Jump to content

Recommended Posts

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I have identified a bad SmartService infection.

You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...
Let me know if you have access to these devices.

I need to know before suggested the fix if you can enable the Recovery Environment.
It will be needed to remove this infection.

Open FRST on the compromised computer:

copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::

http://i121.photobucket.com/albums/o239/kevinf80/Farbar%20Tools/frst%20b.jpg&key=98f8e4fa906452a8ed54423fd0407a3d120fe6064437244ca29c06ed5f968755]

On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
Copy and paste its content in your next reply.

Wait for further instructions.
<<<>>>

Link to post
Share on other sites

Thank you for responding!  Yes, I have access to a spare computer and USB flash drive that have not been in contact with the infected computer.  Here is the text:

Fix result of Farbar Recovery Scan Tool (x64) Version: 25.02.2019 01
Ran by kfant (26-02-2019 13:59:42) Run:1
Running from C:\Users\kfant\OneDrive\Desktop
Loaded Profiles: kfant (Available Profiles: kfant & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog 13:59:43 ====

 

Fixlog.txt

Link to post
Share on other sites

Hi,

Lets proceed:

Read all the instructions before proceeding.
Take your time and all should be well.

Preparing the USB Flash Drive

Boot up your spare PC:
Plug in the flash drive, navigate to that drive, right click on it direct and select format. Quick option is adequate.

Next,

On that same PC download the right version of Farbar program for your system to Desktop or the Flash drive.
64-bit or 32 bit version. Select the one you need.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

If the files were saved on the Desktopl Move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive 
 
 

Quote

How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64

Do not plug the Flash Drive into the sick PC until booted to Recovery Environment.

Boot the compromised PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference...

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10

Select in this order
"Troubleshoot" > "Advance Options" > "Command Prompt"

Once in the command prompt

Plug your USB Flash Drive in the infected computer

In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe and press on Enter
Note: Replace the letter e with the drive letter of your USB Flash Drive
FRST will open
Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Wait for further instructions.
 

Link to post
Share on other sites

Also, does this mean that flash drives that have come in contact with the infected computer are no longer safe to use?  I used a flash drive to install the original copy of the Farber program rather than connecting that computer to the internet to download it directly.  I just want to know if I should throw it away.

Link to post
Share on other sites

If you did the fix in the Recovery environment the flash drive will not be compromised.

The fix will create a Fixlog.txt that will not be compromised.

Reboot normally and post the Fixlog.txt from the Fla;sh driver to this topic.

Let me know how the computer working in normal mode.

 

Link to post
Share on other sites

Hi,

Looking better.

Some other work needs to be done.

Please run the Farbar program in normal mode and post Fresh FRST.TXT and Addition.txt logs for my review.

Let me know what problem persists.

p.s.

You can run Malwarebytes and delete all the items found before running the Farbar program.

Link to post
Share on other sites

I ran Malwarebytes and it was able to quarantine all but 2 of the items (I deleted all in quarantine).  I am attaching that log too.  I am a little confused because your instructions told me to run a scan in the recovery environment, not a fix.  Here are the FRST and addition logs produced from the scan in normal mode.

malwarebytes 2-28.txt

FRST.txt

Addition.txt

Link to post
Share on other sites

Hi,

You may have been infected by a new version of the SmartService

A new version of the Farbar program is now available and should remove it.

Delete the Farbar version now on your Flash Drive.

Using a clean computer download to the Flash Drive the new version.

Then Start Recovery Environment on the compromised computer.

Only when ou are in the Recovery Environment can the mount the Flash drive. Follow the instructions listed in Post no. 4.

Read the instructions again and follow them carefully.

Post the FRST.TXT log that will be created.

Link to post
Share on other sites

Hi,

Good work, lets clean the rest.

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
NativeDesktopMediaService (HKLM-x32\...\{FC44DE72-60F9-4BC1-B098-D2F6B5A06187}) (Version: 3.5.0 - Jetmedia) <==== ATTENTION
WinVPN (HKLM\...\{EF9BEECA-275E-46B8-AF4F-FD5F398722E6}) (Version: 1.0.1 - WinSoft)

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Scan the compute with Malwarebytes and delete all items that will be reported.

===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt

Link to post
Share on other sites

Hi,

Is the folder in bold still in your computer?

C:\USERS\KFANT\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\

Is there any files in the folder?

===

It may be a Syncing issues with Edge an other devices you may be using.

Check it out.

https://www.tenforums.com/tutorials/36286-turn-off-sync-favorites-reading-list-microsoft-edge.html
===

Link to post
Share on other sites

Yes, I did find the folder you listed on the computer.  It says that it has 1,961 files, 854 folders in it.  I followed the instructions on the page you linked to turn off syncing.  Syncing was on even though there weren’t any devices configured to sync with the computer.

Link to post
Share on other sites

Hi,

Let me check what is in that folder.

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
 

fixlist.txt

Link to post
Share on other sites

Hi,

There is nothing suspicious in the C:\USERS\KFANT\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences\ folder.

To remove it step1.gif Remove Chrome from your Computer and reinstall a fresh copy later.

step2.gifIf you remove the syncing of your account you must remove it before you save your bookmarks etc...
Delete Your Google Chrome Browser Sync Data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

step3.gif Before you remove Chrome Export your Bookmarks
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.
How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

step4.gif Before you remove Chrome Export your Passwords
How to export your saved passwords from Chrome
https://betanews.com/2018/03/09/export-chrome-passwords/

step5.gif Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

step6.gif Remove Chrome using the the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

step7.gif Re-install Chrome and the Bookmarks.
<<<>>>

Keep me posted.
 

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.