Author Topic: Malware that can't be removed  (Read 15605 times)


xsilicon9

Malware that can't be removed
« on: November 26, 2017, 05:10:25 AM »
I have some kind of adware malware that can't be removed. I was able to delete most of it with Revo Uninstaller. But now there is some that is hiding in processes and AppData and I think the registry. It blocks Comodo, ComboFix, HijackThis and Process Hacker from running. It also hijacks my Google search to Bing. On any attempt at removing the files or stopping the processes in safe mode or normal mode I get "access is denied". I tried to manually delete from a live CD and my dual-boot Win 8.1 but it comes right back. It also runs in clean boot and safe mode, so I can't do anything there. RogueKiller log attached.


Curson

Re: Malware that can't be removed
« Reply #1 on: November 26, 2017, 03:43:57 PM »
Hi xsilicon9,

You are infected by the SmartService rootkit.
Please follow the instructions in shadowwar's post and attach the MBAR log with your next reply.

Regards.


xsilicon9

Re: Malware that can't be removed
« Reply #2 on: November 26, 2017, 06:52:53 PM »
It's saying "no malware found" after the scan. Attached is the log.


Curson

Re: Malware that can't be removed
« Reply #3 on: November 26, 2017, 06:56:02 PM »
Hi xsilicon9,

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right-click it to run as administrator (XP users click Run after receipt of the Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach the log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with FRST.txt in your reply.
Regards.


xsilicon9

Re: Malware that can't be removed
« Reply #4 on: November 26, 2017, 08:06:54 PM »
The logs are attached.


Curson

Re: Malware that can't be removed
« Reply #5 on: November 26, 2017, 09:12:48 PM »
Hi xsilicon9,

You are using cracked software; it is the entry point of many infections. I strongly advise you to get rid of it and not to download such stuff in the future.
Please also keep only one resident anti-malware product and uninstall the others.

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

A folder named FRST should have been created at the root of your system drive (C:\FRST). Could you please zip it and attach it as well?
Please also run a new scan with RogueKiller and attach the JSON report as well.

Regards.


xsilicon9

Re: Malware that can't be removed
« Reply #6 on: November 26, 2017, 11:15:10 PM »
I had to run the fixlist in safe mode because the malware kept blocking me from downloading or copying the fixlist. The malware looks to still be running. I had just ESET as my primary internet security, but the malware blocked it and it won't run. Attached are the files.


Curson

Re: Malware that can't be removed
« Reply #7 on: November 26, 2017, 11:23:07 PM »
Hi xsilicon9,

Yes, FRST was not able to remove the rootkit.
Could you please generate a fresh FRST report and attach it with your next reply?

Regards.


xsilicon9

Re: Malware that can't be removed
« Reply #8 on: November 27, 2017, 12:28:49 AM »
New logs attached.


Curson

Re: Malware that can't be removed
« Reply #9 on: November 27, 2017, 01:11:33 AM »
Hi xsilicon9,

We need to use the Windows Recovery Environment to get rid of it.
  • On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive. Do the same with the attached fixlist.txt file.
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

    Note: You need to download the version compatible with your machine i.e. 32-bit or 64-bit.

    Plug the flashdrive into the infected PC.
     
  • Enter System Recovery Environment Command Prompt:

    Instructions for Windows 10
    Instructions for Windows 8
    Instructions for Windows 7
     
  • Once in the Command Prompt:

    Run FRST/FRST64 located on your flashdrive and press the Fix button just once and wait.
    The tool will generate a log on the flashdrive (Fixlog.txt) please post it with your reply.
Regards.


xsilicon9

Re: Malware that can't be removed
« Reply #10 on: November 27, 2017, 06:26:18 AM »
Log attached. It looks like the same programs are still being blocked by the malware.


Curson

Re: Malware that can't be removed
« Reply #11 on: November 27, 2017, 12:58:02 PM »
Hi xsilicon9,

I'm not sure the driver has been deleted.
Could you please generate a fresh FRST log once again and attach it with your next reply?

Regards.


xsilicon9

Re: Malware that can't be removed
« Reply #12 on: November 27, 2017, 06:59:30 PM »
New logs attached.


Curson

Re: Malware that can't be removed
« Reply #13 on: November 27, 2017, 07:17:17 PM »
Hi xsilicon9,

We are going somewhere.
Please use this new fixlist.txt in Windows Recovery Environment, post the fixlog.txt and a fresh FRST report with your next reply.

Regards.


xsilicon9

Re: Malware that can't be removed
« Reply #14 on: November 27, 2017, 09:11:04 PM »
Logs attached. Now everything works. Thanks