
Smart Service Trojan & Other Infections


34 replies to this topic

#1 alecgee

  • Members
  • 20 posts

Posted 13 September 2017 - 12:19 PM

The addition.txt and FRST.txt files are attached. I need to compile a fixlist file. In addition I need to remove the SmartService trojan from my computer and nothing so far has worked. Most every program that can remove it cannot run because of the trojan, and the others are no help whatsoever.

Attached Files




#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 18,218 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 13 September 2017 - 12:33 PM

Hi alecgee :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Do you have a USB Flash Drive? If so, how big is it?

Also, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files


Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 alecgee
  • Topic Starter

  • Members
  • 20 posts

Posted 14 September 2017 - 07:34 PM

I ran the fix on FRST. I have an 8GB flash drive with me right now, and I have access to a 16GB and a 64GB.

Fix result of Farbar Recovery Scan Tool (x64) Version: 11-09-2017 02
Ran by Alec's Laptop (14-09-2017 20:32:22) Run:1
Running from C:\Users\Alec's Laptop\Downloads
Loaded Profiles: Alec's Laptop (Available Profiles: Alec's Laptop)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: dir C:\Windows
CMD: dir C:\Windows\system32\drivers
*****************


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


========= dir C:\Windows =========

 Volume in drive C is Windows
 Volume Serial Number is 929D-9820

 Directory of C:\Windows

09/13/2017  03:51 PM    <DIR>          .
09/13/2017  03:51 PM    <DIR>          ..
08/29/2017  11:54 AM    <DIR>          3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
03/21/2016  12:29 AM    <DIR>          45235788142C44BE8A4DDDE9A84492E5.TMP
05/21/2016  04:47 PM    <DIR>          85EBB28365AF4C539EBE7C0A232762F7.TMP
05/01/2017  09:08 PM    <DIR>          8A809006C25A4A3A9DAB94659BCDB107.TMP
07/26/2017  02:31 PM    <DIR>          8AAB4176A747493AA42CB63CFADFD8E3.TMP
07/14/2009  01:32 AM    <DIR>          addins
05/23/2015  11:01 AM    <DIR>          AppCompat
09/11/2017  07:30 PM    <DIR>          AppPatch
04/15/2015  06:00 PM    <DIR>          AutoKMS
03/21/2016  12:29 AM    <DIR>          AutoRearm
11/20/2010  11:24 PM            71,168 bfsvc.exe
07/14/2009  01:32 AM    <DIR>          Boot
07/14/2009  01:32 AM    <DIR>          Branding
02/11/2015  10:26 PM    <DIR>          ConfigSetRoot
06/01/2015  03:56 PM    <DIR>          Cursors
08/24/2017  05:32 PM    <DIR>          debug
09/10/2015  08:21 PM    <DIR>          Dell
07/14/2009  01:32 AM    <DIR>          diagnostics
07/14/2009  01:37 AM    <DIR>          DigitalLocker
08/29/2017  11:57 AM            74,849 DirectX.log
03/13/2015  11:57 AM    <DIR>          Downloaded Installations
08/24/2017  06:08 PM    <DIR>          Downloaded Program Files
03/21/2016  12:29 AM    <DIR>          E4D153288C89484BB9AAF5BE9EA6D01C.TMP
02/18/2015  08:26 AM                 0 EEventManager.INI
01/19/2017  10:17 AM    <DIR>          ehome
12/21/2016  08:53 PM    <DIR>          en-US
12/21/2016  07:42 PM             2,155 epplauncher.mif
09/10/2017  11:01 AM    <DIR>          erdnt
09/15/2010  07:00 PM            17,776 EvtMessage.dll
11/20/2010  07:24 PM         2,872,320 explorer.exe
07/13/2009  09:39 PM            15,360 fveupdate.exe
08/11/2016  08:29 AM    <DIR>          Globalization
08/30/2000  08:00 PM            80,412 grep.exe
02/23/2017  05:25 PM    <DIR>          Help
07/13/2009  05:39 PM           733,696 HelpPane.exe
07/13/2009  09:39 PM            16,896 hh.exe
06/10/2009  04:30 PM            48,265 HomePremium.xml
07/14/2009  01:37 AM    <DIR>          IME
09/14/2017  03:42 PM    <DIR>          inf
09/03/2017  01:59 PM         1,210,856 is-4UDK7.exe
09/03/2017  01:59 PM               495 is-4UDK7.lst
09/03/2017  01:59 PM            22,701 is-4UDK7.msg
10/02/1998  07:00 PM           327,168 IsUninst.exe
07/03/2017  03:13 PM    <DIR>          KMSServerService
07/14/2009  01:32 AM    <DIR>          L2Schemas
02/26/2015  08:30 AM    <DIR>          LiveKernelReports
06/10/2017  06:11 PM               236 LkmdfCoInst.log
08/17/2017  11:23 PM    <DIR>          Logs
11/07/2010  01:20 PM           208,896 MBR.exe
07/13/2009  07:06 PM            43,131 mib.bin
08/26/2017  05:49 PM    <DIR>          Microsoft.NET
02/11/2015  06:59 PM    <DIR>          Migration
09/14/2017  03:31 PM    <DIR>          Minidump
07/13/2009  10:34 PM    <DIR>          ModemLogs
01/14/2017  07:38 PM             6,688 movexe.exe
01/14/2017  07:38 PM                69 movexe.ini
06/10/2009  04:36 PM             1,405 msdfmap.ini
04/20/2009  12:56 AM            60,416 NIRCMD.exe
07/09/2015  01:57 PM           193,536 notepad.exe
09/13/2017  11:14 PM           882,718 ntbtlog.txt
02/11/2015  10:26 PM    <DIR>          OEM
08/24/2017  06:09 PM    <DIR>          Offline Web Pages
09/17/2015  02:09 PM    <DIR>          Panther
02/17/2015  06:31 PM    <DIR>          PCHEALTH
07/14/2009  01:32 AM    <DIR>          Performance
06/26/2011  02:45 AM           256,000 PEV.exe
09/14/2017  03:30 PM         5,413,586 PFRO.log
07/13/2009  11:20 PM    <DIR>          PLA
09/07/2017  09:50 PM    <DIR>          PolicyDefinitions
09/13/2017  03:05 PM    <DIR>          Prefetch
09/08/2017  12:08 PM    <DIR>          pss
12/19/2016  09:53 PM             4,752 Q070201.log
04/10/2016  10:51 PM             3,878 Q752445.log
07/13/2009  09:39 PM           427,008 regedit.exe
04/08/2016  05:18 AM    <DIR>          registration
09/07/2017  09:48 PM               167 Reimage.ini
08/31/2017  11:56 AM    <DIR>          rescache
07/14/2009  01:32 AM    <DIR>          Resources
04/28/2016  12:10 PM               848 Rtcwplat.INI
02/25/2015  09:31 PM         2,097,152 sample5x.dat
07/13/2009  10:35 PM    <DIR>          SchCache
07/14/2009  01:32 AM    <DIR>          schemas
07/13/2009  11:20 PM    <DIR>          security
08/30/2000  08:00 PM            98,816 sed.exe
07/14/2009  12:45 AM    <DIR>          ServiceProfiles
09/10/2015  08:20 PM    <DIR>          servicing
04/04/2015  07:19 PM    <DIR>          Setup
09/14/2017  03:32 PM             6,950 setupact.log
06/08/2017  10:20 PM                 0 setuperr.log
09/07/2017  09:49 PM    <DIR>          ShellNew
01/15/2017  11:53 AM    <DIR>          SoftwareDistribution
04/12/2011  04:17 AM    <DIR>          Speech
11/20/2010  07:24 PM            67,072 splwow64.exe
06/10/2009  04:31 PM            48,201 Starter.xml
03/05/2015  01:24 PM    <DIR>          Sun
08/30/2000  08:00 PM           518,144 SWREG.exe
08/30/2000  08:00 PM           406,528 SWSC.exe
08/30/2000  08:00 PM           212,480 SWXCACLS.exe
07/13/2009  10:36 PM    <DIR>          system
09/10/2017  10:45 AM               215 system.ini
09/14/2017  03:42 PM    <DIR>          System32
09/12/2017  04:34 PM    <DIR>          SysWOW64
07/14/2009  12:57 AM    <DIR>          TAPI
09/13/2017  11:53 AM    <DIR>          Tasks
09/14/2017  08:32 PM    <DIR>          Temp
02/26/2015  12:42 PM    <DIR>          tracing
06/10/2009  05:41 PM            94,784 twain.dll
02/16/2015  06:11 PM    <DIR>          twain_32
11/20/2010  11:25 PM            51,200 twain_32.dll
06/10/2009  05:41 PM            49,680 twunk_16.exe
07/13/2009  09:14 PM            31,232 twunk_32.exe
07/13/2009  11:20 PM    <DIR>          Vss
07/17/2017  10:36 AM               298 vtmb.ini
07/14/2009  01:32 AM    <DIR>          Web
07/13/2009  09:09 PM               403 win.ini
09/14/2017  03:48 PM           119,614 WindowsUpdate.log
07/13/2009  09:14 PM             9,728 winhlp32.exe
09/13/2017  04:31 PM             4,796 wininit.ini
09/11/2017  07:35 PM    <DIR>          winsxs
06/10/2009  04:52 PM           316,640 WMSysPr9.prx
07/13/2009  09:39 PM            10,240 write.exe
02/16/2015  06:14 PM                44 XP-610.ini
09/03/2017  02:15 PM            73,099 ZAM.krnl.trace
09/03/2017  02:34 PM                 0 ZAM_Guard.krnl.trace
08/30/2000  08:00 PM            68,096 zip.exe
              56 File(s)     17,282,863 bytes
              71 Dir(s)  45,596,848,128 bytes free

========= End of CMD: =========


========= dir C:\Windows\system32\drivers =========

 Volume in drive C is Windows
 Volume Serial Number is 929D-9820

 Directory of C:\Windows\system32\drivers

09/14/2017  03:30 PM    <DIR>          .
09/14/2017  03:30 PM    <DIR>          ..
07/13/2009  08:06 PM            68,096 1394bus.sys
11/20/2010  11:23 PM           229,888 1394ohci.sys
05/23/2012  02:22 PM            27,760 accelern.sys
11/20/2010  11:23 PM           334,208 acpi.sys
11/20/2010  11:23 PM            12,800 acpipmi.sys
07/13/2009  09:52 PM           491,088 adp94xx.sys
07/13/2009  09:52 PM           339,536 adpahci.sys
07/13/2009  09:52 PM           182,864 adpu320.sys
10/13/2015  09:41 AM           497,664 afd.sys
07/13/2009  08:10 PM            60,416 agilevpn.sys
07/13/2009  09:52 PM            61,008 AGP440.sys
07/13/2009  09:52 PM            15,440 aliide.sys
07/13/2009  09:52 PM            15,440 amdide.sys
07/13/2009  07:19 PM            64,512 amdk8.sys
07/13/2009  07:19 PM            60,928 amdppm.sys
03/11/2011  02:41 AM           107,904 amdsata.sys
07/13/2009  09:52 PM           194,128 amdsbs.sys
11/20/2010  07:23 PM            27,008 amdxata.sys
10/12/2013  04:58 PM            33,872 anvsnddrv.sys
08/20/2014  08:50 PM           561,456 Apfiltr.sys
10/11/2016  04:03 PM            62,464 appid.sys
07/13/2009  09:52 PM            87,632 arc.sys
07/13/2009  09:52 PM            97,856 arcsas.sys
07/13/2009  08:10 PM            23,040 asyncmac.sys
07/13/2009  09:52 PM            24,128 atapi.sys
11/20/2010  07:23 PM           155,520 ataport.sys
05/30/2015  03:03 PM           310,728 atksgt.sys
04/06/2016  11:39 PM            55,168 awtfvkwa.sys
06/10/2009  04:34 PM           270,848 b57nd60a.sys
07/13/2009  09:52 PM            28,240 battc.sys
07/13/2009  08:00 PM             6,656 beep.sys
07/13/2009  07:35 PM            45,056 blbdrive.sys
10/05/2016  10:54 AM            90,112 bowser.sys
06/10/2009  04:41 PM            18,432 BrFiltLo.sys
06/10/2009  04:41 PM             8,704 BrFiltUp.sys
07/13/2009  09:01 PM            95,232 bridge.sys
07/13/2009  09:19 PM           286,720 BrSerId.sys
06/10/2009  04:41 PM            47,104 BrSerWdm.sys
06/10/2009  04:41 PM            14,976 BrUsbMdm.sys
06/10/2009  04:41 PM            14,720 BrUsbSer.sys
07/13/2009  08:06 PM            41,984 bthenum.sys
07/13/2009  08:06 PM            72,192 bthmodem.sys
07/06/2017  12:56 AM           119,296 bthpan.sys
07/06/2012  04:07 PM           552,960 bthport.sys
04/27/2011  11:54 PM            80,384 BTHUSB.SYS
06/10/2009  04:34 PM           468,480 bxvbda.sys
07/13/2009  07:19 PM            92,160 cdfs.sys
11/20/2010  11:23 PM           147,456 cdrom.sys
08/19/2013  11:17 PM           107,296 cdryrwpm.sys
07/13/2009  08:06 PM            45,568 circlass.sys
11/20/2010  11:24 PM           179,072 Classpnp.sys
07/13/2009  07:31 PM            17,664 CmBatt.sys
07/13/2009  09:52 PM            17,488 cmdide.sys
11/20/2016  10:07 AM           467,392 cng.sys
07/13/2009  09:52 PM            21,584 compbatt.sys
11/20/2010  11:23 PM            38,912 CompositeBus.sys
07/13/2009  09:47 PM            39,504 crashdmp.sys
07/13/2009  09:47 PM            24,144 crcdisk.sys
05/28/2009  02:49 PM           224,768 CtAudDrv.sys
06/15/2009  05:06 PM           172,704 CtClsFlt.sys
12/05/2012  04:23 PM            98,888 ctxusbm.sys
06/22/2011  06:01 PM            45,672 cvusbdrv.sys
09/10/2015  02:00 PM            95,016 dc3d.sys
09/08/2016  10:55 AM           106,496 dfsc.sys
07/13/2009  07:37 PM            40,448 discache.sys
07/13/2009  09:47 PM            73,280 disk.sys
11/20/2010  07:24 PM            27,520 Diskdump.sys
12/08/2015  02:54 PM           116,736 drmk.sys
12/08/2015  02:11 PM             5,632 drmkaud.sys
07/13/2009  09:47 PM            28,736 Dumpata.sys
07/13/2009  09:43 PM            55,128 dumpfve.sys
07/13/2009  07:38 PM            16,896 dxapi.sys
07/13/2009  07:38 PM            98,816 dxg.sys
04/09/2016  12:01 AM           986,344 dxgkrnl.sys
04/09/2016  12:01 AM           264,936 dxgmms1.sys
06/10/2009  04:35 PM           145,792 E1G6032E.sys
04/06/2010  03:37 AM           301,232 e1k62x64.sys
12/03/2013  09:54 AM            30,752 ElRawDsk.sys
07/13/2009  09:47 PM           530,496 elxstor.sys
09/07/2017  09:53 PM    <DIR>          en-US
07/13/2009  07:31 PM             9,728 errdev.sys
09/10/2017  10:44 AM    <DIR>          etc
06/10/2009  04:34 PM         3,286,016 evbda.sys
07/13/2009  03:23 PM           195,072 exfat.sys
08/21/2017  11:25 PM           101,784 farflt.sys
07/13/2009  03:23 PM           204,800 fastfat.sys
07/13/2009  08:00 PM            29,696 fdc.sys
07/13/2009  09:47 PM            70,224 fileinfo.sys
07/13/2009  07:25 PM            34,304 filetrace.sys
09/20/2006  01:56 AM            57,656 FilterPC.bmp
08/30/2007  11:39 PM            24,995 FilterPC.jpg
07/13/2009  08:00 PM            24,576 flpydisk.sys
11/20/2010  11:24 PM           289,664 fltMgr.sys
07/13/2009  09:47 PM            55,376 fsdepends.sys
03/01/2012  02:46 AM            23,408 fs_rec.sys
11/20/2010  07:24 PM           223,248 fvevol.sys
04/04/2014  07:47 PM           288,192 FWPKCLNT.SYS
07/13/2009  09:47 PM            65,088 GAGP30KX.SYS
10/03/2012  04:14 PM            33,240 GEARAspiWDM.sys
06/10/2009  04:30 PM         3,440,660 gm.dls
06/10/2009  04:30 PM               646 gmreadme.txt
11/13/2013  11:05 AM            16,640 gtkdrv.sys
02/20/2017  08:02 AM            83,008 hcmon.sys
06/10/2009  04:31 PM            31,232 hcw85cir.sys
11/20/2010  11:23 PM           122,368 hdaudbus.sys
11/20/2010  11:23 PM           350,208 HdAudio.sys
01/23/2013  09:18 PM            56,344 HECIx64.sys
07/13/2009  07:31 PM            26,624 hidbatt.sys
07/13/2009  08:06 PM           100,864 hidbth.sys
07/03/2013  12:05 AM            76,800 hidclass.sys
07/13/2009  08:06 PM            46,592 hidir.sys
07/03/2013  12:05 AM            32,896 hidparse.sys
11/20/2010  11:23 PM            30,208 hidusb.sys
09/04/2017  01:45 AM            41,080 hitmanpro37.sys
11/20/2010  11:23 PM            78,720 HpSAMD.sys
02/24/2015  08:18 PM           754,688 http.sys
11/20/2010  11:24 PM            14,720 hwpolicy.sys
07/13/2009  07:19 PM           105,472 i8042prt.sys
11/20/2010  07:23 PM           410,496 iaStorV.sys
02/01/2013  06:58 AM        12,312,928 igdkmd64.sys
07/13/2009  09:48 PM            44,112 iirsp.sys
02/27/2010  03:32 AM           158,976 Impcd.sys
08/22/2011  07:42 PM           317,440 IntcDAud.sys
07/13/2009  09:48 PM            16,960 intelide.sys
07/13/2009  07:19 PM            62,464 intelppm.sys
11/20/2010  11:24 PM            82,944 ipfltdrv.sys
11/20/2010  11:23 PM            78,848 IPMIDrv.sys
07/13/2009  08:10 PM           116,224 ipnat.sys
07/13/2009  08:09 PM           120,320 irda.sys
07/13/2009  08:08 PM            17,920 irenum.sys
07/13/2009  09:48 PM            20,544 isapnp.sys
07/13/2009  09:48 PM            50,768 kbdclass.sys
11/20/2010  11:23 PM            33,280 kbdhid.sys
11/20/2010  11:24 PM           243,712 ks.sys
01/05/2017  07:55 PM            95,464 ksecdd.sys
01/05/2017  07:55 PM           154,856 ksecpkg.sys
07/13/2009  08:00 PM            20,992 ksthunk.sys
06/17/2015  10:25 PM            87,696 LEqdUsb.sys
11/23/2009  08:37 PM            22,408 LGBusEnum.sys
11/23/2009  08:38 PM            16,008 LGVirHid.sys
06/17/2015  10:25 PM            23,184 LHidEqd.sys
06/17/2015  10:25 PM            86,672 LHidFilt.Sys
05/30/2015  02:45 PM            42,696 lirsgt.sys
07/13/2009  08:08 PM            60,928 lltdio.sys
06/17/2015  10:25 PM            69,264 LMouFilt.Sys
06/10/2017  06:11 PM            18,960 LNonPnP.sys
07/13/2009  09:48 PM           114,752 lsi_fc.sys
07/13/2009  09:48 PM           106,560 lsi_sas.sys
07/13/2009  09:48 PM            65,600 lsi_sas2.sys
07/13/2009  09:48 PM           115,776 lsi_scsi.sys
07/13/2009  07:26 PM           113,152 luafv.sys
06/17/2015  10:25 PM            50,832 LUsbFilt.sys
06/27/2017  12:06 PM            77,376 mbae64.sys
08/24/2017  05:10 PM            45,472 mbam.sys
08/24/2017  05:11 PM           188,352 MBAMChameleon.sys
09/14/2017  01:13 PM           194,776 MBAMSwissArmy.sys
07/13/2009  08:01 PM            22,016 mcd.sys
02/24/2009  07:35 PM           255,552 mcdbus.sys
07/13/2009  09:48 PM            35,392 megasas.sys
07/13/2009  09:48 PM           284,736 MegaSR.sys
07/13/2009  08:10 PM            40,448 modem.sys
07/13/2009  07:38 PM            30,208 monitor.sys
07/13/2009  09:48 PM            49,216 mouclass.sys
07/13/2009  08:00 PM            31,232 mouhid.sys
06/14/2016  06:21 PM            94,440 mountmgr.sys
08/25/2016  10:46 AM           295,000 MpFilter.sys
11/20/2010  11:23 PM           155,008 mpio.sys
07/13/2009  08:08 PM            77,312 mpsdrv.sys
09/08/2016  10:55 AM           142,336 mrxdav.sys
01/05/2017  06:25 PM           159,744 mrxsmb.sys
01/05/2017  06:24 PM           291,328 mrxsmb10.sys
01/05/2017  06:24 PM           129,536 mrxsmb20.sys
11/20/2010  11:23 PM            31,104 msahci.sys
11/20/2010  11:23 PM           140,672 msdsm.sys
07/13/2009  07:19 PM            26,112 msfs.sys
06/02/2012  10:35 AM                 3 MsftWdf_Kernel_01011_Inbox_Critical.Wdf
06/02/2012  10:57 AM                 3 MsftWdf_User_01_11_00_Inbox_Critical.Wdf
07/13/2009  08:06 PM             8,192 mshidkmdf.sys
07/13/2009  09:48 PM            15,424 msisadrv.sys
11/20/2010  11:23 PM           273,792 msiscsi.sys
07/13/2009  08:00 PM            11,136 mskssrv.sys
07/13/2009  08:00 PM             7,168 mspclock.sys
07/13/2009  08:00 PM             6,784 mspqm.sys
11/20/2010  11:24 PM           366,976 msrpc.sys
07/13/2009  09:48 PM            32,320 mssmbios.sys
07/13/2009  08:00 PM             8,064 mstee.sys
07/13/2009  08:02 PM            15,360 MTConfig.sys
07/13/2009  09:48 PM            60,496 mup.sys
08/21/2017  03:26 PM            84,256 mwac.sys
10/13/2015  12:57 AM           950,720 ndis.sys
07/13/2009  08:08 PM            35,328 ndiscap.sys
07/13/2009  08:10 PM            24,064 ndistapi.sys
11/20/2010  11:24 PM            56,832 ndisuio.sys
11/20/2010  11:24 PM           164,352 ndiswan.sys
11/20/2010  11:24 PM            57,856 ndproxy.sys
08/25/2017  04:31 PM            22,784 neo_vpn.sys
07/13/2009  08:09 PM            44,544 netbios.sys
05/11/2016  10:58 AM           262,144 netbt.sys
11/26/2013  04:40 AM           376,768 netio.sys
05/29/2013  10:10 AM        11,524,096 NETwsw00.sys
08/25/2015  12:08 AM        11,534,096 NETwsw01.sys
07/13/2009  09:48 PM            51,264 nfrd960.sys
08/25/2016  10:46 AM           135,928 NisDrvWFP.sys
06/19/2015  02:48 PM            35,344 npf.sys
07/13/2009  07:19 PM            44,032 npfs.sys
07/13/2009  07:21 PM            24,576 nsiproxy.sys
04/12/2013  05:45 PM         1,656,680 ntfs.sys
07/13/2009  07:19 PM             6,144 null.sys
02/05/2015  04:49 AM           197,408 nvhda64v.sys
10/18/2016  10:53 AM        12,909,624 nvlddmkm.sys
11/20/2010  07:23 PM           148,352 nvraid.sys
11/20/2010  07:23 PM           166,272 nvstor.sys
09/05/2013  06:37 AM           450,848 nvstusb.sys
07/13/2009  09:48 PM           122,960 NV_AGP.SYS
07/13/2009  08:07 PM           318,976 nwifi.sys
07/13/2009  08:06 PM            72,832 ohci1394.sys
11/20/2010  11:24 PM           131,584 pacer.sys
07/13/2009  08:00 PM            97,280 parport.sys
03/17/2012  03:58 AM            75,120 partmgr.sys
06/04/2008  06:14 PM            32,240 PBADRV.SYS
11/20/2010  11:23 PM           184,704 pci.sys
07/13/2009  09:45 PM            12,352 pciide.sys
07/13/2009  09:45 PM            48,720 pciidex.sys
07/13/2009  09:45 PM           220,752 pcmcia.sys
07/13/2009  09:45 PM            50,768 pcw.sys
12/03/2013  09:54 AM            82,160 PDFsFilter.sys
06/14/2016  01:11 PM           663,552 PEAuth.sys
09/10/2015  02:00 PM            68,904 point64.sys
12/08/2015  02:12 PM           230,400 portcls.sys
07/13/2009  07:19 PM            60,416 processr.sys
07/13/2009  09:45 PM         1,524,816 ql2300.sys
07/13/2009  09:45 PM           128,592 ql40xx.sys
07/13/2009  08:09 PM            46,592 qwavedrv.sys
07/13/2009  08:10 PM            14,848 rasacd.sys
11/20/2010  11:24 PM           129,536 rasl2tp.sys
07/13/2009  08:10 PM            92,672 raspppoe.sys
11/20/2010  11:24 PM           111,104 raspptp.sys
07/13/2009  08:10 PM            83,968 rassstp.sys
02/19/2016  07:17 AM            41,576 rawdsk3.sys
11/20/2010  11:24 PM           309,248 rdbss.sys
07/13/2009  08:17 PM            24,064 rdpbus.sys
07/13/2009  08:16 PM             7,680 RDPCDD.sys
07/13/2009  08:16 PM             7,680 RDPENCDD.sys
07/13/2009  08:16 PM             8,192 RDPREFMP.sys
08/23/2012  10:10 AM            19,456 rdpvideominiport.sys
07/16/2014  09:21 PM           212,480 rdpwd.sys
11/20/2010  11:24 PM           213,888 rdyboost.sys
07/13/2009  08:06 PM           158,720 rfcomm.sys
03/07/2015  08:43 AM            78,848 risdsne64.sys
11/05/2015  05:53 AM           146,944 rmcast.sys
07/13/2009  04:09 PM            41,472 RNDISMP.sys
07/04/2012  04:26 PM            41,472 rndismpx.sys
07/13/2009  08:10 PM            11,264 rootmdm.sys
07/13/2009  08:08 PM            76,800 rspndr.sys
11/20/2010  11:23 PM           103,808 sbp2port.sys
10/08/2014  09:13 AM           127,760 scdemu.sys
11/20/2010  11:24 PM            29,696 scfilter.sys
11/20/2010  11:24 PM           171,392 scsiport.sys
11/20/2010  11:23 PM           109,056 sdbus.sys
06/10/2009  04:37 PM            23,040 secdrv.sys
07/13/2009  08:00 PM            23,552 serenum.sys
07/13/2009  08:00 PM            94,208 serial.sys
07/13/2009  08:00 PM            26,624 sermouse.sys
07/13/2009  08:01 PM            14,336 sffdisk.sys
07/13/2009  08:01 PM            13,824 sffp_mmc.sys
11/20/2010  11:23 PM            14,336 sffp_sd.sys
07/13/2009  08:01 PM            16,896 sfloppy.sys
07/13/2009  09:45 PM            43,584 sisraid2.sys
07/13/2009  09:45 PM            80,464 sisraid4.sys
07/13/2009  08:09 PM            93,184 smb.sys
02/09/2016  02:15 PM            32,936 Smb_driver_Intel.sys
07/13/2009  08:00 PM            20,992 smclib.sys
09/11/2017  07:29 PM                20 SMR501.dat
07/13/2009  09:45 PM            19,008 spldr.sys
06/10/2009  04:48 PM           426,496 spsys.sys
06/30/2015  07:08 PM           526,392 sptd.sys
08/12/2016  09:26 AM           464,896 srv.sys
08/12/2016  09:26 AM           405,504 srv2.sys
08/12/2016  09:26 AM           168,960 srvnet.sys
01/22/2014  08:52 AM           108,800 ssudbus.sys
01/22/2014  08:52 AM           206,080 ssudmdm.sys
07/16/2011  01:31 AM            22,128 stdcfltn.sys
07/13/2009  09:45 PM            24,656 stexstor.sys
11/20/2010  07:24 PM           189,824 storport.sys
07/13/2009  04:06 PM            68,864 stream.sys
08/17/2010  02:59 AM           515,584 stwrt64.sys
03/07/2015  08:44 AM            67,184 ST_ACCEL.sys
07/13/2009  09:45 PM            12,496 swenum.sys
07/13/2009  08:01 PM            29,184 tape.sys
04/04/2014  07:47 PM         1,903,552 tcpip.sys
11/20/2010  07:23 PM            45,056 tcpipreg.sys
11/20/2010  11:24 PM            26,624 tdi.sys
07/13/2009  08:16 PM            15,872 tdpipe.sys
02/17/2012  12:57 AM            23,552 tdtcp.sys
10/13/2015  09:40 AM           118,272 tdx.sys
11/20/2010  11:23 PM            63,360 termdd.sys
07/17/2014  02:21 AM            39,936 tssecsrv.sys
11/20/2010  07:24 PM            59,392 TsUsbFlt.sys
11/20/2010  11:23 PM            31,232 TsUsbGD.sys
11/20/2010  11:24 PM           125,440 tunnel.sys
07/13/2009  09:45 PM            64,080 UAGP35.SYS
11/20/2010  11:23 PM           328,192 udfs.sys
07/22/2015  02:19 PM           102,576 UimBus.sys
07/22/2015  02:19 PM           556,464 UimFIO.sys
07/22/2015  02:19 PM            25,904 uim_devim.sys
07/22/2015  02:19 PM           701,232 uim_im.sys
07/13/2009  09:45 PM            64,592 ULIAGPKX.SYS
11/20/2010  11:23 PM            48,640 umbus.sys
04/08/2016  01:41 AM    <DIR>          UMDF
07/13/2009  08:06 PM             9,728 umpass.sys
02/12/2013  12:12 AM            19,968 usb8023.sys
02/12/2013  12:12 AM            19,968 usb8023x.sys
06/17/2015  05:04 PM            54,784 usbaapl64.sys
07/12/2013  06:40 AM           109,824 USBAUDIO.sys
11/20/2010  11:24 PM            32,896 USBCAMD2.sys
11/27/2013  02:41 AM            99,840 usbccgp.sys
07/12/2013  06:41 AM           100,864 usbcir.sys
11/27/2013  02:41 AM             7,808 usbd.sys
11/27/2013  02:41 AM            53,248 usbehci.sys
11/27/2013  02:41 AM           343,040 usbhub.sys
07/13/2009  04:06 PM            25,600 usbohci.sys
11/27/2013  02:41 AM           325,120 usbport.sys
07/13/2009  08:38 PM            25,088 usbprint.sys
11/20/2010  11:24 PM            31,744 usbrpm.sys
07/03/2013  12:40 AM            42,496 usbscan.sys
02/03/2016  02:07 PM            91,648 USBSTOR.SYS
11/27/2013  02:41 AM            30,720 usbuhci.sys
07/12/2013  06:41 AM           185,344 usbvideo.sys
03/04/2016  05:29 PM           982,504 VBoxDrv.sys
03/04/2016  05:29 PM           127,456 VBoxNetAdp6.sys
03/04/2016  05:29 PM           205,784 VBoxNetLwf.sys
03/04/2016  05:29 PM           148,808 VBoxUSBMon.sys
07/13/2009  09:45 PM            36,432 vdrvroot.sys
07/13/2009  07:38 PM            29,184 vga.sys
07/13/2009  07:38 PM            29,184 vgapnp.sys
11/20/2010  11:23 PM           215,936 vhdmp.sys
07/13/2009  09:45 PM            17,488 viaide.sys
07/13/2009  07:38 PM           129,024 videoprt.sys
09/30/2016  01:11 AM           106,560 vmci.sys
06/19/2017  07:58 PM            49,216 vmparport.sys
06/19/2017  07:58 PM            88,504 vmx86.sys
11/20/2010  11:23 PM            71,552 volmgr.sys
11/20/2010  07:24 PM           363,392 volmgrx.sys
11/20/2010  11:23 PM           295,808 volsnap.sys
07/13/2009  09:45 PM           161,872 vsmraid.sys
07/13/2009  08:07 PM            24,576 vwifibus.sys
07/13/2009  08:07 PM            59,904 vwififlt.sys
07/13/2009  08:07 PM            17,920 vwifimp.sys
07/13/2009  08:02 PM            27,776 wacompen.sys
11/20/2010  11:24 PM            88,576 wanarp.sys
07/13/2009  07:37 PM            42,496 watchdog.sys
07/13/2009  09:45 PM            21,056 wd.sys
04/30/2015  12:01 AM            23,200 wdcsam64.sys
06/25/2013  06:55 PM           785,624 Wdf01000.sys
07/26/2012  12:55 AM            54,376 WdfLdr.sys
07/13/2009  08:09 PM            12,800 wfplwf.sys
07/13/2009  09:45 PM            22,096 wimmount.sys
11/20/2010  11:23 PM            41,984 winusb.sys
03/29/2016  11:48 PM            49,384 WirelessKeyboardFilter.sys
04/27/2010  04:57 PM            26,440 WmBEnum.sys
04/27/2010  02:02 PM            43,976 WmFilter.sys
07/13/2009  07:31 PM            14,336 wmiacpi.sys
07/13/2009  09:45 PM            16,464 wmilib.sys
04/27/2010  04:57 PM            16,200 WmVirHid.sys
04/27/2010  02:03 PM            77,512 WmXlCore.sys
07/13/2009  08:10 PM            21,504 ws2ifsl.sys
07/13/2009  08:39 PM            23,040 WSDPrint.sys
07/13/2009  08:35 PM            25,088 WSDScan.sys
11/20/2010  07:23 PM           112,128 WUDFPf.sys
11/20/2010  07:23 PM           172,544 WUDFRd.sys
             367 File(s)    102,611,943 bytes
               5 Dir(s)  45,596,815,360 bytes free

========= End of CMD: =========


==== End of Fixlog 20:32:22 ====



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,218 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:08:51 AM

Posted 14 September 2017 - 07:37 PM

Good :) Let's try something first though. A new version of MBAR was released. Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the "mbar-log-DATE-(TIME).txt" log that is located in the MBAR folder here after.

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 alecgee

alecgee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 14 September 2017 - 07:44 PM

I keep getting a DDA driver error whenever I try to begin a scan.



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,218 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:08:51 AM

Posted 14 September 2017 - 07:45 PM

If you launch MBAR using the mbar.cmd from the MBAR folder, can you start the scan?



#7 alecgee

alecgee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 14 September 2017 - 07:46 PM

I get the same error.



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,218 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:08:51 AM

Posted 14 September 2017 - 07:58 PM

Just to make sure, you are inside the MBAR folder, not the zipped (.zip) form of it, right?



#9 alecgee

alecgee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 14 September 2017 - 08:08 PM

Yes, I'm in the extracted folder.



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,218 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:08:51 AM

Posted 14 September 2017 - 08:37 PM

Alright in that case, we'll need to remove the infection from within the Recovery Environment.
Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:
  • USB Flash Drive (size depends on whether you have to create a USB Recovery or Installation media)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
  • Another computer (optional: only needed if you cannot work from the infected computer directly)
Preparing the USB Flash Drive
  • Download the right version of FRST for your system:
  • Move the executable (FRST.exe or FRST64.exe) onto your USB Flash Drive
  • Download the attached fixlist.txt, and move it onto your USB Flash Drive as well
Boot in the Recovery Environment
  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
Once in the command prompt
  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Fix button and wait for the scan to complete
  • A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply

Attached Files




#11 alecgee

alecgee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 15 September 2017 - 09:26 AM

Fixlog is attached.

Attached Files



#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,218 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:08:51 AM

Posted 15 September 2017 - 09:48 AM

Awesome :) Now are you able to run a scan with MBAR? If so, do it and after it's done removing the threats and restarting your computer, attach the mbar-log-DATE-(TIME).txt log that will be in the MBAR folder.



#13 alecgee

alecgee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 15 September 2017 - 10:30 AM

I still get the DDA driver error.



#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,218 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:08:51 AM

Posted 15 September 2017 - 10:34 AM

Let's try something else then. Go back in the Recovery Environment, open the command prompt and launch FRST. BUT this time, click on the Scan button instead. A log called FRST.txt will be created on your USB. Attach it here afterwards.



#15 alecgee

alecgee
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:51 AM

Posted 15 September 2017 - 11:21 AM

Here it is.

Attached Files

  • Attached File  FRST.txt   78.17KB   3 downloads




