Unknown, persistent malware (Laptop 1)


pallino

Hello Kevin,

thank you for the honest answer!

I reinstalled everything from the rescue CDs I created as soon as I started the laptop the first time.

I installed a few programs and updated everything.

When I then tried to launch IE to change the settings I got a warning from EMET for an EAF that then closed IE......what can this be?

In the FRST under Internet I saw www.amazon.com ..but I didn't visit this site on this laptop...

Please find attached the new reports.

How do they look?

I just had a quick look at the Addition.txt, what does the error below mean? (Claudio-HP is a laptop that was connected to the same router as I worked on mine.)

Error: (02/01/2015 07:42:57 PM) (Source: BROWSER) (EventID: 8009) (User: )
Description: The browser was unable to promote itself to master browser.  The computer that currently
believes it is the master browser is CLAUDIO-HP.

thank you

Addition.txt

FRST.txt

virusinfo_syscheck.zip

In the meantime I found out what caused EMET to find an EAF mitigation...it was because of Malwarebytes Anti-Exploit..if I stop Malwarebytes AE protection, EMET stays quiet....hope this is "normal".

Or I have to uncheck EAF, EAF+ and SimExecFlow in EMET.  If I uncheck only EAF and EAF+, when I start IE, EMET blocks it for a SimExecFlow...hope this helps.

Same here even if I cannot use IE, but this is not bad since I use Firefox...the info above was for info hoping it could help.

1. How do the logs look, and

2. I just had a quick look at the Addition.txt, what does the error below mean? (Claudio-HP is a laptop that was connected to the same router as I worked on mine.)

Error: (02/01/2015 07:42:57 PM) (Source: BROWSER) (EventID: 8009) (User: )
Description: The browser was unable to promote itself to master browser.  The computer that currently
believes it is the master browser is CLAUDIO-HP.

thanks

The system should be reinstalled.

Error: (02/01/2015 07:42:57 PM) (Source: BROWSER) (EventID: 8009) (User: )

Description: The browser was unable to promote itself to master browser.  The computer that currently believes it is the master browser is CLAUDIO-HP.

See:

http://support.microsoft.com/kb/143153

https://msdn.microsoft.com/en-us/library/ms841537.aspx

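The BROWSER 8009 entry above, and the NetBT 4311 entry quoted later in the thread, are both copied out of FRST's Addition.txt "Event log errors" section. An Addition.txt from a machine under investigation can contain dozens of such entries, so a small triage parser that collapses them to distinct (source, event id) pairs, and pulls out which other machine claims to be the master browser, is useful before asking what an individual entry means. The script below is an added example written for this page, not FRST's own code and not part of the helper's reply; the sample text is constructed from the two entries quoted in the thread, and the "Error: (time) (Source: X) (EventID: N) (User: U)" header layout is assumed from how those entries appear on the page.

```python
import re
import sys
from collections import Counter

# Constructed sample: the two event-log errors quoted in this thread, laid out
# the way they appear on the page (an "Error:" header line, a "Description:"
# line, continuation lines, then a blank line). Not a real log file.
SAMPLE_ADDITION_TXT = """\
Error: (02/05/2015 09:06:03 PM) (Source: NetBT) (EventID: 4311) (User: )
Description: Initialization failed because the driver device could not be created.
Use the string "9CAD979D61B4" to identify the interface for which initialization
failed. It represents the MAC address of the failed interface or the
Globally Unique Interface Identifier (GUID) if NetBT was unable to
map from GUID to MAC address.

Error: (02/01/2015 07:42:57 PM) (Source: BROWSER) (EventID: 8009) (User: )
Description: The browser was unable to promote itself to master browser.  The computer that currently
believes it is the master browser is CLAUDIO-HP.

Error: (02/01/2015 07:42:57 PM) (Source: BROWSER) (EventID: 8009) (User: )
Description: The browser was unable to promote itself to master browser.  The computer that currently
believes it is the master browser is CLAUDIO-HP.
"""

# Header line format as quoted in the thread (assumed to be FRST's layout).
ENTRY_RE = re.compile(
    r"^Error: \((?P<when>[^)]*)\) \(Source: (?P<source>[^)]*)\) "
    r"\(EventID: (?P<event_id>\d+)\) \(User: (?P<user>[^)]*)\)$"
)
# Host named at the end of a BROWSER 8009 description.
MASTER_RE = re.compile(r"master browser is (?P<host>[^\s.]+)\.")


def parse_entries(text):
    """Return one dict per 'Error:' entry: timestamp, source, numeric event id,
    user, and the description with its continuation lines joined by spaces."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            current = {"when": m["when"], "source": m["source"],
                       "event_id": int(m["event_id"]),
                       "user": m["user"].strip(), "description": ""}
            entries.append(current)
        elif current is not None and line.startswith("Description: "):
            current["description"] = line[len("Description: "):].strip()
        elif current is not None and line.strip() and current["description"]:
            current["description"] += " " + line.strip()
        else:
            current = None  # a blank line or unrelated text ends the entry
    return entries


def summarize(entries):
    """Collapse entries to distinct (source, event id) pairs, most frequent
    first, keeping the first description seen for each pair."""
    counts = Counter((e["source"], e["event_id"]) for e in entries)
    first_desc = {}
    for e in entries:
        first_desc.setdefault((e["source"], e["event_id"]), e["description"])
    return [{"source": s, "event_id": i, "count": n,
             "description": first_desc[(s, i)]}
            for (s, i), n in counts.most_common()]


def other_master_browsers(entries):
    """Hosts that BROWSER 8009 entries name as the current master browser,
    i.e. which other machine on the LAN won the browser election."""
    hosts = set()
    for e in entries:
        if e["source"] == "BROWSER" and e["event_id"] == 8009:
            m = MASTER_RE.search(e["description"])
            if m:
                hosts.add(m["host"])
    return hosts


if __name__ == "__main__":
    # Usage: python frst_events.py Addition.txt   (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_ADDITION_TXT
    parsed = parse_entries(text)
    for row in summarize(parsed):
        print(f"{row['count']:>3}x {row['source']}/{row['event_id']}: "
              f"{row['description'][:80]}")
    print("master browser claimed by:", sorted(other_master_browsers(parsed)))
```

The interesting output for a question like the one in this thread is the host set from `other_master_browsers`: if it only ever names machines you own on that LAN (here CLAUDIO-HP), the entries describe a normal browser election between your own computers rather than a third device.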

As suggested I just reinstalled everything! ..and not from the recovery partition since it could have been compromised but from rescue disks created as soon as the laptop started the first time.

How could this have happened? Is this "normal" or a clear sign of malware presence? Is this Windows or router related?

As info: while I installed Windows the laptop was not connected to the internet, and I can connect to the internet with the laptop.

Please help!!!

Thank you
I reset it twice in the past, once when you suggested it to me and another time, but not immediately before reconnecting the laptop after reinstalling all.

If it's the router, then it gets reinfected easily after resetting it...or resetting doesn't delete the malware (if the router got hacked) or the problem is elsewhere...before resetting I didn't have this problem......

What do you think and what can I do now? What would you do if it was your laptop?

After all that happened on this laptop and on the other one I also ran RogueKiller and NPE. They both found an oonqp.sys file (I managed to cut&paste it, then it disappeared from /system/32/drivers)...apparently it is a Malwarebytes file but I cannot find it on any other devices I have.

Attached the new logs.

I also keep getting warnings from Emsi that HP HPSA (helpsupport) is being modified, or the YouCam program, mostly when I scan with AV (always with a blank page if I want additional information) ...is it normal or is it suspect?

What do you think?

Thank you!

virusinfo_syscheck.zip

Addition.txt

FRST.txt

post-34031-0-05304900-1423202041_thumb.png

post-34031-0-74045400-1423202054_thumb.png

post-34031-0-33922800-1423202067_thumb.png

RKreport_SCN_02052015_184543.log

oonqp.zip

oonqp.sys is a Malwarebytes file.

Norton is wrong.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

2015-02-05 11:47 - 2015-02-05 11:47 - 00000000 ____D () C:\ProgramData\{65AB91D4-DDD0-48D4-804D-C24E1FC90D44}
2015-02-04 14:46 - 2015-02-04 14:46 - 00000000 ____D () C:\Users\Default\AppData\Local\Pokki
2015-02-04 14:46 - 2015-02-04 14:46 - 00000000 ____D () C:\Users\Default User\AppData\Local\Pokki
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system to restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

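The fixlist above is three lines in FRST's directory-listing format (creation time, modification time, size, attribute flags, company field, path), and the helper's NOTICE is the important part: FRST will act on exactly those paths, so a script written for one machine should be checked against the machine it is about to run on. The dry-run checker below is an added example for this page, not part of FRST and not the helper's script; it parses fixlist lines in that format, reports which of the listed paths are present, and flags any entry that targets a whole Windows directory or a path that is too shallow to be a single removal target. The interpretation of the fields (the trailing D in the attribute flags as "directory") is assumed from the lines on the page, the sample fixlist is constructed from them, and the "too broad" rule is this example's own sanity check, not an FRST rule. Nothing here deletes anything; that remains FRST's job.

```python
import os
import re
from datetime import datetime

# Constructed sample in the layout of the fixlist posted in the thread.
SAMPLE_FIXLIST = "\n".join([
    r"2015-02-05 11:47 - 2015-02-05 11:47 - 00000000 ____D () C:\ProgramData\{65AB91D4-DDD0-48D4-804D-C24E1FC90D44}",
    r"2015-02-04 14:46 - 2015-02-04 14:46 - 00000000 ____D () C:\Users\Default\AppData\Local\Pokki",
    r"2015-02-04 14:46 - 2015-02-04 14:46 - 00000000 ____D () C:\Users\Default User\AppData\Local\Pokki",
])

# "created - modified - size flags (company) path" as it appears on the page.
LISTING_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)


def parse_fixlist(text):
    """Parse FRST listing lines into dicts; raise on any line that does not
    match, so a stray character in a pasted fixlist is caught before use."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LISTING_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an FRST listing entry: {line!r}")
        d = m.groupdict()
        entries.append({
            "created": datetime.strptime(d["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(d["modified"], "%Y-%m-%d %H:%M"),
            "size": int(d["size"]),
            "is_dir": d["attrs"].endswith("D"),  # assumption: D flag = directory
            "company": d["company"],
            "path": d["path"],
        })
    return entries


def is_too_broad(path):
    """Hypothetical sanity rule: a drive root, a top-level folder such as
    C:\\Users, or anything under C:\\Windows is not a sensible single target."""
    parts = [p for p in path.rstrip("\\").split("\\") if p]
    return len(parts) < 3 or parts[1].lower() == "windows"


def review(entries, exists=os.path.exists):
    """Dry run: for each entry report whether the path is present on this
    machine and whether it trips the breadth rule. 'exists' is injectable so
    the review can be exercised off the target machine."""
    return [{
        "path": e["path"],
        "kind": "directory" if e["is_dir"] else "file",
        "present": exists(e["path"]),
        "too_broad": is_too_broad(e["path"]),
    } for e in entries]


if __name__ == "__main__":
    # Usage: python fixlist_check.py fixlist.txt   (falls back to the sample)
    import sys
    text = open(sys.argv[1], encoding="utf-8-sig").read() \
        if len(sys.argv) > 1 else SAMPLE_FIXLIST
    for row in review(parse_fixlist(text)):
        flag = "  <-- TOO BROAD, do not run" if row["too_broad"] else ""
        state = "present" if row["present"] else "absent"
        print(f"[{state:>7}] {row['kind']:<9} {row['path']}{flag}")
```

Run it on the target machine before pressing Fix: every entry you expect to remove should show as present, and nothing should be flagged. An entry that is already absent is not an error (the directory may have been cleaned by another tool), but an unexpected path, or a flagged one, means the fixlist was not written for this machine.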

Hi Kevin,

please find attached the new logs.

- What can the utizmzqw.sys error be about? :blink:

- What is this error below?

Error: (02/05/2015 09:06:03 PM) (Source: NetBT) (EventID: 4311) (User: )
Description: Initialization failed because the driver device could not be created.
Use the string "9CAD979D61B4" to identify the interface for which initialization
failed. It represents the MAC address of the failed interface or the
Globally Unique Interface Identifier (GUID) if NetBT was unable to
map from GUID to MAC address. If neither the MAC address nor the GUID were
available, the string represents a cluster device name. :blink:

- Why do I keep getting warnings from EMSI that HPSA.exe or youcam.exe got modified every time I scan the PC?

If I ask Emsi to update the rule, the scan gets closed. If I say remove rule, I might get another warning but I can complete the scan....I then have the same warning the next time I rescan... :(

What do you think?

thank you!

Addition.txt

FRST.txt

Fixlog.txt

post-34031-0-92971500-1423499342_thumb.png

virusinfo_syscheck.zip

Hi Kevin,

thank you!

Since this laptop is new and will be used for online/safe stuff only it should be clean and "doubt free".

This was my 2nd fresh reinstall and we still have strange/unexplainable things...I decided to reinstall everything again. I'll update all logs as soon as ready, probably tomorrow (I'm working on the other laptop right now. If that one is safe, I'll connect this one to the internet and update all programs).

Thank you

Hi Kevin, please find attached the new logs.

Why are Windows and Fbar telling me that Emsi is not active/off? :blink::mad: According to Emsi IS, my computer is protected..... who is right?

According to NPE (and 2 scanners on VirusTotal), the attached zip temp file that was in c:/windows/temp is infected too...

What do you think?

thank you

P.S. Since I didn't like the findings till now, such as the problem with Emsi above, I also ran RogueKiller and attached the log....

Addition.txt

post-34031-0-57657700-1424143538_thumb.png

post-34031-0-20549800-1424143549_thumb.png

FRST.txt

virusinfo_syscheck.zip

Addition.txt

WAXB928.zip

RKreport_SCN_02162015_222627.log

Hi Kevin,

thank you!

What about RogueKiller's PUM? Can you please check this too?

I attached new logs since today I had to go online and accessed all my accounts.

If all is clean and safe I'll be super happy.....and the thread could be closed. :) :)

thank you!!!

Addition.txt

FRST.txt

virusinfo_syscheck.zip

RKreport_SCN_02202015_115829.log

again,

I uploaded new logs not because I like it but because I had something that till today wasn't found/recognised but that infected the router and 2 PCs at least and forced me to reinstall everything many times and on different PCs.

Since I use this laptop for online banking I think it's normal to ask to double check if all is still safe after all that happened and 3 reinstalls and 3 router resets...and the RogueKiller PUM (that in the past you asked me to fix) didn't help, as the tmp file!

Thank you for your help, time and patience till now!
