Seem to have smart service virus that cannot be removed with mbar


  • This topic is locked
14 replies to this topic

#1 db1963
  • Members
  • 7 posts

Posted 24 August 2017 - 12:00 PM

I have tried everything that I can think of.  Can someone offer assistance?

Thanks



#2 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 24 August 2017 - 12:42 PM

Welcome. :)

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt ). Please attach this to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 db1963 (Topic Starter)
  • Members
  • 7 posts

Posted 24 August 2017 - 04:12 PM

Attached File: FRST.txt (75.54KB)
Attached File: Addition.txt (35.66KB)



#4 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 24 August 2017 - 07:27 PM

  • Highlight the entire content of the quote box below.

Start::  
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
Task: {4A6369E4-DD91-4E00-AF61-4EAD8C148EEA} - \cFos\Registration Tasks\Open Browser -> No File <==== ATTENTION
Task: {4A6369E4-DD91-4E00-AF61-4EAD8C148EEA} - \cFos\Registration Tasks\Open Browser -> No File <==== ATTENTION
HKLM-x32\...\Run: [wmivtbb] => C:\Users\Office\AppData\Local\ntuserlitelist\wmivtbb\wmivtbb.exe [884224 2017-08-24] ()
2017-08-24 07:19 - 2017-08-24 07:21 - 000000000 ____D C:\Users\Office\AppData\Local\ntuserlitelist
2017-07-22 14:51 - 2017-07-22 14:51 - 000089576 _____ () C:\Users\Office\AppData\Local\Temp\vsdel.exe
2017-08-24 17:04 - 2017-08-24 17:04 - 000514339 ____N C:\Users\Akgk0\lawyers.enormous.xlsx
2017-08-24 17:04 - 2017-08-24 17:04 - 000507038 ____N C:\Users\Qldcsw\birds.crossing.freely.painted.xlsx
2017-08-24 17:04 - 2017-08-24 17:04 - 000230070 ____N C:\Users\Qldcsw\allied-devoted.mdb
2017-08-24 17:04 - 2017-08-24 17:04 - 000219945 ____N C:\Users\Akgk0\simultaneouslystillfortunate.mdb
2017-08-24 17:04 - 2017-08-24 17:04 - 000076903 ____N C:\Users\Qldcsw\firm-matrix-faced-slow.xls
2017-08-24 17:04 - 2017-08-24 17:04 - 000071417 ____N C:\Users\Akgk0\gap_combine_providence.xls
2017-08-24 17:04 - 2017-08-24 17:04 - 000058337 ____N C:\Users\Qldcsw\political-gear-mexico-baseball.pem
2017-08-24 17:04 - 2017-08-24 17:04 - 000052403 ____N C:\Users\Akgk0\anyhow_adopted_grace_fancy.pem
2017-08-24 17:04 - 2017-08-24 17:04 - 000032458 ____N C:\Users\Qldcsw\bar_existence_act_handwriting.txt
2017-08-24 17:04 - 2017-08-24 17:04 - 000022884 ____N C:\Users\Akgk0\amendment.talents.sql
2017-08-24 17:04 - 2017-08-24 17:04 - 000017392 ____N C:\Users\Qldcsw\july.atom.span.hanover.sql
2017-08-24 17:04 - 2017-08-24 17:04 - 000010795 ____N C:\Users\Akgk0\aheadslaves.txt
2017-08-18 18:37 - 2017-08-18 18:37 - 002793472 ____N C:\Windows\system32\msdvzfu.exe
2017-07-31 22:13 - 2017-07-31 22:13 - 000429568 ____N C:\Windows\system32\ravcpdkz.exe
2017-08-18 07:14 - 2017-06-27 23:08 - 000544424 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2017-08-18 18:37 - 2017-08-18 18:37 - 002793472 ____N () C:\WINDOWS\SYSTEM32\MSDVZFU.EXE
2017-07-31 22:13 - 2017-07-31 22:13 - 000429568 ____N () C:\WINDOWS\SYSTEM32\RAVCPDKZ.EXE
2017-02-16 19:30 - 2017-02-16 18:07 - 000012542 _____ () C:\Program Files (x86)\Common Files\client.wyc
2017-06-28 21:38 - 2017-06-30 06:24 - 000007598 _____ () C:\Users\Office\AppData\Local\resmon.resmoncfg
2017-08-04 19:00 - 2017-08-04 19:00 - 000740416 _____ (Oracle Corporation) C:\Users\Office\AppData\Local\Temp\jre-8u144-windows-au.exe
2017-06-27 21:59 - 2017-05-01 16:14 - 000869200 _____ (NVIDIA Corporation) C:\Users\Office\AppData\Local\Temp\nvSCPAPI64.dll
2017-06-30 19:49 - 2017-05-01 16:14 - 000367552 _____ (NVIDIA Corporation) C:\Users\Office\AppData\Local\Temp\nvStInst.exe
2017-07-22 14:51 - 2017-07-22 14:51 - 000089576 _____ () C:\Users\Office\AppData\Local\Temp\vsdel.exe
HKLM-x32\...\Run: [wmivtbb] => C:\Users\Office\AppData\Local\ntuserlitelist\wmivtbb\wmivtbb.exe [884224 2017-08-24] ()
Folder: C:\Windows\system32\Drivers
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
 


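The fixlist in the post above was assembled by reading the FRST listing by eye: publisher-less executables in system32 and Temp, and oddly named documents dropped straight into freshly created user profiles. As an added example (not FRST's code, nor anything posted in this thread), the following Python parses FRST-style listing lines and applies those same triage rules to a constructed sample; the field layout it assumes is the one visible in the quoted lines.

```python
import re
from collections import namedtuple

# Constructed sample in FRST's listing format, modelled on the lines quoted in the fixlist.
SAMPLE_LOG = r"""
2017-08-18 18:37 - 2017-08-18 18:37 - 002793472 ____N C:\Windows\system32\msdvzfu.exe
2017-08-18 07:14 - 2017-06-27 23:08 - 000544424 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2017-07-22 14:51 - 2017-07-22 14:51 - 000089576 _____ () C:\Users\Office\AppData\Local\Temp\vsdel.exe
2017-08-24 17:04 - 2017-08-24 17:04 - 000514339 ____N C:\Users\Akgk0\lawyers.enormous.xlsx
2017-08-04 19:00 - 2017-08-04 19:00 - 000740416 _____ (Oracle Corporation) C:\Users\Office\AppData\Local\Temp\jre-8u144-windows-au.exe
"""

# Assumed layout: <created> - <modified> - <size> <attrs> [(<publisher>)] <path>; the
# publisher group is missing or "()" when the file carries no version-info company name.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
PROFILE_ROOT_RE = re.compile(r"c:\\users\\[^\\]+\\[^\\]+")  # C:\Users\<name>\<file>, no deeper

Entry = namedtuple("Entry", "created modified size attrs company path")

def parse_line(line):
    """Parse one FRST listing line; return None for headers, blanks and fixlist directives."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]), m["attrs"],
                 (m["company"] or "").strip(), m["path"])

def suspicion(entry):
    """Give the reason an entry deserves a look, or None. Same rules the helper applied by hand."""
    low = entry.path.lower()
    binary = low.endswith((".exe", ".dll", ".sys"))
    if binary and not entry.company and "\\windows\\system32\\" in low:
        return "publisher-less executable in system32"
    if binary and not entry.company and "\\appdata\\local\\temp\\" in low:
        return "publisher-less executable in Temp"
    if entry.created == entry.modified and PROFILE_ROOT_RE.fullmatch(low):
        return "file dropped directly in a user profile root"
    return None

def triage(log_text):
    """Return (path, reason) pairs for every suspicious line of an FRST listing."""
    flagged = []
    for entry in map(parse_line, log_text.splitlines()):
        reason = suspicion(entry) if entry else None
        if reason:
            flagged.append((entry.path, reason))
    return flagged
```

Signed Microsoft and Oracle binaries pass through untouched, which is exactly why the publisher field is the first thing to read in such a listing.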


#5 db1963 (Topic Starter)
  • Members
  • 7 posts

Posted 25 August 2017 - 06:14 AM

Attached File: Fixlog.txt (78.87KB)



#6 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 August 2017 - 12:48 PM

We will need to run the fix in the Recovery Console.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Please also download the attached file and save it to the same location on the flash drive where FRST64 is saved.

Insert the USB drive in the infected computer.

Boot to the Recovery Console's Command prompt.

Entry points into the Windows Recovery Environment (WinRE).

You can access WinRE features through the Boot Options menu, which can be launched from Windows in a few different ways:
  • Option 1: From the login screen, click Shutdown, then hold down the Shift key while selecting Restart.
  • Option 2: In Windows 10, select Start > Settings > Update & security > Recovery > under Advanced Startup, click Restart now.
  • Option 3: Boot to recovery media.
  • Option 4: Use a hardware recovery button (or button combination) configured by the OEM (Computer Manufacturer).
After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. The PC will restart into the WinRE and the selected feature is launched.

On the boot options, select Troubleshooting > Advanced Options > Command prompt.

Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button.
  • It will make a log (Fixlog.txt) in the flash drive. Please copy and paste it to your reply.



#7 db1963 (Topic Starter)
  • Members
  • 7 posts

Posted 25 August 2017 - 06:27 PM

Attached File: Fixlog.txt (1.16KB)



#8 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 August 2017 - 07:10 PM

Outstanding.

You may now run MBAR.

  • Please download this version of Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-Click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.


#9 db1963 (Topic Starter)
  • Members
  • 7 posts

Posted 26 August 2017 - 01:05 PM

Attached File: mbar-log-2017-08-26 (13-51-26).txt (2.06KB)
Attached File: system-log.txt (37.48KB)



#10 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 August 2017 - 04:16 PM

Seems we got the rootkit.

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.
  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt



#11 db1963 (Topic Starter)
  • Members
  • 7 posts

Posted 26 August 2017 - 04:54 PM

Attached File: JRT.txt (556bytes)
Attached File: AdwCleanerC0.txt (1.68KB)



#12 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 August 2017 - 05:26 PM

How is the computer doing?



#13 db1963 (Topic Starter)
  • Members
  • 7 posts

Posted 26 August 2017 - 05:29 PM

Seems to be running okay now.



#14 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 August 2017 - 05:37 PM

Congratulations.

Remove the quarantined items:

Please download DelFix by Xplode and save to your Desktop.
  • Double-click on delfix.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator.
  • Put a check mark next to these items:
    - Remove disinfection tools
    - Create registry backup
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report (DelFix.txt)
Always keep your antivirus active and updated.

Best Regards. :)



#15 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 August 2017 - 05:37 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





