
I have a VERY powerful virus and need help



For the past 2 weeks I've been looking for help on removing this virus that I've obtained due to my stupidity. What this virus does is that an exe that has different names after resetting my computer every time will appear in task manager and in the system32 folder; at the moment, it's called wdesziusvc.exe. When I hover my cursor over it, it says TOSHIBA CORPORATION. After that appears, I won't be able to make restore points, download certain anti-viruses, or go into a recovery environment the normal way (I'd have to tap Shift + F8 upon start up). If wdesziusvc has internet access, it'll use my computer's resources to bring forth another exe called igfxmtc, which will run in task manager and have its own folder in the Appdata/Local folder which I cannot access nor delete. In the task manager, igfxmtc doesn't seem to do anything; idk what it's for, but after a few after that, wdesziusvc will use resources again to bring forth this thing called Windows Process Manager (32-bit) with multiple clients, which slows down my computer by A LOT and also has its own folder, wibxtrg. If I reset my computer to factory settings, you know, wipe everything, they all just come back with different names except for igfxmtc. I know all this stuff because of the 2 weeks I've had with this problem. Here are some pictures and a FRST and Addition txt attached.

If there's anyone willing to help me out it'll mean a lot to me.

1.) I do have a flash drive that's bigger than 4GB

2.) I do have access to a clean PC

igfxmtc.png

wdesziusvc.png

windows process manager.png

Addition.txt

FRST.txt

Edited by NateTheKingIV
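The symptoms in the post above (a randomly named service binary in System32 that displays a hardware vendor's name, and a folder under AppData\Local the user cannot open) can be triaged read-only before any removal tool is run. The script below is an added example written for this thread; it is not code from the poster, from Malwarebytes or from FRST. It assumes an elevated PowerShell prompt on the affected machine and a 30-day "recently created" window, which is a guess, not a rule.

```powershell
# Added example (not code from the thread or from FRST): a read-only triage pass for the
# pattern described in the post above: a randomly named service binary in System32 that
# carries vendor metadata it cannot back with a valid Authenticode signature, plus a
# folder under AppData\Local that the user cannot open. Run from an elevated PowerShell
# prompt on the machine being examined. The 30-day window is an assumption.

$system32 = Join-Path $env:SystemRoot 'System32'
$window   = (Get-Date).AddDays(-30)

# 1. Services whose executable lives in System32.
$findings = foreach ($svc in (Get-CimInstance -ClassName Win32_Service | Where-Object PathName)) {
    # Reduce the ImagePath to the executable: strip surrounding quotes and trailing arguments.
    # (An unquoted path containing spaces is left as-is and will simply fail Test-Path.)
    $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    if (-not $exe.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

    $file = Get-Item -LiteralPath $exe
    $sig  = Get-AuthenticodeSignature -FilePath $exe
    [pscustomobject]@{
        Service    = $svc.Name
        StartMode  = $svc.StartMode
        Company    = $file.VersionInfo.CompanyName   # what the file *claims* (e.g. a laptop vendor)
        SigStatus  = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Created    = $file.CreationTime
        Path       = $exe
        # A lead, not a verdict: claimed vendor with no valid signature, or a binary newer than the window.
        Suspicious = ($sig.Status -ne 'Valid') -or ($file.CreationTime -gt $window)
    }
}
$findings | Where-Object Suspicious | Sort-Object Created -Descending |
    Format-Table Service, StartMode, Company, SigStatus, Created, Path -AutoSize

# 2. Recently created folders under AppData\Local whose ACL cannot be read or that carry Deny entries.
Get-ChildItem -LiteralPath $env:LOCALAPPDATA -Directory -Force |
    Where-Object { $_.CreationTime -gt $window } |
    ForEach-Object {
        $folder = $_
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName
            [pscustomobject]@{
                Folder      = $folder.FullName
                Owner       = $acl.Owner
                DenyEntries = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
            }
        } catch {
            # Being denied even the right to read the ACL is itself the finding.
            [pscustomobject]@{ Folder = $folder.FullName; Owner = '<unreadable>'; DenyEntries = -1 }
        }
    } | Format-Table -AutoSize
```

Treat the two tables as a shortlist for the helper, not as a removal list: some legitimate Windows binaries are catalog-signed and can show NotSigned if the catalog lookup fails, so a NotSigned entry with a vendor name that does not match the signer (or no signer at all) is the combination worth reporting in the thread.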

Hi NateTheKingIV :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Launch FRST and copy/paste the following inside the text area. Once done, click on the Fix button. Afterwards, a file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
End::

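The fixlist above does two things: it re-enables the boot menu and the recovery environment in the BCD store (which the poster said could no longer be reached normally), and it collects the loaded minifilter instances plus a date-ordered listing of the drivers folder for review. The script below is an added example for this thread, not the fixlist and not FRST output; it reads the two BCD values back and produces the same kind of driver review with a signature column, so the reader can check the fix took and see what the helper is looking at. It assumes an elevated PowerShell prompt; the "25 newest drivers" cut-off is an arbitrary assumption.

```powershell
# Added example (not the fixlist above, and not FRST output): read back the two BCD values
# the fix sets, then review the same drivers folder the fix lists, newest first, with each
# file's signature status, and dump minifilter instances. Run from an elevated PowerShell
# prompt after the fix has been applied. The "25 newest drivers" cut-off is an assumption.

function Get-BcdElement {
    param([string]$Identifier, [string]$Element)
    # bcdedit prints text only; pull the element's value out of the /enum listing.
    $text = (bcdedit /enum $Identifier 2>$null) -join "`n"
    if ($text -match "(?m)^\s*$Element\s+(\S+)") { $Matches[1] } else { '<not set>' }
}

[pscustomobject]@{
    'bootmgr displaybootmenu' = Get-BcdElement -Identifier '{bootmgr}' -Element 'displaybootmenu'
    'default recoveryenabled' = Get-BcdElement -Identifier '{default}' -Element 'recoveryenabled'
} | Format-List
# Both should read Yes after the fix; recoveryenabled = No matches the symptom of the RE
# not being reachable the normal way.

# Newest files in the drivers folder with Authenticode status. Catalog-signed Microsoft
# drivers report Valid; an unsigned driver with a recent timestamp is the thing to explain.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
Get-ChildItem -LiteralPath $driversDir -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 25 |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Modified  = $_.LastWriteTime
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Format-Table -AutoSize

# Loaded minifilter instances, i.e. what 'fltmc instances' in the fix collects. A filter whose
# name matches none of the installed security products or Windows components deserves a look,
# because a driver that hides files or processes has to sit in this stack to do so.
fltmc instances
```

Run it from the normal Windows session rather than the recovery environment: `bcdedit` and `fltmc` report on the running system, and the whole point of the signature column is to compare the live drivers folder with what the FRST listing showed.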

Alright. For the next step, you'll need to download FRST and the fixlist.txt on a clean computer and move them on your USB. And before connecting your USB on the infected computer, it must be shut down, then you must boot directly in the RE afterwards.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:

  • USB Flash Drive (size depend on if you have to create a USB Recovery or Installation media)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
  • Another computer (optional: only needed if you cannot work from the infected computer directly)

Preparing the USB Flash Drive

  • Download the right version of FRST for your system:
  • Move the executable (FRST.exe or FRST64.exe) on your USB Flash Drive
  • Download the attached fixlist.txt, and move it on your USB Flash Drive as well

Boot in the Recovery Environment

  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.

Once in the command prompt

  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Fix button and wait for the scan to complete
  • A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply

fixlist.txt


Done. Here ya go. Based on the contents of this log, it seemed to have fixed the problem, but I just wanna be sure because the guy I was talking with previously sent me a fixlist that I used, but after the fix when I checked to see if the virus was gone, it seemed like it, but when I tried to install Comodo, the installation stopped and each piece of the virus was replaced; different names, new folders, same location.

So I'm currently still on the cmd screen in the RE, and I'll stay on this screen until your next reply. What should I do next? Check to see if I can install Comodo?

Fixlog.txt


We're not quite done yet :) And once we are, the malware won't come back. Even right now it won't come back.

AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

Your next reply(ies) should therefore contain:

  • Copy/pasted AdwCleaner clean log
  • Copy/pasted RogueKiller clean log


After the AdwCleaner scan, it said that there was no unwanted elements found; it didn't prompt a restart. This txt doc showed up:

# AdwCleaner 7.0.5.0 - Logfile created on Sun Dec 17 17:41:17 2017
# Updated on 2017/29/11 by Malwarebytes
# Database: 12-15-2017.1
# Running on Windows 10 Home (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [945 B] - [2017/12/17 17:33:30]
 

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########
 
After that, I did the RogueKiller scan:
 
RogueKiller V12.11.28.0 (x64) [Dec 11 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
 
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : NateTheKingIV [Administrator]
Started from : C:\Users\NateTheKingIV\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 12/17/2017 12:38:20 (Duration : 00:46:19)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABF050 +++++
--- User ---
[MBR] 44d3043ab6c3ad5c928b30cf117569fe
[BSP] 0343b75cd2a422677de6fa3608ef8bb0 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
2 - Basic data partition | Offset (sectors): 567296 | Size: 456871 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 936239104 | Size: 980 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 938246144 | Size: 18807 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
Edited by NateTheKingIV

There's one last thing though, it looks like you have two Antivirus installed: Comodo and McAfee. You should never have two Antivirus installed at the same time on a system as it can cause conflict and instability. So you should uninstall one, and keep the other.


Just now, here's what happened: I was in the process of downloading some applications that I had on my computer before I even had the virus. I started running an installation for an application I wanted that I saved on another computer, that I had moved over to my flash drive then to my computer, then all of a sudden a notification from COMODO popped up on the bottom right corner of the screen saying that it was blocking something potentially harmful from starting. I tried to get a good look at it because it showed the file location, but before I could see it my computer just restarted on its own! I didn't even get any sort of prompt or verification to do that! I did manage to see something about APPDATA in the COMODO notification. Then when my computer booted up, I went into the task manager and saw that the virus has come back! And for some reason, on my computer, I can't access the internet even though my Wi-Fi is turned on; I even disconnected and reconnected. I also can't even open up COMODO!

Here's a picture. Instead of being called wdesziusvc, it's now called dthrvcesvc :( and igfxmtc and Windows Process Manager haven't been brought forth by dthrvcesvc, but the folder for igfxmtc is here

dthrvcesvc.png

igfxmtc folder.png

Edited by NateTheKingIV

It's because I was thinking that after my computer restarted, so I decided to delete all my saved installations from my flash drive and the clean PC. What other types of files could've been prone to be bundled with the infection? Because I do have other files I had when I obtained the infection like video files, pictures, and sound files. Or is it only installation type files?

Edited by NateTheKingIV

I've only seen SmartService being distributed via executables and installers (.exe, .msi).

Download FRST from a clean computer and move it on your USB once more. Then go in the RE, launch FRST but this time use the "Scan" button. Afterwards, restart your computer and provide me the FRST.txt file that will be on your USB.

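Since the reply above says this family has only been seen arriving inside executables and installers, the practical check on the poster's side is to inventory the .exe/.msi files carried over on the flash drive before running any of them. The script below is an added example for this thread, not code from Aura, the poster or any of the tools mentioned; it records each installer's SHA-256, Authenticode status and signer, and the Zone.Identifier (mark-of-the-web) stream, so an unsigned or unexpectedly signed installer stands out. The folder path is an assumption.

```powershell
# Added example, not advice or code from the thread: inventory the installers carried over
# on a flash drive before running any of them, recording SHA-256, Authenticode status, signer
# and the Zone.Identifier (mark-of-the-web) stream, so an unsigned or oddly signed .exe/.msi
# stands out for a second look. The folder path is an assumption.

$folder = 'E:\installers'   # assumed location; replace with the flash drive's installer folder

Get-ChildItem -LiteralPath $folder -File -Recurse |
    Where-Object { $_.Extension -in '.exe', '.msi' } |
    ForEach-Object {
        $item = $_
        $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
        $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash

        # Zone.Identifier is an NTFS alternate data stream written to downloaded files
        # (ZoneId=3 means Internet). It cannot exist on a FAT-formatted drive, so treat
        # "absent" as unknown rather than as "not downloaded".
        $zone = 'n/a'
        try {
            $ads = Get-Content -LiteralPath $item.FullName -Stream Zone.Identifier -ErrorAction Stop
            $zid = $ads | Where-Object { $_ -match '^ZoneId=(\d)' } | Select-Object -First 1
            if ($zid -match '^ZoneId=(\d)') { $zone = $Matches[1] }
        } catch { }

        [pscustomobject]@{
            File       = $item.Name
            SizeKB     = [math]::Round($item.Length / 1KB, 1)
            SHA256     = $hash
            SigStatus  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            ZoneId     = $zone
            # Compare SHA256 against the hash the vendor publishes; a valid signature from an
            # unexpected signer is as much of a lead as no signature at all.
            Suspicious = ($sig.Status -ne 'Valid')
        }
    } | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run this on the clean PC against the flash drive, not on the infected one: the inventory is only useful if the machine producing it is trusted, and keeping the table in the thread gives the helper something to match against FRST's file listing if an installer turns out to be the carrier.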

Here's something weird, after doing the FRST scan in the RE and booting normally, dthrvcesvc isn't running in task manager, and I'm able to open COMODO again. In COMODO I was able to see what was stopped earlier; here's a picture along with the txt files. Since COMODO actually managed to quarantine whatever it was, everything seems to be fine.

But let's keep going just in case

Addition.txt

FRST.txt

