degao Posted November 3, 2018 ID:1279061 Share Posted November 3, 2018 Hi, please help. see attach docs. FRST.txt Addition.txt log_malwarebytes.txt Link to post Share on other sites More sharing options...
nasdaq Posted November 3, 2018 ID:1279081 Share Posted November 3, 2018 Hello, Welcome to Malwarebytes. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed. === I have identified a bad SmartService infection. You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC... Let me know if you have these access to these devices. I need to know first if you can enable the Recovery Environment. It will be needed to remove this infection. Open FRST on the compromised computer: copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply. Start:: CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes CMD: bcdedit.exe /set {default} recoveryenabled yes End:: http://i121.photobucket.com/albums/o239/kevinf80/Farbar%20Tools/frst%20b.jpg&key=98f8e4fa906452a8ed54423fd0407a3d120fe6064437244ca29c06ed5f968755] On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad Copy and paste its content in your next reply. Wait for further instructions. <<<>>> Link to post Share on other sites More sharing options...
degao Posted November 3, 2018 Author ID:1279099 Share Posted November 3, 2018 Yes I have clean laptop and USB drive. please see result from FRST Fixlog.txt Link to post Share on other sites More sharing options...
nasdaq Posted November 4, 2018 ID:1279230 Share Posted November 4, 2018 Hi, Lets proceed: Read all the instructions before proceeding. Take your time and all should be well. Preparing the USB Flash Drive Boot up your spare PC: Plug in the flash drive, navigate to that drive, right click on it direct and select format. Quick option is adequate. Next, On that same PC download the right version of Farbar program for your system to Desktop or the Flash drive. 64-bit or 32 bit version. Select the one you need.https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ If the files were saved on the Desktopl Move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64 Do not plug the Flash Drive into the sick PC until booted to Recovery Environment. Boot the compromised PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference... To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10 Select in this order"Troubleshoot" > "Advance Options" > "Command Prompt" Once in the command prompt Plug your USB Flash Drive in the infected computer In the command prompt, type notepad and press on Enter Notepad will open. Click on the File menu and select Open Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe and press on EnterNote: Replace the letter e with the drive letter of your USB Flash Drive FRST will open Click on Yes to accept the disclaimer Click on the Scan button and wait for the scan to complete A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply. p.s. If at any time you need additional information please ask before proceeding. Wait for further instructions. Link to post Share on other sites More sharing options...
degao Posted November 4, 2018 Author ID:1279249 Share Posted November 4, 2018 please see attachedAddition.txt FRST.txt Link to post Share on other sites More sharing options...
nasdaq Posted November 4, 2018 ID:1279257 Share Posted November 4, 2018 Hi, The instructions were to boot to the Recovery Console, not safe mode. Please repeat the instructions. p.s. The Farbar program downloaded to your flash drive may have been compromised. Please delete the current version and get a fresh version before you mount it to the compromised computer. Link to post Share on other sites More sharing options...
degao Posted November 4, 2018 Author ID:1279264 Share Posted November 4, 2018 ok my mistake. i reformatted the USB and ran it in recovery now. please see attached FRST.txt Link to post Share on other sites More sharing options...
nasdaq Posted November 5, 2018 ID:1279401 Share Posted November 5, 2018 Hi, Remove this program in bold via the Control Panel > Programs > Programs and Features.CPUID CPU-Z 1.78 (HKLM\...\CPUID CPU-Z_is1) (Version: - ) <==== ATTENTION This version is not signed and could be compromised. If you still need it get it from this site.https://www.cpuid.com/ === Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the FRST.txt log you have submitted. Run FRST and click Fix only once and wait. The tool will create a log (Fixlog.txt) please post it to your reply. === Please run the Malwarebytes and clean everything that will be found. Run the Farbar program is normal mode and post a fresh FRST.txt log for my review. Let me know of any issues with this computer. fixlist.txt Link to post Share on other sites More sharing options...
degao Posted November 5, 2018 Author ID:1279428 Share Posted November 5, 2018 Hi, Just to clarify. remove the program in normal mode. Do I Run the fix in recovery mode or normal mode? then run Malwarebytes and scan for Farbar in normal mode as well? thank you in advance. Dennis Link to post Share on other sites More sharing options...
nasdaq Posted November 5, 2018 ID:1279455 Share Posted November 5, 2018 Quote Do I Run the fix in recovery mode or normal mode? then run Malwarebytes and scan for Farbar in normal mode as well? Do all in normal mode. Link to post Share on other sites More sharing options...
degao Posted November 6, 2018 Author ID:1279499 Share Posted November 6, 2018 please see attached files. the malwarebyte scan keep getting a trojan.clicker in the registry is that something to be concerned of? I have deleted that before. Fixlog.txt log_malwarebytes_11_5_18.txt FRST.txt Addition.txt Link to post Share on other sites More sharing options...
nasdaq Posted November 6, 2018 ID:1279621 Share Posted November 6, 2018 (edited) Hi, Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the FRST.txt log you have submitted. Run FRST and click Fix only once and wait. The tool will create a log (Fixlog.txt) please post it to your reply. === Quote Registry Key: 1 Trojan.Clicker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\msidntfs, Quarantined, [2584], [433331],1.0.7711 This could be a Syncing issue. If you are Syncing Firefox it with other Devices remove it.https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer When all is well you can re-sync your devices. NOT NOW. <<<>>> How is the computer's performance? fixlist.txt Edited November 6, 2018 by nasdaq Link to post Share on other sites More sharing options...
degao Posted November 6, 2018 Author ID:1279627 Share Posted November 6, 2018 ok thanks for the reply. I will stop using firefox till we are done here. However, I am not even signed into firefox for syncing. please see attached fixlog Fixlog.txt Link to post Share on other sites More sharing options...
degao Posted November 6, 2018 Author ID:1279628 Share Posted November 6, 2018 computer is running much more smoothly and faster btw Link to post Share on other sites More sharing options...
nasdaq Posted November 6, 2018 ID:1279670 Share Posted November 6, 2018 Glad we could help. Link to post Share on other sites More sharing options...
degao Posted November 7, 2018 Author ID:1279712 Share Posted November 7, 2018 are we done with extracting the virus? Link to post Share on other sites More sharing options...
nasdaq Posted November 7, 2018 ID:1279794 Share Posted November 7, 2018 Yes unless you do have other issues? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 19, 2018 Root Admin ID:1282156 Share Posted November 19, 2018 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts