
Computer hacked days ago, boot wiped reinstalled still malware, clean check


  • This topic is locked
2 replies to this topic

#1 link434

link434

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 01 February 2016 - 03:21 PM

The problem started weeks ago: my desktop computer went down, and now my laptop ended up with suspicious files passing through the antivirus. When I originally formatted the desktop and got it going again, even after the format it still had rootkits I found through Malwarebytes... I noticed lots of processes going through the live resources and started reading some of them through the text editor. Many contained suspicious, invasive information gathering.

 

So I wanted to be sure the laptop is clean before I connect it to my firewall.  This is a clean install of windows without it being connected to the internet.

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-01-2016
Ran by Black (administrator) on BLACK-PC (02-05-2016 07:03:18)
Running from C:\Users\Black\Desktop
Loaded Profiles: Black (Available Profiles: Black)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(Comodo) C:\Program Files (x86)\Comodo\Chromodo\chromodo_updater.exe
(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
() C:\Windows\System32\rpcnetp.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Comodo Security Solutions, Inc.) C:\Program Files\COMODO\GeekBuddy\unit_manager.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe
(Comodo Security Solutions, Inc.) C:\Program Files\COMODO\GeekBuddy\unit.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1427648 2015-08-05] (COMODO)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2621240 2015-11-18] (Malwarebytes Corporation)
HKLM-x32\...\Run: [tvncontrol] => C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2015-01-30] (Comodo Security Solutions, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start GeekBuddy.lnk [2016-04-29]
ShortcutTarget: Start GeekBuddy.lnk -> C:\Program Files\COMODO\GeekBuddy\launcher.exe (Comodo Security Solutions, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 172.31.79.142 172.31.79.144 157.54.104.75 157.54.14.146 157.54.14.162 157.54.80.10

Internet Explorer:
==================
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ChromodoUpdater; C:\Program Files (x86)\Comodo\Chromodo\chromodo_updater.exe [1995448 2015-05-25] (Comodo) [File not signed]
R2 CLPSLauncher; C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe [70872 2015-03-05] (Comodo Security Solutions, Inc.)
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [5542472 2015-09-03] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2265792 2015-08-05] (COMODO)
R2 GeekBuddyRSP; C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2015-01-30] (Comodo Security Solutions, Inc.)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [739640 2015-11-18] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [21184 2015-11-18] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [806032 2015-11-18] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [45856 2015-08-05] (COMODO)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [63064 2015-11-18] ()
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [105096 2015-08-05] (COMODO)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-02 07:03 - 2016-05-02 07:03 - 00005975 _____ C:\Users\Black\Desktop\FRST.txt
2016-05-02 07:02 - 2016-05-02 07:03 - 00000000 ____D C:\FRST
2016-05-02 07:01 - 2016-05-02 07:01 - 02370560 _____ (Farbar) C:\Users\Black\Desktop\FRST64.exe
2016-05-02 07:01 - 2016-05-02 07:01 - 01721856 _____ (Farbar) C:\Users\Black\Desktop\FRST.exe
2016-04-29 17:53 - 2016-04-29 17:53 - 00000000 ____D C:\Users\Black\AppData\Local\ElevatedDiagnostics
2016-04-29 09:10 - 2016-04-29 18:02 - 00003872 _____ C:\Windows\system32\Drivers\sfi.dat
2016-04-29 09:10 - 2016-04-29 09:10 - 00057560 _____ C:\Users\Black\AppData\Local\GDIPFONTCACHEV1.DAT
2016-04-29 09:10 - 2016-04-29 09:10 - 00001888 _____ C:\Users\Public\Desktop\COMODO Internet Security.lnk
2016-04-29 09:10 - 2016-04-29 09:10 - 00000000 ____D C:\Windows\System32\Tasks\COMODO
2016-04-29 09:09 - 2016-04-29 09:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo
2016-04-29 09:09 - 2016-04-29 09:09 - 00002013 _____ C:\Users\Public\Desktop\GeekBuddy.lnk
2016-04-29 09:09 - 2016-04-29 09:09 - 00001126 _____ C:\Users\Public\Desktop\Internet (Chromodo).lnk
2016-04-29 09:09 - 2016-04-29 09:09 - 00000000 ____D C:\Users\Black\AppData\Local\Comodo
2016-04-29 09:09 - 2016-04-29 09:09 - 00000000 ____D C:\ProgramData\Shared Space
2016-04-29 09:09 - 2016-04-29 09:09 - 00000000 ____D C:\Program Files\COMODO
2016-04-29 09:09 - 2016-04-29 09:09 - 00000000 ____D C:\Program Files (x86)\Comodo
2016-04-29 09:08 - 2016-04-29 09:10 - 00000000 ____D C:\ProgramData\Comodo
2016-04-29 09:02 - 2016-04-29 09:02 - 00000000 ____D C:\Program Files (x86)\Broadcom
2016-04-29 09:01 - 2016-04-29 09:01 - 00000000 ____D C:\Users\Black\AppData\Local\Dell
2016-04-29 09:00 - 2016-04-29 09:00 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_cvusbdrv_01009.Wdf
2016-04-29 09:00 - 2016-04-29 09:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Broadcom
2016-04-29 09:00 - 2016-04-29 09:00 - 00000000 ____D C:\ProgramData\Broadcom
2016-04-29 09:00 - 2016-04-29 09:00 - 00000000 ____D C:\Program Files\Broadcom Corporation
2016-04-29 09:00 - 2012-10-24 17:09 - 00440208 _____ C:\Windows\system32\brcmbsp.dll
2016-04-29 09:00 - 2012-10-24 17:09 - 00241584 _____ C:\Windows\system32\bipbsp.dll
2016-04-29 08:54 - 2016-04-29 08:54 - 00000000 ____D C:\ProgramData\HitmanPro
2016-04-29 08:53 - 2016-04-29 09:01 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2016-04-29 08:53 - 2016-04-29 08:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2016-04-29 08:53 - 2016-04-29 08:53 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Exploit
2016-04-29 08:52 - 2016-04-29 08:55 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-29 08:52 - 2016-04-29 08:52 - 00001106 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-04-29 08:52 - 2016-04-29 08:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-29 08:52 - 2016-04-29 08:52 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-04-29 08:52 - 2016-04-29 08:52 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-04-29 08:52 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-04-29 08:52 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-04-29 08:52 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-04-29 08:35 - 2016-04-29 08:35 - 00008192 __RSH C:\BOOTSECT.BAK
2016-04-29 08:35 - 2016-04-29 07:43 - 00000000 ____D C:\Windows\Panther
2016-04-29 08:35 - 2010-11-20 20:23 - 00383786 __RSH C:\bootmgr
2016-04-29 08:33 - 2016-04-29 08:33 - 00002946 _____ C:\Windows\System32\Tasks\{4D904B0D-7938-40A9-BE59-3A525576C4A7}
2016-04-29 08:02 - 2016-04-29 08:02 - 00000000 ____D C:\Intel
2016-04-29 08:02 - 2016-04-29 08:02 - 00000000 ____D C:\dell
2016-04-29 07:44 - 2016-04-29 07:44 - 00001413 _____ C:\Users\Black\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-04-29 07:43 - 2016-04-29 07:44 - 00001447 _____ C:\Users\Black\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-04-29 07:43 - 2016-04-29 07:43 - 00000020 ___SH C:\Users\Black\ntuser.ini
2016-04-29 07:43 - 2016-04-29 07:43 - 00000000 _SHDL C:\Users\Black\My Documents
2016-04-29 07:43 - 2016-04-29 07:43 - 00000000 _SHDL C:\Users\Black\Documents\My Videos
2016-04-29 07:43 - 2016-04-29 07:43 - 00000000 _SHDL C:\Users\Black\Documents\My Pictures
2016-04-29 07:43 - 2016-04-29 07:43 - 00000000 _SHDL C:\Users\Black\Documents\My Music
2016-04-29 07:43 - 2016-04-29 07:43 - 00000000 ____D C:\Users\Black\AppData\Local\VirtualStore
2016-04-29 07:43 - 2016-04-29 07:43 - 00000000 ____D C:\Users\Black
2016-04-29 07:43 - 2010-11-21 00:16 - 00000000 ____D C:\Users\Black\AppData\Roaming\Media Center Programs
2016-04-29 07:39 - 2016-04-29 07:39 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-04-29 07:39 - 2016-04-29 07:39 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2016-04-29 07:39 - 2016-04-29 07:39 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WUDFUsbccidDriver_01_09_00.Wdf
2016-04-29 07:38 - 2016-04-29 07:38 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2016-04-29 07:37 - 2016-05-02 07:00 - 00017920 _____ C:\Windows\SysWOW64\rpcnetp.dll
2016-04-29 07:36 - 2016-05-02 07:00 - 00017920 _____ C:\Windows\SysWOW64\rpcnetp.exe
2016-04-29 07:36 - 2016-05-02 07:00 - 00017920 _____ C:\Windows\system32\rpcnetp.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-02 07:02 - 2009-07-13 22:13 - 00890152 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-02 07:02 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-05-02 07:00 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-29 18:01 - 2009-07-13 21:45 - 00016832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-29 18:01 - 2009-07-13 21:45 - 00016832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-29 18:00 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
2016-04-29 08:35 - 2009-07-13 22:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-04-29 07:42 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2016-04-29 07:41 - 2009-07-13 21:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-29 07:39 - 2009-07-13 22:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-04-29 07:39 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\sysprep
2016-04-29 07:37 - 2010-11-21 00:16 - 00000000 ____D C:\Windows\CSC

Some files in TEMP:
====================
C:\Users\Black\AppData\Local\Temp\msvcp110.dll
C:\Users\Black\AppData\Local\Temp\msvcr110.dll
C:\Users\Black\AppData\Local\Temp\pc-decrapifier.exe
C:\Users\Black\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-29 07:36

==================== End of FRST.txt ============================


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:55 PM

Posted 02 February 2016 - 10:45 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean.


Check this out when connected to the net.
AV: COMODO Antivirus (Enabled - Out of date) {F25D0092-CDBE-B303-ADB7-88DE8CDECCF5}

===


If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:55 PM

Posted 07 February 2016 - 08:32 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.