
ndistpr.sys/drmkpro64 - "SmartService"?


30 replies to this topic

#1 Merkava

Merkava

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:50 PM

Posted 22 April 2017 - 07:04 PM

Hello.

User error. Bonehead move with a suspect installer. Been years since I've had any serious infection, so I'm not completely humiliated right now... :blush:

I tried following this guide:

https://www.bleepingcomputer.com/virus-removal/remove-the-requested-resource-is-in-use-error

...but I can't run iExplore, Zemana, AdwareCleaner, or HitmanPro. I don't know how critical that is to the process, but running RogueKiller resulted in a few fixes besides the issue that still remains as the title of this topic. I was also able to run FRST, and fix a few things. Nothing else fix-wise will run in Safe Mode, however (since normal boot isn't an option due to the "IRQL not less or equal" error loop): neither the programs I have installed (Comodo and SpywareBlaster) nor anything I have downloaded, e.g., MalwareBytes RootKit, AdwareCleaner, etc.

Attached is my FixLog from FRST. I've considered following the very lengthy process of manual deletion found here:  Mod Edit:  Pasted content into post - Hamluis.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-04-2017
Ran by Gurney Halleck (21-04-2017 09:44:52) Run:2
Running from C:\Users\Gurney Halleck\Desktop
Loaded Profiles: Gurney Halleck (Available Profiles: Gurney Halleck)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
R0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [78112 2013-09-28] ()
*****************

drmkpro64 => Unable to stop service.
HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected

Result of scheduled files to move (Boot Mode: Safe Mode (with Networking)) (Date&Time: 21-04-2017 09:57:57)


Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected

==== End of Fixlog 09:57:58 ====

https://www.bleepingcomputer.com/news/security/smartservice-acts-like-an-adware-bodyguard-by-blocking-antivirus-software/

...but I wanted to check on any possible shortcut(s) devised by the resident sorcerers here at BC. :wizard:

Thank you in advance, and cheers for all you do!


Edited by hamluis, 22 April 2017 - 07:27 PM.




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:50 PM

Posted 22 April 2017 - 08:57 PM

Hi Merkava :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the guide below.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

It may take several attempts to get MBAR up and running. Once you do, make sure that you update the database before launching the scan. Once you're done scanning with MBAR, and it removed the threats, go into the MBAR folder, and copy/paste the content of the mbar-log-TODAY'S-DATE.txt log here.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Merkava

Merkava
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:50 PM

Posted 23 April 2017 - 09:36 AM

Hello Aura,

Thank you for such a quick response. I was able to use the installer at the link, but it did not run automatically once it was finished extracting. Attempting to run the executable in the installation folder only yields the same "resource is in use" error message.



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:50 PM

Posted 23 April 2017 - 09:43 AM

If you launch mbar.cmd (it's in the same folder), does MBAR launch properly?



#5 Merkava

Merkava
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:50 PM

Posted 23 April 2017 - 10:23 AM

No. Unfortunately, it gives an error message also: "The application was unable to start correctly (0xc0000142)."



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:50 PM

Posted 23 April 2017 - 11:58 AM

Are you able to download and run that copy of Zemana?

http://dl12.zemana.com/tmp/Zemana.AntiMalware.Portable-unsigned.exe

Or do you still get the same error message?



#7 Merkava

Merkava
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:50 PM

Posted 23 April 2017 - 01:09 PM

"...currently does not work in Safe Mode"(my only option ATM) :(



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:50 PM

Posted 23 April 2017 - 02:14 PM

In that case, follow the instructions in the thread below, and provide me both logs (FRST.txt and Addition.txt).

https://www.bleepingcomputer.com/forums/topic34773.html



#9 Merkava

Merkava
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:50 PM

Posted 23 April 2017 - 03:58 PM

Okay, here they are. Of course, following the 5th step (enabling firewall) isn't an option, so I had to skip it.

Attached Files



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:50 PM

Posted 23 April 2017 - 04:08 PM

Okay, do you have your Windows installation media by any chance, or not?

Also, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press on Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    
    Zip: C:\Windows\System32\drivers\ndistpr64.sys
    
    EmptyTemp:
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;
After running the fix, a .zip file should have been created on your desktop called "Upload_TODAY'S-DATE.zip". Upload it to the link below please.

https://www.bleepingcomputer.com/submit-malware.php?channel=194



#11 Merkava

Merkava
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:50 PM

Posted 23 April 2017 - 05:30 PM

Sorry, my Windows is OEM.

At this point, FRST seemed to have stalled, even though the progress bar is in motion. It's taking far too long, and there was an error message earlier:

"The specified directory ...\ndistpr64.sys is empty, so Compressed (zipped) Folders cannot add it to the archive."

Shall I force-stop the program?

#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:50 PM

Posted 23 April 2017 - 08:58 PM

You can kill the FRST process, yes. Simple curiosity, are you able to copy/paste that file on your desktop?
C:\Windows\System32\drivers\ndistpr64.sys
If you can, please .zip it afterwards, and upload it to the link I gave you in my previous post.

So far this infection hasn't been able to stop MBAR, so if this is an updated driver, we need to check it out and see how we can circumvent it.

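The two checks Aura asks for in posts #10 and #12 (zip the driver with FRST, then try to copy it by hand) can be collected into one triage script. The following is an added example written for this page; it is not code from the thread, from FRST or from Malwarebytes. The service name drmkpro64 and the driver path C:\Windows\System32\drivers\ndistpr64.sys are taken from the FRST log in the first post; the function name, the output layout and the destination filename are assumptions. It is meant to be run from an elevated PowerShell prompt in Safe Mode and records, rather than just failing on, the "key could be protected" and "Access denied" conditions seen in the thread.

```powershell
# Added triage example for a self-protecting driver service (not from the thread,
# FRST or MBAR). Service name and driver path come from the FRST Fixlog above;
# everything else here is an assumption for illustration.
$ServiceName = 'drmkpro64'
$DriverPath  = 'C:\Windows\System32\drivers\ndistpr64.sys'
$KeyPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

function Get-DriverServiceReport {
    param([string]$Key, [string]$Path)
    $report = [ordered]@{}

    # 1. Registry: can the service key be read, and how is it started?
    #    Start=0 is boot-start (the "R0" FRST reported); Type=1 is a kernel driver.
    try {
        $svc = Get-ItemProperty -Path $Key -ErrorAction Stop
        $report.Start     = $svc.Start
        $report.Type      = $svc.Type
        $report.ImagePath = $svc.ImagePath
        # The SDDL shows whether the key ACL (not just a kernel hook) is what blocks removal.
        $report.KeyAcl    = (Get-Acl -Path $Key).Sddl
    } catch {
        $report.KeyError = $_.Exception.Message
    }

    # 2. File: hash and Authenticode status, if the driver lets user mode read it.
    if (Test-Path -LiteralPath $Path) {
        try {
            $report.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash
            $sig = Get-AuthenticodeSignature -LiteralPath $Path
            $report.SignatureStatus = $sig.Status
            $report.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            $report.FileAcl = (Get-Acl -LiteralPath $Path).Sddl
        } catch {
            $report.FileError = $_.Exception.Message
        }
    } else {
        $report.FileError = 'not visible from user mode (hidden or filtered)'
    }

    # 3. Copy attempt: the same thing post #12 asks for, with "Access denied"
    #    captured as data instead of stopping the script.
    $dest = Join-Path $env:USERPROFILE ('Desktop\' + (Split-Path $Path -Leaf) + '.sample')
    try {
        Copy-Item -LiteralPath $Path -Destination $dest -ErrorAction Stop
        $report.CopyResult = "copied to $dest (zip this and upload it)"
    } catch [System.UnauthorizedAccessException] {
        $report.CopyResult = 'access denied (driver is protecting its own file)'
    } catch {
        $report.CopyResult = $_.Exception.Message
    }

    return [pscustomobject]$report
}

Get-DriverServiceReport -Key $KeyPath -Path $DriverPath | Format-List
```

If the copy succeeds, the .sample file is what to zip and upload; if it reports access denied while the registry key is still readable, the protection is being enforced from the driver itself rather than by an ACL, which is the situation the thread is working around.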


#13 Merkava

Merkava
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:50 PM

Posted 24 April 2017 - 01:14 PM

No go. Access denied.

#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:50 PM

Posted 24 April 2017 - 01:17 PM

Go back into the MBAR folder, rename "mbar.exe" to something else, like "test.exe", and try to run it. Do you still get the same error message?



#15 Merkava

Merkava
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:50 PM

Posted 24 April 2017 - 02:18 PM

It's running! 😄



