New Virus/malware found

A couple days ago my system started running slow. I have run Windows Defender (it won’t run now), Malwarebytes finds it but will not get rid of it. So, I looked online for more info and found a program named Reason Core Security that said it could get rid of the virus/malware. I ran the software and it did find a directory in my C:\program files dir named mbcdhze and an exe file in c:\windows\system32 named sneiukpsvc.exe. I start task manager and attempt to end the process and get a window saying The operation could not be completed. Access denied. I can’t delete the file because it is running. I am able to delete the mbcdhze directory but it keeps returning. I am running an AMD FX8320 (8core cpu) with a R7 200 2gig vid card and 16gigs of ram on Windows 7 Ultimate. Hoping someone at Avast is aware of this issue and working on a fix. I believe this is a new virus/malware because there is NO INFO on this file sneiukpsvc.exe which makes me think it is new. I always wonder when a new virus is found and there seems to always be 1 company out there that offers the fix. Makes me think the company that is selling the Malware/virus scanner (that seems to be the ONLY one that knows about it) had a hand in the writing and distribution of the virus/malware. Any suggestions?

Also, I have booted into safe mode and tried running Avast and Malwarebytes but neither find any issues.

When I run Malwarebytes and it gets to the Rootkit section, I get a window that says it couldn’t scan for Rootkits and asked to reboot system. Unfortunately MB doesn’t seem to want to run anymore so I can’t give the exact statement in the window.

You were asked to provide log files.

Uhmm…no I wasn’t. All I want to do is let Avast know there is a new virus out there. I am not worried about my system. The ultimate Virus fixer is format and reinstall which takes me about 2 hrs when I get motivated and as I stated in my repost, MB will not run anymore. I believe whatever got into my system, disabled it and other virus/malware checkers.

https://forum.avast.com/index.php?topic=209388.msg1423858#msg1423858

You sure was!

“If you wish help, here are some tools and logs that will speed up the process of getting you clean.”

If you are referring to the above line taken from that thread you posted, there is nothing there asking me to provide logs, and the 1st step in those instructions says to run MalwareBytes…which I have already stated it won’t run, neither will other virus/malware type software now. To me, it looks like whatever got into my system removed the use of those programs.

Since I am using the free version of Avast, apparently I have no avenue other than the forums to inform someone of a (possibly) new virus/malware. But, I have downloaded and run the program Farbar Recovery Scan Tool. If you tell me which part of the 2 files (FRST.txt and Addition.txt) you need, I will paste them here. I do not feel comfortable uploading a file with the info it contains to a public post.

FRST logs are computer diagnostic logs, and both logs are needed. And don’t paste, attach logs.

I have no avenue other than the forums to inform someone of a (possibly) new virus/malware.
Do you have a sample? It can be sent to avast lab. See instructions >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

You can also check suspicious files at: www.virustotal.com / www.jotti.org / www.metadefender.com

So, I looked online for more info and found a program named Reason Core Security that said it could get rid of the virus/malware. I
:P http://uk.pcmag.com/software/89944/review/reason-core-security

Malware expert is notified.

Not sure what you are saying? File is suspicious? After rebooting, the file is there in the running processes and trying to end the process gets an unable to terminate the process. Operation could not be completed, access is denied.

Malware expert will check the FRST logs you attached when he is online.

You may post link to VirusTotal scan result here

There were no results; all three URLs you posted reported zero of whatever scans they did. All said the file was clean. BUT, the only way I could test the file was copy it to another directory so I guess to be technical, I didn’t check the actual (possibly) infected file. There is also a directory C:\program files\mbcdhze being created after each reboot (I can delete the directory b4 reboot) and it is empty. I am assuming it has to do with the file c:\windows\system32\sneiukpsvc.exe.

There were no results; all three URLs you posted reported zero of whatever scans they did. All said the file was clean.
There is additional file info given when you scan it, like file type, who made it, digitally signed, seen before ... and lots more.

Did you install BOINC?

I installed BOINC back in 1999 and have been running it fine since. I have not updated it for a few months either.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
BootExecute: autocheck autochk * bddel.exe
FF user.js: detected! => C:\Users\KingKoz\AppData\Roaming\Mozilla\Firefox\Profiles\eeiipjvw.default-1489569338083\user.js [2017-03-18]
VirusTotal: C:\Windows\system32\sneiukpsvc.exe
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Here is the fixlog.txt you requested.

File seems to be clean according to VirusTotal result but follow Pondus' instructions for uploading suspicious files to Avast.
https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Thanks for the help. I have more info for you. I booted into safe mode and was then able to delete the sneiukpsvc.exe file as well as the c:\program files\mbcdhze directory. That directory appears after rebooting and is empty. Looking at the same directory a few minutes later it was full of dll’s and other files as well as a LOCALE directory. Inside that directory are 2 language file dirs…us-en and zh-cn. I am not positive but I think zh-cn is a Chinese language file. Seems odd that ONLY those 2 language files are there. Makes me think this is originally from China. Unfortunately, after rebooting from safe mode, the sneiukpsvc.exe and the mbcdhze have returned. My system seems fine after reboot but as time goes by I notice it slowing down. There are moments of total freeze, nothing crashes, everything freezes for a short time then back to normal. I have also noticed that programs that were running after reboot (i.e. checked my email with Thunderbird, firing up AVG PC Tuneup) will not start up. The task for that program is in the task manager but clicking on it gives a window saying the operation could not be completed. Access denied. Since I am administrator (and the only one that uses this pc) it looks like this issue has changed my access as well. The only way I can start a program at that point is to reboot my system.

Anyway, I will follow the instructions to upload the suspect file as soon as I can. Thanks again.

Need more help. I went to the thread you posted, found the submit a file section, click the BROWSE button, but when I surf to the location of the file, it is not listed. If I surf to the same directory going through my Computer/Program files the file is listed there. I have my system set to see hidden files. So how do I upload the alleged infected file? I also use Windows Commander (file manager application) and have that set to see hidden files but it also does not see this file. Can I drag & drop the file to your upload page? I can copy the suspect file to another directory and upload that but I would think that is probably not a good idea. Please advise.

Tried to upload infected file but had issues. See previous post. I did upload the file but it was the copied file so hopefully that will be ok. If not, I will need help.