FaTone

Infected computer not allowing me to run restore points or chkdsk


Hi,

I have been trying to clean my computer after I clicked on a file I downloaded from a website which was supposed to update a program, but it didn't. After it ran, a bunch of weird things started happening and I promptly started trying to clean it up by stopping suspect processes/services and deleting newly created files. I did get some of the weird behavior to stop and don't see any malware errors when I run a Threat Scan with Malwarebytes. The first time I ran the Threat Scan, there were 20 malware detections and I quarantined and then deleted them all.

I also ran FRST64 and see some weird services/drivers listed, even in the whitelisted area as shown below.

===================== Drivers (Whitelisted) ======================
U4 gwhkbvs; system32\drivers\cohruxbe.sys

S4 4275621E; system32\drivers\4275621E.sys [X]
 

FYI, I have deleted the below items a few times by going into the Recovery Console, going to the command prompt and then deleting the files and directory, but they still keep coming back.

At this point, I am asking for assistance from the experts to get a clean system and to get rid of these infected hidden files permanently.  

FYI, I attached the logs from MalwareBytes scan and FRST64 scan (FRST.txt  and Addition.txt).  I also ran Avast Free Antivirus software and it didn't find any viruses or malware.

 

Thanks in advance for the assistance!

 

Addition.txt

FRST.txt

malwarebytesScanLog.txt

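An added example, not part of the original thread: a small Python checker that parses FRST "Drivers (Whitelisted)" lines like the two quoted above and flags the traits that make such entries stand out to a responder (service name not matching the file name, an 8-hex-digit name, no size/date/company info, or the [X] missing-file marker). The sample input is constructed here from the two quoted lines plus two ordinary-looking entries added for contrast; the exact spacing of real FRST output may differ.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two lines the poster quoted, plus two hypothetical
# normal-looking entries (not from the log) so the checker has a baseline.
SAMPLE_FRST = """\
===================== Drivers (Whitelisted) ======================
U4 gwhkbvs; system32\\drivers\\cohruxbe.sys
S4 4275621E; system32\\drivers\\4275621E.sys [X]
R3 nvlddmkm; C:\\Windows\\system32\\DRIVERS\\nvlddmkm.sys [12345678 2017-01-01] (NVIDIA Corporation)
S3 usbccgp; C:\\Windows\\system32\\drivers\\usbccgp.sys [99840 2009-07-14] (Microsoft Corporation)
"""

# "<state> <service>; <path>.sys <optional [size date] (Company) or [X]>"
DRIVER_LINE = re.compile(
    r"^(?P<state>[URS]\d)\s+(?P<service>[^;]+);\s*(?P<path>.+?\.sys)\s*(?P<rest>.*)$",
    re.IGNORECASE,
)
HEX_NAME = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)


@dataclass
class DriverEntry:
    state: str
    service: str
    path: str
    rest: str
    flags: list = field(default_factory=list)


def analyse_driver_line(line):
    """Parse one FRST driver line; return a DriverEntry or None if it is not one."""
    m = DRIVER_LINE.match(line.strip())
    if not m:
        return None
    state, service, path, rest = (m.group(k).strip() for k in ("state", "service", "path", "rest"))
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1][:-4]  # file name without ".sys"
    entry = DriverEntry(state, service, path, rest)
    if "[X]" in rest:
        entry.flags.append("file_missing")      # service points at a file that is gone
    elif "(" not in rest:
        entry.flags.append("no_file_info")      # present but no size/date/company block
    if service.lower() != stem.lower():
        entry.flags.append("name_mismatch")     # legit drivers usually share the name
    if HEX_NAME.match(service) or HEX_NAME.match(stem):
        entry.flags.append("hex_name")          # e.g. 4275621E, a generated-looking name
    return entry


def suspicious_drivers(frst_text):
    """Return only the driver entries that raised at least one flag."""
    entries = (analyse_driver_line(l) for l in frst_text.splitlines())
    return [e for e in entries if e is not None and e.flags]


if __name__ == "__main__":
    for e in suspicious_drivers(SAMPLE_FRST):
        print(f"{e.state} {e.service} -> {e.path}: {', '.join(e.flags)}")
```

The flags are triage hints for the log reviewer, not a verdict; a flagged entry is what you would hand to a helper like the one in this thread.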

Hello FaTone and welcome to Malwarebytes,

What you describe is more than likely a smartservice infection. Do the following and post the produced log:

Also, launch FRST, and copy/paste the following inside the text area. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.


Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
End::

 

Also, do you have access to another PC and a USB flash drive larger than 4GB?

Thank you,

Kevin...


Thanks for that log. Yes, I've just helped someone with a smartservice infection on a Windows PC who used a MacBook to download FRST and the fixlist and save them to a flash drive....

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Make sure to get the correct version for your system, 32-bit or 64-bit...

Download and save to the same flash drive the attached file "fixlist.txt" (end of reply). Do not plug the flash drive into the sick PC until it is booted to the Recovery Environment...

Next,

You already know how to boot the sick PC to recovery mode; please do that and progress to the Command Prompt...

  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close Notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version, then press Enter. Note: replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Fix button.
  • It will make a log (fixlist.txt) on the flash drive. Please copy and paste it to your reply.


Next,

Boot back to normal Windows and run FRST one more time. Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs....

In your reply attach or post fixlog.txt, FRST.txt and Addition.txt..

Thank you,

Kevin...

 

fixlist.txt


A couple of issues happened when I tried to follow the above instructions.

1. When I tried to go into the Recovery Console after reboot, I got the error "Windows failed to start. A recent hardware or software change might be the cause."

Status: 0xc000000f

Info: The boot selection failed because a required device is inaccessible.

It tells you to insert your Windows installation disc, restart the computer and then use "Repair your computer" from there. I was able to get to the Recovery Console from there and then followed your instructions.

I attached the fixlog which was created after running FRST64 from the USB Flash drive.

When I tried to restart Windows normally, I logged in, and now when I try to run FRST64.exe I just have the cursor with the spinning logo. Nothing happens, but I can click on the Start Menu and see my shortcuts and was even able to open an app like Notepad++. I couldn't get to the Task Manager.

 

Fixlog.txt


Can you boot your PC to a normal Desktop..? Can you open your browser... Is Task Manager the only problem?


The PC boots to a normal Desktop. I was able to open a browser and was able to open Task Manager initially. Once I clicked on the FRST64 program from my desktop, everything stopped working. So I did Ctrl+Alt+Del, told the computer to restart, and it did, and then it went into Safe Mode with Networking. I ran FRST64 from Safe Mode and the results are attached.

 

I still see that driver 4275621E in the ADDITIONS.TXT and C:\Windows\system32\Drivers\iaknqtxa.sys in FRST.txt

Addition.txt

FRST.txt


Hiya FaTone,

Run the following whilst I check these logs you've attached...

Download PowerTool and save it to your Desktop, making sure to get the correct version:

PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh

PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx

Please follow the instructions below:

Right click on PowerTool and select "Run as Administrator".

Windows 8/8.1/10 users may see a SmartScreen prompt; if so, select "More Info".

In the next window select "Run Anyway".

Initially click on the square image to enlarge the window to full screen (as shown in the image below).
Now click on the Kernel tab (No. 1 on the image below).
Then click on Kernel Notify Routine (No. 2 on the image below).
Also click on Path so you sort the list by name (No. 3 on the image below).

Right click anywhere on the listed items under Path (No. 4 on the image above) and select Export.

Save the exported file to your Desktop, zip up that file and attach it to your reply....

Thank you,

Kevin.


It's not running in normal mode, and when I tried to run it in Safe Mode as an administrator, it then prompts me saying certain things were not loaded, run as an administrator. I did run it as an administrator.


I half expected that. smartservice is a nasty infection; it does have protective rootkits that stop tools from running and may even replace files we remove... Stay in Safe Mode with Networking and try the following:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. Do not open that file when running the FRST fix.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

 

fixlist.txt


Well, the bad driver was moved that time.... Boot to normal mode and run the following:

Open Malwarebytes Anti-Malware.

  • On the Settings tab > Protection, scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives

  • Scroll further to Potential Threat Protection and make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as: Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as: Always detect PUMs (recommended)

  • Click on Scan and make sure Threat Scan is selected.
  • A Threat Scan will begin.
  • When the scan is complete, if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected tab.
  • If asked to restart your computer to complete the removal, please do so.
  • When complete, click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:

  • Click on the Reports tab from the main interface.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export. From Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply.
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply.

  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.

Thanks,

Kevin


When I try to start the Anti-Rootkit, I get a dialog box from Malwarebytes that says "Malwarebytes is unable to load the Anti-Rootkit DDA Driver. This error may be due to rootkit activity. We recommend rebooting so Malwarebytes can attempt to install the driver. Do you want to reboot now? Yes or No."

Should I do the reboot?


I ran the Malwarebytes Anti-Rootkit process and it didn't report any malware, but a suspicious file, which is a file I know isn't infected; it is a data file for an automotive program. It said it will need to reboot to complete the process and I did that, but now I cannot go back into Malwarebytes to get results. Also, there is a process called nvvsvc.exe in the Windows Task Manager and when I try to end the process it says 'Access is denied'. I believe this is the process stopping me from running Malwarebytes, PowerTool and FRST64.

What should I do now?


I went into Safe Mode to get the report from the Malwarebytes scan. The results are below:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/12/17
Scan Time: 6:10 PM
Log File: a1aba4e0-df91-11e7-a58e-00ff5b286276.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3476
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: FLASH\smills

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 612874
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 2 hr, 28 min, 31 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Generic.Malware/Suspicious, C:\USERS\SMILLS\DESKTOP\ESYSPLUS2.8.ZIP, Quarantined, [0], [392686],1.0.3476

Physical Sector: 0
(No malicious items detected)


(end)


Hello FaTone,

nvvsvc.exe is a known video card driver by NVIDIA; have a read of the following link:

https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-25794.html

Download RogueKiller and save it on your desktop, making sure to download the correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA); click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/paste its content in your next reply.

Do not use the Remove Selected option until I've had a look at the log..

Thanks,

Kevin..


This thing took forever to run. The results are below:

RogueKiller V12.11.28.0 (x64) [Dec 11 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : smills [Administrator]
Started from : C:\Users\smills\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/13/2017 02:36:39 (Duration : 09:13:40)

¤¤¤ Processes : 1 ¤¤¤
[PUP.HackTool|VT.Detected] AutoKMS.exe(1460) -- C:\Windows\AutoKMS\AutoKMS.exe[-] -> Found

¤¤¤ Registry : 16 ¤¤¤
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Found
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{E86236DE-9BD2-42b7-86F6-A829D8EC768C} (C:\Users\smills\AppData\Local\DIRECTV Player\win64\npPlayerPlugin64.dll) -> Found
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Found
[PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F9B35118-A546-432D-9E27-9DC8DBCD128E} | NameServer : 10.24.16.45,10.68.100.13 ([][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F9B35118-A546-432D-9E27-9DC8DBCD128E} | NameServer : 10.24.16.45,10.68.100.13 ([][])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {725EE339-FA8E-415A-B00C-F722DBDA4BC7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\smills\AppData\Local\Programs\Fiddler\Fiddler.exe|Name=FiddlerProxy|Desc=Permit inbound connections to Fiddler|Defer=User| [7] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {725EE339-FA8E-415A-B00C-F722DBDA4BC7} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\smills\AppData\Local\Programs\Fiddler\Fiddler.exe|Name=FiddlerProxy|Desc=Permit inbound connections to Fiddler|Defer=User| [7] -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowDownloads : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1139965613-3398555138-2291953773-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-12132017023456400\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[PUP.HackTool|VT.Detected] \AutoKMS -- C:\Windows\AutoKMS\AutoKMS.exe -> Found

¤¤¤ Files : 4 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\Partner -> Found
[PUP.HackTool][Folder] C:\Windows\AutoKMS -> Found
[PUP.uTorrentAds][File] C:\Users\smills\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
[PUP.Gen1][Folder] C:\ProgramData\Partner -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[PUP.Gen2][Firefox:Addon] wz1ox6y2.default : Amazon Assistant for Firefox [abb@amazon.com] -> Found
[PUP.Gen0][Chrome:Addon] Default : JSONView [chklaanhfefbnpoihckbnefhakgolnmc] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [https://webmd.okta.com] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS725050A9A360 +++++
--- User ---
[MBR] db89b7c60f30281ca2303db91f8cb6f3
[BSP] cd04164ecd9b320d630b54c6990d9a36 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10297 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 21090304 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 21295104 | Size: 466541 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


What is the current status of your PC? Is it responding as expected, or is there any odd or erratic behavior? The RK log is not showing anything major... apart from AutoKMS; that software has been known to be used to infect with the smartservice infection....


AutoKMS has been running for some years, but this infection just started on 12/5/17. Can I delete all the other registry entries that RogueKiller found?
