Detroit Red

CLOSED Rootkit.SmartService (A) and Trojan.Trafmous (A)

Hello there, I've had a rootkit infection on my computer for a while now and have had extreme difficulty getting rid of it. I posted a similar topic a while back but didn't get back to it in time and for that, I apologize. I would really appreciate a response to this issue as soon as possible. The files I scanned are located below.

Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [svcvmx] => "C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [cpx] => "C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
S2 Dataup; C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S1 ccvmhgwf; \??\C:\WINDOWS\system32\drivers\ccvmhgwf.sys [X]
S5 drmkpro64;  <==== ATTENTION: Locked Service <==== ATTENTION
S1 huzhetud; \??\C:\WINDOWS\system32\drivers\huzhetud.sys [X]
S1 sjpnplnh; \??\C:\WINDOWS\system32\drivers\sjpnplnh.sys [X]
S1 wcnxsfju; \??\C:\WINDOWS\system32\drivers\wcnxsfju.sys [X]
2017-11-20 16:38 - 2017-02-20 20:38 - 000000000 ____D C:\ProgramData\{238BE6E8-A9C9-6C2E-2F0F-F26CB54D79A2}
C:\WINDOWS\system32\drivers\ndistpr64.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\cpx\cpx.exe
C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\cpx
C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\dataup\dataup.exe
C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\dataup
C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe
C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\svcvmx
C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist
C:\WINDOWS\system32\drivers\ccvmhgwf.sys
C:\WINDOWS\system32\drivers\huzhetud.sys
C:\WINDOWS\system32\drivers\ndistpr64.sys
C:\WINDOWS\system32\drivers\sjpnplnh.sys
C:\WINDOWS\system32\drivers\wcnxsfju.sys
Task: {6F692641-CD09-4534-897E-7DB0FC21CF92} - \Online Application V2G1 -> No File <==== ATTENTION
Task: {DAD892E7-C07A-43A4-945D-7C59B5DED715} - \Online Application V2G2 -> No File <==== ATTENTION
Task: {DF1DFF6F-9BAD-4589-9FA1-041A520C82F3} - \Online Application V2G3 -> No File <==== ATTENTION
Task: {E5F76175-25D3-4960-AD80-823DFADB1E94} - System32\Tasks\Updater_Online_Application => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe [2017-04-18] (Microleaves) <==== ATTENTION
Task: {F048C364-3FB8-4287-BCC3-199804EFFDE1} - System32\Tasks\Yahoo! Powered fadem => C:\Windows\system32\wscript.exe "C:\ProgramData\{238BE6E8-A9C9-6C2E-2F0F-F26CB54D79A2}\mato.txt" "687474703a2f2f7761676e672e636f6d" "433a5c50726f6772616d446174615c7b32333842453645382d413943392d364332452d324630462d4632364342353444373941327d5c6e6563656469" "433a5c50726f6772616d446174615c7b32333842453645382d413943392d364332452d324630 (the data entry has 78 more characters). <==== ATTENTION
Task: {FB06BD2C-F871-4544-9494-04312341E9E1} - System32\Tasks\OSpeedy System Optimizer Startup => C:\Program Files (x86)\OSpeedy System Optimizer\OSpeedy System Optimizer.exe [2015-05-15] () <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G1.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G2.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G3.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Yahoo! Powered fadem.job => Wscript.exe  C:\ProgramData\{238BE6E8-A9C9-6C2E-2F0F-F26CB54D79A2}\mato.txt <==== ATTENTION
Reg; reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\DATAUP" /f

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

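The fix script above is an FRST fixlist. As an added example (not part of this thread and not FRST's own code), the Python below walks lines in that format, classifies each entry, flags the same indicators the helper marked (FRST's ATTENTION tag, an unsigned service binary, a service or task whose target is missing), and checks the MD5 annotation against hashlib's hash of empty input, which is what the "(0-byte MD5)" note on the ndistpr64.sys line means. The sample lines are constructed from the thread's own fixlist.

```python
import hashlib
import re
# MD5 of empty input; FRST marks a driver whose hash equals this as "(0-byte MD5)".
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Constructed sample: lines in the FRST fixlist format, taken from this thread's list.
SAMPLE_FIXLIST = r"""
HKLM-x32\...\Run: [svcvmx] => "C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup <==== ATTENTION
S2 Dataup; C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S1 ccvmhgwf; \??\C:\WINDOWS\system32\drivers\ccvmhgwf.sys [X]
C:\WINDOWS\system32\drivers\ndistpr64.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
Task: {6F692641-CD09-4534-897E-7DB0FC21CF92} - \Online Application V2G1 -> No File <==== ATTENTION
C:\WINDOWS\system32\drivers\huzhetud.sys
"""

def classify(line):
    # Returns (kind, reasons) for one fixlist line, or None for a blank line.
    line = line.strip()
    if not line:
        return None
    reasons = []
    if "<==" in line and "ATTENTION" in line:
        reasons.append("flagged by FRST")
    if re.match(r"^HK(LM|CU|U)\b", line):
        kind = "autorun"            # Run-key entry
    elif re.match(r"^[SRU]\d ", line):
        kind = "service"            # S1/S2/... service or driver entry
        if "[File not signed]" in line:
            reasons.append("unsigned service binary")
        if line.endswith("[X]"):
            reasons.append("service points to a missing file")
    elif line.startswith("Task:"):
        kind = "scheduled-task"
        if "No File" in line:
            reasons.append("task target missing")
    else:
        kind = "file"               # bare path, optionally with an MD5 annotation
        m = re.search(r"MD5 = ([0-9A-Fa-f]{32})", line)
        if m and m.group(1).upper() == EMPTY_MD5:
            reasons.append("zero-byte file in the drivers directory")
    return kind, reasons

def summarize(text):
    # Count entries per kind and collect every line that earned at least one reason.
    counts, findings = {}, []
    for kind, reasons in filter(None, map(classify, text.splitlines())):
        counts[kind] = counts.get(kind, 0) + 1
        if reasons:
            findings.append((kind, reasons))
    return counts, findings
```

Run summarize(SAMPLE_FIXLIST) to get a per-kind count and the five lines that carry a reason; the bare huzhetud.sys path is counted but not flagged because the fixlist line itself carries no indicator.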
Thanks man, I appreciate you helping me out, but I don't believe it worked. Either that or I messed up somewhere; I opened FRST64 with fixlist.txt (I dragged it over the icon and opened it that way). Everything happened according to what you said with the exception of the reboot. After the reboot, the software opened up by itself and wasn't responding. However, I did get the fixlog. I still can't run my antivirus software either.

Fixlog.txt

Alright, so I did what you said and it didn't work. I ran the Malwarebytes software as an admin and waited hours for it to finally finish scanning; it stated that I had 4,864 types of malware on my laptop. Now it also stated that the program stopped responding. The version I was running was 1.10.3.1001. I followed all the instructions in the link you sent and now I don't know what else to do. I would really appreciate a response back as soon as possible. Below is a screenshot of what happened.

Malwarebytes screenshot.PNG

Run MBAR again with only Drivers selected in Scan Targets. MBAR is most likely choking on the llssoft folder because of its size and the thousands of files it contains.

Alright, so I did what you told me to do and I scanned just the driver. Then I scanned the sectors, and they both said they were clean of any type of malware. Now, when I scanned the system, the same problem as before occurred, where the software stopped responding. I deleted the software and tried downloading it as a zip file to counteract this, but I got the same response as before. When I scanned the driver, a message popped up saying that a rootkit had been removed. Now I'm not sure if I still have it or if it's just the amount of files that I have. I don't know what else to do now; the software can never finish scanning the system before it stops responding.

Let's get fresh logs.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [svcvmx] => "C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [cpx] => "C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
SearchScopes: HKU\S-1-5-21-1386859512-2196362297-3995221610-1002 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fs_17_08&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0EyEtDtBzy0B0DtA0BtD0CtDtCyEyCtAtN0D0Tzu0StCzzyByBtN1L2XzutAtFtByBtFtCtFyDtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StCtBtAyCzyzy0DtBtGyDtBtByEtGyCyB0A0EtGtD0E0CtCtGtDtCzzzytB0A0EtDtB0F0BtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0ByE0CzytDyB0BzztGzyyEtB0BtGyEtDzzyEtG0B0BtDzytGtDyByDyCtCzzyBzyzytC0D0B2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtBtDyByE%26cr%3D1418294305%26a%3Dwbf_fs_17_08%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1386859512-2196362297-3995221610-1002 -> {808679A4-6D18-4258-84DA-98F4A9D8001A} URL =
2017-12-16 18:38 - 2017-12-19 13:38 - 000000068 _____ C:\Users\Sensei Tommy\AppData\Local\hBPdxRfzTh
2017-06-15 18:11 - 2017-06-15 20:18 - 007649280 _____ () C:\Program Files (x86)\GUT8360.tmp
2017-12-16 18:38 - 2017-12-19 13:38 - 000000068 _____ () C:\Users\Sensei Tommy\AppData\Local\hBPdxRfzTh
C:\Users\Sensei Tommy\AppData\Local\ntuserlitelist
C:\WINDOWS\system32\tprdpw64.exe

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

According to your fixlog, none of the target items are present on the system.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Alright, I finished the scans and every trace of malware is gone (about fucking time). The scans are located below. I really appreciate the help you've given me. If I hadn't come here I would have had to pay $100 or more to have someone fix it, and I just don't have that type of budget. What's your personal opinion on great antivirus software I could invest in? And thanks again.

FRST.txt

Addition.txt

Emsisoft scan.txt

Your FRST.txt file is incomplete. FRST appears not to have run its scan correctly.

The EEK log shows no malware.

Our Emsisoft Anti-Malware. Link at the bottom of my post. A 1 PC 1 Yr license is $39.95 USD. We currently have specials for a 3 PC 1 Yr license for $39.96 USD and a 5 PC 1 Yr license for $59.85 USD.

It is incomplete, meaning that it is missing a significant amount of data.

Delete the copy of FRST on your system and download a fresh copy.

I have messaged you.

Closing this thread as I will be handling the remaining issues via our Private Message system.
