Computer hacked



#151 janji (Member, Topic Starter)

I've run ComboFix without the CFScript (accidentally); I thought it would install first. However, I had already copied CFScript to the desktop :/


Edited by janji, 04 March 2015 - 11:20 AM.



#152 janji (Member, Topic Starter)

Ok, I've run it a second time, this time with CFScript; here is the report. Do you want the log from the first time I ran ComboFix (without the CFScript) too?
ComboFix did a reboot and then logged the report.

ComboFix 15-03-01.01 - User 03/04/2015  18:21:56.2.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.1787.583 [GMT 1:00]
Running from: c:\users\User\Desktop\ComboFix.exe
Command switches used :: c:\users\User\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\windrvNT.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_windrvNT
-------\Service_windrvNT
.
.
(((((((((((((((((((((((((   Files Created from 2015-02-04 to 2015-03-04  )))))))))))))))))))))))))))))))
.
.
2015-03-04 17:35 . 2015-03-04 17:35    --------    d-----w-    c:\users\Public\AppData\Local\temp
2015-03-04 17:35 . 2015-03-04 17:35    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-03-04 15:03 . 2015-03-04 15:03    62576    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACA9F26A-E949-4A50-8D72-889B2175FCFD}\offreg.dll
2015-03-04 15:01 . 2015-01-29 09:49    9041640    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACA9F26A-E949-4A50-8D72-889B2175FCFD}\mpengine.dll
2015-02-25 20:38 . 2015-02-25 20:38    --------    d-sh--w-    c:\users\User\AppData\Local\EmieBrowserModeList
2015-02-25 20:21 . 2015-02-25 20:21    --------    d-----w-    c:\programdata\{BAF091CA-86C4-4627-ADA1-897E2621C1B0}
2015-02-25 20:21 . 2015-02-25 20:21    --------    d-----w-    c:\program files\Common Files\IObit
2015-02-25 20:20 . 2015-02-25 20:20    --------    d-----w-    c:\users\User\AppData\Roaming\ProductData
2015-02-25 20:19 . 2015-02-25 20:22    --------    d-----w-    c:\programdata\ProductData
2015-02-25 20:19 . 2015-02-25 20:20    --------    d-----w-    c:\users\User\AppData\Roaming\IObit
2015-02-10 19:23 . 2015-02-27 13:03    --------    d-----w-    c:\program files\SpeedFan
2015-02-10 19:01 . 2015-02-10 19:09    --------    d-----w-    c:\users\User\AppData\Local\CrashDumps
2015-02-10 17:30 . 2015-02-11 20:39    --------    d-----w-    c:\programdata\RogueKiller
2015-02-10 13:12 . 2015-03-04 16:15    --------    d-----w-    C:\FRST
2015-02-09 20:10 . 2015-02-09 20:10    --------    d-----w-    c:\users\User\AppData\Roaming\ATI
2015-02-09 20:10 . 2015-02-09 20:10    --------    d-----w-    c:\users\User\AppData\Local\ATI
2015-02-09 20:10 . 2015-02-09 20:10    --------    d-----w-    c:\programdata\ATI
2015-02-09 20:06 . 2015-02-09 20:06    --------    d-----w-    c:\program files\DIFX
2015-02-09 20:06 . 2009-12-22 01:26    30392    ----a-w-    c:\windows\system32\drivers\usbfilter.sys
2015-02-09 20:06 . 2015-02-09 20:06    --------    d-----w-    c:\program files\AMD
2015-02-09 01:19 . 2015-02-09 01:19    --------    d-----w-    c:\program files\Hewlett-Packard
2015-02-09 01:19 . 2015-02-09 01:19    --------    d-----w-    c:\program files\Hp
2015-02-06 21:01 . 2015-02-27 12:01    --------    d-----w-    c:\program files\Mozilla Maintenance Service
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-26 15:38 . 2013-11-10 14:09    13464    ----a-w-    c:\windows\system32\drivers\SWDUMon.sys
2015-02-25 22:20 . 2012-07-14 22:55    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2015-02-25 22:20 . 2012-07-14 22:23    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2015-02-09 03:08 . 2014-07-16 07:25    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-25 16:10 . 2014-10-16 15:52    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-12-22 23:50 . 2010-10-29 00:05    249488    ------w-    c:\windows\system32\MpSigStub.exe
2014-12-19 02:43 . 2015-01-14 10:08    164864    ----a-w-    c:\windows\system32\profsvc.dll
2014-12-19 01:34 . 2015-01-14 10:08    116224    ----a-w-    c:\windows\system32\drivers\mrxdav.sys
2014-12-13 03:33 . 2014-12-18 16:06    115712    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-12-12 05:11 . 2015-01-14 10:09    3971512    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2014-12-12 05:11 . 2015-01-14 10:09    3916728    ----a-w-    c:\windows\system32\ntoskrnl.exe
2014-12-11 17:47 . 2015-01-14 10:08    74240    ----a-w-    c:\windows\system32\TSWbPrxy.exe
2014-12-06 03:50 . 2015-01-14 10:08    242688    ----a-w-    c:\windows\system32\nlasvc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\User\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-08-01 13:08    578240    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\User\AppData\Local\Akamai\netsession_win.exe" [2014-10-29 4673432]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2014-10-29 4826904]
"Spotify Web Helper"="c:\users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2014-12-18 1676344]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-12-11 30878816]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2014-12-21 110160]
"Spotify"="c:\users\User\AppData\Roaming\Spotify\Spotify.exe" [2014-12-18 6737976]
"Screen Highlighter"="c:\program files\Screen Highlighter\shl.exe" [2013-12-20 643072]
"KiesPreload"="c:\program files\samsung\kies\kies.exe" [2013-04-23 1561968]
"FreeRAM XP"="c:\program files\yourware solutions\freeram xp pro\freeram xp pro.exe" [2012-11-27 1591808]
"Amazon Music"="c:\users\User\AppData\Local\Amazon Music\Amazon Music Helper.exe" [2014-10-15 6281024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-10-14 2299176]
"APSDaemon"="c:\program files\common files\apple\apple application support\apsdaemon.exe" [2013-04-21 59720]
"BCSSync"="c:\program files\microsoft office\office14\bcssync.exe" [2012-11-05 89184]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-08-01 4085896]
"DivXMediaServer"="c:\program files\divx\divx media server\divxmediaserver.exe" [2014-11-17 448856]
"DivXUpdate"="c:\program files\divx\divx update\divxupdate.exe" [2014-01-10 1861968]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-09 421776]
"KeyScrambler"="c:\program files\KeyScrambler\keyscrambler.exe" [2014-10-26 508744]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2014-10-02 421888]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"KiesTrayAgent"="c:\program files\samsung\kies\kiestrayagent.exe" [2013-04-23 311152]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\User\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2015-2-11 42555824]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2013-11-4 565464]
Stay On Top.lnk - c:\windows\Installer\{5C6C0192-BA75-4932-8931-B2FF88346E49}\_16dd6dc4.exe [2014-3-24 10134]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe"  -osboot
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2014-12-11 315496]
R3 CFcatchme;CFcatchme;c:\users\User\AppData\Local\Temp\CFcatchme.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2013-04-03 83864]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-11-22 102912]
R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv.sys [2012-07-20 34432]
R3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2011-03-07 15896]
R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv.sys [2012-07-20 25088]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-10-23 14848]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2013-10-28 182680]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-11-24 1343400]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [2013-05-22 15672]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-11-22 779536]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-08-01 414520]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [2014-05-17 39624]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2014-08-22 142648]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-17 172032]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-08-01 24184]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-08-01 67824]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-08-01 71944]
S2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\cmw_srv.exe [2014-05-16 919040]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2014-05-16 430344]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2013-11-04 1228504]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2013-11-04 660184]
S2 SPDFCreatorReadSpool;SolidPDFCreatorReadSpool;c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe [2011-10-03 180552]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2013-05-31 209016]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_x86.sys [2013-11-04 16024]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2000-01-01 197736]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
S3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys [2014-05-17 37064]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-02-03 20:38    1086280    ----a-w-    c:\program files\Google\Chrome\Application\40.0.2214.94\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-02-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-14 22:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
mStart Page = www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = about:blank
IE: &Save the YouTube video as MP3 - c:\users\User\AppData\Roaming\Free YouTube to MP3 Converter Studio\Free YouTube to MP3 Converter Studio.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Customize Menu - file://C:/Program Files/Siber Systems/AI RoboForm/RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://C:/Program Files/Siber Systems/AI RoboForm/RoboFormComFillForms.html
IE: Save Forms - file://C:/Program Files/Siber Systems/AI RoboForm/RoboFormComSavePass.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Show RoboForm Toolbar - file://C:/Program Files/Siber Systems/AI RoboForm/RoboFormComShowToolbar.html
Trusted Zone: aeriagames.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\rcdgk3lo.default\
FF - prefs.js: browser.startup.homepage - hxxps://my.yahoo.com/
FF - prefs.js: network.proxy.type - 4
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2015-03-04  18:43:35 - machine was rebooted
ComboFix-quarantined-files.txt  2015-03-04 17:43
ComboFix2.txt  2015-03-04 17:12
ComboFix3.txt  2015-02-10 20:06
.
Pre-Run: 143,624,654,848 bytes free
Post-Run: 143,411,625,984 bytes free
.
- - End Of File - - B66165271DF860FF1F9AA56DF8207503
A36C5E4F47E84449FF07ED3517B43A31

Edited by janji, 04 March 2015 - 11:54 AM.


#153 RKinner (Malware Expert, MVP)

Sorry for the delay. Forum was sick yesterday and I haven't had much time today.

I don't need the first run of ComboFix. The second run appears to have removed the file that wouldn't go away. Did you have any problems after ComboFix ran?

Let's try:

  • Download RogueKiller and save it on your desktop.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished.
  • Click on Scan.
  • Wait for the end of the scan.
  • Send me the RKreport.txt located on your desktop.


#154 janji (Member, Topic Starter)

    Hi Ron, thanks for your patience.

    After ComboFix the computer seems to be working just fine. Here is the RKreport.txt.

    RogueKiller V10.5.1.0 [Mar  5 2015] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.co...es/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : User [Administrator]
    Started from : C:\Program Files\RogueKiller\RogueKiller.exe
    Mode : Scan -- Date : 03/06/2015  15:26:53

    ¤¤¤ Processes : 4 ¤¤¤
    [Suspicious.Path] SpotifyWebHelper.exe(3536) -- C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[7] -> Killed [TermProc]
    [Suspicious.Path] Amazon Music Helper.exe(4396) -- C:\Users\User\AppData\Local\Amazon Music\Amazon Music Helper.exe[7] -> Killed [TermProc]
    [PUP] (SVC) hshld -- C:\Program Files\Hotspot Shield\bin\cmw_srv.exe[-] -> Stopped
    [PUP] (SVC) HssWd -- C:\Program Files\Hotspot Shield\bin\hsswd.exe[7] -> Stopped

    ¤¤¤ Registry : 23 ¤¤¤
    [PUP] HKEY_CLASSES_ROOT\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96} (C:\PROGRA~1\COMMON~1\WONDER~1\WONDER~1\WSHelper.exe) -> Found
    [Suspicious.Path] HKEY_USERS\S-1-5-21-4165335087-975643669-458432890-1000\Software\Microsoft\Windows\CurrentVersion\Run | Spotify Web Helper : "C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"  -> Found
    [Suspicious.Path] HKEY_USERS\S-1-5-21-4165335087-975643669-458432890-1000\Software\Microsoft\Windows\CurrentVersion\Run | Spotify : "C:\Users\User\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart  -> Found
    [Suspicious.Path] HKEY_USERS\S-1-5-21-4165335087-975643669-458432890-1000\Software\Microsoft\Windows\CurrentVersion\Run | Amazon Music : "C:\Users\User\AppData\Local\Amazon Music\Amazon Music Helper.exe"  -> Found
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\User\AppData\Local\Temp\catchme.sys) -> Found
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CFcatchme (\??\C:\Users\User\AppData\Local\Temp\CFcatchme.sys) -> Found
    [PUP] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hshld (C:\Program Files\Hotspot Shield\bin\cmw_srv.exe) -> Found
    [PUP] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HssTrayService (C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE) -> Found
    [PUP] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HssWd (C:\Program Files\Hotspot Shield\bin\hsswd.exe) -> Found
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\Users\User\AppData\Local\Temp\catchme.sys) -> Found
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\CFcatchme (\??\C:\Users\User\AppData\Local\Temp\CFcatchme.sys) -> Found
    [PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hshld (C:\Program Files\Hotspot Shield\bin\cmw_srv.exe) -> Found
    [PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HssTrayService (C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE) -> Found
    [PUP] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HssWd (C:\Program Files\Hotspot Shield\bin\hsswd.exe) -> Found
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\Users\User\AppData\Local\Temp\catchme.sys) -> Found
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\CFcatchme (\??\C:\Users\User\AppData\Local\Temp\CFcatchme.sys) -> Found
    [PUP] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hshld (C:\Program Files\Hotspot Shield\bin\cmw_srv.exe) -> Found
    [PUP] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HssTrayService (C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE) -> Found
    [PUP] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HssWd (C:\Program Files\Hotspot Shield\bin\hsswd.exe) -> Found
    [PUM.DesktopIcons] HKEY_USERS\S-1-5-21-4165335087-975643669-458432890-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
    [PUM.DesktopIcons] HKEY_USERS\S-1-5-21-4165335087-975643669-458432890-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 1 ¤¤¤
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 2 ¤¤¤
    [PUP][FIREFX:Addon] rcdgk3lo.default : Hotspot Shield Extension [[email protected]] -> Found
    [PUM.Proxy][FIREFX:Config] rcdgk3lo.default : user_pref("network.proxy.type", 4); -> Found

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST9320423AS ATA Device +++++
    --- User ---
    [MBR] 3c1bb1ccfdd1d0cf2275875b1a13427a
    [BSP] c78c6c4c4b493e2099c85c7c34e3fa7e : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 230118 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 471298896 | Size: 75116 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK


    ============================================
    RKreport_SCN_02102015_184033.log



#155 RKinner (Malware Expert, MVP)

    Doesn't look like there is anything left. It doesn't like your Hotspot Shield, Amazon Music, Spotify and Wondershare but they aren't truly evil. Just PUPs (Potentially Unwanted Programs) or running from a location other than a folder in Program Files. You have some desktop icons hidden but I assume that's the way you want it.

    I guess we can try GMER:

    Download GMER from http://www.gmer.net/download.php  Note the file's name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingc...opic114351.html to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.
    Haven't used it recently so if things have changed let me know.

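Ron's reading of the RogueKiller report rests on two rules: a name on a PUP list, or an autorun/service binary that runs from somewhere other than a Program Files folder (the "Suspicious.Path" hits under AppData and Temp). The Python below is added here as an illustration and is not part of the thread or of either tool; it applies those rules to constructed lines copied in the ComboFix "Reg Loading Points" and driver/service format, and the trusted-root, path-marker and PUP-name lists are assumptions, not RogueKiller's real signatures.

```python
import re
from dataclasses import dataclass

# Constructed sample: autorun and driver/service lines in the ComboFix
# "Reg Loading Points" format, copied from the report above. Not RogueKiller output.
SAMPLE_LINES = r"""
"Spotify Web Helper"="c:\users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2014-12-18 1676344]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-12-11 30878816]
"Amazon Music"="c:\users\User\AppData\Local\Amazon Music\Amazon Music Helper.exe" [2014-10-15 6281024]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-10-14 2299176]
R3 CFcatchme;CFcatchme;c:\users\User\AppData\Local\Temp\CFcatchme.sys [x]
S2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\cmw_srv.exe [2014-05-16 919040]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-11-22 779536]
S0 aswRvrt;avast! Revert; [x]
"""

# Assumptions, not RogueKiller's real rules: where installed software is expected
# to live, path fragments that mean "user-writable location", and vendor names
# the report above labelled as PUPs.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
SUSPICIOUS_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
PUP_VENDORS = ("hotspot shield", "wondershare")

# "Name"="path" [date size]   (HKCU/HKLM ...\Run entries; trailing args ignored)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
# R3 name;display name;path [date size]   or   S0 name;display name; [x]
SVC_RE = re.compile(r'^[RS][0-4]\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<path>[^\[]*)\[')


@dataclass
class Finding:
    source: str    # "run" (registry Run key) or "service" (driver/service entry)
    name: str
    path: str
    verdict: str   # "pup", "suspicious_path", "expected", "review" or "no_path"


def classify_path(name: str, path: str) -> str:
    """Apply the PUP-name rule, then the location rule, to one binary path."""
    p = path.lower()
    if not p:
        return "no_path"            # service with no image path, e.g. unloaded driver
    if any(vendor in p for vendor in PUP_VENDORS):
        return "pup"
    # Check user-writable markers before the trusted roots so that
    # c:\windows\temp\ is still treated as suspicious.
    if any(marker in p for marker in SUSPICIOUS_MARKERS):
        return "suspicious_path"
    if p.startswith(TRUSTED_ROOTS):
        return "expected"
    return "review"


def triage(report_text: str) -> list:
    """Parse Run-key and service lines out of a ComboFix-style report and classify each."""
    findings = []
    for line in report_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            findings.append(Finding("run", m["name"], m["path"],
                                    classify_path(m["name"], m["path"])))
            continue
        m = SVC_RE.match(line)
        if m:
            path = m["path"].strip()
            findings.append(Finding("service", m["name"], path,
                                    classify_path(m["name"], path)))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per verdict, the way a report header tallies hits."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        print(f"[{f.verdict}] ({f.source}) {f.name} -- {f.path or '<no path>'}")
    print(summarize(results))
```

Entries that land in "suspicious_path" are the ones to verify by hand (publisher signature, install source), since legitimate per-user installers such as Spotify and Amazon Music put their binaries under AppData too.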

#156 janji (Member, Topic Starter)

    Had to run Firefox as admin to download the file.
    On the right side is the option of Quick scan or C:\ and G:\; which one should I check?


    Edited by janji, 06 March 2015 - 09:42 AM.


#157 janji (Member, Topic Starter)

    Capture.PNG



#158 RKinner (Malware Expert, MVP)

    Click on the C:\ so it checks your whole drive. Won't hurt to also check the G:\ drive. Then press Scan.



#159 janji (Member, Topic Starter)

    Thanks, here is GMER Results log:

    GMER 2.1.19357 - http://www.gmer.net
    Rootkit scan 2015-03-06 20:55:06
    Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320423AS rev.0006HPM1 298.09GB
    Running: 78yq37hz.exe; Driver: C:\Users\User\AppData\Local\Temp\kxldapob.sys


    ---- System - GMER 2.1 ----

    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwAddBootEntry [0x8FA41BA6]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwAssignProcessToJobObject [0x8FA42684]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwCreateEvent [0x8FA4E6F8]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwCreateEventPair [0x8FA4E744]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwCreateIoCompletion [0x8FA4E8DE]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwCreateMutant [0x8FA4E666]
    SSDT            \SystemRoot\system32\drivers\aswSP.sys                                                                                  ZwCreateSection [0x8FAF8DF0]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwCreateSemaphore [0x8FA4E6AE]
    SSDT            \SystemRoot\system32\drivers\aswSP.sys                                                                                  ZwCreateThread [0x8FAF9080]
    SSDT            \SystemRoot\system32\drivers\aswSP.sys                                                                                  ZwCreateThreadEx [0x8FAF916A]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwCreateTimer [0x8FA4E898]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwDebugActiveProcess [0x8FA43472]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwDeleteBootEntry [0x8FA41C0C]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwDuplicateObject [0x8FA46C68]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwLoadDriver [0x8FA417F8]
    SSDT            \SystemRoot\system32\drivers\aswSP.sys                                                                                  ZwMapViewOfSection [0x8FAF8ED0]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwModifyBootEntry [0x8FA41C72]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwNotifyChangeKey [0x8FA4705E]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwNotifyChangeMultipleKeys [0x8FA43F5A]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwOpenEvent [0x8FA4E722]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwOpenEventPair [0x8FA4E766]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwOpenIoCompletion [0x8FA4E902]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwOpenMutant [0x8FA4E68C]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwOpenProcess [0x8FA46560]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwOpenSection [0x8FA4E816]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwOpenSemaphore [0x8FA4E6D6]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwOpenThread [0x8FA4694C]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwOpenTimer [0x8FA4E8BC]
    SSDT            \SystemRoot\system32\drivers\aswSP.sys                                                                                  ZwProtectVirtualMemory [0x8FAF8C6E]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwQueryObject [0x8FA43DCE]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwQueueApcThreadEx [0x8FA43ADC]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwSetBootEntryOrder [0x8FA41CD8]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwSetBootOptions [0x8FA41D3E]
    SSDT            \SystemRoot\system32\drivers\aswSP.sys                                                                                  ZwSetContextThread [0x8FAF8FCC]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwSetSystemInformation [0x8FA41892]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwSetSystemPowerState [0x8FA41A64]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwShutdownSystem [0x8FA419F2]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwSuspendProcess [0x8FA4363C]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwSuspendThread [0x8FA4379E]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwSystemDebugControl [0x8FA41AEC]
    SSDT            \SystemRoot\system32\drivers\aswSP.sys                                                                                  ZwTerminateProcess [0x8FAF8D3C]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwTerminateThread [0x8FA432CC]
    SSDT            \SystemRoot\system32\drivers\aswSnx.sys                                                                                 ZwVdmControl [0x8FA41DA4]
    SSDT            \SystemRoot\system32\drivers\aswSP.sys                                                                                  ZwWriteVirtualMemory [0x8FAF8BA0]

    ---- Kernel code sections - GMER 2.1 ----

    .text           ntkrnlpa.exe!ZwRequestWaitReplyPort + 14A5                                                                              84283A15 1 Byte  [06]
    .text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                                  842BD372 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text           ntkrnlpa.exe!KeRemoveQueueEx + 10CB                                                                                     842C45C0 4 Bytes  [A6, 1B, A4, 8F]
    .text           ntkrnlpa.exe!KeRemoveQueueEx + 1153                                                                                     842C4648 4 Bytes  [84, 26, A4, 8F]
    .text           ntkrnlpa.exe!KeRemoveQueueEx + 11A7                                                                                     842C469C 8 Bytes  [F8, E6, A4, 8F, 44, E7, A4, ...]
    .text           ntkrnlpa.exe!KeRemoveQueueEx + 11B3                                                                                     842C46A8 4 Bytes  [DE, E8, A4, 8F]
    .text           ntkrnlpa.exe!KeRemoveQueueEx + 11CF                                                                                     842C46C4 4 Bytes  [66, E6, A4, 8F]
    .text           ...                                                                                                                     
    .text           ntkrnlpa.exe!ZwRequestWaitReplyPort + 14A5                                                                              84283A15 1 Byte  [06]
    .text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                                  842BD372 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text           ntkrnlpa.exe!KeRemoveQueueEx + 10CB                                                                                     842C45C0 4 Bytes  [A6, 1B, A4, 8F]
    .text           ntkrnlpa.exe!KeRemoveQueueEx + 1153                                                                                     842C4648 4 Bytes  [84, 26, A4, 8F]
    .text           ntkrnlpa.exe!KeRemoveQueueEx + 11A7                                                                                     842C469C 8 Bytes  [F8, E6, A4, 8F, 44, E7, A4, ...]
    .text           ntkrnlpa.exe!KeRemoveQueueEx + 11B3                                                                                     842C46A8 4 Bytes  [DE, E8, A4, 8F]
    .text           ntkrnlpa.exe!KeRemoveQueueEx + 11CF                                                                                     842C46C4 4 Bytes  [66, E6, A4, 8F]
    .text           ...                                                                                                                     
    .text           C:\Windows\system32\DRIVERS\atikmdag.sys                                                                                section is writeable [0x9163E000, 0x2ED000, 0xE8000020]
    .text           C:\Windows\system32\DRIVERS\atikmdag.sys                                                                                section is writeable [0x9163E000, 0x2ED000, 0xE8000020]

    ---- User code sections - GMER 2.1 ----

    .text           C:\Program Files\CCleaner\CCleaner.exe[152] kernel32.dll!GetBinaryTypeW + 70                                            76EC6AAC 1 Byte  [62]
    .text           C:\Program Files\CCleaner\CCleaner.exe[152] kernel32.dll!GetBinaryTypeW + 70                                            76EC6AAC 1 Byte  [62]
    .text           C:\Windows\system32\taskeng.exe[312] kernel32.dll!GetBinaryTypeW + 70                                                   76EC6AAC 1 Byte  [62]
    .text           C:\Windows\system32\taskeng.exe[312] kernel32.dll!GetBinaryTypeW + 70                                                   76EC6AAC 1 Byte  [62]
    .text                                                                                                                                   
    .text           ...                                                                                                                     76EC6AAC 1 Byte  [62]
    .text           C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!SetUnhandledExceptionFilter                       76EAF5AB 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
    .text           C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!GetBinaryTypeW + 70                               76EC6AAC 1 Byte  [62]
    .text           C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!SetUnhandledExceptionFilter                       76EAF5AB 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
    .text           C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!GetBinaryTypeW + 70                               76EC6AAC 1 Byte  [62]
    .text           C:\Users\User\AppData\Local\Akamai\netsession_win.exe[1516] kernel32.dll!GetBinaryTypeW + 70                            76EC6AAC 1 Byte  [62]
    .text           C:\Users\User\AppData\Local\Akamai\netsession_win.exe[1516] kernel32.dll!GetBinaryTypeW + 70                            76EC6AAC 1 Byte  [62]
    .text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1544] kernel32.dll!GetBinaryTypeW + 70                                    76EC6AAC 1 Byte  [62]
    .text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1544] kernel32.dll!GetBinaryTypeW + 70                                    76EC6AAC 1 Byte  [62]
    .text           ...                                                                                                                     
    .text           C:\Program Files\AVAST Software\Avast\AvastUI.exe[1996] kernel32.dll!SetUnhandledExceptionFilter                        76EAF5AB 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
    .text                                                                                                                                   
    .text           C:\Program Files\AVAST Software\Avast\AvastUI.exe[1996] kernel32.dll!GetBinaryTypeW + 70                                76EC6AAC 1 Byte  [62]
    .text           C:\Program Files\AVAST Software\Avast\AvastUI.exe[1996] kernel32.dll!GetBinaryTypeW + 70                                76EC6AAC 1 Byte  [62]
    .text           C:\Program Files\Secunia\PSI\PSIA.exe[2076] kernel32.dll!GetBinaryTypeW + 70                                            76EC6AAC 1 Byte  [62]
    .text           C:\Program Files\Secunia\PSI\PSIA.exe[2076] kernel32.dll!GetBinaryTypeW + 70                                            76EC6AAC 1 Byte  [62]
    .text           C:\Program Files\DivX\DivX Update\DivXUpdate.exe[2124] kernel32.dll!GetBinaryTypeW + 70                                 76EC6AAC 1 Byte  [62]
    .text           ...                                                                                                                     

    ---- User IAT/EAT - GMER 2.1 ----

    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                         [73E9249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                    [73E75652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                                   [73E75710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                          [73E9251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                                [73E8857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                                  [73E84D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                                 [73E850D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                                [73E851AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]                       [73E866DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                                 [73E882D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                            [73E88824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                          [73E89085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                                [73E8E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                    [73E84C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                         [73E9249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                                    [73E75652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                                   [73E75710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                          [73E9251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                                [73E8857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                                  [73E84D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                                 [73E850D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                                [73E851AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]                       [73E866DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                                 [73E882D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                            [73E88824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                          [73E89085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                                [73E8E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
    IAT             C:\Windows\Explorer.EXE[1716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                                    [73E84C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll

    ---- Devices - GMER 2.1 ----

    AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                                                 Wdf01000.sys
    AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                                                 Wdf01000.sys
    AttachedDevice  \FileSystem\fastfat \Fat                                                                                                fltmgr.sys

    ---- Threads - GMER 2.1 ----

    Thread          System Idle [0:0]                                                                                                       842BD420
    Thread          System Idle [0:0]                                                                                                       842BD420
    Thread          System [4:168]                                                                                                          89391C80
    Thread          System [4:176]                                                                                                          8938C95E
    Thread          System [4:180]                                                                                                          89836945
    Thread          System [4:184]                                                                                                          89826001
    Thread          System [4:188]                                                                                                          8981B2B1
    Thread          System [4:204]                                                                                                          89BCCEB0
    Thread          System [4:208]                                                                                                          89BCCEB0
    Thread          System [4:212]                                                                                                          89BCCEB0
    Thread          System [4:216]                                                                                                          89BCCEB0
    Thread          System [4:220]                                                                                                          89BCCEB0
    Thread          System [4:224]                                                                                                          89BCCEB0
    Thread          System [4:228]                                                                                                          89BCCEB0
    Thread          System [4:232]                                                                                                          89BCCEB0
    Thread          System [4:236]                                                                                                          89BCCEB0
    Thread          System [4:248]                                                                                                          8FA6D4C8
    Thread          System [4:252]                                                                                                          8FA6D4C8
    Thread          System [4:256]                                                                                                          8FA6D4C8
    Thread          System [4:260]                                                                                                          8FA6D4C8
    Thread          System [4:264]                                                                                                          8FA6D4C8
    Thread          System [4:268]                                                                                                          8FA60A74
    Thread          System [4:272]                                                                                                          8FB05838
    Thread          System [4:276]                                                                                                          8FB1C10A
    Thread          System [4:280]                                                                                                          8FAF04AC
    Thread          System [4:284]                                                                                                          8FB89522
    Thread          System [4:288]                                                                                                          8EE94932
    Thread          System [4:292]                                                                                                          8EF59BCB
    Thread          System [4:296]                                                                                                          908B6E8A
    Thread          System [4:316]                                                                                                          9097F646
    Thread          System [4:320]                                                                                                          9096DF39
    Thread          System [4:324]                                                                                                          91C40650
    Thread          System [4:328]                                                                                                          91C3A090
    Thread          System [4:332]                                                                                                          91C3F420
    Thread          System [4:336]                                                                                                          91C40C80
    Thread          System [4:340]                                                                                                          9211AE32
    Thread          System [4:344]                                                                                                          924DF860
    Thread          System [4:348]                                                                                                          924E2750
    Thread          System [4:416]                                                                                                          9080243A
    Thread          System [4:444]                                                                                                          9080124A
    Thread          System [4:448]                                                                                                          90801180
    Thread          System [4:452]                                                                                                          91B45CF6
    Thread          System [4:456]                                                                                                          918443B6
    Thread          System [4:460]                                                                                                          91670336
    Thread          System [4:464]                                                                                                          9166F77E
    Thread          System [4:468]                                                                                                          917A8DE0
    Thread          System [4:472]                                                                                                          91BD653E
    Thread          System [4:592]                                                                                                          916901F6
    Thread          System [4:812]                                                                                                          8EE09740
    Thread          System [4:816]                                                                                                          8FA05082
    Thread          System [4:1760]                                                                                                         994CA005
    Thread          System [4:1764]                                                                                                         994CA005
    Thread          System [4:1768]                                                                                                         994CA6CB
    Thread          System [4:1840]                                                                                                         99547FC0
    Thread          System [4:396]                                                                                                          994CA005
    Thread          System [4:2408]                                                                                                         9086B268
    Thread          System [4:2412]                                                                                                         9086B268
    Thread          System [4:2536]                                                                                                         8EF6AD18
    Thread          System [4:3040]                                                                                                         A3F1D18C
    Thread          System [4:3044]                                                                                                         A3F1D18C
    Thread          System [4:3060]                                                                                                         A3F1D18C
    Thread          System [4:3064]                                                                                                         A3F1D18C
    Thread          System [4:3068]                                                                                                         A3F1D18C
    Thread          System [4:3072]                                                                                                         A3F6F844
    Thread          System [4:3076]                                                                                                         A3F6F844
    Thread          System [4:3080]                                                                                                         A3F6F844
    Thread          System [4:3084]                                                                                                         A3F6F844
    Thread          System [4:3556]                                                                                                         8EF6AD18
    Thread          System [4:3560]                                                                                                         8EF6AD18
    Thread          System [4:668]                                                                                                          A3FC7370
    Thread          csrss.exe [512:568]                                                                                                     98B56C14
    Thread          csrss.exe [512:572]                                                                                                     98B54950

    ---- Registry - GMER 2.1 ----

    Reg             HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\00247eb4d9f4 (not active ControlSet)                         
    Reg             HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\00247eb4d9f4 (not active ControlSet)                         
    Reg             HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247eb4d9f4                                             
    Reg             HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247eb4d9f4                                             
    Reg             HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\00247eb4d9f4 (not active ControlSet)                         
    Reg             HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\00247eb4d9f4 (not active ControlSet)                         
    Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active                                      
    Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\[email protected]                             
    Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active                                      3596
    Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\[email protected]                             3596
    Reg             HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\[email protected]{3E5C21CD-5CDD-11E3-84E3-806E6F6E6963}  31308768352
    Reg             HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\[email protected]{3E5C21CD-5CDD-11E3-84E3-806E6F6E6963}  31308768352

    ---- Disk sectors - GMER 2.1 ----

    Disk            \Device\Harddisk0\DR0                                                                                                   Windows 7 default MBR code found via API
    Disk            \Device\Harddisk0\DR0                                                                                                   unknown MBR code

    ---- EOF - GMER 2.1 ----


    • 0
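The GMER output above is a fixed-column layout that is easy to misread by eye. As an added example (not part of the post, and not GMER's own code), here is a small Python parser for that layout with a triage pass that counts System threads per kernel address, separates keys reported from inactive ControlSets, and flags a disk device whose two MBR readings disagree; the sample log is constructed and its PIDs, addresses and key names are made up.

```python
import re
from collections import Counter

# Constructed sample in the GMER 2.1 log layout; values are made up for this example.
SAMPLE_LOG = r"""---- Threads - GMER 2.1 ----
Thread          System [4:3040]               A3F1D18C
Thread          System [4:3044]               A3F1D18C
Thread          csrss.exe [512:568]           98B56C14
---- Registry - GMER 2.1 ----
Reg             HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\00247eb4d9f4 (not active ControlSet)
Reg             HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247eb4d9f4
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active   3596
---- Disk sectors - GMER 2.1 ----
Disk            \Device\Harddisk0\DR0         Windows 7 default MBR code found via API
Disk            \Device\Harddisk0\DR0         unknown MBR code
---- EOF - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^---- .+? - GMER")
THREAD_RE = re.compile(r"^Thread\s+(\S+) \[(\d+):(\d+)\]\s+([0-9A-F]{8})$")
# A key path may contain single spaces ("Windows NT"); a trailing value is set off by 2+ spaces.
REG_RE = re.compile(r"^Reg\s+(HK.*?)(?: (\(not active ControlSet\)))?(?:\s{2,}(\S.*?))?\s*$")
DISK_RE = re.compile(r"^Disk\s+(\S+)\s+(.+?)\s*$")

def parse_gmer(text):
    """Split a GMER 2.1 log into thread, registry and disk-sector records."""
    out = {"threads": [], "regs": [], "disks": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if m := THREAD_RE.match(line):
            out["threads"].append({"image": m[1], "pid": int(m[2]), "tid": int(m[3]), "addr": m[4]})
        elif m := REG_RE.match(line):
            out["regs"].append({"key": m[1], "active": m[2] is None, "value": m[3] or ""})
        elif m := DISK_RE.match(line):
            out["disks"].append({"device": m[1], "status": m[2]})
    return out

def triage(parsed):
    # System threads sharing one start address are usually one worker routine, so
    # counting per address shrinks a long thread list to a few entries to review.
    sys_addrs = Counter(t["addr"] for t in parsed["threads"] if t["image"] == "System")
    # GMER prints more than one reading per disk device; disagreeing readings mean
    # the MBR deserves a closer look rather than trust in either line.
    readings = {}
    for d in parsed["disks"]:
        readings.setdefault(d["device"], set()).add(d["status"])
    mbr_mismatch = sorted(dev for dev, s in readings.items() if len(s) > 1)
    inactive = [r["key"] for r in parsed["regs"] if not r["active"]]
    return {"system_thread_addrs": sys_addrs, "mbr_mismatch": mbr_mismatch, "inactive_controlset_keys": inactive}
```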

    #160
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 20,031 posts
    • MVP

    GMER is not finding anything to worry about.  It and Avast don't get along that well so it flags a lot of Avast processes and the rest look like programs we already know about.  

     

    I've got one more scan we can try:

     

Please click http://devbuilds.kas...builds/AVPTool/ to download AVP Tool by Kaspersky.

• Save it to your desktop.
• Reboot your computer into SafeMode.
  You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
  Use your up arrow key to highlight SafeMode then hit enter.
• Double click the setup file to run it.
• Click Next to continue.
• It will by default install it to your desktop folder. Click Next.
• Hit ok at the prompt for scanning in Safe Mode.
• It will then open a box. There will be a tab that says Automatic scan.
• Under Automatic scan make sure these are checked:
  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)

After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

• Then click on Scan at the top right hand Corner.
• It will automatically Neutralize any objects found.
• If some objects are left un-neutralized then click the button that says Neutralize all.
• If it says it cannot be Neutralized then choose The delete option when prompted.
• After that is done click on the reports button at the bottom and save it to file; name it Kas.
• Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report. It will be at the very top under Detected; post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.


    • 0


    #161
    janji

    janji

      Member

    • Topic Starter
    • Member
    • PipPipPip
    • 210 posts

After selecting run it says that: Extended monitoring driver is required for extended thread detection.
Press 'reboot now' button to install driver and reboot, or 'Continue' to run program in standard mode.

    I just select continue for now.


    Edited by janji, 06 March 2015 - 03:39 PM.

    • 0

    #162
    janji

    janji

      Member

    • Topic Starter
    • Member
    • PipPipPip
    • 210 posts

It's quite different from your description: I can add C:/ drive and G:/ drive, but there's no option for security level / Heuristic analyser etc. or scanning in Safe Mode etc.

I'm cancelling to wait for your answer to see if I should reboot to install the additional driver.
     


    • 0

    #163
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 20,031 posts
    • MVP

    Looks like they have updated the program.  Since we are looking for rootkits you need to reboot in order to let it install its driver.


    • 0

    #164
    janji

    janji

      Member

    • Topic Starter
    • Member
    • PipPipPip
    • 210 posts

    It reboots, seems to load driver (shows command prompt briefly) then says it's ready to scan. So I turned off computer to start again in Safe Mode, then get pop up window saying it can't perform scan, needs to reboot to load drivers. I let them do the reboot thing and now they want to scan but it's not in Safe Mode.


    Edited by janji, 07 March 2015 - 06:14 AM.

    • 0

    #165
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 20,031 posts
    • MVP

    OK.  Looks like it's broken.  I expected better of Kaspersky.

     

    Use IE and go to http://eset.com/onlinescan  and click on ESET online Scanner.  Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).  
     
    # Check Scan Archives
    # Push the Start button.
    # ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    # When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    # Push the BACK button.
    # Push Finish
    # Once the scan is completed, you may close the window.
    # Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    # Copy and paste that log as a reply.
     
     
    Let's also try the bitdefender quickscan.
     
     
    When it finishes there is a View Report option at the bottom.  Click on it and copy and paste the report (even if it says nothing found).

    • 0





