
Keyboard and mouse problems in all OS at the same HD


6 replies to this topic

#1 Smietaneq


Posted 15 May 2016 - 06:28 PM

Problem: It seems like FilterKeys is activated all the time and in all OSes on the HD. It started in Windows XP, then in Ubuntu (in Ubuntu it worked fine during the first 2-3 reboots; in each of them everything works well for the first 10 mins, then the utility shows an error) and now in Windows 7 Lite.
When I try to write it's like I am pressing Shift all the time; when I activate Caps Lock the letters are small, but instead of numbers I still get symbols (!"· etc...). In accessibility options FilterKeys is disabled. In the Windows registry the first time it was set to 2 (ON all the time), then I changed it to 0 (OFF) and it didn't change; then I tried again and the value 0 stays, but it didn't work.
I think it's some kind of firmware virus. Can it be deleted, or do I need to buy a new HD?
Keyboard and mouse are PS/2; I checked a USB keyboard and mouse but they have the same problem.
Tried to reinstall the controllers but it didn't work.
In a Live USB system everything works normally.


Edited by Smietaneq, 15 May 2016 - 06:29 PM.




#2 Smietaneq


Posted 20 May 2016 - 12:28 PM

ComboFix Log 
 

 

ComboFix 16-05-18.01 - Mesa 20/05/2016  19:48:47.1.2 - x86

Microsoft Windows 7 Ultimate   6.1.7601.1.1252.34.3082.18.1014.667 [GMT 2:00]
Running from: D:\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2016-04-20 to 2016-05-20  )))))))))))))))))))))))))))))))
.
.
2016-05-20 17:59 . 2016-05-20 17:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-05-20 06:45 . 2016-05-20 06:51 -------- d-----w- c:\programdata\HitmanPro
2016-05-20 05:25 . 2016-05-20 05:25 -------- d-----w- c:\users\Mesa\Doctor Web
2016-05-20 04:39 . 2016-05-20 17:33 -------- d-----w- c:\programdata\Glarysoft
2016-05-20 04:32 . 2016-05-20 04:32 -------- d-----w- c:\users\Mesa\AppData\Roaming\DiskDefrag
2016-05-20 04:27 . 2016-05-20 17:25 -------- d-----w- c:\users\Mesa\AppData\Roaming\GlarySoft
2016-05-20 04:27 . 2016-05-20 17:33 -------- d-----w- c:\program files\Glarysoft
2016-05-20 00:10 . 2016-05-20 00:10 24688 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2016-05-20 00:07 . 2016-05-20 01:08 -------- d-----w- c:\programdata\RogueKiller
2016-05-19 01:55 . 2016-05-20 17:26 -------- d-----w- c:\programdata\Sophos
2016-05-18 23:41 . 2016-05-18 23:41 -------- d-----w- C:\TDSSKiller_Quarantine
2016-05-18 23:04 . 2016-05-18 23:36 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2016-05-15 23:59 . 2016-05-15 23:59 -------- d-----w- C:\KVRT_Data
2016-05-15 15:26 . 2016-05-15 15:26 19984 ----a-w- c:\windows\system32\drivers\EsgScanner.sys
2016-05-15 04:15 . 2016-05-15 04:15 -------- d-----w- C:\385ca9f09132d1ef29
2016-05-15 04:14 . 2016-05-15 04:14 -------- d-----w- C:\e1be0fcb4a068bc1ea11
2016-05-15 04:10 . 2016-05-15 04:10 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2016-05-15 01:57 . 2016-05-20 04:58 -------- d-----r- C:\ASDSDF
2016-05-14 19:29 . 2016-05-14 19:29 -------- d-----w- c:\programdata\Malwarebytes
2016-05-14 19:29 . 2016-05-14 19:29 -------- d-----w- c:\users\Mesa\AppData\Local\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"appOnt"="c:\programdata\ESET\ESET NOD32 Antivirus\app\appOnt.exe" [2015-11-09 1390461]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys [2016-05-15 19984]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [x]
R3 MFE_RR;MFE_RR;c:\users\Mesa\AppData\Local\Temp\mfe_rr.sys [x]
S3 L1C;Controlador de minipuerto NDIS para controladora Ethernet Atheros AR8131/AR8132 PCI-E (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-13 50688]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2011-02-03 21:26 1186968 ----a-w- c:\program files\Google\Chrome\Application\50.0.2661.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2016-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2016-04-13 18:28]
.
2016-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2016-04-13 18:28]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 87.216.1.65 87.216.1.66
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-84988590.sys
SafeBoot-90053976.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-05-20  20:04:35
ComboFix-quarantined-files.txt  2016-05-20 18:04
.
Pre-Run: 153.490.927.616 bytes libres
Post-Run: 153.710.206.976 bytes libres
.
- - End Of File - - D539876BF4BC0A5779D35B4623D5D2D1
A36C5E4F47E84449FF07ED3517B43A31
 

Also in those days I tried a few antiviruses (Malwarebytes, Avast, SpyHunter, RegHunter (shows 383 but cannot delete them, manually either, permission denied), Kaspersky etc...)



#3 Smietaneq


Posted 20 May 2016 - 01:24 PM

29774 detections in RootkitRevealer, but when I launch it Windows pops up a detection of interactive services (not sure if I translated it well), so I cannot make and save the log.



#4 boopme (Global Moderator)

Posted 20 May 2016 - 02:50 PM

Hi, we need to get a deeper look. Repost with an FRST log (see guide). Start at step 6.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#5 Smietaneq


Posted 20 May 2016 - 03:45 PM

Ran from Desktop,
Whitelist
Registry - Yes
Services - Yes
Drivers - Yes
Processes - Yes
Internet - Yes

Optional Scan:
Addition.txt - Yes
(default settings)

FRST.txt
 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:19-05-2016

Ran by Mesa (administrator) on MESA-PC (20-05-2016 23:38:28)
Running from C:\Users\Mesa\Desktop
Loaded Profiles: Mesa (Available Profiles: Mesa)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: Español (España, internacional)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Google Inc.) C:\Program Files\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKU\S-1-5-21-94929791-2268304470-4175259798-1000\...\Run: [appOnt] => C:\ProgramData\ESET\ESET NOD32 Antivirus\app\appOnt.exe [1390461 2015-11-09] ()
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [10240 2009-07-14] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 87.216.1.65 87.216.1.66
Tcpip\..\Interfaces\{7EC81C2D-3279-4A8A-9059-5D8146D05DC7}: [DhcpNameServer] 87.216.1.65 87.216.1.66
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-94929791-2268304470-4175259798-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-94929791-2268304470-4175259798-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
 
FireFox:
========
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2011-02-03] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2011-02-03] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Mesa\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Mesa\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-17]
CHR Extension: (Google Drive) - C:\Users\Mesa\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-17]
CHR Extension: (YouTube) - C:\Users\Mesa\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-17]
CHR Extension: (Documentos de Google sin conexión) - C:\Users\Mesa\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-17]
CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\Mesa\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-13]
CHR Extension: (Gmail) - C:\Users\Mesa\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-20]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 KZJI; C:\Users\Mesa\AppData\Local\Temp\KZJI.exe [498560 2016-05-20] (Sysinternals - www.sysinternals.com) [File not signed]
S3 LSQKGPD; C:\Users\Mesa\AppData\Local\Temp\LSQKGPD.exe [588672 2016-05-20] (Sysinternals - www.sysinternals.com) [File not signed]
S3 XZYXJTPOO; C:\Users\Mesa\AppData\Local\Temp\XZYXJTPOO.exe [359296 2016-05-20] (Sysinternals - www.sysinternals.com) [File not signed]
S2 WinDefend; %ProgramFiles%\Windows Defender\mpsvc.dll [X]
S2 wscsvc; %SYSTEMROOT%\system32\wscsvc.dll [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [19984 2016-05-15] ()
S3 catchme; \??\C:\Users\Mesa\AppData\Local\Temp\catchme.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 MFE_RR; \??\C:\Users\Mesa\AppData\Local\Temp\mfe_rr.sys [X]
U5 W32Time; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-05-20 23:38 - 2016-05-20 23:39 - 00005205 _____ C:\Users\Mesa\Desktop\FRST.txt
2016-05-20 23:38 - 2016-05-20 23:38 - 00000000 ____D C:\FRST
2016-05-20 23:33 - 2016-05-20 23:33 - 01732608 _____ (Farbar) C:\Users\Mesa\Desktop\FRST.exe
2016-05-20 20:53 - 2016-05-20 20:53 - 00001290 _____ C:\Users\Mesa\Desktop\RootkitRevealer - Acceso directo.lnk
2016-05-20 20:04 - 2016-05-20 20:04 - 00004696 _____ C:\ComboFix.txt
2016-05-20 19:45 - 2016-05-20 20:04 - 00000000 ____D C:\Qoobox
2016-05-20 19:45 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
2016-05-20 19:45 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
2016-05-20 19:45 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-05-20 19:45 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-05-20 19:45 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-05-20 19:45 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
2016-05-20 19:45 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
2016-05-20 19:45 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
2016-05-20 19:44 - 2016-05-20 20:00 - 00000000 ____D C:\Windows\erdnt
2016-05-20 19:27 - 2016-05-20 19:27 - 00000000 ____D C:\Windows\system32\appmgmt
2016-05-20 12:58 - 2016-05-20 12:58 - 00000000 ____D C:\ProgramData\ESET
2016-05-20 09:15 - 2016-05-20 09:15 - 00830384 _____ C:\Users\Mesa\Downloads\eas_live.exe
2016-05-20 08:56 - 2016-05-20 08:56 - 00784152 _____ (McAfee, Inc.) C:\Users\Mesa\Downloads\rootkitremover.exe
2016-05-20 08:45 - 2016-05-20 08:51 - 00000000 ____D C:\ProgramData\HitmanPro
2016-05-20 08:44 - 2016-05-20 08:46 - 10451640 _____ (SurfRight B.V.) C:\Users\Mesa\Downloads\HitmanPro.exe
2016-05-20 08:27 - 2016-05-20 08:27 - 00024576 _____ C:\Windows\system32\config\SYSTEM.gu
2016-05-20 07:25 - 2016-05-20 07:25 - 00000000 ____D C:\Users\Mesa\Doctor Web
2016-05-20 07:04 - 2016-05-20 07:19 - 191293488 _____ C:\Users\Mesa\Downloads\ze7ka1mo.exe
2016-05-20 06:39 - 2016-05-20 19:33 - 00000000 ____D C:\ProgramData\Glarysoft
2016-05-20 06:32 - 2016-05-20 06:32 - 00000000 ____D C:\Users\Mesa\AppData\Roaming\DiskDefrag
2016-05-20 06:30 - 2016-05-20 06:37 - 149832064 _____ C:\Users\Mesa\Downloads\mhsetup.exe
2016-05-20 06:27 - 2016-05-20 19:33 - 00000000 ____D C:\Program Files\Glarysoft
2016-05-20 06:27 - 2016-05-20 19:25 - 00000000 ____D C:\Users\Mesa\AppData\Roaming\GlarySoft
2016-05-20 06:27 - 2016-05-20 06:31 - 00002223 _____ C:\GUDownLoaddebug.txt
2016-05-20 06:07 - 2016-05-20 06:07 - 00105416 _____ C:\Windows\system32\FNTCACHE.DAT
2016-05-20 06:07 - 2016-05-20 06:07 - 00015416 _____ C:\Users\Mesa\AppData\Local\GDIPFONTCACHEV1.DAT
2016-05-20 04:04 - 2016-05-20 04:04 - 00000000 _____ C:\autoexec.bat
2016-05-20 03:10 - 2016-05-20 03:12 - 14856368 _____ (Enigma Software Group USA, LLC.) C:\Users\Mesa\Downloads\RegHunter-Installer.exe
2016-05-20 02:10 - 2016-05-20 02:10 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-05-20 02:07 - 2016-05-20 03:08 - 00000000 ____D C:\ProgramData\RogueKiller
2016-05-20 01:09 - 2016-05-20 01:12 - 28891224 _____ (Adlice Software ) C:\Users\Mesa\Downloads\setup.exe
2016-05-19 03:55 - 2016-05-20 19:26 - 00000000 ____D C:\ProgramData\Sophos
2016-05-19 03:42 - 2016-05-19 03:51 - 150347432 _____ (Sophos Limited) C:\Users\Mesa\Downloads\Sophos Virus Removal Tool.exe
2016-05-19 03:31 - 2016-05-19 03:32 - 05198336 _____ (AVAST Software) C:\Users\Mesa\Downloads\aswMBR.exe
2016-05-19 03:28 - 2016-05-20 05:08 - 00000000 ____D C:\Windows\Minidump
2016-05-19 03:05 - 2016-05-19 03:05 - 00000000 _____ C:\Users\Mesa\Downloads\dy3m8hoi.bat
2016-05-19 03:04 - 2016-05-19 03:04 - 00000000 _____ C:\Users\Mesa\Downloads\dy3m8hoi.reg
2016-05-19 01:54 - 2016-05-19 01:54 - 00380928 _____ C:\Users\Mesa\Downloads\dy3m8hoi.exe
2016-05-19 01:50 - 2016-05-19 01:51 - 07269656 _____ (Bitdefender LLC) C:\Users\Mesa\Downloads\BootkitRemoval_x86.exe
2016-05-19 01:42 - 2016-05-19 01:44 - 00416820 _____ C:\TDSSKiller.3.1.0.9_19.05.2016_01.42.22_log.txt
2016-05-19 01:41 - 2016-05-19 01:41 - 00000000 ____D C:\TDSSKiller_Quarantine
2016-05-19 01:39 - 2016-05-19 01:41 - 00418406 _____ C:\TDSSKiller.3.1.0.9_19.05.2016_01.39.01_log.txt
2016-05-19 01:35 - 2016-05-19 01:37 - 00004204 _____ C:\TDSSKiller.3.1.0.9_19.05.2016_01.35.14_log.txt
2016-05-19 01:33 - 2016-05-19 01:33 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\Mesa\Downloads\tdsskiller.exe
2016-05-19 01:04 - 2016-05-19 01:36 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-05-19 01:03 - 2016-05-19 01:36 - 00000000 ____D C:\Users\Mesa\Desktop\mbar
2016-05-19 01:02 - 2016-05-19 01:03 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Mesa\Downloads\mbar-1.09.3.1001.exe
2016-05-18 22:36 - 2016-05-20 21:00 - 00000000 ____D C:\Users\Mesa\Downloads\RootkitRevealer
2016-05-18 22:36 - 2016-05-18 22:36 - 00231390 _____ C:\Users\Mesa\Downloads\RootkitRevealer.zip
2016-05-16 01:59 - 2016-05-16 01:59 - 00000000 ____D C:\KVRT_Data
2016-05-16 01:42 - 2016-05-16 01:43 - 00046525 _____ C:\Users\Mesa\Downloads\MTB.txt
2016-05-16 01:42 - 2016-05-16 01:42 - 00891392 _____ (Farbar) C:\Users\Mesa\Downloads\MiniToolBox.exe
2016-05-16 01:38 - 2016-05-16 01:39 - 00003761 _____ C:\Users\Mesa\Downloads\FSS.txt
2016-05-16 01:38 - 2016-05-16 01:38 - 00899584 _____ (Farbar) C:\Users\Mesa\Downloads\FSS.exe
2016-05-16 01:18 - 2016-05-16 01:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VirusTotal Uploader 2.2
2016-05-16 01:17 - 2016-05-16 01:17 - 00142744 _____ C:\Users\Mesa\Downloads\vtuploader2.2.exe
2016-05-15 17:26 - 2016-05-15 17:26 - 00019984 _____ C:\Windows\system32\Drivers\EsgScanner.sys
2016-05-15 17:25 - 2016-05-15 17:26 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\Mesa\Downloads\SpyHunter-Installer.exe
2016-05-15 07:45 - 2016-05-15 07:45 - 00000001 _____ C:\Users\Mesa\AppData\Local\llftool.4.40.agreement
2016-05-15 06:15 - 2016-05-15 06:15 - 00000000 ____D C:\385ca9f09132d1ef29
2016-05-15 06:14 - 2016-05-15 06:14 - 00000000 ____D C:\e1be0fcb4a068bc1ea11
2016-05-15 06:10 - 2016-05-15 06:10 - 00000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
2016-05-15 06:02 - 2016-05-15 06:09 - 161413320 _____ (Kaspersky Lab) C:\Users\Mesa\Downloads\kav16.0.0.614es-es.exe
2016-05-15 03:57 - 2016-05-20 06:58 - 00000000 ___RD C:\ASDSDF
2016-05-14 21:29 - 2016-05-14 21:29 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-05-14 21:26 - 2016-05-14 21:28 - 22851472 _____ (Malwarebytes ) C:\Users\Mesa\Downloads\mbam-setup-cnet.35891-2.2.1.1043.exe
2016-04-20 23:49 - 2016-04-20 23:49 - 00000326 _____ C:\Users\Mesa\Desktop\TECLADO.reg
2016-04-20 22:20 - 2016-04-20 22:20 - 00000075 _____ C:\Users\Mesa\Desktop\NUMLOCK.VBS
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-05-20 23:30 - 2016-04-13 20:28 - 00001084 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-20 23:30 - 2009-07-14 06:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-20 21:35 - 2009-07-14 06:34 - 00053600 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-20 21:35 - 2009-07-14 06:34 - 00053600 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-20 21:21 - 2016-04-13 20:28 - 00001088 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-20 19:59 - 2009-07-14 04:04 - 00000215 _____ C:\Windows\system.ini
2016-05-20 19:34 - 2009-07-14 04:37 - 00000000 ____D C:\Windows\inf
2016-05-20 08:36 - 2010-11-21 02:30 - 00694386 _____ C:\Windows\system32\perfh00A.dat
2016-05-20 08:36 - 2010-11-21 02:30 - 00134448 _____ C:\Windows\system32\perfc00A.dat
2016-05-20 08:36 - 2010-11-20 23:01 - 01530066 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-20 08:27 - 2016-04-13 20:02 - 00000000 ____D C:\Users\Mesa
2016-05-20 08:27 - 2011-03-20 03:13 - 11796480 _____ C:\Windows\system32\config\SYSTEM.gu.bak
2016-05-20 08:27 - 2011-03-20 03:13 - 00262144 _____ C:\Windows\system32\config\DEFAULT.gu.bak
2016-05-20 08:27 - 2011-03-20 03:12 - 21233664 _____ C:\Windows\system32\config\SOFTWARE.gu.bak
2016-05-20 08:27 - 2009-07-14 04:03 - 00262144 _____ C:\Windows\system32\config\SECURITY.gu.bak
2016-05-20 08:27 - 2009-07-14 04:03 - 00262144 _____ C:\Windows\system32\config\SAM.gu.bak
2016-05-20 05:08 - 2011-03-19 01:31 - 00000000 ____D C:\Windows\Panther
2016-05-15 06:40 - 2016-04-13 20:28 - 00000000 ____D C:\Users\Mesa\AppData\Local\Google
 
==================== Files in the root of some directories =======
 
2016-05-15 07:45 - 2016-05-15 07:45 - 0000001 _____ () C:\Users\Mesa\AppData\Local\llftool.4.40.agreement
 
Some files in TEMP:
====================
C:\Users\Mesa\AppData\Local\temp\KZJI.exe
C:\Users\Mesa\AppData\Local\temp\LSQKGPD.exe
C:\Users\Mesa\AppData\Local\temp\USPWAOJRS.exe
C:\Users\Mesa\AppData\Local\temp\XZYXJTPOO.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2011-03-20 03:12
 
==================== End of FRST.txt ============================

Addition.txt 

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version:19-05-2016

Ran by Mesa (2016-05-20 23:39:54)
Running from C:\Users\Mesa\Desktop
Microsoft Windows 7 Ultimate  Service Pack 1 (X86) (2016-04-13 18:02:12)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrador (S-1-5-21-94929791-2268304470-4175259798-500 - Administrator - Disabled)
Invitado (S-1-5-21-94929791-2268304470-4175259798-501 - Limited - Disabled)
Mesa (S-1-5-21-94929791-2268304470-4175259798-1000 - Administrator - Enabled) => C:\Users\Mesa
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Google Chrome (HKLM\...\Google Chrome) (Version: 50.0.2661.102 - Google Inc.)
Google Update Helper (Version: 1.3.30.3 - Google Inc.) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {37C8C613-0B07-44D3-8605-6CB43EBD70F9} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2016-04-13] (Google Inc.)
Task: {A6394592-54CE-4E93-8D64-1A068F462632} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator => C:\Windows\System32\wsqmcons.exe
Task: {F755C9E6-7BAE-4173-AF31-EA91E0D858DB} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2016-04-13] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 04:04 - 2009-06-10 23:39 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-94929791-2268304470-4175259798-1000\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 87.216.1.65 - 87.216.1.66
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{1332E457-7A94-4D77-B52A-5A15B15C5972}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.
 
 
==================== Faulty Device Manager Devices =============
 
Name: Controladora de vídeo
Description: Controladora de vídeo
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/20/2016 11:32:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (05/20/2016 09:15:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (05/20/2016 09:00:39 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (05/20/2016 08:37:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (05/20/2016 07:45:03 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (05/20/2016 07:39:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (05/20/2016 07:31:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (05/20/2016 07:18:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (05/20/2016 07:18:01 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: El programa SpyHunter4.com, versión 4.22.8.4668, dejó de interactuar con Windows y se cerró. Para ver si hay más información disponible acerca del problema, compruebe el historial de problemas en el panel de control Centro de actividades.
 
Identificador de proceso: 69c
 
Hora de inicio: 01d1b2bb6bb0502d
 
Hora de finalización: 2200
 
Ruta de acceso de la aplicación: C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.com
 
Identificador de informe: b8d10a16-1eae-11e6-a5ad-0026229780a4
 
Error: (05/20/2016 07:11:38 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: El programa SpyHunter4.com, versión 4.22.8.4668, dejó de interactuar con Windows y se cerró. Para ver si hay más información disponible acerca del problema, compruebe el historial de problemas en el panel de control Centro de actividades.
 
Identificador de proceso: 6d0
 
Hora de inicio: 01d1b2b4d3a52761
 
Hora de finalización: 453
 
Ruta de acceso de la aplicación: C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.com
 
Identificador de informe: daeb8c9d-1ead-11e6-a8b3-0026229780a4
 
 
System errors:
=============
Error: (05/20/2016 11:32:27 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: El servicio wscsvc no pudo iniciarse debido al siguiente error: 
%%1083
 
Error: (05/20/2016 11:30:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: El servicio WinDefend no pudo iniciarse debido al siguiente error: 
%%1053
 
Error: (05/20/2016 11:30:25 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Se agotó el tiempo de espera (30000 ms) para la conexión con el servicio WinDefend.
 
Error: (05/20/2016 11:30:14 PM) (Source: Ntfs) (EventID: 137) (User: )
Description: El administrador de recursos de transacción en el volumen \\?\Volume{c2111cbb-019f-11e6-be2e-806e6f6e6963} detectó un error irreproducible y no se pudo iniciar. Los datos contienen el código de error.
 
Error: (05/20/2016 09:15:30 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: El servicio wscsvc no pudo iniciarse debido al siguiente error: 
%%1083
 
Error: (05/20/2016 09:14:21 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: El servicio XZYXJTPOO ha sido marcado como servicio interactivo. Sin embargo, el sistema está configurado para no permitir servicios interactivos. Este servicio puede tener un funcionamiento incorrecto.
 
Error: (05/20/2016 09:13:27 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: El servicio WinDefend no pudo iniciarse debido al siguiente error: 
%%1053
 
Error: (05/20/2016 09:13:27 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Se agotó el tiempo de espera (30000 ms) para la conexión con el servicio WinDefend.
 
Error: (05/20/2016 09:13:16 PM) (Source: Ntfs) (EventID: 137) (User: )
Description: El administrador de recursos de transacción en el volumen \\?\Volume{c2111cbb-019f-11e6-be2e-806e6f6e6963} detectó un error irreproducible y no se pudo iniciar. Los datos contienen el código de error.
 
Error: (05/20/2016 09:11:24 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: El servicio I ha sido marcado como servicio interactivo. Sin embargo, el sistema está configurado para no permitir servicios interactivos. Este servicio puede tener un funcionamiento incorrecto.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Atom™ CPU N270 @ 1.60GHz
Percentage of memory in use: 82%
Total physical RAM: 1014.06 MB
Available physical RAM: 179.87 MB
Total Virtual: 2038.06 MB
Available Virtual: 1131.75 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:148.95 GB) (Free:143.16 GB) NTFS
Drive d: (MULTIBOOT) (Removable) (Total:3.61 GB) (Free:3.6 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 000BB037)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 3.6 GB) (Disk ID: 002D094C)
Partition 1: (Active) - (Size=3.6 GB) - (Type=0B)
 
==================== End of Addition.txt ============================


#6 boopme (Global Moderator)

Posted 20 May 2016 - 07:27 PM

Please review step 7, thanks.

#7 Smietaneq


Posted 20 May 2016 - 08:11 PM

Done, feel free to delete this one; also it would be nice if you could check my new topic to see if I put something wrong.
http://www.bleepingcomputer.com/forums/t/614619/rootkitbootkit-survive-system-wipe-mouse-and-keyboard-problems/
 





