oscarcrimwhipples #1 Posted November 3, 2017

I've been trying every anti-malware scanner I can find to get rid of this, but it's been super pesky and resilient. It's not being detected by any current scans (I used MBAR, ESET, JRT, etc.). Upon boot I have a rekobdt.exe hogging CPU resources. It originates from these folders, which are inaccessible:

C:\Users\SAM\AppData\Local\pwabnml
C:\Users\SAM\AppData\Local\pwdrauc

I can pinpoint an exact date that these folders downloaded to my computer: 11/1/17 - 11/2/17.

Attachments: Addition.txt, FRST.txt
Aura #2 Posted November 3, 2017

Hi oscarcrimwhipples,

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me not to reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens.

As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you not to seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you.

The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system.

If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!

If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off.

Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced.

I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules.

In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process.

I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone.

This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread.

This being said, it's time to clean up some malware, so let's get started, shall we?

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here after.
oscarcrimwhipples #3 Posted November 3, 2017

Attached: mbar-log-2017-11-03 (11-40-35).txt
Aura #4 Posted November 3, 2017 (edited)

Weird. You are infected with SmartService. MBAR should've detected and quarantined it.

Do you have a USB Flash Drive? If so, how big is it?

Edited November 3, 2017 by Aura
oscarcrimwhipples #5 Posted November 3, 2017

I have an 8 GB.
Aura #6 Posted November 3, 2017

Alright, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

- Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
- Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
- Click on the Fix button
- On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
- Copy and paste its content in your next reply

Attachment: fixlist.txt
oscarcrimwhipples #7 Posted November 3, 2017

Fix result of Farbar Recovery Scan Tool (x64) Version: 02-11-2017
Ran by SAM (03-11-2017 16:07:36) Run:29
Running from C:\Users\SAM\Downloads
Loaded Profiles: SAM (Available Profiles: SAM)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers
*****************

========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
The operation completed successfully.
========= End of CMD: =========

========= bcdedit.exe /set {default} recoveryenabled yes =========
The operation completed successfully.
========= End of CMD: =========

========= fltmc instances =========

Filter                Volume Name                          Altitude        Instance Name              Frame   SprtFtrs  VlStatus
-------------------- ------------------------------------- ------------ ---------------------- ----- -------- --------
FileInfo             \Device\Harddisk0\DR0                 40500        FileInfo                   0   00000003
FileInfo             \Device\Harddisk1\DR1                 40500        FileInfo                   0   00000003
FileInfo             C:                                    40500        FileInfo                   0   00000003
FileInfo                                                   40500        FileInfo                   0   00000003
FileInfo             E:                                    40500        FileInfo                   0   00000003
FileInfo             D:                                    40500        FileInfo                   0   00000003
FileInfo             F:                                    40500        FileInfo                   0   00000003
FileInfo             \Device\Mup                           40500        FileInfo                   0   00000003
Wof                  C:                                    40700        Wof Instance               0   00000003
Wof                                                        40700        Wof Instance               0   00000003
Wof                  E:                                    40700        Wof Instance               0   00000003
Wof                  D:                                    40700        Wof Instance               0   00000003
aswMonFlt            C:                                    320700       aswMonFlt Instance         0   00000004
aswMonFlt                                                  320700       aswMonFlt Instance         0   00000004
aswMonFlt            E:                                    320700       aswMonFlt Instance         0   00000004
aswMonFlt            D:                                    320700       aswMonFlt Instance         0   00000004
aswMonFlt            \Device\Mup                           320700       aswMonFlt Instance         0   00000004
aswSP                C:                                    388401       aswSP Instance             0   00000004
aswSP                                                      388401       aswSP Instance             0   00000004
aswSP                E:                                    388401       aswSP Instance             0   00000004
aswSP                D:                                    388401       aswSP Instance             0   00000004
eamonm               \Device\Harddisk0\DR0                 328700       AmonMinifilter Instance    0   00000007
eamonm               \Device\Harddisk1\DR1                 328700       AmonMinifilter Instance    0   00000007
eamonm               C:                                    328700       AmonMinifilter Instance    0   00000007
eamonm                                                     328700       AmonMinifilter Instance    0   00000007
eamonm               E:                                    328700       AmonMinifilter Instance    0   00000007
eamonm               D:                                    328700       AmonMinifilter Instance    0   00000007
eamonm               F:                                    328700       AmonMinifilter Instance    0   00000007
eamonm               \Device\Mup                           328700       AmonMinifilter Instance    0   00000007
luafv                C:                                    135000       luafv                      0   00000003
npsvctrig            \Device\NamedPipe                     46000        npsvctrig                  0   00000000
rvlhua               C:                                    45666        rvlhua Instance            0   00000000
rvlhua               \Device\Mup                           45666        rvlhua Instance            0   00000000
wcifs                C:                                    189900       wcifs Instance             0   00000000
========= End of CMD: =========

========= dir C:\Windows\system32\drivers =========
 Volume in drive C has no label.
 Volume Serial Number is 3E71-38DC

 Directory of C:\Windows\system32\drivers

11/03/2017 11:48 AM <DIR> .
11/03/2017 11:48 AM <DIR> ..
03/18/2017 03:56 PM 238,080 1394ohci.sys
11/02/2017 02:18 AM 255,928 17249AA8.sys
11/01/2017 11:18 PM 255,928 177367FF.sys
03/18/2017 03:56 PM 107,424 3ware.sys
11/03/2017 10:22 AM 255,928 47147628.sys
11/03/2017 11:40 AM 255,928 627574DF.sys
11/01/2017 11:08 PM 255,928 6617A306.sys
07/28/2017 12:23 AM 723,360 acpi.sys
03/18/2017 03:56 PM 20,480 AcpiDev.sys
03/18/2017 03:56 PM 127,392 acpiex.sys
03/18/2017 03:56 PM 12,800 acpipagr.sys
03/18/2017 03:56 PM 14,848 acpipmi.sys
03/18/2017 03:56 PM 14,336 acpitime.sys
03/18/2017 03:56 PM 1,135,512 adp80xx.sys
09/05/2017 12:11 AM 610,720 afd.sys
03/18/2017 03:58 PM 108,544 agilevpn.sys
03/18/2017 03:57 PM 239,616 ahcache.sys
03/18/2017 03:56 PM 176,640 amdk8.sys
03/18/2017 03:56 PM 172,544 amdppm.sys
03/18/2017 03:56 PM 83,352 amdsata.sys
03/18/2017 03:56 PM 259,488 amdsbs.sys
03/18/2017 03:56 PM 27,040 amdxata.sys
09/30/2017 12:40 AM 184,728 appid.sys
03/18/2017 03:58 PM 17,920 applockerfltr.sys
03/18/2017 03:56 PM 132,000 arcsas.sys
11/02/2017 01:59 AM 321,032 asw 8e627655b647ad7.tmp
11/02/2017 02:00 AM 84,416 asw bd97bf6faced6a2.tmp
11/02/2017 02:00 AM 363,440 asw c86b289c1c072b4.tmp
11/02/2017 02:00 AM 147,776 asw3876a4c822f6f0df.tmp
11/02/2017 01:59 AM 57,736 asw43ccc93fda2ab087.tmp
11/02/2017 02:00 AM 110,376 asw7945b3a874017c12.tmp
11/02/2017 01:59 AM 343,288 asw7a18037fa81bfbd9.tmp
11/02/2017 02:00 AM 1,029,872 aswac2c0f893c45a1af.tmp
11/02/2017 02:00 AM 47,008 aswb368294579741026.tmp
11/02/2017 01:59 AM 198,976 aswe721129a21631d51.tmp
11/02/2017 02:00 AM 587,168 aswed7add8f3a81aedc.tmp
11/02/2017 02:00 AM 201,352 aswf41c7e53fc95a28f.tmp
03/18/2017 03:57 PM 28,672 asyncmac.sys
03/18/2017 03:56 PM 29,088 atapi.sys
03/18/2017 03:56 PM 194,464 ataport.sys
03/18/2017 03:56 PM 4,233,728 athw8x.sys
03/18/2017 03:56 PM 57,344 BasicDisplay.sys
09/29/2017 02:32 AM 35,840 BasicRender.sys
03/18/2017 03:56 PM 36,256 battc.sys
12/14/2012 05:37 PM 15,739 BCM43241B0_002.001.013.0073.0076.hcd
12/10/2013 12:23 PM 16,838 BCM4324B3_002.004.006.0130.0131.hcd
12/10/2013 12:23 PM 16,838 BCM4324B3_002.004.006.0130.0132.hcd
12/10/2013 12:23 PM 16,778 BCM4324B3_002.004.006.0130.0133.hcd
12/10/2013 12:23 PM 16,790 BCM4324B3_002.004.006.0130.0135.hcd
12/10/2013 06:22 PM 16,799 BCM4324B3_002.004.006.0130.0138.hcd
02/03/2014 12:58 PM 16,824 BCM4324B3_002.004.006.0130.0143.hcd
04/23/2014 06:32 PM 16,778 BCM4324B3_002.004.006.0130.0148.hcd
05/22/2014 07:39 PM 16,778 BCM4324B3_002.004.006.0130.0150.hcd
12/05/2014 07:17 PM 17,346 BCM4324B3_002.004.006.0130.0161.hcd
11/20/2014 02:05 PM 41,333 BCM43341B0_002.001.014.0122.0176.hcd
08/05/2015 12:19 PM 34,320 BCM4356A2_001.003.015.0082.0243.hcd
09/13/2015 10:03 PM 34,320 BCM4356A2_001.003.015.0082.0253.hcd
09/13/2015 10:03 PM 34,320 BCM4356A2_001.003.015.0082.0254.hcd
02/01/2016 12:09 PM 40,647 BCM4356A2_001.003.015.0082.0285.hcd
10/12/2015 10:02 PM 40,518 BCM4356A2_001.003.015.0092.0273.hcd
03/18/2017 03:56 PM 9,728 bcmfn2.sys
03/18/2017 03:57 PM 10,240 beep.sys
03/18/2017 03:56 PM 101,888 bowser.sys
07/27/2017 11:25 PM 115,712 bridge.sys
03/18/2017 03:56 PM 23,552 BtaMPM.sys
03/18/2017 03:56 PM 43,520 BthAvrcpTg.sys
07/27/2017 11:08 PM 97,792 bthhfenum.sys
03/18/2017 03:56 PM 32,256 BthhfHid.sys
09/13/2017 10:11 PM 66,560 bthmodem.sys
02/17/2016 02:00 PM 213,312 btwampfl.sys
12/09/2015 06:47 PM 262,440 btwavdt.sys
11/04/2015 02:40 PM 47,392 btwrchid.sys
02/01/2016 12:09 PM 177,448 BtwSerialBus.sys
09/04/2017 11:28 PM 39,424 buttonconverter.sys
03/18/2017 03:56 PM 533,920 bxvbda.sys
03/18/2017 03:56 PM 53,664 CAD.sys
03/18/2017 03:56 PM 122,880 capimg.sys
03/18/2017 03:57 PM 93,184 cdfs.sys
03/18/2017 03:56 PM 160,256 cdrom.sys
03/18/2017 03:57 PM 77,216 CEA.sys
03/18/2017 03:56 PM 102,816 cht4dx64.sys
03/18/2017 03:56 PM 347,032 cht4sx64.sys
03/18/2017 03:56 PM 2,104,224 cht4vx64.sys
03/18/2017 03:56 PM 49,152 circlass.sys
03/18/2017 03:57 PM 391,584 Classpnp.sys
03/18/2017 03:58 PM 12,288 cldflt.sys
07/31/2017 09:38 PM 382,368 clfs.sys
03/18/2017 03:58 PM 877,472 ClipSp.sys
03/18/2017 03:56 PM 30,208 CmBatt.sys
03/18/2017 03:56 PM 28,064 cmimcext.sys
09/30/2017 12:40 AM 642,680 cng.sys
03/18/2017 03:57 PM 39,840 cnghwassist.sys
03/18/2017 03:57 PM 56,224 condrv.sys
12/22/2016 06:16 PM 123,376 CorsairGamingAudioamd64.sys
01/20/2017 04:28 PM 43,000 CorsairVBusDriver.sys
01/20/2017 04:28 PM 27,640 CorsairVHidDriver.sys
03/18/2017 03:57 PM 86,432 crashdmp.sys
05/20/2017 01:59 AM 112,544 dam.sys
11/01/2017 06:58 AM 45,640 dbx-canary.sys
11/01/2017 06:58 AM 45,672 dbx-dev.sys
11/01/2017 06:58 AM 45,640 dbx-stable.sys
03/18/2017 03:56 PM 45,568 devauthe.sys
03/18/2017 03:57 PM 150,528 dfsc.sys
03/18/2017 03:56 PM 102,816 disk.sys
03/18/2017 03:58 PM 38,816 Diskdump.sys
03/18/2017 03:57 PM 15,360 Dmpusbstor.sys
03/18/2017 03:56 PM 47,104 dmvsc.sys
03/18/2017 03:56 PM 97,280 drmk.sys
03/18/2017 03:56 PM 16,232 drmkaud.sys
12/13/2015 10:39 PM 30,264 dtlitescsibus.sys
12/13/2015 10:39 PM 46,392 dtliteusbbus.sys
03/18/2017 03:57 PM 35,744 Dumpata.sys
03/18/2017 03:59 PM 91,152 dumpfve.sys
09/05/2017 12:21 AM 189,344 dumpsd.sys
03/18/2017 03:58 PM 32,256 dumpsdport.sys
03/18/2017 03:57 PM 25,600 Dumpstorport.sys
09/30/2017 12:43 AM 2,442,136 dxgkrnl.sys
03/31/2017 07:52 PM 409,504 dxgmms1.sys
09/30/2017 12:44 AM 712,600 dxgmms2.sys
10/17/2017 08:07 AM 133,856 eamonm.sys
10/23/2017 12:28 AM 534,264 EasyAntiCheat.sys
09/25/2017 02:15 PM 107,336 edevmon.sys
10/05/2017 09:00 AM 15,392 eelam.sys
10/05/2017 09:00 AM 180,088 ehdrv.sys
03/18/2017 03:57 PM 88,992 EhStorClass.sys
03/18/2017 03:56 PM 119,200 EhStorTcgDrv.sys
09/25/2017 02:15 PM 50,744 ekbdflt.sys
09/13/2017 10:14 PM <DIR> en-US
09/25/2017 02:15 PM 81,888 epfw.sys
09/25/2017 02:15 PM 106,312 epfwwfp.sys
03/18/2017 03:56 PM 13,824 errdev.sys
11/02/2017 12:16 AM <DIR> etc
03/18/2017 03:56 PM 3,419,040 evbda.sys
03/18/2017 03:57 PM 347,136 exfat.sys
05/20/2017 01:53 AM 363,424 fastfat.sys
03/18/2017 03:56 PM 32,768 fdc.sys
03/18/2017 03:56 PM 54,272 filecrypt.sys
03/18/2017 03:57 PM 86,432 fileinfo.sys
03/18/2017 03:57 PM 36,864 filetrace.sys
03/18/2017 03:56 PM 26,624 flpydisk.sys
03/18/2017 03:57 PM 386,464 fltMgr.sys
03/18/2017 03:56 PM 63,904 fsdepends.sys
03/18/2017 03:57 PM 33,688 fs_rec.sys
09/05/2017 12:16 AM 715,168 fvevol.sys
03/18/2017 03:57 PM 419,744 FWPKCLNT.SYS
03/18/2017 03:56 PM 21,504 genericusbfn.sys
03/18/2017 03:57 PM 3,440,660 gm.dls
03/18/2017 03:57 PM 646 gmreadme.txt
03/18/2017 03:58 PM 8,192 gpuenergydrv.sys
06/20/2017 12:12 AM 86,528 hdaudbus.sys
03/18/2017 03:56 PM 416,256 HdAudio.sys
03/18/2017 03:56 PM 38,296 hidbatt.sys
09/04/2017 11:26 PM 107,008 hidbth.sys
03/18/2017 03:56 PM 180,736 hidclass.sys
03/18/2017 03:56 PM 52,224 hidi2c.sys
03/18/2017 03:56 PM 51,104 hidinterrupt.sys
03/18/2017 03:56 PM 46,592 hidir.sys
03/18/2017 03:56 PM 40,960 hidparse.sys
03/18/2017 03:56 PM 40,960 hidusb.sys
03/18/2017 03:56 PM 64,416 HpSAMD.sys
07/07/2017 02:07 AM 1,106,848 http.sys
03/18/2017 03:57 PM 74,648 hvservice.sys
03/18/2017 03:56 PM 118,688 hvsocket.sys
03/18/2017 03:57 PM 29,600 hwpolicy.sys
03/18/2017 03:56 PM 16,896 hyperkbd.sys
03/18/2017 03:56 PM 115,200 i8042prt.sys
03/18/2017 03:56 PM 33,280 iagpio.sys
03/18/2017 03:56 PM 81,408 iai2c.sys
03/18/2017 03:56 PM 70,656 iaLPSS2i_GPIO2.sys
03/18/2017 03:56 PM 85,504 iaLPSS2i_GPIO2_BXT_P.sys
03/18/2017 03:56 PM 165,376 iaLPSS2i_I2C.sys
03/18/2017 03:56 PM 168,448 iaLPSS2i_I2C_BXT_P.sys
03/18/2017 03:56 PM 38,128 iaLPSSi_GPIO.sys
03/18/2017 03:56 PM 113,152 iaLPSSi_I2C.sys
06/23/2015 04:58 PM 1,455,552 iaStorA.sys
03/18/2017 03:56 PM 673,184 iaStorAV.sys
03/18/2017 03:56 PM 412,064 iaStorV.sys
03/18/2017 03:56 PM 526,240 ibbus.sys
03/18/2017 03:58 PM 36,864 IndirectKmd.sys
03/18/2017 03:56 PM 19,360 intelide.sys
03/18/2017 03:56 PM 74,840 intelpep.sys
03/18/2017 03:56 PM 193,536 intelppm.sys
03/18/2017 03:57 PM 49,568 iorate.sys
03/18/2017 03:57 PM 87,040 ipfltdrv.sys
03/18/2017 03:56 PM 92,064 IPMIDrv.sys
03/18/2017 03:58 PM 214,528 ipnat.sys
03/18/2017 03:57 PM 120,320 irda.sys
03/18/2017 03:57 PM 19,968 irenum.sys
03/18/2017 03:56 PM 22,944 isapnp.sys
03/18/2017 03:56 PM 64,416 kbdclass.sys
03/18/2017 03:56 PM 40,448 kbdhid.sys
03/18/2017 03:56 PM 23,040 kdnic.sys
03/18/2017 03:58 PM 390,144 ks.sys
09/30/2017 12:49 AM 135,576 ksecdd.sys
03/18/2017 03:58 PM 170,912 ksecpkg.sys
05/20/2017 01:10 AM 27,136 ksthunk.sys
09/29/2016 04:14 PM 36,496 LGBusEnum.sys
09/29/2016 04:14 PM 57,368 LGJoyHidFilter.sys
09/29/2016 04:14 PM 47,256 LGJoyHidLo.sys
09/29/2016 04:14 PM 67,736 LGJoyXlCore.sys
09/29/2016 04:14 PM 64,280 LGSHidFilt.Sys
09/29/2016 04:14 PM 26,008 LGVirHid.sys
03/18/2017 03:58 PM 66,560 lltdio.sys
11/02/2017 02:00 AM 61,304 lpsport.sys
03/18/2017 03:56 PM 108,960 lsi_sas.sys
03/18/2017 03:56 PM 123,808 lsi_sas2i.sys
03/18/2017 03:56 PM 103,328 lsi_sas3i.sys
03/18/2017 03:56 PM 82,848 lsi_sss.sys
03/18/2017 03:57 PM 124,928 luafv.sys
10/26/2012 05:42 PM 266,828 LVAFT.cfg
10/26/2012 05:42 PM 26,784 lvbflt64.sys
10/26/2012 05:42 PM 351,520 lvrs64.sys
10/26/2012 05:42 PM 4,758,176 lvuvc64.sys
03/18/2017 03:56 PM 405,408 mausbhost.sys
03/18/2017 03:56 PM 51,104 mausbip.sys
10/04/2017 01:15 PM 77,440 mbae64.sys
11/14/2015 12:01 AM 41,096 MBfilt64.sys
03/18/2017 03:57 PM 23,552 mcd.sys
03/18/2017 03:56 PM 59,808 megasas.sys
03/18/2017 03:56 PM 64,416 MegaSas2i.sys
03/18/2017 03:56 PM 575,904 megasr.sys
03/18/2017 03:56 PM 842,656 mlx4_bus.sys
03/18/2017 03:57 PM 50,688 mmcss.sys
03/18/2017 03:57 PM 42,496 modem.sys
03/18/2017 03:56 PM 39,424 monitor.sys
03/18/2017 03:56 PM 60,320 mouclass.sys
03/18/2017 03:56 PM 33,280 mouhid.sys
03/18/2017 03:57 PM 105,880 mountmgr.sys
03/18/2017 03:58 PM 76,800 mpsdrv.sys
03/18/2017 03:57 PM 144,384 mrxdav.sys
03/18/2017 03:57 PM 467,352 mrxsmb.sys
09/29/2017 02:20 AM 286,208 mrxsmb10.sys
09/30/2017 12:41 AM 228,248 mrxsmb20.sys
03/18/2017 03:57 PM 31,744 msfs.sys
03/18/2017 03:57 PM 169,888 msgpioclx.sys
03/18/2017 03:56 PM 49,056 msgpiowin32.sys
03/18/2017 03:57 PM 8,704 mshidkmdf.sys
03/18/2017 03:57 PM 12,288 mshidumdf.sys
03/18/2017 03:56 PM 19,352 msisadrv.sys
07/28/2017 12:20 AM 279,968 msiscsi.sys
06/20/2017 12:14 AM 32,768 mskssrv.sys
03/18/2017 03:57 PM 83,456 mslldp.sys
03/18/2017 03:58 PM 10,752 mspqm.sys
03/18/2017 03:57 PM 367,000 msrpc.sys
03/18/2017 03:56 PM 44,960 mssmbios.sys
03/18/2017 03:58 PM 12,800 mstee.sys
03/18/2017 03:56 PM 16,896 MTConfig.sys
03/18/2017 03:57 PM 123,808 mup.sys
03/18/2017 03:56 PM 63,904 mvumis.sys
11/01/2017 10:58 PM 94,144 mwac.sys
03/18/2017 03:56 PM 108,960 ndfltr.sys
09/05/2017 12:23 AM 1,242,528 ndis.sys
03/18/2017 03:57 PM 50,688 ndiscap.sys
03/18/2017 03:57 PM 128,512 NdisImPlatform.sys
03/18/2017 03:58 PM 27,136 ndistapi.sys
03/18/2017 03:58 PM 65,536 ndisuio.sys
03/18/2017 03:57 PM 20,992 NdisVirtualBus.sys
03/18/2017 03:58 PM 192,000 ndiswan.sys
03/18/2017 03:58 PM 62,464 ndproxy.sys
03/18/2017 03:58 PM 127,488 Ndu.sys
03/18/2017 03:57 PM 122,368 NetAdapterCx.sys
03/18/2017 03:57 PM 57,760 netbios.sys
09/04/2017 11:23 PM 305,152 netbt.sys
09/05/2017 12:24 AM 519,584 netio.sys
04/19/2017 01:18 AM 118,784 netvsc.sys
03/18/2017 03:57 PM 69,120 npfs.sys
03/18/2017 03:56 PM 27,136 npsvctrig.sys
09/04/2017 11:25 PM 43,520 nsiproxy.sys
09/30/2017 12:48 AM 2,327,448 ntfs.sys
03/18/2017 03:57 PM 20,376 ntosext.sys
03/18/2017 03:57 PM 7,680 null.sys
03/18/2017 03:56 PM 80,896 nvdimmn.sys
10/12/2017 04:38 PM 225,208 nvhda64v.sys
03/18/2017 03:56 PM 150,432 nvraid.sys
03/18/2017 03:56 PM 166,304 nvstor.sys
10/12/2017 04:38 PM 48,064 nvvad64v.sys
10/12/2017 04:38 PM 57,792 nvvhci.sys
09/29/2017 02:29 AM 550,400 nwifi.sys
03/18/2017 03:57 PM 152,992 pacer.sys
03/18/2017 03:56 PM 97,792 parport.sys
09/05/2017 12:25 AM 159,648 partmgr.sys
03/18/2017 03:56 PM 353,696 pci.sys
03/18/2017 03:56 PM 16,800 pciide.sys
03/18/2017 03:56 PM 53,656 pciidex.sys
03/18/2017 03:56 PM 120,224 pcmcia.sys
03/18/2017 03:57 PM 52,640 pcw.sys
07/07/2017 02:24 AM 117,664 pdc.sys
03/18/2017 03:58 PM 741,376 PEAuth.sys
03/18/2017 03:56 PM 58,784 percsas2i.sys
03/18/2017 03:56 PM 61,848 percsas3i.sys
03/18/2017 03:56 PM 101,376 pmem.sys
03/18/2017 03:56 PM 373,248 portcls.sys
03/18/2017 03:56 PM 172,032 processr.sys
03/18/2017 03:57 PM 49,664 qwavedrv.sys
03/18/2017 03:57 PM 17,920 rasacd.sys
03/18/2017 03:58 PM 107,008 rasl2tp.sys
03/18/2017 03:57 PM 81,920 raspppoe.sys
03/18/2017 03:58 PM 97,792 raspptp.sys
03/18/2017 03:58 PM 79,872 rassstp.sys
03/18/2017 03:57 PM 434,080 rdbss.sys
03/18/2017 09:31 PM 27,136 rdpbus.sys
03/18/2017 09:31 PM 183,296 rdpdr.sys
03/18/2017 09:31 PM 30,624 rdpvideominiport.sys
03/18/2017 03:57 PM 282,528 rdyboost.sys
03/18/2017 03:57 PM 1,735,584 refs.sys
03/18/2017 03:57 PM 936,864 refsv1.sys
03/18/2017 03:57 PM 14,336 registry.sys
03/18/2017 03:56 PM 40,960 RfxVmt.sys
03/18/2017 03:57 PM 150,016 rmcast.sys
03/18/2017 03:57 PM 34,816 RNDISMP.sys
05/20/2017 01:08 AM 13,312 rootmdm.sys
03/18/2017 03:58 PM 82,432 rspndr.sys
11/13/2015 11:58 PM 887,552 rt640x64.sys
11/14/2015 12:01 AM 3,943,233 RTAIODAT.DAT
11/14/2015 12:01 AM 4,608,256 RTKVHD64.sys
06/23/2016 06:52 AM 51,736 rzbtendpt.sys
06/23/2016 06:55 AM 42,008 rzdaendpt.sys
06/23/2016 06:55 AM 51,736 rzendpt.sys
06/23/2016 06:55 AM 29,720 rzhnet.sys
06/23/2016 06:55 AM 36,368 rzjstk.sys
06/23/2016 06:55 AM 45,080 rzkeypadendpt.sys
06/23/2016 06:55 AM 47,640 rzmpos.sys
06/23/2016 06:55 AM 51,736 rzp1endpt.sys
06/23/2016 06:55 AM 203,288 rzudd.sys
06/23/2016 06:55 AM 43,544 rzvkeyboard.sys
06/23/2016 06:55 AM 43,544 rzvmouse.sys
03/18/2017 03:56 PM 110,496 sbp2port.sys
03/18/2017 03:57 PM 43,520 scfilter.sys
03/18/2017 03:56 PM 91,040 scmbus.sys
05/19/2013 02:02 AM 39,168 ScpVBus.sys
03/18/2017 03:57 PM 175,520 scsiport.sys
09/05/2017 12:30 AM 287,648 sdbus.sys
03/18/2017 03:56 PM 31,128 SDFRd.sys
03/18/2017 03:56 PM 98,208 sdport.sys
03/18/2017 03:56 PM 94,624 sdstor.sys
03/18/2017 03:57 PM 75,680 SerCx.sys
03/18/2017 03:57 PM 154,016 SerCx2.sys
03/18/2017 03:56 PM 26,112 serenum.sys
03/18/2017 03:56 PM 84,480 serial.sys
03/18/2017 03:56 PM 28,672 sermouse.sys
03/18/2017 03:56 PM 18,432 sfloppy.sys
03/18/2017 03:56 PM 44,960 sisraid2.sys
03/18/2017 03:56 PM 81,824 sisraid4.sys
10/05/2016 08:12 PM 28,424 sixaxis.sys
03/18/2017 03:58 PM 32,672 SleepStudyHelper.sys
03/18/2017 03:57 PM 21,504 smclib.sys
03/18/2017 03:56 PM 167,328 spacedump.sys
03/18/2017 03:56 PM 587,168 spaceport.sys
03/18/2017 09:31 PM 40,352 SpatialGraphFilter.sys
03/18/2017 03:57 PM 80,288 SpbCx.sys
09/29/2017 02:21 AM 414,208 srv.sys
09/29/2017 02:21 AM 722,944 srv2.sys
09/04/2017 11:11 PM 254,976 srvnet.sys
03/18/2017 03:56 PM 31,136 stexstor.sys
05/20/2017 01:54 AM 144,288 storahci.sys
03/18/2017 03:56 PM 95,648 stornvme.sys
09/05/2017 12:16 AM 546,208 storport.sys
03/18/2017 03:58 PM 79,872 storqosflt.sys
03/18/2017 03:56 PM 36,760 storufs.sys
03/18/2017 03:56 PM 36,768 storvsc.sys
03/18/2017 03:57 PM 75,776 stream.sys
03/18/2017 03:56 PM 18,336 swenum.sys
03/18/2017 03:56 PM 64,512 Synth3dVsc.sys
06/23/2016 06:55 AM 615,640 SynTP.sys
09/14/2017 11:32 AM 27,136 tap0901.sys
03/18/2017 03:57 PM 31,232 tape.sys
03/18/2017 03:57 PM 28,064 tbs.sys
09/30/2017 12:36 AM 2,672,024 tcpip.sys
03/18/2017 03:57 PM 51,712 tcpipreg.sys
03/18/2017 03:57 PM 40,352 tdi.sys
07/31/2017 09:36 PM 119,712 tdx.sys
07/07/2015 09:45 PM 184,608 TeeDriverW8x64.sys
03/18/2017 09:31 PM 37,280 terminpt.sys
06/03/2017 05:10 AM 130,464 tm.sys
11/22/2015 07:07 PM 25,928 tpfilter.sys
06/03/2017 05:00 AM 219,040 tpm.sys
11/03/2017 10:13 AM 28,272 TrueSight.sys
03/18/2017 03:56 PM 61,440 TsUsbFlt.sys
03/18/2017 03:56 PM 35,328 TsUsbGD.sys
03/18/2017 03:58 PM 162,304 tunnel.sys
03/18/2017 03:56 PM 78,752 uaspstor.sys
09/04/2017 11:27 PM 104,960 UcmCx.sys
03/18/2017 03:58 PM 179,200 UcmTcpciCx.sys
07/27/2017 11:27 PM 51,712 UcmUcsi.sys
03/18/2017 03:56 PM 213,920 Ucx01000.sys
03/18/2017 03:56 PM 45,568 Udecx.sys
03/18/2017 03:57 PM 324,096 udfs.sys
03/18/2017 03:56 PM 29,600 uefi.sys
03/18/2017 03:58 PM 263,584 ufx01000.sys
03/18/2017 03:56 PM 98,712 UfxChipidea.sys
03/18/2017 03:56 PM 138,656 ufxsynopsys.sys
03/18/2017 03:56 PM 57,856 umbus.sys
11/02/2017 04:42 PM <DIR> UMDF
03/18/2017 03:56 PM 14,336 umpass.sys
03/18/2017 03:56 PM 29,600 urschipidea.sys
03/18/2017 03:58 PM 59,288 urscx01000.sys
03/18/2017 03:56 PM 28,064 urssynopsys.sys
03/18/2017 03:57 PM 23,040 usb8023.sys
11/05/2015 04:23 PM 54,784 usbaapl64.sys
03/18/2017 03:56 PM 134,656 USBAUDIO.sys
03/18/2017 03:57 PM 37,888 USBCAMD2.sys
09/30/2017 12:40 AM 173,976 usbccgp.sys
03/18/2017 03:56 PM 103,424 usbcir.sys
03/18/2017 03:56 PM 32,160 usbd.sys
03/18/2017 03:56 PM 98,200 usbehci.sys
09/30/2017 12:45 AM 511,896 usbhub.sys
09/18/2017 06:09 PM 554,400 USBHUB3.SYS
03/18/2017 03:56 PM 30,720 usbohci.sys
03/18/2017 03:56 PM 466,336 usbport.sys
03/18/2017 03:56 PM 27,136 usbprint.sys
03/18/2017 03:56 PM 32,768 usbrpm.sys
09/04/2017 11:28 PM 71,680 usbser.sys
03/18/2017 03:56 PM 131,488 USBSTOR.SYS
03/18/2017 03:56 PM 35,328 usbuhci.sys
04/27/2017 07:59 PM 388,000 USBXHCI.SYS
03/18/2017 03:56 PM 54,176 vdrvroot.sys
11/02/2017 04:39 PM 137,552 vdsgknqu.sys
03/18/2017 03:57 PM 215,456 VerifierExt.sys
05/20/2017 01:54 AM 730,016 vhdmp.sys
03/18/2017 03:56 PM 35,328 vhf.sys
03/18/2017 03:57 PM 49,664 videoprt.sys
07/31/2017 09:30 PM 82,336 vmbkmcl.sys
07/31/2017 08:44 PM 83,968 vmbkmclr.sys
03/18/2017 03:56 PM 107,424 vmbus.sys
03/18/2017 03:56 PM 25,088 VMBusHID.sys
03/18/2017 03:56 PM 13,824 vmgencounter.sys
03/18/2017 03:56 PM 10,240 vmgid.sys
03/18/2017 03:56 PM 9,216 vms3cap.sys
03/18/2017 03:56 PM 47,520 vmstorfl.sys
03/18/2017 03:56 PM 83,360 volmgr.sys
03/18/2017 03:57 PM 373,664 volmgrx.sys
03/18/2017 03:57 PM 397,216 volsnap.sys
03/18/2017 03:56 PM 16,288 volume.sys
03/18/2017 03:56 PM 74,656 vpci.sys
03/18/2017 03:56 PM 166,816 vsmraid.sys
03/18/2017 03:56 PM 305,568 VSTXRAID.SYS
03/18/2017 03:58 PM 27,136 vwifibus.sys
03/18/2017 03:58 PM 77,312 vwififlt.sys
03/18/2017 03:58 PM 41,472 vwifimp.sys
03/18/2017 03:56 PM 30,720 wacompen.sys
03/18/2017 03:58 PM 81,408 wanarp.sys
03/18/2017 03:57 PM 55,808 watchdog.sys
06/20/2017 01:00 AM 142,752 wcifs.sys
03/18/2017 03:57 PM 72,192 wcnfs.sys
03/18/2017 03:56 PM 44,632 WdBoot.sys
03/18/2017 03:57 PM 902,376 Wdf01000.sys
03/18/2017 03:56 PM 294,816 WdFilter.sys
03/18/2017 03:57 PM 61,672 WdfLdr.sys
06/20/2017 12:07 AM 757,248 WdiWiFi.sys
03/18/2017 03:56 PM 121,248 WdNisDrv.sys
03/18/2017 03:57 PM 46,488 werkernel.sys
03/18/2017 03:57 PM 164,768 wfplwfs.sys
03/18/2017 03:57 PM 35,744 wimmount.sys
03/18/2017 03:58 PM 70,232 WindowsTrustedRT.sys
03/18/2017 03:56 PM 18,520 WindowsTrustedRTProxy.sys
03/18/2017 03:56 PM 31,648 winhv.sys
03/18/2017 03:57 PM 55,296 winhvr.sys
03/18/2017 03:56 PM 32,160 winmad.sys
03/18/2017 03:58 PM 217,088 winnat.sys
03/18/2017 03:56 PM 90,112 winusb.sys
03/18/2017 03:56 PM 64,920 winverbs.sys
03/18/2017 03:56 PM 18,432 wmiacpi.sys
03/18/2017 03:57 PM 20,384 wmilib.sys
03/18/2017 03:57 PM 208,288 wof.sys
03/18/2017 03:59 PM 30,624 WpdUpFltr.sys
03/18/2017 03:57 PM 33,184 WppRecorder.sys
03/18/2017 03:57 PM 23,552 ws2ifsl.sys
03/18/2017 03:56 PM 22,528 WSDPrint.sys
03/18/2017 03:56 PM 24,576 WSDScan.sys
03/18/2017 03:57 PM 100,864 WUDFPf.sys
03/18/2017 03:57 PM 220,672 WUDFRd.sys
05/20/2017 01:07 AM 277,504 xboxgip.sys
03/18/2017 03:56 PM 46,592 xinputhid.sys
12/02/2015 11:12 PM 63,840 XtuAcpiDriver.sys
03/18/2017 03:56 PM 98,816 xusb22.sys
               472 File(s)    102,997,181 bytes
                 5 Dir(s)  89,923,538,944 bytes free
========= End of CMD: =========

==== End of Fixlog 16:07:36 ====
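The two commands in that fixlist are a manual triage pass: `fltmc instances` shows which minifilters are actually loaded, and the `dir` of system32\drivers shows what is on disk and when it was written. Reading the Fixlog above by eye, three things stand out: five drivers whose names are nothing but eight hex digits, all 255,928 bytes and all dated inside the 1 to 3 November window the poster gave; a cluster of other files written in that same window; and a loaded filter, rvlhua, with no matching rvlhua.sys anywhere in the listing. The Python below is an added example written for this page (it is not FRST code and was not posted in the thread) that applies exactly those three checks to a constructed excerpt of the Fixlog. The eight-hex-digit name pattern, the date window and the "loaded filter without a driver file" rule are the editor's heuristics, not FRST or Malwarebytes detections.

```python
"""Added example (editor's code, not FRST's and not from the thread): apply
three triage heuristics to the text of the two fixlist commands above,
`fltmc instances` and `dir C:\\Windows\\system32\\drivers`.
SAMPLE_FLTMC and SAMPLE_DIR are constructed excerpts of the Fixlog."""
import re
from datetime import datetime

# Heuristic 1: a kernel driver whose name is nothing but eight hex digits.
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8}\.sys$")
# One `dir` entry: date, time, <DIR> or byte count, name (may contain spaces).
DIR_LINE = re.compile(
    r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
# Heuristic 2: the window the poster gave (1 to 2 Nov) plus the day of the scan.
INFECTION_WINDOW = (datetime(2017, 11, 1), datetime(2017, 11, 3, 23, 59))

SAMPLE_FLTMC = r"""
Filter      Volume Name          Altitude  Instance Name            Frame SprtFtrs
----------- -------------------- --------- ------------------------ ----- --------
FileInfo    C:                   40500     FileInfo                 0     00000003
Wof         C:                   40700     Wof Instance             0     00000003
aswMonFlt   C:                   320700    aswMonFlt Instance       0     00000004
aswSP       C:                   388401    aswSP Instance           0     00000004
eamonm      C:                   328700    AmonMinifilter Instance  0     00000007
luafv       C:                   135000    luafv                    0     00000003
npsvctrig   \Device\NamedPipe    46000     npsvctrig                0     00000000
rvlhua      C:                   45666     rvlhua Instance          0     00000000
rvlhua      \Device\Mup          45666     rvlhua Instance          0     00000000
wcifs       C:                   189900    wcifs Instance           0     00000000
"""

SAMPLE_DIR = r"""
 Directory of C:\Windows\system32\drivers

11/03/2017 11:48 AM <DIR> .
11/03/2017 11:48 AM <DIR> ..
03/18/2017 03:56 PM 238,080 1394ohci.sys
11/02/2017 02:18 AM 255,928 17249AA8.sys
11/01/2017 11:18 PM 255,928 177367FF.sys
11/03/2017 10:22 AM 255,928 47147628.sys
11/03/2017 11:40 AM 255,928 627574DF.sys
11/01/2017 11:08 PM 255,928 6617A306.sys
11/01/2017 06:58 AM 45,640 dbx-canary.sys
10/17/2017 08:07 AM 133,856 eamonm.sys
03/18/2017 03:57 PM 86,432 fileinfo.sys
11/02/2017 02:00 AM 61,304 lpsport.sys
03/18/2017 03:57 PM 124,928 luafv.sys
11/01/2017 10:58 PM 94,144 mwac.sys
03/18/2017 03:56 PM 27,136 npsvctrig.sys
11/03/2017 10:13 AM 28,272 TrueSight.sys
11/02/2017 04:39 PM 137,552 vdsgknqu.sys
06/20/2017 01:00 AM 142,752 wcifs.sys
03/18/2017 03:57 PM 208,288 wof.sys
"""


def parse_dir(text):
    """Return [(mtime, size or None for directories, name)] from `dir` output."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue  # header and trailer lines carry no entry
        date, clock, size, name = m.groups()
        mtime = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M %p")
        entries.append((mtime, None if size == "<DIR>" else int(size.replace(",", "")), name))
    return entries


def parse_fltmc_filters(text):
    """Return the set of filter names from `fltmc instances` output."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Filter" or parts[0][0] in "-=":
            continue  # blank, column header, separator, FRST banner
        names.add(parts[0])
    return names


def hex_named_drivers(entries):
    """Heuristic 1: (name, size) of .sys files named with eight hex digits."""
    return sorted((n, s) for _, s, n in entries if s is not None and HEX_NAME.match(n))


def written_in_window(entries, start, end):
    """Heuristic 2: files (not directories) last written inside [start, end]."""
    return sorted(n for t, s, n in entries if s is not None and start <= t <= end)


def filters_without_driver_file(filters, entries):
    """Heuristic 3: loaded minifilters with no <name>.sys in the listing."""
    on_disk = {n.lower() for _, s, n in entries if s is not None}
    return sorted(f for f in filters if f"{f.lower()}.sys" not in on_disk)


def triage(fltmc_text, dir_text, window=INFECTION_WINDOW):
    """Run all three heuristics and return the review lists."""
    entries = parse_dir(dir_text)
    return {
        "hex_named": hex_named_drivers(entries),
        "in_window": written_in_window(entries, *window),
        "filters_without_file": filters_without_driver_file(
            parse_fltmc_filters(fltmc_text), entries),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_FLTMC, SAMPLE_DIR).items():
        print(f"{check}: {hits}")
```

All three outputs are review lists, not verdicts. The date window is the noisiest: the scanners run during this cleanup wrote their own drivers into system32\drivers inside it, so every hit still needs its publisher and signature checked. The filter check only narrows the field as well, since a third-party filter may legitimately load its driver from another directory; what it cannot explain is a loaded filter with a random-looking name and no file, which is why rvlhua is the entry worth chasing from this log.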
Aura #8 Posted November 4, 2017

Alright, and now for the fun part.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan

Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:
- USB Flash Drive (size depends on whether you have to create a USB Recovery or Installation media)
- CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
- Another computer (optional: only needed if you cannot work from the infected computer directly)

Preparing the USB Flash Drive
- Download the right version of FRST for your system: FRST 64-bit
- Move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive
- Download the attached fixlist.txt, and move it to your USB Flash Drive as well

Boot in the Recovery Environment
- Plug your USB Flash Drive into the infected computer
- To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
  - Restart the computer
  - Once you've seen your BIOS splash screen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
  - Use the arrow keys to select Repair your computer, and press Enter
  - Select your keyboard layout (US, French, etc.) and click on Next
  - Click on Command Prompt to open the command prompt
  Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
- To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
  Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
- To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
  Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.

Once in the command prompt
- In the command prompt, type notepad and press Enter
- Notepad will open. Click on the File menu and select Open
- Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
- In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter
  Note: Replace the letter e with the drive letter of your USB Flash Drive
- FRST will open
- Click on Yes to accept the disclaimer
- Click on the Fix button and wait for the scan to complete
- A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply

Attachment: fixlist.txt
oscarcrimwhipples #9 Posted November 6, 2017

Here you go.

Attached: Fixlog.txt
Aura #10 Posted November 6, 2017

Thank you. Now you should be able to install and run a scan with Malwarebytes.

Malwarebytes - Clean Mode
- Download and install the free version of Malwarebytes
  Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
- Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
- Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
- Let the scan run; the time required to complete the scan depends on your system and computer specs
- Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
- If it asks you to restart your computer to complete the removal, do so
- Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply
oscarcrimwhipples #11 Posted November 6, 2017

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/5/17
Scan Time: 10:43 PM
Log File: 15d8d9ad-c2ad-11e7-95dc-d8cb8a4ff8cc.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.212
Update Package Version: 1.0.3185
License: Trial

-System Information-
OS: Windows 10 (Build 15063.674)
CPU: x64
File System: NTFS
User: SAMPC1\SAM

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 376164
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 1 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)

(end)
Aura #12 Posted November 6, 2017

Good! Now let's do a sweep with AdwCleaner and RogueKiller.

AdwCleaner - Fix Mode
- Download AdwCleaner and move it to your Desktop
- Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
- Accept the EULA (I accept), then click on Scan
- Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
- Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
- After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

RogueKiller
- Download the right version of RogueKiller for your Windows version (32 or 64-bit)
- Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
- Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
- Wait for the scan to complete
- On completion, the results will be displayed
- Check every single entry (threat found), and click on the Remove Selected button
- On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
- This will open the report in Notepad. Copy/paste its content in your next reply

Your next reply(ies) should therefore contain:
- Copy/pasted AdwCleaner clean log
- Copy/pasted RogueKiller clean log
oscarcrimwhipples #13 Posted November 6, 2017

# AdwCleaner 7.0.2.1 - Logfile created on Mon Nov 06 20:33:46 2017
# Updated on 2017/29/08 by Malwarebytes
# Database: 11-03-2017.2
# Running on Windows 10 Home (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****
No malicious services found.

***** [ Folders ] *****
No malicious folders found.

***** [ Files ] *****
No malicious files found.

***** [ DLL ] *****
No malicious DLLs found.

***** [ WMI ] *****
No malicious WMI found.

***** [ Shortcuts ] *****
No malicious shortcuts found.

***** [ Tasks ] *****
No malicious tasks found.

***** [ Registry ] *****
No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [3795 B] - [2017/9/12 2:9:51]
C:/AdwCleaner/AdwCleaner[C1].txt - [1937 B] - [2017/9/12 4:30:9]
C:/AdwCleaner/AdwCleaner[C2].txt - [2971 B] - [2017/11/2 1:55:22]
C:/AdwCleaner/AdwCleaner[S0].txt - [4020 B] - [2017/9/12 2:9:38]
C:/AdwCleaner/AdwCleaner[S1].txt - [1849 B] - [2017/9/12 4:29:55]
C:/AdwCleaner/AdwCleaner[S2].txt - [1210 B] - [2017/9/16 15:51:53]
C:/AdwCleaner/AdwCleaner[S3].txt - [3061 B] - [2017/11/2 1:55:8]
C:/AdwCleaner/AdwCleaner[S4].txt - [1411 B] - [2017/11/2 2:25:57]

########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt ##########
oscarcrimwhipples #14 Posted November 6, 2017

RogueKiller V12.11.23.0 (x64) [Nov 6 2017] (Premium) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.15063) 64 bits version
Started in : Normal mode
User : SAM [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 11/06/2017 14:46:14 (Duration : 00:13:58)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.uTorrentAds][File] C:\Users\SAM\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe -> Deleted

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 500GB +++++
--- User ---
[MBR] 4746f0247dad4ec76b3a78d312e9d4c9
[BSP] b473be552ed7dd6a7773eb5614b8ef1a : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476488 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 975849472 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD10EZEX-00BN5A0 +++++
--- User ---
[MBR] e2c9512ad30a37f25a171bf13a3bf3fa
[BSP] 00100762ff2cd8d51fc3026c570a0f95 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953766 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
Aura #15 Posted November 7, 2017

Good! Now please run a new scan with FRST and provide me both logs, as we'll look for remnants.
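The "remnants" that a post-cleanup FRST review looks for are typically autostart entries that still point at an executable in a user's AppData tree, sometimes at a file that has already been deleted. As an added example that is not part of this thread and is not FRST's code, the PowerShell script below lists Run/RunOnce values and scheduled-task actions whose target sits under AppData and reports whether the file still exists; the registry paths are the standard ones, and the function names are mine.

```powershell
# Added example, not from the thread or from FRST: list autostart entries
# (Run/RunOnce keys and scheduled-task actions) whose target executable lives
# under a user profile's AppData tree, and report whether the file still
# exists. Run from an elevated PowerShell prompt; the output is for manual review.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Any path under <profile>\AppData\{Local,Roaming,LocalLow}
$appDataPattern = '(?i)\\Users\\[^\\]+\\AppData\\(Local|Roaming|LocalLow)\\'

function Get-TargetPath([string]$command) {
    # Return the executable part of a command line (quoted path or first token).
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+)')    { return $Matches[1] }
    return $command
}

function New-Finding([string]$source, [string]$command) {
    # Expand %LOCALAPPDATA%-style variables so those entries match the pattern too.
    $target = [Environment]::ExpandEnvironmentVariables((Get-TargetPath $command))
    if ($target -notmatch $appDataPattern) { return $null }
    $exists  = Test-Path -LiteralPath $target
    $created = $null
    if ($exists) { $created = (Get-Item -LiteralPath $target).CreationTime }
    [pscustomobject]@{ Source = $source; Target = $target; Exists = $exists; Created = $created }
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip the provider's PSPath/PSDrive metadata
        $f = New-Finding "$key\$($p.Name)" ([string]$p.Value)
        if ($f) { $findings += $f }
    }
}

foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }     # e.g. COM-handler actions have no Execute
        $f = New-Finding "Task $($task.TaskPath)$($task.TaskName)" ([string]$action.Execute)
        if ($f) { $findings += $f }
    }
}

# Entries whose target no longer exists are the orphaned remnants worth cleaning up;
# entries that do exist, with a recent CreationTime, deserve a closer look.
$findings | Sort-Object Created | Format-Table -AutoSize
```

This covers only Run keys and scheduled tasks; FRST also reviews services, drivers, WMI subscriptions and browser settings, which this script does not touch.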
oscarcrimwhipples #16 Posted November 7, 2017

Attachments: Addition.txt, FRST.txt
Aura #17 Posted November 7, 2017

Almost done!

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
- Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
- Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
- Click on the Fix button
- On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
- Copy and paste its content in your next reply

How's your system behaving now? Are there any other issues to address?

Attachment: fixlist.txt
oscarcrimwhipples #18 Posted November 7, 2017

Seems to be much better. No issues since the recovery mode fix

Attachment: Fixlog.txt
Aura #19 Posted November 7, 2017

Awesome! Since there are no signs of infection anymore in your logs, and you just told me that there are no more issues left to address, I guess we're done here. We'll wrap it up by running DelFix to delete the tools and logs that were used in this clean-up.

DelFix
Follow the instructions below to download and execute DelFix.
- Download DelFix and move the executable to your Desktop
- Right-click on DelFix.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
- Check the following options:
  - Activate UAC
  - Remove disinfection tools
  - Create registry backup
  - Purge system restore
  - Reset system settings
- Once all the options mentioned above are checked, click on Run
- After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply

Tips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it, which makes it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.
- How To Change Windows Update Settings
- How To Check For & Install Windows Updates

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits (and also 0-days), which are one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, Google Chrome, Mozilla Firefox, VLC Media Player, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like UCheck, SecuniaPSI and Heimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.
- UCheck Documentation
- How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector (PSI)

Anti-Virus

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).
- Sophos Home
- Bitdefender Free Antivirus
- Emsisoft Anti-Malware - Free 30 day trial. Once it expires, EAM enters into a freeware mode where it is still considered an Antivirus program, but without real-time protection
- Avira Free Antivirus
- avast! Free Antivirus

Anti-Malware, Anti-Exploit and Anti-Ransomware

Having a decent security setup (which also includes an Antivirus) is the most crucial step to protect a system. These programs are additional layers of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Fortunately, the new Malwarebytes 3 bundles all these layers in one easy to use and efficient product. Malwarebytes 3 offers Malware, Web, Exploit and Ransomware protection modules that work together in order to keep your system protected and stop an infection at multiple levels.
- Malwarebytes - Comes with a free trial of the Premium version for 14 days, after which it reverts back to the Free version
Note: Please note that only the Premium version of Malwarebytes 3 offers real-time protection (Malware, Web, Exploit and Ransomware). The free version only allows you to scan your system for threats and remove them.

Firewall

Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.
- GlassWire - Has both a free and paid version (with different packages)
- Windows Firewall Control - Gives you more control over your Windows Firewall
- TinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it

Web Browsers and Web Browsing

Web Browsers could be considered as the closest door between a malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits.

Hardening your web browser means installing extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc., but also you at the same time. Here are a few extensions that I recommend you install.
- uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and most Chromium and Firefox-based browsers)
- HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera)
- Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browser)
- NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers)
- uMatrix: For advanced users, a point and click matrix-like extension that allows you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera)
- LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser)

As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:
- The Ultimate Guide to Secure your Online Browsing: Chrome, Firefox and Internet Explorer on Heimdal Security
- Seven Useful Habits For A Safer Internet on Kaspersky Blog
- Tips for Secure Web Browsing: Cybersecurity 101 on VeraCode
- Safe browsing habits on Internet Safety Project Wiki

As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far fewer chances of getting infected by malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security, to improve your current computer protection setup but also improve your good web browsing and computer usage practices:
- Answers to common security questions - Best Practices by quietman7
- How Malware Spreads - How did I get infected by quietman7
- Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams (aka Grinler)
- How to Prevent Malware by miekiemoes
- Tips & Advice on StaySafeOnline.org

The End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on the forums and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you won't!), you can always come back to this section to get another checkup with one of our trained malware removal members.

Do you have any questions before I close this thread?
oscarcrimwhipples #20 Posted November 7, 2017

All set, thank you very much
Aura #21 Posted November 7, 2017

No problem, you're welcome! Stay safe
Aura #22 Posted November 7, 2017

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!