
Have a virus infection


Hello,

I ran a fake installer and realized when my browser was hijacked that something was wrong.
 
Ran Microsoft Security Essentials (nothing), Microsoft Safety Scanner (nothing), system file checker (nothing), Malware Bytes (which found about 15 items) and then saw your post and ran Malware Bytes Anti-Rootkit (which found several items).
 
Had a bunch of 'Windows Process Manager (32 bit)' entries in Task Manager.  MB ARK fixed those.
I still have about 3 bad items in task manager.
 
Malware Bytes ARK after each reboot finds the same 4 items.  Says it cleans them and I reboot.  Then they show up again.
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\UDISKMGR (Rootkit.Agent)
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\UDISKMGR|ImagePath (Rootkit.Agent)
c:\users\mike\appdata\local\igfxmtc (Trojan.SmartService)
c:\users\mike\appdata\local\igfxmtc\igfxmtc.exe (Trojan.SmartService)
 
I can't delete the folder ~\Appdata\Local\igfxmtc.
Can't assign myself as owner, in security, says I do not have permission to view or edit the object's permissions.
I have access denied ending the task or deleting the files.
 
Safe mode will not work so I booted from a Win 10 USB install and used command prompt to delete the exe files:
c:\users\mike\appdata\local\igfxmtc (removed folder)
c:\users\mike\appdata\local\spembxr (removed folder)
c:\windows\system32\upcwlxrsvc.exe
 
When I delete them, upcwlxrsvc.exe is recreated at the time of login and igfxmtc.exe and spembxr.exe about two minutes later.  UGH.  So I am still missing something.
 
I downloaded Autoruns from MS and looked through the list.  Didn't find any of the files above.
I did find this registry entry, not sure if it is valid or not:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components 
C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install
 
Malware bytes is even running active protection, and it doesn't sense these at startup.
 
FRST log and addition files attached.
I see 2 items marked ATTENTION but I'm not sure how to remove them...
 
Thank you for the help.

Addition.txt

FRST.txt

mbar-log-2017-12-07 (18-21-35).txt

Edited by yellowdot
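The pattern in this post, a service ImagePath that points into a user's AppData folder and an Active Setup stub the poster was unsure about, is what a defender looks for when reviewing autostart locations. This is an added example, not code from the thread or from any of the tools mentioned; the records are constructed to resemble the entries reported above, and the two heuristics (target in a user-writable directory, rundll32 loading a DLL from outside the Windows directory) are assumptions chosen for illustration.

```python
import re

# Constructed autostart records modelled on the entries reported in this thread
# (a service ImagePath and an Active Setup StubPath); values are illustrative.
AUTOSTARTS = [
    {"source": r"HKLM\SYSTEM\CurrentControlSet\Services\UDISKMGR", "value": "ImagePath",
     "command": r"C:\Users\mike\AppData\Local\igfxmtc\igfxmtc.exe"},
    {"source": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{example-guid}",
     "value": "StubPath",
     "command": r"C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install"},
    {"source": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler", "value": "ImagePath",
     "command": r"C:\Windows\System32\spoolsv.exe"},
]

# Locations a standard user (and so a dropper running as that user) can write to.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
# rundll32 <dll>,<export>: the DLL argument is the code that really runs.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+)', re.I)
WINDIR = re.compile(r"[a-z]:\\windows\\", re.I)


def target_path(command):
    """Return the file an autostart command actually loads."""
    m = RUNDLL.search(command)
    if m:
        return m.group(1)
    m = re.match(r'\s*"?([^"]+?\.(?:exe|dll|sys))"?', command, re.I)
    return m.group(1) if m else command.strip()


def assess(entry):
    """Return the list of reasons this autostart entry deserves a closer look."""
    path = target_path(entry["command"])
    reasons = []
    if USER_WRITABLE.search(path):
        reasons.append("target lives in a user-writable profile/ProgramData directory")
    if RUNDLL.search(entry["command"]) and not WINDIR.match(path):
        reasons.append("rundll32 stub loads a DLL from outside the Windows directory")
    return reasons


def scan(entries):
    """Return only the entries with findings, each with its reasons attached."""
    findings = []
    for e in entries:
        reasons = assess(e)
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(AUTOSTARTS):
        print(f["source"], f["value"], "->", target_path(f["command"]))
        for r in f["reasons"]:
            print("   ", r)
```

On the constructed records only the UDISKMGR service is flagged; the Active Setup stub passes both checks because its DLL sits under the Windows directory, which is why such an entry needs a signature check rather than a path check.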

According to this thread it looks like I have a nasty "smartservice" infection so I will wait for help with a FRST removal list.

I have a Win 10 USB drive that allows me to boot into recovery to reach the cmd prompt to execute.  I have another computer that is a Mac that I am able to use to set up the fixlist.txt file and add a fresh download of FRST64.exe.

Edited by yellowdot

Hello yellowdot and welcome to Malwarebytes,

See if you can do the following:

Launch FRST and copy/paste the following inside the text area. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop or in the folder you've run FRST from. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
End::

Thanks,

Kevin


Download latest version of FRST64 from here: https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/  Save to your Flashdrive, also D/L and add to same Flashdrive the attached file fixlist.txt

Both of those actions must not be done on the sick PC, they must be done on a spare PC... Also wait until the Recovery Environment is open before plugging in the flash drive.

Boot sick PC to the Recovery Environment, follow options you are aware of and navigate to Command Prompt...

At the prompt continue with the following:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" or "My PC" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter
  • Note: Replace letter E with the drive letter of your flash drive. <<<----very important
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. You will need to boot back to Normal windows to post the log, or if applicable do that action from a spare PC...
  • To boot back to windows, type exit at the prompt and hit enter
  • Please copy and paste or attach FRST log to your reply.

Thanks,

Kevin...

 

fixlist.txt


Ok, booted from the Win 10 flash drive, opened command prompt, ran frst64 by clicking Scan.  I did not do anything to load the fixlist.txt, although it is in the same folder as frst64 so I am guessing it does so automatically?

FRST.txt from the run attached.

I did not boot the computer back into Windows -- I turned it off after your instructions as I did not want to risk the virus spreading again.  Let me know if we need to run another fix or I can boot it to Windows?

FRST.txt

Edited by yellowdot

I looked at FRST.txt in the previous post and saw the same recent files as before, and files you listed in the fixlist.txt.  So, I think I was supposed to select Fix instead of Scan?  I re-booted to recovery cmd prompt, opened FRST64 and clicked Fix.  Attaching fixlog.txt.

I then ran scan again, attaching FRST.txt.  Now I don't see directories such as spembxr in the recent files.

Did not boot into windows.  Awaiting next steps from you.

Fixlog.txt

FRST.txt

Edited by yellowdot

Yes apologies I picked up the wrong c/r it should have been FIX as you stated.... D/L and add to Flashdrive the attached file fixlist.txt

Wait until Recovery Environment is open before plugging in the Flash drive

Boot sick PC to the Recovery Environment, follow options you are aware of and navigate to Command Prompt...

At the prompt continue with the following:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" or "My PC" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter
  • Note: Replace letter E with the drive letter of your flash drive. <<<----very important
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Fix button.
  • It will make a log (fixlist.txt) on the flash drive. You will need to boot back to Normal windows to post the log, or if applicable do that action from a spare PC...
  • To boot back to windows, type exit at the prompt and hit enter
  • Please copy and paste or attach FRST log to your reply.

Next,

Boot back to Normal Windows and continue with the following:

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection, scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection and make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as :- Always detect PUMs (recommended)
     
  • Click on Scan, make sure Threat Scan is selected.
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs, also let me know if there are any remaining issues or concerns...

Thanks,

Kevin...

fixlist.txt


Hi Kevin,

Malwarebytes 3.3.1
Scan with rootkit and within archives enabled per instructions.
Log attached.  Only one PUP issue which I believe is tied to Google Chrome syncing?
The main viruses are gone!  I do not see them running in task manager.

AdwCleaner by Malwarebytes
No unwanted elements found!

Sophos Free Virus Removal Tool
No threats found.  Took about 3 hours to scan.

malwarebytes log.txt


Thanks for those log updates.. How is your PC responding in general, any odd or erratic behavior? I see Chrome is your default browser; yes, what you mention about the entry in the Malwarebytes log is related to sync. Also there was a problem with the startup URLs for Chrome, I would recommend a clean install of Chrome and removal of all synced data to stop a return of problems...

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

Next,

Open Chrome and sign into your account, open a new tab and type or copy paste chrome://settings/syncSetup hit enter...

In the new window that opens "Sync everything" will probably be selected, scroll down to and select "Manage synced data on Google Dashboard"

A new window will open, scroll down to and select "Reset Sync" that will clear synced data from Google Server...

Continue to next step to completely Uninstall Chrome....

Next.

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Install Google Chrome:

Next,

Import your Bookmarks... (instructions in the first step)

Next,

Install uBlock origin to Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
 
Let me know if you have any remaining issues or concerns, if none I guess we can clean up...
 
Thank you,
 
Kevin

Ok, I followed your instructions to delete the sync data, uninstall chrome, delete chrome folder, reinstall, and re-enable syncing.

Malwarebytes scan shows no threats.

The only lasting effect is that Microsoft Edge crashes when trying to launch, which was probably from the virus but I can't say 100%.  I don't need to fix that unless you have dealt with this before.


Hello yellowdot.

Regarding MS Edge maybe a reset will help, follow the instructions at this link:  http://www.thewindowsclub.com/reset-microsoft-edge-browser-to-default-settings-in-windows-10

If no other remaining issues or concerns clean up as follows:

Uninstall Sophos AV http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Unfortunately that is the only set of instructions I have found in any article, and it does not work to fix my issue.

To start, packageinstaller does not work in safe mode.  So I deleted the folder in safe mode and then ran the powershell command after restarting.  It recreates the folder but edge still immediately crashes.

 

Edit: Looking in event viewer, it is not actually launching from that location.  Also indicated where it is installing in powershell.  I wonder if I should delete the Edge folder in SystemApps and then try the installer?

Faulting application name: MicrosoftEdge.exe, version: 11.0.14393.1944, time stamp: 0x5a1fb49d
Faulting module name: eModel.dll, version: 11.0.14393.1944, time stamp: 0x5a1fb4de
Exception code: 0xc0000409
Fault offset: 0x00000000000d4810
Faulting process id: 0x1484
Faulting application start time: 0x01d3748a9d8cbff3
Faulting application path: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Faulting module path: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eModel.dll
Report Id: d7e02d63-f453-4a17-bcfa-253ef8c8a74c
Faulting package full name: Microsoft.MicrosoftEdge_38.14393.1066.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge

In this thread, a lot of people are saying "Trusteer Rapport AV" was the issue and uninstalling it fixed it, but I do not have that program.  Just Windows Defender and MalwareBytes.

https://social.technet.microsoft.com/Forums/windows/en-US/4af16a6b-00fb-452f-91dd-d384a4b0797a/microsoft-edge-crashes-on-windows-10-version-1703?forum=win10itprogeneral

 

powershell.JPG

normal boot.JPG

Edited by yellowdot
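The Event Viewer record quoted in the post above answers the question the poster raised: whether Edge is crashing in its own code or in something loaded into it. Below is an added example (not from the thread or from Microsoft) that parses such an Application Error record and classifies the faulting module by where it lives; the sample text is constructed to resemble the quoted entry, and the classification rules are assumptions for illustration.

```python
import ntpath
import re

# Constructed sample modelled on the Application Error (Event ID 1000) entry quoted
# above; illustrative values, not a real event record.
EVENT_TEXT = r"""Faulting application name: MicrosoftEdge.exe, version: 11.0.14393.1944, time stamp: 0x5a1fb49d
Faulting module name: eModel.dll, version: 11.0.14393.1944, time stamp: 0x5a1fb4de
Exception code: 0xc0000409
Fault offset: 0x00000000000d4810
Faulting application path: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Faulting module path: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eModel.dll
"""

# NTSTATUS raised by /GS stack-cookie failures and __fastfail(): the process aborts
# itself on purpose, so the useful question is which module tripped it.
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409
WINDIR = re.compile(r"[a-z]:\\windows\\", re.I)


def parse_event(text):
    """Flatten the 'key: value, key: value' lines of an Event 1000 record into a dict.
    Trailing segments inherit the line's scope, e.g. 'Faulting module version'."""
    record = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        segments = line.split(", ")
        head_key, head_val = segments[0].split(": ", 1)
        record[head_key] = head_val
        scope = head_key.rsplit(" ", 1)[0]  # 'Faulting module name' -> 'Faulting module'
        for seg in segments[1:]:
            key, val = seg.split(": ", 1)
            record[f"{scope} {key}"] = val
    return record


def triage(ev):
    """Classify where the faulting module came from relative to the crashing app."""
    app_dir = ntpath.dirname(ev["Faulting application path"]).lower()
    mod_dir = ntpath.dirname(ev["Faulting module path"]).lower()
    code = int(ev["Exception code"], 16)
    if mod_dir == app_dir or mod_dir.startswith(app_dir + "\\"):
        origin = "module ships with the faulting application"
    elif WINDIR.match(mod_dir):
        origin = "module is a Windows system component"
    else:
        origin = "module loaded from outside the app and Windows directories"
    return {"module": ev["Faulting module name"], "exception": code,
            "fast_fail": code == STATUS_STACK_BUFFER_OVERRUN, "origin": origin}


if __name__ == "__main__":
    print(triage(parse_event(EVENT_TEXT)))
```

A module outside both the application and Windows directories is the case the linked TechNet thread describes (a third-party DLL injected into the browser); a module that ships with the application, as in the sample, points at a damaged or mismatched package rather than an injected one.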

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

