
Trojan virus/rootkit.


  • This topic is locked
10 replies to this topic

#1 hyunjin

hyunjin

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:39 PM

Posted 24 December 2017 - 06:34 PM

Attached Files




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:39 PM

Posted 25 December 2017 - 09:55 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I have identified a bad SmartService infection.
We have some work to do.

Launch FRST and copy/paste the following inside the text area. Once done, click on the Fix button. Afterwards, a file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
End::


Wait for further instructions.

#3 hyunjin

hyunjin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:39 PM

Posted 25 December 2017 - 02:06 PM

I don't know how to attach the file so I just copied and pasted it. 
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 23-12-2017 01
Ran by chris (25-12-2017 13:03:52) Run:1
Running from C:\Users\chris\Downloads
Loaded Profiles: chris (Available Profiles: chris)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
 
*****************
 
 
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= bcdedit.exe /set {default} recoveryenabled yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= fltmc instances =========
 
Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----   --------  --------
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo              C:                                         40500     FileInfo                  0     00000007  
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo              \Device\Mup                                40500     FileInfo                  0     00000007  
MBAMChameleon                                                   400900     MBAMChameleon             0     00000000  
MBAMChameleon         C:                                        400900     MBAMChameleon             0     00000000  
MBAMChameleon                                                   400900     MBAMChameleon             0     00000000  
MBAMChameleon         \Device\Mup                               400900     MBAMChameleon             0     00000000  
MBAMFarflt                                                      268150     MBAMFarflt                0     00000004  
MBAMFarflt            C:                                        268150     MBAMFarflt                0     00000004  
MBAMFarflt                                                      268150     MBAMFarflt                0     00000004  
MBAMProtection                                                  328800     MBAMProtection            0     00000004  
MBAMProtection        C:                                        328800     MBAMProtection            0     00000004  
MBAMProtection                                                  328800     MBAMProtection            0     00000004  
MBAMProtection        \Device\Mup                               328800     MBAMProtection            0     00000004  
Wof                   C:                                         40700     Wof Instance              0     00000007  
Wof                                                              40700     Wof Instance              0     00000007  
hnuklxra              C:                                         45666     hnuklxra Instance         0     00000000  
hnuklxra              \Device\Mup                                45666     hnuklxra Instance         0     00000000  
luafv                 C:                                        135000     luafv                     0     00000007  
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000000  
udiskMgr                                                         45888     udiskMgr Instance         0     00000000  
udiskMgr              C:                                         45888     udiskMgr Instance         0     00000000  
udiskMgr                                                         45888     udiskMgr Instance         0     00000000  
wcifs                 C:                                        189900     wcifs Instance            0     00000007  
 
========= End of CMD: =========
 
 
========= dir /a:-d /o:d C:\windows\system32\drivers =========
 
 Volume in drive C is OS
 Volume Serial Number is 781C-39B9
 
 Directory of C:\windows\system32\drivers
 
11/05/2008  08:45 AM            11,576 SSPORT.sys
03/07/2012  10:07 AM           128,512 tiehdusb.sys
05/12/2015  11:44 PM            19,976 AsHIDSwitch64.sys
05/25/2015  02:20 PM            21,816 AiCharger.sys
07/28/2015  12:01 AM           888,064 rt640x64.sys
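The `fltmc instances` table above is the part of that fix that matters for diagnosis: it lists every file-system minifilter attached to each volume, and a rootkit that hides files typically shows up here as a filter name nobody recognises, attached to the system drive at a low altitude. Reading that table by eye is tedious, so the following added example (written for this thread; it is not nasdaq's, BleepingComputer's or FRST's code) parses `fltmc instances` output and reports filter names that are absent from a known-good baseline. The embedded sample is a trimmed copy of the table posted above, and both the baseline set and the altitude-to-load-order-group table are assumptions for demonstration: on a real system the baseline should be built from a clean machine of the same Windows build and security products.

```python
"""Parse 'fltmc instances' output and flag minifilters missing from a baseline.

Added example for this thread (not nasdaq's, BleepingComputer's or FRST's code).
SAMPLE is a trimmed copy of the table posted in the thread; KNOWN_GOOD and
GROUPS are assumptions used for demonstration only.
"""
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the fltmc instances table posted above.
SAMPLE = r"""
Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----   --------  --------
FileInfo                                                         40500     FileInfo                  0     00000007
FileInfo              C:                                         40500     FileInfo                  0     00000007
MBAMProtection        C:                                        328800     MBAMProtection            0     00000004
Wof                   C:                                         40700     Wof Instance              0     00000007
hnuklxra              C:                                         45666     hnuklxra Instance         0     00000000
hnuklxra              \Device\Mup                                45666     hnuklxra Instance         0     00000000
luafv                 C:                                        135000     luafv                     0     00000007
udiskMgr              C:                                         45888     udiskMgr Instance         0     00000000
wcifs                 C:                                        189900     wcifs Instance            0     00000007
"""

# Assumed baseline of filters expected on this box (Windows built-ins plus the
# installed Malwarebytes filters). Build this from a clean reference machine.
KNOWN_GOOD = {"FileInfo", "Wof", "luafv", "npsvctrig", "wcifs",
              "MBAMChameleon", "MBAMFarflt", "MBAMProtection"}

# Subset of Microsoft's allocated minifilter altitude ranges (load order groups).
GROUPS = [
    (40000, 49999, "FSFilter Bottom"),
    (130000, 139999, "FSFilter Virtualization"),
    (180000, 189999, "FSFilter HSM"),
    (260000, 269999, "FSFilter Content Screener"),
    (320000, 329999, "FSFilter Anti-Virus"),
    (360000, 389999, "FSFilter Activity Monitor"),
    (400000, 409999, "FSFilter Top"),
]

# One table row. Volume Name may be empty; Instance Name may contain spaces.
ROW = re.compile(
    r"^(?P<filter>\S+)\s+"
    r"(?P<volume>.*?)\s+"
    r"(?P<altitude>\d+(?:\.\d+)?)\s+"
    r"(?P<instance>.+?)\s+"
    r"(?P<frame>\d+)\s+"
    r"(?P<sprtftrs>[0-9A-Fa-f]{8})\s*"
    r"(?P<vlstatus>\S*)\s*$"
)


def parse_instances(text):
    """Return one dict per data row of 'fltmc instances' output."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("---"):
            continue
        if line.startswith("Filter ") and "Altitude" in line:
            continue  # column header
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed fltmc line: {line!r}")
        row = m.groupdict()
        row["altitude"] = float(row["altitude"])
        row["frame"] = int(row["frame"])
        rows.append(row)
    return rows


def load_order_group(altitude):
    """Name the load order group an altitude falls in, or None if unlisted."""
    for lo, hi, name in GROUPS:
        if lo <= altitude <= hi:
            return name
    return None


def find_unknown_filters(rows, allowlist=KNOWN_GOOD):
    """Group filters absent from the baseline by name, with attached volumes."""
    found = defaultdict(lambda: {"altitude": None, "volumes": []})
    for row in rows:
        if row["filter"] in allowlist:
            continue
        entry = found[row["filter"]]
        entry["altitude"] = row["altitude"]
        entry["volumes"].append(row["volume"] or "(no volume)")
    return dict(found)


def report(text):
    """Human-readable lines for every filter not on the baseline."""
    lines = []
    for name, info in sorted(find_unknown_filters(parse_instances(text)).items()):
        group = load_order_group(info["altitude"]) or "unknown group"
        lines.append(f"{name}: altitude {info['altitude']:.0f} ({group}), "
                     f"attached to {', '.join(info['volumes'])}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print("UNRECOGNISED FILTER", line)
```

Run against the sample, the script reports only `hnuklxra` and `udiskMgr`, both at FSFilter Bottom altitudes and attached to `C:` (and, for `hnuklxra`, the network redirector `\Device\Mup`). That is exactly the pattern a responder wants surfaced before deciding on a recovery-environment removal; the same parser can be pointed at `fltmc instances` output captured from any machine.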



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:39 PM

Posted 26 December 2017 - 09:08 AM

Hi,

Thank you. For the next step, you'll need to download FRST and the fixlist.txt attached on a clean computer and move them on your USB Flash Drive. You cannot insert the USB in the infected computer if Windows is running. The computer needs to be shut down, or you need to be in the Recovery Environment. Otherwise, the infection will mess with the files on your USB and you'll have to download them again.

You'll need to download FRST and the fixlist.txt attached on a clean computer and move them on your USB. And before connecting your USB on the infected computer, it must be shut down, then you must boot directly in the Recovery Environment afterwards.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Let's start.

FOLLOW THE PROCEDURES FOR YOUR VERSION OF WINDOWS, 7 OR 10.

Item(s) required:

USB Flash Drive (size depends on whether you have to create a USB Recovery or Installation media)
CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
Another computer (optional: only needed if you cannot work from the infected computer directly)

Preparing the USB Flash Drive

Download the right version of FRST for your system:
64-bit or 32 bit version. Select the one you need.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Move the executable (FRST.exe or FRST64.exe) on your USB Flash Drive
Download the attached fixlist.txt and move it on your USB Flash Drive as well.

Boot in the Recovery Environment WINDOWS 7 USERS. See below for Windows 10.

Plug your USB Flash Drive in the infected computer
To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
Restart the computer
Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
Use the arrow keys to select Repair your computer, and press on Enter
Select your keyboard layout (US, French, etc.) and click on Next
Click on Command Prompt to open the command prompt

Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial https://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html on SevenForums.

WINDOWS 10 USERS.

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial https://www.tenforums.com/tutorials/36083-create-system-repair-disc-windows-10-a.html on TenForums.

Once in the command prompt

In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
Note: Replace the letter e with the drive letter of your USB Flash Drive
FRST will open
Click on Yes to accept the disclaimer
Click on the Fix button and wait for the scan to complete
A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Let me know what problem persists.

Attached Files



#5 hyunjin

hyunjin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:39 PM

Posted 26 December 2017 - 12:57 PM

Here is the fixlog. Thanks

 

Attached File  Fixlog.txt   7.64KB   2 downloads




#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:39 PM

Posted 26 December 2017 - 01:10 PM

Good work.

Please run the Farbar program and post a fresh FRST log for my review.

Let me know what problem persists.

#7 hyunjin

hyunjin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:39 PM

Posted 26 December 2017 - 01:55 PM

Attached File  FRST.txt   130.31KB   2 downloads

Attached File  Addition.txt   52.36KB   0 downloads



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:39 PM

Posted 26 December 2017 - 02:38 PM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-3580221259-212085990-1318806337-1003\...\Run: [banquettes] => "C:\Program Files (x86)\Hypocritically\leath.exe"
HKU\S-1-5-21-3580221259-212085990-1318806337-1003\...\Run: [banquettesbanquettes] => "C:\Program Files (x86)\Lagos\leath.exe"
HKU\S-1-5-21-3580221259-212085990-1318806337-1003\...\Run: [novels] => "C:\Program Files (x86)\Hypocritically\leath.exe"
HKU\S-1-5-21-3580221259-212085990-1318806337-1003\...\Run: [novelsnovels] => "C:\Program Files (x86)\Lagos\leath.exe"
HKU\S-1-5-21-3580221259-212085990-1318806337-1003\...\Run: [scurries] => "C:\Program Files (x86)\Hypocritically\leath.exe"
SearchScopes: HKU\S-1-5-21-3580221259-212085990-1318806337-1003 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={EFF5C8BC-EF60-4A65-B4CF-D8896ED93F40}&mid=2aa174781f9947ccbfbfcdfe6a03dd0b-7ccc01e2c99890fe0128e127cda86f670bf5f59e&lang=en&ds=AVG&coid=avgtbavg&cmpid=0717tb&pr=fr&d=2016-06-05 09:05:21&v=4.3.8.510&pid=wtu&sg=&sap=dsp&q={searchTerms}
BHO: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files\AVG Web TuneUp\4.3.8.566\AVG Web TuneUp.dll => No File
BHO-x32: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG Web TuneUp\4.3.8.566\AVG Web TuneUp.dll => No File
FF Plugin HKU\S-1-5-21-3580221259-212085990-1318806337-1003: tdameritrade.com/thinkorswim -> C:\Program Files\thinkorswim\npthinkorswim.dll [No File]
FF Plugin HKU\S-1-5-21-3580221259-212085990-1318806337-1003: tdameritrade.com/tossc -> C:\Program Files\thinkorswim\nptossc.dll [No File]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

#9 hyunjin

hyunjin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:39 PM

Posted 26 December 2017 - 02:53 PM

Attached File  Fixlog.txt   4.87KB   2 downloads



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:39 PM

Posted 27 December 2017 - 08:14 AM

Hi,

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#11 hyunjin

hyunjin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:39 PM

Posted 27 December 2017 - 12:01 PM

Thank you so much!


Edited by hyunjin, 27 December 2017 - 12:01 PM.




