Almost positive I have some sort of bot or hijack need expert help


  • This topic is locked
11 replies to this topic

#1 Kman4488

Kman4488

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:the boondocks
  • Local time:08:17 AM

Posted 12 February 2014 - 04:44 PM

I


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:17 PM

Posted 13 February 2014 - 09:12 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Proud Member of UNITE & TB

#3 Kman4488

Kman4488
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:the boondocks
  • Local time:08:17 AM

Posted 14 February 2014 - 06:22 PM

Sorry it took a little while to respond; I was having trouble connecting to my network. A couple of things before I post the FRST results and Gmer results. I had previously loaded some other tools before I posted this thread. I have installed Malwarebytes and Kaspersky TDSSKiller. Both previous scans came back clean. Also, I believe whatever is in my computer has spread to my whole local network, including iPad, iPhone, etc. My computer specs are as follows: ASUS K55N, AMD A8-4500M APU, AMD A70 chipset, 8GB memory, Hitachi 465GB HDD. This seems to be a very complex problem that has been able to evade all AV scans, firewall, and previous help I have received. I have reformatted and re-installed the OS and the infection / unknown still persists. Below are the FRST, Additional, and Gmer scans.

FRST

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-02-2014 01
Ran by ASUSADMINX2K (administrator) on ASUSXROM on 15-02-2014 04:50:03
Running from C:\Users\ASUSADMINX2K\Desktop
Windows 8 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:InPrivate
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) =================

S3 c2wts; C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe [5632 2012-07-25] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [15440 2012-07-25] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
U3 uftirpoc; \??\C:\Users\ASUSAD~1\AppData\Local\Temp\uftirpoc.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-02-15 04:50 - 2014-02-15 04:50 - 00002533 _____ () C:\Users\ASUSADMINX2K\Desktop\FRST.txt
2014-02-15 04:25 - 2014-02-15 04:25 - 00000117 _____ () C:\Windows\system32\netcfg-3314054.txt
2014-02-15 04:24 - 2014-02-15 04:24 - 00000156 _____ () C:\Windows\system32\netcfg-3233931.txt
2014-02-15 04:24 - 2014-02-15 04:24 - 00000117 _____ () C:\Windows\system32\netcfg-3257176.txt
2014-02-15 04:24 - 2014-02-15 04:24 - 00000117 _____ () C:\Windows\system32\netcfg-3252948.txt
2014-02-15 04:24 - 2014-02-15 04:24 - 00000117 _____ () C:\Windows\system32\netcfg-3249750.txt
2014-02-15 04:23 - 2014-02-15 04:24 - 00000156 _____ () C:\Windows\system32\netcfg-3188254.txt
2014-02-15 03:32 - 2014-02-15 03:32 - 00001430 _____ () C:\Users\ASUSADMINX2K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-02-15 03:31 - 2014-02-15 03:31 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2014-02-15 03:28 - 2014-02-15 03:28 - 00000000 ____D () C:\Program Files\Windows Identity Foundation
2014-02-15 03:28 - 2014-02-15 03:28 - 00000000 ____D () C:\Program Files\Reference Assemblies
2014-02-15 03:21 - 2014-02-15 03:28 - 00033477 _____ () C:\Windows\WindowsUpdate.log
2014-02-15 02:57 - 2014-02-15 04:50 - 00000000 ____D () C:\FRST
2014-02-15 02:57 - 2014-02-15 02:57 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-15 02:57 - 2014-02-15 02:57 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Roaming\Malwarebytes
2014-02-15 02:57 - 2014-02-15 02:57 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-15 02:57 - 2014-02-15 02:57 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-15 02:57 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-02-15 02:56 - 2014-02-14 13:53 - 00380416 _____ () C:\Users\ASUSADMINX2K\Desktop\y55ftnfl.exe
2014-02-14 19:13 - 2014-02-14 19:13 - 00001139 _____ () C:\Windows\system32\netcfg-33977.txt
2014-02-14 19:13 - 2014-02-14 19:13 - 00001135 _____ () C:\Windows\system32\netcfg-27846.txt
2014-02-14 19:13 - 2014-02-14 19:13 - 00000196 _____ () C:\Windows\system32\netcfg-30654.txt
2014-02-14 17:51 - 2014-02-14 18:06 - 00000000 ____D () C:\Windows\pss
2014-02-14 16:18 - 2014-02-14 16:18 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Roaming\Macromedia
2014-02-14 16:07 - 2014-02-14 16:07 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Local\Apps\2.0
2014-02-14 15:59 - 2014-02-15 03:47 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-402694911-136880857-4288082135-1001
2014-02-14 15:56 - 2014-02-14 15:56 - 00002166 _____ () C:\Users\ASUSADMINX2K\Documents\Default.rdp
2014-02-14 15:53 - 2014-02-15 03:23 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Local\Packages
2014-02-14 15:53 - 2014-02-14 15:53 - 00000000 ___RD () C:\Users\ASUSADMINX2K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-14 15:53 - 2014-02-14 15:53 - 00000000 ___RD () C:\Users\ASUSADMINX2K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-02-14 15:53 - 2014-02-14 15:53 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Roaming\Adobe
2014-02-14 15:53 - 2014-02-14 15:53 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Local\VirtualStore
2014-02-14 15:52 - 2014-02-14 15:53 - 00000000 ____D () C:\Users\ASUSADMINX2K
2014-02-14 15:52 - 2014-02-14 15:53 - 00000000 ____D () C:\ProgramData\PRICache
2014-02-14 15:52 - 2014-02-14 15:52 - 00000020 ___SH () C:\Users\ASUSADMINX2K\ntuser.ini
2014-02-14 15:52 - 2012-07-26 01:13 - 00000000 ___RD () C:\Users\ASUSADMINX2K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-02-14 15:52 - 2012-07-26 01:13 - 00000000 ___RD () C:\Users\ASUSADMINX2K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-02-14 15:52 - 2012-07-26 01:13 - 00000000 ___RD () C:\Users\ASUSADMINX2K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2014-02-14 15:52 - 2012-07-26 01:13 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-02-14 15:45 - 2014-02-14 15:45 - 00000185 _____ () C:\Windows\system32\netcfg-52291.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000164 _____ () C:\Windows\system32\netcfg-48594.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000161 _____ () C:\Windows\system32\netcfg-52026.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000160 _____ () C:\Windows\system32\netcfg-51667.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000160 _____ () C:\Windows\system32\netcfg-51012.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000160 _____ () C:\Windows\system32\netcfg-48282.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000159 _____ () C:\Windows\system32\netcfg-50684.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000157 _____ () C:\Windows\system32\netcfg-51246.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000157 _____ () C:\Windows\system32\netcfg-47502.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000150 _____ () C:\Windows\system32\netcfg-50419.txt
2014-02-14 15:44 - 2014-02-14 17:54 - 00000844 _____ () C:\Windows\PFRO.log
2014-02-14 15:44 - 2014-02-14 15:52 - 00000000 ____D () C:\Windows\Panther
2014-02-14 15:19 - 2014-02-14 15:20 - 00000156 _____ () C:\Windows\system32\netcfg-429735.txt
2014-02-14 14:00 - 2014-02-14 13:57 - 02152960 _____ (Farbar) C:\Users\ASUSADMINX2K\Desktop\FRST64.exe
2014-02-14 14:00 - 2014-02-14 13:54 - 00388608 _____ (Trend Micro Inc.) C:\Users\ASUSADMINX2K\Desktop\HijackThis.exe
2014-02-14 14:00 - 2014-02-14 13:51 - 10284816 _____ (Malwarebytes Corporation ) C:\Users\ASUSADMINX2K\Desktop\mbam-setup.exe
2014-02-14 14:00 - 2014-02-14 13:51 - 04122976 _____ (Kaspersky Lab ZAO) C:\Users\ASUSADMINX2K\Desktop\tdsskiller.exe

==================== One Month Modified Files and Folders =======

2014-02-15 04:50 - 2014-02-15 04:50 - 00002533 _____ () C:\Users\ASUSADMINX2K\Desktop\FRST.txt
2014-02-15 04:50 - 2014-02-15 02:57 - 00000000 ____D () C:\FRST
2014-02-15 04:25 - 2014-02-15 04:25 - 00000117 _____ () C:\Windows\system32\netcfg-3314054.txt
2014-02-15 04:24 - 2014-02-15 04:24 - 00000156 _____ () C:\Windows\system32\netcfg-3233931.txt
2014-02-15 04:24 - 2014-02-15 04:24 - 00000117 _____ () C:\Windows\system32\netcfg-3257176.txt
2014-02-15 04:24 - 2014-02-15 04:24 - 00000117 _____ () C:\Windows\system32\netcfg-3252948.txt
2014-02-15 04:24 - 2014-02-15 04:24 - 00000117 _____ () C:\Windows\system32\netcfg-3249750.txt
2014-02-15 04:24 - 2014-02-15 04:23 - 00000156 _____ () C:\Windows\system32\netcfg-3188254.txt
2014-02-15 04:18 - 2012-07-26 01:12 - 00000000 ____D () C:\Windows\system32\NDF
2014-02-15 04:00 - 2012-07-26 01:12 - 00000000 ____D () C:\Windows\system32\sru
2014-02-15 03:47 - 2014-02-14 15:59 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-402694911-136880857-4288082135-1001
2014-02-15 03:35 - 2012-07-26 00:28 - 00774148 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-15 03:32 - 2014-02-15 03:32 - 00001430 _____ () C:\Users\ASUSADMINX2K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-02-15 03:31 - 2014-02-15 03:31 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2014-02-15 03:31 - 2012-07-26 00:21 - 00012103 _____ () C:\Windows\setupact.log
2014-02-15 03:30 - 2012-07-26 00:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-15 03:28 - 2014-02-15 03:28 - 00000000 ____D () C:\Program Files\Windows Identity Foundation
2014-02-15 03:28 - 2014-02-15 03:28 - 00000000 ____D () C:\Program Files\Reference Assemblies
2014-02-15 03:28 - 2014-02-15 03:21 - 00033477 _____ () C:\Windows\WindowsUpdate.log
2014-02-15 03:28 - 2012-07-25 22:26 - 00262144 ___SH () C:\Windows\system32\config\BBI
2014-02-15 03:23 - 2014-02-14 15:53 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Local\Packages
2014-02-15 03:23 - 2012-07-26 01:12 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-02-15 02:57 - 2014-02-15 02:57 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-15 02:57 - 2014-02-15 02:57 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Roaming\Malwarebytes
2014-02-15 02:57 - 2014-02-15 02:57 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-15 02:57 - 2014-02-15 02:57 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-14 19:13 - 2014-02-14 19:13 - 00001139 _____ () C:\Windows\system32\netcfg-33977.txt
2014-02-14 19:13 - 2014-02-14 19:13 - 00001135 _____ () C:\Windows\system32\netcfg-27846.txt
2014-02-14 19:13 - 2014-02-14 19:13 - 00000196 _____ () C:\Windows\system32\netcfg-30654.txt
2014-02-14 18:06 - 2014-02-14 17:51 - 00000000 ____D () C:\Windows\pss
2014-02-14 17:54 - 2014-02-14 15:44 - 00000844 _____ () C:\Windows\PFRO.log
2014-02-14 16:27 - 2012-07-26 01:12 - 00000000 ____D () C:\Windows\system32\spool
2014-02-14 16:27 - 2012-07-26 01:12 - 00000000 ____D () C:\Windows\system32\setup
2014-02-14 16:27 - 2012-07-26 01:12 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-02-14 16:18 - 2014-02-14 16:18 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Roaming\Macromedia
2014-02-14 16:15 - 2012-07-26 01:12 - 00000000 ____D () C:\Windows\system32\restore
2014-02-14 16:07 - 2014-02-14 16:07 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Local\Apps\2.0
2014-02-14 15:56 - 2014-02-14 15:56 - 00002166 _____ () C:\Users\ASUSADMINX2K\Documents\Default.rdp
2014-02-14 15:53 - 2014-02-14 15:53 - 00000000 ___RD () C:\Users\ASUSADMINX2K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-14 15:53 - 2014-02-14 15:53 - 00000000 ___RD () C:\Users\ASUSADMINX2K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-02-14 15:53 - 2014-02-14 15:53 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Roaming\Adobe
2014-02-14 15:53 - 2014-02-14 15:53 - 00000000 ____D () C:\Users\ASUSADMINX2K\AppData\Local\VirtualStore
2014-02-14 15:53 - 2014-02-14 15:52 - 00000000 ____D () C:\Users\ASUSADMINX2K
2014-02-14 15:53 - 2014-02-14 15:52 - 00000000 ____D () C:\ProgramData\PRICache
2014-02-14 15:53 - 2012-07-26 01:12 - 00000000 ____D () C:\Windows\WinStore
2014-02-14 15:52 - 2014-02-14 15:52 - 00000020 ___SH () C:\Users\ASUSADMINX2K\ntuser.ini
2014-02-14 15:52 - 2014-02-14 15:44 - 00000000 ____D () C:\Windows\Panther
2014-02-14 15:52 - 2012-07-26 01:12 - 00000000 ___RD () C:\Windows\ImmersiveControlPanel
2014-02-14 15:48 - 2012-07-26 01:13 - 00001720 _____ () C:\Windows\DtcInstall.log
2014-02-14 15:45 - 2014-02-14 15:45 - 00000185 _____ () C:\Windows\system32\netcfg-52291.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000164 _____ () C:\Windows\system32\netcfg-48594.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000161 _____ () C:\Windows\system32\netcfg-52026.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000160 _____ () C:\Windows\system32\netcfg-51667.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000160 _____ () C:\Windows\system32\netcfg-51012.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000160 _____ () C:\Windows\system32\netcfg-48282.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000159 _____ () C:\Windows\system32\netcfg-50684.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000157 _____ () C:\Windows\system32\netcfg-51246.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000157 _____ () C:\Windows\system32\netcfg-47502.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000150 _____ () C:\Windows\system32\netcfg-50419.txt
2014-02-14 15:20 - 2014-02-14 15:19 - 00000156 _____ () C:\Windows\system32\netcfg-429735.txt
2014-02-14 13:57 - 2014-02-14 14:00 - 02152960 _____ (Farbar) C:\Users\ASUSADMINX2K\Desktop\FRST64.exe
2014-02-14 13:54 - 2014-02-14 14:00 - 00388608 _____ (Trend Micro Inc.) C:\Users\ASUSADMINX2K\Desktop\HijackThis.exe
2014-02-14 13:53 - 2014-02-15 02:56 - 00380416 _____ () C:\Users\ASUSADMINX2K\Desktop\y55ftnfl.exe
2014-02-14 13:51 - 2014-02-14 14:00 - 10284816 _____ (Malwarebytes Corporation ) C:\Users\ASUSADMINX2K\Desktop\mbam-setup.exe
2014-02-14 13:51 - 2014-02-14 14:00 - 04122976 _____ (Kaspersky Lab ZAO) C:\Users\ASUSADMINX2K\Desktop\tdsskiller.exe
2014-02-14 11:00 - 2012-07-26 01:13 - 00262144 _____ () C:\Windows\system32\config\BCD-Template
2014-02-14 11:00 - 2012-07-26 01:12 - 00000000 ____D () C:\Windows\system32\Recovery

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-02-14 15:44

==================== End Of Log ============================

Additional
2014-02-14 15:45 - 2014-02-14 15:45 - 00000160 _____ () C:\Windows\system32\netcfg-48282.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000159 _____ () C:\Windows\system32\netcfg-50684.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000157 _____ () C:\Windows\system32\netcfg-51246.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000157 _____ () C:\Windows\system32\netcfg-47502.txt
2014-02-14 15:45 - 2014-02-14 15:45 - 00000150 _____ () C:\Windows\system32\netcfg-50419.txt
2014-02-14 15:20 - 2014-02-14 15:19 - 00000156 _____ () C:\Windows\system32\netcfg-429735.txt
2014-02-14 13:57 - 2014-02-14 14:00 - 02152960 _____ (Farbar) C:\Users\ASUSADMINX2K\Desktop\FRST64.exe
2014-02-14 13:54 - 2014-02-14 14:00 - 00388608 _____ (Trend Micro Inc.) C:\Users\ASUSADMINX2K\Desktop\HijackThis.exe
2014-02-14 13:53 - 2014-02-15 02:56 - 00380416 _____ () C:\Users\ASUSADMINX2K\Desktop\y55ftnfl.exe
2014-02-14 13:51 - 2014-02-14 14:00 - 10284816 _____ (Malwarebytes Corporation ) C:\Users\ASUSADMINX2K\Desktop\mbam-setup.exe
2014-02-14 13:51 - 2014-02-14 14:00 - 04122976 _____ (Kaspersky Lab ZAO) C:\Users\ASUSADMINX2K\Desktop\tdsskiller.exe
2014-02-14 11:00 - 2012-07-26 01:13 - 00262144 _____ () C:\Windows\system32\config\BCD-Template
2014-02-14 11:00 - 2012-07-26 01:12 - 00000000 ____D () C:\Windows\system32\Recovery

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-02-14 15:44

==================== End Of Log ============================

GMER SCAN LOG

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-15 04:48:29
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000037 Hitachi_HTS545050A7E380 rev.GG2OA6C0 465.76GB
Running: y55ftnfl.exe; Driver: C:\Users\ASUSAD~1\AppData\Local\Temp\uftirpoc.sys

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [404:412]  fffff9600063c5e8

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                    unknown MBR code

---- EOF - GMER 2.1 ----

Thanks, I could really use any advice/info you have; it's been nothing but a mess.



#4 Kman4488

Kman4488
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:the boondocks
  • Local time:08:17 AM

Posted 14 February 2014 - 08:00 PM

I'm confused as to why this is, but I found an additional log in the C folder. Should I also post it?



#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:17 PM

Posted 17 February 2014 - 06:08 AM

No, that's ok.

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#6 Kman4488

Kman4488
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:the boondocks
  • Local time:08:17 AM

Posted 17 February 2014 - 07:53 PM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-02-18 05:53:46
-----------------------------
05:53:46.399    OS Version: Windows x64 6.2.9200
05:53:46.399    Number of processors: 4 586 0x1001
05:53:46.399    ComputerName: ASUSXROM  UserName:
05:53:46.509    Initialze error 1
05:53:53.567    AVAST engine download error: 0
05:54:00.981    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000039
05:54:00.981    Disk 0 Vendor: Hitachi_HTS545050A7E380 GG2OA6C0 Size: 476940MB BusType: 11
05:54:01.028    Disk 0 MBR read successfully
05:54:01.028    Disk 0 MBR scan
05:54:01.043    Disk 0 unknown MBR code
05:54:01.043    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
05:54:01.043    Disk 0 scanning C:\Windows\system32\drivers
05:54:01.043    Service scanning
05:54:01.755    Modules scanning
05:54:01.756    Disk 0 trace - called modules:
05:54:01.787    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll storahci.sys
05:54:01.787    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800847d060]
05:54:01.803    3 CLASSPNP.SYS[fffff880012028aa] -> nt!IofCallDriver -> \Device\00000039[0xfffffa800795c060]
05:54:01.803    Scan finished successfully
05:54:30.088    Disk 0 MBR has been saved successfully to "C:\Users\ASUSADMINX2K\Cookies\Desktop\MBR.dat"
05:54:30.103    The log file has been saved successfully to "C:\Users\ASUSADMINX2K\Cookies\Desktop\aswMBR.txt"

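A way to read the MBR.dat that aswMBR saved, as an added example that is not part of this thread or of aswMBR: it parses the 512-byte sector, lists the partition table (the single type 0xEE entry in the log above is a GPT protective MBR, which can be one benign reason heuristic scanners report "unknown MBR code"), and hashes the 446 bytes of boot code so a later MBR.dat can be compared against an earlier backup. The sample sector below is constructed, with placeholder boot code.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446        # 446 bytes of boot code, then 4 x 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a well-formed MBR
GPT_PROTECTIVE = 0xEE          # partition type marking a GPT protective MBR


def parse_mbr(image: bytes) -> dict:
    """Parse one 512-byte MBR sector: signature, boot-code hash, partition table."""
    if len(image) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    sector = image[:SECTOR]
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # unused slot
        entries.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": sector[SECTOR - 2:] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "gpt_protective": len(entries) == 1 and entries[0]["type"] == GPT_PROTECTIVE,
        "partitions": entries,
    }

def boot_code_changed(image: bytes, baseline_sha256: str) -> bool:
    """True if the boot code no longer matches the hash of an earlier MBR.dat backup."""
    return parse_mbr(image)["boot_code_sha256"] != baseline_sha256

def build_sample_mbr() -> bytes:
    """Constructed sample shaped like the log above: one 0xEE entry at LBA 1
    spanning 0xFFFFFFFF sectors (2097151 MB). Boot code is a placeholder, not real code."""
    boot_code = b"\x33\xc0\x8e\xd0" + bytes(PART_TABLE_OFFSET - 4)
    entry = struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", GPT_PROTECTIVE,
                        b"\xff\xff\xff", 1, 0xFFFFFFFF)
    return boot_code + entry + bytes(48) + BOOT_SIGNATURE

if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print(info["gpt_protective"], info["partitions"])
    tampered = bytearray(sample)
    tampered[100] ^= 0xFF  # simulate a modified boot sector
    print("boot code changed:", boot_code_changed(bytes(tampered), info["boot_code_sha256"]))
```

To inspect a real backup, pass `open("MBR.dat", "rb").read()` to `parse_mbr` instead of the constructed sample, and keep the printed hash to compare against the next backup.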


#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:17 PM

Posted 18 February 2014 - 05:09 AM

Please upload C:\Users\ASUSADMINX2K\Cookies\Desktop\MBR.dat here: http://www.bleepingcomputer.com/submit-malware.php?channel=156



#8 Kman4488

Kman4488
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:the boondocks
  • Local time:08:17 AM

Posted 18 February 2014 - 01:53 PM

Ok, I uploaded that.



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:17 PM

Posted 19 February 2014 - 06:56 AM

I cannot see anything suspicious within the logs. Tell me what exactly your problem is.



#10 Kman4488

Kman4488
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:the boondocks
  • Local time:08:17 AM

Posted 20 February 2014 - 11:15 PM

Hmm, I am kinda surprised, but I feel better hearing that from someone who would know better than me. There have just been a lot of odd things: system settings and changes that I set end up changed back. The root directory didn't seem to be correct. I came across a lot of different logs that (to me) indicated all my settings, security/network etc., were being monitored. I also see a lot of drivers that I didn't see before, and settings indicating remote desktop use, which I had set to be disabled. Is it possible that if someone was using a Linux based OS to try to hack / modify things, it wouldn't be visible to scans running on Windows? I had seen something a while back using Kaspersky that said it found an unknown item that was named "ServerX.cfg", and did some reading, and it got me wondering about that. Also I noticed that it said I had a VHD volume; I have never created one, so that was confusing as well. All these things are hard for me to decipher, so I could be wrong. Anyways, I appreciate your time looking through all these logs; in the end it will put certain things to rest for me.



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:17 PM

Posted 24 February 2014 - 04:27 AM

This .cfg file is used by many programs based on Linux operating systems, for example some games like Counter Strike. Most live CDs are based on Linux, too.

If someone were to break into your system without using malware, we cannot detect this. We're here for removing malware. If you want to ensure no one is connecting secretly, format and reinstall.

Perhaps it would be a good idea to seek advice from a lawyer and/or the police.

Uninstall our tools using delfix

Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software: you can start it again and use the Enable button.
  • In case we used Combofix: deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.

Recommendations: How to protect yourself

  • System Updates
    Please ensure that you have automatic updates activated in your Control Panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally, I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a web site classified as dangerous, a warning screen is displayed.

  • Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated Windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

  • Backup
    Hardware issues, malware, fire, lightning strike: there is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians, but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today's setup procedures contain potentially unwanted programs, so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:17 PM

Posted 10 March 2014 - 07:57 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



