
Infected with "WTDMKERNEL.SYS" and possibly a SmartService Rootkit


11 replies to this topic

#1 AmericanBoi87


Posted 25 October 2017 - 10:52 AM

Hi, I was recently scanning my computer with Malwarebytes Anti-Malware and I have attached the scan log to this post.

 

P.S. I have been able to install the following programs: Malwarebytes (free version), RogueKiller, Zemana Anti-Malware (installed but won't open) and Farbar Recovery Scan Tool.

 

And I have tried, but with NO SUCCESS, to use other anti-malware programs like Kaspersky's TDSSKiller, Hitman Pro, Zemana Anti-Malware and Emsisoft Anti-Malware. None of these programs' setups even open; every time I try to run their setup, I get an error: "THE REQUESTED RESOURCE IS IN USE".

 

So then I used the Farbar Recovery Scan Tool and here are the "scan" results. Both the FRST and Addition logs are attached to this post.

 

I would really appreciate all the help I can get, so as to make my PC clean again. Thank you for your assistance.



Edited by AmericanBoi87, 25 October 2017 - 06:14 PM.




#2 AmericanBoi87


Posted 25 October 2017 - 01:30 PM

Just doing an update on what else I've done: I just ran AdwCleaner and did a "clean up" after the scan was done. The log of that scan is attached here.

 

After the scan was completed, the PC was rebooted and the above log was the one which was generated. Now I won't do anything else, and I await your instructions in this matter. Thank you in advance.



Edited by AmericanBoi87, 25 October 2017 - 06:16 PM.


#3 JSntgRvr

    Master Surgeon General
  • Malware Response Team
  • Location:Puerto Rico

Posted 25 October 2017 - 04:05 PM

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)

Let's begin... :)
 

 

 

 

 

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

 

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 AmericanBoi87


Posted 25 October 2017 - 05:50 PM

Hello JSntgRvr,

 

Thank you for your prompt reply. So I followed your instructions and downloaded the setup for Malwarebytes Anti-Rootkit.

 

However, when the setup file was named mbar-1.10.2.1002-nr.exe, I was unable to open it, as it said "the requested resource is in use", so I put it on the desktop, renamed it "explorer.exe", and then it was able to run.

 

After doing the scan, it detected 11 malware items and I did a "clean up" of them and the PC rebooted.

 

I searched my PC and found the mbar folder; the logs are posted below. I'm sorry for the confusion. I thought the logs were meant to show up as pop-ups after the system reboot.

 



Edited by AmericanBoi87, 25 October 2017 - 06:10 PM.


#5 JSntgRvr


Posted 25 October 2017 - 06:39 PM

Outstanding :)
  • Highlight the entire content of the quote box below.

Start::
Reg: reg delete "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\wtmhdkernel" /f
2016-09-07 15:26 - 2017-10-25 01:12 - 000000073 _____ () C:\Users\Aman\AppData\Roaming\sp_data.sys
2017-02-02 00:05 - 2017-02-03 01:05 - 000000102 _____ () C:\Users\Aman\AppData\Roaming\WB.CFG
2016-12-14 17:30 - 2017-08-18 16:16 - 000000552 _____ () C:\Users\Aman\AppData\Local\TroubleshooterConfig.json
2017-09-12 12:45 - 2017-09-12 12:45 - 000000004 _____ () C:\ProgramData\abl.3ets
2014-07-17 06:58 - 2014-07-17 06:58 - 000000000 ____H () C:\ProgramData\DP45977C.lfl
2014-05-15 11:58 - 2012-09-07 07:40 - 000000256 _____ () C:\ProgramData\SetStretch.cmd
2014-05-15 11:58 - 2009-07-22 06:04 - 000024576 _____ () C:\ProgramData\SetStretch.exe
2014-05-15 11:58 - 2012-09-07 07:37 - 000000103 _____ () C:\ProgramData\SetStretch.VBS
S3 OpenVPNService; "C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe" [X]
S1 bbeqegjj; \??\C:\Windows\system32\drivers\bbeqegjj.sys [X]
GroupPolicy: Restriction <==== ATTENTION
Task: {972A6FEF-2FC4-4C10-BA47-BAD344614946} - System32\Tasks\Update\Update => cmd /c type "C:\Users\Aman\AppData\Local\Temp\Update.txt" | cmd <==== ATTENTION
Task: {97EAFA72-2925-4C75-ACDB-B70397557D78} - System32\Tasks\VoiceMars => C:\Windows\system32\rundll32.exe "C:\Program Files\VoiceMars\VoiceMars.dll",ELMZJEMO <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-2727897549-728201087-556530888-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Aman\AppData\Local\Microsoft\OneDrive\17.3.6966.0824\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2727897549-728201087-556530888-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Aman\AppData\Local\Microsoft\OneDrive\17.3.6966.0824\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2727897549-728201087-556530888-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Aman\AppData\Local\Microsoft\OneDrive\17.3.6966.0824\amd64\FileSyncShell64.dll => No File
2017-10-24 22:45 - 2017-05-14 15:06 - 001737600 _____ (Microsoft Corporation) C:\Users\Aman\AppData\Local\Temp\dllnt_dump.dll
Task: {972A6FEF-2FC4-4C10-BA47-BAD344614946} - System32\Tasks\Update\Update => cmd /c type "C:\Users\Aman\AppData\Local\Temp\Update.txt" | cmd <==== ATTENTION
2017-10-25 01:37 - 2017-10-25 01:37 - 001175040 _____ () C:\Users\Aman\AppData\Local\Temp\is-CRPI9.tmp\Zemana.AntiMalware.Setup.tmp
2017-10-25 01:37 - 2017-10-25 01:37 - 001175040 _____ () C:\Users\Aman\AppData\Local\Temp\is-86VUB.tmp\Zemana.AntiMalware.Setup.tmp
FirewallRules: [{9EA99304-8C48-4B40-B477-E9BDB73AAE59}] => (Allow) C:\Users\Aman\AppData\Local\Temp\RemoveTemp.exe
FirewallRules: [{5F269D0B-9803-4679-8ED9-05DE82F008F6}] => (Allow) C:\Users\Aman\AppData\Local\Temp\RemoveTemp.exe
2017-10-25 01:37 - 2017-10-25 01:37 - 001175040 _____ () C:\Users\Aman\AppData\Local\Temp\is-CRPI9.tmp\Zemana.AntiMalware.Setup.tmp
2017-10-25 01:37 - 2017-10-25 01:37 - 001175040 _____ () C:\Users\Aman\AppData\Local\Temp\is-86VUB.tmp\Zemana.AntiMalware.Setup.tmp
Folder: C:\Windows\System32\Drivers
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-1878.1878-3.4.5.2467.exe and follow the prompts to install the program.
  • Once the program has fully updated, Proceed with the Scan options and select "Threat Scan".
  • The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.
[screenshot: Malwarebytes Premium scan methods]
  • After a scan has been executed, scan results are displayed.
  • Put a checkmark on all detected and click on "Quarantine Selected"
  • Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.
You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.

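As an added illustration, not part of this thread or of FRST itself, here is a small Python triage script that applies defender-side heuristics to FRST-format lines such as those in the fix list above: an early-start driver with a pseudo-random name, a scheduled task that pipes a Temp file into cmd, a task that runs a DLL export through rundll32, and a firewall allow rule for an executable in Temp. The sample input is constructed from that fix list, and the matching rules (including the 8-lowercase-letter driver-name check) are the editor's own assumptions, not logic from FRST or from the helper.

```python
import re

# Constructed sample in FRST's own line format: the entries the fix list in post #5
# targets, plus one benign service line (OpenVPN) that the rules must NOT flag.
SAMPLE_LINES = r"""
S1 bbeqegjj; \??\C:\Windows\system32\drivers\bbeqegjj.sys [X]
S3 OpenVPNService; "C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe" [X]
Task: {972A6FEF-2FC4-4C10-BA47-BAD344614946} - System32\Tasks\Update\Update => cmd /c type "C:\Users\Aman\AppData\Local\Temp\Update.txt" | cmd <==== ATTENTION
Task: {97EAFA72-2925-4C75-ACDB-B70397557D78} - System32\Tasks\VoiceMars => C:\Windows\system32\rundll32.exe "C:\Program Files\VoiceMars\VoiceMars.dll",ELMZJEMO <==== ATTENTION
FirewallRules: [{9EA99304-8C48-4B40-B477-E9BDB73AAE59}] => (Allow) C:\Users\Aman\AppData\Local\Temp\RemoveTemp.exe
"""

# Line shapes as they appear in FRST output (start type, service name, image path, ...).
SERVICE_RE = re.compile(r'^S([0-4]) ([^;]+); "?(.+?)"? \[X\]$')
TASK_RE = re.compile(r'^Task: \{[0-9A-F-]+\} - (\S+) => (.+?)(?: <==== ATTENTION)?$')
FIREWALL_RE = re.compile(r'^FirewallRules: \[\{[0-9A-F-]+\}\] => \(Allow\) (.+)$')


def triage(frst_text):
    """Return a list of (subject, reason) for every line that trips a heuristic."""
    findings = []
    for line in frst_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            start, name, path = m.groups()
            stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
            # Heuristic (assumption): a boot/system-start driver whose file name is a
            # random-looking 8-letter string equal to the service name is worth a look.
            if int(start) <= 1 and re.fullmatch(r'[a-z]{8}', stem) and stem == name:
                findings.append((name, 'early-start driver service with pseudo-random name'))
            continue
        m = TASK_RE.match(line)
        if m:
            task, action = m.groups()
            if re.search(r'\|\s*cmd\b', action):            # "type file | cmd" pattern
                findings.append((task, 'scheduled task pipes a file into cmd'))
            elif re.search(r'rundll32\.exe .*\.dll",\w+$', action, re.I):
                findings.append((task, 'scheduled task runs a DLL export through rundll32'))
            continue
        m = FIREWALL_RE.match(line)
        if m and re.search(r'\\Temp\\', m.group(1), re.I):  # allow rule for a Temp binary
            findings.append((m.group(1), 'firewall allow rule for an executable in Temp'))
    return findings


if __name__ == '__main__':
    for subject, reason in triage(SAMPLE_LINES):
        print(f'{reason}: {subject}')
```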


#6 AmericanBoi87


Posted 26 October 2017 - 12:52 AM

Hi again JSntgRvr Sir,

 

I have done all the scans in the order in which you wrote them, and the logs of all scans are attached to this post.

 

I have a request to make, please. Once my PC has been disinfected, please tell me what antivirus or other protection programs I can use so as to prevent re-infection by any malware in the future. Thank you in advance.




#7 JSntgRvr


Posted 26 October 2017 - 12:53 PM

The system seems clear, Congratulations. :)

 

Use the following application to remove part of the tools used and their quarantined files:

 

Please download DelFix by Xplode and save to your Desktop.

  • Double-click on delfix.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator.
  • Put a check mark next to these items:
    - Remove disinfection tools
    - Create registry backup
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report (DelFix.txt).

 

Always maintain your antivirus active and updated.

 

Best regards. :)




#8 AmericanBoi87


Posted 26 October 2017 - 01:19 PM

Wow, this site is awesome! Mr.JSntgRvr Sir, you have been a grrrrrrreat help. Thankkkk you!
 
I have downloaded and run DelFix and the log is posted below.

 

I am thinking of buying Emsisoft Internet Security and Malwarebytes Premium. Are those good choices?



Edited by AmericanBoi87, 26 October 2017 - 01:20 PM.


#9 JSntgRvr


Posted 26 October 2017 - 03:27 PM

Wow, this site is awesome! Mr.JSntgRvr Sir, you have been a grrrrrrreat help. Thankkkk you!
 
I have downloaded and run DelFix and the log is posted below.

 

I am thinking of buying Emsisoft Internet Security and Malwarebytes Premium. Are those good choices?

Both applications are mostly the same. I would say AVAST and Malwarebytes Antimalware will be a good combination.




#10 AmericanBoi87


Posted 29 October 2017 - 01:41 PM

Great, thanks. I'll get both those installed and running on my system.

 

Your help was greatly appreciated, as you saved me from going to a shop and paying a lot of $$$. Have a great weekend.



#11 JSntgRvr


Posted 29 October 2017 - 02:40 PM

Thank you. Don't spend too much. :)




#12 JSntgRvr


Posted 29 October 2017 - 02:40 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
