I have reformatted multiple times and it keeps coming back. I have 3 hard drives installed; I ran the "clean" command from cmd on 2 of the 3. The one I neglected to run it on was my SSD, which I secure-erased with Secure Erase+ from my BIOS. However, I am still worried I have the virus. Once, I ran Kaspersky Rescue Disk and some random .jpeg file came up as a virus; it was then removed and I no longer have it. However, just before I ran Secure Erase on my SSD, Kaspersky AV came up with a .dll file which is identified as a hack tool for damaging computers or something. I tried to install Avast, but it says I don't have the required permissions to access the .exe to open it after the install, which is only located in the Program Files folder, so... I should be able to? I tried to run the Avast stand-alone rootkit scanner, and as soon as I try to activate virtualization technology it BSODs due to an aswMBR.sys file. I have an Intel 7700K @ 4.2 GHz, so I know I should be able to support it, but it crashes every time I turn it on, and the tool BSODs every time I skip that and just try to simply scan. It says a couple of services were locked. I can't remember... I know this thing infected my phone, which I had to throw out. I have been dealing with this virus for 5 months.
AV: Avast Antivirus (Disabled - Out of date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Kaspersky Total Security (Enabled - Up to date) {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Kaspersky Total Security (Enabled - Up to date) {3D579475-6DDE-A186-1569-44B9F9DE8725}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Disabled - Out of date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
FW: Kaspersky Total Security (Enabled) {BE0DF4B4-018B-AF50-0486-D6FE7C8A8AE3}

[b]Why Using Multiple Antivirus Programs is a Bad Idea[/b] https://www.kaspersky.com/blog/multiple-antivirus-programs-bad-idea/2670/
There can be only one https://www.youtube.com/watch?v=sqcLjcSloXs
Uninstalling other antivirus software >> https://support.avast.com/en-eu/article/Uninstall-other-antivirus
2017-12-12 07:00 - 2017-12-12 07:00 - 004922400 _____ (AO Kaspersky Lab) C:\Users\vvvvvvvvv\Desktop\luuuuuuuuuuerop.exe … <— Huh?
Someone will be along shortly I’m sure (Sassdrake or dbrise). In the meantime…
2017-12-12 02:27 - 2017-12-12 03:38 - 000001868 _____ C:\Users\vvvvvvvvv\Desktop\Rkill.txt <— Find this file, post it
2017-12-12 02:27 - 2017-12-12 02:27 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\vvvvvvvvv\Downloads\rkill.com <— Stop downloading tools that you don’t know how to use
2017-12-12 03:10 - 2017-12-12 03:10 - 007176464 _____ (AVAST Software) C:\Users\vvvvvvvvv\Downloads\avast_free_antivirus_setup_online.exe <— Downloaded today??
2017-12-12 03:17 - 2017-12-12 03:17 - 000000000 ____D C:\ProgramData\HitmanPro <— Ditch Hitman Pro
2017-12-12 03:39 - 2017-12-12 03:39 - 004922400 _____ (AO Kaspersky Lab) C:\Users\vvvvvvvvv\Downloads\tdsskiller (1).exe <— Stop downloading tools that you don’t know how to use
2017-12-12 04:08 - 2017-12-12 04:08 - 005659243 _____ (Swearware) C:\Users\vvvvvvvvv\Downloads\ComboFix.exe
ComboFix Warning
Do NOT ever download ComboFix without visiting us, or another UNITE/AMF (MyCity or similar) website.
Read: https://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/
Platform: Windows 10 Pro Version 1709 16299.98 (X64) Language: English (United States)
Windows 10, Windows 8.1 and Windows 2000 are NOT supported by ComboFix.
Running ComboFix by yourself is like performing open-heart surgery on yourself. The scalpel and other surgical tools that ComboFix is are meant to be wielded by a highly trained surgeon, only in emergencies or dire circumstances. When the surgeon is through, s/he leaves the room. So ComboFix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection, but if you aren't infected you might need those restore points.

Read and abide by the disclaimer, people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help; that is what we're here for.
Uninstall either Avast or Kaspersky. I don't see traces of malware in your logs. Can you make a screenshot of that thing you think is malware?
That weird file was TDSSKiller; someone said to rename it, lol...
Just for the record, I never ran ComboFix because I heard what you said from someone else. The thing is, every time I re-format I can't find the RAT. But when I join an Overwatch custom game server, the same group of people will force my computer to shut down; then I find one trace of it, like a .dll file, or all my computer permissions change, or my graphics drivers stop working. I'm uninstalling Kaspersky to try installing Avast and see how it goes. But I promise you, somehow they fuck up my computer whenever they want and leave no traces until then.
I've been getting targeted and harassed for around 5+ months now. Even Blizzard can confirm that they've seen the messages from all these people. They somehow manage to keep hacking my computer. I had to throw out my phone too.
This was the last detection I made before a reformat, however, the entire time leading up to the detection I was simply playing Overwatch, then they left the server after I joined, my gpu drivers were shut down and restarted then I performed a scan and found this.
https://threats.kaspersky.com/en/threat/RiskTool.Win64.HackKMS
10.12.2017 08.00.28;Detected object (file) not processed;C:\Windows\Temp\SppExtComObjHook.dll;C:\Windows\Temp\SppExtComObjHook.dll;not-a-virus:RiskTool.Win64.HackKMS.e;Legitimate software that can be used by criminals to damage your computer or personal data;12/10/2017 08:00:28
The file Kaspersky detected is a KMS activator, used for activating pirated versions of Windows and Microsoft Office. Your system is clean; use the "block user" option in the Blizzard client and games.
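The point above (a RiskTool.HackKMS hit is a licensing hack, not a RAT) can be checked rather than taken on faith. The following PowerShell is an added example, not part of the thread or of any Kaspersky tool. The only value taken from the thread is the path Kaspersky reported; the variable names, the Authenticode check, and the scheduled-task filter are my own assumptions about what a KMS activator typically leaves behind:

```powershell
# Added example: is the flagged DLL a KMS activation hook, and is Windows
# running on a KMS client license? Path taken from the Kaspersky report above.
$hookDll = 'C:\Windows\Temp\SppExtComObjHook.dll'

# 1. Is the flagged file still present, and is it signed? Genuine Microsoft
#    components in the licensing stack carry a valid Authenticode signature;
#    a third-party KMS hook DLL normally does not.
if (Test-Path -LiteralPath $hookDll) {
    Get-Item -LiteralPath $hookDll | Select-Object FullName, Length, LastWriteTime
    Get-AuthenticodeSignature -LiteralPath $hookDll | Select-Object Status, SignerCertificate
} else {
    "File not found: $hookDll (Kaspersky may already have removed it)"
}

# 2. How is Windows licensed? slmgr /dlv shows the same data; the WMI class
#    exposes it directly. A KMS-activated install reports a 'Volume:GVLK'
#    product key channel, a VOLUME_KMSCLIENT description, and a KMS host name.
#    On a home PC with no real KMS server, that host is the activator's
#    emulator (often localhost) and is the artifact worth explaining.
Get-CimInstance -ClassName SoftwareLicensingProduct |
    Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
    Select-Object Name, Description, ProductKeyChannel, LicenseStatus,
                  KeyManagementServiceMachine, KeyManagementServicePort

# 3. KMS activators usually register a scheduled task to re-activate every
#    180 days; list any task whose action runs something out of Windows\Temp.
#    (Filter is an assumption for illustration; adjust to the paths you see.)
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { ($_.Execute + ' ' + $_.Arguments) -match 'Windows\\Temp' }
} | Select-Object TaskName, TaskPath, State
```

If step 2 shows a retail or OEM channel and step 3 finds nothing, the DLL was a leftover with no persistence and there is nothing further to clean; if it shows a KMS client channel pointing at a host you do not own, the "infection" is the activator the user (or whoever set up the machine) installed.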
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:

[i]
[x] Remove disinfection tools
[x] Create registry backup
[x] Purge System Restore
[/i]

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\[b]DelFix.txt[/b]).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
The block user function doesn’t quite work. You see… this harassment has gone outside of the game. I had to change my phone number and then throw away my phone. I was getting death threats on various social media applications. I was getting messages ALL over. Tinder, Facebook, Snapchat, Twitter, Twitch, Steam, kik, discord… It has gotten out of control. For 5 months because of a crazy ex-girlfriend defaming me to her thousands of followers behind my back in a way I can’t even know what they’re saying, doing, or defend myself. Blizzard has noted that the information they have gathered is purely toxic and can’t find a real reason behind it.
We will see how it goes. If anything else happens I will update here. Thank you for all of your help so far.
My computer just got a virus from a steam group I was in. Clicked a link to what I thought would be a meme. Nope. Windows defender detected a trojan then it couldn’t find it. Malwarebytes detected a registry edit from a hijacking thing. I had to system restore so I lost the scan logs… My computer was stuck booting into safe mode until I disabled it manually. Now I can’t seem to find it and I don’t know how to find out if I am safe.
"Windows defender detected a trojan then it couldn't find it."
Huh... explain?

"I had to system restore so I lost the scan logs..."
So the scan log is not located in Malwarebytes > Reports?
User guide >> https://www.malwarebytes.com/support/guides/mb/
I did a system restore, lost the log file i exported. don’t see it in the list let me try to find it again
Found it.
My registry / system files are said to be corrupted.
"My registry / system files are said to be corrupted."
By what / who?

"Windows defender detected a trojan then it couldn't find it."
Explain?
Windows defender detected a trojan, now it is gone without me removing it, I only saw it detected in the history.
Windows won’t update, and using the trouble shooter it says it can’t find the correct file path and other stuff. Please help, what do I do now?
I can’t seem to download anything now, it keeps saying failed network error.
"Windows defender detected a trojan, now it is gone without me removing it, I only saw it detected in the history."
Blocked before it was downloaded? Detected on your computer and moved to quarantine?
Log should give info…
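The helper's question (blocked on download, or detected on disk and quarantined?) is answered by Defender's own detection records, which outlive the GUI's "history" view. The following PowerShell is an added example, not part of the thread. The cmdlets and event IDs are the real ones from the Defender module and its operational event log; the column names and output shaping are my own:

```powershell
# Added example: read Windows Defender's detection history from the
# Defender PowerShell module and the Defender operational event log.
Import-Module Defender

# Each detection event: when it fired, which process touched the object,
# what the object was (file:_<path>, process:_<pid>, ...), and whether the
# cleaning action succeeded. ID columns are numeric codes; see the
# MSFT_MpThreatDetection documentation for their meanings.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            ThreatID  = $_.ThreatID
            Process   = $_.ProcessName
            Resources = ($_.Resources -join '; ')
            ActionID  = $_.CleaningActionID
            Succeeded = $_.ActionSuccess
            StatusID  = $_.ThreatStatusID
        }
    } | Format-Table -AutoSize

# Map threat IDs to names, and check whether anything is still active or
# actually executed before Defender caught it.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive, DidThreatExecute

# The event log keeps the full record even after a System Restore:
# 1116 = malware detected, 1117 = action taken on detected malware.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -MaxEvents 50 |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

A detection whose Resources entry is a path under a browser or Steam htmlcache directory, with DidThreatExecute false and a successful remove or quarantine action, is a drive-by download that was caught at rest; a detection with DidThreatExecute true, or an ActionSuccess of false, is the case where follow-up scanning is actually warranted.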
I have no idea. Where do I find that?
I think it was removed idk.
Look... I am still having weird registry issues according to the Windows Update troubleshooter tool.
I can’t seem to update windows or anything please help.
Edit:
found the trojan
Trojan:Win32/Sonoko.A!ms
Details: This program is dangerous and executes commands from an attacker.
Affected items:
file: C:\Users\vvvvvvvvv\AppData\Local\Steam\htmlcache\Cache\f_00023c
https://go.microsoft.com/fwlink/?linkid=142185&name=Trojan:Win32/Sonoko.A!ms&threatid=<2147724631>
Did a FRST scan
Just completely reformatted everything.
Went to windows update trouble-shooter and it is already saying it’s detecting corruption…
Windows Defender even said it detected some kind of application trying to make unauthorized changes almost as soon as I started updating everything.
Malwarebytes and Windows Defender don't seem to notice anything, though? But this keeps happening... these people won't leave me alone. I need serious help to get rid of a RAT.
I will pay anyone who can help me. I really mean it. If you can get rid of this RAT/Virus/Trojan and/or PROVE I’m completely not infected I will pay you at least $100.00 USD