Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Process Manager Virus


  • This topic is locked This topic is locked
12 replies to this topic

#1 jimmy_vz5

jimmy_vz5

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 02 May 2018 - 06:54 PM

I've received these nasty viruses, and it seems as if they're impossible to remove. In my task manager, three fake processes are running: Windows Process Manager (32 bit), Printer Driver Host, and wmcagent.exe. The name of the Windows process manager exe is 'svbdtpx.exe' and the name of the printer driver host exe is 'ninepbh.exe'. The folder the first 2 are located are in C:\Users\Admin\AppData\Local\ninepbh. wmcagent.exe is located in C:\Users\Admin\AppData\Local\wmcagent. When I try to 'open file location' in the task manager, I get a message stating: "Access is denied". Please help, for I'm anxious about what these suspicious programs are doing to my computer.

Attached Files



BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:36 PM

Posted 03 May 2018 - 09:10 AM

Hi jimmy_vz5 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your Desktop
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Copy/paste the following inside the text area:
    Start::
    CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
    CMD: bcdedit.exe /set {default} recoveryenabled yes
    End::
    
  • Click on the Fix button
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 jimmy_vz5

jimmy_vz5
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 03 May 2018 - 02:35 PM

Alright, thanks for the reply. Here's the fixlog:
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 03.05.2018
Ran by Admin (03-05-2018 15:33:38) Run:4
Running from C:\Users\Admin\Desktop
Loaded Profiles: Admin (Available Profiles: Admin)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
 
*****************
 
 
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= bcdedit.exe /set {default} recoveryenabled yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
==== End of Fixlog 15:33:38 ====

Attached Files



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:36 PM

Posted 03 May 2018 - 02:43 PM

For the next part, you'll need to download the FRST executable a clean computer, and move them on your USB Flash Drive. That USB can only be inserted in the infected computer if it is either shutdown, or in the Windows RE. Otherwise, the infection will mess with the files on the USB and you'll have to restart.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:
  • USB Flash Drive (size depend on if you have to create a USB Recovery or Installation media)
  • Another computer (clean of infection)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
Preparing the USB Flash Drive
  • Download the right version of FRST for your system from a clean computer:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your USB Flash Drive
Boot in the Recovery Environment
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
  • Once in the Windows RE, plug the USB Flash Drive in the computer
Once in the command prompt
  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for the scan to complete
  • A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 jimmy_vz5

jimmy_vz5
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 03 May 2018 - 03:03 PM

Alright, I scanned in the repair environment. Here's the file

Attached Files

  • Attached File  FRST.txt   46.56KB   5 downloads

Edited by jimmy_vz5, 03 May 2018 - 05:16 PM.


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:36 PM

Posted 03 May 2018 - 06:33 PM

Good, now let's run a scan with Malwarebytes.

j1Bynr2.pngMalwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends of your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 jimmy_vz5

jimmy_vz5
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 03 May 2018 - 07:22 PM

Alright, here's the export summary. In my task manager, I no longer see the malware programs running, and I have access to their folders again. The scan didn't detect the folders , so I deleted them myself permanently

Attached Files



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:36 PM

Posted 04 May 2018 - 07:15 AM

Good :) Now let's do a sweep with RogueKiller and AdwCleaner.

RQKuhw1.pngRogueKiller
  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply
zcMPezJ.pngAdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
    V7SD4El.png
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
Your next reply(ies) should therefore contain:
  • Copy/pasted RogueKiller clean log
  • Copy/pasted AdwCleaner clean log

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 jimmy_vz5

jimmy_vz5
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 06 May 2018 - 07:25 PM

Heres the Rogue Killer log:
RogueKiller V12.12.16.0 (x64) [May  4 2018] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : Admin [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 05/06/2018 19:19:23 (Duration : 00:38:04)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 32 ¤¤¤
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} (C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll) -> Found
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C} (C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll) -> Found
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} (C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll) -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_cia_ON_G_A3AE\Software\OB -> Found
[PUP.StormWatch|PUP.Gen1] (X64) HKEY_USERS\RK_cia_ON_G_A3AE\Software\StormWatch -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_cia_ON_G_A3AE\Software\OB -> Found
[PUP.StormWatch|PUP.Gen1] (X86) HKEY_USERS\RK_cia_ON_G_A3AE\Software\StormWatch -> Found
[PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\Conduit -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\DriverToolkit -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\IM -> Found
[PUP.SpeedingUpMyPC|PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\InterStat -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\SlimWare Utilities Inc -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\Vittalia -> Found
[PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\Conduit -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\DriverToolkit -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\IM -> Found
[PUP.SpeedingUpMyPC|PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\InterStat -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\SlimWare Utilities Inc -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\Vittalia -> Found
[PUP.Gen1] (X64) HKEY_USERS\RK_cia_ON_G_A3AE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Yahoo! SearchSet -> Found
[PUP.Gen1] (X86) HKEY_USERS\RK_cia_ON_G_A3AE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Yahoo! SearchSet -> Found
[Tr.Gen0] (X64) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\Microsoft\Windows\CurrentVersion\Run | tsiVideo : C:\WINDOWS\SysWOW64\rundll32.exe C:\Users\Owner\AppData\Local\Temp\mdi064.dll,fwnewsdf [x] -> Found
[Tr.Gen0] (X86) HKEY_USERS\RK_Owner_ON_E_6FC6\Software\Microsoft\Windows\CurrentVersion\Run | tsiVideo : C:\WINDOWS\SysWOW64\rundll32.exe C:\Users\Owner\AppData\Local\Temp\mdi064.dll,fwnewsdf [x] -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1381804265-1348168825-2395672735-1003\Software\Microsoft\Windows\CurrentVersion\Run | taonoa : rundll32.exe "C:\Users\Admin\AppData\Local\taonoa.dll",taonoa [x] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1381804265-1348168825-2395672735-1003\Software\Microsoft\Windows\CurrentVersion\Run | taonoa : rundll32.exe "C:\Users\Admin\AppData\Local\taonoa.dll",taonoa [x] -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) :   -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_G_B10C\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_G_B10C\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X64) HKEY_USERS\RK_cia_ON_G_A3AE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\RK_cia_ON_G_A3AE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_E_3094\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_E_3094\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 7 ¤¤¤
[PUP.Gen1][File] C:\Users\Public\Desktop\Driver Easy.lnk [LNK@] C:\PROGRA~1\Easeware\DRIVER~1\DRIVER~1.EXE -> Found
[PUP.Gen1][Folder] C:\Users\Admin\AppData\Roaming\Easeware -> Found
[PUP.Gen1][File] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\netr28ux.inf.lnk [LNK@] C:\Users\Admin\AppData\Roaming\Easeware\DRIVER~1\drivers\3vbvxtlx.1d1\netr28ux.inf -> Found
[PUP.Gen1][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Easy\Driver Easy.lnk [LNK@] C:\PROGRA~1\Easeware\DRIVER~1\DRIVER~1.EXE -> Found
[PUP.Gen1][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Easy\Uninstall Driver Easy.lnk [LNK@] C:\PROGRA~1\Easeware\DRIVER~1\unins000.exe -> Found
[PUP.Gen1][Folder] C:\Program Files\Easeware -> Found
[PUP.Gen1][File] C:\Users\Public\Desktop\Driver Easy.lnk [LNK@] C:\PROGRA~1\Easeware\DRIVER~1\DRIVER~1.EXE -> Found
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 3 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : Honey [bmnlcjabgnpnenekpadlanbbkooimhnj] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://start.toshiba.com/?cid=C001B2Y] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://search.swagbucks.com/|https://www.google.com/] -> Found
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS542525K9SA00 ATA Device +++++
--- User ---
[MBR] c063c9843f11bb6881e50aea22663e23
[BSP] 08ce43d2d4cf8b84a9cd8cdf7ff52917 : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 236974 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: WDC WD10EARS-00Z5B1 ATA Device +++++
--- User ---
[MBR] 5cfb6da8e22afeea9f07c5c3c7456216
[BSP] 916b87c9a4976ce0197e7f4e3c925990 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 114470 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 234438656 | Size: 839395 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive2: SAMSUNG HD160JJ/P ATA Device +++++
--- User ---
[MBR] a802261ac61f3ab3740c792deaee20e8
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : Dell MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 80325 | Size: 111192 MB [Windows XP Bootstrap | Windows XP Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 227801700 | Size: 38130 MB [Windows XP Bootstrap | Windows XP Bootloader]
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 305893665 | Size: 3223 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive3: TOSHIBA MQ01ABD100 ATA Device +++++
--- User ---
[MBR] cd0e8fb219137bbf4eb51388e5b82bf8
[BSP] d5640a567dcf13899d0dd619341690e9 : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 936491 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1921007616 | Size: 450 MB
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1921929216 | Size: 15427 MB[Invalid]
User = LL1 ... OK
User = LL2 ... OK
 
Here's the ADW cleaner log:
# -------------------------------
# Malwarebytes AdwCleaner 7.1.1.0
# -------------------------------
# Build:    04-27-2018
# Database: 2018-05-02.2
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    05-06-2018
# Duration: 00:00:31
# OS:       Windows 10 Pro
# Scanned:  40818
# Detected: 0
 
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries found.
 
***** [ Chromium URLs ] *****
 
No malicious Chromium URLs found.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries found.
 
***** [ Firefox URLs ] *****
 
No malicious Firefox URLs found.
 
 
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S04].txt ##########


#10 jimmy_vz5

jimmy_vz5
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 06 May 2018 - 08:03 PM

Turns out I didn't delete the stuff detected by Rogue Killer, I rescanned and here's the updated log:
 

RogueKiller V12.12.16.0 (x64) [May  4 2018] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : Admin [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/06/2018 20:26:10 (Duration : 00:33:38)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 30 ¤¤¤
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} (C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll) -> Deleted
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C} (C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll) -> Deleted
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} (C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64\FileSyncShell64.dll) -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\RK_cia_ON_G_C03C\Software\OB -> Deleted
[PUP.StormWatch|PUP.Gen1] (X64) HKEY_USERS\RK_cia_ON_G_C03C\Software\StormWatch -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\RK_cia_ON_G_C03C\Software\OB -> Deleted
[PUP.StormWatch|PUP.Gen1] (X86) HKEY_USERS\RK_cia_ON_G_C03C\Software\StormWatch -> Deleted
[PUP.Conduit|PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\Conduit -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\DriverToolkit -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\IM -> Deleted
[PUP.SpeedingUpMyPC|PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\InterStat -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\SlimWare Utilities Inc -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\Vittalia -> Deleted
[PUP.Conduit|PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\Conduit -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\DriverToolkit -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\IM -> Deleted
[PUP.SpeedingUpMyPC|PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\InterStat -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\SlimWare Utilities Inc -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\RK_Owner_ON_E_9EA5\Software\Vittalia -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\RK_cia_ON_G_C03C\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Yahoo! SearchSet -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\RK_cia_ON_G_C03C\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Yahoo! SearchSet -> Deleted
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1381804265-1348168825-2395672735-1003\Software\Microsoft\Windows\CurrentVersion\Run | taonoa : rundll32.exe "C:\Users\Admin\AppData\Local\taonoa.dll",taonoa [x] -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1381804265-1348168825-2395672735-1003\Software\Microsoft\Windows\CurrentVersion\Run | taonoa : rundll32.exe "C:\Users\Admin\AppData\Local\taonoa.dll",taonoa [x] -> ERROR [2]
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) :   -> Deleted
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_G_E178\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.toshibadirect.com/dpdstart  -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_G_E178\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.toshibadirect.com/dpdstart  -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.HomePage] (X64) HKEY_USERS\RK_cia_ON_G_C03C\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.toshibadirect.com/dpdstart  -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.HomePage] (X86) HKEY_USERS\RK_cia_ON_G_C03C\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.toshibadirect.com/dpdstart  -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_E_EBB8\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_E_EBB8\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Replaced (2)
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 3 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : Honey [bmnlcjabgnpnenekpadlanbbkooimhnj] -> Deleted
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://start.toshiba.com/?cid=C001B2Y] -> Deleted
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://search.swagbucks.com/|https://www.google.com/] -> Deleted
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS542525K9SA00 ATA Device +++++
--- User ---
[MBR] c063c9843f11bb6881e50aea22663e23
[BSP] 08ce43d2d4cf8b84a9cd8cdf7ff52917 : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 236974 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: WDC WD10EARS-00Z5B1 ATA Device +++++
--- User ---
[MBR] 5cfb6da8e22afeea9f07c5c3c7456216
[BSP] 916b87c9a4976ce0197e7f4e3c925990 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 114470 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 234438656 | Size: 839395 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive2: SAMSUNG HD160JJ/P ATA Device +++++
--- User ---
[MBR] a802261ac61f3ab3740c792deaee20e8
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : Dell MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 80325 | Size: 111192 MB [Windows XP Bootstrap | Windows XP Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 227801700 | Size: 38130 MB [Windows XP Bootstrap | Windows XP Bootloader]
3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 305893665 | Size: 3223 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive3: TOSHIBA MQ01ABD100 ATA Device +++++
--- User ---
[MBR] cd0e8fb219137bbf4eb51388e5b82bf8
[BSP] d5640a567dcf13899d0dd619341690e9 : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 936491 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1921007616 | Size: 450 MB
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1921929216 | Size: 15427 MB[Invalid]
User = LL1 ... OK
User = LL2 ... OK


#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:36 PM

Posted 07 May 2018 - 05:47 AM

Good :) I'll wait for the AdwCleaner log.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:36 PM

Posted 11 May 2018 - 11:51 AM

Hi jimmy_vz5,

Are you still with me?

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:36 PM

Posted 14 May 2018 - 08:52 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

animinionsmalltext.gif
unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users