Stubborn malware/ransomware on desktop PC


Recommended Posts

I managed to infect my computer, after having no problems for 7 years.  :(

I'm unable to load Windows (I'm running Windows 7) and there's one file that Zemana AntiMalware managed to quarantine, but that only lasted a few days.  It showed back up.

"cgrdolm.exe" which is associated with "spovaze.exe".

When I reboot the computer, when it gets to the main Windows welcome screen, it just sits there.

I surely hope that someone can help me get this thing cleaned up.

Thanks in advance!

 

FRST.txt

Addition.txt

hjt.txt


Hello danlboi and welcome to Malwarebytes,

Run the following fix with FRST and post back the log. I do not want to do anything else until we see that log; it looks like there may be a protective rootkit on your system that will stop progress....

First can you Uninstall Spybot Search and Destroy.. https://www.safer-networking.org/faq/how-to-uninstall-2/

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Also do you have a USB flashdrive available...

fixlist.txt


Hello, kevinf80, appreciate the response.

Okay, I deleted Spybot and ran the fixlist.txt file twice.  I had my computer in safe mode the first time, as I was unable to bring up Windows regularly.  Unfortunately, I didn't save the fixlog.txt from the 1st run.

After I rebooted and was able to finally bring up regular Windows, I ran the fixlist.txt file again.  This time I DID save the fixlog.txt.

 

And, yes, I also have a 3 GB USB flash drive available.

Fixlog.txt


See if you can follow the instructions to run MBAR from the following link:

When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

Next,

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs: "FRST.txt" and "Addition.txt".


Thanks,

Kevin


Okay, Kevin, I downloaded the mbar.exe file and clicked on it, but nothing happened.  I read the article further and went to the article asking "what should I do if none of my security applications will run" and then followed the directions and downloaded the MBAR zip file and extracted the files.  I attempt to run the mbar.cmd as an administrator and get the following message: "there was a problem starting mbar.dll, mbar.dll is not a valid Win32 application"

So, unfortunately, I'm stuck at the moment.


Thanks for those logs and update, run the following and post the produced log...

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Let me see that log in your reply, we will probably have to run the next fix via the recovery environment...

fixlist.txt


Hiya danlboi

Thanks for that log, continue with the following:

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit

Download attached fixlist.txt file (end of reply) and save it to the flash drive. "Do not open that file"

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

If you are using Windows 8 or 10 consult How to use the Windows 8 or 10 System Recovery Environment Command Prompt Here: http://www.howtogeek.com/126016/three-ways-to-access-the-windows-8-boot-options-menu/ to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

Plug the flashdrive into the infected PC.

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Fix button.
  • It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

Next,

Boot back to Normal windows, see if MBAR will now run....

Post produced logs to your reply...

Thank you,

Kevin...

fixlist.txt


Thanks for those logs, yes couple of problems have returned....

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as: Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as: Always detect PUMs (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (I recommend "Desktop"), then attach it to your reply

     
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.

Next,

Run FRST one more time:

Type the following in the edit box after "Search:".

svchost.exe

Click Search Files button and post the log (Search.txt) it makes to your reply.

Let me see those logs in your reply....

Thanks,

Kevin

 

fixlist.txt


Thanks for those logs, looks like we still have problems..... "C:\Windows\system32\resbwohsvc.exe" => Could not move

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\I386\SVCHOST.EXE
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.

Thanks,

Kevin

 

 


I'm still awake just looking around and thought I'd do another FRST scan for the heck of it (not trying to tell you how to do your "job") and out of all I could see, there were only 2 areas showing the "dreaded" <==== ATTENTION, both near the bottom of the FRST.txt log...

 

"C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION"

 

"C:\Windows\system32\drivers\vshlosvy.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION"

 

Don't know if either of these are super important...just thought I'd share what I noticed.  :)

 

Good morning,

Mark

FRST.txt

Addition.txt


Hiya Mark,

I appreciate your replies, and also any information you feel may be important. Anyway, here is a brief explanation of our findings:

This file C:\Windows\system32\resbwohsvc.exe is the main problem, we cannot remove that file, even via the recovery environment...

This entry "C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION" I did see that in your initial set of logs, but was more concerned with the crux of the infection first...

We did manage to remove most of the infection as we progressed, problem is the unmovable file resbwohsvc.exe seems to replace and rename a driver (.sys) file at each boot after we have removed it....

Back to the missing SysWOW64 directory: you are probably aware that 64 bit versions of Windows still have certain 32 bit services to comply with programs/applications that need them...
So all 64 bit services are stored in and run from the System32 directory, and all 32 bit services run from the SysWOW64 directory.. Confusing! Windows always is....

When we did a search for svchost.exe I was looking for a reason why the SysWOW64 entry was gone; what we got was totally unexpected..... This is the log that was produced on your Windows 7 64 bit version...

 

================== Search Files: "svchost.exe" =============

C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009-07-13 17:19][2009-07-13 19:14] 000020992 _____ (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
[2009-07-13 17:31][2009-07-13 19:39] 000027136 _____ (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D [File is digitally signed]

C:\Windows\System32\svchost.exe
[2009-07-13 17:31][2009-07-13 19:39] 000027136 _____ (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D [File is digitally signed]

C:\I386\SVCHOST.EXE
[2003-07-25 22:24][2002-08-29 04:00] 000012800 _____ (Microsoft Corporation) 0F7D9C87B0CE1FA520473119752C6F79 [File not signed]


====== End of Search ======

Here is a log from a VM version of Windows 7 64 bit that I ran myself; note the differences.. Your version has no SysWOW64 directory entries. It has entries that were normally found in Windows XP.

================== Search Files: "svchost.exe" =============

C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.15063.0_none_d123dd2c727d3948\svchost.exe
[2017-03-18 20:58][2017-03-18 20:58] 000040904 _____ (Microsoft Corporation) 6BDB3091562E7DD2C877472286B6CC46 [File is digitally signed]

C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.15063.0_none_c6cf32da3e1c774d\svchost.exe
[2017-03-18 20:58][2017-03-18 20:58] 000047664 _____ (Microsoft Corporation) 3120B24060924F9B94182A1432B2D7F9 [File is digitally signed]

C:\Windows\SysWOW64\svchost.exe
[2017-03-18 20:58][2017-03-18 20:58] 000040904 _____ (Microsoft Corporation) 6BDB3091562E7DD2C877472286B6CC46 [File is digitally signed]

C:\Windows\System32\svchost.exe
[2017-03-18 20:58][2017-03-18 20:58] 000047664 _____ (Microsoft Corporation) 3120B24060924F9B94182A1432B2D7F9 [File is digitally signed]


====== End of Search ======

I`m asking for advice in our private forums, will get back asap...

Thanks,

Kevin

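The two "Search Files" logs Kevin compares above are easy to check mechanically. The following is an added example, not code from the thread, from FRST or from Malwarebytes: a small Python parser for FRST's search output that applies the checks this thread turns on (the empty-file MD5 that FRST flags as "0-byte MD5", unsigned binaries, copies living outside C:\Windows such as C:\I386, a missing SysWOW64 copy on 64-bit Windows, and a hash mismatch between the live System32/SysWOW64 copy and its WinSxS component-store copy). The sample input is built from the thread's own log lines plus one constructed 0-byte entry under C:\Windows\Temp; the mapping of amd64_ and wow64_ WinSxS components to System32 and SysWOW64 is taken from the clean VM log above and is assumed to hold generally.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# MD5 of zero bytes. FRST labels an entry carrying this hash "(0-byte MD5)":
# the file exists but is empty, a red flag for anything loaded as a driver or service.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # D41D8CD98F00B204E9800998ECF8427E

HEADER_RE = re.compile(r'Search Files:\s*"(?P<name>[^"]+)"')
# Detail line as FRST prints it under each path:
# [created][modified] size attrs (Company) MD5 [signature status]
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]*)\]\[(?P<modified>[^\]]*)\]\s+"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+"
    r"(?:\((?P<company>[^)]*)\)\s+)?"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"\[(?P<sig>[^\]]+)\]"
)
# WinSxS component prefix -> live directory whose copy it should match (assumption, see lead-in)
WINSXS_ARCH = {"amd64_": "system32", "wow64_": "syswow64"}


@dataclass
class Entry:
    path: str
    size: int
    company: Optional[str]
    md5: str
    signed: bool


def parse_search_log(text: str) -> Tuple[Optional[str], List[Entry]]:
    """Return (searched file name, entries) from an FRST 'Search Files' log."""
    name, entries = None, []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        h = HEADER_RE.search(line)
        if h:
            name = h["name"]
            continue
        if not line or line.startswith(("=", "[")) or i + 1 >= len(lines):
            continue
        m = DETAIL_RE.match(lines[i + 1])  # a path line is followed by its detail line
        if m:
            entries.append(Entry(path=line, size=int(m["size"]), company=m["company"],
                                 md5=m["md5"].upper(),
                                 signed=m["sig"].lower().startswith("file is digitally signed")))
    return name, entries


def triage(name: str, entries: List[Entry], expect_wow64: bool = True) -> List[str]:
    """Apply the thread's checks; each finding is a lead to investigate, not a verdict."""
    findings: List[str] = []
    by_path: Dict[str, Entry] = {e.path.lower(): e for e in entries}
    live = {d: by_path.get("c:\\windows\\" + d + "\\" + name.lower()) for d in ("system32", "syswow64")}
    for e in entries:
        if e.md5 == EMPTY_MD5:
            findings.append(f"0-byte file: {e.path}")
        if not e.signed:
            findings.append(f"unsigned: {e.path}")
        if not e.path.lower().startswith("c:\\windows\\"):
            findings.append(f"outside C:\\Windows: {e.path}")
        # Cross-check a component-store copy against the live copy of the same architecture.
        for prefix, live_dir in WINSXS_ARCH.items():
            live_copy = live[live_dir]
            if "\\winsxs\\" + prefix in e.path.lower() and live_copy and live_copy.md5 != e.md5:
                findings.append(f"hash mismatch: {live_copy.path} vs {e.path}")
    if expect_wow64 and live["syswow64"] is None:
        findings.append(f"missing live copy: C:\\Windows\\SysWOW64\\{name}")
    return findings


# Constructed sample: the thread's Windows 7 log plus one made-up 0-byte entry (last block).
USER_LOG = r"""
================== Search Files: "svchost.exe" =============

C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009-07-13 17:19][2009-07-13 19:14] 000020992 _____ (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
[2009-07-13 17:31][2009-07-13 19:39] 000027136 _____ (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D [File is digitally signed]

C:\Windows\System32\svchost.exe
[2009-07-13 17:31][2009-07-13 19:39] 000027136 _____ (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D [File is digitally signed]

C:\I386\SVCHOST.EXE
[2003-07-25 22:24][2002-08-29 04:00] 000012800 _____ (Microsoft Corporation) 0F7D9C87B0CE1FA520473119752C6F79 [File not signed]

C:\Windows\Temp\svchost.exe
[2017-01-01 00:00][2017-01-01 00:00] 000000000 _____ D41D8CD98F00B204E9800998ECF8427E [File not signed]

====== End of Search ======
"""

# Constructed sample: the clean VM log from the thread.
CLEAN_LOG = r"""
================== Search Files: "svchost.exe" =============

C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.15063.0_none_d123dd2c727d3948\svchost.exe
[2017-03-18 20:58][2017-03-18 20:58] 000040904 _____ (Microsoft Corporation) 6BDB3091562E7DD2C877472286B6CC46 [File is digitally signed]

C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.15063.0_none_c6cf32da3e1c774d\svchost.exe
[2017-03-18 20:58][2017-03-18 20:58] 000047664 _____ (Microsoft Corporation) 3120B24060924F9B94182A1432B2D7F9 [File is digitally signed]

C:\Windows\SysWOW64\svchost.exe
[2017-03-18 20:58][2017-03-18 20:58] 000040904 _____ (Microsoft Corporation) 6BDB3091562E7DD2C877472286B6CC46 [File is digitally signed]

C:\Windows\System32\svchost.exe
[2017-03-18 20:58][2017-03-18 20:58] 000047664 _____ (Microsoft Corporation) 3120B24060924F9B94182A1432B2D7F9 [File is digitally signed]

====== End of Search ======
"""


def run() -> Dict[str, List[str]]:
    """Triage both sample logs; the clean VM log should yield no findings."""
    return {label: triage(*parse_search_log(log)) for label, log in
            (("thread log", USER_LOG), ("clean VM log", CLEAN_LOG))}


if __name__ == "__main__":
    for label, found in run().items():
        print(label, "->", found or "no findings")
```

The thread log produces five leads (the unsigned copy outside C:\Windows, the constructed empty file twice, and the missing SysWOW64 copy) while the VM log produces none, which is exactly the difference Kevin points out. A finding only says where to look next; the C:\I386 copy, for instance, is what the thread sends to VirusTotal rather than deleting outright.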

Kevin,

Huh...that's weird.

Well, the main reason that I'm not running around like a chicken with my head cut off is that even through all of this trying to eradicate the "bad stuff", my computer is working pretty well.

So, I appreciate your time and patience, and just letting you know that I'm not worried at this point.

Hopefully, we'll get everything pretty much back to normal, but in due time.

 

Mark


Howdy, Kevin

Attached is the latest Fixlog.txt

And, in answer to your question, this computer was bought brand new with Windows 7 already installed.  It's been a little over 7 years ago...I can't even begin to tell you where the original Windows 7 disk might be. (or if it even came with one when I initially purchased the computer)

Maybe my attempts at trying to eradicate the stupid virus/malware before finally reaching out to this community messed some of those needed files up.

Fixlog.txt


Hiya Mark,

The ability to run MBAR unhindered and returning clean logs confirms the smartservice infection is now off your system.... Why you have XP files/folders is very odd; I'd asked for help from Malwarebytes gurus, hence the question about a system upgrade....

Before cleaning up and removing tools I want you to run Windows System File Checker to replace any missing or corrupt system files; full instructions are at the following link:

http://www.thewindowsclub.com/how-to-run-system-file-checker-analyze-its-logs-in-windows-7-vista

Unless you have any remaining issues or concerns continue with the following:

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 

 
