
Good morning all! 

I'm very new to these forums so please bear with me!

Yesterday my PC became infected with some sort of malware/virus. It began by installing several random programs on my computer, changed my browser settings, changed the way my computer started up, and messed things up pretty bad in my opinion. I downloaded MalwareBytes and it went ahead and removed most of the infected files on my PC. All but about 7. Now I run the Malwarebytes scan, it finds these same 7 or so files, labels them as the Trojan.Binuto, tells me their file location, and says it has quarantined them. I delete the files off of my PC, run another scan, and it keeps picking up the same files. It does this every single time like it has not removed them from my computer. In my task manager I can see processes that weren't there before and it will not let me end task. I try to locate it on my system and it takes me to the same directory where the trojan is located, but says "Access is denied". PC is not letting me system restore or fresh install windows. When I click the respective button to do so, nothing happens. 

I am running Windows 10 64bit

 

Any help would be greatly appreciated. I am new to this and am desperate to get my PC back in working order.

 

Thank you!

Edited by Gramaxim

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives

  • Scroll further to Potential Threat Protection and make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as :- Always detect PUMs (recommended)

  • Click on Scan and make sure Threat Scan is selected.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box:
    'Could not load DDA driver'

  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected tab.
  • If asked to restart your computer to complete the removal, please do so.
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab from the main interface.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export > from Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply

  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log into your reply.

Let me see those logs, also give an update on any remaining issues or concerns..

Kevin...

 

fixlist.txt


Kevin, 

Attached are both txt logs requested!

Sorry for the ignorance, but was that supposed to fix what was wrong? The PC is still running processes that I believe are malware/virus (or whatever infected my PC) related. There is a task open in Windows Task Manager named "Windows Process Manager" that was never there before the install of whatever infected my PC. I try to locate the file and get an "access denied" error. I located the folder where the task and processes are coming from, but it won't let me delete, rename, or do anything with it. When hovered over, the folder says it is empty, but when I try to move it to the recycle bin it says there are 20 files in the folder and I don't have permissions. I've even changed the owner of the folder to myself and it is still not letting me. I've tried to kill it using Windows Process Explorer, and have successfully killed the process tree, but the main one will not kill: "access denied". Even so, the processes come back on restart of Windows. Malwarebytes is saying nothing is infected.

Thank you for the help thus far, I look forward to your reply! 

 

:D

 

Fixlog.txt

MB.txt

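The symptoms in the post above (a process whose image path cannot be read, a folder that Explorer shows as empty but that the delete dialog says holds 20 files, an ownership change that did not help) can be checked from a script rather than by hand. The following PowerShell is an added example and is not part of the thread, of FRST, or of any Malwarebytes tool; the folder path at the bottom is a placeholder to replace with the folder Task Manager points at. Run it from an elevated PowerShell prompt.

```powershell
# Added triage example, not from the thread or from Malwarebytes' tooling.
# Lists running processes that live outside the standard Windows folders or
# whose image path cannot be read, then reports what a suspect folder really
# contains (hidden/system files included) and which ACL entries deny access.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspectProcesses {
    # Win32_Process.ExecutablePath is empty for processes the caller cannot
    # open (and for kernel pseudo-processes such as System); an empty path on
    # an ordinary-looking process name matches the "Access is denied" symptom.
    Get-CimInstance Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) {
            [pscustomobject]@{ Name = $_.Name; Id = $_.ProcessId; Path = '<not readable>'; Note = 'image path unavailable' }
        }
        elseif (-not (Test-TrustedPath $path)) {
            [pscustomobject]@{ Name = $_.Name; Id = $_.ProcessId; Path = $path; Note = 'outside Windows/Program Files' }
        }
    }
}

function Get-FolderReport {
    param([Parameter(Mandatory)][string]$Folder)
    # -Force includes hidden and system files, which is how a folder can look
    # "empty" on hover while the delete dialog still counts 20 items.
    $items = @(Get-ChildItem -LiteralPath $Folder -Force -Recurse -ErrorAction SilentlyContinue)
    $acl   = Get-Acl -LiteralPath $Folder -ErrorAction SilentlyContinue
    $deny  = @()
    if ($acl) {
        $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { "$($_.IdentityReference) : $($_.FileSystemRights)" }
    }
    [pscustomobject]@{
        Folder    = $Folder
        ItemCount = $items.Count
        Hidden    = @($items | Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }).Count
        Owner     = if ($acl) { $acl.Owner } else { '<acl not readable>' }
        DenyRules = if ($deny) { $deny -join '; ' } else { 'none' }
    }
}

# Usage: review the process list first, then inspect the folder it points at.
Get-SuspectProcesses | Sort-Object Note, Name | Format-Table -AutoSize
# Placeholder path: replace with the folder reported by Task Manager.
Get-FolderReport -Folder 'C:\ProgramData\SuspectFolder'
```

Processes outside the Windows and Program Files trees are not automatically malicious (per-user installs under AppData are common), so the list is a starting point for the kind of log a helper asks for, not a verdict. An explicit Deny ACE in the folder report, or an owner change that still leaves the folder undeletable, is consistent with the rootkit-style protection the thread goes on to discuss, and is the sort of detail worth including in a reply.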

I believe you have a variant of the SmartService infection; this infection can have more than one rootkit, so it can be difficult to kill off. I want you to do the following:

Download PowerTool and save to your Desktop, ensure to get the correct version:

PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh

PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx

Please follow the instructions below:

Right click on PowerTool and select "Run as Administrator".

Windows 10 users may see the following; if so, select "More Info".

[screenshot]

In the next window select "Run Anyway".

[screenshot]

Initially click on the square icon to enlarge the window to full screen (as shown in the image below).
Now click on the Kernel tab (No. 1 on the image below).
Then click on Kernel Notify Routine (No. 2 on the image below).
Also click on Path so you sort the list by name (No. 3 on the image below).

[screenshot]

Right click anywhere on the listed items under Path (No. 4 on the image above) and select Export.

[screenshot]

Save the exported file to your Desktop, zip up that file and attach it to your reply....

[screenshot] [screenshot]

Thank you,

Kevin......

Hello Gramaxim,

Run PowerTool again as before. When you are at the screen with "Kernel" > "Kernel Notify Routine" > "Path" selected, right click on each line in turn as shown in the attached image and select "Remove notify". Confirm with Yes. They are on lines 6, 7 and 8.

When that is completed see if MBAR will now run....

PTools.JPG


Ran MBAR and first got a "could not load dda driver" error: "DDA driver was not installed which may be caused by rootkit activity. Do you want to reboot the computer to install DDA driver? Scan will continue after reboot."

I click yes, then immediately get another error saying, "Could not install driver on boot. Scan can't continue."

But the PC didn't reboot; that error immediately shows up after I click yes.

 

Edited by Gramaxim

Notify log is clean. The SmartService infection changes many times to make discovery more difficult each time....

Do you have a USB flash drive? I want you to run FRST from the flash drive via the recovery environment.... Try the following:

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Ensure you get the correct version for your system, 32 bit or 64 bit...

Next,

From your Desktop select the Start flag (bottom left-hand corner of the screen).

Hold down the "Shift" key on your keyboard, keep it down and select "Restart".

Your PC should open to the "Choose an option" window.... Release the Shift key.

From that window select "Troubleshoot".

From the next window select "Advanced options".

From that window select "Command Prompt".

Ensure the flash drive is plugged into a USB port... You should now be in the Recovery Environment with the Command Prompt window open......

Continue with the following:
 
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter.
  • Note: Replace the letter E with the drive letter of your flash drive. <<<---- very important
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. You will need to boot back to normal Windows to post the log, or if applicable do that from a spare PC...
  • To boot back to Windows, type exit at the prompt and hit Enter.
  • Please copy and paste or attach the FRST log to your reply.


Thanks,

Kevin...

Ah yes, this infection changes registry settings so booting to the RE is blocked.... Can you run an FRST fix as follows and post its log:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

 

 

fixlist.txt


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
