Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Having alot of trouble removing SmartService. Please help, Thanks!


  • This topic is locked This topic is locked
15 replies to this topic

#1 AlexMiranda

AlexMiranda

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 24 June 2017 - 07:15 PM

Hi everyone, I have been trying to remove the Smart Service trojan, but i simply can't.

 

What happened:

 

I was playing a game one day and I noticed my game was running very slow. I checked the task manager and noticed the process "winvmx client". I knew this was not good thing so i began researching into it. I looked all over, but have reached a dead end.

 

 

Here is what I have done:

 

Windows Defender, didn't pick it up

 

MBAR, which crashed twice before it started giving me "The requested resource is in use," which is SmartService.

 

Several other AVs but they all got the Requested Resource Error.

I deleted the winvmx folder in the local app data folder, but i still cant run MBAR, or anything. 

 

 

 

 

 

I knew you get countless forum posts like these, but if you could help me it would be greatly appreciated!!

 

 

 

 

Alex 

 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 AM

Posted 25 June 2017 - 09:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Let me know what problems persists.
==============================

#3 AlexMiranda

AlexMiranda
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 25 June 2017 - 10:13 AM

Hi, thank you for your reply. I tried running MBAM and AdwCleaner but they both gave me the "Requested resource is in use" error. I was able to run FRST and I have included both logs below.

 

 

 

Thanks,

Alex

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 AM

Posted 25 June 2017 - 12:56 PM

This is a bad infection.

Follow the instructions in the thread below. Make sure to download the MBAR linked in it. Let me know if you're not able to launch it and run a scan.
 
https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/
 
If you manage to run a scan, delete everything it finds, and then copy/paste the content of the "mbar-log-TODAY'S-DATE.txt" log that is located in the MBAR folder here after.

It will take a while to complete the scan. You can expect more than 9 hours sometime.

When completed run the Farbar tool and make sure that the box to create a fresh Addition.txt file is checked.

Post the logs for my review.

#5 AlexMiranda

AlexMiranda
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 25 June 2017 - 04:47 PM

Thank you so much for getting back to me. I was able to run the MBAR tool and the FRST tool. I have included the logs below.

 

 

 

 

 

 

 

 

Thanks,
Alex

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 AM

Posted 26 June 2017 - 07:49 AM



Hi,

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Reimage Repair (HKLM\...\Reimage Repair) (Version: 1.8.5.8 - Reimage) <==== ATTENTION
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Reimage®) C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
(Reimage®) C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3332132&octid=EB_ORIGINAL_CTID&ISID=M39348B98-8693-481E-AE66-3A8829C4B584&SearchSource=55&CUI=&UM=8&UP=SP79FAE675-5072-4F23-AC60-CE01220227DC&SSPV=
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3332132&octid=EB_ORIGINAL_CTID&ISID=M39348B98-8693-481E-AE66-3A8829C4B584&SearchSource=55&CUI=&UM=8&UP=SP79FAE675-5072-4F23-AC60-CE01220227DC&SSPV=","hxxp://roblox.com/","hxxp://www.trovi.com/?gd=&ctid=CT3321459&octid=EB_ORIGINAL_CTID&ISID=M0F77713D-4FE5-4490-A996-240FF9F3D186&SearchSource=55&CUI=&UM=5&UP=SPC59AD0B9-895F-4E39-A10B-5A8CF0764042&SSPV=","hxxp://www.wi.k12.ny.us/","hxxp://www.dregol.com/?f=7&a=drg_coin... (long line)
CHR Extension: (Chrome Web Store Payments) - C:\Users\TheBe\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Chrome Media Router) - C:\Users\TheBe\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-12]
R2 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [8515952 2017-05-14] (Reimage®)
Task: {6091FB79-63DB-42F9-BDDE-8FD4C7880496} - System32\Tasks\AGProxyCheck => C:\Program [Argument = Files (x86)\AnonymizerGadget\AGService.exe /recove]
Task: {62A30226-0FD4-4807-A303-82E48BBDA80D} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2017-05-14] (Reimage®) <==== ATTENTION
Task: {67EBC9F8-FA05-489C-9BB7-A40A1FAAD090} - System32\Tasks\Reimage Reminder => C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe [2017-05-10] (Reimage ltd.) <==== ATTENTION
Task: {81353432-E16C-48C3-843A-D9C3ACC6B5EE} - System32\Tasks\KMSAutoNet => C:\ProgramData\KMSAutoS\KMSAuto Net.exe [2015-07-31] (MSFree Inc.)
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
HKU\S-1-5-21-807126376-1515142061-3032373828-1001\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION
C:\Windows\System32\Tasks\AGProxyCheck =
C:\Program [Argument = Files (x86)\AnonymizerGadget\AGService.exe /recove]
C:\Windows\System32\Tasks\ReimageUpdater
C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
C:\Windows\System32\Tasks\Reimage Reminder =
C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe
C:\Windows\System32\Tasks\KMSAutoNet
C:\ProgramData\KMSAutoS\KMSAuto Net.exe
C:\Program Files\Reimage

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Reset Chrome...
Open Google Chrome, click on menu icon google-chrome-setting-icon.png which is located right side top of the google chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Please let me know what problem persists with this computer.

#7 AlexMiranda

AlexMiranda
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 26 June 2017 - 01:23 PM

Thank you so much! The problem seems to be resolved. 

 

 

At least for now.

 

 

 

Thanks, 

Alex



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 AM

Posted 27 June 2017 - 06:55 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#9 AlexMiranda

AlexMiranda
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 28 June 2017 - 12:42 PM

Hello again, kind of embarrassing, but a knew problem seems to have arisen. I don't now whether or not to make a new topic for it, so I will just put it in here.

 

So, this problem has been coming up. A restart fixes it, but it soon comes back.

 

The text in windows programs, and the desktop have disappeared, and so has the text on the right click options. Please note that all is well in Google Chrome. It seems to only affect Windows Programs(Snipping Tool, Control Panel, etc)

 

For the control panel and desktop at least, all the icons are there and were they should be, but there is no text.

 

 

I do not know if this is linked to my other problem, but It would be greatly appreciated if you could help me!

 

 

 

Thanks,

Alex 



#10 AlexMiranda

AlexMiranda
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 28 June 2017 - 12:44 PM

UPDATE: It seems to also effect non default programs.

 

 

All is good in Chrome, but not Open Broadcaster Software(OBS).



#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 AM

Posted 28 June 2017 - 01:32 PM

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed refer to the Microsoft article again and follow the instructions to view details of the System File Checker process

Post the contents of the sfcdetails.txt file for my review.

Let me know if the problem persists.
<<<>>>

#12 AlexMiranda

AlexMiranda
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 04 July 2017 - 11:41 PM

Sorry for not replying for a while. I was away. I ran the sfc scan several times in and out of safe mode and they all stopped and gave the error:

 

"Windows Resource Protection could not perform the requested operation."

 

Any help would be appriciated.

 

 

Another thing that seems to be happening is that when i go into the properties option with files, it is all messed up and the window is stretched so it seems to be infinity long. The only way to exit the window is to Alt + F4. 



#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 AM

Posted 05 July 2017 - 07:33 AM

Repair these services.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore Do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below

  • 01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    10 - Remove Policies Set By Infections
    11 - Repair Start Menu Icons Removed by Infections
    12 - Repair Icons
    17 - Repair Windows Updates
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup
    32 - Restore UAC (User Account Control) Settings
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.
===

Restart the computer normally.

How is the computer running now?

#14 AlexMiranda

AlexMiranda
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 05 July 2017 - 12:30 PM

I was unable to run the scan as the options to uncheck the certain services was missing



#15 AlexMiranda

AlexMiranda
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:30 PM

Posted 05 July 2017 - 05:10 PM

Nevermind, I was able to run the scan it seems.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users