[RKinner]

Copy the next line:

sfc /scanfile=C:\Windows\System32\drivers\WUDFRd.sys >\junk.txt

notepad \junk.txt

Open an elevated Command Prompt again.  

http://www.howtogeek...-in-windows-10/

 

 

 

Right click and Paste (or Edit then Paste) and the copied lines should appear.

Hit Enter if notepad does not open.  Copy and paste the text from notepad into a reply. 

 

[Advertisements]

Windows Resource Protection did not find any integrity violations.

[younggeeza]

Windows Resource Protection did not find any integrity violations.

[RKinner]

Odd that it says it can't find the file.

 

Does

sc start WUDFRd

say it is already started?

[younggeeza]

TYPE: 1 KERNEL_DRIVER

STATE: 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE: 0 (0X0)

CHECKPOINT: 0 (0X0)

WAIT_HINT: 0X0

PID: 0

FLAGS:

[RKinner]

How is it running now?

[younggeeza]

Chrome profile has survived four restarts so far which is has done before. Here's hoping everything is resolved now. The fans seem like they're okay now too. 

 

Based on what you've seen any everything you've asked me to do, do you think my PC is secure again?

Edited by younggeeza, 08 August 2017 - 09:37 AM.

[RKinner]

I don't see anything but we can run a few more scans to make sure.

 

Try MBAR:

 

https://www.malwareb...om/antirootkit/

 

Don't have a write up for it but it should be pretty self explanatory.

 

 

Let's run Rogue Killer

 

http://www.adlice.co...iller/#download

 

Portable 64 bits <==Use this one

 

Download and Save.

 

 

 

Right click on the downloaded file (RogueKillerX64.exe)  and Run As admin

 

Start Scan

Start Scan

 

Will take about 20 minutes to complete.

 

Open Report

Export TXT (save it to your desktop as rk) Save

 

Do not let Rogue Killer remove anything until you hear from me as it has a tendency to False Positives.  Leave Rogue Killer up (but minimized) so you won't have to rescan.

 

Open rk.txt and copy and paste it to your next Reply. 

[younggeeza]

The MBAR scan didn't show anything. Here's the RogueKiller scan result. I would like to keep KMSpico...Everything else looks good to my layman eye! My PC has seemed back to normal for the last 10 or so hours which is amazing. I want to say thank you for taking the time to help me. I'd have probably spent days doing a clean install and pulling my hair out over having to save all the files I wanted and reinstall everything to get back to normal. I doubt it means anything to you at all but I've given you a 5star rating on your profile and I promise to be more vigilant in the future. 

 

RogueKiller V12.11.9.0 (x64) [Aug  3 2017] (Free) by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : https://forum.adlice.com

Website : http://www.adlice.co...ad/roguekiller/

Blog : http://www.adlice.com

 

Operating System : Windows 10 (10.0.15063) 64 bits version

Started in : Normal mode

User : Kamuran [Administrator]

Started from : C:\Program Files\RogueKiller\RogueKiller64.exe

Mode : Scan -- Date : 08/08/2017 20:41:32 (Duration : 00:16:29)

 

¤¤¤ Processes : 2 ¤¤¤

[PUP.HackTool|VT.HackTool:Win32/AutoKMS] Service_KMS.exe(2352) -- C:\Program Files\KMSpico\Service_KMS.exe[-] -> Found

[PUP.HackTool|VT.HackTool:Win32/AutoKMS] (SVC) Service KMSELDI -- C:\Program Files\KMSpico\Service_KMS.exe[-] -> Found

 

¤¤¤ Registry : 4 ¤¤¤

[PUP.HackTool|VT.HackTool:Win32/AutoKMS] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Service KMSELDI (C:\Program Files\KMSpico\Service_KMS.exe) -> Found

[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-18e01325 -> Found

[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1796459480-2700951773-158243115-1002\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-18e01325 -> Found

[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1796459480-2700951773-158243115-1002\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-18e01325 -> Found

 

¤¤¤ Tasks : 1 ¤¤¤

[PUP.HackTool|VT.HackTool:Win32/AutoKMS] \AutoPico Daily Restart -- "C:\Program Files\KMSpico\AutoPico.exe" (/silent) -> Found

 

¤¤¤ Files : 6 ¤¤¤

[PUP.Gen0][File] C:\Windows\SECOH-QAD.exe -> Found

[PUP.HackTool][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\AutoPico.lnk [LNK@] C:\PROGRA~1\KMSpico\AutoPico.exe -> Found

[PUP.HackTool][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\KMSpico.lnk [LNK@] C:\PROGRA~1\KMSpico\KMSELDI.exe -> Found

[PUP.HackTool][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\Log KMSpico.lnk [LNK@] C:\PROGRA~1\KMSpico\scripts\Log.cmd -> Found

[PUP.HackTool][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico\Uninstall KMSpico.lnk [LNK@] C:\PROGRA~1\KMSpico\UninsHs.exe /u0=KMSpico -> Found

[PUP.HackTool][Folder] C:\Program Files\KMSpico -> Found

 

¤¤¤ WMI : 0 ¤¤¤

 

¤¤¤ Hosts File : 0 ¤¤¤

 

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: SanDisk SDSSDA240G +++++

--- User ---

[MBR] 78a178bf044370c2646fc9d4878aa64b

[BSP] 6f837f2e64d22392537e77acbe22a47c : Windows Vista/7/8|VT.Unknown MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 228484 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]

1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 467937280 | Size: 450 MB

User = LL1 ... OK

User = LL2 ... OK

 

+++++ PhysicalDrive1: WDC WD2003FZEX-00Z4SA0 +++++

--- User ---

[MBR] 0086f36f0b7bc8b257f89fc226376c3d

[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code

Partition table:

0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB

1 - Basic data partition | Offset (sectors): 264192 | Size: 1907600 MB

User = LL1 ... OK

User = LL2 ... OK

 

[RKinner]

OK RK found nothing to worry about.  You can just close it.

 

I think we can clean up now:

 

 

To delete the Quarantine Folder used by FRST create a fixlist.txt file with just the following line:

 

DeleteQuarantine:

 

Save the fixlist.txt to the same folder as FRST then run FRST and hit Fix.  You can easily delete any other folders and logs.

 

If we installed Speccy it needs to be uninstalled.  Process Explorer, VEW, AdwCleaner, JRT  and their logs and Speccy's log can just be deleted.

 

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  Flash is now the most malware targeted program so it must be kept up to date.  Be careful with Adobe.  They are fond of offering optional downloads like yahoo or Ask toolbars or that worthless McAfee Security Scan.  Go slow and uncheck the optional stuff.

 

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions. 

 

 

If you use Chrome/Firefox then get the Ublock Origin  Add-on from https://www.ublock.org/.  For IE go to adblockplus.org  and get the add-on.  (It's actually a program for IE)

 

If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox.

http://www.crystalidea.com/speedyfox.  Close Chrome/Firefox/Skpe. Hit Optimize.   You can run it any time that Chrome/Firefox seems slow starting..

 

To prevent a relatively new phishing attack:  In Firefox, type:

 

about:config

 

in the URL box and hit Enter.  You should get a new page of options (if you get a notice about voiding the warranty just cancel the warning).  In the Search box put in 

 

puny

 

You should only get one option:

network.IDN_show_punycode

We want it to say True but by default it is False so double click on it to toggle from False to True.

Close and restart firefox.

 

To test it you can go to:

 

https://www.xn--80ak6aa92e.com/

 

If the value is false you will see https://www.apple.cominstead of the correct value

 

 

If you are a Facebook user get the FB Purity extension for your browser:

http://www.fbpurity.com/

This will stop all of the suggested pages and ads so that Facebook loads much quicker.

 

 

Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will probably be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.combefore you open them.

 

Due to a recent rise in the number of Crytolocker infections I am now recommending you install:

 

CryptoPrevent

 

http://www.foolishIT.../cryptoprevent/

 

The free version does not update on its own so you should check for updated versions once in a while. When you install it the default is NONE which is kind of worthless so change it to Standard or default. If you have problems after installing CryptoPrevent you can just uninstall it.

 

If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business.  See http://www.king5.com...0637284.htmlandhttp://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.

 

Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:

http://www.java.com/...lugin_cache.xml

Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.

Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.

 

 

My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's an Orcas Island environmental organization that I volunteered with: http://www.kwiaht.org/donate.htm

(The name means something like "clean place" in one of the local native-American dialects)

[younggeeza]

I donated I'll follow your remaining instructions tomorrow once I'm back from work and post to confirm that there have been no more problems. Goodnight from me and thanks again.

[RKinner]

Thanks a lot!

[younggeeza]

Everything seems to be working perfectly still. Regarding my router password, I changed it the moment we had the internet hooked up here. You only mean to change it if I haven't changed it already right?

 

No need to answer if that's fine and there's nothing else I need to do.

 

Best regards, Kam.

[RKinner]

Yes.  That's correct.  We jsut don't want it to be the default.  There is a family of malware that likes to reprogram your router.  Changing the password from the default prevents it.