Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by pallino

  1. Hp updated ciberlink and few hp programs..I didn t reboot, you are right, but why should Emsi disactivate? Was is still protecting the pc or was it off? The temp file and rogue killer logs were o.k too? Thank you
  2. Hello Kevin, how does it look like now? All safe and clean? What is the kerncap.vbs that autoruns didn't find? thank you!!! Addition.txt FRST.txt Fixlog.txt virusinfo_syscheck.zip RKreport_SCN_02172015_104851.log
  3. Hi Kevin, please find attached the new logs. Why are windows and Fbar telling me that Emsi is not active/off? According to Emsi IS, my computer is protected..... who is right? According to NPE (and 2 scanners on virustotal), the attached zip temp file that was in c:/windows/temp is infected too... What do you think? thank you P.S. Since I didn't like the findings till now as the problem with Emsi above I also run rogue killer and attached the log.... Addition.txt FRST.txt virusinfo_syscheck.zip Addition.txt WAXB928.zip RKreport_SCN_02162015_222627.log
  4. I ll work on this laptop over the weekend, pls keep the tread open. thank you and nice weekend
  5. for info, I restarted that desktop and windows couldn't load thw desktop icons. After another restart all loaded as "normal". I connected the usb hd to the laptop today and restored the .pst. Hope all is fine. Thank you Addition.txt FRST.txt virusinfo_syscheck.zip
  6. so no risk that that computer got infected during the scan while emsi froze, correct? Thanks
  7. Iasked the above also because two days ago I connected the usb hd to my 4th brand new pc and started a scan with Emsi IS that froze during the scan....
  8. I just thought, these wete errors that shouldn't be in a fresh install, so your answer us the best news I got in the ladt 2 months!thank you Can I now restore my files (pst, doc, exl) from my back up? -just to be sure, it is safe to connect the usb backup drive andto scan it with all av I have(unless I have a bad usb malware), or? thank you
  9. Hello Kevin, thank you for reopening the thread! I reinstalled all from cds created as soon as I git the laptop. Updated windows and HP programs as AV. How does it look like for a fresh install? I see weird error messages....are these normal for a fresh install? If all looks 100% fine and without concerns I'll connect the first laptop to internet and update that too...but only if this one is safe and clean...if not it means there is some malware somewhere that keeps infectiong the laptops and the router (although it was resetted and psw as u\ser name changed before). I uploaded 2 AVZ logs, the one I did yesterday and the one I did today....today explorer crashed when I opened Cdburner xp (open candy free one)....and programs start slowlier.... Thank you FRST.txt Addition.txt virusinfo_syscheck10-2-15.zip virusinfo_syscheck.zip a2scan_150210-201613.txt
  10. Hi Kevin, thank you! Since this laptop is new and will be used for online/safe stuff only it should be clean and "doudt free". This was my 2nd fresh reinstall and we still have strange/unaxplainable things...I decided to reinstall all again. I'll update all logs as soon as ready, probably tomorrow (I m working on the other laptop right now. If that one is safe, I'll connect this one to internet and update all programs). Thank you
  11. Hi Kevin, please find attached the new logs. - What can the utizmzqw.sys error be about? - What is this error blow? Error: (02/05/2015 09:06:03 PM) (Source: NetBT) (EventID: 4311) (User: ) Description: Initialization failed because the driver device could not be created. Use the string "9CAD979D61B4" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. - Why do i keep getting warnings from EMSI that HPSA.exe or youcam.exe got modified every time I scan the pc? If I ask Emsi to update the rule, the scan get closed. If I say remove rule, I might get another warning but I can completee the scan....I have then the same warning the next time I rescan... What do you think? thank you! Addition.txt FRST.txt Fixlog.txt virusinfo_syscheck.zip
  12. I understand but it s a huge pity we cannot find it! After all we did and had on this and the other laptop, what do you think it was? Thank you
  13. After all what happened on this laptop and othe the other one I run also Roguekiller and NPE. They both found a oonqp.sys file (I managed to cut&paste it, then it disappeared from /system/32/drivers)...apparently is a malwarebytes file but I cannot find it on any other devices I have. Attached the new logs. I also keep getting warnings from Emsi that HP Hpsa (helpsupport) is being modified or the youcam program, most when I scan with AV (always with a blank page if I want additional informations) ...is it normal or is it suspect? What do you think? Thank you! virusinfo_syscheck.zip Addition.txt FRST.txt RKreport_SCN_02052015_184543.log oonqp.zip
  14. I reinstalled all, then reset the router and immediately changed username and psw. No firmware updates are available. How do the logs look like now? All fine and safe? Thank you Addition.txt FRST.txt virusinfo_syscheck.zip
  15. Since you deleted these before and we had issues you couldn t expalin (LSA, restriction policies, sudden corrupted files...) we decided to restore the laptop to an earlier point to try to find the cause of all of this. I thought we could isolate and analize the 2 files and find out what they are. If the laptop is and was infected and this malware wasn't completely deleted/detected I thought it would be more than impotant to find out what it is, for me as for other users...maybe I was wrong. The system is wrking and ddnt have all of the above before..if it's malware related I would really prefer to find out what caused it instead of just reinstall all since NO AV/ nor AV TOOL detected anything before.
  16. I reset it twice in the past, one when you suggested me and one another time but not immediately before reconnecting te laptop after reinstalling al. If it's the outer, than it gets reinfected easily after resetting it...or resetting doesn 't delete the malware (if the router got haked) or the problem is elsewhere...before resetting I didn't have this roblem...... What do you think and what can I do now? What would you do if it was your laptop?
  17. What about Service('vhjrap') and Service('icquni')as the files ('icquni.sys','32')and ('vhjrap.sys','32')?
  18. As suggested I just had reinstalled all! ..and not from recovery partition since it could have been compromised but from resue disks created as soon as the laptop started the first time. How could this have happened? Is this "normal" or a clear sign of malware presence? Is this windows or router related? As info, as I installed windows, the laptop was not connected to internet and I can connect to internet with the laptop. Please help!!! Thank you
  19. What/ where are these corrupted files? Since we had them only after mid January and not before and now we have them also after restoring, can t it be that something malicious is corrupting them as it did in January. Laptop is runnong "fine", crashes nor blue screen. What do we do now to find this malware? I saw the 2 removed entries, Service('vhjrap') and Service('icquni')as the files ('icquni.sys','32')and ('vhjrap.sys','32') reappeared. Can t we investigate them more this time?
  20. Same here even if I cannot use IE, but this is not bad since i use firefox...the info above was for info hoping it could help. How do the logs look like and 2. I just had a quick look at the additon.txt, what does the error below mean? (Claudio-HP is a laptop that was connected to the same router as I worked on mine.) Error: (02/01/2015 07:42:57 PM) (Source: BROWSER) (EventID: 8009) (User: ) Description: The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is CLAUDIO-HP. thks
  21. Hi Kevin, I restored to the 20th of november and run the scans. What do we do now? I hope, we can get it this time and "by name"! Thank you P.S> To save time I already scanned with Tdsskiller and Roguekiller... Addition.txt FRST.txt a2scan_150202-122000.txt virusinfo_syscheck.zip RKreport_SCN_02022015_132354.log TDSSKiller.
  22. In the meatime I found out what caused EMET to find an EAF mitigation...it was because of Malwarebytes antiexploit..if I stop Malwarebytes AE protetion, EMET stays quite....hope this s "normal". Or I have to uncheck EAF, EAF+ and SiM Exe Flow in EMET. If I uncheck only EAF and EAF+, when I start IE, EMET blocks it for a SiM Exe Flow...hope this helps.
  23. Hello Kevin, thank you for the honest answer! I reinstalled all from the rescue cds I created as soon as I started the laptop the first time. I installed few programs and updated all. When I then tryed to lanch IE to change the settings I got a warning from EMET for a EAF that then closed IE......what can this be? In the FRST under Internet I saw www.amazon.com ..but I didn't visit this site on this laptop... Pls find attached the new reports. How do they look like? I just had a quick look at the additon.txt, what does the error below mean? (Claudio-HP is a laptop that was connected to the same router as I worked on mine.) Error: (02/01/2015 07:42:57 PM) (Source: BROWSER) (EventID: 8009) (User: ) Description: The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is CLAUDIO-HP. thank you Addition.txt FRST.txt virusinfo_syscheck.zip
  24. What about OTL, DDS, are they similar to FBAR? What are the advantages/disadvantages of these tools? If I reset to Novemebr and we use the same tool as we did before, why should the result be different? I m asking since it's a time consuming work to reset and updae all. ..but'm redy and more than happy to do it if it helps to find unknown malware!
  • Create New...