Persistent rootkit cannot remove


This topic is locked
8 replies to this topic

#1 Austin0751 (Members, 6 posts)

Posted 01 November 2017 - 08:43 PM

In the past week I was able to remove a host of DNS changers and trojans on my computer. But my internet connection is still experiencing latency issues, and I noticed that this may stem from an .exe called Tihevna.exe that I found siphoning off my network and making TCP connections. I am unable to remove or enter the folder for vdswuto due to not having privileges for AppData/local/vdswuto/tihevna.exe. I am the admin account and I have tried to Take Ownership of the folders vdswuto and vdnewkt and cannot. I need some help with getting rid of these problematic files and folders.

 

https://imgur.com/a/K7qFz

 

https://imgur.com/a/r4z9K

 

See https://forums.malwarebytes.com/topic/213617-cannot-remove-spywareadware-dnschanger-trojan/?page=2 for more background on this issue; we found a rootkit file located at c:\windows\system32\drivers\coiuxaeh.sys

 

This rootkit survives deletion.

Attached Files


#2 Aura (Bleepin' Special Ops, Malware Response Team, 19,683 posts)

Posted 01 November 2017 - 08:45 PM

Hi Austin0751 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste here the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Austin0751 (Topic Starter, Members, 6 posts)

Posted 01 November 2017 - 08:51 PM

I have already run MBAR and it found nothing. When I run GMER, on the other hand, it finds the problematic driver coiuxaeh.sys immediately, but when GMER scans it has been crashing my PC.

 

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.11.01.12
  rootkit: v2017.10.14.01
 
Windows 10 x64 NTFS
Internet Explorer 11.15.16299.0
Austin Solecitto :: AUSTINSOLECITTO [administrator]
 
11/1/2017 9:25:28 PM
mbar-log-2017-11-01 (21-25-28).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 363817
Time elapsed: 7 minute(s), 25 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)


#4 Aura (Bleepin' Special Ops, Malware Response Team, 19,683 posts)

Posted 01 November 2017 - 08:55 PM

Do you have a USB Flash Drive? If so, how big is it?

Also, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files


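The fixlist Aura attaches here runs, among other things, `fltmc instances` and `dir C:\Windows\system32\drivers`, and the output comes back in the next reply. Reading those two dumps by eye is the slow part of this kind of triage, so below is a small Python script, added to this thread as an illustration and not part of FRST or of Aura's instructions, that parses both outputs: it lists every minifilter that is not part of a stock Windows 10 install together with the Microsoft load-order group its altitude falls in, and it lists the .sys files whose timestamp is within a week of the scan. The baseline filter set, the altitude table (a subset of Microsoft's published ranges) and the one-week window are my assumptions; the sample rows are copied from the log in the next reply.

```python
"""Triage for two of the FRST fixlist commands: `fltmc instances` and
`dir C:\\Windows\\system32\\drivers`.  Added example, not FRST's own code."""
import re
from datetime import datetime, timedelta

# Minifilters a stock Windows 10 (1709-era) install loads on its own.
# Assumption: anything else is "review", which is not the same as "malicious".
BASELINE_FILTERS = {"FileInfo", "Wof", "luafv", "npsvctrig", "wcifs",
                    "FileCrypt", "bindflt", "storqosflt", "CldFlt", "WdFilter"}
# Subset of Microsoft's published minifilter load-order groups (low, high, group).
ALTITUDE_GROUPS = [
    (400000, 409999, "FSFilter Top"),
    (360000, 389999, "FSFilter Activity Monitor"),
    (320000, 329999, "FSFilter Anti-Virus"),
    (140000, 149999, "FSFilter Encryption"),
    (130000, 139999, "FSFilter Virtualization"),
    (80000, 89999, "FSFilter Security Enhancer"),
    (40000, 49999, "FSFilter Bottom"),
]
SCAN_TIME = datetime(2017, 11, 1, 21, 58, 1)   # "Ran by ... (01-11-2017 21:58:01)"


def altitude_group(altitude):
    for low, high, group in ALTITUDE_GROUPS:
        if low <= altitude <= high:
            return group
    return "outside the ranges listed above"


def parse_fltmc_instances(text):
    """Data rows of `fltmc instances` as dicts.  Columns are separated by two
    or more spaces; a row with a blank Volume Name has one field fewer."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Filter ", "---", "=")):
            continue                       # header, ruler, FRST banner
        fields = re.split(r"\s{2,}", line)
        if len(fields) == 5:               # blank volume column
            fields.insert(1, "")
        if len(fields) != 6:
            continue                       # not a data row
        name, volume, altitude, instance, _frame, _sprt = fields
        rows.append({"filter": name, "volume": volume,
                     "altitude": float(altitude), "instance": instance})
    return rows


def flag_filters(rows, baseline=BASELINE_FILTERS):
    """{filter: (altitude, group)} for every filter outside the baseline."""
    return {r["filter"]: (r["altitude"], altitude_group(r["altitude"]))
            for r in rows if r["filter"] not in baseline}


DIR_ROW = re.compile(r"^(\d\d/\d\d/\d{4}\s+\d\d:\d\d [AP]M)\s+([\d,]+)\s+(\S.*)$")


def parse_dir_listing(text):
    """(name, modified, size) per file row of a US-locale `dir` listing;
    <DIR> rows have no numeric size and are skipped."""
    files = []
    for line in text.splitlines():
        m = DIR_ROW.match(line.strip())
        if m:
            stamp, size, name = m.groups()
            modified = datetime.strptime(" ".join(stamp.split()), "%m/%d/%Y %I:%M %p")
            files.append((name, modified, int(size.replace(",", ""))))
    return files


def recent_drivers(files, scan_time=SCAN_TIME, window=timedelta(days=7)):
    """.sys files modified within `window` before the scan, newest first."""
    cutoff = scan_time - window
    hits = [(n, t) for n, t, _ in files if n.lower().endswith(".sys") and t >= cutoff]
    return sorted(hits, key=lambda nt: nt[1], reverse=True)


# Sample rows copied from the fltmc / dir output posted in the next reply.
FLTMC_SAMPLE = r"""
Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----   --------  --------
FileCrypt             E:                                        141100     FileCrypt Instance        0     00000007
FileInfo                                                         40500     FileInfo                  0     00000007
ZAM                   C:                                         80681     ZAMDefaultFilter          0     00000000
epp                   C:                                        328900     epp Instance              0     00000004
luafv                 C:                                        135000     luafv                     0     00000007
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000000
zwkinr                C:                                         45666     zwkinr Instance           0     00000000
zwkinr                \Device\Mup                                45666     zwkinr Instance           0     00000000
"""
DIR_SAMPLE = r"""
11/01/2017  09:25 PM    <DIR>          .
09/29/2017  09:41 AM           237,056 1394ohci.sys
11/01/2017  09:25 PM           255,928 215297B6.sys
11/01/2017  06:02 PM           137,040 coiuxaeh.sys
09/29/2017  09:41 AM         3,440,660 gm.dls
11/01/2017  07:58 PM            55,232 hitmanpro37.sys
11/01/2017  09:24 PM           192,952 MbamChameleon.sys
11/01/2017  05:24 PM            94,144 mwac.sys
10/28/2017  05:19 PM            79,064 rtnoh.sys
"""

if __name__ == "__main__":
    for name, (alt, group) in flag_filters(parse_fltmc_instances(FLTMC_SAMPLE)).items():
        print(f"review filter {name:<10} altitude {alt:>8.0f}  {group}")
    for name, when in recent_drivers(parse_dir_listing(DIR_SAMPLE)):
        print(f"recent driver {name:<20} modified {when:%Y-%m-%d %H:%M}")
```

"Flagged" means "look it up", not "malicious": in this log the same one-week window holds the suspect coiuxaeh.sys next to the drivers HitmanPro and Malwarebytes dropped during the clean-up, and ZAM and epp sit in altitude ranges Microsoft allocates to security products. zwkinr, a filter name that matches no product named in the thread, is flagged as well; whether it belongs to something installed on the machine is the question the helper then has to answer, and the script deliberately leaves that judgement to the reader.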


#5 Austin0751 (Topic Starter, Members, 6 posts)

Posted 01 November 2017 - 08:57 PM

Edit: I have 2 flash drives; both are 16 GB.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-11-2017
Ran by Austin Solecitto (01-11-2017 21:58:01) Run:4
Running from C:\Users\Austin Solecitto\Desktop
Loaded Profiles: Austin Solecitto (Available Profiles: Austin Solecitto & Administrator)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers
*****************
 
 
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= bcdedit.exe /set {default} recoveryenabled yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= fltmc instances =========
 
Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----   --------  --------
FileCrypt             E:                                        141100     FileCrypt Instance        0     00000007  
FileInfo              D:                                         40500     FileInfo                  0     00000007  
FileInfo              E:                                         40500     FileInfo                  0     00000007  
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo              C:                                         40500     FileInfo                  0     00000007  
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo              F:                                         40500     FileInfo                  0     00000007  
FileInfo              \Device\HarddiskVolumeShadowCopy1          40500     FileInfo                  0     00000007  
FileInfo              \Device\Mup                                40500     FileInfo                  0     00000007  
Wof                   D:                                         40700     Wof Instance              0     00000007  
Wof                   E:                                         40700     Wof Instance              0     00000007  
Wof                                                              40700     Wof Instance              0     00000007  
Wof                                                              40700     Wof Instance              0     00000007  
Wof                   C:                                         40700     Wof Instance              0     00000007  
Wof                                                              40700     Wof Instance              0     00000007  
Wof                   \Device\HarddiskVolumeShadowCopy1          40700     Wof Instance              0     00000007  
ZAM                   D:                                         80681     ZAMDefaultFilter          0     00000000  
ZAM                   E:                                         80681     ZAMDefaultFilter          0     00000000  
ZAM                                                              80681     ZAMDefaultFilter          0     00000000  
ZAM                                                              80681     ZAMDefaultFilter          0     00000000  
ZAM                   C:                                         80681     ZAMDefaultFilter          0     00000000  
ZAM                                                              80681     ZAMDefaultFilter          0     00000000  
ZAM                   F:                                         80681     ZAMDefaultFilter          0     00000000  
ZAM                   \Device\HarddiskVolumeShadowCopy1          80681     ZAMDefaultFilter          0     00000000  
ZAM                   \Device\Mup                                80681     ZAMDefaultFilter          0     00000000  
epp                   D:                                        328900     epp Instance              0     00000004  
epp                   E:                                        328900     epp Instance              0     00000004  
epp                                                             328900     epp Instance              0     00000004  
epp                                                             328900     epp Instance              0     00000004  
epp                   C:                                        328900     epp Instance              0     00000004  
epp                                                             328900     epp Instance              0     00000004  
epp                   F:                                        328900     epp Instance              0     00000004  
epp                   \Device\HarddiskVolumeShadowCopy1         328900     epp Instance              0     00000004  
epp                   \Device\Mup                               328900     epp Instance              0     00000004  
luafv                 C:                                        135000     luafv                     0     00000007  
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000000  
wcifs                 E:                                        189900     wcifs Instance            0     00000007  
wcifs                 C:                                        189900     wcifs Instance            0     00000007  
zwkinr                C:                                         45666     zwkinr Instance           0     00000000  
zwkinr                \Device\Mup                                45666     zwkinr Instance           0     00000000  
 
========= End of CMD: =========
 
 
========= dir C:\Windows\system32\drivers =========
 
 Volume in drive C has no label.
 Volume Serial Number is B0BC-D05A
 
 Directory of C:\Windows\system32\drivers
 
11/01/2017  09:25 PM    <DIR>          .
11/01/2017  09:25 PM    <DIR>          ..
09/29/2017  09:41 AM           237,056 1394ohci.sys
11/01/2017  09:25 PM           255,928 215297B6.sys
09/29/2017  09:41 AM           107,416 3ware.sys
08/10/2016  11:11 PM           159,360 9DD97E12-2970-45CF-A3-1D-C7-AD-93-DC-63-96.sys
09/29/2017  09:41 AM           733,592 acpi.sys
09/29/2017  09:41 AM            20,480 AcpiDev.sys
09/29/2017  09:41 AM           127,896 acpiex.sys
09/29/2017  09:41 AM            12,800 acpipagr.sys
09/29/2017  09:41 AM            14,336 acpipmi.sys
09/29/2017  09:41 AM            13,312 acpitime.sys
09/29/2017  09:41 AM         1,135,512 adp80xx.sys
09/29/2017  09:41 AM           614,296 afd.sys
09/29/2017  09:41 AM           108,032 agilevpn.sys
09/29/2017  09:41 AM           240,640 ahcache.sys
09/29/2017  09:41 AM           180,224 amdk8.sys
10/27/2014  07:46 PM            62,152 amdkmpfd.sys
09/29/2017  09:41 AM           178,176 amdppm.sys
09/29/2017  09:41 AM            83,352 amdsata.sys
09/29/2017  09:41 AM           258,592 amdsbs.sys
09/29/2017  09:41 AM            27,032 amdxata.sys
09/29/2017  09:41 AM           191,008 appid.sys
09/29/2017  09:41 AM            18,432 applockerfltr.sys
09/29/2017  10:42 AM           126,872 AppVStrm.sys
09/29/2017  10:42 AM           158,616 AppvVemgr.sys
09/29/2017  10:42 AM           143,768 AppvVfs.sys
10/19/2017  07:22 PM    <DIR>          ar-SA
09/29/2017  09:41 AM           131,992 arcsas.sys
09/29/2017  09:41 AM            28,160 asyncmac.sys
09/29/2017  09:41 AM            28,568 atapi.sys
09/29/2017  09:41 AM           194,456 ataport.sys
10/05/2017  06:53 PM            44,488 avkmgr.sys
10/05/2017  06:53 PM            38,048 avusbflt.sys
09/29/2017  09:42 AM            60,312 bam.sys
09/29/2017  09:41 AM            58,880 BasicDisplay.sys
10/18/2017  09:39 PM            34,816 BasicRender.sys
09/29/2017  09:41 AM            39,832 battc.sys
09/29/2017  09:41 AM             9,728 bcmfn2.sys
09/29/2017  09:42 AM            10,240 beep.sys
01/30/2015  11:29 PM    <DIR>          bg-BG
09/29/2017  09:41 AM           101,888 bowser.sys
09/29/2017  09:41 AM           116,736 bridge.sys
09/29/2017  09:41 AM            23,040 BtaMPM.sys
09/29/2017  09:41 AM            45,056 BthAvrcpTg.sys
09/29/2017  09:41 AM           107,008 bthhfenum.sys
09/29/2017  09:41 AM            31,232 BthhfHid.sys
09/29/2017  09:40 AM            67,584 bthmodem.sys
09/29/2017  09:41 AM            37,784 bttflt.sys
09/29/2017  09:41 AM            39,424 buttonconverter.sys
09/29/2017  09:41 AM           533,912 bxvbda.sys
09/29/2017  09:40 AM            60,312 CAD.sys
09/29/2017  09:41 AM           122,368 capimg.sys
09/29/2017  09:41 AM            93,184 cdfs.sys
09/29/2017  09:41 AM           159,744 cdrom.sys
09/29/2017  09:41 AM            78,744 CEA.sys
09/29/2017  09:41 AM           141,208 cht4dx64.sys
09/29/2017  09:41 AM           357,272 cht4sx64.sys
09/29/2017  09:41 AM         1,723,288 cht4vx64.sys
09/29/2017  09:40 AM            49,152 circlass.sys
09/29/2017  09:41 AM           403,352 Classpnp.sys
09/29/2017  09:41 AM           384,000 cldflt.sys
10/18/2017  09:39 PM           373,656 clfs.sys
09/29/2017  09:41 AM         1,007,512 ClipSp.sys
09/29/2017  09:41 AM            29,696 CmBatt.sys
09/29/2017  09:41 AM            28,568 cmimcext.sys
10/18/2017  09:39 PM           677,280 cng.sys
09/29/2017  09:41 AM            39,320 cnghwassist.sys
11/01/2017  06:02 PM           137,040 coiuxaeh.sys
09/29/2017  09:41 AM            55,704 condrv.sys
09/29/2017  09:41 AM            85,912 crashdmp.sys
09/29/2017  10:42 AM           559,616 csc.sys
09/29/2017  09:42 AM            81,304 dam.sys
10/17/2017  11:48 AM            45,640 dbx-canary.sys
10/17/2017  11:48 AM            45,672 dbx-dev.sys
10/17/2017  11:48 AM            45,640 dbx-stable.sys
10/19/2017  07:22 PM    <DIR>          de-DE
09/29/2017  09:41 AM            45,056 devauthe.sys
09/29/2017  09:41 AM           151,040 dfsc.sys
09/29/2017  09:41 AM            94,104 disk.sys
09/29/2017  09:41 AM            38,808 Diskdump.sys
09/29/2017  09:41 AM            15,360 Dmpusbstor.sys
09/29/2017  09:41 AM            46,592 dmvsc.sys
09/15/2017  02:49 PM            21,232 dpclat_driver.sys
09/29/2017  09:40 AM            96,768 drmk.sys
09/29/2017  09:40 AM            16,224 drmkaud.sys
09/29/2017  09:41 AM            35,736 Dumpata.sys
09/29/2017  09:43 AM            91,152 dumpfve.sys
09/29/2017  09:41 AM           187,288 dumpsd.sys
09/29/2017  09:41 AM            32,256 dumpsdport.sys
09/29/2017  09:41 AM            25,600 Dumpstorport.sys
10/18/2017  09:39 PM         2,573,208 dxgkrnl.sys
09/29/2017  09:41 AM           408,096 dxgmms1.sys
09/29/2017  09:41 AM           749,976 dxgmms2.sys
04/15/2017  09:25 PM           560,680 EasyAntiCheat.sys
09/29/2017  09:41 AM            87,960 EhStorClass.sys
09/29/2017  09:40 AM           118,680 EhStorTcgDrv.sys
10/19/2017  07:22 PM    <DIR>          en-US
09/29/2017  09:41 AM            13,824 errdev.sys
10/31/2017  06:48 PM    <DIR>          etc
10/21/2017  10:19 PM            32,840 ETDSMBus.sys
09/29/2017  09:41 AM         3,419,032 evbda.sys
09/29/2017  09:41 AM           354,304 exfat.sys
09/29/2017  09:41 AM           371,608 fastfat.sys
09/29/2017  09:41 AM            32,768 fdc.sys
09/29/2017  09:41 AM            55,808 filecrypt.sys
09/29/2017  09:41 AM            85,400 fileinfo.sys
09/29/2017  09:41 AM            36,864 filetrace.sys
09/29/2017  09:41 AM            26,624 flpydisk.sys
09/29/2017  09:41 AM           398,744 fltMgr.sys
10/19/2017  07:22 PM    <DIR>          fr-FR
09/29/2017  09:41 AM            62,872 fsdepends.sys
09/29/2017  09:41 AM            34,200 fs_rec.sys
09/29/2017  09:43 AM           727,448 fvevol.sys
09/29/2017  09:41 AM           441,240 FWPKCLNT.SYS
09/29/2017  09:41 AM            20,992 genericusbfn.sys
09/29/2017  09:41 AM         3,440,660 gm.dls
09/29/2017  09:41 AM               646 gmreadme.txt
09/29/2017  09:41 AM             8,192 gpuenergydrv.sys
09/29/2017  09:40 AM            86,016 hdaudbus.sys
10/19/2017  07:22 PM    <DIR>          he-IL
09/29/2017  09:41 AM            38,296 hidbatt.sys
09/29/2017  09:41 AM           114,688 hidbth.sys
09/29/2017  09:41 AM           187,392 hidclass.sys
09/29/2017  09:41 AM            52,224 hidi2c.sys
09/29/2017  09:41 AM            50,584 hidinterrupt.sys
09/29/2017  09:40 AM            46,592 hidir.sys
09/29/2017  09:41 AM            45,568 hidparse.sys
09/29/2017  09:41 AM            40,960 hidusb.sys
11/01/2017  07:58 PM            55,232 hitmanpro37.sys
09/29/2017  09:41 AM            63,520 HpSAMD.sys
09/29/2017  09:41 AM         1,103,768 http.sys
09/29/2017  09:41 AM            73,112 hvservice.sys
09/29/2017  09:41 AM           129,432 hvsocket.sys
09/28/2017  01:25 AM            27,552 HWiNFO64A.SYS
09/29/2017  09:41 AM            29,592 hwpolicy.sys
09/29/2017  09:41 AM            16,896 hyperkbd.sys
09/29/2017  09:41 AM            28,160 HyperVideo.sys
09/29/2017  09:41 AM           105,984 i8042prt.sys
09/29/2017  09:40 AM            36,864 iagpio.sys
09/29/2017  09:40 AM            91,648 iai2c.sys
09/29/2017  09:40 AM            79,360 iaLPSS2i_GPIO2.sys
09/29/2017  09:40 AM            88,576 iaLPSS2i_GPIO2_BXT_P.sys
09/29/2017  09:40 AM           171,520 iaLPSS2i_I2C.sys
09/29/2017  09:40 AM           174,592 iaLPSS2i_I2C_BXT_P.sys
09/29/2017  09:41 AM            38,128 iaLPSSi_GPIO.sys
09/29/2017  09:40 AM           113,152 iaLPSSi_I2C.sys
10/21/2017  10:16 PM         1,469,952 iaStorA.sys
09/29/2017  09:41 AM           674,200 iaStorAV.sys
09/29/2017  09:41 AM           412,056 iaStorV.sys
09/29/2017  09:41 AM           526,232 ibbus.sys
09/29/2017  09:41 AM            39,424 IndirectKmd.sys
09/29/2017  09:41 AM            19,352 intelide.sys
09/29/2017  09:41 AM           130,640 intelpep.sys
09/29/2017  09:41 AM           198,656 intelppm.sys
09/29/2017  09:41 AM            38,912 invdimm.sys
09/29/2017  09:41 AM            56,728 iorate.sys
09/29/2017  09:41 AM            85,504 ipfltdrv.sys
09/29/2017  09:41 AM            92,056 IPMIDrv.sys
09/29/2017  09:41 AM           214,016 ipnat.sys
09/29/2017  09:41 AM            26,112 ipt.sys
09/29/2017  09:42 AM           119,808 irda.sys
09/29/2017  09:42 AM            19,968 irenum.sys
09/29/2017  09:41 AM            22,936 isapnp.sys
12/25/2015  11:03 PM            47,008 ISCTD64.sys
10/19/2017  07:22 PM    <DIR>          it-IT
09/29/2017  09:41 AM            63,384 kbdclass.sys
09/29/2017  09:41 AM            40,448 kbdhid.sys
09/29/2017  09:41 AM            23,040 kdnic.sys
03/22/2017  12:44 PM           161,408 KeyCrypt64.sys
09/29/2017  09:41 AM           394,752 ks.sys
10/18/2017  09:39 PM           139,672 ksecdd.sys
09/29/2017  09:41 AM           170,904 ksecpkg.sys
09/29/2017  09:41 AM            27,136 ksthunk.sys
08/29/2016  08:17 PM            36,496 LGBusEnum.sys
08/29/2016  08:17 PM            67,736 LGJoyXlCore.sys
05/30/2013  01:16 PM            64,280 LGSHidFilt.Sys
08/29/2016  08:17 PM            26,008 LGVirHid.sys
09/29/2017  09:41 AM            65,024 lltdio.sys
09/24/2016  03:23 PM            18,960 LNonPnP.sys
09/29/2017  09:41 AM           108,064 lsi_sas.sys
09/29/2017  09:41 AM           123,800 lsi_sas2i.sys
09/29/2017  09:41 AM           103,320 lsi_sas3i.sys
09/29/2017  09:41 AM            82,840 lsi_sss.sys
09/29/2017  09:41 AM           124,928 luafv.sys
10/26/2012  04:42 PM           266,828 LVAFT.cfg
10/26/2012  04:42 PM           351,520 lvrs64.sys
10/26/2012  04:42 PM         4,758,176 lvuvc64.sys
09/29/2017  09:41 AM           505,240 mausbhost.sys
09/29/2017  09:41 AM            55,840 mausbip.sys
10/04/2017  01:15 PM            77,440 mbae64.sys
11/01/2017  09:24 PM           192,952 MbamChameleon.sys
09/29/2017  09:42 AM            23,552 mcd.sys
09/29/2017  09:41 AM            59,800 megasas.sys
09/29/2017  09:41 AM            63,520 MegaSas2i.sys
09/29/2017  09:41 AM           575,896 megasr.sys
09/29/2017  09:41 AM           842,648 mlx4_bus.sys
09/29/2017  09:41 AM            43,520 mmcss.sys
09/29/2017  09:42 AM            42,496 modem.sys
09/29/2017  09:41 AM            38,912 monitor.sys
09/29/2017  09:41 AM            57,240 mouclass.sys
09/29/2017  09:41 AM            32,768 mouhid.sys
09/29/2017  09:41 AM           103,320 mountmgr.sys
09/29/2017  09:41 AM            75,776 mpsdrv.sys
09/29/2017  09:42 AM           143,872 mrxdav.sys
09/29/2017  09:41 AM           496,536 mrxsmb.sys
10/18/2017  09:39 PM           285,696 mrxsmb10.sys
10/18/2017  09:39 PM           232,344 mrxsmb20.sys
09/29/2017  09:41 AM            31,232 msfs.sys
07/16/2016  07:42 AM                 3 MsftWdf_Kernel_01019_Inbox_Critical.Wdf
04/15/2016  03:09 AM                 0 Msft_User_WpdFs_01_11_00.Wdf
01/10/2016  12:29 AM                 0 Msft_User_WpdMtpDr_01_11_00.Wdf
09/29/2017  09:41 AM           169,880 msgpioclx.sys
09/29/2017  09:41 AM            49,048 msgpiowin32.sys
09/29/2017  09:41 AM             8,704 mshidkmdf.sys
09/29/2017  09:41 AM            11,776 mshidumdf.sys
09/29/2017  09:41 AM            27,136 mshwnclx.sys
09/29/2017  09:41 AM            18,840 msisadrv.sys
09/29/2017  09:41 AM           279,448 msiscsi.sys
09/29/2017  09:41 AM            33,280 mskssrv.sys
09/29/2017  09:41 AM            84,480 mslldp.sys
09/29/2017  09:41 AM            10,752 mspclock.sys
09/29/2017  09:41 AM            10,752 mspqm.sys
09/29/2017  09:41 AM           376,864 msrpc.sys
09/29/2017  10:42 AM           293,272 mssecflt.sys
09/29/2017  09:41 AM            40,856 mssmbios.sys
09/29/2017  09:41 AM            12,800 mstee.sys
09/29/2017  09:41 AM            16,896 MTConfig.sys
09/29/2017  09:41 AM           123,800 mup.sys
09/29/2017  09:41 AM            63,896 mvumis.sys
11/01/2017  05:24 PM            94,144 mwac.sys
09/29/2017  09:41 AM           108,952 ndfltr.sys
09/29/2017  09:41 AM         1,278,872 ndis.sys
09/29/2017  09:42 AM            50,688 ndiscap.sys
09/29/2017  09:41 AM           128,000 NdisImPlatform.sys
09/29/2017  09:41 AM            27,136 ndistapi.sys
09/29/2017  09:41 AM            65,024 ndisuio.sys
09/29/2017  09:41 AM            21,504 NdisVirtualBus.sys
09/29/2017  09:41 AM           192,000 ndiswan.sys
09/29/2017  09:41 AM            62,464 ndproxy.sys
09/29/2017  09:41 AM           124,416 Ndu.sys
09/29/2017  09:41 AM           132,608 NetAdapterCx.sys
09/29/2017  09:41 AM            57,752 netbios.sys
09/29/2017  09:41 AM           316,928 netbt.sys
09/29/2017  09:41 AM           535,960 netio.sys
09/29/2017  09:41 AM           192,512 netvsc.sys
10/19/2017  07:22 PM    <DIR>          nl-NL
09/29/2017  09:41 AM            73,216 npfs.sys
09/29/2017  09:41 AM            26,112 npsvctrig.sys
09/29/2017  09:41 AM            44,544 nsiproxy.sys
10/18/2017  09:39 PM         2,400,664 ntfs.sys
09/29/2017  09:41 AM            19,864 ntosext.sys
09/29/2017  09:41 AM             7,168 null.sys
09/29/2017  09:41 AM            88,576 nvdimmn.sys
10/09/2017  11:14 AM           227,408 nvhda64v.sys
09/29/2017  09:41 AM           150,424 nvraid.sys
09/29/2017  09:41 AM           166,296 nvstor.sys
01/13/2015  12:15 AM           452,424 nvstusb.sys
09/06/2014  01:22 AM            19,616 nvswcfilter.sys
10/10/2017  09:01 PM            50,808 nvvad64v.sys
10/12/2017  05:38 PM            57,792 nvvhci.sys
10/18/2017  09:39 PM           529,408 nwifi.sys
09/29/2017  09:41 AM           152,984 pacer.sys
09/29/2017  09:41 AM            98,816 parport.sys
09/29/2017  09:41 AM           165,784 partmgr.sys
09/29/2017  09:41 AM           362,904 pci.sys
09/29/2017  09:41 AM            16,280 pciide.sys
09/29/2017  09:41 AM            53,144 pciidex.sys
09/29/2017  09:40 AM           119,704 pcmcia.sys
09/29/2017  09:41 AM            53,144 pcw.sys
09/29/2017  09:41 AM           123,288 pdc.sys
09/29/2017  09:42 AM           723,968 PEAuth.sys
09/29/2017  09:41 AM            58,776 percsas2i.sys
09/29/2017  09:41 AM            61,848 percsas3i.sys
10/19/2017  07:22 PM    <DIR>          pl-PL
09/29/2017  09:41 AM           100,352 pmem.sys
09/29/2017  09:41 AM            16,896 pnpmem.sys
09/29/2017  09:40 AM           379,392 portcls.sys
09/29/2017  09:41 AM           177,152 processr.sys
11/10/2015  02:15 PM            27,136 ptun0901.sys
09/29/2017  09:41 AM            49,152 qwavedrv.sys
09/29/2017  09:41 AM            39,832 ramdisk.sys
09/29/2017  09:41 AM            17,920 rasacd.sys
09/29/2017  09:41 AM           106,496 rasl2tp.sys
09/29/2017  09:41 AM            82,944 raspppoe.sys
09/29/2017  09:41 AM            97,280 raspptp.sys
09/29/2017  09:41 AM            78,336 rassstp.sys
09/29/2017  09:41 AM           426,904 rdbss.sys
09/29/2017  10:42 AM            27,136 rdpbus.sys
09/29/2017  10:42 AM           182,784 rdpdr.sys
09/29/2017  10:42 AM            30,616 rdpvideominiport.sys
09/29/2017  09:42 AM           282,520 rdyboost.sys
09/29/2017  09:41 AM         1,849,752 refs.sys
09/29/2017  09:41 AM           936,856 refsv1.sys
09/29/2017  09:41 AM            43,008 RfxVmt.sys
09/29/2017  09:41 AM           103,936 rhproxy.sys
09/29/2017  09:41 AM           149,504 rmcast.sys
09/29/2017  09:42 AM            35,328 RNDISMP.sys
09/29/2017  09:42 AM            13,312 rootmdm.sys
07/13/2015  10:16 AM            26,368 rspLLL64.sys
09/29/2017  09:41 AM            80,896 rspndr.sys
10/21/2017  10:18 PM         1,009,120 rt640x64.sys
10/21/2017  10:18 PM        12,334,923 RTAIODAT.DAT
09/29/2017  09:41 AM            59,904 rteth.sys
01/11/2017  11:38 AM         1,920,870 rtkSSTsetting.dat
10/21/2017  10:18 PM         5,826,560 RTKVHD64.sys
10/28/2017  05:19 PM            79,064 rtnoh.sys
01/11/2017  11:38 AM         5,804,772 rtvienna.dat
10/19/2017  07:22 PM    <DIR>          ru-RU
07/19/2017  12:16 PM            45,752 rzpmgrk.sys
08/19/2017  11:56 AM           139,704 rzpnk.sys
10/16/2016  07:04 AM            49,176 RzSurroundVAD.sys
09/29/2017  09:41 AM           109,976 sbp2port.sys
09/29/2017  09:42 AM            43,008 scfilter.sys
09/29/2017  09:41 AM           118,168 scmbus.sys
09/29/2017  09:42 AM           175,512 scsiport.sys
09/29/2017  09:41 AM           285,080 sdbus.sys
09/29/2017  09:41 AM            33,176 SDFRd.sys
09/29/2017  09:41 AM            97,688 sdport.sys
09/29/2017  09:41 AM            96,664 sdstor.sys
09/29/2017  09:41 AM            74,784 SerCx.sys
09/29/2017  09:41 AM           154,520 SerCx2.sys
09/29/2017  09:41 AM            25,088 serenum.sys
09/29/2017  09:41 AM            84,992 serial.sys
09/29/2017  09:41 AM            28,160 sermouse.sys
09/29/2017  09:41 AM            13,312 serscan.sys
09/29/2017  09:41 AM            17,920 sfloppy.sys
09/29/2017  09:41 AM            44,952 sisraid2.sys
09/29/2017  09:41 AM            81,816 sisraid4.sys
09/29/2017  09:41 AM            34,200 SleepStudyHelper.sys
09/29/2017  09:42 AM            21,504 smclib.sys
09/29/2017  09:41 AM           171,416 spacedump.sys
09/29/2017  09:41 AM           571,288 spaceport.sys
09/29/2017  10:42 AM            56,216 SpatialGraphFilter.sys
09/29/2017  09:41 AM            81,816 SpbCx.sys
10/18/2017  09:39 PM           422,912 srv.sys
10/18/2017  09:39 PM           726,016 srv2.sys
09/29/2017  09:41 AM           258,560 srvnet.sys
09/29/2017  09:41 AM            31,128 stexstor.sys
09/29/2017  09:41 AM           149,400 storahci.sys
09/29/2017  09:41 AM           103,320 stornvme.sys
10/18/2017  09:39 PM           559,000 storport.sys
09/29/2017  09:41 AM            79,872 storqosflt.sys
10/18/2017  09:39 PM            45,976 storufs.sys
09/29/2017  09:41 AM            39,320 storvsc.sys
09/29/2017  09:42 AM            75,264 stream.sys
09/29/2017  09:41 AM            18,328 swenum.sys
09/29/2017  09:41 AM            64,512 Synth3dVsc.sys
09/29/2017  09:42 AM            31,232 tape.sys
09/29/2017  09:41 AM            28,056 tbs.sys
09/29/2017  09:41 AM         2,773,400 tcpip.sys
09/29/2017  09:41 AM            51,712 tcpipreg.sys
09/29/2017  09:41 AM            40,344 tdi.sys
09/29/2017  09:41 AM           121,240 tdx.sys
12/25/2015  11:01 PM           193,336 TeeDriverW8x64.sys
09/29/2017  10:42 AM            37,272 terminpt.sys
09/29/2017  09:41 AM           128,408 tm.sys
09/29/2017  09:41 AM           229,272 tpm.sys
09/29/2017  09:41 AM            62,976 TsUsbFlt.sys
09/29/2017  09:41 AM            35,328 TsUsbGD.sys
09/29/2017  10:42 AM           126,464 tsusbhub.sys
09/29/2017  09:41 AM           106,496 tunnel.sys
09/29/2017  09:41 AM            79,256 uaspstor.sys
09/29/2017  09:41 AM           114,688 UcmCx.sys
09/29/2017  09:41 AM           146,944 UcmTcpciCx.sys
10/18/2017  09:39 PM            57,344 UcmUcsi.sys
09/29/2017  09:41 AM           227,224 Ucx01000.sys
09/29/2017  09:41 AM            45,056 Udecx.sys
09/29/2017  09:42 AM           323,072 udfs.sys
09/29/2017  09:41 AM            28,568 uefi.sys
09/29/2017  10:42 AM            40,344 UevAgentDriver.sys
09/29/2017  09:41 AM           266,648 ufx01000.sys
09/29/2017  09:41 AM            97,312 UfxChipidea.sys
09/29/2017  09:41 AM           140,696 ufxsynopsys.sys
09/29/2017  09:41 AM            56,320 umbus.sys
10/20/2017  10:12 PM    <DIR>          UMDF
09/29/2017  09:41 AM            14,336 umpass.sys
09/29/2017  09:41 AM            28,568 urschipidea.sys
10/18/2017  09:39 PM            60,824 urscx01000.sys
09/29/2017  09:41 AM            27,544 urssynopsys.sys
09/29/2017  09:41 AM            23,040 usb8023.sys
06/17/2015  09:04 PM            54,784 usbaapl64.sys
09/29/2017  09:40 AM           135,168 USBAUDIO.sys
09/29/2017  09:42 AM            37,376 USBCAMD2.sys
09/29/2017  09:41 AM           168,856 usbccgp.sys
09/29/2017  09:40 AM           102,912 usbcir.sys
09/29/2017  09:41 AM            32,152 usbd.sys
09/29/2017  09:41 AM            95,640 usbehci.sys
09/29/2017  09:41 AM           513,944 usbhub.sys
09/29/2017  09:41 AM           555,416 USBHUB3.SYS
09/29/2017  09:41 AM            30,720 usbohci.sys
09/29/2017  09:41 AM           454,040 usbport.sys
09/29/2017  09:41 AM            27,136 usbprint.sys
09/29/2017  09:41 AM            71,680 usbser.sys
09/29/2017  09:41 AM           130,968 USBSTOR.SYS
09/29/2017  09:41 AM            35,328 usbuhci.sys
09/29/2017  09:41 AM           437,656 USBXHCI.SYS
09/29/2017  09:41 AM            54,680 vdrvroot.sys
09/29/2017  09:41 AM           225,688 VerifierExt.sys
09/29/2017  09:41 AM           713,624 vhdmp.sys
09/29/2017  09:41 AM            34,816 vhf.sys
09/29/2017  09:41 AM            44,544 videoprt.sys
09/29/2017  09:41 AM            81,304 vmbkmcl.sys
09/29/2017  09:41 AM            80,384 vmbkmclr.sys
09/29/2017  09:41 AM           109,976 vmbus.sys
09/29/2017  09:41 AM            25,088 VMBusHID.sys
09/29/2017  09:41 AM            13,312 vmgencounter.sys
09/29/2017  09:41 AM            10,240 vmgid.sys
09/29/2017  09:41 AM             9,216 vms3cap.sys
09/29/2017  09:41 AM            47,512 vmstorfl.sys
09/29/2017  09:41 AM            43,008 vnvdimm.sys
09/29/2017  09:41 AM            83,864 volmgr.sys
09/29/2017  09:41 AM           373,144 volmgrx.sys
09/29/2017  09:42 AM           401,304 volsnap.sys
09/29/2017  09:41 AM            15,392 volume.sys
09/29/2017  09:41 AM            75,160 vpci.sys
02/15/2010  11:07 PM            66,728 vrtaucbl.sys
09/29/2017  09:41 AM           166,808 vsmraid.sys
09/29/2017  09:41 AM           305,560 VSTXRAID.SYS
09/29/2017  09:42 AM            27,136 vwifibus.sys
09/29/2017  09:42 AM            76,800 vwififlt.sys
09/29/2017  09:42 AM            40,448 vwifimp.sys
09/29/2017  09:41 AM            30,720 wacompen.sys
09/29/2017  09:41 AM            80,896 wanarp.sys
09/29/2017  09:41 AM            56,320 watchdog.sys
09/29/2017  09:41 AM           147,864 wcifs.sys
09/29/2017  09:41 AM            76,288 wcnfs.sys
09/29/2017  09:41 AM            44,608 WdBoot.sys
09/29/2017  09:41 AM           918,240 Wdf01000.sys
09/29/2017  09:41 AM           309,144 WdFilter.sys
09/29/2017  09:41 AM            61,664 WdfLdr.sys
09/29/2017  09:42 AM           770,048 WdiWiFi.sys
09/29/2017  09:41 AM           119,192 WdNisDrv.sys
09/29/2017  09:41 AM            33,792 wdnsfltr.sys
09/29/2017  09:41 AM            45,464 werkernel.sys
09/29/2017  09:41 AM           163,736 wfplwfs.sys
09/29/2017  09:41 AM            35,736 wimmount.sys
09/29/2017  09:41 AM            71,248 WindowsTrustedRT.sys
09/29/2017  09:41 AM            18,000 WindowsTrustedRTProxy.sys
09/29/2017  09:41 AM            31,640 winhv.sys
09/29/2017  09:41 AM            62,464 winhvr.sys
09/29/2017  09:41 AM            32,152 winmad.sys
09/29/2017  09:41 AM           225,280 winnat.sys
09/29/2017  09:41 AM            92,672 winusb.sys
09/29/2017  09:41 AM            64,920 winverbs.sys
09/29/2017  09:41 AM            18,432 wmiacpi.sys
09/29/2017  09:41 AM            20,376 wmilib.sys
09/29/2017  09:41 AM           209,304 wof.sys
09/29/2017  09:41 AM            30,104 WpdUpFltr.sys
09/29/2017  09:41 AM            33,176 WppRecorder.sys
09/29/2017  09:42 AM            23,040 ws2ifsl.sys
09/29/2017  09:41 AM            23,040 WSDPrint.sys
09/29/2017  09:41 AM           115,200 WUDFPf.sys
09/29/2017  09:41 AM           259,584 WUDFRd.sys
09/29/2017  09:41 AM           281,600 xboxgip.sys
09/29/2017  09:41 AM            46,592 xinputhid.sys
01/29/2016  12:53 AM            63,840 XtuAcpiDriver.sys
11/01/2017  04:07 PM           203,680 zam64.sys
10/11/2017  10:15 PM           203,680 zamguard64.sys
             445 File(s)    112,948,910 bytes
              14 Dir(s)  156,456,611,840 bytes free
 
========= End of CMD: =========
 
 
==== End of Fixlog 21:58:01 ====

Edited by Austin0751, 01 November 2017 - 09:06 PM.

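The Fixlog above ends with a raw `dir` listing of `C:\Windows\System32\drivers`. When triaging a suspected driver-level rootkit, one cheap first pass over such a listing is to find the drivers whose modification time is later than the bulk of the directory, since most of the files in a patched Windows install carry the same servicing timestamp while anything added afterwards stands out. The script below is an added example, not part of this thread or of the FRST/Fixlog tooling; it parses a constructed excerpt of the listing above and returns the `.sys` files dated after the most common date. The names it returns are a triage shortlist (legitimate third-party drivers installed after the OS stamp will appear too), not a verdict on any file.

```python
import re
from collections import Counter
from datetime import datetime

# Matches one line of cmd.exe "dir" output: date, time, size or <DIR>, name.
DIR_LINE = re.compile(
    r'^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$'
)

# Constructed excerpt of the drivers listing from the Fixlog above (sample data).
SAMPLE_LISTING = """\
09/29/2017  09:41 AM           103,936 rhproxy.sys
09/29/2017  09:41 AM           149,504 rmcast.sys
09/29/2017  09:42 AM            35,328 RNDISMP.sys
10/21/2017  10:18 PM         1,009,120 rt640x64.sys
10/28/2017  05:19 PM            79,064 rtnoh.sys
10/19/2017  07:22 PM    <DIR>          ru-RU
09/29/2017  09:41 AM         2,773,400 tcpip.sys
11/01/2017  04:07 PM           203,680 zam64.sys
             445 File(s)    112,948,910 bytes
"""


def parse_dir_listing(text):
    """Return a list of {name, size, mtime} dicts for the files in a dir listing.

    Directory rows (<DIR>) and the trailing summary lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = DIR_LINE.match(raw.strip())
        if not m:
            continue
        date_s, time_s, size_s, name = m.groups()
        if size_s == "<DIR>":
            continue
        mtime = datetime.strptime(f"{date_s} {time_s}", "%m/%d/%Y %I:%M %p")
        entries.append({
            "name": name,
            "size": int(size_s.replace(",", "")),
            "mtime": mtime,
        })
    return entries


def baseline_date(entries):
    """The most common calendar date in the listing: the OS servicing stamp."""
    counts = Counter(e["mtime"].date() for e in entries)
    return counts.most_common(1)[0][0]


def drivers_after_baseline(entries):
    """Drivers (.sys) modified after the baseline date, newest first.

    Everything here was written to disk after the OS's bulk of drivers, so it
    is where manual review (signature check, vendor, hash lookup) should start.
    """
    base = baseline_date(entries)
    late = [
        e for e in entries
        if e["name"].lower().endswith(".sys") and e["mtime"].date() > base
    ]
    return sorted(late, key=lambda e: e["mtime"], reverse=True)


if __name__ == "__main__":
    entries = parse_dir_listing(SAMPLE_LISTING)
    print(f"baseline date: {baseline_date(entries)}")
    for e in drivers_after_baseline(entries):
        print(f"{e['mtime']:%Y-%m-%d %H:%M}  {e['size']:>10,}  {e['name']}")
```

Run it against a full listing by replacing `SAMPLE_LISTING` with the pasted `dir` output; the date heuristic only works when the directory really is dominated by one servicing stamp, which is the case for a stock Windows 10 install but not for a machine that has been heavily hand-patched.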

#6 Austin0751

Austin0751
  • Topic Starter
  • Members
  • 6 posts

Posted 02 November 2017 - 12:34 AM

So I haven't given up while you were gone. I was able to make a Windows 10 boot disc and booted from that, I went to the recovery environment on the boot disc and was able to delete the problematic rootkit, which renamed itself to coinrubx.sys earlier when I rebooted my PC randomly. After I deleted coinrubx.sys I was able to log into my Windows 10 and Killbox was then able to delete the vdswuto and vdnewkt folders. So far everything is saying my PC is clean now and I do not see a Tihevna.exe on my resource monitor. I am not sure if the rootkit may have been deeper into my system and will return in a couple of days, but at the moment even GMER is saying my system is rootkit free. I will be keeping an eye on my system but I believe the rootkit is gone for now. Is there any diagnostic you would like to see to confirm? I am worried that it could have potentially rooted itself deeper into my system than it already was by the time I deleted the rootkit.


Edited by Austin0751, 02 November 2017 - 12:34 AM.


#7 Aura

Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,683 posts

Posted 02 November 2017 - 07:24 AM

Good job doing that by yourself :) Now we'll just clean up the remnants, so it should be a breeze.

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 Aura

Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,683 posts

Posted 05 November 2017 - 09:21 AM

Hi Austin0751,

Are you still with me?



#9 Aura

Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,683 posts

Posted 07 November 2017 - 03:56 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
