Windows Process Manager (32 bit) Virus


  • This topic is locked
41 replies to this topic

#1 forevergent777

forevergent777

  • Members
  • 24 posts

Posted 05 January 2018 - 01:29 PM

I've been hit by the Windows Process Manager (32 Bit) Virus as well. I've tried to follow the instructions I've been seeing regarding this long complicated process, but have had no luck and am in need of help.

I've done as many anti-malware programs as possible, including Malwarebytes and FRST64, but still no luck.  On top of that, I've been unable to access the Advanced Boot menu that's being described in this process.  Please help.

 

Attached are the FRST.txt, Addition.txt, and Malwarebytes.txt files.  Please let me know if there's anything else you need.


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 05 January 2018 - 01:37 PM

Hi forevergent777 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Launch FRST and copy/paste the following inside the text area. Once done, click on the Fix button. A file called fixlog.txt will appear on your desktop. Attach it in your next reply.
Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers
End::

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 forevergent777

forevergent777
  • Topic Starter

  • Members
  • 24 posts

Posted 05 January 2018 - 02:45 PM

I understand.  Thank you for taking the time to help me.

 

Here's the fixlog.txt.  For some reason, I can't find the attach files option.

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by John (05-01-2018 11:43:37) Run:4
Running from C:\Users\John\Desktop
Loaded Profiles: John (Available Profiles: John)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


========= fltmc instances =========

Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----   --------  --------
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo              \Device\HarddiskVolume3                    40500     FileInfo                  0     00000007  
FileInfo              C:                                         40500     FileInfo                  0     00000007  
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo                                                         40500     FileInfo                  0     00000007  
FileInfo              \Device\HarddiskVolumeShadowCopy4          40500     FileInfo                  0     00000007  
FileInfo              \Device\Mup                                40500     FileInfo                  0     00000007  
WdFilter                                                        328010     WdFilter Instance         0     00000007  
WdFilter                                                        328010     WdFilter Instance         0     00000007  
WdFilter              \Device\HarddiskVolume3                   328010     WdFilter Instance         0     00000007  
WdFilter              C:                                        328010     WdFilter Instance         0     00000007  
WdFilter                                                        328010     WdFilter Instance         0     00000007  
WdFilter                                                        328010     WdFilter Instance         0     00000007  
WdFilter                                                        328010     WdFilter Instance         0     00000007  
WdFilter              \Device\HarddiskVolumeShadowCopy4         328010     WdFilter Instance         0     00000007  
WdFilter              \Device\Mup                               328010     WdFilter Instance         0     00000007  
Wof                                                              40700     Wof Instance              0     00000007  
Wof                   \Device\HarddiskVolume3                    40700     Wof Instance              0     00000007  
Wof                   C:                                         40700     Wof Instance              0     00000007  
Wof                                                              40700     Wof Instance              0     00000007  
Wof                                                              40700     Wof Instance              0     00000007  
Wof                                                              40700     Wof Instance              0     00000007  
Wof                   \Device\HarddiskVolumeShadowCopy4          40700     Wof Instance              0     00000007  
bulxirwh              C:                                         45666     bulxirwh Instance         0     00000000  
bulxirwh              \Device\Mup                                45666     bulxirwh Instance         0     00000000  
cjmpsw                                                           45888     cjmpsw Instance           0     00000000  
cjmpsw                                                           45888     cjmpsw Instance           0     00000000  
cjmpsw                \Device\HarddiskVolume3                    45888     cjmpsw Instance           0     00000000  
cjmpsw                C:                                         45888     cjmpsw Instance           0     00000000  
cjmpsw                                                           45888     cjmpsw Instance           0     00000000  
cjmpsw                                                           45888     cjmpsw Instance           0     00000000  
cjmpsw                                                           45888     cjmpsw Instance           0     00000000  
cjmpsw                \Device\HarddiskVolumeShadowCopy4          45888     cjmpsw Instance           0     00000000  
luafv                 C:                                        135000     luafv                     0     00000007  
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000000  
wcifs                 C:                                        189900     wcifs Instance            0     00000007  

========= End of CMD: =========


========= dir C:\Windows\system32\drivers =========

 Volume in drive C is TI10653400C
 Volume Serial Number is 4415-5794

 Directory of C:\Windows\system32\drivers

01/05/2018  10:01 AM    <DIR>          .
01/05/2018  10:01 AM    <DIR>          ..
09/29/2017  05:41 AM           237,056 1394ohci.sys
01/03/2018  07:27 PM           255,928 21441734.sys
09/29/2017  05:41 AM           107,416 3ware.sys
01/03/2018  11:50 AM           255,928 6641F901.sys
01/03/2018  06:20 PM           255,928 7614B1B8.sys
09/29/2017  05:41 AM           733,592 acpi.sys
09/29/2017  05:41 AM            20,480 AcpiDev.sys
09/29/2017  05:41 AM           127,896 acpiex.sys
09/29/2017  05:41 AM            12,800 acpipagr.sys
09/29/2017  05:41 AM            14,336 acpipmi.sys
09/29/2017  05:41 AM            13,312 acpitime.sys
09/29/2017  05:41 AM         1,135,512 adp80xx.sys
09/29/2017  05:41 AM           614,296 afd.sys
09/29/2017  05:41 AM           108,032 agilevpn.sys
09/29/2017  05:41 AM           240,640 ahcache.sys
09/29/2017  05:41 AM           180,224 amdk8.sys
09/29/2017  05:41 AM           178,176 amdppm.sys
09/29/2017  05:41 AM            83,352 amdsata.sys
09/29/2017  05:41 AM           258,592 amdsbs.sys
09/29/2017  05:41 AM            27,032 amdxata.sys
09/29/2017  05:41 AM           191,008 appid.sys
09/29/2017  05:41 AM            18,432 applockerfltr.sys
09/29/2017  05:41 AM           131,992 arcsas.sys
09/29/2017  05:41 AM            28,160 asyncmac.sys
09/29/2017  05:41 AM            28,568 atapi.sys
09/29/2017  05:41 AM           194,456 ataport.sys
12/07/2017  03:34 PM            59,800 bam.sys
09/29/2017  05:41 AM            58,880 BasicDisplay.sys
12/07/2017  12:10 PM            34,816 BasicRender.sys
09/29/2017  05:41 AM            39,832 battc.sys
08/04/2015  12:49 PM           199,472 bcbtums.sys
08/04/2015  12:35 PM            70,001 BCM20702A1_001.002.014.1443.1459.hex
09/29/2017  05:41 AM             9,728 bcmfn2.sys
09/29/2017  05:42 AM            10,240 beep.sys
09/29/2017  05:41 AM           101,888 bowser.sys
09/29/2017  05:41 AM           116,736 bridge.sys
09/29/2017  05:41 AM            23,040 BtaMPM.sys
09/29/2017  05:41 AM           191,488 BthA2DP.sys
09/29/2017  05:41 AM            45,056 BthAvrcpTg.sys
09/29/2017  05:41 AM           105,472 bthenum.sys
09/29/2017  05:41 AM            46,592 BthHfAud.sys
09/29/2017  05:41 AM           107,008 bthhfenum.sys
09/29/2017  05:41 AM            31,232 BthhfHid.sys
09/29/2017  05:41 AM            83,968 bthl2cap.sys
09/29/2017  05:40 AM            67,584 bthmodem.sys
09/29/2017  05:41 AM           129,536 bthpan.sys
12/07/2017  12:10 PM         1,015,296 bthport.sys
09/29/2017  05:41 AM            85,504 BTHUSB.SYS
09/29/2017  05:41 AM            37,784 bttflt.sys
08/04/2015  12:49 PM           214,328 btwampfl.sys
09/29/2017  05:41 AM            39,424 buttonconverter.sys
09/29/2017  05:41 AM           533,912 bxvbda.sys
09/29/2017  05:40 AM            60,312 CAD.sys
09/29/2017  05:41 AM           122,368 capimg.sys
09/29/2017  05:41 AM            93,184 cdfs.sys
09/29/2017  05:41 AM           159,744 cdrom.sys
09/29/2017  05:41 AM            78,744 CEA.sys
09/29/2017  05:41 AM           141,208 cht4dx64.sys
09/29/2017  05:41 AM           357,272 cht4sx64.sys
09/29/2017  05:41 AM         1,723,288 cht4vx64.sys
09/29/2017  05:40 AM            49,152 circlass.sys
09/29/2017  05:41 AM           403,352 Classpnp.sys
09/29/2017  05:41 AM           384,000 cldflt.sys
12/07/2017  12:10 PM           373,656 clfs.sys
09/29/2017  05:41 AM         1,007,512 ClipSp.sys
09/29/2017  05:41 AM            29,696 CmBatt.sys
09/29/2017  05:41 AM            28,568 cmimcext.sys
12/07/2017  03:23 PM           677,272 cng.sys
09/29/2017  05:41 AM            39,320 cnghwassist.sys
09/29/2017  05:41 AM            55,704 condrv.sys
09/29/2017  05:41 AM            85,912 crashdmp.sys
01/05/2018  09:06 AM           142,672 csbmptwz.sys
09/29/2017  05:42 AM            81,304 dam.sys
09/29/2017  05:41 AM            61,440 dc1-controller.sys
09/29/2017  05:41 AM            45,056 devauthe.sys
09/29/2017  05:41 AM           151,040 dfsc.sys
09/29/2017  05:41 AM            94,104 disk.sys
09/29/2017  05:41 AM            38,808 Diskdump.sys
09/29/2017  05:41 AM            15,360 Dmpusbstor.sys
09/29/2017  05:41 AM            46,592 dmvsc.sys
09/29/2017  05:40 AM            96,768 drmk.sys
09/29/2017  05:40 AM            16,224 drmkaud.sys
09/29/2017  05:41 AM            35,736 Dumpata.sys
09/29/2017  05:43 AM            91,152 dumpfve.sys
12/07/2017  12:10 PM           187,288 dumpsd.sys
09/29/2017  05:41 AM            32,256 dumpsdport.sys
09/29/2017  05:41 AM            25,600 Dumpstorport.sys
12/07/2017  12:10 PM         2,573,208 dxgkrnl.sys
09/29/2017  05:41 AM           408,096 dxgmms1.sys
12/07/2017  12:10 PM           749,976 dxgmms2.sys
09/29/2017  05:41 AM            87,960 EhStorClass.sys
09/29/2017  05:40 AM           118,680 EhStorTcgDrv.sys
09/29/2017  06:43 AM    <DIR>          en-US
09/29/2017  05:41 AM            13,824 errdev.sys
12/07/2017  05:09 PM    <DIR>          etc
09/29/2017  05:41 AM         3,419,032 evbda.sys
09/29/2017  05:41 AM           354,304 exfat.sys
09/29/2017  05:41 AM           371,608 fastfat.sys
09/29/2017  05:41 AM            32,768 fdc.sys
09/29/2017  05:41 AM            55,808 filecrypt.sys
09/29/2017  05:41 AM            85,400 fileinfo.sys
09/29/2017  05:41 AM            36,864 filetrace.sys
09/29/2017  05:41 AM            26,624 flpydisk.sys
12/07/2017  12:10 PM           398,744 fltMgr.sys
09/29/2017  05:41 AM            62,872 fsdepends.sys
09/29/2017  05:41 AM            34,200 fs_rec.sys
09/29/2017  05:43 AM           727,448 fvevol.sys
07/10/2012  03:35 PM             9,216 FwLnk.sys
09/29/2017  05:41 AM           441,240 FWPKCLNT.SYS
09/29/2017  05:41 AM            20,992 genericusbfn.sys
09/29/2017  05:41 AM         3,440,660 gm.dls
09/29/2017  05:41 AM               646 gmreadme.txt
09/29/2017  05:41 AM             8,192 gpuenergydrv.sys
09/29/2017  05:40 AM            86,016 hdaudbus.sys
07/02/2012  02:16 PM            62,784 HECIx64.sys
09/29/2017  05:41 AM            38,296 hidbatt.sys
09/29/2017  05:41 AM           114,688 hidbth.sys
09/29/2017  05:41 AM           187,392 hidclass.sys
09/29/2017  05:41 AM            52,224 hidi2c.sys
09/29/2017  05:41 AM            50,584 hidinterrupt.sys
09/29/2017  05:40 AM            46,592 hidir.sys
09/17/2014  07:47 AM             7,680 hidkmdf.sys
09/29/2017  05:41 AM            45,568 hidparse.sys
09/29/2017  05:41 AM            40,960 hidusb.sys
01/04/2018  08:25 AM            55,232 hitmanpro37.sys
09/29/2017  05:41 AM            63,520 HpSAMD.sys
09/29/2017  05:41 AM         1,103,768 http.sys
09/29/2017  05:41 AM            73,112 hvservice.sys
12/07/2017  03:22 PM           129,432 hvsocket.sys
09/29/2017  05:41 AM            29,592 hwpolicy.sys
09/29/2017  05:41 AM            16,896 hyperkbd.sys
09/29/2017  05:41 AM            28,160 HyperVideo.sys
09/29/2017  05:41 AM           105,984 i8042prt.sys
09/29/2017  05:40 AM            36,864 iagpio.sys
09/29/2017  05:40 AM            91,648 iai2c.sys
09/29/2017  05:40 AM            79,360 iaLPSS2i_GPIO2.sys
09/29/2017  05:40 AM            88,576 iaLPSS2i_GPIO2_BXT_P.sys
09/29/2017  05:40 AM           171,520 iaLPSS2i_I2C.sys
09/29/2017  05:40 AM           174,592 iaLPSS2i_I2C_BXT_P.sys
09/29/2017  05:41 AM            38,128 iaLPSSi_GPIO.sys
09/29/2017  05:40 AM           113,152 iaLPSSi_I2C.sys
07/31/2012  10:22 AM           645,952 iaStorA.sys
09/29/2017  05:41 AM           674,200 iaStorAV.sys
09/29/2017  05:41 AM           412,056 iaStorV.sys
09/29/2017  05:41 AM           526,232 ibbus.sys
05/03/2016  08:30 PM         3,811,288 igdkmd64.sys
09/29/2017  05:41 AM            39,424 IndirectKmd.sys
08/21/2015  09:50 AM           463,112 IntcDAud.sys
09/29/2017  05:41 AM            19,352 intelide.sys
09/29/2017  05:41 AM           130,640 intelpep.sys
09/29/2017  05:41 AM           198,656 intelppm.sys
09/29/2017  05:41 AM            38,912 invdimm.sys
09/29/2017  05:41 AM            56,728 iorate.sys
09/29/2017  05:41 AM            85,504 ipfltdrv.sys
09/29/2017  05:41 AM            92,056 IPMIDrv.sys
09/29/2017  05:41 AM           214,016 ipnat.sys
09/29/2017  05:41 AM            26,112 ipt.sys
09/29/2017  05:42 AM           119,808 irda.sys
09/29/2017  05:42 AM            19,968 irenum.sys
09/29/2017  05:41 AM            22,936 isapnp.sys
12/01/2015  11:46 AM            38,896 iwdbus.sys
09/29/2017  05:41 AM            63,384 kbdclass.sys
09/29/2017  05:41 AM            40,448 kbdhid.sys
09/29/2017  05:41 AM            23,040 kdnic.sys
12/07/2017  12:10 PM           394,752 ks.sys
09/29/2017  05:41 AM           139,672 ksecdd.sys
09/29/2017  05:41 AM           170,904 ksecpkg.sys
09/29/2017  05:41 AM            27,136 ksthunk.sys
09/29/2017  05:41 AM           121,344 L1C63x64.sys
09/29/2017  05:41 AM            65,024 lltdio.sys
09/29/2017  05:41 AM           108,064 lsi_sas.sys
09/29/2017  05:41 AM           123,800 lsi_sas2i.sys
09/29/2017  05:41 AM           103,320 lsi_sas3i.sys
09/29/2017  05:41 AM            82,840 lsi_sss.sys
12/07/2017  12:10 PM           124,928 luafv.sys
09/29/2017  05:41 AM           505,240 mausbhost.sys
09/29/2017  05:41 AM            55,840 mausbip.sys
11/29/2017  09:11 AM            77,432 mbae64.sys
01/03/2018  07:27 PM           192,952 mbamchameleon.sys
01/05/2018  10:01 AM           253,880 mbamswissarmy.sys
09/29/2017  05:42 AM            23,552 mcd.sys
09/29/2017  05:41 AM            59,800 megasas.sys
09/29/2017  05:41 AM            63,520 MegaSas2i.sys
09/29/2017  05:41 AM           575,896 megasr.sys
09/29/2017  05:41 AM            78,848 Microsoft.Bluetooth.Legacy.LEEnumerator.sys
09/29/2017  05:41 AM           842,648 mlx4_bus.sys
09/29/2017  05:41 AM            43,520 mmcss.sys
09/29/2017  05:42 AM            42,496 modem.sys
09/29/2017  05:41 AM            38,912 monitor.sys
09/29/2017  05:41 AM            57,240 mouclass.sys
09/29/2017  05:41 AM            32,768 mouhid.sys
09/29/2017  05:41 AM           103,320 mountmgr.sys
09/29/2017  05:41 AM            75,776 mpsdrv.sys
09/29/2017  05:42 AM           143,872 mrxdav.sys
12/07/2017  12:10 PM           495,000 mrxsmb.sys
12/07/2017  12:11 PM           285,696 mrxsmb10.sys
12/07/2017  12:10 PM           230,296 mrxsmb20.sys
09/29/2017  05:41 AM            31,232 msfs.sys
07/16/2016  03:42 AM                 3 MsftWdf_Kernel_01019_Inbox_Critical.Wdf
04/24/2017  03:27 AM                 0 Msft_Kernel_Smb_driver_Intel_01011.Wdf
04/24/2017  03:27 AM                 0 Msft_Kernel_SynTP_01011.Wdf
09/23/2016  04:40 AM                 0 Msft_User_WpdFs_01_11_00.Wdf
08/11/2016  11:20 AM                 0 Msft_User_WpdMtpDr_01_11_00.Wdf
08/07/2016  12:34 PM                 0 Msft_User_WUDFUsbccidDriver_01_11_00.Wdf
09/29/2017  05:41 AM           169,880 msgpioclx.sys
09/29/2017  05:41 AM            49,048 msgpiowin32.sys
09/29/2017  05:41 AM             8,704 mshidkmdf.sys
09/29/2017  05:41 AM            11,776 mshidumdf.sys
09/29/2017  05:41 AM            27,136 mshwnclx.sys
09/29/2017  05:41 AM            18,840 msisadrv.sys
09/29/2017  05:41 AM           279,448 msiscsi.sys
09/29/2017  05:41 AM            33,280 mskssrv.sys
09/29/2017  05:41 AM            84,480 mslldp.sys
09/29/2017  05:41 AM            10,752 mspclock.sys
09/29/2017  05:41 AM            10,752 mspqm.sys
09/29/2017  05:41 AM           376,864 msrpc.sys
09/29/2017  05:41 AM            40,856 mssmbios.sys
09/29/2017  05:41 AM            12,800 mstee.sys
09/29/2017  05:41 AM            16,896 MTConfig.sys
09/29/2017  05:41 AM           123,800 mup.sys
09/29/2017  05:41 AM            63,896 mvumis.sys
01/03/2018  11:16 AM            94,144 mwac.sys
09/29/2017  05:41 AM           108,952 ndfltr.sys
12/07/2017  12:10 PM         1,277,848 ndis.sys
09/29/2017  05:42 AM            50,688 ndiscap.sys
09/29/2017  05:41 AM           128,000 NdisImPlatform.sys
09/29/2017  05:41 AM            27,136 ndistapi.sys
09/29/2017  05:41 AM            65,024 ndisuio.sys
09/29/2017  05:41 AM            21,504 NdisVirtualBus.sys
09/29/2017  05:41 AM           192,000 ndiswan.sys
09/29/2017  05:41 AM            62,464 ndproxy.sys
09/29/2017  05:41 AM           124,416 Ndu.sys
09/29/2017  05:41 AM           132,608 NetAdapterCx.sys
09/29/2017  05:41 AM            57,752 netbios.sys
09/29/2017  05:41 AM           316,928 netbt.sys
09/29/2017  05:41 AM           535,960 netio.sys
12/07/2017  02:07 PM           192,512 netvsc.sys
09/29/2017  05:41 AM            73,216 npfs.sys
09/29/2017  05:41 AM            26,112 npsvctrig.sys
09/29/2017  05:41 AM            44,544 nsiproxy.sys
12/07/2017  12:10 PM         2,395,032 ntfs.sys
09/29/2017  05:41 AM            19,864 ntosext.sys
09/29/2017  05:41 AM             7,168 null.sys
09/29/2017  05:41 AM            88,576 nvdimmn.sys
09/29/2017  05:41 AM           150,424 nvraid.sys
09/29/2017  05:41 AM           166,296 nvstor.sys
12/07/2017  12:10 PM           529,408 nwifi.sys
09/29/2017  05:41 AM           152,984 pacer.sys
09/29/2017  05:41 AM            98,816 parport.sys
12/07/2017  03:30 PM           166,296 partmgr.sys
12/07/2017  03:10 PM           362,904 pci.sys
09/29/2017  05:41 AM            16,280 pciide.sys
09/29/2017  05:41 AM            53,144 pciidex.sys
09/29/2017  05:40 AM           119,704 pcmcia.sys
09/29/2017  05:41 AM            53,144 pcw.sys
09/29/2017  05:41 AM           123,288 pdc.sys
09/29/2017  05:42 AM           723,968 PEAuth.sys
09/29/2017  05:41 AM            58,776 percsas2i.sys
09/29/2017  05:41 AM            61,848 percsas3i.sys
09/29/2017  05:41 AM           100,352 pmem.sys
09/29/2017  05:41 AM            16,896 pnpmem.sys
09/29/2017  05:40 AM           379,392 portcls.sys
09/29/2017  05:41 AM           177,152 processr.sys
09/29/2017  05:41 AM            49,152 qwavedrv.sys
09/29/2017  05:41 AM            39,832 ramdisk.sys
09/29/2017  05:41 AM            17,920 rasacd.sys
09/29/2017  05:41 AM           106,496 rasl2tp.sys
09/29/2017  05:41 AM            82,944 raspppoe.sys
09/29/2017  05:41 AM            97,280 raspptp.sys
09/29/2017  05:41 AM            78,336 rassstp.sys
12/07/2017  12:10 PM           428,952 rdbss.sys
09/29/2017  06:43 AM            27,136 rdpbus.sys
09/29/2017  06:43 AM           182,784 rdpdr.sys
09/29/2017  06:43 AM            30,616 rdpvideominiport.sys
09/29/2017  05:42 AM           282,520 rdyboost.sys
09/29/2017  05:41 AM         1,849,752 refs.sys
09/29/2017  05:41 AM           936,856 refsv1.sys
09/29/2017  05:41 AM           189,440 rfcomm.sys
09/29/2017  05:41 AM            43,008 RfxVmt.sys
09/29/2017  05:41 AM           103,936 rhproxy.sys
09/29/2017  05:41 AM           149,504 rmcast.sys
09/29/2017  05:42 AM            35,328 RNDISMP.sys
09/29/2017  05:42 AM            13,312 rootmdm.sys
09/29/2017  05:41 AM            80,896 rspndr.sys
12/10/2012  01:12 AM           381,405 RTAIODAT.DAT
09/29/2017  05:41 AM            59,904 rteth.sys
12/10/2012  01:12 AM         3,242,896 RTKVHD64.sys
07/13/2016  03:09 PM           433,912 RtsUer.sys
09/29/2017  05:40 AM         3,717,120 rtwlane_13.sys
09/29/2017  05:41 AM           109,976 sbp2port.sys
09/29/2017  05:42 AM            43,008 scfilter.sys
09/29/2017  05:41 AM           118,168 scmbus.sys
09/29/2017  05:42 AM           175,512 scsiport.sys
12/07/2017  12:10 PM           285,080 sdbus.sys
09/29/2017  05:41 AM            33,176 SDFRd.sys
09/29/2017  05:41 AM            97,688 sdport.sys
09/29/2017  05:41 AM            96,664 sdstor.sys
09/29/2017  05:41 AM            74,784 SerCx.sys
09/29/2017  05:41 AM           154,520 SerCx2.sys
09/29/2017  05:41 AM            25,088 serenum.sys
09/29/2017  05:41 AM            84,992 serial.sys
09/29/2017  05:41 AM            28,160 sermouse.sys
09/29/2017  05:41 AM            17,920 sfloppy.sys
09/29/2017  05:41 AM            44,952 sisraid2.sys
09/29/2017  05:41 AM            81,816 sisraid4.sys
09/29/2017  05:41 AM            34,200 SleepStudyHelper.sys
08/08/2015  09:20 AM            42,184 Smb_driver_AMDASF.sys
05/04/2017  07:38 PM            69,216 Smb_driver_AMDASF_Aux.sys
08/08/2015  09:20 AM            42,696 Smb_driver_Intel.sys
05/04/2017  07:38 PM            72,792 Smb_driver_Intel_Aux.sys
09/29/2017  05:42 AM            21,504 smclib.sys
09/29/2017  05:41 AM           171,416 spacedump.sys
12/07/2017  03:14 PM           571,288 spaceport.sys
09/29/2017  06:43 AM            56,216 SpatialGraphFilter.sys
09/29/2017  05:41 AM            81,816 SpbCx.sys
12/07/2017  12:11 PM           422,912 srv.sys
12/07/2017  12:10 PM           726,016 srv2.sys
12/07/2017  12:10 PM           259,072 srvnet.sys
01/21/2014  03:52 PM           108,800 ssudbus.sys
09/29/2017  05:41 AM            31,128 stexstor.sys
12/07/2017  12:10 PM           149,400 storahci.sys
09/29/2017  05:41 AM           103,320 stornvme.sys
12/07/2017  12:10 PM           559,512 storport.sys
09/29/2017  05:41 AM            79,872 storqosflt.sys
12/07/2017  12:10 PM            45,464 storufs.sys
09/29/2017  05:41 AM            39,320 storvsc.sys
09/29/2017  05:42 AM            75,264 stream.sys
09/29/2017  05:41 AM            18,328 swenum.sys
05/04/2017  07:38 PM            66,136 SynRMIHID_Aux.sys
09/29/2017  05:41 AM            64,512 Synth3dVsc.sys
05/04/2017  07:38 PM           943,192 SynTP.sys
09/29/2017  05:42 AM            31,232 tape.sys
09/29/2017  05:41 AM            28,056 tbs.sys
09/29/2017  05:41 AM         2,773,400 tcpip.sys
09/29/2017  05:41 AM            51,712 tcpipreg.sys
09/29/2017  05:41 AM            40,344 tdi.sys
09/29/2017  05:41 AM           121,240 tdx.sys
09/29/2017  06:43 AM            37,272 terminpt.sys
07/29/2015  03:54 AM            54,424 Thotkey.sys
09/29/2017  05:41 AM           128,408 tm.sys
08/06/2012  08:55 PM            19,936 tosrfec.sys
09/29/2017  05:41 AM           229,272 tpm.sys
09/29/2017  05:41 AM            62,976 TsUsbFlt.sys
09/29/2017  05:41 AM            35,328 TsUsbGD.sys
09/29/2017  05:41 AM           106,496 tunnel.sys
07/25/2012  03:34 PM            32,832 TVALZ.SYS
07/21/2016  06:24 PM            53,888 TVALZ_O.SYS
09/29/2017  05:41 AM            79,256 uaspstor.sys
12/07/2017  12:10 PM           114,688 UcmCx.sys
09/29/2017  05:41 AM           146,944 UcmTcpciCx.sys
12/07/2017  12:10 PM            57,344 UcmUcsi.sys
09/29/2017  05:41 AM           227,224 Ucx01000.sys
09/29/2017  05:41 AM            45,056 Udecx.sys
09/29/2017  05:42 AM           323,072 udfs.sys
09/29/2017  05:41 AM            28,568 uefi.sys
09/29/2017  05:41 AM           266,648 ufx01000.sys
09/29/2017  05:41 AM            97,312 UfxChipidea.sys
09/29/2017  05:41 AM           140,696 ufxsynopsys.sys
09/29/2017  05:41 AM            56,320 umbus.sys
12/07/2017  02:24 PM    <DIR>          UMDF
09/29/2017  05:41 AM            14,336 umpass.sys
09/29/2017  05:41 AM            28,568 urschipidea.sys
12/07/2017  12:10 PM            60,824 urscx01000.sys
09/29/2017  05:41 AM            27,544 urssynopsys.sys
09/29/2017  05:41 AM            23,040 usb8023.sys
09/29/2017  05:42 AM            37,376 USBCAMD2.sys
09/29/2017  05:41 AM           168,856 usbccgp.sys
09/29/2017  05:40 AM           102,912 usbcir.sys
09/29/2017  05:41 AM            32,152 usbd.sys
09/29/2017  05:41 AM            95,640 usbehci.sys
09/29/2017  05:41 AM           513,944 usbhub.sys
12/07/2017  12:10 PM           555,416 USBHUB3.SYS
09/29/2017  05:41 AM            30,720 usbohci.sys
09/29/2017  05:41 AM           454,040 usbport.sys
09/29/2017  05:41 AM            27,136 usbprint.sys
09/29/2017  05:41 AM            46,080 usbscan.sys
09/29/2017  05:41 AM            71,680 usbser.sys
09/29/2017  05:41 AM           130,968 USBSTOR.SYS
09/29/2017  05:41 AM            35,328 usbuhci.sys
09/29/2017  05:41 AM           280,576 usbvideo.sys
12/07/2017  03:24 PM           437,144 USBXHCI.SYS
09/29/2017  05:41 AM            54,680 vdrvroot.sys
09/29/2017  05:41 AM           225,688 VerifierExt.sys
12/07/2017  12:10 PM           713,624 vhdmp.sys
09/29/2017  05:41 AM            34,816 vhf.sys
09/29/2017  05:41 AM            44,544 videoprt.sys
09/29/2017  05:41 AM            81,304 vmbkmcl.sys
09/29/2017  05:41 AM            80,384 vmbkmclr.sys
09/29/2017  05:41 AM           109,976 vmbus.sys
09/29/2017  05:41 AM            25,088 VMBusHID.sys
09/29/2017  05:41 AM            13,312 vmgencounter.sys
09/29/2017  05:41 AM            10,240 vmgid.sys
09/29/2017  05:41 AM             9,216 vms3cap.sys
09/29/2017  05:41 AM            47,512 vmstorfl.sys
09/17/2014  07:47 AM            10,752 vmulti.sys
09/29/2017  05:41 AM            43,008 vnvdimm.sys
12/07/2017  12:10 PM            82,840 volmgr.sys
09/29/2017  05:41 AM           373,144 volmgrx.sys
12/07/2017  03:12 PM           401,304 volsnap.sys
09/29/2017  05:41 AM            15,392 volume.sys
09/29/2017  05:41 AM            75,160 vpci.sys
09/29/2017  05:41 AM           166,808 vsmraid.sys
09/29/2017  05:41 AM           305,560 VSTXRAID.SYS
09/29/2017  05:42 AM            27,136 vwifibus.sys
09/29/2017  05:42 AM            76,800 vwififlt.sys
12/07/2017  12:10 PM            41,472 vwifimp.sys
09/29/2017  05:41 AM            30,720 wacompen.sys
09/29/2017  05:41 AM            80,896 wanarp.sys
09/29/2017  05:41 AM            56,320 watchdog.sys
12/07/2017  12:10 PM           147,864 wcifs.sys
09/29/2017  05:41 AM            76,288 wcnfs.sys
01/05/2018  09:07 AM    <DIR>          wd
09/29/2017  05:41 AM            44,608 WdBoot.sys
11/12/2015  07:50 PM            26,880 wdcsam64.sys
09/29/2017  05:41 AM           918,240 Wdf01000.sys
09/29/2017  05:41 AM           309,144 WdFilter.sys
09/29/2017  05:41 AM            61,664 WdfLdr.sys
12/07/2017  12:10 PM           770,048 WdiWiFi.sys
09/29/2017  05:41 AM           119,192 WdNisDrv.sys
09/29/2017  05:41 AM            33,792 wdnsfltr.sys
09/29/2017  05:41 AM            45,464 werkernel.sys
09/29/2017  05:41 AM           163,736 wfplwfs.sys
09/29/2017  05:41 AM            35,736 wimmount.sys
09/29/2017  05:41 AM            71,248 WindowsTrustedRT.sys
09/29/2017  05:41 AM            18,000 WindowsTrustedRTProxy.sys
09/29/2017  05:41 AM            31,640 winhv.sys
09/29/2017  05:41 AM            62,464 winhvr.sys
09/29/2017  05:41 AM            32,152 winmad.sys
09/29/2017  05:41 AM           225,280 winnat.sys
09/29/2017  05:41 AM            92,672 winusb.sys
09/29/2017  05:41 AM            64,920 winverbs.sys
09/29/2017  05:41 AM            18,432 wmiacpi.sys
09/29/2017  05:41 AM            20,376 wmilib.sys
09/29/2017  05:41 AM           209,304 wof.sys
09/29/2017  05:41 AM            30,104 WpdUpFltr.sys
09/29/2017  05:41 AM            33,176 WppRecorder.sys
09/29/2017  05:42 AM            23,040 ws2ifsl.sys
09/29/2017  05:41 AM            23,040 WSDPrint.sys
09/29/2017  05:41 AM            25,088 WSDScan.sys
09/29/2017  05:41 AM           115,200 WUDFPf.sys
09/29/2017  05:41 AM           259,584 WUDFRd.sys
09/29/2017  05:41 AM           281,600 xboxgip.sys
09/29/2017  05:41 AM            46,592 xinputhid.sys
             439 File(s)     92,207,883 bytes
               6 Dir(s)  452,103,155,712 bytes free

========= End of CMD: =========


==== End of Fixlog 11:43:39 ====


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 05 January 2018 - 02:54 PM

For the next part, you'll need to download the FRST executable and fixlist.txt on a clean computer, and move them onto your USB Flash Drive. That USB can only be inserted in the infected computer if it is either shut down or in the Windows RE. Otherwise, the infection will mess with the files on the USB and you'll have to restart.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:
  • USB Flash Drive (the size depends on whether you have to create a USB Recovery or Installation media)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
  • Another computer (optional: only needed if you cannot work from the infected computer directly)
Preparing the USB Flash Drive
  • Download the right version of FRST for your system:
  • Move the executable (FRST.exe or FRST64.exe) onto your USB Flash Drive
  • Download the attached fixlist.txt, and move it onto your USB Flash Drive as well
Boot in the Recovery Environment
  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
Once in the command prompt
  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Fix button and wait for the scan to complete
  • A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply



Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
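The Notepad trick in the steps above exists only to discover which letter the USB Flash Drive received inside the Recovery Environment, where drive letters are reassigned. That discovery can be scripted instead. The script below is an added example for this thread, not part of Aura's instructions and not part of FRST; the filename find-frst.cmd is assumed, and it expects FRST64.exe (or FRST.exe) and fixlist.txt at the root of the USB drive, exactly as the steps require. Run it from the Recovery Environment command prompt once the USB drive is plugged in.

```batch
@echo off
rem find-frst.cmd (assumed name). Added example for the Recovery Environment
rem command prompt; it is not part of Aura's instructions or of FRST itself.
rem It expects FRST64.exe (or FRST.exe) and fixlist.txt at the root of the
rem USB Flash Drive, as the instructions above require.
setlocal

set "FRST="
rem Drive letters are reassigned inside the RE, so check every letter rather
rem than guessing "e:". Only a drive that carries both files is accepted, because
rem FRST reads fixlist.txt from the folder it is started from.
for %%d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    for %%f in (FRST64.exe FRST.exe) do (
        if not defined FRST if exist "%%d:\%%f" if exist "%%d:\fixlist.txt" set "FRST=%%d:\%%f"
    )
)

if not defined FRST (
    echo No drive holds both FRST64.exe ^(or FRST.exe^) and fixlist.txt.
    echo Plug the USB Flash Drive in now, wait a few seconds, and run this script again.
    exit /b 1
)

rem Record what is about to run, with size and timestamp, for the reply.
for %%p in ("%FRST%") do set "FRSTDIR=%%~dpp"
echo Found %FRST%
dir "%FRSTDIR%fixlist.txt" | findstr /i "fixlist.txt"

rem Start FRST and wait for it to close; click Fix in the tool as instructed.
"%FRST%"

rem FRST writes Fixlog.txt next to the executable, i.e. on the USB drive.
if exist "%FRSTDIR%Fixlog.txt" (
    echo Fixlog.txt was saved to %FRSTDIR%
) else (
    echo No Fixlog.txt found on %FRSTDIR% - the Fix button may not have been used.
)
exit /b 0
```

Requiring both files on the same drive is deliberate: FRST looks for fixlist.txt in its own folder, so finding the executable alone on some other drive (for example a copy left in a Downloads folder on the system disk) would run a scan without the fix.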


#5 forevergent777

forevergent777
  • Topic Starter

  • Members
  • 24 posts

Posted 05 January 2018 - 03:06 PM

This is the part I've always been stuck at.  For some reason, my laptop won't let me access the Recovery Environment even with the options available to me (Windows 10).  It just brings me to a black screen with freedom of my mouse cursor movements before it does a full restart, flashes to the boot options for a brief moment before continuing on to my sign in screen.


I'll keep trying at it, but I'm also gonna be a bit busy for a few days.  Can you give me til January 9 to continue with this?



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 05 January 2018 - 03:11 PM

Sure.

And did you try booting in the Windows RE after running the FRST fix above? Because 2 options were enabled in the fix that should allow you to enter the RE properly.



#7 forevergent777

forevergent777
  • Topic Starter

  • Members
  • 24 posts

Posted 05 January 2018 - 09:08 PM

Which one am I supposed to do?  Because right now, I've only tried to access the Windows RE but have not done the FRST Fix yet, and I can't access the RE.  I tried the Advanced Startup from the Settings and the Shift+Restart technique, but it still does the same thing I described in my last post.


Am I supposed to do it after running the FRST Fixlist?



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 05 January 2018 - 10:51 PM

Did you try accessing the Windows RE after running the 1st FRST fix?

https://www.bleepingcomputer.com/forums/t/667279/windows-process-manager-32-bit-virus/#entry4416192



#9 forevergent777

forevergent777
  • Topic Starter

  • Members
  • 24 posts

Posted 05 January 2018 - 11:56 PM

If you mean pressing "Scan" on FRST64 as per your first instruction, then yes.  Otherwise, I haven't pressed "Fix" on FRST64.  So far, I've managed to download FRST64.exe and the Fixlist.txt on a USB from a clean computer.



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 06 January 2018 - 09:55 AM

Good. Now, try to boot in the Windows RE, and see if it works. Make sure to insert the USB in the infected computer only when you are in the Windows RE.



#11 forevergent777

forevergent777
  • Topic Starter

  • Members
  • 24 posts

Posted 06 January 2018 - 12:10 PM

I can't boot in the Windows RE.  I've tried the options you linked me for the Windows RE/Advanced Boot, but the same thing I described a few posts ago keeps happening (black screen and the flash of the Safe Mode option screen before resuming restart).  In fact, just now, I can't even access Update and Security in my Settings menu.  Instead, it freezes.



#12 forevergent777

forevergent777
  • Topic Starter

  • Members
  • 24 posts

Posted 06 January 2018 - 03:08 PM

Ok, so what I managed to do instead was access System Configuration using WinKey+R, type in msconfig, and open the System Configuration window.  Using that, I changed the Boot Option to Safe Boot.  From there, I was able to use the Command Prompt to run the FRST64 program and the Fixlist.  Looking at the Fixlist, I can see that it at least found the folders in the Appdata/Local folder that is the source of the problem (because I couldn't and still can't delete them since I'm denied access, even though I'm the Administrator).  However, it was unable to get rid of those folders.


Here's the fixlog.  Please let me know what else I can do because I'm still unable to access the Windows RE.




#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 06 January 2018 - 08:51 PM

The fix won't go through completely in Safe Mode, hence why running it in the Windows RE is necessary. Can you run the batch file below with Admin Rights? It should make your computer reboot in the Windows RE.

https://malwarebytes.app.box.com/s/cfblhjw2uvf0gaao88nt7jm6owm3ysox

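The batch file Aura links is not reproduced on the page. The script below is an added example of what an administrator would typically script for the same purpose, written for this thread and not the linked file: it checks that it is elevated, prints the Windows RE status and the BCD recovery settings so they can be pasted into a reply, tries to enable WinRE if it is disabled, and only then restarts into the Advanced startup menu with shutdown /r /o. The filename check-winre.cmd is assumed. It does not replace the FRST fix; it only helps get into the Recovery Environment where that fix has to run.

```batch
@echo off
rem check-winre.cmd (assumed name). Added example for this thread, not the
rem batch file linked above. Run from normal mode with Admin Rights
rem (right-click, Run as administrator).
setlocal

rem 1. reagentc, bcdedit and shutdown /o all need an elevated prompt.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run with Admin Rights.
    exit /b 1
)

rem 2. Show the Windows RE status and the recovery-related BCD entries.
rem    A "Windows RE status: Disabled" line, or a missing WinRE image
rem    location, explains why Shift+Restart falls through to a normal boot.
echo === Windows RE status ===
reagentc /info
echo === BCD recovery settings for the default boot entry ===
bcdedit /enum {default} | findstr /i "recoveryenabled recoverysequence bootmenupolicy"

rem 3. If WinRE is disabled, try to re-enable it. This only succeeds when
rem    Winre.wim is still present (recovery partition or
rem    \Windows\System32\Recovery); otherwise installation or recovery media
rem    is the remaining option, as Aura asks about further down the thread.
reagentc /info | findstr /i /c:"Windows RE status" | findstr /i "Disabled" >nul
if not errorlevel 1 (
    echo Windows RE is disabled, attempting to enable it...
    reagentc /enable
    if errorlevel 1 (
        echo reagentc could not enable Windows RE.
        exit /b 1
    )
)

rem 4. Ask before restarting straight into the Advanced startup menu.
set /p CONFIRM=Restart into the Recovery Environment now? [y/N] 
if /i not "%CONFIRM%"=="y" exit /b 0
shutdown /r /o /t 0
```

If the machine still comes back to the sign-in screen after this, the reagentc and bcdedit output captured in step 2 is the part worth posting, since it shows whether WinRE was ever reachable from the installed system.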


#14 forevergent777

forevergent777
  • Topic Starter

  • Members
  • 24 posts

Posted 06 January 2018 - 11:13 PM

I've just tried to run this through the normal mode (not Safe Mode).  I right-clicked and ran the file with Admin Rights, followed the instructions regarding consent to reboot to Windows RE, but it only functioned like a regular restart.



#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 07 January 2018 - 10:14 AM

Do you have a Windows installation or recovery media?





