
vmxclient


133 replies to this topic

#1 originaljgf


Posted 29 January 2018 - 05:25 PM

I shall try not to be too prolix but want to be thorough.

 

System is a Dell Inspiron laptop purchased at a yard sale a couple of weeks back (to use while rebuilding my main system, which ate its mobo); the owner had wiped the HD and reinstalled W7 Ultimate, and he let me take it in the house and check it out (it has no battery). Everything worked, no problems going online, Task Manager showed nothing unusual, the System page said Windows was "genuine" (didn't want one of those phone calls to MS begging for an activation code). Once home I installed Kaspersky and disabled Defender, installed Firefox with my usual plugins/add-ons, Teracopy, and Foxit PDF reader. All was well for a few days, then Firefox became exceedingly sluggish, to the point of often showing "not responding". The only visible clue I had was that occasionally, when loading a new site (not a new page on a site already loaded), I would get a brief glimpse of a different page loading before the one I wanted, too brief to tell more than a white background with large black script font - "Shopper Spy", "Shopping Spy", or similar. But Task Manager was the giveaway; in Programs was Firefox and two instances of "client" (without quotes). And under Processes is:

 

lsrkgnc.exe, description - "print driver host" (1.5meg RAM, never see any cpu usage)

usigvkw.exe, description - "usigvkw.exe" (824k RAM, never see any cpu usage)

wikuapesvc.exe, description blank (6.4meg RAM, never see any cpu usage)

and 2-6 instances of msirblu.exe, description - "Windows Process Manager"

 

Without the browser running, msirblu.exe always has at least two instances running, using 1-30meg RAM and 2-20% cpu usage each (usually around 0-7%cpu);  four other instances, with similar RAM and cpu stats, randomly appear and disappear.  With the browser running there are always six instances of msirblu running, with five averaging 70meg RAM each and cpu 0-30%, and one instance using around 200meg RAM and cpu 20-50%.

 

Any attempt to kill any of these at any time gets an immediate "Access Denied".  Right click on them in processes and select properties shows wikuapesvc resides in System32, the other three files are in folders with the same names as their respective files in AppData.  In addition, properties/details for usigvkw.exe shows "Copyright 2000-2017 Plot Soft SMARTSOFT".  Any attempt to access the files or folders, left click or right click, gets an immediate "Access Denied".

 

What I have tried:

 

-Kaspersky, Loaris Trojan Remover, Malwarebytes Anti-Rootkit, McAfee Anti-Rootkit, all find nothing.

-RKill followed by AdwCleaner found nothing.

-eXplorer apparently did nothing (ran a small window for about a minute, then nothing).

-used Unlocker to try to delete the files at next boot, nothing happened

-Hitman does nothing, a couple of seconds hourglass cursor, no more.

-Malwarebytes gets about 70% through a full scan then BSOD, when windows restarts Malwarebytes will no longer run (uninstalling and reinstalling Malwarebytes gets the same result).

-Comodo Cleaning Essentials will not run, neither from normal, aggressive, or CMD;  get hourglass cursor for a couple of seconds then nothing.

-booting from flashdrive with Puppy/Linux to try deleting files;  accessing the HD gets this message:

 

"The NTFS-3g driver was unable to mount the NTFS partition and returned this error message:

Failed to write lock 'dev/sda2': Resource temporarily unavailable

Error opening 'dev/sda2': Resource temporarily unavailable

Failed to mount 'dev/sda2': Resource temporarily unavailable

 

So, the inbuilt kernel NTFS driver has been used to mount the partition read-only."

 

The Puppy forums recommended I try a newer version of Puppy, downloaded that and created another bootable flashdrive (both on a different computer).  Same results.

 

(continued)


Edited by Orange Blossom, 29 January 2018 - 08:48 PM.
Moved to log forum. ~ OB


 


#2 originaljgf


Posted 29 January 2018 - 05:31 PM

This morning while waiting for Firefox to load I checked Task Manager and saw "vmxclient" instead of just "client" (within a few seconds it had reverted to the latter).  Aha!  a name!  First hit on that search brought me here  - https://www.bleepingcomputer.com/virus-removal/remove-winvmx-client-and-vmxclient.exe-pup/

 

 

You can see I've done many of those things, though not in that order.  Since some of that software will not currently run on this system, have you other suggestions?  (System is functional, I'm using it now;  this malware is obviously more annoying than destructive, but has barricaded itself quite well.)


Edited by originaljgf, 29 January 2018 - 05:34 PM.


#3 JSntgRvr (Malware Response Team)

Posted 29 January 2018 - 07:55 PM

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)
  • Let's begin... :)

    The first thing you will need is a non-infected computer to download FRST.exe (FRST64.exe if x64bit) to a flash drive

    Here is the link for Farbar Recovery Scan Tool.

    The file must be downloaded and saved to a flash drive on a non-infected computer. Do not insert the USB flash drive in the infected computer until you have reached the Recovery Environment command prompt.

    Boot to the Recovery Environment
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
  • Restart the computer
  • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
  • Use the arrow keys to select Repair your computer, and press on Enter
  • Select your keyboard layout (US, French, etc.) and click on Next
  • Log on with your user name and, in the next screen,
  • Click on Command Prompt to open the command prompt

Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.

  • Once in the command prompt, Insert the USB flash drive with Frst.exe (Frst64.exe if x64bit) in it.
  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for it to complete
  • A log called frst.txt will be saved on your USB Flash Drive. Post it in your next reply

If you are able to run Frst.exe (Frst64.exe) to the end:

 

Please download Malwarebytes to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Once the program has fully updated, Proceed with the Scan options and select "Threat Scan".
  • The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.

[Screenshot: Malwarebytes scan methods screen]

  • After a scan has been executed, scan results are displayed.
  • Put a checkmark on all detected and click on "Quarantine Selected"
  • Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.

You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.

 

Reports needed:

 

FRST.txt

MBAM report


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 originaljgf


Posted 30 January 2018 - 12:54 PM

Thanks for your time.  No hurry, system is functional, just sluggish online (I'm using it now);  but I certainly do not want to proceed with any new software installs til we clear this issue.  I do have a backup system, old but serviceable (and malware free), so we're good there.

 

First question - when I get to the install Malwarebytes stage, is this still in Recovery Environment?



#5 JSntgRvr


Posted 30 January 2018 - 06:15 PM

No. Once FRST has run, boot in normal mode and run Malwarebytes.



#6 originaljgf


Posted 31 January 2018 - 12:52 PM

No recovery options in boot menu on my system (F12, btw).  Tried to create recovery disc, progress bar goes about half way, there's perhaps 15 seconds of CD drive activity,  nothing happens for a couple of minutes, then this message:

 

System repair disc could not be created

Incorrect function (0x80070001)



#7 JSntgRvr


Posted 31 January 2018 - 03:55 PM

That is Windows 7. The Repair My Computer option should be part of the Advanced Menu when tapping F8 at startup.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as RunMe.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, right click on the RunMe.bat file and select Run as Administrator.

@echo Off
rem Work from the folder the batch file was saved in (the desktop)
cd /d %~dp0
Color 1F
rem Re-enable the Recovery Environment entry and the boot menu (requires an elevated prompt)
bcdedit.exe /set {current} recoveryenabled Yes
bcdedit.exe /set {bootmgr} displaybootmenu Yes
rem Collect the loaded minifilter instances, the kernel driver folder listing and the active control set
fltmc instances >Report.txt
Dir /a C:\Windows\System32\Drivers >>Report.txt
Reg query "HKLM\SYSTEM\Select" >>Report.txt
Start Report.txt
Exit


Please post the Report.txt that will be created on your desktop, and retry the Recovery Environment Tapping on F8 and selecting Repair My Computer. If successful, run FRST64.



#8 originaljgf


Posted 31 January 2018 - 07:29 PM

Report.txt:

 

Filter                Volume Name                              Altitude        Instance Name      Frame  VlStatus
--------------------  -------------------------------------  ------------  ---------------------  -----  --------
KLIF                  \Device\Mup                             320400       KLIF                     0    
KLIF                  C:                                      320400       KLIF                     0    
KLIF                                                          320400       KLIF                     0    
luafv                 C:                                      135000       luafv                    0    
klbackupflt           C:                                      100800       klbackupflt              0    
klbackupflt                                                   100800       klbackupflt              0    
oruybe                C:                                       45888       oruybe Instance          0    
oruybe                                                         45888       oruybe Instance          0    
tmhvlcgb              \Device\Mup                              45666       tmhvlcgb Instance        0    
tmhvlcgb              C:                                       45666       tmhvlcgb Instance        0    
FileInfo              \Device\Mup                              45000       FileInfo                 0    
FileInfo              C:                                       45000       FileInfo                 0    
FileInfo                                                       45000       FileInfo                 0    
 Volume in drive C has no label.
 Volume Serial Number is 4C47-F424

 Directory of C:\Windows\System32\Drivers

01/31/2018  12:31 PM    <DIR>          .
01/31/2018  12:31 PM    <DIR>          ..
07/13/2009  06:51 PM            54,784 1394bus.sys
07/13/2009  06:52 PM           163,328 1394ohci.sys
07/13/2009  08:26 PM           274,496 acpi.sys
07/13/2009  06:16 PM             9,728 acpipmi.sys
07/13/2009  08:26 PM           422,976 adp94xx.sys
07/13/2009  08:26 PM           297,552 adpahci.sys
07/13/2009  08:26 PM           146,512 adpu320.sys
07/13/2009  06:12 PM           338,944 afd.sys
07/13/2009  06:55 PM            49,152 agilevpn.sys
07/13/2009  08:26 PM            53,312 AGP440.sys
07/13/2009  08:26 PM            14,400 aliide.sys
07/13/2009  08:26 PM            53,312 AMDAGP.SYS
07/13/2009  08:26 PM            14,912 amdide.sys
07/13/2009  06:11 PM            55,296 amdk8.sys
07/13/2009  06:11 PM            52,736 amdppm.sys
07/13/2009  08:26 PM            79,952 amdsata.sys
07/13/2009  08:26 PM           159,312 amdsbs.sys
07/13/2009  08:26 PM            23,616 amdxata.sys
07/13/2009  06:36 PM            50,176 appid.sys
07/13/2009  08:26 PM            76,368 arc.sys
07/13/2009  08:26 PM            86,608 arcsas.sys
07/13/2009  06:54 PM            17,920 asyncmac.sys
07/13/2009  08:26 PM            21,584 atapi.sys
07/13/2009  08:26 PM           133,200 ataport.sys
07/13/2009  05:02 PM           229,888 b57nd60x.sys
07/13/2009  08:26 PM            25,168 battc.sys
07/13/2009  05:02 PM            46,080 bcm4sbxp.sys
07/13/2009  06:45 PM             6,144 beep.sys
07/13/2009  06:23 PM            35,328 blbdrive.sys
07/13/2009  06:14 PM            69,632 bowser.sys
07/13/2009  05:53 PM            13,568 BrFiltLo.sys
07/13/2009  05:53 PM             5,248 BrFiltUp.sys
07/13/2009  07:41 PM            78,336 bridge.sys
07/13/2009  07:57 PM           272,128 BrSerId.sys
07/13/2009  05:53 PM            62,336 BrSerWdm.sys
07/13/2009  05:53 PM            12,160 BrUsbMdm.sys
07/13/2009  05:53 PM            11,904 BrUsbSer.sys
07/13/2009  06:51 PM            34,816 bthenum.sys
07/13/2009  06:51 PM            56,320 bthmodem.sys
07/13/2009  06:51 PM            93,696 bthpan.sys
07/13/2009  06:51 PM           392,704 bthport.sys
07/13/2009  06:51 PM            58,880 BTHUSB.SYS
07/13/2009  05:02 PM           430,080 bxvbdx.sys
07/13/2009  06:11 PM            70,656 cdfs.sys
07/13/2009  06:11 PM           108,544 cdrom.sys
07/13/2009  06:51 PM            37,888 circlass.sys
07/13/2009  08:26 PM           140,864 Classpnp.sys
07/13/2009  06:19 PM            14,080 CmBatt.sys
07/13/2009  08:26 PM            15,952 cmdide.sys
12/26/2016  11:27 PM           176,864 cm_km.sys
07/13/2009  08:17 PM           369,568 cng.sys
07/13/2009  08:26 PM            19,024 compbatt.sys
07/13/2009  06:45 PM            31,232 CompositeBus.sys
07/13/2009  08:20 PM            35,408 crashdmp.sys
07/13/2009  08:20 PM            22,096 crcdisk.sys
07/13/2009  06:15 PM           387,584 csc.sys
01/31/2018  12:28 PM           113,488 csefilos.sys
07/13/2009  06:14 PM            78,336 dfsc.sys
07/13/2009  06:24 PM            32,256 discache.sys
07/13/2009  08:20 PM            57,424 disk.sys
07/13/2009  08:20 PM            26,688 Diskdump.sys
07/13/2009  08:20 PM            70,720 djsvs.sys
07/13/2009  07:41 PM            80,896 drmk.sys
07/13/2009  06:50 PM             5,120 drmkaud.sys
07/13/2009  08:20 PM            26,704 Dumpata.sys
07/13/2009  08:17 PM            55,584 dumpfve.sys
07/13/2009  06:25 PM            13,312 dxapi.sys
07/13/2009  06:25 PM            76,288 dxg.sys
07/13/2009  06:26 PM           720,896 dxgkrnl.sys
07/13/2009  06:25 PM           211,968 dxgmms1.sys
07/13/2009  08:20 PM           453,712 elxstor.sys
07/13/2009  11:56 PM    <DIR>          en-US
07/13/2009  06:19 PM             7,168 errdev.sys
07/13/2009  09:37 PM    <DIR>          etc
07/13/2009  05:02 PM         3,100,160 evbdx.sys
07/13/2009  06:14 PM           142,336 exfat.sys
07/13/2009  06:14 PM           148,480 fastfat.sys
07/13/2009  06:45 PM            25,088 fdc.sys
07/13/2009  08:20 PM            58,448 fileinfo.sys
07/13/2009  06:15 PM            28,160 filetrace.sys
07/13/2009  06:45 PM            19,968 flpydisk.sys
07/13/2009  08:20 PM           198,208 fltMgr.sys
07/13/2009  08:20 PM            46,160 fsdepends.sys
07/13/2009  08:20 PM            19,536 fs_rec.sys
07/13/2009  08:17 PM           194,488 fvevol.sys
07/13/2009  08:20 PM           187,472 FWPKCLNT.SYS
07/13/2009  08:20 PM            57,936 GAGP30KX.SYS
06/10/2009  04:14 PM         3,440,660 gm.dls
06/10/2009  04:14 PM               646 gmreadme.txt
07/13/2009  05:54 PM            26,624 hcw85cir.sys
07/13/2009  06:50 PM           108,544 hdaudbus.sys
07/13/2009  06:51 PM           304,128 HdAudio.sys
07/13/2009  06:19 PM            21,504 hidbatt.sys
07/13/2009  06:51 PM            91,136 hidbth.sys
07/13/2009  06:51 PM            55,808 hidclass.sys
07/13/2009  06:51 PM            37,888 hidir.sys
07/13/2009  06:51 PM            25,728 hidparse.sys
07/13/2009  06:51 PM            24,064 hidusb.sys
07/13/2009  08:20 PM            67,152 HpSAMD.sys
07/13/2009  06:12 PM           513,024 http.sys
07/13/2009  08:20 PM            13,904 hwpolicy.sys
07/13/2009  06:11 PM            80,896 i8042prt.sys
07/13/2009  08:20 PM           332,352 iaStorV.sys
07/13/2009  08:20 PM            41,040 iirsp.sys
07/13/2009  08:20 PM            15,424 intelide.sys
07/13/2009  06:11 PM            53,760 intelppm.sys
07/13/2009  06:54 PM            58,880 ipfltdrv.sys
07/13/2009  06:30 PM            65,536 IPMIDrv.sys
07/13/2009  06:54 PM           101,888 ipnat.sys
07/13/2009  06:53 PM            96,768 irda.sys
07/13/2009  06:53 PM            13,824 irenum.sys
07/13/2009  08:20 PM            46,656 isapnp.sys
07/13/2009  08:20 PM            42,576 kbdclass.sys
07/13/2009  06:45 PM            28,160 kbdhid.sys
10/01/2016  05:26 AM           165,296 kl1.sys
12/25/2017  11:31 AM            62,184 klbackupdisk.sys
12/25/2017  11:31 AM            97,512 klbackupflt.sys
06/01/2016  02:24 AM            69,000 kldisk.sys
01/23/2018  03:25 AM           164,056 klflt.sys
01/23/2018  03:25 AM           229,592 klhk.sys
01/23/2018  03:25 AM           835,264 klif.sys
10/11/2016  05:14 PM            49,744 klim6.sys
12/23/2016  12:19 PM            50,400 klkbdflt.sys
12/07/2016  12:38 PM            51,424 klmouflt.sys
12/25/2017  11:31 AM            45,552 klpd.sys
06/07/2016  04:31 AM            48,056 kltap.sys
12/25/2017  11:31 AM            75,760 kltdi.sys
12/25/2017  11:31 AM           120,544 klwtp.sys
12/25/2017  11:31 AM           165,088 kneps.sys
07/13/2009  06:45 PM           190,976 ks.sys
07/13/2009  08:20 PM            67,664 ksecdd.sys
07/13/2009  08:20 PM           133,200 ksecpkg.sys
07/13/2009  06:53 PM            48,128 lltdio.sys
07/13/2009  08:20 PM            95,824 lsi_fc.sys
07/13/2009  08:20 PM            89,168 lsi_sas.sys
07/13/2009  08:20 PM            54,864 lsi_sas2.sys
07/13/2009  08:20 PM            96,848 lsi_scsi.sys
07/13/2009  06:15 PM            86,528 luafv.sys
07/13/2009  06:45 PM            18,432 mcd.sys
07/13/2009  08:20 PM            30,800 megasas.sys
07/13/2009  08:20 PM           235,584 MegaSR.sys
07/13/2009  06:55 PM            31,744 modem.sys
07/13/2009  06:25 PM            23,552 monitor.sys
07/13/2009  08:20 PM            41,552 mouclass.sys
07/13/2009  06:45 PM            26,112 mouhid.sys
07/13/2009  08:20 PM            78,416 mountmgr.sys
07/13/2009  08:20 PM           130,624 mpio.sys
07/13/2009  06:52 PM            60,416 mpsdrv.sys
07/13/2009  06:14 PM           115,712 mrxdav.sys
07/13/2009  06:14 PM           123,392 mrxsmb.sys
07/13/2009  06:14 PM           221,184 mrxsmb10.sys
07/13/2009  06:14 PM            95,744 mrxsmb20.sys
07/13/2009  08:20 PM            27,712 msahci.sys
07/13/2009  08:20 PM           115,792 msdsm.sys
07/13/2009  06:11 PM            22,528 msfs.sys
06/10/2009  04:27 PM                 3 MsftWdf_Kernel_01009_Inbox_Critical.Wdf
01/23/2018  02:17 AM                 0 Msft_User_WpdFs_01_09_00.Wdf
07/13/2009  06:51 PM             4,096 mshidkmdf.sys
07/13/2009  08:20 PM            13,888 msisadrv.sys
07/13/2009  08:20 PM           186,960 msiscsi.sys
07/13/2009  06:45 PM             8,320 mskssrv.sys
07/13/2009  06:45 PM             5,888 mspclock.sys
07/13/2009  06:45 PM             5,504 mspqm.sys
07/13/2009  08:20 PM           162,896 msrpc.sys
07/13/2009  08:20 PM            28,240 mssmbios.sys
07/13/2009  06:45 PM             6,144 mstee.sys
07/13/2009  06:46 PM            12,288 MTConfig.sys
07/13/2009  08:20 PM            49,728 mup.sys
07/13/2009  08:20 PM           710,720 ndis.sys
07/13/2009  06:52 PM            27,136 ndiscap.sys
07/13/2009  06:54 PM            20,992 ndistapi.sys
07/13/2009  06:53 PM            45,568 ndisuio.sys
07/13/2009  06:54 PM           118,784 ndiswan.sys
07/13/2009  06:54 PM            48,128 ndproxy.sys
07/13/2009  06:53 PM            36,352 netbios.sys
07/13/2009  06:12 PM           187,904 netbt.sys
07/13/2009  08:20 PM           240,208 netio.sys
07/13/2009  05:02 PM         4,231,168 netw5v32.sys
07/13/2009  08:20 PM            44,624 nfrd960.sys
07/13/2009  06:11 PM            35,328 npfs.sys
07/13/2009  06:12 PM            16,896 nsiproxy.sys
07/13/2009  08:20 PM         1,210,432 ntfs.sys
07/13/2009  06:11 PM             4,608 null.sys
09/05/2013  05:38 AM         9,253,664 nvlddmkm.sys
07/13/2009  08:20 PM           117,312 nvraid.sys
07/13/2009  08:20 PM           142,416 nvstor.sys
07/13/2009  08:20 PM           105,024 NV_AGP.SYS
07/13/2009  06:52 PM           267,264 nwifi.sys
07/13/2009  06:51 PM            62,464 ohci1394.sys
07/13/2009  06:53 PM           104,448 pacer.sys
07/13/2009  06:45 PM            79,360 parport.sys
07/13/2009  08:20 PM            56,912 partmgr.sys
07/13/2009  06:45 PM             8,704 parvdm.sys
07/13/2009  08:20 PM           153,680 pci.sys
07/13/2009  08:20 PM            12,368 pciide.sys
07/13/2009  08:19 PM            42,560 pciidex.sys
07/13/2009  08:19 PM           180,288 pcmcia.sys
07/13/2009  08:19 PM            43,088 pcw.sys
07/13/2009  07:41 PM           586,752 PEAuth.sys
07/13/2009  06:51 PM           177,152 portcls.sys
07/13/2009  06:11 PM            52,224 processr.sys
07/13/2009  08:19 PM         1,383,488 ql2300.sys
07/13/2009  08:19 PM           106,064 ql40xx.sys
07/13/2009  06:54 PM            31,744 qwavedrv.sys
07/13/2009  06:54 PM            11,776 rasacd.sys
07/13/2009  06:54 PM            78,848 rasl2tp.sys
07/13/2009  06:54 PM            77,824 raspppoe.sys
07/13/2009  06:54 PM            73,728 raspptp.sys
07/13/2009  06:54 PM            75,264 rassstp.sys
07/13/2009  06:14 PM           241,664 rdbss.sys
07/13/2009  07:02 PM            18,944 rdpbus.sys
07/13/2009  07:01 PM             6,656 RDPCDD.sys
07/13/2009  07:02 PM           133,120 rdpdr.sys
07/13/2009  07:01 PM             6,656 RDPENCDD.sys
07/13/2009  07:01 PM             7,168 RDPREFMP.sys
07/13/2009  07:01 PM           177,152 rdpwd.sys
07/13/2009  08:19 PM           173,648 rdyboost.sys
07/13/2009  06:51 PM           129,536 rfcomm.sys
11/14/2006  08:35 PM            37,376 rixdptsk.sys
07/13/2009  06:53 PM           117,248 rmcast.sys
07/13/2009  06:54 PM            33,280 RNDISMP.sys
07/13/2009  06:55 PM             8,192 rootmdm.sys
07/13/2009  06:53 PM            60,928 rspndr.sys
07/13/2009  08:19 PM            85,568 sbp2port.sys
07/13/2009  06:33 PM            26,624 scfilter.sys
07/13/2009  08:19 PM           140,368 scsiport.sys
10/09/2009  09:31 PM            84,992 sdbus.sys
07/13/2009  03:50 PM            20,480 secdrv.sys
07/13/2009  06:45 PM            17,920 serenum.sys
07/13/2009  06:45 PM            83,456 serial.sys
07/13/2009  06:45 PM            19,968 sermouse.sys
07/13/2009  06:45 PM            11,264 sffdisk.sys
07/13/2009  06:45 PM            12,288 sffp_mmc.sys
10/09/2009  09:57 PM            12,800 sffp_sd.sys
07/13/2009  06:45 PM            13,824 sfloppy.sys
07/13/2009  08:19 PM            52,304 SISAGP.SYS
07/13/2009  08:19 PM            40,016 sisraid2.sys
07/13/2009  08:19 PM            77,888 sisraid4.sys
07/13/2009  06:53 PM            71,168 smb.sys
07/13/2009  06:45 PM            17,408 smclib.sys
07/13/2009  08:19 PM            17,472 spldr.sys
07/13/2009  03:34 PM           405,504 spsys.sys
12/08/2009  03:05 AM           310,784 srv.sys
07/13/2009  06:14 PM           306,688 srv2.sys
12/08/2009  03:05 AM           113,664 srvnet.sys
07/13/2009  08:19 PM            21,072 stexstor.sys
07/13/2009  08:19 PM           144,960 storport.sys
07/13/2009  08:19 PM            28,224 storvsc.sys
07/13/2009  06:50 PM            53,632 stream.sys
07/13/2009  08:19 PM            12,240 swenum.sys
07/13/2009  06:45 PM            24,576 tape.sys
07/13/2009  08:19 PM         1,285,712 tcpip.sys
07/13/2009  06:54 PM            34,816 tcpipreg.sys
07/13/2009  06:12 PM            20,992 tdi.sys
07/13/2009  07:01 PM            17,920 tdpipe.sys
07/13/2009  07:01 PM            24,064 tdtcp.sys
07/13/2009  06:12 PM            74,240 tdx.sys
07/13/2009  08:19 PM            51,776 termdd.sys
07/13/2009  07:01 PM            30,208 tssecsrv.sys
07/13/2009  06:54 PM           108,544 tunnel.sys
07/13/2009  08:19 PM            55,888 UAGP35.SYS
07/13/2009  06:14 PM           246,784 udfs.sys
07/13/2009  08:19 PM            57,424 ULIAGPKX.SYS
07/13/2009  06:51 PM            39,936 umbus.sys
01/23/2018  02:17 AM    <DIR>          UMDF
07/13/2009  06:51 PM             8,192 umpass.sys
07/13/2009  06:54 PM            15,872 usb8023.sys
07/13/2009  06:51 PM            25,856 USBCAMD.sys
07/13/2009  06:51 PM            25,856 USBCAMD2.sys
07/13/2009  06:51 PM            75,264 usbccgp.sys
07/13/2009  06:51 PM            86,016 usbcir.sys
07/13/2009  06:51 PM             5,888 usbd.sys
07/13/2009  06:51 PM            41,472 usbehci.sys
07/13/2009  06:52 PM           258,560 usbhub.sys
07/13/2009  06:51 PM            20,480 usbohci.sys
07/13/2009  06:51 PM           284,160 usbport.sys
07/13/2009  07:17 PM            19,968 usbprint.sys
07/13/2009  07:14 PM            26,112 usbrpm.sys
07/13/2009  06:51 PM            74,752 USBSTOR.SYS
07/13/2009  06:51 PM            24,064 usbuhci.sys
07/13/2009  06:51 PM           146,176 usbvideo.sys
07/13/2009  08:19 PM            32,832 vdrvroot.sys
07/13/2009  06:25 PM            25,088 vga.sys
07/13/2009  06:25 PM            26,112 vgapnp.sys
07/13/2009  08:19 PM           159,824 vhdmp.sys
07/13/2009  08:19 PM            53,328 VIAAGP.SYS
07/13/2009  06:11 PM            52,736 viac7.sys
07/13/2009  08:19 PM            16,976 viaide.sys
07/13/2009  06:25 PM           111,616 videoprt.sys
07/13/2009  08:19 PM           175,824 vmbus.sys
07/13/2009  06:28 PM            17,920 VMBusHID.sys
07/13/2009  06:28 PM             5,632 vms3cap.sys
07/13/2009  08:19 PM            40,896 vmstorfl.sys
07/13/2009  08:19 PM            53,312 volmgr.sys
07/13/2009  08:19 PM           297,040 volmgrx.sys
07/13/2009  08:19 PM           245,328 volsnap.sys
07/13/2009  08:19 PM           141,904 vsmraid.sys
07/13/2009  05:13 PM           207,360 VSTAZL3.SYS
07/13/2009  05:13 PM           661,504 VSTCNXT3.SYS
07/13/2009  05:13 PM           980,992 VSTDPV3.SYS
06/10/2009  04:40 PM           146,036 VSTProf.cty
07/13/2009  06:52 PM            19,968 vwifibus.sys
07/13/2009  06:52 PM            48,128 vwififlt.sys
07/13/2009  06:52 PM            14,336 vwifimp.sys
07/13/2009  06:46 PM            21,632 wacompen.sys
07/13/2009  06:55 PM            63,488 wanarp.sys
07/13/2009  06:24 PM            35,328 watchdog.sys
07/13/2009  08:19 PM            19,024 wd.sys
07/13/2009  08:19 PM           445,008 Wdf01000.sys
07/13/2009  08:19 PM            38,480 WdfLdr.sys
07/13/2009  06:53 PM             9,728 wfplwf.sys
07/13/2009  08:19 PM            19,008 wimmount.sys
07/13/2009  08:20 PM            43,600 winhv.sys
07/13/2009  06:19 PM            11,264 wmiacpi.sys
07/13/2009  08:19 PM            14,912 wmilib.sys
07/13/2009  06:55 PM            16,384 ws2ifsl.sys
07/13/2009  06:50 PM            92,672 WUDFPf.sys
07/13/2009  06:50 PM           132,224 WUDFRd.sys
             315 File(s)     54,282,265 bytes
               5 Dir(s)  63,401,287,680 bytes free

HKEY_LOCAL_MACHINE\SYSTEM\Select
    Current    REG_DWORD    0x1
    Default    REG_DWORD    0x1
    Failed    REG_DWORD    0x0
    LastKnownGood    REG_DWORD    0x2
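As an added example (not code from this thread or any of its participants), here is a Python triage script for the kind of Report.txt that the RunMe.bat above produces and that is posted in this reply: it flags fltmc filter instances that are not on a known-good list, reports the Microsoft-documented load-order group of their altitude, checks whether a driver file of the same name exists in the listing, and lists recently modified .sys files. The sample input is a constructed excerpt of the posted report; the known-good filter list and the "kl" Kaspersky prefix are assumptions.

```python
"""Triage a Report.txt of the kind RunMe.bat produces: unknown fltmc filters,
their altitude group, missing driver files, and recently modified .sys files.
Sample input is a constructed excerpt of the report posted in the thread."""
import re
from datetime import datetime, timedelta

# Constructed excerpt of the posted Report.txt (fltmc table + part of the dir listing).
REPORT = r"""
Filter                Volume Name                              Altitude        Instance Name      Frame  VlStatus
--------------------  -------------------------------------  ------------  ---------------------  -----  --------
KLIF                  \Device\Mup                             320400       KLIF                     0
KLIF                  C:                                      320400       KLIF                     0
luafv                 C:                                      135000       luafv                    0
klbackupflt           C:                                      100800       klbackupflt              0
oruybe                C:                                       45888       oruybe Instance          0
tmhvlcgb              \Device\Mup                              45666       tmhvlcgb Instance        0
FileInfo              C:                                       45000       FileInfo                 0
 Volume in drive C has no label.
 Directory of C:\Windows\System32\Drivers

01/31/2018  12:31 PM    <DIR>          .
01/31/2018  12:28 PM           113,488 csefilos.sys
01/23/2018  03:25 AM           835,264 klif.sys
07/13/2009  06:15 PM            86,528 luafv.sys
01/23/2018  02:17 AM                 0 Msft_User_WpdFs_01_09_00.Wdf
             315 File(s)     54,282,265 bytes
"""

# Assumed known-good: FileInfo/luafv ship with Windows 7; KLIF/klbackupflt are Kaspersky's.
KNOWN_FILTERS = {"fileinfo", "luafv", "klif", "klbackupflt"}

# Microsoft's documented minifilter load-order groups for the altitude ranges seen here.
ALTITUDE_GROUPS = (
    (40000, 49999, "FSFilter Bottom"),
    (100000, 109999, "FSFilter Continuous Backup"),
    (130000, 139999, "FSFilter Virtualization"),
    (320000, 329999, "FSFilter Anti-Virus"),
)

# One row of the 'fltmc instances' table; the volume column may be empty.
FILTER_RE = re.compile(r"^(?P<name>\S+)\s+(?:(?P<vol>\\Device\\\S+|[A-Za-z]:)\s+)?"
                       r"(?P<alt>\d{5,6})\s+(?P<inst>.+?)\s+(?P<frame>\d+)\s*$")
# One regular-file row of the 'dir' listing (<DIR> rows have no numeric size).
DRIVER_RE = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M)\s+"
                       r"(?P<size>[\d,]+)\s+(?P<file>\S.*?)\s*$")

def altitude_group(altitude):
    """Map an altitude to its load-order group, or 'unknown range'."""
    for low, high, group in ALTITUDE_GROUPS:
        if low <= altitude <= high:
            return group
    return "unknown range"

def parse_filter_instances(report):
    """Return (name, altitude, volume) tuples from the fltmc table."""
    rows, in_table = [], False
    for line in report.splitlines():
        if line.startswith("----"):      # separator under the column headers
            in_table = True
            continue
        if in_table:
            m = FILTER_RE.match(line)
            if not m:                    # first non-row line ends the table
                break
            rows.append((m["name"], int(m["alt"]), m["vol"] or ""))
    return rows

def parse_drivers(report):
    """Return {filename: (modified, size)} for regular files in the dir listing."""
    drivers = {}
    for m in filter(None, map(DRIVER_RE.match, report.splitlines())):
        when = datetime.strptime(" ".join(m["date"].split()), "%m/%d/%Y %I:%M %p")
        drivers[m["file"]] = (when, int(m["size"].replace(",", "")))
    return drivers

def unknown_filters(report, known=KNOWN_FILTERS):
    """Filters not on the known-good list, one entry per filter name."""
    out = {}
    for name, altitude, _vol in parse_filter_instances(report):
        if name.lower() not in known and name not in out:
            out[name] = (name, altitude, altitude_group(altitude))
    return list(out.values())

def filters_without_driver_file(report, known=KNOWN_FILTERS):
    """Unknown filters with no <name>.sys in the listing (driver file named differently)."""
    files = {f.lower() for f in parse_drivers(report)}
    return [n for n, _a, _g in unknown_filters(report, known)
            if n.lower() + ".sys" not in files]

def recent_drivers(report, report_date, days=30, trusted_prefixes=("kl",)):
    """.sys files changed within `days` before report_date; 'kl' prefix assumed Kaspersky."""
    cutoff = datetime.strptime(report_date, "%m/%d/%Y") - timedelta(days=days)
    return sorted(name for name, (when, _size) in parse_drivers(report).items()
                  if name.lower().endswith(".sys") and when >= cutoff
                  and not name.lower().startswith(trusted_prefixes))
```

On the constructed excerpt the two random-looking filters land in the FSFilter Bottom range next to FileInfo and have no driver file of their own name, while the only recently modified non-Kaspersky driver is csefilos.sys, dated the same day as the report.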
 



#9 JSntgRvr


Posted 31 January 2018 - 08:13 PM

Were you able to run FRST64 in the Recovery Environment?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 originaljgf, Topic Starter (Members)

Posted 01 February 2018 - 05:30 PM

Thought there might be input from that text.  Still no Recovery Environment.  System is Dell; at that point of the boot cycle the Dell logo is on screen with a progress bar and a notice that "F2=setup" (BIOS) and "F12=boot options"; fwiw, boot options are:

-internal HDD
-cd/dvd
-onboard NIC

-BIOS setup
-Diagnostics

F8 does nothing (but causes system beeps if I hit it too often).

Tried again to make repair disk, same result.



#11 JSntgRvr, Master Surgeon General (Malware Response Team)

Posted 01 February 2018 - 05:56 PM

Let's try this version of MBAR.

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds. Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created. Both files can be found in the extracted MBAR folder on your Desktop.
Please attach both files in your next reply.
 




#12 originaljgf, Topic Starter (Members)

Posted 01 February 2018 - 07:41 PM

mbar.log:

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2018.02.01.09
  rootkit: v2018.01.23.01

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
animary :: LAPTOP [administrator]

2/1/2018 7:10:58 PM
mbar-log-2018-02-01 (19-10-58).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 169568
Time elapsed: 17 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\animary\AppData\Local\Temp\2A4B.tmp (Trojan.Yelloader) -> Delete on reboot. [0b020dd38e29fb3b60c5960c70919769]
C:\Users\animary\AppData\Local\Temp\9B08.tmp (Trojan.Yelloader) -> Delete on reboot. [8786924ead0a1620968f2a7818e9cd33]
C:\Users\animary\AppData\Local\Temp\BB4.tmp (Trojan.Yelloader) -> Delete on reboot. [57b6914f1c9bd1656cb91b87c23f748c]
C:\Users\animary\AppData\Local\Temp\FEB9.tmp (Trojan.Yelloader) -> Delete on reboot. [52bb32aef5c2d3630322277b5ca539c7]

Physical Sectors Detected: 0
(No malicious items detected)

(end)

system.log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x86

Account is Administrative

Internet Explorer version: 8.0.7600.16385

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.193000 GHz
Memory total: 2145431552, free: 536813568

Downloaded database version: v2018.02.01.09
Downloaded database version: v2018.01.23.01
Downloaded database version: v2018.01.20.01
=======================================
Initializing...
Driver version: 4.3.0.15
------------ Kernel report ------------
     02/01/2018 19:10:47
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\csezdgjm.sys
\SystemRoot\system32\drivers\FLTMGR.SYS
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\DRIVERS\kl1.sys
\SystemRoot\system32\DRIVERS\ACPI.sys
\SystemRoot\system32\DRIVERS\WMILIB.SYS
\SystemRoot\system32\DRIVERS\msisadrv.sys
\SystemRoot\system32\DRIVERS\pci.sys
\SystemRoot\system32\DRIVERS\vdrvroot.sys
\SystemRoot\system32\DRIVERS\cm_km.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\DRIVERS\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\DRIVERS\intelide.sys
\SystemRoot\system32\DRIVERS\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\klbackupdisk.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\atapi.sys
\SystemRoot\system32\DRIVERS\ataport.SYS
\SystemRoot\system32\DRIVERS\msahci.sys
\SystemRoot\system32\DRIVERS\amdxata.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\vmstorfl.sys
\SystemRoot\system32\DRIVERS\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\drivers\knquxa.sys
\SystemRoot\system32\drivers\svycfi.sys
\SystemRoot\system32\DRIVERS\klhk.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\klbackupflt.sys
\SystemRoot\system32\DRIVERS\klflt.sys
\SystemRoot\system32\DRIVERS\klif.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\klpd.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\kltdi.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\klwtp.sys
\SystemRoot\system32\DRIVERS\klim6.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\kneps.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\netw5v32.sys
\SystemRoot\system32\DRIVERS\bcm4sbxp.sys
\SystemRoot\system32\DRIVERS\1394ohci.sys
\SystemRoot\system32\DRIVERS\sdbus.sys
\SystemRoot\system32\DRIVERS\rixdptsk.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\klmouflt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\klkbdflt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\kltap.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\VSTAZL3.SYS
\SystemRoot\system32\DRIVERS\VSTDPV3.SYS
\SystemRoot\system32\DRIVERS\VSTCNXT3.SYS
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\kldisk.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\34156674.sys
\Windows\System32\ntdll.dll
\Windows\System32\drivers\klhk.sys
\Windows\System32\drivers\klflt.sys
\Windows\System32\drivers\klbackupflt.sys
\Windows\System32\drivers\klif.sys
\Windows\System32\drivers\klpd.sys
\Windows\System32\drivers\kltdi.sys
\Windows\System32\drivers\klwtp.sys
\Windows\System32\drivers\klim6.sys
\Windows\System32\drivers\kneps.sys
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\drivers\nvlddmkm.sys
\Windows\System32\autochk.exe
\Windows\System32\drivers\klmouflt.sys
\Windows\System32\drivers\klkbdflt.sys
\Windows\System32\msvcrt.dll
\Windows\System32\lpk.dll
\Windows\System32\urlmon.dll
\Windows\System32\sechost.dll
\Windows\System32\shell32.dll
\Windows\System32\usp10.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\nsi.dll
\Windows\System32\ole32.dll
\Windows\System32\iertutil.dll
\Windows\System32\normaliz.dll
\Windows\System32\setupapi.dll
\Windows\System32\clbcatq.dll
\Windows\System32\difxapi.dll
\Windows\System32\msctf.dll
\Windows\System32\kernel32.dll
\Windows\System32\advapi32.dll
\Windows\System32\wininet.dll
\Windows\System32\psapi.dll
\Windows\System32\ws2_32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\oleaut32.dll
\Windows\System32\user32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\imm32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\gdi32.dll
\Windows\System32\crypt32.dll
\Windows\System32\devobj.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\comctl32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\wintrust.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
Module: \??\C:\Windows\system32\drivers\csezdgjm.sys could not be loaded
Scan started
Database versions:
  main:    v2018.02.01.09
  rootkit: v2018.01.23.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86d5da78, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86d5d6b8, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff86d5da78, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff868d5908, DeviceName: \Device\Ide\IdeDeviceP1T0L0-2\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
File user open failed: C:\WINDOWS\SYSTEM32\drivers\csezdgjm.sys (0x00000005)
File kernel read failed: C:\WINDOWS\SYSTEM32\drivers\csezdgjm.sys
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 2094749C

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition is bootable
    Partition file system is NTFS

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 156092416
    Partition is not bootable
    Partition file system is NTFS

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

Disk Size: 80026361856 bytes
Sector size: 512 bytes

Done!
Infected: C:\Users\animary\AppData\Local\Temp\2A4B.tmp --> [Trojan.Yelloader]
Infected: C:\Users\animary\AppData\Local\Temp\9B08.tmp --> [Trojan.Yelloader]
Infected: C:\Users\animary\AppData\Local\Temp\BB4.tmp --> [Trojan.Yelloader]
Infected: C:\Users\animary\AppData\Local\Temp\FEB9.tmp --> [Trojan.Yelloader]
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-206848-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 



#13 JSntgRvr, Master Surgeon General (Malware Response Team)

Posted 01 February 2018 - 08:06 PM

I don't believe it was destroyed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.

 




#14 originaljgf, Topic Starter (Members)

Posted 01 February 2018 - 09:13 PM

Yes, still have two instances of "client" in Task Manager - Programs and still have the gibberish-named files in Processes.  But we're making progress (or you are, I'm a long-distance robot, lol).   Have FRST on a flash drive, downloaded earlier on my other system.



#15 JSntgRvr, Master Surgeon General (Malware Response Team)

Posted 01 February 2018 - 09:23 PM

Let me see a FRST64 scan on your computer. Make sure there is a checkmark on the Addition.txt, and post both logs.

 

Which OS is installed on your other system?

