CLOSED Malware - Can't remove


I ran a scan with Emsisoft and it found several threats. Tried to remove them. It reported:

"The following objects
C:\Windows\System32\Drivers\Winmon.sys
C:\Windows\System32\Drivers\WinmonFS.sys
were not removed for your safety ... Removing these items bears an unusually high risk of crashing your OS.."

I followed the instructions on the "START HERE.." page and it asked to post remaining items here.  

Thanks for your help. 

(Sorry for my bad English, I'm not a native speaker)

Edit: I can't start Windows Defender


I see a few things that do need to be taken care of. In short, your machine was infected, yes; but it still is. The first and most major step is killing the most invasive infection on the computer, and the one responsible for our program not installing properly: SmartService.

Please read through these instructions before starting. If you think you can handle all this, move forward. If you don't, please get someone involved who can.

SmartService IS possible to remove, and for someone savvy enough, actually pretty easy. For most people though, SmartService is a pretty big pain to remove. Do you have access to a clean, uninfected Windows 10 machine? If you do, we can use the recovery environment of a Windows 10 installation USB stick (8GB or larger, you'll need one of those too) to get rid of it.

Things to consider:
1. SmartService disables recovery mode in Windows 10, so we have to make a recovery boot USB stick from a clean computer, and configure the infected computer to boot from it.
2. SmartService knows how to patch FRST64.exe so it will not run in recovery mode, so we must make sure SmartService never 'sees' the FRST64.exe program used for this next set of steps.
3. If regular Windows boots while either the Windows 10 recovery USB stick or the FRST USB stick are inserted, you need to format the USB stick and start over. It is safe to format it using the clean computer.

How savvy are you with such things? Here's what to do:

1. Create a Windows 10 recovery USB stick:
2. Using the clean machine, download a fresh copy of FRST64.exe that has never touched the 'sick' machine, and copy it to a separate USB stick. DO NOT INSERT THE USB STICK INTO THE 'SICK' MACHINE YET.
3. Once you're ready with the USB stick and the Windows 10 recovery USB stick (yes, two sticks), shut down the sick computer completely. As in shut down, power off. Follow the instructions here to boot from the Windows 10 recovery USB stick:
4. Use the Repair -> Troubleshoot -> Command Prompt option within recovery mode. Once there, plug in the second USB stick that has FRST64 on it. Find your USB drive by running notepad.exe, clicking File->Open, then noting which drive says "Boot". Normally that is D: or E:, depending on how many drives are in your machine. Either way, we're looking for the USB stick drive letter. You can also find it by typing (in the command prompt) "dir d:", "dir e:" etc. until you find the FRST64.exe program you downloaded earlier.
5. Type "FRST64" to run it. Click the Scan button. Please send the FRST.txt file that it creates. If all goes well, FRST64 will have killed the SmartService driver, and you'll be able to reboot into normal mode where we can finish the removal.

If these instructions are too much, it may be better to get someone involved who has enough experience to do it - while this is not an inherently dangerous exercise, it's not exactly for the faint of heart.

Until SmartService is killed, nothing we do on this machine is going to work properly in the way of getting rid of malware.
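As an added example, not part of this thread and not code from Emsisoft or the FRST author: the PowerShell below automates two checks from the posts above. The first function does what step 4 describes (walk the drive letters until the freshly downloaded FRST64.exe is found). The second and third functions are for a normally booted Windows session: they report whether the two driver files the scanner refused to delete are still on disk and whether any registered kernel driver points at them, and they show the state of the Windows Defender service (service name WinDefend) that the first post says will not start. It assumes powershell.exe is available; the recovery Command Prompt only has it if that WinRE build ships PowerShell, otherwise the "dir d:", "dir e:" loop from the reply does the same job. The file paths are the ones quoted in the first post; the `-match` pattern and the drive-letter range are my own choices.

```powershell
# Added example, not from the thread. Assumes powershell.exe is available.

# Step 4 of the reply: find which drive letter holds the fresh FRST64.exe.
# Scans D: through Z: (68..90 are the ASCII codes) and returns the first
# root that contains the file, or $null if none does.
function Find-FrstDrive {
    param([string]$FileName = 'FRST64.exe')
    foreach ($code in 68..90) {
        $root = "{0}:\" -f [char]$code
        if (Test-Path -LiteralPath (Join-Path $root $FileName)) {
            return $root
        }
    }
    return $null
}

# On a booted system: inventory the two driver files the scanner refused to
# delete (paths quoted in the first post) and any registered kernel driver
# whose image path ends in Winmon.sys or WinmonFS.sys.
function Get-WinmonIndicators {
    $files = @(
        'C:\Windows\System32\Drivers\Winmon.sys',
        'C:\Windows\System32\Drivers\WinmonFS.sys'
    )
    $present = foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            Get-Item -LiteralPath $f | Select-Object FullName, Length, LastWriteTime
        }
    }
    # Win32_SystemDriver lists kernel drivers with their State, StartMode and PathName.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match '\\Winmon(FS)?\.sys$' } |
        Select-Object Name, State, StartMode, PathName
    [pscustomobject]@{ Files = $present; Drivers = $drivers }
}

# The first post says Windows Defender cannot be started; report the service state.
function Get-DefenderState {
    Get-Service -Name WinDefend -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

# Usage: in the recovery Command Prompt, locate the FRST stick;
# in a normal session, print the indicator and Defender reports.
$frst = Find-FrstDrive
if ($frst) { Write-Output "FRST64.exe found on $frst" } else { Write-Output 'FRST64.exe not found on D: .. Z:' }
Get-WinmonIndicators | Format-List
Get-DefenderState | Format-Table -AutoSize
```

If Get-WinmonIndicators shows the files still present after the recovery-mode FRST run, or Get-DefenderState shows WinDefend stopped with a start type of Disabled, the cleanup described above has not finished and the FRST.txt log is the next thing to post; do not try to delete the driver files by hand, for the reason the scanner itself gave.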

This topic is now closed to further replies.