Phished fontdrvhost.exe Infection?


That would suggest that FRST does not see the D:\ drive when running via the recovery environment....

Can you navigate to and open this folder: D:\C\Program Files (x86)\Imouto Paradise 3\Game\妹ぱらだいす!3\res, then right click on moonstone.TTE and select "Properties".

In the new window select the "Security" tab. With your Admin account selected, what permissions are listed for that file? Are they the same as the attached image example?

[attached image: Perms.JPG]

Please download GrantPerms from here: https://www.bleepingcomputer.com/download/grantperms/ and save it to your desktop.
Ensure to get the correct version for your system. GrantPerms.zip or GrantPerms64.zip
Unzip that version to its own folder on your Desktop so you have GrantPerms.exe or GrantPerms64.exe in that folder. Right click on the exe and select "Run as Administrator".

Copy and paste the following in the edit box:

D:\C\Program Files (x86)\Imouto Paradise 3\Game\ 妹ぱらだいす!3 \res\moonstone.TTE

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run from.

I got an error. I can say with surety that the majority of our problems are because it's hidden behind Asian characters. Once again, the program we tried to use couldn't recognize the lettering and find the path, as seen in the log below; apparently it shows it as "?"s.

GrantPerms by Farbar 
Ran by Gina (administrator) at 2018-04-29 19:06:54

===============================================
ERROR: Parsing the SD of <\\?\D:\C\Program Files (x86)\Imouto Paradise 3\Game\ ???????? \res\moonstone.TTE> failed with: The system cannot find the path specified.


Operating system error message: The system cannot find the path specified.

================ End Of List ================

GrantPerms by Farbar 
Ran by Gina (administrator) at 2018-04-29 19:15:33

===============================================
\\?\D:\C\Program Files (x86)\Imouto Paradise 3

   Owner: DESKTOP-8CFTPA0\Gina

   DACL(NP)(AI):
   Everyone   FULL   ALLOW   (I)
   Everyone   FULL   ALLOW   (CI)(OI)(IO)(I)
   BUILTIN\Administrators   FULL   ALLOW   (I)
   BUILTIN\Administrators   FULL   ALLOW   (CI)(OI)(IO)(I)
   NT AUTHORITY\SYSTEM   FULL   ALLOW   (I)
   NT AUTHORITY\SYSTEM   FULL   ALLOW   (CI)(OI)(IO)(I)
   NT AUTHORITY\Authenticated Users   change   ALLOW   (I)
   NT AUTHORITY\Authenticated Users   change   ALLOW   (CI)(OI)(IO)(I)
   BUILTIN\Users   READ/EXECUTE   ALLOW   (I)
   BUILTIN\Users   READ/EXECUTE   ALLOW   (CI)(OI)(IO)(I)

================ End Of List ================

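An added example, not part of the thread and not Farbar's tool: the same owner/DACL listing done from an elevated PowerShell with Get-Acl. It covers the Properties > Security check asked for earlier, what GrantPerms was asked to list, and the (I)(CI)(OI)(IO) flags in the listing it produced. Every path is passed with -LiteralPath, so the '!' and the Japanese characters in 妹ぱらだいす!3 are taken as-is. Two things the GrantPerms error above shows: the folder name reached the tool as "????????" because it only handled ANSI text, and the pasted path had a space on either side of the folder name, which the real path does not have. The sample tree under %TEMP% is constructed for the example (it is not the poster's D: drive), the folder name is built from its Unicode code points so the script's own file encoding does not matter, and the 8.3 fallback uses Scripting.FileSystemObject's ShortPath.

```powershell
# Added example (not from the thread): GrantPerms-style owner/DACL listing via Get-Acl.
# Windows PowerShell 5.1 or later, run elevated so every ACL is readable.

function Get-DaclReport {
    param([Parameter(Mandatory)][string]$LiteralPath)

    # -LiteralPath: '[' ']' '*' '?' are wildcards for -Path, never for -LiteralPath.
    if (-not (Test-Path -LiteralPath $LiteralPath)) {
        throw "Path not found: $LiteralPath"
    }
    $acl   = Get-Acl -LiteralPath $LiteralPath
    $lines = @($LiteralPath, "   Owner: $($acl.Owner)", '', '   DACL:')

    foreach ($ace in $acl.Access) {
        # Same flag letters GrantPerms/icacls print:
        # (I) inherited from parent, (CI) container inherit, (OI) object inherit,
        # (IO) inherit only (the entry does not apply to this object itself).
        $flags = ''
        if ($ace.IsInherited) { $flags += '(I)' }
        if ($ace.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)) { $flags += '(CI)' }
        if ($ace.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit))    { $flags += '(OI)' }
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly))      { $flags += '(IO)' }
        # FileSystemRights prints .NET names (FullControl, Modify, ReadAndExecute)
        # where GrantPerms prints FULL / change / READ/EXECUTE.
        $lines += '   {0}   {1}   {2}   {3}' -f $ace.IdentityReference, $ace.FileSystemRights, $ace.AccessControlType, $flags
    }
    return $lines
}

# Constructed sample (not the poster's disk): the folder name from the thread built
# from code points, under %TEMP%, so the example runs on any Windows box.
$jpName   = -join ((0x59B9, 0x3071, 0x3089, 0x3060, 0x3044, 0x3059) | ForEach-Object { [char]$_ })
$jpName  += '!3'
$demoDir  = Join-Path (Join-Path (Join-Path $env:TEMP 'acl-demo') $jpName) 'res'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'moonstone.TTE'
Set-Content -LiteralPath $demoFile -Value 'sample' -Encoding ASCII

Get-DaclReport -LiteralPath $demoFile

# If a tool you must use only handles ANSI text (the "????" in the GrantPerms log),
# hand it the 8.3 short name instead: pure ASCII, same file. It only exists when 8.3
# name creation was enabled on that volume at the time the folder was created.
$fso = New-Object -ComObject Scripting.FileSystemObject
$fso.GetFile($demoFile).ShortPath
```

If you type the Japanese name literally into a .ps1 instead of building it from code points, save the script as UTF-8 with BOM; Windows PowerShell 5.1 reads a BOM-less file as ANSI and the name is mangled before any cmdlet sees it, which is the same failure the GrantPerms run hit.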

I'm going to leave and come back in an hr. 

Thank you so much for helping me thus far, but I've decided to treat my family for dinner and take an hr break. I'll be back in like 1 hr to continue working with you, I'm sure you could probably use a break as well :)

Thanks again, and see you soon.

Yep, I definitely need a break; I'm in the UK and my local time is 34 mins after midnight... I'm off to bed very shortly... After the unlock completes try the following, it may or may not work...

Navigate to and open D:\C\Program Files (x86)\Imouto Paradise 3\Game. Inside that folder, right click on 妹ぱらだいす!3 and select "Rename".

If you are allowed, rename that to killme or a word of your choice; if that works we should have a better chance....

Yeah, I understand if you need to go to bed.

Anyway, https://gyazo.com/ac8488d39e19e6c90bcff6e5a2d01eb1 is the result of me doing so after attempting to unlock it. I had a feeling this would be the outcome since the file in the folder is constantly in use. If you have any more ideas about how to solve this problem, please get back to me.

I've also tried deleting the file through commands, to no avail. I get access denied.
https://gyazo.com/bf1e937e30d887268793e12f633e7321
https://gyazo.com/8c82f84f62c7f0eae2a75b57514f0e7f

I have finally solved the issue. Through using your "Recovery Environment" method you taught me, I entered the commands I did in the pictures above and forcefully deleted the folder and all of its subsidiaries. I believe the issue to be solved, as the folder is completely gone. Please get back to me and tell me if there are any other things I need to do to make sure my PC is clean. It's been a pleasure working with you!

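An added example, and not the commands from the poster's screenshots (those are only linked, not on the page): the standard take-ownership, re-ACL, delete sequence for a tree that answers "Access is denied", with the rename test suggested earlier done first. It serves both the rename suggestion and the "access denied" delete attempts above. Assumptions: an elevated Windows PowerShell 5.1 or later, and that takeown.exe and icacls.exe are present (they are the same binaries available from the Recovery Environment command prompt). The sample tree under %TEMP% is constructed for the example; the poster's real lock and permission state is not reproduced, the script only exercises the sequence end to end.

```powershell
# Added example (not the thread's own commands): rename test, then takeown / icacls /
# Remove-Item on a directory tree that returns "Access is denied". Run elevated.
# If a file in the tree is held open by a running process, the delete fails with a
# sharing violation no matter what the ACLs say; the same takeown/icacls/rd steps
# then have to be run from the Recovery Environment, where that process is not running.

function Remove-StubbornTree {
    param(
        [Parameter(Mandatory)][string]$LiteralPath,
        [switch]$Force    # without -Force nothing is changed, the plan is only reported
    )
    if (-not (Test-Path -LiteralPath $LiteralPath -PathType Container)) {
        throw "Not a directory: $LiteralPath"
    }
    if (-not $Force) { return "Would rename, take ownership of and delete: $LiteralPath" }

    # 1. Rename test (the "killme" step): if the folder can be renamed, nothing inside
    #    it is held open and the ACL work below is all that is needed.
    $leaf = 'killme_' + [guid]::NewGuid().ToString('N').Substring(0, 8)
    try {
        Rename-Item -LiteralPath $LiteralPath -NewName $leaf -ErrorAction Stop
        $target = Join-Path (Split-Path -LiteralPath $LiteralPath -Parent) $leaf
    } catch {
        Write-Warning "Rename failed: $($_.Exception.Message)"
        $target = $LiteralPath
    }

    # 2. Take ownership recursively. /D Y answers the "take ownership of the directory?"
    #    prompt; the letter is locale dependent (Y on an English Windows).
    & takeown.exe /F $target /R /D Y | Out-Null
    #    Grant full control by well-known SID S-1-5-32-544 (BUILTIN\Administrators) so the
    #    command does not depend on the group's display name; /T recurses, /C continues on errors.
    & icacls.exe $target /grant "*S-1-5-32-544:(OI)(CI)F" /T /C | Out-Null

    # 3. Delete with -LiteralPath so '!' and non-ASCII characters are taken as-is.
    Remove-Item -LiteralPath $target -Recurse -Force -ErrorAction Stop
    return "Deleted: $target"
}

# Constructed sample tree under %TEMP% (folder name from the thread, built from code
# points so the script's file encoding does not matter). Never point this function at
# a real folder without checking the path first: -Force is destructive.
$jpName  = -join ((0x59B9, 0x3071, 0x3089, 0x3060, 0x3044, 0x3059) | ForEach-Object { [char]$_ })
$jpName += '!3'
$demo    = Join-Path (Join-Path $env:TEMP 'stubborn-demo') $jpName
New-Item -ItemType Directory -Path (Join-Path $demo 'res') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'res\moonstone.TTE') -Value 'x' -Encoding ASCII

Remove-StubbornTree -LiteralPath $demo          # dry run: reports the plan only
Remove-StubbornTree -LiteralPath $demo -Force   # rename, takeown, icacls, delete
```

The rename-first step is cheap and tells you which problem you actually have: a rename that succeeds means the tree was only an ACL problem, a rename that fails with a sharing violation means something has the file open and no amount of ACL repair on the running system will help.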

Nice job, pleased to hear you've finally nailed that nagging issue. We need to remove FRST64 and all of its folders:

Right click on D:\Desktop\FRST64.exe and rename it to uninstall.exe. Right click on the renamed value and select "Run as Administrator"; your system should reboot, if not do that yourself...

BlitzBlank can be deleted.

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point:    http://www.thewindowsclub.com/create-system-restore-point

From there you should be good to go...

Regards,

Kevin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks
