Posts posted by janeman

  1. - Both HitmanPro and CCleaner keep finding "tracking cookies".

    - As for the 5 objects found in RogueKiller in my previous post, should I delete them too, or are they false positives?


    - I ran EmsisoftEmergencyKit and cleaned the following:

    C:\FRST\Quarantine\C\Windows\System32\drivers\vmrqtwad.sys.xBAD     Rootkit.SmartService (A)
    C:\Windows\System32\config\systemprofile\AppData\Local\vmtdnlh\vmtdnlh.exe    Gen:Variant.Razy.227680 (B)
    C:\Users\USER\AppData\Local\utcomdl\download\PornoHub.3gp.apk    Android.Trojan.Downloader.KZ (B)


    - I also ran MBAR, it cleaned the following (I think the second was responsible for preventing me from starting anti-rootkit programs):
    C:\Users\AppData\Local\utcomdl\download\flashupdate.exe (Trojan.MalPack)
    C:\Windows\System\config\systemprofile\Appdata\Local\vmtdnlh\vmazkpr.exe (Adware.Yelloader)

    Now I don't see (msdpguvsrv.exe) in: C:\windows/Temp, but the "tracking cookies" problem persists.


    - The new FRST logs were sent to you in PM.

  2. - AdwCleaner:

    # AdwCleaner - Logfile created on Wed Feb 07 15:55:04 2018
    # Updated on 2018/18/01 by Malwarebytes
    # Database: 02-06-2018.1
    # Running on Windows 8.1 Enterprise (X64)
    # Mode: scan
    # Support: https://www.malwarebytes.com/support

    ***** [ Services ] *****

    No malicious services found.

    ***** [ Folders ] *****

    No malicious folders found.

    ***** [ Files ] *****

    No malicious files found.

    ***** [ DLL ] *****

    No malicious DLLs found.

    ***** [ WMI ] *****

    No malicious WMI found.

    ***** [ Shortcuts ] *****

    No malicious shortcuts found.

    ***** [ Tasks ] *****

    No malicious tasks found.

    ***** [ Registry ] *****

    No malicious registry entries found.

    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries.

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries.



    - RogueKiller: It found: (PUP.uTorrentAds) utorrentie.exe     (which I deleted)
    I included <MalPE Analysis (BETA)> in the scan and rescanned, it found:

    [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-964639153-3020507707-3992377369-1001\Software\IM -> ???
    [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-964639153-3020507707-3992377369-1001\Software\IM -> ???
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pxldapow (\??\C:\Users\USER\AppData\Local\Temp\pxldapow.sys) -> ???
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> ???
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> ???

    Should I delete them too, or are they false positives?


    - Tracking cookies keep appearing again (e.g. opencandy, DoubleClick.net, and others) although I cleared the Firefox cache and all cookies, then also deleted (cookies.sqlite) after closing Firefox.

    So I ran the program (rkill.exe), which found the following:

    Checking HOSTS File:

     * HOSTS file entries found:
     # fix for traceroute and netstat display anomaly
     tracking.opencandy.com.s3.amazonaws.com
     media.opencandy.com
     cdn.opencandy.com
     tracking.opencandy.com
     api.opencandy.com
     api.recommendedsw.com
     installer.betterinstaller.com
     installer.filebulldog.com
     d3oxtn1x3b8d7i.cloudfront.net
     inno.bisrv.com
     nsis.bisrv.com
     cdn.file2desktop.com
     cdn.goateastcach.us
     cdn.guttastatdk.us
     cdn.inskinmedia.com
     cdn.insta.oibundles2.com
     cdn.insta.playbryte.com
     cdn.llogetfastcach.us
     cdn.montiera.com

      20 out of 35 HOSTS entries shown.
      Please review HOSTS file for further entries.

    How can I delete all tracking cookies terminally?
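    rkill only prints the first 20 of the 35 HOSTS entries, so the practical next step is to read the whole file and sort the entries by what they point at. The script below is an added example, not something posted in this thread or shipped with rkill. It parses HOSTS text, keeps the address and every hostname on each line, and labels entries as `block` (mapped to 127.0.0.1, 0.0.0.0 or ::1, the pattern a tracker block list writes), `local` (the localhost line) or `redirect` (a name sent to some other address, which is the case worth investigating). The sample text and the address 203.0.113.10 are constructed for the demonstration; the poster's real file is not reproduced.

```powershell
# Added example: audit a Windows HOSTS file. Parses the text, emits one object
# per (address, hostname) pair, and classifies it. Run without -Content to read
# the live file from %SystemRoot%\System32\drivers\etc\hosts.
function Get-HostsEntries {
    param(
        [string]$Content = (Get-Content -Raw "$env:SystemRoot\System32\drivers\etc\hosts")
    )
    $lineNo = 0
    foreach ($line in ($Content -split "`r?`n")) {
        $lineNo++
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        # Drop a trailing comment, then split on whitespace: first field is the address,
        # every following field is a hostname aliased to it.
        $fields = ($trimmed -split '#', 2)[0].Trim() -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($fields[0], [ref]$parsed)) { continue }
        # Loopback or the unspecified address means "sink this name": a block-list entry.
        $isBlackhole = [System.Net.IPAddress]::IsLoopback($parsed) -or
                       ($parsed.ToString() -in @('0.0.0.0', '::'))
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $kind = if ($isBlackhole) { 'block' } else { 'redirect' }
            if ($name -in @('localhost', 'localhost.localdomain', 'broadcasthost')) { $kind = 'local' }
            [pscustomobject]@{
                Line     = $lineNo
                Address  = $parsed.ToString()
                Hostname = $name
                Kind     = $kind
            }
        }
    }
}

# Constructed sample (not the poster's file): default header, the rkill-style
# comment line, block-list entries, and one redirect of a real-looking name to
# a documentation-range address that a reviewer would want to see flagged.
$sample = @"
# Copyright (c) 1993-2009 Microsoft Corp.
# fix for traceroute and netstat display anomaly
127.0.0.1       localhost
127.0.0.1       tracking.opencandy.com   # block-list entry with trailing comment
0.0.0.0         api.recommendedsw.com cdn.montiera.com
203.0.113.10    www.example.com
"@

$entries = Get-HostsEntries -Content $sample
$entries | Format-Table -AutoSize

# Only redirects are real findings; block entries just sink tracker names.
$entries | Where-Object { $_.Kind -eq 'redirect' } | ForEach-Object {
    Write-Warning ("line {0}: {1} is redirected to {2}" -f $_.Line, $_.Hostname, $_.Address)
}
```

    On the live machine, `Get-HostsEntries | Where-Object Kind -eq 'redirect'` is the one line that matters: a HOSTS file that only sinks advertising and tracking names to 127.0.0.1 or 0.0.0.0 is a block list (which is also why those domain names show up in rkill's listing), whereas a legitimate domain pointed at a remote address is a hijack.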


  3. - I can't see (msdpguvsrv.exe) in Task Manager anymore.



    - Malwarebytes didn't detect anything.
    This is the Export Summary:


    -Log Details-
    Scan Date: 2/6/18
    Scan Time: 7:57 PM
    Log File: da976c0a-0b5e-11e8-9edd-a0d3c153b825.json
    Administrator: Yes

    -Software Information-
    Components Version: 1.0.188
    Update Package Version: 1.0.2785
    License: Free

    -System Information-
    OS: Windows 8.1
    CPU: x64
    File System: NTFS
    User: OOG\USER

    -Scan Summary-
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 401518
    Threats Detected: 0
    (No malicious items detected)
    Threats Quarantined: 0
    (No malicious items detected)
    Time Elapsed: 40 min, 45 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 0
    (No malicious items detected)

    Physical Sector: 0
    (No malicious items detected)




    - Malwarebytes Anti-Rootkit can be opened now, I extracted it then opened it, it gave me a window saying:

                                      Probable rootkit activity detected

    Registry value "AppInit_DLLs" has been found, which may be caused by rootkit activity.
    Note: Press "No" button if you're not sure. If this tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again.

    Should I click Yes?
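    The RogueKiller findings in the previous post (ConsentPromptBehaviorAdmin = 0 and a driver service registered from %TEMP%) and the MBAR warning about AppInit_DLLs above are all registry values that can be read back directly and judged on their content rather than on a scanner's label. The script below is an added example, not from the thread or from either tool. It only reads; the two corrective lines are left commented out. Run it from an elevated PowerShell so every service key is readable. Assumptions: it uses the standard key paths for these values, and treats %SystemRoot%\System32\drivers as the expected home for kernel drivers.

```powershell
# Added example: read back the UAC policy, AppInit_DLLs and driver-service
# image paths that anti-rootkit tools flagged, and report what they contain.
$report = [ordered]@{}

# 1. UAC elevation policy. ConsentPromptBehaviorAdmin = 0 means administrators
#    elevate silently, so anything running as the user gets admin rights
#    without a prompt. 5 is the Windows default (prompt for consent for
#    non-Windows binaries); 2 prompts on the secure desktop for everything.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
$report['EnableLUA']                  = $uac.EnableLUA
$report['ConsentPromptBehaviorAdmin'] = $uac.ConsentPromptBehaviorAdmin
if ($uac.EnableLUA -ne 1 -or $uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC is disabled or set to elevate without prompting.'
    # Corrected setting (takes effect after logoff/reboot):
    # Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    # Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
}

# 2. AppInit_DLLs. Every DLL listed here is loaded into each process that loads
#    user32.dll, which is why a populated value is treated as suspect. Both the
#    64-bit and 32-bit (Wow6432Node) views are checked. On Windows 8 and later
#    the mechanism is disabled entirely when Secure Boot is on.
foreach ($view in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
    $k = "HKLM:\$view\Microsoft\Windows NT\CurrentVersion\Windows"
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    $report["$view LoadAppInit_DLLs"] = $p.LoadAppInit_DLLs
    $report["$view AppInit_DLLs"]     = $p.AppInit_DLLs
    if ($p.LoadAppInit_DLLs -eq 1 -and $p.AppInit_DLLs) {
        Write-Warning "AppInit_DLLs is active under $view : $($p.AppInit_DLLs)"
    }
}

# 3. Kernel and file-system driver services (Type 1 or 2) whose image is not
#    under System32\drivers. A driver registered from a user's %TEMP%, as in
#    RogueKiller's Suspicious.Path finding, is a kernel component loaded at boot.
$driversDir = (Join-Path $env:SystemRoot 'System32\drivers').ToLower()
$oddDrivers = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($svc -and ($svc.Type -in @(1, 2)) -and $svc.ImagePath) {
        # ImagePath is written as \??\C:\..., \SystemRoot\..., or a path relative to %SystemRoot%.
        $path = $svc.ImagePath.Trim('"') -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not $path.ToLower().StartsWith($driversDir)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Start     = $svc.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath = $svc.ImagePath
                Resolved  = $path
                Exists    = Test-Path -LiteralPath $path
            }
        }
    }
}

$report | Format-Table -AutoSize
$oddDrivers | Format-Table -AutoSize
```

    Drivers resolved under System32\DriverStore\FileRepository are normal and will appear in the third list; a driver whose image sits under a user profile, %TEMP% or C:\Windows\Temp is not, and `Exists = False` next to a still-registered service is the leftover that scanners keep reporting after the file itself has been quarantined.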



  4. Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
    Ran by USER (06-02-2018 18:43:22) Run:1
    Running from C:\Users\USER\Desktop
    Loaded Profiles: USER & UpdatusUser (Available Profiles: USER & UpdatusUser)
    Boot Mode: Normal

    fixlist content:
    CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
    CMD: bcdedit.exe /set {default} recoveryenabled yes


    ========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

    The operation completed successfully.

    ========= End of CMD: =========

    ========= bcdedit.exe /set {default} recoveryenabled yes =========

    The operation completed successfully.

    ========= End of CMD: =========

    ==== End of Fixlog 18:43:23 ====

  5. Hello

    I seem to have an infection on my Windows 8.1 with at least a ((Rootkit.Smartservice)) and a (Trojan).

    I'd appreciate your help.

    Multiple (Windows Process Manager) tasks used to appear in Task Manager, but not anymore after I changed their permissions.

    However, every time I start my Windows I find in Task Manager a process called (msdpguvsrv.exe), sometimes being the first task for CPU and Disk.
    It is located in C:\windows/Temp, I managed to stop it with a program but it won't get deleted or quarantined.

    I also find in C:\windows/Temp, a folder called (msidntfs), within it are 2 files (cert.db, SecureTrust Network Root CA 2.cer). I don't know if that is related.

    Within the Windows folder I found the malware folder (AutoKMS_VL_ALL) and the malware file (autokms_vl_all.exe), and deleted them.



    My current situation is..

    - EmsisoftEmergencyKit:

    Rootkit.SmartService :

    Gen:Variant.Razy.227680 :

    Android.Trojan.Downloader.KZ :

    - Avast anti rootkit:

    Service rtkoep C:\Windows\system32\drivers\vmrgknqt.sys **LOCKED**

    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffcf8006880770]

    3 CLASSPNP.SYS[fffff8000094cabb] -> nt!IofCallDriver -> [0xffffcf800686eb20]

    5 hpdskflt.sys[fffff80000e9542b] -> nt!IofCallDriver -> [0xffffcf80061b4e50]

    7 ACPI.sys[fffff800004025f1] -> nt!IofCallDriver -> \Device\0000002e[0xffffcf80061987f0]


    - Malwarebytes: now doesn't detect any problem
    - AdwCleaner: now doesn't detect any problem
    - Zemana AntiMalware: now doesn't detect any problem
    - hitmanpro: now doesn't detect any problem, but (except for one time) it hangs at 99% or sometimes less

    - mbar: doesn't start
    - gmer: doesn't start
    - Kaspersky tdss killer: doesn't start
    - RogueKiller: doesn't start, and gives a message "Windows cannot access the specified device, path, or file"
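    The first post describes the classic shape of this kind of infection: a randomly named executable running from C:\Windows\Temp that is back in Task Manager after every boot. Two questions settle what it is and how it returns: is the file signed, and which autostart entry launches it. The script below is an added example, not from the thread or from any of the tools named in it. It lists running processes whose image sits in C:\Windows\Temp or the user's %TEMP%, records the Authenticode status and SHA-256 of each, then searches the Run/RunOnce keys, service ImagePath values and scheduled task actions for references to that name. The directory list and key paths are the standard ones; nothing about the poster's specific sample is assumed beyond what the post states.

```powershell
# Added example: find processes running from Temp directories, check their
# signatures, and locate the autostart entries that relaunch them.
$tempDirs = @("$env:SystemRoot\Temp", $env:TEMP) | ForEach-Object { $_.ToLower().TrimEnd('\') }

function Get-TempProcesses {
    # Path is $null for protected processes we cannot open; those are skipped.
    Get-Process | Where-Object { $_.Path } | Where-Object {
        $p = $_.Path.ToLower()
        $tempDirs | Where-Object { $p.StartsWith($_ + '\') }
    } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Pid       = $_.Id
            Name      = $_.ProcessName
            Path      = $_.Path
            Signature = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject   # empty when unsigned
            SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.Path).Hash
        }
    }
}

function Find-AutostartReferences {
    param([Parameter(Mandatory)][string]$ImageName)
    $pattern = [regex]::Escape($ImageName)
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }        # PSPath, PSParentPath, ... are not values
            if ("$($prop.Value)" -match $pattern) {
                [pscustomobject]@{ Source = $k; Entry = $prop.Name; Command = $prop.Value }
            }
        }
    }
    # Services: a Temp-resident binary installed as a service restarts at boot
    # and cannot be deleted while the service holds it open.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ("$($svc.ImagePath)" -match $pattern) {
            [pscustomobject]@{ Source = 'Service ' + $_.PSChildName; Entry = 'ImagePath'; Command = $svc.ImagePath }
        }
    }
    # Scheduled tasks (ScheduledTasks module, Windows 8 and later).
    Get-ScheduledTask | ForEach-Object {
        $exec = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
        if ($exec -match $pattern) {
            [pscustomobject]@{ Source = 'Task ' + $_.TaskPath + $_.TaskName; Entry = 'Execute'; Command = $exec }
        }
    }
}

$suspects = Get-TempProcesses
$suspects | Format-List
foreach ($s in $suspects) {
    Find-AutostartReferences -ImageName $s.Name | Format-Table -AutoSize
}
```

    Run it elevated so service keys and other users' processes are visible. An unsigned binary in C:\Windows\Temp with a matching service or Run entry is what the post describes; the SHA-256 is what to search for or submit, and the autostart entry is what has to go before the file will stay deleted. A hit in none of the three places means the launcher lives somewhere this script does not look (a driver, WMI subscription or DLL hijack), which is exactly the case where the anti-rootkit tools listed in this post are the right next step.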


