pallino
Everything posted by pallino

  1. Hello Kevin, since this laptop was and will be used for online banking and safe stuff I also scanned with RogueKiller. I attach all reports available as of today... how do they look? To be on the even safer side (since I still get the warning from HitmanPro.Alert), can I scan with another tool / do something else? Thank you as usual for your time and support!!! Addition.txt FRST.txt RKreport_SCN_01212015_104156.log virusinfo_syscheck.zip
  2. Hello Kevin, thank you! I checked AVZ's infected and quarantined folders (File/Open infected, quarantined files) but both were empty... Is this normal? Did AVZ find and delete them, or were these random names that "disappeared"? How/where can I find them? What do we do now? Thank you! Addition.txt FRST.txt RKreport_SCN_01212015_003641.log virusinfo_syscheck.zip
  3. How did the last AVZ log look? I saw a lot of "red" items... is all right now? Did you see signs of infection or something unusual for a system that is 3 months old and was only used a few times and only for safe things? Can I use it now for online banking/payments? Thank you!
  4. Thank you! What can we scan the laptop with now? What can we use as 2nd or 3rd opinion software? What can we do now? I checked the backups I have but I cannot find the older 2 deleted files, not in windows/system32/drivers, nor in system32, nor in windows... Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be? Would they get copied by a backup program? What program could I use to see them if they are hidden from Windows Explorer? Thank you!
  5. Hello Kevin, is this program not a legit one, G DATA's USB Keyboard Guard? Is this a false positive? https://www.gdatasof...-keyboard-guard Just to be sure before I delete it... I checked the backups I have but I cannot find the older 2 deleted files, not in windows/system32/drivers, nor in system32, nor in windows... Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be? Would they get copied by a backup program? What program could I use to see them if they are hidden from Windows Explorer? Thank you
  6. Hello Kevin, is this program not a legit one, G DATA's USB Keyboard Guard? Is this a false positive? https://www.gdatasoftware.com/en-usb-keyboard-guard Thank you
  7. Hello Kevin, please find attached the new logs. Did you see signs of infection or something unusual for a system that is 3 months old and was only used a few times and only for safe things? Thank you! Fixlog.txt virusinfo_syscheck.zip FRST.txt Addition.txt
  8. After running ComboFix and restarting the laptop, after all the alerts from KIS I ran AVZ. I might have restarted the system one more time before running AVZ. First it stopped working with "rich edit line insert error", then with "out of memory while expanding memory stream"... then one log was created (attached log 15-1-15). Today I could run it... I attached the log. Thank you! virusinfo_syscheck 15-1-15.zip virusinfo_syscheck.zip
  9. Thank you! Are these signs of infection? Strange that this appeared now... like the corrupted files on my other laptop... very suspicious. Thank you for your support
  10. I hope this is not all that can be done!!!... all this is not normal... how can this laptop get so many corrupted files "overnight" or just after little updates? How did the latest reports look? AVZ for example had many red lines... Thank you
  11. That's too strange... I just installed Windows, Kaspersky's update and herdProtect. Then ComboFix... nothing more... no crashes... What can I use now to scan?
  12. Hello Kevin, yesterday I tried to start Emsi but I couldn't... I restarted the laptop and ran an update. It took 8 minutes (3-4 days old database), then I ran a scan. Now Emsi finds:
      Value: HKEY_USERS\S-1-5-21-899035793-1407862790-891569072-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
      Value: HKEY_USERS\S-1-5-21-899035793-1407862790-891569072-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
      The AVZ report is also attached... I saw a lot of red marked items... What do we do now? In the last days I only updated Emsi's and Bitdefender's databases, Firefox and Windows... Is this all normal or is there still something to be checked? I'm still waiting to use this laptop again for online banking till all is quiet and safe... Thank you a2scan_150115-115229.txt Addition.txt FRST.txt virusinfo_syscheck.zip
  13. Very, very strange... this would be the 3rd system with damaged or corrupted files in 6 months... and this laptop is 2 years old!!!!... was it like this in the previous logs? Can't it be malware not discovered yet? What about the files deleted by ComboFix in C: and in the Windows folder? What do we do now? What can I scan with now???? I don't think we had any signs of corrupted files before... Windows was working fine till now, no alerts from any AV, the Windows scannow command reported only a problem with beep.sys... very strange and worrying situation... Please, let me know what I can scan with over the weekend!!! Thank you
  14. As soon as I restarted Kaspersky on this laptop I got alerted that a new program c:\newtool\pv.3exe wanted to connect to the internet... I cannot see it nor the folder in Explorer and I blocked it... I checked the report and other files were blocked or added to restricted... Addition.txt FRST.txt
  15. I have good and bad news. The good news is that the backups were created on the 19th and 20th of November... the "bad" news is that EMSI IS (paranoia mode, custom scan with direct access) doesn't find anything suspect or infected. Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be? I ran ComboFix, please find attached the new report. How does it look? What do we do now? Thank you! ComboFix.txt
  16. What about the HitmanPro.Alert alert message for Firefox? Is it a bug or still something to take care of? Thank you!
  17. ...my fear is EAM might not detect it since it didn't detect it before on scan... Where could I find the 2 trojan files in the backup? What tool can I use, since I might not see them with Explorer? Thank you
  18. I'll check with ComboFix ASAP... thank you! Yesterday I was thinking that at the moment you found something associated with a trojan horse but we don't know what it was. I was thinking about my other PCs and laptops and about my backups created before today, and about how I/we can figure out what trojan it was and whether the other HDs are infected too or not, since AV and antirootkits didn't find these trojans until now. I remembered that I created a backup with Windows, with Macrium Reflect and with Paragon Backup Free... I have to check if I created the backups before the cleaning or after... I think it was before... How and where can I look for the deleted trojan files? I would like to upload them so that you can analyze them and add detection in Emsisoft... With what tool/program can I check the USB HDs for this infection (I wouldn't like to reinfect the laptop again)? Thank you as usual for your help!
  19. Hello Kevin, some info/summary that I hope might help... my doubts started mid September 2014 when Bitdefender IS 2015 told me a virus was found in a file in the Emsisoft folder on this laptop... I scanned the laptop with all I had and knew I could use (Bitdefender, Emsisoft EK, Malwarebytes, HitmanPro, Norton Power Eraser, TDSSKiller, aswMBR, Malwarebytes Anti-Rootkit, Emsisoft's MBRCheck beta, ESET online scan... I also scanned with some AV boot CDs created with another laptop)... nothing was found... online I found it was/could have been a false alarm of Bitdefender... I kept on scanning but no AV ever found/alerted about the Service('vhjrap') and Service('icquni') as the files ('icquni.sys','32') and ('vhjrap.sys','32') you found last week... I still have the first TDSSKiller reports from that time, does it help if I upload them? To save time I upload the first ones... Thank you! TDSSKiller.3.0.0.42_13.01.2015_17.40.27_log.txt TDSSKiller.3.0.0.40_14.09.2014_14.30.01_log.txt TDSSKiller.3.0.0.40_14.09.2014_14.16.57_log.txt TDSSKiller.3.0.0.40_13.09.2014_00.16.38_log.txt
  20. Hello Kevin, until now, do you think this laptop was infected? Can I use this new laptop for online banking? I bought it three months ago just for this and used it only for safe things... Could this have been infected by the other laptop on the same network (unknown persistent malware, 3rd system) or by the desktop that had the "suspicious dying motherboard"? What can we do now? Thank you TDSSKiller.3.0.0.42_13.01.2015_17.21.00_log.txt
  21. Unfortunately not, and I don't know how to find/generate one report... After seeing the alert page as described before, I can choose to download HitmanPro but cannot start the scan by pressing the "scan with HitmanPro" button in the alert page... How do we proceed now? Thank you!
  22. Yes, please... Now it's too late to upload the file for analysis, correct? I would have liked to know the name of the trojan that passed "all the defences" I had on my laptop... and managed to stay hidden from all the tools/AV I used and know... Do you know what kind of trojan it was? Could it infect other devices on the same network? Or the router? What should I do now? Thank you!
  23. The system is running better but still not "smooth", sometimes it is slow to respond (e.g. to close a window)... What were the Service('vhjrap') and Service('icquni') as the files ('icquni.sys','32') and ('vhjrap.sys','32') you deleted before? Can I use this laptop again for online banking or is it still not safe/risky? What can I do now? Thank you
  24. Hi Kevin, I attached the 2 new logs and Fbar's too. I still get the HitmanPro.Alert warning... can this happen without an infection or is this still a bad sign? Since it was already on my system I also scanned with RogueKiller (hope it helps, sorry if not)... apparently it found something... hopefully it's a false alarm... Thank you! AdwCleanerS0.txt JRT.txt Addition.txt FRST.txt RKreport_SCN_01122015_122045.log
  25. I forgot one question... Is AVZ's info below from the scan report normal?
      1.1 Searching for user-mode API hooks
      Analysis: kernel32.dll, export table found in section .text
      Analysis: ntdll.dll, export table found in section .text
      Function ntdll.dll:NtAllocateVirtualMemory (198) intercepted, method - APICodeHijack.JmpTo[74A18CE6]
      Function ntdll.dll:NtFreeVirtualMemory (311) intercepted, method - APICodeHijack.JmpTo[74A18E96]
      Function ntdll.dll:NtProtectVirtualMemory (396) intercepted, method - APICodeHijack.JmpTo[74A18D76]
      Function ntdll.dll:ZwAllocateVirtualMemory (1450) intercepted, method - APICodeHijack.JmpTo[74A18CE6]
      Function ntdll.dll:ZwFreeVirtualMemory (1562) intercepted, method - APICodeHijack.JmpTo[74A18E96]
      Function ntdll.dll:ZwProtectVirtualMemory (1646) intercepted, method - APICodeHijack.JmpTo[74A18D76]
      Thank you!