Loosing battle :(

[REDACTED]

So a few days ago, I bought a new pc, and like a moron I installed this freeware program without reading the fine print, as soon as I clicked "Next" on install, it began to barrage my computer with installs, it was non-stop installing viruses and even hijacked my browser and disabled all my anti-viruses...so I thought I would outsmart it and just do System Restore just before I installed that software, that seemed to work...for a day, then randomly this cmd window popped up and saying "BITSADMIN is deprecated" and then it closed, right after that the barrage began again,  I unplugged my ethernet immideatly, luckily I had a shitty laptop laying around so I did some research on this forum, from what I understand BITSADMIN is sort of like teamviewer? does that mean someone has control of my computer? I read on here that I could use Adwcleaner and Malware Bytes, after running AdwCleaner in safe mode, it seemed to be fixed...finally got my browser back, but I ran it again just to make sure, and again it listed viruses, so does Malware, I just been on this endless loop of scanning, findind viruses, deleting them, restarting, scanning again, finding more...

What do I do guys? I bought this computer used so I can not really resintall windows as they did not give me install DVD...I hope there is a way to fix this without having to go out and buy windows, any help? Thanks alot

[dbrisendine]

Please follow the directions for scans in this topic and attach as many of the logs as you can run.
Logs to assist in cleaning malware

FRST.txt, Addition.txt, Malwarebytes Anti-Malware log and aswMBR.txt.  Thanks.

For Malwarebytes, please make sure that is the latest scan that found malware.  Also, attach the AdwCleaner scan log.  Thanks again.

[REDACTED]

Here you go kind sir...

# AdwCleaner v5.201 - Logfile created 12/07/2016 at 23:49:45
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-12.1 [Local]
# Operating system : Windows 8.1 Enterprise N  (X64)
# Username : GM Otomon - OTOMON
# Running from : C:\Users\GM Otomon\Downloads\AdwCleaner.exe
# Option : Scan
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
Key Found : HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}

***** [ Web browsers ] *****


*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [6280 bytes] - [12/07/2016 22:17:01]
C:\AdwCleaner\AdwCleaner[C2].txt - [1443 bytes] - [12/07/2016 22:23:55]
C:\AdwCleaner\AdwCleaner[C3].txt - [1665 bytes] - [12/07/2016 23:21:06]
C:\AdwCleaner\AdwCleaner[C4].txt - [1811 bytes] - [12/07/2016 23:41:06]
C:\AdwCleaner\AdwCleaner[S1].txt - [6597 bytes] - [12/07/2016 22:15:09]
C:\AdwCleaner\AdwCleaner[S2].txt - [1263 bytes] - [12/07/2016 22:21:54]
C:\AdwCleaner\AdwCleaner[S3].txt - [1465 bytes] - [12/07/2016 22:27:19]
C:\AdwCleaner\AdwCleaner[S4].txt - [1346 bytes] - [12/07/2016 22:42:08]
C:\AdwCleaner\AdwCleaner[S5].txt - [1419 bytes] - [12/07/2016 22:43:23]
C:\AdwCleaner\AdwCleaner[S6].txt - [1491 bytes] - [12/07/2016 23:13:54]
C:\AdwCleaner\AdwCleaner[S7].txt - [1637 bytes] - [12/07/2016 23:27:31]
C:\AdwCleaner\AdwCleaner[S8].txt - [1631 bytes] - [12/07/2016 23:49:45]

########## EOF - C:\AdwCleaner\AdwCleaner[S8].txt - [1704 bytes] ##########

[dbrisendine]

You have BrowserAir on your system as your default web browser.  Did you mean to do this?

Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter.  Please copy the contents of the Code box below.  To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy.  Paste this into the open notepad. Save it to your desktop as fixlist.txt
 

Code: [Select]

Start
CreateRestorePoint:
CloseProcesses:
File: C:\Windows\KMS\KMS.exe
File: C:\Windows\KMS\WinDivert.sys
(BitTorrent Inc.) C:\Users\GM Otomon\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe
C:\Users\GM Otomon\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe
HKU\S-1-5-21-1966097368-975875318-1287009969-1001\...\MountPoints2: {59e3f8d1-0b06-11e3-9bf5-c86000bbff85} - "E:\StartUp.exe"
HKU\S-1-5-21-1966097368-975875318-1287009969-1001\...\MountPoints2: {61b6a6f0-46e4-11e6-9bf7-c86000bbff85} - "V:\Autorun.exe"
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?site=shdefault1&prd=smw&pid=s&shr=d&q={searchTerms}&s=G7Czftpbl0cshmoAR,dc879e8c-872a-4527-b2c8-d5aa2be874e3,
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
CHR Extension: (Google Drive) - C:\Users\GM Otomon\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-07-10]
CHR Extension: (Adblock for Youtube™) - C:\Users\GM Otomon\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmedhionkhpnakcndndgjdbohmhepckk [2016-07-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\GM Otomon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-07-10]
R2 KMS; C:\Windows\KMS\KMS.exe [32256 2014-01-04] () [File not signed]
R3 WinDivert1.1; C:\Windows\KMS\WinDivert.sys [35376 2013-12-03] (Basil Projects)
C:\Windows\KMS
2016-07-11 23:02 - 2016-07-11 15:31 - 0036494 ___SH () C:\Users\GM Otomon\AppData\Roaming\aXgUWTQBFaKfhPETIhc
2016-07-11 23:02 - 2016-07-11 15:31 - 0936960 ___SH (AutoIt Team) C:\Users\GM Otomon\AppData\Roaming\aXgUWTQBFaKfhPETIhchU.txt
2016-07-11 23:02 - 2016-07-11 15:31 - 0653328 ___SH () C:\Users\GM Otomon\AppData\Roaming\eLfFXAVPXPVe
C:\Users\GM Otomon\AppData\Local\Temp\libeay32.dll
C:\Users\GM Otomon\AppData\Local\Temp\msvcr120.dll
C:\Users\GM Otomon\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\GM Otomon\AppData\Local\Temp\nvStInst.exe
C:\Users\GM Otomon\AppData\Local\Temp\sqlite3.dll
Task: {F3F7B09A-7FB2-48A6-B1E6-590B5871D0EE} - \TweakBit\PCRepairKit\Start PCRepairKit ?n logon -> No File <==== ATTENTION
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end


NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load. 

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.



If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post.  Also, tell me how your system is running now.

[REDACTED]

You have BrowserAir on your system as your default web browser.  Did you mean to do this?

No the browser hijacker keeps changing my start page (its startgo123.com now) and making other browsers my default, I cant even change it back anymore, I checked the 3 places in Chromes setting but nothing there. I attached the file you asked, ran AdwCleaner to make sure everything is okay, and this same virus in the registry came out, which wont get deleted no matter how many times I run AdwCleaner...its still way less viruses than when I started running AdwCleaner, but I think whatever is in my registry is whats installing everything:

[dbrisendine]

FIRST >>>>
Download a fresh copy of Chrome for 64bit from here .  Save this to your desktop but do not install it yet.


SECOND >>>>
Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter.  Please copy the contents of the Code box below.  To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy.  Paste this into the open notepad. Save it to your desktop as fixlist.txt
 

Code: [Select]

Start
CreateRestorePoint:
CloseProcesses:
C:\Users\GM Otomon\AppData\Local\BrowserAir
Unlock: HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
REG: reg delete HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC} /f
Unlock: HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}
REG: reg delete HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1} /f
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load. 

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.



If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post.  Also, tell me how your system is running now.


LAST >>>>

After the system reboots, repair Chrome by running the installation file on your desktop (the one you downloaded in step 1).

[REDACTED]

Well just ran AdwCleaner after following your instructions, says there is no malacious viruses Will browse around today for a bit and will report back tomorrow.. fingers crossed this nigthmare is over and I will wise enough next time to read the fine print of "freeware" btw when I got the infection I copied over some files to my external HD incase things didnt work out, could the virus attach itself to other files? I deleted the .exe that gave me the virus.

[dbrisendine]

Cool!     Sounds good and my fingers are crossed also!

FYI, BrowserAir is a chromium based browser (based on Google Chrome) so the browser looks like Chrome but the ads are built in and can not be removed.

[REDACTED]

Bad news I am afraid my friend..something once again kept changing my default browser to something else, not sure what probably the program you mentioned, it didnt matter how many times I told it to make Chrome my default browser, as soon as I closed it, it went back to not being my default browser, a quick scan of AdwCleaner said it had something to do with Chrome (uninstalling it fixes the problem) I will attach the log here...is there no end to this nigthmare? Should I just stop using Chrome alltogether?

[REDACTED]

Btw I tried manually deleting the folder...something keeps creating it as soon as I delete it >_<

[dbrisendine]

Unfortunately, I suspect that the problem lies in Google Drive which is resyncing your files (and Chrome extensions) but lets check some further. 

FIRST >>>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open an Command Prompt window and run from there (this is normal for this program, so not to be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.


SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:


Click the Scan button and wait for the scan to finish.

After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.

Click the Clean button.

Everything checked will be deleted.

When the program has finished cleaning a report appears.

Once done it will ask to reboot, allow this


On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt


Optional:
NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.


LAST >>>>

Malwarebytes' Anti-Malware
Please start Malwarebytes' Anti-Malware.

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link


Once the program has loaded and updated, select "Scan Now >>" to start the scan.


The scan may take some time to finish, so please be patient.

If any malware is found, you will be presented with a screen like the one below.


If any malware is found, make sure that everything is checked, and click Remove Selected.
When the scan is complete, click View detailed log >> to view the results.
The report screen will open.
At the bottom click on Export and select as txt file, save the file to your desktop and click OK.  When the export is complete, select OPEN.
The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + c) it to paste here in a reply.

[REDACTED]

Okay ran the programs as you asked (I currently have Chrome uninstalled since last time I posted, since it keeps creating that folder I mentioned before), I have never used Google Drive...is there a way to stop that folder from being synched? And AdwCleaner and MalwareBytes came out clean,  however here is the log from JRT, it seems the virus just keeps creating folders in the AppData folder, and could there be any connection between this, and the software I mentioned in the OP called BITSADMIN which lets someone remotely access my computer?:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 8.1 Enterprise N x64
Ran by GM Otomon (Administrator) on Thu 07/14/2016 at 13:38:17.01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2

Successfully deleted: C:\Users\GM Otomon\AppData\Local\crashrpt (Folder)
Successfully deleted: C:\Users\GM Otomon\Appdata\LocalLow\company (Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 07/14/2016 at 13:40:10.09
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[dbrisendine]

When you bought this system, it came as is?  Windows 8.1 Enterprise N, already activated?

Also, can you send me the last Fixlog.txt file (either on desktop or in C:\FRST\Logs - it should have been run yesterday)?


This next step may take a while (just to warn you) .....

ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway) so if you have IE 11, Chrome or Firefox has to be used instead.  ESET Online does work with IE 10 and earlier.

You can leave your AntiVirus Enabled even though ESET may warn about it. just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same

Please read carefully and Slowly, Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.

Take note of the NO tick in the Remove found threats setting below at it needs to have the tick removed.

-------------------------------------------------------------------------------------------------------------------

Hold down Control key and click on the following link to open ESET OnlineScan in a new window.

Link =>> ESET Online Scanner  <<

Click the Run ESET Online Scanner located on the left side of the page (not the free trial).



For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step)
Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.



Double click on the icon on your desktop.



Check (accept) the Terms of Use.



Click the START button.
Accept any security warnings from your browser.

Now in the Computer scan settings window that appears:-
Make sure that the option Enable detection of potentially unwanted applications is selected.
Now click on Advanced Settings and configure the options as follows:

Remove found threats is Not checked
Scan archives is checked
Scan for potentially unsafe applications is checked
Enable Anti-Stealth Technology is checked


Now click on: Start




ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.






When the scan is finished, if any threats are found you will see the screen below.  Click to view the found threats.



At the bottom of the listed threats, there is an option to save the results to a text file.  Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry).



Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.



Attach the saved log file in your next reply please.  Thanks.

[REDACTED]

Well I tried to do as you said, ran the software and made sure to have no tick in the Remove found thrit is not unresponsive as I can pause it and eats setting, I ran it 3 times already and every time just when it hits the last it thbe thing greys out and is unable to finish, it crashes if I try to click Stop... so I am not sure if its the virus causing this or the software itself has some sort of glitch on this version (my virus protection is off btw), it detects 12 malicious infections within seconds of the scan, should I run again and make it automatically delete infections this time?:



As for my new computer, the guy put in my hardrive from my previous computer, formatted it and installed fresh copy of Windows 8, so it was completely clean, it was not until I installed some sketchy freeware, that the problem began...it sucks, it seems for every virus I delete, 10 new ones pop up

Also I deleted the fixlog since I didn't think it would be needed...is there any hope?

[dbrisendine]

Uninstall the ESET Online Scanner.


Go to Emsisoft and download the Emsisoft Free Emergency Kit from here.

• Double click on the EmsisoftEmergencyKit.exe file and then click on Extract to unpack the files (the default directory of C:\EEK is fine).
  
• Go to the new directory and right click on Start Emergency Kit Scanner.exe and choose 'Run as Administrator'.
  
• Once the scanner loads, allow it check for updates.
  
• When the updates are finished, click the BACK button to return to the main menu.
  
• Click on the SCAN and select Malware Scan to start scanning your system.  Please enable the PUP detection option, if it asks.
  
• If the scan finds anything, it will open a scan finding window.  Please click on View Report; copy this report and paste it here in reply post.
  
• Please close the Emergency Kit Scanner program now.