
Can't delete a virus located in my system32 folder


Hamada

Hello,

A week ago, I tried to download a file from the internet. When I clicked it, pop ups from websites started to open up every five minutes. I somehow managed to uninstall and delete the most part of the "corrupted" files but one stuck in my system 32 folder. Specifically in this location: C:\Windows\System32\drivers

The name of the file is c3Xi0d1.sys

Then I noticed that all my files were encrypted (.stax) and Windows Defender is turned off so I searched online for a solution and turns out it is a STOP/djvu ransomware and I should first remove the ransomware so I did a scan with Malwarebytes and it detected a lot of malware so I pressed Quarantine but i did a scan with HitmanPro too to make sure everything is OK. Unfortunately, the file above came as malware and I tried removing it but I got Access Denied Even though I am an Administrator. I tried to delete it with safe mode but failed too     

Addition.txt FRST.txt Malwarebytes scan.txt


Hello.

Malwarebytes has no decrypter for any file encrypted by any ransomware.

I notice that this pc has HitmanPro, Zemana, IObit Unlocker, SpyHunter5


The presence of the file C:\WINDOWS\system32\Drivers\c3Xi0d1.sys  is the least of your problems.  It is possible to attempt to unlock & possibly to remove it, but it will have no effect as to the files encrypted by the ransomware.


Files encrypted by ransomware cannot be "read" or used normally once they are encrypted.  Encryption means that the ransomware has physically changed the file so you cannot access it.  

Malwarebytes has no decrypter. We cannot recover any of your encrypted files.  We have no magical tool.
User files or documents or images damaged by the encrypting ransomware cannot be cured ( or fixed) by malwarebytes.

You could recover your damaged files from a offline backup ( that you had made from before this ransomware incident). Offline backup is your friend.
Do you have a old offline backup of your machine?

I take it that this pc did not have installed , prior to the ransomware incident, the Premium Malwarebytes. Had the case been that the pc did have the Premium Malwarebytes beforehand, the malicious ransomware would have been stopped.

Look on your Desktop and or your Documents folder or any other folder where there are encrypted files.  You most likely will see a text-type file named 

_readme.txt

or

_openme.txt

or

_open_.txt


That would be a file containing a ransom note made by this ransomware.  We here on the forum and also at Malwarebytes have no decryption tool,

Just so you are aware of that.  It seems your machine was / is a victim of a variant of the STOP (djvu) ransomware.

See these articles

"Meet Stop Ransomware: The Most Active Ransomware Nobody Talks About"
https://www.bleepingcomputer.com/news/security/meet-stop-ransomware-the-most-active-ransomware-nobody-talks-about/

 

Also See https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

 

If you have saved offline backups of the system from before this infection, that is the best means of recovering damaged user files.


Hello Maurice,

Thanks for responding. As you have mentioned, I downloaded these programs to try and remove this file( c3Xi0d1.sys) but It did not work.

If I may ask what other problems have you noticed ?

I know I can't use any of the previous programs to decrypt my files but as I read online, I should first get rid of the infection files first and then I can try using some Recovery software. Also, I had Ransomware Protection in Windows Defender Enabled and a lot of of folders and sub-folders and due to that the files in my downloads and desktop and some files in other drives in deep sub-folders were not encrypted.

Additionally, I have some offline backups but I am afraid of connecting them to the infected PC as they might get encrypted too.

So, Can you help me get rid of this (c3Xi0d1.sys) and get Windows Defender working back again so that I can continue with process of trying to recover some of my data  ?

Your assistance is much appreciated.

Hamada


Hello.

Here below is a custom run intended to do some cleanups.  Please take time to read carefully & apply all directions below.

This will attempt to get c3Xi0d1.sys deleted.  It will attempt to Enable the Microsoft Defender antivirus.

We cannot repair or fix or change any encrypted user files or documents.  This is not a cure-all.

If you have a question, stop and ask me first.

[    1    ]

As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2    ]

We will use FRST64.exe   to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  HAMADA  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  It will run the Windows DISM tool to check the system. 

If you have any questions or concerns, please ask before running this fix.

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Desktop folder

Fixlist.txt

 

Then, Start the Windows Explorer and then, go  to the Desktop   folder.


RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the "Run anyway" button on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

(screenshot: frst-fix.jpg, the FRST window with the Fix button)

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with next reply.


Hello.  Thanks for the Fixlog.

I have several concerns.  The file you had hoped to remove is still around, apparently.

C:\WINDOWS\system32\Drivers\c3Xi0d1.sys => Could not move

In addition, for some unknown reason, Windows defender is showing as set to exclude a raft of folders.

{C:\Users\Hamada\AppData\Local\Temp, C:\Users\Hamada\Downloads\Compressed\AAct.4.0_Portable_sigma4pc.com\AAct.4.0_Portable_sigma4pc.com\AAct.4.0_Portable\AAct_files, C:\Users\Hamada\Downloads\Compressed\AAct.4.0_Portable_sigma4pc.com\AAct.4.0_Portable_sigma4pc.com\AAct.4.0_Portable\AAct_files\KMSSS.exe, C:\Users\Hamada\Downloads\Compressed\AAct.4.0_Portable_sigma4pc.com\AAct.4.0_Portable_sigma4pc.com\AAct.4.0_Portable\AAct_x64.exe...}

In addition, there is an exclusion also for rundll32.exe to be excluded from monitoring by MS Defender.

System File Checker found some integrity errors and made some corrections.   However, the status of MS Defender protections is in question.

For your long-term security and peace of mind, I would suggest to rebuild Windows from scratch, and later do new installs for your program applications.

Do you have backup of your personal files and documents ?

See Clean Install Windows 10 -Greg Carmack - MVP 2010-2020 -
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

 

 

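The exclusions quoted above are the kind of change a practitioner wants to check for themselves rather than only read out of an FRST log. The following is an added example, not code from this thread or from Malwarebytes: an elevated PowerShell audit of the Defender state and every configured exclusion, using only the built-in Defender cmdlets. The list of "suspicious" patterns (user temp and Downloads folders, rundll32.exe) is an assumption for illustration based on what the log showed.

```powershell
# Added example (not from the thread): audit Microsoft Defender status and exclusions.
# Run from an elevated PowerShell prompt on the affected machine.
# The patterns below are an assumption: user-writable locations and system binaries
# such as rundll32.exe are not normally legitimate exclusions on a home PC.
$suspiciousPatterns = @('\\AppData\\Local\\Temp', '\\Downloads\\', 'rundll32\.exe')

# 1. Overall protection state (the thread reports the antivirus as disabled).
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled      = $status.AntivirusEnabled
    RealTimeProtection    = $status.RealTimeProtectionEnabled
    TamperProtection      = $status.IsTamperProtected
    SignatureAgeInDays    = $status.AntivirusSignatureAge
} | Format-List

# 2. Collect every exclusion type into one list.
$pref = Get-MpPreference
$exclusions = @()
foreach ($p in $pref.ExclusionPath)      { $exclusions += [pscustomobject]@{ Type = 'Path';      Value = $p } }
foreach ($p in $pref.ExclusionProcess)   { $exclusions += [pscustomobject]@{ Type = 'Process';   Value = $p } }
foreach ($p in $pref.ExclusionExtension) { $exclusions += [pscustomobject]@{ Type = 'Extension'; Value = $p } }

# 3. Print each exclusion and flag the ones matching a suspicious pattern.
if ($exclusions.Count -eq 0) { Write-Output 'No Defender exclusions are configured.' }
foreach ($e in $exclusions) {
    $flag = ''
    foreach ($pat in $suspiciousPatterns) {
        if ($e.Value -match $pat) { $flag = 'SUSPICIOUS'; break }
    }
    Write-Output ('{0,-10} {1,-10} {2}' -f $e.Type, $flag, $e.Value)
}

# 4. Removing an exclusion you did not create (uncomment after reviewing the output;
#    the paths are taken from the FRST log quoted in this thread).
# Remove-MpPreference -ExclusionPath    'C:\Users\Hamada\AppData\Local\Temp'
# Remove-MpPreference -ExclusionProcess 'rundll32.exe'
```

If Tamper Protection reports as disabled, re-enable it from Windows Security after removing the exclusions, since malware that can write Defender preferences can also re-add them.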

Hello Maurice,

To be honest, I don't have a backup for all my important files on this PC and some of them were not encrypted so I prefer if there was a way to keep them or at least reinstall Windows without losing these files.

Worst case, If I do a clean install, can I connect my external HDD and transfer the data that were not encrypted or this might infect the whole HDD ? (As I can risk having the HDD infected because it has most of my important data).

I forgot to mention I can't do a Windows Update too.

I searched this forum and found a case similar to mine :

 


Do keep in mind that not all other user-cases like yours here are the same.

And now that you mention Windows Update failures, that adds further complications.

Before you think of copying anything, let's be sure to scan this system with other tools.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.

 

Let me know the result of this.    This is likely to run for many hours. It may in fact run for more than a full day.   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply.

 


The Microsoft Safety Scanner found & removed 2 trojans & some hacktools.

 

Allow me to encourage one other scan.

This is a  different special tool to check your pc for viruses, trojans & other malware.

Download Sophos Free Virus Removal Tool   and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Let me know what Sophos reports.   


I am going to be making this reply, plus another one to follow.

We are done with Sophos VRT tool.  Now to uninstall it.

1. Press & hold the Windows key on keyboard & then tap the R key to open the Run box-window.
2. Type appwiz.cpl and tap Enter.
The Programs and Features window will appear.   Locate on the list "Sophos Virus Removal".

Do a right-click on it.  Then choose Uninstall.   Let it proceed.

Exit Programs and Features, when done.


3.  Now do a Windows Restart.


After the above has been done, I would highly suggest that you do this next scan.

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click The blue Save scan log to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

Please make sure you attach the log report.     There will be more to do later.


There is no negative impact from not having Uninstalled the Sophos before the start of the ESET scan. Other than likely slowing it.

The ESET found a large number of _readme.txt which ( 1) would have been helpful to have a copy of from the very start of this case. ( 2) Be fully aware that this is one indicator that this machine had an encrypting ransomware. (3) as I said earlier, you would be safer in the long term to rebuild this system from scratch. Still let me know if you choose to do that. Otherwise, there is not a good way to vouch for its security & safety. (4) in the long term, you must be extremely careful what you download. 

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

 

There was 1 hacktool removed + some 3 LNK/Agent.CH trojans on your C drive Downloads folder.


Your PC is very  compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with these malware, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

 

We can attempt to do more hunting to try to clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup attempt, please proceed with the following steps.


Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file.  

[     2    ]

Now a readout report as to update status of some key apps.   I need this to get additional detail on status of Microsoft Defender.

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

  • If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Edited by Maurice Naggar

The SecurityCheck recommends to Uninstall these 3 'programs'

Combo Cleaner 

IObit Unlocker

SpyHunter

It also shows that Microsoft Defender antivirus is still disabled.

In addition, The FSS report indicates this Windows is missing the service registry entries for SecurityHealthService + wscsvc ( Microsoft Security Center service) + Windows Update service (wuauserv)


If you have a large-enough backup media, you can go ahead and make copies of your personal files & documents.   You can do that now.


You have run Malwarebytes for Windows.  I had you run Microsoft Safety Scanner, Sophos Virus Removal tool, + ESET onlinescanner.


Allow me to suggest using ( one time) a different tool.

This ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.

get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.

Disregard the title subject of the topic.

 

Run the MBAR tool as listed here 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

 

when done, I need the MBAR logs.

Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.

 

Both files can be found in the extracted MBAR folder on your Desktop.

Please attach both files in your next reply.

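The FSS finding above (missing service registry entries for SecurityHealthService, wscsvc and wuauserv) can be confirmed directly. This is an added example, not code from this thread or from any of the tools it uses: an elevated PowerShell check that looks for each service's key under HKLM\SYSTEM\CurrentControlSet\Services and reports its start type, image path and current state. The service names come from the thread; WinDefend (the Defender engine service) is added as an assumption of one more service worth checking.

```powershell
# Added example (not from the thread): verify the service registry entries FSS reported
# missing. Run from an elevated PowerShell prompt.
# Service names from the thread plus WinDefend (assumption: the Defender engine service).
$services = 'wscsvc', 'SecurityHealthService', 'wuauserv', 'WinDefend'

# Meaning of the registry "Start" value for a Win32 service.
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    # A missing key means the Service Control Manager no longer knows the service at all.
    if (-not (Test-Path -Path $key)) {
        Write-Output ('{0,-22} registry key MISSING: {1}' -f $name, $key)
        continue
    }

    $reg = Get-ItemProperty -Path $key
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not registered with SCM' }
    $start = if ($null -ne $reg.Start -and $startTypes.ContainsKey([int]$reg.Start)) {
        $startTypes[[int]$reg.Start]
    } else {
        'unknown'
    }

    Write-Output ('{0,-22} Start={1,-10} State={2,-10} ImagePath={3}' -f $name, $start, $state, $reg.ImagePath)
}
```

The check only reports; it does not recreate missing keys. Restoring deleted service entries requires an export of the same keys from a healthy installation of the same Windows build, which is part of why a clean reinstall is the safer route the thread recommends.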

I uninstalled the 3 programs you have mentioned.

6 hours ago, Maurice Naggar said:

If you have a large-enough backup media, you can go ahead and make copies of your personal files & documents.   You can do that now.

So I can start transferring my data now without worrying about the infection or do I run a test on these data first ?

 

mbar-log-2021-11-18 (01-54-45).txt system-log.txt


The MBAR scan found no malware / no rootkit.  I notice you had done a Deep scan.

You can copy your personal files to offline media, like I mentioned earlier.   After you have cleanly installed Windows, and you have a good antivirus program again, before you restore back the personal files, you should scan them with the antivirus and with the Malwarebytes for Windows.


Hello. Alright.  I have cited the how-to before & listing it here too.

 Clean Install Windows 10 -Greg Carmack - MVP 2010-2020 -
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587


After you have rebuilt Windows, here are additional safety tips.

Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard.

See Support article how-to

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard


Note: If your pc has Windows 10 EDGE browser, or Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard ( on each as appropriate).

Have the Premium Malwarebytes so that your system has full protections in real-time. I believe there is currently a Black Friday sale https://www.malwarebytes.com/premium


Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

SAFETY TIPS:

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.


Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"  


I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 
