Requested to post topic here to check if infected. Please help.


This topic is locked. 39 replies to this topic.

#1 schweppes4rums (Members, 32 posts)

Posted 13 January 2016 - 09:20 AM

Hello All,

I've been requested to post here to get help verifying whether my system is infected.

I have been getting dreaded BSODs, with the driver ntkrnlpa.exe causing the error.

I've checked whether it is a rootkit with GMER, whose log advises rootkit-like behaviour, but investigating using mdschecker shows that it is a normal Win 7 master boot record, so it seems it has not been modified in any way.

I've used HitmanPro, ComboFix, Malwarebytes and recently Emsisoft, which did find a Win32 Bunndle variant that has now been deleted.

The Rkill log also shows that there was no malware to kill. However, when using RogueKiller the system crashes with a BSOD caused by ntkrnlpa.exe. It seems it crashes as soon as it looks for rootkits; otherwise it was scanning fine.

Please find attached a zip of the .txt file created using BlueScreenView and also the .txt output files from FRST, as advised.

I hope someone can take a look at the logs from ComboFix, HijackThis etc. to determine whether this is really being caused by some malicious rootkit or other virus.

I can also use Autoruns and KillSwitch to help diagnose.

Thanks in advance. I really need to get my system back up and running.

 

 

Attached Files




#2 schweppes4rums (Topic Starter)

Posted 14 January 2016 - 09:23 AM

Does anyone have any time to help me check the ComboFix, HijackThis logs etc.? I need some help; I've had no replies yet, and I have another issue posted here http://www.bleepingcomputer.com/forums/t/602104/bsods-possible-caused-by-driver-or-virus-etc/ : I can't delete registry keys for Comodo. It's becoming a pain, as I don't know if I have a virus or rootkit hiding in my system and stopping me from reinstalling Comodo, and I have been getting BSODs.



#3 nasdaq (Malware Response Team)

Posted 14 January 2016 - 11:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1044779314-988299695-3897411292-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1044779314-988299695-3897411292-1000 -> DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\Users\SC\AppData\Local\Temp\catchme.sys [X]
S3 pxkbf; System32\drivers\pxkbf.sys [X]
Task: {3609A2D4-1F3F-404B-8C09-C3BCB4A18511} - \DigitalSite -> No File <==== ATTENTION
Task: {8FD00F85-3AEE-4911-A520-730CC1187C29} - System32\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} => C:\ProgramData\cis59E2.exe <==== ATTENTION
C:\ProgramData\cis59E2.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Control Panel > Programs and Features applet.
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)

What issues are persisting?

#4 schweppes4rums (Topic Starter)

Posted 16 January 2016 - 05:46 AM

Hello nasdaq, sorry I didn't get back to you quicker; I've been working with Usasma here http://www.bleepingcomputer.com/forums/t/602104/bsods-possible-caused-by-driver-or-virus-etc/ to solve some BSODs I have been getting. Please check out that post if you can, as I'm currently unable to download any Windows updates as recommended and I cannot find the Asus ATK0110 ACPI Utility driver for my mobo. I also require the Security Processor Loader Driver ROOT\LEGACY_SPLDR\0000 Windows update, as advised by usasma.

I have followed this guide https://support.microsoft.com/en-us/kb/971058 to rectify the problem, but I was unable to re-register some of the BITS files using the cmd prompt. I also ran the MS Fix It software and even installed the latest Windows Update Agent. Nothing as yet has solved this problem and I'm still stuck on the rolling bar checking for Windows updates. I can't delete all of the files in the SoftwareDistribution folder as access is denied. This is a similar problem to the one I am having with reinstalling the latest version of Comodo: I have used the Chiron guide on Comodo's forums to uninstall Comodo including its registry entries, but particular registry entries such as cmdagent in machine\system\services\controlset001 still exist, and I cannot delete these either, even using Sysnative PsExec to get higher SYSTEM-level privileges, so that I can reinstall Comodo and have it stay put after a system reboot.

I suspect malware hidden in my system that has changed the security descriptors for Windows Update and the registry keys for Comodo.

I really need some help; I've been at this for a week :(
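The symptom described in the post above (a delete that fails with "Access is denied" even from a SYSTEM-level PsExec shell) is usually explained by the object's security descriptor rather than by a missing privilege: an explicit Deny ACE applies to SYSTEM like any other principal, and a foreign owner with inheritance blocked leaves nobody but that owner able to change the DACL. The script below is an added example, not code from the thread or from any tool named in it. It is read-only: it reports the owner, inheritance state and every ACE of a registry key or folder, and flags Deny entries and unexpected owners. The three paths at the bottom are the ones discussed in this thread (CurrentControlSet is the live alias of ControlSet001 on a normally booted system); the function name and report layout are mine. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the thread): inspect the security descriptor on a registry key or
# folder before trying to delete it. Read-only; run elevated.
function Get-AclReport {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : does not exist" }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch {
        # If even READ_CONTROL is denied, Get-Acl fails; ownership has to be taken first.
        return "$Path : cannot read security descriptor ($($_.Exception.Message)); take ownership first"
    }

    $lines = @("$Path",
               "  owner       : $($acl.Owner)",
               "  inheritance : " + $(if ($acl.AreAccessRulesProtected) { 'BLOCKED (explicit DACL only)' } else { 'inherited from parent' }))
    foreach ($ace in $acl.Access) {
        # Registry rules carry RegistryRights, file-system rules carry FileSystemRights.
        $rights = if ($ace.PSObject.Properties['RegistryRights']) { $ace.RegistryRights } else { $ace.FileSystemRights }
        $mark = if ($ace.AccessControlType -eq 'Deny') { '   <== DENY' } else { '' }
        $lines += '  {0,-5} {1,-35} {2}{3}' -f $ace.AccessControlType, $ace.IdentityReference, $rights, $mark
    }
    # Owners that are normal for system keys and folders; anything else deserves a look.
    $expectedOwners = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
    if ($expectedOwners -notcontains $acl.Owner) { $lines += '  [!] owner is not SYSTEM, Administrators or TrustedInstaller' }
    if (@($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count -gt 0) { $lines += '  [!] explicit Deny entries present' }
    $lines -join "`n"
}

# The objects the thread is about: the leftover Comodo service key, the Defender service key,
# and the Windows Update download cache whose files could not be deleted.
$paths = 'HKLM:\SYSTEM\CurrentControlSet\Services\cmdagent',
         'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend',
         "$env:SystemRoot\SoftwareDistribution"
foreach ($p in $paths) { Get-AclReport $p; '' }
```

If the report shows Deny ACEs or an owner that is not SYSTEM, Administrators or TrustedInstaller, the delete will keep failing until ownership is taken: for folders, `takeown /F <path> /R /A` followed by `icacls <path> /reset /T`; for registry keys, regedit's Permissions > Advanced dialog lets an elevated administrator change the owner and then replace the DACL. Taking ownership is also what the "Repair Registry Permissions" and "Reset File Permissions" steps of a repair tool do in bulk, so running the report before and after such a repair shows whether the permissions were actually the cause.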



#5 schweppes4rums (Topic Starter)

Posted 16 January 2016 - 05:51 AM

I have created the fixlog.txt file as requested; please take a look. Thanks.

Attached Files



#6 nasdaq (Malware Response Team)

Posted 16 January 2016 - 09:28 AM

Let's see what is missing.

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes or OK when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

#7 schweppes4rums (Topic Starter)

Posted 16 January 2016 - 01:21 PM

Hey nasdaq, I ran the Farbar tool; please find the log below.

 

Farbar Service Scanner Version: 03-01-2016
Ran by SC (administrator) on 16-01-2016 at 18:17:49
Running from "C:\Users\SC\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
 
 
**** End of log ****
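The FRST fixlist in post #3 and the FSS log above are pointing at the same small set of indicators: Internet Explorer "Restriction" policy keys, a Windows Defender DisableAntiSpyware value with the WinDefend service demoted from Auto to Demand start, services and drivers whose ImagePath no longer exists (FRST's `[X]` entries such as catchme and pxkbf), and scheduled tasks whose action is missing or points at an executable dropped in C:\ProgramData. The script below is an added example, not code from the thread or from Farbar's tools: it re-checks those same indicators on the local host so they can be confirmed before, and verified gone after, a fix is applied. It is read-only and changes nothing. Assumptions: that FRST's "Restriction" line comes from a populated `...\Internet Explorer\Restrictions` subkey, that Windows Defender's default start type on Windows 7 is Auto (which the FSS log states), and the report layout itself. Run it from an elevated Windows PowerShell prompt; it uses Get-WmiObject and the Task Scheduler COM API so that it also works on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not code from the thread or from Farbar's tools: a read-only triage that
# re-checks the indicators FRST and FSS flagged. Run elevated; it changes nothing.
$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Text) { [void]$findings.Add($Text) }

# 1. Internet Explorer "Restriction" policies (the '<== ATTENTION' lines in the FRST log).
#    Assumption: the flag comes from a populated ...\Internet Explorer\Restrictions subkey.
$ieKeys = @('HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions')
foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
    if ($hive.PSChildName -like 'S-1-5-21-*' -and $hive.PSChildName -notlike '*_Classes') {
        $ieKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions"
    }
}
foreach ($key in $ieKeys) {
    if (Test-Path -LiteralPath $key) {
        $names = (Get-Item -LiteralPath $key).GetValueNames() -join ', '
        Add-Finding "IE restriction policy present: $key [$names]"
    }
}

# 2. Windows Defender: the DisableAntiSpyware value FSS reported, and the WinDefend start type.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows Defender', 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender') {
    $p = Get-ItemProperty -LiteralPath $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($p -and $p.DisableAntiSpyware -eq 1) { Add-Finding "Defender disabled via registry: $key\DisableAntiSpyware=1" }
}
$wd = Get-WmiObject Win32_Service -Filter "Name='WinDefend'"
if ($wd -and $wd.StartMode -ne 'Auto') { Add-Finding "WinDefend start type is $($wd.StartMode), default is Auto; state: $($wd.State)" }

# 3. Services and drivers whose binary is missing (FRST's '[X]' entries such as catchme and pxkbf).
function Resolve-ImagePath([string]$Raw) {
    $p = $Raw.Trim() -replace '^\\\?\?\\', ''                               # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                        # \SystemRoot\system32\...
    $p = [Environment]::ExpandEnvironmentVariables($p)                       # %SystemRoot%\...
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }                        # "C:\Program Files\x.exe" -args
    elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }    # drop arguments
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # System32\drivers\x.sys
    return $p
}
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }
foreach ($svc in Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { continue }
    $path = Resolve-ImagePath $props.ImagePath
    if (-not (Test-Path -LiteralPath $path)) {
        $start = if ($props.Start -ne $null) { $startNames[[int]$props.Start] } else { '?' }
        Add-Finding "Service '$($svc.PSChildName)' (start: $start) points to a missing file: $path"
    }
}

# 4. Scheduled tasks whose action is missing or runs from a data directory (the DigitalSite and
#    CIS_{...} -> C:\ProgramData\cis59E2.exe entries in the FRST log). Uses the Task Scheduler COM API.
$dataDirs = @($env:ProgramData, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
function Walk-TaskFolder($Folder) {
    foreach ($task in $Folder.GetTasks(1)) {                                  # 1 = include hidden tasks
        foreach ($action in $task.Definition.Actions) {
            if ($action.Type -ne 0) { continue }                              # 0 = TASK_ACTION_EXEC
            $exe = [Environment]::ExpandEnvironmentVariables([string]$action.Path).Trim('"')
            if ($exe -notmatch '\\') {                                        # bare name, e.g. rundll32.exe: resolve via PATH
                $cmd = @(Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue)[0]
                if ($cmd) { $exe = $cmd.Definition }
            }
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
                Add-Finding "Task '$($task.Path)' runs a missing file: '$exe'"
            } elseif ($dataDirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }) {
                Add-Finding "Task '$($task.Path)' runs from a data directory: $exe"
            }
        }
    }
    foreach ($sub in $Folder.GetFolders(0)) { Walk-TaskFolder $sub }
}
$sched = New-Object -ComObject Schedule.Service
$sched.Connect()
Walk-TaskFolder $sched.GetFolder('\')

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Two caveats a practitioner would want. A service key whose file is missing is not by itself malicious: catchme.sys is the driver ComboFix drops in %TEMP% and cleans up, so an orphaned entry is expected after a ComboFix run, which is why the fixlist simply removes the key. And a task that runs from ProgramData is only a lead; the file's signature, hash and the task's Author field decide whether it is the Comodo installer's own scheduled action or something masquerading as it.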


#8 nasdaq (Malware Response Team)

Posted 16 January 2016 - 02:12 PM

Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore Do a Registry backup. When you have completed this click Next
  • Click on Repairs
  • Click Repairs - Open Repairs in the bottom right corner
  • Click the Unselect All button then select just the item(s) listed below

  • 01 - Repair Registry Permissions
    02 - Reset File Permissions (2)
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    06 - Repair Windows Firewall
    07 - Repair Internet Explorer
    08 - Repair MDAC/MS Jet
    10 - Remove Policies Set By Infections
    17 - Repair Windows Updates
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup
    
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.

===

Restart the computer normally.

How is the computer running now?

Do you see an improvement?


#9 schweppes4rums (Topic Starter)

Posted 16 January 2016 - 05:06 PM

Hello nasdaq, please find the pre-scan below:

 

Tweaking.com - Windows Repair v3.8.0 - Pre-Scan
│ Computer: SC-PC (Windows 7 Home Premium 6.1.7601 Service Pack 1) (32-bit)
│ [Started Scan - 16/01/2016 20:31:14]
└────────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────┐
│ Scanning Windows Packages Files.
│ Started at (16/01/2016 20:31:14)
│ 
│ No problems were found with the Packages Files.
│ 
│ Files Checked & Verified: 6,229
│ 
│ Done Scanning Windows Packages Files.(16/01/2016 20:32:08)
└────────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────┐
│ Scanning Reparse Points.
│ Started at (16/01/2016 20:32:08)
│ 
│ Missing Default Reparse Point: (Original Path: C:\Users\Default\Cookies) (Target Path: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies)
│ A Default Reparse Point is missing and this can cause problems on the system.
│ 
│ Problems were found with the Reparse Points.
│ You can use the Repair Reparse Points Tool at the bottom of this Window to try and fix these problems.
│ 
│ Files & Folders Searched: 200,156
│ Reparse Points Found: 59
│ 
│ Done Scanning Reparse Points.(16/01/2016 20:32:42)
└────────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────┐
│ Checking Environment Variables.
│ Started at (16/01/2016 20:32:42)
│ 
│ No problems were found with the Environment Variables.
│ 
│ Done Checking Environment Variables. (16/01/2016 20:32:42)
└────────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────┐
│ [Finished Scan - 16/01/2016 20:32:42]
│ 
│ [x] Scan Complete - Problems Found!
│ [x] 
│ [x] You can use the Repair Reparse Points or Repair Environment Variables tools at the bottom of this Window if needed.
│ [x] 
│ [x] While problems have been found, you can still run the repairs in the program.
│ [x] But for the best results it is recommended to fix the problems reported in this scan if possible.
│ [x] If you need help fixing any of the items in the log, just post in the forums at Tweaking.com for help.
 
Please also find all the log files from Tweaking zipped and attached. I do see that there are some errors in these logs.
 
 
 
 

Attached Files



#10 schweppes4rums (Topic Starter)

Posted 17 January 2016 - 05:01 AM

I have tried to update Windows this morning but have found that it is still continually hung on "checking for updates". I have a ComboFix and a HijackThis log; would you be able to check these for anything suspicious that may be causing this problem? I'm still not able to be certain whether the system is infected or not.

Thanks for your help so far.



#11 nasdaq (Malware Response Team)

Posted 17 January 2016 - 09:40 AM

Are you using Windows Internet Explorer to update Microsoft?

If yes can you post any error message that you see.

Post the Combofix log for my review.

#12 schweppes4rums (Topic Starter)

Posted 17 January 2016 - 10:36 AM

I'm not using IE to install Windows updates but the normal Control Panel / Windows Update screen. Please find the logs I created a while ago. They include the ComboFix, HijackThis and GMER logs etc.

I definitely have traces of spyware in my system; I just need to get rid of it.

 

 

 

 

 

Attached Files



#13 nasdaq (Malware Response Team)

Posted 17 January 2016 - 11:08 AM

Please use Internet Explorer

http://windows.microsoft.com/en-ca/windows/get-windows-security-updates#1TC=windows-7

Edited by nasdaq, 17 January 2016 - 11:08 AM.


#14 schweppes4rums (Topic Starter)

Posted 17 January 2016 - 11:53 AM

I've checked online, but I don't know how to go about manually installing Windows updates using Internet Explorer. Are there any links from Microsoft to do that? Thanks.



#15 nasdaq (Malware Response Team)

Posted 17 January 2016 - 02:50 PM

Read the information on the link I gave you.

You will find this

http://windows.microsoft.com/en-ca/windows/turn-automatic-updating-on-off#turn-automatic-updating-on-off=windows-7



