Valinorum Posted August 25, 2017 ID:1156987 Share Posted August 25, 2017 Try Normal Mode first. Link to post Share on other sites More sharing options...
TLJaguar Posted August 25, 2017 Author ID:1157014 Share Posted August 25, 2017 (edited) The cmd started the program, it ran update but then said it needed to reboot to install DDA Driver. After rebooot mbar.cmd starts but says "DDA Driver is not active. Scan can't continue" Edited August 25, 2017 by TLJaguar Link to post Share on other sites More sharing options...
TLJaguar Posted August 27, 2017 Author ID:1157474 Share Posted August 27, 2017 Any ideas on the DDA Driver? Link to post Share on other sites More sharing options...
Valinorum Posted August 28, 2017 ID:1157785 Share Posted August 28, 2017 This is a nasty piece of rootkit. Can you try the following article and see if you can boot from Recovery Mode. If all fails we will either go for making our own Recovery Console or Linux USB https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html Link to post Share on other sites More sharing options...
TLJaguar Posted August 28, 2017 Author ID:1157898 Share Posted August 28, 2017 I'm usually alot more careful about what I download, I just got careless. Is this recoverywhere I need to be? Link to post Share on other sites More sharing options...
TLJaguar Posted August 28, 2017 Author ID:1157908 Share Posted August 28, 2017 I had created occasional restore points including one shortly before getting this infection, but recovery mode doesn't show any restore points anymore. Link to post Share on other sites More sharing options...
TLJaguar Posted August 29, 2017 Author ID:1158175 Share Posted August 29, 2017 Do I "reset this pc" or is there another option I should choose? Link to post Share on other sites More sharing options...
Valinorum Posted August 29, 2017 ID:1158190 Share Posted August 29, 2017 Does the normal mode show any restore points prior to this infection? Reset PC is a good option but you will have to install all your apps/programs again. Link to post Share on other sites More sharing options...
TLJaguar Posted August 29, 2017 Author ID:1158218 Share Posted August 29, 2017 No.all my restore points have disappeared Link to post Share on other sites More sharing options...
Valinorum Posted August 29, 2017 ID:1158222 Share Posted August 29, 2017 Can you download MBAR again from the link I mentioned earlier? The developers updated it, let's check if it works. I can feel your frustration, and if it fails you can reset your PC unless you want to try a Live Linux USB. Link to post Share on other sites More sharing options...
TLJaguar Posted August 29, 2017 Author ID:1158226 Share Posted August 29, 2017 Is it still 1.09.4.101 or should it have a newer version number? Link to post Share on other sites More sharing options...
Valinorum Posted August 29, 2017 ID:1158230 Share Posted August 29, 2017 Yes, it is still 1.09.4.101 but you should update it to the latest database after downloading. That being said, can you only check the Drivers option and leave the other two options unchecked in the Scan Option. Link to post Share on other sites More sharing options...
TLJaguar Posted August 29, 2017 Author ID:1158231 Share Posted August 29, 2017 (edited) Root kit database is up to date v2017.08.02.01, but I still get the DDA Driver error no matter which "scan targets" are checked Edited August 29, 2017 by TLJaguar Link to post Share on other sites More sharing options...
Valinorum Posted August 29, 2017 ID:1158235 Share Posted August 29, 2017 Did you download a new version from the link and update it? I have attached the latest database version screenshot. Link to post Share on other sites More sharing options...
TLJaguar Posted August 29, 2017 Author ID:1158236 Share Posted August 29, 2017 (edited) yes I re-downloaded and updated, Edited August 29, 2017 by TLJaguar Link to post Share on other sites More sharing options...
Valinorum Posted August 29, 2017 ID:1158237 Share Posted August 29, 2017 Strange. It was working when I tried. Can you right-click and run the mbar.cmd file as Administrator? Restart your PC and try to run mbar again. Sometimes, it takes 2 or 3 tries but mbar is the only thing that has been working against this rootkit. Link to post Share on other sites More sharing options...
TLJaguar Posted August 29, 2017 Author ID:1158243 Share Posted August 29, 2017 Ran as admin, it made me reboot again to load DDA drivers, booted into Windows, still getting the same DDA Driver is not active error Link to post Share on other sites More sharing options...
TLJaguar Posted August 29, 2017 Author ID:1158280 Share Posted August 29, 2017 I ran through the above steps several times with the same results. I have the install files for my main applications, so I'm going to try resetting windows. Link to post Share on other sites More sharing options...
TLJaguar Posted August 29, 2017 Author ID:1158433 Share Posted August 29, 2017 I reset windows and mbar.cmd is working. Scan is running and has found 2 malware so far. Do you have recommendations for other scans to run after I do mbar and standard mwbyte scans? Link to post Share on other sites More sharing options...
Valinorum Posted August 30, 2017 ID:1158506 Share Posted August 30, 2017 Yes, after MBAR is done scanning, do a full scan with MBAM. Attach the both logs. Link to post Share on other sites More sharing options...
TLJaguar Posted August 30, 2017 Author ID:1158563 Share Posted August 30, 2017 Where do I find the log file? Link to post Share on other sites More sharing options...
TLJaguar Posted August 31, 2017 Author ID:1159027 Share Posted August 31, 2017 Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/29/17 Scan Time: 7:32 PM Log File: 562b3b9c-8d12-11e7-9517-082e5f2f81b6.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.188 Update Package Version: 1.0.2685 License: Free -System Information- OS: Windows 10 (Build 15063.540) CPU: x64 File System: NTFS User: DESKTOP-SSGMRCJ\tljag -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 322716 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 4 min, 1 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 11 PUP.Optional.SpyHunter, C:\USERS\TLJAG\DESKTOP\SPYHUNTER-INSTALLER.EXE, Quarantined, [927], [345850],1.0.2685 PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-584086061-3025348732-3442670432-1002\$RNURPF6\REIMAGE.EXE, Quarantined, [1050], [327181],1.0.2685 PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-584086061-3025348732-3442670432-1002\$RNURPF6\REI_ENGINE.DLL, Quarantined, [1050], [327181],1.0.2685 PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-584086061-3025348732-3442670432-1002\$RNURPF6\REIMAGEREMINDER.EXE, Quarantined, [1050], [327181],1.0.2685 PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-584086061-3025348732-3442670432-1002\$RNURPF6\LZMA.EXE, Quarantined, [1050], [327181],1.0.2685 PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-584086061-3025348732-3442670432-1002\$RNURPF6\REI_AVIRA.EXE, Quarantined, [1050], [327181],1.0.2685 PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-584086061-3025348732-3442670432-1002\$RNURPF6\REIMAGESAFEMODE.EXE, Quarantined, [1050], [388085],1.0.2685 PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-584086061-3025348732-3442670432-1002\$RNURPF6\REI_SUPPORTINFOTOOL.EXE, Quarantined, [1050], [327181],1.0.2685 PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-584086061-3025348732-3442670432-1002\$RNURPF6\REIMAGEREPAIR.EXE, Quarantined, [1050], [331559],1.0.2685 PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-584086061-3025348732-3442670432-1002\$RNURPF6\REI_AXCONTROL.DLL, Quarantined, [1050], [327181],1.0.2685 PUP.Optional.Reimage, C:\$RECYCLE.BIN\S-1-5-21-584086061-3025348732-3442670432-1002\$RNURPF6\SAVAPI3.DLL, Quarantined, [1050], [327181],1.0.2685 Physical Sector: 0 (No malicious items detected) (end) Link to post Share on other sites More sharing options...
TLJaguar Posted August 31, 2017 Author ID:1159034 Share Posted August 31, 2017 --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 19260194816 Downloaded database version: v2017.08.25.06 Downloaded database version: v2017.08.02.01 Downloaded database version: v2017.08.18.01 ======================================= Initializing... DDA Driver installation error. Driver installed on boot. Reboot required. System shutdown occurred ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 19947839488 Initializing... ======================================= DDA Driver is not active. Scan can't continue ======================================= Initializing... DDA Driver is not active. Scan can't continue ======================================= Initializing... DDA Driver is not active. Scan can't continue ======================================= Initializing... DDA Driver is not active. Scan can't continue ======================================= Initializing... DDA Driver is not active. Scan can't continue ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 19450486784 ======================================= Initializing... DDA Driver installation error. Driver installed on boot. Reboot required. System shutdown occurred ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 19895894016 Initializing... ====================== DDA Driver is not active. Scan can't continue ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 18725564416 --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 18652442624 Downloaded database version: v2017.08.29.07 Downloaded database version: v2017.08.02.01 Downloaded database version: v2017.08.18.01 ======================================= Initializing... DDA Driver installation error. Driver installed on boot. Reboot required. System shutdown occurred ======================================= ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 19577126912 ======================================= Initializing... DDA Driver is not active. Scan can't continue ======================================= Initializing... DDA Driver is not active. Scan can't continue ======================================= Initializing... DDA Driver is not active. Scan can't continue Initializing... ====================== DDA Driver is not active. Scan can't continue ======================================= Initializing... DDA Driver is not active. Scan can't continue ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 18202447872 ======================================= Initializing... DDA Driver installation error. Driver installed on boot. Reboot required. System shutdown occurred ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 19768623104 Initializing... ====================== DDA Driver is not active. Scan can't continue ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 18115670016 ======================================= Initializing... DDA Driver installation error. Driver installed on boot. Reboot required. System shutdown occurred ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.15063 Windows 10 x64 Account is Administrative Internet Explorer version: 11.413.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 19928629248 Initializing... ====================== DDA Driver is not active. Scan can't continue ======================================= --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.09.4.1001 (c) Malwarebytes Corporation 2011-2012 OS version: 10.0.9200 Windows 10 x64 Account is Administrative Internet Explorer version: 11.0.15063.0 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED CPU speed: 3.093000 GHz Memory total: 21430861824, free: 19341193216 Downloaded database version: v2017.08.29.08 Downloaded database version: v2017.08.29.09 Downloaded database version: v2017.08.29.10 ======================================= Initializing... Driver version: 0.3.0.4 ------------ Kernel report ------------ 08/29/2017 18:14:00 ------------ Loaded modules ----------- \SystemRoot\system32\ntoskrnl.exe \SystemRoot\system32\hal.dll \SystemRoot\system32\kd.dll \SystemRoot\system32\mcupdate_GenuineIntel.dll \SystemRoot\System32\drivers\msrpc.sys \SystemRoot\System32\drivers\ksecdd.sys \SystemRoot\System32\drivers\werkernel.sys \SystemRoot\System32\drivers\CLFS.SYS \SystemRoot\System32\drivers\tm.sys \SystemRoot\system32\PSHED.dll \SystemRoot\system32\BOOTVID.dll \SystemRoot\System32\drivers\FLTMGR.SYS \SystemRoot\System32\drivers\clipsp.sys \SystemRoot\System32\drivers\cmimcext.sys \SystemRoot\System32\drivers\ntosext.sys \SystemRoot\system32\CI.dll \SystemRoot\System32\drivers\cng.sys \SystemRoot\system32\drivers\Wdf01000.sys \SystemRoot\system32\drivers\WDFLDR.SYS \SystemRoot\system32\drivers\SleepStudyHelper.sys \SystemRoot\System32\Drivers\acpiex.sys \SystemRoot\System32\Drivers\WppRecorder.sys \SystemRoot\System32\drivers\ACPI.sys \SystemRoot\System32\drivers\WMILIB.SYS \SystemRoot\System32\drivers\msisadrv.sys \SystemRoot\System32\drivers\pci.sys \SystemRoot\System32\drivers\tpm.sys \SystemRoot\system32\drivers\WindowsTrustedRT.sys \SystemRoot\System32\drivers\intelpep.sys \SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys \SystemRoot\System32\drivers\pcw.sys \SystemRoot\System32\drivers\vdrvroot.sys \SystemRoot\system32\drivers\pdc.sys \SystemRoot\system32\drivers\CEA.sys \SystemRoot\System32\drivers\partmgr.sys \SystemRoot\System32\drivers\pciide.sys \SystemRoot\System32\drivers\PCIIDEX.SYS \SystemRoot\System32\drivers\spaceport.sys \SystemRoot\System32\drivers\volmgr.sys \SystemRoot\System32\drivers\volmgrx.sys \SystemRoot\System32\drivers\mountmgr.sys \SystemRoot\System32\drivers\atapi.sys \SystemRoot\System32\drivers\ataport.SYS \SystemRoot\System32\drivers\fileinfo.sys \SystemRoot\System32\Drivers\Wof.sys \SystemRoot\System32\Drivers\NTFS.sys \SystemRoot\System32\Drivers\Fs_Rec.sys \SystemRoot\system32\drivers\ndis.sys \SystemRoot\system32\drivers\NETIO.SYS \SystemRoot\System32\Drivers\ksecpkg.sys \SystemRoot\System32\drivers\tcpip.sys \SystemRoot\System32\drivers\fwpkclnt.sys \SystemRoot\System32\drivers\wfplwfs.sys \SystemRoot\System32\DRIVERS\fvevol.sys \SystemRoot\System32\drivers\volume.sys \SystemRoot\System32\drivers\volsnap.sys \SystemRoot\System32\drivers\rdyboost.sys \SystemRoot\System32\Drivers\mup.sys \SystemRoot\system32\drivers\iorate.sys \SystemRoot\System32\drivers\disk.sys \SystemRoot\System32\drivers\CLASSPNP.SYS \SystemRoot\System32\Drivers\crashdmp.sys \SystemRoot\System32\drivers\cdrom.sys \SystemRoot\system32\drivers\filecrypt.sys \SystemRoot\system32\drivers\tbs.sys \SystemRoot\System32\Drivers\Null.SYS \SystemRoot\System32\Drivers\Beep.SYS \SystemRoot\System32\drivers\BasicDisplay.sys \SystemRoot\System32\drivers\watchdog.sys \SystemRoot\System32\drivers\dxgkrnl.sys \SystemRoot\System32\drivers\vmbkmclr.sys \SystemRoot\System32\drivers\BasicRender.sys \SystemRoot\System32\Drivers\Npfs.SYS \SystemRoot\System32\Drivers\Msfs.SYS \SystemRoot\system32\DRIVERS\tdx.sys \SystemRoot\system32\DRIVERS\TDI.SYS \SystemRoot\System32\DRIVERS\netbt.sys \SystemRoot\system32\drivers\afd.sys \SystemRoot\System32\drivers\vwififlt.sys \SystemRoot\System32\drivers\pacer.sys \SystemRoot\system32\drivers\netbios.sys \SystemRoot\system32\DRIVERS\rdbss.sys \SystemRoot\system32\drivers\csc.sys \SystemRoot\system32\drivers\nsiproxy.sys \SystemRoot\System32\drivers\npsvctrig.sys \SystemRoot\System32\drivers\mssmbios.sys \SystemRoot\System32\drivers\gpuenergydrv.sys \SystemRoot\System32\Drivers\dfsc.sys \SystemRoot\system32\DRIVERS\ahcache.sys \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_de4c68ea4fb1be53\CompositeBus.sys \SystemRoot\System32\drivers\kdnic.sys \SystemRoot\System32\drivers\umbus.sys \SystemRoot\system32\DRIVERS\atikmpag.sys \SystemRoot\system32\DRIVERS\atikmdag.sys \SystemRoot\System32\drivers\HDAudBus.sys \SystemRoot\System32\drivers\portcls.sys \SystemRoot\System32\drivers\drmk.sys \SystemRoot\System32\drivers\ks.sys \SystemRoot\System32\drivers\TeeDriverW8x64.sys \SystemRoot\System32\drivers\e1i63x64.sys \SystemRoot\System32\drivers\usbehci.sys \SystemRoot\System32\drivers\USBPORT.SYS \SystemRoot\System32\drivers\kbdclass.sys \SystemRoot\System32\drivers\mouclass.sys \SystemRoot\System32\drivers\serial.sys \SystemRoot\System32\drivers\serenum.sys \SystemRoot\System32\drivers\intelppm.sys \SystemRoot\System32\drivers\wmiacpi.sys \SystemRoot\System32\drivers\NdisVirtualBus.sys \SystemRoot\System32\drivers\swenum.sys \SystemRoot\System32\drivers\rdpbus.sys \SystemRoot\System32\drivers\usbhub.sys \SystemRoot\System32\drivers\USBD.SYS \SystemRoot\system32\drivers\AtihdWT6.sys \SystemRoot\system32\drivers\ksthunk.sys \SystemRoot\system32\DRIVERS\HdAudio.sys \SystemRoot\System32\Drivers\fastfat.SYS \SystemRoot\System32\drivers\usbccgp.sys \SystemRoot\system32\DRIVERS\usbscan.sys \SystemRoot\System32\drivers\usbprint.sys \SystemRoot\System32\drivers\USBSTOR.SYS \SystemRoot\system32\DRIVERS\udfs.sys \SystemRoot\System32\Drivers\dump_dumpata.sys \SystemRoot\System32\Drivers\dump_atapi.sys \SystemRoot\System32\Drivers\dump_dumpfve.sys \SystemRoot\System32\drivers\hidusb.sys \SystemRoot\System32\drivers\HIDCLASS.SYS \SystemRoot\System32\drivers\HIDPARSE.SYS \SystemRoot\System32\drivers\kbdhid.sys \SystemRoot\System32\drivers\mouhid.sys \SystemRoot\System32\win32k.sys \SystemRoot\System32\win32kfull.sys \SystemRoot\System32\win32kbase.sys \SystemRoot\System32\drivers\dxgmms1.sys \SystemRoot\System32\drivers\monitor.sys \SystemRoot\System32\drivers\dxgmms2.sys \SystemRoot\System32\TSDDD.dll \SystemRoot\System32\cdd.dll \SystemRoot\system32\drivers\luafv.sys \SystemRoot\system32\drivers\wcifs.sys \SystemRoot\system32\drivers\WudfPf.sys \SystemRoot\system32\DRIVERS\WUDFRd.sys \SystemRoot\System32\drivers\WpdUpFltr.sys \SystemRoot\system32\drivers\storqosflt.sys \SystemRoot\System32\drivers\registry.sys \SystemRoot\system32\drivers\mslldp.sys \SystemRoot\system32\drivers\lltdio.sys \SystemRoot\system32\drivers\rspndr.sys \SystemRoot\system32\drivers\HTTP.sys \SystemRoot\System32\drivers\mpsdrv.sys \SystemRoot\System32\DRIVERS\srvnet.sys \SystemRoot\system32\drivers\mmcss.sys \SystemRoot\system32\drivers\Ndu.sys \SystemRoot\system32\drivers\peauth.sys \SystemRoot\System32\drivers\tcpipreg.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\System32\DRIVERS\srv2.sys \SystemRoot\system32\DRIVERS\mrxsmb10.sys \SystemRoot\System32\DRIVERS\srv.sys \SystemRoot\System32\drivers\tunnel.sys \SystemRoot\System32\drivers\condrv.sys \SystemRoot\system32\drivers\ndisuio.sys \SystemRoot\system32\drivers\WdFilter.sys \SystemRoot\system32\DRIVERS\mrxsmb20.sys \SystemRoot\system32\DRIVERS\bowser.sys \SystemRoot\system32\Drivers\WdNisDrv.sys \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1DB9E473-3589-494A-884E-6167C6593EA3}\MpKsl708035e1.sys \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys ----------- End ----------- Done! Scan started Database versions: main: v2017.08.29.10 rootkit: v2017.08.02.01 <<<2>>> Physical Sector Size: 512 Drive: 1, DevicePointer: 0xffffce802b90b060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffce802ae929f0, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xffffce802b90b060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\ DevicePointer: 0xffffce802b7326a0, DeviceName: Unknown, DriverName: \Driver\ACPI\ DevicePointer: 0xffffce802adb2060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes <<<2>>> <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers... Done! Physical Sector Size: 512 Drive: 0, DevicePointer: 0xffffce802b90c060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffce802ae919f0, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xffffce802b90c060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xffffce802ad72660, DeviceName: Unknown, DriverName: \Driver\ACPI\ DevicePointer: 0xffffce802adaf060, DeviceName: \Device\Ide\IdeDeviceP1T0L0-1\, DriverName: \Driver\atapi\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 Drive 0 Scanning MBR on drive 0... Inspecting partition table: This drive is a GPT Drive. MBR Signature: 55AA Disk Signature: 4C2B0944 GPT Protective MBR Partition information: Partition 0 type is EFI-GPT (0xee) Partition is NOT ACTIVE. Partition starts at LBA: 1 Numsec = 4294967295 Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 GPT Partition information: GPT Header Signature 4546492050415254 GPT Header Revision 65536 Size 92 CRC 1380445279 GPT Header CurrentLba = 1 BackupLba 5860533167 GPT Header FirstUsableLba 34 LastUsableLba 5860533134 GPT Header Guid 58478540-58e3-466c-9660-7eb9bce5c9f7 GPT Header Contains 128 partition entries starting at LBA 2 GPT Header Partition entry size = 128 Backup GPT header Signature 4546492050415254 Backup GPT header Revision 65536 Size 92 CRC 1380445279 Backup GPT header CurrentLba = 5860533167 BackupLba 1 Backup GPT header FirstUsableLba 34 LastUsableLba 5860533134 Backup GPT header Guid 58478540-58e3-466c-9660-7eb9bce5c9f7 Backup GPT header Contains 128 partition entries starting at LBA 5860533135 Backup GPT header Partition entry size = 128 Partition 0 Type e3c9e316-b5c-4db8-817d-f92df0215ae Partition ID 797a958e-55e2-4530-ba8-2cd7a2a5fb50 FirstLBA 34 Last LBA 262177 Attributes 0 Partition Name Microsoft reserved partition Partition 1 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 Partition ID b1a39b1d-fb64-4fa1-93b4-25f1f3b8b7 FirstLBA 264192 Last LBA 5860532223 Attributes 0 Partition Name Basic data partition Disk Size: 3000592982016 bytes Sector size: 512 bytes Done! Drive 1 This is a System drive Scanning MBR on drive 1... Inspecting partition table: This drive is a GPT Drive. MBR Signature: 55AA Disk Signature: ADC9667E GPT Protective MBR Partition information: Partition 0 type is EFI-GPT (0xee) Partition is NOT ACTIVE. Partition starts at LBA: 1 Numsec = 4294967295 Partition 1 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 GPT Partition information: GPT Header Signature 4546492050415254 GPT Header Revision 65536 Size 92 CRC 3381713283 GPT Header CurrentLba = 1 BackupLba 488397167 GPT Header FirstUsableLba 34 LastUsableLba 488397134 GPT Header Guid 7be1d017-3608-47f5-975e-ae404b166e2a GPT Header Contains 128 partition entries starting at LBA 2 GPT Header Partition entry size = 128 Backup GPT header Signature 4546492050415254 Backup GPT header Revision 65536 Size 92 CRC 3381713283 Backup GPT header CurrentLba = 488397167 BackupLba 1 Backup GPT header FirstUsableLba 34 LastUsableLba 488397134 Backup GPT header Guid 7be1d017-3608-47f5-975e-ae404b166e2a Backup GPT header Contains 128 partition entries starting at LBA 488397135 Backup GPT header Partition entry size = 128 Partition 0 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac Partition ID 80572099-cc62-4121-abc0-377a4aacb951 FirstLBA 2048 Last LBA 923647 Attributes 1 Partition Name Basic data partition Partition 1 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b Partition ID c078fb2a-61dd-487f-a244-b48978826067 FirstLBA 923648 Last LBA 1128447 Attributes 0 Partition Name EFI system partition GPT Partition 1 is bootable Partition 2 Type e3c9e316-b5c-4db8-817d-f92df0215ae Partition ID 82952695-51a1-41b6-8bd4-7999b0564580 FirstLBA 1128448 Last LBA 1161215 Attributes 0 Partition Name Microsoft reserved partition Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 Partition ID 9d2fc78b-de2b-4d9f-92e0-4e318986d5b FirstLBA 1161216 Last LBA 488396799 Attributes 0 Partition Name Basic data partition Disk Size: 250059350016 bytes Sector size: 512 bytes Done! Physical Sector Size: 0 Drive: 2, DevicePointer: 0xffffce802c0e5610, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffce802c112960, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xffffce802c0e5610, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\ DevicePointer: 0xffffce802bd2c060, DeviceName: \Device\0000003b\, DriverName: \Driver\USBSTOR\ ------------ End ---------- Infected: C:\$Recycle.Bin\S-1-5-21-584086061-3025348732-3442670432-1002\$R9GS8VN\u.exe --> [Adware.Yelloader] Infected: C:\$Recycle.Bin\S-1-5-21-584086061-3025348732-3442670432-1002\$RTVXR6D\s5m_install_325.exe --> [Trojan.Clicker] File "C:\Users\tljag\AppData\Local\Comms\UnistoreDB\store.vol" is sparse (flags = 32768) File "C:\ProgramData\Microsoft\Network\Downloader\qmgr.db" is sparse (flags = 32768) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.83" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.79" is compressed (flags = 1) File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-D498E9EBD89C7FC96C414D35F660ACCFDF98F18A.bin.7C" is compressed (flags = 1) Scan finished Creating System Restore point... Cleaning up... Removal scheduling successful. System shutdown needed. System shutdown occurred ======================================= Removal queue found; removal started Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam... Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam... Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam... Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam... Removal finished Link to post Share on other sites More sharing options...
Valinorum Posted September 1, 2017 ID:1159278 Share Posted September 1, 2017 How is your PC performing? Link to post Share on other sites More sharing options...
TLJaguar Posted September 1, 2017 Author ID:1159349 Share Posted September 1, 2017 Startup seems quite slow, it takes a little while after Windows loads before I can actually do anything. Also pauses every boot asking if I want to load windows or choose another option. But once windows is up and running, not getting any errors or other issues Link to post Share on other sites More sharing options...
Recommended Posts