Topic: Hidden supervirus?


mikeanti

    Topic Starter


    Rookie

    • Experience: Familiar
    • OS: Windows 10
    Hidden supervirus?
    « on: April 06, 2018, 08:46:06 AM »
    Dear Helpers,
    Never had a virus. A couple of days ago I went to a movie streaming site. AVG reacted a couple of times (like 8 times, same trojan/virus). Computer got slow, can't open .exe files, login wallpaper changed, can't open Task Manager, can't update Malwarebytes. Scanned with AVG and Malwarebytes, can't find anything. Scanned with ESET Online Scanner, nothing; HouseCall Trend Micro, nothing. Went into Safe Mode, installed Avast and AdwCleaner, nothing. Discovered this site...
    Have Windows 10 64-bit, AVG, Malwarebytes.

    I can't do step 2 of the malware removal guide and you said to stop and ask. So I stopped and am asking... what to do?

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Experience: Expert
    • OS: Windows 10
    Re: Hidden supervirus?
    « Reply #1 on: April 06, 2018, 01:18:16 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down while inserting the USB storage device for about 10 seconds. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back online.
    *************************************************************************
    What happens when you try to run MBAM? Please run a complete scan with AVG. Please go to Start, Control Panel, Programs and Features to see if there are any new programs installed since the problem began.
    *************************************************************

    Download Security Check by screen317 from the following link and save it to your desktop.

    Security Check

    * Double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    Windows 8 and Windows 10 dual boot with two SSD's

    mikeanti

      Re: Hidden supervirus?
      « Reply #2 on: April 07, 2018, 07:45:15 AM »
      Thanks Dave for taking the time to help me out.
      I noticed some strange things in the meantime: 1. the icon of the garbage bin changed to the icon in Safe Mode (square instead of round); 2. recommended YouTube videos extremely different from what I normally watch; 3. the screen sometimes gets gray and loads the desktop again (like it gets stuck).

      I couldn't run the .exe (not .bat??) file of Security Check in Normal Mode. An error appears with "couldn't find file" and the path C:/... to the file.
      So I installed and scanned from Safe Mode.

       Results of screen317's Security Check version 1.014 --- 12/23/15
         x64 (UAC is enabled)
       Internet Explorer 11
      ``````````````Antivirus/Firewall Check:``````````````
       Windows Security Center service is not running! This report may not be accurate!
       Windows Firewall Enabled!
      Avast Antivirus
      Windows Defender
      AVG Antivirus
       Antivirus up to date!  (On Access scanning disabled!)
      `````````Anti-malware/Other Utilities Check:`````````
       Secunia PSI (3.0.0.7011)
       AVG Web TuneUp
       Duplicate Cleaner Free 3.2.6
       Adobe Flash Player    29.0.0.113
       Google Chrome (65.0.3325.181)
       Google Chrome (SetupMetrics...)
      ````````Process Check: objlist.exe by Laurent````````
      `````````````````System Health check`````````````````
       Total Fragmentation on Drive C:  %
      ````````````````````End of Log``````````````````````
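The two warning lines in that log, "Windows Security Center service is not running" and "On Access scanning disabled", can be checked directly with tooling that ships with Windows, without a third-party script. The block below is an added example, not part of the thread and not screen317's tool; it assumes Windows 10 with the Defender PowerShell module present and an elevated PowerShell prompt. The decoding of the productState bitfield is the widely used community interpretation, not a documented Microsoft API, and is an assumption of this example.

```powershell
# Added example (not from the thread or from screen317's Security Check):
# reproduce the two warnings in that log with built-in Windows tooling.
# Assumes Windows 10 and an elevated PowerShell prompt.

# 1. Security Center service. Windows only knows which AV is active while this
#    service runs; a stopped or disabled wscsvc is a classic tampering indicator.
$wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($null -eq $wsc) {
    Write-Warning 'wscsvc service is not present on this machine'
} else {
    'wscsvc: Status={0} StartType={1}' -f $wsc.Status, $wsc.StartType
}

# 2. Every AV product registered with Security Center and its state flags.
#    productState is an undocumented bitfield; 0x1000 = enabled and 0x10 =
#    signatures out of date is the community decoding (assumption).
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    ForEach-Object {
        $state = [int]$_.productState
        [pscustomobject]@{
            Product  = $_.displayName
            Enabled  = (($state -band 0x1000) -ne 0)
            UpToDate = (($state -band 0x10) -eq 0)
            Path     = $_.pathToSignedProductExe
        }
    } | Format-Table -AutoSize

# 3. Defender's own view of real-time ("on access") protection. The cmdlet
#    fails when Defender has been switched off in favour of a third-party AV,
#    which is itself useful information.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    Write-Warning 'Get-MpComputerStatus failed: Defender is disabled or the module is missing'
} else {
    [pscustomobject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        OnAccessProtection = $mp.OnAccessProtectionEnabled
        AntivirusEnabled   = $mp.AntivirusEnabled
        SignatureAgeDays   = $mp.AntivirusSignatureAge
    }
}

# 4. Is the disabled state enforced by policy? Neither key exists on a default
#    install; malware and "optimizer" tools like to create them.
$polRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $polRoot) {
    Get-ItemProperty $polRoot | Select-Object DisableAntiSpyware
}
if (Test-Path "$polRoot\Real-Time Protection") {
    Get-ItemProperty "$polRoot\Real-Time Protection" | Select-Object DisableRealtimeMonitoring
}
```

With three AV products registered at once, as in the log above, expect at most one of them to show Enabled = True; two products both claiming real-time protection is exactly the conflict SuperDave warns about in the next reply.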

      SuperDave

      Re: Hidden supervirus?
      « Reply #3 on: April 07, 2018, 10:44:06 AM »
      The Security log shows you have multiple AVs active on your computer. Windows Defender is the resident AV with Windows 10. You should uninstall AVG and Avast because there is a good chance that they will cause conflicts. You should take the time to back up your important data just in case we do a recovery. Please check to see if you have a Restore Point prior to this event and run the Restore. Do you have the installation disk(s) for Windows 10 or is there a Recovery on a separate partition of your hard drive?

        mikeanti

        Re: Hidden supervirus?
        « Reply #4 on: April 07, 2018, 11:14:32 AM »
        That's because I couldn't find anything the 2nd time with AVG, so I installed Avast instead. AVG is for real-time protection; Avast is only set up for passive virus scanning. AVG found the virus the first time, just after the visited website, but I think it couldn't remove it. Anyway, I will remove AVG and Avast if you say so. I do not have a fairly new backup. If I start backing up now on a USB stick, wouldn't the virus migrate to the USB and therefore to the new OS install?

        I get an error if I want to see if I have a restore point. Same .exe file error as the other one. I think the OS is factory set in a separate partition on my HDD. Is it possible the system kicked me out of administrator settings? Also, if the virus is operating within the system, could I scan my HDD with a Linux bootable USB without letting the virus get active? Sorry for the dumb questions. What to do next?

        spankBot



          Rookie
        • I am Kane. I will help you.
        • Thanked: 2
        • Experience: Experienced
        • OS: Windows 7
        Re: Hidden supervirus?
        « Reply #5 on: April 07, 2018, 11:50:09 AM »
        Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. SuperDave.
        « Last Edit: April 08, 2018, 11:02:58 AM by SuperDave »

        SuperDave

        Re: Hidden supervirus?
        « Reply #6 on: April 08, 2018, 11:07:30 AM »
        Quote
        Anyways, will remove AVG and Avast if you say so.
        It is my opinion that AVG and Avast give a lot of false-positives. You're better off with Windows Defender.
        Quote
        I do not have a fairly new backup. If i start backing up now on a usb stick; wouldnt the virus migrate to the usb and therefore to the new OS install?
        What I meant by back-up was your important data such as pictures, videos, music and other important documents; not the whole OS.
        Quote
        I get an error if i want to see if i have a restore point. Same .exe file error like the other one. I think the OS is factory set in a seperate partition on my hdd. Is it possible the system kicked me out of administrator settings? Also if the virus is operating within the system could i with a Linux bootable USB scan my hdd without letting the virus get active? Sorry for the dumb questions. What to do next?
        What does the error say? Have you tried in Safe Mode? You can check your hard drive by clicking on My Computer or This PC. You should see the additional partition. Please run a scan with Windows Defender to see if it finds anything. This is not acting like a virus, but something may have messed up the OS.

          mikeanti

          Re: Hidden supervirus?
          « Reply #7 on: April 15, 2018, 04:54:43 PM »
          Quote
          What I meant by back-up was your important data such as pictures, videos, music and other important documents; not the whole OS
          I meant the same thing. If I back these pics up on a USB, wouldn't a virus migrate with those pics to the USB and to the clean install later on?

          Quote
          What does the error say? Have you tried in Safe Mode? You can check your harddrive by clicking on My Computer or This PC. You should see the additional partition. Please run a scan with Windows Defender to see if it finds anything. This is not acting like a virus but something may have messed the OS.
          It says, translated from my native language: Cannot find the file C:\WINDOWS\system32\RecoveryDrive.exe. Check that you have entered the correct name and then try again.

          It took extremely long to scan with Windows Defender, but it found Trojan:Win32/Dynamer!rfn. Tried to remove it with Defender. Also took some time. Decided to scan again just to be sure. Found the same trojan in the same folder again. Deleted again. I guess it's still there and can't be deleted somehow. It was in the guest account. Tried to log in and let Defender scan only that file, to make it faster to delete it instead of doing the whole 40-hour scan again. Guest account desktop couldn't be loaded. Got the error: Shell Infrastructure Host doesn't work. Opened Task Manager > Processes > there were 69 processes with the name svchost.exe. Don't know what that is.

          Anyway, the trojan found in that folder was there a long time ago, so it couldn't be the new virus I got a couple of days ago. I know this for sure because: 1. my brother downloaded that program more than 4 years ago and it was in the guest account; 2. problems started right after I went to the movie streaming site and AVG reacted to that. What should I do next since Defender can't find anything?
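The 69 svchost.exe processes in that post are not by themselves a sign of infection: since Windows 10 version 1703, on machines with more than 3.5 GB of RAM, most services run in their own svchost.exe instance, so dozens are normal. What matters is whether each one is the genuine binary. The following is an added example (not from the thread), written for an elevated PowerShell prompt so that the executable path of SYSTEM-owned processes is readable; it lists every svchost.exe with its path, Authenticode signer and hosted services, and flags the ones worth a closer look.

```powershell
# Added example (not from the thread): triage "69 svchost.exe processes".
# Run from an elevated PowerShell prompt on Windows 10.

# The only place the real service host lives.
$legit = Join-Path $env:SystemRoot 'System32\svchost.exe'

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $p = $_
    # Services hosted by this PID; empty for an impostor that only borrows the name.
    $svcs = (Get-CimInstance Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
             Select-Object -ExpandProperty Name) -join ','
    # ExecutablePath is $null when the caller lacks rights to the process.
    $sig = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath } else { $null }
    [pscustomobject]@{
        PID       = $p.ProcessId
        ParentPID = $p.ParentProcessId
        Path      = $p.ExecutablePath
        RightPath = ($p.ExecutablePath -eq $legit)      # -eq is case-insensitive
        SigStatus = if ($sig) { $sig.Status } else { '<unreadable>' }
        Signer    = if ($sig) { $sig.SignerCertificate.Subject } else { '<unreadable>' }
        Services  = $svcs
    }
} | Sort-Object RightPath, SigStatus | Format-Table PID, ParentPID, RightPath, SigStatus, Services -AutoSize -Wrap

# Red flags in the output:
#  - RightPath = False: a svchost.exe under a user profile, Temp, or SysWOW64
#  - SigStatus other than Valid, or a Signer that is not "CN=Microsoft Windows, ..."
#  - Services empty: a real svchost always hosts at least one service
#  - ParentPID that is not services.exe (check with: Get-Process -Id <ParentPID>)
```

On a healthy machine every row shows RightPath = True, SigStatus = Valid and at least one service name; a long list of such rows is the 1703+ service split, not malware.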

          SuperDave

          Re: Hidden supervirus?
          « Reply #8 on: April 15, 2018, 07:30:45 PM »
          Quote
          It was in the guest account.
          Try to delete that guest account and create a new one if needed.
          Quote
          Problems started right after i went to the movie streaming site and AVG reacted to that.
          You will need to uninstall AVG. Windows Defender is your resident AV.

          ESET Online Scanner
          Note: If you use Internet Explorer to get the ESET Online Scanner, you won't have to download or install the tool, as everything will be run in a contextual (pop-up) window of Internet Explorer. However, for every other browser, you will have to download and install ESET Online Scanner. In this set of instructions, I'll use Google Chrome to download it and run it (since a lot of people will do it); however, except for the download and installation procedure, the same instructions apply if you use Internet Explorer. Please note that two or three prompts will appear if you use Internet Explorer asking you to reload the page, authorize the application, execute it, etc. Accept all of them in order to run ESET Online Scanner.

              Download and execute ESET OnlineScan (on this window, click on ESET Smart Installer to trigger the download). People accessing this URL via Internet Explorer will start the integration process of ESET Online Scanner in their browser;
              Once the installation is done (it requires Admin Rights), check the following settings (two of them are under Advanced Settings, click on it to display them):

                  Enable detection of potentially unwanted applications;
                  Scan archives;
                  Scan for potentially unsafe applications;
                  Optional: If you want to scan more drives, click on Change... and select the drives you want to include in the scan;

              After you're done checking these options, click on Start and ESET Online Scanner will download its virus signature database before starting the scan;
              Once done, the scan will start automatically. Detections will appear at the bottom of the window. ESET Online Scanner can have an extremely long scan time that can last between 2 or 3 hours. So if you start the scan, do not interrupt it, let it complete until the end;
              After the scan is finished, a summary window will appear to give you the information about the scan. Then you'll have the option to see what threats were found and to manage the threats that were quarantined;
              Click on List of found threats, it'll display every threat identified during that scan, their type and what action was taken against them. Click on Copy to clipboard to copy these results to your clipboard and post them in your next reply;
              Once you're done, click on the Back button;
              Check both checkboxes at the bottom: Uninstall application on close and Delete quarantined files before clicking on the Finish button;

            mikeanti

            Re: Hidden supervirus?
            « Reply #9 on: April 16, 2018, 08:30:58 AM »
            I can't delete the guest account because I no longer have administrator rights. Also can't change my account to administrator via the configuration screen.
            Also can't access the hidden Win 10 Administrator account via REGEDIT and HKEY_LOCAL_MACHINE. I get the following error:
            No program is associated with the specified file for this operation. Install a program or, if this is installed,
            create a link in the Default Programs section of the Control Panel.
            C: \ Users \ AppData \ Local \ Microsoft \ Windows \ WinX \ Group3 \ 01 - Command Prompt.lnk

            Already uninstalled AVG.

            When I start the ESET Online Scanner it says: Warning: ESET Online Scanner is not being run with administrator privileges, and may not be able to remove all threats. We advise you to run it again with administrator privileges.

            Should I run it anyway? I used it before and it couldn't find anything.
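The symptoms in this post and the earlier ones (.exe files that will not start, a .lnk that Windows says has no associated program, Task Manager blocked, the account no longer an administrator) each map to a handful of registry locations that malware commonly edits. The block below is an added example, not from the thread; it reads those locations and compares them with the Windows 10 defaults without changing anything. Get-ShellOpenCommand is a helper defined here for the example. Run it as the affected user first, then again from an elevated prompt if one is still available.

```powershell
# Added example (not from the thread): read-only triage of the settings behind
# ".exe/.lnk will not launch", "Task Manager blocked" and "no longer admin".
# Expected values are the Windows 10 defaults; anything else deserves a closer look.

function Get-ShellOpenCommand {
    param([string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (Test-Path -LiteralPath $key) { (Get-ItemProperty -LiteralPath $key).'(default)' } else { '<missing>' }
}

# 1. Launch handlers for executables. A hijack replaces "%1" %* with a path to
#    the malware, which then runs (or refuses to run) every program you start.
$expected = @{ exefile = '"%1" %*'; batfile = '"%1" %*'; cmdfile = '"%1" %*'; comfile = '"%1" %*' }
foreach ($progId in $expected.Keys) {
    $actual = Get-ShellOpenCommand $progId
    [pscustomobject]@{ ProgId = $progId; Expected = $expected[$progId]; Actual = $actual; OK = ($actual -eq $expected[$progId]) }
}
# Per-user class registrations override HKCR, so a hijack often hides here;
# on a default profile none of these keys exist.
Get-ChildItem 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue |
    Where-Object Name -match '\\(\.exe|\.lnk|exefile|lnkfile)$' | Select-Object Name
# Shortcuts: .lnk must map to lnkfile, and lnkfile must carry the IsShortcut
# marker; a broken mapping can produce the "No program is associated with the
# specified file" error seen above when a .lnk is opened.
$lnkExt = (Get-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.lnk' -ErrorAction SilentlyContinue).'(default)'
$lnkKey = Get-Item -LiteralPath 'Registry::HKEY_CLASSES_ROOT\lnkfile' -ErrorAction SilentlyContinue
[pscustomobject]@{
    LnkMapsTo     = $lnkExt
    Expected      = 'lnkfile'
    HasIsShortcut = ($null -ne $lnkKey -and $lnkKey.GetValueNames() -contains 'IsShortcut')
}

# 2. Image File Execution Options: a Debugger value silently redirects a named
#    .exe to another program, a common way to block AV tools and Task Manager.
#    Debugger values are rare on a clean install.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -LiteralPath $_.PSPath).Debugger
    if ($dbg) { [pscustomobject]@{ Exe = $_.PSChildName; Debugger = $dbg } }
}

# 3. Policies that block Task Manager and regedit (value 1 = blocked).
foreach ($hive in 'HKCU', 'HKLM') {
    $p = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $p) {
        Get-ItemProperty $p | Select-Object @{ n = 'Hive'; e = { $hive } }, DisableTaskMgr, DisableRegistryTools
    }
}

# 4. Who is actually in the local Administrators group, and is this session elevated?
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Select-Object Name, PrincipalSource
whoami /groups | Select-String 'S-1-5-32-544|High Mandatory Level'
```

If the exefile command is wrong, nothing that ends in .exe will start from this account, including the scanners being recommended, which explains why every tool in the thread only runs in Safe Mode; if section 4 shows the account outside Administrators, the ESET warning about missing privileges is expected and the scanner cannot remove anything it finds.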

            SuperDave

            Re: Hidden supervirus?
            « Reply #10 on: April 16, 2018, 12:57:38 PM »
            Yes, run it again. I just want to be sure that the computer is clean before we start dealing with those other issues.

              mikeanti

              Re: Hidden supervirus?
              « Reply #11 on: April 30, 2018, 05:57:31 PM »
              Scanned with the ESET scanner. Couldn't find anything. But yesterday Windows Defender reacted again with the same trojan I reported earlier in the guest account. I think it cannot delete it or it keeps coming back. Also, can't delete the guest account.
              What to do next?

              SuperDave

              Re: Hidden supervirus?
              « Reply #12 on: May 01, 2018, 01:12:10 PM »
              Quote
              Also, cant delete the guest account.
              What sort of error do you receive? Can you try running MBAM and post the log?

              Please download AdwCleaner onto your Desktop. AdwCleaner

              Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.

              If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
              When the AdwCleaner program opens, click on the Scan button.

              AdwCleaner will now start to search for malicious files that may be installed on your computer.
              To remove the files that were detected in the previous step, please click on the Clean button.

              AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
              Please click on the OK button to allow AdwCleaner to reboot your computer. A log will be produced. Please copy and paste this log in your next reply.

                mikeanti

                Re: Hidden supervirus?
                « Reply #13 on: May 10, 2018, 11:53:04 AM »
                # -------------------------------
                # Malwarebytes AdwCleaner 7.1.1.0
                # -------------------------------
                # Build:    04-27-2018
                # Database: 2018-04-24.1
                # Support:  https://www.malwarebytes.com/support
                #
                # -------------------------------
                # Mode: Scan
                # -------------------------------
                # Start:    05-10-2018
                # Duration: 00:00:53
                # OS:       Windows 10 Home
                # Scanned:  40734
                # Detected: 2


                ***** [ Services ] *****

                No malicious services found.

                ***** [ Folders ] *****

                No malicious folders found.

                ***** [ Files ] *****

                No malicious files found.

                ***** [ DLL ] *****

                No malicious DLLs found.

                ***** [ WMI ] *****

                No malicious WMI found.

                ***** [ Shortcuts ] *****

                No malicious shortcuts found.

                ***** [ Tasks ] *****

                No malicious tasks found.

                ***** [ Registry ] *****

                PUP.Optional.Legacy             HKLM\Software\Wow6432Node\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}

                ***** [ Chromium (and derivatives) ] *****

                No malicious Chromium entries found.

                ***** [ Chromium URLs ] *****

                No malicious Chromium URLs found.

                ***** [ Firefox (and derivatives) ] *****

                No malicious Firefox entries found.

                ***** [ Firefox URLs ] *****

                PUP.Optional.Legacy             mysearch.avg.com



                ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

                # -------------------------------
                # Malwarebytes AdwCleaner 7.1.1.0
                # -------------------------------
                # Build:    04-27-2018
                # Database: 2018-04-24.1
                # Support:  https://www.malwarebytes.com/support
                #
                # -------------------------------
                # Mode: Clean
                # -------------------------------
                # Start:    05-10-2018
                # Duration: 00:00:01
                # OS:       Windows 10 Home
                # Cleaned:  1
                # Failed:   1


                ***** [ Services ] *****

                No malicious services cleaned.

                ***** [ Folders ] *****

                No malicious folders cleaned.

                ***** [ Files ] *****

                No malicious files cleaned.

                ***** [ DLL ] *****

                No malicious DLLs cleaned.

                ***** [ WMI ] *****

                No malicious WMI cleaned.

                ***** [ Shortcuts ] *****

                No malicious shortcuts cleaned.

                ***** [ Tasks ] *****

                No malicious tasks cleaned.

                ***** [ Registry ] *****

                Deleted       HKLM\Software\Wow6432Node\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}

                ***** [ Chromium (and derivatives) ] *****

                No malicious Chromium entries cleaned.

                ***** [ Chromium URLs ] *****

                No malicious Chromium URLs cleaned.

                ***** [ Firefox (and derivatives) ] *****

                No malicious Firefox entries cleaned.

                ***** [ Firefox URLs ] *****

                Not Deleted   mysearch.avg.com


                *************************

                • Delete Tracing Keys
                • Reset Winsock


                *************************

                I couldn't start AdwCleaner in Normal Mode. Scanned in Safe Mode. In the first log it said it deleted the adware in the HKEY. But then I scanned again and the HKEY adware still popped up, so I deleted it again. I believe it's still there.
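Whether the registry key from that log is really back after the Clean step is something that can be tested directly rather than inferred from the next scan. The block below is an added example, not from the thread and not part of Malwarebytes' tooling: it parses AdwCleaner's log format into section, status and item, then re-checks every registry item the log names. The embedded $LogText is copied from the Scan and Clean logs pasted above; in real use it would come from Get-Content -LiteralPath 'C:\AdwCleaner\Logs\AdwCleaner[S00].txt' -Raw. ConvertFrom-AdwCleanerLog is a helper defined here for the example.

```powershell
# Added example (not from the thread or from Malwarebytes): parse an AdwCleaner
# log and independently verify the registry items it reports.

# Copied from the Scan and Clean logs pasted above (only the sections with hits).
$LogText = @'
***** [ Registry ] *****

PUP.Optional.Legacy             HKLM\Software\Wow6432Node\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}

***** [ Firefox URLs ] *****

PUP.Optional.Legacy             mysearch.avg.com

***** [ Registry ] *****

Deleted       HKLM\Software\Wow6432Node\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}

***** [ Firefox URLs ] *****

Not Deleted   mysearch.avg.com
'@

function ConvertFrom-AdwCleanerLog {
    param([string]$Text)
    $section = $null
    foreach ($line in ($Text -split "`r?`n")) {
        # Section headers look like "***** [ Registry ] *****"
        if ($line -match '^\*+ \[ (.+?) \] \*+$') { $section = $Matches[1]; continue }
        # Hit lines: "<PUP.family>   <item>" in Scan mode,
        # "Deleted" / "Not Deleted" followed by the item in Clean mode.
        if ($line -match '^(Deleted|Not Deleted|PUP\.\S+)\s+(.+)$') {
            [pscustomobject]@{ Section = $section; Status = $Matches[1]; Item = $Matches[2].Trim() }
        }
    }
}

$entries = ConvertFrom-AdwCleanerLog -Text $LogText
$entries | Format-Table -AutoSize

# Re-check every registry item the log mentions, whatever the log claims.
# Firefox URL hits live in the browser profile on disk, not in the registry,
# so they are listed but not re-checked here.
$entries | Where-Object Section -eq 'Registry' | ForEach-Object {
    $path = 'Registry::' + ($_.Item -replace '^HKLM\\', 'HKEY_LOCAL_MACHINE\')
    [pscustomobject]@{ Item = $_.Item; LoggedAs = $_.Status; StillPresent = (Test-Path -LiteralPath $path) }
}
# StillPresent = True after a Clean run means something recreates the key at
# logon or on a timer: check Run keys, scheduled tasks and services before
# scanning yet again.
```

The interface CLSID in that log is a leftover COM registration (the detection name is PUP.Optional.Legacy, the class AdwCleaner uses for orphaned entries of uninstalled software), so its presence alone does not show that anything is executing; the check above tells you whether it was removed, not whether it matters.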


                SuperDave

                Re: Hidden supervirus?
                « Reply #14 on: May 10, 2018, 04:10:29 PM »
                Does the computer operate in Normal Mode?