
I know I have a rootkit - How do I Remove?


This topic is locked
8 replies to this topic

#1 sn00pryan
Posted 09 May 2018 - 04:50 PM

I recently downloaded a sketchy file, and sure enough now have a virus on my computer. I keep getting toolbar add-ons to Chrome etc., however that is not the main issue - I believe I have a rootkit. I have run Malwarebytes and it will come up with nothing, and when I try to open it again it doesn't work. There was one anti-rootkit program I downloaded (forget the name) and it crashed before it could complete its scan.

There is a program which keeps popping up in Task Manager, "Windows Process Manager", which will occasionally spike to around 40% CPU usage; I know that is not a legit program. There is also a program wmcagent which I cannot remove which runs as a background process, as well as a program lsowzkcsvc.exe located in my System32. There are lots of files in my local app data which I know are not legit which appeared when I downloaded this virus.

I am not sure how to proceed - I do not have access to another Windows computer and it has been super difficult trying to create a bootable USB. Is that the only course of action? I am not incredibly computer literate; I have just been trying to fix this issue for the past week since it started. I have also run the Farbar Recovery Tool if posting those files would help.

#2 Android8888 (Malware Response Team)

Posted 09 May 2018 - 05:09 PM

Hello sn00pryan and welcome to Bleeping Computer.

My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear.

Please read the instructions carefully and follow the directions in the order listed.

Some sets of instructions may be long, or you may be without an Internet connection for a while, so I suggest printing out each set of instructions or copying them to a Notepad file and reading the entire post before proceeding. It will make following them easier.

Make sure to run all tools from the computer's Desktop and with Administrator privileges (i.e. right-click the tool icon and select Run as administrator).

Please run one scan at a time.

Once started, the malware removal process has to be completed in order to ensure the success of the clean-up. Even if your computer appears to be running better after performing a first set of instructions, it may still be infected, as some infections are difficult to remove and can leave remnants on the System. Please consider it clean and safe only when I declare it free of malware.

Now I would like to see the two logs (FRST.txt and Addition.txt) produced by the Farbar tool that you already ran.

Please attach them in your next reply for my review.

Thank you.

Android8888

(Rui)


Proud graduate of SpywareInfo

Member of UNITE - Unified Network of Instructors and Trusted Eliminators

Website: http://android8888.comlu.com

Tavira - Here's where I live!


#3 sn00pryan (Topic Starter)

Posted 09 May 2018 - 10:47 PM

Okay, sounds good, here you go.

Attached Files



#4 Android8888 (Malware Response Team)

Posted 10 May 2018 - 06:01 AM

Hello sn00pryan.

Thank you for the logs.

Your computer is infected with a rootkit known as SmartService, which is a very nasty infection, but with the right procedures we will try to remove it and leave your computer free of malware.

Please do not run other tools on your own and follow the instructions in the order listed.


For now, in Normal mode do this please:

Right-click on the FRST icon and select Run as administrator to start the tool;
Highlight and copy the following text and paste it inside the 'Search' box area of FRST;

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::

Once done, click on the Fix button. A file called Fixlog.txt should appear in the same place where the Farbar tool is located;

Please copy and paste its content to your next reply and wait for further instructions.

Thank you.

Android8888




#5 sn00pryan (Topic Starter)

Posted 10 May 2018 - 01:48 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 10.05.2018
Ran by Ryan (10-05-2018 11:47:20) Run:1
Running from C:\Users\Ryan\Desktop
Loaded Profiles: Ryan (Available Profiles: Ryan)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
 
*****************
 
 
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= bcdedit.exe /set {default} recoveryenabled yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
==== End of Fixlog 11:47:20 ====
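As an added example (not part of this thread or of the Farbar tool), a small Python parser for the Fixlog.txt layout posted above: it pulls the CMD: directives from the fixlist section, matches each to its output block, and flags commands that failed or never ran, which is what a helper reviewing many such logs would check first. The sample log embedded in the code is a constructed copy of that layout with blank lines trimmed, and treating "The operation completed successfully." as the success marker is an assumption taken from the output shown.

```python
import re

# Constructed sample in the Fixlog.txt layout posted in the thread (blank lines trimmed).
SAMPLE_FIXLOG = """\
Fix result of Farbar Recovery Scan Tool (x64) Version: 10.05.2018
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
*****************
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
The operation completed successfully.
========= End of CMD: =========
========= bcdedit.exe /set {default} recoveryenabled yes =========
The operation completed successfully.
========= End of CMD: =========
==== End of Fixlog 11:47:20 ====
"""

# The fixlist section sits between two rows of asterisks after "fixlist content:".
FIXLIST_RE = re.compile(r"fixlist content:\s*\*+\n(.*?)\n\*+", re.DOTALL)
# Each executed command has a "========= <cmd> =========" header and an "End of CMD:" footer.
BLOCK_RE = re.compile(
    r"^========= (?P<cmd>.+?) =========\n(?P<out>.*?)^========= End of CMD: =========",
    re.MULTILINE | re.DOTALL)

def fixlist_commands(log):
    """Commands requested in the fixlist, with the 'CMD: ' prefix stripped."""
    m = FIXLIST_RE.search(log)
    if not m:
        return []
    return [ln[len("CMD: "):].strip() for ln in m.group(1).splitlines()
            if ln.startswith("CMD: ")]

def command_results(log):
    """Map each executed command to its captured output, surrounding blanks removed."""
    return {m.group("cmd"): m.group("out").strip() for m in BLOCK_RE.finditer(log)}

def verify_fix(log):
    """Return {command: 'ok' | 'failed' | 'not run'} for every fixlist command."""
    results = command_results(log)
    status = {}
    for cmd in fixlist_commands(log):
        out = results.get(cmd)
        if out is None:
            status[cmd] = "not run"
        else:
            # Assumption: success text is "The operation completed successfully." (as posted).
            status[cmd] = "ok" if "completed successfully" in out.lower() else "failed"
    return status
```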


#6 Android8888 (Malware Response Team)

Posted 10 May 2018 - 04:14 PM

sn00pryan, thank you for the log.

Now please read the following instructions carefully, and if you don't understand something, please STOP and ask before proceeding.

You will have to run a scan with FRST from the Windows Recovery Environment (RE).

First you will need to have access to an uninfected computer and a USB Flash Drive. I'm afraid this is the only way to remove this rootkit. If you don't have another clean computer then you can try from a family member's or friend's computer running Windows. Take your time, I can wait until you are ready.

Please note: The USB Flash Drive can only be inserted in the infected computer if it is either shut down or in the Windows RE (Recovery Environment). Otherwise, the infection will mess with the files on the USB.
Preparing the USB Flash Drive (on a clean computer)

  • Plug the USB Flash Drive into a clean computer and format it before using it ('Quick Format' is enough).
  • Access the Internet and download FRST64.exe from a clean computer (don't use the FRST64.exe file from the infected computer).
  • Move the executable (FRST64.exe) onto the USB Flash Drive.

Boot in the Recovery Environment (RE) (on the infected computer)

  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums.
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or on another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.

Note: Once in the Windows RE, plug the USB Flash Drive in the computer.

 

You will have to reach and select the Command Prompt icon in Advanced Options in the Recovery Environment.

Once in the Command Prompt

  • In the command prompt, type notepad and press Enter;
  • Notepad will open. Click on the File menu and select Open;
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad;
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter;
  • Note: Replace the letter e with the drive letter of your USB Flash Drive;
  • FRST will open;
  • Click on Yes to accept the disclaimer;
  • Click on the Scan button and wait for the scan to complete;
  • A log called FRST.txt will be saved on your USB Flash Drive;
  • Please post the entire content of that log in your next reply.

Let me see the FRST.txt log in your next reply and wait for further instructions.

Thank you.

Android8888




#7 sn00pryan (Topic Starter)

Posted 11 May 2018 - 01:43 AM

Okay, quick question: does it matter what OS I use for the clean computer? I have a Chromebook which I am using, otherwise I can find a friend with Windows.

Also, for the format of the USB does it have to be a specific type (i.e. NTFS or exFAT etc.)?



#8 Android8888 (Malware Response Team)

Posted 11 May 2018 - 04:15 AM

Hello.

Chromebook runs the Linux-based Chrome OS as its operating system. Different operating systems use different file systems, which means different ways of organizing data on a disk. Since your computer is running a Windows OS you will need another computer with a Windows Operating System as well. The Windows version (7, 8 or 10) is not important for this case.

Format the USB flash drive using FAT32 since it is compatible with and supported on almost all devices and OSes.

Android8888




#9 Android8888 (Malware Response Team)

Posted 29 May 2018 - 09:37 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.






