Rootkit: SSDT:Inl (ZwDeleteAtom)


This topic is locked. 12 replies to this topic.

#1 lovelinn


Posted 11 January 2016 - 02:38 AM

Hi everyone,

I formatted my PC 3 times but RogueKiller keeps showing this rootkit. I'm not sure if I'm infected or if it is a false positive; I hope you can help me.

RogueKiller V11.0.6.0 [Jan 4 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Discussion : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal Mode
User : LAVORO [Administrator]
Started from : C:\Users\LAVORO\Desktop\RogueKiller32.exe
Mode : Scan -- Date : 01/11/2016 08:18:21

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path|Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kxdirpog (\??\C:\Users\LAVORO\AppData\Local\Temp\kxdirpog.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kxdirpog (\??\C:\Users\LAVORO\AppData\Local\Temp\kxdirpog.sys) -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3034528100-1596100231-2582995443-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[SSDT:Inl(Hook.SSDT)] ZwDeleteAtom[99] : C:\Windows\System32\win32k.sys @ 0xffffffff81ec59bd (call dword [0x8272cd14])

¤¤¤ Web Browser : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3250310AS ATA Device +++++
--- User ---
[MBR] 53e23591484d00e1b6baabd4d9ba4ff2
[BSP] 9ce1eff642eeffec981ee681b4a44ee2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK



Edited by Oh My!, 17 January 2016 - 09:57 AM.



#2 HelpBot


Posted 16 January 2016 - 02:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

Click this link: http://www.bleepingcomputer.com/logreply/601924



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your destop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 lovelinn


Posted 17 January 2016 - 08:41 AM

Hello,

I have the original Windows DVD; logs attached.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:31-12-2015
Ran by LAVORO (administrator) on LAVORO-PC (17-01-2016 14:34:51)
Running from C:\Users\LAVORO\Desktop
Loaded Profiles: LAVORO (Available Profiles: LAVORO)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: Italiano (Italia)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)



==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)


Internet Explorer:
==================

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U3 kxdirpog; \??\C:\Users\LAVORO\AppData\Local\Temp\kxdirpog.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-17 14:34 - 2016-01-17 14:35 - 00001938 _____ C:\Users\LAVORO\Desktop\FRST.txt
2016-01-17 14:34 - 2016-01-05 21:25 - 01721856 _____ (Farbar) C:\Users\LAVORO\Desktop\FRST.exe
2016-01-11 08:36 - 2016-01-11 08:36 - 00003626 _____ C:\Users\LAVORO\Desktop\rk_F1DE.txt
2016-01-11 08:35 - 2016-01-17 14:34 - 00000000 ____D C:\FRST
2016-01-11 08:24 - 2016-01-11 08:24 - 00057560 _____ C:\Users\LAVORO\AppData\Local\GDIPFONTCACHEV1.DAT
2016-01-11 08:12 - 2016-01-11 08:36 - 00000000 ____D C:\ProgramData\RogueKiller
2016-01-11 08:12 - 2016-01-11 08:12 - 00030848 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-01-11 07:57 - 2016-01-11 07:57 - 00001397 _____ C:\Users\LAVORO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-01-11 07:57 - 2016-01-11 07:57 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2016-01-11 07:57 - 2016-01-05 15:56 - 20835400 _____ C:\Users\LAVORO\Desktop\RogueKiller32.exe
2016-01-11 07:57 - 2015-12-11 22:50 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\LAVORO\Desktop\TDSSKiller.exe
2016-01-11 07:56 - 2016-01-11 07:56 - 00000020 ___SH C:\Users\LAVORO\ntuser.ini
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Public\Documents\Video
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Public\Documents\Musica
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Public\Documents\Immagini
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Risorse di stampa
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Risorse di rete
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Recenti
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Modelli
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Menu Avvio
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Impostazioni locali
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Documents\Video
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Documents\Musica
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Documents\Immagini
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Documenti
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\Dati applicazioni
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\AppData\Roaming\Microsoft\Windows\Start Menu\Programmi
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\AppData\Local\Dati applicazioni
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\LAVORO\AppData\Local\Cronologia
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Risorse di stampa
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Risorse di rete
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Recenti
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Modelli
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Menu Avvio
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Impostazioni locali
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Documents\Video
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Documents\Musica
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Documents\Immagini
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Documenti
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\Dati applicazioni
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programmi
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\AppData\Local\Dati applicazioni
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default\AppData\Local\Cronologia
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default User\Documents\Video
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default User\Documents\Musica
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default User\Documents\Immagini
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programmi
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default User\AppData\Local\Dati applicazioni
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Users\Default User\AppData\Local\Cronologia
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Programmi
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\ProgramData\Preferiti
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\ProgramData\Modelli
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\ProgramData\Microsoft\Windows\Start Menu\Programmi
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\ProgramData\Menu Avvio
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\ProgramData\Documenti
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\ProgramData\Dati applicazioni
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 _SHDL C:\Program Files\File comuni
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 ____D C:\Users\LAVORO\AppData\Local\VirtualStore
2016-01-11 07:56 - 2016-01-11 07:56 - 00000000 ____D C:\Users\LAVORO
2016-01-11 07:56 - 2011-04-12 05:27 - 00000000 ____D C:\Users\LAVORO\AppData\Roaming\Media Center Programs
2016-01-11 07:52 - 2016-01-11 07:52 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-01-11 07:52 - 2016-01-11 07:52 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2016-01-11 07:48 - 2016-01-11 07:56 - 00000000 ____D C:\Windows\Panther

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-17 14:32 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-11 08:41 - 2009-07-14 05:34 - 00016656 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-11 08:41 - 2009-07-14 05:34 - 00016656 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-11 08:37 - 2011-04-12 05:18 - 00689234 _____ C:\Windows\system32\perfh010.dat
2016-01-11 08:37 - 2011-04-12 05:18 - 00124420 _____ C:\Windows\system32\perfc010.dat
2016-01-11 08:37 - 2010-11-20 22:01 - 01516554 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-11 08:37 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\inf
2016-01-11 08:35 - 2009-07-14 03:37 - 00000000 ____D C:\Windows
2016-01-11 07:56 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\rescache
2016-01-11 07:56 - 2009-07-14 03:37 - 00000000 ____D C:\Program Files\Windows NT
2016-01-11 07:54 - 2009-07-14 05:33 - 00266320 _____ C:\Windows\system32\FNTCACHE.DAT
2016-01-11 07:51 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\system32\sysprep
2016-01-11 07:50 - 2011-04-12 05:27 - 00000000 ____D C:\Windows\CSC
2016-01-11 07:48 - 2009-07-14 05:52 - 00028672 _____ C:\Windows\system32\config\BCD-Template

Some files in TEMP:
====================
C:\Users\LAVORO\AppData\Local\Temp\dllnt_dump.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-01-11 07:49

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version:31-12-2015
Ran by LAVORO (2016-01-17 14:35:19)
Running from C:\Users\LAVORO\Desktop
Microsoft Windows 7 Professional Service Pack 1 (X86) (2016-01-11 06:56:30)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3034528100-1596100231-2582995443-500 - Administrator - Disabled)
Guest (S-1-5-21-3034528100-1596100231-2582995443-501 - Limited - Disabled)
LAVORO (S-1-5-21-3034528100-1596100231-2582995443-1000 - Administrator - Enabled) => C:\Users\LAVORO

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)


==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {6AEF0C98-2CB4-4B67-8C70-4C977C7355CC} - System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask => start sppsvc
Task: {D622195C-D680-4FEA-9C56-59660C7C9E94} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:04 - 2009-06-10 22:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3034528100-1596100231-2582995443-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\LAVORO\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============

Name: Porta seriale PCI
Description: Porta seriale PCI
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/17/2016 02:34:37 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/11/2016 07:56:27 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============

==================== Memory info ===========================

Processor: Intel® Pentium® Dual CPU E2180 @ 2.00GHz
Percentage of memory in use: 27%
Total physical RAM: 2038.24 MB
Available physical RAM: 1468.95 MB
Total Virtual: 4076.48 MB
Available Virtual: 3477.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.79 GB) (Free:224.26 GB) NTFS
Drive e: (USB) (Removable) (Total:0.12 GB) (Free:0.02 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 06DC06DB)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 123.3 MB) (Disk ID: 70707573)
No partition Table on disk 1.

==================== End of Addition.txt ============================



Edited by Oh My!, 17 January 2016 - 09:56 AM.


#4 Oh My!


Posted 17 January 2016 - 09:53 AM

Greetings lovelinn and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

It is Sunday morning for me so I will be away from my computer for a few hours but I just wanted to let you know I will be working on your issue and should post back a little later today.

Thanks for your understanding and patience.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 lovelinn


Posted 17 January 2016 - 02:15 PM

Hello Oh My! Thanks for your help.

Tonight I can't use the computer, but tomorrow I will follow your instructions.

Sorry for my bad English, it's not my first language.



#6 Oh My!


Posted 17 January 2016 - 02:52 PM

Thanks, we will do the best we can.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
File: C:\Users\LAVORO\AppData\Local\Temp\kxdirpog.sys
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog

Gary
 

#7 lovelinn


Posted 18 January 2016 - 02:56 AM

Fix result of Farbar Recovery Scan Tool (x86) Version:31-12-2015
Ran by LAVORO (2016-01-18 08:54:20) Run:1
Running from C:\Users\LAVORO\Desktop
Loaded Profiles: LAVORO (Available Profiles: LAVORO)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
File: C:\Users\LAVORO\AppData\Local\Temp\kxdirpog.sys
*****************
 
 
========================= File: C:\Users\LAVORO\AppData\Local\Temp\kxdirpog.sys ========================
 
"C:\Users\LAVORO\AppData\Local\Temp\kxdirpog.sys" => not found.
====== End of File: ======
 
 
==== End of Fixlog 08:54:21 ====


#8 Oh My!


Posted 18 January 2016 - 09:49 AM

Thanks, that is different from what RogueKiller is telling us. Let's look for that file another way. Please do this.

===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:filefind
*kxdirpog*
:regfind
*kxdirpog*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • SystemLook report

Gary
 

#9 lovelinn


Posted 18 January 2016 - 10:48 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 16:46 on 18/01/2016 by LAVORO
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "*kxdirpog*"
No files found.
 
========== regfind ==========
 
Searching for "*kxdirpog*"
No data found.
 
-= EOF =-
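Across the logs posted so far there are two distinct findings: a service key (kxdirpog) whose ImagePath points at a .sys in the user's Temp directory that neither FRST nor SystemLook can find on disk, and an SSDT inline hook on ZwDeleteAtom whose target resolves into C:\Windows\System32\win32k.sys. The Python below is an added example for this page, not code from RogueKiller, FRST, SystemLook or anyone in the thread: it parses exactly those posted lines, merges the duplicate CurrentControlSet/ControlSet001 entries, and applies a few triage rules a responder would check before acting. The PRESENT_FILES set is a constructed stand-in for an on-host os.path.exists() call so the example runs offline, the verdict strings are my own heuristics, and folding 0xffffffff81ec59bd to 0x81ec59bd assumes the tool prints a sign-extended 32-bit address on x86.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Sample input: lines copied from the RogueKiller and FRST logs posted in this thread.
SAMPLE_LOG = r"""
[Suspicious.Path|Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kxdirpog (\??\C:\Users\LAVORO\AppData\Local\Temp\kxdirpog.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kxdirpog (\??\C:\Users\LAVORO\AppData\Local\Temp\kxdirpog.sys) -> Found
U3 kxdirpog; \??\C:\Users\LAVORO\AppData\Local\Temp\kxdirpog.sys [X]
[SSDT:Inl(Hook.SSDT)] ZwDeleteAtom[99] : C:\Windows\System32\win32k.sys @ 0xffffffff81ec59bd (call dword [0x8272cd14])
"""

# Constructed stand-in for an on-host os.path.exists() check so this runs offline.
# FRST's "[X]" and SystemLook's "No files found" say kxdirpog.sys is gone; win32k.sys
# is assumed present because it is a core Windows kernel-mode module.
PRESENT_FILES = frozenset({r"c:\windows\system32\win32k.sys"})

# RogueKiller "Registry" line: [tags] HKEY_...\Services\<name> (<ImagePath>) -> Found
RK_SERVICE = re.compile(
    r"^\[(?P<tags>[^\]]+)\]\s+HKEY_\S+?\\Services\\(?P<name>[^\\\s]+)\s+\((?P<image>[^)]+)\)")
# FRST "Drivers" line: <state><start> <name>; <ImagePath> [X]   ([X] = file not found)
FRST_DRIVER = re.compile(
    r"^(?P<state>[A-Z])(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<image>.+?)(?P<missing>\s+\[X\])?$")
# RogueKiller "Antirootkit" line: [SSDT:Inl(Hook.SSDT)] Func[idx] : <module> @ <addr> (...)
RK_SSDT = re.compile(
    r"^\[SSDT:Inl\(Hook\.SSDT\)\]\s+(?P<func>\w+)\[(?P<index>\d+)\]\s+:\s+(?P<module>\S+)\s+@\s+(?P<addr>0x[0-9a-fA-F]+)")

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SYSTEM_DIR = "c:\\windows\\system32\\"


@dataclass
class Finding:
    kind: str                  # "service" or "ssdt-hook"
    name: str
    image: str                 # normalised, lower-case path of the driver or hook target
    addr: int = 0              # hook address, folded to 32 bits for x86 logs
    verdicts: List[str] = field(default_factory=list)

    def add(self, verdict: str) -> None:
        if verdict not in self.verdicts:
            self.verdicts.append(verdict)


def normalize_path(path: str) -> str:
    """Drop the NT object-manager prefix (\\??\\) that ImagePath values carry, lower-case."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def normalize_kernel_address(addr: int, is_32bit: bool) -> int:
    """0xffffffff81ec59bd in a 32-bit log reads as a sign-extended 32-bit address
    (assumption about RogueKiller's formatting); fold it back to 0x81ec59bd."""
    if is_32bit and (addr >> 32) == 0xFFFFFFFF:
        return addr & 0xFFFFFFFF
    return addr


def apply_service_rules(f: Finding, present_files: FrozenSet[str], missing_flag: bool) -> None:
    if any(d in f.image for d in TEMP_DIRS):
        f.add("image path in a temp directory: legitimate persistent drivers are not installed there")
    if missing_flag or f.image not in present_files:
        f.add("image absent on disk: orphaned entry that can no longer load; delete the key, nothing to dump")


def apply_hook_rules(f: Finding) -> None:
    if f.image.startswith(SYSTEM_DIR):
        f.add("hook target inside a module under System32: verify that file's signature and hash before calling it benign")
    else:
        f.add("hook target outside System32: rootkit candidate, acquire and analyse the module")


def triage_log(text: str, present_files: FrozenSet[str] = PRESENT_FILES,
               is_32bit: bool = True) -> List[Finding]:
    """Run the rules over mixed RogueKiller/FRST lines. Entries for the same service
    (CurrentControlSet vs ControlSet001, RogueKiller vs FRST) are merged into one finding."""
    findings: Dict[Tuple[str, str, str], Finding] = {}

    def get(kind: str, name: str, image: str) -> Finding:
        return findings.setdefault((kind, name, image), Finding(kind, name, image))

    for raw in text.splitlines():
        line = raw.strip()
        if m := RK_SERVICE.match(line):
            f = get("service", m["name"].lower(), normalize_path(m["image"]))
            if "Hidden.From.SCM" in m["tags"].split("|"):
                f.add("service key present in the registry but not reported by the SCM")
            apply_service_rules(f, present_files, missing_flag=False)
        elif m := FRST_DRIVER.match(line):
            f = get("service", m["name"].strip().lower(), normalize_path(m["image"]))
            apply_service_rules(f, present_files, missing_flag=bool(m["missing"]))
        elif m := RK_SSDT.match(line):
            f = get("ssdt-hook", f"{m['func']}[{m['index']}]", normalize_path(m["module"]))
            f.addr = normalize_kernel_address(int(m["addr"], 16), is_32bit)
            apply_hook_rules(f)
    return list(findings.values())


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind} {f.name} -> {f.image}" + (f" @ 0x{f.addr:08x}" if f.addr else ""))
        for v in f.verdicts:
            print("   -", v)
```

On a live host, swap PRESENT_FILES for os.path.exists() over each parsed image path and feed the script the Drivers section of FRST.txt together with the Registry and Antirootkit sections of the RogueKiller report. An orphaned service key is inert, since nothing can be loaded from a path that does not exist, which is why the practical remedy for it is deleting the key; a hook whose target sits in a module under System32 is only as trustworthy as that module's file, so the check to add is signature and hash verification of the module, not the path alone.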


#10 Oh My!


Posted 18 January 2016 - 01:22 PM

Thank you,

Your computer is clean. Not all hooks are malicious and this one is not.


Edited by Oh My!, 19 January 2016 - 10:02 AM.

Gary
 

#11 lovelinn


Posted 19 January 2016 - 11:47 AM

OK, thanks for your help.



#12 Oh My!


Posted 19 January 2016 - 02:46 PM


Now that your computer is running well it is my great pleasure to proclaim to you the Good News!

===================================================

All Clean!

--------------

Your machine appears to be clean and you may delete any programs or logs on your computer as a result of our efforts. If we used Emsisoft Emergency Kit just delete the icon on your desktop and the C:\EEK folder. For everything else you simply delete the log files or desktop icons.

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read it.

In addition, here are some more links you might find of interest:

I will leave this topic open for just a brief period of time in case you have any further issues then it will be closed shortly thereafter.

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary
 

#13 Oh My!


Posted 20 January 2016 - 08:37 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



