TwinkieTheKidd

Everything posted by TwinkieTheKidd

  1. @kevinf80 The virus has been successfully eradicated from my system. I greatly appreciate your help. However, I have another system that has the same infection (I assume it jumped over via my network or a flash drive). If I perform the first steps and generate a log file from the 2nd infected system, would you be willing to create a fixlist for it? I've done my research and I understand the nature of the virus now as a ring-zero, driver-based "bodyguard"-type malware protecting a generic clicker virus and a trojan, but I don't have the required understanding of it to create a fixlist.txt from a scan results text file.
  2. @kevinf80 I have done as you instructed. Here is the log file: FRST.txt
  3. Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 4/22/18
     Scan Time: 9:46 AM
     Log File: e1491cc0-463b-11e8-96ad-005056c00001.json
     Administrator: Yes

     -Software Information-
     Version: 3.4.5.2467
     Components Version: 1.0.342
     Update Package Version: 1.0.4836
     License: Trial

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: Unimatrix0\UnimatrixZero

     -Scan Summary-
     Scan Type: Custom Scan
     Scan Initiated By: Manual
     Result: Cancelled
     Objects Scanned: 365
     Threats Detected: 1
     Threats Quarantined: 0
     (No malicious items detected)
     Time Elapsed: 1 min, 3 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 0
     (No malicious items detected)

     Registry Value: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 0
     (No malicious items detected)

     File: 1
     Rootkit.Agent.PUA, C:\Windows\System32\drivers\atoilpsv.sys, No Action By User, [382], [429857],0.0.0

     Physical Sector: 0
     (No malicious items detected)

     (end)

     I quarantined the PUA Agent. The virus is located inside a folder called ataepwm, so I suspect that is involved somehow.

     Attachments: FRST.txt, Addition.txt
  4. I seem to have acquired a rather nasty Bitcoin miner (or I assume that's what it is). It seems to generate a random name and create a folder in Appdata/Low which I cannot access due to an access denied. It asks for administrator rights which, when provided, it still says access denied (these are my personal machines; I'm the only admin). I tried to take ownership via file security but I always get an access denied error and it says the current owner is unknown. It creates multiple threads using the same name as the folder it created which I cannot affect in any way. I can't kill them or restrict their priority level. I also cannot open the containing folder due to the aforementioned admin issue. It seems to constantly max out either 1 or 2 cores on and off. It drops down to no usage for 30 seconds to 2 minutes on a regular basis. I'm not sure what it's doing as I don't get a spike in network traffic. Based on how the performance hit affects my system I suspect these processes have given themselves above average priority. The virus seems to have spread to my Laptop and HTPC via my network since there isn't any download I've made that the 3 of them have in common. The processes have in common only that they identify themselves as "Windows Process Manager" in the description bar and that whenever the file name of the current process is googled it always seems to be listed on the page of a spam redirect webpage:
     * www.discopoints.org/?postfix=CB&prefix=WE

     I suspect that web portal acts as some sort of homing device since every filename they've taken so far has been on that webpage. The hard part is I can't find out how to remove the virus because I don't know the name or strain of the virus due to it creating randomly named folders. MalwareBytes Anti Malware (which is supposedly the best at detecting malware) never detects it even when I specifically tell it to scan the aforementioned folders. It doesn't seem to be using my GPU. Only my CPU.

     So far the process names I've seen are:
     * nvbtcis
     * weklacb
     * aurpmwc
     * nvczsrmsvc

     It's also always accompanied by a process that describes itself as "Printer Driver Host":
     * dtmcbpx

     They are always 32-bit processes. Each instance of the main mining process seems to use between 20 and 100MB of RAM depending on the age of the process. Do any of you recognize this behavior? If I can find out what virus I'm dealing with I can likely find instructions on its removal. I've never seen a virus that takes this degree of control over my systems.

     * Edit: Both systems are running Windows 7 Ultimate SP1 64-bit.
     * Edit 2: I also tried booting to Linux Live to view the folders. Under Linux the folders appeared as empty. I tried deleting them so I could boot back into Windows and create my own folders in a read-only state so they couldn't re-replicate themselves. By the time I was into Explorer they had already been taken over by the virus again.
     * Edit 3: I've noticed it has the digital signature of a company called Jetbrains S.R.O., so I've sent them an email to see if they know anything about this. I assume they won't be happy that their digital signature is on a virus program.
     * Edit 4: Reinstalling my OS isn't an option. It would take months to reinstall all my software. We're talking 3+ year old installs with TBs of data. It was suggested I try posting here. Neither MalwareBytes nor Avast have been able to successfully remove this virus. Avast's BootScan just threw out a data error and was unable to correctly delete the files. RKill didn't kill it.
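The post above describes behaviour (randomly named 32-bit processes whose file description reads "Windows Process Manager" or "Printer Driver Host", folders under AppData whose owner cannot be resolved, a kernel driver later flagged by Malwarebytes) that a responder would normally turn into a few concrete checks before asking for a fixlist. The following triage script is an added example written for this page; it is not the poster's code and not part of FRST, Malwarebytes or any other tool named in the thread. It assumes a 64-bit Windows 7 host, an elevated PowerShell console, that "Appdata/Low" in the post means %USERPROFILE%\AppData\LocalLow, and it uses the process names and descriptions the poster reported only as a starting filter, not as confirmed indicators.

```powershell
# Added triage script; not code from the original thread. Assumes 64-bit Windows 7
# (PowerShell 2.0 or later) run from an elevated console, and reads "Appdata/Low" in
# the post as %USERPROFILE%\AppData\LocalLow. The names below are the ones the poster
# reported and are used only as a starting filter, not as confirmed indicators.

$SuspectDescriptions = @('Windows Process Manager', 'Printer Driver Host')
$SuspectNames        = @('nvbtcis', 'weklacb', 'aurpmwc', 'nvczsrmsvc', 'dtmcbpx')

# IsWow64Process reports whether a process is 32-bit on a 64-bit host
# (the post says every instance is 32-bit).
Add-Type -Namespace Triage -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64);
'@

function Get-ProcessBitness($proc) {
    try {
        $wow64 = $false
        [void][Triage.Native]::IsWow64Process($proc.Handle, [ref]$wow64)
        if ($wow64) { '32-bit' } else { '64-bit' }
    } catch { 'unknown (handle denied)' }   # a self-protecting process may refuse the handle
}

function Get-SignerSummary($path) {
    # Embedded Authenticode signature only; see the note below about catalog-signed files.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'no readable path' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.SignerCertificate) { return "$($sig.Status): $($sig.SignerCertificate.Subject)" }
    return "$($sig.Status): unsigned"
}

function Resolve-DriverPath($raw) {
    # Win32_SystemDriver.PathName comes as '\??\C:\...', '\SystemRoot\...' or 'system32\...'
    if (-not $raw) { return $null }
    $p = $raw -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Write-Host "== Running processes matching the reported description or names =="
foreach ($wp in Get-WmiObject -Class Win32_Process) {
    $path = $wp.ExecutablePath
    $desc = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $desc = (Get-Item -LiteralPath $path).VersionInfo.FileDescription
    }
    $base = [System.IO.Path]::GetFileNameWithoutExtension($wp.Name)
    if (($SuspectDescriptions -contains $desc) -or ($SuspectNames -contains $base)) {
        $proc = Get-Process -Id $wp.ProcessId -ErrorAction SilentlyContinue
        $bits = 'unknown'; $prio = 'unknown'
        if ($proc) {
            $bits = Get-ProcessBitness $proc
            try { $prio = $proc.PriorityClass } catch { $prio = 'denied' }
        }
        "{0,6} {1,-18} {2,-8} {3,-12} parent={4}" -f $wp.ProcessId, $wp.Name, $bits, $prio, $wp.ParentProcessId
        "       path:    $path"
        "       signer:  $(Get-SignerSummary $path)"
        "       cmdline: $($wp.CommandLine)"
    }
}

Write-Host "`n== Running kernel drivers whose image is not validly signed by Microsoft =="
$drivers = Get-WmiObject -Class Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
foreach ($drv in $drivers) {
    $path    = Resolve-DriverPath $drv.PathName
    $summary = Get-SignerSummary $path
    if ($summary -notmatch '^Valid: .*Microsoft') {
        "{0,-16} {1}" -f $drv.Name, $path
        "                 $summary"
    }
}

Write-Host "`n== Folders under AppData\LocalLow and who owns them =="
$low = Join-Path $env:USERPROFILE 'AppData\LocalLow'
foreach ($dir in Get-ChildItem -LiteralPath $low -Force | Where-Object { $_.PSIsContainer }) {
    try   { $owner = (Get-Acl -Path $dir.FullName -ErrorAction Stop).Owner }
    catch { $owner = "ACL unreadable: $($_.Exception.Message)" }
    # An owner printed as a raw S-1-... SID is the "current owner is unknown" case from the post.
    "{0,-32} created={1:u} owner={2}" -f $dir.Name, $dir.CreationTime, $owner
}
```

Run it from 64-bit PowerShell as administrator and read the output as leads, not verdicts. Two caveats matter on a box like the one described. First, Get-AuthenticodeSignature only checks an embedded signature, and on Windows 7 many inbox drivers are signed only through a catalog file, so plenty of legitimate drivers will show as NotSigned; compare the list against a clean machine rather than treating every hit as hostile, and treat a driver outside the expected paths or signed by a non-Microsoft publisher as the one to investigate. Second, a kernel-mode component can hide its own processes, files and registry keys from exactly these user-mode enumerations, so an empty result does not mean the machine is clean; this is why the thread's helper asks for an FRST log, which scans from a different vantage point, before building a fixlist.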