Nasty Malware, MBAR won't work


Stanczyk


Go here: https://www.tenforums.com/tutorials/3841-add-take-ownership-context-menu-windows-10-a.html

Follow the instructions for step 2, then go to No. 5 below step 4 for the rest of the instructions. Basically you will download a .reg file to your Desktop; from there, run the file to merge the new registry setting. That will add "Take Ownership" to the context menu (right-click).

So now navigate to C:\Users\List\AppData\Local\unikrpc, right-click directly on the folder "unikrpc" and use the Take Ownership option. Close out, then re-navigate and see if the folder will delete manually...

That context setting can be removed with step 4 of the same site...

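The same thing the "Take Ownership" context-menu entry does, done from an elevated PowerShell prompt so the result ends up in a log rather than a dialog box. This is an added example, not code from the original thread or from the tenforums tutorial; the folder path is the one named in the post, and the note about what a failure means after ownership is taken is the editor's reading of the thread, not something the tool reports.

```powershell
# Added example, not from the original thread: the command-line equivalent of
# the "Take Ownership" context-menu entry, run from an elevated PowerShell
# prompt (Windows key + X, "Windows PowerShell (Admin)"). The path is the
# folder named in the post; change it if yours differs.
$target = 'C:\Users\List\AppData\Local\unikrpc'

if (-not (Test-Path -LiteralPath $target)) {
    Write-Host "Not present: $target"
    return
}

# Record who owns it now, so the "before" state ends up in the log.
Write-Host "Owner before: $((Get-Acl -LiteralPath $target).Owner)"

# Take ownership recursively, then grant Administrators full control.
# /D Y answers the prompt takeown raises for directories it cannot list.
takeown /F $target /R /D Y | Out-Null
icacls $target /grant 'Administrators:F' /T /C | Out-Null

# Strip read-only, system and hidden attributes that block deletion.
attrib -r -s -h $target /S /D
attrib -r -s -h "$target\*" /S /D

try {
    Remove-Item -LiteralPath $target -Recurse -Force -ErrorAction Stop
    Write-Host "Deleted: $target"
} catch {
    # Failing here, after ownership and full control, means something other
    # than ACLs is holding the folder (an open handle, a filter driver, or a
    # rootkit), which is the situation this thread ended up in. Dump the ACL
    # so the next reply has something concrete to look at.
    Write-Warning "Could not delete $target : $($_.Exception.Message)"
    (Get-Acl -LiteralPath $target).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Run it once before and once after a reboot; if the ACL dump shows Administrators with FullControl and the delete still fails, the ACL is no longer the problem and the later steps in this thread (recovery environment, live CD) are the right direction.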

Run the following fix; no fix will be done, just a log showing folder contents....

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it in your reply.

 

fixlist.txt


Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it in your reply.

 

fixlist.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 20-09-2017
Ran by List (20-09-2017 17:59:29) Run:15
Running from C:\Users\List\Desktop\FINALFIX\_1
Loaded Profiles: List (Available Profiles: List)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
C:\Users\List\AppData\Local\unikrpc\data*
C:\Users\List\AppData\Local\unikrpc - Copy\data*
end

 

 

*****************


=========== "C:\Users\List\AppData\Local\unikrpc\data*" ==========

not found

========= End -> "C:\Users\List\AppData\Local\unikrpc\data*" ========


=========== "C:\Users\List\AppData\Local\unikrpc - Copy\data*" ==========

not found

========= End -> "C:\Users\List\AppData\Local\unikrpc - Copy\data*" ========


==== End of Fixlog 17:59:29 ====


Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it in your reply.

fixlist.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 20-09-2017
Ran by List (20-09-2017 18:07:32) Run:16
Running from C:\Users\List\Desktop\FINALFIX\_1
Loaded Profiles: List (Available Profiles: List)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
2017-09-05 11:18 - 2017-09-11 22:05 - 000000000 ____D () C:\Users\List\AppData\Local\unikrpc\data601
2017-09-05 11:18 - 2017-09-11 20:53 - 000456704 _____ () C:\Users\List\AppData\Local\unikrpc\data601\Cookies
2017-09-05 11:18 - 2017-09-11 20:53 - 000000000 _____ () C:\Users\List\AppData\Local\unikrpc\data601\Cookies-journal
2017-09-05 11:23 - 2017-09-05 11:23 - 000000000 ____D () C:\Users\List\AppData\Local\unikrpc\data601\databases
2017-09-05 11:23 - 2017-09-05 11:23 - 000007168 _____ () C:\Users\List\AppData\Local\unikrpc\data601\databases\Databases.db
2017-09-05 11:23 - 2017-09-05 11:23 - 000000000 _____ () C:\Users\List\AppData\Local\unikrpc\data601\databases\Databases.db-journal
2017-09-06 16:22 - 2017-09-11 20:52 - 000000000 ____D () C:\Users\List\AppData\Local\unikrpc\data601\File System
2017-09-06 16:22 - 2017-09-11 20:52 - 000000000 ____D () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins
2017-09-06 16:22 - 2017-09-11 20:53 - 000000804 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000003.log
2017-09-11 20:51 - 2017-09-11 20:51 - 000000466 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000004.ldb
2017-09-11 20:52 - 2017-09-11 20:52 - 000000466 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000005.ldb
2017-09-11 20:52 - 2017-09-11 20:52 - 000000466 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000006.ldb
2017-09-11 20:52 - 2017-09-11 20:52 - 000000466 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000007.ldb
2017-09-11 20:52 - 2017-09-11 20:52 - 000000466 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000008.ldb
2017-09-11 20:52 - 2017-09-11 20:52 - 000000466 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000009.ldb
2017-09-06 16:22 - 2017-09-06 16:22 - 000000016 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\CURRENT
2017-09-06 16:22 - 2017-09-06 16:22 - 000000000 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\LOCK
2017-09-06 16:22 - 2017-09-11 20:53 - 000000947 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\LOG
2017-09-06 16:22 - 2017-09-11 20:48 - 000000294 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\LOG.old
2017-09-06 16:22 - 2017-09-06 16:22 - 000000041 _____ () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\MANIFEST-000001
2017-09-06 16:24 - 2017-09-06 16:24 - 000000000 ____D () C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\lost
end

 

 

*****************


"C:\Users\List\AppData\Local\unikrpc\data601" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc\data601" => Scheduled to move on reboot.

Could not move "C:\Users\List\AppData\Local\unikrpc\data601\Cookies" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\Cookies-journal" => Scheduled to move on reboot.

"C:\Users\List\AppData\Local\unikrpc\data601\databases" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc\data601\databases" => Scheduled to move on reboot.

Could not move "C:\Users\List\AppData\Local\unikrpc\data601\databases\Databases.db" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\databases\Databases.db-journal" => Scheduled to move on reboot.

"C:\Users\List\AppData\Local\unikrpc\data601\File System" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System" => Scheduled to move on reboot.


"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins" => Scheduled to move on reboot.

Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000003.log" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000004.ldb" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000005.ldb" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000006.ldb" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000007.ldb" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000008.ldb" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000009.ldb" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\CURRENT" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\LOCK" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\LOG" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\LOG.old" => Scheduled to move on reboot.
Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\MANIFEST-000001" => Scheduled to move on reboot.

"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\lost" folder move:

Could not move "C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\lost" => Scheduled to move on reboot.


Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 20-09-2017 18:08:32)

"C:\Users\List\AppData\Local\unikrpc\data601" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\Cookies" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\Cookies-journal" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\databases" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\databases\Databases.db" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\databases\Databases.db-journal" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000003.log" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000004.ldb" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000005.ldb" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000006.ldb" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000007.ldb" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000008.ldb" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\000009.ldb" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\CURRENT" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\LOCK" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\LOG" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\LOG.old" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\MANIFEST-000001" => Could not move
"C:\Users\List\AppData\Local\unikrpc\data601\File System\Origins\lost" => Could not move

==== End of Fixlog 18:08:33 ====


Hmm, I just wanted to see if FRST would move selected files from inside the unikrpc folder.... We've tried to move the folders from outside of Windows via the recovery environment and suffered the same outcome...

I'm out of ideas; I'll see if one of the other guys will have a look at your thread, maybe they'll have a better idea of the way ahead....

These two folders are proving to be a real problem; maybe they can be deleted via an Ubuntu live CD. Do you have any experience of such systems?


1) I have some experience. If you give me a bootable File Manager or OS I could try to delete the folders.

 

2) I have a list of infection issues:

 

a) I'm locked out of some anti-malware programs ("The requested resource is in use.") RKill.exe, for example.

b) Windows doesn't update.

c) Microsoft's 'Edge' browser won't work (DNS error, sites won't display)

d) The Windows toolbar has limited functionality - I can't right-click an object for options or information.

e) My webcam stopped working, and I had problems with USB in general (partially fixed, but webcam won't work)

f) whenever I start the computer up, I hear a number of alert sound effects generated by the malware (windows 'beeps'.)

g) Malwarebytes' 'Web Protection' can't be turned on (all others are turned on.)

 

 


I want you to try the following and see if this makes any difference. When complete: 1. check whether the folders are still there, 2. see if they will delete manually, 3. try the fix as per reply #39.

Select the Windows key and X key together. From the produced list select:

Command Prompt (Admin)

Accept UAC alert...

At the Command prompt, type

CHKDSK C: /R

hit the Enter key.

You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot - hit the Y key, press Enter, and then reboot.

The CHKDSK may take a few hours depending on the size of the drive, so be patient!

After the CHKDSK has run use the following instructions to find the log:

Check Disk report:
 
  • Press the WindowsKey + R on your keyboard at the same time. Type eventvwr into the run box and click OK.
  • In the left panel, expand Windows Logs and then click on Application.
  • Now, on the right side, click on Filter Current Log.
  • Under Event Sources, (expand the drop down arrow) check only Wininit and click OK.
  • You may be presented with one or multiple Wininit logs.
  • Click on an entry corresponding to the date and time of the disk check.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.

Thank you,

Kevin...

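The CHKDSK schedule and the Event Viewer walk-through above, as one script. This is an added example, not Kevin's instructions or any Malwarebytes tooling; it assumes an elevated PowerShell session, and the provider name and event ID used to find the boot-time report (Microsoft-Windows-Wininit, ID 1001) are the ones Windows normally uses for that entry, stated here as an assumption rather than something the post confirms.

```powershell
# Added example, not part of the original post: schedule the same offline
# "CHKDSK C: /R" and, after the reboot, pull the Wininit summary out of the
# Application log instead of clicking through Event Viewer.
# Assumes an elevated PowerShell session.

function Invoke-OfflineChkdsk {
    param([string]$Drive = 'C:')
    # chkdsk cannot lock the system drive while Windows is running, so it asks
    # whether to run at the next boot; piping "Y" answers that prompt.
    'Y' | chkdsk $Drive /R
    # Confirm the boot-time check is actually scheduled before rebooting.
    chkntfs $Drive
}

function Get-ChkdskReport {
    param([int]$Newest = 1)
    # Assumption: the boot-time chkdsk summary is logged to the Application log
    # by provider Microsoft-Windows-Wininit as Event ID 1001 (shown as source
    # "Wininit" in Event Viewer, which is what the post filters on).
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 1001
    } -MaxEvents $Newest -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning 'No Wininit chkdsk report found; the scan may not have run yet.'
        return
    }
    foreach ($e in $events) {
        "==== $($e.TimeCreated) ===="
        $e.Message
    }
}

# Before the reboot:
#   Invoke-OfflineChkdsk -Drive 'C:'
# After the reboot, write the report to the Desktop and paste it into the reply:
#   Get-ChkdskReport | Out-File "$env:USERPROFILE\Desktop\chkdsk-report.txt"
```

If Get-ChkdskReport finds nothing after the reboot, chkntfs is the first thing to re-check: a scheduled check that never ran is a different problem from a check that ran clean.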

We need to be sure your system is definitely clean before we try to progress with broken services..

Go here and click 'SCAN NOW' under 'ESET Online Scanner' save to your Desktop.

Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how

Right-click on the downloaded ESET file and select "Run as Administrator"

In the new Window accept the terms of service

In the new Window select "Enable detection of potentially unwanted applications" then expand "Advanced Settings"

In the new Window checkmark (tick) the entries as shown, make sure "Clean threats automatically" is not checkmarked. Now select "Scan"

In the new Window new virus database signatures will download, Do Not Select Stop

The Window will progress showing the scan in action....

In the new Window if no threats are found, select "Delete applications data on close" then select "Finish" no log is produced, confirm that in your reply...

If threats are found the following Window will open:

Click on "Select All" then "Save to Text file" name and save that file, attach to your reply.

Now select "Do not clean" and then close out....
 
Thank you...
 
Kevin

The scan flagged some old programs that are definitely not threats, and found nothing else.

 

D:\Games\Blizzard\Diablo\bobafett\DTrainer.exe    a variant of Win32/GameHack.EW potentially unsafe application    
D:\Games\Command & Conquer 3\C & C 3 Trainer 1.09.exe    a variant of Win32/GameHack.F potentially unsafe application    
D:\Games\Command & Conquer 3 Kane's Wrath\C&C 3 Kanes Wrath Promo Trainer.exe    a variant of Win32/GameHack.F potentially unsafe application    
D:\Games\_GamePlayDocs\DarkestDungeon\Darkest Dungeon Build 14620 Trainer +6 MrAntiFun.EXE    a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application    
D:\Programs\Cheat Engine 6.6\standalonephase1.dat    a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application    

 


Run Windows all in one repair tool by Tweaking.com, see how your system responds when complete....

Download Portable Windows Repair (all in one) from one of the following:

www.tweaking.com/files/setups/tweaking.com_windows_repair_aio.zip

http://www.majorgeeks.com/mg/getmirror/tweaking_com_windows_repair_portable,1.html

https://www.bleepingcomputer.com/download/windows-repair-all-in-one/

Unzip the contents into a newly created folder on your desktop.

Boot your system to Safe mode, instructions here: https://support.microsoft.com/en-gb/help/12376/windows-10-start-your-pc-in-safe-mode

Open the Tweaking.com folder, run the tool by right click on Repair_Windows (icon with red briefcase) select "Run as Administrator"

From the main GUI do the following:

Select Tab 5 to make Registry backup, use the recommended option...

When complete select "Repairs" tab, from there select "Open Repairs" tab..

From that window select the default option and checkmark the "Select All" box. When ready select "Start Repairs" tab....

When complete re-boot your system to Normal mode, see if there is any improvement...

Logs are saved to the Tweaking.com folder on your Desktop, the one to post is _Windows_Repair_Log.txt
 
Let me know if there is any improvement...

No improvement yet.

 

 

 

Tweaking.com - Windows Repair 2018 (v4.0.6)
--------------------------------------------------------------------------------

System Variables
--------------------------------------------------------------------------------
OS: Windows 10 Home
OS Architecture: 64-bit
OS Version: 10.0.15063.608
OS Service Pack:
Computer Name: DESKTOP-HO5U8KA
Windows Drive: C:\
Windows Path: C:\WINDOWS
Program Files: C:\Program Files
Program Files (x86): C:\Program Files (x86)
Current Profile: C:\Users\List
Current Profile SID: S-1-5-21-2489865123-2485827485-1206147462-1001
Current Profile Classes: S-1-5-21-2489865123-2485827485-1206147462-1001_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\WINDOWS\ServiceProfiles
Local Settings AppData: C:\Users\List\AppData\Local
--------------------------------------------------------------------------------

System Information
--------------------------------------------------------------------------------
System Up Time: 0 Days 00:05:05

Process Count: 34
Commit Total: 1.05 GB
Commit Limit: 36.68 GB
Commit Peak: 1.17 GB
Handle Count: 10589
Kernel Total: 359.36 MB
Kernel Paged: 278.25 MB
Kernel Non Paged: 81.11 MB
System Cache: 1,001.04 MB
Thread Count: 439
--------------------------------------------------------------------------------

Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 31.93 GB
Memory Used: 1.17 GB(3.6656%)
Memory Avail.: 30.75 GB
--------------------------------------------------------------------------------

Cleaning Memory Before Starting Repairs...

Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 31.93 GB
Memory Used: 1.02 GB(3.2076%)
Memory Avail.: 30.90 GB
--------------------------------------------------------------------------------

Starting Repairs...
   Started at (9/21/2017 9:02:06 AM)

Setting Any Missing 'InstallDate' From Uninstall Sections Before Running Repair...
Total Missing 'InstallDate' Fixed: 95
 
01 - Reset Registry Permissions
   Restore Windows 7/8/10 Default Registry Permissions
   Start (9/21/2017 9:02:07 AM)


Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\hku.7z
Done,  0.2 seconds.


Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\hklm.7z
Done,  2.2 seconds.

   Running Repair Under System Account
   Done (9/21/2017 9:02:42 AM)

02 - Reset File Permissions
   Restore Windows 7/8/10 Default File Permissions
   Start (9/21/2017 9:02:42 AM)


Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\default.7z
Done,  0.13 seconds.


Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\profile.7z
Done,  0.16 seconds.


Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\program_files.7z
Done,  0.3 seconds.


Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\program_files_x86.7z
Done,  0.13 seconds.


Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\programdata.7z
Done,  0.14 seconds.


Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\windows.7z
Done,  1.0 seconds.

   Running Repair Under System Account
   Done (9/21/2017 9:04:28 AM)

03 - Reset Service Permissions
   Start (9/21/2017 9:04:28 AM)

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:04:39 AM)

04 - Register System Files
   Start (9/21/2017 9:04:39 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:05:05 AM)

05 - Repair WMI
   Start (9/21/2017 9:05:05 AM)

   Starting Security Center So We Can Export The Security Info.

   Exporting Antivirus Info...
   Windows Defender Exported.
   Malwarebytes Exported.

   Exporting AntiSpyware Info...
   Malwarebytes Exported.
   Windows Defender Exported.

   Exporting 3rd Party Firewall Info...
   No Firewall Products Reported.

   Running Repair Under Current User Account
   Done (9/21/2017 9:06:07 AM)

06 - Repair Windows Firewall
   Start (9/21/2017 9:06:07 AM)

Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.14 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:06:25 AM)

07 - Repair Internet Explorer
   Start (9/21/2017 9:06:25 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:06:40 AM)

08 - Repair MDAC/MS Jet
   Start (9/21/2017 9:06:40 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:06:46 AM)

09 - Repair Hosts File
   Start (9/21/2017 9:06:46 AM)
   Running Repair Under System Account
   Done (9/21/2017 9:06:47 AM)

10 - Remove Policies Set By Infections
   Start (9/21/2017 9:06:47 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:06:49 AM)

11 - Repair Start Menu Icons Removed By Infections
   Start (9/21/2017 9:06:49 AM)
   Running Repair Under System Account
   Done (9/21/2017 9:06:50 AM)

12 - Repair Icons
   Start (9/21/2017 9:06:50 AM)
   Running Repair Under Current User Account
   Done (9/21/2017 9:07:41 AM)

13 - Repair Network
   Start (9/21/2017 9:07:41 AM)

Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.14 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:07:47 AM)

14 - Remove Temp Files
   Start (9/21/2017 9:07:47 AM)
   Running Repair Under System Account
   Done (9/21/2017 9:07:48 AM)

15 - Repair Proxy Settings
   Start (9/21/2017 9:07:48 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:07:50 AM)

16 - Repair Windows Updates
   Start (9/21/2017 9:07:50 AM)

Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.13 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Setting Windows Updates Files That Are In Use To Be Removed At Next Boot.
   Done (9/21/2017 9:08:07 AM)

17 - Repair CD/DVD Missing/Not Working
   Start (9/21/2017 9:08:07 AM)
   iTunes or GEARAspiWDM.sys not found, not applying UpperFilters iTunes Reg Key
   Done (9/21/2017 9:08:07 AM)

18 - Repair Volume Shadow Copy Service
   Start (9/21/2017 9:08:07 AM)

Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.13 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:08:44 AM)

19 - Repair Windows Sidebar/Gadgets
   Start (9/21/2017 9:08:44 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:08:46 AM)

20 - Repair MSI (Windows Installer)
   Start (9/21/2017 9:08:46 AM)

Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.14 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:08:57 AM)

21 - Repair Windows Snipping Tool
   Start (9/21/2017 9:08:57 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:08:59 AM)

22.01 - Repair bat Association
   Start (9/21/2017 9:08:59 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:01 AM)

22.02 - Repair cmd Association
   Start (9/21/2017 9:09:01 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:03 AM)

22.03 - Repair com Association
   Start (9/21/2017 9:09:03 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:05 AM)

22.04 - Repair Directory Association
   Start (9/21/2017 9:09:05 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:07 AM)

22.05 - Repair Drive Association
   Start (9/21/2017 9:09:07 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:09 AM)

22.06 - Repair exe Association
   Start (9/21/2017 9:09:09 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:11 AM)

22.07 - Repair Folder Association
   Start (9/21/2017 9:09:11 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:13 AM)

22.08 - Repair inf Association
   Start (9/21/2017 9:09:13 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:16 AM)

22.09 - Repair lnk (Shortcuts) Association
   Start (9/21/2017 9:09:16 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:18 AM)

22.10 - Repair msc Association
   Start (9/21/2017 9:09:18 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:20 AM)

22.11 - Repair reg Association
   Start (9/21/2017 9:09:20 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:22 AM)

22.12 - Repair scr Association
   Start (9/21/2017 9:09:22 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:24 AM)

23 - Repair Windows Safe Mode
   Start (9/21/2017 9:09:24 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:26 AM)

24 - Repair Print Spooler
   Start (9/21/2017 9:09:26 AM)

Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.14 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:30 AM)

25 - Restore Important Windows Services
   Start (9/21/2017 9:09:30 AM)

Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.14 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:37 AM)

26 - Set Windows Services To Default Startup
   Start (9/21/2017 9:09:37 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:09:41 AM)

27.01 - Repair Windows 8/10 App Store
   Start (9/21/2017 9:09:41 AM)

Decompressing & Updating Windows Permission File C:\Users\List\Desktop\Tweaking.com - Windows Repair\files\permissions\10\hku.7z
Done,  0.21 seconds.

   Running Repair Under Current User Account
   Done (9/21/2017 9:10:57 AM)

28 - Repair Windows 8/10 Component Store
   Start (9/21/2017 9:10:57 AM)
   Running Repair Under Current User Account
   Done (9/21/2017 9:12:34 AM)

29 - Restore Windows 8/10 COM+ Unmarshalers
   Start (9/21/2017 9:12:34 AM)
   Running Repair Under System Account
[X] -----Job Complete-----         Items Done: 1      
   Done (9/21/2017 9:12:36 AM)

30 - Repair Windows 'New' Submenu
   Start (9/21/2017 9:12:36 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:12:38 AM)

31 - Restore UAC (User Account Control) Settings
   Start (9/21/2017 9:12:38 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (9/21/2017 9:12:41 AM)

32 - Repair Performance Counters
   Start (9/21/2017 9:12:41 AM)
   Running Repair Under Current User Account
   Done (9/21/2017 9:12:45 AM)

33 - Repair Recycle Bin (Deletes Recycle Bin Contents): C:
   Start (9/21/2017 9:12:45 AM)

   Setting Permissions For Recycle Bin On C:\
   Running Repair Under Current User Account

   Removing Recycle Bin Items On C:\
   Done (9/21/2017 9:12:46 AM)

33 - Repair Recycle Bin (Deletes Recycle Bin Contents): D:
   Start (9/21/2017 9:12:46 AM)

   Setting Permissions For Recycle Bin On D:\
   Running Repair Under Current User Account

   Removing Recycle Bin Items On D:\
   Done (9/21/2017 9:12:47 AM)

Cleaning up empty logs...

All Selected Repairs Done.
   Done at (9/21/2017 9:12:47 AM)
   Total Repair Time: 00:10:42


...YOU MUST RESTART YOUR SYSTEM...

 


None got fixed.

I ran Malwarebytes to turn the protections back on, and it restarted my computer to load the anti-rootkit drivers. When I restarted I got a page fault error (had to restart again) that started with this file:

C:\Windows\System32\drivers\terruxbe.sys

If I'm not mistaken this is a malware driver that was already deleted. (it's back)

 


This is frustrating for sure; this infection, "smartservice", has changed quite a bit since its inception. We are dealing with more than one rootkit now, hence we have not killed it off fully and it continues to reinstate what we move....

Can you run FRST from normal Windows and post fresh logs "FRST.txt" and "Addition.txt"

Also run the FRST fix via the recovery environment and post fixlog.txt. I've attached fixlist.txt

Thanks,

Kevin

fixlist.txt


Can you upload a couple of files to VirusTotal and have them checked out...

Upload Files to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Windows\system32\drivers\19A67FD7.sys
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.
  • Repeat the above steps for the following files
C:\Windows\system32\drivers\1E6D6CB4.sys
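Before uploading drivers one at a time, it is worth hashing and signature-checking them locally, so the VirusTotal lookup can be done by hash and the odd-looking ones rise to the top. This is an added example, not part of the original thread or of any Malwarebytes tooling; the two paths are the ones named in the post, while the 30-day window and the "eight hex characters" name check are illustrative assumptions, not anything the thread established.

```powershell
# Added example, not part of the original thread: hash and signature-check
# the two drivers named in the post plus any recently written driver, and
# build a VirusTotal lookup URL from the SHA-256 so nothing has to be uploaded
# unless it is actually unknown. Assumes an elevated PowerShell session.
$named = @(
    'C:\Windows\System32\drivers\19A67FD7.sys',
    'C:\Windows\System32\drivers\1E6D6CB4.sys'
)

# Assumed window: any .sys written in the last 30 days is also worth a look.
$recent = Get-ChildItem 'C:\Windows\System32\drivers' -Filter *.sys -File -Force |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Select-Object -ExpandProperty FullName

$files = ($named + $recent) | Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ }

$report = foreach ($f in $files) {
    $item   = Get-Item -LiteralPath $f
    $hash   = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $f
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $base   = [IO.Path]::GetFileNameWithoutExtension($f)

    [pscustomobject]@{
        File         = $f
        SHA256       = $hash
        SigStatus    = $sig.Status
        Signer       = $signer
        OriginalName = $item.VersionInfo.OriginalFilename
        Written      = $item.LastWriteTime
        # Assumed heuristic: an 8-hex-character file name deserves a second
        # look. A valid signature plus an OriginalName that explains it (as in
        # this thread, where the two files turned out to be mbamswissarmy.sys)
        # is what a benign hit looks like.
        HexName      = $base -match '^[0-9A-Fa-f]{8}$'
        VTLookup     = "https://www.virustotal.com/gui/file/$hash"
    }
}

# Unsigned or invalid signatures first, then the hex-named ones.
$report | Sort-Object @{Expression = { $_.SigStatus -eq 'Valid' }}, HexName -Descending |
    Format-Table File, SigStatus, Signer, OriginalName, HexName, SHA256 -AutoSize

# Anything with SigStatus other than Valid, or with no OriginalName at all,
# is what to upload; the rest can be checked by pasting VTLookup into a browser.
```

A caveat that matters on this particular machine: a rootkit that is intercepting file reads can hand a clean file to Get-FileHash and Get-AuthenticodeSignature while a different one is actually loaded, so a "Valid" result here is evidence, not proof, and the recovery-environment run Kevin asks for is still the stronger check.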

(There's a lot of stuff that isn't easy to copy/paste.)

 

Both files have the exact same results. Both files have everything as 'Clean' ("No engines detected this file"), except for these:

Alibaba, Symantec Mobile Insight, Trustlook

("Unable to process file type" instead of 'Clean.')

 

 

 

SHA-256 cd41acbc70412b61c844adc26413728a09d60983a464327a285c80e08d37f8b6
File name mbamswissarmy.sys
File size 247.94 KB
Last analysis 2017-09-21 16:13:03 UTC

 

MD5 94fca94ee7937ea3ed75f39de4c8e292
SHA-1 4bf1224bc61610e32eafb11dce65b54c4dc78a47
Authentihash 238049b6929b5b9245ac5d1e2b0ec23de5ee51f9e17628256582d4e9182c33a8
Imphash 2f42b60dc3bcefcbc3efbe291474350e
File Type Win32 EXE
Magic PE32+ executable for MS Windows (native) Mono/.Net assembly
SSDeep 6144:9t8N0l3KWmWY7ddZMcZpCWWN3XeiyhyEJHlUjI8Sa5xMeAVFPIX:9t8NuNmWYF3pCWWN3XeiKysmMPa5x7Si
TRiD Generic Win/DOS Executable (50%) DOS Executable Generic (49.9%)
File Size 247.94 KB
 
 
 
Creation Time: 2017-07-17 21:14:48
First Seen In The Wild: 2014-04-08 17:53:07
First Submission: 2017-08-01 18:07:09
Last Submission: 2017-09-21 16:13:03
Last Analysis: 2017-09-21 16:13:03
Debug Artifacts: 2017-07-18 01:14:48
Signature Date: 2017-07-17 22:17:00
 
 

 

File names

  • mbamswissarmy.sys
  • MBAMSwissArmy.sys
  • MB3SwissArmy.sys
  • CD41ACBC70412B61C844ADC26413728A09D60983A464327A285C80E08D37F8B6
  • mb3swissarmy.sys

 

Signature Info

Signature Verification: Signed file, valid signature

File Version Information
Copyright: (C) Malwarebytes. All rights reserved.
Product: Malwarebytes SwissArmy
Description: Malwarebytes SwissArmy
Original Name: mbamswissarmy.sys
Internal Name: mbamswissarmy.sys
File Version: 4.2.0.122
Date signed: 10:17 PM 7/17/2017

Signers

Malwarebytes Corporation
  Status: Valid
  Valid From: 1:00 AM 7/21/2016
  Valid To: 1:00 PM 7/25/2019
  Valid Usage: Code Signing
  Algorithm: sha1RSA
  Thumbprint: 249BDA38A611CD746A132FA2AF995A2D3C941264
  Serial Number: 04 4E 3B F5 89 76 88 0F FD 07 44 48 A8 F7 A0 58

DigiCert Assured ID Code Signing CA-1
  Status: Valid
  Valid From: 1:00 PM 2/11/2011
  Valid To: 1:00 PM 2/10/2026
  Valid Usage: Code Signing
  Algorithm: sha1RSA
  Thumbprint: 409AA4A74A0CDA7C0FEE6BD0BB8823D16B5F1875
  Serial Number: 0F A8 49 06 15 D7 00 A0 BE 21 76 FD C5 EC 6D BD

  Status: Valid
  Valid From: 1:00 AM 11/10/2006
  Valid To: 1:00 AM 11/10/2031
  Valid Usage: Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
  Algorithm: sha1RSA
  Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  Serial Number: 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39

Counter Signers

DigiCert Timestamp Responder
  Status: Valid
  Valid From: 1:00 AM 10/22/2014
  Valid To: 1:00 AM 10/22/2024
  Valid Usage: Timestamp Signing
  Algorithm: sha1RSA
  Thumbprint: 614D271D9102E30169822487FDE5DE00A352B01D
  Serial Number: 03 01 9A 02 3A FF 58 B1 6B D6 D5 EA E6 17 F0 66

DigiCert Assured ID CA-1
  Status: Valid
  Valid From: 1:00 AM 11/10/2006
  Valid To: 1:00 AM 11/10/2021
  Valid Usage: Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing
  Algorithm: sha1RSA
  Thumbprint: 19A09B5A36F4DD99727DF783C17A51231A56C117
  Serial Number: 06 FD F9 03 96 03 AD EA 00 0A EB 3F 27 BB BA 1B

DigiCert
  Status: Valid
  Valid From: 1:00 AM 11/10/2006
  Valid To: 1:00 AM 11/10/2031
  Valid Usage: Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
  Algorithm: sha1RSA
  Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  Serial Number: 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39


 

The rest is just tables that don't format well. I can paste them if necessary.
