Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

back door trojan/worm in 2 computers. resets arent working

trojan

  • Please log in to reply

#1
frustrated604

frustrated604

    New Member

  • Member
  • Pip
  • 7 posts

I have been fighting this for months. these are the scans I took almost immediately after my most recent reset. I really am not sure how it is persisting. I used my bios to format disk and without connecting I still had symptoms. I am scared to reboot because it fully reinstalls. I feel like there are multiple triggers but this is the cleanest I can get it without help. please advise

 

 

 

RogueKiller V12.11.8.0 (x64) [Jul 24 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.co...ad/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : d [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 08/01/2017 13:43:55 (Duration : 00:16:26)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVX-75V0TT0 +++++
--- User ---
[MBR] e3e5247fec49aa8f7c5a6cfd1500eb6e
[BSP] 82bf2d08dea6517322e3ae1982c2b704 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 476588 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 31-07-2017
Ran by d (01-08-2017 13:47:49)
Running from C:\Users\d\AppData\Local\Microsoft\Windows\INetCache\IE\SYUMA8ML
Windows 8.1 (Update) (X64) (2017-08-01 15:32:17)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1767307679-248002309-4077378662-500 - Administrator - Disabled)
d (S-1-5-21-1767307679-248002309-4077378662-1001 - Administrator - Enabled) => C:\Users\d
Guest (S-1-5-21-1767307679-248002309-4077378662-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: ESET NOD32 Antivirus (Enabled - Up to date) {EC1D6F37-E411-475A-DF50-12FF7FE4AC70}
AS: ESET NOD32 Antivirus (Enabled - Up to date) {577C8ED3-C22B-48D4-E5E0-298D0463E6CD}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ESET NOD32 Antivirus (HKLM\...\{3B4AB7BA-0734-4547-9604-3FCC40873B3D}) (Version: 10.1.219.0 - ESET, spol. s r.o.)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4264 - Intel Corporation)
RogueKiller version 12.11.8.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.11.8.0 - Adlice Software)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1767307679-248002309-4077378662-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
ContextMenuHandlers1: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2017-06-13] (ESET)
ContextMenuHandlers2: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2017-06-13] (ESET)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2015-08-09] (Intel Corporation)
ContextMenuHandlers6: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2017-06-13] (ESET)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {28D1C1B0-A927-4C9E-A857-A3F306AA078E} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2015-08-09 04:50 - 2015-08-09 04:50 - 000404376 _____ () C:\Windows\system32\igfxTray.exe
2017-08-01 13:43 - 2017-07-24 14:22 - 026543176 _____ () C:\Program Files\RogueKiller\RogueKiller64.exe

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2013-08-22 06:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1767307679-248002309-4077378662-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.42.129
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

01-08-2017 13:46:06 Windows Update

==================== Faulty Device Manager Devices =============

Name: Network Controller
Description: Network Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: USB2.0-CRW
Description: USB2.0-CRW
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (08/01/2017 01:36:01 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: tkuhjhng)
Description: Package winstore_1.0.0.0_neutral_neutral_cw5n1h2txyewy+Windows.Store was terminated because it took too long to suspend.

Error: (08/01/2017 06:52:07 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: tkuhjhng)
Description: Package winstore_1.0.0.0_neutral_neutral_cw5n1h2txyewy+Windows.Store was terminated because it took too long to suspend.

Error: (08/01/2017 08:51:38 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c7c00280-b24d-4e82-89ca-4f1288eb1d9e;NotificationInterval=1440;Trigger=NetworkAvailable

Error: (08/01/2017 08:51:37 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e

Error: (08/01/2017 08:51:37 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7

Error: (08/01/2017 08:51:37 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e

Error: (08/01/2017 08:51:37 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7

Error: (08/01/2017 08:33:47 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c7c00280-b24d-4e82-89ca-4f1288eb1d9e;NotificationInterval=1440;Trigger=TimerEvent

Error: (08/01/2017 08:33:47 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e

Error: (08/01/2017 08:33:47 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7

System errors:
=============
Error: (08/01/2017 01:33:40 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Intel® Content Protection HECI Service service terminated with the following error:
%%2147942659 = No more data is available.

Error: (08/01/2017 01:32:50 PM) (Source: DCOM) (EventID: 10010) (User: tkuhjhng)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.

Error: (08/01/2017 01:32:50 PM) (Source: DCOM) (EventID: 10010) (User: tkuhjhng)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.

Error: (08/01/2017 07:32:41 AM) (Source: DCOM) (EventID: 10010) (User: tkuhjhng)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.

Error: (08/01/2017 07:32:41 AM) (Source: DCOM) (EventID: 10010) (User: tkuhjhng)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.

Error: (08/01/2017 07:32:41 AM) (Source: DCOM) (EventID: 10010) (User: tkuhjhng)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.

Error: (08/01/2017 08:28:16 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {A47979D2-C419-11D9-A5B4-001185AD2B89} did not register with DCOM within the required timeout.

Error: (08/01/2017 08:26:16 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error:
The device is not ready.

Error: (08/01/2017 08:26:08 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The IP Helper service terminated with the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (08/01/2017 08:25:05 AM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!

==================== Memory info ===========================

Processor: Intel® Pentium® 3558U @ 1.70GHz
Percentage of memory in use: 31%
Total physical RAM: 8096.02 MB
Available physical RAM: 5509.65 MB
Total Virtual: 10016.02 MB
Available Virtual: 8262.23 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.42 GB) (Free:446.68 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 91BF7A00)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.4 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

+++++ PhysicalDrive0: WDC WD5000LPVX-75V0TT0 +++++
--- User ---
[MBR] e3e5247fec49aa8f7c5a6cfd1500eb6e
[BSP] 82bf2d08dea6517322e3ae1982c2b704 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 476588 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 

 

 

 

malwarebytes anti rootkit beta v1.09.3.1001 said I am clean


  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP

Need the FRST log.

 

What exactly are you seeing for symptoms?


  • 0

#3
frustrated604

frustrated604

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

Need the FRST log.

 

What exactly are you seeing for symptoms?

 

<script src="/cdn-cgi/apps/head/WF48Gl3PKYxHrReiZymeg1SEI3M.js"></script>

 

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-07-2017
Ran by d (administrator) on TKUHJHNG (01-08-2017 13:46:55)
Running from C:\Users\d\AppData\Local\Microsoft\Windows\INetCache\IE\SYUMA8ML
Loaded Profiles: d (Available Profiles: d)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ESET) C:\Program Files\ESET\ESET Security\ekrn.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
() C:\Windows\System32\igfxTray.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(ESET) C:\Program Files\ESET\ESET Security\egui.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
() C:\Program Files\RogueKiller\RogueKiller64.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17246_none_fa4ae8e99b1f603c\TiWorker.exe
(Microsoft Corporation) C:\Windows\System32\SrTasks.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{CF41B4CB-BF0D-4FCD-9B79-6EA4A63347C2}: [DhcpNameServer] 192.168.42.129

Internet Explorer:
==================
HKU\S-1-5-21-1767307679-248002309-4077378662-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-ca/?ocid=iehp

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ekrn; C:\Program Files\ESET\ESET Security\ekrn.exe [2625368 2017-06-13] (ESET)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [355232 2015-08-09] (Intel Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347880 2014-11-21] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-11-21] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-24] (OSR Open Systems Resources, Inc.)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [132824 2017-06-22] (ESET)
R0 edevmon; C:\Windows\System32\DRIVERS\edevmon.sys [107344 2017-05-04] (ESET)
S0 eelam; C:\Windows\System32\DRIVERS\eelam.sys [14880 2017-05-04] (ESET)
R1 ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [178056 2017-05-04] (ESET)
R1 epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys [77224 2017-05-04] (ESET)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-08-01] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [35856 2014-11-21] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [257880 2014-11-21] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123224 2014-11-21] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-01 13:45 - 2017-08-01 13:46 - 000195602 _____ C:\TDSSKiller.3.1.0.15_01.08.2017_13.45.02_log.txt
2017-08-01 13:43 - 2017-08-01 13:43 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-08-01 13:43 - 2017-08-01 13:43 - 000000870 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-08-01 13:43 - 2017-08-01 13:43 - 000000000 ____D C:\ProgramData\RogueKiller
2017-08-01 13:43 - 2017-08-01 13:43 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-08-01 13:43 - 2017-08-01 13:43 - 000000000 ____D C:\Program Files\RogueKiller
2017-08-01 13:41 - 2017-08-01 13:46 - 000000000 ____D C:\FRST
2017-08-01 13:33 - 2017-08-01 13:33 - 000000401 _____ C:\Windows\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
2017-08-01 13:33 - 2017-08-01 13:33 - 000000000 __SHD C:\Users\d\IntelGraphicsProfiles
2017-08-01 09:24 - 2017-08-01 08:32 - 000000000 ____D C:\Windows\Panther
2017-08-01 08:50 - 2017-08-01 08:50 - 000000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2017-08-01 08:38 - 2017-08-01 13:38 - 000003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1767307679-248002309-4077378662-1001
2017-08-01 08:33 - 2017-08-01 08:33 - 000000000 ____D C:\Windows\System32\Tasks\WPD
2017-08-01 08:32 - 2017-08-01 13:33 - 000000000 ____D C:\Users\d
2017-08-01 08:32 - 2017-08-01 08:33 - 000000000 ____D C:\Users\d\AppData\Local\Packages
2017-08-01 08:32 - 2017-08-01 08:32 - 000001442 _____ C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-08-01 08:32 - 2017-08-01 08:32 - 000000020 ___SH C:\Users\d\ntuser.ini
2017-08-01 08:32 - 2017-08-01 08:32 - 000000000 ____D C:\Users\d\AppData\Roaming\Adobe
2017-08-01 08:32 - 2017-08-01 08:32 - 000000000 ____D C:\Users\d\AppData\Local\VirtualStore
2017-08-01 08:32 - 2014-11-21 01:52 - 000000369 _____ C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2017-08-01 08:32 - 2014-11-21 01:52 - 000000369 _____ C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2017-08-01 07:10 - 2017-08-01 13:33 - 000000000 ____D C:\Intel
2017-08-01 07:10 - 2017-08-01 07:10 - 000000000 ____D C:\Program Files\Intel
2017-08-01 07:10 - 2017-08-01 07:10 - 000000000 ____D C:\Program Files (x86)\Intel
2017-08-01 07:10 - 2015-08-09 04:50 - 000096752 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.DLL
2017-08-01 07:10 - 2015-08-09 04:50 - 000092648 _____ (Khronos Group) C:\Windows\system32\OpenCL.DLL
2017-08-01 07:06 - 2017-08-01 07:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2017-08-01 07:06 - 2017-08-01 07:06 - 000000000 ____D C:\ProgramData\ESET
2017-08-01 07:06 - 2017-08-01 07:06 - 000000000 ____D C:\Program Files\ESET
2017-08-01 06:55 - 2017-08-01 06:55 - 000000000 ____D C:\Users\d\AppData\Roaming\Macromedia
2017-08-01 06:54 - 2017-08-01 13:39 - 000003910 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{505BB6CA-0CF9-4E9A-BB5A-F5873DBE5530}
2017-08-01 06:54 - 2017-08-01 06:54 - 000000000 __SHD C:\Users\d\AppData\LocalLow\EmieUserList
2017-08-01 06:54 - 2017-08-01 06:54 - 000000000 __SHD C:\Users\d\AppData\LocalLow\EmieBrowserModeList
2017-08-01 06:54 - 2017-08-01 06:54 - 000000000 __SHD C:\Users\d\AppData\Local\EmieUserList
2017-08-01 06:54 - 2017-08-01 06:54 - 000000000 __SHD C:\Users\d\AppData\Local\EmieSiteList
2017-08-01 06:54 - 2017-08-01 06:54 - 000000000 __SHD C:\Users\d\AppData\Local\EmieBrowserModeList
2017-08-01 06:53 - 2017-08-01 06:54 - 000000000 __SHD C:\Users\d\AppData\LocalLow\EmieSiteList

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-01 13:47 - 2013-08-22 08:20 - 000000000 ____D C:\Windows\CbsTemp
2017-08-01 13:46 - 2013-08-22 06:36 - 000000000 ____D C:\Windows\system32\AdvancedInstallers
2017-08-01 13:37 - 2014-11-21 01:44 - 000818732 _____ C:\Windows\system32\PerfStringBackup.INI
2017-08-01 13:37 - 2013-08-22 06:36 - 000000000 ____D C:\Windows\Inf
2017-08-01 13:33 - 2013-08-22 07:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-01 13:32 - 2013-08-22 06:25 - 000262144 ___SH C:\Windows\system32\config\BBI
2017-08-01 09:19 - 2013-08-22 08:36 - 000262144 _____ C:\Windows\system32\config\BCD-Template
2017-08-01 08:40 - 2013-08-22 08:36 - 000000000 ____D C:\Windows\AppReadiness
2017-08-01 08:33 - 2013-08-22 08:36 - 000000000 ___HD C:\Program Files\WindowsApps
2017-08-01 08:33 - 2013-08-22 08:36 - 000000000 ____D C:\Windows\rescache
2017-08-01 07:06 - 2013-08-22 08:36 - 000000000 ___HD C:\Windows\ELAMBKUP

Some files in TEMP:
====================
2017-08-01 13:43 - 2014-11-21 02:15 - 001733952 _____ (Microsoft Corporation) C:\Users\d\AppData\Local\Temp\dllnt_dump.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-08-01 08:25

==================== End of FRST.txt ============================

 

 

 

 

 

 

sorry thought I added the file.

 

symptoms are redirects. random shutdowns. poor performance. hidden drives with partitions that are unable to be accessed one was labelled "." and another ".." no uefi boot access. I have saved a bunch of hidden log data to a USB that I have but I don't even want to insert it for fear of reinstalling it again.  but as far as I can tell my ACL is very altered and there is remote access to my system despite me disabling it.

 

when trying to access some files I get access denied so I run the powershell scripts to grant access but despite help from more knowledgeable people and 100 hours of non interactive research I am unable to get past that. in the registry I see users that should  not be on there. The same ones are not present in the results I just posted because as I said I just reset.

 

I am unable to get  updates through from  windows. my firewall has been altered and I get denied access. I should say that the scan results I just posted are way cleaner than before the reset but if I reboot they will be far worse (I have done this many times)

 

as for the results I did post I have only downloaded the antimalware software. I did dot update intentionally from windows and I did not even activate windows after the reset. when I reset the system I used the bios to format the disk. I did it several times by adding partition/formatting/extending/formatting and then repeating. there is still my personal information and settings in the newly installed OS. this is before I even connected it.

 

I believe that one or more of the drivers is suspect so I don't even want to install them until I know they are legit. his particular reinstall I did by microsoft's official usb 8.1 bootable recovery download. it gave me a build 9600 to start. not sure if that is normal but  when I had it before that 9600 stayed until I phone activated the install. this time it started at 9600 and without activating it is now gone.

 

I have an installed Intel graphics driver listed in as an installed program (version 10.18.14.4264) which wasn't registering immediately after the install but it is there now. maybe ESET brought it in but I am not sure. I have not connected to anything other than my IE browser to download or run the scanners you see in my results and to this forum. I have  not created any other user or adjusted any permissions other that to grant ESET privileges.

 

I don't know who the user "tkuhjhng" is. in my earlier attempts I hit one wrong button and the computer would start working real hard for 2-3 min and then I notices subtle changes in fonts/webpage layouts and even the bios has different options and  layout if I stop the first load after post but before the first boot.

 

like I say I have a pile of log data on a usb but it isn't all relevant and I I want to start looking through it again it is like a minefield. I would open a .txt file and a browser would pop up of it would send me an error message like no certificate is chosen to be installed (or something similar).

 

now I know that some of the symptoms I described can be explained and are not abnormal. I don't want  you to think I don't understand how to format or what an acl batch file is. I include them in the info because they are sometimes triggers. I am not sure if I am supposed to have windows updates already installed without activating but I have 33 thee most recent being (KB3020370).

 

I can try and get some more of that log info. I may have to reset again but I am ok with that at this point.

 

Here is the best part....it is in my kids new computer too!

 

btw.. some of the weird things I saw and may be in the USB I have are things that refer to Bluetooth and (BLE) also very strange to me was a reference to the MBR being on the RAM. that was totally throwing me off so I was researching how  to format that too but the best I came up with for an ide was to run the EPSA diagnostics on it before I installed and after I formatted.i ran the thorough test on the whole system and then did the RAM and HD two more times before I installed. Like I said this is as clean as its been in months. weird weird stuff that I am hoping I can explain and even more weird stuff that I don't even want to post cuz you will think I am sitting in my bunker with tinfoil over my head talking about conspiracies.

 

I have to admit...despite the frustration the whole thinks  is pretty amazing.

 

ask me whatever else and Ill do my best


  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP

tkuhjhng appears to be the name of your computer and not a user.  See if you can change it:

 

https://www.eightfor...indows-8-a.html

 

I don't see any malware now but let's look and see if something is slowing it down:

 

Get Process Explorer
 
Save it to your desktop then run it (Vista or Win7+ - right click and Run As Administrator).  
 
View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures
 
 
Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  
 
Wait a full minute then:
 
File, Save As, Save.  Note the file name.   Open the file  on your desktop and copy and paste the text to a reply.
 
 
 
 
 
Get the free version of Speccy:
 
http://www.filehippo...download_speccy (Look in the upper right for the Download
Latest Version button  - Do NOT press the large Start Download button on the upper left!)  
Download, Save and Install it.  Tell it you do not need CCLEANER.    Run Speccy.  When it finishes (the little icon in the bottom left will stop moving), 
File, Save as Text File,  (to your desktop) note the name it gives. OK.  Open the file in notepad and delete the line that gives the serial number of your Operating System.  
(It will be near the top,  10-20  lines down.) Save the file.  Attach the file to your next post.  Attaching the log is the best option as it is too big for the forum.  Attaching is a multi step process.
 
First click on More Reply Options
Then scroll down to where you see
Choose File and click on it.  Point it at the file and hit Open.
Now click on Attach this file.

  • 0

#5
frustrated604

frustrated604

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
OK I will do that PDQ. Thank you for your help so far. I had speccy in before. I am curious about the meaning of the hxxp when referring to my IE link.

Just at dinner but I'll get to it right away after
  • 0

#6
frustrated604

frustrated604

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
ok here it is. so as for the name of my cptr....my computer just randomly named itself after a weapon I never heard of?

"I should edit this as I probably just hit rando letters as I was going to change it again."

Attached Files


Edited by frustrated604, 01 August 2017 - 09:17 PM.

  • 0

#7
frustrated604

frustrated604

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Please excuse my not following your directions in order. My son jumped in there while I was out. He is eager as well but will not intervene again. New post with correct order in 5 min
  • 0

#8
frustrated604

frustrated604

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

Process CPU Private Bytes Working Set PID Verified Signer
iexplore.exe 11.70 386,172 K 525,160 K 1236 (Verified) Microsoft Corporation
procexp64.exe 5.53 16,884 K 38,092 K 6532 (Verified) Microsoft Corporation
iexplore.exe 1.21 61,996 K 247,656 K 2936 
explorer.exe 0.66 65,944 K 430,952 K 1344 (Verified) Microsoft Windows
Speccy64.exe 0.42 12,336 K 35,264 K 6928 
TabTip.exe 0.34 2,852 K 68,992 K 2628 
FRST64.exe 0.26 24,016 K 160,728 K 1964 
iexplore.exe 0.07 143,852 K 339,548 K 1880 (Verified) Microsoft Corporation
iexplore.exe 0.06 78,996 K 108,472 K 2088 (Verified) Microsoft Corporation
iexplore.exe 0.03 45,384 K 70,680 K 2616 
iexplore.exe 0.02 27,344 K 199,704 K 3036 (Verified) Microsoft Corporation
RuntimeBroker.exe 0.01 2,116 K 34,368 K 2888 (Verified) Microsoft Windows
iexplore.exe 0.01 12,732 K 165,200 K 2932 
iexplore.exe < 0.01 110,120 K 299,912 K 2912 (Verified) Microsoft Corporation
egui.exe < 0.01 19,548 K 32,664 K 2528 (Verified) ESET
iexplore.exe < 0.01 56,980 K 222,212 K 1740 (Verified) Microsoft Corporation
RogueKiller64.exe < 0.01 332,816 K 353,908 K 780 
WWAHost.exe Suspended 14,460 K 7,040 K 4884 (Verified) Microsoft Windows
taskhostex.exe  8,632 K 73,676 K 1320 (Verified) Microsoft Windows
TabTip32.exe  872 K 21,360 K 2684 
RuntimeBroker.exe  4,188 K 11,036 K 4688 (Verified) Microsoft Windows
rundll32.exe  3,780 K 108,588 K 1224 (Verified) Microsoft Windows
procexp.exe  2,256 K 7,112 K 6536 (Verified) Microsoft Corporation
notepad.exe  1,600 K 8,580 K 188 
notepad.exe  1,640 K 8,628 K 572 
notepad.exe  1,520 K 6,988 K 1776 
notepad.exe  1,552 K 7,416 K 4320 
notepad.exe  1,880 K 8,448 K 7016 (Verified) Microsoft Windows
mmc.exe  8,672 K 122,492 K 1960 
igfxTray.exe  3,132 K 69,460 K 1568 (Verified) Intel Corporation - pGFX
igfxHK.exe  2,916 K 48,648 K 1588 (Verified) Intel Corporation - pGFX
igfxEM.exe  3,432 K 72,744 K 2068 (Verified) Intel Corporation - pGFX
FlashUtil_ActiveX.exe  11,164 K 100,236 K 3872 (Verified) Microsoft Windows Third Party Application Component
conhost.exe  1,348 K 5,920 K 5072 
cmd.exe  1,488 K 2,336 K 5064 

 


  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP

The order does not matter this time.  I have deleted the second speccy log because the serial number was not removed.

 

Please do the Process Explorer log again.  Make sure you get all of it as it looks like several lines are missing.

 

Your speccy log shows IE is connecting to a lot of ad sites.  Try installing the adblock plus program:

 

https://adblockplus.org/

 

Your temps look OK for a notebook but Speccy is no longer trustworthy as far as temps go so let's get a second opinion

 

Run Speedfan to monitor your temps in real time:
 
 
 
 
Download, save and Install it (Win 7+ or Vista right click and Run As Admin.) then run it (Win 7+ or Vista right click and Run As Admin.).
 
It will tell you your temps in real time tho the default is to show the hard drive temp in the systray.  You can change it:  Hit Configure then click on the highest temp and check Show in Tray.
 
What is the highest temp shown when the PC is idle?  Run a video or an anti-virus scan and look at it again after 5 minutes.  What is the highest now?

  • 0

#10
frustrated604

frustrated604

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I am sorry about the delay. The system now is not letting me tether from my phone. I also had rogue killer detect a file with the detection code MalPE.43 file name wbengine.exe. c \windows\ system32 \ wbengine.exe VT score -2.

I am unable to run sfc and both speccy and process explorer are gone. I am trying to get the driver installed so I can download the two programs again.

On boot i am getting a pop up that says the recycle bin on drive c is corrupted. Do you want to empty the recycle bin for this drive

There is a hidden file called uninstall information but the permissions are set to access denied. I am getting other pop ups trying to get me to click for permissions but I don't trust them.

I tried to call Microsoft to verify if my install is even legit but when they asked for remote access to check the whole system rebooted twice and I never called back. I basically feel like resetting again but it clearly is not working.

I am afraid the best I could do so far was run a bunch of powershell diagnostics most of which are useless bUT some are interesting. I am going to try to put those in a file as well as try to figure out how to get this thing online.

I dI'd also save a couple of files where u ran process explorer and speccy. I will put toget her what I have shortly.

Again I am sorry about the delay.
  • 0

#11
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,028 posts
  • MVP

No problem with delays.  I don't keep track.

 

If Windows had problems loading your profile it might have given you a temp profile.  Then you wouldn't see files that were on your desktop or in your downloads,


  • 0






Similar Topics


Also tagged with one or more of these keywords: trojan

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP