
Need help finding a malware



#1 Cesarneto6


Posted 31 March 2016 - 11:33 AM

Hey guys, first of all good afternoon. The problem is pretty simple: I did 5 installations of Windows 7 and 8.1 on 2 different hard drives and still got Windows Update infected. It's showing me an ActiveX killbits update that's useless for me, I'm pretty sure, and maybe it has the wrong size too. Well, anyway, the problem is, I've just used every program that you guys have here on BleepingComputer and RogueKiller found 4 registry keys and deleted them, but the virus is still here, and I just don't know how to deal with it. Maybe it's on my router? Is it possible? Anyway, thanks in advance.

Edited by Queen-Evie, 31 March 2016 - 11:38 AM.
moved from Windows 8 to Am I Infected



#2 Cesarneto6


Posted 31 March 2016 - 06:03 PM

I am pretty sure that I'm infected, Miss Moderator.



#3 dc3


Posted 01 April 2016 - 11:03 AM

Please post the Rogue Killer log.


Edited by dc3, 01 April 2016 - 11:04 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#4 Cesarneto6


Posted 02 April 2016 - 04:00 PM

RogueKiller V12.1.0.0 (x64) [Mar 29 2016] (Premium) por Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Site : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Sistema Operacional : Windows 8.1 (6.3.9600) 64 bits version
Iniciou : Modo normal
Usuário : Cesar Neto [Administrador]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Modo : Escanear -- Data : 04/02/2016 17:55:09

¤¤¤ Processos : 0 ¤¤¤

¤¤¤ Registro : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.1 ([X])  -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.1 ([X])  -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F137A3F0-1FB3-4E72-AC31-6587F05B8029} | DhcpNameServer : 10.0.0.1 ([X])  -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F137A3F0-1FB3-4E72-AC31-6587F05B8029} | DhcpNameServer : 10.0.0.1 ([X])  -> Encontrado

¤¤¤ Tarefas : 0 ¤¤¤

¤¤¤ Arquivos : 0 ¤¤¤

¤¤¤ Arquivos de hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Carregado) ¤¤¤

¤¤¤ Navegadores : 0 ¤¤¤

¤¤¤ Verificação da MBR : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPCX-24C6HT0 ATA Device +++++
--- User ---
[MBR] ef00b01f6e68a719017ce984851df565
[BSP] b96a186880cf700c5c2b3226021be334 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 159649 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
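The four registry hits in this report are all the DHCP-assigned DhcpNameServer value, which RogueKiller flags as a PUM regardless of what address it holds. As an added example (not part of the thread and not RogueKiller's code), the Python below parses such [PUM.Dns] lines and labels each resolver as LAN (router-assigned, as 10.0.0.1 is here) or public, which is the question to answer before suspecting the router; the first two sample lines are taken from the report above and the third is constructed.

```python
import ipaddress
import re

# Sample report lines. The first two are copied from the RogueKiller report
# posted above; the third is CONSTRUCTED to show a two-resolver value in which
# 203.0.113.5 (a documentation-range address) stands in for a public resolver.
SAMPLE_LOG = """\
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters | DhcpNameServer : 10.0.0.1 ([X])  -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{F137A3F0-1FB3-4E72-AC31-6587F05B8029} | DhcpNameServer : 10.0.0.1 ([X])  -> Encontrado
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\Tcpip\\Parameters | DhcpNameServer : 10.0.0.1 203.0.113.5 ([X])  -> Encontrado
"""
# arch, registry key, value name, then the value(s) up to RogueKiller's "([X])" marker
PUM_DNS_RE = re.compile(
    r"^\[PUM\.Dns\]\s+\((?P<arch>X\d+)\)\s+(?P<key>\S+)\s+\|\s+"
    r"(?P<name>\w+)\s+:\s+(?P<value>[^(]+?)\s+\("
)
# Ranges a home router legitimately hands out (RFC 1918, loopback, link-local,
# IPv6 ULA); listed explicitly because is_private also covers 203.0.113.0/24.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_pum_dns(log_text):
    """Return one dict per [PUM.Dns] line: registry key, value name, resolver list."""
    entries = []
    for line in log_text.splitlines():
        m = PUM_DNS_RE.match(line)
        if m:
            entries.append({"key": m["key"], "name": m["name"],
                            "servers": m["value"].split()})
    return entries


def classify_resolver(addr):
    """'lan' (router-assigned, normally benign), 'public', or 'invalid' if not an IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "lan" if any(ip in net for net in LAN_NETS) else "public"


def triage(log_text):
    """Map each flagged registry key to its most suspicious resolver label."""
    rank = {"lan": 0, "invalid": 1, "public": 2}
    report = {}
    for e in parse_pum_dns(log_text):
        labels = [classify_resolver(s) for s in e["servers"]]
        report[e["key"]] = max(labels, key=rank.__getitem__)
    return report
```

A key that comes back "public" means the resolver was handed out by something other than the usual LAN router address and is worth comparing against the router's own DHCP settings; "lan" on every key, as in the report above, is the expected benign result.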



#5 dc3


Posted 03 April 2016 - 09:14 AM

Is this the original log?

By the way, I do not speak Spanish.

Please list the programs you ran.

Did any of the other scans find anything?

"still got the Windows update infected"

Are you getting an error message telling you this?

If you are getting an error message what exactly does it state?


Edited by dc3, 03 April 2016 - 01:31 PM.


#6 Cesarneto6


Posted 03 April 2016 - 01:12 PM

It's the "report.txt" the program gives me after the scan.

And well, I did ComboFix, RogueKiller, TDSS, Malwarebytes and MSE.

The error number is 80072ee2 and sometimes the svchost.exe responsible for the update is taking 100% of my CPU and 1GB+ of RAM.



#7 dc3


Posted 03 April 2016 - 01:42 PM

The error 0x80072ee2 is an error in Windows Update.  Are you having problems getting or installing updates?
 
By the way, a PUM is a Potentially Unwanted Modification.
 
ComboFix is a very powerful piece of software and should not be run by yourself unless you have been trained in its use.
 
TDSS will not do you any good unless you are trained in the use of this software.
 
Malwarebytes didn't find anything?
 
Please do the following scans and post the complete logs in your topic.  Do not use a host website to post these as this would require downloading the logs.  I will not download anything to my computer unless I know exactly what it contains.
 
Please run AdwCleaner
 
Please download AdwCleaner and install it.
 
When AdwCleaner opens you will see an image like the one below.
 
[image: AdwCleaner main window]
 
Click on Scan to start the scan.
 
Once the scan is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.
 
If no malicious programs are found you will receive the following message.
 
[image: AdwCleaner "no malicious programs found" message]
 
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and paste this log in your topic.
 
================

Emsisoft Emergency Kit
 
Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note:  This option is only available if malicious objects were detected during the scan.  If this is the case select Delete selected.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

================

 
Please run TDSSKiller.
 
Please download TDSSKiller from here and save it to your Desktop.
 
The log for the TDSSKiller can be very long.  If you go to the bottom of the log to where you find Scan finished you will see the results of the scan.  If it shows Detected object count: 0 and Actual detected object count: 0, this means that nothing malicious was found and you will not need to post the log.
 
1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
 
[image: TDSSKiller window with the Change parameters link]
 
2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.
 
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
 
[image: TDSSKiller additional options dialog]
 
3.  Click Start Scan and allow the scan process to run.
 
[image: TDSSKiller Start Scan button]
 
4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.
 
***Do NOT select Delete!
 
================

This scan takes quite a long time to run, so be prepared to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the Eset Smartinstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Edited by dc3, 03 April 2016 - 01:43 PM.


#8 Cesarneto6


Posted 03 April 2016 - 02:47 PM

I could not manage to run AdwCleaner since I'm "infected"; it says "database corrupted, uninstall and download it again".

Downloading the EEK now.

And how should I use ComboFix? I mean, I had always used it when I think I'm infected.

Thanks for the help, sir.



#9 dc3


Posted 05 April 2016 - 08:41 AM

If you have a problem which requires the use of Combofix I would suggest posting a topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

 

Before posting your topic you will need to read and follow the instructions in the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.
 
The members of the Malware Response Team who respond to these topics are constantly inundated due to the high volume of requests for help in this forum.  For this reason it may take a couple of days before a Team member may be able to get to your topic.
 
Do not add anything or bump your topic once you have posted your log.  The Malware Removal Team members look for topics which have not been addressed, if you post any additional information it will make it appear that the topic is being addressed.
 
After you have posted your new topic a Moderator will close this topic.  If it is determined that there is a software or hardware problem after cleaning the infection you can contact a Moderator to have this topic reopened.
