fuqthupreme

Need fixlist.txt file made for windows process manager virus


A few days ago I somehow got a Windows Process Manager virus. It also seems to have done something to my Chrome browser. I have been following step by step on this post, which is almost identical to the issue I am having. I have gotten all the way to booting into advanced startup in order to run fixlist.txt on FRST64, but I do not have a fix.txt file. I will provide some images of the situation and all the files that might be needed to help fix this. If someone is able to help me with this I would greatly appreciate it.

 

process manager.png

denied.png

virus.png

Fixlog.txt FRST.txt Addition.txt mbar-log-2019-04-14 (12-02-16).txt system-log.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I have identified a bad SmartService infection. The same type you found in the 2017 log.
The instructions have been changed. 

You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...
Let me know if you have access to these devices.

I need to know, before suggesting the fix, whether you can enable the Recovery Environment.
It will be needed to remove this infection.

Open FRST on the compromised computer:

Copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::

http://i121.photobucket.com/albums/o239/kevinf80/Farbar%20Tools/frst%20b.jpg&key=98f8e4fa906452a8ed54423fd0407a3d120fe6064437244ca29c06ed5f968755

On completion, a message will come up saying that the fix has been completed and it will open a log in Notepad.
Copy and paste its content in your next reply.

Wait for further instructions.
<<<>>>

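As an added example (not part of the thread and not Farbar's code), the following PowerShell reads back the two BCD elements that the fixlist above sets, so a helper can confirm the Recovery Environment really is reachable before asking the user to boot into it. It assumes an elevated prompt (bcdedit needs it) and an English Windows, where bcdedit prints the value as "Yes".

```powershell
# Added example: verify the BCD settings written by the FRST fix
#   bcdedit.exe /set {bootmgr} displaybootmenu yes
#   bcdedit.exe /set {default} recoveryenabled yes
# Run from an elevated PowerShell; bcdedit refuses to enumerate otherwise.

function Get-BcdElement {
    param(
        [Parameter(Mandatory)] [string] $Identifier,   # e.g. '{bootmgr}' or '{default}'
        [Parameter(Mandatory)] [string] $Element       # e.g. 'recoveryenabled'
    )
    # bcdedit prints one "name   value" pair per line; return the value of the
    # requested element, or $null when the element is not set on that entry.
    $lines = & bcdedit.exe /enum $Identifier 2>&1
    foreach ($line in $lines) {
        if ("$line" -match "^\s*$([regex]::Escape($Element))\s+(.+?)\s*$") {
            return $Matches[1]
        }
    }
    return $null
}

function Get-RecoveryBootCheck {
    # One row per element the fix touches; 'Yes' is the English bcdedit display value.
    $checks = @(
        @{ Id = '{bootmgr}'; Element = 'displaybootmenu'; Expected = 'Yes' },
        @{ Id = '{default}'; Element = 'recoveryenabled'; Expected = 'Yes' }
    )
    foreach ($c in $checks) {
        $actual = Get-BcdElement -Identifier $c.Id -Element $c.Element
        [pscustomobject]@{
            Entry    = $c.Id
            Element  = $c.Element
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            OK       = ($actual -eq $c.Expected)
        }
    }
}

$results = Get-RecoveryBootCheck
$results | Format-Table -AutoSize

# reagentc reports whether the WinRE image itself is registered; the BCD flags
# alone do not guarantee the "Advanced options" menu will offer a Command Prompt.
(& reagentc.exe /info 2>&1) | Where-Object { "$_" -match 'Windows RE status' }

if ($results.OK -contains $false) {
    Write-Warning 'Recovery Environment is not fully enabled; re-run the FRST fix before booting to WinRE.'
}
```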

I do have access to a spare PC and USB flash drive, and I am able to boot into the Recovery Environment. I will paste the content of the log below and have attached the fixlog.txt file.


Fix result of Farbar Recovery Scan Tool (x64) Version: 15.04.2019 01
Ran by Beau (15-04-2019 16:09:20) Run:3
Running from C:\Users\Beau\Desktop
Loaded Profiles: Beau (Available Profiles: Beau & OVRLibraryService & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog 16:09:20 ====

 

Fixlog.txt


Let's proceed:

Read all the instructions before proceeding.
Take your time and all should be well.

Preparing the USB Flash Drive

Boot up your spare PC:
Plug in the flash drive, navigate to that drive, right-click on it directly and select Format. The Quick option is adequate.

Next,

On that same PC download the right version of Farbar program for your system to Desktop or the Flash drive.
Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.

If the file was saved on the Desktop, move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive.


How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64

Do not plug the Flash Drive into the sick PC until booted to Recovery Environment.

Boot the compromised PC to the Recovery Environment. If you are unsure of that action, have a read of the following link; maybe bookmark it for future reference...

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10

Select in this order
"Troubleshoot" > "Advanced Options" > "Command Prompt"


Once in the command prompt

Plug your USB Flash Drive in the infected computer

In the command prompt, type notepad and press Enter.
Notepad will open. Click on the File menu and select Open.
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad.
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter.
Note: Replace the letter e with the drive letter of your USB Flash Drive.
FRST will open
Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Wait for further instructions.


Hi,

Please boot to normal mode and run this fix.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome

Open Google Chrome and click on the menu icon (the 3 vertical dots at the top right of Google Chrome).
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset and clean up" > "Restore settings to their original defaults"
 
Restart Chrome.
<<<>>>

Please post the Fixlog.txt and let me know what problem persists.

===========

p.s.
If unable to boot to Normal Mode boot to Safe Mode with Networking and run the fix.

When the local computer boots after the fix, please run Malwarebytes and delete all reported items.
Restart the computer when completed.

Run the Farbar program and post fresh FRST.TXT and Addition.txt logs for my review.
Make sure that the box to create an Addition.txt is marked, to create a fresh log.

Let me know what problem persists.


 

fixlist.txt


Looks to be all clean, thank you very much. The only issue I have is that the Chrome icon is gone; I'm not sure why, but I have reset Chrome and it seems to be working fine besides this.

Fixlog.txt


I have also just found that I am having an issue clicking any links outside of Chrome; they just do not open at all when I click on them.


Can you please elaborate on what you are doing?

Do you have problems with other Browsers?


When I click a link in another application on my computer, like Discord, Slack, etc., Chrome does not open the link I click on anymore. I am not sure about the other browsers because I never use them, but when I used to open links they would automatically open in Chrome, and now they do not. The only link I have gotten to automatically open when clicked is a Gyazo image capture, which is now opening in Internet Explorer even though it used to open in Chrome, and Chrome is still the default browser. Also, the Chrome icon is gone; I will attach a picture.

Chrome icon gone


Hi,

Your copy of Chrome may have been compromised.

Remove and re-install Chrome

Step 1. Remove Chrome from your computer and reinstall a fresh copy later.

Step 2. If you use syncing on your account, you must remove it before you save your bookmarks, etc.
Delete your Google Chrome browser sync data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Step 3. Before you remove Chrome, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.
How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

Step 4. Before you remove Chrome, export your passwords.
How to export your saved passwords from Chrome:
https://betanews.com/2018/03/09/export-chrome-passwords/

Step 5. Clear your Chrome cache and cookies.
https://support.google.com/chromebook/answer/183083?hl=en

Step 6. Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Step 7. Re-install Chrome and the bookmarks.
<<<>>>

How is it now?


My Chrome problem is solved, thank you, but one last thing: the virus locked me out of my Windows Defender settings, so now I no longer have access to it. Here is a picture showing the problem.


Hi,

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and save it to your Desktop.
If using Windows 7 or above, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes/OK when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run from.
Copy & paste the contents of FSS.txt into your reply.
===

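As an added example (not part of the thread and not Farbar's tool), this read-only PowerShell reports on the same service groups the FSS checklist above covers, and looks for the Defender policy value that most often explains settings the user can no longer reach. Service names are the standard Windows ones; the mapping to FSS groups and the "Suspicious" rule are my own assumptions, and the StartType property needs PowerShell 5 or later.

```powershell
# Added example: quick post-cleanup state check of the services FSS reports on.
# Read-only; run from an elevated PowerShell so every service is visible.

# Service name -> FSS group it belongs to (grouping assumed, not FSS's own list).
$servicesToCheck = @{
    'Dhcp'      = 'Internet Services (DHCP Client)'
    'Dnscache'  = 'Internet Services (DNS Client)'
    'MpsSvc'    = 'Windows Firewall'
    'VSS'       = 'System Restore (Volume Shadow Copy)'
    'wscsvc'    = 'Security Center/Action Center'
    'wuauserv'  = 'Windows Update'
    'BITS'      = 'Windows Update (Background Transfer)'
    'WinDefend' = 'Windows Defender'
}

function Get-SecurityServiceReport {
    foreach ($name in ($servicesToCheck.Keys | Sort-Object)) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service    = $name
            Group      = $servicesToCheck[$name]
            Status     = if ($svc) { $svc.Status }    else { 'MISSING' }
            StartType  = if ($svc) { $svc.StartType } else { 'n/a' }
            # A missing or disabled security service after an infection is worth a look.
            Suspicious = (-not $svc) -or ($svc.StartType -eq 'Disabled')
        }
    }
}

function Get-DefenderPolicyLock {
    # Group Policy location Defender honours over its own UI; when DisableAntiSpyware
    # is 1 the Defender settings pages are greyed out, which matches the symptom above.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $item  = Get-ItemProperty -Path $policyPath -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue
    $value = if ($item) { $item.DisableAntiSpyware } else { $null }
    [pscustomobject]@{
        Path   = $policyPath
        Value  = 'DisableAntiSpyware'
        Data   = if ($null -eq $value) { '(absent)' } else { $value }
        Locked = ($value -eq 1)
    }
}

Get-SecurityServiceReport | Format-Table -AutoSize
Get-DefenderPolicyLock    | Format-List
```

A "Locked = True" result points at a policy override rather than a broken service, so it is reported separately from the service table.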
