Hello,

My computer has become infected with this particularly pesky trojan.  After reading around on the site, it sounds like there are a few variable ways to tackle removing this.  Since the computer has become infected I have added Norton's security suite but it doesn't detect the issue at all.

If possible, is someone able to help me tackle removing this malware?  Thank you!

Robert


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here to help you!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:


Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
  4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:


Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Addition.txt logs to your reply. Before submitting your reply, be sure to enable "Notify me of replies".

Click "Reveal Hidden Contents" below for details on how to add attachments to your post.
Note: If you are unable to attach files, please copy and paste the contents of the requested files in your Reply instead.


To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help.
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Troubleshooting Tips


Hello ramurphy86 and welcome!
I'm Android8888 and I'll be helping you with your computer issues. Please ask questions if anything is unclear.

Your system is infected with a SmartService Rootkit which is a very nasty infection.

For now, in Normal mode do this please:

Right click on the FRST icon and select Run as administrator to start the tool;
Highlight and copy the following text and paste it inside the 'Search' box area of FRST;

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::


Once done, click on the Fix button. A file called Fixlog.txt should appear on your computer Desktop;
Please attach it in your next reply.

Thank you.

Android8888


Alright, thank you for the log.

Now please read the following instructions carefully and if you don't understand something, please STOP and ask before proceeding.

 

You will have to run a scan with FRST from the Windows Recovery Environment (RE).

First you will need to have access to an uninfected computer and a USB Flash Drive.

Please note: The USB Flash Drive can only be inserted in the infected computer when in the Windows RE (Recovery Environment). Otherwise, the infection will mess with the files on the USB.
 
Preparing the USB Flash Drive (on a clean computer)

  • Plug the USB Flash Drive into a clean computer and format it before using it ('Quick Format' is enough).
  • Access the Internet and download FRST64.exe from a clean computer (Don't use the FRST64.exe file from the infected computer): FRST 64-bit
  • Move the executable (FRST64.exe) onto the USB Flash Drive.

 

Boot in the Recovery Environment (RE) (on the infected computer)

To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:

  • Restart the computer.
  • Once you've seen your BIOS splash screen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears.
  • Use the arrow keys to select Repair your computer, and press on Enter.
  • Select your keyboard layout (US, French, etc.) and click on Next.
  • Click on Command Prompt to open the command prompt.

Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.

 

To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums.
Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.

 

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums.

Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.

 

Note: Once in the Windows RE, plug the USB Flash Drive in the computer.
 
Once in the Command Prompt

  • In the command prompt, type notepad and press on Enter;
  • Notepad will open. Click on the File menu and select Open;
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad;
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter;
  • Note: Replace the letter e with the drive letter of your USB Flash Drive;
  • FRST will open;
  • Click on Yes to accept the disclaimer;
  • Click on the Scan button and wait for the scan to complete;
  • A log called FRST.txt will be saved on your USB Flash Drive;
  • Please post the entire content of that log in your next reply.


Let me see the FRST.txt log and wait for further instructions.

Thank you.

Android8888


Hello Robert.

6 hours ago, ramurphy86 said:

Thank you so much again for your continued help.

You're most welcome and thank you for the log. :)

 

Now, please run a new scan with Malwarebytes.

  • Launch Malwarebytes and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button;
    • If it asks you to restart your computer to complete the removal, do so;
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard.
  • Paste the content of that log in your next reply;

 

Thank you.

Android8888


Hello Android8888,

Thank you!  Very clear instructions, believe I got it right... ran two scans - one before the restart and a second after it had identified and quarantined a ton of files from WMC agent folder, both logs uploaded.  Looks promising...?

Thank you,

Robert

Report - 6.7.2018 - Before Restart.txt

Report - 6.7.2018 - After Restart.txt


Good job Robert! The latest Malwarebytes log is clean. :)

Now, please proceed with these instructions:

  • Download AdwCleaner and move it to your computer Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator;
  • Click Yes to accept the User Account Control security warning that may appear;
  • Click on the blue button 'I AGREE';
  • Click on the Scan Now button;
  • Let the scan complete. Once it's done, make sure that every item listed is checked and click on the Clean & Repair button;
  • Click on the Clean & Restart Now button;
  • After the restart, a log will open when logging in. Please copy and paste the content of that log in your next reply.


Next,
Please download RogueKiller_portable64.exe by Tigzy and save it to your computer Desktop;

  • Now close all programs and Internet browsers and disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the file RogueKiller_portable64.exe and select Run as administrator to start the tool;
  • Click Yes to accept the User Account Control security warning that may appear;
  • Once the tool is open, click the 'Scan' tab menu and then click the Start Scan button;
  • Wait until the scan has finished. Note: This scan may take some time to complete;
  • Once finished the results will be displayed;
  • Check every single entry (threat found), and click on the Remove Selected button;
  • Click on the Open Report button. It will open a new window;
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your computer Desktop.
  • Close RogueKiller.


Please copy and paste the contents of RKlog.txt to your next reply.

Please post both the contents of the AdwCleaner clean log and the RogueKiller log, and let me know how the computer is behaving.

Thank you.

Android8888


Great, it looks good and we are making progress.

Okay, please follow the instructions below to download and execute a new scan on your system with FRST, and provide me a new set of logs (FRST.txt and Addition.txt) in your next reply.

  • Right-click on the executable and select Run as Administrator to start the tool;
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry and will also search for updates, which should take a few seconds;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and two Notepad files will then open;
  • Please attach both FRST.txt and Addition.txt in your next reply and wait for further instructions;

Thank you.

Android8888

 


Hello Robert,

There is something wrong with the content of the FRST.txt file. It is not complete.

Please delete both present files (FRST.txt and Addition.txt), then re-run a new scan with FRST and attach the two newly produced logs (FRST.txt and Addition.txt).

Thank you.

Android8888


Hello Robert,

Thank you for the new set of logs.

The fix script below includes instructions to run a Disk Check, so please be patient and let it complete.

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the Fixlog.txt in your next reply;


Next,

Please scan your computer with ESET Online Scanner to search for leftovers. This is a very thorough scan and can take several hours to complete but it's worth it.

  • Click on this link to open ESET Online Scanner in a new window.
    1. Click on the Scan Now button to download the esetonlinescanner_enu.exe file and save it to your computer Desktop.
    2. Close all your programs and browsers and disconnect any USB flash drives from the computer.
    3. Please disable your Antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    4. Right-click on esetonlinescanner_enu.exe and select Run as administrator.
    5. Click Yes to accept the User Account Control security warning that may appear. It will open a window with the Terms of Use.

  • Click the Accept button.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Please attach the log in your next reply.
  • Click the Back button.
  • Click the Finish button.


Note: If nothing is found, it will not produce a log.

Please re-enable your Antivirus program.


In your next reply please attach the Fixlog.txt and the ESET log (if it produced one).

How is the computer behaving at this point? Are there any issues or concerns?

Android8888

fixlist.txt


Hello Robert.

Sorry for the delay in responding. The ESET log looks good. Now please do the following:

Download the Malicious Software Removal Tool by Microsoft and save it to the computer's Desktop.

MSRT 64 bit version

Right click on the Tool and select Run as administrator; (the tool will expand to the 'Options' window)
In the 'Scan Type' window, select Quick Scan;
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key simultaneously to open the 'Run' function;
2) Type or Copy and Paste the following command to the 'Run Line' and press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time.

Please post the contents of the most recent log in your next reply and let me know what issues or concerns you are still having on the computer.

 

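The helper above asks for only the most recent MSRT run out of mrt.log, which appends one block per run. As an added example that is not part of the thread, this PowerShell function splits the log on its dashed separators, parses each run's "Started On" stamp and returns the newest one; the two-run sample log is constructed for the example (only the second banner mirrors the one posted in the thread).

```powershell
# Added example (not from the thread): return the most recent MSRT run in mrt.log.
function Get-LatestMrtRun {
    param([Parameter(Mandatory)][string]$LogText)

    # Runs are separated by a long line of dashes; the short "----------------"
    # under "Results Summary:" must not count as a separator, hence {20,}.
    $blocks = $LogText -split '(?m)^-{20,}\s*$' | Where-Object { $_.Trim() }

    $runs = foreach ($block in $blocks) {
        $m = [regex]::Match($block, '(?m)^Started On (.+)$')
        if (-not $m.Success) { continue }
        # ctime-style stamp, e.g. "Tue Jun  5 09:00:00 2018": collapse the
        # space padding before single-digit days so one format string fits.
        $stamp = ($m.Groups[1].Value -replace '\s+', ' ').Trim()
        $when = [datetime]::ParseExact($stamp, 'ddd MMM d HH:mm:ss yyyy',
                                       [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            StartedOn = $when
            Clean     = $block -match 'No infection found\.'
            Text      = $block.Trim()
        }
    }
    $runs | Sort-Object StartedOn -Descending | Select-Object -First 1
}

# Constructed sample with two runs (the first run's version/build are made up).
$sample = @'
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.60, May 2018 (build 0.0.0.0)
Started On Tue May  8 10:02:11 2018

Results Summary:
----------------
No infection found.
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.61, June 2018 (build 5.61.14929.3)
Started On Tue Jun 12 21:49:05 2018

Engine: 1.1.14901.4
Signatures: 1.269.297.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
'@

$latest = Get-LatestMrtRun -LogText $sample
"Most recent run: $($latest.StartedOn.ToString('yyyy-MM-dd HH:mm:ss')), clean = $($latest.Clean)"
$latest.Text

# On the machine itself, read the real log instead of the sample:
# Get-LatestMrtRun -LogText (Get-Content "$env:windir\debug\mrt.log" -Raw)
```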

Hello Android 8888,

 

No reason for you to apologize, I was the one very delayed in responding!

 

Computer is acting great now.  Log from the Microsoft app below.  Looks promising!

 


---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.61, June 2018 (build 5.61.14929.3)
Started On Tue Jun 12 21:49:05 2018

Engine: 1.1.14901.4
Signatures: 1.269.297.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
 


Excellent! Your computer appears to be clean and free of malware.

It's time to search for updates. Outdated programs contain security vulnerabilities that are exploited by malware in order to infect the computer without the user's knowledge. This is usually one of the ways that contributes most to infecting systems.

You can run a program like FileHippo Update Checker or UCheck to see what programs need to be updated. Either of them is easy to use.

When the updates are complete, you can delete the tools we used in the malware removal process by running DelFix. This is a simple little program that will also remove itself after it has run.

Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Run as Administrator;
  • Check the following options :
    • Remove disinfection tools (this option will remove the tools used in the cleaning process).
    • Create registry backup (this option will create a backup from the Windows Registry).
    • Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
  • Once the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. I don't need to see the log file, just close and delete it. It's located in C:\Delfix.txt

Are there any issues or concerns with the computer, or is that all?


Great!

To help keep malware off your system below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please consider using these ideas to help secure your computer.

Keep your Windows Operating System and antivirus up-to-date.

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain check-boxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Keep Malwarebytes up to date and perform a regular scan of your system, as it will make it harder for malware to reside on your computer.
A tutorial on using MBAM can be found here and a complete guide here.

Please Note: Only the paid-for version has real time capabilities. Please go here and scroll down to find a comparison list of the two versions.

A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Another much-feared threat at the moment is an infection by Ransomware. A Ransomware infection is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here.

Please keep your programs up to date. This applies to most of the programs and ALL your Internet Browsers in particular. Vulnerabilities in the programs are often exploited in order to install malware on your PC.

Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.

Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.

Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.

Don't click on links received in instant message programs.

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good, regularly updated HOSTS file is the MVPS HOSTS File, available here.

For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices:
So how did I get infected in the first place
Answers to common security questions - Best Practices

Hopefully these steps will help to keep you error and malware free. If you run into more difficulty, we will certainly do what we can to help.

Happy surfing and stay safe.

Android8888

 


  • 1 month later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 


This topic is now closed to further replies.