GeekPolice Tech Tutorials

# Computer Infected and Tough Getting It Cleaned

Im here because my friend FreeBooter told me its the best place to find help for getting rid of a virus. Anyone?
Attachments
Hello there, welcome to GeekPolice. Thanks for posting.

Right away, I will say I do not spot anything immediately alarming, except for the use of uTorrent and keygens. Therefore, even if we do assist you, if you become infected again, it will be because of the keygens/use of uTorrent.

I can verify a few things first... Let's see:

• Doubleclick on MBRScan.exe and click the Report button. (Windows 7+ Users, right click on MBRScan and then click on run as administrator).
• Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
• When the scan is finished, a log file will appear.

TDSSKiller

• Right-click on tdsskiller.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
• Accept the End User License Agreement (EULA) and the KSN Statement;
• Once the application is done initializing, click on the Change parameters button;
• In addition to the current checked boxes, check these two as well:

• Verify file digital signature;
• Detect TDLFS file system;

• Once done, click on Ok then click on Start scan;
• After the scan is complete, click on the Report button, in the top right corner;
• A report window will open with the scan log. Copy and paste it in your next reply;
Ok, i appreciate the help. I understand the risks of files from the internet and especially malicious code. Here are my 2 scans
Attachments

• Double click MBRCheck.exe to run (Vista and Windows 7+ users, right click and select Run as Administrator).
• It will show a black screen with some data on it.
• A report called MBRcheckxxxx.txt will be on your desktop
• Open this report and post its content in your next reply.

Ok i did what you told me, the second one i was confused... Do I check Show All  because it was already unchecked and while scanning the computer crashed with this information:

Code:

Stop code: DRIVER_IRQL_NOT_LESS_OR_EQUALWhat failed: ffliyfod.sys

And I attached the file from the first scan!

PS: I will try the scan again in safe mode after some sleep, I need to get some rest.
Attachments
Try this first and then try GMER again please.

To disable CD Emulation programs using DeFogger please perform these steps:
2. Once downloaded, double-click on the DeFogger icon to start the tool.
3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers
4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Note about GMER before running it again:

• This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
• This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
• No matter what is in the log, please post all the information/contents of the log.
• These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT"
I got the same error message with a crash again after doing the last steps.
Attempt in safe mode with networking and let me know what happens please
This time doing it in safe mode found 2 things it out in red that it said might be rootkits it asked for full scan and I clicked no so I could uncheck that one thing you said and it scanned and crashed on the same line again, same crash error. Want me to go back to safe mode and run it again just to copy down the 2 things it said were warnings before I clicked scan?
I'm sure it would be useful, so yes please.
Hey, the virus came back, it’s so aggressive also. Currently running Avg Netsh tool to try to remove it since for the most part we Figured out the name of the virus
That is one old infection, and what's weird is that it creates itself using very old programming schemes back from Windows XP days. This would be a Windows XP exploit... Why it's causing issues on a W10 PC is beyond me, but it's not like it can do all that much damage as long as Windows is patched.

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:

Code:

:filefinddirectx.syssvchost.compopen

• Click the Look button to start the scan.

Note: The log can also be found on your Desktop entitled SystemLook.txt

• Doubleclick CKScanner.exe and click Search For Files.
• After a very short time, when the cursor hourglass disappears, click Save List To File.
• A message box will verify that the file is saved.
Ok System Look gave me:
SystemLook 30.07.11 by jpshortstuff
Log created at 19:41 on 29/10/2017 by lee
========== filefind ==========
Searching for "directx.sys"
No files found.
Searching for "svchost.com"
No files found.
Searching for "popen"
No files found.
-= EOF =-

And CKScanner gave:

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\adobe\adobe after effects cc 2018\support files\presets\toonitv2 presets\roto toon\roto toon crackle problem.ffx
c:\program files\boris fx, inc\bcc presets 10\styles\material styles\stone_wood_leather\cracked peeling.mtl
c:\program files\boris fx, inc\bcc presets 10 ofx\styles\material styles\stone_wood_leather\cracked peeling.mtl
c:\program files\common files\native instruments\battery 4\presets\lofi\crackle.nbfx
c:\program files\common files\native instruments\kontakt 5\presets\effects\convolution\05 drum reverbs\0.4s firecracker snare orven.nkp
c:\program files\cycling '74\max 7\resources\media\jitter\materials\pavement.cracks.jitmtl
c:\program files\presonus\studio one 3\presets\presonus\fat channel\drum\snare crackalak.dsppreset
c:\program files\red giant\rgfx\plugins\universe_stylize_texturize\resources\presets\grunge\cracked wall.preset
c:\program files (x86)\common files\native instruments\fm8\sounds\fm7 legacy\beam cracker bass.nfm8
c:\program files (x86)\common files\native instruments\fm8\sounds\fm7 legacy\cracklephone.nfm8
c:\program files (x86)\common files\native instruments\massive\sounds\massive factory\crackle carl.nmsv
c:\program files (x86)\common files\native instruments\massive\sounds\massive factory\digitoy crackle.nmsv
c:\program files (x86)\common files\native instruments\shared content\sounds\fm8\fm7 factory\beam cracker bass.ksd
c:\program files (x86)\common files\native instruments\shared content\sounds\fm8\fm7 factory\cracklephone.ksd
c:\program files (x86)\common files\native instruments\shared content\sounds\massive\crackle carl.ksd
c:\program files (x86)\common files\native instruments\shared content\sounds\massive\digitoy crackle.ksd
c:\program files (x86)\image-line\fl studio 12\data\patches\packs\drums (modeaudio)\claps\ma firecracker clap.wv
c:\program files (x86)\image-line\fl studio 12\data\patches\packs\drums (modeaudio)\hi hats\ma firecracker chat.wv
c:\program files (x86)\image-line\fl studio 12\data\patches\packs\drums (modeaudio)\kicks\ma firecracker kick.wv
c:\program files (x86)\image-line\fl studio 12\data\patches\packs\drums (modeaudio)\snares\ma firecracker snare.wv
c:\program files (x86)\image-line\fl studio 12\data\patches\plugin presets\generators\drumpad\sound fx\crack.fst
c:\program files (x86)\image-line\fl studio 12\plugins\fruity\effects\hardcore\presets\default\i cracked my tube!.hdprg
c:\program files (x86)\image-line\fl studio 12\plugins\fruity\generators\drumaxx\drum patches\sound fx\crack.dmpatch
c:\program files (x86)\image-line\fl studio 12\plugins\fruity\generators\drumpad\drum patches\sound fx\crack.dmpatch
c:\program files (x86)\image-line\fl studio 12\plugins\fruity\generators\sawer\presets\ambient\mc cracked.sawer
c:\program files (x86)\image-line\fl studio 12\plugins\fruity\generators\toxic biohazard\presets\basses\crack.tbio
c:\program files (x86)\presonus\studio one 3\presets\presonus\fat channel\drum\snare crackalak.dsppreset
c:\_torrents\_torrentfiles\completed\native.instruments.battery.4.v4.1.6.incl.patched.and.keygen-r2r.torrent
c:\_torrents\_torrentfiles\completed\native.instruments.maschine.2.v2.6.5.update.incl.patched.and.keygen-r2r.torrent
scanner sequence 3.ZZ.11.GCNAVZ
----- EOF -----
Open SystemLook and type/copy & paste the following in just as last time:

Code:

:dirc:\_torrentsc:\_torrents\_torrentfilesc:\_torrents\_torrentfiles\completed
Permissions in this forum:
You cannot reply to topics in this forum