Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on October 22, 2017, 02:25:28 AM
-
So. I was recently annoyed with a certain program that had ran ads. So, I download what I thought was code to block ads before they played. I was very impulsive and it has led me to this situation. The situation being, I have a virus. The virus is unlike any I have seen before. It is a file name called "cgmxkde.exe". I cannot find anything on the internet about it anywhere. In the task manager, it has a name called "Windows Program Manager" and because of that it is very difficult to search without getting results like "Windows Task Manager".
I can guarantee it is harming my computer and sapping its performance. On the task manager under processes, it uses up to 30% of my CPU at any given moment. I have been able to end the process multiple times via the taskkill command on the Command Prompt (admin) however, it simply starts again about half an hour later. I spent all of 10-19-2017 scanning my nearly 300gb of essentially video games and memes with the full virus scan. I came up with this picture showing the results of the scan.
(https://i.imgur.com/JkSgIWM.jpg)
I had suspected these files of being problems about 5 days before the scan when I went digging around after I noticed my computer being slow. This had only confirmed my suspicions.
What really gets me is the "Access Denied".
(https://i.imgur.com/l18XNqD.gif)
So, what can be done about this? I have located the files that need to be deleted, I have tried many different things and none have worked so I am swallowing my pride and coming to the experts. What can be done about this stupid virus?
If you need any other files like logs, just show me where I can find them I will have them uploaded shortly.
-
If you need any other files like logs, just show me where I can find them I will have them uploaded shortly.
as said in your other post, sticky post at top here
-
Just help me. jeez
-
Malware experts are notified. It may take hours before they are online
-
Download the latest version of TDSSKiller from here (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop.
- Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach this file in your reply.
-
tdsskiller will not open when I both double click or when I run as an admin
-
Please try the following instead then:
Please download Malwarebytes Anti-Rootkit from here (http://downloads.malwarebytes.org/file/mbar)
- Unzip the contents to a folder in a convenient location.
- Open the folder where the contents were unzipped and run mbar.exe
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
- Click on the Cleanup button to remove any threats and reboot if prompted to do so.
- Wait while the system shuts down and the cleanup process is performed.
- Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
- When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt
-
I really hate to say it, but the mbar.exe would not run either. I downloaded it and extracted it to my desktop. Open the file, double click the mbar.exe and nothing happens
-
Please download Rkill by Grinler and save it to your desktop.
- Link 1 (http://download.bleepingcomputer.com/grinler/rkill.com)
- Link 2 (http://download.bleepingcomputer.com/grinler/rkill.exe)
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista, right-click on it and Run As Administrator (http://vistasupport.mvps.org/run_as_administrator.htm).
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
- If the tool does not run from any of the links provided, please let me know.
- Do not reboot the computer, you will need to run the application again.
Once you have successfully run RKill, please try and rerun TDSSKiller or MBAR again.
-
Here is the log from rkill:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 10/24/2017 03:33:29 PM in x64 mode.
Windows Version: Windows 8.1 Connected
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* Windows Defender Disabled
[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* HOSTS file entries found:
Program finished at: 10/24/2017 03:34:16 PM
Execution time: 0 hours(s), 0 minute(s), and 46 seconds(s)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
rkill was unable to help start the program.
I was however able to start the program of Malwarebytes Anti-Rootkit by spamming "Start C:\Users\[My Name]\Desktop\mbar\mbar.com (I changed the application ending to make it run) into the Administrator Command Prompt and clicking "Yes" to the question that went like "Hey, this is already running, do you want to run it again".
I know, sort of a makeshift solution but it is running.
This is what my screen looked like after the scan (command prompt included as explanation for earlier)
(https://i.imgur.com/EDnPIgZ.jpg)
A window had popped up saying I needed to install a DDA Driver
(https://i.imgur.com/zl9sCw9.jpg)
I clicked yes and I then got this message
(https://i.imgur.com/6r63xd0.jpg)
What should I do now?
-
bump
-
Do you have access to a separate clean system that you can burn a boot-able disk on?
-
Yes, my grandmother managed to convince her boss to let her bring home a work computer. Sorry for such a long time before the response.
-
I thought that this was already done so excuse me but I think we need to try this before using other more extreme measures ...
Download aswMBR.exe (http://files.avast.com/files/rootkit-scanner/aswmbr.exe) ( 511KB ) to your desktop. If you already have this application, this is a new version I need you to download.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
If your computer supports Virtualization Technology, select Yes to use it for rootkit detection.
On completion of the scan click Save Log, save it to your desktop and post in your next reply
The tool will also produce a copy of the mbrdump labeled MBR.dat. Please zip that file and attach it to a reply.
-
Here is the log
aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2017-11-01 15:15:23
-----------------------------
15:15:23.506 OS Version: Windows x64 6.2.9200
15:15:23.506 Number of processors: 2 586 0x3708
15:15:23.509 ComputerName: EVAN-PC UserName: Evan
15:16:35.958 Initialize success
15:16:36.259 VM: initialized successfully
15:16:36.262 VM: Intel CPU supported virtualized
15:16:43.468 VM: supported disk I/O storport.sys
15:16:51.399 AVAST engine defs: 17110104
15:17:06.878 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000025
15:17:06.885 Disk 0 Vendor: ST500DM002-1BD142 KC45 Size: 476940MB BusType: 11
15:17:07.552 VM: Disk 0 MBR read successfully
15:17:07.559 Disk 0 MBR scan
15:17:07.566 Disk 0 unknown MBR code
15:17:07.601 Disk 0 Partition 1 00 EE GPT 2097151 MB offset 1
15:17:08.268 Disk 0 scanning C:\Windows\system32\drivers
15:18:15.566 File: C:\Windows\system32\drivers\wieknrux.sys **SUSPICIOUS**
15:18:16.293 Disk 0 statistics 141175/0/5 @ 1.13 MB/s
15:18:16.304 Scan finished successfully
15:18:50.132 Disk 0 MBR has been saved successfully to "C:\Users\Evan\Desktop\MBR.dat"
15:18:50.139 The log file has been saved successfully to "C:\Users\Evan\Desktop\aswMBR.txt"
I tried to attach the .zip file containing the mbr.dat however these forums do not allow the posting of .zip or .dat, only jpg, png, txt, log, gif
I put the aswmbr.txt however, hopefully this works
-
I have sent you the link to the ISO file via Private Message; check for it in the MY MESSAGES menu above.
Download the following three programmes to the desktop of the clean system :
1. Rufus (http://rufus.akeo.ie/)
For 64bit systems
2. Windows 8.1 64bit RC
3. Farbar Recovery Scan Tool x64 (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/)
Insert the USB stick Then run Rufus
(https://s26.postimg.org/455vopf5l/Rufus2_16_Main_screen.png)
Select the ISO file on the desktop via the ISO icon.
Press Start Burn
Then copy FRST to the same USB
(http://dl.dropbox.com/u/73555776/frstwintoboot.JPG)
Insert the USB into the sick computer and start the computer. First ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here (http://lifehacker.com/5991848/how-to-boot-from-a-cd-or-usb-drive-on-any-pc)
When you reboot you will see this a screen to select the language and keyboard.
Select the Trouble Shoot option.
Select Advanced option.
Select Command prompt.
At the command prompt type the following : notepad.exe
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
(https://dl.dropboxusercontent.com/u/73555776/frst.JPG)
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and attach / paste it to your reply.
-
It sucks that I had to erase the memes off the flashdrive, but I do what must be done.
Here is the FRST log
-
Thank you for that log file. Please download the attached Fixlist.txt file and add it to the USB drive. Plug the drive into the infected system and boot to the USB drive as you did before. This time, instead of clicking on SCAN, please click on FIX. The tool will run and create a Fixlog.txt file on the USB drive. Please attach that in a reply post here for my review.
Remove the USB drive and reboot (completely power down and then start the system) the infected system. Will Malwarebytes AntiRootKit run now?
-
Here is the fix log
-
What is the status of the system now? Do any of the scanners (AV / AntiMalware tools) run now?