ComboFix scan detects a rootkit each time it scans, doesn't seem to remove it


11 replies to this topic

#1 wojtasys

  • Members
  • 10 posts

Posted 17 February 2017 - 01:07 PM

Hi, I'm new here so I'm not sure how to use this forum yet.

The problem:

I have an old laptop running Windows XP professional.

My laptop got unresponsive all of a sudden a couple of weeks ago. Each time I click on anything or try to open anything, be it Firefox or just a file manager, the hourglass icon appears as if it was trying to do something which it is unable to do. Then it unfreezes after a while, and when I try to do something else it freezes again; the situation repeats on and on. So it looks like repetitive freezes triggered by clicking anything, opening a tab, closing something, etc.

Completely impossible to work on.

I scanned with ComboFix and it says it discovered a rootkit infection, then proceeds with the scan. Another scan - same situation happens again. Here's today's scan log:

 

ComboFix 17-01-29.01 - Wojtek 2017-02-17  17:37:57.20.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.2047.1677 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Wojtek\Pulpit\ComboFix.exe
AV: Kingsoft Antivirus System Defense *Disabled/Updated* {B3DDB456-E18B-4D81-9EB0-E23ABB4D2B12}
.
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\tmp.reg
.
.
(((((((((((((((((((((((((   Pliki utworzone od 2017-01-17 do 2017-02-17  )))))))))))))))))))))))))))))))
.
.
2017-02-15 14:45 . 2017-02-15 14:45    --------    d-----w-    c:\documents and settings\Wojtek\Dane aplikacji\CrystalIdea Software
2017-02-14 15:45 . 2017-02-15 14:40    --------    d---a-w-    C:\Kaspersky Rescue Disk 10.0
2017-02-07 14:03 . 2008-04-13 23:09    5504    -c--a-w-    c:\windows\system32\dllcache\mstee.sys
2017-02-07 14:03 . 2008-04-13 23:09    5504    ----a-w-    c:\windows\system32\drivers\MSTEE.sys
2017-02-07 14:02 . 2008-04-13 23:16    10880    -c--a-w-    c:\windows\system32\dllcache\ndisip.sys
2017-02-07 14:02 . 2008-04-13 23:16    10880    ----a-w-    c:\windows\system32\drivers\NdisIP.sys
2017-02-07 14:02 . 2008-04-13 23:16    15232    -c--a-w-    c:\windows\system32\dllcache\streamip.sys
2017-02-07 14:02 . 2008-04-13 23:16    15232    ----a-w-    c:\windows\system32\drivers\StreamIP.sys
2017-02-07 14:02 . 2008-04-14 21:51    16384    ----a-w-    c:\windows\system32\ipsink.ax
2017-02-07 14:02 . 2008-04-13 23:16    11136    -c--a-w-    c:\windows\system32\dllcache\slip.sys
2017-02-07 14:02 . 2008-04-13 23:16    11136    ----a-w-    c:\windows\system32\drivers\SLIP.sys
2017-02-07 14:00 . 2008-04-13 23:16    19200    -c--a-w-    c:\windows\system32\dllcache\wstcodec.sys
2017-02-07 14:00 . 2008-04-13 23:16    19200    ----a-w-    c:\windows\system32\drivers\WSTCODEC.SYS
2017-02-07 14:00 . 2008-04-13 23:16    85248    -c--a-w-    c:\windows\system32\dllcache\nabtsfec.sys
2017-02-07 14:00 . 2008-04-13 23:16    85248    ----a-w-    c:\windows\system32\drivers\NABTSFEC.sys
2017-02-07 13:58 . 2008-04-13 23:16    17024    -c--a-w-    c:\windows\system32\dllcache\ccdecode.sys
2017-02-07 13:58 . 2008-04-13 23:16    17024    ----a-w-    c:\windows\system32\drivers\CCDECODE.sys
2017-02-07 13:55 . 2008-04-14 21:51    28672    ----a-w-    c:\windows\system32\vidcap.ax
2017-02-07 13:55 . 2008-04-14 21:51    91648    ----a-w-    c:\windows\system32\kswdmcap.ax
2017-02-07 13:55 . 2008-04-14 21:51    61952    ----a-w-    c:\windows\system32\kstvtune.ax
2017-02-07 13:55 . 2008-04-14 21:50    54784    -c--a-w-    c:\windows\system32\dllcache\vfwwdm32.dll
2017-02-07 13:55 . 2008-04-14 21:50    54784    ----a-w-    c:\windows\system32\vfwwdm32.dll
2017-02-07 13:55 . 2008-04-14 21:51    20992    ----a-w-    c:\windows\system32\dshowext.ax
2017-02-07 13:55 . 2008-04-14 21:51    43008    ----a-w-    c:\windows\system32\ksxbar.ax
.
.
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-02-15 14:45 . 2012-04-03 15:27    802904    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2017-02-15 14:45 . 2011-08-31 08:38    144472    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-25 . C8BDAD4065118558B3DC360FC96D81DB . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  GoogleDriveBlacklisted]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2016-11-30 15:59    575448    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  GoogleDriveSynced]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2016-11-30 15:59    575448    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\  GoogleDriveSyncing]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2016-11-30 15:59    575448    ----a-w-    c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay1]
@="{E68D0A50-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A50-3C40-4712-B90D-DCFA93FF2534}]
2013-01-17 14:43    1232896    ----a-w-    c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay2]
@="{E68D0A51-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A51-3C40-4712-B90D-DCFA93FF2534}]
2013-01-17 14:43    1232896    ----a-w-    c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay3]
@="{E68D0A52-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A52-3C40-4712-B90D-DCFA93FF2534}]
2013-01-17 14:43    1232896    ----a-w-    c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay4]
@="{E68D0A53-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A53-3C40-4712-B90D-DCFA93FF2534}]
2013-01-17 14:43    1232896    ----a-w-    c:\documents and settings\All Users\Dane aplikacji\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-11-08 188416]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"kxesc"="c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" [2014-07-11 1595056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
.
c:\documents and settings\Wojtek\Menu Start\Programy\Autostart\
Powiadomienia monitorowania tuszu - HP Deskjet 1050 J410 series.lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Deskjet 1050 J410 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN2931DHGF05QT;CONNECTION=USB;MONITOR=1; [2008-4-14 33280]
.
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-11-16 12:12    88209    ----a-w-    c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-03-08 19:05    344064    ----a-w-    c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 20:51    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2007-10-19 11:05    177456    ----a-w-    c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2015-12-17 01:12    50378880    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 07:11    1388544    ----a-w-    c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07    2260480    --sha-r-    c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-09-15 00:27    1015808    ----a-w-    c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-15 00:29    102400    ----a-w-    c:\program files\Synaptics\SynTP\SynTPStart.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Wojtek\\Dane aplikacji\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Wojtek\\Ustawienia lokalne\\Dane aplikacji\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\VoipConnect.com\\VoipConnect\\VoipConnect.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 kavbootc;kavbootc;c:\windows\system32\drivers\kavbootc.sys [2014-07-11 27240]
R0 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2016-02-16 17160]
R1 KDHacker;KDHacker;c:\program files\kingsoft\kingsoft antivirus\security\kxescan\kdhacker.sys [2014-07-11 125784]
R2 kisknl;kisknl;c:\windows\system32\drivers\kisknl.sys [2014-07-11 165176]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-05-03 80384]
R3 ksapi;ksapi;c:\windows\system32\drivers\ksapi.sys [2014-07-11 82264]
S3 CpqDtct;CpqDtct;\??\c:\windows\system32\Drivers\Cpqdtct.sys --> c:\windows\system32\Drivers\Cpqdtct.sys [?]
S3 cpuz131;cpuz131;\??\c:\docume~1\Wojtek\USTAWI~1\Temp\cpuz131\cpuz_x32.sys --> c:\docume~1\Wojtek\USTAWI~1\Temp\cpuz131\cpuz_x32.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2014-06-09 54232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-06-10 113880]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2016-02-16 13064]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-06-01 721904]
.
Zawartość folderu 'Zaplanowane zadania'
.
2017-02-03 c:\windows\Tasks\Adobe Flash Player PPAPI Notifier.job
- c:\windows\system32\Macromed\Flash\FlashUtil32_24_0_0_194_pepper.exe [2017-02-03 15:14]
.
2017-02-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 14:45]
.
2017-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-07 14:09]
.
2017-02-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-06-07 14:09]
.
2017-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job
- c:\windows\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2014-02-09 22:01]
.
2017-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job
- c:\windows\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2014-02-09 22:01]
.
2017-02-17 c:\windows\Tasks\Opera scheduled Autoupdate 1482005465.job
- c:\program files\Opera\launcher.exe [2016-12-17 12:29]
.
2017-02-08 c:\windows\Tasks\Powiadomienie o zakończeniu obsługi systemu Microsoft Windows XP — co miesiąc.job
- c:\windows\system32\xp_eos.exe [2014-04-22 23:28]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Wyślij do urządzenia &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Wojtek\Dane aplikacji\Mozilla\Firefox\Profiles\y7cn4q1r.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - prefs.js: network.proxy.type - 4
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
SafeBoot-Wdf01000.sys
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
skanowanie ukrytych procesów ...  
.
skanowanie ukrytych wpisów autostartu ...
.
skanowanie ukrytych plików ...  
.
skanowanie pomyślnie ukończone
ukryte pliki:
.
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
.
Czas ukończenia: 2017-02-17  18:21:14
ComboFix-quarantined-files.txt  2017-02-17 17:20
ComboFix2.txt  2016-12-18 16:28
ComboFix3.txt  2014-07-10 23:13
ComboFix4.txt  2014-07-06 22:44
ComboFix5.txt  2017-02-17 16:27
.
Przed: 8 440 516 608 bajtów wolnych
Po: 8 469 757 952 bajtów wolnych
.
- - End Of File - - AFBA18154B6F1B6511CC672BA9F9346A
32052574BF9F325AE309ABC7BFD04460
 

 

That's the GMER log from before the last ComboFix scan:

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-02-14 14:54:53
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST9808211A rev.3.02 74,53GB
Running: dnku73qi.exe; Driver: C:\DOCUME~1\Wojtek\USTAWI~1\Temp\fwncqpoc.sys


---- System - GMER 2.2 ----

SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwClose [0xAE60650E]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwCreateKey [0xAE606914]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwCreateSection [0xAE60E2D5]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwCreateThread [0xAE60ED64]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwDebugActiveProcess [0xAE60DBA8]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwDeleteKey [0xAE60596B]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwDeleteValueKey [0xAE605A8F]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwDeviceIoControlFile [0xAE614C17]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwEnumerateKey [0xAE61F327]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwEnumerateValueKey [0xAE61E232]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwFreeVirtualMemory [0xAE60DDDB]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwFsControlFile [0xAE615603]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwInitiatePowerAction [0xAE61362F]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwLoadDriver [0xAE613F6B]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwOpenKey [0xAE61E42D]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwOpenProcess [0xAE60DE28]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwOpenSection [0xAE6125D7]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwProtectVirtualMemory [0xAE60D0F4]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwQueryKey [0xAE61E886]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwQueryValueKey [0xAE6062A6]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwQueueApcThread [0xAE60CE93]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwRaiseHardError [0xAE613668]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwRenameKey [0xAE606C8D]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwRequestWaitReplyPort [0xAE614307]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwRestoreKey [0xAE60654D]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwSetContextThread [0xAE60D591]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwSetSystemInformation [0xAE612B8E]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwSetSystemPowerState [0xAE6135F6]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwSetSystemTime [0xAE6135B3]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwSetValueKey [0xAE605CAA]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwShutdownSystem [0xAE612A6F]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwSuspendProcess [0xAE60D516]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwSuspendThread [0xAE60CED4]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwSystemDebugControl [0xAE612A9E]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwTerminateJobObject [0xAE60D32C]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwTerminateProcess [0xAE60D2ED]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwTerminateThread [0xAE60D554]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwTestAlert [0xAE60E070]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwUnmapViewOfSection [0xAE60DD80]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwWriteFile [0xAE613E05]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys                                                            ZwWriteVirtualMemory [0xAE60D098]

---- Kernel code sections - GMER 2.2 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2540                                                                  80501D9C 2 Bytes  [27, F3]
.text           ntkrnlpa.exe!ZwCallbackReturn + 2548                                                                  80501DA4 2 Bytes  [32, E2] {XOR AH, DL}
.text           ntkrnlpa.exe!ZwCallbackReturn + 2600                                                                  80501E5C 2 Bytes  [2D, E4]
.text           ntkrnlpa.exe!ZwCallbackReturn + 26A4                                                                  80501F00 2 Bytes  [86, E8] {XCHG AL, CH}
.text           ntkrnlpa.exe!ZwCallbackReturn + 27E4                                                                  80502040 12 Bytes  [8E, 2B, 61, AE, F6, 35, 61, ...] {MOV GS, [EBX]; POPA ; SCASB ; DIV BYTE [0x35b3ae61]; POPA ; SCASB }
.text           ...                                                                                                   
init            C:\WINDOWS\system32\drivers\tifm21.sys                                                                entry point in "init" section [0xB8FD73BF]
init            C:\WINDOWS\system32\DRIVERS\gtipci21.sys                                                              entry point in "init" section [0xB8F9BA80]

---- User code sections - GMER 2.2 ----

.text           C:\program files\kingsoft\kingsoft antivirus\kxetray.exe[1788] SHELL32.dll!ShellExecuteW              7CAB5FDD 5 Bytes  JMP 00408C04 C:\program files\kingsoft\kingsoft antivirus\kxetray.exe
.text           C:\WINDOWS\Explorer.EXE[3488] kernel32.dll!CreateProcessW                                             7C802336 5 Bytes  JMP 027E5840 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text           C:\WINDOWS\Explorer.EXE[3488] kernel32.dll!CreateProcessInternalW                                     7C8185EC 5 Bytes  JMP 027E40E0 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text           C:\WINDOWS\Explorer.EXE[3488] kernel32.dll!CreateProcessInternalA                                     7C81CE78 5 Bytes  JMP 027E44E0 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text           C:\WINDOWS\Explorer.EXE[3488] kernel32.dll!CopyFileExW                                                7C826B8A 7 Bytes  JMP 02812B80 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text           C:\WINDOWS\Explorer.EXE[3488] ADVAPI32.dll!RegQueryValueExW                                           77DC6FFF 5 Bytes  JMP 027E53F0 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text           C:\WINDOWS\Explorer.EXE[3488] ADVAPI32.dll!RegQueryValueExA                                           77DC7ABB 5 Bytes  JMP 027E5030 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text           C:\WINDOWS\Explorer.EXE[3488] ADVAPI32.dll!RegSetValueExA                                             77DCEAE7 7 Bytes  JMP 027E6FA0 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text           C:\WINDOWS\Explorer.EXE[3488] SHLWAPI.dll!SHRegGetUSValueW                                            77F68D02 5 Bytes  JMP 027E4E90 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text           C:\WINDOWS\Explorer.EXE[3488] SHELL32.dll!StrStrW                                                     7C9CFA5C 4 Bytes  [04, 00, 36, 02]
.text           C:\WINDOWS\Explorer.EXE[3488] SHELL32.dll!ShellExecuteExW                                             7CA0995B 5 Bytes  JMP 027E3F80 C:\program files\kingsoft\kingsoft antivirus\kswebshield.dll

---- Devices - GMER 2.2 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                kisknl.sys
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                              kdhacker.sys
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                               SynTP.sys
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                                               SynTP.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                             kdhacker.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                             kdhacker.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                           kdhacker.sys

---- Registry - GMER 2.2 ----

Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                       0
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                    0x7A 0x79 0xF0 0x3A ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                       0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                    0x7A 0x79 0xF0 0x3A ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                       0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                    0x7A 0x79 0xF0 0x3A ...
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                       0
Reg             HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                    0x7A 0x79 0xF0 0x3A ...
Reg             HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                       0
Reg             HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                    0x7A 0x79 0xF0 0x3A ...
Reg             HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                       0
Reg             HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                    0x7A 0x79 0xF0 0x3A ...
Reg             HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                       0
Reg             HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                    0x7A 0x79 0xF0 0x3A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                   0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                0x7A 0x79 0xF0 0x3A ...
Reg             HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0                       0
Reg             HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew                    0x7A 0x79 0xF0 0x3A ...

---- EOF - GMER 2.2 ----

 

I'd be very grateful for any suggestions on how to sort out that issue.

 

Wojciech
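The two logs above are the raw material a malware responder reads by hand: GMER lists which kernel module owns each SSDT hook and which driver is attached to each device object, and ComboFix lists the registered driver services with their on-disk paths. The script below is an added example, not code from the original post and not part of ComboFix, GMER or FRST. It parses a small constructed excerpt copied from the logs above, groups the hooks by owning driver, joins them to the ComboFix service entries, and flags the two things a responder checks first: a hooking driver that has no matching service entry in the excerpt, and a registered driver that loads from a user-profile or Temp path or whose file is missing on disk (ComboFix's `[?]` marker). The regular expressions and the note strings are this example's own assumptions about the log layout shown on the page.

```python
import re
from collections import defaultdict

# Constructed input: lines copied from the GMER and ComboFix logs posted above.
GMER_EXCERPT = r"""
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys    ZwClose [0xAE60650E]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys    ZwCreateKey [0xAE606914]
SSDT            \??\C:\WINDOWS\system32\drivers\kisknl.sys    ZwLoadDriver [0xAE613F6B]
AttachedDevice  \FileSystem\Ntfs \Ntfs                        kisknl.sys
AttachedDevice  \Driver\Tcpip \Device\Ip                      kdhacker.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                     kdhacker.sys
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0       SynTP.sys
"""

COMBOFIX_EXCERPT = r"""
R1 KDHacker;KDHacker;c:\program files\kingsoft\kingsoft antivirus\security\kxescan\kdhacker.sys [2014-07-11 125784]
R2 kisknl;kisknl;c:\windows\system32\drivers\kisknl.sys [2014-07-11 165176]
S3 cpuz131;cpuz131;\??\c:\docume~1\Wojtek\USTAWI~1\Temp\cpuz131\cpuz_x32.sys --> c:\docume~1\Wojtek\USTAWI~1\Temp\cpuz131\cpuz_x32.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-06-01 721904]
"""

# Assumed layouts of the GMER "System"/"Devices" lines and ComboFix service lines.
SSDT_RE = re.compile(r"^SSDT\s+(?P<path>\S+)\s+(?P<func>\w+)\s+\[0x[0-9A-Fa-f]+\]")
ATTACH_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)\s*$")
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

PROFILE_MARKERS = ("\\temp\\", "\\docume~1\\", "documents and settings")


def basename(path):
    """Lower-cased file name of an NT or DOS path, with any leading \\??\\ prefix removed."""
    return path.replace("\\??\\", "").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Group SSDT hooks and device attachments by the module GMER says owns them."""
    hooks, attached = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks[basename(m["path"])].append(m["func"])
            continue
        m = ATTACH_RE.match(line)
        if m:
            attached[m["module"].lower()].append(m["device"])
    return hooks, attached


def parse_combofix_services(text):
    """Parse ComboFix 'R0 name;display;path [date size]' driver lines into a dict keyed by file name."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        # The path ends where the ' [date size]' / ' [?]' annotation or the ' --> ' resolution begins.
        path = re.split(r"\s+(?:\[|-->)", rest, maxsplit=1)[0]
        path = path.replace("\\??\\", "").lower()
        services[basename(path)] = {
            "start": m["start"],
            "path": path,
            "file_missing": rest.rstrip().endswith("[?]"),
            "profile_path": any(marker in path for marker in PROFILE_MARKERS),
        }
    return services


def summarize(gmer_text, combofix_text):
    """Join both logs into one per-driver report so each hook can be traced to an installed product."""
    hooks, attached = parse_gmer(gmer_text)
    services = parse_combofix_services(combofix_text)
    report = {}
    for module in sorted(set(hooks) | set(attached) | set(services)):
        svc = services.get(module)
        entry = {
            "ssdt_hooks": hooks.get(module, []),
            "attached_to": attached.get(module, []),
            "service_path": svc["path"] if svc else None,
            "start_type": svc["start"] if svc else None,
            "notes": [],
        }
        if svc is None and (entry["ssdt_hooks"] or entry["attached_to"]):
            entry["notes"].append("hooks present but no matching service entry in the ComboFix excerpt")
        if svc and svc["profile_path"]:
            entry["notes"].append("driver loads from a user-profile/Temp path")
        if svc and svc["file_missing"]:
            entry["notes"].append("service registered but file not found on disk")
        report[module] = entry
    return report


if __name__ == "__main__":
    for module, entry in summarize(GMER_EXCERPT, COMBOFIX_EXCERPT).items():
        print(module, entry["start_type"], entry["service_path"])
        print("  SSDT hooks:", ", ".join(entry["ssdt_hooks"]) or "-")
        print("  attached to:", ", ".join(entry["attached_to"]) or "-")
        for note in entry["notes"]:
            print("  note:", note)
```

Run against the excerpt, the report traces both `kisknl.sys` and `kdhacker.sys` back to the Kingsoft antivirus service entries listed by ComboFix, which is how a responder distinguishes a security product's own filter drivers and SSDT hooks from an unexplained hook; the only entries it flags are the CPU-Z driver registered from a Temp folder whose file is already gone, and `SynTP.sys`, which simply has no service line in this short excerpt.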
 





#2 nasdaq

  • Malware Response Team
  • 35,244 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 February 2017 - 09:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===

Please post the logs.

Wait for further instructions.

#3 wojtasys

  • Topic Starter
  • Members
  • 10 posts

Posted 19 February 2017 - 07:47 PM

Hi

 

Thanks for getting back to me.

Here are the requested files.

Attached Files



#4 nasdaq

  • Malware Response Team
  • 35,244 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 February 2017 - 09:09 AM


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellExecuteHooks: Brak nazwy - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  -> Brak pliku
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKU\S-1-5-21-329068152-1343024091-1177238915-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://www.mysites123.com/?type=hp&ts=1455753505&z=595f266d53a2d70ebf285a7g7z8wew4mdwcc7w8eew&from=amt&uid=st380011a_5jv59rms"
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\Wojtek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\45.0.2454.101\pdf.dll => Brak pliku
CHR Plugin: (Google Gears 0.5.33.0) - C:\Documents and Settings\Wojtek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\45.0.2454.101\gears.dll => Brak pliku
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Wojtek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\45.0.2454.101\gcswf32.dll => Brak pliku
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => Brak pliku
CHR Plugin: (Java Deployment Toolkit 6.0.220.4) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll => Brak pliku
CHR Plugin: (Java(TM) Platform SE 6 U22) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll => Brak pliku
CHR Plugin: (Google Update) - C:\Documents and Settings\Wojtek\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.183.39\npGoogleOneClick8.dll => Brak pliku
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll => Brak pliku
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll => Brak pliku
CHR Extension: (Platnosci w sklepie Chrome Web Store) - C:\Documents and Settings\Wojtek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-08]
S3 RNI; C:\DOCUME~1\Wojtek\USTAWI~1\Temp\RNI.exe [X]
S3 catchme; \??\C:\DOCUME~1\Wojtek\USTAWI~1\Temp\catchme.sys [X]
S3 CpqDtct; \??\C:\WINDOWS\system32\Drivers\Cpqdtct.sys [X]
S3 cpuz131; \??\C:\DOCUME~1\Wojtek\USTAWI~1\Temp\cpuz131\cpuz_x32.sys [X]
U1 eabfiltr; Brak ImagePath
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]



End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

P.S.
Please post the Malwarebytes log so I can see what is being reported.
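The fixlist above removes several service and driver registrations whose ImagePath no longer points at a file (the entries FRST marks with "[X]", plus eabfiltr, which has no ImagePath at all). The script below is an added example, not part of nasdaq's post and not code from FRST; it parses lines in the shape FRST prints them (state letter R/S/U, start-type digit, name, ImagePath, optional "[X]"), strips the NT object-manager prefix "\??\", resolves bare "system32\..." paths against an assumed system root of C:\WINDOWS, and reports which registrations point at nothing. The sample lines are constructed from the fixlist, with one made-up present driver ("Kernel-Sample") added for contrast; the file-existence check is injectable so the same logic runs offline against a constructed set of "present" paths instead of a live XP disk.

```python
"""Classify FRST-style service/driver lines by whether their ImagePath resolves.

Added example. Column layout assumed here: '<R|S|U><start digit> <name>; <path> [X]'
where R/S/U = running/stopped/unknown, digit = start type (0 boot .. 4 disabled)
and '[X]' is FRST's marker for a missing file. Polish FRST output writes
'Brak ImagePath' where English output writes 'No ImagePath'.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

SERVICE_RE = re.compile(r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+); (?P<rest>.*)$")
NT_PREFIX = "\\??\\"                       # object-manager alias for the Win32 namespace
NO_IMAGEPATH_MARKERS = ("Brak ImagePath", "No ImagePath")

# Constructed sample: the fixlist's entries plus one invented present driver.
SAMPLE_LINES = r"""
S3 RNI; C:\DOCUME~1\Wojtek\USTAWI~1\Temp\RNI.exe [X]
S3 catchme; \??\C:\DOCUME~1\Wojtek\USTAWI~1\Temp\catchme.sys [X]
S3 CpqDtct; \??\C:\WINDOWS\system32\Drivers\Cpqdtct.sys [X]
S3 cpuz131; \??\C:\DOCUME~1\Wojtek\USTAWI~1\Temp\cpuz131\cpuz_x32.sys [X]
U1 eabfiltr; Brak ImagePath
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
R1 Kernel-Sample; C:\WINDOWS\system32\drivers\sample.sys [12345 2016-01-01] (Sample Vendor)
"""


@dataclass
class ServiceEntry:
    name: str
    state: str                  # R, S or U
    start_type: int             # 0..4
    image_path: Optional[str]   # normalized Win32 path; None if the key has no ImagePath
    frst_missing: bool          # FRST printed "[X]"
    file_present: bool          # result of our own existence check


def normalize_image_path(raw: str, system_root: str) -> str:
    """Turn the registry ImagePath into a Win32 path the loader would open."""
    path = raw[len(NT_PREFIX):] if raw.startswith(NT_PREFIX) else raw
    if re.match(r"^[A-Za-z]:\\", path):
        return path
    # Relative ImagePaths (e.g. system32\drivers\x.sys) are relative to %SystemRoot%.
    return system_root.rstrip("\\") + "\\" + path


def parse_service_line(line: str, system_root: str,
                       exists: Callable[[str], bool]) -> Optional[ServiceEntry]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    name, state, start = m.group("name"), m.group("state"), int(m.group("start"))
    rest = m.group("rest").strip()
    if any(rest.startswith(marker) for marker in NO_IMAGEPATH_MARKERS):
        return ServiceEntry(name, state, start, None, frst_missing=False, file_present=False)
    frst_missing = rest.endswith("[X]")
    raw_path = rest.split(" [", 1)[0].strip()   # drop "[size date] (signer)" or "[X]"
    path = normalize_image_path(raw_path, system_root)
    return ServiceEntry(name, state, start, path, frst_missing, exists(path))


def parse_service_lines(text: str, system_root: str = "C:\\WINDOWS",
                        exists: Callable[[str], bool] = os.path.exists) -> List[ServiceEntry]:
    entries = (parse_service_line(l, system_root, exists) for l in text.splitlines())
    return [e for e in entries if e is not None]


def orphaned_services(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Registrations whose binary cannot be loaded: no ImagePath, or the file is gone."""
    return [e for e in entries if e.image_path is None or not e.file_present]


if __name__ == "__main__":
    # Offline run: pretend only the invented sample driver is on disk.
    present = {"c:\\windows\\system32\\drivers\\sample.sys"}
    parsed = parse_service_lines(SAMPLE_LINES, exists=lambda p: p.lower() in present)
    for e in orphaned_services(parsed):
        print(f"{e.name:12s} start={e.start_type} path={e.image_path}")
```

Entries that survive this check but live under a user's Temp folder (here catchme.sys, ComboFix's own scanner driver, and CPU-Z's cpuz_x32.sys) are leftovers of tools that load a driver at run time; removing the registration is harmless once the file is gone, because the Service Control Manager has nothing to start. Pointing `exists` at `os.path.exists` on the affected machine gives the live answer; the 8.3 short names (DOCUME~1, USTAWI~1) resolve there but not on another host.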

#5 wojtasys (Topic Starter)

Posted 20 February 2017 - 02:53 PM

It's most certainly made a difference, but the problem persists to a smaller extent, i.e. occasional, shorter-lasting freezes with programs not responding and the hourglass appearing for a while.

Attached Files



#6 nasdaq (Malware Response Team)

Posted 21 February 2017 - 07:55 AM



--RogueKiller--
  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

How is it now?

#7 wojtasys (Topic Starter)

Posted 21 February 2017 - 07:47 PM

I attached the ReportRogue. It still keeps on freezing (Firefox not responding), very frustrating. It's a very old laptop, but for basic web browsing it ran like a torpedo before this situation; there were no such freezes at all.

Attached Files



#8 nasdaq (Malware Response Team)

Posted 22 February 2017 - 09:51 AM



Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

If that fails to solve the problem remove and reinstall Firefox.

Remove Firefox using the instructions on this page.
https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer

Before proceeding save your Bookmarks.
https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Install the latest version of the application.

You can then import your Bookmarks to the new version of Firefox.

Firefox Password manager -
Remember, delete and change saved passwords in Firefox
https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-passwords
<<<>>>

#9 wojtasys (Topic Starter)

Posted 24 February 2017 - 08:50 AM

Honestly, I don't think it will do anything. Before these steps I'm performing here, it was just the browsers (not only Firefox, Chrome and Opera too) that hung; now everything does, opening any programme or window.



#10 nasdaq (Malware Response Team)

Posted 24 February 2017 - 09:22 AM


Your problem is not caused by malware.
Being unable to run anything now, when it was previously getting better, is not good.

I can only suggest you start a new topic in the Windows XP forum.
Someone can give you better advice than I can.

https://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

Good luck.

#11 wojtasys (Topic Starter)

Posted 24 February 2017 - 10:26 AM

Thanks, I've posted a question there. Come to think of it, this model of laptop, the HP Compaq nx8220, had a manufacturing defect with the chipset, which became unsoldered and needed BGA resoldering. I had it done by a specialised firm a few years ago and ever since it has been fine. Could it be the same problem recurring, as the symptoms are slightly similar? Though the steps performed in accordance with the instructions I got here seem to affect the way the device works in various ways, which they probably would not if the chipset were to blame.

All in all, I'd like to be able to back up the browsers' setup (bookmarks, and in the case of Firefox the Pocket add-on, which has some stuff I need for work), and, if the hardware is OK, I'll just clean it up and see if it's capable of running Windows 7.



#12 nasdaq (Malware Response Team)

Posted Yesterday, 07:53 AM


If you are unable to do this in Normal mode, try Safe mode.

Save your Bookmarks.
https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

You can then import them to the new version of Firefox.

Firefox Password manager -
Remember, delete and change saved passwords in Firefox
https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-passwords
<<<>>>

Pocket issue.
https://support.mozilla.org/t5/Sync-and-Save/Where-is-the-quot-Pocket-for-Firefox-quot-button/ta-p/30108



