Slimware driverupdate keeps being found on PC, despite MWB removing it.

[smeekwoodworks]

The PC that my wife normally uses keeps ending up with a bunch of Slimeware Driverupdate files that MalwareBytes finds and I have it remove them. However, it keeps coming back. I have run MWB in regular and safe mode. 

What is weird is that it is showing up under my user on this PC. I very rarely use this computer. Neither of the computers I use (Lenovo laptop and a Surface 3) are having this problem.

 

Ran FRST in safe mode. Files are attached.

Addition.txt

FRST.txt

[TwinHeadedEagle]

Hello,

Can you attach MalwareBytes report?

[smeekwoodworks]

Here is the latest MalwareBytes log.

MWB Scan Log.txt

[TwinHeadedEagle]

Okay, I would like to see FRST reports from Normal mode if possible:
 
Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

[smeekwoodworks]

Here are the FRST logs, run normally, as administrator.

 

 

Addition.txt

FRST.txt

[smeekwoodworks]

Just curious, what are all the items listed under Hosts content in the additions.txt file? I don't recognize any of those sites.

[TwinHeadedEagle]

These are items installed by Unchecky and they should block Adware from installing.
 
 
Fix with Farbar Recovery Scan Tool
 

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

[smeekwoodworks]

Fixlog is attached

[smeekwoodworks]

Try this again...

[smeekwoodworks]

For some reason, the file won't upload. I will just paste the text here:

Fix result of Farbar Recovery Scan Tool (x64) Version:28-06-2015 01

Ran by Scott at 2015-07-03 16:49:21 Run:1

Running from C:\Users\Scott\Desktop

Loaded Profiles: Scott & (Available Profiles: Scott & Lori & ivyau_000)

Boot Mode: Normal

==============================================

fixlist content:

*****************

closeprocesses:

emptytemp:

AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm

AlternateDataStreams: C:\ProgramData\TEMP:0888F409

AlternateDataStreams: C:\ProgramData\TEMP:3440EB47

AlternateDataStreams: C:\ProgramData\TEMP:66633281

AlternateDataStreams: C:\Users\ivyau_000\SkyDrive:ms-properties

AlternateDataStreams: C:\Users\Lori\SkyDrive:ms-properties

AlternateDataStreams: C:\Users\Scott\SkyDrive:ms-properties

C:\ProgramData\.bf45c81f8dc8abfeecf09.dat

*****************

Processes closed successfully.

C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`26hfm" ADS removed successfully.

C:\ProgramData\TEMP => ":0888F409" ADS removed successfully.

C:\ProgramData\TEMP => ":3440EB47" ADS removed successfully.

C:\ProgramData\TEMP => ":66633281" ADS removed successfully.

"C:\Users\ivyau_000\SkyDrive" => ":ms-properties" ADS not found.

C:\Users\Lori\SkyDrive => ":ms-properties" ADS removed successfully.

C:\Users\Scott\SkyDrive => ":ms-properties" ADS removed successfully.

C:\ProgramData\.bf45c81f8dc8abfeecf09.dat => moved successfully.

EmptyTemp: => 911.9 MB temporary data Removed.

The system needed a reboot..

==== End of Fixlog 16:49:46 ====

[TwinHeadedEagle]

Good. How is your PC behaving now?

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!