Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Am I infected? Rougekiller, adwcleaner, hitmanpro, frst


  • This topic is locked This topic is locked
15 replies to this topic

#1 Jaqen

Jaqen

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 19 March 2017 - 01:13 AM

Hello good people !

 

I just scanned with adwcleaner, hitmanpro and roguekiller and rogue~ log is worrisome.

Please help me to know it's false positive or i'am infected.

 

Thanks!

Attached Files


Edited by Jaqen, 19 March 2017 - 01:14 AM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 20 March 2017 - 09:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} =>  -> Brak pliku
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} =>  -> Brak pliku
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} =>  -> Brak pliku
ShellIconOverlayIdentifiers-x32: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} =>  -> Brak pliku
ShellIconOverlayIdentifiers-x32: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} =>  -> Brak pliku
ShellIconOverlayIdentifiers-x32: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} =>  -> Brak pliku
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.8.0.50\coFFAddon => nie znaleziono
FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.8.0.50\coFFAddon => nie znaleziono
FF HKU\S-1-5-21-3030704806-701468817-929145477-1000\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\jaqx\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi => nie znaleziono
FF Plugin: @microsoft.com/GENUINE -> disabled [Brak pliku]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [Brak pliku]
FF Plugin HKU\S-1-5-21-3030704806-701468817-929145477-1000: @acestream.net/acestreamplugin,version=3.1.15 -> C:\Users\jaqx\AppData\Roaming\ACEStream\player\npace_plugin.dll [Brak pliku]
CHR Extension: (Ace Stream Web Extension) - C:\Users\jaqx\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjbepbhonbojpoaenhckjocchgfiaofo [2017-02-25]
CHR Extension: (Platnosci w sklepie Chrome Web Store) - C:\Users\jaqx\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-18]
CHR Extension: (Chrome Media Router) - C:\Users\jaqx\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-25]
CHR HKU\S-1-5-21-3030704806-701468817-929145477-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx
OPR Extension: (Speed Dial [FVD] - New Tab Page, 3D, Sync...) - C:\Users\jaqx\AppData\Roaming\Opera Software\Opera Stable\Extensions\llaficoajjainaijghjlofdfmbjpebpa [2017-03-11]
OPR Extension: (SaveFrom.net helper) - C:\Users\jaqx\AppData\Roaming\Opera Software\Opera Stable\Extensions\npdpplbicnmpoigidfdjadamgfkilaak [2017-03-06]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S4 nvvhci; system32\DRIVERS\nvvhci.sys [X]
S3 PCASp60; System32\Drivers\PCASp60.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixldog.txt and let me know what problem persists.

=========

Your RogueKiller log is good.
Nothing to worry about.

#3 Jaqen

Jaqen
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 23 March 2017 - 08:52 AM

Hello! Thank you for help!

Done, what u say.

I will scan pc again and reply.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 29 March 2017 - 07:32 AM

Are you still with me?

#5 Jaqen

Jaqen
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 01 April 2017 - 12:18 AM

Yes. Sorry for the delay.

What more can I use to deep scan?

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 01 April 2017 - 07:46 AM

Run the AdwCleaner tool and delete every items reported.

===


Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winsock: Catalog9 01 C:\Windows\SysWOW64\lp.dll [307200 2011-10-31] (LowerPing)
Winsock: Catalog9 02 C:\Windows\SysWOW64\lp.dll [307200 2011-10-31] (LowerPing)
Winsock: Catalog9 03 C:\Windows\SysWOW64\lp.dll [307200 2011-10-31] (LowerPing)
Winsock: Catalog9 04 C:\Windows\SysWOW64\lp.dll [307200 2011-10-31] (LowerPing)
Winsock: Catalog9 11 C:\Windows\SysWOW64\lp.dll [307200 2011-10-31] (LowerPing)
Winsock: Catalog9-x64 01 C:\Windows\system32\lp64.dll [421376 2011-10-31] (LowerPing)
Winsock: Catalog9-x64 02 C:\Windows\system32\lp64.dll [421376 2011-10-31] (LowerPing)
Winsock: Catalog9-x64 03 C:\Windows\system32\lp64.dll [421376 2011-10-31] (LowerPing)
Winsock: Catalog9-x64 04 C:\Windows\system32\lp64.dll [421376 2011-10-31] (LowerPing)
Winsock: Catalog9-x64 11 C:\Windows\system32\lp64.dll [421376 2011-10-31] (LowerPing)
OPR Extension: (Speed Dial [FVD] - New Tab Page, 3D, Sync...) - C:\Users\jaqx\AppData\Roaming\Opera Software\Opera Stable\Extensions\llaficoajjainaijghjlofdfmbjpebpa [2017-04-01]
OPR Extension: (SaveFrom.net helper) - C:\Users\jaqx\AppData\Roaming\Opera Software\Opera Stable\Extensions\npdpplbicnmpoigidfdjadamgfkilaak [2017-03-21]
C:\Windows\SysWOW64\lp.dll
C:\Windows\system32\lp64.dll

cmd: netsh winsock reset catalog

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 07 April 2017 - 09:54 AM

Are you still with me?

#8 Jaqen

Jaqen
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 08 April 2017 - 06:32 PM

Yes, thank You so much, u're pro =). Here's fixlog report.

I'll add new scan logs in next post.

 

Attached Files


Edited by Jaqen, 08 April 2017 - 06:33 PM.


#9 Jaqen

Jaqen
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 08 April 2017 - 07:04 PM

PC working quite fine.

New scans, new logs.

Can You also help me with internet? I have lags in internet games, normal 70 ping but often it comes to 1000+.Or, even make QoS, to other user would take max 20% of internet?

Thank's!

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 09 April 2017 - 08:12 AM


Quoted from the Addition.txt log.
Please run the Troubleshooting wizard as suggested.

Name: NVIDIA Virtual Audio Device (Wave Extensible) (WDM)
Description: NVIDIA Virtual Audio Device (Wave Extensible) (WDM)
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: NVIDIA
Service: nvvad_WaveExtensible
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.

Name: NVVHCI Enumerator
Description: NVVHCI Enumerator
Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer: NVIDIA
Service: nvvhci
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.


Was this downloader process running while you were running the Farbar tool?
If it's still running I would stop the process.
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2017\downloader.exe

===

Check also for new versions of 3rd party drivers.

Navigate to this page.
http://learn.flexerasoftware.com/SVM-EVAL-Personal-Software-Inspector

Download and run the Flexera Software Personal Software Inspector.

===

Keep me posted.

#11 Jaqen

Jaqen
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 09 April 2017 - 11:48 AM

PSI has 98% score, just gimp is outdated.

Can't install two drivers. Troubleshooting wizard also doesn't recognize it.

I will point out, that speakers 5.1 have not been working properly for some time. They only run 2.0 and can hear squeaks, but, I think it's a hardware fault of the motherboard.

New logs, a lot of gmer, choose what u think usefull.

 

Attached Files


Edited by Jaqen, 09 April 2017 - 11:49 AM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 09 April 2017 - 01:27 PM



I will point out, that speakers 5.1 have not been working properly for some time

The error are about the Audio Device. That could be the reason.
Name: NVIDIA Virtual Audio Device (Wave Extensible) (WDM)
Description: NVIDIA Virtual Audio Device (Wave Extensible) (WDM)

===

Please Download Tweaking.com - Windows Repair from Here
[list]
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore Do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below

  • 01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    10 - Remove Policies Set By Infections
    17 - Repair Windows Updates
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup
    
    
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.

  • ===

    Restart the computer normally.

    Now try to install the drivers that you were not able to do previously.




#13 Jaqen

Jaqen
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 14 April 2017 - 06:26 PM

Still can't auto instal drivers.

Tweak / FRST logs.

And audio still works only in 2.0 and hear squeaks.

 

@Edit: more logs- OTL/aswMBR

 

Attached Files


Edited by Jaqen, 15 April 2017 - 06:36 AM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 15 April 2017 - 08:09 AM

Again your Winsock has been compromised.

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => Brak pliku
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => Brak pliku
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => Brak pliku
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => Brak pliku
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
HKU\S-1-5-21-3030704806-701468817-929145477-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <======= UWAGA
CHR Extension: (Chrome Media Router) - C:\Users\jaqx\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-09]
OPR Extension: (Speed Dial [FVD] - New Tab Page, 3D, Sync...) - C:\Users\jaqx\AppData\Roaming\Opera Software\Opera Stable\Extensions\llaficoajjainaijghjlofdfmbjpebpa [2017-04-13]
S4 NVHDA; system32\drivers\nvhda64v.sys [X]
Adobe Flash Player 25 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 25.0.0.148 - Adobe Systems Incorporated)
AlternateDataStreams: C:\ProgramData\TEMP:B755D674 [134]
AlternateDataStreams: C:\Users\jaqx\Downloads\HijackThis.exe:BDU [0]
AlternateDataStreams: C:\Users\jaqx\Downloads\MediaCreationTool.exe:BDU [0]
AlternateDataStreams: C:\Users\jaqx\Downloads\RogueKillerX64.exe:BDU [0]
AlternateDataStreams: C:\Users\jaqx\Downloads\TCPOptimizer.exe:BDU [0]
AlternateDataStreams: C:\Users\jaqx\Downloads\tdsskiller.exe:BDU [0]

cmd: netsh winsock reset catalog

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

p.s.
If the problem persists please run these programs.

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

    TDSSKillerSuspicious-1.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
    TDSSKillerMal-1.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    TDSSKillerCompleted.png
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
aswMBRScan.gif
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
    ===

    p.s.
    If you use a CD emulator disable it before running the TdssKiller and awsMBR programs.

    Disable the CD emulators....

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed. Or when this computer is clean.

    HOW TO: Enable the CD Emulators... < restore only when we are finished.

    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.
    ===





#15 Jaqen

Jaqen
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 15 April 2017 - 08:45 PM

Done.

I had bsod at the evening. 

MBR.dat and event logs

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users