
Infected by Trovi Search and...?


This topic is locked
12 replies to this topic

#1 RadaRada

RadaRada

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 04 March 2018 - 08:22 PM

When trying to surf I get redirected to a Trovi URL, though my Kaspersky warns me before continuing. This is across multiple browsers: Chrome, Firefox, and IE. Also, sometimes the browser won't connect to a site or is unable to, even though I have an internet connection and can use it through other applications. I am unable to open System Restore; even in Safe Mode it doesn't open. I've gotten the blue screen of death a few times, and it actually happened just now, so I had to boot into Safe Mode to make this post again, with it saying System_Service_Exceptions as the reason. I'm not that computer illiterate, so I've just been trying to find a fix through Google. *Looking through the Additions.txt attachment, it does show some malicious sites, but I'm not knowledgeable enough to know what to do to fix them. Here are the logs that came up after the scans:

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 3/4/18
Scan Time: 4:13 PM
Log File: 05464506-200a-11e8-8d65-00ffe11ce7bd.json
Administrator: Yes
 
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.4208
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: RADARADA\Young
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 289962
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 9 min, 47 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
# AdwCleaner 7.0.8.0 - Logfile created on Mon Mar 05 00:28:57 2018
# Updated on 2018/08/02 by Malwarebytes 
# Database: 03-02-2018.1
# Running on Windows 7 Home Premium (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [16705 B] - [2016/9/5 2:49:51]
C:/AdwCleaner/AdwCleaner[C1].txt - [5370 B] - [2018/3/2 5:48:43]
C:/AdwCleaner/AdwCleaner[S0].txt - [17479 B] - [2016/9/5 2:48:20]
C:/AdwCleaner/AdwCleaner[S1].txt - [6293 B] - [2018/3/2 5:48:4]
C:/AdwCleaner/AdwCleaner[S2].txt - [1217 B] - [2018/3/4 11:54:35]
C:/AdwCleaner/AdwCleaner[S3].txt - [1284 B] - [2018/3/4 23:0:43]
C:/AdwCleaner/AdwCleaner[S4].txt - [1350 B] - [2018/3/4 23:45:18]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt ##########

Rkill 2.9.1 by Lawrence Abrams (Grinler)
Copyright 2008-2018 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 03/04/2018 04:30:56 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 03/04/2018 04:37:33 PM
Execution time: 0 hours(s), 6 minute(s), and 36 seconds(s)
 


#2 Android8888

Android8888

  • Malware Response Team
  • 159 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:06:33 PM

Posted 05 March 2018 - 09:33 AM

Hello RadaRada and welcome to Bleeping Computer Forums.

My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear.

I suggest printing out each set of instructions or copy them to a Notepad file and reading the entire post before proceeding. It will make following them easier.

Please read the instructions carefully and follow the directions in the order listed. DO NOT run any tools on your own otherwise you can worsen the situation rather than solve it.

Make sure to run all tools from the computer Desktop and with Administrator privileges (i.e. right-click the tool icon and select 'Run as administrator').

Please run one scan at a time.

Once started the malware removal process has to be completed in order to ensure the success of the clean-up. Even if your computer appears to be running better after performing a first set of instructions, it may still be infected as some infections are difficult to remove and can leave remnants on the System. Please consider it clean only when I declare it free of malware.


That being said, let's start.

 

I see that you have a P2P (Peer-to-Peer) file sharing program installed (Torrent). I highly recommend that you consider uninstalling it since P2P programs represent a security threat to the information on your system as they allow others to access your system. It is pretty much certain that if you continue to use P2P programs, sooner or later you will get infected again. It is just a question of time.
If you choose to remove it, you can do so via Start > Control Panel > Programs and Features.
If you wish to keep it, please DO NOT use it until the removal process is complete.

 

In your logs I also see signs of a rootkit infection. Please proceed with the following instructions in Normal mode. If you can't run the tool in Normal mode, then try to run it in Safe mode.

Download Malwarebytes Anti-Rootkit BETA and save it to your computer Desktop.

  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back to the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;

Please copy and paste the entire content of that log in your next reply for my review.

Thank you.

Android8888
(Rui)


Proud graduate of SpywareInfo

Member of UNITE - Unified Network of Instructors and Trusted Eliminators

Website: http://android8888.comlu.com

Tavira - Here's where I live!


#3 RadaRada

RadaRada
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 05 March 2018 - 12:34 PM

Hello Rui. Thank you for the welcome! I've uninstalled the P2P to not cause any further harm. I don't know if it's worth mentioning, but I'll do so anyway to see if it provides any indication of something that might help. So I have to restart the laptop at times since the browsers won't make a connection even though I have internet. This time, I was able to restart and have Chrome work to be able to download the Anti-Rootkit and run the scan. But afterwards, when trying to make this post and post the log, Chrome wasn't able to make an internet connection, so I saved the log to a USB drive to post from my Chromebook. The scan showed no indication of malicious files.

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
main: v2018.03.05.03
rootkit: v2018.02.28.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17420
Young :: RADARADA [administrator]

3/5/2018 8:25:35 AM
mbar-log-2018-03-05 (08-25-35).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 238538
Time elapsed: 37 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)



#4 Android8888

Android8888

  • Malware Response Team
  • 159 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:06:33 PM

Posted 05 March 2018 - 04:54 PM

Hello RadaRada.

Thank you for providing me the log and also for the additional information.

The rootkit signs are shown in your FRST logs, so I will ask you to run the fix script below. Also, your disk has some integrity errors, so I added a Disk Check to the script. Please let it run to the end.

 

Now, before doing so, I would ask you to remove the following Chrome extensions since they have dubious purposes.

Open Google Chrome;
Type chrome://extensions in the address bar and press Enter;
Click the trash can icon by the extensions:

  • InvisibleHand
  • BetterTTV
  • Tampermonkey

A confirmation dialog appears, click Remove.


Next step,

NOTICE: The script below was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below. To do this highlight the contents of the box and right click on it and select Copy.
Paste this into the open Notepad.
 

Start::
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CHR HKU\S-1-5-21-1117267480-380562962-2416441162-1005\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
BHO: No Name -> {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -> No File
BHO-x32: No Name -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> No File
BHO-x32: No Name -> {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -> No File
BHO-x32: No Name -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKU\S-1-5-21-1117267480-380562962-2416441162-1005 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Handler: WSKVAllmytubechrome - No CLSID Value
FF ProfilePath: C:\ProgramData\Kaspersky Lab\SafeBrowser\S-1-5-21-1117267480-380562962-2416441162-1005\FireFox [not found] <==== ATTENTION
FF HKLM-x32\...\Firefox\Extensions: [{F53C93F1-07D5-430c-86D4-C9531B27DFAF}] - C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [No File]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
CHR HKU\S-1-5-21-1117267480-380562962-2416441162-1005\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [dhdgffkkebhmkfjojejmpbldmpobfkfo] - hxxp://clients2.google.com/service/update2/crx
HKLM\SYSTEM\CurrentControlSet\Services\nlixmgd <==== ATTENTION (Rootkit!)
S3 WsDrvInst; C:\Program Files (x86)\KeepVid\KeepVid Music\DriverInstall.exe [X]
S3 BTCFilterService; system32\DRIVERS\motfilt.sys [X]
R3 filpsv; system32\drivers\lpsvyc.sys [X]
S3 fimpsv; system32\drivers\lpsvyc.sys [X]
S3 motccgp; system32\DRIVERS\motccgp.sys [X]
S3 motccgpfl; system32\DRIVERS\motccgpfl.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 MotoSwitchService; system32\DRIVERS\motswch.sys [X]
S3 Motousbnet; system32\DRIVERS\Motousbnet.sys [X]
S3 motusbdevice; system32\DRIVERS\motusbdevice.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 RTL8192su; system32\DRIVERS\RTL8192su.sys [X]
2018-03-01 19:42 - 2018-03-01 19:42 - 000021528 _____ C:\Windows\System32\Tasks\BRJzhXwv7uCp
2018-03-04 04:02 - 2013-08-28 18:16 - 001732032 _____ (Microsoft Corporation) C:\Users\Young\AppData\Local\Temp\dllnt_dump.dll
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  -> No File
Task: {06119FEA-239D-4EB7-9462-1747EDD1EFEB} - System32\Tasks\BRJzhXwv7uCp => brjzhxwv7ucp.exe <==== ATTENTION
Task: {786BE2D2-1BDD-4EA8-BF8A-86F9B1B307AC} - \{0B0B0547-7E0E-0A7A-0B11-080B0B7E117D} -> No File <==== ATTENTION
Task: {994C86AD-A929-4B2C-88A0-4E25A107A029} - \Microsoft\Windows\SystemRestore\SR -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:A303874F [280]
AlternateDataStreams: C:\Users\Public\AppData:CSM [466]
AlternateDataStreams: C:\Users\Young\Downloads\drw_free.exe:BDU [0]
AlternateDataStreams: C:\Users\Young\Downloads\rcsetup152.exe:BDU [0]
FirewallRules: [{891CCE2C-2904-4339-9F6D-4578126F76E9}] => (Allow) C:\Program Files (x86)\uTorrent\uTorrent.exe
FirewallRules: [{B6D48D54-E869-4422-AE0C-95519ED43889}] => (Allow) C:\Program Files (x86)\uTorrent\uTorrent.exe
Folder: C:\Users\Young\AppData\Local\zanbopd
Folder: C:\Windows\b31749908
VirusTotal: C:\Program Files (x86)\Follette\tassel.exe;C:\Program Files (x86)\manley\gallia.exe;C:\Program Files (x86)\Borislav\tassel.exe;C:\Program Files (x86)\tactics\tactics.exe;C:\Windows\system32\Drivers\comybehl.sys
CMD: ECHO Y|CHKDSK C: /R
EmptyTemp:
End::

Save the file as fixlist.txt into the same folder as FRST.
Right-click the FRST icon and select Run as administrator to run the tool.
Click the Fix button only once and wait.
When finished, FRST will generate a log (Fixlog.txt) in the same folder as FRST. Please post its entire content in your next reply.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

 


Next step,

I see that you have RogueKiller installed on the computer. Please follow the instructions below to run a scan with this tool and DO NOT remove any entry it finds. They may not all be malicious and need to be carefully analyzed.

  • Close all programs and Internet browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the RogueKiller icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • Once finished click on Open Report. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.

Please copy and paste the entire content of RKlog.txt to your next reply.


To summarize, in your next reply please copy and paste the entire content of the following logs:
Fixlog.txt
RKlog.txt

Let me know how the computer is behaving and wait for further instructions.

Thank you.

Rui


Proud graduate of SpywareInfo

Member of UNITE - Unified Network of Instructors and Trusted Eliminators

Website: http://android8888.comlu.com

Tavira - Here's where I live!


#5 RadaRada

RadaRada
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 05 March 2018 - 06:44 PM

Hello Rui, so as of now I still have the issue with Chrome not establishing an internet connection, so I'm following this topic on my Chromebook. I don't know if this was okay or not, but in order to follow your instructions I had to use my Chromebook to copy/paste the fixlist.txt and save it to a USB drive, then insert it into my laptop to transfer the file over into the FRST folder. It seems that whatever is infecting my laptop has spread over to my internet settings and is applying to application programs, as they're not able to connect to the net either. When I opened FRST to run it, it failed to update, and there was also an updated version of RogueKiller that came out today, but the update button wasn't clickable, though I still ran the scan. So again, after these scans are completed, I'm having to put them onto a USB drive and use my Chromebook in order to post these logs. I don't know if this would void them or not.

Fix result of Farbar Recovery Scan Tool (x64) Version: 04.03.2018
Ran by Young (05-03-2018 14:19:18) Run:1
Running from C:\Users\Young\Desktop\FRST
Loaded Profiles: Young (Available Profiles: Young)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
*****************
 
 
 
==== End of Fixlog 14:19:19 ====
 
 
 
 
RogueKiller V12.12.6.0 (x64) [Feb 26 2018] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Young [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 03/05/2018 14:32:18 (Duration : 00:42:40)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 0.0.0.0 ([-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 0.0.0.0 ([-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FD00B7C7-2008-44B7-9907-7C5E3B198A19} | DhcpNameServer : 192.168.0.1 0.0.0.0 ([-][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{FD00B7C7-2008-44B7-9907-7C5E3B198A19} | DhcpNameServer : 192.168.0.1 0.0.0.0 ([-][])  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST950032 5AS SCSI Disk Device +++++
--- User ---
[MBR] 3908c5f2bb805865523688a205d31eab
[BSP] cbc84282a55f9837845e2615643ee25b : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10584 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 21678080 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 21882880 | Size: 466254 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 


#6 Android8888

Android8888

  • Malware Response Team
  • 159 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:06:33 PM

Posted 05 March 2018 - 07:47 PM

Hello RadaRada.

Your computer is infected with a SmartService Rootkit which is a very nasty infection to deal with. To remove this infection you will need to get access to another clean PC and also to a USB flash drive with 4 GB or above. The USB flash drive will need to be formatted on a clean PC before use. After formatting, DO NOT plug the USB flash drive in to the infected PC!

For now please do the following:

Open FRST, then copy the text inside the code box below and paste it into the 'Search' box of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your computer Desktop or in the folder you ran FRST from. Please copy and paste its content to your next reply.
 

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
End:: 

Now just let me know when you are ready to have access to another PC and to a USB flash drive. I will post the instructions that you will need when you're ready.

Thank you.

 

Android8888
(Rui)


Proud graduate of SpywareInfo

Member of UNITE - Unified Network of Instructors and Trusted Eliminators

Website: http://android8888.comlu.com

Tavira - Here's where I live!
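The two CMD lines in the fix above (fltmc instances and the dir listing of the drivers folder) are diagnostic, not corrective: fltmc instances lists every file-system minifilter currently attached to the volumes, with its altitude (lower altitude sits closer to the file system), and the dir /o:d listing shows which driver files were written most recently. The script below is an added example written for this thread, not code from the thread or from FRST, showing how a responder can triage that output: group the minifilters by name, flag any not on an allow-list of filters expected on this machine, and list the newest driver files. The embedded samples are constructed from the output posted later in this thread plus one made-up driver entry (EXAMPLE_dropped.sys, a placeholder name); the allow-list (KLIF and klbackupflt for Kaspersky, ZAM for Zemana, luafv and FileInfo for Windows) is an assumption for illustration.

```python
r"""Triage helpers for `fltmc instances` and `dir /a:-d /o:d` output.

Added example for this thread; not code from FRST or from any tool named here.
All sample text below is constructed (abbreviated from the thread, plus one
placeholder driver entry) so the script runs offline.
"""
import re
from datetime import datetime

# Allow-list of minifilters expected on this machine. Assumption for the
# example: KLIF/klbackupflt = Kaspersky, ZAM = Zemana, luafv/FileInfo = Windows.
KNOWN_FILTERS = {"KLIF", "klbackupflt", "ZAM", "luafv", "FileInfo"}

# Constructed sample, abbreviated from the `fltmc instances` output in this thread.
FLTMC_SAMPLE = r"""
Filter                Volume Name                              Altitude        Instance Name      Frame  VlStatus
--------------------  -------------------------------------  ------------  ---------------------  -----  --------
KLIF                  \Device\Mup                             320400       KLIF                     0
KLIF                  C:                                      320400       KLIF                     0
luafv                 C:                                      135000       luafv                    0
klbackupflt                                                   100800       klbackupflt              0
ZAM                   C:                                       80681       ZAMDefaultFilter         0
nruxbe                C:                                       45888       nruxbe Instance          0
nlixmgd               \Device\Mup                              45666       nlixmgd Instance         0
nlixmgd               C:                                       45666       nlixmgd Instance         0
FileInfo              C:                                       45000       FileInfo                 0
"""

# Constructed sample: four lines from the driver listing in this thread plus one
# made-up entry (EXAMPLE_dropped.sys is a placeholder, not a real file).
DIR_SAMPLE = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1488-5360

 Directory of C:\windows\system32\drivers

12/31/1999  04:00 PM           359,128 RtsPStor.sys
06/10/2009  12:30 PM         3,440,660 gm.dls
07/13/2009  03:19 PM            60,928 amdppm.sys
07/13/2009  03:26 PM           113,152 luafv.sys
03/01/2018  07:42 PM            31,744 EXAMPLE_dropped.sys
"""

# One fltmc row: filter, optional volume (\Device\... or a drive letter),
# altitude, instance name (may contain spaces), frame. Header rows never match.
FLTMC_LINE = re.compile(
    r"^(?P<filter>\S+)\s+"
    r"(?:(?P<volume>\\\S+|[A-Za-z]:)\s+)?"
    r"(?P<altitude>\d+)\s+"
    r"(?P<instance>.+?)\s+"
    r"(?P<frame>\d+)\s*$"
)

# One `dir` entry: date, 12-hour time, comma-grouped size, file name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>.+)$"
)


def parse_fltmc(text):
    """Group `fltmc instances` output by filter name -> altitude and volumes."""
    filters = {}
    for line in text.splitlines():
        m = FLTMC_LINE.match(line.strip())
        if not m:
            continue
        entry = filters.setdefault(
            m["filter"], {"altitude": int(m["altitude"]), "volumes": []}
        )
        if m["volume"]:
            entry["volumes"].append(m["volume"])
    return filters


def unknown_filters(text, known=KNOWN_FILTERS):
    """Minifilters whose name is not on the allow-list, lowest altitude first."""
    found = parse_fltmc(text)
    out = [{"name": n, **info} for n, info in found.items() if n not in known]
    return sorted(out, key=lambda f: f["altitude"])


def parse_dir(text):
    """Return (timestamp, size_bytes, name) for every file row of a `dir` listing."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M %p")
        entries.append((when, int(m["size"].replace(",", "")), m["name"]))
    return entries


def newest_drivers(text, n=3):
    """Names of the n most recently written files in the listing."""
    return [name for _, _, name in sorted(parse_dir(text), reverse=True)[:n]]


if __name__ == "__main__":
    for f in unknown_filters(FLTMC_SAMPLE):
        print(f"unknown minifilter {f['name']} at altitude {f['altitude']} on {f['volumes']}")
    print("most recently written driver files:", newest_drivers(DIR_SAMPLE))
```

On the sample this reports nlixmgd and nruxbe, the two randomly lettered filters attached to every volume just above FileInfo, and puts the placeholder entry at the top of the newest-files list. An unknown name is a lead, not a verdict: the driver file behind it still has to be located and checked (the fix above already submits the suspicious files to VirusTotal for exactly that reason).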


#7 RadaRada

RadaRada
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:33 AM

Posted 05 March 2018 - 08:31 PM

Hello Rui. To get access to another PC I'd have to go to my campus or a library, which is fine. I tried booting into Safe Mode with Networking, which works to get internet access to come here and post. Does it make a difference whether the scans are done in Normal vs Safe Mode? All previous ones were done in Normal mode, as was this log. I'm just going into Safe Mode in order to communicate with you instead of using my Chromebook.

Fix result of Farbar Recovery Scan Tool (x64) Version: 04.03.2018
Ran by Young (05-03-2018 17:21:59) Run:2
Running from C:\Users\Young\Desktop\FRST
Loaded Profiles: Young (Available Profiles: Young)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir /a:-d /o:d C:\windows\system32\drivers
 
*****************
 
 
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= bcdedit.exe /set {default} recoveryenabled yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= fltmc instances =========
 
Filter                Volume Name                              Altitude        Instance Name      Frame  VlStatus
--------------------  -------------------------------------  ------------  ---------------------  -----  --------
KLIF                  \Device\Mup                             320400       KLIF                     0    
KLIF                  C:                                      320400       KLIF                     0    
KLIF                                                          320400       KLIF                     0    
luafv                 C:                                      135000       luafv                    0    
klbackupflt           C:                                      100800       klbackupflt              0    
klbackupflt                                                   100800       klbackupflt              0    
ZAM                   \Device\Mup                              80681       ZAMDefaultFilter         0    
ZAM                   C:                                       80681       ZAMDefaultFilter         0    
ZAM                                                            80681       ZAMDefaultFilter         0    
nruxbe                C:                                       45888       nruxbe Instance          0    
nruxbe                                                         45888       nruxbe Instance          0    
nlixmgd               \Device\Mup                              45666       nlixmgd Instance         0    
nlixmgd               C:                                       45666       nlixmgd Instance         0    
FileInfo              \Device\Mup                              45000       FileInfo                 0    
FileInfo              C:                                       45000       FileInfo                 0    
FileInfo                                                       45000       FileInfo                 0    
 
========= End of CMD: =========
 
 
========= dir /a:-d /o:d C:\windows\system32\drivers =========
 
 Volume in drive C has no label.
 Volume Serial Number is 1488-5360
 
 Directory of C:\windows\system32\drivers
 
12/31/1999  04:00 PM           359,128 RtsPStor.sys
12/31/1999  04:00 PM           313,048 RtsBaStor.sys
12/31/1999  04:00 PM           788,696 RtsPer.sys
12/31/1999  04:00 PM           294,104 RtsP2Stor.sys
12/31/1999  04:00 PM           377,560 RtsUer.sys
05/26/2009  01:32 PM            19,968 ArcSoftKsUFilter.sys
06/10/2009  12:30 PM         3,440,660 gm.dls
06/10/2009  12:30 PM               646 gmreadme.txt
06/10/2009  12:31 PM            31,232 hcw85cir.sys
06/10/2009  12:34 PM           270,848 b57nd60a.sys
06/10/2009  12:34 PM           468,480 bxvbda.sys
06/10/2009  12:34 PM         3,286,016 evbda.sys
06/10/2009  12:35 PM           281,088 e1y60x64.sys
06/10/2009  12:37 PM            23,040 secdrv.sys
06/10/2009  12:41 PM            18,432 BrFiltLo.sys
06/10/2009  12:41 PM             8,704 BrFiltUp.sys
06/10/2009  12:41 PM            47,104 BrSerWdm.sys
06/10/2009  12:41 PM            14,976 BrUsbMdm.sys
06/10/2009  12:41 PM            14,720 BrUsbSer.sys
06/10/2009  12:48 PM           426,496 spsys.sys
07/13/2009  03:19 PM            60,928 amdppm.sys
07/13/2009  03:19 PM            64,512 amdk8.sys
07/13/2009  03:19 PM            62,464 intelppm.sys
07/13/2009  03:19 PM            60,416 processr.sys
07/13/2009  03:19 PM             6,144 null.sys
07/13/2009  03:19 PM            92,160 cdfs.sys
07/13/2009  03:19 PM            26,112 msfs.sys
07/13/2009  03:19 PM            44,032 npfs.sys
07/13/2009  03:19 PM           105,472 i8042prt.sys
07/13/2009  03:21 PM            24,576 nsiproxy.sys
07/13/2009  03:23 PM           204,800 fastfat.sys
07/13/2009  03:23 PM           195,072 exfat.sys
07/13/2009  03:25 PM            34,304 filetrace.sys
07/13/2009  03:26 PM           113,152 luafv.sys
07/13/2009  03:31 PM            14,336 wmiacpi.sys
07/13/2009  03:31 PM            17,664 CmBatt.sys
07/13/2009  03:31 PM             9,728 errdev.sys
07/13/2009  03:31 PM            26,624 hidbatt.sys
07/13/2009  03:35 PM            45,056 blbdrive.sys
07/13/2009  03:37 PM            40,448 discache.sys
07/13/2009  03:37 PM            42,496 watchdog.sys
07/13/2009  03:38 PM            16,896 dxapi.sys
07/13/2009  03:38 PM            98,816 dxg.sys
07/13/2009  03:38 PM            29,184 vga.sys
07/13/2009  03:38 PM            29,184 vgapnp.sys
07/13/2009  03:38 PM           129,024 videoprt.sys
07/13/2009  03:38 PM            30,208 monitor.sys
07/13/2009  04:00 PM             6,656 beep.sys
07/13/2009  04:00 PM           145,920 Dot4.sys
07/13/2009  04:00 PM             6,784 mspqm.sys
07/13/2009  04:00 PM             7,168 mspclock.sys
07/13/2009  04:00 PM             8,064 mstee.sys
07/13/2009  04:00 PM            11,136 mskssrv.sys
07/13/2009  04:00 PM            20,992 ksthunk.sys
07/13/2009  04:00 PM            26,624 sermouse.sys
07/13/2009  04:00 PM            43,008 Dot4usb.sys
07/13/2009  04:00 PM            31,232 mouhid.sys
07/13/2009  04:00 PM            23,552 serenum.sys
07/13/2009  04:00 PM            20,992 smclib.sys
07/13/2009  04:00 PM            94,208 serial.sys
07/13/2009  04:00 PM            97,280 parport.sys
07/13/2009  04:00 PM            24,576 flpydisk.sys
07/13/2009  04:00 PM            29,696 fdc.sys
07/13/2009  04:01 PM            14,336 sffdisk.sys
07/13/2009  04:01 PM            16,896 sfloppy.sys
07/13/2009  04:01 PM            13,824 sffp_mmc.sys
07/13/2009  04:01 PM            29,184 tape.sys
07/13/2009  04:01 PM            22,016 mcd.sys
07/13/2009  04:01 PM           679,936 xnacc.sys
07/13/2009  04:02 PM            27,776 wacompen.sys
07/13/2009  04:02 PM            15,360 MTConfig.sys
07/13/2009  04:06 PM             5,632 drmkaud.sys
07/13/2009  04:06 PM            68,864 stream.sys
07/13/2009  04:06 PM            46,592 hidir.sys
07/13/2009  04:06 PM             8,192 mshidkmdf.sys
07/13/2009  04:06 PM            45,568 circlass.sys
07/13/2009  04:06 PM            68,096 1394bus.sys
07/13/2009  04:06 PM            72,832 ohci1394.sys
07/13/2009  04:06 PM           100,864 hidbth.sys
07/13/2009  04:06 PM            72,192 bthmodem.sys
07/13/2009  04:06 PM             9,728 umpass.sys
07/13/2009  04:07 PM            24,576 vwifibus.sys
07/13/2009  04:07 PM            59,904 vwififlt.sys
07/13/2009  04:07 PM           318,976 nwifi.sys
07/13/2009  04:07 PM            17,920 vwifimp.sys
07/13/2009  04:08 PM            35,328 ndiscap.sys
07/13/2009  04:08 PM            77,312 mpsdrv.sys
07/13/2009  04:08 PM            76,800 rspndr.sys
07/13/2009  04:08 PM            60,928 lltdio.sys
07/13/2009  04:08 PM            17,920 irenum.sys
07/13/2009  04:09 PM           120,320 irda.sys
07/13/2009  04:09 PM            93,184 smb.sys
07/13/2009  04:09 PM            44,544 netbios.sys
07/13/2009  04:09 PM            12,800 wfplwf.sys
07/13/2009  04:09 PM            46,592 qwavedrv.sys
07/13/2009  04:10 PM            24,064 ndistapi.sys
07/13/2009  04:10 PM           116,224 ipnat.sys
07/13/2009  04:10 PM            14,848 rasacd.sys
07/13/2009  04:10 PM            23,040 asyncmac.sys
07/13/2009  04:10 PM            92,672 raspppoe.sys
07/13/2009  04:10 PM            60,416 agilevpn.sys
07/13/2009  04:10 PM            83,968 rassstp.sys
07/13/2009  04:10 PM            21,504 ws2ifsl.sys
07/13/2009  04:10 PM            11,264 rootmdm.sys
07/13/2009  04:10 PM            40,448 modem.sys
07/13/2009  04:16 PM            15,872 tdpipe.sys
07/13/2009  04:16 PM             7,680 RDPENCDD.sys
07/13/2009  04:16 PM             7,680 RDPCDD.sys
07/13/2009  04:16 PM             8,192 RDPREFMP.sys
07/13/2009  04:17 PM            24,064 rdpbus.sys
07/13/2009  04:38 PM            25,088 usbprint.sys
07/13/2009  05:01 PM            95,232 bridge.sys
07/13/2009  05:19 PM           286,720 BrSerId.sys
07/13/2009  05:43 PM            55,128 dumpfve.sys
07/13/2009  05:45 PM           128,592 ql40xx.sys
07/13/2009  05:45 PM            43,584 sisraid2.sys
07/13/2009  05:45 PM            12,352 pciide.sys
07/13/2009  05:45 PM           220,752 pcmcia.sys
07/13/2009  05:45 PM            50,768 pcw.sys
07/13/2009  05:45 PM         1,524,816 ql2300.sys
07/13/2009  05:45 PM            80,464 sisraid4.sys
07/13/2009  05:45 PM            48,720 pciidex.sys
07/13/2009  05:45 PM            19,008 spldr.sys
07/13/2009  05:45 PM            12,496 swenum.sys
07/13/2009  05:45 PM            64,080 UAGP35.SYS
07/13/2009  05:45 PM            24,656 stexstor.sys
07/13/2009  05:45 PM            64,592 ULIAGPKX.SYS
07/13/2009  05:45 PM            21,056 wd.sys
07/13/2009  05:45 PM            17,488 viaide.sys
07/13/2009  05:45 PM            36,432 vdrvroot.sys
07/13/2009  05:45 PM           161,872 vsmraid.sys
07/13/2009  05:45 PM            16,464 wmilib.sys
07/13/2009  05:45 PM            22,096 wimmount.sys
07/13/2009  05:47 PM            65,088 GAGP30KX.SYS
07/13/2009  05:47 PM            24,144 crcdisk.sys
07/13/2009  05:47 PM            28,736 Dumpata.sys
07/13/2009  05:47 PM            39,504 crashdmp.sys
07/13/2009  05:47 PM            73,280 disk.sys
07/13/2009  05:47 PM           530,496 elxstor.sys
07/13/2009  05:47 PM            70,224 fileinfo.sys
07/13/2009  05:47 PM            55,376 fsdepends.sys
07/13/2009  05:48 PM            50,768 kbdclass.sys
07/13/2009  05:48 PM            16,960 intelide.sys
07/13/2009  05:48 PM            44,112 iirsp.sys
07/13/2009  05:48 PM           106,560 lsi_sas.sys
07/13/2009  05:48 PM            65,600 lsi_sas2.sys
07/13/2009  05:48 PM           115,776 lsi_scsi.sys
07/13/2009  05:48 PM           114,752 lsi_fc.sys
07/13/2009  05:48 PM            35,392 megasas.sys
07/13/2009  05:48 PM           284,736 MegaSR.sys
07/13/2009  05:48 PM            20,544 isapnp.sys
07/13/2009  05:48 PM           122,960 NV_AGP.SYS
07/13/2009  05:48 PM            51,264 nfrd960.sys
07/13/2009  05:48 PM            15,424 msisadrv.sys
07/13/2009  05:48 PM            49,216 mouclass.sys
07/13/2009  05:48 PM            32,320 mssmbios.sys
07/13/2009  05:48 PM            60,496 mup.sys
07/13/2009  05:52 PM           194,128 amdsbs.sys
07/13/2009  05:52 PM            15,440 aliide.sys
07/13/2009  05:52 PM            87,632 arc.sys
07/13/2009  05:52 PM            24,128 atapi.sys
07/13/2009  05:52 PM           491,088 adp94xx.sys
07/13/2009  05:52 PM            97,856 arcsas.sys
07/13/2009  05:52 PM           182,864 adpu320.sys
07/13/2009  05:52 PM            28,240 battc.sys
07/13/2009  05:52 PM            15,440 amdide.sys
07/13/2009  05:52 PM           339,536 adpahci.sys
07/13/2009  05:52 PM            61,008 AGP440.sys
07/13/2009  05:52 PM            21,584 compbatt.sys
07/13/2009  05:52 PM            17,488 cmdide.sys
04/26/2010  12:20 PM            12,032 SFEP.sys
10/19/2010  03:34 PM            56,344 HECIx64.sys
11/20/2010  07:23 PM            31,232 TsUsbGD.sys
11/20/2010  07:23 PM            41,984 winusb.sys
11/20/2010  07:23 PM           350,208 HdAudio.sys
11/20/2010  07:23 PM            19,968 Dot4Prt.sys
11/20/2010  07:23 PM           140,672 msdsm.sys
11/20/2010  07:23 PM            14,336 sffp_sd.sys
11/20/2010  07:23 PM           155,008 mpio.sys
11/20/2010  07:23 PM            38,912 CompositeBus.sys
11/20/2010  07:23 PM           109,056 sdbus.sys
11/20/2010  07:23 PM            12,800 acpipmi.sys
11/20/2010  07:23 PM           122,368 hdaudbus.sys
11/20/2010  07:23 PM            63,360 termdd.sys
11/20/2010  07:23 PM            71,552 volmgr.sys
11/20/2010  07:23 PM           184,704 pci.sys
11/20/2010  07:23 PM            33,280 kbdhid.sys
11/20/2010  07:23 PM            30,208 hidusb.sys
11/20/2010  07:23 PM           229,888 1394ohci.sys
11/20/2010  07:23 PM           215,936 vhdmp.sys
11/20/2010  07:23 PM            78,720 HpSAMD.sys
11/20/2010  07:23 PM           295,808 volsnap.sys
11/20/2010  07:23 PM           147,456 cdrom.sys
11/20/2010  07:23 PM           103,808 sbp2port.sys
11/20/2010  07:23 PM           334,208 acpi.sys
11/20/2010  07:23 PM            48,640 umbus.sys
11/20/2010  07:23 PM            31,104 msahci.sys
11/20/2010  07:23 PM            78,848 IPMIDrv.sys
11/20/2010  07:23 PM           261,632 netbt.sys
11/20/2010  07:23 PM            94,592 mountmgr.sys
11/20/2010  07:23 PM           753,664 http.sys
11/20/2010  07:23 PM           328,192 udfs.sys
11/20/2010  07:24 PM           171,392 scsiport.sys
11/20/2010  07:24 PM           289,664 fltMgr.sys
11/20/2010  07:24 PM            26,624 tdi.sys
11/20/2010  07:24 PM           164,352 ndiswan.sys
11/20/2010  07:24 PM           131,584 pacer.sys
11/20/2010  07:24 PM           309,248 rdbss.sys
11/20/2010  07:24 PM            29,696 scfilter.sys
11/20/2010  07:24 PM            32,896 USBCAMD2.sys
11/20/2010  07:24 PM            88,576 wanarp.sys
11/20/2010  07:24 PM            57,856 ndproxy.sys
11/20/2010  07:24 PM           366,976 msrpc.sys
11/20/2010  07:24 PM           125,440 tunnel.sys
11/20/2010  07:24 PM           363,392 volmgrx.sys
11/20/2010  07:24 PM           146,432 rmcast.sys
11/20/2010  07:24 PM           243,712 ks.sys
11/20/2010  07:24 PM            14,720 hwpolicy.sys
11/20/2010  07:24 PM           179,072 Classpnp.sys
11/20/2010  07:24 PM            82,944 ipfltdrv.sys
11/20/2010  07:24 PM           119,296 tdx.sys
11/20/2010  07:24 PM           102,400 dfsc.sys
11/20/2010  07:24 PM            56,832 ndisuio.sys
11/20/2010  07:24 PM           111,104 raspptp.sys
11/20/2010  07:24 PM           129,536 rasl2tp.sys
11/20/2010  07:24 PM            59,392 TsUsbFlt.sys
11/20/2010  07:24 PM           213,888 rdyboost.sys
11/20/2010  07:24 PM            31,744 usbrpm.sys
02/01/2011  12:06 PM             8,192 IntelMEFWVer.dll
02/11/2011  01:23 PM            35,344 npf.sys
02/16/2011  07:06 PM           316,024 Apfiltr.sys
02/22/2011  08:55 PM            90,624 bowser.sys
03/10/2011  08:37 PM            91,648 USBSTOR.SYS
03/10/2011  10:41 PM           107,904 amdsata.sys
03/10/2011  10:41 PM            27,008 amdxata.sys
03/10/2011  10:41 PM           410,496 iaStorV.sys
03/10/2011  10:41 PM           148,352 nvraid.sys
03/10/2011  10:41 PM           166,272 nvstor.sys
03/28/2011  10:51 PM           425,064 Rt64win7.sys
03/29/2011  01:11 AM            11,240 nvBridge.kmd
04/03/2011  02:56 PM         2,647,552 athrx.sys
04/26/2011  06:39 PM           128,000 mrxsmb20.sys
04/26/2011  06:40 PM           158,208 mrxsmb.sys
04/28/2011  07:05 PM           168,448 srvnet.sys
04/28/2011  07:05 PM           410,112 srv2.sys
04/28/2011  07:06 PM           467,456 srv.sys
05/10/2011  07:08 PM           437,272 iaStor.sys
07/08/2011  06:46 PM           288,768 mrxsmb10.sys
08/19/2011  05:42 AM                 0 Msft_Kernel_Apfiltr_01009.Wdf
08/19/2011  10:53 AM                 0 104D_Sony_VPCEH190X.mrk
08/23/2011  06:45 PM                 0 Msft_User_WpdFs_01_09_00.Wdf
01/02/2012  03:48 AM                 0 Msft_Kernel_motusbdevice_01007.Wdf
01/02/2012  03:48 AM                 0 Msft_Kernel_motccgp_01007.Wdf
01/02/2012  03:48 AM                 0 Msft_Kernel_motccgpfl_01007.Wdf
01/02/2012  03:48 AM                 0 Msft_User_WpdMtpDr_01_09_00.Wdf
01/02/2012  03:48 AM                 0 Msft_Kernel_motmodem_01007.Wdf
01/02/2012  03:49 AM                 0 Msft_Kernel_Motousbnet_01007.Wdf
01/02/2012  03:49 AM                 0 Msft_Kernel_motfilt_01007.Wdf
02/16/2012  08:57 PM            23,552 tdtcp.sys
02/29/2012  10:46 PM            23,408 fs_rec.sys
03/16/2012  11:58 PM            75,120 partmgr.sys
06/02/2012  06:35 AM                 3 MsftWdf_Kernel_01011_Inbox_Critical.Wdf
06/02/2012  06:57 AM                 3 MsftWdf_User_01_11_00_Inbox_Critical.Wdf
07/04/2012  12:26 PM            41,472 RNDISMP.sys
07/25/2012  06:26 PM           198,656 WUDFRd.sys
07/25/2012  06:26 PM            87,040 WUDFPf.sys
07/25/2012  08:55 PM            54,376 WdfLdr.sys
08/22/2012  10:12 AM           950,128 ndis.sys
10/03/2012  08:07 AM            45,568 tcpipreg.sys
01/17/2013  01:07 AM                 0 Msft_Kernel_avchv_01009.Wdf
01/23/2013  10:01 PM           223,752 fvevol.sys
02/11/2013  08:12 PM            19,968 usb8023.sys
04/03/2013  01:32 PM            29,696 dtscsibus.sys
04/09/2013  10:01 PM           265,064 dxgmms1.sys
04/15/2013  01:50 AM           127,384 scdemu.sys
06/25/2013  02:55 PM           785,624 Wdf01000.sys
07/02/2013  08:05 PM            32,896 hidparse.sys
07/02/2013  08:05 PM            76,800 hidclass.sys
07/02/2013  08:40 PM            42,496 usbscan.sys
07/04/2013  02:11 AM           140,800 mrxdav.sys
07/04/2013  04:18 AM           458,712 cng.sys
07/12/2013  02:41 AM           100,864 usbcir.sys
07/12/2013  02:41 AM           185,344 usbvideo.sys
08/04/2013  06:25 PM           155,584 ataport.sys
10/03/2013  05:36 PM           230,400 portcls.sys
10/03/2013  06:16 PM           116,736 drmk.sys
11/21/2013  07:31 AM           632,168 iaStorA.sys
11/21/2013  07:31 AM            28,008 iaStorF.sys
11/26/2013  03:40 AM           376,768 netio.sys
11/26/2013  05:41 PM             7,808 usbd.sys
11/26/2013  05:41 PM            30,720 usbuhci.sys
11/26/2013  05:41 PM            25,600 usbohci.sys
11/26/2013  05:41 PM            53,248 usbehci.sys
11/26/2013  05:41 PM           325,120 usbport.sys
11/26/2013  05:41 PM            99,840 usbccgp.sys
11/26/2013  05:41 PM           343,040 usbhub.sys
01/23/2014  06:37 PM         1,684,928 ntfs.sys
02/03/2014  06:35 PM            27,584 Diskdump.sys
02/03/2014  06:35 PM           274,880 msiscsi.sys
02/03/2014  06:35 PM           190,912 storport.sys
04/04/2014  06:47 PM           288,192 FWPKCLNT.SYS
04/04/2014  06:47 PM         1,903,552 tcpip.sys
04/11/2014  06:22 PM            95,680 ksecdd.sys
05/29/2014  10:45 PM           497,152 afd.sys
06/15/2014  06:10 PM           985,536 dxgkrnl.sys
07/06/2014  05:52 PM           663,552 PEAuth.sys
07/16/2014  05:21 PM            39,936 tssecsrv.sys
07/16/2014  05:21 PM           212,480 rdpwd.sys
08/18/2014  06:06 PM            61,440 appid.sys
10/13/2014  06:16 PM           155,064 ksecpkg.sys
12/02/2014  06:01 PM           110,488 ssudbus.sys
12/02/2014  06:01 PM           206,104 ssudmdm.sys
08/13/2015  07:19 AM            50,392 rzendpt.sys
08/13/2015  07:19 AM           201,432 rzudd.sys
08/22/2015  10:22 PM                 0 Msft_Kernel_rzendpt_01009.Wdf
08/22/2015  10:22 PM                 0 Msft_Kernel_rzudd_01009.Wdf
02/14/2016  11:57 PM            40,640 RzSurroundVAD.sys
03/05/2016  03:42 PM                 0 Msft_Kernel_WinUsb_01007.Wdf
05/31/2016  11:24 PM            78,216 kldisk.sys
06/07/2016  01:31 AM            52,152 kltap.sys
06/29/2016  02:44 PM        13,523,392 nvlddmkm.sys
06/29/2016  02:44 PM           214,592 nvhda64v.sys
06/29/2016  02:44 PM            56,384 nvvad64v.sys
10/01/2016  02:26 AM           554,408 kl1.sys
12/07/2016  09:38 AM            58,592 klmouflt.sys
12/21/2016  02:52 PM            40,240 revoflt.sys
12/23/2016  09:19 AM            57,568 klkbdflt.sys
12/26/2016  08:27 PM           247,008 cm_km.sys
06/14/2017  01:40 PM            39,016 WsAudioDevice_383S(1).sys
11/27/2017  02:50 PM            54,784 usbaapl64.sys
11/29/2017  09:11 AM            77,432 mbae64.sys
12/24/2017  04:58 AM           140,000 klwtp.sys
12/24/2017  04:58 AM            81,904 kltdi.sys
12/24/2017  04:58 AM            50,672 klpd.sys
12/24/2017  04:58 AM            70,880 klbackupdisk.sys
12/24/2017  04:58 AM           199,392 kneps.sys
03/02/2018  11:42 PM           350,944 klhk.sys
03/02/2018  11:42 PM           206,040 klflt.sys
03/03/2018  12:12 AM           119,496 klbackupflt.sys
03/03/2018  12:13 AM            57,024 klim6.sys
03/03/2018  12:13 AM         1,072,840 klif.sys
03/04/2018  02:33 AM           203,680 zamguard64.sys
03/04/2018  02:33 AM           203,680 zam64.sys
03/04/2018  03:13 PM            84,256 mwac.sys
03/04/2018  06:37 PM           255,928 73A1E270.sys
03/05/2018  08:25 AM           255,928 666242D8.sys
03/05/2018  02:32 PM            28,272 TrueSight.sys
03/05/2018  05:05 PM           145,232 comehlor.sys
             348 File(s)     69,633,120 bytes
               0 Dir(s)  253,014,855,680 bytes free
 
========= End of CMD: =========
 
 
==== End of Fixlog 17:22:01 ====


#8 Android8888

  • Malware Response Team
  • 159 posts
  • Gender:Male
  • Location:Portugal

Posted 06 March 2018 - 06:16 AM

Hello RadaRada.

While there is no problem in communicating from the infected computer, this infection prevents the tools from running normally and removing the rootkit. As you can see in post #5, the FRST fix did not produce results. You will need to run the next scan from the Recovery Environment. Please read the instructions below carefully before proceeding, and ask questions if anything is unclear.

 

First you will need to format and prepare the flash drive on the clean computer. Plug in the flash drive, navigate to that drive, right-click on it directly and select 'Format'. The quick option is adequate.

Preparing the USB Flash Drive (on the clean computer).

  • Now download FRST from here: FRST 64-bit, and move it to your USB Flash Drive;

 

Note: Do not plug the Flash drive into the infected computer until you have booted into the Recovery Environment.

 

Boot into the Recovery Environment (on the infected computer).

  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
  • Restart the computer;
  • Once you've seen your BIOS splash screen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears;
  • Use the arrow keys to select Repair your computer, and press on Enter;
  • Select your keyboard layout (US, French, etc.) and click on Next;
  • Click on Command Prompt to open the command prompt;
  • Plug in your USB Flash Drive on the infected computer;
  • Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.

Once in the command prompt

  • In the command prompt, type notepad and press on Enter;
  • Notepad will open. Click on the File menu and select Open;
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad;
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter;
  • Note: Replace the letter e with the drive letter of your USB Flash Drive;
  • FRST will open;
  • Click on Yes to accept the disclaimer;
  • Click on the Scan button and wait for the scan to complete;
  • A log called FRST.txt will be saved on your USB Flash Drive. Please copy and paste its content in your next reply;

 

I will need to review that log and then I will get back to you.

 

Thank you.

Android8888
(Rui)


Proud graduate of SpywareInfo

Member of UNITE - Unified Network of Instructors and Trusted Eliminators

Website: http://android8888.comlu.com

Tavira - Here's where I live!


#9 RadaRada

  • Topic Starter
  • Members
  • 6 posts

Posted 06 March 2018 - 03:09 PM

Hello Rui. Once in the Advanced Boot Options and clicking the option to 'Repair your computer', it doesn't follow up with the Recovery Environment, so I'll have to create a Windows Installation disc. You noted that it can be made on the same computer, so I was wondering if I can boot up my laptop into safe mode and create the Windows Installation disc from there?



#10 Android8888

  • Malware Response Team
  • 159 posts
  • Gender:Male
  • Location:Portugal

Posted 06 March 2018 - 04:45 PM

Hi RadaRada.

No, Safe mode does not help, and it is not possible to create Windows installation/repair media on the infected computer. While you can communicate from the infected computer, it is not advisable to work on it, such as doing online banking, plugging in USB devices, etc. Please do not use the flash drive on the infected computer in Normal or Safe mode; otherwise the Flash drive will also get infected.

So you must create the Windows installation media on a clean computer.

But you can also create a USB Recovery drive on a clean computer. It is preferable to do so on a computer with the same Operating System (Windows 7). Please proceed as follows:

  • Plug in the USB Flash drive on a clean computer;
  • Right-click the Windows symbol in the left-hand corner of the screen;
  • Select 'Search' and type create recovery drive;
  • Click Yes to accept the User Account Control warning that may appear;
  • In the next window, uncheck the box 'Backup system files to recovery drive', click the Next button and wait;
  • On the following window (Select a USB Flash drive) click the Next button;
  • On the following window (Create a recovery drive) click the Create button. The flash drive will be formatted before the Recovery Drive is created;
  • When you reach the window The recovery drive is ready, click on Finish.

When that is complete you will need to add the FRST 64-bit version again to this flash drive. NOTE: DO NOT plug the Flash drive into the infected computer yet.

You now need to boot the infected computer directly to the Recovery Environment which is on the Flash Drive. It may be necessary to change the boot order in the infected computer to boot from the USB Flash drive. Please read here on how to do it: How to Boot Your Computer from a USB Flash Drive

After changing the boot order to USB in BIOS, plug in the USB Flash drive with the Recovery Environment tools and FRST64 you created, save and exit from BIOS and now boot into the Recovery Environment;
Select Advanced Boot Options > Repair your computer > select your keyboard layout (US, French, etc.) and click on Next;
Then click on Command Prompt to open the command prompt;

 

Once in the command prompt

  • In the command prompt, type notepad and press on Enter;
  • Notepad will open. Click on the File menu and select Open;
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad;
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter;
  • Note: Replace the letter e with the drive letter of your USB Flash Drive;
  • FRST will open;
  • Click on Yes to accept the disclaimer;
  • Click on the Scan button and wait for the scan to complete;
  • A log called FRST.txt will be saved on your USB Flash Drive. Please copy and paste its content in your next reply;

 

Please let me know how you get on with the instructions above.

 

Thank you.

 

Rui


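The step in this procedure that most often goes wrong is finding the flash drive's letter, because drive letters inside the Recovery Environment differ from those in a normal Windows session (the Notepad File > Open trick above exists for exactly that reason). As an added example, not part of Rui's instructions and not from the FRST tool itself, these are commands a practitioner can type one at a time at the Recovery Environment command prompt to discover the letter instead of assuming e:. The range of letters probed, FRST64.exe sitting in the root of the flash drive, and the E: used on the last line are assumptions.

```batch
rem Added example (not from the thread or from FRST): typed at the Recovery
rem Environment command prompt, which normally opens at X:\Sources>.
rem Letters inside WinRE differ from the normal Windows session, so the flash
rem drive's letter is discovered rather than assumed.

rem 1. Probe each plausible letter for FRST64.exe (assumed to be in the root
rem    of the flash drive). A: and B: are skipped to avoid floppy prompts.
rem    Typed interactively the loop variable is %d; in a saved .cmd file it is %%d.
for %d in (C D E F G H I J K L M N) do @if exist %d:\FRST64.exe echo FRST64.exe found on drive %d:

rem 2. If nothing was printed, check whether WinRE sees the USB drive at all:
rem    start diskpart, type "list volume" to see every volume and its letter,
rem    then type "exit" to return to the command prompt.
diskpart

rem 3. Launch FRST from the letter reported in step 1 (E: is only an example value).
E:\FRST64.exe
```

If the loop in step 1 prints nothing and diskpart shows no removable volume, the flash drive was never enumerated by the Recovery Environment (a missing USB driver or a port issue), which is worth ruling out before suspecting the scan itself.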


#11 Android8888

  • Malware Response Team
  • 159 posts
  • Gender:Male
  • Location:Portugal

Posted 09 March 2018 - 09:37 AM

Hello RadaRada,

 

It's been almost 3 days since your last reply.

 

I was wondering if you still need help with your computer. If you have any difficulty following the instructions, just ask. Are you still with me?

 

Thank you.

 

Android8888

(Rui)




#12 RadaRada

  • Topic Starter
  • Members
  • 6 posts

Posted 11 March 2018 - 05:55 AM

Hello Rui,

 

I decided to get rid of my clutter and this problem with a clean install of Windows. As of now, my laptop seems to be working fine now. Thank you for your time and effort though. Much appreciated! :)



#13 Android8888

  • Malware Response Team
  • 159 posts
  • Gender:Male
  • Location:Portugal

Posted 12 March 2018 - 09:05 AM

Hello RadaRada.

 

Thank you for letting me know what you decided to do. I'm glad to know that the problem is solved. :)

 

If you run into more difficulty, we will certainly do what we can to help.
 

Regards,

 

Android8888

(Rui)






