
possibly one of my laptops in my LAN infected with a rootkit


This topic is locked. 8 replies to this topic.

#1 LASERzzzzzz (Members, Europe/Germany)

Posted 07 March 2017 - 11:50 AM

Hi,

I already posted a detailed description of the infection in this thread:

https://www.bleepingcomputer.com/forums/t/641539/possibly-rootkit-infection-on-my-lan-message-from-mbam-2211043/

Here are both log files (Addition.txt and FRST.txt) from my laptop "Packard Bell TSX62" (the one that is possibly infected).

Untersuchungsergebnis von Farbar Recovery Scan Tool (FRST) (x64) Version: 05-03-2017
durchgeführt von NRG1 (Administrator) auf NRG1TSX (07-03-2017 17:06:07)
Gestartet von C:\Users\NRG1\Desktop
Geladene Profile: UpdatusUser & NRG1 (Verfügbare Profile: UpdatusUser & NRG1)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Sprache: Deutsch (Deutschland)
Internet Explorer Version 11 (Standard-Browser: FF)
Start-Modus: Normal
Anleitung für Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Prozesse (Nicht auf der Ausnahmeliste) =================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Prozess geschlossen. Die Datei wird nicht verschoben.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Reputation\fsorsp.exe
(Acer Incorporated) C:\Program Files (x86)\Packard Bell\Registration\GREGsvc.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe
(Acer Incorporated) C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Anti-Virus\fsgk32.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(CyberGhost S.R.L) C:\Program Files\CyberGhost 6\CyberGhost.Service.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Atheros Communications) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Acer Incorporated) C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerTray.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Logitech, Inc.) C:\Program Files\Logitech\LogiOptions\LogiOptions.exe
(Spotify Ltd) C:\Users\NRG1\AppData\Roaming\Spotify\SpotifyWebHelper.exe
() C:\Program Files (x86)\Audials\Audials 2016\AudialsNotifier.exe
(Acer Incorporated) C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerEvent.exe
(Bongiovi Acoustics) C:\Program Files\Bongiovi Acoustics\Bongiovi DPS\Bongiovi DPS.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(Logitech, Inc.) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Common\FSMA32.EXE
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Anti-Virus\fssm32.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Common\FSHDLL64.EXE
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

==================== Registry (Nicht auf der Ausnahmeliste) ====================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Registryeintrag auf den Standardwert zurückgesetzt oder entfernt. Die Datei wird nicht verschoben.)

HKLM\...\Run: [IntelTBRunOnce] => wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [976032 2011-09-16] (Atheros Communications)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [799904 2011-09-16] (Atheros Commnucations)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2589992 2011-04-05] (ELAN Microelectronics Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11785832 2011-03-10] (Realtek Semiconductor)
HKLM\...\Run: [Power Management] => C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerTray.exe [1831016 2011-08-02] (Acer Incorporated)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14416624 2017-02-02] (Copyright 2017.)
HKLM\...\Run: [LogiOptions] => C:\Program Files\Logitech\LogiOptions\LogiOptions.exe [1735288 2016-09-30] (Logitech, Inc.)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1103440 2011-07-01] (Dritek System Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKLM\...\Policies\Explorer: [NoDrives] 4096
HKU\S-1-5-21-735665274-2204444491-4031484975-1000\...\RunOnce: [ScrSav] => C:\Program Files (x86)\Packard Bell\Screensaver\run_Packard Bell.exe [154144 2010-07-29] ()
HKU\S-1-5-21-735665274-2204444491-4031484975-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Packard Bell.scr [456224 2010-07-29] ()
HKU\S-1-5-21-735665274-2204444491-4031484975-1001\...\Run: [pCloud] => [X]
HKU\S-1-5-21-735665274-2204444491-4031484975-1001\...\Run: [Spotify Web Helper] => C:\Users\NRG1\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1433712 2016-12-03] (Spotify Ltd)
HKU\S-1-5-21-735665274-2204444491-4031484975-1001\...\Run: [AudialsNotifier] => C:\Program Files (x86)\Audials\Audials 2016\AudialsNotifier.exe [4535192 2016-10-20] ()
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [226920 2011-03-30] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [193128 2011-03-30] (NVIDIA Corporation)
SSODL: EldosMountNotificator-cbfs6 - {91E56A63-10CD-465F-88CE-02F618F815CC} - C:\Windows\system32\cbfsMntNtf6.dll (/n software, Inc.)
SSODL-x32: EldosMountNotificator-cbfs6 - {91E56A63-10CD-465F-88CE-02F618F815CC} - C:\Windows\SysWOW64\cbfsMntNtf6.dll (/n software, Inc.)
ShellExecuteHooks: Directory Opus Shell Execute Hook - {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll [1808760 2016-09-22] (GP Software)
ShellExecuteHooks-x32: Directory Opus Shell Execute Hook - {EE761688-C137-4b04-8FAB-3C9CDF0886F0} - C:\Program Files\GPSoftware\Directory Opus\dopuslib32.dll [381304 2016-09-22] (GP Software)
ShellIconOverlayIdentifiers: [EldosIconOverlay-cbfs6] -> {E4F8F9A6-5B47-4218-8202-E024B94D03D6} => C:\Windows\system32\cbfsMntNtf6.dll [2016-09-21] (/n software, Inc.)
ShellIconOverlayIdentifiers-x32: [EldosIconOverlay-cbfs6] -> {E4F8F9A6-5B47-4218-8202-E024B94D03D6} => C:\Windows\SysWOW64\cbfsMntNtf6.dll [2016-09-21] (/n software, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bongiovi DPS.lnk [2017-01-20]
ShortcutTarget: Bongiovi DPS.lnk -> C:\Program Files\Bongiovi Acoustics\Bongiovi DPS\Bongiovi DPS.exe (Bongiovi Acoustics)

==================== Internet (Nicht auf der Ausnahmeliste) ====================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Eintrag entfernt oder auf den Standardwert zurückgesetzt, wenn es sich um einen Registryeintrag handelt.)

Tcpip\Parameters: [DhcpNameServer] 80.69.96.12 81.210.129.4
Tcpip\..\Interfaces\{326D6045-AE03-49BA-9140-95B4696C26DD}: [DhcpNameServer] 80.69.96.12 81.210.129.4
Tcpip\..\Interfaces\{84034BCD-707D-415B-B4EF-96A2EF5DCD4F}: [DhcpNameServer] 80.69.96.12 81.210.129.4

Internet Explorer:
==================
HKU\S-1-5-21-735665274-2204444491-4031484975-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://packardbell.msn.com/
HKU\S-1-5-21-735665274-2204444491-4031484975-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://packardbell.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=APBTDF&pc=MAPB&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=APBTDF&pc=MAPB&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=APBTDF&pc=MAPB&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=APBTDF&pc=MAPB&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-735665274-2204444491-4031484975-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-735665274-2204444491-4031484975-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Browsing Protection by F-Secure -> {45BBE08D-81C5-4A67-AF20-B2A077C67747} -> C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\browser\install\fs_ie_https\fs_ie_https64.dll [2017-02-15] (F-Secure Corporation)
BHO: Search by F-Secure -> {690EF1CF-5775-4CB3-A5B8-85A63FD0262B} -> C:\Program Files (x86)\F-Secure\Internet Security\apps\SafeSearch\IE\FSSafeSearch64.dll [2016-10-24] (F-Secure Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-11-16] (Adobe Systems Incorporated)
BHO-x32: Browsing Protection by F-Secure -> {45BBE08D-81C5-4A67-AF20-B2A077C67747} -> C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\browser\install\fs_ie_https\fs_ie_https.dll [2017-02-15] (F-Secure Corporation)
BHO-x32: Search by F-Secure -> {690EF1CF-5775-4CB3-A5B8-85A63FD0262B} -> C:\Program Files (x86)\F-Secure\Internet Security\apps\SafeSearch\IE\FSSafeSearch.dll [2016-10-24] (F-Secure Corporation)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2011-09-16] (Atheros Commnucations)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
Toolbar: HKLM - Search by F-Secure Toolbar - {B242FC32-2B60-48EA-A8E3-2E280EDBC48F} - C:\Program Files (x86)\F-Secure\Internet Security\apps\SafeSearch\IE\FSSafeSearch64.dll [2016-10-24] (F-Secure Corporation)
Toolbar: HKLM-x32 - Search by F-Secure Toolbar - {B242FC32-2B60-48EA-A8E3-2E280EDBC48F} - C:\Program Files (x86)\F-Secure\Internet Security\apps\SafeSearch\IE\FSSafeSearch.dll [2016-10-24] (F-Secure Corporation)

FireFox:
========
FF DefaultProfile: z332agxm.default
FF ProfilePath: C:\Users\NRG1\AppData\Roaming\Mozilla\Firefox\Profiles\z332agxm.default [2017-03-06]
FF Extension: (SHA-1 deprecation staged rollout) - C:\Users\NRG1\AppData\Roaming\Mozilla\Firefox\Profiles\z332agxm.default\features\{2c998daf-7b6b-4e82-823f-9524ffe25ab4}\disableSHA1rollout@mozilla.org.xpi [2017-03-06]
FF Extension: (Search by F-Secure) - C:\Program Files (x86)\F-Secure\Internet Security\apps\SafeSearch\\Firefox\main.xpi [2016-10-24]
FF HKLM\...\Firefox\Extensions: [ols@f-secure.com] - C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\browser\install\fs_firefox_https\fs_firefox_https.xpi
FF Extension: (Browsing Protection by F-Secure) - C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\browser\install\fs_firefox_https\fs_firefox_https.xpi [2017-02-15]
FF HKLM-x32\...\Firefox\Extensions: [ols@f-secure.com] - C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\browser\install\fs_firefox_https\fs_firefox_https.xpi
FF HKU\S-1-5-21-735665274-2204444491-4031484975-1001\...\Firefox\Extensions: [safesearch@f-secure.com] - C:\Program Files (x86)\F-Secure\Internet Security\apps\SafeSearch\\Firefox\main.xpi
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin HKU\S-1-5-21-735665274-2204444491-4031484975-1001: @my.com/Games -> C:\Users\NRG1\AppData\Local\MyComGames\NPMyComDetector.dll [2017-02-03] (MY.COM B.V.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jmjjnhpacphpjmnnlnccpfmhkcloaade] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jmjjnhpacphpjmnnlnccpfmhkcloaade] - hxxps://clients2.google.com/service/update2/crx

==================== Dienste (Nicht auf der Ausnahmeliste) ====================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [105120 2011-09-16] (Atheros Commnucations) [Datei ist nicht signiert]
R2 CG6Service; C:\Program Files\CyberGhost 6\CyberGhost.Service.exe [76848 2017-02-06] (CyberGhost S.R.L)
R2 ePowerSvc; C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe [872552 2011-08-02] (Acer Incorporated)
R2 fshoster; C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe [181216 2016-10-25] (F-Secure Corporation)
R3 FSMA; C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Common\FSMA32.EXE [218080 2016-10-26] (F-Secure Corporation)
R2 fsnethoster; C:\Program Files (x86)\F-Secure\Internet Security\fshoster32.exe [181216 2016-10-25] (F-Secure Corporation)
R2 FSORSPClient; C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Reputation\fsorsp.exe [62432 2016-05-20] (F-Secure Corporation)
R2 GREGService; C:\Program Files (x86)\Packard Bell\Registration\GREGsvc.exe [36456 2011-05-30] (Acer Incorporated)
R2 Live Updater Service; C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe [244624 2011-04-22] (Acer Incorporated)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14416624 2017-02-02] (Copyright 2017.)

===================== Treiber (Nicht auf der Ausnahmeliste) ======================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

R1 cbfs6; C:\Windows\system32\drivers\cbfs6.sys [460992 2016-09-21] (/n software, Inc.)
R3 digitalpower; C:\Windows\System32\drivers\digitalpower.sys [29184 2015-09-10] (Bongiovi Acoustics)
R3 F-Secure Gatekeeper; C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\Anti-Virus\minifilter\FSgk.sys [229080 2017-02-03] (F-Secure Corporation)
R1 F-Secure HIPS; C:\Program Files (x86)\F-Secure\Internet Security\apps\ComputerSecurity\HIPS\drivers\fshs.sys [106712 2017-02-03] (F-Secure Corporation)
R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [73928 2016-11-03] ()
R3 fsni; C:\Program Files (x86)\F-Secure\Internet Security\apps\CCF_Scanning\bin\fsni64.sys [110288 2017-02-15] (F-Secure Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R1 RrNetCapFilterDriver; C:\Windows\System32\DRIVERS\RrNetCapFilterDriver.sys [25256 2016-10-20] (Audials AG)
R3 vpnpbus; C:\Windows\System32\DRIVERS\vpnpbus.sys [18624 2016-09-09] (/n software, Inc.)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2016-11-12] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2016-11-12] (Zemana Ltd.)

==================== NetSvcs (Nicht auf der Ausnahmeliste) ===================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)


==================== Ein Monat: Erstellte Dateien und Ordner ========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)

2017-03-07 17:06 - 2017-03-07 17:06 - 00017813 _____ C:\Users\NRG1\Desktop\FRST.txt
2017-03-07 17:05 - 2017-03-07 17:06 - 00000000 ____D C:\FRST
2017-03-07 17:01 - 2017-03-07 16:51 - 02423808 _____ (Farbar) C:\Users\NRG1\Desktop\FRST64.exe
2017-03-07 14:12 - 2017-03-07 14:26 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-03-07 14:10 - 2017-03-07 14:10 - 00000000 ____D C:\Users\NRG1\Desktop\MBAR
2017-03-06 15:20 - 2017-03-06 15:20 - 00021712 _____ (Phoenix Technologies) C:\Windows\SysWOW64\Drivers\DrvAgent64.SYS
2017-03-06 15:20 - 2017-03-06 15:20 - 00000000 ____D C:\Users\NRG1\AppData\Local\eSupport.com
2017-03-06 15:12 - 2017-03-06 15:12 - 00002231 _____ C:\Users\Public\Desktop\Majorgeeks.com Software Updates and News.lnk
2017-03-06 15:12 - 2017-03-06 15:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Majorgeeks.com
2017-03-06 15:12 - 2017-03-06 15:12 - 00000000 ____D C:\Program Files (x86)\Majorgeeks.com
2017-03-06 11:16 - 2017-03-06 11:16 - 00000000 ____D C:\Users\NRG1\AppData\Local\ExpanDrive
2017-03-06 11:02 - 2017-03-06 11:02 - 00000000 ____D C:\Users\NRG1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ExpanDrive
2017-03-06 11:02 - 2016-09-21 08:52 - 00196000 _____ (/n software, Inc.) C:\Windows\system32\cbfsMntNtf6.dll
2017-03-06 11:02 - 2016-09-21 08:52 - 00134560 _____ (/n software, Inc.) C:\Windows\system32\cbfsNetRdr6.dll
2017-03-06 11:02 - 2016-09-21 08:51 - 00170400 _____ (/n software, Inc.) C:\Windows\SysWOW64\cbfsMntNtf6.dll
2017-03-06 11:01 - 2017-03-06 11:16 - 00000000 ____D C:\Users\NRG1\AppData\Local\Apps\ExpanDrive
2017-02-24 14:21 - 2017-03-06 15:48 - 00000000 ____D C:\Users\NRG1\AppData\LocalLow\Mozilla
2017-02-24 14:21 - 2017-03-06 15:24 - 00000000 ____D C:\Users\NRG1\AppData\Local\Mozilla
2017-02-24 14:21 - 2017-02-24 14:21 - 00000000 ____D C:\Users\NRG1\AppData\Roaming\Mozilla
2017-02-24 14:20 - 2017-02-24 14:20 - 00001131 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-02-24 14:20 - 2017-02-24 14:20 - 00001119 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-02-24 14:20 - 2017-02-24 14:20 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-02-24 14:20 - 2017-02-24 14:20 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-02-15 16:24 - 2017-03-07 13:48 - 00000000 ____D C:\Users\NRG1\AppData\Local\CrashDumps
2017-02-15 15:54 - 2017-02-15 15:54 - 00000000 ___RD C:\Users\NRG1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2017-02-15 15:50 - 2017-02-15 15:50 - 00000000 ____D C:\Users\NRG1\AppData\Local\ElevatedDiagnostics

==================== Ein Monat: Geänderte Dateien und Ordner ========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)

2017-03-07 17:06 - 2016-11-12 15:24 - 00050477 _____ C:\Windows\ZAM.krnl.trace
2017-03-07 17:06 - 2016-11-12 15:24 - 00020108 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-03-07 16:58 - 2016-11-12 14:54 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-03-07 16:58 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-07 16:12 - 2009-07-14 05:45 - 00016752 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-03-07 16:12 - 2009-07-14 05:45 - 00016752 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-03-07 16:08 - 2016-11-04 03:28 - 00698926 _____ C:\Windows\system32\perfh007.dat
2017-03-07 16:08 - 2016-11-04 03:28 - 00149034 _____ C:\Windows\system32\perfc007.dat
2017-03-07 16:08 - 2009-07-14 06:13 - 01618320 _____ C:\Windows\system32\PerfStringBackup.INI
2017-03-07 16:08 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2017-03-07 14:10 - 2016-11-05 21:41 - 00000000 ___RD C:\_xNET_DL
2017-03-07 13:28 - 2017-02-03 18:11 - 00000000 ____D C:\Users\NRG1\AppData\Local\MyComGames
2017-03-07 13:28 - 2017-02-03 11:05 - 00000000 ____D C:\Program Files (x86)\Steam
2017-03-07 13:18 - 2017-02-03 18:12 - 00000000 ____D C:\MyGames
2017-03-06 10:56 - 2016-11-12 21:35 - 00000000 ____D C:\Windows\system32\inf32
2017-03-01 23:22 - 2017-01-30 13:55 - 00000000 ___RD C:\_acronis_test_A
2017-03-01 23:22 - 2017-01-30 13:53 - 00000000 ___RD C:\acronis_sync_test
2017-03-01 23:22 - 2016-11-03 20:42 - 00000000 ___RD C:\soft_4_tsx_nov_16
2017-02-27 15:32 - 2016-12-19 04:19 - 00000000 ____D C:\Users\NRG1\AppData\Roaming\AIMP
2017-02-25 21:27 - 2016-12-24 00:47 - 00000000 ____D C:\Users\NRG1\AppData\Roaming\Genie9
2017-02-24 14:07 - 2009-07-14 06:08 - 00032616 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-02-23 17:58 - 2016-11-06 17:57 - 00000000 ____D C:\Windows\system32\MRT
2017-02-23 17:56 - 2016-11-06 17:57 - 138020592 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-02-23 17:36 - 2016-11-03 18:41 - 00000000 ____D C:\Users\UpdatusUser
2017-02-15 15:49 - 2016-11-03 21:05 - 00000000 ____D C:\ProgramData\F-Secure

==================== Dateien im Wurzelverzeichnis einiger Verzeichnisse =======

2006-09-22 22:26 - 2006-09-22 22:26 - 0000000 ____H () C:\ProgramData\sdpsenv.dat

Dateien, die verschoben oder gelöscht werden sollten:
====================
C:\ProgramData\sdpsenv.dat


Einige Dateien in TEMP:
====================
2017-01-20 16:05 - 2017-01-20 16:05 - 7301336 _____ (Bongiovi Acoustics                                          ) C:\Users\NRG1\AppData\Local\Temp\Bongiovi_DPS_Setup_2.0.1.11.exe
2016-12-24 00:46 - 2016-12-24 00:46 - 9846272 _____ () C:\Users\NRG1\AppData\Local\Temp\redistFull.exe
2016-12-07 15:32 - 2016-12-07 15:33 - 43872728 _____ (Skype Technologies S.A.) C:\Users\NRG1\AppData\Local\Temp\SkypeSetup.exe

==================== Bamital & volsnap ======================

(Es ist kein automatischer Fix für Dateien vorhanden, die an der Verifikation gescheitert sind.)

C:\Windows\system32\winlogon.exe => Datei ist digital signiert
C:\Windows\system32\wininit.exe => Datei ist digital signiert
C:\Windows\SysWOW64\wininit.exe => Datei ist digital signiert
C:\Windows\explorer.exe => Datei ist digital signiert
C:\Windows\SysWOW64\explorer.exe => Datei ist digital signiert
C:\Windows\system32\svchost.exe => Datei ist digital signiert
C:\Windows\SysWOW64\svchost.exe => Datei ist digital signiert
C:\Windows\system32\services.exe => Datei ist digital signiert
C:\Windows\system32\User32.dll => Datei ist digital signiert
C:\Windows\SysWOW64\User32.dll => Datei ist digital signiert
C:\Windows\system32\userinit.exe => Datei ist digital signiert
C:\Windows\SysWOW64\userinit.exe => Datei ist digital signiert
C:\Windows\system32\rpcss.dll => Datei ist digital signiert
C:\Windows\system32\dnsapi.dll => Datei ist digital signiert
C:\Windows\SysWOW64\dnsapi.dll => Datei ist digital signiert
C:\Windows\system32\Drivers\volsnap.sys => Datei ist digital signiert

LastRegBack: 2017-03-06 11:42

==================== Ende von FRST.txt ============================


....i dont like CHAOS but CHAOS likes me! ....live from EUROPE/germany !!! ....live from EUROPE/germany !!!




#2 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 08 March 2017 - 10:23 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please post the Addition.txt file for my review.

I need to review both logs before giving you any sound advice.

nasdaq

#3 LASERzzzzzz (Topic Starter)

Posted 08 March 2017 - 10:49 AM

Hi nasdaq!

Thanks for your support! Sorry about that: I forgot to upload this file.

But OK, here is the file, attached to this post.




#4 nasdaq (Malware Response Team)

Posted 08 March 2017 - 11:50 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-735665274-2204444491-4031484975-1001\...\Run: [pCloud] => [X]
AlternateDataStreams: C:\ProgramData\sdpsenv.dat:naughtypirates [322]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

--RogueKiller--
  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======


ADOBE READER
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
<<<>>>

ADOBE FLASH PLAYER

Go to this page with Firefox or Opera to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!
===

ADOBE AIR

Navigate to this page and follow the instructions and get the latest version.
https://get.adobe.com/air/

Remove these old programs (listed below) via the Control Panel > Programs > Programs and Features if still present.
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.3.9130 - Adobe Systems Inc.)
Adobe Flash Player 10 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 10.3.181.34 - Adobe Systems Incorporated)
Adobe Reader X MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.0.0 - Adobe Systems Incorporated)
===


Please post the logs and let me know what problem persists.
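As an added example (not part of this thread, and not FRST's or RogueKiller's own code), the following PowerShell script re-checks, after the reboot, the three things the fixlist above asks FRST to remove: the extra alternate data stream on C:\ProgramData\sdpsenv.dat, the EnableShellExecuteHooks policy value, and the orphaned per-user Run entry. The default file path and user SID are taken from the FRST log earlier in the thread. The script assumes PowerShell 3.0 or later (Get-Item -Stream needs it, and Windows 7 ships 2.0), an elevated prompt, and that it runs in the affected user's session so that hive is loaded under HKEY_USERS; the variable names and output wording are my own.

```powershell
# Added example, not part of the thread or of FRST: re-check the three items the
# fixlist targeted so the fix can be confirmed after the reboot.
# Assumes PowerShell 3.0+ (Get-Item -Stream), an elevated prompt, and that the
# user whose SID is given below is logged on (so HKU\<SID> exists).
param(
    # File whose alternate data streams are listed (path taken from the FRST log).
    [string]$FilePath = 'C:\ProgramData\sdpsenv.dat',
    # SID of the user hive that carried the orphaned [pCloud] Run entry (from the log).
    [string]$UserSid  = 'S-1-5-21-735665274-2204444491-4031484975-1001'
)

$findings = @()

# 1. Alternate data streams. Every NTFS file has the unnamed ':$DATA' stream; any
#    other stream (the ':naughtypirates' one FRST removed) deserves a second look.
if (Test-Path -LiteralPath $FilePath) {
    $extra = Get-Item -LiteralPath $FilePath -Stream * -ErrorAction SilentlyContinue |
             Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $extra) {
        $findings += "ADS still present: ${FilePath}:$($s.Stream) ($($s.Length) bytes)"
    }
}

# 2. Explorer policy. EnableShellExecuteHooks=1 re-enables the ShellExecuteHooks
#    load point; FRST deleted the value, so it should no longer exist at all.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$hooks = Get-ItemProperty -Path $policyKey -Name EnableShellExecuteHooks -ErrorAction SilentlyContinue
if ($hooks) {
    $findings += "EnableShellExecuteHooks is still set to $($hooks.EnableShellExecuteHooks) under $policyKey"
}

# 3. Per-user Run key. Flag autostart values whose command line is empty or whose
#    executable cannot be found on disk or on PATH (FRST printed pCloud as '=> [X]').
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$runKey = "HKU:\$UserSid\Software\Microsoft\Windows\CurrentVersion\Run"
if (Test-Path -Path $runKey) {
    foreach ($name in (Get-Item -Path $runKey).Property) {
        $cmd = [string](Get-ItemProperty -Path $runKey -Name $name).$name
        # The executable is the quoted first token, or else the first whitespace-delimited token.
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        $exists = -not [string]::IsNullOrWhiteSpace($exe) -and
                  ((Test-Path -LiteralPath $exe) -or [bool](Get-Command -Name $exe -ErrorAction SilentlyContinue))
        if (-not $exists) {
            $findings += "Run entry [$name] has no valid target: '$cmd'"
        }
    }
}

if ($findings.Count -eq 0) {
    'Clean: no extra ADS, no EnableShellExecuteHooks policy value, no orphaned Run entries.'
} else {
    $findings
}
```

Save it as, for example, Check-FixResult.ps1 and run it from an elevated PowerShell window in the affected user's session; the single "Clean" line means all three items are gone, otherwise each surviving item is printed. The Run-key check looks up bare names such as wscript.exe on PATH before flagging them, so only entries with an empty command line or a missing executable are reported.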

#5 LASERzzzzzz (Topic Starter)

Posted 08 March 2017 - 02:37 PM

Hi,

Below I pasted the content of the file "Fixlog.txt". Should I now try to run RogueKiller?

Entferungsergebnis von Farbar Recovery Scan Tool (x64) Version: 08-03-2017
durchgeführt von NRG1 (08-03-2017 20:18:35) Run:1
Gestartet von C:\Users\NRG1\Desktop
Geladene Profile: UpdatusUser & NRG1 (Verfügbare Profile: UpdatusUser & NRG1)
Start-Modus: Normal
==============================================

fixlist Inhalt:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-735665274-2204444491-4031484975-1001\...\Run: [pCloud] => [X]
AlternateDataStreams: C:\ProgramData\sdpsenv.dat:naughtypirates [322]

End
*****************

Wiederherstellungspunkt wurde erfolgreich erstellt.
Prozesse erfolgreich geschlossen.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\EnableShellExecuteHooks => Wert erfolgreich entfernt
HKU\S-1-5-21-735665274-2204444491-4031484975-1001\Software\Microsoft\Windows\CurrentVersion\Run\\pCloud => Wert erfolgreich entfernt
C:\ProgramData\sdpsenv.dat => ":naughtypirates" ADS erfolgreich entfernt.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 18673335 B
Java, Flash, Steam htmlcache => 65419416 B
Windows/system/drivers => 29756646 B
Edge => 0 B
Chrome => 0 B
Firefox => 25484790 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 132772 B
systemprofile32 => 82612 B
LocalService => 0 B
NetworkService => 0 B
UpdatusUser => 0 B
NRG1 => 891692070 B

RecycleBin => 751378496 B
EmptyTemp: => 1.7 GB temporäre Dateien entfernt.

================================


Das System musste neu gestartet werden.

==== Ende von Fixlog 20:20:09 ====


Edited by LASERzzzzzz, 08 March 2017 - 02:38 PM.



#6 nasdaq (Malware Response Team)

Posted 09 March 2017 - 08:22 AM

Run the RogueKiller if you have any difficulties with this computer.

Let me know what the problems are.

#7 LASERzzzzzz (Topic Starter)

Posted 10 March 2017 - 11:22 AM

Hi,

On this laptop everything is still working fine: no problems/difficulties. So thanks a lot for your support/help!

After the rootkit detection I was quite confused and I simply forgot that I made two screenshots of a message box from Malwarebytes Anti-Rootkit.

I started this tool on all my laptops to check if there is a rootkit infection. I saw this message box (see below) after starting Malwarebytes Anti-Rootkit on these laptops: "Packard Bell TSX62" and "msi-GE60". There was no message box from Malwarebytes Anti-Rootkit on the laptop msi-GT72.

Sorry for this delay!

Thanks a lot and greets from Germany!

[attached screenshot: the Malwarebytes Anti-Rootkit message box]




#8 nasdaq (Malware Response Team)

Posted 10 March 2017 - 02:15 PM

We do not service 2 computers on the same topic.

Please start a new topic for this second computer.

Run the Farbar tool on it and post the FRST and Addition.txt log for my review.

When the topic has been created, return here and post the topic no. (URL).
I will expedite the matter.

#9 LASERzzzzzz (Topic Starter)

Posted 10 March 2017 - 06:49 PM

Hi,

OK... here is the separate thread for my second laptop (msi-GE60):

https://www.bleepingcomputer.com/forums/t/641776/possibly-a-rootkit-separate-thread-for-my-2nd-laptop-in-my-lan/

cu and greets from Germany!






