Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

The requested recource is in use.


  • This topic is locked This topic is locked
48 replies to this topic

#1 deluett

deluett

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 28 March 2017 - 08:31 PM

When I stared by computer there was a blue screen, which had an error message. Although I forgot what it was I know it started with a B. Then it restarted by computer and the issue began here. My security system ( Kasperky) shows this message when opens, as do a good portion of other programs. Ive restarted by computer several times but I wasn't able to fix it. So am I infected? If so, what of I do? (As I am posting this late, I wont be able to respond until about 4:00 pm tomorrow due to my schedule, I apologize in advance.) I am using a windows 10 computer.

 

 

Mod Edit

 

Moved to MRL at Aura's request.

 

NickAu


Edited by NickAu, 28 March 2017 - 09:03 PM.
Mod edit.


BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 AM

Posted 30 March 2017 - 12:02 PM

Hi deluett :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the article below to run a scan with MBAR. Once done, copy/paste the content of the log in your next reply (the log will be located in the MBAR folder).

https://support.malwarebytes.com/customer/portal/articles/2097176?b_id=6400

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 deluett

deluett
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 30 March 2017 - 04:31 PM

This is the log. Thank you for the help.

 

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 10.0.14393 Windows 10 x64
 
Account is Administrative
 
Internet Explorer version: 11.576.14393.0
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.304000 GHz
Memory total: 4162592768, free: 1115508736
 
=======================================
Driver version: 0.3.0.4
------------ Kernel report ------------
     03/30/2017 17:12:58
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\tpm.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\system32\drivers\ndistpr64.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\system32\drivers\NDIS.SYS
\SystemRoot\system32\drivers\TDI.SYS
\SystemRoot\System32\Drivers\klupd_klif_arkmon.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\DRIVERS\cm_km.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\DRIVERS\klbackupdisk.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\iaStorA.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\system32\drivers\WdFilter.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\Drivers\klupd_klif_klbg.sys
\SystemRoot\system32\DRIVERS\kl1.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\klhk.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\system32\DRIVERS\klbackupflt.sys
\SystemRoot\system32\DRIVERS\klflt.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\system32\DRIVERS\klif.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\klpd.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\klwfp.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\klim6.sys
\SystemRoot\system32\DRIVERS\klwtp.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\system32\DRIVERS\kneps.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\CLVirtualDrive.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\drivers\kltap.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_a140581a8f8b58b7\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\DriverStore\FileRepository\ki118510.inf_amd64_86ba6994ef30d25b\igdkmd64.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\TeeDriverW8x64.sys
\SystemRoot\System32\drivers\rt640x64.sys
\SystemRoot\System32\drivers\Qcamain10x64.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\ETD.sys
\SystemRoot\system32\DRIVERS\klkbdflt.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\klmouflt.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\System32\drivers\AcpiVpc.sys
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\wmiacpi.sys
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\acpipagr.sys
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\iwdbus.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\system32\drivers\CHDRT64.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\system32\DRIVERS\btfilter.sys
\SystemRoot\System32\drivers\BTHUSB.sys
\SystemRoot\System32\drivers\bthport.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\system32\DRIVERS\rtsuvc.sys
\SystemRoot\System32\drivers\BthLEEnum.sys
\SystemRoot\System32\drivers\rfcomm.sys
\SystemRoot\System32\drivers\BthEnum.sys
\SystemRoot\System32\drivers\bthpan.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_iaStorA.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\HIDPARSE.SYS
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\Drivers\hidparse.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\System32\drivers\WUDFRd.sys
\SystemRoot\System32\drivers\mshidumdf.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\system32\drivers\wcifs.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\drivers\wcnfs.sys
\SystemRoot\System32\drivers\registry.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\??\C:\Windows\system32\Drivers\qwfp64.sys
\SystemRoot\system32\drivers\bckd.sys
\SystemRoot\system32\DRIVERS\kldisk.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\rassstp.sys
\SystemRoot\System32\DRIVERS\NDProxy.sys
\SystemRoot\System32\drivers\AgileVpn.sys
\SystemRoot\System32\drivers\rasl2tp.sys
\SystemRoot\System32\drivers\raspptp.sys
\SystemRoot\System32\drivers\raspppoe.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\drivers\ndiswan.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\System32\drivers\tunnel.sys
\SystemRoot\system32\Drivers\WdNisDrv.sys
\SystemRoot\System32\drivers\condrv.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
----------- End -----------
Done!
 
Scan started
Database versions:
  main:    v2014.11.18.05
  rootkit: v2014.11.12.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffbe86f2f15060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffbe86f2e859e0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffbe86f2f15060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffbe86ee5d3cf0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffbe86ed462400, DeviceName: \Device\00000030\, DriverName: \Driver\iaStorA\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys (0x00000005)
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: CA78B323
 
GPT Protective MBR Partition information:
 
    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
GPT Partition information:
 
    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 857052278
    GPT Header CurrentLba = 1 BackupLba 1953525167
    GPT Header FirstUsableLba 34  LastUsableLba 1953525134
    GPT Header Guid 7b3d305d-1299-4f0f-86a3-4ead12fc154
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128
 
    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 857052278
    Backup GPT header CurrentLba = 1953525167 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 1953525134
    Backup GPT header Guid 7b3d305d-1299-4f0f-86a3-4ead12fc154
    Backup GPT header Contains 128 partition entries starting at LBA 1953525135
    Backup GPT header Partition entry size = 128
 
    Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID c135e945-32c0-443c-9f9b-5633f452ca92
    FirstLBA 2048  Last LBA 534527
    Attributes 0
    Partition Name                 EFI system partition
 
    GPT Partition 0 is bootable
    Partition 1 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID 1f2ec4de-22b4-4ed4-ae8d-e96f961cab5
    FirstLBA 534528  Last LBA 567295
    Attributes 0
    Partition Name         Microsoft reserved partition
 
    Partition 2 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID b139e2f8-6eeb-4665-b896-db15caff2e25
    FirstLBA 567296  Last LBA 1872551935
    Attributes 0
    Partition Name                 Basic data partition
 
    Partition 3 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID bd983ce1-eaf6-4251-a86f-fcff674c5f76
    FirstLBA 1872551936  Last LBA 1924980735
    Attributes 0
    Partition Name                 Basic data partition
 
    Partition 4 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 9acc5642-b9e3-4808-9f64-2ba09016b4b
    FirstLBA 1924980736  Last LBA 1927028735
    Attributes 1
    Partition Name                 Basic data partition
 
    Partition 5 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID c8318904-744b-4e2c-bb8d-eb7f293294b2
    FirstLBA 1927028736  Last LBA 1951475711
    Attributes 1
    Partition Name                 Basic data partition
 
    Partition 6 Type bfbfafe7-a34f-448a-9a5b-6213eb736c22
    Partition ID 958c8537-6c9a-476d-bad4-118f76cbd766
    FirstLBA 1951475712  Last LBA 1953523711
    Attributes 1
    Partition Name                 Basic data partition
 
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
 
Done!
Infected: C:\Users\Devontay Eluett\Documents\eXplorer.exe --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe --> [Security.Hijack]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe --> [Security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe --> [Trojan.Agent]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe --> [Security.Hijack]
Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe --> [Security.Hijack]
Scan finished

Edited by deluett, 30 March 2017 - 04:31 PM.


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 AM

Posted 30 March 2017 - 05:07 PM

I don't think this is the right log. The right log is called:
mbar-log-TODAY'S-DATE.txt
Can you check in the MBAR folder again?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 deluett

deluett
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 30 March 2017 - 05:22 PM

Sorry about that. I think this is the correct log. 

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2014.11.18.05
  rootkit: v2014.11.12.01
 
Windows 10 x64 NTFS
Internet Explorer 11.576.14393.0
Devontay Eluett :: LAPTOP-4VUTR211 [administrator]
 
3/30/2017 5:13:11 PM
mbar-log-2017-03-30 (17-13-11).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 370110
Time elapsed: 15 minute(s), 22 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 8
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE (Trojan.Agent) -> No action taken. [88b546f71666f640519487acde2605fb]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE (Trojan.Agent) -> No action taken. [88b546f71666f640519487acde2605fb]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> No action taken. [28154df0a9d3f640834a38bc669d4cb4]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> No action taken. [14296fce6715a096e9fdd321a45f0cf4]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> No action taken. [f944ca734c301d193ccab146cb389c64]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> No action taken. [69d4083519630f2700cd2cc8bc4702fe]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> No action taken. [231a320b2755e155ac3a04f0ed169a66]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> No action taken. [8bb2ab922755e74ff51136c105fea957]
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Users\Devontay Eluett\Documents\eXplorer.exe (Trojan.Agent) -> No action taken. [88b546f71666f640519487acde2605fb]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 AM

Posted 30 March 2017 - 05:27 PM

It is. It looks like you didn't delete the threats MBAR detected. Can you run it again but this time delete them once the scan is complete?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 deluett

deluett
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 30 March 2017 - 05:29 PM

Will do.



#8 deluett

deluett
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 30 March 2017 - 05:50 PM

Finished. This is the new log.

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2014.11.18.05
  rootkit: v2014.11.12.01
 
Windows 10 x64 NTFS
Internet Explorer 11.576.14393.0
Devontay Eluett :: LAPTOP-4VUTR211 [administrator]
 
3/30/2017 6:30:03 PM
mbar-log-2017-03-30 (18-30-03).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 370109
Time elapsed: 14 minute(s), 32 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 8
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE (Trojan.Agent) -> Delete on reboot. [f548b28bbdbf66d0776e43f034d0ac54]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE (Trojan.Agent) -> Delete on reboot. [f548b28bbdbf66d0776e43f034d0ac54]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [46f78eaf205c20165b72e50fef140cf4]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [0439ba83720abb7b43a339bbcb38966a]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [6ad31e1fec90f73faa5c47b0699a31cf]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [e756de5f601c270f428b1cd8a360857b]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [bc8164d9ed8f90a6d016e50f659eda26]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [92abed502e4ebf7748be7b7c7e85aa56]
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Users\Devontay Eluett\Documents\eXplorer.exe (Trojan.Agent) -> Delete on reboot. [f548b28bbdbf66d0776e43f034d0ac54]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)


#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 AM

Posted 30 March 2017 - 05:52 PM

You need to update the database (click on the Update button) when you launch MBAR, before running the scan. Please do it again and make sure to update the database first, otherwise, the current infection won't be detected.
Database version:
  main:    v2014.11.18.05
  rootkit: v2014.11.12.01

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 deluett

deluett
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 30 March 2017 - 06:13 PM

I scanned after updating, and now malware was found despite the problem still being there. 

 

Here is the new log. 

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2014.11.18.05
  rootkit: v2014.11.12.01
 
Windows 10 x64 NTFS
Internet Explorer 11.576.14393.0
Devontay Eluett :: LAPTOP-4VUTR211 [administrator]
 
3/30/2017 6:52:18 PM
mbar-log-2017-03-30 (18-52-18).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 370258
Time elapsed: 16 minute(s), 3 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 

Attached Files



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 AM

Posted 30 March 2017 - 06:15 PM

It doesn't look like the update worked.
Database version:
  main:    v2014.11.18.05
  rootkit: v2014.11.12.01
Boot in Safe Mode with Networking, and try to run MBAR from there.

https://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 deluett

deluett
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 30 March 2017 - 06:32 PM

After I selected "restart now," under advanced options. The computer restarted and just took me to the normal sign in page. Is there any way to fix this?



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 AM

Posted 30 March 2017 - 06:37 PM

I forgot for a moment that this infection disables Safe Mode. Can you launch MBAR again and try to update the database? I want to see if the infection is causing this.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 deluett

deluett
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 30 March 2017 - 06:41 PM

Attached File  Capture.PNG   151.24KB   0 downloadsIt returned with the same message.



#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 AM

Posted 30 March 2017 - 06:48 PM

This is the MBAR I downloaded and updated, then put in a .zip file. See if you can open it, and check if the database versions are from 2017. If they are, run the scan and delete the threats it detects, then provide me the log.

https://www.dropbox.com/s/t87psxu30nn87l0/mbar-1.09.3.1001.zip?dl=0

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users