
Windows Process Manager smartservice infection


Well, I might not have been paying too much attention to an .iso I downloaded yesterday; the second I ran the enclosed .exe I got inundated with Hacksaw.exe and Twisty.exe, 3 files in Appdata/Local that I cannot open, delete, take ownership of, etc., as well as several root-kits, trojans, registry edits, some fake-as-all-hell ushzrnesvc.exe in my system32, and 6 Windows Process Manager (32 bit) clogging up everything, and Malwarebytes, Fileassassin, Unlocker, Mbar, Adwcleaner, and Farbar have all failed me.  So I started doing the steps shown here:  https://forums.malwarebytes.com/topic/216738-windows-process-manager-32-bit/

only to find that the "fixlist.txt" mentioned in the post about getting to the recovery environment was only good for that specific computer, and I've got no idea how to generate my own.  If someone could point me in the direction I need to go, that would be really awesome.  I've managed to take out most of this infection myself, i.e. it's only the undeletable files and that so-called TOSHIBA CORP executable (I think) I need to get rid of.  I'm not sure what logs and such are needed for this, and since I don't have any brand new shiny ones I'll wait for someone who knows what they're doing to tell me which programs to run and all that.  Thank you very much in advance.


Aw *****, didn't read the stickies, sorry about that.  So I've attached the most recent FRST.txt and Addition.txt.  However, I can't attach the Malwarebytes logs because a) I don't know where they are and b) something is actively stopping Malwarebytes from starting, and uninstalling and reinstalling is the only way to get it to work.  However, Chameleon works; would those logs be useful?

Addition.txt

FRST.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I have identified a bad SmartService infection.

You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...
Let me know if you have access to these devices.

I need to know first if you can enable the Recovery Environment.
It will be needed to remove this infection.

Open FRST on the compromised computer:

Copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::

Screenshot of the FRST Fix button: http://i121.photobucket.com/albums/o239/kevinf80/Farbar%20Tools/frst%20b.jpg

On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad.
Copy and paste its content in your next reply.

Wait for further instructions.
<<<>>>

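The fixlist above tells FRST to run two bcdedit commands: one makes the boot manager show its menu, the other re-enables the recovery entry that this family of infections often switches off. The following script is an added example for readers of this thread; it is not part of nasdaq's instructions or of FRST, and it only reads the current state. It assumes English-language bcdedit and reagentc output ("Yes", "Enabled") and an elevated PowerShell prompt.

```powershell
# Added example, not part of the thread: verify the two BCD settings that the
# FRST fix above applies, and whether Windows RE itself is enabled.
# Run from an elevated PowerShell prompt; bcdedit and reagentc need admin rights.
# Assumption: English-language bcdedit/reagentc output ("Yes", "Enabled").

function Get-BcdValue {
    param(
        [Parameter(Mandatory)] [string] $Identifier,  # e.g. '{bootmgr}' or '{default}'
        [Parameter(Mandatory)] [string] $Element      # e.g. 'displaybootmenu'
    )
    # bcdedit /enum prints one "element   value" line per setting on the entry.
    # Passing the identifier through a variable avoids PowerShell parsing {bootmgr}.
    $lines = & bcdedit /enum $Identifier 2>&1
    foreach ($line in $lines) {
        if ($line -match "^\s*$Element\s+(\S+)") { return $Matches[1] }
    }
    return $null   # element not present on this entry
}

function Test-RecoveryBootSettings {
    $checks = @(
        @{ Entry = '{bootmgr}'; Element = 'displaybootmenu'; Expected = 'Yes' },
        @{ Entry = '{default}'; Element = 'recoveryenabled'; Expected = 'Yes' }
    )
    foreach ($c in $checks) {
        $actual = Get-BcdValue -Identifier $c.Entry -Element $c.Element
        [pscustomobject]@{
            Entry    = $c.Entry
            Element  = $c.Element
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected = $c.Expected
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'NEEDS FIX' }
        }
    }
}

function Get-WindowsReStatus {
    # reagentc /info reports a line "Windows RE status:   Enabled" (or Disabled).
    # The bcdedit fix is useless if WinRE itself has been disabled, so check both.
    $lines = & reagentc /info 2>&1
    foreach ($line in $lines) {
        if ($line -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    }
    return 'unknown (not elevated, or reagentc unavailable)'
}

Test-RecoveryBootSettings | Format-Table -AutoSize
"Windows RE status: $(Get-WindowsReStatus)"
```

If either row reports NEEDS FIX after the Fixlog says "The operation completed successfully", or WinRE shows Disabled, that is worth mentioning in the next reply before trying to boot to the recovery environment.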

Fix result of Farbar Recovery Scan Tool (x64) Version: 06.10.2018
Ran by DethEagle (06-10-2018 12:17:46) Run:2
Running from C:\Users\DethEagle\Downloads
Loaded Profiles: DethEagle (Available Profiles: DethEagle)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog 12:17:47 ====


Let's proceed:

Read all the instructions before proceeding.
Take your time and all should be well.

Preparing the USB Flash Drive

Boot up your spare PC:
Plug in the flash drive, navigate to that drive, right click on it direct and select format. Quick option is adequate.

Next,

On that same PC download the right version of the Farbar program for your system to the Desktop or the Flash Drive.
64-bit or 32-bit version. Select the one you need.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

If the files were saved on the Desktop, move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive.

How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64

Do not plug the Flash Drive into the sick PC until booted to Recovery Environment.

Boot the compromised PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference...

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10

Select in this order
"Troubleshoot" > "Advanced Options" > "Command Prompt"


Once in the command prompt

Plug your USB Flash Drive in the infected computer

In the command prompt, type notepad and press Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter
Note: Replace the letter e with the drive letter of your USB Flash Drive
FRST will open
Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Wait for further instructions.



Hi,

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Driver Support (HKLM-x32\...\DriverSupport) (Version: 10.1.4.86 - PC Drivers HeadQuarters LP) <==== ATTENTION
===

Your Firewall was showing as off in your Addition.txt log.
Turn ON if still off.
https://support.microsoft.com/en-us/instantanswers/c9955ad9-1239-4cb2-988c-982f851617ed/turn-windows-firewall-on-or-off
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Run Malwarebytes and delete any remnant entries found.

===

Let me know of any issues with this computer.

p.s.
I will be here when you answer back.
 

fixlist.txt


I'm currently working on running the fix list; however, before I continue I need to make sure I have to do the other parts of the list. I cannot uninstall "Driver Support." I get a message saying:

"An error occured while trying to uninstall Driver Support. It may have been uninstalled.

Would you like to remove Driver support from the Programs and Features list?"

I have not done that because I've got no idea where to find it to manually delete it.

Second, I cannot even access the Windows Defender Firewall. It won't load, is the best description I can come up with.  Might have to do with how I can't even access the internet on the infected computer anymore; some service(s) are not starting, so I don't even get the option to look at available networks.

And finally, in your instructions you have directed me to use the jump drive I used to run Farbar in the recovery environment (or so the first line of FRST.txt says). Should I again run it in recovery, or just straight off Windows?


So I ran FRST both in regular mode AND recovery mode. No change. No way to access the internet or Bluetooth, no firewall access, and I can't run Malwarebytes OR reinstall it. I have MBAR and Chameleon, but I don't know if I should run either (or if I can).

I've attached both Fixlog.txt and Fixlog Recov.txt.  The first one was done from the regular Windows environment, and the second one from the recovery environment using the command prompt.

Fixlog Recov.txt

Fixlog.txt



Hi,

I'm currently working on running the fix list, however before I continue I need to make sure I have to do the other parts of the list. I cannot uninstall "driver support." I get a message saying:

"An error occured while trying to uninstall Driver Support. It may have been uninstalled.
Would you like to remove Driver support from the Programs and Features list?"

I have not done that because I've got no idea where to find it to manually delete it.

p.s.
It's not important; the program is not running.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and save it to your Desktop.
If using Windows 7 or above, right-click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes or OK when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
  
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
===

Let me know if you can start the computer in Safe Mode, with and without the internet.


It's an empty entry in the Programs and Features list.
If you click Yes, the operating system will clean it.

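Farbar's Service Scanner reports the state of the networking, firewall, Security Center, Windows Update and Defender services, which is exactly what this infection disables to keep the victim offline and keep security tools from starting. As an added example for readers (my own script, not FSS, not Malwarebytes' tooling and not part of nasdaq's instructions), the following read-only PowerShell check reports the same kind of information and flags services that are disabled, missing, or not running. The service list is my own selection of commonly affected services, not FSS's exact list; it assumes PowerShell 5.0 or later (for the StartType property) and Windows 8 or later (for Get-NetFirewallProfile).

```powershell
# Added example, not part of the thread and not FSS itself: a read-only
# health check of the services this kind of infection breaks (networking,
# firewall, WMI, Security Center, Windows Update, Defender). It flags any
# service that is disabled, missing, or not running, and shows the firewall
# profile state. The service list is my own selection, not FSS's exact list.
# Requires PowerShell 5.0+ (Get-Service exposes StartType) and Windows 8+
# for Get-NetFirewallProfile; run elevated for complete results.

$coreServices = [ordered]@{
    'Dhcp'         = 'DHCP Client'
    'Dnscache'     = 'DNS Client'
    'nsi'          = 'Network Store Interface Service'
    'BFE'          = 'Base Filtering Engine'
    'MpsSvc'       = 'Windows Defender Firewall'
    'SharedAccess' = 'Internet Connection Sharing'
    'Winmgmt'      = 'Windows Management Instrumentation'
    'wscsvc'       = 'Security Center'
    'WinDefend'    = 'Windows Defender Antivirus Service'
    'wuauserv'     = 'Windows Update'
    'BITS'         = 'Background Intelligent Transfer Service'
    'VSS'          = 'Volume Shadow Copy'
    'EventLog'     = 'Windows Event Log'
}

# Services expected to be running whenever Windows is up. The others
# (Windows Update, BITS, VSS, ICS) start on demand, so "Stopped" is normal there;
# WinDefend is left out because a third-party AV legitimately stops it.
$alwaysRunning = 'Dhcp','Dnscache','nsi','BFE','MpsSvc','Winmgmt','wscsvc','EventLog'

function Get-CoreServiceHealth {
    foreach ($name in $coreServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # A missing core service means the registry key itself was removed.
            [pscustomobject]@{ Service = $name; Label = $coreServices[$name]
                               StartType = '(missing)'; Status = '(missing)'; Flag = 'MISSING' }
            continue
        }
        $flag = ''
        if ($svc.StartType -eq 'Disabled') {
            $flag = 'DISABLED'          # never normal for any service in this list
        } elseif ($svc.Status -ne 'Running' -and $alwaysRunning -contains $name) {
            $flag = 'NOT RUNNING'
        }
        [pscustomobject]@{
            Service   = $name
            Label     = $coreServices[$name]
            StartType = $svc.StartType
            Status    = $svc.Status
            Flag      = $flag
        }
    }
}

function Get-FirewallProfileState {
    try {
        Get-NetFirewallProfile -ErrorAction Stop | Select-Object Name, Enabled
    } catch {
        # When MpsSvc or WMI is broken this cmdlet fails outright, which matches
        # the "firewall won't load" symptom described in the thread.
        [pscustomobject]@{ Name = '(query failed)'; Enabled = $_.Exception.Message }
    }
}

Get-CoreServiceHealth | Format-Table -AutoSize
Get-FirewallProfileState | Format-Table -AutoSize
```

Anything in the Flag column is what a repair step such as "Restore Important Windows Services" or "Set Windows Service to Default Startup" is meant to put right; rerunning the check after the repair shows whether it worked without waiting for a full reboot cycle.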

In order:

I've gotten rid of that Driver Support program.  Glad that wasn't as painful a process as I started to think it would be.

The question of running FRST wasn't about what directory, because it's being run off a jump drive, but rather do I run it normally through Windows, or in the recovery environment using cmd? I've done both, and put up both logs. The one I ran regularly I left alone, but the one I ran in the recovery environment I re-labeled "Fixlog Recov.txt".

I cannot run Malwarebytes; it says something like "unable to connect to service."  I can't reinstall it through the downloaded installer either. Should I run Chameleon?

Lastly, here's the FSS log you requested. It looks like basically every service on there except Windows Update got screwed up.

FSS.txt


Hi,

Repair these services.

Boot with Safe Mode with Networking. Execute the following.

Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore Do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below

  • 01 - Repair Registry Permissions
  • 03 - Reset Service Permissions
  • 04 - Register System Files
  • 05 - Repair WMI
  • 10 - Remove Policies Set By Infections
  • 16 - Repair Windows Updates
  • 20 - Repair MSI (Windows Installer)
  • 25 - Restore Important Windows Services
  • 26 - Set Windows Service to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.


===

Restart the computer normally to reset the registry.

Let me know what problem persists.


 


So I'm a complete idiot, and in my rush to not be late to work I did not read the last bit there where you asked me to copy any errors and send them to you. However, there are some logs made by the Windows Repair tool.  On the other hand, it seems that this last step cleaned it all up. Well, most of it. So I shut down my laptop before I left, and as soon as I got back I immediately turned it on and let it load.  No Windows Process Manager stuff came up, wifi worked, nothing strange at all outside of cryptography going nuts and lots of notifications saying that my default browser was reset, etc. etc.  Reinstalled MBAM, ran a scan, and it popped up 1 item.  This was the one and only remnant, some oddly named file in AppData\Local.  This was the same one I threw so much shtuff at before I came here.  I deleted it myself, and then let MBAM clear it.  I do not know if I need to take any more steps; do you want me to run Farbar again or anything? Or those logs made by Windows Repair?


(4 weeks later)
Root Admin:

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
