The computer is infected with a variant of the SmarService Rootkit. Very difficult to remove, but with the right protocol we may be able to do so.
You will need another computer to download FRST64 to a USB drive, run FRST64 in the Recovery Environment, then back in Normal Mode.
Please download Farbar Recovery Scan Tool in an uninfected computer and save it to a flash drive (Pen Drive).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. In your case is FRST64.exe
Please also download the attached file and save it in the same location the FRST64 is saved in the flash drive.
Boot to the Recovery Console's Command prompt in the infected computer.
To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums
After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. The PC will restart into the WinRE and the selected feature is launched.
On the boot options, select Troubleshooting > Advanced Options > Command prompt.
Once in the Command Prompt:
- Insert the USB drive containing FRST64 and the Fixlist
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst64 and press Enter
Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- First press the Scan button. That will deactivate the rootkit, once the scan is finished, press the Fix button.
- These actions will make two logs, a Fixlog.txt and a FRST.txt logs in the flash drive. Please copy and paste them in your reply.
Once finished in the Recovery Environment, restart the computer in Normal Mode.
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. In your case is FRST64.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Make sure that under Optional Scans, there is a checkmark on Addition.txt.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
- The tool will also produce another log (Addition.txt ). Please attach this to your reply.
I will expect the following reports:
Frst.txt produced in the Recovery Console
Fixlog.txt produced in the Recovery Console
Frst.txt produced in Normal Mode
Addition.txt produced in Normal Mode
No request for help throughout private messaging will be attended.
If I have helped you, consider making a donation to help me continue the fight against Malware!