
Ndistpr64.sys/svcvmx.exe Removal help?


  • This topic is locked
22 replies to this topic

#1 BrayWyattFan20

BrayWyattFan20

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:31 AM

Posted 02 August 2018 - 08:53 AM

A while ago I bought a phone that was locked in a way that was basically impossible to use.

I downloaded all sorts of random programs and such trying to fix it, and in the process got caught up with a virus of some kind.


When trying to uninstall certain things I get a BSoD, and the file that comes up in the error is NDistpr64.sys.

I haven't used my laptop in a while, but I'd love to start and need help getting rid of this.


I can't use or install any anti-malware/anti-virus stuff because it says "The requested resource is in use.", which I guess is the malware stopping my anti-virus use.



Pleeeeeease help me.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,511 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:31 AM

Posted 02 August 2018 - 12:36 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Click "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click "Attach this file".
Click the "Add Reply" button.
===

Please post the logs for my review.

p.s.
Try to run this program in Normal Mode in an Administrator account.

If not possible run it in Safe Mode.

#3 BrayWyattFan20

BrayWyattFan20
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:31 AM

Posted 02 August 2018 - 02:49 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.08.2018
Ran by Com (administrator) on DESKTOP-8T7N6RT (02-08-2018 15:18:03)
Running from C:\Users\Lance\Desktop
Loaded Profiles: Com (Available Profiles: Com)
Platform: Windows 10 Home Version 1709 16299.125 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.14.17639.18041-0\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Microsoft Corporation) C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [MouseDriver] => C:\Windows\system32\TiltWheelMouse.exe [241152 2013-04-09] (Pixart Imaging Inc)
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [599896 2015-06-10] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1830616 2014-04-09] (Conexant Systems, Inc.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2397120 2016-06-14] (NVIDIA Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-07-01] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeGCInvoker-1.0] => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [316392 2018-05-11] (Adobe Systems, Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [svcvmx] => C:\Users\Lance\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [896512 2017-01-13] () <==== ATTENTION
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKU\S-1-5-21-1913834664-1852450143-2133483467-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3205920 2018-08-01] (Valve Corporation)
HKU\S-1-5-21-1913834664-1852450143-2133483467-1001\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [225816 2017-02-21] (BlueStack Systems, Inc.)
HKU\S-1-5-21-1913834664-1852450143-2133483467-1001\...\Run: [VideoGuardMonitor] => C:\Users\Lance\AppData\Local\Cisco\VideoGuardPlayer\VideoGuardMonitor\CiscoVideoGuardMonitor.exe [4155656 2017-06-20] (Cisco)
HKU\S-1-5-21-1913834664-1852450143-2133483467-1001\...\RunOnce: [Application Restart #0] => C:\Windows\HelpPane.exe [976896 2017-09-29] (Microsoft Corporation)
GroupPolicy\User: Restriction - Chrome <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 108.166.149.2 108.166.149.3
Tcpip\..\Interfaces\{6b72b255-46f2-426b-8fc4-abd4c4c7a1a8}: [DhcpNameServer] 108.166.149.2 108.166.149.3
Tcpip\..\Interfaces\{774e0fb2-3280-423f-a8f3-46b633c3e467}: [DhcpNameServer] 192.168.10.1

Internet Explorer:
==================
HKU\S-1-5-21-1913834664-1852450143-2133483467-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://asus15.msn.com/?pc=ASTE
HKU\S-1-5-21-1913834664-1852450143-2133483467-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus15.msn.com/?pc=ASTE
SearchScopes: HKU\S-1-5-21-1913834664-1852450143-2133483467-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1913834664-1852450143-2133483467-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1913834664-1852450143-2133483467-1001 -> {7A766DBC-5FB8-4815-9F45-589353F44D3E} URL = hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=635779&p={searchTerms}
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll [2018-01-05] (Oracle Corporation)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2015-09-03] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2ssv.dll [2018-01-05] (Oracle Corporation)

FireFox:
========
FF DefaultProfile: ac4fldlu.default-1533167179249
FF ProfilePath: C:\Users\Lance\AppData\Roaming\Mozilla\Firefox\Profiles\ac4fldlu.default-1533167179249 [2018-08-02]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_30_0_0_134.dll [2018-08-02] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_30_0_0_134.dll [2018-08-02] ()
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-08-25] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-08-25] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2018-01-05] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2018-01-05] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-08-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-08-01] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)

Chrome:
=======
CHR Profile: C:\Users\Lance\AppData\Local\Google\Chrome\User Data\Default [2017-10-27]
CHR Extension: (New XKit) - C:\Users\Lance\AppData\Local\Google\Chrome\User Data\Default\Extensions\inobiceghmpkaklcknpniboilbjmlald [2017-10-15] [UpdateUrl: hxxps://new-xkit.github.io/XKit/Extensions/dist/page/FirefoxUpdate.json] <==== ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\Lance\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-15]
CHR Extension: (Chrome Media Router) - C:\Users\Lance\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-10-15]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AGMService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe [2321384 2018-05-11] (Adobe Systems, Incorporated)
S2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2128872 2018-05-11] (Adobe Systems, Incorporated)
S4 AsusGameFirstService; C:\Program Files (x86)\ASUS\ROG Game First III\AsusGameFirstService.exe [356664 2015-02-02] (ASUSTeK)
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1362464 2016-03-18] ()
S3 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [428056 2017-02-21] (BlueStack Systems, Inc.)
S2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [406040 2017-02-21] (BlueStack Systems, Inc.)
S3 BstHdPlusAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Plus-Service.exe [452632 2017-02-21] (BlueStack Systems, Inc.)
S2 Dataup; C:\Users\Lance\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S2 esifsvc; C:\WINDOWS\SysWOW64\esif_uf.exe [1385640 2015-08-16] (Intel Corporation)
S2 ibtsiva; C:\WINDOWS\system32\ibtsiva.exe [515768 2017-04-13] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
S3 Intel® Security Assist; C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe [335872 2015-05-19] (Intel Corporation) [File not signed]
S3 Intel® WiDi SAM; C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [19088 2015-06-17] (Intel Corporation)
S2 IntelUSBoverIP; C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe [396992 2015-07-06] (Intel)
S2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel® Security Assist\isaHelperService.exe [7680 2015-05-19] () [File not signed]
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [207648 2015-09-19] (Intel Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268704 2016-11-29] ()
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [4362656 2016-02-24] (INCA Internet Co., Ltd.) [File not signed]
S2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-06-14] (NVIDIA Corporation)
S2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2521024 2016-06-14] (NVIDIA Corporation)
S2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [189264 2016-09-24] ()
S3 ROGGamingCenterService; C:\Program Files (x86)\ASUS\ROG Gaming Center\ROGGamingCenterService.exe [76032 2015-08-13] (ASUSTeK COMPUTER INC.)
S2 RzKLService; C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe [133376 2016-09-28] (Razer Inc.)
S2 SAService; C:\Windows\system32\SAsrv.exe [427224 2015-04-17] (Conexant Systems, Inc.)
S2 ss_conn_service; C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [752224 2017-01-16] (DEVGURU Co., LTD.)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\NisSrv.exe [4632736 2018-04-28] (Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.14.17639.18041-0\MsMpEng.exe [104680 2018-04-28] (Microsoft Corporation)
S2 XTU3SERVICE; C:\Program Files (x86)\Intel\Intel® Extreme Tuning Utility\XtuService.exe [19192 2015-08-13] (Intel® Corporation)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3732896 2016-11-29] (Intel® Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AsusSGDrv; C:\WINDOWS\system32\DRIVERS\AsusSGDrv.sys [138744 2015-08-18] (ASUS Corporation)
S3 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [152672 2017-02-21] (BlueStack Systems)
S3 BstkDrv; C:\Program Files (x86)\BlueStacks\BstkDrv.sys [270904 2017-02-21] (Bluestack System Inc. )
S3 CMUSBDAC; C:\WINDOWS\system32\DRIVERS\CMUSBDAC.sys [3778592 2015-11-26] (C-MEDIA)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2017-01-16] (Samsung Electronics Co., Ltd.)
S3 dptf_acpi; C:\WINDOWS\System32\drivers\dptf_acpi.sys [55816 2015-08-16] (Intel Corporation)
S3 dptf_cpu; C:\WINDOWS\System32\drivers\dptf_cpu.sys [53752 2015-08-16] (Intel Corporation)
R0 drmkpro64; C:\WINDOWS\System32\drivers\ndistpr64.sys [78112 2013-09-28] () <==== ATTENTION
R3 ElcMouLFlt; C:\WINDOWS\System32\drivers\ElcMouLFlt.sys [28648 2015-09-11] (ELECOM)
R3 ElcMouUFlt; C:\WINDOWS\System32\drivers\ElcMouUFlt.sys [27624 2015-09-11] (ELECOM)
S3 esif_lf; C:\WINDOWS\system32\DRIVERS\esif_lf.sys [261624 2015-08-16] (Intel Corporation)
S3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [244744 2017-04-13] (Intel Corporation)
S2 iocbios2; C:\Program Files (x86)\Intel\Intel® Extreme Tuning Utility\Drivers\IocDriver\64bit\iocbios2.sys [30224 2015-08-13] (Intel Corporation)
S3 Netwtw04; C:\WINDOWS\System32\drivers\Netwtw04.sys [7689728 2017-09-29] (Intel Corporation)
R1 NFC_Driver; C:\WINDOWS\System32\drivers\NFC_Driver.sys [53440 2015-01-05] (Titan ARC Corp.)
S3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nvamwu.inf_amd64_d4715679184092a8\nvlddmkm.sys [13754936 2016-09-12] (NVIDIA Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-06-14] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\WINDOWS\system32\drivers\nvvad64v.sys [56384 2016-04-14] (NVIDIA Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [935168 2015-10-09] (Realtek )
S3 RTSPER; C:\WINDOWS\system32\DRIVERS\RtsPer.sys [753368 2015-06-15] (Realsil Semiconductor Corporation)
S2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [44144 2016-09-16] (Razer, Inc.)
S2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [137840 2016-08-10] (Razer, Inc.)
S3 sparkocam; C:\WINDOWS\system32\DRIVERS\sparkocam.sys [36176 2015-12-21] (Sparkosoft)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2017-01-16] (Samsung Electronics Co., Ltd.)
R3 t_mouse.sys; C:\WINDOWS\system32\DRIVERS\t_mouse.sys [6144 2013-04-09] ()
S3 usb3Hub; C:\WINDOWS\System32\drivers\usb3Hub.sys [212056 2015-07-06] (Windows ® Win 7 DDK provider)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46072 2018-04-28] (Microsoft Corporation)
S0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [313888 2018-04-28] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [61472 2018-04-28] (Microsoft Corporation)
S3 xhunter1; C:\WINDOWS\xhunter1.sys [47096 2018-02-14] (Wellbia.com Co., Ltd.)
S1 YSDrv; C:\Program Files (x86)\Bignox\BigNoxVM\RT\YSDrv.sys [270608 2017-11-02] (BigNox Corporation)
S3 X6va063; \??\C:\WINDOWS\SysWoW64\Drivers\X6va063 [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-08-02 15:18 - 2018-08-02 15:24 - 000015549 _____ C:\Users\Lance\Desktop\FRST.txt
2018-08-02 15:17 - 2018-08-02 15:18 - 000000000 ____D C:\FRST
2018-08-02 15:14 - 2018-08-02 15:14 - 002412544 _____ (Farbar) C:\Users\Lance\Desktop\FRST64.exe
2018-08-02 09:17 - 2018-08-02 09:31 - 000685900 _____ C:\WINDOWS\Minidump\080218-33968-01.dmp
2018-08-02 08:50 - 2018-08-02 08:50 - 000000192 _____ C:\Users\Lance\Desktop\yup.bat
2018-08-02 08:40 - 2018-08-02 08:40 - 000000000 _____ C:\Users\Lance\Desktop\New Text Document.txt
2018-08-02 07:51 - 2018-08-02 07:51 - 014178840 _____ (Malwarebytes Corp.) C:\Users\Lance\Desktop\1.exe
2018-08-02 07:44 - 2018-08-02 07:45 - 078389256 _____ (Malwarebytes ) C:\Users\Lance\Downloads\mb3-setup-consumer-3.5.1.2522-1.0.391-1.0.6153.exe
2018-08-02 07:34 - 2018-08-02 07:57 - 001388432 _____ C:\Users\Public\VOIP.dat
2018-08-02 07:25 - 2018-08-02 07:25 - 034768256 _____ (SUPERAntiSpyware) C:\Users\Lance\Downloads\SUPERAntiSpyware.exe
2018-08-02 07:21 - 2018-08-02 07:22 - 004858305 _____ C:\Users\Lance\Downloads\tdsskiller.zip
2018-08-02 07:21 - 2018-08-02 07:21 - 004949824 _____ (AO Kaspersky Lab) C:\Users\Lance\Downloads\tdsskiller.exe
2018-08-01 19:45 - 2018-08-01 19:45 - 001204720 _____ (Adobe Systems Incorporated) C:\Users\Lance\Downloads\flashplayer30au_ga_install.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-08-02 15:19 - 2016-11-20 20:35 - 000000000 ____D C:\Users\Lance\AppData\LocalLow\Mozilla
2018-08-02 15:11 - 2018-04-28 10:03 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2018-08-02 10:00 - 2017-09-29 04:45 - 000786432 _____ C:\WINDOWS\system32\config\BBI
2018-08-02 09:44 - 2018-02-12 14:14 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-08-02 09:17 - 2018-04-23 15:02 - 731247109 _____ C:\WINDOWS\MEMORY.DMP
2018-08-02 09:17 - 2018-04-23 15:02 - 000000000 ____D C:\WINDOWS\Minidump
2018-08-02 09:17 - 2018-02-12 14:21 - 000000000 ____D C:\Users\Lance
2018-08-02 09:03 - 2018-02-12 14:37 - 001066956 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-08-02 07:57 - 2018-02-12 14:47 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-08-02 07:57 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-08-02 07:57 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-08-02 07:49 - 2018-02-12 14:21 - 000000000 ____D C:\Users\Lance\AppData\Local\Packages
2018-08-02 07:48 - 2017-09-29 09:46 - 000000000 ___HD C:\Program Files\WindowsApps
2018-08-02 07:39 - 2016-02-24 13:47 - 000000165 _____ C:\Users\Lance\AppData\Roaming\sp_data.sys
2018-08-02 07:38 - 2017-09-29 09:37 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-08-02 07:38 - 2016-03-02 19:39 - 000000000 ____D C:\Users\Lance\AppData\Local\Adobe
2018-08-02 07:37 - 2018-03-25 23:07 - 000004584 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player NPAPI Notifier
2018-08-02 07:37 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2018-08-02 07:37 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\system32\Macromed
2018-08-02 07:32 - 2016-11-20 17:50 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-08-02 07:32 - 2016-02-24 19:54 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-08-02 07:26 - 2016-02-25 12:14 - 000563832 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2018-08-01 21:13 - 2016-06-14 13:09 - 000000000 ____D C:\Program Files (x86)\Steam
2018-08-01 20:24 - 2016-02-27 20:30 - 000000000 ____D C:\Users\Lance\Documents\Vuze Downloads
2018-08-01 20:11 - 2017-11-01 20:56 - 000000000 ____D C:\Users\Lance\AppData\Roaming\Convergys
2018-08-01 20:10 - 2016-04-22 20:43 - 000000000 ____D C:\Program Files (x86)\AVS4YOU
2018-08-01 19:59 - 2016-12-05 23:04 - 000002303 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-08-01 19:59 - 2016-12-05 23:04 - 000002262 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-08-01 19:55 - 2017-07-25 09:06 - 000000000 ____D C:\Program Files (x86)\ASUS
2018-08-01 19:51 - 2018-02-12 14:47 - 000003374 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1913834664-1852450143-2133483467-1001
2018-08-01 19:51 - 2016-02-24 13:50 - 000002369 _____ C:\Users\Lance\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-08-01 19:51 - 2016-02-24 13:50 - 000000000 ___RD C:\Users\Lance\OneDrive
2018-08-01 19:49 - 2018-02-12 14:47 - 000003418 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2018-08-01 19:49 - 2018-02-12 14:47 - 000003294 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2018-08-01 19:46 - 2016-09-02 15:43 - 000000000 ____D C:\Users\Lance\Desktop\XInput
2018-08-01 19:46 - 2016-02-24 19:54 - 000001234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk

==================== Files in the root of some directories =======

2018-08-02 07:34 - 2018-08-02 07:57 - 001388432 _____ () C:\Users\Public\VOIP.dat
2017-04-09 08:39 - 2017-04-09 08:39 - 000011568 _____ () C:\Users\Lance\AppData\Roaming\InstallationConfiguration.xml
2017-04-09 08:39 - 2017-04-09 08:39 - 000140288 _____ () C:\Users\Lance\AppData\Roaming\Installer.dat
2017-04-09 09:27 - 2017-04-09 09:28 - 000000008 _____ () C:\Users\Lance\AppData\Roaming\pllchannel.txt
2016-02-24 13:47 - 2018-08-02 07:39 - 000000165 _____ () C:\Users\Lance\AppData\Roaming\sp_data.sys
2016-08-08 20:24 - 2016-08-09 15:55 - 000001456 _____ () C:\Users\Lance\AppData\Local\Adobe Save for Web 13.0 Prefs
2017-04-11 16:45 - 2017-04-11 16:45 - 000288195 _____ () C:\Users\Lance\AppData\Local\ars.cache
2017-04-11 16:46 - 2017-04-11 16:46 - 000728040 _____ () C:\Users\Lance\AppData\Local\census.cache
2017-04-11 15:57 - 2017-04-11 15:57 - 000000036 _____ () C:\Users\Lance\AppData\Local\housecall.guid.cache
2017-05-21 02:16 - 2017-05-21 02:16 - 000000218 _____ () C:\Users\Lance\AppData\Local\recently-used.xbel
2017-04-11 16:14 - 2017-04-11 16:14 - 000000010 _____ () C:\Users\Lance\AppData\Local\sponge.last.runtime.cache
2017-02-22 10:37 - 2016-11-23 09:37 - 000000570 _____ () C:\Users\Lance\AppData\Local\TroubleshooterConfig.json

Files to move or delete:
====================
C:\Users\Lance\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe


Some files in TEMP:
====================
2018-02-12 19:18 - 2018-02-12 19:18 - 000000180 _____ () C:\Users\Lance\AppData\Local\Temp\3fc1552ba19ee3472398342b0fadfa41.dll
2018-02-12 19:18 - 2018-02-14 13:29 - 000000079 _____ () C:\Users\Lance\AppData\Local\Temp\a4ce204053e4dd9891affc16b94322e2.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\WINDOWS\system32\drivers\ndistpr64.sys -> Access Denied <======= ATTENTION


safeboot: Network => The system is configured to boot to Safe Mode <==== ATTENTION

LastRegBack: 2018-05-09 19:57

==================== End of FRST.txt ============================

Attached Files
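The log above is what the helper reads by eye: FRST's own "<==== ATTENTION" markers, an empty "()" publisher field, the "[File not signed]" flag, autostarts living under a user-writable directory such as AppData\Local, and a boot-start driver (R0 drmkpro64 / ndistpr64.sys) with no publisher whose file the tool cannot even read. The Python below is an added triage aid written for this page; it is not part of FRST and not code from the thread. It applies those same heuristics to a constructed sample made of lines shaped like the posted log, so a responder can pull the suspicious entries out of a long scan before deciding what belongs in a fixlist. The regexes, reason names and sample lines are all my own assumptions about the format, not an official FRST specification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines shaped like the FRST output posted in
# this thread (Run keys, services, drivers, the verification section and the
# safeboot line). It is not a complete log.
SAMPLE_LOG = r"""
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM-x32\...\Run: [svcvmx] => C:\Users\Lance\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [896512 2017-01-13] () <==== ATTENTION
S2 Dataup; C:\Users\Lance\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S2 esifsvc; C:\WINDOWS\SysWOW64\esif_uf.exe [1385640 2015-08-16] (Intel Corporation)
R0 drmkpro64; C:\WINDOWS\System32\drivers\ndistpr64.sys [78112 2013-09-28] () <==== ATTENTION
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [4362656 2016-02-24] (INCA Internet Co., Ltd.) [File not signed]
C:\WINDOWS\system32\drivers\ndistpr64.sys -> Access Denied <======= ATTENTION
safeboot: Network => The system is configured to boot to Safe Mode <==== ATTENTION
"""

# A Windows path runs from "X:\" up to the "[size date]" bracket, a "->" arrow,
# FRST's "<====" marker, or the end of the line (assumed format).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?(?= \[| -> | <=|$)")
# FRST appends "[size date] (publisher)" to each file entry; "()" means the
# binary carries no company name at all (assumed format).
ENTRY_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)")
# Directories a standard user can write to; autostarts living here deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")


@dataclass
class Finding:
    line: str
    path: Optional[str]        # None when the line names no file
    publisher: Optional[str]   # None when there is no "[size date] (pub)" entry
    reasons: List[str]


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious FRST line, or None if nothing stands out."""
    path_m = PATH_RE.search(line)
    entry_m = ENTRY_RE.search(line)
    path = path_m.group(0) if path_m else None
    publisher = entry_m.group("publisher") if entry_m else None
    reasons: List[str] = []
    if "ATTENTION" in line:                       # FRST's own whitelist miss
        reasons.append("frst_attention")
    if "[File not signed]" in line:               # no Authenticode signature
        reasons.append("not_signed")
    if publisher == "":                           # binary has no company name
        reasons.append("no_publisher")
    if path and any(m in path.lower() for m in USER_WRITABLE):
        reasons.append("user_writable_path")      # autostart outside Program Files/Windows
    if path and path.lower().endswith(".sys") and publisher == "":
        reasons.append("anonymous_kernel_driver") # ring-0 code from nobody
    if not reasons:
        return None
    return Finding(line.strip(), path, publisher, reasons)


def triage(log_text: str) -> List[Finding]:
    """Run analyse_line over every non-blank line, keeping log order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            f = analyse_line(line)
            if f:
                findings.append(f)
    return findings


def flagged_paths(findings: List[Finding]) -> List[str]:
    """Unique file paths across all findings, deduplicated case-insensitively
    (NTFS paths are case-insensitive, and FRST prints the same driver twice
    with different casing), sorted for a stable review list."""
    seen = {}
    for f in findings:
        if f.path and f.path.lower() not in seen:
            seen[f.path.lower()] = f.path
    return [seen[k] for k in sorted(seen)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(", ".join(f.reasons).ljust(62), f.path or "(no file path)")
```

Run on the sample, the only lines that survive are the two ntuserlitelist binaries, the unsigned GameMon.des service, both ndistpr64.sys lines and the safeboot entry; Defender's MSASCuiL.exe and Intel's esif_uf.exe drop out. The "Access Denied" line keeps its path but has no publisher at all (None rather than ""), which is why the code distinguishes "no entry parsed" from "entry with an empty publisher".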



#4 BrayWyattFan20

BrayWyattFan20
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:31 AM

Posted 02 August 2018 - 02:50 PM

Done. I'm surprised I got something to run lol



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,511 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:31 AM

Posted 03 August 2018 - 07:15 AM

Hi,

I have identified a bad SmartService infection.

You will need to have access to a spare PC and a USB flash drive that has not been in contact with the sick PC...
Let me know if you have this access.

I need to know first if you can enable the Recovery Environment...

Open FRST on the compromised computer:

Copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::

http://i121.photobucket.com/albums/o239/kevinf80/Farbar%20Tools/frst%20b.jpg&key=98f8e4fa906452a8ed54423fd0407a3d120fe6064437244ca29c06ed5f968755

On completion, a message will come up saying that the fix has been completed and it will open a log in Notepad.
Copy and paste its content in your next reply.

Wait for further instructions.
<<<>>>

#6 BrayWyattFan20

BrayWyattFan20
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:31 AM

Posted 03 August 2018 - 09:44 AM

I do have access to a 2nd PC and a USB flash drive, though I'm sure I have used it on this laptop before. I'd better get a new one just to be safe.

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,511 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:31 AM

Posted 03 August 2018 - 12:53 PM

Let's proceed:

Read all the instructions before proceeding.
Take your time and all should be well.

Preparing the USB Flash Drive

Boot up your spare PC:
Plug in the flash drive, navigate to that drive, right-click on it directly and select Format. The Quick option is adequate.

Next,

On that same PC, download the right version of the Farbar program for your system to the Desktop or the flash drive.
64-bit or 32-bit version; select the one you need.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

If the file was saved on the Desktop, move the executable (FRST.exe or FRST64.exe) to your USB flash drive.
 

How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64


Do not plug Flash Drive into sick PC until booted to Recovery Environment.

===

#8 BrayWyattFan20

BrayWyattFan20
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:31 AM

Posted 03 August 2018 - 04:30 PM

Ok. I'm at work and won't be able to do the flash drive till later, but it seems simple enough. Please continue with the steps :)

#9 BrayWyattFan20

BrayWyattFan20
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:31 AM

Posted 03 August 2018 - 10:10 PM


USB drive is good to go.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,511 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:31 AM

Posted 04 August 2018 - 07:07 AM

Hi,

Boot the compromised PC to the Recovery Environment; if you are unsure of that action, have a read of the following link, and maybe bookmark it for future reference...

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums: https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 tutorial you should get access to the Advanced Startup Options at boot for Windows 10.

Select in this order:
"Troubleshoot" > "Advanced Options" > "Command Prompt"


Once in the command prompt:

Plug your USB Flash Drive into the infected computer.

In the command prompt, type notepad and press Enter.
Notepad will open. Click on the File menu and select Open.
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad.
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter.
Note: Replace the letter e with the drive letter of your USB Flash Drive.
FRST will open.
Click on Yes to accept the disclaimer.
Click on the Scan button and wait for the scan to complete.
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Wait for further instructions.
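The drive-letter step above can also be done without the Notepad trick. The following batch script is an added example, not part of nasdaq's post or of the FRST tool; it assumes the flash drive was prepared as described earlier and holds FRST.exe and/or FRST64.exe in its root.

```batch
@echo off
REM Added example (not from the thread): find the flash drive from the WinRE
REM command prompt and start the FRST build that matches this machine.
REM Assumptions: FRST.exe and/or FRST64.exe sit in the root of the flash drive.
REM Save this as a .bat on the drive, or type the lines at the prompt,
REM replacing every %%D with %D.
setlocal

REM WinRE runs from a RAM disk (X:) and may shift the other drive letters, so
REM probe C: through Z: instead of assuming the letter Explorer showed earlier.
set "FRSTDRIVE="
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%D:\FRST64.exe" set "FRSTDRIVE=%%D"
    if exist "%%D:\FRST.exe"   set "FRSTDRIVE=%%D"
)
if not defined FRSTDRIVE (
    echo No FRST executable found on any drive. Is the flash drive plugged in?
    exit /b 1
)

REM WinRE reports the CPU mode it booted in: AMD64 on 64-bit Windows, x86 on
REM 32-bit Windows, which is the same choice as the 32/64-bit check above.
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" (set "FRSTEXE=FRST64.exe") else (set "FRSTEXE=FRST.exe")
if not exist "%FRSTDRIVE%:\%FRSTEXE%" (
    echo This PC needs %FRSTEXE%, but that build is not on drive %FRSTDRIVE%:.
    exit /b 1
)

echo Starting %FRSTEXE% from %FRSTDRIVE%: - FRST.txt will be written next to it.
"%FRSTDRIVE%:\%FRSTEXE%"
```

If the script reports the wrong build, copy the missing executable onto the flash drive from the spare PC rather than running the other one.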

#11 BrayWyattFan20

BrayWyattFan20
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:31 AM

Posted 04 August 2018 - 10:03 AM


Done

Attached Files

  • Attached File  FRST.txt   17.67KB   31 downloads


#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,511 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:31 AM

Posted 04 August 2018 - 10:40 AM

Hi,

You have one of the first versions of this malware.

Malwarebytes Anti-Rootkit

Please download Anti-Rootkit BETA and save it to your Desktop (check the version below).
  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply;
If you have any problems running either one come back and let me know.
===

#13 BrayWyattFan20

BrayWyattFan20
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:31 AM

Posted 04 August 2018 - 11:06 AM


Says this isn't the right version for my PC.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,511 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:31 AM

Posted 04 August 2018 - 12:30 PM

Hi,

Are you on a Mac or PC?

Are you running in normal mode with an Administrator account?

#15 BrayWyattFan20

BrayWyattFan20
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:31 AM

Posted 04 August 2018 - 01:10 PM


I'm on PC. Windows 10 64-bit. It's a gaming laptop.


I am running in normal mode and tried booting the program by right-clicking > Run with admin privileges. Windows says the program is not the right version; check the site for the correct version for this computer.



