Solved Please help removing Windows Process Manager malware

xtcmax

New Member
Thread author
Jan 28, 2018
3
Hello.
I just got a virus on my PC and I can't remove it using conventional software like:
- Malwarebytes anti rootkit
- Malwarebytes anti malware
- Hitman pro
- Protect Scan Portable

I did google the problem, tried some of the advice but nothing worked.

Problem:
At first I was getting a lot of instances of obese.exe and oc.exe. I found all the instances of the files and removed them manually.
Now I am getting this "Address has been blocked" redirect all the time and the virus is sitting on my PC unremoved by all the anti virus programs.
Also !!!!! It seems like I can't do system restore because my PC does not reboot into Troubleshoot mode when I press SHIFT+Reboot. The PC can be rebooted in Safe Mode but Recovery Program will not run.

Below are the screenshots of the virus and the message I am getting from Nod32.

[Screenshots: screenshot_222.jpg, screenshot_225.jpg, screenshot_226.jpg, screenshot_227.jpg, screenshot_228.jpg]


Please help me to remove this from my PC.

p.s. Also, these files are on my PC and I don't think I need them (never had them and never had the process running)

2018-01-27 20:16 - 2018-01-27 20:16 - 000004608 _____ C:\WINDOWS\SECOH-QAD.exe
2018-01-27 20:16 - 2018-01-27 20:16 - 000003584 _____ C:\WINDOWS\SECOH-QAD.dll


Thank you in advance.
 

Attachments: Addition.txt (50.9 KB), FRST.txt (82.8 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,


Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Now you should get a window like this where you need to click Troubleshoot.
Windows-10-2.jpg

  • In the next window, click Advanced options and select Command Prompt.
  • Now you should log in to your account and after that Command Prompt window.
Access the notepad and identify your USB drive

In the Command Prompt please type in:
Code:
notepad
and press Enter.
  • When the notepad opens, go to File menu.
  • Select Open.
  • Go to Computer and search there for your USB drive letter.
  • Note down the letter and close the notepad.


Scan with Farbar Recovery Scan Tool

Once back in the command prompt window, please do the following:
  • Type in e:\frst64.exe and press Enter.
    You need to replace e with the letter of your USB drive taken from notepad!
  • FRST will start to run. Give it a minute or so to load itself.
  • Click Yes to Disclaimer.
  • In the main console, please click Scan and wait.
  • When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

Transfer it to your clean machine and include it in your next reply.
 

xtcmax

New Member
Thread author
Jan 28, 2018
3
TwinHeadedEagle,
thank you very much for your assistance. I am sorry for the late response, I had to find a second PC, which I found and it is ancient.


So, I ran FRST from a clean USB and after I booted into normal mode on the infected PC the virus had been cleaned, even the log shows it. If that is the case, I am just jumping for joy because I don't have to re-install Windows due to a lot of graphical stuff installed.

I have noticed I had the spyware in my root Windows directory, which I googled and removed the files manually from the directory.
SECOH-QAD.exe & .dll



Where were these files moved or were they deleted? (these are the virus files)
"HKLM\System\ControlSet001\Services\idbakrvs" => removed successfully
C:\Windows\System32\drivers\usahlorv.sys => moved successfully
C:\Users\xtcmax\AppData\Local\dtbxnwv\niocpvr.exe => moved successfully
C:\Users\xtcmax\AppData\Local\pwslger\pwslger.exe => moved successfully
C:\Users\xtcmax\AppData\Local\pwslger\upabzik.exe => moved successfully


Included is the new .log file per your request.
 

Attachments: FRST.txt (28.3 KB)
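
The fix results quoted in the post above, run through a small triage script (an added example, not part of the original thread and not FRST's own code). It groups each line by artifact type and lists any line that did not report success; the category names and function names are assumptions chosen for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Result lines copied verbatim from the post above.
SAMPLE = r'''"HKLM\System\ControlSet001\Services\idbakrvs" => removed successfully
C:\Windows\System32\drivers\usahlorv.sys => moved successfully
C:\Users\xtcmax\AppData\Local\dtbxnwv\niocpvr.exe => moved successfully
C:\Users\xtcmax\AppData\Local\pwslger\pwslger.exe => moved successfully
C:\Users\xtcmax\AppData\Local\pwslger\upabzik.exe => moved successfully
'''

# "<target>" => <result>   (the quotes around the target are optional)
LINE = re.compile(r'^"?(?P<target>.+?)"?\s*=>\s*(?P<result>.+?)\s*$')

def classify(target):
    """Return an illustrative artifact category for one fixed item."""
    low = target.lower()
    if low.startswith(("hklm\\", "hkcu\\", "hku\\")):
        return "service-key" if "\\services\\" in low else "registry"
    path = PureWindowsPath(target)
    if path.suffix.lower() == ".sys":
        return "driver"
    if "appdata" in (part.lower() for part in path.parts):
        return "user-profile-binary"
    return "file"

def parse(text):
    """Turn result lines into (category, target, result) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((classify(m["target"]), m["target"], m["result"]))
    return rows

def needs_followup(rows):
    """Items whose result text does not report success."""
    return [r for r in rows if "successfully" not in r[2].lower()]

if __name__ == "__main__":
    rows = parse(SAMPLE)
    for kind, count in Counter(r[0] for r in rows).items():
        print(f"{kind}: {count}")
    for kind, target, result in needs_followup(rows):
        print(f"CHECK AGAIN: {target} ({result})")
```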

xtcmax

New Member
Thread author
Jan 28, 2018
3
Nothing has been detected. I think we can close the thread because the initial run of FRST from the flash drive cleared out the virus I had problems with. I thank you for your help and will spread the word about this site.
 
