Solved Trouble

Stingray

New Member
Thread author
Jul 16, 2018
7
Hello, my basic issue is it looks like someone has created a ghost(?) account and messed up my permissions and ownership ability. I can't run certain .exe files, although it let me run your required scan. It has changed most of my C: drive & all of my USB backup drives to read only, and I can't change any of the folders back. I tried an elevated command prompt command suggested by MS (secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose ) which didn't fix my problem, but I have included that log as well.
I spent yesterday in Safe Mode, trying everything I could... I tried a reg fix from MS to reset the .exe back to default... no luck. My system restore doesn't work, but I presume it might be compromised as well. I have run multiple scans with Malwarebytes, the last one showing no issues.
I'm at a loss here. My internet works but too many other things aren't right. Appreciate any help and/or advice.
Thank you.

EDIT: I am adding a current Malwarebytes scan... seems my system restore is infected. Scan was clear yesterday.

Attachments

  • FRST.txt (32.7 KB)
  • Addition.txt (82.2 KB)
  • scesrv.log (300.5 KB)
  • MWB scan 16 JUL2018.txt (1.3 KB)

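The symptoms in the opening post (folders flipped to read-only, ownership the user cannot change, .exe files that refuse to launch) can be triaged from an elevated PowerShell prompt before any cleanup tool is run. The script below is an added example, not part of the thread or of the tools it mentions; the drive letter is an assumption and the only registry key it reads is the standard exefile open command.

```powershell
# Added example (not from the thread): report top-level folders on a drive that carry
# the ReadOnly attribute or an explicit Deny entry, show who owns them, and check the
# registry command Windows uses to launch .exe files.
param(
    [string]$Drive = 'C:\'   # assumed: the drive to audit
)

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Run from an elevated prompt, or ownership on protected folders will show as access denied.'
}

# 1. Folder attribute, owner and count of explicit Deny ACEs for each top-level folder.
#    Deny entries and an unexpected owner are the meaningful signs of tampering.
Get-ChildItem -Path $Drive -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $acl = $null
    try { $acl = Get-Acl -Path $_.FullName -ErrorAction Stop } catch { }
    [pscustomobject]@{
        Folder   = $_.FullName
        ReadOnly = [bool]($_.Attributes -band [IO.FileAttributes]::ReadOnly)
        Owner    = if ($acl) { $acl.Owner } else { '<access denied>' }
        DenyACEs = if ($acl) { @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count } else { -1 }
    }
} | Where-Object { $_.ReadOnly -or $_.DenyACEs -ne 0 } | Format-Table -AutoSize

# 2. The .exe launch command. The Windows default is "%1" %* ; any extra program
#    in front of "%1" means every executable is being routed through it.
$cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $cmdKey -Name '(default)').'(default)'
if ($exeCmd -ne '"%1" %*') {
    Write-Warning "exefile open command is '$exeCmd' (expected '""%1"" %*')"
} else {
    Write-Host 'exefile open command is the Windows default.'
}
```

Note that Windows sets the ReadOnly attribute on many ordinary folders (Explorer labels it "only applies to files"), so a folder listed with ReadOnly alone is not evidence of infection; owners that are not the user, Administrators or TrustedInstaller, and any non-zero DenyACEs count, are what to look at.
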
TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,

You are infected with a Rootkit.


Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Plug the flashdrive into the infected PC.
  • Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
  • Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
  • In the Choose Recovery Tool menu select Command Prompt.
  • You will see a big black window with a blinking cursor (command prompt).


    Access the notepad and identify your USB drive

    In the Command Prompt please type in:
    Code:
    notepad
    and press Enter.
  • When the notepad opens, go to File menu.
  • Select Open.
  • Go to Computer and search there for your USB drive letter.
  • Note down the letter and close the notepad.


    Scan with Farbar Recovery Scan Tool

    Once back in the command prompt window, please do the following:
  • Type in e:\frst64.exe and press Enter.
    You need to replace e with the letter of your USB drive taken from notepad!
  • FRST will start to run. Give it a minute or so to load itself.
  • Click Yes to Disclaimer.
  • In the main console, please click Scan and wait.
  • When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

    Transfer it to your clean machine and include it in your next reply.

Stingray

New Member
Thread author
Jul 16, 2018
7
Thank you for the reply. All steps completed, file is attached. I am curious as I was reading up on rootkits, is it possible this has infected both my USB backup drives? Or is the C: drive just controlling the permissions which are preventing me from changing the read only settings in the folders on those drives?

I thank you again and await your response.

Attachments

  • FRST.txt (20.9 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I am not sure about USB, but this one shouldn't tamper with them.

Now, please run FRST scan from Normal mode and attach both reports.

Stingray

New Member
Thread author
Jul 16, 2018
7
Well, now I have a bigger problem. As soon as I read your reply, my system got the BSOD 4 times, the PC restarting each time, and now it's caught in a loop, starting and shutting down, with no info going to the monitor. It powers up for 10 secs, shuts down and repeats.
Was working fine this morning.

Stingray

New Member
Thread author
Jul 16, 2018
7
Nope... no info ever reaches the monitor.

Any chance this is salvageable, or do I need to do a reinstall?

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
If there's nothing on the monitor when you turn it on, then this is a hardware problem and a simple reinstall won't fix it.

Stingray

New Member
Thread author
Jul 16, 2018
7
OK, my PC booted this morning with the message it recovered from a critical error. I have attached the 2 files you requested.

Thank you.

Attachments

  • Addition.txt (84.8 KB)
  • FRST.txt (33.4 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When it finishes, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.



How is the situation now?

Attachments

  • fixlist.txt (5.8 KB)

Stingray

New Member
Thread author
Jul 16, 2018
7
I followed the instructions and ran the FRST w/fix file. It seemed to hang up at
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
I left and came back and everything had stopped, the PC was shut down... I waited a bit, and then restarted the PC and have included the fixlog file.
The suspicious folders that were in the AppData area and locked are now gone.

Attachments

  • Fixlog.txt (12.9 KB)

Stingray

New Member
Thread author
Jul 16, 2018
7
Sorry, I have been out of town. Seems to boot fine, but I am having that issue where it sits idle and I lose signal. This started the exact same time the aforementioned issue did, so I am having a hard time believing it's a hardware issue, but I guess it's possible.
If you have any thoughts/advice concerning that I would love to hear it. If not, thank you for your time and effort. The original issue appears to be solved.