Multiple reappearing infections; possible new partition to reinfect created


5 replies to this topic

#1 Nihilust

Nihilust

  • Members
  • 4 posts
  • Gender:Male

Posted 11 May 2018 - 05:25 PM

Maybe too much information, but rather that than not enough.

Recommended roommate get auslogics defrag & ccleaner to maintain his slow dell laptop; he ended up grabbing a bad torrent of cc from piratebay instead of buying it as I suggested. .zip file; he says upon unzipping it prompted him to click to "prove he was human" before install, he noped out & grabbed me when it directed him to fill out a survey beforehand & wouldn't let him close out firefox instead.

 

Task mgr killed firefox instance; it immediately started opening a new edge instance for each I closed, while cmd windows started intermittently flashing on & off & a bunch of "install x game" shortcuts popped up on desktop, win defender warnings about malware. Win defender was partially disabled & he'd had no a/v beyond an expired mcafee trial.

 

Reenabled win defender & both quick and full scanned; found a lot of malicious files it claimed it fixed; installed & ran malwarebytes, found about as many again. Went through several cycles of running MWB, quarantining, rebooting, and deleting from quarantine, kept finding around the same # every subsequent scan. Tried to safe mode boot, couldn't get it to work, enabled legacy safe boot & ran MWB cycle again several times in safe mode, still kept finding around the same # of infections. Noticed at some point during every startup, at the Dell screen, it would hang for a bit, then a message about "Scanning & repairing (weirdly named serial string drive)" would appear; he says no such message ever appeared before. Laptop currently has 5 partitions beyond the system partition; 3 "recovery", 1 "OEM", and 1 "EFI system". He left it with me to try & fix, it's sat for a bit as I've been busy with work & whatnot. Logs follow.

 

Any potential help appreciated, as this is beyond my barely beginner skills.

 

Attached File  FRST.txt   28.58KB   6 downloads

 

Attached File  Addition.txt   31.43KB   2 downloads





#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 May 2018 - 07:30 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Hi,

I have identified a bad SmartService infection.

You will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...

I need to know first if you can enable the Recovery Environment...

Open FRST on the compromised computer:

copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.
 
Start:
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End:
Wait for further instructions.

Edited by nasdaq, 12 May 2018 - 07:31 AM.
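Added example, not part of nasdaq's instructions and not FRST code: a Python check that parses the text of `bcdedit /enum` and reports whether the two settings the fix above turns on (the boot menu on {bootmgr} and recovery on the default loader entry) are actually in effect. The sample output below is constructed, with a placeholder GUID, and shows the "before" state.

```python
import re

# Constructed sample of `bcdedit /enum` output (not from the thread);
# the recoverysequence GUID is a placeholder value.
SAMPLE_BCD = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displaybootmenu         No
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.efi
description             Windows 10
recoverysequence        {00000000-0000-0000-0000-000000000000}
recoveryenabled         No
"""


def parse_bcd(text):
    """Return {identifier: {element: value}} from bcdedit /enum text.

    Entries are separated by blank lines; element lines are a lowercase
    name, two or more spaces, then the value. Headings and dashed rules
    start with an uppercase letter or '-' and are skipped.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        elements = {}
        for line in block.splitlines():
            m = re.match(r"^([a-z]\w*)\s{2,}(.+?)\s*$", line)
            if m:
                elements[m.group(1).lower()] = m.group(2)
        if "identifier" in elements:
            entries[elements["identifier"]] = elements
    return entries


def check_recovery(text):
    """Report the boot-menu and WinRE state the FRST fix is meant to set.

    The default OS is resolved through the boot manager's 'default'
    element, which is what the {default} alias in bcdedit refers to.
    """
    entries = parse_bcd(text)
    mgr = entries.get("{bootmgr}", {})
    default_id = mgr.get("default", "")
    loader = entries.get(default_id, {})
    return {
        "default_entry": default_id,
        "displaybootmenu": mgr.get("displaybootmenu", "No").lower() == "yes",
        "recoveryenabled": loader.get("recoveryenabled", "No").lower() == "yes",
    }
```

On a live machine, feed it the output of `bcdedit /enum` run from an elevated prompt after the fix has been applied; both flags should then report True.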


#3 Nihilust

Nihilust
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male

Posted 12 May 2018 - 09:43 AM

Hello nasdaq, thanks for your assistance. I do have access to both a spare PC & a USB flash not in contact with the infected laptop.

 

FRST updated itself upon opening; pasted the text into the "search" box, clicked "fix", error msg appeared "No fixlist.txt found. Should be in same folder/directory the tool is located." 3 attempts, same result.

EDIT: Restarting & will attempt again in case it needed that to function after update.

2nd EDIT: Same result. Don't want to do anything else you're not instructing me to, so will wait.


Edited by Nihilust, 12 May 2018 - 10:01 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 May 2018 - 07:19 AM

Hi,

This is the second time someone tells me that the command is not working.
I have to investigate this with the Owner of the tool.

Let's proceed and see if your Recovery Console is enabled.

---

Print or read carefully these instructions.

Preparing the USB Flash Drive

Boot up your spare PC:
Plug in the flash drive, navigate to that drive, right-click on it directly and select Format. The Quick option is adequate.

Next,

On that same PC download the right version of Farbar program for your system to Desktop or the Flash drive.
64-bit or 32 bit version. Select the one you need.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

If the files were saved on the Desktop, move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive.
 

How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64


Do not plug Flash Drive into sick PC until booted to Recovery Environment.

===

Boot the compromised PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference...

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10

Select in this order
"Troubleshoot" > "Advanced Options" > "Command Prompt"


Once in the command prompt

Plug your USB Flash Drive in the infected computer

In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter
Note: Replace the letter e with the drive letter of your USB Flash Drive
FRST will open
Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Post the Fixlog.txt and the FRST.txt logs for my review.

Wait for further instructions.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 May 2018 - 07:10 AM

Hi,

Are you still with me?

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 May 2018 - 06:26 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



