Windows process Manager (32 bit) infection /virus


  • This topic is locked
17 replies to this topic

#1 roughtrade32

  • Members
  • 8 posts

Posted 01 February 2018 - 05:18 PM

Hello, I've searched all over for help with my issue. I've come across a few Windows Process Manager viruses and issues people were having, and I am positive I am having the same issue. My new desktop, which is only a month old, has been infected with this same virus and I really need assistance with it. I've scanned with MBAM, MBAR, AdwCleaner and my virus program; it has removed quite a few issues, but the processes remain along with a few suspicious .EXE files.

 

I ran a "fix" in FRST and a basic scan. Please help me as soon as possible. Thank you.

Attached Files





#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,220 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 February 2018 - 05:37 PM

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)

Let's begin... :)


This is one of the most difficult rootkits to remove. You will need an uninfected computer to download FRST64 to a USB flash drive. Once done, boot the infected computer to the Recovery Environment (WinRE) command prompt, insert the USB flash drive and run FRST64. The flash drive must be inserted in the infected computer only once you have reached the command prompt in WinRE.

You are using Windows 10.

Boot in the Recovery Environment

  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.

Once in the command prompt

 

  • Insert the USB flash drive into the computer.
  • In the command prompt, type notepad and press Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for it to complete
  • A log called frst.txt will be saved on your USB Flash Drive. Post it in your next reply

 

If you successfully run FRST64 in WinRE, boot in Normal Mode, and re-scan with Malwarebytes Antimalware and post its report.


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 roughtrade32

  • Topic Starter
  • Members
  • 8 posts

Posted 01 February 2018 - 06:07 PM

I had to make a recovery on an external hard drive earlier, but it did allow me to load into the command prompt. I scanned with FRST, then logged into reg mode and scanned with Malwarebytes as well. Here are the logs.

Attached Files



#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,220 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 February 2018 - 06:34 PM

Nice going! Let's do a sweep with RogueKiller and AdwCleaner.

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Your next reply(ies) should therefore contain:
  • Copy/pasted RogueKiller clean log
  • Copy/pasted AdwCleaner clean log




#5 roughtrade32

  • Topic Starter
  • Members
  • 8 posts

Posted 01 February 2018 - 07:15 PM

Done :)

Attached Files



#6 roughtrade32

  • Topic Starter
  • Members
  • 8 posts

Posted 01 February 2018 - 07:18 PM

Also, there is this Windows host process (Rundll32) that is odd, running in my processes.



#7 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,220 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 February 2018 - 07:56 PM

  • Highlight the entire content of the quote box below.

Start::  
2018-01-31 22:11 - 2018-01-31 22:11 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\104F.tmp.exe
2018-02-01 14:01 - 2018-02-01 14:01 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\12ED.tmp.exe
2018-01-31 22:18 - 2018-01-31 22:18 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\39FD.tmp.exe
2018-01-31 22:36 - 2018-01-31 22:36 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\5607.tmp.exe
2018-01-31 22:19 - 2018-01-31 22:19 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\6EF7.tmp.exe
2018-01-31 22:10 - 2018-01-31 22:10 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\79DB.tmp.exe
2018-01-31 22:10 - 2018-01-31 22:10 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\8C1B.tmp.exe
2018-01-31 22:09 - 2018-01-31 22:09 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\95B5.tmp.exe
2018-02-01 10:19 - 2018-02-01 10:19 - 000157897 _____ (9649) C:\Users\Rough\AppData\Local\Temp\AE60.tmp.exe
2018-01-31 22:18 - 2018-01-31 22:18 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\B711.tmp.exe
2018-01-31 22:19 - 2018-01-31 22:19 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\B7D8.tmp.exe
2018-01-31 22:12 - 2018-01-31 22:12 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\BF09.tmp.exe
2018-02-01 10:19 - 2018-02-01 10:19 - 000157897 _____ (9649) C:\Users\Rough\AppData\Local\Temp\D243.tmp.exe
2018-01-31 22:12 - 2018-01-31 22:12 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\DCF1.tmp.exe
2018-01-31 22:19 - 2018-01-31 22:19 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\F4C1.tmp.exe
2018-01-25 00:21 - 2018-01-25 00:21 - 000808944 _____ (Intel® Corporation) C:\Windows\System32\Drivers\SETA94B.tmp
2018-01-31 22:11 - 2018-01-31 22:11 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\104F.tmp.exe
2018-02-01 14:01 - 2018-02-01 14:01 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\12ED.tmp.exe
2018-01-31 22:18 - 2018-01-31 22:18 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\39FD.tmp.exe
2018-01-31 22:36 - 2018-01-31 22:36 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\5607.tmp.exe
2018-01-31 22:19 - 2018-01-31 22:19 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\6EF7.tmp.exe
2018-01-31 22:10 - 2018-01-31 22:10 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\79DB.tmp.exe
2018-01-31 22:10 - 2018-01-31 22:10 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\8C1B.tmp.exe
2018-01-31 22:09 - 2018-01-31 22:09 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\95B5.tmp.exe
2018-02-01 10:19 - 2018-02-01 10:19 - 000157897 _____ (9649) C:\Users\Rough\AppData\Local\Temp\AE60.tmp.exe
2018-01-31 22:18 - 2018-01-31 22:18 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\B711.tmp.exe
2018-01-31 22:19 - 2018-01-31 22:19 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\B7D8.tmp.exe
2018-01-31 22:12 - 2018-01-31 22:12 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\BF09.tmp.exe
2018-02-01 10:19 - 2018-02-01 10:19 - 000157897 _____ (9649) C:\Users\Rough\AppData\Local\Temp\D243.tmp.exe
2018-01-31 22:12 - 2018-01-31 22:12 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\DCF1.tmp.exe
2018-01-31 22:19 - 2018-01-31 22:19 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\F4C1.tmp.exe
C:\Users\Rough\AppData\Local\nvdharp
C:\Program Files (x86)\AMLyRCNlUIE
C:\Windows\System32\Tasks\CcUoDIeswNjImb
C:\Windows\System32\Tasks\bVyBIwMCwVjnlcc2
S3 ooorrr; system32\drivers\hhhlll.sys [X]
C:\Windows\system32\drivers\hhhlll.sys
C:\Users\Rough\AppData\Roaming\yvk2tvadjs2
C:\Users\Rough\AppData\Local\nihbotw
C:\Users\Rough\AppData\Local\exmhkip
C:\Users\Rough\AppData\Roaming\q3shjta5dem
C:\Windows\System32\lmmuvcxsvc.exe
C:\Users\Rough\AppData\Local\acsz
C:\Windows\SysWOW64\rekhucn
D C:\Windows\System32\rekhucn
C:\Users\Rough\AppData\Roaming\et
CMD: fltmc instances
Folder: C:\Windows\System32\Drivers
Reg: Reg query "HKLM\SYSTEM\Select"
HOSTS:
CMD: Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

 

Re-scan with FRST64 and post the resulting logs, Frst.txt and Addition.txt.


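As an added example, not code from this thread, from BleepingComputer or from Farbar, the Python below parses a fixlist in the format used in the post above and derives the checks a responder wants before and after running it: a count of entries by kind, targets that are listed more than once, lines that match none of the known forms (the `D C:\...` entry here is the one the follow-up post had to re-issue), and, after the fix, which removal targets still exist on disk. The line grammar (date-stamped file entries, bare paths, an `S3 name; image [X]` service line, and `Keyword:` directives such as `CMD:`, `Reg:`, `Folder:`, `EMPTYTEMP:` and `Reboot:`) is an assumption inferred from the script itself, and the embedded sample is a constructed excerpt of that script, not the full list.

```python
"""Parse an FRST fixlist and derive pre- and post-fix checks from it.

Added example for this thread; not BleepingComputer's or Farbar's code.
The line grammar is an assumption inferred from the script in post #7.
"""
import os
import re
from collections import Counter

# Constructed excerpt of the post #7 fixlist (not the full script).  The
# "D C:\..." line is the entry that post #9 had to re-issue on its own.
SAMPLE_FIXLIST = r"""
Start::
2018-01-31 22:11 - 2018-01-31 22:11 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\104F.tmp.exe
2018-02-01 10:19 - 2018-02-01 10:19 - 000157897 _____ (9649) C:\Users\Rough\AppData\Local\Temp\AE60.tmp.exe
2018-01-31 22:11 - 2018-01-31 22:11 - 002393088 _____ (Farbar) C:\Users\Rough\AppData\Local\Temp\104F.tmp.exe
C:\Users\Rough\AppData\Local\nvdharp
C:\Windows\System32\Tasks\CcUoDIeswNjImb
S3 ooorrr; system32\drivers\hhhlll.sys [X]
C:\Windows\system32\drivers\hhhlll.sys
C:\Windows\System32\lmmuvcxsvc.exe
D C:\Windows\System32\rekhucn
CMD: fltmc instances
Folder: C:\Windows\System32\Drivers
Reg: Reg query "HKLM\SYSTEM\Select"
HOSTS:
CMD: netsh advfirewall reset
EMPTYTEMP:
Reboot:
End::
"""

# FRST file line: created - modified - size attrs (company) path
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Service line: start type, name, image path, optional [X] = image file missing
SERVICE_RE = re.compile(r"^(?P<start>[SRU]\d) (?P<name>[^;]+); (?P<image>.+?)(?: \[(?P<flag>X)\])?$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")                               # bare file or folder to delete
DIRECTIVE_RE = re.compile(r"^(?P<key>[A-Za-z]+):(?: (?P<arg>.*))?$")   # CMD:, Reg:, Folder:, Reboot: ...


def classify(line):
    """Map one fixlist line to a dict; a line matching no known form is 'unrecognized'."""
    m = FILE_RE.match(line)
    if m:
        return {"kind": "file", "path": m["path"], "size": int(m["size"]), "company": m["company"]}
    m = SERVICE_RE.match(line)
    if m:
        return {"kind": "service", "name": m["name"], "image": m["image"],
                "missing_image": m["flag"] == "X"}
    if PATH_RE.match(line):
        return {"kind": "path", "path": line}
    m = DIRECTIVE_RE.match(line)
    if m:
        return {"kind": "directive", "key": m["key"], "arg": m["arg"] or ""}
    return {"kind": "unrecognized", "text": line}


def parse_fixlist(text):
    """Return the classified entries between Start:: and End::, in script order."""
    entries, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Start::":
            inside = True
        elif line == "End::":
            break
        elif inside:
            entries.append(classify(line))
    return entries


def removal_targets(entries):
    """Every file or folder path the fix is meant to delete."""
    return [e["path"] for e in entries if e["kind"] in ("file", "path")]


def duplicate_targets(entries):
    """Targets listed more than once (Windows paths compare case-insensitively)."""
    seen = {}
    for p in removal_targets(entries):
        seen.setdefault(p.lower(), []).append(p)
    return sorted(v[0] for v in seen.values() if len(v) > 1)


def unrecognized_lines(entries):
    """Lines matching none of the forms above; review these before running the fix."""
    return [e["text"] for e in entries if e["kind"] == "unrecognized"]


def verify_removed(entries, exists=os.path.exists):
    """Targets still present after the fix; exists() is injectable so this runs offline."""
    return [p for p in removal_targets(entries) if exists(p)]


def summarize(entries):
    return dict(Counter(e["kind"] for e in entries))


if __name__ == "__main__":
    parsed = parse_fixlist(SAMPLE_FIXLIST)
    print("entries by kind:", summarize(parsed))
    print("listed twice:", duplicate_targets(parsed))
    print("unrecognized:", unrecognized_lines(parsed))
    print("still present:", verify_removed(parsed))
```

Run it on the machine after the fix and reboot (or feed `verify_removed` a real fixlist read from disk) and an empty "still present" list is the confirmation the helper asks for when they request a re-scan; anything still listed is what to put in the next fixlist.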


#8 roughtrade32

  • Topic Starter
  • Members
  • 8 posts

Posted 01 February 2018 - 08:10 PM

After the first scan my computer restarted on its own. On the startup screen with the Acer logo, a line appears about fixing a drive, a bunch of numbers and letters and // with 100% at the end. It's been there since the infection. Thank you so much, sir, for all of your help, by the way :)

Attached Files



#9 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,220 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 February 2018 - 09:34 PM

All looks clear in the logs. Just an entry that was not removed due to an error in the script.

 

  • Highlight the entire content of the quote box below.

Quote

Start::  
C:\Windows\System32\rekhucn
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Give it a restart and test. Let me know of any issues.


Edited by JSntgRvr, 01 February 2018 - 09:34 PM.
typo



#10 roughtrade32

  • Topic Starter
  • Members
  • 8 posts

Posted 01 February 2018 - 09:58 PM

When I restart the computer, that fixing-drive message is still there and it does not just boot to Windows. First it opens a gray and black screen asking me to pick Windows 10, something with Boot Manager, and pressing F8... or was it F10, for more choices? How do I fix that? Besides that I am not seeing anything; it's loading OK, no processes running that are odd. Thank you very much for the help.

 

Also, after this, would it be a good idea to refresh Windows, maybe? Or do anything else just to be safe?


Edited by roughtrade32, 01 February 2018 - 10:01 PM.


#11 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,220 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 February 2018 - 10:15 PM

Perhaps it was the fixlist you ran before posting.

 

Open an Administrator command prompt. At the prompt copy and paste the following and press enter:

 

bcdedit.exe /set {bootmgr} displaybootmenu no

 

Type Exit to return to Windows and restart.

 

Let me know if that menu returns.




#12 roughtrade32

  • Topic Starter
  • Members
  • 8 posts

Posted 01 February 2018 - 10:26 PM

It did not; it goes straight to the login now, thank you :). On the Acer load screen that file path is still showing up, saying fixing drive /// and the 100% at the end. Is this an issue or will it just be there from now on? It was never there until the infection happened.



#13 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,220 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 February 2018 - 11:58 PM

I found a few issues with that. What is F9 used for at boot? If it is some type of Restore, what would be restored?




#14 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,220 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 03 February 2018 - 09:46 AM

Any progress?




#15 roughtrade32

  • Topic Starter
  • Members
  • 8 posts

Posted 04 February 2018 - 01:20 PM

I'm sorry for not getting back. Not sure if this is still open. I'm not quite sure what you mean by what F9 is used for at boot or what would be restored?





