---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
(c) Malwarebytes Corporation 2011-2012

OS version: 10.0.9200 Windows 10 x64

Account is Administrative
Internet Explorer version: 11.726.15063.0
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.992000 GHz
Memory total: 8436027392, free: 5179015168

Downloaded database version: v2017.12.12.01
Downloaded database version: v2017.11.28.01
=======================================
Initializing...
Driver version: 4.3.0.15
------------ Kernel report ------------
12/12/2017 02:28:59
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\SleepStudyHelper.sys
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\tpm.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\iaStorA.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\system32\drivers\mfehidk.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\system32\drivers\mfewfpk.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\vmbkmclr.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\dam.sys
\??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_de4c68ea4fb1be53\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\drivers\CAD.sys
\SystemRoot\System32\DriverStore\FileRepository\igdlh64.inf_amd64_f2308ff1d90596bf\igdkmd64.sys
\SystemRoot\System32\drivers\dptf_cpu.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\iaLPSS2_I2C.sys
\SystemRoot\system32\drivers\SpbCx.sys
\SystemRoot\System32\drivers\TeeDriverW8x64.sys
\SystemRoot\system32\DRIVERS\RtsPer.sys
\SystemRoot\System32\drivers\Netwtw06.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\iaLPSS2_UART2.sys
\SystemRoot\system32\drivers\SerCx2.sys
\SystemRoot\System32\drivers\iaLPSS2_SPI.sys
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\dptf_acpi.sys
\SystemRoot\System32\drivers\i8042prt.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\iaLPSS2_GPIO2.sys
\SystemRoot\System32\Drivers\msgpioclx.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\acpipagr.sys
\SystemRoot\System32\drivers\wmiacpi.sys
\SystemRoot\System32\drivers\AsRadioControl.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\System32\drivers\hidi2c.sys
\SystemRoot\System32\drivers\mshidkmdf.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\drivers\AsusPTPFilter.sys
\SystemRoot\System32\drivers\MTConfig.sys
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\ibtusb.sys
\SystemRoot\System32\drivers\BTHUSB.sys
\SystemRoot\System32\drivers\bthport.sys
\SystemRoot\system32\drivers\mfeaack.sys
\SystemRoot\system32\drivers\mfeplk.sys
\SystemRoot\system32\drivers\mfeavfk.sys
\SystemRoot\system32\drivers\mfefirek.sys
\SystemRoot\system32\DRIVERS\mfencbdc.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_iaStorA.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\esif_lf.sys
\SystemRoot\System32\drivers\WUDFRd.sys
\SystemRoot\system32\drivers\wcifs.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\System32\drivers\registry.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\vwifimp.sys
\??\C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys
\SystemRoot\system32\drivers\cfwids.sys
\SystemRoot\System32\drivers\rassstp.sys
\SystemRoot\System32\DRIVERS\NDProxy.sys
\SystemRoot\System32\drivers\AgileVpn.sys
\SystemRoot\System32\drivers\rasl2tp.sys
\SystemRoot\System32\drivers\raspptp.sys
\SystemRoot\System32\drivers\raspppoe.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\drivers\ndiswan.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\7624D7F0.sys
----------- End -----------
Done!
Scan started
Database versions:
main: v2017.12.12.01
rootkit: v2017.10.14.01
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffff9b88c0040510, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffff9b88bdd829f0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffff9b88c0040510, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffff9b88bcf29da0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffff9b88bcf29060, DeviceName: \Device\0000003f\, DriverName: \Driver\iaStorA\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
Volume is encrypted by BITLOCKER
<<<2>>>
<<<3>>>
Volume: C:
Volume is encrypted by BITLOCKER
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 6F072854
GPT Protective MBR Partition information:
Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1  Numsec = 4294967295
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
GPT Partition information:
GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 1583950638
GPT Header CurrentLba = 1 BackupLba 1000215215
GPT Header FirstUsableLba 34 LastUsableLba 1000215182
GPT Header Guid 4f68675d-5b1f-4a6c-b637-d7925cf815d3
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128
Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 1583950638
Backup GPT header CurrentLba = 1000215215 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 1000215182
Backup GPT header Guid 4f68675d-5b1f-4a6c-b637-d7925cf815d3
Backup GPT header Contains 128 partition entries starting at LBA 1000215183
Backup GPT header Partition entry size = 128
Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID 430cc831-9e5-465c-ac34-4faafbbe83e
FirstLBA 2048 Last LBA 534527
Attributes 0
Partition Name EFI system partition
GPT Partition 0 is bootable
Partition 1 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID a48642f4-bc35-4519-85db-6ee4f928f64f
FirstLBA 534528 Last LBA 567295
Attributes 0
Partition Name Microsoft reserved partition
Partition 2 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID 533424b2-914a-4f7b-835a-5ed1ffbda66c
FirstLBA 567296 Last LBA 998576127
Attributes 0
Partition Name Basic data partition
Partition 3 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 53632522-3495-4df7-a51b-ca23391bfee2
FirstLBA 998576128 Last LBA 1000214527
Attributes 1
Partition Name Basic data partition
Disk Size: 512110190592 bytes
Sector size: 512 bytes
Done!
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{C0D38E5A-7CF8-4105-8FE8-31B81443A114} --> [Adware.NeoBar]
Infected: C:\Program Files (x86)\B1dMyRtuobPX\b1dmyrtuobpx.exe --> [Adware.CloudGuard.TskLnk]
Infected file C:\Program Files\WinRAR\Default.SFX could not be remediated because backup file is not available
Infected: C:\Users\siteh\AppData\Local\Temp\psfALkdCizfRj2ftQWTa(Z).exe --> [Adware.InstallMonster]
Infected: C:\Users\siteh\AppData\Local\Temp\psfALkdCizfRj2ftQWTa.exe --> [Adware.InstallMonster]
Infected: C:\Users\siteh\AppData\Local\Temp\revomc.exe --> [Trojan.UbarServ]
Infected: C:\Users\siteh\AppData\Local\Temp\s2s.exe --> [Adware.Wajam]
Infected: C:\Users\siteh\AppData\Local\Temp\6kXvcK0rr\ytab_m_1_big.exe --> [Adware.Neoreklami]
Infected: C:\Users\siteh\AppData\Local\Temp\E1I2BMUUFZ\SecondL.exe --> [Adware.Tuto4PC]
Infected: C:\Users\siteh\AppData\Local\Temp\LHwARYabS\setup.exe --> [Adware.DNSUnlocker.Generic]
Infected: C:\Users\siteh\AppData\Local\Temp\pOz29ar4D\pOz29ar4D.exe --> [Adware.Tuto4PC]
Infected: C:\Users\siteh\AppData\Local\Temp\prPRPGoZt\prPRPGoZt.exe --> [Adware.Tuto4PC]
Infected: C:\Users\siteh\AppData\Local\Temp\vA2f487jw\vA2f487jw.exe --> [Adware.Tuto4PC]
Infected: C:\Windows\Temp\UDDE0CE.tmp --> [Adware.Wajam]
Infected: C:\Windows\7a531e26489e946c70f9d5af73440364.exe --> [Adware.Wajam]
Infected: C:\Users\siteh\AppData\Roaming\ZHP\Quarantine --> [Trojan.UbarServ]
Infected: C:\Users\siteh\AppData\Local\po.db --> [Adware.Linkury.Generic]
Infected: C:\Users\siteh\AppData\Local\Temp\is-IRS7N.tmp\letswork.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\siteh\AppData\Local\Temp\is-IRS7N.tmp --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\siteh\AppData\Local\Temp\is-IRS7N.tmp\itdownload.dll --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\siteh\AppData\Local\Temp\is-IRS7N.tmp\psvince.dll --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\siteh\AppData\Local\Temp\is-IRS7N.tmp\_isetup --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\siteh\AppData\Local\Temp\is-IRS7N.tmp\_isetup\_setup64.tmp --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\siteh\AppData\Local\Temp\svchost.exe --> [Trojan.Agent.Gen]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SVCHOST.EXE --> [Trojan.Agent.Gen]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SVCHOST.EXE --> [Trojan.Agent.Gen]
Infected: HKLM\SOFTWARE\MICROSOFT\APreSam --> [Adware.Tuto4PC]
Infected: HKLM\SOFTWARE\MICROSOFT\MPrForShutT --> [Adware.Tuto4PC]
Infected: HKLM\SOFTWARE\MICROSOFT\NSaveA --> [Adware.Tuto4PC]
Infected: HKLM\SOFTWARE\MICROSOFT\PrAmNP --> [Adware.Tuto4PC]
Infected: HKLM\SOFTWARE\MICROSOFT\PrIncub --> [Adware.Tuto4PC]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564 --> [Adware.DNSUnlocker.ACMB2]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\BIGTIME|partner --> [Adware.Tuto4PC]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\BIGTIME --> [Adware.Tuto4PC]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\EWMON|partner --> [Adware.Tuto4PC]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\EWMON --> [Adware.Tuto4PC]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|5148008 --> [Adware.Tuto4PC.Generic]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|XUSUHCP12AXDWMY --> [Adware.Tuto4PC.Generic]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|LECYY8DSEEPGQQ7 --> [Adware.Tuto4PC.Generic]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|7481549 --> [Adware.Tuto4PC.Generic]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|1157340 --> [Adware.Tuto4PC.Generic]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|6608634 --> [Adware.Tuto4PC.Generic]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|HO9U4E7JB2DZHPP --> [Adware.Tuto4PC.Generic]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|3556551 --> [Adware.Tuto4PC.Generic]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|C1WL06BSJNZAYJV --> [Adware.Tuto4PC.Generic]
Infected: C:\Program Files (x86)\B1dMyRtuobPX\settings.ini --> [Adware.DNSUnlocker.ACMB2]
Infected: C:\Program Files (x86)\B1dMyRtuobPX --> [Adware.DNSUnlocker.ACMB2]
Infected: C:\Program Files (x86)\B1dMyRtuobPX\B1dMyRtuobPX.cer --> [Adware.DNSUnlocker.ACMB2]
Infected: C:\Program Files (x86)\B1dMyRtuobPX\config.ini --> [Adware.DNSUnlocker.ACMB2]
Infected: C:\Program Files (x86)\B1dMyRtuobPX\Info.rtf --> [Adware.DNSUnlocker.ACMB2]
Infected: C:\Program Files (x86)\B1dMyRtuobPX\License.rtf --> [Adware.DNSUnlocker.ACMB2]
Infected: C:\Program Files (x86)\B1dMyRtuobPX\unins000.dat --> [Adware.DNSUnlocker.ACMB2]
Infected: C:\Program Files (x86)\B1dMyRtuobPX\unins000.exe --> [Adware.DNSUnlocker.ACMB2]
Infected: C:\Program Files (x86)\SDownloader\cast.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Program Files (x86)\SDownloader --> [Adware.Tuto4PC.Generic]
Infected: C:\Program Files (x86)\SDownloader\2WVL1.exe --> [Adware.Tuto4PC.Generic]
Infected: HKU\S-1-5-21-4009766753-2876665748-4057158324-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|YVCGO6LR8L806SY --> [Adware.Tuto4PC.Generic]
Infected: C:\Program Files (x86)\SDownloader\2WVL1.exe --> [Adware.Tuto4PC.Generic]
Infected: C:\Program Files (x86)\SDownloader\2WVL1.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Program Files (x86)\SDownloader\8SQIIR6SHD1YI18.exe.config --> [Adware.Tuto4PC.Generic]
Infected: C:\Program Files (x86)\SDownloader\config.conf --> [Adware.Tuto4PC.Generic]
Infected: C:\Program Files (x86)\SDownloader\S4O.exe --> [Adware.Tuto4PC.Generic]
Infected: C:\Users\siteh\AppData\Local\InstallationConfiguration.xml --> [Adware.Linkury.TskLnk]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action reg.exe... Success!
Executing an action cmd.exe... Success!
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action reg.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Queuing an action cmd.exe
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action reg.exe... Success!
Queuing an action reg.exe
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Executing an action cmd.exe... Success!
Queuing an action reg.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
(c) Malwarebytes Corporation 2011-2012

OS version: 10.0.15063 Windows 10 x64

Account is Administrative
Internet Explorer version: 11.726.15063.0
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.992000 GHz
Memory total: 8436027392, free: 6306131968

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
(c) Malwarebytes Corporation 2011-2012

OS version: 10.0.9200 Windows 10 x64

Account is Administrative
Internet Explorer version: 11.726.15063.0
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.992000 GHz
Memory total: 8436027392, free: 5902860288

Downloaded database version: v2017.12.12.01
Downloaded database version: v2017.11.28.01
=======================================
Initializing...
Driver version: 4.3.0.15
------------ Kernel report ------------
12/12/2017 02:37:55
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\SleepStudyHelper.sys
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\tpm.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\iaStorA.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\system32\drivers\mfehidk.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\system32\drivers\mfewfpk.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\vmbkmclr.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\dam.sys
\??\C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_de4c68ea4fb1be53\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\drivers\CAD.sys
\SystemRoot\System32\DriverStore\FileRepository\igdlh64.inf_amd64_f2308ff1d90596bf\igdkmd64.sys
\SystemRoot\System32\drivers\dptf_cpu.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\iaLPSS2_I2C.sys
\SystemRoot\system32\drivers\SpbCx.sys
\SystemRoot\System32\drivers\TeeDriverW8x64.sys
\SystemRoot\system32\DRIVERS\RtsPer.sys
\SystemRoot\System32\drivers\Netwtw06.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\iaLPSS2_UART2.sys
\SystemRoot\system32\drivers\SerCx2.sys
\SystemRoot\System32\drivers\iaLPSS2_SPI.sys
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\dptf_acpi.sys
\SystemRoot\System32\drivers\i8042prt.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\iaLPSS2_GPIO2.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\Drivers\msgpioclx.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\acpipagr.sys
\SystemRoot\System32\drivers\wmiacpi.sys
\SystemRoot\System32\drivers\AsRadioControl.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\System32\drivers\hidi2c.sys
\SystemRoot\System32\drivers\mshidkmdf.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\drivers\AsusPTPFilter.sys
\SystemRoot\System32\drivers\MTConfig.sys
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\ibtusb.sys
\SystemRoot\System32\drivers\BTHUSB.sys
\SystemRoot\System32\drivers\bthport.sys
\SystemRoot\system32\drivers\mfeaack.sys
\SystemRoot\system32\drivers\mfeplk.sys
\SystemRoot\system32\drivers\mfeavfk.sys
\SystemRoot\system32\drivers\mfefirek.sys
\SystemRoot\system32\DRIVERS\mfencbdc.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_iaStorA.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\esif_lf.sys
\SystemRoot\System32\drivers\WUDFRd.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\wcifs.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\System32\drivers\registry.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\drivers\vwifimp.sys
\??\C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys
\SystemRoot\system32\drivers\cfwids.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\1181446D.sys
----------- End -----------
Done!
Scan started
Database versions:
main: v2017.12.12.01
rootkit: v2017.10.14.01
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffd989ecf16510, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffd989eccf39f0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffd989ecf16510, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffd989e9d90e40, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffd989e9d97060, DeviceName: \Device\0000003f\, DriverName: \Driver\iaStorA\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
Volume is encrypted by BITLOCKER
<<<2>>>
<<<3>>>
Volume: C:
Volume is encrypted by BITLOCKER
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 6F072854
GPT Protective MBR Partition information:
Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1  Numsec = 4294967295
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0  Numsec = 0
GPT Partition information:
GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 1583950638
GPT Header CurrentLba = 1 BackupLba 1000215215
GPT Header FirstUsableLba 34 LastUsableLba 1000215182
GPT Header Guid 4f68675d-5b1f-4a6c-b637-d7925cf815d3
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128
Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 1583950638
Backup GPT header CurrentLba = 1000215215 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 1000215182
Backup GPT header Guid 4f68675d-5b1f-4a6c-b637-d7925cf815d3
Backup GPT header Contains 128 partition entries starting at LBA 1000215183
Backup GPT header Partition entry size = 128
Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID 430cc831-9e5-465c-ac34-4faafbbe83e
FirstLBA 2048 Last LBA 534527
Attributes 0
Partition Name EFI system partition
GPT Partition 0 is bootable
Partition 1 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID a48642f4-bc35-4519-85db-6ee4f928f64f
FirstLBA 534528 Last LBA 567295
Attributes 0
Partition Name Microsoft reserved partition
Partition 2 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID 533424b2-914a-4f7b-835a-5ed1ffbda66c
FirstLBA 567296 Last LBA 998576127
Attributes 0
Partition Name Basic data partition
Partition 3 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 53632522-3495-4df7-a51b-ca23391bfee2
FirstLBA 998576128 Last LBA 1000214527
Attributes 1
Partition Name Basic data partition
Disk Size: 512110190592 bytes
Sector size: 512 bytes
Done!
Infected file C:\Program Files\WinRAR\Default.SFX could not be remediated because backup file is not available
Scan finished
=======================================
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Default.SFX-k.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Default.SFX-u.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Default.SFX-r.mbam...
Removal finished