Seeking Help


8 replies to this topic

#1 Vaxhy

Vaxhy

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:57 AM

Posted 27 July 2014 - 03:45 AM

Hi and good day to all!

 

Can anyone please help me?  :( 

I'm having trouble with this tr/rootkit.gen thingy that my Avira Free Antivirus keeps on detecting every time I launch my favorite online game.

 

I already posted my problem in the game's forum, but unfortunately no GMs, FMs or Tech Support representatives have replied to our post. A fellow forum-er there told us that it is not the game's fault and that our computer has been infected, and posted some links that could help us clean our desktop (TDSSKiller, ComboFix, Adwcleaner, CCleaner). I did, but unfortunately nothing worked for me. Well, I am no expert, so maybe I didn't do it right, and hopefully I didn't do anything stupid that could further harm my computer :axe:. That is why I am here to seek help from the experts.

 

Can you also please confirm to me if the problem is in our desktop and not in the game, because this sudden warning started after the game's latest patch, and upon checking other online games there is no problem or detection; it is just with this specific game that, when launched, Avira detects something.

 

Any help would be greatly appreciated.  :hug:

 

Here is the screenshot of the warning:

3rmtKpt.jpg

 

And a fellow forum-er also has the same problem as me and has better screenshots:

First

ivKKMd5.png

 

Second

AcbATmZ.png

 

Third

WR7ieNu.jpg

 

 

 

 

 




#2 Vaxhy

Vaxhy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:57 AM

Posted 28 July 2014 - 04:29 AM

Good day! 

 

I just want to bump and update my post.

And also to say sorry about the title :unsure: I should have been more specific about my concern in the title.

I did try to edit it but unfortunately the title cannot be changed and I don't want to cause any more trouble by posting twice just to correct my title. I'm really sorry.

 

Back to my update.

One of the Game Moderators replied to our post saying that they had already forwarded the concern about the Avira conflict with the game, but they didn't clarify to us if the game is at fault or if it's our desktop that is infected. Still, I can't stop thinking that there is a big possibility that the game is at fault based on the GM's reply, but I don't want to be at ease and I really want to make sure that my desktop is free from viruses or any unwanted programs, so I am still seeking help because I don't want to risk my desktop's safety and security.

 

Other players who have the same problem as me already solved their problems by using the programs (combofix, adwcleaner, tdsskiller, ccleaner etc.) that were posted by a fellow knowledgeable player, and as I said I also did, but it didn't work for me, and I don't want to take the risk again because when I was exploring your site I read that programs such as ComboFix shouldn't be used unless under the supervision of an expert, since they might cause more serious trouble if misused by an amateur like me.  :blush:

 

*Can I name the game? Well, I'm saying it anyway for clarification: it's Crossfire Ph.



#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,271 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:57 PM

Posted 31 July 2014 - 10:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Let me know what problem persists.

#4 Vaxhy

Vaxhy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:57 AM

Posted 31 July 2014 - 06:02 PM

Hi nasdaq!

I'm Vaxhy and I am very grateful for your assistance.

 

For update:

Yesterday, the game had their regular weekly maintenance.

A while ago, I patched the game, and after patching and opening the game, Avira has no detection of that tr/rootkit.gen.

Meaning, regarding my problem, the game was at fault and it has already been solved by them.

 

But I don't want to be at ease and still want to make sure that our desktop is free from viruses or any unwanted programs, so I still need your help and assistance to assure us that our desktop is clean. Thank you in advance!  :kiss:

 

Here are the logs you are asking for:

Adwcleaner = Attached file: AdwCleanerR1.txt (1002 bytes)

Farbar FRST = Attached file: FRST.txt (29.54 KB)

Farbar Addition = Attached file: Addition.txt (41.05 KB)



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,271 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:57 PM

Posted 01 August 2014 - 09:41 AM

Clean these items.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKCU - {7182B9C7-8ED9-4844-9C06-B8E2A063BBA0} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10269&src=crm&q={searchTerms}&locale=en_PH&apn_ptnrs=^AH0&apn_dtid=^YYYYYY^YY^PH&apn_uid=cdecaa69-edd0-49c3-8b1f-ba640c8ed63b&apn_sauid=CFA50FFA-3681-437F-9FB7-ADE4C4204565
BHO-x32: Groove GFS Browser Helper -> {390C7E87-153C-12DB-2EA6-0BB301EB26E9} -> C:\Windows\SysWOW64\d3dx9_288.dll ()
FF SearchEngineOrder.1: Ask.com
FF SelectedSearchEngine: Ask.com
FF Plugin-x32: @qq.com/npqscall - C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll No File
FF Plugin-x32: @qq.com/TXSSO - C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.38\Bin\npSSOAxCtrlForPTLogin.dll No File
FF Plugin HKCU: @leeuu.com/npgboxruner;version= - C:\Users\sysamin\AppData\Roaming\gbox\npgboxruner.dll No File
FF Plugin HKCU: ubisoft.com/uplaypc - D:\Settlers7\Data\Base\_Dbg\Bin\Release\orbit\npuplaypc.dll No File
FF Plugin HKCU: xyzgl-plugin@xyz-soft.com - C:\Program Files (x86)\Alfheim\npxyzgl.dll No File
CHR Plugin: (QQ2011) - C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll No File
CHR Plugin: (NPTXSSO Dynamic Link Library) - C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.38\Bin\npSSOAxCtrlForPTLogin.dll No File
CHR Plugin: (Google Update) - C:\Users\sysamin\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll No File
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 GGSAFERDriver; \??\D:\League of Legends\Garena Plus\Room\safedrv.sys [X]
S3 MFE_RR; \??\C:\Users\sysamin\AppData\Local\Temp\mfe_rr.sys [X]
S3 X6va011; \??\C:\Windows\SysWOW64\Drivers\X6va011 [X]
S3 X6va012; \??\C:\Windows\SysWOW64\Drivers\X6va012 [X]
S3 X6va013; \??\C:\Windows\SysWOW64\Drivers\X6va013 [X]
S3 X6va014; \??\C:\Windows\SysWOW64\Drivers\X6va014 [X]
S3 X6va015; \??\C:\Windows\SysWOW64\Drivers\X6va015 [X]
S3 X6va016; \??\C:\Windows\SysWOW64\Drivers\X6va016 [X]
S3 X6va017; \??\C:\Windows\SysWOW64\Drivers\X6va017 [X]
S3 X6va019; \??\C:\Windows\SysWOW64\Drivers\X6va019 [X]
S3 X6va021; \??\C:\Windows\SysWOW64\Drivers\X6va021 [X]
S3 X6va022; \??\C:\Windows\SysWOW64\Drivers\X6va022 [X]
R3 X6va023; \??\C:\Windows\SysWOW64\Drivers\X6va023 [X]
C:\Windows\SysWOW64\d3dx9_288.dll
AlternateDataStreams: C:\ProgramData\TEMP:8EBE034C

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
---

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/
===

How is the computer running now?
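As a defender-side illustration of what the fixlist above targets, here is a small triage script (added here; it is not part of the thread and not part of FRST or any BleepingComputer tool) that sorts FRST-style entries into the same buckets nasdaq cleaned: search providers redirected to ask.com, plugins and drivers whose files are gone, a BHO with no description, and an alternate data stream. The sample lines are constructed in the format shown above with GUIDs replaced by placeholders, and the suspect-domain list is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumption: search providers pointing at these domains are treated as
# hijack candidates (the FRST output above shows ask.com set as provider).
SUSPECT_SEARCH_DOMAINS = ("ask.com",)
SEARCH_PREFIXES = ("SearchScopes:", "FF SelectedSearchEngine:", "FF SearchEngineOrder")

def classify_frst_line(line: str) -> Optional[str]:
    """Return a triage bucket for one FRST-style line, or None if nothing stands out."""
    s = line.strip()
    if not s:
        return None
    # Service/driver entries whose binary is missing: FRST appends "[X]".
    if re.match(r"^[RS]\d ", s) and s.endswith("[X]"):
        return "orphan_driver"
    # Browser plugin entries whose DLL no longer exists on disk.
    if s.endswith("No File"):
        return "orphan_plugin"
    # Search provider entries redirected to a suspect domain.
    if s.startswith(SEARCH_PREFIXES) and any(d in s.lower() for d in SUSPECT_SEARCH_DOMAINS):
        return "search_hijack"
    # Browser Helper Object whose DLL carries no description, shown as "()".
    if s.startswith("BHO") and s.endswith("()"):
        return "bho_no_description"
    # Alternate data stream attached to an otherwise unrelated file.
    if s.startswith("AlternateDataStreams:"):
        return "alternate_data_stream"
    return None

def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group flagged lines by bucket; lines that raise no flag are dropped."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        bucket = classify_frst_line(line)
        if bucket:
            buckets[bucket].append(line.strip())
    return dict(buckets)

# Constructed sample in the FRST format shown above (GUIDs replaced by {GUID}).
SAMPLE_LINES = r"""
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKCU - {GUID} URL = http://websearch.ask.com/redirect?client=ie&q={searchTerms}
BHO-x32: Groove GFS Browser Helper -> {GUID} -> C:\Windows\SysWOW64\d3dx9_288.dll ()
FF SelectedSearchEngine: Ask.com
FF Plugin-x32: @qq.com/npqscall - C:\Program Files (x86)\Common Files\Tencent\NPQSCALL\npqscall.dll No File
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
R3 X6va023; \??\C:\Windows\SysWOW64\Drivers\X6va023 [X]
AlternateDataStreams: C:\ProgramData\TEMP:8EBE034C
""".splitlines()

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LINES).items():
        print(f"{bucket}: {len(hits)}")
```

The "DefaultScope value is missing" line is deliberately left unflagged: it records a missing value, not a redirect, and what to do with it is a judgement call for the person reading the log.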

#6 Vaxhy

Vaxhy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:57 AM

Posted 01 August 2014 - 05:28 PM

Here's the Fixlog:
Attached file: Fixlog.txt (5.3 KB)
 
Here's the Security Checkup Log:
 Results of screen317's Security Check version 0.99.86  
 Windows 7  x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Avira Desktop   
 Antivirus up to date!  (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 21  
 Java version out of Date!
 Adobe Flash Player 14.0.0.145  
 Mozilla Firefox (28.0) 
 Google Chrome 25.0.1359.3  
````````Process Check: objlist.exe by Laurent````````
 Avira Antivir avgnt.exe 
 Avira Antivir avguard.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 12% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 
 
How is the computer running now?
The only change that we notice for now is that whenever we start the desktop it loads faster than it used to.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,271 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:57 PM

Posted 02 August 2014 - 07:28 AM

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u65.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 21

===

For your added security, install Windows 7 Service Pack 1 (SP1):
http://windows.microsoft.com/installwindows7sp1
---

If all is well.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#8 Vaxhy

Vaxhy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:57 AM

Posted 03 August 2014 - 02:25 AM

Thank you so much for your assistance and help nasdaq!  :kiss:

If you didn't see any suspicious files or programs in the logs I posted then I think all is well.

Thanks for the links and I'll try to follow your instructions above and try to learn how to protect my desktop.

Again thank you so much!  :hug:

 

More power to you and your team  :bowdown:



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,271 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:57 PM

Posted 03 August 2014 - 06:40 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



