Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

# Seem to have smart service virus that cannot be removed with mbar

14 replies to this topic

### #1 db1963

db1963

• Members
• 7 posts
• OFFLINE
•
• Local time:09:18 AM

Posted 24 August 2017 - 12:00 PM

I have tried everything that I can think of.  Can someone offer assistance?

Thanks

### #2 JSntgRvr

JSntgRvr

Master Surgeon General

• Malware Response Team
• 11,692 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto Rico
• Local time:09:18 AM

Posted 24 August 2017 - 12:42 PM

Welcome.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
• Double-click to run it. When the tool opens click Yes to disclaimer.
• Make sure that under Optional Scans, there is a checkmark on Addition.txt.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

### #3 db1963

db1963
• Topic Starter

• Members
• 7 posts
• OFFLINE
•
• Local time:09:18 AM

Posted 24 August 2017 - 04:12 PM

### #4 JSntgRvr

JSntgRvr

Master Surgeon General

• Malware Response Team
• 11,692 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto Rico
• Local time:09:18 AM

Posted 24 August 2017 - 07:27 PM

• Highlight the entire content of the quote box below.

Start::
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKLM-x32\...\Run: [wmivtbb] => C:\Users\Office\AppData\Local\ntuserlitelist\wmivtbb\wmivtbb.exe [884224 2017-08-24] ()
2017-08-24 07:19 - 2017-08-24 07:21 - 000000000 ____D C:\Users\Office\AppData\Local\ntuserlitelist
2017-07-22 14:51 - 2017-07-22 14:51 - 000089576 _____ () C:\Users\Office\AppData\Local\Temp\vsdel.exe
2017-08-24 17:04 - 2017-08-24 17:04 - 000514339 ____N C:\Users\Akgk0\lawyers.enormous.xlsx
2017-08-24 17:04 - 2017-08-24 17:04 - 000507038 ____N C:\Users\Qldcsw\birds.crossing.freely.painted.xlsx
2017-08-24 17:04 - 2017-08-24 17:04 - 000230070 ____N C:\Users\Qldcsw\allied-devoted.mdb
2017-08-24 17:04 - 2017-08-24 17:04 - 000219945 ____N C:\Users\Akgk0\simultaneouslystillfortunate.mdb
2017-08-24 17:04 - 2017-08-24 17:04 - 000076903 ____N C:\Users\Qldcsw\firm-matrix-faced-slow.xls
2017-08-24 17:04 - 2017-08-24 17:04 - 000071417 ____N C:\Users\Akgk0\gap_combine_providence.xls
2017-08-24 17:04 - 2017-08-24 17:04 - 000058337 ____N C:\Users\Qldcsw\political-gear-mexico-baseball.pem
2017-08-24 17:04 - 2017-08-24 17:04 - 000052403 ____N C:\Users\Akgk0\anyhow_adopted_grace_fancy.pem
2017-08-24 17:04 - 2017-08-24 17:04 - 000032458 ____N C:\Users\Qldcsw\bar_existence_act_handwriting.txt
2017-08-24 17:04 - 2017-08-24 17:04 - 000022884 ____N C:\Users\Akgk0\amendment.talents.sql
2017-08-24 17:04 - 2017-08-24 17:04 - 000017392 ____N C:\Users\Qldcsw\july.atom.span.hanover.sql
2017-08-24 17:04 - 2017-08-24 17:04 - 000010795 ____N C:\Users\Akgk0\aheadslaves.txt
2017-08-18 18:37 - 2017-08-18 18:37 - 002793472 ____N C:\Windows\system32\msdvzfu.exe
2017-07-31 22:13 - 2017-07-31 22:13 - 000429568 ____N C:\Windows\system32\ravcpdkz.exe
2017-08-18 07:14 - 2017-06-27 23:08 - 000544424 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2017-08-18 18:37 - 2017-08-18 18:37 - 002793472 ____N () C:\WINDOWS\SYSTEM32\MSDVZFU.EXE
2017-07-31 22:13 - 2017-07-31 22:13 - 000429568 ____N () C:\WINDOWS\SYSTEM32\RAVCPDKZ.EXE
2017-02-16 19:30 - 2017-02-16 18:07 - 000012542 _____ () C:\Program Files (x86)\Common Files\client.wyc
2017-06-28 21:38 - 2017-06-30 06:24 - 000007598 _____ () C:\Users\Office\AppData\Local\resmon.resmoncfg
2017-08-04 19:00 - 2017-08-04 19:00 - 000740416 _____ (Oracle Corporation) C:\Users\Office\AppData\Local\Temp\jre-8u144-windows-au.exe
2017-06-27 21:59 - 2017-05-01 16:14 - 000869200 _____ (NVIDIA Corporation) C:\Users\Office\AppData\Local\Temp\nvSCPAPI64.dll
2017-06-30 19:49 - 2017-05-01 16:14 - 000367552 _____ (NVIDIA Corporation) C:\Users\Office\AppData\Local\Temp\nvStInst.exe
2017-07-22 14:51 - 2017-07-22 14:51 - 000089576 _____ () C:\Users\Office\AppData\Local\Temp\vsdel.exe
HKLM-x32\...\Run: [wmivtbb] => C:\Users\Office\AppData\Local\ntuserlitelist\wmivtbb\wmivtbb.exe [884224 2017-08-24] ()
Folder: C:\Windows\system32\Drivers
HOSTS:
Removeproxy:
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (wevtutil el) DO wevtutil cl "%i"
EMPTYTEMP:
Reboot:
End::

• Right click on the highlighted text and select Copy.
• Start FRST (FRST64) with Administrator privileges
• Press the Fix button. FRST will process the lines copied above from the clipboard.
• When finished, a log file (Fixlog.txt) will pop up and saved in the same location the tool was ran from.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

### #5 db1963

db1963
• Topic Starter

• Members
• 7 posts
• OFFLINE
•
• Local time:09:18 AM

Posted 25 August 2017 - 06:14 AM

### #6 JSntgRvr

JSntgRvr

Master Surgeon General

• Malware Response Team
• 11,692 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto Rico
• Local time:09:18 AM

Posted 25 August 2017 - 12:48 PM

We will need to run the fix in the Recovery Console.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Please also download the attached file and save it in the same location the FRST64 is saved in the flash drive.

Insert the USB drive in the infected computer.

Boot to the Recovery Console's Command prompt.

Entry points into the Windows Recovery Environment (WinRE).

You can access WinRE features through the Boot Options menu, which can be launched from Windows in a few different ways:
• Option 1: From the login screen, click Shutdown, then hold down the Shift key while selecting Restart.
• Option 2: In Windows 10, select Start > Settings > Update & security > Recovery > under Advanced Startup, click Restart now.
• Option 3: Boot to recovery media.
• Option 4: Use a hardware recovery button (or button combination) configured by the OEM (Computer Manufacturer).
After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. The PC will restart into the WinRE and the selected feature is launched.

On the boot options, select Troubleshooting > Advanced Options > Command prompt.

Once in the Command Prompt:
• In the command window type in notepad and press Enter.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press the Fix button.
• It will make a log (Fixlog.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

### #7 db1963

db1963
• Topic Starter

• Members
• 7 posts
• OFFLINE
•
• Local time:09:18 AM

Posted 25 August 2017 - 06:27 PM

### #8 JSntgRvr

JSntgRvr

Master Surgeon General

• Malware Response Team
• 11,692 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto Rico
• Local time:09:18 AM

Posted 25 August 2017 - 07:10 PM

Outstanding.

You may now run MBAR.

• Right-Click MBAR.exe and select Run as administrator to run the installer.
• Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
• Click Next, followed by Update. Upon update completion, click Next.
• Ensure Drivers, Sectors & System are checked and click Scan.
• Note: Do not use your computer during the scan.
• Upon completion:
• If no infection is found, close the MBAR window.
• If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
• Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

### #9 db1963

db1963
• Topic Starter

• Members
• 7 posts
• OFFLINE
•
• Local time:09:18 AM

Posted 26 August 2017 - 01:05 PM

### #10 JSntgRvr

JSntgRvr

Master Surgeon General

• Malware Response Team
• 11,692 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto Rico
• Local time:09:18 AM

Posted 26 August 2017 - 04:16 PM

Seems we got the rootkit.

• Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete, depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
• XP users: Double click the AdwCleaner icon to start the program.
• Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:
• Click the Scan button and wait for the scan to finish.
• After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
• Click the Clean button.
• Everything checked will be moved to Quarantine.
• When the program has finished cleaning a report appears.Once done it will ask to reboot, allow this

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

### #11 db1963

db1963
• Topic Starter

• Members
• 7 posts
• OFFLINE
•
• Local time:09:18 AM

Posted 26 August 2017 - 04:54 PM

### #12 JSntgRvr

JSntgRvr

Master Surgeon General

• Malware Response Team
• 11,692 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto Rico
• Local time:09:18 AM

Posted 26 August 2017 - 05:26 PM

How is the computer doing?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

### #13 db1963

db1963
• Topic Starter

• Members
• 7 posts
• OFFLINE
•
• Local time:09:18 AM

Posted 26 August 2017 - 05:29 PM

Seems to be running okay now.

### #14 JSntgRvr

JSntgRvr

Master Surgeon General

• Malware Response Team
• 11,692 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto Rico
• Local time:09:18 AM

Posted 26 August 2017 - 05:37 PM

Congratulations.

Remove the quarantined items:

• Double-click on delfix.exe to run the tool.
Vista/Windows 7/8/10 users right-click and select Run As Administrator.
• Put a check mark next to these items:
- Remove disinfection tools
- Create registry backup

.
• Click the "Run" button.
• When the tool has finished, it will create and open a log report (DelFix.txt)
Always keep your antivirus active and updated.

Best Regards.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

### #15 JSntgRvr

JSntgRvr

Master Surgeon General

• Malware Response Team
• 11,692 posts
• OFFLINE
•
• Gender:Male
• Location:Puerto Rico
• Local time:09:18 AM

Posted 26 August 2017 - 05:37 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

#### 0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users