Access Denied to Likely Infected Folders \\ Undetected Malware

[halp]

Hello! A few days ago my AV was disabled for a period of time while I was configuring an anti-cheat for a game.  I’d forgotten to turn it back on, and it appears I was infected in the meantime. I removed most of the malware, but (similar to another thread I see) I have not been able to remove these final pieces - the tagged files.

They are located in my Appdata folder (and  one in my System32), but I can’t delete them. I’ve tried every way listed on how to gain access short of booting to Linux. Malwarebytes, Avast, and Kaspersky all come up negative.

OS: Windows 7 Home Edition

Thank you so much in advance!

 

Edited November 25, 2017 by halp

[kevinf80]

Hello halp and welcome to Malwarebytes, Follow the instructions at this link and post the requested logs: https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ Thank you, Kevin

[halp]

Thank you Kevin,

 I've attached them below!

FRST.txt 

 

Addition.txt

[kevinf80]

Thanks for those logs halp, continue as follows..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.   On the Settings tab > Protection Scroll to and make sure the following are selected: Scan for Rootkits Scan within Archives   Scroll further to Potential Threat Protection make sure the following are set as follows: Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended) Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)   Click on the Scan make sure Threat Scan is selected, A Threat Scan will begin. When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab If asked to restart your computer to complete the removal, please do so When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard. Wait for the prompt to restart the computer to appear, then click on Yes. After the restart once you are back at your desktop, open MBAM once more to retrieve the log. To get the log from Malwarebytes do the following:   Click on the Reports tab > from main interface. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror   Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop Ensure to get the correct version for your system.... https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\mrt.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply, also tell me if there are any remaining issues or concerns... Thank you, Kevin

fixlist.txt

[halp]

Hi! It won't let me download fixlist. It saves it as an empty text document on my screen. I went through the motions anyway, just in case that's typical!

Additionally, the Windows program you had me download listed (while searching) 3 infected files - but then the logs said that no malicious software was detected. Hm.

All logs attached.

 

mrt.logFixlog.txtADWpaste.txtMWB Log.txt

[kevinf80]

Can you run Malwarebytes, second step of my last reply...?

[halp]

I did, wha? That’s the “MWB Log” above ?

[halp]

I re-ran it and attached it again, though MWBnew.txt

[kevinf80]

Hiya halp,

I could not get the Malwarebytes log to open, that is why I asked you run again and post fresh log... Another remaining issue is the FRST fix, that also needs to be run again to remove the infection. As you state the file can only be saved as an empty file we will try via recovery environment...

First download and save to a USB flash drive FRST, make sure to get correct version:

Please download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit... Download and save to the same Flash drive the attached file "fixlist.txt" (end of reply) Next, From your Desktop select the start Flag (bottom lefthand corner of screen) Hold down the "Shift key" of your keyboard, keep it down and select "Restart" Your PC should open to the "Choose an Option" window.... release shift key. From that window select "Troubleshoot" From the next window select "Advance Options" From that Window select "Command Prompt" Ensure to plug the flash drive into a USB port... You should now be in Recovery Environment with the Command Prompt Window open...... Continue with the following:   In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" or "My PC" and find your flash drive letter and close the notepad. In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive. <<<----vey important The tool will start to run. When the tool opens click Yes to disclaimer. Press FIX button. It will make a log (Fixlog.txt) on the flash drive. You will need to boot back to Normal windows to post the log, or if applicable do that action from a spare PC... To boot back to windows, type exit at the prompt and hit enter Please copy and paste or attach FRST log to your reply. Thanks, Kevin...

fixlist.txt

[halp]

Hi Kevin,

I have been travelling all day. I’ll get to this ASAP tomorrow! Thank you so much again!

[kevinf80]

Thanks for the update halp, catch up later....

Kevin...

[halp]

Hi Kevin,

 

Attached is the Fixlog.

 

Fixlog.txt

[kevinf80]

That log is from a second run, also the fix was ran from Safe Mode,  not the recovery environment. The fix obviously worked, which is interesting as the infection removed fixlist.txt contents last time... Also the log you posted is not complete, can you post again... Logs are saved here: C:\FRST\Logs

Go to the following link: 

Follow those instructions, post the two produced logs....

Thank you...

Kevin....

Edited November 29, 2017 by kevinf80
typing error

[halp]

Hi Kevin,

Sorry for the confusion - I use Windows 7, and the shift + restart didn’t do anything. That’s why I presumed it was the safe mode command prompt. Weird that it worked.

I’ll be home in 3 hours, and I’ll get you the additional logs then!

[kevinf80]

Thanks for the update halp, yes that was my mistake, I should have seen the OS was windows 7 and not 10... Lets wait and see if MBAR runs successfully, if not i`ll give you the correct instructions to access the Recovery Environment if needed....

Couple of questions, do you have a Windows 7 installation DVD, or a System Repair CD. A USB flashdrive 4GB or above..

Thank you,

Kevin...

[halp]

Hey Kevin,

I do not currently have any system recovery disks on hand.

The logs are attached below!

 

mbar-log-2017-11-30 (19-50-10).txt

system-log.txt

FRST_25-11-2017 17.40.40.txt

[kevinf80]

Do you have USB flashdrive....?

[halp]

I do have a USB flash drive, yes

[kevinf80]

Please download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit Download attached fixlist.txt file (end of reply) and save it to the Flashdrive. "Do not open that file" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. If you are using Vista or Windows 7 enter System Recovery Options. Plug the flashdrive into the infected PC. Enter System Recovery Options I give two methods, use whichever is convenient for you. To enter System Recovery Options from the Advanced Boot Options: Restart the computer. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears. Use the arrow keys to select the Repair your computer menu item. Select Your Country as the keyboard language settings, and then click Next. Select the operating system you want to repair, and then click Next. Select your user account an click Next. To enter System Recovery Options by using Windows installation disc: Insert the installation disc. Restart your computer. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings. Click Repair your computer. Select Your Country as the keyboard language settings, and then click Next. Select the operating system you want to repair, and then click Next. Select your user account and click Next. On the System Recovery Options menu you may get the following options: Startup Repair System Restore Windows Complete PC Restore Windows Memory Diagnostic Tool Command Prompt   Select Command Prompt In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" and find your flash drive letter and close the notepad. In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive. The tool will start to run. When the tool opens click Yes to disclaimer. Press Fix button. It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

fixlist.txt

[halp]

Thank you again Kevin,

Fixlog.txt

The log is attached!

 

[kevinf80]

I`m not sure we`ve killed of the current infection.... Run FRST again and post fresh logs...

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Next,

Download BSOD Inspector from here: https://github.com/blueelvis/BSOD-Inspector/releases/download/1.0.5/BSODInspector-1.0.5.exe Save that executable file to your Desktop, Right click direct on the file and Select "Run as Administrator" A black window will open and may flash, when complete a Zip file will be created on your Desktop, or if you ran the tool from another folder the zip file will save there, attach that to your reply...   Thanks, Kevin

 

 

[halp]

Hey Kevin,

Thank you so much for all of the support and help! I've attached the logs below

 

Fixlog.txt

X0TEK_PC_12_5_2017_7_46_17_PM.zip

[kevinf80]

Hiya halp,

You`ve posted "Fixlog.txt" that is a log from a fix done with FRST, I want to see logs from a scan.... I believe you have smartservice infection and more than likely the latest version. That version is very difficult to remove.  Do the following and post the produced logs...

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Next,

Download PowerTool and save to your Desktop, ensure to get the correct version: PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx Please follow the instructions below: Right click on PowerTool, Select "Run as Administrator" Windows 8/8.1/10 users may see the following, if so select "More Info" In the next Window select "Run Anyway" Initially click on sq image to enlarge window to full screen (As shown in the image below) Now click on Kernel tab (No. 1 on the image below) Then click on Kernel Notify Routine (No. 2 on the image below) Also click on Path so you sort the list by name (No. 3 on the image below) Right click anywhere on listed items under path (No. 4 on the image above) and select Export. Save exported file to your Desktop, zip up that file and attach to your reply.... Thank you, Kevin......

 

 

[halp]

Hey Kevin,

I wanted to say thank you for all of your help. Unfortunately, after my computer restarted the last time, it now refuses to start! It always fails the startup haha.

note: I can access the command prompt in system recovery mode, though. 

[kevinf80]

Hiya halp,

As you are aware you have smartservice infection, unfortunately it seems to be the latest version. This latest version is very ruthless when discovered,  it has protective options that can be well hidden and difficult to find.

Another big problem is it will stop tools we try to use from running, that does include in recovery environment if tools/options were created on the sick PC... Do you have access to a spare PC, if so what version of Windows is installed. eg Windows 7 64bit. etc etc... How are you accessing The Recovery Environment is it using the sick PC utilities, W7 installation DVD or W7 repair CD...

Thanks,

Kevin....