Posts posted by janeman
-
I think the danger is gone. Thank you, Yoan, for your help.
-
I sent a new one.
Maybe it was caused by performing a scan with another program (ESET) when I scanned with FRST.
-
I just checked the one I sent: (No log file)
It's weird, and unlike the first one I sent to you a couple of days ago. I'll do another scan.
- Both HitmanPro and CCleaner keep finding "tracking cookies".
- As for the 5 objects found in RogueKiller in my previous post, should I delete them too, or are they false positives?
- I ran EmsisoftEmergencyKit and cleaned the following:
C:\FRST\Quarantine\C\Windows\System32\drivers\vmrqtwad.sys.xBAD Rootkit.SmartService (A)
C:\Windows\System32\config\systemprofile\AppData\Local\vmtdnlh\vmtdnlh.exe Gen:Variant.Razy.227680 (B)
C:\Users\USER\AppData\Local\utcomdl\download\PornoHub.3gp.apk Android.Trojan.Downloader.KZ (B)
- I also ran MBAR, which cleaned the following (I think the 2nd was responsible for preventing me from starting anti-rootkit programs):
C:\Users\AppData\Local\utcomdl\download\flashupdate.exe (Trojan.MalPack)
C:\Windows\System\config\systemprofile\Appdata\Local\vmtdnlh\vmazkpr.exe (Adware.Yelloader)
Now I don't see (msdpguvsrv.exe) in C:\windows/Temp, but the "tracking cookies" problem persists.
- The new FRST logs were sent to you in PM.
-
- AdwCleaner:
# AdwCleaner 7.0.7.0 - Logfile created on Wed Feb 07 15:55:04 2018
# Updated on 2018/18/01 by Malwarebytes
# Database: 02-06-2018.1
# Running on Windows 8.1 Enterprise (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****
No malicious services found.
***** [ Folders ] *****
No malicious folders found.
***** [ Files ] *****
No malicious files found.
***** [ DLL ] *****
No malicious DLLs found.
***** [ WMI ] *****
No malicious WMI found.
***** [ Shortcuts ] *****
No malicious shortcuts found.
***** [ Tasks ] *****
No malicious tasks found.
***** [ Registry ] *****
No malicious registry entries found.
***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries.
***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries.
*************************
- RogueKiller: It found (PUP.uTorrentAds) utorrentie.exe (which I deleted).
I included <MalPE Analysis (BETA)> in the scan and rescanned, it found:
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-964639153-3020507707-3992377369-1001\Software\IM -> ???
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-964639153-3020507707-3992377369-1001\Software\IM -> ???
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pxldapow (\??\C:\Users\USER\AppData\Local\Temp\pxldapow.sys) -> ???
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> ???
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> ???
Should I delete them too, or are they false positives?
- Tracking cookies keep appearing again (e.g. opencandy, DoubleClick.net, and others) although I cleared the Firefox cache and all cookies and then also deleted (cookies.sqlite) after closing Firefox.
So I ran the program (rkill.exe) which found the following:
Checking HOSTS File:
* HOSTS file entries found:
0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
0.0.0.0 media.opencandy.com
0.0.0.0 cdn.opencandy.com
0.0.0.0 tracking.opencandy.com
0.0.0.0 api.opencandy.com
0.0.0.0 api.recommendedsw.com
0.0.0.0 installer.betterinstaller.com
0.0.0.0 installer.filebulldog.com
0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
0.0.0.0 inno.bisrv.com
0.0.0.0 nsis.bisrv.com
0.0.0.0 cdn.file2desktop.com
0.0.0.0 cdn.goateastcach.us
0.0.0.0 cdn.guttastatdk.us
0.0.0.0 cdn.inskinmedia.com
0.0.0.0 cdn.insta.oibundles2.com
0.0.0.0 cdn.insta.playbryte.com
0.0.0.0 cdn.llogetfastcach.us
0.0.0.0 cdn.montiera.com
20 out of 35 HOSTS entries shown.
Please review HOSTS file for further entries.
How can I delete all tracking cookies terminally?
-
- I can't see (msdpguvsrv.exe) in Task Manager anymore. HOWEVER IT IS STILL FOUND IN: C:\windows/Temp
- Malwarebytes didn't detect anything.
This is the Export Summary:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 2/6/18
Scan Time: 7:57 PM
Log File: da976c0a-0b5e-11e8-9edd-a0d3c153b825.json
Administrator: Yes
-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.188
Update Package Version: 1.0.2785
License: Free
-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: OOG\USER
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 401518
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 40 min, 45 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)
(end)
- Malwarebytes Anti-Rootkit can be opened now. I extracted it then opened it, and it gave me a window saying:
Probable rootkit activity detected
Registry value "AppInit_DLLs" has been found, which may be caused by rootkit activity.
Note: Press "No" button if you're not sure. If this tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again.
Should I click Yes?
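Added example (not part of the forum thread, and not the helper's fix or code from any of the tools named): a read-only PowerShell triage of the items questioned in this post and in the RogueKiller/rkill post above. It checks the things those findings actually mean: ConsentPromptBehaviorAdmin = 0 means administrators are elevated with no UAC prompt at all (the Windows 8.1 default is 5), AppInit_DLLs names DLLs that get loaded into every process that links user32.dll (which is why MBAR asks about it), a kernel driver service whose ImagePath is under a user's Temp folder (the pxldapow entry) is a location no legitimate driver uses, and HOSTS lines that map a name to 0.0.0.0 or 127.0.0.1 (the opencandy entries) block that name rather than redirect it. The "suspicious location" pattern, the output strings and the function name are this example's own assumptions; the paths, service name and file names come from the thread. Run it from an elevated prompt on the affected machine.

```powershell
# Added example, not from the forum thread or from any of the tools it names.
# Read-only triage: UAC policy, AppInit_DLLs, services loaded from Temp/AppData,
# HOSTS redirects, and binaries sitting in C:\Windows\Temp. Nothing is changed or deleted.
# Assumptions: the location pattern and output format are this script's own; the names
# (pxldapow, msdpguvsrv.exe) and paths come from the thread. Run from an elevated prompt.

function Get-InfectionTriage {
    $findings = @()

    # 1. UAC. ConsentPromptBehaviorAdmin = 0 elevates administrators with no prompt at all;
    #    the Windows 8.1 default is 5 (prompt for consent for non-Windows binaries).
    #    This is the [PUM.Policies] item RogueKiller reported; it is a setting, not a file.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($pol.ConsentPromptBehaviorAdmin -eq 0 -or $pol.EnableLUA -eq 0) {
        $findings += "UAC weakened: ConsentPromptBehaviorAdmin=$($pol.ConsentPromptBehaviorAdmin) EnableLUA=$($pol.EnableLUA)"
    }

    # 2. AppInit_DLLs. Any DLL named here is loaded into every process that links user32.dll,
    #    which is why MBAR treats a populated value as probable rootkit activity. It only
    #    takes effect when LoadAppInit_DLLs is 1. Both the 64-bit and the WOW64 view are read.
    $appInitKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($key in $appInitKeys) {
        $w = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if ($w -and -not [string]::IsNullOrWhiteSpace($w.AppInit_DLLs)) {
            $findings += "AppInit_DLLs under $key = '$($w.AppInit_DLLs)' (LoadAppInit_DLLs=$($w.LoadAppInit_DLLs))"
        }
    }

    # 3. Services whose image path points into a user or temp directory, like the pxldapow
    #    driver (\??\C:\Users\USER\AppData\Local\Temp\pxldapow.sys) RogueKiller flagged as
    #    [Suspicious.Path]. Type 1 = kernel driver; Start 0-2 = loaded at boot/system/auto.
    #    The location pattern is an assumption of this example.
    $suspectLocation = '\\(Temp|AppData|ProgramData|Users)\\'
    foreach ($svcKey in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $svc = Get-ItemProperty $svcKey.PSPath -ErrorAction SilentlyContinue
        if ($svc.ImagePath -and $svc.ImagePath -match $suspectLocation) {
            $findings += "Service $($svcKey.PSChildName): Type=$($svc.Type) Start=$($svc.Start) ImagePath=$($svc.ImagePath)"
        }
    }

    # 4. HOSTS. Entries mapping a name to 0.0.0.0 or 127.0.0.1 (the opencandy lines rkill
    #    listed) block that name and are what ad/tracker blocklists install. A name mapped
    #    to any other address would redirect traffic, so only those are reported.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($raw in Get-Content $hostsPath -ErrorAction SilentlyContinue) {
        $line = ($raw -split '#', 2)[0].Trim()
        if ($line -eq '') { continue }
        $parts = $line -split '\s+', 2
        if ($parts.Count -eq 2 -and $parts[0] -notin @('0.0.0.0', '127.0.0.1', '::1')) {
            $findings += "HOSTS redirects $($parts[1]) -> $($parts[0])"
        }
    }

    # 5. Executables and drivers in C:\Windows\Temp, where the thread's msdpguvsrv.exe and
    #    the msidntfs folder lived. Legitimate software rarely keeps a running binary there.
    $winTemp = Join-Path $env:SystemRoot 'Temp'
    foreach ($f in Get-ChildItem $winTemp -Recurse -Include *.exe, *.sys, *.dll -ErrorAction SilentlyContinue) {
        $findings += "Windows\Temp binary: $($f.FullName) ($($f.Length) bytes, written $($f.LastWriteTime))"
    }

    return $findings
}

$result = Get-InfectionTriage
if ($result.Count -eq 0) { 'No findings.' } else { $result }
```

Two caveats on reading the output. First, it is collected from inside the running system: a kernel rootkit that is still loaded can hide its service key, its driver file and its process from user-mode enumeration, which is exactly why the helper works from FRST logs and an offline fix list rather than from scans on the live machine. Second, "tracking cookies" reported by HitmanPro or CCleaner are ordinary cookies set again by each site visited, so their reappearing after a cleanup is not evidence that the infection persists; the 0.0.0.0 HOSTS lines are protective entries, not something the malware installed.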
-
Done and sent to you
-
Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by USER (06-02-2018 18:43:22) Run:1
Running from C:\Users\USER\Desktop
Loaded Profiles: USER & UpdatusUser (Available Profiles: USER & UpdatusUser)
Boot Mode: Normal
==============================================
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
*****************
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
The operation completed successfully.
========= End of CMD: =========
========= bcdedit.exe /set {default} recoveryenabled yes =========
The operation completed successfully.
========= End of CMD: =========
==== End of Fixlog 18:43:23 ====
-
Hello
I seem to have an infection on my Windows 8.1 with at least a ((Rootkit.Smartservice)) and a (Trojan).
I'd appreciate your help.
Multiple (Windows Process Manager) tasks used to appear in Task Manager, but not anymore after I changed their permissions.
However, every time I start my Windows I find in Task Manager a process called (msdpguvsrv.exe), sometimes being the first task for CPU and Disk.
It is located in C:\windows/Temp; I managed to stop it with a program but it won't get deleted or quarantined.
I also find in C:\windows/Temp a folder called (msidntfs), within it are 2 files (cert.db, SecureTrust Network Root CA 2.cer). I don't know if that is related.
Within the Windows folder I found the malware folder (AutoKMS_VL_ALL) and the malware file (autokms_vl_all.exe), and deleted them.
My current situation is:
- EmsisoftEmergencyKit:
Rootkit.SmartService :
C:\Windows\System32\Drivers\vmrgknqt.sys
Gen:Variant.Razy.227680 :
C:\Windows\System32\config\systemprofile\AppData\Local\vmtdnlh\vmtdnlh.exe
Android.Trojan.Downloader.KZ :
C:\Users\USER\AppData\Local\utcomdl\download\PornoHub.3gp.apk
- Avast anti rootkit:
Service rtkoep C:\Windows\system32\drivers\vmrgknqt.sys **LOCKED**
1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffcf8006880770]
3 CLASSPNP.SYS[fffff8000094cabb] -> nt!IofCallDriver -> [0xffffcf800686eb20]
5 hpdskflt.sys[fffff80000e9542b] -> nt!IofCallDriver -> [0xffffcf80061b4e50]
7 ACPI.sys[fffff800004025f1] -> nt!IofCallDriver -> \Device\0000002e[0xffffcf80061987f0]
- Malwarebytes: now doesn't detect any problem
- AdwCleaner: now doesn't detect any problem
- Zemana AntiMalware: now doesn't detect any problem
- HitmanPro: now doesn't detect any problem, but (except one time) it hangs on 99% or sometimes less
- MBAR: doesn't start
- GMER: doesn't start
- Kaspersky TDSSKiller: doesn't start
- RogueKiller: doesn't start, and gives a message "Windows cannot access the specified device, path, or file"
A (Rootkit.Smartservice) and a (Trojan) Infection
in Resolved Malware Removal Logs
-
DelFix done. No, that's it.