
I recently got infected with a ton of viruses, and I was able to clean out most of them, but there's still one that I can't get rid of. Here are the details (the computer is running Windows 10 x64):

- The effect of the virus is rather minuscule; whenever I search using the top bar on Google Chrome, it redirects my searches to Yahoo although I have my settings set to Google.

- The name of the program is msmnlbvsrv.exe. It appears in my Windows/temp folder, which is the temporary files folder specified by my environment variables.

- The exe itself can't be deleted from Windows because of some permissions shenanigans that I haven't been able to get around; basically even if I change the owner, it denies me access to delete it. In fact, you can't actually stop the process from the regular task manager either because it once again denies you access. But I was able to kill it by using Process Explorer as an admin.

But the real problem is this: I booted Gparted Live to delete it from there in an attempt to remove it, but when I restart my computer, it's back in my temp folder. This means that some other application is the actual culprit and is running at boot and creating this program that redirects my searches. How can I figure out what exactly is creating the process and remove it from the source? Neither Windows Defender nor Malwarebytes could get rid of the source itself, and I really, REALLY don't want to have to reinstall my OS. Also, I've seen Process Monitor mentioned here and there, but it doesn't run on my computer no matter what I do. No window opens, and if I look at process explorer, the process appears and disappears within the same second.

Kurausukun

1 Answer


A few choices, in order of simplicity:

  • Completely wipe the drive and restore from your last known good image, after first saving any recent data offline and scanning the offline files for malware.
  • Run a malware removing tool from USB or CD, e.g. Avira Rescue System, Panda Cloud Cleaner Rescue ISO or Kaspersky Rescue Disk.
  • Search the whole drive for the string "msmnlbvsrv.exe" to find where it is being re-created and manually change the filename wherever it occurs to change the extension, e.g. "msmnlbvsrv.xxe". This must also be done from an external bootable device, and is useless if the filename is encrypted.
DrMoishe Pippik
  • I don't quite understand your last suggestion; how would I search the entire drive for a string, and how would it tell me what's creating it? – Kurausukun Sep 17 '17 at 02:48
  • That would take a hex disk editing tool and knowledge of its use. There is not room in this forum to expand on this, and I don't recommend it... just listed it as another possibility. BTW, *most important*, what antimalware suite are you using? There are many good choices, and most would have prevented infection in the first place. – DrMoishe Pippik Sep 17 '17 at 02:53
  • I wasn't using anything at the time, but afterward I scanned with both Windows Defender and Malwarebytes, as I mentioned earlier. Yes, it's my fault for not having scanning on. Yes, I had a reason for not having it on. No, it wasn't a good reason. – Kurausukun Sep 17 '17 at 02:55
  • Okay, I just found something, not sure if it's relevant; I ran wmic process get processid,parentprocessid,executablepath|find with the process ID of the program, and it tells me the parent process is services.exe/svchost. That sounds like I'm in very deep shit. Am I? – Kurausukun Sep 17 '17 at 03:00
  • Did you scan from the infected HDD, or from a clean bootable device? Some malware cannot be removed while running on the infected drive. Trust the AV rescue disks mentioned above. – DrMoishe Pippik Sep 17 '17 at 03:01
  • I scanned from the infected HDD. But did you read my comment above/is it relevant? – Kurausukun Sep 17 '17 at 03:02
  • If malware has embedded itself as a Windows Service, you would need to know which service to stop and disable. Again, use a bootable disk or USB device. – DrMoishe Pippik Sep 17 '17 at 03:04
  • Alright, I'll give one of them a shot, but I'm getting dangerously close to formatting my hard drive and reinstalling Windows. Thanks for your help, though, no matter what I end up doing. – Kurausukun Sep 17 '17 at 03:05
  • Alright, Kaspersky found nothing, so I'm just going to format and reinstall. Thank you for putting up with my stupidity, though. This can be closed if anyone wants. – Kurausukun Sep 17 '17 at 03:16
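The question asks how to find what re-creates the file at boot, the answer suggests searching the drive for the filename, and the comments narrow it down to a parent of services.exe. The following triage script, added here as an example and not posted by either participant, pulls those threads together from a defender's side: it shows the parent of the running process (the PowerShell equivalent of the wmic query in the comments), then checks the most common autostart locations (services, scheduled tasks, Run/RunOnce keys) for any entry referencing the filename, and finally does the slow file-content search from the answer's last bullet. The only value taken from the thread is the filename msmnlbvsrv.exe; the Temp-folder heuristic and the file-type filter are my own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added triage example (not from the question or answer). Assumes the filename
# from the thread; run as Administrator on the affected machine.
param(
    [string]$Target = 'msmnlbvsrv.exe'   # filename reported in the question
)
$pattern = [regex]::Escape($Target)

# 1. Parent of the running process, if it is running right now.
#    Same information as: wmic process get processid,parentprocessid,executablepath
Get-CimInstance Win32_Process | Where-Object { $_.Name -ieq $Target } | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        Pid        = $_.ProcessId
        Path       = $_.ExecutablePath
        ParentPid  = $_.ParentProcessId
        ParentName = $parent.Name
        ParentPath = $parent.ExecutablePath
    }
} | Format-List

# 2. Services whose image path names the target or (assumption: suspicious by
#    itself) points into a Temp directory. A parent of services.exe usually
#    means one of these.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $pattern -or $_.PathName -match '\\Temp\\' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 3. Scheduled tasks whose actions reference the target.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; Command = $cmd }
        }
    }
} | Format-Table -AutoSize

# 4. Run / RunOnce keys for the machine, 32-bit view, and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PowerShell metadata
        if ("$($prop.Value)" -match $pattern) {
            [pscustomobject]@{ Key = $key; ValueName = $prop.Name; Data = $prop.Value }
        }
    }
}

# 5. The answer's last resort: look for the filename as a string inside files.
#    Restricted to common executable/script types so it finishes in reasonable time.
Get-ChildItem -Path 'C:\' -Recurse -File -Include *.exe,*.dll,*.bat,*.cmd,*.ps1,*.vbs,*.js -ErrorAction SilentlyContinue |
    Select-String -Pattern $Target -SimpleMatch -List -ErrorAction SilentlyContinue |
    Select-Object Path
```

A hit in steps 2 to 4 gives you the service, task or registry value to disable before deleting the file; step 5 only tells you which files embed the name, which is the "where it is being re-created" search the answer describes and, as the answer notes, finds nothing if the dropper stores the name obfuscated. The script covers only the most common persistence points, so a clean result does not rule out the infection; the offline rescue-disk scan or a reinstall from a known-good image remains the reliable route.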