
windows process manager 32 bit virus [Closed]

rootkit


#1 I96L (New Member)

Hello, my computer has been infected with the windows process manager 32 bit virus for 2 weeks and I have been trying to get it removed ever since. The virus/rootkit slows down my computer by taking resources with many random processes. I did a FRST scan.

Thank you, have a nice day.

Attached thumbnail: virus.PNG
Edited by I96L, 21 April 2018 - 06:37 AM.

#2 Gary R (Trusted Helper, Malware Removal)

Looking over your logs back soon.


#3 Gary R (Trusted Helper, Malware Removal)
The following lines from your log show that you have a variation of a rootkit infection we know as Smart Service ....
 

() C:\Users\Nicolas Mazzon\AppData\Local\rtbcank\exarcit.exe
() C:\Users\Nicolas Mazzon\AppData\Local\exhowrp\exhowrp.exe
() C:\Users\Nicolas Mazzon\AppData\Local\exhowrp\usrxzme.exe
() C:\Users\Nicolas Mazzon\AppData\Local\exhowrp\usrxzme.exe
() C:\Users\Nicolas Mazzon\AppData\Local\exhowrp\usrxzme.exe
() C:\Users\Nicolas Mazzon\AppData\Local\exhowrp\usrxzme.exe
() C:\Users\Nicolas Mazzon\AppData\Local\exhowrp\usrxzme.exe
U5 1864d068d501128776; D:\cheaterino\1864d068d501128776.sys [33560 2018-03-17] () <==== ATTENTION Necurs Rootkit?
R3 ilpsvy; system32\drivers\osvycf.sys [X]
C:\Windows\system32\drivers\snhilorv.sys -> Access Denied <======= ATTENTION


... there are a number of different versions of this infection, and as you're already aware, all are difficult to remove. In some cases removing it can cause incidental damage, which may not always be easily repairable.

So, at this point you have 2 options ....
  • Reset your computer to factory conditions.
    • In which case you will lose all your personal files and you will have to re-install them from a backup, along with any applications you currently have installed.
  • Attempt to remove it.
    • This can sometimes be a long, involved process, and there is no absolute guarantee of success.
Please let me know which option you would like to take.

If you opt for the 2nd, please let me know if your computer allows you to open a Command window in Recovery Environment ...
  • Open your start menu, and shift click on Restart
  • Windows will boot into Advanced Startup Options menu
    • Click on Troubleshoot
      • Click on Advanced Startup
        • Click on Command Prompt
If you can't, then please let me know if you have access to another uninfected Windows 10 machine.
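As an added illustration (not code from this thread, from FRST, or from Gary R), here is a small Python triage helper that applies the same reading the post above gives the quoted lines: it parses FRST's process and driver entries and flags an empty publisher field, a `[X]` missing-file marker, an `Access Denied` result, or FRST's own `<==== ATTENTION` tag. The sample log is constructed from the lines quoted above plus two benign entries invented for contrast, and the patterns cover only the entry shapes visible on this page, not FRST's full log format.

```python
import re
from typing import Dict, List

# Constructed sample: the FRST lines quoted in post #3, plus one benign process line
# and one benign driver line (invented here) to show what is NOT flagged.
SAMPLE_LOG = r"""
(Microsoft Corporation) C:\Windows\System32\svchost.exe
() C:\Users\Nicolas Mazzon\AppData\Local\rtbcank\exarcit.exe
() C:\Users\Nicolas Mazzon\AppData\Local\exhowrp\usrxzme.exe
R1 ExampleFlt; C:\Windows\system32\drivers\examplefl.sys [12345 2018-01-01] (Example Vendor)
U5 1864d068d501128776; D:\cheaterino\1864d068d501128776.sys [33560 2018-03-17] () <==== ATTENTION Necurs Rootkit?
R3 ilpsvy; system32\drivers\osvycf.sys [X]
C:\Windows\system32\drivers\snhilorv.sys -> Access Denied <======= ATTENTION
"""

# "(Publisher) C:\path\file.exe": a running process. Empty parentheses mean FRST
# found no publisher in the file's version information.
PROCESS_RE = re.compile(r"^\((?P<signer>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
# "R3 name; path [size date] (Publisher) <==== ATTENTION ...": a driver/service entry.
# "[X]" instead of size/date means the service is registered but its file is gone.
DRIVER_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) \[(?P<info>[^\]]*)\]"
    r"(?: \((?P<signer>[^)]*)\))?(?P<tail>.*)$"
)
# "path -> Access Denied": FRST could not even read the file, typical of a protected driver.
ACCESS_DENIED_RE = re.compile(r"^(?P<path>.+?) -> Access Denied(?P<tail>.*)$")


def triage_frst(log_text: str) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for every entry that deserves a second look."""
    findings: Dict[str, List[str]] = {}
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        if m := ACCESS_DENIED_RE.match(line):
            findings.setdefault(m["path"], []).append("file unreadable (Access Denied)")
        elif m := DRIVER_RE.match(line):
            reasons = findings.setdefault(m["path"], [])
            if "<====" in m["tail"]:  # FRST's own marker; keep its note verbatim
                reasons.append("marked by FRST: " + m["tail"].split("<====", 1)[1].strip())
            if m["info"] == "X":
                reasons.append(f"service {m['name']} registered but driver file missing")
            elif m["signer"] == "":
                reasons.append(f"driver {m['name']} has no publisher in version info")
            if not reasons:  # benign driver: drop the empty entry again
                del findings[m["path"]]
        elif m := PROCESS_RE.match(line):
            if m["signer"] == "" and "\\appdata\\local\\" in m["path"].lower():
                findings.setdefault(m["path"], []).append(
                    "unpublished executable running from the user's AppData\\Local")
    return findings
```

A `[X]` entry can also be a harmless leftover of an uninstalled product, as the Avast driver entries in a later post show, so the output is a list to review, not a verdict.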

#4 I96L (Topic Starter)

I can access the command prompt in Recovery Environment, so I will try option 2.

Thank you, and I have a second Windows 10 computer that's not infected.


Edited by I96L, 21 April 2018 - 04:51 PM.


#5 Gary R (Trusted Helper, Malware Removal)
OK in that case ....

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.

Please observe these rules while we work:
  • Do not edit your logs in any way whatsoever.
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.
 

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


To start, I need you to run a scan with FRST from Recovery Environment; when FRST is run this way it will automatically remove the Smart Service Rootkit driver that is making the removal of everything else so difficult.
  • Using your uninfected W10 machine, download FRST to a USB flash drive. Do not use the infected machine because it will corrupt FRST.
  • Power down your infected machine.
  • Plug the USB drive into the infected machine. Do not plug the USB drive into the infected machine until it is powered down. If you do, your infection will corrupt the copy of FRST it finds on it and we'll have to start over again.
Boot your computer into Recovery Environment
  • Please follow the instructions ... HERE ... that explain how to open a Command window in Recovery Environment.
  • Once the Command window is open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.
  • Back in the command window ....
    • Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • FRST will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press Scan button.
      • When finished scanning it will make a log FRST.txt on the flash drive.
  • Close the command window.
  • Shut down your computer and post me the FRST.txt log please.


#6 I96L (Topic Starter)

I did a FRST64 scan in a Recovery Environment; here are the results.

Attached file: FRST.txt (44.02KB)


#7 Gary R (Trusted Helper, Malware Removal)
Checking over your latest log now, will get back to you as soon as I've finished analysing it.

#8 Gary R (Trusted Helper, Malware Removal)
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
S3 cpuz139; C:\Users\Nicolas Mazzon\AppData\Local\Temp\cpuz139\cpuz139_x64.sys [43312 2018-04-20] (CPUID) <==== ATTENTION
C:\Users\Nicolas Mazzon\AppData\Local\Temp\cpuz139
  • Save it to your USB flashdrive as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

Boot into Recovery Environment



  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt on your USB flashdrive.
  • Exit out of Recovery Environment and post me the log please.

Next ...

Boot your computer into "Normal Mode" and then if possible please run a Threat Scan with Malwarebytes Anti-Malware (which I believe you have installed).

When finished ... with Malwarebytes open ...



  • Click on Reports to open the report page.
  • Check the appropriate report entry and then click View Report
  • Click Export and then Copy to Clipboard
  • Please post me the log.

Next ....

Please run a new scan with FRST and post me the new logs created (FRST.txt and Addition.txt)


#9 I96L (Topic Starter)

These are my Malwarebytes report and my FRST scan.

Malwarebytes

www.malwarebytes.com
 
-Log Details-
Scan Date: 4/22/18
Scan Time: 11:15 AM
Log File: f348cc64-463f-11e8-a71a-88d7f6c5d918.json
Administrator: Yes
 
-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4836
License: Trial
 
-System Information-
OS: Windows 10 (Build 16299.371)
CPU: x64
File System: NTFS
User: DESKTOP-S7GCF3Q\Nicolas Mazzon
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 331700
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 3 min, 40 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 4
PUP.Optional.SpyHunter, C:\USERS\NICOLAS MAZZON\DOWNLOADS\SPYHUNTER-INSTALLER.EXE, Delete-on-Reboot, [5362], [433139],1.0.4836
RiskWare.BitCoinMiner, C:\USERS\NICOLAS MAZZON\DOWNLOADS\XMR-STAK-WIN64.ZIP, Delete-on-Reboot, [912], [506407],1.0.4836
Trojan.Dropper, C:\USERS\NICOLAS MAZZON\APPDATA\LOCAL\TEMP\A924.TMP, Delete-on-Reboot, [2889], [501356],1.0.4836
Trojan.Dropper, C:\USERS\NICOLAS MAZZON\APPDATA\LOCAL\TEMP\DECA.TMP, Delete-on-Reboot, [2889], [501356],1.0.4836
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#10 Gary R (Trusted Helper, Malware Removal)

If you haven't already done so, reboot your computer so that Malwarebytes can complete the removal of the items it found.

Next ...

Question ... did you install Team Viewer yourself? If you did, no problem; if not, please let me know.

Next ...
 

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it ....
SearchScopes: HKU\S-1-5-21-1361136488-2336437257-4009925153-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04222018111552082 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S1 aswArPot; system32\drivers\aswArPot.sys [X]
S1 aswbidsdriver; system32\drivers\aswbidsdrivera.sys [X]
S0 aswbidsh; system32\drivers\aswbidsha.sys [X]
S0 aswblog; system32\drivers\aswbloga.sys [X]
S0 aswbuniv; system32\drivers\aswbuniva.sys [X]
S3 aswHwid; system32\drivers\aswHwid.sys [X]
S2 aswMonFlt; system32\drivers\aswMonFlt.sys [X]
S1 aswRdr; system32\drivers\aswRdr2.sys [X]
S0 aswRvrt; system32\drivers\aswRvrt.sys [X]
S1 aswSnx; system32\drivers\aswSnx.sys [X]
S1 aswSP; system32\drivers\aswSP.sys [X]
S2 aswStm; system32\drivers\aswStm.sys [X]
S0 aswVmm; system32\drivers\aswVmm.sys [X]
S3 cpuz143; \??\C:\Windows\temp\cpuz143\cpuz143_x64.sys [X]
2018-04-03 18:50 - 2018-04-03 18:50 - 000000000 ____D C:\Users\Nicolas Mazzon\AppData\Roaming\AVAST Software
2018-04-03 18:47 - 2018-04-03 18:47 - 000460520 _____ (AVAST Software) C:\Windows\system32\Drivers\asw77fba660d104671d.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000460520 _____ (AVAST Software) C:\Windows\system32\Drivers\asw1827a5ce9bb0316d.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000380528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswf0509b0b4ea566f7.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000380528 _____ (AVAST Software) C:\Windows\system32\Drivers\asw5bff90c47849630e.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000205976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswe7adc468d4219e9e.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000205976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbba1146fc55db8a6.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000196640 _____ (AVAST Software) C:\Windows\system32\Drivers\asw2f5da75d9eeeebe8.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000196640 _____ (AVAST Software) C:\Windows\system32\Drivers\asw1137048650a39ab6.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000147224 _____ (AVAST Software) C:\Windows\system32\Drivers\aswf7408fae7d01a3c7.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000147224 _____ (AVAST Software) C:\Windows\system32\Drivers\aswd97671f3d58dc09b.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000111352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswc48b08fe2a045507.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000111352 _____ (AVAST Software) C:\Windows\system32\Drivers\asw6ffd7c5a9bd1f461.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000084368 _____ (AVAST Software) C:\Windows\system32\Drivers\asw688a70d3cb5acc7e.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000084368 _____ (AVAST Software) C:\Windows\system32\Drivers\asw39e4f90c79e38320.tm
2018-04-03 18:47 - 2018-04-03 18:47 - 000046968 _____ (AVAST Software) C:\Windows\system32\Drivers\asw23d5b5de6e01c8d2.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000046968 _____ (AVAST Software) C:\Windows\system32\Drivers\asw d122391c5371263.tmp
2018-04-03 18:47 - 2018-04-03 18:47 - 000000000 ____D C:\Program Files\Common Files\AVAST Software
2018-04-03 18:47 - 2018-04-03 18:46 - 001026696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswe41c44592edfb154.tmp
2018-04-03 18:47 - 2018-04-03 18:46 - 001026696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswdaf23f23450d87cb.tmp
2018-04-03 18:47 - 2018-04-03 18:46 - 000343752 _____ (AVAST Software) C:\Windows\system32\Drivers\aswe54e5c1a68415207.tmp
2018-04-03 18:47 - 2018-04-03 18:46 - 000343752 _____ (AVAST Software) C:\Windows\system32\Drivers\asw51fccfb388f3f85c.tmp
2018-04-03 18:47 - 2018-04-03 18:46 - 000227504 _____ (AVAST Software) C:\Windows\system32\Drivers\aswdff265355e244076.tmp
2018-04-03 18:47 - 2018-04-03 18:46 - 000227504 _____ (AVAST Software) C:\Windows\system32\Drivers\asw80647094cb67ab1b.tmp
2018-04-03 18:47 - 2018-04-03 18:46 - 000199440 _____ (AVAST Software) C:\Windows\system32\Drivers\asw6ff3cc2b8cd837e1.tmp
2018-04-03 18:47 - 2018-04-03 18:46 - 000199440 _____ (AVAST Software) C:\Windows\system32\Drivers\asw ace53b62a8813fa.tmp
2018-04-03 18:47 - 2018-04-03 18:46 - 000057680 _____ (AVAST Software) C:\Windows\system32\Drivers\aswec05ac09a59def04.tmp
2018-04-03 18:47 - 2018-04-03 18:46 - 000057680 _____ (AVAST Software) C:\Windows\system32\Drivers\aswc91017d286c98e68.tmp
2018-04-03 18:46 - 2018-04-03 18:46 - 000000000 ____D C:\Program Files\AVAST Software
2018-04-03 18:45 - 2018-04-03 18:47 - 000000000 ____D C:\ProgramData\AVAST Software
emptytemp:
cmd: ipconfig /flushdns
hosts:
  • Press Ctrl+s to save fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system


  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

Next ...

Please run a scan with ESET Online Scanner (please note that this can sometimes take hours to complete)

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go HERE then click on Scan Now
  • You will need to download esetsmartinstaller_enu.exe when prompted, and then double click on it to install.
  • Select the option Accept to accept the terms and conditions, and when prompted by UAC, allow E-Set to make changes.
  • Select the following option.
    • Enable detection of potentially unwanted applications
  • Now click on Scan
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When complete the scan will begin.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed you will be presented with a list of found threats ....
    • Do not clean any of the found threats
    • Click on Save to text file
    • Save as ESET.txt to your Desktop
  • Exit out of ESET Online Scanner.
  • Post me the contents of ESET.txt please.


#11 Gary R (Trusted Helper, Malware Removal)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
