Found and removed (?) Trojan.Agent.ED using MBAR, now GMER reports rootkit?

#1 matt_au

matt_au

  • Members
  • 15 posts
  • Gender:Male
  • Location:Australia

Posted 25 October 2015 - 02:07 PM

Hi (and thanks). I've been noticing various suspicious activity on my system, so I scanned with MBAR. It found/removed Trojan.Agent.ED and a few PUPs. On next login Windows reported 5 failed logins since the last interactive login, none of which were due to me. So I scanned with GMER and it is reporting many entries in the rootkit tab (and a much smaller number of rootkit entries when running in safe mode).

The trojan was detected in an app from the Leap Motion App Store. My Leap Motion Controller has been acting strangely (high CPU even when no Leap Controller plugged in) so I've recently removed the Leap Motion Service (but not the Leap Motion Control Panel software).

Examples of the initial suspicious activity:

- Network Connections shows no NIC / is blank (although I'm here on your site now so definitely have one).

- Firefox started to show Yahoo as the default search engine about a month ago. I had it set to Google. At the time I thought it was because I had accidentally clicked yes to a "Set search default to Yahoo" when running the setup.exe for some free software I had downloaded. Now I'm not sure it was me that made the change to my default search engine.

- I disable Internet Connection Sharing but it keeps re-enabling itself and trying to start (but fails to because I have Remote Access Connection Manager disabled).

- MSConfig says my PC has several services whose names are just GUIDs. Things like: {8E41C0B5-D483-41EE-A3AE-CA7ECF9AEBED}.exe (no idea of the file path as they don't say).

- Right-click > Properties for many system DLLs doesn't show the Digital Signatures tab.

- As I write this up while in safe mode, I get the feeling that my event log contents don't match what I see when not in safe mode. I'll investigate further and post what I find.

- I noticed several new directories that contained what looks like a basic Windows C: install (i.e. containing subdirectories with the typical Program Files/Windows/AppData etc. directories you'd see in a Windows C: install). NB GWX is running on my (Windows 7) PC, but I don't think what I'm seeing is the set of directories it creates.

- ipconfig /all reports my NIC having 2 gateways - 192.168.2.1 (correct) and 192.168.1.2 (incorrect - 6 months ago my PC's gateway was 192.168.1.1 but we got a new router and switched to the 192.168.2 subnet; I thought I had removed references to this subnet but may just have missed something).

- On my local network, my PC and sometimes other devices report DHCP lease issues that I suspect may be due to probing or attempts to access the local network.

- Many varied event log errors (and intermittent hanging when scrolling through event log entries) e.g.:

-- The event logging service encountered an error (res=23) while opening log file for channel Application.

-- The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

-- Session "Microsoft Security Client OOBE" stopped due to the following error: 0xC000000D.

-- The following boot-start or system-start driver(s) failed to load: discache epp64 MpFilter spldr Wanarpv6

-- DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

-- The ScRegSetValueExW call failed for FailureCommand with the following error: Access is denied.

-- Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

-- Name resolution for the name 54.158.225.192.in-addr.arpa timed out after none of the configured DNS servers responded.

-- The driver \Driver\WUDFRd failed to load for the device USB\VID_0FCE&PID_019B\YT910FRKVX.

-- A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.

-- The IP address lease 192.168.1.100 for the Network Card with network address 0x00241D1F7F32 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).

-- Microsoft Antimalware has encountered an error trying to update signatures... The operation timed out.

-- User Logon Notification for Customer Experience Improvement Program  ***NB I am not in the Customer Experience Improvement Program

-- Retrieve public folder failed.  Details: Unspecified error

-- Error 0x80070005 occurred while creating known folder {3eb685db-65f9-4cf6-a03a-e3ef65729f3d} with path 'C:\Windows\system32\config\systemprofile\AppData\Roaming'.

-- I'm sure there were some entries for device drivers that didn't quite seem right (searching Google for the driver .sys file name didn't return any matches for one driver, I recall), but I can't seem to find the event log entries for that driver now when I go looking for it. That might just be because it's 4:45am here currently and I'm a tad over-tired :) (I have insomnia).

- Other event log entries that are not errors but which have caught my attention:

-- File System Filter 'FileInfo' (6.1, 2009-07-14T09:34:25.000000000Z) has successfully loaded and registered with Filter Manager.

-- One or more of the Plug and Play service's subsystems has changed state. PlugPlay install subsystem enabled: 'true'  PlugPlay caching subsystem enabled: 'true'

-- Windows Firewall blocked an application from accepting incoming connections on the network.  Profiles:        Public  Application:        C:\windows\system32\lsass.exe

-- Windows Firewall did not apply the following rule: CoreNet-ICMP6-LD-In    Reason:    Remote Addresses resolved to an empty set.

-- Many audit entries about accessing privileged services and similar.

-- The Windows Filtering Platform has blocked a connection.

Application Information:
    Process ID:        936
    Application Name:    \device\harddiskvolume2\windows\system32\svchost.exe
Network Information:
    Direction:        Inbound
    Source Address:        255.255.255.255
    Source Port:        67
    Destination Address:    0.0.0.0
    Destination Port:        68
    Protocol:        0
Filter Information:
    Filter Run-Time ID:    69018
    Layer Name:        Receive/Accept
    Layer Run-Time ID:    44
I ran GMER to check for rootkits. GMER running in safe mode is reporting the following in the Rootkit tab:

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000761fa9867
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000761fa9867 (not active ControlSet)

I did a partial scan outside safe mode and it was reporting many entries for mmc.exe, services.exe. I didn't let the scan complete because I wasn't keen to keep my computer running unnecessarily.

Other points to note about my PC:

- It's a home PC connected via LAN cable to an ASUS router (which connects to our DSL2+ modem). Other devices on the local network are Android tablets/phones, TV and hi-fi.

- Please be aware that I've run various anti-malware tools on this machine at various times (TDSSKiller, RogueKiller, ComboFix etc. etc. etc.) as I've been learning/experimenting with these things. I.e. "Do not attempt to fix any of the entries that you find within these logs as it may cause damage to your computer's configuration" <- I've done this in the past. I've got 20 years programming experience, but I'm an amateur at what you do so it's possible that my past learning has compounded the problem, i.e. false positives, bad config are a possibility.

- I've done a lot of tweaking to my PC in attempts to keep it secure and lightweight - lots of services disabled, custom event logs, Group Policy changes to try to keep it locked down. I probably don't do this very well (I'm a programmer, not a systems admin person - group policy etc. is definitely not my strong point :). It also has my various development tools/software on it - Visual Studio etc.

- I use Firefox almost exclusively for web browsing, but IE does accidentally get used occasionally.

- I recently switched from Bluetooth keyboard and (Logitech) mouse to hard-wired ones. I suspect the Bluetooth drivers/software may be infected (they seem to show up in reports a lot when I've run MBAM etc. in the past, and there are event log warnings that mention Bluetooth). The Bluetooth adapters are no longer plugged into the USB ports.

- In the FRST report below there are entries for files named QRCopy.exe and InvisibleMouse.exe - their presence is not suspicious to me (I put them there) but they are unsigned apps that may be infected with something.

My priority is to get my PC cleaned, but if you care to share any extra details about *why* you tell me to run a certain tool in particular as we diagnose/fix this, that would be greatly appreciated :). One day I'd like to have the skills such that I can be the person helping to fix someone else's PC. No problem though if you don't have the time for this, I understand how busy you guys must be. I'm grateful for any help I can get.

Thanks,

Matt.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-10-2015 02
Ran by Tyson (administrator) on TYSIES-PC (26-10-2015 03:09:14)
Running from C:\Users\Tyson\Desktop
Loaded Profiles: Tyson (Available Profiles: Tyson)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-2975365810-1069161605-3862974675-1000\...\Run: [QRCopy] => C:\Program Files (x86)\QRCopy\QRCopy.exe
HKU\S-1-5-21-2975365810-1069161605-3862974675-1000\...\Run: [Leap Control Panel] => C:\Program Files (x86)\Leap Motion\Core Services\LeapControlPanel.exe [3697488 2015-08-21] (Leap Motion, Inc.)
HKU\S-1-5-21-2975365810-1069161605-3862974675-1000\...\Run: [GlassWire] => e:\Program Files (x86)\GlassWire\glasswire.exe [10587432 2015-03-12] (SecureMix LLC)
HKU\S-1-5-18\...\Run: [] => [X]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GIGABYTE OC_GURU.lnk [2015-04-05]
ShortcutTarget: GIGABYTE OC_GURU.lnk -> E:\Program Files (x86)\GIGABYTE\GIGABYTE OC_GURU II\OC_GURU.exe (GIGABYTE Technology Co.,Ltd.)
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{F164A884-4CC4-4312-8354-E21533C3C56D}: [NameServer] 208.67.222.222,192.168.1.1,208.67.220.220,192.168.1.2
Tcpip\..\Interfaces\{F164A884-4CC4-4312-8354-E21533C3C56D}: [DhcpNameServer] 192.168.2.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2975365810-1069161605-3862974675-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2975365810-1069161605-3862974675-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} hxxp://content.systemrequirementslab.com/bin/srldetect_intel_4.5.22.0.cab
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab

FireFox:
========
FF ProfilePath: C:\Users\Tyson\AppData\Roaming\Mozilla\Firefox\Profiles\vc5kkpi6.default
FF SelectedSearchEngine: Yahoo!
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll [2015-02-20] ()
FF Plugin: @java.com/DTPlugin -> C:\Program Files\Java\jre6\bin\npDeployJava1.dll [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-20] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2013-07-03] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2013-07-03] (Foxit Corporation)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2013-10-08] (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-08-07] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-08-07] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll [No File]
FF Extension: CSS Usage - C:\Users\Tyson\AppData\Roaming\Mozilla\Firefox\Profiles\vc5kkpi6.default\Extensions\csscoverage@spaghetticoder.org.xpi [2015-10-04]
FF Extension: Firebug - C:\Users\Tyson\AppData\Roaming\Mozilla\Firefox\Profiles\vc5kkpi6.default\Extensions\firebug@software.joehewitt.com.xpi [2015-10-04]
FF Extension: Ghostery - C:\Users\Tyson\AppData\Roaming\Mozilla\Firefox\Profiles\vc5kkpi6.default\Extensions\firefox@ghostery.com.xpi [2015-10-25]
FF Extension: Tab Tree - C:\Users\Tyson\AppData\Roaming\Mozilla\Firefox\Profiles\vc5kkpi6.default\Extensions\TabsTree@traxium.xpi [2015-10-25]
FF Extension: Tree Style Tab - C:\Users\Tyson\AppData\Roaming\Mozilla\Firefox\Profiles\vc5kkpi6.default\Extensions\treestyletab@piro.sakura.ne.jp.xpi [2015-10-25]
FF Extension: Video WithOut Flash - C:\Users\Tyson\AppData\Roaming\Mozilla\Firefox\Profiles\vc5kkpi6.default\Extensions\vwof@drev.com.xpi [2015-10-25]
FF Extension: Adblock Plus - C:\Users\Tyson\AppData\Roaming\Mozilla\Firefox\Profiles\vc5kkpi6.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-10-25]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 GlassWire; e:\Program Files (x86)\GlassWire\GWCtlSrv.exe [6293288 2015-03-12] (SecureMix LLC)
S4 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2151744 2014-02-02] (IObit)
S2 MBAMService; e:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
S3 Origin Client Service; E:\Program Files (x86)\Origin\OriginClientService.exe [2078216 2015-10-09] (Electronic Arts)
S4 VsEtwService120; E:\Program Files (x86)\Common7\Packages\Debugger\Services\VsEtwService.exe [87728 2013-10-04] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
S1 epp64; E:\AV\EEK\bin\epp64.sys [136456 2015-10-24] (Emsisoft GmbH)
S3 ggsomc; C:\Windows\System32\DRIVERS\ggsomc.sys [30424 2015-04-12] (Sony Mobile Communications)
S3 GPCIDrv; E:\Program Files (x86)\GIGABYTE\GIGABYTE OC_GURU II\GPCIDrv64.sys [14376 2014-08-28] ()
R1 gwdrv; C:\Windows\System32\DRIVERS\gwdrv.sys [33296 2015-03-12] (SecureMix LLC)
S4 kebzlm; no ImagePath
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
S3 PcaSp60; C:\Windows\SysWOW64\DRIVERS\PcaSp60.sys [38912 2010-09-07] (Printing Communications Assoc., Inc. (PCAUSA))
S4 RT61; C:\Windows\System32\DRIVERS\rt61.sys [438784 2009-06-02] (Ralink Technology, Corp.)
S3 RTL2832UBDA; C:\Windows\SysWOW64\drivers\RTL2832UBDA.sys [225256 2011-05-17] (REALTEK SEMICONDUCTOR Corp.)
S3 RTL2832UUSB; C:\Windows\SysWOW64\Drivers\RTL2832UUSB.sys [39016 2011-05-17] (REALTEK SEMICONDUCTOR Corp.)
S3 RTL2832U_IRHID; C:\Windows\SysWOW64\DRIVERS\RTL2832U_IRHID.sys [48488 2011-06-13] (Realtek)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-10-25] ()
S3 WinRing0_1_0_1; E:\MATT\MemSet\WinRing0x64.sys [14544 2007-12-15] (OpenLibSys.org)
S4 catchme; \??\C:\ComboFixm\catchme.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files\Intel Corporation\Intel Processor Diagnostic Tool 64Bit\WinRing0x64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-26 02:02 - 2015-10-26 02:02 - 00380416 _____ C:\Users\Tyson\Desktop\39t2jhri.exe
2015-10-26 01:04 - 2015-10-26 01:06 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Tyson\Desktop\mbar-1.09.3.1001.exe
2015-10-26 01:04 - 2015-10-26 01:05 - 00041186 _____ C:\Users\Tyson\Desktop\Addition.txt
2015-10-26 01:03 - 2015-10-26 03:09 - 00010910 _____ C:\Users\Tyson\Desktop\FRST.txt
2015-10-25 20:35 - 2015-10-25 20:35 - 02870984 _____ (ESET) C:\Users\Tyson\Desktop\esetsmartinstaller_enu.exe
2015-10-25 04:21 - 2015-10-25 04:21 - 00000752 _____ C:\Users\Tyson\Desktop\Start Emsisoft Emergency Kit.lnk
2015-10-25 03:06 - 2015-10-25 03:08 - 22908888 _____ (Malwarebytes ) C:\Users\Tyson\Desktop\mbam-setup-2.2.0.1024.exe
2015-10-25 01:42 - 2015-10-25 01:45 - 00000000 ____D C:\Users\Tyson\AppData\Roaming\ImgBurn
2015-10-25 01:39 - 2015-10-25 01:39 - 00000790 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn.lnk
2015-10-25 01:39 - 2015-10-25 01:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn
2015-10-25 01:36 - 2015-10-25 01:36 - 00001190 _____ C:\Users\Tyson\Desktop\Continue Free ISO Burner Installation.lnk
2015-10-25 01:36 - 2015-10-25 01:36 - 00000000 ____D C:\Program Files (x86)\isoburner_setup
2015-10-24 20:07 - 2015-10-26 03:06 - 02197504 _____ (Farbar) C:\Users\Tyson\Desktop\FRST64.exe
2015-10-24 20:05 - 2015-10-24 20:05 - 07194312 _____ (Microsoft Corporation) C:\Users\Tyson\Desktop\vcredist_x64.exe
2015-10-24 20:05 - 2015-10-24 20:05 - 06503984 _____ (Microsoft Corporation) C:\Users\Tyson\Desktop\vcredist_x86.exe
2015-10-24 19:49 - 2015-10-24 19:49 - 00321848 _____ (Malwarebytes Corporation) C:\Users\Tyson\Desktop\emmbarrcleeenn.exe
2015-10-24 19:44 - 2015-10-24 19:44 - 22908888 _____ (Malwarebytes ) C:\Users\Tyson\Desktop\embaarrr.exe
2015-10-18 08:20 - 2015-10-18 08:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QRCopy
2015-10-16 19:39 - 2015-10-16 19:39 - 00000096 _____ C:\Users\Tyson\AppData\Roaming\version2.xml
2015-10-16 09:36 - 2015-10-16 11:55 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-10-15 08:52 - 2015-10-15 08:52 - 00001305 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
2015-10-15 08:52 - 2015-10-15 08:52 - 00000000 ____D C:\Windows\en
2015-10-15 08:51 - 2015-10-15 08:51 - 00001374 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
2015-10-15 08:51 - 2015-10-15 08:51 - 00000020 _____ C:\Windows\¸øw
2015-10-15 08:51 - 2015-10-15 08:51 - 00000000 ____D C:\Windows\PCHEALTH
2015-10-15 08:51 - 2015-10-15 08:51 - 00000000 ____D C:\Program Files (x86)\Windows Live
2015-10-15 08:51 - 2015-10-15 08:51 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2015-10-15 08:09 - 2015-10-26 01:17 - 00000000 ____D C:\Users\Tyson\AppData\Roaming\DVDVideoSoft
2015-10-15 08:03 - 2015-10-15 08:03 - 00000020 _____ C:\Windows\ õÜ
2015-10-14 14:33 - 2015-10-14 14:33 - 00000020 _____ C:\Windows\€óì
2015-10-05 09:19 - 2015-10-05 09:19 - 00000000 ____D C:\Users\Tyson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GlassWire 1.0
2015-10-05 09:17 - 2015-03-12 01:47 - 00008704 _____ C:\Windows\system32\Drivers\gwdrv.cat
2015-10-05 09:17 - 2015-03-12 01:36 - 00033296 _____ (SecureMix LLC) C:\Windows\system32\Drivers\gwdrv.sys
2015-10-04 15:34 - 2015-10-04 15:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Total Validator Tool

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-26 03:09 - 2014-10-19 01:52 - 00000000 ____D C:\FRST
2015-10-26 03:01 - 2014-03-01 04:20 - 00000000 ____D C:\Users\Tyson\AppData\Local\CrashDumps
2015-10-26 02:52 - 2009-07-14 15:13 - 00791118 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-26 02:43 - 2014-03-01 04:27 - 00000000 ____D C:\Program Files\Logitech
2015-10-26 02:29 - 2013-08-04 23:42 - 01530148 _____ C:\Windows\WindowsUpdate.log
2015-10-26 02:19 - 2013-08-06 03:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Creative
2015-10-26 02:17 - 2013-08-06 03:36 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-10-26 01:16 - 2015-04-05 21:38 - 00000000 ____D C:\Swann
2015-10-25 23:49 - 2009-07-14 14:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-25 23:49 - 2009-07-14 14:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-25 23:38 - 2015-08-02 19:07 - 00008944 _____ C:\Windows\setupact.log
2015-10-25 23:38 - 2009-07-14 15:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-25 22:55 - 2015-05-07 04:31 - 00000000 ____D C:\Users\Tyson\Desktop\MALWARE TOOLS BACKUP
2015-10-25 06:21 - 2014-10-25 06:25 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-25 05:17 - 2014-10-24 08:20 - 00000000 ____D C:\AdwCleaner
2015-10-25 05:04 - 2014-10-24 07:40 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys
2015-10-25 04:42 - 2014-10-25 06:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-25 04:37 - 2014-02-13 03:22 - 00025814 _____ C:\Windows\PFRO.log
2015-10-25 03:46 - 2014-10-24 07:40 - 00000000 ____D C:\ProgramData\RogueKiller
2015-10-25 03:36 - 2011-04-12 18:28 - 00000000 ____D C:\Windows\CSC
2015-10-25 03:02 - 2014-10-20 23:44 - 00000000 ____D C:\TDSSKiller_Quarantine
2015-10-25 03:02 - 2013-10-12 18:34 - 00000000 ____D C:\Program Files (x86)\QRCopy
2015-10-25 01:46 - 2014-11-22 22:47 - 00000000 ____D C:\Users\Tyson\AppData\Roaming\QRCopy
2015-10-24 01:29 - 2013-11-28 15:26 - 00000000 ____D C:\ProgramData\Leap Motion
2015-10-22 13:14 - 2014-01-26 08:59 - 00000000 ____D C:\Users\Tyson\Documents\Visual Studio 2013
2015-10-21 19:58 - 2013-08-11 07:45 - 00000000 ____D C:\ProgramData\Origin
2015-10-21 10:24 - 2014-12-19 20:40 - 00000000 ____D C:\Users\Tyson\AppData\Roaming\Leap Motion
2015-10-18 08:20 - 2013-10-12 18:34 - 00000000 ____D C:\ProgramData\Package Cache
2015-10-16 20:36 - 2014-10-20 23:36 - 00004552 _____ C:\Users\Tyson\AppData\Roaming\CamStudio.cfg
2015-10-16 20:36 - 2014-10-20 23:36 - 00000408 _____ C:\Users\Tyson\AppData\Roaming\CamShapes.ini
2015-10-16 20:36 - 2014-10-20 23:36 - 00000408 _____ C:\Users\Tyson\AppData\Roaming\CamLayout.ini
2015-10-16 20:36 - 2014-10-20 23:36 - 00000107 _____ C:\Users\Tyson\AppData\Roaming\Camdata.ini
2015-10-16 11:55 - 2015-07-14 22:23 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-10-16 08:48 - 2014-12-30 00:11 - 00007012 _____ C:\Users\Tyson\Documents\QRCopy.settings.backup.previous.xml
2015-10-16 08:48 - 2014-12-30 00:11 - 00007012 _____ C:\Users\Tyson\Documents\QRCopy.settings.backup.latest.xml
2015-10-15 08:51 - 2009-07-14 13:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-10-15 08:50 - 2014-05-14 23:33 - 00028570 _____ C:\Windows\DirectX.log
2015-10-15 08:49 - 2013-12-19 20:37 - 00000000 ____D C:\Users\Tyson\AppData\Local\Windows Live
2015-10-15 08:05 - 2013-08-06 01:47 - 00000000 ____D C:\ProgramData\NVIDIA
2015-10-08 19:29 - 2015-04-12 13:53 - 00002026 _____ C:\Users\Public\Desktop\Sony PC Companion 2.1.lnk
2015-10-08 19:29 - 2015-04-12 13:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sony
2015-10-08 19:29 - 2014-01-18 17:02 - 00710894 _____ C:\Windows\DPINST.LOG
2015-10-05 09:50 - 2014-10-25 06:25 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-05 09:50 - 2014-10-25 06:25 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-05 09:50 - 2014-10-25 06:25 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-09-27 21:25 - 2014-12-14 00:04 - 00000000 ____D C:\Users\Tyson\Documents\simsmovedmods

==================== Files in the root of some directories =======

2014-10-20 23:36 - 2015-10-16 20:36 - 0000107 _____ () C:\Users\Tyson\AppData\Roaming\Camdata.ini
2014-10-20 23:36 - 2015-10-16 20:36 - 0000408 _____ () C:\Users\Tyson\AppData\Roaming\CamLayout.ini
2014-10-20 23:36 - 2015-10-16 20:36 - 0000408 _____ () C:\Users\Tyson\AppData\Roaming\CamShapes.ini
2014-10-20 23:36 - 2015-10-16 20:36 - 0004552 _____ () C:\Users\Tyson\AppData\Roaming\CamStudio.cfg
2015-10-16 19:39 - 2015-10-16 19:39 - 0000096 _____ () C:\Users\Tyson\AppData\Roaming\version2.xml
2013-11-30 22:12 - 2013-11-30 22:12 - 0000019 _____ () C:\Users\Tyson\AppData\Local\Allthecooks.settings
2014-06-07 08:39 - 2014-10-21 12:37 - 0099491 _____ () C:\Users\Tyson\AppData\Local\ars.cache
2014-06-07 08:39 - 2014-10-21 12:37 - 0260181 _____ () C:\Users\Tyson\AppData\Local\census.cache
2013-08-11 03:55 - 2014-01-30 13:26 - 0009728 _____ () C:\Users\Tyson\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-06-07 08:10 - 2014-06-07 08:10 - 0000036 _____ () C:\Users\Tyson\AppData\Local\housecall.guid.cache
2014-06-30 01:30 - 2014-11-30 04:20 - 2177964 _____ () C:\Users\Tyson\AppData\Local\QRCopyDebuggerLogFile.log.txt
2013-08-17 06:55 - 2015-03-29 17:42 - 0007597 _____ () C:\Users\Tyson\AppData\Local\resmon.resmoncfg
2014-10-20 03:41 - 2014-10-20 03:41 - 0000010 _____ () C:\Users\Tyson\AppData\Local\sponge.last.runtime.cache
2014-01-30 08:18 - 2014-01-30 08:19 - 0000001 _____ () C:\ProgramData\LMOTD_Level.txt

Some files in TEMP:
====================
C:\Users\Tyson\AppData\Local\Temp\pyl1EFC.tmp.exe
C:\Users\Tyson\AppData\Local\Temp\sqlite3.dll
C:\Users\Tyson\AppData\Local\Temp\{30BC73EA-A2C2-416B-925D-D06EB95409F5}.exe
C:\Users\Tyson\AppData\Local\Temp\{818FF81A-9219-407C-86E8-E4E95950E965}.exe
C:\Users\Tyson\AppData\Local\Temp\{8E41C0B5-D483-41EE-A3AE-CA7ECF9AEBED}.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-21 04:30

==================== End of FRST.txt ============================


#2 nasdaq
  • Malware Response Team
  • 39,520 posts
  • Location: Montreal, QC. Canada

Posted 27 October 2015 - 09:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18\...\Run: [] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2975365810-1069161605-3862974675-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @java.com/DTPlugin -> C:\Program Files\Java\jre6\bin\npDeployJava1.dll [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll [No File]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
S4 kebzlm; no ImagePath
S4 catchme; \??\C:\ComboFixm\catchme.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files\Intel Corporation\Intel Processor Diagnostic Tool 64Bit\WinRing0x64.sys [X]
C:\Users\Tyson\AppData\Local\Temp\pyl1EFC.tmp.exe
C:\Users\Tyson\AppData\Local\Temp\sqlite3.dll
C:\Users\Tyson\AppData\Local\Temp\{30BC73EA-A2C2-416B-925D-D06EB95409F5}.exe
C:\Users\Tyson\AppData\Local\Temp\{818FF81A-9219-407C-86E8-E4E95950E965}.exe
C:\Users\Tyson\AppData\Local\Temp\{8E41C0B5-D483-41EE-A3AE-CA7ECF9AEBED}.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

What are the remaining issues with this computer?

#3 matt_au
  • Topic Starter
  • Members
  • 15 posts
  • Location: Australia

Posted 27 October 2015 - 09:37 PM

Hi Nasdaq,

Thank you for your help.  The title of my forum post should of course read "MBAM" and not "MBAR" - apologies, I was doing this at about 4am at the time (insomnia).

 

I have followed your instructions (NB I ran FRST from safe mode - let me know if I should do this from a normal bootup - unless I/you say otherwise I'm running in safe mode generally at this point until the machine is sorted out).

Here's what happened when I ran FRST64:

1. FRST ran.  The progress bar got about 2/3 of the way across, then the computer shut down and restarted.
2. I let it restart normally, which it did; I got my desktop etc. and it behaved as per normal.
3. I then shut it down and restarted (wanting to go into safe mode).  During shut down it sat for a few seconds waiting for programs to close, but the list of programs it was waiting for was empty.
4. On restart, POST/BIOS startup ran nearly the full way through, going as far as "Verifying DMI Pool Data".  It then sat there (I gave it about 3 minutes) doing nothing.  It never got to the final step, (press space to) Boot from CD....
5. After about 3 minutes with nothing further other than a blinking cursor, I pulled the power (Ctrl Alt Del did nothing).
6. I then restarted again.  This time it started normally, and I've now booted into Safe Mode.

Since I did this run of FRST64, Windows is no longer showing me the message about successful/unsuccessful logins after I enter my password on startup of Windows.


FRST log fixlog.txt content is at the end of this message.


Other strange behaviour that is catching my attention
=====================================================

NB These are the most significant items only.  There are other weird behaviours (quite a few), just these are the most obvious (to me at least, and remember I am a total amateur at this stuff :))



No digital certificates in the Properties tab on many exe's and dll's that I would consider "system" files
----------------------------------------------------------------------------------------------------------

E.g. from windows\system32 (this is just a small sample, there are MANY more):

rundll.exe
csrss.exe
conhost.exe
win32.sys
wininit.dll
wininit.exe
winhttp.dll
mshtml.dll

NB SFC reports no issues.



Some files in windows\system32 show recent modified dates
---------------------------------------------------------

E.g. the following show modified dates in September this year:

02/09/2015  11:47 AM           372,736 atmfd.dll
02/09/2015  11:51 AM         3,209,216 win32k.sys
02/09/2015  01:04 PM            46,080 atmlib.dll
02/09/2015  01:04 PM            14,336 dciman32.dll
02/09/2015  01:04 PM           100,864 fontsub.dll
02/09/2015  01:04 PM            41,984 lpk.dll
02/09/2015  10:26 PM           469,776 coin98ip.dll
04/09/2015  07:40 PM           466,736 coin98itp.dll

This could of course be Windows Update (see note below on Windows Update however).



Files in system32\tasks modified recently
-----------------------------------------

e.g. these (and a handful of others) were modified on 25 Oct:

MachineUnlock-5d
Logon-5d
Extractor Definitions Update Taswk
Microsoft Antimalware Scheduled Scan

If I were a hacker/malware writer wanting to keep my tools intact on a target machine, one thing I might do would be to modify some of the scheduled tasks so as to use them to periodically restore any implanted malware that gets removed.



Other
-----


Each part of the Windows startup process takes longer than it used to:
- The initial Windows logo display stays on screen for a longer time.
- After I enter password, there is a much longer delay before the desktop comes up.


Firefox is using a lot of memory, and in the last month or two I've started needing to restart it periodically.  NB I frequently have a LOT of tabs open, but it's handled this in the past.

GoogleUpdate.exe and associated scheduled tasks are present on this pc, but Chrome never installed.



WindowsUpdate.log file modified today.  Windows Update is set to notify me of updates but not install any until I do so myself.  For about a month it has not prompted me for new updates.  
- I have recently learned of the certificates issue with Windows Update and Microsoft putting out the KB patch to address it, but this patch has not yet been applied to this system.
- I don't ever install "recommended" updates, just the important ones.



My pc is configured so that on login it tells me the last successful/unsuccessful logins.  In the last week it has started reporting e.g. there have been 3 unsuccessful logins since your last successful login.  These logins were not by me.



A strange behaviour with my BIOS:  My mainboard is overclockable.  If I up the clock speed then on bootup POST shows the correct new clock speed.  A few days later on a reboot, the clock speed displayed (and as shown in BIOS setup) is back to the default setting.  All other settings remain correct, so I don't think it's because there is a battery problem.  The BIOS can be updated from Windows.  So a possible explanation might be that something has saved a copy of the BIOS state pre-me-overclocking-it, and is from time to time restoring this saved BIOS back to the mainboard.  This would be one possible way to explain it reverting to pre-overclocked state but not losing other setting changes I have made.



I have an old Swann webcam, which I wanted to use a month or two ago. I plugged it in and downloaded/installed the software for it.  The hardware didn't work, so I forgot about this and moved on to other things.  I've noticed since that there is now a directory c:\swann on my pc and it contains some "funny" hidden folders:

09/08/2015  01:54 AM    <DIR>          $Windows.~BT
08/08/2015  09:29 PM    <DIR>          tys$Windows.~BT
08/08/2015  09:33 PM    <DIR>          xx$Windows.~BT
08/08/2015  09:32 PM    <DIR>          xx$Windows.~WS
08/08/2015  10:49 PM    <DIR>          xxxxx$Windows.~WS

If I right-click > properties on them, they report to be containing e.g. 5 gigabytes of data.




NOTE:

I do not visit warez sites or use bittorrent (I avoid both like the plague, as well as non-legitimate copies of software).  However, I inherited this machine from my cousin ("Tyson", hence his name in c:\Users etc), and he has done both in the past.  He comes over from time to time so there is a possibility he has done so since I inherited this machine about a year ago.




FRST64 FIXLOG.TXT CONTENTS
===========================


Fix result of Farbar Recovery Scan Tool (x64) Version:25-10-2015 02
Ran by Tyson (2015-10-28 12:01:51) Run:1
Running from C:\Users\Tyson\Desktop
Loaded Profiles: Tyson (Available Profiles: Tyson)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18\...\Run: [] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2975365810-1069161605-3862974675-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @java.com/DTPlugin -> C:\Program Files\Java\jre6\bin\npDeployJava1.dll [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll [No File]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
S4 kebzlm; no ImagePath
S4 catchme; \??\C:\ComboFixm\catchme.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files\Intel Corporation\Intel Processor Diagnostic Tool 64Bit\WinRing0x64.sys [X]
C:\Users\Tyson\AppData\Local\Temp\pyl1EFC.tmp.exe
C:\Users\Tyson\AppData\Local\Temp\sqlite3.dll
C:\Users\Tyson\AppData\Local\Temp\{30BC73EA-A2C2-416B-925D-D06EB95409F5}.exe
C:\Users\Tyson\AppData\Local\Temp\{818FF81A-9219-407C-86E8-E4E95950E965}.exe
C:\Users\Tyson\AppData\Local\Temp\{8E41C0B5-D483-41EE-A3AE-CA7ECF9AEBED}.exe

End
*****************

Error: Restore point can only be created in normal mode.
Processes closed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\system32\GroupPolicy\User => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-2975365810-1069161605-3862974675-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\Software\MozillaPlugins\@java.com/DTPlugin" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9" => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{F003DA68-8256-4b37-A6C4-350FA04494DF} => value removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => key removed successfully
kebzlm => service removed successfully
catchme => service removed successfully
nvvad_WaveExtensible => service removed successfully
WinRing0_1_2_0 => service removed successfully
C:\Users\Tyson\AppData\Local\Temp\pyl1EFC.tmp.exe => moved successfully
C:\Users\Tyson\AppData\Local\Temp\sqlite3.dll => moved successfully
C:\Users\Tyson\AppData\Local\Temp\{30BC73EA-A2C2-416B-925D-D06EB95409F5}.exe => moved successfully
C:\Users\Tyson\AppData\Local\Temp\{818FF81A-9219-407C-86E8-E4E95950E965}.exe => moved successfully
C:\Users\Tyson\AppData\Local\Temp\{8E41C0B5-D483-41EE-A3AE-CA7ECF9AEBED}.exe => moved successfully
EmptyTemp: => 991.8 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 12:02:19 ====
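The poster's worry above is that recently modified entries under system32\tasks could be used to re-plant removed files. The following is an added example, not something from the thread or from any of the tools used in it: it lists every task definition under %SystemRoot%\System32\Tasks changed since a given date together with the program each task launches, so recent edits can be compared against what Windows Update, Defender or known software would plausibly have touched. It reads the task XML directly because Windows 7 / PowerShell 2.0 has no Get-ScheduledTask cmdlet, and it needs an elevated prompt to read that folder.

```powershell
# Added example (not from the thread): list scheduled tasks whose definition
# files were modified after a cut-off date, with the command each one runs.
# Works on Windows 7 / PowerShell 2.0 by parsing the task XML stored under
# %SystemRoot%\System32\Tasks (Get-ScheduledTask only exists on Windows 8+).
param(
    [datetime]$Since    = (Get-Date).AddDays(-14),
    [string]  $TaskRoot = (Join-Path $env:SystemRoot 'System32\Tasks')
)

function Get-TaskActions {
    # Returns the Exec actions (command + arguments) defined in one task XML file.
    param([System.IO.FileInfo]$File)
    try {
        [xml]$xml = Get-Content -LiteralPath $File.FullName -ErrorAction Stop
    } catch {
        return @("<unreadable: $($_.Exception.Message)>")
    }
    # Task Scheduler XML uses a default namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    $actions = @()
    foreach ($exec in $xml.SelectNodes('//t:Actions/t:Exec', $ns)) {
        # Expand %SystemRoot%, %ProgramFiles% etc. so the path can be checked on disk.
        $cmd = [Environment]::ExpandEnvironmentVariables($exec.Command)
        $actions += ("{0} {1}" -f $cmd, $exec.Arguments).Trim()
    }
    if ($actions.Count -eq 0) { $actions = @('<no Exec action>') }
    return $actions
}

Get-ChildItem -LiteralPath $TaskRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $Since } |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        $task = $_
        foreach ($action in Get-TaskActions -File $task) {
            New-Object PSObject -Property @{
                Modified = $task.LastWriteTime
                Task     = $task.FullName.Substring($TaskRoot.Length)
                Runs     = $action
            }
        }
    } | Format-Table -AutoSize -Wrap Modified, Task, Runs
```

A task whose Runs column points at a user profile, a Temp folder, or a binary that no longer exists is the kind of entry worth pasting into a reply for the helper; a recent date on its own is not evidence of anything.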



#4 matt_au
  • Topic Starter
  • Members
  • 15 posts
  • Location: Australia

Posted 27 October 2015 - 09:38 PM

Also, please ignore any typos.  I recently bought a new keyboard, and, well, let's just say I'm not totally pleased with it :)



#5 matt_au
  • Topic Starter
  • Members
  • 15 posts
  • Location: Australia

Posted 28 October 2015 - 12:01 AM

CORRECTION TO MY ABOVE REPLY
============================

I badly worded the statement about digital certificates.  What I was trying to say is that the "Digital Certificates" tab does not show at all for the listed files if I right click > Properties.



KEYBOARD STRANGENESS
====================

As I mentioned above, I have had a new keyboard for about a month.  My old keyboard was a wireless bluetooth one, and I've been a little suspicious that there's something up with the bluetooth on this system.  So I switched to a USB wired one.  Likewise for my mouse too.

Ever since I've been using the new keyboard, I've had frequent problems with it double-typing letters.  E.g. on this last sentence I wrote I had double letters appearing in about every third word.  I had pput this doown too me being a heavy typer (this sentennce is an exampple of what I get if I dont correct typos).

While waiting to hear from you, I've been running the computer off a Linux Mint LiveCD and restricting my usage to just web browsing.  While running like so, I've noticed that the keyboard behaves differently to what it does under Windows:

1. CTRL and ALT are both acting instead as if they were the SHIFT key.  If I type either CTRL+C or ALT+C I instead get an upper case C.  Pressing just ALT doesn't take me to the menu bar either.

2. Caps Lock works, but the caps lock light doesn't light up (whereas it does under windows).  I.e. if I press caps lock I get all capitals as expected, but the caps lock light doesn't work.


- I might have a faulty keyboard - time to return it?
- or is it something else?  I have zero experience with keyloggers and similar so no idea.

Just thought I'd mention this in case it's of help.



GMER CRASHES
============

While waiting for your next reply, I tried to run GMER from a regular boot into Windows (network cable unplugged, GMER downloaded while booted in Mint LiveCD, with GMER random .exe name).

GMER loaded and did its initial thing, and showed the rootkit tab entirely empty.

I checked all options other than "Show All", and had quick scan checked but not C: or E:.

The scan ran for several minutes.  The Rootkit tab filled up with thousands of registry key entries, then crashed.



NB I was doing this to take a look only.  I have no intention of changing anything, clicking "Fix Now" in any anti-malware tool etc, unless instructed to do so by you.
 



#6 matt_au
  • Topic Starter
  • Members
  • 15 posts
  • Location: Australia

Posted 28 October 2015 - 12:16 AM

In case it helps, I took some screenshots of Task Manager showing what's running when I boot into Windows normally, with nothing running other than Task Manager and a single Explorer window opening.  These were taken about 10 minutes ago, when I booted Windows normally to run GMER (they were taken before I ran GMER).



#7 nasdaq
  • Malware Response Team
  • 39,520 posts
  • Location: Montreal, QC. Canada

Posted 28 October 2015 - 08:54 AM

The problem with your Keyboard and mouse may not be caused by malware.
Hardware problems are not my forte.

If you need help on that issue I suggest you ask in the External Hardware forum
http://www.bleepingcomputer.com/forums/f/138/external-hardware/
An expert should be able to help.

===

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

p.s.

If you have a CD emulator disable it before running the TdssKiller tool.

Disable the CD emulators....

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed. Or when this computer is clean.

HOW TO: Enable the CD Emulators... < restore only when we are finished.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.
===

#8 matt_au
  • Topic Starter
  • Members
  • 15 posts
  • Location: Australia

Posted 28 October 2015 - 08:02 PM

I have run TDSSKiller as instructed and it has reported no problems.

 

Do you know if it's normal to not see the Digital Certificates tab in Properties for the system files mentioned? (I checked again and it's still not showing.)  I've looked on the Microsoft site but they sure don't make it easy to find answers to questions like that.



#9 nasdaq
  • Malware Response Team
  • 39,520 posts
  • Location: Montreal, QC. Canada

Posted 29 October 2015 - 07:53 AM

I forgot to add this in my last instructions.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

To answer your question I do not know.

#10 matt_au
  • Topic Starter
  • Members
  • 15 posts
  • Location: Australia

Posted 30 October 2015 - 07:35 AM

aswMBR log follows, with a couple of edits as noted.  Zipped MBR.dat attached (which perhaps ironically is larger than the unzipped file it contains).

 

I've posted a separate question in the Windows 7 forum asking if other people see the Digital Signatures tab for core windows files:  http://www.bleepingcomputer.com/forums/t/594834/should-the-digital-certificates-tab-appear-in-properties-for-core-system-files

 

 

Thanks again for your help.

 

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-10-30 21:41:34
-----------------------------
21:41:34.508    OS Version: Windows x64 6.1.7601 Service Pack 1
21:41:34.508    Number of processors: 2 586 0xF06
21:41:34.508    ComputerName: I_DELETED_THIS_MANUALLY_IN_THIS_REPLY  UserName: I_DELETED_THIS_MANUALLY_IN_THIS_REPLY
21:41:35.756    Initialize success
21:41:35.771    VM: initialized successfully
21:41:35.787    VM: Intel CPU supported  
21:41:37.120    VM: supported disk I/O ataport.SYS
21:46:51.376    AVAST engine defs: 15103000
21:47:04.043    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
21:47:04.059    Disk 0 Vendor: M4-CT128M4SSD2 040H Size: 122103MB BusType: 3
21:47:04.059    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-2
21:47:04.059    Disk 1 Vendor: ST500DM002-1BD142 KC43 Size: 476940MB BusType: 3
21:47:04.074    Disk 0 MBR read successfully
21:47:04.090    Disk 0 MBR scan
21:47:04.152    Disk 0 Windows 7 default MBR code
21:47:04.152    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
21:47:04.168    Disk 0 default boot code
21:47:04.215    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       122001 MB offset 206848
21:47:04.324    Disk 0 scanning C:\Windows\system32\drivers
21:47:19.830    Service scanning
21:47:53.947    Modules scanning
21:47:53.947    Disk 0 trace - called modules:
21:47:53.963    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys  
21:47:53.963    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004216060]
21:47:53.979    3 CLASSPNP.SYS[fffff880018ed43f] -> nt!IofCallDriver -> [0xfffffa8003de8580]
21:47:53.979    5 ACPI.sys[fffff88000f7a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8003dea060]
21:47:54.353    AVAST engine scan C:\Windows
21:47:57.988    AVAST engine scan C:\Windows\system32
21:53:28.209    AVAST engine scan C:\Windows\system32\drivers
21:53:41.750    AVAST engine scan C:\Users\Tyson
22:13:26.884    AVAST engine scan C:\ProgramData
22:15:10.032    Disk 0 statistics 5596248/0/0 @ 11.38 MB/s
22:15:10.047    Scan finished successfully
22:17:13.069    Disk 0 MBR has been saved successfully to "C:\Users\Tyson\Desktop\MBR.dat"
22:17:13.116    The log file has been saved successfully to "C:\Users\Tyson\Desktop\aswMBR.txt"
 


#11 nasdaq
  • Malware Response Team
  • 39,520 posts
  • Location: Montreal, QC. Canada

Posted 30 October 2015 - 09:19 AM

Your BIOS is OK.

Quoted from this article.
http://blog.didierstevens.com/2008/01/11/the-case-of-the-missing-digital-signatures-tab/

But when a file is signed via a security catalog file, the Digital Signatures tab is not displayed. Notepad is a good example:


Hope it helps.

===
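The article quoted above explains why the Digital Signatures tab is missing on catalog-signed files such as notepad.exe, and the next reply confirms sigcheck reports them as valid. This added example (not from the thread or the quoted article) shows the same distinction from PowerShell: Get-AuthenticodeSignature reports a Status for each file and, on PowerShell 3.0 and later, a SignatureType of Authenticode (embedded, tab shown) or Catalog (valid, no tab). The file list is an assumption chosen from the names the poster mentioned; on Windows 7's PowerShell 2.0 the cmdlet does not consult security catalogs, so catalog-signed files there report NotSigned and sigcheck is the right tool.

```powershell
# Added example (not from the thread): Authenticode status of System32 files,
# separating embedded signatures (Digital Signatures tab present) from catalog
# signatures (valid, but no tab, as Didier Stevens' article explains).
# SignatureType needs PowerShell 3.0+; on PowerShell 2.0 the Type column stays
# blank and catalog-signed files show NotSigned, so use sigcheck there instead.
param(
    [string]  $Folder = (Join-Path $env:SystemRoot 'System32'),
    [string[]]$Names  = @('notepad.exe', 'winlogon.exe', 'wininit.exe', 'csrss.exe',
                          'conhost.exe', 'rundll32.exe', 'winhttp.dll', 'mshtml.dll')
)

function Get-SignatureReport {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Object PSObject -Property @{ File = $path; Status = 'missing'; Type = ''; Signer = '' }
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $type = ''
        # SignatureType does not exist on older PowerShell; probe before reading it.
        if ($sig.PSObject.Properties['SignatureType']) { $type = [string]$sig.SignatureType }
        $signer = ''
        if ($sig.SignerCertificate) {
            # Keep only the CN of the signer subject for a compact column.
            $signer = $sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1'
        }
        New-Object PSObject -Property @{
            File   = Split-Path -Leaf $path
            Status = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
            Type   = $type                 # Authenticode (embedded) or Catalog
            Signer = $signer
        }
    }
}

$report = Get-SignatureReport -Paths ($Names | ForEach-Object { Join-Path $Folder $_ })
$report | Format-Table -AutoSize File, Status, Type, Signer

# Status other than Valid is a reason to look closer (sigcheck -a -h, SFC), not
# proof of tampering; Catalog with Status Valid is the normal case for OS files.
$report | Where-Object { $_.Status -ne 'Valid' } | ForEach-Object {
    Write-Warning ("{0}: {1}" -f $_.File, $_.Status)
}
```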

#12 matt_au
  • Topic Starter
  • Members
  • 15 posts
  • Location: Australia

Posted 30 October 2015 - 05:50 PM

Thanks Nasdaq.  I scanned a bunch of files in System32 using sigcheck and they are all reporting as signed/valid.

 

So I'm good to go then?



#13 matt_au
  • Topic Starter
  • Members
  • 15 posts
  • Location: Australia

Posted 30 October 2015 - 06:12 PM

FYI I noticed this (see attached screenshot) while browsing Microsoft to make sure my Windows Update is ok.  It doesn't fill me with confidence, seeing this on a web page devoted to keeping Windows secure.

 

The URL was:

https://support.microsoft.com/en-us/gp/windows-update-issues/en-us



#14 nasdaq
  • Malware Response Team
  • 39,520 posts
  • Location: Montreal, QC. Canada

Posted 31 October 2015 - 08:15 AM

Are you concerned about the "the connection is not secure" message?

Check your Time and Date on your computer.

Try to use another browser to download the fix.

If the computer is connected to a router, maybe it's the culprit.

How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html
If it is then think about resetting it just in case it was compromised.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====

Keep me posted.

#15 matt_au
  • Topic Starter
  • Members
  • 15 posts
  • Location: Australia

Posted 03 November 2015 - 03:26 AM

Hi Nasdaq, sorry for the delayed response.  The real world has been keeping me unexpectedly busier than usual the past two days.  Thanks for persevering with me :) I'm free for the evening so I'll be running through everything you've posted above.  I'll reply with more when done.





