Gramaxim Posted October 10, 2017 ID:1171344 (edited)
Good morning all! I'm very new to these forums so please bear with me! Yesterday my PC became infected with some sort of malware/virus. It began by installing several random programs on my computer, changed my browser settings, changed the way my computer started up, and messed things up pretty badly in my opinion. I downloaded Malwarebytes and it went ahead and removed most of the infected files on my PC, all but about 7. Now when I run the Malwarebytes scan, it finds these same 7 or so files, labels them as Trojan.Binuto, tells me their file location, and says it has quarantined them. I delete the files off of my PC, run another scan, and it keeps picking up the same files. It does this every single time, like it has not removed them from my computer. In my task manager I can see processes that weren't there before and it will not let me end the task. I try to locate it on my system and it takes me to the same directory where the trojan is located, but it says "Access is denied". The PC is not letting me system restore or fresh install Windows. When I click the respective button to do so, nothing happens. I am running Windows 10 64-bit. Any help would be greatly appreciated. I am new to this and am desperate to get my PC back in working order. Thank you!
Edited October 10, 2017 by Gramaxim
kevinf80 Posted October 10, 2017 ID:1171350
Hello Gramaxim and welcome to Malwarebytes,
Follow the instructions at this link and post the requested logs: https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/
Thank you,
Kevin
Gramaxim Posted October 10, 2017 Author ID:1171380
Kevinf80, thank you for the reply and sorry for not reading the pinned posts! Attached are both requested .txt files. I appreciate it!
Attachments: Addition.txt, FRST.txt
kevinf80 Posted October 10, 2017 ID:1171428
Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.
Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next, please open Malwarebytes Anti-Malware.
On the Settings tab > Protection, scroll to and make sure the following are selected:
Scan for Rootkits
Scan within Archives
Scroll further to Potential Threat Protection and make sure the following are set as follows:
Potentially Unwanted Programs (PUPs) set as: Always detect PUPs (recommended)
Potentially Unwanted Modifications (PUMs) set as: Always detect PUMs (recommended)
Click on Scan and make sure Threat Scan is selected. A Threat Scan will begin.
With some infections, you may or may not see this message box: 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected tab.
If asked to restart your computer to complete the removal, please do so.
When complete, click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard. Wait for the prompt to restart the computer to appear, then click on Yes.
After the restart, once you are back at your desktop, open MBAM once more to retrieve the log. To get the log from Malwarebytes do the following:
Click on the Reports tab from the main interface.
Double click on the Scan log which shows the date and time of the scan just performed.
Click Export. From Export you have two options:
Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply.
Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (I recommend "Desktop"), then attach it to your reply.
Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.
Let me see those logs, and also give an update on any remaining issues or concerns.
Kevin...
Attachment: fixlist.txt
Gramaxim Posted October 10, 2017 Author ID:1171444
Kevin, attached are both txt logs requested! Sorry for the ignorance, but was that supposed to fix what was wrong? The PC is still running processes that I believe are related to the malware/virus (or whatever infected my PC). There is a task open in Windows Task Manager named "Windows Process Manager" that was never there before the install of whatever infected my PC. I try to locate the file and get an "access denied" error. I located the folder where the task and processes are coming from, but it won't let me delete, rename, or do anything with it. When hovered over, the folder says it is empty, but when I try to move it to the recycle bin it says there are 20 files in the folder and I don't have permissions. I've even changed the owner of the folder to myself and it is still not letting me. I've tried to kill it using Windows Process Explorer, and have successfully killed the process tree, but the main one will not kill: "access denied". Even so, the processes come back on restart of Windows. Malwarebytes says nothing is infected. Thank you for the help thus far, I look forward to your reply!
Attachments: Fixlog.txt, MB.txt
kevinf80 Posted October 10, 2017 ID:1171445
Follow the instructions at this link: Requested Resource is in use Error - Unable to start Malwarebytes
Gramaxim Posted October 10, 2017 Author ID:1171451 (edited)
"The system volume seems inaccessible or encrypted. Scan can't continue" is the error that shows up when trying to scan using the program from that link.
Edited October 10, 2017 by Gramaxim
kevinf80 Posted October 10, 2017 ID:1171452
I believe you have a variant of the SmartService infection. This infection can have more than one rootkit, so it can be difficult to kill off. I want you to do the following:
Download PowerTool and save it to your Desktop, ensuring you get the correct version:
PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh
PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx
Please follow the instructions below:
Right click on PowerTool and select "Run as Administrator". Windows 10 users may see the following; if so, select "More Info" and in the next window select "Run Anyway".
Initially click on the sq image to enlarge the window to full screen (as shown in the image below).
Now click on the Kernel tab (No. 1 on the image below).
Then click on Kernel Notify Routine (No. 2 on the image below).
Also click on Path so you sort the list by name (No. 3 on the image below).
Right click anywhere on the listed items under Path (No. 4 on the image above) and select Export.
Save the exported file to your Desktop, zip up that file and attach it to your reply....
Thank you,
Kevin......
Gramaxim Posted October 10, 2017 Author ID:1171454
Kevin, thank you for the quick replies and the patience! I really do appreciate it! Attached is the requested file!
Attachment: notify.zip
kevinf80 Posted October 10, 2017 ID:1171468
Hello Gramaxim,
Run PowerTool again as before. When you are at the screen with "Kernel" > "Kernel Notify Routine" > "Path" selected, now right click on each line in turn as shown in the attached image and select Remove notify. Confirm with Yes. They are on lines 6, 7 and 8.
When that is completed, see if MBAR will now run....
Gramaxim Posted October 10, 2017 Author ID:1171473 (edited)
Ran MBAR and first got a "Could not load DDA driver" message (DDA driver was not installed, which may be caused by rootkit activity. Do you want to reboot the computer to install the DDA driver? Scan will continue after reboot). I click Yes, then immediately get another error saying, "Could not install driver on boot. Scan can't continue". But the PC didn't reboot; that error immediately shows up after I click Yes.
Edited October 10, 2017 by Gramaxim
kevinf80 Posted October 10, 2017 ID:1171476
Did you kill off the PowerTool entries? If you did, run it once more as you did initially and attach a fresh zipped log...
Gramaxim Posted October 10, 2017 Author ID:1171480
Yes, the PowerTool entries were killed as instructed. Attached is the requested fresh zipped log! Thanks again!
Attachment: notify(fresh).zip
kevinf80 Posted October 10, 2017 ID:1171487
The Notify log is clean. The SmartService infection changes many times to make discovery more difficult each time....
Do you have a USB flash drive? I want you to run FRST from the flash drive via the recovery environment.... Try the following:
Please download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save it to a USB flash drive. Ensure you get the correct version for your system, 32 bit or 64 bit...
Next,
From your Desktop select the start Flag (bottom lefthand corner of screen).
Hold down the "Shift key" of your keyboard, keep it down and select "Restart".
Your PC should open to the "Choose an Option" window.... release the shift key.
From that window select "Troubleshoot".
From the next window select "Advanced Options".
From that window select "Command Prompt".
Ensure the flash drive is plugged into a USB port...
You should now be in the Recovery Environment with the Command Prompt window open......
Continue with the following:
In the command window type in notepad and press Enter. Notepad opens. Under the File menu select Open. Select "Computer", find your flash drive letter and close Notepad.
In the command window type E:\frst64 or E:\frst depending on your version. Press Enter.
Note: Replace the letter E with the drive letter of your flash drive. <<<---- very important
The tool will start to run. When the tool opens click Yes to the disclaimer. Press the Scan button. It will make a log (FRST.txt) on the flash drive.
You will need to boot back to normal Windows to post the log, or if applicable do that from a spare PC... To boot back to Windows, type exit at the prompt and hit Enter.
Please copy and paste or attach the FRST log to your reply.
Thanks,
Kevin...
Gramaxim Posted October 10, 2017 Author ID:1171489
Just a quick question. Would formatting the drive and reinstalling Windows take care of the problem?
kevinf80 Posted October 10, 2017 ID:1171490
Yes, if you fully format the HD. Is it possible you can get the log via the recovery environment before you format, just for reference? No problem if you can't.
Gramaxim Posted October 10, 2017 Author ID:1171491
I tried to reset the PC while holding Shift. I get a "Please wait" blue screen, then the computer restarts. It doesn't take me to the recovery environment.
kevinf80 Posted October 10, 2017 ID:1171494
Ah yes, this infection changes reg settings so booting to RE is blocked.... Can you run the FRST fix as follows and post its log:
Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.
Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.
Attachment: fixlist.txt
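Kevin's last two replies describe the symptom of a blocked Recovery Environment (Shift+Restart reboots straight back to Windows). The following is an added check, not part of the thread or of any Malwarebytes tool: it reads the state of WinRE with the built-in reagentc and bcdedit utilities so a responder can confirm before formatting whether the RE boot path has been tampered with. It assumes an elevated prompt and English-language tool output (the regexes match the English labels).

```powershell
# Added example (not from the thread): report whether the Windows Recovery
# Environment is still registered and bootable from the running OS.
# Run from an elevated PowerShell prompt; output labels are assumed to be English.
function Get-WinREStatus {
    # reagentc /info prints lines such as "Windows RE status:         Enabled"
    $reagent = & reagentc.exe /info 2>&1 | Out-String
    $reStatus   = if ($reagent -match 'Windows RE status:\s+(\w+)') { $Matches[1] } else { 'Unknown' }
    $reLocation = if ($reagent -match 'Windows RE location:\s+(\S.*)') { $Matches[1].Trim() } else { '' }

    # bcdedit /enum {current} lists the recovery settings of the running OS entry;
    # a healthy entry has "recoveryenabled Yes" and a "recoverysequence {GUID}" pointing at WinRE.
    $bcd = & bcdedit.exe /enum '{current}' 2>&1 | Out-String
    $recoveryEnabled  = if ($bcd -match 'recoveryenabled\s+(\w+)') { $Matches[1] } else { 'missing' }
    $recoverySequence = if ($bcd -match 'recoverysequence\s+(\{[0-9a-fA-F-]+\})') { $Matches[1] } else { 'missing' }

    [pscustomobject]@{
        WinREStatus      = $reStatus
        WinRELocation    = $reLocation
        RecoveryEnabled  = $recoveryEnabled
        RecoverySequence = $recoverySequence
        # Shift+Restart can only reach WinRE when all three conditions hold.
        Healthy          = ($reStatus -eq 'Enabled' -and
                            $recoveryEnabled -eq 'Yes' -and
                            $recoverySequence -ne 'missing')
    }
}

$status = Get-WinREStatus
$status | Format-List
if (-not $status.Healthy) {
    # Matches the failure in the thread: WinRE is disabled or unlinked from the boot entry,
    # so offline scanning has to be done from external Windows install media instead.
    Write-Warning 'WinRE is not bootable from this OS; Shift+Restart will not reach it. Use external install media for offline scanning.'
}
```

If the check reports Healthy = False on a machine where "reagentc /enable" then succeeds, the recovery path was only disabled; a failure to re-enable points at a damaged or missing Winre.wim, which is a different repair.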
kevinf80 Posted October 14, 2017 ID:1172618
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!