
***Edit*** > Can you tell me how you are accessing the Recovery Environment? Are you using an installation DVD, Repair DVD or onboard access? If you are using a DVD, is it the 32 bit (X86) version...?

 

Run PowerTool one more time, again select the following as you did previously:

  • Kernel tab
  • Kernel Notify Routine
  • Path


From the list underneath Path, right click on each of the files shown in the attached image (coegknqt.sys) and select "Remove Notify". Confirm with Yes. One of them may be impossible to remove; just ignore that one.....

Next,

Go to the following link, follow the instructions and see if MBAR will now run:

 

notify2.JPG

Edited by kevinf80
added edit to query RE access.

15 hours ago, fueryin said:

 

I'm at work right now; I'll do all that when I get home. I'm accessing the recovery environment by restarting my computer: it asks me if I want to boot into Windows or press F8 for more options, then I press F10 and there's an option to boot into the recovery environment.


I queried the issue when trying to run FRST64.exe from the cmd prompt in RE; the only possibility returned was that a 32 bit version of Windows on an installation DVD had been used to access RE. When using the system access, that is 64 bit, so there is still something stopping tools from running that we are not finding...... See what happens with PowerTools and MBAR.

 


Thanks for the update. I've had some info from the FRST developer: both versions of FRST should be able to run from the Recovery Environment, that is FRST64.exe or FRST.exe. Maybe worthwhile trying both when I compile the next fix.... So if possible d/l both versions and save to a USB flash drive. You can delete any log files already present on the USB stick..

https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Can you run PowerTools one more time and post a fresh zip file.


OK, got it running in RE. What I did was download it on another computer, put it on a USB, boot my infected computer into RE, and only plugged the USB into my infected computer until I saw the command prompt. Tricky virus auto-corrupting files I download?

Anyways, PowerTools attached.

notify.7z

Edited by fueryin

Thanks for that update. I want you to d/l both versions of FRST and save them to the USB flash drive. As you are doing this on a clean PC, also d/l and save the attached file fixlist.txt to the same flash drive.... Try either version if one fails...

Do not plug the flash drive into the sick PC until you are in the Recovery Environment..... You are aware how to progress to the command prompt and run FRST; I'll post again from the command prompt...

Ensure to plug the flash drive into an open USB port, then continue with the following:

  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer" or "My PC" and find your flash drive letter, then close Notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter.
  • Note: Replace letter E with the drive letter of your flash drive. <<<---- very important
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Fix button.
  • It will make a log (Fixlog.txt) on the flash drive. You will need to boot back to Normal Windows to post the log, or if applicable do that action from a spare PC...
  • To boot back to Windows, type exit at the prompt and hit Enter.
  • Please copy and paste or attach the FRST log to your reply.

fixlist.txt

Edited by kevinf80
typing error

Thanks for that log, fingers crossed we've killed off our nemesis....

Continue with the following:

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection and make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as :- Always detect PUMs (recommended)
     
  • Click on Scan and make sure Threat Scan is selected.
  • A Threat Scan will begin.
  • When the scan is complete, if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected tab.
  • If asked to restart your computer to complete the removal, please do so.
  • When complete, click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab from the main interface.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export > from Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply

     
  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes.
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer; do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Microsoft's "Malicious Software Removal Tool" and save it direct to the desktop.

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select "Run as Administrator" and the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time....

Post those logs in your reply, also give an update on any remaining issues or concerns....

 

 

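Added example, not from the thread or from Microsoft: a PowerShell snippet that pulls only the most recent run out of mrt.log and puts it on the clipboard, ready to paste into a reply. It assumes each run in the log is bracketed by a "Started On" and a "Finished On" line and that summary lines read "No infection found." or begin with "Found"; Set-Clipboard needs PowerShell 5.0 or later.

```powershell
# Added example (not from the thread): pick the most recent MSRT run out of
# C:\Windows\debug\mrt.log so only that section is pasted into a reply.
# Assumption: each run starts with a line containing "Started On <date>" and ends
# with a line containing "Finished On <date>"; result lines read "No infection
# found." or begin with "Found" (treat both as assumptions about the layout).
function Get-MsrtRuns {
    param([string[]]$Lines)
    $runs = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match 'Started On\s+(.+)$') {
            # A new run begins; everything up to the next "Started On" belongs to it
            $current = [pscustomobject]@{
                Started  = $Matches[1].Trim()
                Finished = $null
                Results  = @()
                Text     = @()
            }
            $runs += $current
        }
        if ($null -eq $current) { continue }   # banner lines before the first run
        $current.Text += $line
        if ($line -match 'Finished On\s+(.+)$') {
            $current.Finished = $Matches[1].Trim()
        }
        elseif ($line -match '^(No infection found|Found )') {
            $current.Results += $line.Trim()
        }
    }
    return $runs
}

function Get-LatestMsrtRun {
    param([string]$LogPath = 'C:\Windows\debug\mrt.log')
    $runs = @(Get-MsrtRuns -Lines (Get-Content -Path $LogPath))
    if ($runs.Count -eq 0) { return $null }
    # Runs are appended chronologically, so the last block is the most recent
    return $runs[-1]
}

$latest = Get-LatestMsrtRun
if ($null -eq $latest) {
    Write-Warning 'No MSRT run found in mrt.log'
} else {
    "MSRT run started $($latest.Started), finished $($latest.Finished)"
    "Results: $(if ($latest.Results) { $latest.Results -join '; ' } else { 'none recorded' })"
    # Put the whole block on the clipboard, ready to paste into the reply
    ($latest.Text -join [Environment]::NewLine) | Set-Clipboard
}
```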

Ok, go for clean install of Malwarebytes...

Before you do this run Powertools and post fresh zip file....

Next,

Totally Remove Malwarebytes from your system:

Download the latest version of Malwarebytes cleanup tool from here: https://downloads.malwarebytes.com/file/mb_clean and save to your Desktop..

If applicable, backup your Malwarebytes license key information and deactivate the product.

Close all open applications and deactivate Malwarebytes <---- Very important, do not miss that step

To deactivate Malwarebytes:

Right click on the tray icon, from the opened list select "Quit Malwarebytes"; a UAC alert will open, select "Yes" to deactivate Malwarebytes...
 
  • Double-click mb-clean.exe to run it
  • A prompt to confirm the cleanup will appear, select Yes or No
  • Yes - will proceed with the cleanup process <---- Select this option to start the tool
  • No - will exit the utility
  • The Utility will launch a Command Prompt window which will disappear once the cleanup process completes.
  • Once completed, a log file ("mb-cleanresult.txt") will be on your desktop and you'll be prompted to reboot
  • We recommend an immediate reboot <--- Do Not miss out this step
  • Suppressing the reboot may result in an incomplete cleanup
  • Upon reboot Malwarebytes will be totally removed from your system


To re-install Malwarebytes:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/
 
  • Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....
  • When the install completes and is updated do the following:
  • Open Malwarebytes, select > "settings" > "protection tab"
  • Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....
  • Go back to "DashBoard" select the Blue "Scan Now" tab......



When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)", name that log and save it; you can copy or attach that to your reply...

Thanks,

Kevin....

 


OK, working on getting Malwarebytes running, attached PowerTools. What I found interesting is in my download folder, there is a kEvP64.sys that wasn't here before. I attached it here all zipped up if you'd like to take a look at it.

notify.7z

kEvP64.7z

Also want to add, Malwarebytes isn't running at all so it's not in the system tray or task manager. Tried searching through the MB install directory and couldn't find mb-clean.exe. Should I just do a normal uninstall of MB?

Edited by fueryin

That mystery file is from PowerTools, you can safely delete that. The log from PowerTools shows no hidden rootkit, looks like we may have put it to the sword...

Let me know what happens with Malwarebytes, it's 23:10 local time for me, I've got an early call tomorrow so will be offline in maybe 50 minutes..


Alright, I'll be running all the scans etc. Probably won't see you until tomorrow before it's done, just a quick question.

Since Malwarebytes didn't pick up anything the first time earlier today, would it be a smart idea to also scan my system with HitmanPro and Bitdefender and do another scan with FRST? As far as I know these are also very credible antiviruses.

Just want to make sure we nuked this thing.


If the infection was still onboard we would have seen it in the PowerTools log; I asked for that log several times because the rootkit would respawn and change its name at a reboot. It would seem the best way to kill off this new infection is to boot into the RE, create the flash drive with FRST and the fix file on another PC, and only plug that into the sick PC when the RE was active.... Normal or Safe mode Windows kills off our tools/fixes..

I'm up at about 06:00 tomorrow and will be online maybe 30 mins whilst I have my first two cups of coffee before I go out, I'll catch up then...

Thank you,

Kevin...

***EDIT*** - Yes forgot to add, run FRST and also post fresh logs...

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done post the new logs, "FRST.txt" and "Addition.txt".

 

Edited by kevinf80