Jump to content

Recommended Posts

(https://pastebin.com/Npxh265M) FRST

 (https://pastebin.com/tsheYtuC) Addition (contains suspicious items)

 

I can provide a link to a quora member's post that infected me with this very persistant rootkit.

Share this post


Link to post
Share on other sites

Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please attach reports as we go along.


We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

Share this post


Link to post
Share on other sites

Could you clarify what is blocked ?

You should be able to use the attach feature when you do a Reply on this forum.

Just click on the choose files link at the bottom left   of the reply box.   Look at the bottom left.

Share this post


Link to post
Share on other sites

Please read all of the directions below so that you get familiar with the overall steps.   You will need a clean working computer to do the downloads, and a USB-en-thumb drive in order to transfer some files to the infected machine.

 

This infection can only be removed in the Recovery Environment because it has an active rootkit driver prevented security tools from removing it normally.

Please do the following:

The next part of the process involves using a different computer to download a file and transferring that file onto a USB drive.

 

please save FRST64.exe and the attached fixlist to a USB stick, then we'll use that on the infected PC once it is booted into the Recovery Environment of Windows

Download FRST64.exe from this link > save to a USB
 



The instructions appear to be intimidating, but if you work through the steps you will be able to do it.

Select the Windows key and X key together, from the xmenu select Command Prompt (Admin)

At the prompt either type or copy/paste the following commands, select enter after each command:

bcdedit.exe /set {bootmgr} displaybootmenu yes
bcdedit.exe /set {default} recoveryenabled yes
Exit

Now we need to boot to the recovery environment and remove the infection from there:



NEXT

(Note: do not insert the USB into the infected PC until you are successfully booted to the recovery Environment.

Boot to the Recovery Console's Command prompt in the infected computer. (this is not the same as safe mode)

To enter the Recovery Environment 

1. Right click the windows logo lower left corner of your screen > choose Command Prompt (Admin)
2. Type the command below, and press Enter.
shutdown /r /o /f /t 00
The PC will now boot to the recovery options
Click Troubleshooting and then Advanced options to bring up the repair options.

Now click on command Prompt

choose your account to continue and enter the password to log into the account (if you use one.)

Insert the USB drive containing FRST64.exe and the Fixlist.txt

At the command prompt > type in notepad and press enter 

when the notepad opens > Under File > select Open > Select "This PC" and find your flash drive letter and close the notepad.
Now back in the command window type e:\frst64.exe and press Enter 


Note: Replace letter with the drive letter of your flash drive.

The tool will start to run. Now, there are 2 procedures to do, both with FRST64
A ) press the Scan button. That will deactivate the rootkit.

B } once the scan is finished, now press the Fix button.

These actions will make two logs, a Fixlog.txt and a FRST.txt log in the flash drive.Please attach those once booted back to normal mode.

If you have trouble getting into the recovery environment with these instructions, try the following batch file:

Please download boot_into_RE.bat using this link.
Open your Downloads folder.
Right-click boot_into_RE_2.bat and select Run as administrator to run the file.
Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway.

 

A black Command Prompt window will appear.
When prompted to consent, type Y and press Enter on your keyboard. Repeat again when prompted.
Your computer will automatically boot into the Recovery Environment.


Once in the Recovery Environment, click Troubleshoot.
Click Advanced Options followed by Command Prompt.
Select your account and enter your password if you have one.

Now inset the USB stick where the FRST64 program is saved.

Follow the remaining instructions above.

 

.

I do have a question:  Did you download & install any sort of free stuff on or about June 25 around 2 AM ?

Did you get something named " Optimizer " on June 25 ?

Sincerely,

Fixlist.txt

Share this post


Link to post
Share on other sites

P.S.   I noticed TDSSKILLER & mbar on the pc.  Be sure to not self-medicate on this case.  Do not run tools on your own as long as this case is on-going.

IF you are getting help on this elsewhere, kindly stop and let me know.  Dont make changes on your own please.

Share this post


Link to post
Share on other sites

Could you see if a friend, relative, neighbor, acquaintance is amenable to letting you use their system to do the 2 downloads?

That is so important.

Share this post


Link to post
Share on other sites

Sir, may you please just email it to me or reupload it? I'm suffering from circumstances right now that prohibit that.

Share this post


Link to post
Share on other sites

The issue is, if you were to get the files thru the infected machine, it is going to corrupt the files.

You need to borrow a clean working machine, and  have a clean USB-flash-thumb drive.   save the files to the USB, and then from there, transfer to the infected machine.

Share this post


Link to post
Share on other sites

No I can send files through email it's literally just this website that is blocked. It doesn't block the use of recovery tools just this website.

Share this post


Link to post
Share on other sites

If you read the reply I made on Wednesday, the links are there on it.  If you can read it, you can use the links.

Share this post


Link to post
Share on other sites

See your personal mail   ( PM )

Share this post


Link to post
Share on other sites

Hello,  Just checking in.   Have you managed to make progress?

Share this post


Link to post
Share on other sites

Hey, sorry, been busy. I didn't get any results with malwarebytes. Can you just analyze my FRST logs? This is a rootkit, I'm computer savvy and have tried many methods at remedying this

Share this post


Link to post
Share on other sites

This infection calls for running the procedures just as I had listed on July 3rd.

You have got to be able to do the steps as outlined.   The major goal is to run the FRST fix  by getting to run it off the USB flash drive.

This pc has a serious smartservice infection.   The only way to get it removed is by following the directions posted July 3.

 

Share this post


Link to post
Share on other sites

Tell me, did you follow my suggested steps?

If so, can you attach a copy of the FIXLOG.txt .

and

I would like you to run Malwarebytes Anti-Rootkit (MBAR)

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from here this link

and save it to your desktop.

 

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
 

 

Share this post


Link to post
Share on other sites

It has been 8 days since your last post.  I hope you are doing good.

Share this post


Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.