Adlice forum
General Category => Malware removal help => Topic started by: xsilicon9 on November 26, 2017, 05:10:25 AM
-
I have some kind of adware malware that can't be removed. I was able to delete most of it with revo unistaller. But now there is some that is hiding in processes and appdata and I think the registry. It blocks comodo,comboxfix,hijackthis,processhacker from running.Also hijacks my google search to bing.Any attempt at removing the files or stopping the processes int safe mode or normal mode I get "access is denied". I tried to manually delete from live cd and my dual boot win8.1 but it comes right back. It also runs in clean boot and safe mode, so I can't do anything there. Roguekiller log attached.
-
Hi xsilicon9,
You are infected by the SmartService rootkit.
Please follow the instruction in shadowwar post (https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/) and attach MBAR log with your next reply.
Regards.
-
Its saying "no malware found" after scan. Attached is log.
-
Hi xsilicon9,
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
-
The logs are attached.
-
Hi xsilicon9,
You are using cracked software, they are the entrypoint of many infections. I strongly advise you to get rid of them and not to download such stuff in the futur.
Please also only keep one malware resident and uninstall the others.
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
A folder named FRST should have been created at the root of your system drive (C:\FRST). Could you please zip it and attach it as well ?
Please also run a new scan with RogueKiller and attach the JSON report as well.
Regards.
-
I had to run the fixlist in safe mode because the malware kept blocking me from downloading or copying the fixlist. The malware looks to still be running.I had just eset as my primary internet security but the malware blocked it and it won't run. Attached are the files.
-
Hi xsilicon9,
Yes, FRST was not able to remove the rootkit.
Could you please generate a fresh FRST report and attach it with your next reply ?
Regards.
-
New logs attached
-
Hi xsilicon9,
We need to use Windows Recovery Environment to get rid it of it
- On a clean machine, please download Farbar Recovery Scan Tool (https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to a flash drive. Do the same with the attached fixlist.txt file.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Note: You need to download the version compatible with your machine i.e. 32-bit or 64-bit.
Plug the flashdrive into the infected PC.
- Enter System Recovery Environment Command Prompt:
Instructions for Windows 10 (https://www.tenforums.com/tutorials/2880-open-command-prompt-boot-windows-10-a.html)
Instructions for Windows 8 (https://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/)
Instructions for Windows 7 (https://www.bleepingcomputer.com/tutorials/windows-7-recovery-environment-command-prompt/)
- Once in the Command Prompt:
Run FRST/FRST64 located on your flashdrive and press the Fix button just once and wait.
The tool will generate a log on the flashdrive (Fixlog.txt) please post it with your reply.
Regards.
-
Log attached.It looks like the same programs are still being blocked by the malware.
-
Hi xsilicon9,
I'm not sure the driver has been deleted.
Could you please generate a fresh FRST log once again and attach it with your next reply ?
Regards.
-
New logs attached.
-
Hi xsilicon9,
We are going somewhere.
Please use this new fixlist.txt in Windows Recovery Environment, post the fixlog.txt and a fresh FRST report with your next reply.
Regards.
-
Logs attached. Now everything works.Thanks
-
Hi xsilicon9,
You are welcome. However, there is still a leftover service from the infection.
Please use the attached fixlist.txt on normal mode to get rid of it.
It will be very valuable for the malware analysis community to get the initial source of this malware (dropper).
I highly suspect that it lies in a crack/keygen/hacktool you executed on November. So, could you please make an archive of all of them and send me a Private Message with the archive in attachment ?
Regards.
-
I'm not the only one using the computer. But I think the culprit was Office 2016 Permanent Activator Ultimate 1.4 which my friend downloaded to use on his laptop.I deleted a lot of the other malware it installed but there was some leftover.
-
Hi xsilicon9,
Thanks for your input.
You can now delete FRST and the files/folders it created.
Regards.