
Malware SysWow 64 or any may be other


  • This topic is locked
11 replies to this topic

#1 arun2970

arun2970

  • Members
  • 6 posts

Posted 29 April 2016 - 03:49 AM

Hello,
I have been having a strange problem on my laptop for the past few weeks. To make it easier to understand, I am writing down what I faced and am still facing. I never had any issue with viruses or malware, thanks to the extensive software installed for protection. My laptop was equipped with Avast Antivirus (Internet protection), Malwarebytes Anti-Malware and Old McDonald Autorun Eater, and I never had any issue with viruses or any other hijacking. To keep my system working at top speed (even though I have a Core 2 Duo) I had Auslogics defragmentation and other utilities; on top of this I had CCleaner to keep my system junk-free, and I also controlled startup programs to further improve the speed, boot time and responsiveness of my system. I don't use any pirated or cracked software, to keep my system safe and secure. But a little while ago my system just crashed and Windows didn't boot. I tried to diagnose Windows, repair it and even tried to check for issues in safe mode, but Windows didn't boot.
 
I was forced to reinstall Windows, so to keep my data safe I initially installed a second Windows 7 (Dell provided it with my system), and then, with the second Windows 7 on the same laptop, I took a backup of all my data on the other drives and transferred it to an external hard drive. Then I did a complete fresh format of the system and a full fresh installation of Windows 7, and then got my data back onto the drives. It then started hanging and causing issues. It never shut down normally and I was forced to shut the system down abnormally/forcefully. I was again forced to format the system and reinstall Windows.
 
I am still struggling with this issue. On the new Windows 7 installation Avira (antivirus) didn't install, so I again went with Avast (licensed version). When I tried to find the issue again, I zeroed in on it using Malwarebytes Anti-Malware and Avast: each time a scan runs, it takes an excessively long time on C:\windows\Syswow64\NllsDataXXXX.Dll; both scans halted and didn't come back. I needed to force a shutdown, and then again I saw C:\windows\Syswow64\NllsDataXXXX.Dll causing an issue in the boot-time scan. I remember it once also showed me an issue with api-ms-win-crt-runtime-l1-1-0.dll entry point not found (before this new installation; after 2-3 I again formatted my system due to abnormalities in the system). It sometimes shows issues with assemblies in Windows as well. The strange thing is that even after a fresh installation of Windows 7 and Avast (without any other software installed) this SysWOW64 file causes errors.
 
The computer still hangs and goes for an abnormal shutdown. Malwarebytes Anti-Malware and Avast both hang on reaching these SysWOW64 files; even Task Manager gets stuck while CPU utilization is under 10% and these files are being scanned. A simple shutdown does not happen and I need to force it. The strange thing is that this happens with a new and fresh installation of Windows 7 when no other software has been downloaded yet. So how did this get onto the system?
 
On further analysis and checking of the event logs I encountered a few more things (under a new installation of Windows, with no hard drive or external item attached except the internet):
Multiple errors:
The driver detected a controller error on \Device\Ide\IdePort0.
The shadow copies of volume C: were aborted because of an IO failure on volume C:.
 
Multiple warnings:
Name resolution for the name m.adnxs.com timed out after none of the configured DNS servers responded.
Name resolution for the name ib.adnxs.com timed out after none of the configured DNS servers responded.
 
I suspect that my external hard drive and maybe the router are also infected.
Please help.
 
Attaching FRST and Additional files for reference.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-04-2016
Ran by Dell (administrator) on DELL-PC (29-04-2016 13:38:24)
Running from C:\Users\Dell\Downloads
Loaded Profiles: Dell (Available Profiles: Dell)
Platform: Windows 7 Home Basic (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows NT\Accessories\wordpad.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7391632 2016-04-28] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-04-28] (AVAST Software)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{EF30D11A-75A9-4556-A451-E36D00836B94}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-04-28] (AVAST Software)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-28] (Google Inc.)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-04-28] (AVAST Software)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-28] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-28] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-28] (Google Inc.)
Toolbar: HKU\S-1-5-21-1908441267-889099081-3635874752-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-28] (Google Inc.)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-14] (Microsoft Corporation)
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-04-28] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-04-28]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
 
Chrome: 
=======
CHR Profile: C:\Users\Dell\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Dell\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-28]
CHR Extension: (Google Drive) - C:\Users\Dell\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-28]
CHR Extension: (Google Docs Offline) - C:\Users\Dell\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Dell\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-28]
CHR Extension: (Gmail) - C:\Users\Dell\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-28]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-04-28] (AVAST Software)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-04-28] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-04-28] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-04-28] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-04-28] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-04-28] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-04-28] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-04-28] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-04-28] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287528 2016-04-28] (AVAST Software)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-04-28] (Malwarebytes)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-29 13:38 - 2016-04-29 13:38 - 00007384 _____ C:\Users\Dell\Downloads\FRST.txt
2016-04-29 13:37 - 2016-04-29 13:38 - 00000000 ____D C:\FRST
2016-04-29 13:36 - 2016-04-29 13:36 - 02376704 _____ (Farbar) C:\Users\Dell\Downloads\FRST64.exe
2016-04-29 11:29 - 2016-04-28 22:06 - 00000000 ____D C:\Windows\Panther
2016-04-29 11:29 - 2009-08-08 22:52 - 00000021 ___RH C:\Windows\DELL_version
2016-04-29 11:29 - 2009-08-08 22:52 - 00000013 ____R C:\Windows\csup.txt
2016-04-29 10:31 - 2016-04-29 10:31 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2016-04-28 23:31 - 2016-04-28 23:31 - 00000000 ____D C:\Users\Dell\AppData\Roaming\Google
2016-04-28 22:48 - 2016-04-29 00:11 - 00000000 ____D C:\Users\Dell\AppData\Local\Google
2016-04-28 22:47 - 2016-04-28 22:47 - 00003904 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1461863867
2016-04-28 22:47 - 2016-04-28 22:47 - 00001037 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
2016-04-28 22:47 - 2016-04-28 22:47 - 00001037 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-04-28 22:47 - 2016-04-28 22:47 - 00000000 ____D C:\ProgramData\Google
2016-04-28 22:47 - 2016-04-28 22:47 - 00000000 ____D C:\Program Files\Google
2016-04-28 22:46 - 2016-04-28 22:46 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-28 22:46 - 2016-04-28 22:46 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-04-28 22:42 - 2016-04-29 12:53 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-28 22:42 - 2016-04-28 23:53 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-28 22:42 - 2016-04-28 23:48 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-04-28 22:42 - 2016-04-28 23:48 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-04-28 22:42 - 2016-04-28 22:47 - 00000000 ____D C:\Program Files (x86)\Google
2016-04-28 22:42 - 2016-04-28 22:42 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-04-28 22:35 - 2016-04-28 22:35 - 00000000 ____D C:\Users\Dell\AppData\Roaming\AVAST Software
2016-04-28 22:34 - 2016-04-29 12:29 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-04-28 22:34 - 2016-04-28 22:34 - 00001922 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-04-28 22:34 - 2016-04-28 22:34 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-04-28 22:34 - 2016-04-28 22:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-04-28 22:34 - 2016-04-28 22:34 - 00000000 ____D C:\Program Files\Common Files\AV
2016-04-28 22:34 - 2016-04-28 22:33 - 01070904 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-04-28 22:34 - 2016-04-28 22:33 - 00465792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-04-28 22:34 - 2016-04-28 22:33 - 00398152 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-04-28 22:34 - 2016-04-28 22:33 - 00287528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-04-28 22:34 - 2016-04-28 22:33 - 00166432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2016-04-28 22:34 - 2016-04-28 22:33 - 00107792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-04-28 22:34 - 2016-04-28 22:33 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2016-04-28 22:34 - 2016-04-28 22:33 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-04-28 22:34 - 2016-04-28 22:33 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-04-28 22:33 - 2016-04-28 22:33 - 00052184 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-04-28 22:27 - 2016-04-28 22:42 - 00000000 ____D C:\Program Files\AVAST Software
2016-04-28 22:26 - 2016-04-28 22:42 - 00000000 ____D C:\ProgramData\AVAST Software
2016-04-28 22:26 - 2016-04-28 22:26 - 05168776 _____ (AVAST Software) C:\Users\Dell\Downloads\avast_free_antivirus_setup_online.exe
2016-04-28 22:26 - 2016-04-28 22:26 - 00057560 _____ C:\Users\Dell\AppData\Local\GDIPFONTCACHEV1.DAT
2016-04-28 22:26 - 2016-04-21 15:05 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-04-28 22:11 - 2016-04-28 22:46 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-28 22:11 - 2016-04-28 22:40 - 00000613 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-04-28 22:11 - 2016-04-28 22:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-28 22:11 - 2016-04-28 22:11 - 00000000 ____D C:\Users\Dell\Desktop\malwarebytes anti malware
2016-04-28 22:11 - 2016-04-28 22:11 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-04-28 22:11 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-04-28 22:11 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-04-28 22:11 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-04-28 22:06 - 2016-04-28 23:05 - 00000000 ____D C:\Users\Dell
2016-04-28 22:06 - 2016-04-28 22:48 - 00000000 ____D C:\Users\Dell\AppData\Local\VirtualStore
2016-04-28 22:06 - 2016-04-28 22:06 - 00001443 _____ C:\Users\Dell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-04-28 22:06 - 2016-04-28 22:06 - 00001409 _____ C:\Users\Dell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-04-28 22:06 - 2016-04-28 22:06 - 00000020 ___SH C:\Users\Dell\ntuser.ini
2016-04-28 22:06 - 2016-04-28 22:06 - 00000000 _SHDL C:\Users\Dell\My Documents
2016-04-28 22:06 - 2016-04-28 22:06 - 00000000 _SHDL C:\Users\Dell\Documents\My Videos
2016-04-28 22:06 - 2016-04-28 22:06 - 00000000 _SHDL C:\Users\Dell\Documents\My Pictures
2016-04-28 22:06 - 2016-04-28 22:06 - 00000000 _SHDL C:\Users\Dell\Documents\My Music
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-29 12:52 - 2009-07-14 10:43 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-29 12:52 - 2009-07-14 08:50 - 00000000 ____D C:\Windows\inf
2016-04-29 11:29 - 2009-07-14 11:02 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-04-29 11:29 - 2009-07-14 10:15 - 00000000 ____D C:\Windows\Setup
2016-04-29 11:29 - 2009-07-14 08:50 - 00000000 ____D C:\Windows\system32\oobe
2016-04-29 10:34 - 2009-07-14 10:15 - 00266544 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-29 10:33 - 2009-07-14 08:50 - 00000000 ____D C:\Windows\system32\sysprep
2016-04-28 23:36 - 2009-07-14 10:15 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-28 23:36 - 2009-07-14 10:15 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-28 23:29 - 2009-07-14 10:38 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-28 22:06 - 2009-07-14 08:50 - 00000000 ____D C:\Windows\rescache
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-04-29 10:29
 
==================== End of FRST.txt ============================
 
 
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:27-04-2016
Ran by Dell (2016-04-29 13:38:57)
Running from C:\Users\Dell\Downloads
Windows 7 Home Basic (X64) (2016-04-28 16:36:08)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1908441267-889099081-3635874752-500 - Administrator - Disabled)
Dell (S-1-5-21-1908441267-889099081-3635874752-1000 - Administrator - Enabled) => C:\Users\Dell
Guest (S-1-5-21-1908441267-889099081-3635874752-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 11.2.2262 - AVAST Software)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 50.0.2661.87 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.7619.1252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.21.169 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
SafeZone Stable 1.48.2066.101 (x32 Version: 1.48.2066.101 - Avast Software) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {3AF948FC-D975-4AB8-9198-C6E11F692A8C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-04-28] (Google Inc.)
Task: {3EF98E1A-58FF-4976-A510-7E4819DC8354} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-04-28] (AVAST Software)
Task: {8AB0E7D8-90D8-4450-BCCE-6B65D953221D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-04-28] (Google Inc.)
Task: {9262F7BF-C5EB-4346-B10E-828A528C491B} - System32\Tasks\SafeZone scheduled Autoupdate 1461863867 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-04-15] (Avast Software)
Task: {E46C48CB-065C-432C-AADA-98D207232822} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-04-28] (AVAST Software)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-04-28 22:33 - 2016-04-28 22:33 - 00123344 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-04-28 22:33 - 2016-04-28 22:33 - 00135816 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-04-28 22:42 - 2016-04-28 22:42 - 02891264 _____ () C:\Program Files\AVAST Software\Avast\defs\16042801\algo.dll
2016-04-28 22:33 - 2016-04-28 22:33 - 00479680 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-04-28 23:30 - 2016-04-28 23:30 - 02891264 _____ () C:\Program Files\AVAST Software\Avast\defs\16042802\algo.dll
2016-04-28 22:33 - 2016-04-28 22:33 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 08:04 - 2009-06-11 02:30 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1908441267-889099081-3635874752-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Dell\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{288A3DB8-880B-46EA-94E5-9CC264C54DEE}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
 
System errors:
=============
Error: (04/28/2016 11:29:24 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 11:04:49 PM on 4/28/2016 was unexpected.
 
Error: (04/28/2016 10:58:22 PM) (Source: volsnap) (EventID: 14) (User: )
Description: The shadow copies of volume C: were aborted because of an IO failure on volume C:.
 
Error: (04/28/2016 10:54:08 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.
 
Error: (04/28/2016 10:54:08 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.
 
Error: (04/28/2016 10:54:08 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.
 
Error: (04/28/2016 10:54:08 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.
 
Error: (04/28/2016 10:54:08 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.
 
Error: (04/28/2016 10:54:08 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.
 
Error: (04/28/2016 10:54:08 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.
 
Error: (04/28/2016 10:54:08 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Duo CPU T6600 @ 2.20GHz
Percentage of memory in use: 43%
Total physical RAM: 3032.36 MB
Available physical RAM: 1702.36 MB
Total Virtual: 6062.88 MB
Available Virtual: 4507.7 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:99.9 GB) (Free:85.84 GB) NTFS
Drive d: () (Fixed) (Total:100 GB) (Free:99.91 GB) NTFS
Drive e: () (Fixed) (Total:98.09 GB) (Free:97.82 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: B8000000)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=99.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=100 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=98.1 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
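A read-only triage script, added here as an example and not posted by anyone in the thread, that collects the two pieces of evidence the post above refers to: the Authenticode signature status of the SysWOW64 NLS data DLLs the scanners stall on, and the atapi 11, volsnap 14 and EventLog 6008 entries that FRST listed from the System log, followed by the disk's own WMI health status. It assumes PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt on the affected Windows 7 x64 machine; the `NlsData*.dll` pattern follows the file name quoted in the post.

```powershell
# Added triage script, not part of the original thread. Read-only: it gathers
# the evidence needed to tell a tampered SysWOW64 NLS DLL apart from a
# storage-path problem. Assumes PowerShell 4.0+ running elevated on the
# affected Windows 7 x64 machine; the NlsData*.dll pattern comes from the post.
param(
    [string]$NlsPattern = 'NlsData*.dll',   # file pattern named in the post
    [int]$Days = 7                          # how far back to read the System log
)

$sysWow64 = Join-Path $env:SystemRoot 'SysWOW64'
$system32 = Join-Path $env:SystemRoot 'System32'

Write-Host "== Authenticode status of $NlsPattern (SysWOW64 and System32) =="
Get-ChildItem -Path $sysWow64, $system32 -Filter $NlsPattern -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File     = $_.FullName
            SizeKB   = [math]::Round($_.Length / 1KB)
            Modified = $_.LastWriteTime
            # 'Valid' with a Microsoft signer is the expected result; NotSigned,
            # HashMismatch or UnknownError means the file deserves a closer look.
            Status   = $sig.Status
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            # Hash lets the file be compared against a known-good copy from
            # installation media or another machine at the same patch level.
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize -Wrap

Write-Host "`n== System log entries FRST flagged, last $Days days =="
$since = (Get-Date).AddDays(-$Days)
# Provider/ID pairs exactly as they appear in the Addition.txt above.
$filters = @(
    @{ LogName = 'System'; ProviderName = 'atapi';    Id = 11;   StartTime = $since }  # controller error on \Device\Ide\IdePortN
    @{ LogName = 'System'; ProviderName = 'volsnap';  Id = 14;   StartTime = $since }  # shadow copies aborted, IO failure
    @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6008; StartTime = $since }  # previous shutdown was unexpected
)
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Counts per provider/ID: a burst of atapi 11 followed by volsnap 14 is a
# storage-path error pattern (disk, cable or controller), which should be
# ruled out before the file the scanners stall on is treated as the cause.
$events | Group-Object ProviderName, Id | Select-Object Count, Name | Format-Table -AutoSize

Write-Host "`n== Physical disk status reported by WMI =="
Get-WmiObject -Class Win32_DiskDrive |
    Select-Object Model, InterfaceType, Status,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB) } } |
    Format-Table -AutoSize
```

A Status other than "OK" on the disk, or repeated atapi 11 / volsnap 14 entries that line up in time with the scanner hangs, is the signal to run the vendor's disk diagnostics before continuing malware clean-up.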
 

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • Gender:Male

Posted 29 April 2016 - 05:20 AM

Hi arun2970 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply right after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like formatting and reinstalling Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • Since I'm still a trainee, all my posts have to be reviewed by an instructor prior to being posted, to make sure that you receive the best assistance possible. Sorry for the inconvenience. This being said, I have a full-time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Please give me a few hours to review your logs and prepare a reply.

Thank you!

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 arun2970 (Topic Starter)

Posted 29 April 2016 - 06:25 AM

Hi Yoan, thank you for assisting.

As I have mentioned, I have formatted the system to deal with this issue, but the issue still remains (even without installing any other application, except Avast and the anti-malware). The computer is still hanging when Avast Antivirus or Malwarebytes Anti-Malware is scanning SysWOW64 files. It hangs the system and the system starts lagging. When Task Manager is checked it shows CPU usage of less than 10%, yet it still hangs.

In order to bring the computer at least to a state where I can work, I have installed MS Office and Adobe PDF.

Avast is still set to run twice a day and Malwarebytes Anti-Malware is also installed for protection; they both did not find anything suspicious, but they hang the entire system when SysWOW64 is scanned.

I hope to remove this issue and will be very happy to understand why and what happened.

Take care, Yoan :thumbup2:



#4 Aura (Malware Response Team)

Posted 30 April 2016 - 02:46 PM

Thank you for waiting :)

I looked at your logs, and they do not show anything malicious on your system. It's also unlikely that you'll still be infected after a clean install of Windows, so to me, malware isn't the issue here. The real problem is below:
The driver detected a controller error on \Device\Ide\IdePort0.
The shadow copies of volume C: were aborted because of an IO failure on volume C:.
It looks like you could be the victim of hardware failure: failing hard drive, failing controller on the motherboard, faulty cable, etc. In order to determine that, I'll need some information on your system.

What is your computer model? I know it's a Dell, but I need to know the model.
How old is your computer?
Did you open your computer recently to change, touch, etc. the components inside?

We also need to know which device is on IdePort0. In the Start Menu, type in cmd, then right-click on it and select Run as Administrator. Copy/paste the command below in the command prompt and press Enter.
reg query "HKEY_LOCAL_MACHINE\Hardware\Devicemap\Atdisk" > %userprofile%\Desktop\IdeDevices.txt
Once done, a file called IdeDevices.txt will have appeared on your desktop. Open it, and copy/paste its content here please.

Your next reply(ies) should contain answers to all the questions I asked above, and the copy/pasted content of the IdeDevices.txt file.



#5 arun2970 (Topic Starter)

Posted 01 May 2016 - 02:36 AM

Hi Yoan,
Thanks for replying and for the support :)

As you asked, I ran the command: reg query "HKEY_LOCAL_MACHINE\Hardware\Devicemap\Atdisk" > %userprofile%\Desktop\IdeDevices.txt

It shows the error: "the system was unable to find the specified registry key or value". On opening the txt file, it is blank.

Even now when I try to run Malwarebytes Anti-Malware or Avast Antivirus, it gets stopped on a random file (now it just halts on SysWOW64 for a while and then jumps to another file), but the system does halt on other random files and the process never completes, which forces me to force shut down Windows. (Resource consumption in Task Manager still shows 8-10% only; Task Manager also opens pretty late during this process.)

Regarding my Dell laptop model, it is an Inspiron 1545, 2010 model, with genuine Windows 7 Home Basic (which came with the laptop from Dell), Intel Core 2 Duo CPU T6600 @ 2.2 GHz, 3 GB RAM.

My system does not have any external device except a mouse, and its condition is pretty exceptional (no damage/scratches, etc.). It still runs at good speed; the battery and charger were replaced once (last year) but are still performing well (battery backup of up to 3 hours).

I have checked in Device Manager: there is no warning or error shown for any hardware that is not working properly. It also does not have any entry for IdePort0.

While further investigating, I also found the following errors under Events, which also raise my concerns.
Multiple occurrences:

(first variant) Name resolution for the name secure.adnxs.com timed out after none of the configured DNS servers responded.
(second variant) Name resolution for the name ib.adnxs.com timed out after none of the configured DNS servers responded.
(third variant) Name resolution for the name m.adnxs.com timed out after none of the configured DNS servers responded.

and this other error, which seems to be of pretty low value:
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.

I am actually suspecting it to be related to adnxs.com somehow, which again is malware.

The other events which might be the cause are attached here (in the attachment area); they were also caught in the Events area (Computer Management). I thought it might help, so I am attaching the file.

Another thing which raised my concern while typing this message was a G drive (which I did not create). As you can see in the additional logs created by FRST.exe, the application linked on your respective site, there was no G drive and no space allocated to it, so I have just deleted that from Computer Management (as it neither has any space nor was it created during installation); it might be conflicting as an input/output device.
====================Drives===========================
 Drive c: () (Fixed) (Total:99.9 GB) (Free:85.84 GB) NTFS
Drive d: () (Fixed) (Total:100 GB) (Free:99.91 GB) NTFS
Drive e: () (Fixed) (Total:98.09 GB) (Free:97.82 GB) NTFS
 ==================== MBR & Partition Table=================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: B8000000)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=99.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=100 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=98.1 GB) - (Type=07 NTFS)
 ============== End of Addition.txt=========================== 
 
I'll keep checking the system for further errors until your next reply and will let you know if something comes under suspicion.

Please let me know how to proceed further.
Thanks for the help and support :)




#6 Aura (Malware Response Team)

Posted 02 May 2016 - 10:24 AM

As you asked, I ran the command: reg query "HKEY_LOCAL_MACHINE\Hardware\Devicemap\Atdisk" > %userprofile%\Desktop\IdeDevices.txt

It shows the error: "the system was unable to find the specified registry key or value". On opening the txt file, it is blank.


This is weird, since this key contains information about IDE devices/peripherals on your system, and from your errors, we know that there is IDE hardware present. Let's see what happens if we query the key for SCSI peripherals then. Open another command prompt with Admin Rights, but this time, enter this command:
reg query "HKEY_LOCAL_MACHINE\Hardware\Devicemap\Scsi" > %userprofile%\Desktop\ScsiDevices.txt
A file called ScsiDevices.txt will appear on your desktop. Copy/paste its content in your next reply.

From my research, I saw that your hard drive could be the device plugged into IdePort0. That aside, all your issues seem to be related to a slow and/or failing hard drive, so I would like to check that right away by running a test with GSmartControl.

GSmartControl
Follow the instructions below to test your hard drive health with GSmartControl:
  • Download GSmartControl and save it on your Desktop;
  • Extract the content of the GSmartControl .zip archive and execute gsmartcontrol.exe;
  • Identify your drive in the list, and double-click on it to bring up its window (usually you'll find your drive by its size or its brand name);
  • Go to the Perform Tests tab, then select Extended Self-test in the Test type drop-down list and click on Execute (this test can take a few hours to complete);
  • Once the test is over, the results will be displayed at the bottom of the window. Please copy and paste these results in your next reply;
  • Also, go to the Attributes tab and if you have any entries highlighted in red or pink, copy and paste their name in your next reply (or take a screenshot of the GSmartControl window and attach it to your next reply);
The DNS errors aren't that important. It just means that some domains couldn't be contacted. I couldn't ping 2 of the adnxs.com addresses you listed, and I couldn't ping the microsoft.com one either.

As for the G: drive, if it happens again, can you take a screenshot of it in the Disk Management utility, so I can see what it looks like?

Your next reply(ies) should include:
  • Copy/pasted content of the ScsiDevices.txt file;
  • GSmartControl test results;



#7 arun2970 (Topic Starter)

Posted 02 May 2016 - 02:07 PM

Hi Yoan,

This time when I ran: reg query "HKEY_LOCAL_MACHINE\Hardware\Devicemap\Scsi" > %userprofile%\Desktop\ScsiDevices.txt

the output comes as follows:

HKEY_LOCAL_MACHINE\Hardware\Devicemap\Scsi\Scsi Port 0

As you asked, I ran GSmartControl and the outputs are as follows:

Name                             Failed  Normalized  Worst  Threshold  Raw value  Type         Updated                  Flag
1) Reallocated Sector Count      Never   86          86     6          121779910  pre-failure  continuously             0x000f
2) Current Pending Sector Count  Never   100         100    0          36         old age      continuously             0x0012
3) Offline Uncorrectable         Never   100         100    0          36         old age      on offline data collect  0x0010

(I tried to upload a picture from several photo sharing sites but the BleepingComputer server denied uploading and using the extension; please let me know where I can share pictures as well.)

and the output file reads as:

Complete selective self-test log:

SMART Selective self-test log data structure revision number 1
 SPAN  MIN_LBA  MAX_LBA  CURRENT_TEST_STATUS
    1        0        0  Not_testing
    2        0        0  Not_testing
    3        0        0  Not_testing
    4        0        0  Not_testing
    5        0        0  Not_testing
Selective self-test flags (0x0):
  After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

But surprisingly, even though it said it would take approximately 90 minutes, it just ended in less than 10 seconds.

Regarding the G drive: it has not appeared again yet.

Thank you for your support, Yoan :)
 




#8 Aura (Malware Response Team)

Posted 03 May 2016 - 04:22 PM

Thank you for the logs :)

Sadly I have bad news for you: your hard drive is currently failing and needs to be replaced. As soon as a hard drive shows a "Raw Value" greater than 0 on a critical SMART attribute (such as the three that are highlighted in pink in your case), it's a sign that the drive is currently failing. Right now, your hard drive cannot be trusted to safely hold your data anymore, and you should start shopping for a new one as soon as possible (as well as backing up your data right away). There's nothing that can be done when a hard drive is failing; you need to change it. Also, once you get your new hard drive, I strongly suggest you reinstall Windows on it, and not clone your current system and restore it on the new drive, or make an image. Since the drive is failing, you don't know what kind of issues could be transferred by doing that.

Your failing hard drive is also the cause of the "Controller error" in your Event Viewer, and the reason why your scans hang on some files in certain directories. I immediately suspected a failing hard drive when you described your issues, but the GSmartControl test just confirmed it.

To sum it up, none of your issues were caused by malware, but by your failing hard drive.

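The SMART reading in the post above can be automated. The following is an added example, not part of the original thread and not GSmartControl's or smartmontools' own code: a small Python triage script that parses a SMART attribute table in the layout `smartctl -A` prints and applies the rule just stated. A normalised VALUE at or below its THRESH is an outright vendor-declared failure; a non-zero RAW_VALUE on one of the sector/error-count attributes (IDs 5, 187, 188, 196, 197, 198, a commonly used set, assumed here) is a warning even while the drive still "passes". The sample table embedded in the script is constructed; the three non-zero counts mirror the values the poster reported, the other rows are filler, and the attribute names follow smartmontools' default labels.

```python
"""Triage a drive from a SMART attribute table (smartctl -A layout).

Added example; not part of the original thread. The sample input below is
constructed, modelled on the values posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Attributes whose raw value is a count of bad/suspect sectors or transport
# errors (assumed "critical" set). Any non-zero raw value here is a reliability
# warning even while the normalised VALUE is still above THRESH.
CRITICAL_IDS = {
    5: "Reallocated_Sector_Ct",
    187: "Reported_Uncorrect",
    188: "Command_Timeout",
    196: "Reallocated_Event_Count",
    197: "Current_Pending_Sector",
    198: "Offline_Uncorrectable",
}

# Constructed sample in smartctl -A layout (not the thread's own output; the
# three non-zero counts mirror what the poster reported).
SAMPLE_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   006    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x000f   086   086   006    Pre-fail  Always       -       121779910
  9 Power_On_Hours          0x0032   090   090   000    Old_age   Always       -       8760
194 Temperature_Celsius     0x0022   036   050   000    Old_age   Always       -       36 (Min/Max 19/50)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       36
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       36
"""


@dataclass
class Attribute:
    id: int
    name: str
    value: int        # normalised, vendor-scaled (typically 1..253)
    worst: int
    thresh: int       # 0 means "informational only", never fails
    kind: str         # Pre-fail or Old_age
    when_failed: str  # "-" if the attribute never crossed its threshold
    raw: int


def parse_smart_table(text: str) -> list[Attribute]:
    """Parse the data rows of a smartctl -A table; header and noise lines are skipped."""
    attrs: list[Attribute] = []
    for line in text.splitlines():
        parts = line.split()
        # A data row starts with a numeric ID and has at least the ten fixed columns.
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        # RAW_VALUE may carry a suffix such as "(Min/Max 19/50)"; keep the leading integer.
        raw = int(re.match(r"\d+", parts[9]).group())
        attrs.append(Attribute(
            id=int(parts[0]), name=parts[1], value=int(parts[3]),
            worst=int(parts[4]), thresh=int(parts[5]), kind=parts[6],
            when_failed=parts[8], raw=raw,
        ))
    return attrs


def assess(attrs: list[Attribute]) -> list[str]:
    """Return one finding per suspicious attribute, failures before warnings."""
    fails, warns = [], []
    for a in attrs:
        if a.thresh and a.value <= a.thresh:
            # The drive's own firmware says this attribute has failed.
            fails.append(f"FAIL id={a.id} {a.name}: value {a.value} <= thresh {a.thresh}")
        elif a.when_failed != "-":
            fails.append(f"FAIL id={a.id} {a.name}: previously failed ({a.when_failed})")
        elif a.id in CRITICAL_IDS and a.raw > 0:
            # Still "passing" by threshold, but sectors are already going bad.
            warns.append(f"WARN id={a.id} {a.name}: raw count {a.raw} > 0")
    return fails + warns


def triage(text: str) -> tuple[str, list[str]]:
    """Map a SMART table to a verdict: 'replace' if anything is flagged, else 'ok'."""
    findings = assess(parse_smart_table(text))
    return ("replace" if findings else "ok"), findings


if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_SMART)
    print(verdict)
    print("\n".join(findings))
```

Run it as a script to see the verdict for the sample, or feed it the captured output of `smartctl -A /dev/sdX` (GSmartControl's Attributes tab shows the same columns). One caveat: RAW_VALUE is vendor-encoded, and some vendors pack several counters into the 48-bit field, so an unusually large raw number is best read together with the VALUE/WORST/THRESH columns; a normalised value that has fallen well below 100 on a pre-fail attribute, as Reallocated Sector Count did in this thread, is the more reliable sign that the reallocations are real.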


#9 arun2970 (Topic Starter)

Posted 04 May 2016 - 06:44 AM

Thank you Yoan,

After several tests even I was doubting the hard disk; that's why I did take some measures to deal with the situation, which currently brought the system back to life, and it is again at its top speed (benchmark done). I have bought an external hard drive and all my data has been backed up on the hard drive and on servers.

I would appreciate it if you could tell me some additional steps to safeguard the system in terms of viruses, malware, rootkits, adware and the many other harmful programs growing in the Internet community.

Take care and thank you for your time and support :)


Edited by arun2970, 04 May 2016 - 06:45 AM.


#10 Aura (Malware Response Team)

Posted 05 May 2016 - 05:31 PM

After several tests even I was doubting the hard disk; that's why I did take some measures to deal with the situation, which currently brought the system back to life, and it is again at its top speed (benchmark done). I have bought an external hard drive and all my data has been backed up on the hard drive and on servers.


That's good to know :)

I would appreciate it if you could tell me some additional steps to safeguard the system in terms of viruses, malware, rootkits, adware and the many other harmful programs growing in the Internet community.


I do have a little text prepared that answers these questions, so I'm sure you'll find what you're looking for in it :)

Tips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it, making it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released earlier if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits, which are one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like Secunia PSI and Heimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.

Antivirus, Antimalware, Firewall and Anti-Exploit/Ransomware

Having a decent security setup (led by an Antivirus) is the most crucial step to protect a system. These programs are a layer of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Ideally, you should have on your system one Antivirus (never more than one installed at a time), one Antimalware (you can install multiple of these, assuming they do not conflict with each other and the other security programs installed), one Firewall and if you wish, one Anti-Exploit and/or Anti-Ransomware (since ransomware is currently the most dangerous threat around and it can hit anywhere). Here are a few programs worth checking out if you don't have one yet.

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).

Antivirus / Antimalware / Firewall

Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.
  • GlassWire - Has both a free and paid version (with different packages);
  • Windows Firewall Control - Gives you more control over your Windows Firewall;
  • TinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it;

Anti-Exploit/Anti-Ransomware

Web Browsers and Web Browsing

Web Browsers could be considered as the closest door between a malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits.

Hardening your web browser means installing extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc., and protect you at the same time. Here are a few extensions that I recommend you install.
  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome and Mozilla Firefox, called uBlock on Opera);
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera);
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browser);
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers;
  • uMatrix: For advanced users, a point-and-click matrix-like extension that allows you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera);
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser);
As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:

As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far less chances to get infected by a malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you to avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security, to improve your current computer protection setup but also to improve your web browsing and computer usage practices:

The End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on BleepingComputer and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you won't!), you can always come back to this section to get another checkup with one of our trained malware removal members.

Take care and thank you for your time and support :)


No problem arun, you're welcome!

Do you have any questions before I close this thread? :)



#11 arun2970 (Topic Starter)

Posted 06 May 2016 - 09:56 AM

Thank you Yoan...!!!

For your time and for sharing precious information.

I'll incorporate all that you have told me and try to narrow the loopholes in between.

You can close the thread.

Appreciate your help and support.

Take care

With regards

Arun



#12 xXToffeeXx (Malware Response Instructor)

Posted 08 May 2016 - 06:33 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~




