
(It's) back again! Browsers compromised, HD full of hidden files



Hello, I am not sure if this will post correctly; my browser is completely compromised. Please see below and attached for Farbar txts. I will find another computer to tell you what is going on and to check back.

S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-22] (Advanced Micro Devices, Inc.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-01-27] ()

R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2014-02-24] ()

R3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-19] (MCCI Corporation)

R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2013-09-24] (Advanced Micro Devices)

R0 cm_km_w; C:\Windows\System32\DRIVERS\cm_km_w.sys [238288 2013-01-14] (Kaspersky Lab UK Ltd)

R3 e1dexpress; C:\Windows\system32\DRIVERS\e1d64x64.sys [457496 2014-02-03] (Intel Corporation)

R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [468576 2014-03-31] (Kaspersky Lab ZAO)

R2 kldisk; C:\Windows\system32\DRIVERS\kldisk.sys [56008 2015-05-01] (Kaspersky Lab ZAO)

S0 klelam; C:\Windows\System32\DRIVERS\klelam.sys [29616 2012-07-27] (Kaspersky Lab)

R3 klflt; C:\Windows\system32\DRIVERS\klflt.sys [151240 2014-11-28] (Kaspersky Lab ZAO)

R1 klhk; C:\Windows\system32\DRIVERS\klhk.sys [247496 2014-10-22] (Kaspersky Lab ZAO)

R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [824008 2015-05-01] (Kaspersky Lab ZAO)

R1 KLIM6; C:\Windows\system32\DRIVERS\klim6.sys [30920 2014-10-10] (Kaspersky Lab ZAO)

R3 klkbdflt; C:\Windows\system32\DRIVERS\klkbdflt.sys [31432 2014-10-30] (Kaspersky Lab ZAO)

R3 klmouflt; C:\Windows\system32\DRIVERS\klmouflt.sys [29280 2013-08-08] (Kaspersky Lab ZAO)

R1 klpd; C:\Windows\system32\DRIVERS\klpd.sys [15456 2013-04-12] (Kaspersky Lab ZAO)

R1 klwfp; C:\Windows\system32\DRIVERS\klwfp.sys [69320 2014-11-20] (Kaspersky Lab ZAO)

R1 Klwtp; C:\Windows\system32\DRIVERS\klwtp.sys [77000 2014-11-22] (Kaspersky Lab ZAO)

R1 kneps; C:\Windows\system32\DRIVERS\kneps.sys [181960 2014-11-10] (Kaspersky Lab ZAO)

R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)

S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)

S3 IOMap; \??\C:\WINDOWS\system32\drivers\IOMap64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-28 10:35 - 2015-05-28 10:36 - 00017963 _____ () C:\Users\io8\Downloads\FRST.txt

2015-05-28 10:35 - 2015-05-28 10:35 - 00000000 ___DC () C:\FRST

2015-05-28 10:34 - 2015-05-28 10:34 - 02108928 _____ (Farbar) C:\Users\io8\Downloads\FRST64.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-28 10:15 - 2013-08-22 08:36 - 00000000 ____D () C:\WINDOWS\system32\sru

==================== Files in the root of some directories =======

2015-05-02 08:36 - 2015-05-17 17:59 - 0000033 _____ () C:\Users\io8\AppData\Roaming\AdobeWLCMCache.dat

2015-05-01 11:39 - 2015-05-01 11:39 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-05-24 13:04

==================== End of log ============================

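The FRST driver section above lists each entry as state, name, path, [size date] and (company), or [X] when the file is absent. As an added example (not part of the post or of FRST itself), here is a small parser that reads lines in that format and flags entries a reviewer would look at first: files that are registered but missing, drivers loading from outside the Windows directory, and entries with no company name in the file's version information. The sample lines are constructed to match the log's format; the "sample.sys" entry is invented, and an empty "()" is a prompt to check the file, not a verdict (the ASUS utility drivers in the log are a typical benign case).

```python
import re

# Constructed sample in the format of an FRST "Drivers" section; the
# "sample" entry is invented to exercise the unusual-location check.
SAMPLE_LOG = """\
R1 AsIO; C:\\Windows\\SysWow64\\drivers\\AsIO.sys [15232 2014-01-27] ()
R0 kl1; C:\\Windows\\System32\\DRIVERS\\kl1.sys [468576 2014-03-31] (Kaspersky Lab ZAO)
S3 WdNisDrv; C:\\Windows\\System32\\Drivers\\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
S3 IOMap; \\??\\C:\\WINDOWS\\system32\\drivers\\IOMap64.sys [X]
R3 sample; C:\\Users\\io8\\AppData\\Local\\Temp\\sample.sys [4096 2015-05-27] ()
"""

# <state> <name>; <path> [<size> <date>] (<company>)   or   <path> [X]
DRIVER_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<meta>[^\]]*)\](?:\s+\((?P<company>[^)]*)\))?\s*$"
)

def parse_driver_line(line: str):
    """Parse one FRST driver entry; return None for lines in another format."""
    m = DRIVER_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").split()
    missing = meta == ["X"]            # FRST prints [X] when the file is absent
    size = int(meta[0]) if not missing and meta else None
    path = m.group("path")
    if path.startswith("\\??\\"):      # NT object-manager prefix on some entries
        path = path[4:]
    company = (m.group("company") or "").strip() or None
    return {"state": m.group("state"), "name": m.group("name").strip(),
            "path": path, "size": size, "missing": missing, "company": company}

def triage_drivers(log_text: str) -> list:
    """Return (name, reason) pairs for entries a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_driver_line(line)
        if entry is None:
            continue
        if entry["missing"]:
            findings.append((entry["name"], "registered but file missing ([X])"))
            continue
        if not entry["path"].lower().startswith("c:\\windows\\"):
            findings.append((entry["name"], "loads from outside the Windows directory"))
        if entry["company"] is None:
            findings.append((entry["name"], "no company name in file version info"))
    return findings

if __name__ == "__main__":
    for name, reason in triage_drivers(SAMPLE_LOG):
        print(f"{name}: {reason}")
```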

Hello again,

 So I am on another computer now, so I can safely stay online for a while. The problems I am having are as follows:

 This morning I woke my computer up and on my desktop was a message reading that my Epic Browser did not close correctly, and gave me an option to restore the session or cancel; I cancelled. I opened the browser, after running CCleaner, and 6 pages popped up in succession with the same message I just wrote about. I opened my Mozilla browser and all of my bookmarks were gone. Also, any page I tried to load, on either browser, only loaded in a list form- there were no graphics at all.

 I am also unable to update my Kaspersky internet security and it keeps shutting off.

 I am taking screen shots, but they are not working. After I take the shot and go to "my pictures" and click on the file, an error pops up that the file is empty.

 I am unable to download anything, when I do, an error pops up that my HD is full; I have 2 250GB drives with little on them.

 I had to delete some files to download Farbar, but my computer would not give me the option to save it to the desktop, and my Microsoft screening feature is disabled. 

 I am able to do searches in the Epic browser but no pages load. I am not able to use Mozilla, when I type anything and hit enter, the screen just reloads.

 When I reboot the computer, there is an error message that a program has been terminated in an unusual manner and an error on line 250 (can't take a screenie of it).

 I am unable to load/run malwarebytes from a thumb drive on the computer.

 When I do restart the computer and my toolbar loads the programs programs, an icon pops up for a split second then disappears.

 

 I think that is it.

 Thanks in advance for any help.

5p


Hello and welcome,

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

As you have access to another PC, create the Windows Defender Offline Tool; I give the instructions to load it to a USB flash drive. It can also be run from a CD, just change to that option in the instructions…

It can be created from the PC with issues, but a different clean PC is preferred!

 

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

 

You will have to select the correct version for your system, either 32 or 64 bit

 

Run the tool, Windows 7 or Vista user right click and select "Run as Administrator"

 

Read the instructions in the new window and select "Next"

 

WD2.png

 

In the new window accept the agreement:

 

WD2a.png

 

In the new window select your USB Flash Drive, then select "Next"

 

WD3.png

 

In the new window ensure your Flash drive is selected, if not click on "Refresh" then select "Next"

 

WD3a.png

 

In the new window accept the formatting alert by selecting "Next"

 

WD3b.png

 

Files will be Downloaded:

 

WD4.png

 

Files will be processed and created

 

WD5.png

 

Flash drive will be formatted and prepared

 

WD6.png

 

Files will be added to the Flash Drive and the tool will be created.

 

WD7.png

 

The procedure is finished and the Tool created, click on "Finish" to complete.

 

WD8.png

 

Plug the USB into the sick PC and boot up; if it does not boot from the flash drive change the boot options as required. Use F12 as it boots, change options...

As it boots you`ll see files being loaded and the windows splash screen, eventually the tool will run a "Quick Scan" follow the prompts and deal with what it finds.

When complete do a full scan, deal with what it finds.

When finished, remove the USB stick then press the Esc key to boot into regular windows.

Navigate to the following file:

 

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

 

Open with notepad and copy and paste it into a reply.

 

See how your system responds after booting to regular windows..

 

Thanks,

 

Kevin


Hello,

 I was able to create a disk from a clean computer, but when I tried to boot from it the following message occurred:

Window Defender Offline

This app can't be started.

ERROR: unable to detect Windows system drive. This could be due to missing drivers, an encrypted drive, or a corrupt Windows installation.
Error Code 0x8004cc01

 

I deleted several programs to try to free up space, but as soon as I do, the free space is taken over by whatever has filled my HD.

Also, the book marks in my Firefox did reappear, and my Kaspersky internet security keeps shutting off (I am waiting to hear back from them...) with the message "Failed to start anti-banner."

 

Also, I looked at the properties on my C drive under security and there is a new group/username that read "Authorized users."

 

Any suggestions?
Thanks again!


I did a bit of sleuthing and downloaded TreeSize Free to check where the massive files were hiding and it looks like I have an 822.1GB Program Data folder that is hidden. On the properties tab the group/username simply says Creator Owner. I will try to attach a screenie.


Creator Owner is nothing to worry about, if you look at permissions none are listed for Creator Owner except "Special". If you select each group/user in turn you should see what permissions each one has...

 

System will be all except for "Special"

Administrator (user name)\ Administrator will be all except for "Special"

User account will only have "Read and execute", "List folder contents" and "Read"

 

Obviously the Program Data folder is holding an unusual amount of data, more or less filling up your HD. Can you disconnect the sick PC from the internet for now. Go back and open the Program Data folder, see what is inside and try to delete anything you do not recognize.

 

Next,

 

Please download Farbar Recovery Scan Tool from the following link (use clean pc), 


http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

 

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

Plug the flash drive into the infected PC.

 

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt Here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter System Recovery Command prompt.

 

If you are using Vista or Windows 7 enter System Recovery Options.

 

Plug the flashdrive into the infected PC.

 

Enter System Recovery Options I give two methods, use whichever is convenient for you.

 

To enter System Recovery Options from the Advanced Boot Options:


Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select Your Country as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

 

To enter System Recovery Options by using Windows installation disc:


Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select Your Country as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

 

On the System Recovery Options menu you may get the following options:

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

 


Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

Post that log...

 

Thanks,

 

Kevin..


OK, I had a computer crash while deleting the rest of the files - WHEA uncontrollable error. I was able to delete the main file on restart. Here's a screenie of what's left.

I am heading to campus then work, so I will not be able to post the new Farbar results to you for about 6 hrs.


Hello 5potatoes,

 

A colleague has made me aware of a common problem similar to yours with the HD filling up with data. This issue can be due to a setting in Kaspersky IS; we will need to check that first.

 

Open Kaspersky to the main GUI, at bottom left corner select > Support > Support Tools > In that window ensure "Traces" is disabled, if it is enabled disable that setting. Close out Kaspersky.

 

I want you to open the "Program Data" folder in windows, that is a normally hidden folder. Go to the following entry, follow the instructions to show hidden files and folders:

 

http://www.thewindowsclub.com/show-hidden-files-and-folders-missing

 

Now navigate to C:\Program Data\Kaspersky Lab. Inside that folder there should only be 3 sub folders: AVP, SafeBrowser and UCPStorage

 

All other entries can be deleted...

 

Re-hide files and folders, see if you can now do the following:

 

Please open Malwarebytes Anti-Malware.

 


On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
A Threat Scan will begin.
With some infections, you may or may not see this message box.
 
        'Could not load DDA driver'
 
Click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click Apply Actions.
Wait for the prompt to restart the computer to appear, then click on Yes.
After the restart once you are back at your desktop, open MBAM once more.

 

To get the log from Malwarebytes do the following:

 


Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export > From export you have three options:
 
  Copy to Clipboard - if selected right click to your reply and select "Paste"; log will be pasted to your reply
  Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
 
Recommend you use "Copy to Clipboard", then Right click to your reply > select "Paste"; that will copy the log to your reply…

 

 

If Malwarebytes is not installed follow these instructions first:

 

Download Malwarebytes Anti-Malware to your desktop.


Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Launch Malwarebytes Anti-Malware
A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish. Follow the instructions above....

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Thanks,

 

Kevin...


BTW, I should have mentioned:
 Since I was able to delete all the Kaspersky files, I have not had a computer crash and my disk space reflects the proper space used/available.

I am still having major issues going to sites online that require graphics use; Hulu for instance, just loads an all white page and MSN loads with all broken pic icons where pics should be.

thanks!


I do not see any malware/infection in your logs. Do you refer to Internet Explorer starting with a white page? It would seem no home page is set...

 

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank

 

Regarding broken pic icons can you check if Flash Player needs to be updated or possibly re-installed altogether....
