
BSoD Virus? Already used MalwareBytes and HitmanPro


9 replies to this topic

#1 YetAnotherGirl

  • Members
  • 7 posts

Posted 25 April 2017 - 02:59 PM

MSSE earlier detected a strange "Update.exe" file and followed up with multiple Trojan.B!cert viruses, just as I thought this would be the end. This virus has constantly forced my computer to crash / restart numerous times...

 

I don't think MalwareBytes and HitmanPro detect this, but just later today, after numerous scans, I noticed a strange file on C:\ named qqss77889900.exe. I submitted it to VirusTotal and got 17 detections. I used HitmanPro to try and remove it but I currently don't have a subscription, ugh...

 

Any help would be really appreciated at this point... Will be installing ESET NOD32 to try to remove the virus. Also, whenever I use Resource Monitor, I can't see anything on the Disk or Network tab...

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-04-2017 01
Ran by User (administrator) on USER-PC (26-04-2017 03:48:34)
Running from C:\Users\User\Downloads
Loaded Profiles: User (Available Profiles: User)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
() C:\Windows\SysWOW64\ASGT.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Hammer & Chisel, Inc.) C:\Users\User\AppData\Local\Discord\app-0.0.297\Discord.exe
(Hammer & Chisel, Inc.) C:\Users\User\AppData\Local\Discord\app-0.0.297\Discord.exe
(Hammer & Chisel, Inc.) C:\Users\User\AppData\Local\Discord\app-0.0.297\Discord.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\HitmanPro.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1487552 2017-04-25] (COMODO)
HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [5015040 2012-02-09] (VIA)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2650576 2017-04-18] (Malwarebytes Corporation)
HKU\S-1-5-21-1417505777-701657441-1589347498-1000\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3330800 2011-11-21] (ASUSTek Computer Inc.)
HKU\S-1-5-21-1417505777-701657441-1589347498-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8551848 2015-11-07] (Piriform Ltd)
HKU\S-1-5-21-1417505777-701657441-1589347498-1000\...\Run: [THPanel] => C:\Program Files (x86)\Thunder Master\THPanel.exe [2027352 2016-12-30] (Palit Microsystems Ltd.)
BootExecute: autocheck autochk /p \??\C:autocheck autochk *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-1417505777-701657441-1589347498-1000] => localhost:8080
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 124.106.6.37 122.2.165.173
Tcpip\..\Interfaces\{092F5BB8-6D0D-46EE-BCD7-59F34DFFEE76}: [NameServer] 8.8.4.4,8.8.8.8
Tcpip\..\Interfaces\{092F5BB8-6D0D-46EE-BCD7-59F34DFFEE76}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{548F4C39-3871-471E-97AA-009B2B8F853C}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{548F4C39-3871-471E-97AA-009B2B8F853C}: [DhcpNameServer] 124.106.6.37 122.2.165.173
Tcpip\..\Interfaces\{6B5E7F0F-AD8D-4C0B-BCE1-31FFD2543D32}: [DhcpNameServer] 192.168.11.1
Tcpip\..\Interfaces\{A780645F-B267-4A6D-BB11-7D67FE7FFA3E}: [DhcpNameServer] 8.8.8.8 8.8.4.4 124.106.6.37

Internet Explorer:
==================
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nf6i0hag.default [2017-04-26]
FF user.js: detected! => C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nf6i0hag.default\user.js [2015-02-25]
FF Extension: (NoScript) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nf6i0hag.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-04-22]
FF Extension: (Adblock Plus) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nf6i0hag.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-24]
FF Plugin: @java.com/DTPlugin,version=10.40.2 -> C:\Windows\system32\npDeployJava1.dll [2013-12-21] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> D:\Mozilla Plugins\npitunes.dll [2014-02-20] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-12-30] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-12-30] (NVIDIA Corporation)
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-1417505777-701657441-1589347498-1000: @nsroblox.roblox.com/launcher -> C:\Users\User\AppData\Local\Roblox\Versions\version-ffefd1c450cf4303\\NPRobloxProxy.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-1417505777-701657441-1589347498-1000: @nsroblox.roblox.com/launcher64 -> C:\Users\User\AppData\Local\Roblox\Versions\version-ffefd1c450cf4303\\NPRobloxProxy64.dll [2013-01-01] ( ROBLOX Corporation)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ASGT; C:\Windows\SysWOW64\ASGT.exe [55296 2012-01-17] () [File not signed]
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [10512032 2017-04-25] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2876096 2017-04-25] (COMODO)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135488 2017-04-10] (SurfRight B.V.)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165144 2012-05-10] (Intel Corporation)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155088 2017-04-18] (Malwarebytes Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [459832 2016-12-30] (NVIDIA Corporation)
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2011-11-11] (VIA Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [31664 2017-03-29] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [848736 2017-03-29] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [57504 2017-03-29] (COMODO)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77432 2017-04-18] ()
R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [54736 2017-04-26] ()
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [119392 2017-03-29] (COMODO)
R4 IOMap; C:\Windows\system32\drivers\IOMap64.sys [23680 2010-02-23] (ASUSTeK Computer Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 NVFLASH; C:\Windows\system32\drivers\nvflash.sys [15168 2012-03-10] ()
S3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [2976472 2013-12-29] (Realtek Semiconductor Corporation                           )
S3 ssdevfactory; C:\Windows\System32\DRIVERS\ssdevfactory.sys [40576 2016-04-24] (SteelSeries ApS)
S3 sshid; C:\Windows\System32\DRIVERS\sshid.sys [51400 2016-04-24] (SteelSeries ApS)
S3 cpuz137; \??\C:\Users\User\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
S3 gkernel; \??\C:\Users\User\AppData\Local\Temp\gkernel.sys [X] <==== ATTENTION
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [X]
S3 X6va062; \??\C:\Windows\SysWOW64\Drivers\X6va062 [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-26 03:48 - 2017-04-26 03:48 - 00011597 _____ C:\Users\User\Downloads\FRST.txt
2017-04-26 03:47 - 2017-04-26 03:47 - 02426368 _____ (Farbar) C:\Users\User\Downloads\FRST64.exe
2017-04-26 03:45 - 2017-04-26 03:45 - 00054736 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2017-04-26 03:01 - 2017-04-26 03:01 - 01000960 _____ (Client Server Process) C:\qqss77889900.exe
2017-04-25 12:05 - 2017-04-25 12:06 - 00200768 _____ C:\TDSSKiller.3.1.0.15_25.04.2017_12.05.05_log.txt
2017-04-25 12:03 - 2017-04-25 13:29 - 00149062 _____ C:\Windows\ntbtlog.txt
2017-04-25 11:36 - 2017-04-25 11:38 - 00203424 _____ C:\TDSSKiller.3.1.0.15_25.04.2017_11.36.04_log.txt
2017-04-25 11:13 - 2017-04-25 11:16 - 00202092 _____ C:\TDSSKiller.3.1.0.15_25.04.2017_11.13.13_log.txt
2017-04-25 10:56 - 2017-04-25 10:56 - 00000000 ____D C:\ProgramData\Comodo Downloader
2017-04-25 10:56 - 2017-04-23 06:28 - 00230592 _____ (COMODO) C:\Windows\system32\cmdshim64.dll
2017-04-25 10:56 - 2017-04-23 06:26 - 00194752 _____ (COMODO) C:\Windows\SysWOW64\cmdshim32.dll
2017-04-25 10:44 - 2017-04-25 10:44 - 00004584 _____ C:\Users\User\Documents\cc_20170425_104454.reg
2017-04-25 10:41 - 2017-04-25 10:41 - 00027842 _____ C:\Users\User\Documents\cc_20170425_104104.reg
2017-04-25 10:27 - 2017-04-25 10:32 - 00401634 _____ C:\TDSSKiller.3.1.0.15_25.04.2017_10.27.08_log.txt
2017-04-25 10:25 - 2017-04-25 10:26 - 04830473 _____ C:\Users\User\Downloads\tdsskiller.zip
2017-04-25 10:25 - 2017-04-25 10:25 - 00000364 _____ C:\TDSSKiller.3.1.0.9_25.04.2017_10.25.25_log.txt
2017-04-25 10:15 - 2017-04-25 10:15 - 04102600 _____ C:\Users\User\Downloads\adwcleaner_6.046.exe
2017-04-25 09:59 - 2017-04-25 09:59 - 00000000 ____D C:\Windows\dell
2017-04-25 09:59 - 2017-04-25 09:59 - 00000000 ____D C:\ProgramData\dbg
2017-04-22 13:07 - 2017-04-22 13:07 - 00000560 _____ C:\Users\User\Desktop\BSoD.txt
2017-04-22 13:06 - 2017-04-25 10:44 - 00000000 ____D C:\Windows\Minidump
2017-04-20 22:06 - 2017-04-22 07:51 - 00000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox
2017-04-20 21:01 - 2017-04-22 07:51 - 00001346 _____ C:\Users\User\Desktop\ROBLOX Player.lnk
2017-04-20 20:50 - 2017-04-22 07:51 - 00001165 _____ C:\Users\User\Desktop\ROBLOX Studio.lnk
2017-04-20 20:50 - 2017-04-20 21:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Roblox
2017-04-20 20:50 - 2017-04-20 20:50 - 00000000 ____D C:\ProgramData\Roblox
2017-04-20 20:49 - 2017-04-20 20:49 - 00000000 ____D C:\Program Files (x86)\Roblox
2017-04-20 18:11 - 2017-04-20 18:40 - 00000000 ____D C:\Users\User\AppData\Local\Roblox
2017-04-18 17:02 - 2017-04-25 10:26 - 04922400 _____ (AO Kaspersky Lab) C:\Users\User\Desktop\TDSSKiller.exe
2017-04-18 14:51 - 2017-04-18 14:51 - 00003338 _____ C:\Users\User\AppData\Local\recently-used.xbel
2017-04-12 22:07 - 2017-04-12 22:07 - 00000123 _____ C:\Users\User\Desktop\Thai M16 Drill.txt
2017-04-12 18:27 - 2017-04-12 19:03 - 00000000 ____D C:\Users\User\Desktop\Counter Terror
2017-04-12 04:26 - 2017-04-12 04:26 - 00000083 _____ C:\Users\User\Desktop\doc.txt
2017-04-12 03:42 - 2017-04-12 03:45 - 00000000 ____D C:\Users\User\Desktop\Dividing
2017-04-11 12:41 - 2017-04-11 12:41 - 00000184 _____ C:\Users\User\Desktop\SEAL Pilot.txt
2017-04-10 23:15 - 2017-04-22 16:02 - 00000000 ____D C:\Users\User\Desktop\Why you love doge
2017-04-01 05:13 - 2017-04-01 05:13 - 00000721 _____ C:\Users\User\Desktop\New Text Document (4).txt
2017-03-29 17:41 - 2017-03-29 17:41 - 00000025 _____ C:\Users\User\Desktop\New Text Document (2).txt
2017-03-28 09:28 - 2017-03-30 19:23 - 00000019 _____ C:\Users\User\Desktop\Ataxa.txt
2017-03-27 23:18 - 2017-03-27 23:18 - 00000000 ____D C:\Users\User\Desktop\Woof

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-26 03:48 - 2015-01-31 19:24 - 00000000 ____D C:\FRST
2017-04-26 03:47 - 2015-06-16 05:29 - 00007599 _____ C:\Users\User\AppData\Local\Resmon.ResmonCfg
2017-04-26 03:37 - 2014-07-29 19:08 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-04-26 03:35 - 2016-07-31 07:10 - 00000000 ____D C:\Users\User\Desktop\mbar
2017-04-26 03:35 - 2015-01-31 11:13 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-04-26 03:14 - 2014-07-29 19:08 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-04-26 03:07 - 2016-12-05 00:26 - 00000000 ____D C:\Users\User\AppData\Roaming\discord
2017-04-26 03:04 - 2016-11-18 21:06 - 00000000 ____D C:\Users\User\AppData\LocalLow\Mozilla
2017-04-26 03:03 - 2015-02-04 14:28 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2017-04-26 03:03 - 2013-06-08 16:22 - 00000000 ____D C:\ProgramData\NVIDIA
2017-04-26 03:03 - 2009-07-14 13:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-04-26 01:58 - 2009-07-14 12:45 - 00017168 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-04-26 01:58 - 2009-07-14 12:45 - 00017168 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-04-25 18:05 - 2015-10-21 06:04 - 00000000 ____D C:\AdwCleaner
2017-04-25 18:00 - 2017-03-07 01:47 - 00000000 ____D C:\Users\User\Desktop\Folders March 2017
2017-04-25 11:10 - 2016-06-17 23:12 - 00000000 ___RD C:\Users\User\Desktop\XAXA Bnet
2017-04-25 11:06 - 2014-12-04 22:24 - 00000000 ____D C:\Windows\System32\Tasks\COMODO
2017-04-25 10:59 - 2013-06-10 13:18 - 00000000 ____D C:\Users\User\AppData\Local\ElevatedDiagnostics
2017-04-25 10:59 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\inf
2017-04-25 10:56 - 2014-12-04 22:25 - 00001939 _____ C:\Users\Public\Desktop\COMODO Firewall 10.lnk
2017-04-25 10:44 - 2013-06-10 06:45 - 00000000 ____D C:\Users\User\AppData\Local\CrashDumps
2017-04-25 10:38 - 2014-11-16 11:39 - 00002854 _____ C:\Windows\System32\Tasks\Driver Booster SkipUAC (User)
2017-04-25 10:38 - 2014-10-06 15:38 - 00002862 _____ C:\Windows\System32\Tasks\Driver Booster SkipUAC (SYSTEM)
2017-04-25 10:34 - 2013-06-08 16:07 - 00000000 ____D C:\Users\User\AppData\Local\Google
2017-04-25 10:34 - 2013-06-08 16:07 - 00000000 ____D C:\Program Files (x86)\Google
2017-04-25 10:00 - 2016-01-08 01:47 - 02609152 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2017-04-25 10:00 - 2014-01-10 18:02 - 00849920 _____ (Microsoft Corporation) C:\Windows\system32\qmgr.dll
2017-04-25 07:26 - 2009-07-14 11:20 - 00000000 ____D C:\Windows\system32\NDF
2017-04-23 06:31 - 2014-11-13 10:52 - 00051808 _____ (COMODO) C:\Windows\system32\cmdcsr.dll
2017-04-23 06:30 - 2014-11-13 10:52 - 00942792 _____ (COMODO) C:\Windows\system32\guard64.dll
2017-04-23 06:30 - 2014-11-13 10:52 - 00733456 _____ (COMODO) C:\Windows\SysWOW64\guard32.dll
2017-04-23 06:28 - 2014-11-13 10:52 - 00457408 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll
2017-04-23 06:26 - 2014-11-13 10:52 - 00363200 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll
2017-04-22 13:06 - 2017-03-18 13:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-04-22 13:06 - 2013-07-29 01:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-04-20 21:01 - 2017-02-16 16:57 - 00000252 _____ C:\Users\User\AppData\LocalLow\rbxcsettings.rbx
2017-04-20 11:53 - 2017-02-23 00:00 - 00000031 _____ C:\Users\User\Desktop\Rob.txt
2017-04-19 19:08 - 2016-06-18 23:07 - 00000000 ____D C:\Users\User\AppData\Local\Battle.net
2017-04-19 16:33 - 2016-07-31 07:43 - 00000000 ____D C:\Program Files (x86)\Battle.net
2017-04-18 14:51 - 2016-04-18 02:05 - 00000000 ____D C:\Users\User\.gimp-2.8
2017-04-18 05:32 - 2015-02-04 14:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2017-04-18 05:32 - 2015-02-04 14:28 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Exploit
2017-04-16 01:41 - 2016-02-12 18:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Garena
2017-04-08 06:06 - 2013-08-08 19:41 - 00532136 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2017-04-04 18:05 - 2016-04-18 02:13 - 00000000 ____D C:\Users\User\AppData\Local\gtk-2.0
2017-04-04 12:39 - 2016-08-20 00:59 - 00000000 ____D C:\Users\User\Desktop\Images
2017-03-30 19:23 - 2017-03-09 10:57 - 00000023 _____ C:\Users\User\Desktop\Snia.txt
2017-03-29 04:33 - 2014-11-13 10:53 - 00848736 _____ (COMODO) C:\Windows\system32\Drivers\cmdguard.sys
2017-03-29 04:33 - 2014-11-13 10:53 - 00119392 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2017-03-29 04:33 - 2014-11-13 10:53 - 00057504 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2017-03-29 04:33 - 2014-11-13 10:53 - 00031664 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys

==================== Files in the root of some directories =======

2016-02-12 18:56 - 2016-03-26 22:47 - 0045270 _____ () C:\Users\User\AppData\Roaming\room_v3.dat
2015-02-04 13:23 - 2015-05-08 09:26 - 0000600 _____ () C:\Users\User\AppData\Local\PUTTY.RND
2017-04-18 14:51 - 2017-04-18 14:51 - 0003338 _____ () C:\Users\User\AppData\Local\recently-used.xbel
2015-06-16 05:29 - 2017-04-26 03:47 - 0007599 _____ () C:\Users\User\AppData\Local\Resmon.ResmonCfg
2017-01-26 15:55 - 2017-01-26 16:19 - 0005110 _____ () C:\ProgramData\NvTelemetryContainer.log

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-04-23 21:18

==================== End of FRST.txt ============================

Attached Files


Edited by YetAnotherGirl, 25 April 2017 - 03:11 PM.



 


#2 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Location:Montreal, QC. Canada

Posted 26 April 2017 - 09:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF user.js: detected! => C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nf6i0hag.default\user.js [2015-02-25]
FF @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
S3 cpuz137; \??\C:\Users\User\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
S3 gkernel; \??\C:\Users\User\AppData\Local\Temp\gkernel.sys [X] <==== ATTENTION
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [X]
S3 X6va062; \??\C:\Windows\SysWOW64\Drivers\X6va062 [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:8C35AEA7 [330]
C:\qqss77889900.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right-click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Please post the logs and let me know what problem persists with this computer.
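The fixlist above is built by reading the FRST.txt log for a few recognisable line shapes (drivers with a missing file, entries FRST marks ATTENTION, plugins with no file, a proxy setting, an executable dropped in the drive root). As an added example, not code from this thread, the helper or the FRST tool, here is a small Python triage script that picks those shapes out of FRST-format lines; the regexes, labels and the embedded sample (lines copied from the log above) are this example's own, and its output is a shortlist for a human to review, not a fixlist.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST.txt) lines.

Added example, not code from the thread, the helper or FRST itself. It flags
the entry classes the fixlist above targets; line shapes are taken from the
log posted above and the regexes below are written for this example only.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in FRST.txt format; one benign line of each kind is included.
SAMPLE_LOG = r"""
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
() C:\Windows\SysWOW64\ASGT.exe
ProxyServer: [S-1-5-21-1417505777-701657441-1589347498-1000] => localhost:8080
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
R2 ASGT; C:\Windows\SysWOW64\ASGT.exe [55296 2012-01-17] () [File not signed]
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [10512032 2017-04-25] (COMODO)
S3 cpuz137; \??\C:\Users\User\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena Plus\Room\safedrv.sys [X]
2017-04-26 03:01 - 2017-04-26 03:01 - 01000960 _____ (Client Server Process) C:\qqss77889900.exe
2017-04-26 03:47 - 2017-04-26 03:47 - 02426368 _____ (Farbar) C:\Users\User\Downloads\FRST64.exe
"""


@dataclass(frozen=True)
class Finding:
    reason: str   # class of problem
    subject: str  # service/driver name, plugin id, proxy value or file path
    line: str     # the raw FRST line, as it would be pasted into a fixlist


# Line shapes understood here: "R2 name; path [size date] (vendor) flags",
# "(vendor) path" process lines and "created - modified - size attrs (vendor) path".
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);\s+(?P<rest>.*)$")
PROCESS_RE = re.compile(r"^\((?P<vendor>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.+)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ \S+ "
    r"(?:\([^)]*\) )?(?P<path>[A-Za-z]:\\.+)$")
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per (line, reason) that deserves a human's attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ProxyServer:"):
            # A per-user proxy on a home PC is unusual; record its value.
            findings.append(Finding("proxy configured", line.split("=>")[-1].strip(), line))
            continue
        if line.startswith("FF ") and "[No File]" in line:
            plugin = line.split(":", 1)[1].split("->")[0].strip()
            findings.append(Finding("browser plugin with missing file", plugin, line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest")
            if "[X]" in rest:
                findings.append(Finding("service/driver with missing file", name, line))
            if "[File not signed]" in rest:
                findings.append(Finding("unsigned service/driver binary", name, line))
            if TEMP_RE.search(rest):
                findings.append(Finding("driver registered from a Temp directory", name, line))
            continue
        m = PROCESS_RE.match(line)
        if m:
            if not m.group("vendor").strip():
                findings.append(Finding("running process with no publisher", m.group("path"), line))
            continue
        m = CREATED_RE.match(line)
        if m and ROOT_EXE_RE.match(m.group("path")):
            findings.append(Finding("executable created in drive root", m.group("path"), line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason."""
    return dict(Counter(f.reason for f in findings))


def fixlist_candidates(findings: List[Finding]) -> List[str]:
    """Distinct raw lines, in log order, for review before anything goes into
    fixlist.txt: a vendorless process may be a legitimate OEM utility and a
    proxy may be deliberate, so this is a shortlist, not a fix."""
    seen, out = set(), []
    for f in findings:
        if f.line not in seen:
            seen.add(f.line)
            out.append(f.line)
    return out
```

Run `triage(open("FRST.txt", encoding="utf-8", errors="replace").read())` against a real log and feed the result to `summarize` and `fixlist_candidates`; whitelisted entries FRST already judged benign are not in the log, so everything flagged still needs a person's judgement.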

#3 YetAnotherGirl

  • Topic Starter
  • Members
  • 7 posts

Posted 26 April 2017 - 06:38 PM

Done! But umm.. Rkill didn't exactly put out a log, weirdly enough... Oh and I've also used ESET NOD32 prior to this, replaced my MSSE with it.

 

Lastly, RogueKiller detected 8 PUMs but none of them were Red as you've instructed, so I'm not sure if I should still remember them or not.

 

Anyways, here are the logs!

Attached Files



#4 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Location:Montreal, QC. Canada

Posted 27 April 2017 - 06:42 AM


No problems with the RogueKiller log.

Also, whenever I use Resource Monitor, I can't see anything on the Disk or Network tab...


Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed refer to the Microsoft article again and follow the instructions to view details of the System File Checker process

Post the contents of the sfcdetails.txt file for my review.

Let me know what problem persists.
<<<>>>

#5 YetAnotherGirl

  • Topic Starter
  • Members
  • 7 posts

Posted 27 April 2017 - 06:53 AM

No problems with the RogueKiller log.
 

Also, whenever I use Resource Monitor, I can't see anything on the Disk or Network tab...


Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed refer to the Microsoft article again and follow the instructions to view details of the System File Checker process

Post the contents of the sfcdetails.txt file for my review.

Let me know what problem persists.
<<<>>>

 

 

My PC did a BSoD earlier this morning after I did all that you instructed (prior to this sfc scan). I really hope it would stop BSoDing after this scan! Will keep you updated.

 

P.S. I can see Resource Monitor stuff after I did everything you instructed prior to this.


Edited by YetAnotherGirl, 27 April 2017 - 06:54 AM.


#6 YetAnotherGirl

  • Topic Starter
  • Members
  • 7 posts

Posted 27 April 2017 - 07:04 AM

Here you go, sir!



#7 YetAnotherGirl

  • Topic Starter
  • Members
  • 7 posts

Posted 27 April 2017 - 07:05 AM

Whoops, here it is now, my bad.

Attached Files



#8 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Location:Montreal, QC. Canada

Posted 27 April 2017 - 10:02 AM

Let's see what is causing the BSOD.

Please download the free home edition of WhoCrashed to your Desktop from here and install it by double-clicking "whocrashedSetup.exe".
At the end, it will open automatically. Click the "Analyze" button.

Please scroll down the Information window to copy and paste the results in your next reply.

#9 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Location:Montreal, QC. Canada

Posted 03 May 2017 - 07:36 AM

Are you still with me?



#10 YetAnotherGirl

  • Topic Starter
  • Members
  • 7 posts

Posted 04 May 2017 - 08:44 AM

Hold on, please. Life problems rising, my sincerest apologies...





