Windows 10: Trojan deep in my system

Discuss and support Trojan deep in my system in AntiVirus, Firewalls and System Security to solve the problem; I'll do this if what AndreTen, in post 26, does not work. Thanks again. Update: I'm doing this next now, as I was not able to get MalwareBytes on... Discussion in 'AntiVirus, Firewalls and System Security' started by Vikdal, Apr 29, 2017.

  1. AndreTen Win User

    @Vikdal if that windows defender offline scan doesn't enable Malwarebytes to run, please take simrik's advice and run farbar. Check "additional" in options and run scan. Post both .txt files.

    This will enable us to check what user accounts you have, if any are disabled etc...
     
    AndreTen, Apr 30, 2017
    #31
  2. Borg 386 Win User

    Most viruses/malware like to change admin settings to prevent you from taking action to remove the malware. You'll have to reset the permissions to the default Win settings. There is a thread here addressing this problem with advice from Brink that may be helpful.

    Reset Windows 10 Administrator Account to default - - Windows 10 Forums

     
    Borg 386, May 1, 2017
    #32
  3. Vikdal Win User
    Give me a day, as these scans will take some time. Thanks for all the suggestions
     
    Vikdal, May 1, 2017
    #33
  4. Vikdal Win User

    Sorry for not posting in a while, I was taking a break. Are you talking about addition.txt?

    And run a scan?
     
    Vikdal, May 3, 2017
    #34
  5. Vikdal Win User
    BTW there are some new dodgy DLLs running and some exe files. DLL is Kokoko2
     
    Vikdal, May 3, 2017
    #35
  6. Vikdal Win User
    BTW there are some new dodgy DLLs running and some exe files. DLL is Kokoko2. Also, I now have two Google Chrome shortcuts ;/


    PS: Sorry for repost
    Addition.txt FRST.txt
     
    Vikdal, May 3, 2017
    #36
  7. AndreTen Win User
    Yes Vikdal. FRST.txt and addition.txt.

    Edit: I see you've already posted them. This will take some time.
     
    AndreTen, May 3, 2017
    #37
  8. Vikdal Win User

    I just want to note that the "Zemana AntiMalware" someone told me to download earlier is blocking some .dll files. I also did a little bit of a Google and found out that kokoko2 is basically a virus

    exe file running was MIO.exe
     
    Vikdal, May 3, 2017
    #38
  9. AndreTen Win User
    Did you run that Windows defender deep scan? Seems things are back as they were.
     
    AndreTen, May 3, 2017
    #39
  10. simrick Win User
    Hi and thanks for the logs. I will review them now.
    In the meantime, please disconnect the infected system from the internet, to prevent further downloads by the Trojan.

    Do you have a clean system available in case we need to download tools from the internet before we let the infected computer go back online?
     
    simrick, May 3, 2017
    #40
  11. Vikdal Win User
    Yes, I have 3 computers to do so.
     
    Vikdal, May 3, 2017
    #41
  12. dencal Win User
    A nice clean installation....
     
    dencal, May 3, 2017
    #42
  13. simrick Win User

    Okay good. And all your important data is backed up, right?
    *Wink If we can't clean it, or if the FRST logs show it's not worth cleaning, that's the next step.

    I will be back in a while; please be patient with me.
     
    simrick, May 3, 2017
    #43
  14. simrick Win User
    Please "show hidden files, folders and drives" in Control Panel>File Explorer Options, "View" tab.
    -----
    Please uninstall the following applications:

    Chrome
    Export your bookmarks in Chrome to an HTML file (you can import them later).
    Uninstall Chrome using the instructions here:
    Uninstall Google Chrome - Computer - Google Chrome Help
    Be sure to delete all profile information and clear browsing history - we want nothing left on the system (except your bookmarks).
    If you sync your Chrome Browser data, delete it (use Edge or IE to do this):
    Quick Tip: How To Delete Your Google Chrome Browser Sync Data
    Java 8 Update 121
    LogMeIn
    McAfee Security Scan Plus
    Yahoo Search Set
    -----
    Whatever is on the system by IObit company, please remove it. (SmartDefrag?)
    -----
    Please change the DNS settings on your NIC
    From: 130.67.15.198 & 193.213.112.4
    To: 208.67.222.222 & 208.67.220.220
    -----
    Open an admin command prompt or admin powershell and enter:
    ipconfig /flushdns
    -----

    Please copy the following exactly and paste it into Notepad. Save the file as fixlist.txt in the same folder where the Farbar (FRST) tool is running from (C:\Users\Janisin\Downloads). Run FRST and click FIX only once and wait. When it's finished it will create a log (Fixlog.txt). Please post that log.

    Code:
    Start
    CreateRestorePoint
    EmptyTemp:
    CloseProcesses:
    Task: {33C02C52-CCB7-4FB7-9F2B-3E13439D75AC} - \SystemHealer Monitor -> No File <==== ATTENTION
    Task: {42AB3ED1-EDCA-4781-B9D9-994414E8141D} - System32\Tasks\SMW_UpdateTask_Time_333536383237363034362d50372d5a456c37325a347841 => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
    Task: {5715A91F-9CEF-4E3B-A2E7-A4A86D8CFFC6} - \{78080447-0A0E-087F-0A11-7F7A7F0D110F} -> No File <==== ATTENTION
    Task: {908AE32D-C2C7-4FC6-8F3C-6056146FB457} - System32\Tasks\System Healer Task => C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE <==== ATTENTION
    Task: {A9094CB4-F599-4768-A5C0-93356813225B} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-05-04] () <==== ATTENTION
    Task: {CC5EE9C6-9C52-4411-87EC-7E310E536686} - \SystemHealer Run Delay -> No File <==== ATTENTION
    Task: {D2527136-A109-402E-AC24-ADD29340F413} - System32\Tasks\IBUpd2 => C:\Users\Janisin\AppData\Local\BrowserAir\48.0.0.0\updater.exe <==== ATTENTION
    Task: {E03EDFBB-11A3-41F1-B67D-AFE5EA703A33} - System32\Tasks\IBUpd => C:\Users\Janisin\AppData\Local\BrowserAir\48.0.0.0\updater.exe <==== ATTENTION
    Task: {F311310D-62D2-4E86-8C31-44E8AA2AAF89} - \oqnrzQS454 -> No File <==== ATTENTION
    Task: {F51D35EB-97ED-4E1C-9033-29B40EFE0129} - System32\Tasks\SMW_P => C:\ProgramData\smp2.exe <==== ATTENTION
    HKU\S-1-5-21-1197232350-3408337513-1167496310-1001\Software\Classes\regfile: regedit.exe "%1" <===== ATTENTION
    GroupPolicy: Restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    CHR Profile: C:\Users\Janisin\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-30] <==== ATTENTION
    CHR Extension: (AntiCaptcha automatic captcha solver) - C:\Users\Janisin\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\neodgnejhhhlcdoglifbmioajmagpeci [2017-04-28] [UpdateUrl: hxxps://antcpt.com/downloads/firefox/update_manifest.json] <==== ATTENTION
    R3 cpuz138; C:\Users\Janisin\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [27320 2017-05-02] (CPUID) <==== ATTENTION
    R1 ESEADriver2; C:\Users\Janisin\AppData\Local\Temp\ESEADriver2.sys [316552 2016-12-08] () <==== ATTENTION
    Amazon 1Button App (x32 Version: 2.3.4 - Amazon) Hidden <==== ATTENTION
    End
    Note: this is a unique fixlist - do not use this on another computer.

    -----
    Permanently remove the following manually (if they exist):
    C:\END
    C:\Users\Janisin\AppData\Roaming\.pgbiasfx
    -----
    Open Device Manager
    View>Show Hidden Devices
    Expand "Non-Plug and Play Drivers"
    Look for ESEADriver2
    If found, right click "ESEADriver2" and select Uninstall
    (we need to get rid of this, as they apparently were using users' systems for bitcoin mining, and have full admin rights in this driver.)
    -----
    Download the following to a flash drive (or CD) on a clean system:
    RKILL
    RKill Download
    Download the iExplore.exe version
    JRT
    Junkware Removal Tool Download
    RogueKiller
    RogueKiller Download
    ADWCleaner
    Downloads - AdwCleaner - ToolsLib

    Copy all the tools over to the "desktop" of the infected system.
    Run the tools in this order on the infected system (note: all tools are free/have free versions):

    1. RKILL

    2. ADWCleaner (it will reboot)

    3. RKILL (again)

    4. RogueKiller (select all boxes including "PUP and PUM is malware") Delete everything in RED.

    5. JRT

    6. Malwarebytes Antimalware (already on system, go online, update virus definitions, run a full scan of system drive, and be sure to check the box to scan for rootkits) You may have to re-download and re-install to get it working now(?)

    The system can stay online at this point.

    Please post all logs from these tools for evaluation.
    -----
    Completely reset all browsers left on the system.
    How to Reset Your Web Browser To Its Default Settings

    Reset Microsoft Edge to Default in Windows 10 - Windows 10 Browsers Email Tutorials
    -----
    Will watch for your logs. Please remember you are 6 hours ahead of me. *Wink
     
    simrick, May 4, 2017
    #44
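A defender-side check that goes with the post above, added here as an example and not part of simrick's instructions or of the FRST tool: it lists the same kinds of persistence the fixlist removes (tasks launched from user-writable folders or via a silent script host, drivers loaded from Temp, the per-user regfile handler and IE policy keys, and the current DNS servers), so the system can be compared before and after the fix. The folder patterns, the two registry key paths and the expected DNS pair are assumptions drawn from the post, and the function name is made up for this example.

```powershell
# Added triage helper (not from the thread): enumerates the persistence types the
# FRST fixlist above removes. Run from an elevated PowerShell on Windows 10.
# Folder patterns, registry key paths and the expected DNS pair are assumptions
# taken from simrick's post, not from FRST.
function Find-FixlistStylePersistence {
    $findings = @()

    # 1. Scheduled tasks launching from user-writable folders (ProgramData, AppData,
    #    Temp) or running a script host silently (Wscript.exe //B), as with the
    #    SMW_UpdateTask, Milimili, IBUpd and SMW_P tasks in the fixlist.
    $userWritable = '(?i)\\ProgramData\\|\\AppData\\Local\\|\\Temp\\'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            $silentScript = ($cmd -match '(?i)\b[wc]script(\.exe)?\b') -and ($cmd -match '//B\b')
            if ($cmd -match $userWritable -or $silentScript) {
                $findings += [pscustomobject]@{ Kind = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd }
            }
        }
    }

    # 2. Kernel drivers registered from a user profile or Temp folder (cpuz138,
    #    ESEADriver2). Legitimate drivers live under %SystemRoot%\System32\drivers.
    foreach ($drv in Get-CimInstance Win32_SystemDriver) {
        if ($drv.PathName -match '(?i)\\Users\\|\\Temp\\') {
            $findings += [pscustomobject]@{ Kind = 'Driver'; Name = $drv.Name; Detail = "$($drv.State) $($drv.PathName)" }
        }
    }

    # 3. Per-user override of the .reg file handler and IE policy restrictions.
    #    FRST flagged both; on a clean system these keys are normally absent (assumption).
    foreach ($key in 'HKCU:\Software\Classes\regfile',
                     'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions') {
        if (Test-Path $key) {
            $findings += [pscustomobject]@{ Kind = 'Registry'; Name = $key; Detail = 'present; review and remove if unexpected' }
        }
    }

    # 4. Current IPv4 DNS servers per adapter, to compare with the 208.67.222.222 /
    #    208.67.220.220 pair the post asks for after the fix.
    foreach ($dns in Get-DnsClientServerAddress -AddressFamily IPv4) {
        if ($dns.ServerAddresses) {
            $findings += [pscustomobject]@{ Kind = 'DNS'; Name = $dns.InterfaceAlias; Detail = ($dns.ServerAddresses -join ', ') }
        }
    }
    return $findings
}

Find-FixlistStylePersistence | Format-Table -AutoSize -Wrap
```

Rows of kind Task or Driver that point into a user profile are the ones to line up against the FRST log; an empty result after running the fixlist and the tools below is what a clean run should look like.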
  15. Vikdal Win User
    Hi and thanks for the guide.

    However, there are two problems with this thought. First of all, AdwCleaner has been blocked by an administrator (I am the only one). The other problem is that RogueKiller does not allow changing these settings in its free version. Malwarebytes cannot run either.
     
    Vikdal, May 4, 2017
    #45