Need fixlist.txt file made for windows process manager virus



A few days ago I somehow got a windows process manager virus. It also seems to have done something to my chrome browser. I have been following step by step on this Post which is almost identical to the issue I am having. I have gotten all the way to booting in advanced startup in order to run fixlist.txt on frst64 but I do not have a fix.txt file. I will provide some images of the situation and all the files that might be needed to help fix this. If someone is able to help me with this I would greatly appreciate it.

 

process manager.png

denied.png

virus.png

Fixlog.txt FRST.txt Addition.txt mbar-log-2019-04-14 (12-02-16).txt system-log.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I have identified a bad SmartService infection. The same type you found in the 2017 log.
The instructions have been changed. 

You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...
Let me know if you have access to these devices.

I need to know, before suggesting the fix, if you can enable the Recovery Environment.
It will be needed to remove this infection.

Open FRST on the compromised computer:

Copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::


On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad.
Copy and paste its content in your next reply.

Wait for further instructions.
<<<>>>

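As an added example (not from the thread, from nasdaq, or from the Farbar tools), this PowerShell snippet confirms that the two bcdedit settings in the FRST fix above actually took effect before the PC is rebooted into the Recovery Environment. It assumes an elevated prompt and an English-language bcdedit, which prints Yes/No for these values.

```powershell
# Added example, not part of the original post: verify the BCD settings the FRST fix changed.
# bcdedit refuses to enumerate the store from a non-elevated prompt.
function Get-BcdSetting {
    param([string]$Entry, [string]$Name)
    $lines = & bcdedit.exe /enum $Entry 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed for ${Entry}: $lines" }
    # Each row of bcdedit output is "<name><spaces><value>"; return the value for the requested name.
    foreach ($line in $lines) {
        if ($line -match "^\s*$Name\s+(\S.*)$") { return $Matches[1].Trim() }
    }
    return $null   # setting is not present in this entry at all
}

$checks = @(
    @{ Entry = '{bootmgr}'; Name = 'displaybootmenu' },   # first CMD: line of the fixlist
    @{ Entry = '{default}'; Name = 'recoveryenabled' }    # second CMD: line of the fixlist
)
$allOk = $true
foreach ($c in $checks) {
    $value = Get-BcdSetting -Entry $c.Entry -Name $c.Name
    $ok = $value -eq 'Yes'   # localized Windows builds print a translated word here
    if (-not $ok) { $allOk = $false }
    '{0,-12} {1,-16} {2}' -f $c.Entry, $c.Name, $(if ($ok) { 'OK' } else { "NOT SET ($value)" })
}
if (-not $allOk) { Write-Warning 'Re-run the FRST fix before attempting the Recovery Environment steps.' }
```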

I do have access to a spare pc and usb flash drive and I am able to boot into the recovery environment. I will paste the content of the log below and have attached the fixlog.txt file.

Quote

Fix result of Farbar Recovery Scan Tool (x64) Version: 15.04.2019 01
Ran by Beau (15-04-2019 16:09:20) Run:3
Running from C:\Users\Beau\Desktop
Loaded Profiles: Beau (Available Profiles: Beau & OVRLibraryService & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog 16:09:20 ====

 

Fixlog.txt


Let's proceed:

Read all the instructions before proceeding.
Take your time and all should be well.

Preparing the USB Flash Drive

Boot up your spare PC:
Plug in the flash drive, navigate to that drive, right click on it direct and select format. Quick option is adequate.

Next,

On that same PC download the right version of Farbar program for your system to Desktop or the Flash drive.
Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.

If the file was saved on the Desktop, move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive.


How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64

Do not plug the Flash Drive into the sick PC until booted to Recovery Environment.

Boot the compromised PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference...

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10.

Select in this order
"Troubleshoot" > "Advanced Options" > "Command Prompt"


Once in the command prompt

Plug your USB Flash Drive in the infected computer

In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
Note: Replace the letter e with the drive letter of your USB Flash Drive
FRST will open
Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Wait for further instructions.


Hi,

Please boot to normal mode and run this fix.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome

Open Google Chrome, click on the menu icon (the 3 vertical dots located at the top right side of Google Chrome).

Click "Settings" then "Show advanced settings" at the bottom of the screen.

Click "Reset and clean up" > "Restore settings to their original defaults"

Restart Chrome.
<<<>>>

Please post the Fixlog.txt and let me know what problem persists.

===========

p.s.
If unable to boot to Normal Mode boot to Safe Mode with Networking and run the fix.

When the local computer boots after the fix please run Malwarebytes and delete all reported items.
Restart the computer when completed.

Run the Farbar program and post fresh FRST.TXT and Addition.txt logs for my review.
Make sure that the box to create an Addition.txt is marked to create a fresh log.

Let me know what problem persists.


 

fixlist.txt


When I click a link in another application on my computer like Discord, Slack, etc., Chrome does not open up the link I click on anymore. I am not sure about the other browsers because I never use them, but when I used to open links they would automatically open in Chrome and now they do not. The only link I have gotten to automatically open when clicked is Gyazo image capture, which is now opening in Internet Explorer even though it used to open in Chrome and Chrome is still the default browser. Also the Chrome icon is gone; I will attach a picture.

Chrome icon gone


Hi,

Your copy of Chrome may have been compromised

Remove and re-install Chrome

Step 1: Remove Chrome from your Computer and reinstall a fresh copy later.

Step 2: If you remove the syncing of your account, you must remove it before you save your bookmarks etc...
Delete Your Google Chrome Browser Sync Data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Step 3: Before you remove Chrome, export your Bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.
How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Step 4: Before you remove Chrome, export your Passwords.
How to export your saved passwords from Chrome
https://betanews.com/2018/03/09/export-chrome-passwords/

Step 5: Clear your Chrome cache and cookies.
https://support.google.com/chromebook/answer/183083?hl=en

Step 6: Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Step 7: Re-install Chrome and the Bookmarks.
<<<>>>

How is it now?


Hi,

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and save it to your Desktop.
If using Windows 7 or above, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
  
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
===


Here are the FSS.txt contents 

Quote

Farbar Service Scanner Version: 27-01-2016
Ran by Beau (administrator) on 24-04-2019 at 16:23:04
Running from "D:\Downloads"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Policy: 
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy: 
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1903.4-0\MsMpEng.exe"".


Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

 


Hi,

This should enable it.

Copy all the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "All files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Quote

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"-

 

Restart the computer when completed.

You can delete the fixme.reg file when done.
 

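As an added example (not from the thread, from nasdaq, or from the Farbar tools), this PowerShell script reproduces the three Defender checks that the FSS log reported (the DisableAntiSpyware policy value, the WinDefend start type, and whether the service ImagePath is digitally signed) and, only when asked, applies the same change as fixme.reg. It assumes an elevated prompt; the function names are my own.

```powershell
# Added example, not part of the original post: audit and (on request) repair the Defender
# tampering that FSS flagged. Run from an elevated PowerShell prompt.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-DefenderTamperState {
    $policy = Get-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'"
    $disable = $null; $mode = 'missing'; $state = 'missing'; $exe = $null; $sig = 'n/a'
    if ($policy) { $disable = $policy.DisableAntiSpyware }   # $null means the value is absent (healthy)
    if ($svc) {
        $mode = $svc.StartMode      # WMI reports 'Manual' where FSS prints 'Demand'; default is 'Auto'
        $state = $svc.State
        $exe = $svc.PathName.Trim('"')   # PathName is quoted, exactly as shown in the FSS log
        if (Test-Path $exe) { $sig = (Get-AuthenticodeSignature -FilePath $exe).Status }
    }
    [pscustomobject]@{ DisableAntiSpyware = $disable; StartMode = $mode; State = $state
                       ImagePath = $exe; SignatureStatus = $sig }
}

function Repair-DefenderTamperState {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $s = Get-DefenderTamperState
    if ($s.DisableAntiSpyware -eq 1 -and $PSCmdlet.ShouldProcess($PolicyKey, 'Remove DisableAntiSpyware')) {
        # Equivalent of the "DisableAntiSpyware"- line in fixme.reg: delete the value rather than set it to 0.
        Remove-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware
    }
    if ($s.StartMode -ne 'Auto' -and $PSCmdlet.ShouldProcess('WinDefend', 'Set start type to Automatic')) {
        try { Set-Service -Name WinDefend -StartupType Automatic }
        catch { Write-Warning "Could not change WinDefend start type (Tamper Protection may block it): $_" }
    }
}

$current = Get-DefenderTamperState
$current | Format-List
if ($current.DisableAntiSpyware -eq 1 -or $current.StartMode -ne 'Auto' -or $current.SignatureStatus -ne 'Valid') {
    Write-Warning 'Defender has been altered; review the output, then run Repair-DefenderTamperState -WhatIf before applying.'
}
```

A DisableAntiSpyware value of 1 under the Policies key is the FSS finding that matters here; removing the value, as fixme.reg does, restores the default rather than pinning it to 0.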

Hi,

Please run the Farbar Service Scanner.

Is this still being reported?

Windows Defender Disabled Policy: 


==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Is this "DisableAntiSpyware"=DWORD:1 still there or has it been changed to zero ( 0 )?
===

Can this article help?
https://www.thewindowsclub.com/windows-defender-settings-windows-10

Check the setting if you can.

===

If still an issue, tell me, did you previously install a virus protection program?

Is Chrome synced with other devices?


I have just run the Farbar tool again and there is still a 1 instead of a 0. I have no other virus protection installed or active besides Windows Defender, and my Chrome is not synced with any other device. Nothing in the article allowed me to access the virus and threat protection part of Windows Defender; it still will just tell me this (image). I did not have this problem ever until the virus had made its way onto my computer, and even then it still did not immediately do this because I initially was using it to quarantine and delete any processes I saw come up. All my other problems have been solved except for this one. The reason this is such a big problem for me now is that I had to reinstall a program specific to my work that I had to make an exception for on Defender before (it recognizes it as a trojan even though it is not), and since I can't access Defender to make this exception again, Windows will not allow me to use the application and I have no way of allowing it. Any other suggestions on what I could do would be very appreciated, thanks.


Update: Just had this window pop up in the corner of my screen. I have never had McAfee or any other virus protection, so I know this is false. It would not let me take a screenshot of it, so I had to take a picture of the screen from my phone (image). I tried to connect to the site that was showing in the pop up to see what it was and it denied my connection (image).


Sorry for the late response, I have been away. I was able to stop those ads from popping up in Chrome, but now every few days my cursor will randomly drag itself into the bottom left corner of my display and will not let me move it unless I restart my PC. I appreciate all the help so far.


Hi,

Your mouse may be going bad.

Change it and if the problem remains run this program.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Wait for further instructions

 

 
