Showing results for tags 'rootkit'.

Found 98 results

  1. Hello there. One of my machines, running Windows Vista SP2, has a semi-serious problem that I cannot even name. This is the final chance for me to figure out whether I'm safe or not. Here is the issue. I came across a malware a few years ago which infected my machine through a non-secure Java web applet. After this infection, I immediately took some actions and tried neutralizing the malware and cleaning as well; I also used the Malwarebytes 1.x and 2.x series. After some years have passed, I still notice that the nasty and non-existent registry entry of this malware is still visible in regedit and GMER. I have had no abnormal activity since then, and tried the numerous rootkit removers listed below with the following results:
     - GMER: Shows a hidden driver service highlighted red but is unable to remove / disable it because it does not exist in fact (IMHO).
     - Sophos Anti-Rootkit: No malware is found, system is clean.
     - BitDefender Anti-Rootkit: No malware is found, system is clean (the scan took very short though, not sure why).
     - Kaspersky TDSS Remover: No malware is found, system is clean.
     - Rootkit Hook Analyzer: No malware is found, system is clean.
     - Symantec TDSS Fix Tool: No malware is found, system is clean.
     - ...and finally Malwarebytes Anti-Rootkit BETA along with Malwarebytes Premium (3.3.1) edition: System is clean, no malware is found.
     Although almost all of the major removers say that the system is clean, I'm so picky that I have no idea why regedit and GMER display the presence of malware (PragmaXXXXX - random numbers), especially since regedit shows an error immediately when I click on this key as if it does NOT exist, but I can't do anything even though I've tried a lot of methods, including running regedit under the SYSTEM account, running an offline registry editor from a recovery disc, and using the command prompt. It seems like a very strange glitch in the registry file, and it cannot be removed there even though the entry (PragmaXXXXX) is shown.
     I'm attaching all the screenshots that would help in describing the issue, along with the FRST log, the Addition.txt log and the MBAM Anti-Rootkit log file. I'd be so grateful if there are any additional steps to take other than formatting the whole drive, as I have a lot of documents and installations with sensitive configurations. Thanks in advance! Addition.txt FRST.txt system-log.txt
  2. Threat scan results:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 1/14/18
     Scan Time: 11:20 AM
     Log File: fc0fb9b6-f95f-11e7-88f2-1c1b0d63b3b0.json
     Administrator: Yes

     -Software Information-
     Version: 3.3.1.2183
     Components Version: 1.0.262
     Update Package Version: 1.0.3693
     License: Premium

     -System Information-
     OS: Windows 10 (Build 16299.192)
     CPU: x64
     File System: NTFS
     User: User-PC\User

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 313979
     Threats Detected: 3
     Threats Quarantined: 0
     (No malicious items detected)
     Time Elapsed: 13 min, 35 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)
     Module: 0
     (No malicious items detected)
     Registry Key: 0
     (No malicious items detected)
     Registry Value: 0
     (No malicious items detected)
     Registry Data: 0
     (No malicious items detected)
     Data Stream: 0
     (No malicious items detected)
     Folder: 0
     (No malicious items detected)
     File: 3
     PUP.Optional.BundleInstaller, C:\USERS\USER\APPDATA\LOCAL\TEMP\BIT8ED6.TMP.EXE, No Action By User, [19], [458026],1.0.3693
     PUP.Optional.MailRu, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, No Action By User, [611], [477962],1.0.3693
     PUP.Optional.MailRu, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, No Action By User, [611], [477962],1.0.3693

     Physical Sector: 0
     (No malicious items detected)
     ------------------------------------------------

     From what I can tell this malware is at least a year old (looking in public forums; I don't mean a year on my computer). I can't think of any reason why Malwarebytes (which I pay for) hasn't provided a fix for it within multiple updates. Per the forum it has been mentioned to MB before.
     I found a post in here somewhere from about a year ago providing a fix, but it's probably over 50 steps (beyond any malware fix I've seen, pretty absurd)... and since it was a year ago... I'd REALLY like to think the MB team has a better solution to remedy this... at least for paying customers. Please advise.
  3. Good afternoon and Happy New Year! I *just* got a new laptop from Dell, an Inspiron 7370, as my previous laptop was aging and seemed to have its own infections. As soon as I signed into my Microsoft account to install everything, files that synced from the prior computer appear to have installed on my new one. I can tell because the packages such as Microsoft Photos, Edge, etc. are named the same as on my prior computer and they have dates all prior to when my current laptop was even created. I've already gone through resetting, clean install, etc., but nothing thus far has worked. I have the option of sending this back to Dell for them to try to repair, but I'd be without my laptop for 12 days. I'm hoping that by posting here, if it is a malware issue, the fine experts might be able to save the time, money, and agony of sending this thing to Dell. I may end up trying to just send it back entirely if we don't make any headway here. So, I tried re-installing Malwarebytes (I have a premium account) but it could not connect, and so I ran MB-Clean, which seems not to have been able to uninstall it. I've pasted that log, as well as the FRST log and Addition log. I look forward to working with an expert helper closely and will follow all instructions you provide. I know your time is valuable and I sincerely appreciate in advance any help I may receive. Thank you!! PhxGuy FRST.txt Addition.txt mb-clean-results.txt
  4. So the last known programs installed were on the 18th of this month. I'm running Windows 10, and I made the mistake of thinking it could handle me torrenting, as I've done it countless times before on Win7 Ult and didn't encounter a thing wrong. Anyway, long story short, I'm infected with something. I've run countless programs to remedy it to no avail: UnHackMe, Malwarebytes, AdwCleaner, RogueKiller, and HitmanPro, all based on this website's recommendations. I'm still infected. Upon going through nearly every folder in my drive (fresh install of Win10 so I don't have much) I came across 3 folders that I had no control over and couldn't delete: dtmhnlx, igfxmtc, wmhtcir. My guess is mining programs, but FRST revealed it to be a trojan. I'm still needing help on what to do to erase this, though. I want to play my games again without my CPU and GPU hitting max load, for games that aren't even modern... Also I should note that Windows reset and restore won't work at all. I've put a Win8 ISO on DVD and tried to run it on the PC but it won't read it at all, even after disabling Secure Boot and rearranging the boot order. Nothing works. If this doesn't work then I'll have to resort to taking out the HDD and doing a complete partition wipe of it, which I don't want to do because I'm just lazy. Someone please help?
  5. I scanned my PC with MWB and had numerous infections pop up; the first time it was able to clear all but two. Both were Rootkit.Agent and the object types were registry key and registry value. I rebooted and tried again and this time it worked. However, every time I reboot both of the malware come back and show up when I rescan. Furthermore, if I use my PC a little and scan, it comes back with the 2 rootkits and additional viruses. I have tried several programs but some of them aren't even able to identify the rootkits. Any help would be appreciated. Thanks
  6. Hello, I have found in the Task Manager five Windows Process Manager (32 bit) entries. Every time I launch a game on Steam, one or two of them would suddenly jump from 60% to 80% CPU usage. I have searched for a solution, scanned with Malwarebytes Free and AdwCleaner, but nothing worked. Then I got MBAR, but it just does not start. When I launch it, it would ask for administrator permission, and then nothing would happen.

     Malwarebytes log

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 12/22/17
     Scan Time: 9:43 AM
     Log File: 6cf58efe-e726-11e7-901b-4ccc6a8170c6.json
     Administrator: Yes

     -Software Information-
     Version: 3.3.1.2183
     Components Version: 1.0.262
     Update Package Version: 1.0.3543
     License: Free

     -System Information-
     OS: Windows 10 (Build 15063.786)
     CPU: x64
     File System: NTFS
     User: MSI\Legitozone (H)

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 351463
     Threats Detected: 5
     Threats Quarantined: 3
     Time Elapsed: 3 min, 52 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)
     Module: 0
     (No malicious items detected)
     Registry Key: 0
     (No malicious items detected)
     Registry Value: 0
     (No malicious items detected)
     Registry Data: 0
     (No malicious items detected)
     Data Stream: 0
     (No malicious items detected)
     Folder: 0
     (No malicious items detected)
     File: 5
     PUP.Optional.RelevantKnowledge, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\TEMP\~OSCD9C.TMP\RLXF.DLL, Removal Failed, [1136], [296186],1.0.3543
     PUP.Optional.RelevantKnowledge, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\TEMP\~OSCD9C.TMP\RLXG.DLL, Removal Failed, [1136], [296186],1.0.3543
     PUP.Optional.Conduit, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Sync Data\SyncData.sqlite3, Replaced, [532], [454835],1.0.3543
     PUP.Optional.Conduit, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Web Data, Replaced, [532], [454835],1.0.3543
     PUP.Optional.Trovi, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Web Data, Replaced, [4703], [454808],1.0.3543

     Physical Sector: 0
     (No malicious items detected)

     (end)

     AdwCleaner log

     # AdwCleaner 7.0.4.0 - Logfile created on Fri Dec 22 14:57:08 2017
     # Updated on 2017/27/10 by Malwarebytes
     # Database: 12-21-2017.1
     # Running on Windows 10 Home (X64)
     # Mode: scan
     # Support: https://www.malwarebytes.com/support

     ***** [ Services ] *****
     No malicious services found.

     ***** [ Folders ] *****
     PUP.Optional.Legacy, C:\ProgramData\Tencent
     PUP.Optional.Legacy, C:\ProgramData\Application Data\Tencent
     PUP.Optional.Legacy, C:\Users\All Users\Tencent

     ***** [ Files ] *****
     No malicious files found.

     ***** [ DLL ] *****
     No malicious DLLs found.

     ***** [ WMI ] *****
     No malicious WMI found.

     ***** [ Shortcuts ] *****
     No malicious shortcuts found.

     ***** [ Tasks ] *****
     No malicious tasks found.

     ***** [ Registry ] *****
     No malicious registry entries found.

     ***** [ Firefox (and derivatives) ] *****
     No malicious Firefox entries.

     ***** [ Chromium (and derivatives) ] *****
     No malicious Chromium entries.

     *************************

     C:/AdwCleaner/AdwCleaner[C0].txt - [2112 B] - [2017/11/2 23:13:50]
     C:/AdwCleaner/AdwCleaner[C1].txt - [1556 B] - [2017/11/26 5:31:49]
     C:/AdwCleaner/AdwCleaner[C2].txt - [1564 B] - [2017/11/27 15:30:46]
     C:/AdwCleaner/AdwCleaner[S0].txt - [2059 B] - [2017/11/2 23:13:30]
     C:/AdwCleaner/AdwCleaner[S1].txt - [1590 B] - [2017/11/26 5:25:15]
     C:/AdwCleaner/AdwCleaner[S2].txt - [1449 B] - [2017/11/26 5:28:29]
     C:/AdwCleaner/AdwCleaner[S3].txt - [1414 B] - [2017/11/27 15:29:53]
     C:/AdwCleaner/AdwCleaner[S4].txt - [1423 B] - [2017/12/1 21:59:41]
     C:/AdwCleaner/AdwCleaner[S5].txt - [1491 B] - [2017/12/2 15:42:21]
     C:/AdwCleaner/AdwCleaner[S6].txt - [1559 B] - [2017/12/6 19:20:20]
     C:/AdwCleaner/AdwCleaner[S7].txt - [1627 B] - [2017/12/10 2:8:35]
     C:/AdwCleaner/AdwCleaner[S8].txt - [1823 B] - [2017/12/22 14:35:53]

     ########## EOF - C:\AdwCleaner\AdwCleaner[S9].txt ##########
  7. Hi, I think I'm infected with a rootkit as I cannot back up my computer with blazeback, install Bitdefender, or use any of the following programs: Malwarebytes Anti-Rootkit, AdwCleaner, HitmanPro, or Zemana AntiMalware. I was able to successfully run Malwarebytes Anti-Malware with the 'search for rootkits' option (or something like that) checked, but it did not fix the problem. I always run RKill successfully before attempting to execute these programs with administrative privileges and still get the 'The requested resource is in use.' error. I ran the Farbar Recovery Scan Tool (x64) for Windows and attached the created FRST.txt and Addition.txt log files as I've seen in multiple threads. Thanks for any help! FRST.txt Addition.txt
  8. I have the same virus and issues. I've tried everything in all the threads and I can't get rid of it. There is another one for me too, and I can't get rid of it either; my Avast picks up one called serxovp.
  9. For the past 2 weeks I've been looking for help on removing this virus that I've obtained due to my stupidity. What this virus does is that an exe, which has a different name after every reset of my computer, will appear in Task Manager and in the system32 folder; at the moment it's called wdesziusvc.exe, and when I hover my cursor over it, it says TOSHIBA CORPORATION. After that appears, I won't be able to make restore points, download certain anti-viruses, or go into a recovery environment the normal way (I'd have to tap Shift + F8 upon start up). If wdesziusvc has internet access, it'll use my computer's resources to bring forth another exe called igfxmtc, which will run in Task Manager and have its own folder in the AppData\Local folder which I cannot access or delete. In Task Manager, igfxmtc doesn't seem to do anything; I don't know what it's for, but a few minutes after that, wdesziusvc will use resources again to bring forth this thing called Windows Process Manager (32-bit) with multiple clients, which slows down my computer by A LOT and also has its own folder, wibxtrg. If I reset my computer to factory settings, you know, wipe everything, they all just come back with different names except for igfxmtc. I know all this stuff because of the 2 weeks I've had with this problem. Here are some pictures and an FRST and Addition txt attached. If there's anyone willing to help me out it'll mean a lot to me. 1.) I do have a flash drive that's bigger than 4GB 2.) I do have access to a clean PC Addition.txt FRST.txt
  10. Hi, I have been trying to clean my computer after I clicked on a file I downloaded from a website which was supposed to update a program, but it didn't. After it ran, a bunch of weird things started happening and I promptly started trying to clean it up by stopping suspect processes/services and deleting newly created files. I did get some of the weird behavior to stop and don't see any malware errors when I run a threat scan with Malwarebytes. The first time I ran the threat scan, there were 20 malwares and I quarantined and then deleted them all. I also ran FRST64 and see some weird services/drivers listed, even in the whitelisted area as shown below.

     ===================== Drivers (Whitelisted) ======================
     U4 gwhkbvs; system32\drivers\cohruxbe.sys
     S4 4275621E; system32\drivers\4275621E.sys [X]

     FYI, I have deleted the above items a few times by going into the recovery console, going to the command prompt and then deleting the files and directory, but they still keep coming back. At this point, I am asking for assistance from the experts to get a clean system and to get rid of these infected hidden files permanently. FYI, I attached the logs from the Malwarebytes scan and FRST64 scan (FRST.txt and Addition.txt). I also ran Avast Free Antivirus software and it didn't find any viruses or malware. Thanks in advance for the assistance! Addition.txt FRST.txt malwarebytesScanLog.txt
  11. n65adserv

     I don't know what this infection is classified as, i.e., trojan, virus, rootkit, but it is extremely annoying. I'm constantly getting popups that Malwarebytes has blocked this vicious program from accessing the internet. How do I go about eradicating this thing from the face of the earth? Thank you, FunkyJoe
  12. Igfmxtc

     Hey all, I got infected by several rootkits/SmartService. I browsed around the forums and came to this. So I downloaded Farbar and did a scan and got my logs attached. Could someone make me a fix file? And just an FYI, I ran the MB rootkit removal and all the other removal programs. They don't do anything, and this virus blocks me from opening any antivirus. FRST.txt Addition.txt
  13. Good afternoon. When we are setting up our policy it appears Full Scan has been replaced by Threat Scan in the cloud console. Does Threat Scan include all the options available in the Optional Scan check boxes, including the rootkit scan? I don't see mention of this in the admin guide and didn't find anything when searching the forum. Thank you! Henry
  14. I got infected by the rootkit malware SCVCMX and CPX, which blocked all common utilities with a "resource already in use" notification, so after one day of working on this issue I desperately used a fixlist through FRST64 which was posted in this forum for some other guy (Michael in one of the forums) and it worked (I think); nevertheless I wanted someone to have a look at the attached FRST64 files, which were generated after the "fix" I did and after executing several cleaning tools (MBAR, RKill, TDSSKiller, Zemana). I was wondering if someone can help in creating a new fixlist for FRST64 for the attached files, if there is a need. FRST.txt Addition.txt
  15. Pulling my hair out. Somewhere some $*%^ is responsible for wasting my time. I wish I could give a swift kick to their nether regions. Just had to get that out. I have what appears to be a rootkit infection that is prohibiting me from any type of malware/antivirus install, including Malwarebytes and its anti-rootkit software, as well as executing mbar.exe or mbamdor.exe in the unzipped package meant to bypass using the anti-rootkit installer. I am at a standstill as this infection continues to pillage my machine. Please help. I would like to buy a subscription to Malwarebytes but am at a standstill. Additional symptoms include:
     1) In the Google Chrome address bar, once entering text for a Google search, a redirection to bing.com happens; momentarily I notice the following address (extension.citypage.today/?affID=970801784&q=exporting)
     2) The following I exported from the ESET NOD32 scans, which may be of interest. The records are listed one per line with the columns Time | Scanner | Object type | Object | Threat | Action | User | Information | Hash | First seen here:

     9/3/2017 10:50:24 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred during an attempt to access the file by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     9/6/2017 5:19:10 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     9/6/2017 7:39:39 PM | HTTP filter | file | http://www.support.microsoft9002bfrmsclffc8275.com.s3-website.eu-central-1.amazonaws.com | HTML/FakeAlert.MD trojan | connection terminated | Orex\Robert | Threat was detected upon access to web by the application: C:\Users\Robert\AppData\Local\ntuserlitelist\vmadgip\imexbzr.exe. | 761BEA759DAA7FB0BE22C3A57BABE6B0B6248F39 |
     9/11/2017 8:18:39 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     9/14/2017 9:42:27 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     9/15/2017 9:00:23 PM | HTTP filter | file | http://rkrlroen.greenworldlp.com/install?vnpksbnm=rkrlroen&libfbfti=hsszzhdb&bohbakdm=mhabztzs | JS/Chromex.Submelius.D trojan | connection terminated | Orex\Robert | Threat was detected upon access to web by the application: C:\Users\Robert\AppData\Local\ntuserlitelist\vmadgip\imexbzr.exe. | 4149272F85A262C85F8BBAFB0A21B7DBDD12EBD5 |
     9/19/2017 10:53:46 AM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     9/26/2017 1:29:41 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     9/30/2017 5:05:13 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     10/8/2017 2:14:49 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     10/11/2017 7:42:25 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     10/16/2017 10:09:24 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     10/20/2017 8:02:47 AM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     10/23/2017 1:25:59 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     10/26/2017 7:51:11 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     10/28/2017 12:06:41 PM | Real-time file system protection | file | D:\IE TEMP\Temporary Internet Files\IE\0G52W29J\sam_IC[1] | a variant of Win32/Kryptik.FVQD trojan | cleaned by deleting | OREX\Robert | Event occurred on a file modified by the application: C:\Program Files\CCleaner\CCleaner64.exe (B5FD83C714C6997049AB40623B3498C58FAD46C7). | CA7EDF9F768F218254421D588C934E449604539E | 8/17/2017 10:14:28 AM
     10/28/2017 12:06:41 PM | Real-time file system protection | file | D:\IE TEMP\Temporary Internet Files\IE\4F7ZYHKL\sci0[1] | a variant of Win32/Kryptik.FVQH trojan | cleaned by deleting | OREX\Robert | Event occurred on a file modified by the application: C:\Program Files\CCleaner\CCleaner64.exe (B5FD83C714C6997049AB40623B3498C58FAD46C7). | 4F93521E78FF089A3B7EC105EC0454547C3B1585 | 8/17/2017 10:14:25 AM
     10/28/2017 12:06:46 PM | Real-time file system protection | file | D:\IE TEMP\Temporary Internet Files\IE\TVFWQJDO\sci1[1] | a variant of Win32/Kryptik.FVQD trojan | cleaned by deleting | OREX\Robert | Event occurred on a file modified by the application: C:\Program Files\CCleaner\CCleaner64.exe (B5FD83C714C6997049AB40623B3498C58FAD46C7). | 33D4FEE23CEA73F97B5FDF007B5BB04EF2740D10 | 8/17/2017 10:17:01 AM
     10/29/2017 8:07:25 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/27/2017 11:34:58 PM
     11/7/2017 10:46:41 AM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/28/2017 12:34:58 AM
     11/7/2017 12:22:16 PM | HTTP filter | file | http://screenaddict.thewhizproducts.com/?chid=307&oid=624&subid=OPsrUvAh-h0&pubid=93855 | JS/Adware.AztecMedia.A application | connection terminated | Orex\Robert | Threat was detected upon access to web by the application: C:\Users\Robert\AppData\Local\ntuserlitelist\vmadgip\imexbzr.exe. | 8E2AAC64EC36923E088EE83D766DE8F58E883FE2 |
     11/9/2017 3:22:06 PM | HTTP filter | file | http://fulltab.com/lp3?pub_id=3248&sub_id=102bf61837baccc6a2fc670ca6cce1&srcid=20281 | JS/Adware.Imali.A application | connection terminated | Orex\Robert | Threat was detected upon access to web by the application: C:\Users\Robert\AppData\Local\ntuserlitelist\vmadgip\imexbzr.exe. | E823E5F1D6EE760C236BC1B52EA8708E67580B12 |
     11/10/2017 12:27:13 PM | Real-time file system protection | file | C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe | a variant of Generik.DTEABHP trojan | cleaned by deleting | NT AUTHORITY\SYSTEM | Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe. | D036ECF02ACF3CEA48C04969D555C75E7683B0F1 | 7/28/2017 12:34:58 AM
     11/11/2017 2:40:41 PM | HTTP filter | file | http://computer-52ca2.stream/view?a=AZ&pagex=0&s1=qmHgUo4gNNywKrtSqmGfaN6Ycb7aeOH3pDC6EKpQR7sCaJl0dqJQ56grG94vYGBS2XGaWoQvdofcCD6BZWAAsA,,&os=Windows&browser=Chrome&isp=Mci Communications Services inc.
Dba Verizon Business&ip=71.105.31.67</COLUMN> <COLUMN NAME="Threat">HTML/FakeAlert.MD trojan</COLUMN> <COLUMN NAME="Action">connection terminated</COLUMN> <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN> <COLUMN NAME="Information">Threat was detected upon access to web by the application: C:\Users\Robert\AppData\Local\ntuserlitelist\vmadgip\imexbzr.exe.</COLUMN> <COLUMN NAME="Hash">19392EDDE5C73BAAF4EE026DE507C782A889A918</COLUMN> <COLUMN NAME="First seen here"/> </RECORD> -<RECORD> <COLUMN NAME="Time">11/12/2017 10:07:10 PM</COLUMN> <COLUMN NAME="Scanner">HTTP filter</COLUMN> <COLUMN NAME="Object type">file</COLUMN> <COLUMN NAME="Object">http://fulltab.com/lp3?pub_id=3248&sub_id=1020615d6a7f568ed7e5f2c4edf113&srcid=20281</COLUMN> <COLUMN NAME="Threat">JS/Adware.Imali.A application</COLUMN> <COLUMN NAME="Action">connection terminated</COLUMN> <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN> <COLUMN NAME="Information">Threat was detected upon access to web by the application: C:\Users\Robert\AppData\Local\ntuserlitelist\vmadgip\imexbzr.exe.</COLUMN> <COLUMN NAME="Hash">E0B281ABFF26B62047544EDEE3E8426704AD02F0</COLUMN> <COLUMN NAME="First seen here"/> </RECORD> -<RECORD> <COLUMN NAME="Time">11/13/2017 4:08:56 PM</COLUMN> <COLUMN NAME="Scanner">Real-time file system protection</COLUMN> <COLUMN NAME="Object type">file</COLUMN> <COLUMN NAME="Object">C:\Users\Robert\AppData\Local\ntuserlitelist\regtool\regtool.exe</COLUMN> <COLUMN NAME="Threat">a variant of Generik.DTEABHP trojan</COLUMN> <COLUMN NAME="Action">cleaned by deleting</COLUMN> <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN> <COLUMN NAME="Information">Event occurred on a new file created by the application: C:\Windows\System32\msqmtik.exe.</COLUMN> <COLUMN NAME="Hash">D036ECF02ACF3CEA48C04969D555C75E7683B0F1</COLUMN> <COLUMN NAME="First seen here">7/28/2017 12:34:58 AM</COLUMN> </RECORD> -<RECORD> <COLUMN NAME="Time">11/13/2017 5:23:06 PM</COLUMN> <COLUMN NAME="Scanner">HTTP filter</COLUMN> <COLUMN 
NAME="Object type">file</COLUMN> <COLUMN NAME="Object">http://fulltab.com/lp3?pub_id=3248&sub_id=10278e43faf02ca461531c8465cb76&srcid=20281</COLUMN> <COLUMN NAME="Threat">JS/Adware.Imali.A application</COLUMN> <COLUMN NAME="Action">connection terminated</COLUMN> <COLUMN NAME="User">Orex\Robert</COLUMN> <COLUMN NAME="Information">Threat was detected upon access to web by the application: C:\Users\Robert\AppData\Local\ntuserlitelist\vmadgip\imexbzr.exe.</COLUMN> <COLUMN NAME="Hash">79A25F1E8939496AAD1E4F4A1951CB7650121CC6</COLUMN> <COLUMN NAME="First seen here"/> </RECORD> </LOG> </ESET>
  16. I've been trying every anti-malware scanner I can find to get rid of this, but it's been super pesky and resilient. It is not being detected by any current scans (used MBAR, ESET, JRT, etc.). Upon boot I have a rekobdt.exe hogging CPU resources. It originates from these folders, which are inaccessible: C:\Users\SAM\AppData\Local\pwabnml C:\Users\SAM\AppData\Local\pwdrauc I can pinpoint an exact date that these folders downloaded to my computer: 11/1/17 - 11/2/17 Addition.txt FRST.txt
  17. Story TL;DR: I seem to be infected with a pretty advanced rootkit/etc. I'm not sure if I am being too paranoid, or if there is something actually going on (rootkits are almost impossible to detect, BadUSB, etc., which are all available by a simple Google search nowadays...). I have reinstalled Windows 10 x64 Pro with USB drives multiple times (re-downloading it). I think the MBR, BIOS, and firmware of devices may be infected. I would appreciate the help and may consider buying software/upgrading components for these types of attacks. Addition.txt aswMBR.txt FRST.txt log file MWB.txt
  18. Well, I did a checkup and found this. Malwarebytes says it's malware. Can't find help for this specific problem. Is this real or a false positive? Would be thankful for fast help.
  19. Several devices on the network have been infected (Windows 10, Windows 7 Pro editions). Initially I discovered several Windows folders that stuck out from normal (install dates, certificates and drivers are fake or modified). The registry has a lot of modifications, and user accounts have been modified with "Trusted Installer" and other Admin and System user accounts with full control permissions for unknown file folders, DLLs etc. during troubleshooting. When attempting to delete or modify, I run into "access denied" or similar errors. I suspect Windows Management Console, SMM or something of that sort, along with a shell, is being run. Suspect a BIOS/UEFI based malware attack. CD-ROM, USB ports, i394 port, PCI cards, GPU are either infected and being used to store data, or devices are emulated and restored if I attempt to modify. I finally decided to reinstall the OS. During OS installs from several verified Microsoft CD-ROMs (I tried Windows 10, Win7 Ultimate, Pro, and Win 8.1) with the same results: during install, the initial boot program is loaded, then emulated, while a similar (fake) OS begins to install alongside it. From research, I suspect the malware/rootkit is embedded within the firmware of any device with storage, ROM, RAM available, because in Device Manager I see 12 USB controllers of various types for communicating, devices modified with sophisticated drivers to create internal modems using internal hardware, and several other connections of all sorts that I am not knowledgeable enough to ascertain. Windows updates only go so far, and it seems that certain Windows Update KBs will not apply. System control, WMI or SMM seems to be corrupted and in control, in some sort of shell, and the system communicates when online using several different methods during updates, which further enhances the attack. Suspect ACPI is being used as the weak point to corrupt legacy devices to force compatibility issues with UEFI's known exploits. 
If you run Malwarebytes, it is also hijacked and replaced with an alternate. The current GUI image is used, but the actual program seems to run in a shell and does not detect, acts weird, requests restarts, infects the system tray, and creates folders that are not consistent with Malwarebytes behavior. Any additional rootkit cleaning attempts are not successful, as the files will rebuild. The registry seems to have a ton of modifications and entries not normally found in a clean Windows install, and modifications to the registry are quickly repaired by the System. I believe the firmware of several devices is corrupted and possibly even the CPU itself may have been microcoded with a kernel-based malware operating at low levels during POST and avoiding detection while injecting exploits into the BIOS. Inserting a USB stick prompts a window asking to clean or format any drives that are external, and will wipe out the USB contents or corrupt the device. All devices on the network have been affected, and it is a high probability that the router/modem has been compromised as well. All infected devices are inoperable; I've taken apart modules, disabled unneeded ports/devices, attempted/applied BIOS updates, firmware, chipset, control modules etc. to no avail. Had to install and learn Linux and have been using Ubuntu as my primary OS in an attempt to figure all this out. mb-check-results.zip msinfo32_loadedmodules.txt msinfo32_modem.txt msinfo32_runningtasks.txt msinfo32_systemdrivers.txt msinfor32_results_10232017.txt setupact187.txt
  20. Hello, My name is Ethan and I'd like to request help with malware/rootkit/ad/etc. removal. To give you some background, I recently got infected with THIS file. It changed my browser, redirected pages to "eatyellowmango. com", changed file names to ".bat", installed bitcoin miners, caused 100% CPU usage, and much worse. After 10+ hours of running every AV program I knew, it's mostly gone, but I'm still having issues with what I believe is "Adware.Yelloader" and rootkit(s). I've also gotten a BSOD message three times, saying "irql_not_less_or_equal", but that has stopped now. So far, I've run the following programs: Rkill, Malwarebytes, Chameleon, Zemana, AdwCleaner, HitmanPro, SUPERAntiSpyware, Webroot SecureAnywhere, AVG, Avast, ESET Online Scanner, Sophos, Emsisoft Emergency Kit, Defogger, MiniToolBox, FRST (Logs), and FixTDSS (unsuccessful), and I plan to run TronScript soon. (I also ran these programs in Safe Mode w/ Networking.) Everything seems to be normal now, except that I'm having problems running TDSSKiller, JRT, ComboFix, Malwarebytes Anti-Rootkit (Missing DDA driver + "The system inaccessible seems inaccessible or encrypted. Scan cant continue"), BitDefender, and some other normal programs such as Razer Synapse. They ask for admin privileges, but they never open afterwards. While I'm not very experienced on this topic, I believe it may be a program/virus denying me access. I'm willing to simply wipe my drives (SSD w/ Win10, HDD for storage), but that's the last resort. If you could help, I'd greatly appreciate it. Thank you to anyone who reads/replies to my thread! Addition.txt FRST.txt MB Scan.txt
  21. The Windows 10 exploit for the Creators edition. Just reinstalled Windows and didn't want to restart, but it did on its own. I just need help removing it and then getting it off my MacBook Air, which currently doesn't want to reinstall its OS X. FRST.txt MBAMex.txt Addition.txt
  22. Rootkit.Fileless.MTgen is showing up on every MBAM scan for me, one entry for the registry key, another for the value. MBAM fails to remove it every time I try. I've tried just about everything; any help is appreciated.
  23. First off, I'm using a VM; the host OS is Ubuntu Linux, and the logs attached are from a VirtualBox Windows 10 machine. I have to use a Linux machine because: - cannot reinstall any Windows without the infection hijacking the install; I've tried installing WinXP, 8.1, 7, 7 Pro, Win Ultimate; during reinstall, the CD-ROM loads, then at a point the install instructions are taken over, and a similar GUI appears to complete the install. - infects any device attached, physical or network; USB will be formatted automatically (fake warning posted in GUI) - registry is infected - possible firmware exploited; USB and PCI seem to be used as alternate devices - system32 files are unusual - unable to flash BIOS - appears as a hidden sector or directory, hijacks the MBR - has the ability to replicate if deleted, or core files/registry are changed - suspected WMI shell running with TRUSTED INSTALLER - possibly ChipSec related? I think I've tried everything as far as scans: rkhunter, Hiren's Boot CD, Process Monitor, msconfig, BIOS settings, HDD replacement. All my machines at home are down/infected. The only way to get back was Linux, and using a VM to start Windows 10. This is from an enterprise PC Tech Level 2 working at home. FRST.txt Addition.txt mbt first scan.txt
  24. After doing a scan with Malwarebytes on 9/20/17, it detected a rootkit and said I needed to restart in order to quarantine it. My computer then froze when restarting, and now my audio drivers don't work; it says that my audio devices aren't installed and that the driver can't be loaded in Device Manager. It's listed as High Definition Audio Controller in Device Manager. Updating it does nothing; it says that it's already installed. I've also reinstalled the audio software. Please help. Log File.txt
  25. I have a friend who says that their PC was hacked and subsequently infected. Their firewall doesn't work, their PC is running incredibly slow, their antivirus is gone, and they can't download or install anything. They also run Windows 7 Ultimate if that helps with anything. They did tell me that, if nothing else works, they have no problem with formatting (however I'd prefer that to be a last resort if possible). Despite not being able to download anything I had them attempt to download Farbar to see if that would work at all. They were able to download FRST using a download manager so we're getting somewhere. They're still unable to install any programs, but they can at least use the download manager to download things. I also wanted to note that my friend and I can only communicate online at the moment, though we can still send files to each other just fine. I'm only mentioning this in case it's of any importance. Here are the Farbar logs: FRST.txt Addition.txt