http://imgur.com/a/vXpNG (contents of 1.bat&1.vbs and 12.bat&12.vbs). Rarsfx1 contains the 12.bat and vbs, whereas all the other folders contain 1.bat and vbs.
In the temp folder, there are these folders rarsfx0-1056. They all contain 1.bat and 1.vbs. When I open my task manager, there are multiple cmd's opened, each taking 0.6 or 0.7 MB. It eats up a lot of my memory. In either the bat or the vbs file, there is an email - roma98(dot)27@mail(dot)ru. At one point, I started deleting all the files, and successfully did so (after deleting the processes, manually deleting all vbs and bat files, then system files, then all the .dll files). Then, I restarted. A command prompt opened up (couldn't take a screenshot) that looked like it connected to the email address (email address was mentioned, and multiple files were being downloaded). I closed it, then went back to the folder, and saw that all the rarsfx0-rarsfx1056 (1057 folders in total) came back.
Used AdwCleaner, Malwarebytes (premium), Kaspersky (premium); it doesn't do anything to the folder or the files at all. Need help, as it's slowing down my laptop, and my dad is super worried.
I used the Everything program to delete all the vbs and bat files, and only then could I delete the system.exe file, then I deleted the folders.
!! DO NOT CLICK ON LINK!! This is the only website on google that contains the exact email words: https://www(dot)google(dot)com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwio-a7J9KXTAhUSLlAKHRsuBicQFggkMAA&url=https%3A%2F%2Fvk(dot)com%2Fwall-93660645&usg=AFQjCNGaxIndpAipavAIXQeC75MxdZA5_A&sig2=y9fg80mwo7Sps0TkSuSL_w&bvm=bv(dot)152479541,d(dot)ZWM !! DO NOT CLICK ON LINK!!
I said do not click on the link because I don't know what the bleep will happen to your PC.
The highlighted system.exe is the file, and as seen in the pictures, all those 32-bit cmd's are open (64-bit laptop). Thanks in advance.
Posted the same thing on Reddit: https://www.reddit.com/r/computerviruses/comments/65hwe7/rarsfx01056/
Edited by blablahbla, 15 April 2017 - 02:36 AM.