
Need help with infection


13 replies to this topic

#1 bkyota

bkyota

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 29 May 2016 - 12:13 PM

I have been noticing that my computer has been running extremely slow and my memory usage seems extremely high for an idle computer.  Also, I have been getting some weird error messages on startup and today I went to run TFC and got a blue screen.  I'm pretty sure I have picked up a virus or something bad.  Thanks in advance for your help.  Logs attached.

 

 

Attached Files




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:41 AM

Posted 30 May 2016 - 08:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this process in bold via the Control Panel > Programs > Programs and Features applet.
Coupon Printer for Windows (HKLM-x32\...\Coupon Printer for Windows5.0.1.6) (Version: 5.0.1.6 - Coupons.com Incorporated)
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2341234274-2778283208-4228006350-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
FF Plugin: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre1.8.0_40\bin\new_plugin\npjp2.dll [No File]
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-15] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2015-05-18] (Coupons, Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
CHR Extension: (Chrome Web Store Payments) - C:\Users\Ste\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-26]
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [1414128 2015-05-18] (Coupons.com Inc.)
S2 HitmanPro37CrusaderBoot; "D:\HitmanPro_x64.exe" /crusader:boot [X]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [X]
C:\Program Files (x86)\Coupons
 C:\Users\Ste\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features applet.
Java 8 Update 40 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418040F0}) (Version: 8.0.400 - Oracle Corporation)
Java 8 Update 40 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)

Please post the logs and let me know if the problem persists.

#3 bkyota

bkyota
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 30 May 2016 - 10:31 AM

Thanks nasdaq for the help!  Below are the logs you requested.  Did you want me to hit the "clean" button?  The computer is still acting slow and after the restart from the scan I got this message.

 

"NT kernel has changed since the last time you used it"

NTOSKRNL.EXE

Allow access to the network?

 

I also received a power adapter message but that may be nothing.  I tried to uninstall both of the Java's like you recommended but it kept getting hung up because it couldn't close a few processes.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:29-05-2016 02
Ran by Ste (2016-05-30 10:28:58) Run:1
Running from C:\Users\Ste\Desktop
Loaded Profiles: Ste (Available Profiles: Ste)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Coupons.com Inc.) C:\Program Files (x86)\Coupons\CouponPrinterService.exe
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2341234274-2778283208-4228006350-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
FF Plugin: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre1.8.0_40\bin\new_plugin\npjp2.dll [No File]
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-15] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2015-05-18] (Coupons, Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
CHR Extension: (Chrome Web Store Payments) - C:\Users\Ste\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-26]
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [1414128 2015-05-18] (Coupons.com Inc.)
S2 HitmanPro37CrusaderBoot; "D:\HitmanPro_x64.exe" /crusader:boot [X]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [X]
C:\Program Files (x86)\Coupons
 C:\Users\Ste\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\Coupons\CouponPrinterService.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-2341234274-2778283208-4228006350-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.40.2" => key removed successfully
C:\Program Files\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll => moved successfully
"HKLM\Software\MozillaPlugins\@java.com/JavaPlugin" => key removed successfully
"HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.40.2" => key removed successfully
C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll => moved successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll" => not found.
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\msktbird@mcafee.com => value removed successfully
C:\Users\Ste\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
CouponPrinterService => service not found.
HitmanPro37CrusaderBoot => service removed successfully
PCDSRVC{1E208CE0-FB7451FF-06020101}_0 => service removed successfully
"C:\Program Files (x86)\Coupons" => not found.
"C:\Users\Ste\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
EmptyTemp: => 9.7 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 10:34:46 ====

 

 

# AdwCleaner v5.118 - Logfile created 30/05/2016 at 11:04:45
# Updated 23/05/2016 by Xplode
# Database : 2016-05-30.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Ste - STE-PC
# Running from : C:\Users\Ste\Desktop\adwcleaner_5.118.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\Windows\SysWOW64\C2MP

***** [ Files ] *****


***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\protector_dll.Protector
Key Found : HKLM\SOFTWARE\Classes\protector_dll.Protector.1
Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}

***** [ Web browsers ] *****

[C:\Users\Ste\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
[C:\Users\Ste\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com

*************************

C:\AdwCleaner\AdwCleaner[R0].txt - [1331 bytes] - [26/11/2013 21:06:51]
C:\AdwCleaner\AdwCleaner[S0].txt - [1404 bytes] - [26/11/2013 21:10:07]
C:\AdwCleaner\AdwCleaner[S1].txt - [1632 bytes] - [30/05/2016 11:04:45]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1705 bytes] ##########
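The Fixlog above records one outcome per fixlist entry. As an added example (not code from the thread, from FRST or from its author), this Python parser splits a Fixlog into the echoed fixlist and the result lines and groups the results by outcome, so a reviewer can see at a glance what the fix changed, what was already gone, and whether a reboot was required. The sample log is constructed from the one posted above, and the outcome-phrase classification is a heuristic of mine, not FRST's own.

```python
import re

# Constructed sample, modelled on the Fixlog.txt posted in the thread.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version:29-05-2016 02
fixlist content:
*****************
start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
C:\Program Files (x86)\Coupons
End
*****************
Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\Coupons\CouponPrinterService.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll => moved successfully
CouponPrinterService => service not found.
HitmanPro37CrusaderBoot => service removed successfully
"C:\Program Files (x86)\Coupons" => not found.
EmptyTemp: => 9.7 GB temporary data Removed.
The system needed a reboot.
==== End of Fixlog 10:34:46 ====
"""

# Result lines have the shape "<target> => <outcome>"; the trailing period is optional.
RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+?)\.?$")
REBOOT_LINE = "The system needed a reboot."


def classify(outcome):
    """Heuristic (mine, not FRST's): map an outcome phrase to changed / missing / other."""
    o = outcome.lower()
    if "successfully" in o or o.endswith("removed"):
        return "changed"
    if "not found" in o or "no running process" in o:
        # Already gone; in the thread the Coupon Printer had been uninstalled
        # through Control Panel before the fix ran, so these are not failures.
        return "missing"
    return "other"


def parse_fixlog(text):
    """Return the echoed fixlist entries, the per-target results and the reboot flag."""
    fixlist, results, in_fixlist, reboot = [], [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "start":            # echoed fixlist begins
            in_fixlist = True
        elif line == "End":            # echoed fixlist ends
            in_fixlist = False
        elif in_fixlist:
            if line:
                fixlist.append(line)
        elif line == REBOOT_LINE:
            reboot = True
        else:
            m = RESULT_RE.match(line)
            if m:
                results.append({"target": m.group("target").strip('"'),
                                "outcome": m.group("outcome"),
                                "status": classify(m.group("outcome"))})
    return {"fixlist": fixlist, "results": results, "needs_reboot": reboot}


def summarise(text):
    """Group result targets by status for a quick review of what the fix did."""
    report = parse_fixlog(text)
    groups = {"changed": [], "missing": [], "other": []}
    for r in report["results"]:
        groups[r["status"]].append(r["target"])
    groups["needs_reboot"] = report["needs_reboot"]
    groups["fixlist_entries"] = len(report["fixlist"])
    return groups
```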
 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:41 AM

Posted 31 May 2016 - 07:12 AM

Similar issues here.

http://www.symantec.com/connect/forums/nt-kernal-system-has-changed-message

and

http://www.symantec.com/connect/forums/network-threat-protection-ntoskrnlexe-new

Change the setting in your Symantec program.

p.s.
(SEPM) IF THE Symantec Endpoint Protection Manager

Keep me posted.

#5 bkyota

bkyota
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 31 May 2016 - 07:35 AM

NASDAQ,

 

I'm a little confused.  I have no trouble changing the setting but am I correct in understanding that this is not a threat and basically a nuisance?  There seems to be some conflicting ideas.  I am at work now and will do it when I get home.  Do the logs show anything malicious?

 

Thanks



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:41 AM

Posted 31 May 2016 - 08:40 AM

"...am I correct in understanding that this is not a threat and basically a nuisance?"

Yes.

#7 bkyota

bkyota
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 31 May 2016 - 04:35 PM

Ok, I think I was able to get the message to go away but I did not have a "policies" and the box was under "firewall".  I'm ready for your next step.

 

Thanks



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:41 AM

Posted 01 June 2016 - 08:43 AM

Good work.

What problem persists?

#9 bkyota

bkyota
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 01 June 2016 - 03:11 PM

The computer is still acting extremely slow like something is running in the background. Before last week it wasn't an issue. I noticed that there is quite a bit of traffic through the firewall. Some blocked and most not. Also, I keep getting a reoccurring message that svchost is being blocked.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:41 AM

Posted 02 June 2016 - 06:57 AM

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

--RogueKiller--
  • Download RogueKiller and save it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Please post the logs for my review.

#11 bkyota

bkyota
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 02 June 2016 - 07:44 PM

Below are the logs.  It appears that MBAM didn't find anything but when I looked in the quarantined items, there were many.  I think they are from older scans that have not been deleted.  I'm not sure how to show you them because I can't find the logs. 

 

Rogue Killer did find a few things though but none of them were "red" so I didn't delete them.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/2/2016
Scan Time: 5:38 PM
Logfile: MBAM.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.02.05
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Ste

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 384682
Time Elapsed: 1 hr, 13 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

RogueKiller V12.3.1.0 [May 30 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ste [Administrator]
Started from : C:\Users\Ste\Desktop\RogueKiller.exe
Mode : Scan -- Date : 06/02/2016 20:14:41

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 5 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BHDrvx64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\BASHDefs\20160518.011\BHDrvx64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\VirusDefs\20160530.025\ENG64.SYS) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\VirusDefs\20160530.025\EX64.SYS) -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2341234274-2778283208-4228006350-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2341234274-2778283208-4228006350-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.Proxy][FIREFX:Config] wwvsylb8.default-1413406142012 : user_pref("network.proxy.type", 1); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 3a4722faeb4c197b96c6f82f5c70d749
[BSP] 7a830983e6b361a88d1030bef2225588 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 15000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30926848 | Size: 461838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:41 AM

Posted 03 June 2016 - 06:33 AM

Run the RogueKiller tool and fix everything that was identified.

If default setting will be used.

Keep me posted.

#13 bkyota

bkyota
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 05 June 2016 - 08:23 AM

I ran it twice and below are the logs.

 

RogueKiller V12.3.1.0 [May 30 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ste [Administrator]
Started from : C:\Users\Ste\Desktop\RogueKiller.exe
Mode : Delete -- Date : 06/03/2016 23:23:49

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 5 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BHDrvx64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\BASHDefs\20160518.011\BHDrvx64.sys) -> ERROR [5]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\VirusDefs\20160530.025\ENG64.SYS) -> ERROR [5]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\VirusDefs\20160530.025\EX64.SYS) -> ERROR [5]
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2341234274-2778283208-4228006350-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2341234274-2778283208-4228006350-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.Proxy][FIREFX:Config] wwvsylb8.default-1413406142012 : user_pref("network.proxy.type", 1); -> Replaced (0)

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 3a4722faeb4c197b96c6f82f5c70d749
[BSP] 7a830983e6b361a88d1030bef2225588 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 15000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30926848 | Size: 461838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

 

RogueKiller V12.3.1.0 [May 30 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ste [Administrator]
Started from : C:\Users\Ste\Desktop\RogueKiller.exe
Mode : Delete -- Date : 06/04/2016 19:15:51

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BHDrvx64 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\BASHDefs\20160518.011\BHDrvx64.sys) -> ERROR [5]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\VirusDefs\20160530.025\ENG64.SYS) -> ERROR [5]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVEX15 (\??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\VirusDefs\20160530.025\EX64.SYS) -> ERROR [5]

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] 3a4722faeb4c197b96c6f82f5c70d749
[BSP] 7a830983e6b361a88d1030bef2225588 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 15000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30926848 | Size: 461838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
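Post #11 was a Scan run and the two reports above are Delete runs; the Suspicious.Path entries came back ERROR [5] both times while the PUM entries were replaced. As an added example (not RogueKiller's or the thread's own code), this Python script parses a Scan and a later Delete report, matches entries across the two runs and separates what was remediated from what could not be. The logs are constructed and shortened from the ones posted (SID and definition paths abbreviated), and the reading of ERROR [5] as an access-denied result is my assumption, not something the tool states.

```python
import re

# Constructed samples, shortened from the Scan (post #11) and Delete (post #13)
# reports in the thread; SID and Symantec definition paths are abbreviated.
SCAN_LOG = r"""RogueKiller V12.3.1.0 [May 30 2016] (Free) by Adlice Software
Mode : Scan -- Date : 06/02/2016 20:14:41
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BHDrvx64 (\??\C:\ProgramData\Symantec\SEP\Defs\BHDrvx64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\SEP\Defs\ENG64.SYS) -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Proxy][FIREFX:Config] wwvsylb8.default : user_pref("network.proxy.type", 1); -> Found
"""

DELETE_LOG = r"""RogueKiller V12.3.1.0 [May 30 2016] (Free) by Adlice Software
Mode : Delete -- Date : 06/03/2016 23:23:49
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BHDrvx64 (\??\C:\ProgramData\Symantec\SEP\Defs\BHDrvx64.sys) -> ERROR [5]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAVENG (\??\C:\ProgramData\Symantec\SEP\Defs\ENG64.SYS) -> ERROR [5]
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.Proxy][FIREFX:Config] wwvsylb8.default : user_pref("network.proxy.type", 1); -> Replaced (0)
"""

# "[Category][Source] (Arch) item -> outcome"; Source and Arch are optional.
ENTRY_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\](?:\[(?P<source>[^\]]+)\])?\s*"
    r"(?:\((?P<arch>X64|X86)\)\s*)?(?P<item>.+?)\s*->\s*(?P<outcome>.+?)\s*$")
MODE_RE = re.compile(r"^Mode : (?P<mode>\w+) -- Date : (?P<date>.+)$")


def outcome_status(outcome):
    """Normalise the tail of an entry to detected / remediated / failed / other."""
    if outcome.startswith("Found"):
        return "detected"
    if outcome.startswith(("Replaced", "Deleted")):
        # e.g. Firefox network.proxy.type 1 (manual proxy) replaced with 0 (no proxy).
        return "remediated"
    if outcome.startswith("ERROR"):
        # Assumption: the bracketed number is a Win32 error code; 5 is
        # ERROR_ACCESS_DENIED, consistent with a self-protected AV driver path.
        return "failed"
    return "other"


def parse_report(text):
    """Return the run mode and date plus entries keyed by (category, arch, item)."""
    report = {"mode": None, "date": None, "entries": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = MODE_RE.match(line)
        if m:
            report["mode"], report["date"] = m.group("mode"), m.group("date")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = outcome_status(entry["outcome"])
            report["entries"][(entry["category"], entry["arch"], entry["item"])] = entry
    return report


def compare_runs(scan_text, delete_text):
    """Match each Scan finding against the later Delete run by its key."""
    scan, delete = parse_report(scan_text), parse_report(delete_text)
    result = {"remediated": [], "unresolved": [], "not_rescanned": []}
    for key in scan["entries"]:
        after = delete["entries"].get(key)
        if after is None:
            result["not_rescanned"].append(key)
        elif after["status"] == "remediated":
            result["remediated"].append(key)
        else:
            result["unresolved"].append(key)   # still Found, or ERROR
    return result
```

Entries that stay "unresolved" across repeated Delete runs are the ones worth looking at by hand rather than re-running the tool, which is what the thread's next step (updating SEP itself) amounts to.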


 



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:41 AM

Posted 05 June 2016 - 09:03 AM

I suggest you get the latest version of Symantec Endpoint Protection (SEP)
https://support.symantec.com/en_US/article.TECH103088.html

When completed restart the computer normally.

How is it now?



