
Undetectable Virus or Malware freezes mouse cursor and makes fan run



#16
koolkat1939

    Member

  • Topic Starter
  • Member
  • 27 posts

Virustotal says uphclean.exe and MBR.dat are clean. I forgot to tell you that aswMBR found something on my computer and the fix button came up, so I clicked on fix. Then it asked me to reboot, and so I scanned again after and it created an MBR.dat. Then fixMBR came up but I didn't click on that; I just saved the log. I believe Locky and 5AHSH54OwLwn are part of BDAntiRansomware.

:geek: Hum, are FlashBroker, IFlashBroker6 and RAIDTest Trojans or Viruses?

:yes:

VirusTotal
SHA256:     0e9f08fdf2032a7ebe883ce2c7aef3dc4ce622c2e6f4bebeafa24acf93669c99
File name:     uphclean.exe
Detection ratio:     0 / 53
Analysis date:     2016-08-01 03:48:54 UTC ( 0 minutes ago )
Probably harmless! There are strong indicators suggesting that this file is safe to use.

Antivirus     Result     Update
ALYac         20160731
AVG         20160801
AVware         20160801
Ad-Aware         20160801
AegisLab         20160801
AhnLab-V3         20160731
Alibaba         20160730
Antiy-AVL         20160801
Arcabit         20160731
Avast         20160801
Avira (no cloud)         20160731
Baidu         20160730
BitDefender         20160801
Bkav         20160727
CAT-QuickHeal         20160730
CMC         20160728
ClamAV         20160801
Comodo         20160801
Cyren         20160801
DrWeb         20160801
ESET-NOD32         20160731
Emsisoft         20160801
F-Prot         20160801
F-Secure         20160801
Fortinet         20160801
GData         20160801
Ikarus         20160731
Jiangmin         20160801
K7AntiVirus         20160731
K7GW         20160801
Kaspersky         20160731
Kingsoft         20160801
Malwarebytes         20160801
McAfee         20160801
McAfee-GW-Edition         20160731
eScan         20160801
Microsoft         20160801
NANO-Antivirus         20160801
Panda         20160731
Qihoo-360         20160801
SUPERAntiSpyware         20160731
Sophos         20160801
Symantec         20160801
Tencent         20160801
TheHacker         20160729
TrendMicro         20160801
TrendMicro-HouseCall         20160801
VBA32         20160729
VIPRE         20160801
ViRobot         20160731
Zillya         20160731
Zoner         20160801
nProtect         20160729

---------------------------------------------------------------------------------------------------------------------------

:yes:

VirusTotal
SHA256:     6b3b00eb062b2b595eca8eaf08d402be747342f66a800072f82266d099771ed0
File name:     MBR.dat
Detection ratio:     0 / 53
Analysis date:     2016-08-01 03:59:06 UTC ( 0 minutes ago )

Antivirus     Result     Update
ALYac         20160731
AVG         20160801
AVware         20160801
Ad-Aware         20160801
AegisLab         20160801
AhnLab-V3         20160731
Alibaba         20160730
Antiy-AVL         20160801
Arcabit         20160731
Avast         20160801
Avira (no cloud)         20160731
Baidu         20160730
BitDefender         20160801
Bkav         20160727
CAT-QuickHeal         20160730
CMC         20160728
ClamAV         20160801
Comodo         20160801
Cyren         20160801
DrWeb         20160801
ESET-NOD32         20160731
Emsisoft         20160801
F-Prot         20160801
F-Secure         20160801
Fortinet         20160801
GData         20160801
Ikarus         20160731
Jiangmin         20160801
K7AntiVirus         20160731
K7GW         20160801
Kaspersky         20160731
Kingsoft         20160801
Malwarebytes         20160801
McAfee         20160801
McAfee-GW-Edition         20160731
eScan         20160801
Microsoft         20160801
NANO-Antivirus         20160801
Panda         20160731
Qihoo-360         20160801
SUPERAntiSpyware         20160731
Sophos         20160801
Symantec         20160801
Tencent         20160801
TheHacker         20160729
TrendMicro         20160801
TrendMicro-HouseCall         20160801
VBA32         20160729
VIPRE         20160801
ViRobot         20160801
Zillya         20160731
Zoner         20160801
nProtect         20160729

-----------------------------------------------------------------------------------------------------------------------------------

:yes: Combofix log

ComboFix 16-07-25.01 - Owner 07/31/2016  21:24:21.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.895.523 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Panda Free Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
FW: Panda Firewall *Disabled* {1337562C-110A-4AF8-B12B-750C0B30E802}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\documents and settings\All Users\Start Menu\Programs\Startup\Oemreset.lnk"
"c:\documents and settings\Owner\Start Menu\Programs\Startup\_uninst_.lnk"
"c:\program files\Common Files\AOL\Loader\aolload.exe"
"c:\windows\pss\_uninst_.lnkStartup"
"c:\windows\pss\Oemreset.lnk"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\RAIDTest
c:\documents and settings\Owner\My Documents\New Folder\Free Any Burn 1.4
c:\documents and settings\Owner\My Documents\New Folder\Free Any Burn 1.4\freeanyburn_setup.exe
c:\documents and settings\Owner\My Documents\Tools & Programs\Free Any Burn 1.4
c:\documents and settings\Owner\My Documents\Tools & Programs\Free Any Burn 1.4\freeanyburn_setup.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_asdids
.
.
(((((((((((((((((((((((((   Files Created from 2016-07-01 to 2016-08-01  )))))))))))))))))))))))))))))))
.
.
2016-07-31 23:47 . 2015-05-22 08:45    50832    ----a-w-    c:\windows\system32\drivers\PSKMAD.sys
2016-07-30 02:11 . 2016-07-30 02:12    380928    ----a-w-    C:\9ik17ki1.exe
2016-07-29 14:18 . 2016-07-29 14:18    --------    d-----w-    c:\program files\UPHClean
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-07-31 23:59 . 2014-09-01 19:12    121560    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2016-07-31 23:59 . 2014-08-03 00:51    170200    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-07-26 14:30 . 2014-08-27 02:07    24688    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2016-07-18 01:23 . 2014-08-04 01:32    796352    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2016-07-18 01:23 . 2014-08-04 01:32    142528    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"Malwarebytes Anti-Exploit"="c:\program files\Malwarebytes Anti-Exploit\mbae.exe" [2016-06-02 2623456]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"PSUAMain"="c:\program files\Panda Security\Panda Security Protection\PSUAMain.exe" [2015-10-22 54520]
"BDAntiCryptoLocker"="c:\program files\Bitdefender\Tools\BDAntiRansomware\BDAntiRansomware.exe" [2016-05-16 1242144]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2016-03-24 134480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
"MaxGPOScriptWait"= 600 (0x258)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Oemreset.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Oemreset.lnk
backup=c:\windows\pss\Oemreset.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^_uninst_.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\_uninst_.lnk
backup=c:\windows\pss\_uninst_.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 04:43    59720    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42    1695232    ------w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 10:59    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-07-04 19:51    17408    ----a-w-    c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\CheckPoint\\ZoneAlarm\\vsmon.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\Malwarebytes Anti-Exploit\mbae.sys [11/15/2015 6:30 PM 50016]
R1 NNSALPC;NNSAlpc;c:\windows\system32\drivers\NNSAlpc.sys [7/9/2015 8:37 AM 87032]
R1 NNSHTTP;NNSHttp;c:\windows\system32\drivers\NNSHttp.sys [7/9/2015 8:37 AM 202104]
R1 NNSHTTPS;NNSHttps;c:\windows\system32\drivers\NNSHttps.sys [7/9/2015 8:37 AM 109688]
R1 NNSIDS;NNSids;c:\windows\system32\drivers\NNSIds.sys [7/9/2015 8:37 AM 121720]
R1 NNSPICC;NNSPicc;c:\windows\system32\drivers\NNSpicc.sys [7/9/2015 8:37 AM 102264]
R1 NNSPIHS;NNSPihs;c:\windows\system32\drivers\NNSpihs.sys [7/9/2015 8:37 AM 52088]
R1 NNSPOP3;NNSPop3;c:\windows\system32\drivers\NNSPop3.sys [7/9/2015 8:37 AM 120568]
R1 NNSPROT;NNSProt;c:\windows\system32\drivers\NNSProt.sys [7/9/2015 8:37 AM 281720]
R1 NNSPRV;NNSPrv;c:\windows\system32\drivers\NNSPrv.sys [7/9/2015 8:37 AM 209016]
R1 NNSSMTP;NNSSmtp;c:\windows\system32\drivers\NNSSmtp.sys [7/9/2015 8:37 AM 108408]
R1 NNSSTRM;NNSStrm;c:\windows\system32\drivers\NNSStrm.sys [7/9/2015 8:37 AM 240376]
R1 NNSTLSC;NNSTlsc;c:\windows\system32\drivers\NNStlsc.sys [7/9/2015 8:37 AM 94968]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [7/19/2015 9:46 AM 172792]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\Malwarebytes Anti-Exploit\mbae-svc.exe [11/15/2015 6:30 PM 742368]
R2 NanoServiceMain;Panda Protection Service;c:\program files\Panda Security\Panda Security Protection\PSANHost.exe [10/18/2015 2:32 AM 142072]
R2 PandaAgent;Panda Devices Agent;c:\program files\Panda Security\Panda Devices Agent\AgentSvc.exe [2/22/2016 6:24 PM 73176]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [7/19/2015 9:46 AM 140792]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [7/19/2015 9:46 AM 103288]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [7/19/2015 9:46 AM 114680]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [7/19/2015 9:46 AM 125176]
R2 PSINReg;PSINReg;c:\windows\system32\drivers\PSINReg.sys [7/19/2015 9:46 AM 100600]
R2 PSUAService;Panda Product Service;c:\program files\Panda Security\Panda Security Protection\PSUAService.exe [10/22/2015 9:42 AM 38136]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [10/19/2015 10:22 AM 96272]
R3 NNSNAHS;Network Activity Hook Server Service;c:\windows\system32\drivers\NNSNAHS.sys [5/20/2015 3:18 AM 55216]
R3 PSKMAD;PSKMAD;c:\windows\system32\drivers\PSKMAD.sys [7/31/2016 4:47 PM 50832]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mbamchameleon
*Deregistered* - uphcleanhlp
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.yahoo.com/
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\41qyd9cm.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-07-31 21:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\.Default\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService_Classes\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService_Classes\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20_Classes\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20_Classes\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-676961170-3691123601-236142853-1003\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-676961170-3691123601-236142853-1003\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-842925246-1606980848-1708537768-1003_Classes\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-842925246-1606980848-1708537768-1003_Classes\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3084)
c:\windows\system32\WININET.dll
c:\program files\Bitdefender\Tools\BDAntiRansomware\InjectionDll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2016-07-31  21:54:24 - machine was rebooted
ComboFix-quarantined-files.txt  2016-08-01 04:54
ComboFix2.txt  2016-07-30 15:45
.
Pre-Run: 33,290,543,104 bytes free
Post-Run: 33,231,155,200 bytes free
.
- - End Of File - - F4724DA58F2F828D164690D21711BB89
620801C51A4A223B7167BE50689BA748
 


Edited by koolkat1939, 01 August 2016 - 11:01 AM.

  • 0


#17
RKinner


    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Sorry I didn't get notified again. Going to talk to admin about it.

Turns out the two registry entries:

[HKEY_USERS\.Default\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\.Default\Software\Locky]
@Denied: (B 2 3) (Everyone)

are put in by your BitDefender BDAntiRansomware.exe as a method to keep Locky & something else from installing themselves. That's why they came back.

FlashBroker, IFlashBroker6 are normal Adobe Flash. Don't know about RAIDTEST but looks like Combofix didn't like it.

Are you still getting a lot of fan noise & slowness?  I'm hoping aswmbr's Fix may have done some good.

  • 0

#18
koolkat1939

    Member

  • Topic Starter
  • Member
  • 27 posts

It helped after you got rid of RAIDTEST but if I uncheck "Display pointer trails" my mouse will freeze and I still have fan issues.


  • 0

#19
RKinner


    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Can you make a new Process Explorer log and post it?

Do you still have the same problems in Safe Mode with Networking?

(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly.  Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking.  Login with your usual login.)

  • 0

#20
koolkat1939

    Member

  • Topic Starter
  • Member
  • 27 posts

My mouse will work in Safe Mode but the fan will run if I try using an Anti-virus scan. I forgot how to do the Process Explorer log. Do you want the log while I am in Safe Mode with Networking?


Edited by koolkat1939, 04 August 2016 - 03:55 PM.

  • 0

#21
RKinner


    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Get Process Explorer

Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures

Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a full minute then:

File, Save As, Save. Note the file name. Open the file on your desktop and copy and paste the text to a reply.

Let's do a log in both.

  • 0

#22
koolkat1939

    Member

  • Topic Starter
  • Member
  • 27 posts

OK

:yes: Process Explorer log in Normal mode:

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name    VirusTotal    Verified Signer
System Idle Process    65.28    0 K    28 K    0                
PSUAMain.exe    15.28    16,216 K    9,076 K    2492    AV Console    Panda Security, S.L.        (Verified) Panda Security S.L
Interrupts    12.50    0 K    0 K    n/a    Hardware Interrupts and DPCs            
PSUAService.exe    4.17    12,932 K    1,988 K    1708    PSUAService    Panda Security, S.L.        (Verified) Panda Security S.L
svchost.exe    1.39    17,256 K    27,048 K    636    Generic Host Process for Win32 Services    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
procexp.exe    1.39    13,108 K    18,948 K    2840    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com        (Verified) Microsoft Corporation
zatray.exe        48,612 K    22,544 K    3060    ZoneAlarm    Check Point Software Technologies Ltd.        (Verified) Check Point Software Technologies Ltd.
ZAPrivacyService.exe        18,220 K    18,124 K    620    ZAPrivacyService    Check Point Software Technologies, Ltd.        (Verified) Check Point Software Technologies Ltd.
wmiprvse.exe        2,604 K    6,868 K    3756    WMI    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
wmiprvse.exe        2,040 K    5,300 K    3872    WMI    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
winlogon.exe        6,348 K    4,352 K    148    Windows NT Logon Application    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
vsmon.exe        24,004 K    24,864 K    1256    ZoneAlarm    Check Point Software Technologies Ltd.        (Verified) Check Point Software Technologies Ltd.
uphclean.exe        588 K    1,348 K    2020    User Profile Hive Cleanup Service    Windows ® Codename Longhorn DDK provider        (No signature was present in the subject) Windows ® Codename Longhorn DDK provider
unsecapp.exe        1,304 K    4,184 K    3672    WMI    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
System        0 K    272 K    4                
svchost.exe        3,080 K    5,008 K    428    Generic Host Process for Win32 Services    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
svchost.exe        1,800 K    4,328 K    488    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        1,292 K    3,604 K    748    Generic Host Process for Win32 Services    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
svchost.exe        3,840 K    5,952 K    1008    Generic Host Process for Win32 Services    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
svchost.exe        1,372 K    3,600 K    336    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        1,532 K    3,468 K    3356    Generic Host Process for Win32 Services    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
spoolsv.exe        3,408 K    5,016 K    1856    Spooler SubSystem App    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
smss.exe        172 K    432 K    1964    Windows NT Session Manager    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
services.exe        1,844 K    21,116 K    160    Services and Controller app    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
rundll32.exe        2,004 K    3,048 K    3912    Run a DLL as an App    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
RTHDCPL.EXE        18,672 K    22,660 K    3880    Realtek HD Audio Control Panel    Realtek Semiconductor Corp.        (Verified) Microsoft Windows Hardware Compatibility Publisher
readericon45G.exe        1,876 K    3,072 K    2292    Sunkist    Alcor Micro, Corp.        (No signature was present in the subject) Alcor Micro, Corp.
PSANHost.exe        103,348 K    11,948 K    1628    Application Host Service    Panda Security, S.L.        (Verified) Panda Security S.L
PDVDServ.exe        856 K    3,156 K    2240    PowerDVD RC Service    Cyberlink Corp.        (No signature was present in the subject) Cyberlink Corp.
nvsvc32.exe        2,068 K    3,656 K    1656    NVIDIA Driver Helper Service, Version 81.33    NVIDIA Corporation        (Verified) Microsoft Windows Hardware Compatibility Publisher
mbae-svc.exe        9,260 K    12,492 K    1268    Malwarebytes Anti-Exploit Service    Malwarebytes Corporation        (Verified) Malwarebytes Corporation
mbae.exe        8,112 K    11,924 K    1660    Malwarebytes Anti-Exploit    Malwarebytes Corporation        (Verified) Malwarebytes Corporation
lsass.exe        4,012 K    6,644 K    228    LSA Shell (Export Version)    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
explorer.exe        13,380 K    21,548 K    1396    Windows Explorer    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
csrss.exe        1,924 K    3,964 K    2036    Client Server Runtime Process    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
CCleaner.exe        9,148 K    7,420 K    1600    CCleaner    Piriform Ltd        (Verified) Piriform Ltd
BDAntiRansomware.exe        17,532 K    22,652 K    2968                (Verified) Bitdefender SRL
alg.exe        1,172 K    3,616 K    3532    Application Layer Gateway Service    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
AgentSvc.exe        11,348 K    15,432 K    1676    Agent Service    Panda Security, S.L.        (Verified) Panda Security S.L
 

 

 

------------------------------------------------------------------------------------------------------

:yes: Process Explorer log in Safe Mode with Networking:

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name    VirusTotal    Verified Signer
System Idle Process    100.00    0 K    16 K    0                
Interrupts    < 0.01    0 K    0 K    n/a    Hardware Interrupts and DPCs            
wmiprvse.exe        1,864 K    4,960 K    1784    WMI    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
winlogon.exe        3,288 K    2,052 K    848    Windows NT Logon Application    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
vsmon.exe        22,956 K    23,528 K    1624    ZoneAlarm    Check Point Software Technologies Ltd.        (Verified) Check Point Software Technologies Ltd.
System        0 K    212 K    4                
svchost.exe        2,992 K    4,864 K    1060    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        1,644 K    4,172 K    1128    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        10,648 K    17,104 K    1344    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        1,288 K    3,568 K    1364    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        1,068 K    2,964 K    1480    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
smss.exe        168 K    416 K    740    Windows NT Session Manager    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
services.exe        1,696 K    20,912 K    892    Services and Controller app    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
PSUAService.exe        12,700 K    244 K    784    PSUAService    Panda Security, S.L.        (Verified) Panda Security S.L
PSANHost.exe        84,020 K    9,520 K    624    Application Host Service    Panda Security, S.L.        (Verified) Panda Security S.L
procexp.exe        15,468 K    21,808 K    688    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com        (Verified) Microsoft Corporation
notepad.exe        924 K    336 K    640    Notepad    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
lsass.exe        2,144 K    1,248 K    904    LSA Shell (Export Version)    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
explorer.exe        12,664 K    19,620 K    1764    Windows Explorer    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
csrss.exe        1,608 K    3,360 K    824    Client Server Runtime Process    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
 


  • 0

#23
RKinner


    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

The normal mode has this:

Interrupts    12.50    0 K    0 K    n/a    Hardware Interrupts and DPCs

That's pretty bad. Anything over 1.5% slows the CPU a lot more than you would think.

In Safe Mode things are really nice:

System Idle Process    100.00    0 K    16 K    0
Interrupts    < 0.01    0 K    0 K    n/a    Hardware Interrupts and DPCs

Start Run, msconfig, OK
Go to Services tab and click on the box to hide Microsoft Services then uncheck everything that remains. Go to Startup tab and uncheck everything. OK and reboot. If it doesn't run faster then go back into msconfig and recheck the things you turned off. If it helps then go back and turn on a few items each time until you find the culprit.

Will take a while but if you look at Process Explorer each time you can get a quick reading on if it helped or not.

  • 0
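As an added example (not code from the thread or from Sysinternals), the Python below parses a Process Explorer File > Save As export in the column layout posted above and applies the two checks the helper made by eye: the Interrupts share against the 1.5% figure quoted in this post, and which images lack a verified signature, then compares a normal-mode log with a Safe Mode log. The sample logs are constructed from rows of the two logs in the thread and assume the export is read as text.

```python
import csv
import io
from typing import Dict, List, Optional

# Threshold quoted in the thread: interrupt/DPC time above this share of CPU
# makes the machine feel far slower than the number suggests.
INTERRUPT_CPU_THRESHOLD = 1.5

# Pseudo-processes with no image on disk, hence nothing to sign.
PSEUDO_PROCESSES = {"System Idle Process", "System", "Interrupts"}

# Constructed sample logs in the tab-separated layout Process Explorer writes
# with File > Save As; the rows are a subset of the two logs posted above.
_HEADER = ["Process", "CPU", "Private Bytes", "Working Set", "PID",
           "Description", "Company Name", "VirusTotal", "Verified Signer"]
_NORMAL_ROWS = [
    ["System Idle Process", "65.28", "0 K", "28 K", "0", "", "", "", ""],
    ["PSUAMain.exe", "15.28", "16,216 K", "9,076 K", "2492", "AV Console",
     "Panda Security, S.L.", "", "(Verified) Panda Security S.L"],
    ["Interrupts", "12.50", "0 K", "0 K", "n/a",
     "Hardware Interrupts and DPCs", "", "", ""],
    ["svchost.exe", "1.39", "17,256 K", "27,048 K", "636",
     "Generic Host Process for Win32 Services", "Microsoft Corporation", "",
     "(No signature was present in the subject) Microsoft Corporation"],
    ["uphclean.exe", "", "588 K", "1,348 K", "2020",
     "User Profile Hive Cleanup Service", "Windows Codename Longhorn DDK provider",
     "", "(No signature was present in the subject) Windows Codename Longhorn DDK provider"],
]
_SAFE_ROWS = [
    ["System Idle Process", "100.00", "0 K", "16 K", "0", "", "", "", ""],
    ["Interrupts", "< 0.01", "0 K", "0 K", "n/a",
     "Hardware Interrupts and DPCs", "", "", ""],
]

def _to_log(rows: List[List[str]]) -> str:
    return "\n".join("\t".join(r) for r in [_HEADER] + rows) + "\n"

NORMAL_MODE_LOG = _to_log(_NORMAL_ROWS)
SAFE_MODE_LOG = _to_log(_SAFE_ROWS)

def parse_cpu(text: str) -> Optional[float]:
    """CPU column -> percent; blank (no measurable CPU) -> None, '< 0.01' -> 0.0."""
    text = text.strip()
    if not text:
        return None
    if text.startswith("<"):
        return 0.0
    try:
        return float(text)
    except ValueError:
        return None

def parse_procexp_log(text: str) -> List[Dict[str, str]]:
    """Read the tab-separated export into one dict per process row."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", restval="")
    return [dict(row) for row in reader]

def interrupt_share(rows: List[Dict[str, str]]) -> float:
    """CPU share of the 'Interrupts' pseudo-process (hardware interrupts and DPCs)."""
    for row in rows:
        if row["Process"] == "Interrupts":
            return parse_cpu(row["CPU"]) or 0.0
    return 0.0

def unverified_processes(rows: List[Dict[str, str]]) -> List[str]:
    """Images whose signature did not verify. On XP many Microsoft binaries report
    'No signature was present', so this is a list to check by hash, not a verdict."""
    flagged = []
    for row in rows:
        name = row["Process"]
        if (name and name not in PSEUDO_PROCESSES
                and not row.get("Verified Signer", "").startswith("(Verified)")):
            flagged.append(name)
    return flagged

def top_cpu(rows: List[Dict[str, str]], n: int = 3):
    """Busiest entries excluding the idle process: the CPU column sorted
    with the big hitters at the top, as the thread asks for."""
    scored = [(r["Process"], parse_cpu(r["CPU"])) for r in rows
              if r["Process"] != "System Idle Process"]
    return sorted([s for s in scored if s[1] is not None],
                  key=lambda s: s[1], reverse=True)[:n]

def triage(text: str) -> Dict[str, object]:
    """Summarise one saved log the way the helper read it in the thread."""
    rows = parse_procexp_log(text)
    share = interrupt_share(rows)
    return {"interrupt_cpu": share,
            "interrupts_high": share > INTERRUPT_CPU_THRESHOLD,
            "top_cpu": top_cpu(rows),
            "unverified": unverified_processes(rows)}

def suspect_driver_or_startup(normal_text: str, safe_text: str) -> bool:
    """True when the interrupt load seen in normal mode disappears in Safe
    Mode, which points at a driver or startup item rather than the hardware."""
    return (bool(triage(normal_text)["interrupts_high"])
            and not triage(safe_text)["interrupts_high"])
```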

#24
koolkat1939

    Member

  • Topic Starter
  • Member
  • 27 posts

:upset: Yah I did what you said but not much difference. I suspect that the Virus\Malware is disguised or patched as a legitimate file. Looks like I'm going to have to buy a new burner and do a full reinstall of my OS. :yes: Thanks for your help. OH can you show me how to clean up these tools and logs?


Edited by koolkat1939, 04 August 2016 - 06:34 PM.

  • 0

#25
RKinner


    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Since we ran Combofix:
To uninstall combofix, copy the next line:

"c:\documents and settings\Owner\Desktop\ComboFix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

Speccy you just uninstall and delete its log.

Process Explorer and VEW just delete and also delete their logs.

FRST we cleanup with Delfix. This removes our tools and their logs and quarantines and also removes all but the latest System Restore point so there is no chance of the malware coming back with a system restore. Delfix has been a tad too aggressive recently and seems to dislike pdf files in the Downloads folder so if you have any you should move them to a different folder before running Delfix.

Ensure Remove disinfection tools is ticked
Also tick:
Create registry backup
Purge system restore

Click Run
The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply

  • 0


#26
koolkat1939

    Member

  • Topic Starter
  • Member
  • 27 posts

:yes: Thanks for your help. Do I uninstall UPHClean or do I just leave it?

Delfix log:

# DelFix v1.013 - Logfile created 05/08/2016 at 07:18:04
# Updated 17/04/2016 by Xplode
# Username : Owner - YOUR-CF6AE05ECC
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\32788R22FWJFW
Deleted : C:\Combofix
Deleted : C:\FRST
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.3.1.0.9_30.07.2016_08.56.43_log.txt
Deleted : C:\Documents and Settings\Owner\Desktop\Addition.txt
Deleted : C:\Documents and Settings\Owner\Desktop\aswmbr.exe
Deleted : C:\Documents and Settings\Owner\Desktop\aswMBR.txt
Deleted : C:\Documents and Settings\Owner\Desktop\Fixlog.txt
Deleted : C:\Documents and Settings\Owner\Desktop\FRST.exe
Deleted : C:\Documents and Settings\Owner\Desktop\FRST.txt
Deleted : C:\Documents and Settings\Owner\Desktop\MBR.dat
Deleted : C:\Documents and Settings\Owner\Desktop\TDSSKiller.3.1.0.9_30.07.2016_08.56.43_log.txt
Deleted : C:\Documents and Settings\Owner\Desktop\tdsskiller.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...


New restore point created !

########## - EOF - ##########
 


  • 0

#27
RKinner


    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Leave UPHClean. It's a fix for Microsoft's mistake.

There is one thing we haven't tried:

Download Save and Run the program

You can go through the drivers section and see if there are some you can temporarily live without. Uncheck them then reboot and see if Process Explorer looks better.

  • 0

#28
koolkat1939

    Member

  • Topic Starter
  • Member
  • 27 posts

:no: I ran autoruns and selected the Drivers tab. There was something in red [not verified] called ASCTRM. I unchecked it and no difference. I looked up the Driver and it's part of the Real Player. Oh well thanks for your help.


  • 0





