 4/8/17
Scan Time: 5:10 AM
Logfile:
Administrator: Yes
Version: 3.0.6.1469
Components Version: 1.0.96
Update Package Version: 1.0.1686
License: Trial
OS: Windows 10
CPU: x64
File System: NTFS
User: LAPTOP-NMPDR74D\Sean
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 387323
Time Elapsed: 13 min, 16 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Process: 0
(No malicious items detected)
(No malicious items detected)
(No malicious items detected)
(No malicious items detected)
(No malicious items detected)
(No malicious items detected)
(No malicious items detected)
(No malicious items detected)
(No malicious items detected)
(end)
Attached Files
#10
Posted 08 April 2017 - 06:46 PM
Sorry for the delay.
Please go to your Control Panel > Programs and Features and uninstall the following two programs:
Digital Care Solutions
Trojan Remover
I have a feeling they were downloaded and installed in your time of desperation. The Malwarebytes version 3 that I had you download is a much better alternative. Make sure to keep MBAM 3.0 installed and run it often. If you feel safer, they do offer the Pro version that runs in real time as a second layer of protection though there is a yearly subscription cost involved.
The developers of Malwarebytes recently released Malwarebytes v3.0 which is an antivirus replacement, as with all previous Pro versions the newly released Malwarebytes 3.0 was designed to support compatibility if you choose to use a third-party antivirus or other security software alongside Malwarebytes 3.0. Meaning, you can run McAfee along side MBAM V3.0 and they will not cause conflict as other multiple AV's will. You can read more about that here if you like.
Yes. Every thing is shaping up very nicely. We do have a some loose ends to clean up.I hope every thing is okay now??
After you uninstall the two programs that I mentioned above, please do as follows:
- Open notepad (Start orb > type notepad into Start Search > chose notepad from list.
- Please copy the entire contents of the code box below, including the words start and end
(To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). - Save it to your desktop as fixlist.txt.
start CloseProcesses: CreateRestorePoint: HKLM-x32\...\Run: [TrojanScanner] => C:\Program Files (x86)\Trojan Remover\Trjscan.exe [3656248 2017-03-02] (Simply Super Software) HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-21-3944881690-2465539413-2922067820-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X] R3 gzflt; C:\Program Files\BDServices\gzflt.sys [161592 2017-03-15] (BitDefender LLC) R3 Trufos; C:\WINDOWS\System32\DRIVERS\Trufos.sys [485512 2017-03-15] (BitDefender S.R.L.) 2017-03-29 14:49 - 2017-04-07 13:31 - 00000000 ____D C:\Users\Sean\AppData\Local\drutkycvq 2017-03-29 14:49 - 2017-03-30 17:25 - 00000000 ____D C:\Users\Sean\AppData\Local\lpzahjqu 2017-03-29 14:49 - 2017-03-29 14:49 - 00000000 ____D C:\Users\Sean\AppData\Roaming\c 2017-03-29 14:49 - 2017-03-29 14:49 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics 2017-03-29 14:49 - 2017-03-29 14:49 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics 2017-03-16 11:43 - 2017-03-16 11:43 - 40622592 _____ () C:\Program Files (x86)\Digital Care Solutions 2017-04-05 23:37 - 2017-04-06 01:09 - 00002303 _____ C:\Users\Sean\Desktop\Digital Care.lnk 2017-04-05 23:37 - 2017-04-05 23:38 - 00000584 _____ C:\WINDOWS\Tasks\Digital Care Startup.job 2017-04-05 23:37 - 2017-04-05 23:37 - 00003148 _____ C:\WINDOWS\System32\Tasks\Digital Care Startup 2017-04-05 23:37 - 2017-04-05 23:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Digital Care Solutions 2017-04-05 23:35 - 2017-04-05 23:35 - 00000000 ____D C:\ProgramData\Digital Care Solutions 2017-04-05 23:24 - 2017-04-05 23:24 - 00000000 ____D C:\Users\Sean\AppData\Local\DBG 2017-04-05 23:21 - 2017-04-06 15:41 - 00042362 _____ C:\WINDOWS\system32\bddel.dat 2017-04-05 23:03 - 2017-04-06 04:12 - 00000000 ____D C:\Program Files\BDServices 2017-04-04 04:25 - 2017-04-06 01:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trojan Remover 2017-04-04 04:25 - 2017-04-04 04:25 - 00000000 ____D C:\Users\Sean\Documents\Simply Super Software 2017-04-04 04:25 - 2017-04-04 04:25 - 00000000 ____D C:\Users\Sean\AppData\Roaming\Simply Super Software 2017-04-04 04:25 - 2017-04-04 04:25 - 00000000 ____D C:\ProgramData\Simply Super Software 2017-04-04 04:24 - 2017-04-06 01:53 - 64936608 _____ (Simply Super Software ) C:\Users\Sean\Downloads\trjsetup695.exe 2017-04-04 04:23 - 2017-04-04 04:24 - 01884832 _____ ( ) C:\Users\Sean\Downloads\Trojan_Remover_6.9.5.exe C:\Program Files (x86)\Trojan Remover Task: {8F984A00-2F47-439A-9931-CE754DB28AA9} - System32\Tasks\Digital Care Startup => C:\Program Files (x86)\Digital Care Solutions\Digital Care\DC_Launcher.exe [2017-03-16] (Digital Care Solutions) Task: C:\WINDOWS\Tasks\Digital Care Startup.job => C:\Program Files (x86)\Digital Care Solutions\Digital Care\DC_Launcher.exe BootExecute: autocheck autochk * bddel.exe AlternateDataStreams: C:\WINDOWS\system32\Drivers\nfntibvj.sys:changelist [448] Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f CMD: netsh advfirewall reset CMD: netsh advfirewall set allprofiles state Off CMD: ipconfig /flushdns Emptytemp: end
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system - Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
- The tool will make a log (Fixlog.txt) which you will find where you saved FRST. Please post it to your reply.
- fixlog.txt
- How is the computer behaving now?
#11
Posted 09 April 2017 - 03:36 AM
Hi Donna my computer is working great I was thinking of doing a factory reset so that all 3rd party apps and unecessary adware would be removed off of my computer what is your opinion on that??
Attached Files
#12
Posted 09 April 2017 - 05:31 AM
Woo Hoo! Excellent news! So glad your computer is behaving much better..
My opinion? Totally unnecessary! Only time I would suggest resetting a computer back to factory is as a last resort. I can introduce you to a program that you can use that will audit your system and will display which programs that you can choose from that can be safely uninstalled without effecting the performance of your computer. Some of the scans I had you run cleansed any adware so you should be good to go in that department.I was thinking of doing a factory reset so that all 3rd party apps and unnecessary adware would be removed off of my computer what is your opinion on that??
Before I remove the tools used and provide a couple of safety tips to prevent this from happening again, let's perform one more overall scan to ensure nothing is lurking in the shadows.
Please do as follow:
Emisoft Emergency Kit
- Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
- Once the extraction is complete, Emsisoft Emergency Kit will open, and suggest you to run an online update before using the program. Click on Yes to launch it.
- After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
- Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
- If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
- After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
- This time, click on Logs;
- From there, go under the Quarantine Log tab, and click on the Export button;
- Save the log on your desktop, then open it, and copy/paste its content in your next reply;
#13
Posted 09 April 2017 - 06:04 AM
hip hip hooray no potentially unwanted files or malware detected Donna thank you thank you thank you thank you and thank you AGAIN!!!!!!
#14
Posted 09 April 2017 - 06:28 AM
Tool Removal with Delfix and Creation of a clean restore point
- Download Delfix from here
- Ensure Remove disinfection tools is ticked
Also tick:- Create registry backup
- Purge system restore
- Reset System Settings
- Click Run
- You can uninstall Emisoft Emergency Kit at this time.
- I recommend keeping Malwarebytes Anti-Malware installed. Make sure to update it and run it at least once a week. If it finds things such as PUP's (Potentially Unwanted Programs) you can delete those with no worries. However, if it finds something like a trojan, come see us.
If you have any questions or concerns, don't hesitate to ask.
#15
Posted 09 April 2017 - 06:42 AM
Donna you are so nice and smart how come you were the only person on the internet that new how to solve my problem?? Microsoft nor Mcafee had absolutely now clue
# Updated 26/04/2015 by Xplode
# Username : Sean - LAPTOP-NMPDR74D
# Operating System : Windows 10 Home (64 bits)
Deleted : C:\AdwCleaner
Deleted : C:\Users\Sean\Desktop\mbar
Deleted : C:\Users\Sean\Desktop\Addition.txt
Deleted : C:\Users\Sean\Desktop\adwcleaner_6.045.exe
Deleted : C:\Users\Sean\Desktop\Fixlog.txt
Deleted : C:\Users\Sean\Desktop\FRST.txt
Deleted : C:\Users\Sean\Desktop\FRST64.exe
Deleted : C:\Users\Sean\Desktop\JRT.exe
Deleted : C:\Users\Sean\Desktop\JRT.txt
Deleted : C:\Users\Sean\Desktop\Rkill.txt
Deleted : RP #3 [4/6/17 | 04/06/2017 11:05:23]
Deleted : RP #6 [JRT Pre-Junkware Removal | 04/08/2017 01:37:50]
Deleted : RP #7 [JRT Pre-Junkware Removal | 04/08/2017 02:14:50]
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users