FaTone Posted December 12, 2017 ID:1190963
Hi, I have been trying to clean my computer after I clicked on a file I downloaded from a website which was supposed to update a program, but it didn't. After it ran, a bunch of weird things started happening and I promptly started trying to clean it up by stopping suspect processes/services and deleting newly created files. I did get some of the weird behavior to stop and don't see any malware errors when I run a threat scan with MalwareBytes. The first time I ran the threat scan, there were 20 malwares and I quarantined and then deleted them all. I also ran FRST64 and see some weird services/drivers listed, even in the whitelisted area as shown below.

===================== Drivers (Whitelisted) ======================
U4 gwhkbvs; system32\drivers\cohruxbe.sys
S4 4275621E; system32\drivers\4275621E.sys [X]

FYI, I have deleted the below items a few times by going into the recovery console and going to the command prompt and then deleting the files and directory, but they still keep coming back. At this point, I am asking for assistance from the experts to get a clean system and to get rid of these infected hidden files permanently. FYI, I attached the logs from the MalwareBytes scan and FRST64 scan (FRST.txt and Addition.txt). I also ran Avast Free Antivirus software and it didn't find any viruses or malware. Thanks in advance for the assistance!

Addition.txt FRST.txt malwarebytesScanLog.txt
kevinf80 Posted December 12, 2017 ID:1191096
Hello FaTone and welcome to Malwarebytes,

What you describe is more than likely a smartservice infection. Do the following and post the produced log:

Launch FRST, and copy/paste the following inside the text area. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
End::

Also, do you have access to another PC and a USB flash drive > 4GB?

Thank you,
Kevin...
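The fix above ends with a plain `dir /a:-d /o:d` of the drivers folder so the helper can eyeball recently written driver files. The script below is an added example, not from this thread, from FRST or from any tool mentioned here; it assumes Windows PowerShell run as administrator on the affected machine. It produces the same date-ordered listing and adds the two checks a responder looks for next: Authenticode status, and whether the service name in the registry matches the file it loads (the thread's "gwhkbvs; system32\drivers\cohruxbe.sys" pattern). It only reads and reports; the output file name is a placeholder choice.

```powershell
# Added triage example (not from the thread or from FRST). Read-only; run as admin.
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Map each *.sys file name (lower-case) to the service entries that load it.
$owners = @{}
Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { return }
    # Pull just the driver file name out of forms like
    # system32\drivers\x.sys, \SystemRoot\system32\drivers\x.sys or \??\C:\...\x.sys
    if ($props.ImagePath -notmatch '([^\\/"\s]+\.sys)') { return }
    $leaf = $matches[1].ToLower()
    if (-not $owners.ContainsKey($leaf)) { $owners[$leaf] = @() }
    $owners[$leaf] += [pscustomobject]@{
        Name  = $_.PSChildName
        Type  = $props.Type    # 1 = kernel driver, 2 = file system driver
        Start = $props.Start
    }
}

$report = Get-ChildItem $driverDir -File -Filter '*.sys' |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature $_.FullName
        $svc   = $owners[$_.Name.ToLower()]
        $flags = @()
        if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
        # Vendor drivers almost always register a service named after the file;
        # a kernel driver loaded under an unrelated name is worth a second look.
        foreach ($s in $svc) {
            if (($s.Type -eq 1 -or $s.Type -eq 2) -and
                $s.Name.ToLower() -ne $_.BaseName.ToLower()) {
                $flags += "name-mismatch:$($s.Name)"
            }
        }
        # Eight random letters or a hex-only name (as in this thread) is a soft signal.
        if ($_.BaseName -match '^[a-z]{8}$' -or $_.BaseName -match '^[0-9A-Fa-f]{8}$') {
            $flags += 'random-name'
        }
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        [pscustomobject]@{
            LastWrite = $_.LastWriteTime
            File      = $_.Name
            Signer    = $signer
            Services  = ($svc | ForEach-Object { $_.Name }) -join ','
            Flags     = $flags -join ' '
        }
    }

# Newest files first, the same order the dir /o:d step gives in reverse;
# flagged rows are what a helper would ask about. Nothing is removed.
$report | Select-Object -First 40 | Format-Table -AutoSize
$report | Where-Object { $_.Flags } |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'Desktop\driver-triage.csv')
```

A rootkit that filters directory listings can hide its file from this script just as it can from dir, so an empty result from a live system is weaker evidence than the same listing taken from the Recovery Environment.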
FaTone Posted December 12, 2017 Author ID:1191104
I attached the fixlog.txt. I do have a USB flash drive > 4GB, but not another PC. I do have access to a Macbook Pro laptop.

fixlog.txt
kevinf80 Posted December 12, 2017 ID:1191114
Thanks for that log. Yes, I've just helped someone with a smartservice infection on a Windows PC who used a Macbook to d/l FRST and the fixlist and save them to a flash drive....

Please download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit...

Download and save to the same flash drive the attached file "fixlist.txt" (end of reply).

Do not plug the flash drive into the sick PC until booted to the Recovery Environment...

Next,

You already know how to boot the sick PC to recovery mode; please do that and progress to the Command Prompt...

In the command window type in notepad and press Enter. The notepad opens. Under the File menu select Open. Select "Computer" and find your flash drive letter and close the notepad.

In the command window type e:\frst64 or e:\frst depending on your version. Press Enter.
Note: Replace letter e with the drive letter of your flash drive.

The tool will start to run. When the tool opens click Yes to disclaimer. Press Fix button. It will make a log (fixlist.txt) on the flash drive. Please copy and paste it to your reply.

Next,

Boot back to normal Windows. Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select scan; when done post the new logs....

In your reply attach or post fixlog.txt, FRST.txt and Addition.txt..

Thank you,
Kevin...

fixlist.txt
FaTone Posted December 12, 2017 Author ID:1191160
A couple of issues happened when I tried to follow the above instructions.

1. When I tried to go into the Recovery console after reboot, I got the error "Windows failed to start. A recent hardware or software change might be the cause." Status: 0xc000000f Info: The boot selection failed because a required device is inaccessible. It tells you to insert your Windows installation disc and restart the computer and then use "Repair your computer" from there. I was able to get to the recovery console from there and then followed your instructions. I attached the fixlog which was created after running FRST64 from the USB flash drive.

2. When I tried to restart Windows normally, I logged in and now when I try to run FRST64.exe, I just have the cursor with the spinning logo. Nothing happens, but I can click on the Start Menu and see my shortcuts and was even able to open an app like notepad++. I couldn't get to the task manager.

Fixlog.txt
kevinf80 Posted December 12, 2017 ID:1191169
Can you boot your PC to a normal Desktop..? Can you open your browser... Is task manager the only problem?
FaTone Posted December 12, 2017 Author ID:1191180
The PC boots to a normal Desktop? I was able to open a browser and was able to open task manager initially. Once I clicked on the FRST64 program from my desktop, everything stopped working. So I did CTRL ALT DEL and then told the computer to restart and it did and then went into Safe mode with networking. I ran FRST64 from safe mode and the results are attached. I still see that driver 4275621E in the ADDITIONS.TXT and C:\Windows\system32\Drivers\iaknqtxa.sys in FRST.txt

Addition.txt FRST.txt
kevinf80 Posted December 12, 2017 ID:1191182
Hiya FaTone,

Run the following whilst I check these logs you've attached...

Download PowerTool and save to your Desktop, ensure to get the correct version:
PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh
PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx

Please follow the instructions below:

Right click on PowerTool, select "Run as Administrator". Windows 8/8.1/10 users may see the following; if so select "More Info". In the next window select "Run Anyway".
Initially click on the sq image to enlarge the window to full screen (as shown in the image below).
Now click on the Kernel tab (No. 1 on the image below).
Then click on Kernel Notify Routine (No. 2 on the image below).
Also click on Path so you sort the list by name (No. 3 on the image below).
Right click anywhere on the listed items under Path (No. 4 on the image above) and select Export.
Save the exported file to your Desktop, zip up that file and attach to your reply....

Thank you,
Kevin.
FaTone Posted December 12, 2017 Author ID:1191183
Should I run this from my desktop or the USB flash drive?
kevinf80 Posted December 12, 2017 ID:1191184
Desktop please...
FaTone Posted December 12, 2017 Author ID:1191185
OK. Should I also go back to normal Windows or can I run it in safe mode?
kevinf80 Posted December 12, 2017 ID:1191188
Try normal first...
FaTone Posted December 12, 2017 Author ID:1191191
It's not running in normal mode, and when I tried to run it in safe mode as an administrator, it then prompts me saying certain things were not loaded, run as an administrator. I did run as an administrator.
kevinf80 Posted December 12, 2017 ID:1191192
I half expected that. smartservice is a nasty infection; it does have protective rootkits that do stop tools from running and may even replace files we remove...

Keep in Safe mode with NW and try the following:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

fixlist.txt
FaTone Posted December 12, 2017 Author ID:1191197
I am attaching the results. I am still in Safe mode.

fixlog.txt
kevinf80 Posted December 12, 2017 ID:1191200
Well, the bad driver was moved that time....

Boot to Normal mode and run the following:

Open Malwarebytes Anti-Malware.
On the Settings tab > Protection, scroll to and make sure the following are selected:
Scan for Rootkits
Scan within Archives
Scroll further to Potential Threat Protection and make sure the following are set as follows:
Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
Potentially Unwanted Modifications (PUM`s) set as :- Always detect PUM`s (recommended)

Click on the Scan tab, make sure Threat Scan is selected. A Threat Scan will begin.
When the scan is complete, if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected tab.
If asked to restart your computer to complete the removal, please do so.
When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
Wait for the prompt to restart the computer to appear, then click on Yes.
After the restart, once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:
Click on the Reports tab > from main interface.
Double click on the Scan log which shows the Date and time of the scan just performed.
Click Export > From export you have two options:
Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply.
Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply.
Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…

Thanks,
Kevin
FaTone Posted December 12, 2017 Author ID:1191204
When I try to start the Anti-Rootkit, I get a dialog box from Malwarebytes that says "Malwarebytes is unable to load the Anti-Rootkit DDA Driver. This error may be due to rootkit activity. We recommend rebooting so Malwarebytes can attempt to install the driver. Do you want to reboot now? Yes or No." Should I do the reboot?
kevinf80 Posted December 12, 2017 ID:1191205
Yes, go for the re-boot, see what happens...
FaTone Posted December 13, 2017 Author ID:1191245
I ran the Malwarebytes Anti-Rootkit process and it didn't report any malware, but a suspicious file, which is a file I know isn't infected; it is a data file for an automotive program. It said it will need to reboot to complete the process and I did that, but now I cannot go back into Malwarebytes to get the results. Also, there is a process called nvvsvc.exe in the Windows task manager and when I try to end the process it says 'Access is denied'. I believe this is the process stopping me from running Malwarebytes, PowerTools and FRST64. What should I do now?
FaTone Posted December 13, 2017 Author ID:1191247
I went into safe mode to get the report from the Malwarebytes scan. The results are below:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/12/17
Scan Time: 6:10 PM
Log File: a1aba4e0-df91-11e7-a58e-00ff5b286276.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3476
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: FLASH\smills

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 612874
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 2 hr, 28 min, 31 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Generic.Malware/Suspicious, C:\USERS\SMILLS\DESKTOP\ESYSPLUS2.8.ZIP, Quarantined, [0], [392686],1.0.3476

Physical Sector: 0
(No malicious items detected)

(end)
kevinf80 Posted December 13, 2017 ID:1191272
Hello FaTone,

nvvsvc.exe is a known video card driver by nVidia; have a read at the following link: https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-25794.html

Download RogueKiller and save it on your desktop, ensure to download the correct version..
RogueKiller (X86)
RogueKiller (x64)

Exit all running applications.
Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA); click on "Accept" to continue.
If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
Click "Start Scan" to begin the analysis. This may take some time.
Once the scan is complete, click the "Open TXT" button to display the scan report.
Copy/Paste its content in your next reply.

Do not use the Remove Selected option until I've had a look at the log..

Thanks,
Kevin..
FaTone Posted December 13, 2017 Author ID:1191372
This thing took forever to run. The results are below:

RogueKiller V12.11.28.0 (x64) [Dec 11 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : smills [Administrator]
Started from : C:\Users\smills\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/13/2017 02:36:39 (Duration : 09:13:40)

¤¤¤ Processes : 1 ¤¤¤
[PUP.HackTool|VT.Detected] AutoKMS.exe(1460) -- C:\Windows\AutoKMS\AutoKMS.exe[-] -> Found

¤¤¤ Registry : 16 ¤¤¤
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Found
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{E86236DE-9BD2-42b7-86F6-A829D8EC768C} (C:\Users\smills\AppData\Local\DIRECTV Player\win64\npPlayerPlugin64.dll) -> Found
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Found
[PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F9B35118-A546-432D-9E27-9DC8DBCD128E} | NameServer : 10.24.16.45,10.68.100.13 ([][]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F9B35118-A546-432D-9E27-9DC8DBCD128E} | NameServer : 10.24.16.45,10.68.100.13 ([][]) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {725EE339-FA8E-415A-B00C-F722DBDA4BC7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\smills\AppData\Local\Programs\Fiddler\Fiddler.exe|Name=FiddlerProxy|Desc=Permit inbound connections to Fiddler|Defer=User| [7] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {725EE339-FA8E-415A-B00C-F722DBDA4BC7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\smills\AppData\Local\Programs\Fiddler\Fiddler.exe|Name=FiddlerProxy|Desc=Permit inbound connections to Fiddler|Defer=User| [7] -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found

¤¤¤ Tasks : 1 ¤¤¤
[PUP.HackTool|VT.Detected] \AutoKMS -- C:\Windows\AutoKMS\AutoKMS.exe -> Found

¤¤¤ Files : 4 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\Partner -> Found
[PUP.HackTool][Folder] C:\Windows\AutoKMS -> Found
[PUP.uTorrentAds][File] C:\Users\smills\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
[PUP.Gen1][Folder] C:\ProgramData\Partner -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[PUP.Gen2][Firefox:Addon] wz1ox6y2.default : Amazon Assistant for Firefox [abb@amazon.com] -> Found
[PUP.Gen0][Chrome:Addon] Default : JSONView [chklaanhfefbnpoihckbnefhakgolnmc] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [https://webmd.okta.com] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS725050A9A360 +++++
--- User ---
[MBR] db89b7c60f30281ca2303db91f8cb6f3
[BSP] cd04164ecd9b320d630b54c6990d9a36 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10297 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 21090304 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 21295104 | Size: 466541 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
kevinf80 Posted December 13, 2017 ID:1191377
What is the current status of your PC? Is it responding as expected, is there any odd or erratic behavior? The RK log is not showing anything major... apart from AutoKMS; that software has been known to be used to infect with the smartservice infection....
FaTone Posted December 13, 2017 Author ID:1191410
AutoKMS has been running for some years, but this infection just started on 12/5/17. Can I delete all the other registry entries that RogueKiller found?
FaTone Posted December 13, 2017 Author ID:1191414
Also, I was able to run PowerTools x64 and am attaching the results.

notify.csv