Ore

Members
  • Posts: 5
  • Joined
  • Last visited
  • Reputation: 0 Neutral
  1. @AdvancedSetup, the FRST files: Addition.txt, FRST.txt
  2. Sophos Log @AdvancedSetup
     2017-03-31 17:01:06.580 Sophos Virus Removal Tool version 2.5.6
     2017-03-31 17:01:06.580 Copyright (c) 2009-2016 Sophos Limited. All rights reserved.
     2017-03-31 17:01:06.580 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.
     2017-03-31 17:01:06.580 Windows version 6.2 SP 0.0 build 9200 SM=0x300 PT=0x1 WOW64
     2017-03-31 17:01:06.581 Checking for updates...
     2017-03-31 17:01:06.955 Update progress: proxy server not available
     2017-03-31 17:01:26.740 Downloading updates...
     2017-03-31 17:01:26.747 Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
     2017-03-31 17:01:26.747 Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
     2017-03-31 17:01:26.747 Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
     2017-03-31 17:01:26.747 Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
     2017-03-31 17:01:26.747 Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
     2017-03-31 17:01:26.747 Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
     2017-03-31 17:01:26.747 Update progress: [I49502] sdds.data0910.xml: found supplement IDE537 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
     2017-03-31 17:01:26.747 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE537 LATEST path=
     2017-03-31 17:01:26.747 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE537 LATEST path=
     2017-03-31 17:01:26.747 Update progress: [I49502] sdds.data0910.xml: found supplement IDE538 LATEST path= baseVersion= [included from product IDE537 LATEST path=]
     2017-03-31 17:01:26.747 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE538 LATEST path=
     2017-03-31 17:01:26.747 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE538 LATEST path=
     2017-03-31 17:01:26.747 Update progress: [I49502] sdds.data0910.xml: found supplement IDE539 LATEST path= baseVersion= [included from product IDE538 LATEST path=]
     2017-03-31 17:01:26.747 Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE539 LATEST path=
     2017-03-31 17:01:26.748 Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE539 LATEST path=
     2017-03-31 17:01:26.748 Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
     2017-03-31 17:01:27.082 Update progress: [I19463] Syncing product SAVIW32 LATEST path=
     2017-03-31 17:01:27.082 Update progress: [I19463] Product download size 158884372 bytes
     2017-03-31 17:02:22.500 Update progress: [I19463] Syncing product IDE537 LATEST path=
     2017-03-31 17:02:22.500 Update progress: [I19463] Product download size 2537599 bytes
     2017-03-31 17:02:25.644 Update progress: [I19463] Syncing product IDE538 LATEST path=
     2017-03-31 17:02:25.645 Update progress: [I19463] Product download size 2280148 bytes
     2017-03-31 17:02:30.004 Update progress: [I19463] Syncing product IDE539 LATEST path=
     2017-03-31 17:02:30.004 Update progress: [I19463] Product download size 2180844 bytes
     2017-03-31 17:02:33.623 Installing updates...
     2017-03-31 17:02:34.122 Option all = no
     2017-03-31 17:02:35.327 Option recurse = yes
     2017-03-31 17:02:35.327 Option archive = no
     2017-03-31 17:02:35.327 Option service = yes
     2017-03-31 17:02:35.327 Option confirm = yes
     2017-03-31 17:02:35.327 Option sxl = yes
     2017-03-31 17:02:35.327 Option max-data-age = 35
     2017-03-31 17:02:35.327 Option vdl-logging = yes
     2017-03-31 17:02:35.327 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
     2017-03-31 17:02:35.329 Machine ID: 0e8263f709074b27a236fec98c1f17ad
     2017-03-31 17:02:35.329 Component SVRTcli.exe version 2.5.6
     2017-03-31 17:02:35.329 Component control.dll version 2.5.6
     2017-03-31 17:02:35.329 Component SVRTservice.exe version 2.5.6
     2017-03-31 17:02:35.329 Component engine\osdp.dll version 1.44.1.2280
     2017-03-31 17:02:35.329 Component engine\veex.dll version 3.68.0.2280
     2017-03-31 17:02:35.329 Component engine\savi.dll version 9.0.7.2280
     2017-03-31 17:02:35.329 Component rkdisk.dll version 1.5.31.1
     2017-03-31 17:02:35.329 Version info: Product version 2.5.6
     2017-03-31 17:02:35.329 Version info: Detection engine 3.68.0
     2017-03-31 17:02:35.329 Version info: Detection data 5.36
     2017-03-31 17:02:35.330 Version info: Build date 2/7/2017
     2017-03-31 17:02:35.330 Version info: Data files added 384
     2017-03-31 17:02:35.330 Version info: Last successful update (not yet updated)
     2017-03-31 17:02:35.330 Error level 1
     2017-03-31 17:02:51.886 Update successful
     2017-03-31 17:03:21.654 Option all = no
     2017-03-31 17:03:21.654 Option recurse = yes
     2017-03-31 17:03:21.654 Option archive = no
     2017-03-31 17:03:21.654 Option service = yes
     2017-03-31 17:03:21.654 Option confirm = yes
     2017-03-31 17:03:21.654 Option sxl = yes
     2017-03-31 17:03:21.657 Option max-data-age = 35
     2017-03-31 17:03:21.657 Option vdl-logging = yes
     2017-03-31 17:03:21.676 Customer ID: 094260ca9b3af99f9d4a3909fc47a743
     2017-03-31 17:03:21.676 Machine ID: 0e8263f709074b27a236fec98c1f17ad
     2017-03-31 17:03:21.682 Component SVRTcli.exe version 2.5.6
     2017-03-31 17:03:21.683 Component control.dll version 2.5.6
     2017-03-31 17:03:21.684 Component SVRTservice.exe version 2.5.6
     2017-03-31 17:03:21.685 Component engine\osdp.dll version 1.44.1.2280
     2017-03-31 17:03:21.688 Component engine\veex.dll version 3.68.0.2280
     2017-03-31 17:03:21.689 Component engine\savi.dll version 9.0.7.2280
     2017-03-31 17:03:21.691 Component rkdisk.dll version 1.5.31.1
     2017-03-31 17:03:21.691 Version info: Product version 2.5.6
     2017-03-31 17:03:21.692 Version info: Detection engine 3.68.0
     2017-03-31 17:03:21.692 Version info: Detection data 5.36
     2017-03-31 17:03:21.692 Version info: Build date 2/7/2017
     2017-03-31 17:03:21.692 Version info: Data files added 384
     2017-03-31 17:03:21.692 Version info: Last successful update 3/31/2017 10:02:51 AM
     2017-03-31 18:32:48.110 >>> Virus 'Troj/Kovter-K' found in file C:\FRST\Quarantine\C\Users\tnguy_000\AppData\Local\{8a967ef8-b49d-2b2f-2054-a34da34e12fe}\{8a967ef8-b49d-2b2f-2054-a34da34e12fe}.exe
     2017-03-31 18:33:02.900 Could not open C:\hiberfil.sys
     2017-03-31 18:34:05.343 Could not open C:\pagefile.sys
     2017-03-31 19:22:10.593 Could not open C:\swapfile.sys
     2017-03-31 19:22:12.234 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
     2017-03-31 19:22:12.264 Could not open C:\System Volume Information\{4bba569d-12f5-11e7-8601-0071cc94c154}{3808876b-c176-4e48-b7ae-04046e6cc752}
     2017-03-31 19:22:12.267 Could not open C:\System Volume Information\{5b56cd08-162c-11e7-8606-0071cc94c154}{3808876b-c176-4e48-b7ae-04046e6cc752}
     2017-03-31 19:22:12.270 Could not open C:\System Volume Information\{766f084f-0bf8-11e7-85f3-0071cc94c154}{3808876b-c176-4e48-b7ae-04046e6cc752}
     2017-03-31 19:22:12.275 Could not open C:\System Volume Information\{fef6c664-1631-11e7-8607-0071cc94c154}{3808876b-c176-4e48-b7ae-04046e6cc752}
     2017-03-31 19:23:13.600 Could not open C:\Users\tnguy_000\AppData\Local\Google\Chrome\User Data\Default\Current Session
     2017-03-31 19:23:13.602 Could not open C:\Users\tnguy_000\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
     2017-03-31 20:04:08.370 Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
     2017-03-31 20:04:08.373 Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
     2017-03-31 20:04:27.828 Could not open C:\Windows\System32\config\BBI
     2017-03-31 20:04:28.456 Could not open C:\Windows\System32\config\RegBack\DEFAULT
     2017-03-31 20:04:28.509 Could not open C:\Windows\System32\config\RegBack\SAM
     2017-03-31 20:04:28.548 Could not open C:\Windows\System32\config\RegBack\SECURITY
     2017-03-31 20:04:28.579 Could not open C:\Windows\System32\config\RegBack\SOFTWARE
     2017-03-31 20:04:28.607 Could not open C:\Windows\System32\config\RegBack\SYSTEM
     2017-03-31 20:43:50.821 The following items will be cleaned up:
     2017-03-31 20:43:50.821 Troj/Kovter-K
  3. ADWcleaner log @AdvancedSetup
     # AdwCleaner v6.045 - Logfile created 31/03/2017 at 09:48:24
     # Updated on 28/03/2017 by Malwarebytes
     # Database : 2017-03-30.1 [Server]
     # Operating System : Windows 8.1 (X64)
     # Username : tnguy_000 - SHANE-PC
     # Running from : C:\Users\tnguy_000\Downloads\AdwCleaner.exe
     # Mode: Clean
     # Support : https://www.malwarebytes.com/support

     ***** [ Services ] *****

     ***** [ Folders ] *****

     [-] Folder deleted: C:\ProgramData\{ab5163fd-a766-8056-ab51-163fda768ff6}
     [-] Folder deleted: C:\Users\Default User\AppData\Local\Pokki
     [#] Folder deleted on reboot: C:\Users\Default\AppData\Local\Pokki

     ***** [ Files ] *****

     ***** [ DLL ] *****

     ***** [ WMI ] *****

     ***** [ Shortcuts ] *****

     ***** [ Scheduled Tasks ] *****

     ***** [ Registry ] *****

     [-] Key deleted: HKLM\SOFTWARE\33f4cae1-2bda-4285-6364-67c251b188c8
     [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}
     [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}
     [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}
     [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}
     [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}
     [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}
     [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}
     [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}
     [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
     [-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}
     [-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
     [-] Key deleted: HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
     [-] Key deleted: HKLM\SOFTWARE\VisualDiscovery
     [-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
     [-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
     [#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
     [#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
     [-] Key deleted: HKLM\SOFTWARE\Classes\AppID\VISUALDISCOVERY.EXE
     [#] Key deleted on reboot: HKLM\SOFTWARE\CLASSES\APPID\VISUALDISCOVERY.EXE
     [-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VDWFP

     ***** [ Web browsers ] *****

     [-] [C:\Users\tnguy_000\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] [Search Provider] Deleted: aol.com
     [-] [C:\Users\tnguy_000\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] [Search Provider] Deleted: ask.com

     *************************

     :: "Tracing" keys deleted
     :: Winsock settings cleared

     *************************

     C:\AdwCleaner\AdwCleaner[C0].txt - [2960 Bytes] - [31/03/2017 09:48:24]
     C:\AdwCleaner\AdwCleaner[R0].txt - [4944 Bytes] - [05/01/2015 11:25:02]
     C:\AdwCleaner\AdwCleaner[S0].txt - [5095 Bytes] - [05/01/2015 11:30:31]
     C:\AdwCleaner\AdwCleaner[S1].txt - [3211 Bytes] - [31/03/2017 09:43:58]

     ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [3252 Bytes] ##########
  4. This morning I launched my laptop, then it posted a percentage number, and next to it, it said something along the lines of "Please wait. Cleaning your drive C:". I found it really fishy, so then I ran MalwareBytes. It said everything was fine, so then I started going through my day. Then this happened. I was playing CS:GO, in the middle of a match, then it disconnected me, saying something about how I couldn't connect to VAC servers because there were files on my system that prevented me? So I was really suspicious now, so then I ran MalwareBytes Chameleon, but it said there was an error with my anti-rootkits. I then tried to launch MalwareBytes again and it says I don't have the appropriate permissions. I relaunched my computer (Windows 8) and it put me on a temporary account because "my files can't be accessed". Help please. I attached a FRST log, a FRST Addition log, and a Malwarebytes log. Addition.txt FRST.txt Malwarebytes Log.txt