Hello. I've performed some scans with tools found in some of the threads here for example: Malwarebytes Anti-Rootkit which as you can see has picked up something what a paid Norton subscription could not. Below are all of what has been removed and every scan using this very tool has come back clean ever since. Something still lurks in the svchost...I think., (probably) and I'll post the RKill results shortly after.
================================================================================================
Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
Database version:
main: v2014.11.18.05
rootkit: v2014.11.12.01
Windows 10 x64 NTFS
Internet Explorer 11.447.14393.0
AM-I-INFECTED :: DESKTOP-ACTI** [administrator]
06/12/2016 21:39:06
mbar-log-2016-12-06 (21-39-06).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 389178
Time elapsed: 44 minute(s), 11 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 6
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [a79685b85d1ff046ceffbb39c43fcf31]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [211c66d7265672c4d313748001022ed2]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [192477c66f0d5bdb0105d225cb38bb45]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [cd7039045923b18539949b595fa4ad53]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [8db0b38a48343cfa8e582bc9649f6898]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [c5788eafef8d1d19d036fdfa45be50b0]
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)
Edited by LetGetStarted, 07 December 2016 - 11:33 AM.