
Trojan: Windows Process Manager (32 bit)


13 replies to this topic

#1 airplaneBEN

Posted 29 April 2018 - 12:22 PM

Hello,

 

Recently, I made the tragic mistake of clicking on the incorrect download link on a website and installing some malicious software on my PC. Checking in Task Manager, the software seems to be called "Windows Process Manager (32 bit)"; it is also made up of many sub-processes of the same name. When I right-click one of these processes in Task Manager, I can see that the file is located in C:\Users\Ben\AppData\Local\dtezpro. When I try to delete this dtezpro folder, I am told that I do not have permissions, and I am also unable to change the folder permissions. This program seems to tank my CPU and memory, and I believe that it is caused by a trojan.

 

I have viewed other forums with people who describe having the same problem, but with some slight differences. Like many of those other cases, the program also installed all kinds of adware and browser hijackers. However, I managed to remove most of that stuff by reinstalling my browsers and uninstalling the PUPs and their folders via Control Panel > Programs and Features. I also deleted many of their folders manually.

 

I also can't seem to fix Microsoft Edge, which appears to still be hijacked. While I have google.com set to be my default search engine, every search I make redirects instantly and makes the search on Bing instead. Although I do not prefer using Edge, the idea of having this on my computer bothers me. I was able to fix this problem with Firefox and Chrome because I was able to uninstall and reinstall those browsers, but as you probably know, that is not possible with Edge.

 

There is also one more piece of software that I cannot remove. It is called rtkbwvcsvc.exe. I cannot seem to end this program in TM and it is installed in C:\Windows\System32 (important folder). I also cannot delete this exe from my System32 folder.

 

I tried using File Assassin to kill these files to no avail. Although Malwarebytes seems to detect the malware, it doesn't successfully remove it. Also, when Malwarebytes tries to remove the software, it asks me to restart my PC. After doing so and logging into my desktop, I am unable to open Malwarebytes again and I am required to uninstall and reinstall Malwarebytes in order for it to work. I also ran FRSTx64 and will attach its text files.

 

If there is any other information you need, let me know! I really don't want to have to re-image my PC, and if anyone can walk me through getting this crap off my computer, I will be forever in your debt. Thank you.

 

Ben

 

P.S.

I have attached screenshots of the locations of the files as well how they appear in TM. Plus the three text files that were created by FRST.

Attached Files




#2 nasdaq (Malware Response Team)

Posted 30 April 2018 - 10:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I have identified a bad SmartService infection.

You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...

To see if you can run the following to enable Recovery Environment...

Open FRST on the compromised computer:

Copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::


On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
Copy and paste its content in your next reply
---

Let me know if you have access to a good computer and a flash drive.

Post the log and wait for further instructions.

#3 airplaneBEN (Topic Starter)

Posted 30 April 2018 - 05:00 PM

I think this just got more interesting.

 

When I run the fix in FRST with the text copied into the box, I get an error saying that no fixlist.txt file is found and that this fixlist.txt file should be located in the same directory as FRST. When trying to create a text file named fixlist.txt, I am told that I do not have permission to name the file. If I try to name the file ANYTHING ELSE, it works fine, but for some reason I do not have permission to create a file named fixlist.txt.

 

I do have access to another computer and a USB flash drive.

Attached Files



#4 nasdaq (Malware Response Team)

Posted 01 May 2018 - 07:43 AM

Hi,

Let's try this.

Preparing the USB Flash Drive

Boot up your spare PC:
Plug in the flash drive, navigate to that drive, right click on it direct and select format. Quick option is adequate.

Next,

On that same PC download the right version of Farbar program for your system to Desktop or the Flash drive.
64-bit or 32 bit version. Select the one you need.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

If the files were saved on the Desktop, move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive.
 

How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64


Do not plug Flash Drive into sick PC until booted to Recovery Environment.

===

Boot the compromised PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference...

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10

Select in this order
"Troubleshoot" > "Advanced Options" > "Command Prompt"


Once in the command prompt

Plug your USB Flash Drive in the infected computer

In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
Note: Replace the letter e with the drive letter of your USB Flash Drive
FRST will open
Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Post the Fixlog.txt and the FRST.txt logs for my review.

Wait for further instructions.

#5 airplaneBEN (Topic Starter)

Posted 02 May 2018 - 06:06 PM

Should I also run these commands once I get into the FRST in the recovery environment?

 

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::

 

Or are those commands just for the "fix" part of FRST?

 

I have not yet booted into recovery environment as I wanted to ask this question first. I apologize if I take too long to respond as I am very busy during my school day. 



#6 nasdaq (Malware Response Team)

Posted 03 May 2018 - 07:10 AM

Hi,

Or are those commands just for the "fix" part of FRST?


Yes, it confirms that your Recovery Environment is working well.

Take your time with this fix, read carefully before proceeding.

#7 airplaneBEN (Topic Starter)

Posted 03 May 2018 - 06:16 PM

Ok

 

I can't seem to boot into Windows Recovery Environment. All of the methods I tried from the website simply restarted my computer and booted into regular Windows. I almost accessed the recovery environment by going into my boot menu and selecting Windows Boot Manager, but it failed to load into the recovery environment as I am apparently missing a file for that. According to the screen, the missing file is located in ..\system32\winload.efi.

 

I actually have another flashdrive with a tool known as Gandalf's Windows 10PE Redstone on it. I also successfully managed to boot into this environment. Could this tool be helpful? If not, that is fine, it was just an idea I had when I remembered I had this tool.

 

 



#8 nasdaq (Malware Response Team)

Posted 04 May 2018 - 07:53 AM

Hi,

I actually have another flashdrive with a tool known as Gandalf's Windows 10PE Redstone on it. I also successfully managed to boot into this environment.


Not sure, never used that.

You can try but make sure you can boot to the Recovery Environment,

Then follow the instructions on post no. 4.

and Start from this section.

Boot the compromised PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference...

If not, then let me know and I will give you another alternative.

#9 airplaneBEN (Topic Starter)

Posted 04 May 2018 - 01:07 PM

Ok, but I still can't get into the recovery environment. I have tried all of the methods, and all it does is restart my computer and bring me back into regular Windows.



#10 nasdaq (Malware Response Team)

Posted 04 May 2018 - 01:31 PM

Hi,

Proceed this way.

Read carefully, and if help is needed before proceeding please let me know.

If your computer does not have the Windows Recovery Environment installed and available you can use the following method to run the Recovery Environment from a bootable USB disk.

NOTE: This USB disk needs to be created from a clean computer. You cannot use an infected computer for this process

NOTE: An 8GB USB 2.0 stick is required or at least recommended. In some cases a USB 3.0 disk can be used but some computers have issues booting from USB 3.0 disks.

Example drive (no endorsement implied, example only) - This drive example has not been tested by me. It is an older 2015 model with many good reviews though.

Amazon: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)

NewEgg: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)


STEP 1

Download a Windows 10 ISO image from Microsoft.

Method A: Using the Microsoft Media Creation Tool

https://www.microsoft.com/en-gb/software-download/windows10

Download the Media Creation Tool: https://go.microsoft.com/fwlink/?LinkId=691209

Follow the instructions displayed on the tool to download the Windows 10 ISO image.

In my testing I was not prompted for a license key to download the latest Windows 10 ISO image.

At the time of this writing 2017/12/21 there was only one ISO image offered. Windows 10

32-bit x86 or 64-bit x64


Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit


Method B: If Method A: above is not working for you then you can try the following method

Microsoft Windows and Office ISO Download Tool (this is not an authorized Microsoft tool, but appears to be legal)

https://www.heidoc.net/joomla/technology-science/microsoft/67-microsoft-windows-and-office-iso-download-tool

Download: https://www.heidoc.net/php/Windows%20ISO%20Downloader.exe

STEP 2

If you were unable to use the Windows Media Creation Tool in STEP 1 to create a USB disk then you can use this tool to burn the Windows 10 ISO image from STEP 1 above.

Download the Windows USB/DVD Download Tool from GitHub and save it to your computer.

English version: https://github.com/mantas-masidlauskas/wudt/raw/master/Downloads/Windows7-USB-DVD-Download-Tool-Installer-en-US.exe

Then install the Windows USB/DVD Download Tool and run it to burn a bootable USB disk from the ISO image. Browse to the location where you saved the Windows 10 ISO image in STEP 1

Note: This tool should work on XP, Vista, Windows 7, or Windows 10 - it is simply used to make a bootable USB disk. Remember, all of this needs to be done on a clean computer.



STEP 3

Please download the Farbar Recovery Scan Tool and save it to your desktop or other location you know where it's saved to. Then copy it to the USB disk you just created.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

STEP 4

Shut down the infected computer. Do Not insert the USB disk you created until the infected computer has been shut down.

Once the computer is shut down, insert the newly created Windows 10 USB disk into the infected computer, power it back on and press the appropriate key to bring up the boot menu. The link below will help show you which key is used by various computer manufacturers to bring up the boot menu. Most will be either USB or UEFI depending on hardware and settings. If the computer boots up into normal Windows instead of the USB stick it may become infected and need to be completely redone again. Make sure you select the correct boot option.

How to Boot Your Computer from a USB Flash Drive

STEP 5

Once the computer starts to boot up from the USB disk, follow the screens and directions below.


You will need to open NOTEPAD.EXE to help find out which drive is your Windows drive and which drive is your USB disk drive you just created


For the more advanced user you could also use DISKPART to help locate which drive is mapped to your USB disk. In most cases the USB disk will be either D: or E: but depending on hardware the drive could be a much higher level such as H: or higher.

Example only - your hardware will look different

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     Z                       DVD-ROM         0 B  No Media
  Volume 1     C                NTFS   Partition    931 GB  Healthy    System
  Volume 2     Q   SEA-USB-4.0  NTFS   Partition   3725 GB  Healthy
  Volume 3     D                NTFS   Removable   7636 MB  Healthy

Go back to the DOS Command Prompt (if you used DISKPART type in Exit and press the Enter key) and type in the following and press the Enter key.

CD /D D: (or E: or whichever drive letter the USB stick is on)

Then type in CD\
and press the Enter key to get to the root or top of the USB disk.

Then type in FRST or FRST64 (depending on which version your computer uses) and click the Scan button.

A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

If all went well you should now be able to boot into Normal Mode and run Malwarebytes and run a Threat Scan to have it finish the removal process.
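As an added example (not code from the thread or from any of the tools it names), a small Python parser for DISKPART's "list volume" table: it reads the column boundaries from the dashed ruler line instead of hard-coding them, picks out the volume DISKPART reports as Removable, and fills that letter into the three commands typed above. The listing it works on is constructed to match the example output in this post.

```python
import re

# Constructed DISKPART output, laid out like the "list volume" example in post #10 above.
SAMPLE_LISTING = """\
DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     Z                       DVD-ROM         0 B  No Media
  Volume 1     C                NTFS   Partition    931 GB  Healthy    System
  Volume 2     Q   SEA-USB-4.0  NTFS   Partition   3725 GB  Healthy
  Volume 3     D                NTFS   Removable   7636 MB  Healthy
"""


def parse_list_volume(listing: str) -> list[dict[str, str]]:
    """Parse DISKPART's fixed-width table into one dict per volume, keyed by header name.

    Column boundaries come from the dashed ruler line rather than fixed offsets, so the
    parser still works when DISKPART widens a column to fit a long label.
    """
    lines = listing.splitlines()
    ruler = next(i for i, l in enumerate(lines) if re.fullmatch(r"\s*-+(?:\s+-+)*\s*", l))
    header = lines[ruler - 1]
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    # Each column runs from its ruler start to the next column's start (last one: to end of line).
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    rows = []
    for line in lines[ruler + 1:]:
        if line.strip():
            rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, bounds)})
    return rows


def removable_volumes(listing: str) -> list[dict[str, str]]:
    """Only the volumes DISKPART reports as Removable (USB sticks, card readers)."""
    return [v for v in parse_list_volume(listing) if v["Type"].lower() == "removable"]


def frst_launch_commands(listing: str, x64: bool = True) -> list[str]:
    """The three commands from this post, with the drive letter taken from the listing.

    Refuses to guess when there is not exactly one lettered Removable volume, which is
    the case to watch for on machines with card readers or a second stick plugged in.
    """
    candidates = [v for v in removable_volumes(listing) if v["Ltr"]]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one lettered removable volume, found {len(candidates)}")
    letter = candidates[0]["Ltr"]
    return [f"CD /D {letter}:", "CD\\", "FRST64" if x64 else "FRST"]


if __name__ == "__main__":
    for v in parse_list_volume(SAMPLE_LISTING):
        print(f"{v['Volume ###']:<10} {v['Ltr'] or '-':<3} {v['Type']:<10} {v['Size']:>8}")
    print("\n".join(frst_launch_commands(SAMPLE_LISTING)))
```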

#11 airplaneBEN (Topic Starter)

Posted 04 May 2018 - 04:03 PM

Okay

 

I managed to get into the Recovery Environment with the bootable drive. Here is the FRST.txt file. The Malwarebytes threat scan came up clean. 

 

 

 

I actually have another flashdrive with a tool known as Gandalf's Windows 10PE Redstone on it. I also successfully managed to boot into this environment.

 

It is worth mentioning that earlier today I used the previously mentioned Gandalf's Windows 10PE environment to successfully delete the folder located in C:\Users\Ben\AppData\Local\dtezpro, which was the location of the malicious Windows Process Manager (32 bit). That program no longer runs on the infected computer. After that, I ran a Malwarebytes threat scan which located some bad registry keys and some other bad folders. I deleted those keys and deleted those folders.

 

A threat scan now detects no threats, but I am still unsure if my computer is completely cleaned at this point.

Attached Files



#12 nasdaq (Malware Response Team)

Posted 05 May 2018 - 07:51 AM

Hi,

Nice work.


Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start::

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\Ben\...\Run: [PJ8qKP4Oo'.exe] => C:\Program Files\Windows Mail\W9MWZ7ZLDDLHZIKEJKS8H3JSWW\PJ8qKP4Oo'.exe
GroupPolicy: Restriction - Windows Defender <==== ATTENTION
S2 889d079228a00174eb28516ba67a3fb9; C:\WINDOWS\zbvrfhpqautlcbrj.dll [1408512 2018-04-28] ()
S2 5e2e3940e911ec84d761d456c46fc2a7; "C:\Program Files\5e2e3940e911ec84d761d456c46fc2a7\f83c7496edb6684e89960c5c49caf921.exe" [X]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
2018-05-04 12:03 - 2018-05-04 12:03 - 000000000 ____D C:\Users\Ben\AppData\Local\raigotx
2018-05-04 11:46 - 2018-05-04 11:46 - 000000000 ____D C:\Users\Ben\AppData\Local\spnwlht
2018-05-04 11:13 - 2018-05-04 15:33 - 000000000 ____D C:\Users\Ben\AppData\Local\dtezpro
2018-05-04 11:13 - 2018-05-04 11:13 - 000000000 ____D C:\Users\Ben\AppData\Local\cwegumo
2018-05-04 11:08 - 2018-05-04 12:01 - 002888704 _____ C:\Windows\System32\rtkbwvcsvc.exe
2018-05-04 10:52 - 2018-05-04 10:52 - 000000000 ____D C:\Users\Ben\AppData\Local\wednavc
2018-05-04 10:48 - 2018-05-04 10:48 - 000000000 ____D C:\Users\Ben\AppData\Local\wemgvtl
2018-05-03 16:17 - 2018-05-03 16:17 - 000000000 ____D C:\Users\Ben\AppData\Local\pwhekba
2018-05-03 16:06 - 2018-05-03 16:06 - 000000000 ____D C:\Users\Ben\AppData\Local\sibtgro
2018-04-29 10:09 - 2018-04-29 10:09 - 000000000 ____D C:\Users\Ben\AppData\Local\msovzxi
2018-04-29 10:08 - 2018-05-04 14:01 - 000000000 ____D C:\Users\Ben\AppData\Local\vskadtu
2018-04-28 16:56 - 2018-04-29 10:01 - 000000000 ____D C:\Users\Ben\AppData\Local\pcklura
2018-04-28 16:56 - 2018-04-28 16:56 - 000000000 ____D C:\Users\Ben\AppData\Local\sesckth
2018-04-28 14:39 - 2018-04-28 14:39 - 000000000 ____D C:\Users\Ben\AppData\Local\ElDewrito
2018-04-28 13:45 - 2018-04-28 13:45 - 000000000 ____D C:\Users\Ben\AppData\Local\lmmzwtr
2018-04-28 13:44 - 2018-04-28 15:44 - 000000000 ____D C:\Users\Ben\AppData\Local\svbdkca
2018-04-28 10:48 - 2018-05-04 15:33 - 000000000 ____D C:\Users\Ben\AppData\Local\wmcagent
2018-04-28 10:48 - 2018-04-28 13:39 - 000000000 ____D C:\Users\Ben\AppData\Local\weaikuc
2018-04-28 09:16 - 2018-04-28 09:16 - 000000000 ____D C:\Windows\SysWOW64\psdcaru
2018-04-28 09:16 - 2018-04-28 09:16 - 000000000 ____D C:\Windows\System32\psdcaru
2018-04-27 21:32 - 2018-04-27 21:32 - 000000000 ____D C:\Users\Ben\Desktop\ZeldaSave
C:\Program Files\Windows Mail\W9MWZ7ZLDDLHZIKEJKS8H3JSWW\PJ8qKP4Oo'.exe
C:\WINDOWS\zbvrfhpqautlcbrj.dll
AlternateDataStreams: C:\ProgramData\TEMP:F25DDE13 [380]

End::
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

The computer will restart after the fix.
Run the Farbar program in Normal mode and post a fresh FRST log for my review.

Please let me know what problem persists with this computer.
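As an added example (not code from the thread or from the Farbar tool), a small Python triage that reads FRST-style service and file lines and flags the patterns the fixlist above acted on: hash-like service names, entries FRST itself marks ATTENTION, a DLL sitting directly in C:\WINDOWS, fresh seven-letter folders under AppData\Local, and a new executable in System32. The sample lines are constructed from the entries quoted in this post; the rules are heuristics and produce a review queue, not a verdict.

```python
import re

# Constructed sample lines, modelled on the FRST entries quoted in post #12 of this thread.
SAMPLE_LOG = r"""
S2 889d079228a00174eb28516ba67a3fb9; C:\WINDOWS\zbvrfhpqautlcbrj.dll [1408512 2018-04-28] ()
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
2018-05-04 12:03 - 2018-05-04 12:03 - 000000000 ____D C:\Users\Ben\AppData\Local\raigotx
2018-05-04 11:08 - 2018-05-04 12:01 - 002888704 _____ C:\Windows\System32\rtkbwvcsvc.exe
2018-04-28 14:39 - 2018-04-28 14:39 - 000000000 ____D C:\Users\Ben\AppData\Local\ElDewrito
2018-04-27 21:32 - 2018-04-27 21:32 - 000000000 ____D C:\Users\Ben\Desktop\ZeldaSave
"""

# FRST service line: "S<start type> <name>; <image and arguments> [size date] (company)"
SERVICE_RE = re.compile(r"^S[0-4] (?P<name>[^;]+); (?P<image>.*)$")
# FRST "one month created" line: "<created> - <modified> - <size> <attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - \d{4}-\d\d-\d\d \d\d:\d\d - "
    r"\d{9} (?P<attrs>\S{5}) (?P<path>.+)$"
)
PATH_RE = re.compile(r'"?(?P<p>[A-Za-z]:\\.*?\.(?:exe|dll))"?', re.IGNORECASE)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")  # MD5-style service names, as in this thread
RANDOM_DIR_RE = re.compile(r"^[a-z]{7}$")  # seven lowercase letters: dtezpro, raigotx, ...


def _parts(path: str) -> list[str]:
    """Split a Windows path into drive, folders and leaf name."""
    return [p for p in path.strip().strip('"').split("\\") if p]


def triage_line(line: str) -> list[str]:
    """Reasons one FRST line deserves a closer look; an empty list means unremarkable.
    Heuristics drawn from this thread's entries: expect misfires on legitimate software."""
    reasons: list[str] = []
    if "<==== ATTENTION" in line:
        reasons.append("flagged ATTENTION by FRST")
    if m := SERVICE_RE.match(line):
        if HEX32_RE.match(m.group("name")):
            reasons.append("hash-like service name")
        img = PATH_RE.search(m.group("image"))
        if img is None:
            reasons.append("service image has no file path")
        else:
            parts = _parts(img.group("p"))
            if len(parts) == 3 and parts[1].lower() == "windows":
                reasons.append("binary directly in Windows root")
    elif m := FILE_RE.match(line):
        parts = _parts(m.group("path"))
        is_dir = m.group("attrs").endswith("D")
        if is_dir and parts[-3:-1] == ["AppData", "Local"] and RANDOM_DIR_RE.match(parts[-1]):
            reasons.append("random-looking new folder under AppData\\Local")
        if not is_dir and parts[-2].lower() == "system32" and parts[-1].lower().endswith(".exe"):
            reasons.append(f"new executable in System32 (created {m.group('created')})")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each notable line of an FRST log to its reasons, in log order."""
    findings: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print("; ".join(why), "<-", line)
```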

#13 airplaneBEN (Topic Starter)

Posted 05 May 2018 - 07:47 PM

Okay

 

I ran the FRST fix with that file. Here is the fixlog.txt.

Attached Files



#14 nasdaq (Malware Response Team)

Posted 06 May 2018 - 07:24 AM

Hi,

Looking good.

Just run the Malwarebytes and clean any left over entries.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



