Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Google Enables Safe Browsing Support in Android's WebView Browser

Featured Deal: Get 92% off a Microsoft Azure Mastery Bundle Deal

(Security.Hijack) / (Trojan.Agent)

Started by LetGetStarted , Dec 07 2016 11:28 AM

Please log in to reply

2 replies to this topic

#1 LetGetStarted

Members
2 posts
OFFLINE

Local time:09:09 AM

Posted 07 December 2016 - 11:28 AM

Hello. I've performed some scans with tools found in some of the threads here for example: Malwarebytes Anti-Rootkit which as you can see has picked up something what a paid Norton subscription could not. Below are all of what has been removed and every scan using this very tool has come back clean ever since. Something still lurks in the svchost...I think., (probably) and I'll post the RKill results shortly after.

================================================================================================

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
main: v2014.11.18.05
rootkit: v2014.11.12.01

Windows 10 x64 NTFS
Internet Explorer 11.447.14393.0
AM-I-INFECTED :: DESKTOP-ACTI** [administrator]

06/12/2016 21:39:06
mbar-log-2016-12-06 (21-39-06).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 389178
Time elapsed: 44 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [a79685b85d1ff046ceffbb39c43fcf31]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [211c66d7265672c4d313748001022ed2]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [192477c66f0d5bdb0105d225cb38bb45]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [cd7039045923b18539949b595fa4ad53]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [8db0b38a48343cfa8e582bc9649f6898]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [c5788eafef8d1d19d036fdfa45be50b0]

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Edited by LetGetStarted, 07 December 2016 - 11:33 AM.

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 LetGetStarted

Topic Starter

Members
2 posts
OFFLINE

Local time:09:09 AM

Posted 07 December 2016 - 11:37 AM

Rkill keeps coming up with items in the svchost. Can anyone help me out with all this, please? Need to make sure pc totally clean of EVERYTHING if that possible? Thanks

=======================================================================================

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/07/2016 03:17:02 PM in x64 mode.
Windows Version: Windows 10 Home

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* gagp30kx [Missing Service]
* IEEtwCollectorService [Missing Service]
* IoQos [Missing Service]
* nv_agp [Missing Service]
* TimeBroker [Missing Service]
* uagp35 [Missing Service]
* uliagpkx [Missing Service]
* WcsPlugInService [Missing Service]
* wpcfltr [Missing Service]
* WSService [Missing Service]

* agp440 [Missing ImagePath]

* AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
* WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

* vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
* vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 12/07/2016 03:19:38 PM
Execution time: 0 hours(s), 2 minute(s), and 36 seconds(s)