Undeleteable virus is bypassing all removal tools



I have a virus that has bypassed Malwarebytes, HitmanPro, and AdwCleaner. Originally it was part of another virus that got removed by those tools (SystemHealer, s5m, AnonymizerGadget, and something else).

I can see it in my Program Files as folders named "judith" and "Zip" and others. In those folders are the applications "Closeness" and "accumulates," which are clogging up my computer. I can't delete them because they are in use by another program, and as soon as I end them in Task Manager they pop up again. I can't "Shred" them through McAfee either. They are not being recognized by any program as a virus, yet they are, or are remnants of, the aforementioned virus I can't get rid of. What should I do?

FRST.txt

Addition.txt

screenshot malware.jpg

Malwarebytes export log.txt


Hello candi_2008 and welcome to Malwarebytes,


You have a SmartService infection; to remove it you will need access to another PC and a USB flash drive of 4GB or above. Are those available to you?

For now do the following:

Open FRST, copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop or the folder you ran FRST from. Attach it in your next reply.
 
Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
End::

 

Post that log in your reply; also let me know if you have access to a PC and flash drive.

Thank you,

Kevin

 

 


I was able to delete the folders aforementioned shortly after posting my original message, so I can't upload Zips\accumulates.exe anymore. My apologies.

 

Yes, I have access to another PC. No, I don't have a USB flash drive with 4GB. I do however have a phone that is recognized by both computers with over 4GB space on it. Will that work, or does it have to have no internet/networks on it?

 

 

Fixlog.txt


Yes, I agree with you, especially with a SmartService infection. I'll post the instructions you'll need when you have a flash drive.

Boot up your spare PC, plug in the flash drive, navigate to that drive, right-click on it directly and select Format. The Quick option is adequate.

Next,

On that same PC, download and save FRST to the same flash drive. Make sure to get the correct version; if you are unsure, download and save both, as only the correct one will run. Do not plug the flash drive into the sick PC until it is booted to the Recovery Environment.

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Next,

Boot the sick PC to the Recovery Environment. If you are unsure of that action, have a read at the following link, and maybe bookmark it for future reference.

https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

Next,

From the Windows 10 tutorial you should get access to the Advanced Startup Options at boot for Windows 10.



From that window select "Troubleshoot"




From the next window select "Advanced Options"




From that Window select "Command Prompt"

Make sure to plug the flash drive into a USB port. You should now be in the Recovery Environment with the Command Prompt window open.

Continue with the following:
 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" or "My PC" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version, then press Enter. Note: replace the letter E with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Leave the infected PC in Recovery mode, and post the produced log from your flash drive via the spare PC.

Thank you,

Kevin

 


Thanks for that log. Boot your sick PC back to Normal mode, then using FRST do the following:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. Do not open that file when running the FRST fix.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as: Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as: Always detect PUMs (recommended)
     
  • Click on Scan and make sure Threat Scan is selected.
  • A Threat Scan will begin.
  • When the scan is complete, if anything is found, make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected tab.
  • If asked to restart your computer to complete the removal, please do so.
  • When complete, click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export. From Export you have two options:
    Copy to Clipboard - if selected, right-click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice; I recommend "Desktop", then attach it to your reply

     
  • Use "Copy to Clipboard", then right-click in your reply and select "Paste"; that will copy the log into your reply.


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop.

Make sure to get the correct version for your system.

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right-click on the tool and select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent one by date and time.

Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin.

fixlist.txt


Looks like that did it! I don't see any bad apps running any more and the scans came back clean.

 

Two things that I've noticed are still different: upon booting up my computer, I still have to choose how to boot up, which I'm assuming is a result of the FRST code you had me input. I still see the "Scanning and repairing (XXXXXXXXXXXXXXXXXXX)" text shortly after that when the computer logo screen pops up upon boot. Anything we can do to get rid of those?

Fixlog.txt

AdwCleaner[S1].txt

mrt log.txt

Malwarebytes report 3.txt


Open FRST, copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop or the folder you ran FRST from. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu no
reboot:
End::

Does that help...?

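As an added check that is not part of the thread, the following PowerShell reads back the two BCD elements the FRST fixes in this thread changed (displaybootmenu on {bootmgr}, recoveryenabled on {default}), so you can confirm the boot picker is off again without rebooting. It assumes an elevated PowerShell prompt, since bcdedit needs administrator rights.

```powershell
# Added example, not from the thread: reads the BCD settings the FRST fixes
# above changed and reports whether the boot menu is still enabled.
# Assumes an elevated PowerShell prompt (bcdedit needs administrator rights).

function Get-BcdElement {
    param(
        [Parameter(Mandatory)] [string] $Identifier,  # e.g. '{bootmgr}' or '{default}'
        [Parameter(Mandatory)] [string] $Element      # e.g. 'displaybootmenu'
    )
    $output = & bcdedit.exe /enum $Identifier 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed for $Identifier (prompt not elevated?): $output"
    }
    # bcdedit lists each element as '<name>   <value>'; an element that was
    # never set is simply absent, and bcdedit then uses its built-in default.
    foreach ($line in $output) {
        if ("$line" -match "^\s*$Element\s+(\S+)") { return $Matches[1] }
    }
    return $null
}

$menu     = Get-BcdElement -Identifier '{bootmgr}' -Element 'displaybootmenu'
$recovery = Get-BcdElement -Identifier '{default}' -Element 'recoveryenabled'

if ($menu -eq 'Yes') {
    Write-Warning 'displaybootmenu is still Yes: the boot picker will keep appearing.'
    Write-Host    'The FRST line above ("displaybootmenu no") clears it; the same command by hand is:'
    Write-Host    '  bcdedit.exe /set {bootmgr} displaybootmenu no'
} else {
    $shown = if ($null -eq $menu) { 'not set (default: menu hidden)' } else { $menu }
    Write-Host "displaybootmenu: $shown"
}

if ($recovery -eq 'Yes') {
    Write-Host 'recoveryenabled: Yes (WinRE remains reachable, as the first fix intended)'
} else {
    Write-Warning "recoveryenabled is '$recovery'; the first FRST fix set it to yes."
}
```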

The thing I was talking about in #15 appears for a split second when you first turn on the PC, so I can't get a screenshot. It's during the logo screen (Dell for me). I tried taking a photo and attached the best one I could take with my phone.

 

I zipped the FRST/Quarantine folder so I could attach it, but it's too large even after compression. "You are only allowed to upload 58.59mb." Looks like the actual size of the folder after compression is about 140 MB. I checked the subfolders' properties to see if I could send it in smaller chunks, but they'll still be over 58MB after compression since it's really two big folders about the same size. Got any other ideas?

20180305_190428 Screenshot Dell virus.jpg


I'm not really sure what is happening with that screenshot you've posted... looking at the drives list from the FRST logs it seems to be the bottom one that is being checked, yet it shows no size in the log drive list?
==================== Drives ================================

Drive c: (OS) (Fixed) (Total:106.96 GB) (Free:17.22 GB) NTFS
Drive d: (DATA) (Fixed) (Total:931.39 GB) (Free:808.2 GB) NTFS

\\?\Volume{c31d7efc-8521-46d5-be71-515743805fba}\ (ESP) (Fixed) (Total:0.48 GB) (Free:0.45 GB) FAT32
\\?\Volume{e08e8e78-38bb-4db6-b456-5aad62517178}\ () (Fixed) (Total:0.83 GB) (Free:0.45 GB) NTFS
\\?\Volume{33f1bcb6-cfce-4b6c-9988-fbc8ff3db677}\ () (Fixed) (Total:0 GB) (Free:0 GB)


 

Regarding the Quarantine folder, you can upload here:  https://www.sendspace.com/  Then copy the download link page URL and post to your reply...

Next,

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. Do not open that file when running the FRST fix.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

 

fixlist.txt


I'm still having trouble uploading the Quarantine folders. Sendspace will only upload files, not folders. Yet when I click into the folders to get the files, there are no files for me to click on (screenshot attached; if I click to further open the folders, I get a blank screen/more folders that eventually lead nowhere).

 

On that note, I've noticed twice in the past week when using Firefox that in the midst of doing something else (like watching anime or designing a game) a new Firefox tab will open with adware with audio. I didn't catch the website as I exited out of it very quickly. We definitely missed something somewhere...

Fixlog.txt

Screenshot sendspace.jpg


Hello Candi_2008,

The quarantine folder must be zipped up before you upload to sendspace...

Navigate here: C:\FRST\Logs - Inside that folder Right click on "Quarantine folder" then select > Send to > Compressed (zipped) folder. That will be named Quarantine.zip and will upload to sendspace...

Next,

Regarding the issue with Firefox, let's try a clean install and see if that helps:

Make a "clean" install of Firefox:

Use the following link for instructions how to back up your bookmarks, same link can be used to import saved Bookmarks:

https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Next,

Remove all synced data from Firefox to stop possible re-infection or exploitation.

https://support.mozilla.org/en-US/questions/1037353

Next,

Go here: http://www.mozilla.org/en-US/ and download and save the latest version of Firefox. We will install this later.

Next,

Let's totally remove Firefox and start over.

Go here: https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer and follow those instructions...

When the uninstall completes, make sure to navigate to and delete the Firefox installation folder (if present):

(32-bit Windows) C:\Program Files\Mozilla Firefox
(64-bit Windows) C:\Program Files (x86)\Mozilla Firefox

It is essential the installation folder is removed. Re-boot your system when that is completed....

Next,

To remove all remaining data and profile information...

Press "Windows key + R" to open the Run box
In the Run box, type in or copy and paste %APPDATA%
Click OK. A Windows Explorer window will appear.
In this window, choose/open in succession Mozilla > Firefox > Profiles.
Select Delete on each entry in reverse, e.g. Profiles > Delete, Firefox > Delete, Mozilla > Delete.

Re-boot your system when complete!

Next,

Use the Mozilla Firefox installer to reinstall your Browser....

When Firefox is installed and open, press these keys together: Ctrl - Shift - A. That will open the Add-ons Manager, which gives access to find add-ons/extensions and use, start, stop or disable those features.

uBlock-Origin can be installed from here: https://addons.mozilla.org/en-GB/firefox/addon/ublock-origin/ <<--- Recommended.
 
Thank you,
 
Kevin
