SCOP-Victim

scop.exe (not being detected, causing damage) missing os


Hi, I am rather terrified.

I was an idiot and installed malware on my computer. It is called scop.exe, and it will not let me close it down or delete it. Since it has shown up, I've been noticing clicking sounds every second. As if it is doing background stuff.

In just fifteen minutes while I was scanning, it has imported 92 viruses. Various riskware, Trojans, and adware. Upon restarting to quarantine, my computer no longer starts up properly. I have repaired startup through the repair disk and that worked, but only temporarily. If I restart, the same thing occurs again. No hardware is damaged. It doesn't show up as a virus by Malwarebytes. And Malwarebytes is the best, so I resorted to this.

Attached are the processes. One is under wininit.exe

The other is scop.exe, which relaunches every time I open a browser.

Firefox and Chrome have been renamed to chrome334.exe and firefox334.exe.

These are running in safe mode and are just as bad.

I know I am not including a lot of data so please give me a list of what you need to know.

 

IMG_5039.JPG

IMG_5040.JPG


Hi SCOP-Victim :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt) and the Malwarebytes log. You can attach them in your next post, or copy/paste their content.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/


Hi, Aura! :)
I have both of the text files attached! I removed some files to follow your terms correctly. If there is anything left it was not intentional.

This appears to be an automated response, but what I want to know is, you're aware that it already made changes, right? Once it gets my system clear could you help my computer rediscover the operating system? I know you guys aren't Windows, but you have a lot of knowledge it appears, and Microsoft's own employees know absolutely nothing, hahaha.

I also discovered there is a file the virus resides in that I am not set as owner on, and it refuses to allow me to claim ownership, this may be where it is hiding.

Addition.txt

FRST.txt

Quote

This appears to be an automated response, but what I want to know is, you're aware that it already made changes, right?

You are infected with SmartService. As complex as the infection is, it shouldn't prevent your system from booting up normally.

Quote

Once it gets my system clear could you help my computer rediscover the operating system?

I can take a look at the end, yes.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Copy/paste the following inside the text area:
    Start::
    CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
    CMD: bcdedit.exe /set {default} recoveryenabled yes
    End::
    
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply


Hello, Again. Here is the log file. It is rather short and I put the specified text in the search area, presuming that is what you meant.

What is SmartService, though? Can you give me some background info? Why did I find 90 viruses one time, and 40 another? Does it install viruses? Is there somewhere where I can read about its origins and what it does? Also, what is hijack.host because that's all that's being detected right now

Also, why can't your program detect it?

Fixlog.txt

Quote

What is SmartService, though? Can you give me some background info? Why did I find 90 viruses one time, and 40 another? Does it install viruses? Is there somewhere where I can read about its origins and what it does? Also, what is hijack.host because that's all that's being detected right now

SmartService is a rootkit that is commonly delivered with the Yelloader adware. However, since this infection also comes with a downloader, it can drop a lot of adware, PUP, etc. at once on a system it infects. So even if you remove some of the malware it installed on a system, they'll be downloaded and installed again if you don't remove the infection as a whole. There's still no technical article regarding SmartService (at least, none that are up to date), but here's one from BleepingComputer when the malware was first sighted.

https://www.bleepingcomputer.com/news/security/smartservice-and-s5mark-acts-like-an-adware-bodyguard-by-blocking-antivirus-software/

Quote

Also, what is hijack.host because that's all that's being detected right now

Most likely hijacked entries in the hosts file. We'll replace it as well.

Quote

Also, why can't your program detect it?

Malwarebytes can detect SmartService, however, once installed, every security product is useless against it, since it basically prevents all of them from working properly. At the moment, it can only be removed from the Windows RE, which is what we'll do.

For the next part, you'll need to download the FRST executable on a clean computer, and move it to your USB Flash Drive. That USB can only be inserted in the infected computer if it is either shut down, or in the Windows RE. Otherwise, the infection will mess with the files on the USB and you'll have to restart.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:

  • USB Flash Drive (size depends on whether you have to create a USB Recovery or Installation media)
  • Another computer (clean of infection)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)

Preparing the USB Flash Drive

  • Download the right version of FRST for your system from a clean computer:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your USB Flash Drive

Boot in the Recovery Environment

  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
  • Once in the Windows RE, plug the USB Flash Drive in the computer

Once in the command prompt

  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for the scan to complete
  • A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply
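
To illustrate the "hijacked entries in the hosts file" mentioned in the reply above, here is an added Python example (not part of the original post, and not a Malwarebytes or FRST tool) that lists every active hosts entry that is not a plain localhost mapping. The sample file content and its `.example` hostnames are constructed; on Windows the real file is `C:\Windows\System32\drivers\etc\hosts`.

```python
import ipaddress

# Names that may legitimately point at loopback in a hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: a stock-looking header followed by three added entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1       localhost
0.0.0.0         update.av-vendor.example   # constructed entry
127.0.0.1       www.av-vendor.example forum.av-vendor.example
203.0.113.10    search.example
"""


def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for each active entry
    that is not a localhost name mapped to loopback."""
    findings = []
    # Drop a UTF-8 BOM if an editor left one at the start of the file.
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        # Strip inline comments, then split into "IP name [name ...]".
        entry = raw.split("#", 1)[0].split()
        if not entry:
            continue  # blank line or comment-only line
        ip_text, names = entry[0], entry[1:]
        try:
            # An IPv6 zone id (fe80::1%lo0) is not part of the address itself.
            ip = ipaddress.ip_address(ip_text.split("%", 1)[0])
        except ValueError:
            findings.append((line_no, ip_text, " ".join(names), "malformed"))
            continue
        # Loopback or 0.0.0.0 makes the name unreachable; any other
        # address silently sends the name to a different server.
        sink = ip.is_loopback or ip.is_unspecified
        for name in names:
            name = name.lower().rstrip(".")
            if sink and name in LOCAL_NAMES:
                continue
            verdict = "blocked" if sink else "redirected"
            findings.append((line_no, str(ip), name, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

A stock Windows hosts file contains only comment lines, so any finding on a home system is worth reviewing before the file is replaced.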


Here is the problem. Every time I restart it says Operating System Missing. I have to launch the repair disk every time and enter startup repair, then it gets me to my operating system. Every time it needs to be repaired again.

From my understanding you are telling me to install farbar to a clean computer, move the exe to the flashdrive, and use it on this computer, but have it plugged in from startup and not plug it in when it is on? The virus runs during safemode.

Can you tell me what to do to match this accordingly? I have Win7, and I can't do F8 if it can't find the operating system.

Quote

I have to launch the repair disk every time and enter startup repair, then it gets me to my operating system. Every time it needs to be repaired again.

Having a repair disk will allow you to enter the Windows RE (this is where the "Startup Repair" is), and you'll have the option to open the command prompt.

Quote

From my understanding you are telling me to install farbar to a clean computer, move the exe to the flashdrive, and use it on this computer, but have it plugged in from startup and not plug it in when it is on? The virus runs during safemode.

That's right. The USB can only be plugged in the infected computer if you're in the Windows RE, or booting the computer and going straight to the Windows RE.


I am away from home, and I have one last question. 

Will you help me fix the startup at some point? I don't understand what happened, but I think Hitman Pro quarantined some Windows files, or the virus deleted them. Also, how can I delete the source file that SmartService is in? It seems to have privileges that mark it as the owner, even though it didn't show. I checked my command prompt and removed a credential it had in my control panel. Additionally, I disabled a startup that the virus seemed to turn on. This is all I have done additionally, I thought I'd let you know.

Either way, why isn't it recognizing Windows 7 every time it starts up? It only recognizes it after startup repair does something different every time. I can get into safemode if I hit F8 while the PC restarts from startup repair, if that is needed. However it still runs, of course.

Also, what is Chrome334.exe, and Firefox334.exe? Chrome334 launches Scop.exe

What is scop.exe, is it just a random file name that was generated?

Is iexplorer the default for Internet Explorer? I know it's a crap browser but I figured it was so unpopular the virus wouldn't think to alter that, and I think I'm right.

Quote

Will you help me fix the startup at some point?

I will, but first, we need to remove SmartService otherwise it'll get in the way of the repairs.

Quote

Also, how can I delete the source file that SmartService is in? It seems to have privileges that mark it as the owner, even though it didn't show. I checked my command prompt and removed a credential it had in my control panel. Additionally, I disabled a startup that the virus seemed to turn on. This is all I have done additionally, I thought I'd let you know.

SmartService will be removed as soon as you run a scan with FRST in the Windows RE. It cannot be removed inside Windows.

Quote

Either way, why isn't it recognizing Windows 7 every time it starts up? It only recognizes it after startup repair does something different every time. I can get into safemode if I hit F8 while the PC restarts from startup repair, if that is needed. However it still runs, of course.

Most likely because the BCD is corrupt, or the boot loader is. We'll address this once SmartService is removed.

Quote

Also, what is Chrome334.exe, and Firefox334.exe? Chrome334 launches Scop.exe

Modified versions of Google Chrome and Mozilla Firefox that come with ads, pop-ups, etc.

Quote

What is scop.exe, is it just a random file name that was generated?

A randomly named adware payload.

Quote

Is iexplorer the default for Internet Explorer? I know it's a crap browser but I figured it was so unpopular the virus wouldn't think to alter that, and I think I'm right.

iexplore.exe is the executable for Internet Explorer.


Hi SCOP-Victim,

Are you still with me?


Yes! I am. I'd like to let you know I cannot access my computer until 8-9pm Sunday (your timezone). Is this okay? I'd like to bump this so it does not get locked.


All good, thanks for letting me know. I'll be waiting in that case :) 


Hi SCOP-Victim,

Are you still with me?


Yes! I have two big school projects! Sorry!! I am available after tomorrow, but may be able to do some work after 12. Is this okay with you?

I apologize for bumping the thread so much, I just cannot afford for this to be closed, you're a great help to me and basically my only hope.


Alright, I'll be waiting :) 


Hi! I did everything you asked with a flash drive but ran into this when opening farbar64.exe

I used the command prompt with the Windows RE disk.

Should I click continue and continue the steps?

image.jpg


Did you download and move FRST on a USB from a clean computer, or the infected one?


Alright, can you click on the "Continue" button and see what happens?


It is complete and it gave me the log. Will I need to use farbar again? Will the virus alter it if the flash drive is present or just if it's running? I can go back into safemode to share it with you but I don't have access to the clean PC right now


If you were able to run a scan with FRST in the Windows RE and the scan went through, SmartService (the infection) should've been removed. So you can boot Windows normally and provide me the FRST.txt log that is on your USB flash drive :) 


Hello, again!! My computer looks like it's all polished up! All of those random garble processes are gone! <3

I have the log attached to this message.

Can you tell me if it is safe to use chrome or firefox? I'm a bit hesitant because of their previous reinstallation of the virus.

Who knew that internet explorer would actually help me for once? For being such an outdated browser that SmartService didn't think to alter it.

Can you tell me how I can recover deleted data? I seem to be missing some files.

FRST.txt


Good! Now you should be able to install and run a scan with Malwarebytes.

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Quote

Can you tell me if it is safe to use chrome or firefox? I'm a bit hesitant because of their previous reinstallation of the virus.

You can use them, yes.

Quote

Can you tell me how I can recover deleted data? I seem to be missing some files.

What files are you missing?


File wise, nothing too important. Some python coding. Who knows, I could have deleted it myself. I was wondering if there is any file recovery software you recommend.

I will be sure to send that exportation once the scan completes.

This topic is now closed to further replies.
