
Windows 10 on Microsoft Surface Pro 3 - Rootkit nightmare


  • This topic is locked
31 replies to this topic

#1 joe11757

  • Members
  • 58 posts
  • Gender:Male

Posted 01 November 2017 - 08:07 PM

I have a nasty rootkit; it blocks Windows Defender and ALL rootkit programs, including USB-run ones.

 

Logs attached


Oh, it blocks me from even resetting my computer lol

Attached Files




#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 02 November 2017 - 07:29 AM

Hi joe11757 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Please give me a few to review your logs and get back to you.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:22 AM

Posted 02 November 2017 - 07:33 AM

Thank you for waiting. Follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files




#4 joe11757

  • Topic Starter
  • Members
  • 58 posts
  • Gender:Male

Posted 02 November 2017 - 11:02 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-11-2017
Ran by user (02-11-2017 12:01:54) Run:1
Running from C:\Users\admin\Downloads\FRST
Loaded Profiles: user (Available Profiles: defaultuser0 & user)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers
*****************
 
 
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= bcdedit.exe /set {default} recoveryenabled yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= fltmc instances =========
 
Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----   --------  --------
FileInfo                                                         40500     FileInfo                  0     00000003  
FileInfo              \Device\HarddiskVolume2                    40500     FileInfo                  0     00000003  
FileInfo              C:                                         40500     FileInfo                  0     00000003  
FileInfo              \Device\HarddiskVolumeShadowCopy1          40500     FileInfo                  0     00000003  
FileInfo              \Device\HarddiskVolumeShadowCopy2          40500     FileInfo                  0     00000003  
FileInfo              \Device\HarddiskVolumeShadowCopy3          40500     FileInfo                  0     00000003  
FileInfo              \Device\Mup                                40500     FileInfo                  0     00000003  
WdFilter                                                        328010     WdFilter Instance         0     00000007  
WdFilter              \Device\HarddiskVolume2                   328010     WdFilter Instance         0     00000007  
WdFilter              C:                                        328010     WdFilter Instance         0     00000007  
WdFilter              \Device\HarddiskVolumeShadowCopy1         328010     WdFilter Instance         0     00000007  
WdFilter              \Device\HarddiskVolumeShadowCopy2         328010     WdFilter Instance         0     00000007  
WdFilter              \Device\HarddiskVolumeShadowCopy3         328010     WdFilter Instance         0     00000007  
WdFilter              \Device\Mup                               328010     WdFilter Instance         0     00000007  
Wof                                                              40700     Wof Instance              0     00000003  
Wof                   C:                                         40700     Wof Instance              0     00000003  
Wof                   \Device\HarddiskVolumeShadowCopy1          40700     Wof Instance              0     00000003  
Wof                   \Device\HarddiskVolumeShadowCopy2          40700     Wof Instance              0     00000003  
Wof                   \Device\HarddiskVolumeShadowCopy3          40700     Wof Instance              0     00000003  
luafv                 C:                                        135000     luafv                     0     00000003  
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000000  
rchpzgoe              C:                                         45666     rchpzgoe Instance         0     00000000  
rchpzgoe              \Device\Mup                                45666     rchpzgoe Instance         0     00000000  
wcifs                 C:                                        189900     wcifs Instance            0     00000000  
 
========= End of CMD: =========
 
 
========= dir C:\Windows\system32\drivers =========
 
 Volume in drive C has no label.
 Volume Serial Number is B42A-9F13
 
 Directory of C:\Windows\system32\drivers
 
11/01/2017  09:47 PM    <DIR>          .
11/01/2017  09:47 PM    <DIR>          ..
03/18/2017  04:56 PM           238,080 1394ohci.sys
03/18/2017  04:56 PM           107,424 3ware.sys
10/08/2017  03:43 PM           723,360 acpi.sys
03/18/2017  04:56 PM            20,480 AcpiDev.sys
03/18/2017  04:56 PM           127,392 acpiex.sys
03/18/2017  04:56 PM            12,800 acpipagr.sys
03/18/2017  04:56 PM            14,848 acpipmi.sys
03/18/2017  04:56 PM            14,336 acpitime.sys
03/18/2017  04:56 PM         1,135,512 adp80xx.sys
10/08/2017  03:43 PM           610,720 afd.sys
03/18/2017  04:58 PM           108,544 agilevpn.sys
03/18/2017  04:57 PM           239,616 ahcache.sys
03/18/2017  04:56 PM           176,640 amdk8.sys
03/18/2017  04:56 PM           172,544 amdppm.sys
03/18/2017  04:56 PM            83,352 amdsata.sys
03/18/2017  04:56 PM           259,488 amdsbs.sys
03/18/2017  04:56 PM            27,040 amdxata.sys
09/30/2017  01:40 AM           184,728 appid.sys
03/18/2017  04:58 PM            17,920 applockerfltr.sys
03/18/2017  10:30 PM           127,904 AppVStrm.sys
03/18/2017  10:30 PM           161,696 AppvVemgr.sys
03/18/2017  10:30 PM           143,776 AppvVfs.sys
03/18/2017  04:56 PM           132,000 arcsas.sys
03/18/2017  04:57 PM            28,672 asyncmac.sys
03/18/2017  04:56 PM            29,088 atapi.sys
03/18/2017  04:56 PM           194,464 ataport.sys
03/18/2017  04:56 PM            57,344 BasicDisplay.sys
09/29/2017  03:32 AM            35,840 BasicRender.sys
03/18/2017  04:56 PM            36,256 battc.sys
03/18/2017  04:56 PM             9,728 bcmfn2.sys
03/18/2017  04:57 PM            10,240 beep.sys
03/18/2017  04:56 PM           101,888 bowser.sys
10/08/2017  03:43 PM           115,712 bridge.sys
03/18/2017  04:56 PM            23,552 BtaMPM.sys
03/18/2017  04:56 PM           181,248 BthA2DP.sys
03/18/2017  04:56 PM            43,520 BthAvrcpTg.sys
10/08/2017  03:43 PM           105,472 bthenum.sys
03/18/2017  04:56 PM            47,104 BthHfAud.sys
10/08/2017  03:43 PM            97,792 bthhfenum.sys
03/18/2017  04:56 PM            32,256 BthhfHid.sys
10/08/2017  03:43 PM            66,560 bthmodem.sys
10/08/2017  03:43 PM           130,560 bthpan.sys
10/08/2017  03:43 PM           982,016 bthport.sys
03/18/2017  04:56 PM            85,504 BTHUSB.SYS
10/08/2017  03:43 PM            39,424 buttonconverter.sys
03/18/2017  04:56 PM           533,920 bxvbda.sys
03/18/2017  04:56 PM            53,664 CAD.sys
03/18/2017  04:56 PM           122,880 capimg.sys
03/18/2017  04:57 PM            93,184 cdfs.sys
03/18/2017  04:56 PM           160,256 cdrom.sys
03/18/2017  04:57 PM            77,216 CEA.sys
03/18/2017  04:56 PM           102,816 cht4dx64.sys
03/18/2017  04:56 PM           347,032 cht4sx64.sys
03/18/2017  04:56 PM         2,104,224 cht4vx64.sys
03/18/2017  04:56 PM            49,152 circlass.sys
03/18/2017  04:57 PM           391,584 Classpnp.sys
03/18/2017  04:58 PM            12,288 cldflt.sys
10/08/2017  03:43 PM           382,368 clfs.sys
03/18/2017  04:58 PM           877,472 ClipSp.sys
03/18/2017  04:56 PM            30,208 CmBatt.sys
03/18/2017  04:56 PM            28,064 cmimcext.sys
09/30/2017  01:40 AM           642,680 cng.sys
03/18/2017  04:57 PM            39,840 cnghwassist.sys
03/18/2017  04:57 PM            56,224 condrv.sys
03/18/2017  04:57 PM            86,432 crashdmp.sys
03/18/2017  10:30 PM           559,104 csc.sys
07/11/2017  01:40 AM           112,544 dam.sys
03/18/2017  04:56 PM            45,568 devauthe.sys
03/18/2017  04:57 PM           150,528 dfsc.sys
03/18/2017  04:56 PM           102,816 disk.sys
03/18/2017  04:58 PM            38,816 Diskdump.sys
03/18/2017  04:57 PM            15,360 Dmpusbstor.sys
03/18/2017  04:56 PM            47,104 dmvsc.sys
03/18/2017  04:56 PM            97,280 drmk.sys
03/18/2017  04:56 PM            16,232 drmkaud.sys
03/18/2017  04:57 PM            35,744 Dumpata.sys
03/18/2017  04:59 PM            91,152 dumpfve.sys
10/08/2017  03:43 PM           189,344 dumpsd.sys
03/18/2017  04:58 PM            32,256 dumpsdport.sys
03/18/2017  04:57 PM            25,600 Dumpstorport.sys
09/30/2017  01:43 AM         2,442,136 dxgkrnl.sys
07/11/2017  01:40 AM           409,504 dxgmms1.sys
09/30/2017  01:44 AM           712,600 dxgmms2.sys
03/18/2017  04:57 PM            88,992 EhStorClass.sys
03/18/2017  04:56 PM           119,200 EhStorTcgDrv.sys
03/18/2017  10:31 PM    <DIR>          en-US
03/18/2017  04:56 PM            13,824 errdev.sys
10/08/2017  08:27 PM    <DIR>          etc
03/18/2017  04:56 PM         3,419,040 evbda.sys
03/18/2017  04:57 PM           347,136 exfat.sys
07/11/2017  01:40 AM           363,424 fastfat.sys
03/18/2017  04:56 PM            32,768 fdc.sys
03/18/2017  04:56 PM            54,272 filecrypt.sys
03/18/2017  04:57 PM            86,432 fileinfo.sys
03/18/2017  04:57 PM            36,864 filetrace.sys
03/18/2017  04:56 PM            26,624 flpydisk.sys
03/18/2017  04:57 PM           386,464 fltMgr.sys
03/18/2017  04:56 PM            63,904 fsdepends.sys
03/18/2017  04:57 PM            33,688 fs_rec.sys
10/08/2017  03:43 PM           715,168 fvevol.sys
03/18/2017  04:57 PM           419,744 FWPKCLNT.SYS
03/18/2017  04:56 PM            21,504 genericusbfn.sys
03/18/2017  04:57 PM         3,440,660 gm.dls
03/18/2017  04:57 PM               646 gmreadme.txt
03/18/2017  04:58 PM             8,192 gpuenergydrv.sys
07/11/2017  01:40 AM            86,528 hdaudbus.sys
03/18/2017  04:56 PM            38,296 hidbatt.sys
10/08/2017  03:43 PM           107,008 hidbth.sys
03/18/2017  04:56 PM           180,736 hidclass.sys
03/18/2017  04:56 PM            52,224 hidi2c.sys
03/18/2017  04:56 PM            51,104 hidinterrupt.sys
03/18/2017  04:56 PM            46,592 hidir.sys
03/18/2017  04:56 PM            40,960 hidparse.sys
03/18/2017  04:56 PM            40,960 hidusb.sys
03/18/2017  04:56 PM            64,416 HpSAMD.sys
07/11/2017  01:40 AM         1,106,848 http.sys
03/18/2017  04:57 PM            74,648 hvservice.sys
03/18/2017  04:56 PM           118,688 hvsocket.sys
03/18/2017  04:57 PM            29,600 hwpolicy.sys
03/18/2017  04:56 PM            16,896 hyperkbd.sys
03/18/2017  04:56 PM           115,200 i8042prt.sys
03/18/2017  04:56 PM            33,280 iagpio.sys
03/18/2017  04:56 PM            81,408 iai2c.sys
03/18/2017  04:56 PM            70,656 iaLPSS2i_GPIO2.sys
03/18/2017  04:56 PM            85,504 iaLPSS2i_GPIO2_BXT_P.sys
03/18/2017  04:56 PM           165,376 iaLPSS2i_I2C.sys
03/18/2017  04:56 PM           168,448 iaLPSS2i_I2C_BXT_P.sys
03/18/2017  04:56 PM            38,128 iaLPSSi_GPIO.sys
03/18/2017  04:56 PM           113,152 iaLPSSi_I2C.sys
03/18/2017  04:56 PM           673,184 iaStorAV.sys
03/18/2017  04:56 PM           412,064 iaStorV.sys
03/18/2017  04:56 PM           526,240 ibbus.sys
01/10/2017  01:58 AM         7,970,264 igdkmd64.sys
03/18/2017  04:58 PM            36,864 IndirectKmd.sys
05/12/2016  08:32 AM           481,768 IntcDAud.sys
03/18/2017  04:56 PM            19,360 intelide.sys
03/18/2017  04:56 PM            74,840 intelpep.sys
03/18/2017  04:56 PM           193,536 intelppm.sys
03/18/2017  04:57 PM            49,568 iorate.sys
03/18/2017  04:57 PM            87,040 ipfltdrv.sys
03/18/2017  04:56 PM            92,064 IPMIDrv.sys
03/18/2017  04:58 PM           214,528 ipnat.sys
03/18/2017  04:57 PM           120,320 irda.sys
03/18/2017  04:57 PM            19,968 irenum.sys
03/18/2017  04:56 PM            22,944 isapnp.sys
03/18/2017  04:56 PM            64,416 kbdclass.sys
03/18/2017  04:56 PM            40,448 kbdhid.sys
03/18/2017  04:56 PM            23,040 kdnic.sys
03/18/2017  04:58 PM           390,144 ks.sys
09/30/2017  01:49 AM           135,576 ksecdd.sys
03/18/2017  04:58 PM           170,912 ksecpkg.sys
07/11/2017  01:40 AM            27,136 ksthunk.sys
03/18/2017  04:58 PM            66,560 lltdio.sys
08/08/2017  01:59 PM            61,304 lpsport.sys
03/18/2017  04:56 PM           108,960 lsi_sas.sys
03/18/2017  04:56 PM           123,808 lsi_sas2i.sys
03/18/2017  04:56 PM           103,328 lsi_sas3i.sys
03/18/2017  04:56 PM            82,848 lsi_sss.sys
03/18/2017  04:57 PM           124,928 luafv.sys
03/18/2017  04:56 PM           405,408 mausbhost.sys
03/18/2017  04:56 PM            51,104 mausbip.sys
10/04/2017  01:15 PM            77,440 mbae64.sys
10/30/2017  09:07 PM           192,952 MbamChameleon.sys
11/01/2017  09:47 PM           252,232 mbamswissarmy.sys
03/18/2017  04:57 PM            23,552 mcd.sys
03/18/2017  04:56 PM            59,808 megasas.sys
03/18/2017  04:56 PM            64,416 MegaSas2i.sys
03/18/2017  04:56 PM           575,904 megasr.sys
10/08/2017  03:43 PM            97,280 Microsoft.Bluetooth.Legacy.LEEnumerator.sys
03/18/2017  04:56 PM           842,656 mlx4_bus.sys
03/18/2017  04:57 PM            50,688 mmcss.sys
03/18/2017  04:57 PM            42,496 modem.sys
03/18/2017  04:56 PM            39,424 monitor.sys
03/18/2017  04:56 PM            60,320 mouclass.sys
03/18/2017  04:56 PM            33,280 mouhid.sys
03/18/2017  04:57 PM           105,880 mountmgr.sys
03/18/2017  04:58 PM            76,800 mpsdrv.sys
03/18/2017  04:56 PM         1,036,288 mrvlpcie8897.sys
03/18/2017  04:57 PM           144,384 mrxdav.sys
03/18/2017  04:57 PM           467,352 mrxsmb.sys
09/29/2017  03:20 AM           286,208 mrxsmb10.sys
09/30/2017  01:41 AM           228,248 mrxsmb20.sys
03/18/2017  04:57 PM            31,744 msfs.sys
07/16/2016  07:42 AM                 3 MsftWdf_Kernel_01019_Inbox_Critical.Wdf
03/18/2017  04:57 PM           169,888 msgpioclx.sys
03/18/2017  04:56 PM            49,056 msgpiowin32.sys
03/18/2017  04:57 PM             8,704 mshidkmdf.sys
03/18/2017  04:57 PM            12,288 mshidumdf.sys
03/18/2017  04:56 PM            19,352 msisadrv.sys
10/08/2017  03:43 PM           279,968 msiscsi.sys
07/11/2017  01:40 AM            32,768 mskssrv.sys
03/18/2017  04:57 PM            83,456 mslldp.sys
03/18/2017  04:58 PM            10,752 mspclock.sys
03/18/2017  04:58 PM            10,752 mspqm.sys
03/18/2017  04:57 PM           367,000 msrpc.sys
03/18/2017  10:31 PM           230,816 mssecflt.sys
03/18/2017  04:56 PM            44,960 mssmbios.sys
03/18/2017  04:58 PM            12,800 mstee.sys
02/27/2017  09:00 AM           385,088 msux64w10.sys
03/18/2017  04:56 PM            16,896 MTConfig.sys
03/18/2017  04:57 PM           123,808 mup.sys
03/18/2017  04:56 PM            63,904 mvumis.sys
10/30/2017  09:06 PM            94,144 mwac.sys
03/18/2017  04:56 PM           108,960 ndfltr.sys
10/08/2017  03:43 PM         1,242,528 ndis.sys
03/18/2017  04:57 PM            50,688 ndiscap.sys
03/18/2017  04:57 PM           128,512 NdisImPlatform.sys
03/18/2017  04:58 PM            27,136 ndistapi.sys
03/18/2017  04:58 PM            65,536 ndisuio.sys
03/18/2017  04:57 PM            20,992 NdisVirtualBus.sys
03/18/2017  04:58 PM           192,000 ndiswan.sys
03/18/2017  04:58 PM            62,464 ndproxy.sys
03/18/2017  04:58 PM           127,488 Ndu.sys
03/18/2017  04:57 PM           122,368 NetAdapterCx.sys
03/18/2017  04:57 PM            57,760 netbios.sys
10/08/2017  03:43 PM           305,152 netbt.sys
10/08/2017  03:43 PM           519,584 netio.sys
07/11/2017  01:40 AM           118,784 netvsc.sys
03/18/2017  04:57 PM            69,120 npfs.sys
03/18/2017  04:56 PM            27,136 npsvctrig.sys
10/08/2017  03:43 PM            43,520 nsiproxy.sys
09/30/2017  01:48 AM         2,327,448 ntfs.sys
03/18/2017  04:57 PM            20,376 ntosext.sys
03/18/2017  04:57 PM             7,680 null.sys
03/18/2017  04:56 PM            80,896 nvdimmn.sys
03/18/2017  04:56 PM           150,432 nvraid.sys
03/18/2017  04:56 PM           166,304 nvstor.sys
09/29/2017  03:29 AM           550,400 nwifi.sys
03/18/2017  04:57 PM           152,992 pacer.sys
03/18/2017  04:56 PM            97,792 parport.sys
10/08/2017  03:43 PM           159,648 partmgr.sys
03/18/2017  04:56 PM           353,696 pci.sys
03/18/2017  04:56 PM            16,800 pciide.sys
03/18/2017  04:56 PM            53,656 pciidex.sys
03/18/2017  04:56 PM           120,224 pcmcia.sys
03/18/2017  04:57 PM            52,640 pcw.sys
07/11/2017  01:40 AM           117,664 pdc.sys
03/18/2017  04:58 PM           741,376 PEAuth.sys
03/18/2017  04:56 PM            58,784 percsas2i.sys
03/18/2017  04:56 PM            61,848 percsas3i.sys
03/18/2017  04:56 PM           101,376 pmem.sys
03/18/2017  04:56 PM           373,248 portcls.sys
03/18/2017  04:56 PM           172,032 processr.sys
03/18/2017  04:57 PM            49,664 qwavedrv.sys
03/18/2017  04:57 PM            17,920 rasacd.sys
03/18/2017  04:58 PM           107,008 rasl2tp.sys
03/18/2017  04:57 PM            81,920 raspppoe.sys
03/18/2017  04:58 PM            97,792 raspptp.sys
03/18/2017  04:58 PM            79,872 rassstp.sys
03/18/2017  04:57 PM           434,080 rdbss.sys
03/18/2017  10:31 PM            27,136 rdpbus.sys
03/18/2017  10:30 PM           183,296 rdpdr.sys
03/18/2017  10:30 PM            30,624 rdpvideominiport.sys
03/18/2017  04:57 PM           282,528 rdyboost.sys
03/18/2017  04:57 PM         1,735,584 refs.sys
03/18/2017  04:57 PM           936,864 refsv1.sys
03/18/2017  04:57 PM            14,336 registry.sys
10/08/2017  03:43 PM           180,736 rfcomm.sys
03/18/2017  04:56 PM            40,960 RfxVmt.sys
03/18/2017  04:57 PM           150,016 rmcast.sys
03/18/2017  04:57 PM            34,816 RNDISMP.sys
07/11/2017  01:40 AM            13,312 rootmdm.sys
03/18/2017  04:58 PM            82,432 rspndr.sys
04/27/2017  06:09 AM         5,704,704 RTKVHD64.sys
10/29/2015  05:53 AM                98 RTMICAR.DAT
03/18/2017  04:56 PM           110,496 sbp2port.sys
03/18/2017  04:57 PM            43,520 scfilter.sys
03/18/2017  04:56 PM            91,040 scmbus.sys
03/18/2017  04:57 PM           175,520 scsiport.sys
10/08/2017  03:43 PM           287,648 sdbus.sys
03/18/2017  04:56 PM            31,128 SDFRd.sys
03/18/2017  04:56 PM            98,208 sdport.sys
03/18/2017  04:56 PM            94,624 sdstor.sys
03/18/2017  04:57 PM            75,680 SerCx.sys
03/18/2017  04:57 PM           154,016 SerCx2.sys
03/18/2017  04:56 PM            26,112 serenum.sys
03/18/2017  04:56 PM            84,480 serial.sys
03/18/2017  04:56 PM            28,672 sermouse.sys
03/18/2017  04:56 PM            18,432 sfloppy.sys
03/18/2017  04:56 PM            44,960 sisraid2.sys
03/18/2017  04:56 PM            81,824 sisraid4.sys
03/18/2017  04:58 PM            32,672 SleepStudyHelper.sys
03/18/2017  04:57 PM            21,504 smclib.sys
03/18/2017  04:56 PM           167,328 spacedump.sys
03/18/2017  04:56 PM           587,168 spaceport.sys
03/18/2017  10:31 PM            40,352 SpatialGraphFilter.sys
03/18/2017  04:57 PM            80,288 SpbCx.sys
09/29/2017  03:21 AM           414,208 srv.sys
09/29/2017  03:21 AM           722,944 srv2.sys
10/08/2017  03:43 PM           254,976 srvnet.sys
05/18/2017  10:17 PM           131,984 ssudbus.sys
05/18/2017  10:17 PM           166,288 ssudmdm.sys
03/18/2017  04:56 PM            31,136 stexstor.sys
07/11/2017  01:40 AM           144,288 storahci.sys
03/18/2017  04:56 PM            95,648 stornvme.sys
10/08/2017  03:43 PM           546,208 storport.sys
03/18/2017  04:58 PM            79,872 storqosflt.sys
03/18/2017  04:56 PM            36,760 storufs.sys
03/18/2017  04:56 PM            36,768 storvsc.sys
03/18/2017  04:57 PM            75,776 stream.sys
04/13/2017  12:18 AM            60,552 SurfaceAccessoryDevice.sys
04/13/2017  11:11 PM            52,848 SurfaceCapacitiveHomeButton.sys
04/13/2017  08:53 PM            50,312 SurfaceDisplayCalibration.sys
04/13/2017  11:11 PM            58,472 SurfaceIntegrationDriver.sys
04/12/2017  11:36 PM            44,136 SurfacePciController.sys
03/07/2017  03:03 AM           115,600 SurfacePenDriver.sys
03/24/2017  05:19 PM            43,680 SurfaceTypeCover.sys
04/13/2017  11:15 PM            52,760 SurfaceTypeCoverV3Integration.sys
03/18/2017  04:56 PM            18,336 swenum.sys
03/18/2017  04:56 PM            64,512 Synth3dVsc.sys
03/18/2017  04:57 PM            31,232 tape.sys
03/18/2017  04:57 PM            28,064 tbs.sys
09/30/2017  01:36 AM         2,672,024 tcpip.sys
03/18/2017  04:57 PM            51,712 tcpipreg.sys
03/18/2017  04:57 PM            40,352 tdi.sys
10/08/2017  03:43 PM           119,712 tdx.sys
04/12/2017  11:38 PM           109,032 TeeDriverx64.sys
03/18/2017  10:31 PM            37,280 terminpt.sys
07/11/2017  01:40 AM           130,464 tm.sys
07/11/2017  01:40 AM           219,040 tpm.sys
04/12/2017  11:41 PM            44,648 TrueColor.sys
03/18/2017  04:56 PM            61,440 TsUsbFlt.sys
03/18/2017  04:56 PM            35,328 TsUsbGD.sys
03/18/2017  10:30 PM           125,952 tsusbhub.sys
03/18/2017  04:58 PM           162,304 tunnel.sys
03/18/2017  04:56 PM            78,752 uaspstor.sys
10/08/2017  03:43 PM           104,960 UcmCx.sys
03/18/2017  04:58 PM           179,200 UcmTcpciCx.sys
10/08/2017  03:43 PM            51,712 UcmUcsi.sys
03/18/2017  04:56 PM           213,920 Ucx01000.sys
03/18/2017  04:56 PM            45,568 Udecx.sys
03/18/2017  04:57 PM           324,096 udfs.sys
03/18/2017  04:56 PM            29,600 uefi.sys
03/18/2017  10:31 PM            40,344 UevAgentDriver.sys
03/18/2017  04:58 PM           263,584 ufx01000.sys
03/18/2017  04:56 PM            98,712 UfxChipidea.sys
03/18/2017  04:56 PM           138,656 ufxsynopsys.sys
03/18/2017  04:56 PM            57,856 umbus.sys
10/08/2017  09:34 PM    <DIR>          UMDF
03/18/2017  04:56 PM            14,336 umpass.sys
03/18/2017  04:56 PM            29,600 urschipidea.sys
03/18/2017  04:58 PM            59,288 urscx01000.sys
03/18/2017  04:56 PM            28,064 urssynopsys.sys
03/18/2017  04:57 PM            23,040 usb8023.sys
04/12/2017  11:44 PM            87,256 usbaud64.sys
03/18/2017  04:57 PM            37,888 USBCAMD2.sys
09/30/2017  01:40 AM           173,976 usbccgp.sys
03/18/2017  04:56 PM           103,424 usbcir.sys
03/18/2017  04:56 PM            32,160 usbd.sys
03/18/2017  04:56 PM            98,200 usbehci.sys
09/30/2017  01:45 AM           511,896 usbhub.sys
10/08/2017  03:43 PM           554,400 USBHUB3.SYS
03/18/2017  04:56 PM            30,720 usbohci.sys
03/18/2017  04:56 PM           466,336 usbport.sys
03/18/2017  04:56 PM            27,136 usbprint.sys
03/18/2017  04:56 PM            32,768 usbrpm.sys
10/08/2017  03:43 PM            71,680 usbser.sys
03/18/2017  04:56 PM           131,488 USBSTOR.SYS
03/18/2017  04:56 PM            35,328 usbuhci.sys
07/11/2017  01:40 AM           264,192 usbvideo.sys
07/11/2017  01:40 AM           388,000 USBXHCI.SYS
03/18/2017  04:56 PM            54,176 vdrvroot.sys
03/18/2017  04:57 PM           215,456 VerifierExt.sys
07/11/2017  01:40 AM           730,016 vhdmp.sys
03/18/2017  04:56 PM            35,328 vhf.sys
03/18/2017  04:57 PM            49,664 videoprt.sys
10/08/2017  03:43 PM            82,336 vmbkmcl.sys
10/08/2017  03:43 PM            83,968 vmbkmclr.sys
03/18/2017  04:56 PM           107,424 vmbus.sys
03/18/2017  04:56 PM            25,088 VMBusHID.sys
03/18/2017  04:56 PM            13,824 vmgencounter.sys
03/18/2017  04:56 PM            10,240 vmgid.sys
03/18/2017  04:56 PM             9,216 vms3cap.sys
03/18/2017  04:56 PM            47,520 vmstorfl.sys
03/18/2017  04:56 PM            83,360 volmgr.sys
03/18/2017  04:57 PM           373,664 volmgrx.sys
03/18/2017  04:57 PM           397,216 volsnap.sys
03/18/2017  04:56 PM            16,288 volume.sys
03/18/2017  04:56 PM            74,656 vpci.sys
03/18/2017  04:56 PM           166,816 vsmraid.sys
03/18/2017  04:56 PM           305,568 VSTXRAID.SYS
03/18/2017  04:58 PM            27,136 vwifibus.sys
03/18/2017  04:58 PM            77,312 vwififlt.sys
03/18/2017  04:58 PM            41,472 vwifimp.sys
03/18/2017  04:56 PM            30,720 wacompen.sys
03/18/2017  04:58 PM            81,408 wanarp.sys
03/18/2017  04:57 PM            55,808 watchdog.sys
07/11/2017  01:40 AM           142,752 wcifs.sys
03/18/2017  04:57 PM            72,192 wcnfs.sys
03/18/2017  04:56 PM            44,632 WdBoot.sys
03/18/2017  04:57 PM           902,376 Wdf01000.sys
03/18/2017  04:56 PM           294,816 WdFilter.sys
03/18/2017  04:57 PM            61,672 WdfLdr.sys
07/11/2017  01:40 AM           757,248 WdiWiFi.sys
03/18/2017  04:56 PM           121,248 WdNisDrv.sys
03/18/2017  04:57 PM            46,488 werkernel.sys
03/18/2017  04:57 PM           164,768 wfplwfs.sys
03/18/2017  04:57 PM            35,744 wimmount.sys
03/18/2017  04:58 PM            70,232 WindowsTrustedRT.sys
03/18/2017  04:56 PM            18,520 WindowsTrustedRTProxy.sys
03/18/2017  04:56 PM            31,648 winhv.sys
03/18/2017  04:57 PM            55,296 winhvr.sys
03/18/2017  04:56 PM            32,160 winmad.sys
03/18/2017  04:58 PM           217,088 winnat.sys
03/18/2017  04:56 PM            90,112 winusb.sys
03/18/2017  04:56 PM            64,920 winverbs.sys
03/18/2017  04:56 PM            18,432 wmiacpi.sys
03/18/2017  04:57 PM            20,384 wmilib.sys
11/01/2017  09:47 PM           116,560 wmseilor.sys
03/18/2017  04:57 PM           208,288 wof.sys
03/18/2017  04:59 PM            30,624 WpdUpFltr.sys
03/18/2017  04:57 PM            33,184 WppRecorder.sys
03/18/2017  04:57 PM            23,552 ws2ifsl.sys
03/18/2017  04:56 PM            22,528 WSDPrint.sys
03/18/2017  04:56 PM            24,576 WSDScan.sys
03/18/2017  04:57 PM           100,864 WUDFPf.sys
03/18/2017  04:57 PM           220,672 WUDFRd.sys
07/11/2017  01:40 AM           277,504 xboxgip.sys
03/18/2017  04:56 PM            46,592 xinputhid.sys
             416 File(s)     92,441,607 bytes
               5 Dir(s)  183,998,390,272 bytes free
 
========= End of CMD: =========
 
 
==== End of Fixlog 12:01:54 ====
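The driver listing above is the tail of the `dir` output that FRST's `CMD:` directive echoes into Fixlog.txt. When triaging such a listing for a suspected rootkit, one quick pass is to group files by modification date: drivers shipped by an OS build or a cumulative update carry the same date in bulk, so a driver with a date shared by few or no others is a candidate for signature and publisher verification (a candidate only, not a verdict). The script below is an added example, not part of the thread or of FRST; it parses the Fixlog `dir` format and flags date outliers. The sample input is constructed from lines copied out of the listing above, and the `min_cluster` threshold is an assumed triage setting.

```python
"""Triage a Windows `dir` listing of drivers by modification-date outliers.

Added example, not from the forum thread or from FRST. Input is the
`dir` output format that FRST's CMD: directive echoes into Fixlog.txt
(MM/DD/YYYY  HH:MM AM/PM  size  name). Everything else here is assumed.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a handful of lines copied from the Fixlog listing above.
SAMPLE_LISTING = """\
03/18/2017  04:56 PM           305,568 VSTXRAID.SYS
03/18/2017  04:58 PM            27,136 vwifibus.sys
07/11/2017  01:40 AM           142,752 wcifs.sys
03/18/2017  04:56 PM            44,632 WdBoot.sys
03/18/2017  04:57 PM           902,376 Wdf01000.sys
03/18/2017  04:56 PM           294,816 WdFilter.sys
07/11/2017  01:40 AM           757,248 WdiWiFi.sys
03/18/2017  04:56 PM            18,432 wmiacpi.sys
11/01/2017  09:47 PM           116,560 wmseilor.sys
03/18/2017  04:57 PM           208,288 wof.sys
07/11/2017  01:40 AM           277,504 xboxgip.sys
             416 File(s)     92,441,607 bytes
               5 Dir(s)  183,998,390,272 bytes free
"""

# One `dir` file row: date, 12-hour time, comma-grouped size, name.
# "<DIR>" rows and the File(s)/Dir(s) summary rows do not match.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*)$"
)


def parse_dir_listing(text):
    """Return a list of (mtime, size_bytes, name) for each file row."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.rstrip())
        if not m:
            continue  # directory rows, summary rows, blank lines
        date_s, time_s, size_s, name = m.groups()
        mtime = datetime.strptime(f"{date_s} {time_s}", "%m/%d/%Y %I:%M %p")
        entries.append((mtime, int(size_s.replace(",", "")), name))
    return entries


def find_timestamp_outliers(entries, min_cluster=2):
    """Return names whose modification date is shared by fewer than
    `min_cluster` files in the listing (sorted case-insensitively).

    Heuristic only: a lone date means "look at this one first", e.g. check
    its Authenticode signature and publisher; it is not a malware verdict.
    `min_cluster` is an assumed triage threshold, not a documented value.
    """
    by_date = Counter(entry[0].date() for entry in entries)
    return sorted(
        (name for mtime, _, name in entries if by_date[mtime.date()] < min_cluster),
        key=str.lower,
    )


if __name__ == "__main__":
    found = parse_dir_listing(SAMPLE_LISTING)
    print(f"{len(found)} driver rows parsed")
    for name in find_timestamp_outliers(found):
        print("date outlier, verify signature/publisher:", name)
```

On the sample rows the only date that stands alone is 11/01/2017, so `wmseilor.sys` is the one row reported; raising `min_cluster` also surfaces the smaller 07/11/2017 group, which is how you would widen the net on a listing with several update waves.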


#5 Aura (Malware Response Team)

Posted 02 November 2017 - 11:15 AM

Do you have a USB Flash Drive? If so, how big is it?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 joe11757 (Topic Starter)

Posted 02 November 2017 - 04:22 PM

Do you have a USB Flash Drive? If so, how big is it?

Yes, I have one, 16 GB.

 

Sorry for the late reply, I was at school.


Edited by joe11757, 02 November 2017 - 04:22 PM.


#7 Aura (Malware Response Team)

Posted 03 November 2017 - 07:52 AM

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here after.



#8 joe11757 (Topic Starter)

Posted 03 November 2017 - 08:10 AM

It will not run at all; as admin or not, it won't start up.



#9 joe11757 (Topic Starter)

Posted 03 November 2017 - 08:17 AM

I also tried the zip version, it blocked that as well. 



#10 Aura (Malware Response Team)

Posted 03 November 2017 - 10:33 AM

Are you able to launch the mbar.cmd file inside the MBAR folder (using Admin Rights, once again)?



#11 joe11757 (Topic Starter)

Posted 03 November 2017 - 10:49 AM

Running it now, give me a minute.



#12 joe11757 (Topic Starter)

Posted 03 November 2017 - 10:57 AM

Are you able to launch the mbar.cmd file inside the MBAR folder (using Admin Rights, once again)?

Computer is frozen on the restart screen.

Attached Files


Edited by joe11757, 03 November 2017 - 10:59 AM.


#13 joe11757 (Topic Starter)

Posted 03 November 2017 - 11:08 AM

Restarted; Defender works, as well as MBAR.

 

How can we confirm it is clean?



#14 Aura (Malware Response Team)

Posted 03 November 2017 - 11:46 AM

Can you provide me the "mbar-log-DATE-(TIME).txt" file that should be in the MBAR folder?



#15 joe11757 (Topic Starter)

Posted 03 November 2017 - 02:38 PM

Trying to get it; it keeps freezing up on the restart now.





