
Trojan.lameshield,upatre,EOPEgen and PUP...


  • This topic is locked
11 replies to this topic

#1 live_73

live_73

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 06 February 2017 - 07:05 AM

Hello!

 

First time here! Sorry if I'm in the wrong forum. I have used a Finnish forum before, but they have stopped analyzing these logs.

 

I have tried to repair my father's laptop (Windows 7 Home Premium).

 

The whole computer is stuck in normal mode; safe mode works quite well. Software doesn't open at all. Windows starts very slowly. I scanned with Malwarebytes, OTL.exe (loki.txt), ESET Online, Trend Micro scanner, Norton Power Eraser, Spybot and FRST. Malwarebytes found trojans and PUPs and I removed those, but nothing special in the other software (some cookies).

 

Here are my logs. Can someone help me anyway, or should I just reinstall Windows?

Attached Files


Edited by live_73, 06 February 2017 - 07:13 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:10 AM

Posted 06 February 2017 - 09:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please run the Malwarebytes program and delete everything that was found.

===

Disable Avast for the moment. Leave it disabled until this computer is working in normal mode.
AV: Avast Antivirus (Enabled - Out of date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Avast Antivirus (Enabled - Out of date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CHR Plugin: (Java(TM) Platform SE 6 U32) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.320.5) - C:\Windows\SysWOW64\npdeployJava1.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
CHR Extension: (Chrome Web Storen maksut) - C:\Users\Seppo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-16]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S4 RtVOsdService; "C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe" [X]
S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the system drive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

---

While I check your logs please run this SFC.exe tool if you have NOT already run it recently.

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed, refer to the Microsoft article again and follow the instructions to view the details of the System File Checker process.

Post also the contents of the sfcdetails.txt file for my review.

#3 live_73

live_73
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 07 February 2017 - 09:57 AM

Hello again!

 

All scans were made in safe mode! Normal mode is still slow after the scans. Software doesn't open correctly; I tried Firefox, Avast etc. The Malwarebytes scan was clean (malware.log also included). Also, Windows shutting down normally gets stuck!

 

The Zoek.exe log might be short. This computer shut down during the scan after 50 minutes of scanning (too hot), after I went to sleep!

________

 
Report.roque.txt

 

RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : Seppo [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/06/2017 21:56:24 (Duration : 00:39:36)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 6 ¤¤¤
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2435819539-621283541-197821731-1000\Software\YahooPartnerToolbar -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2435819539-621283541-197821731-1000\Software\YahooPartnerToolbar -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6C7E58CE-4147-4813-8A61-EF125AEFC29D} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Seppo\AppData\Local\Temp\7zSCAEC.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {06F5000C-9398-4D6A-BE2C-57256EFB17EA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Seppo\AppData\Local\Temp\7zSCAEC.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6C7E58CE-4147-4813-8A61-EF125AEFC29D} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Seppo\AppData\Local\Temp\7zSCAEC.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {06F5000C-9398-4D6A-BE2C-57256EFB17EA} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Seppo\AppData\Local\Temp\7zSCAEC.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEKT-60A25T1 +++++
--- User ---
[MBR] 02c9c9882015873ba391efb450c575a7
[BSP] aa4ebf5f06d06fddf4b8cf52ca13eb5d : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 222312 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 455704576 | Size: 15859 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 488183808 | Size: 103 MB
User = LL1 ... OK
User = LL2 ... OK
_______

 

FSS.txt

 

Farbar Service Scanner Version: 27-01-2016
Ran by Seppo (administrator) on 07-02-2017 at 07:23:20
Running from "C:\Users\Seppo\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Network
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2015-11-11 10:13] - [2015-10-13 18:41] - 0497664 ____A (Microsoft Corporation) 9A4A1EEE802BF2F878EE8EAB407B21B7

C:\Windows\System32\drivers\tdx.sys
[2015-11-11 10:13] - [2015-10-13 18:40] - 0118272 ____A (Microsoft Corporation) AA77EB517D2F07A947294F260E3ACA83

C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\dnsapi.dll
[2011-04-14 09:39] - [2011-03-03 08:24] - 0357888 ____A (Microsoft Corporation) 492D07D79E7024CA310867B526D9636D

C:\Windows\SysWOW64\dnsapi.dll
[2011-04-14 09:39] - [2011-03-03 07:38] - 0270336 ____A (Microsoft Corporation) B40420876B9288E0A1C8CCA8A84E5DC9

C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2016-03-09 17:07] - [2016-02-12 20:22] - 2610688 ____A (Microsoft Corporation) 86F11B85102AFA6A1A6101DCE2F09386

C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2015-07-15 13:46] - [2015-04-27 21:23] - 0188416 ____A (Microsoft Corporation) 7BC3E861F7E8EB543A630090FAE779E0

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2016-04-14 17:38] - [2016-02-02 20:57] - 0511488 ____A (Microsoft Corporation) 622C96AFB07BB82C8650B47172137AC4



**** End of log ****

______
Attached Files
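As an added example (not from the thread, and not part of FSS or any tool it names), this PowerShell script re-checks from an elevated prompt the three things the FSS log above reports: the start modes of the services FSS lists, the "Disabled Policy" registry values, and the files it printed with a hash but no "MD5 is legit" verdict. The Windows 7 default start modes and the three policy values other than DisableAntiSpyware are assumptions taken from Windows 7 documentation, not from the log.

```powershell
# Added example: re-check the Farbar Service Scanner (FSS) findings with only
# WMI and cmdlets present in Windows 7's PowerShell 2.0. Run elevated.
# Default start modes below are Windows 7 defaults (WMI spelling: Auto/Manual).
$expected = @{
    'SDRSVC'      = 'Manual'   # Windows Backup
    'VSS'         = 'Manual'   # Volume Shadow Copy
    'wscsvc'      = 'Auto'     # Security Center
    'wuauserv'    = 'Auto'     # Windows Update
    'BITS'        = 'Auto'     # Background Intelligent Transfer Service
    'EventSystem' = 'Auto'     # COM+ Event System
    'WinDefend'   = 'Auto'     # Windows Defender; FSS found it set to Demand
}

Write-Host "== Service start modes (compare with the FSS log) =="
foreach ($name in $expected.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Host ("{0,-12} MISSING" -f $name); continue }
    $verdict = 'OK'
    if ($svc.StartMode -ne $expected[$name]) { $verdict = "CHANGED, default is $($expected[$name])" }
    Write-Host ("{0,-12} StartMode={1,-7} State={2,-8} {3}" -f $name, $svc.StartMode, $svc.State, $verdict)
    # Service binaries belong under Windows or Program Files; a Temp or AppData
    # path here is the kind of thing RogueKiller reports as Suspicious.Path.
    if ($svc.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)') {
        Write-Host ("             unusual ImagePath: {0}" -f $svc.PathName)
    }
}

# Policy values behind the four "Disabled Policy" sections of the FSS log.
# DisableAntiSpyware=1 is the one FSS actually found on this machine; the other
# three are the standard policy values for those sections (assumed, see lead-in).
Write-Host "`n== Policies that disable protection =="
$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Name = 'NoAutoUpdate' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall' }
)
foreach ($p in $policies) {
    $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    if ($item) { Write-Host ("SET     {0}\{1} = {2}" -f $p.Path, $p.Name, $item.($p.Name)) }
    else       { Write-Host ("not set {0}\{1}" -f $p.Path, $p.Name) }
}

# Files FSS listed with a hash but no "MD5 is legit" verdict. Print Authenticode
# status and MD5 so they can be compared with the log and with a known-good
# Windows 7 SP1 x64 machine. Inbox binaries that are catalog-signed rather than
# embedded-signed show NotSigned here; for those, sfc /verifyonly is the check.
Write-Host "`n== Files without an MD5 verdict in FSS =="
$md5 = [System.Security.Cryptography.MD5]::Create()
foreach ($f in @("$env:SystemRoot\System32\drivers\afd.sys",
                 "$env:SystemRoot\System32\drivers\tdx.sys",
                 "$env:SystemRoot\System32\dnsapi.dll",
                 "$env:SystemRoot\SysWOW64\dnsapi.dll",
                 "$env:SystemRoot\System32\wuaueng.dll",
                 "$env:SystemRoot\System32\cryptsvc.dll",
                 "$env:SystemRoot\System32\rpcss.dll")) {
    $hash = [BitConverter]::ToString($md5.ComputeHash([IO.File]::ReadAllBytes($f))) -replace '-', ''
    $sig  = Get-AuthenticodeSignature -FilePath $f
    Write-Host ("{0,-40} {1,-12} {2}" -f $f.Replace($env:SystemRoot, '%SystemRoot%'), $sig.Status, $hash)
}
```

Running it once before and once after the repair steps in the thread shows which changes each tool actually made; a start mode that reverts to Demand or a policy that reappears after a reboot points at something still active on the system.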



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:10 AM

Posted 07 February 2017 - 02:10 PM

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed, refer to the Microsoft article again and follow the instructions to view the details of the System File Checker process.

Post the contents of the sfcdetails.txt file for my review.

Let me know if the problem persists.
<<<>>>

#5 live_73

live_73
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 07 February 2017 - 03:19 PM

Hi!

 

Actually, I tried to get that sfc /scannow to work, but without success. I ran SFC and it hangs at 33%, stops and displays the message "Windows Resource Protection could not perform the requested operation". I have those two folders, PendingNames and PendingDeletes, in the right place.

 

So, any idea what to do next to get that to work?



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:10 AM

Posted 08 February 2017 - 10:32 AM


Download the Junkware Removal Tool to your Desktop from this link.
http://www.bleepingcomputer.com/download/junkware-removal-tool/

Shutdown your antivirus to avoid any conflicts.
Right click the icon - disable for say 20 mins.
Right-mouse click JRT.exe and select Run as administrator (If using XP just double click on the icon to run it.)
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
======

Run the SFC.exe /scannow one more time.

If the scan does not complete, as previously, execute the instructions on this page.

https://answers.microsoft.com/en-us/windows/forum/windows_vista-update/verification-69-complete-windows-resource/f37d3334-5b92-4f87-a2e5-33c14b421225

Do Methods 1, 2 and 3.

Stop after.

Let me know if the problem persists.

p.s.
Are these folders very large?
I have those two folders PendingNames and PendingDeletes there in right place.

#7 live_73

live_73
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 09 February 2017 - 04:30 PM

Hello!

 

Sorry, so little time to fix this.

 

I got that JRT.txt log, but no success with sfc /scannow after many tries. I also tried that scan of the HDD for errors and got one report (four bad sectors). I include here the cbs.log file that I found, if it helps you anyway.

 

Maybe reinstall, or have you got any ideas what to try?

 

Attached Files

  • Attached File  CBS.log   624.77KB   1 downloads
  • Attached File  JRT.txt   7.53KB   1 downloads


#8 live_73

live_73
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 09 February 2017 - 04:32 PM

And I forgot to say that those PendingNames and PendingDeletes folders have disappeared. No idea when!



#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:10 AM

Posted 10 February 2017 - 09:21 AM

Please download Tweaking.com - Windows Repair from here.

  • Install and then run the program.
  • Execute the instructions on Step 1 (Important).
  • Click Next on Step 2 (Optional), do the Pre-Scan, and skip Steps 3 and 4 (Optional) for now.
  • On Step 5 (Backup System Restore), do a Registry backup. When you have completed this, click Next.
  • Click Repairs - Open Repairs in the bottom right corner.
  • Uncheck the All repair button, then select just the items listed below:
    01 - Repair Registry Permissions
    03 - Reset Service Permissions
    04 - Register System Files
    05 - Repair WMI
    06 - Repair Windows Firewall
    10 - Remove Policies Set By Infections
    17 - Repair Windows Updates
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Services to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so.)
  • Please copy and paste the contents of this file in your next reply.

===

Restart the computer normally.

How is the computer running now?



#10 live_73

live_73
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 10 February 2017 - 04:44 PM

HI!

Is it normal that even the pre-scan takes more than 1.5 hours in safe mode? It never stopped, and I decided to stop it after 1 h 40 min. Everything seems to be so slow on this machine!

I also tried in normal mode, and the "startup check" took about 20 minutes to check 468 files. Normal?

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:10 AM

Posted 11 February 2017 - 08:50 AM


Try this.


Restore your Windows 7 to the Last Known Good Configuration.
Follow the instructions on this page.

https://www.sevenforums.com/tutorials/666-advanced-boot-options.html?ltr=A

How is the computer running now?

#12 live_73

live_73
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 13 February 2017 - 07:34 AM

Hello!

I tried restoring to "Last Known Good Configuration", but Windows didn't work any better after that.

So I decided to reinstall Windows 7 from scratch, and now the machine is working properly again!

Thank you very much for your help!

Case closed!
