Jump to content

Possible Infection

aporia

By aporia
in Resolved Malware Removal Logs

 Share

Recommended Posts

aporia

aporia

Posted
Posted

I was using task manager to change a startup option for a program and I noticed "Windows Command Processor" which I had not seen before. These items showed up when i clicked to expand it conhost, conhost, kdbsync, and windows command processor. I wasn't sure what this was so I googled it and found that it could possibly be a virus. Since I have no idea what I'm doing I thought I'd post here for some help.

FRST.txt

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…




If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


 

Next,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the two new logs....

 

Let me see those logs...

 

Thank you,

 

Kevin
 

Link to post
Share on other sites
aporia

aporia

Posted
  • Author
Posted
Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 12/4/2015

Scan Time: 2:41 AM

Logfile: 

Administrator: Yes

 

Version: 2.2.0.1024

Malware Database: v2015.12.04.02

Rootkit Database: v2015.11.26.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 10

CPU: x64

File System: NTFS

User: Jose

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 372388

Time Elapsed: 14 min, 29 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

FRST.txt

Addition.txt

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Do not see any obvious malware or infection in those logs.... Continue:

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...

 
Next,
 
thisisujrt.gif Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


 

Next,

 

dr_web_cureit_zpse80d87bf.jpg
Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop. (Scroll to bottom of page)

  • The file will be randomly named
  • Reboot to safe mode <<<<<------------ http://support.eset.com/kb2268/
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning


    drwebselect.JPG

  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats


    drwebfolders.JPG

  • Press start scan
  • The scan will now commence


    drwebscan.JPG

  • Once the scan has finished click open report <<<--- Do not miss this step


    drwebscancomplete.JPG

  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop



This log will be excessive,  Please attach it to your next reply…
 

Post those logs...

 

Thank you,

 

Kevin

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Thanks for the logs and update, if DrWeb Cureit will not run try the following:

 

ESETOnline.png Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.


To perform the scan:

  • Make sure that Remove found threats is unchecked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology select “Change” select any extra drives in that window.
  • Click Start
  • The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.



Please include this logfile in your next reply.

Don't forget to re-enable protection software!
 

Thanks,

 

Kevin.....

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Windows Command Processor is a windows service, it can also be malicious depending on where it runs from. Looking at your start up entries in FRST logs it would seem to be active because of the following entry:

 

HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [20992 2012-03-19] ()

 

You could open MSConfig and stop that entry, re-boot. Check if that entry is cleared from TaskManager...

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Open CC again, Select > Tools > Start up > Windows tab. the start up entries will populate, select the following entry:

 

Yes    HKLM:Run    AMD AVT    Microsoft Corporation    Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml

 

Look to the right hand pane, from the options select "disable" the command should change from "Yes" to  "No"   re-boot and check Taskmanager

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Ok thanks for the update, does the entry still show in Taskmanager exactly the same as the Taskmanager image you posted earlier?

 

One other point, the ESET log entry flagged was not malicious per se. It was the installer for CCleaner and only flagged because it came bundled with Google Toolbar.

 

Back to the issue in TM, I want you to set up and run your system in a "Clean Boot" mode. Basically windows runs with all 3rd party services (none Windows system services) disabled.

 

Go to this link: https://windowsinstructed.com/clean-boot-windows-windows/ follow the instructions and set up for a clean boot, after the re-boot check TM, is the issue still present?

 

Thank you,

 

Kevin..

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

I`m not convinced there is anything wrong with your system, open an elevated command prompt and do the following. Select the Windows key and X key together from the open list select "Command Prompt (Admin)"

 

At the prompt copy and paste each following command, hit the enter key after each command.

 

wmic startup get Caption, Location, Command /format:list > 0 & notepad 0

 

tasklist > 0 & notepad 0

 

tasklist /svc > 0 & notepad 0

 

Notepad will open after each command, save each log and attach to your reply...

 

Thank you,

 

Kevin.

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Thanks for those logs, continue please:

 

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop
Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Double-click MSRT on your Desktop to run it.

In the "Scan Type" window, select Full Scan

Perform a scan and the Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter

notepad c:\windows\debug\mrt.log
 

Let me see that log....

 

Thank you,

 

Kevin....

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.