pallino (Author) Posted January 28, 2015
How probable is it that my router got hacked, and so all the other devices on the network? I'm losing trust in all devices right now.... Can we test the router deeply? After all the scans we did, how would restoring the system to an earlier point help to detect a malware that is still undetected today? What do I do after restoring: can I update all (Windows, AV, programs...) or what do you want me to do? Scan immediately with FBAR and AVZ and EMSI, or after all is updated? Can you please check all my questions? Since we have only one contact per day it's best to save time/days as much as possible. Thank you again for your help and time!
ShadowPuterDude Posted January 28, 2015
I have no way to test the router. The best thing to do is disconnect it from everything, reset it to factory defaults and reconfigure it. Doing a System Restore can and probably will bring back some of the malware, but we can deal with that after the System Restore. Once the System Restore has completed, run fresh scans with EEK and FRST. I'll take a look and figure out what to do next.
pallino (Author) Posted January 28, 2015
So before updating all? As suggested before, I already reset the router, but thought that if it got hacked before with custom settings it shouldn't be a problem to hack it again...that's why I asked if it is possible to test it in some way.
ShadowPuterDude Posted January 28, 2015
IF your router has up-to-date firmware, then it should be OK. Of course there is no guarantee that it won't get hacked again. There is no way for me to test the router for malware.
pallino (Author) Posted January 29, 2015
I have good and bad news.. The good news is that the backups were created on the 19th and 20th of November....the "bad" is that EMSI IS (paranoia mode, custom scan with direct access) doesn't find anything suspect nor infected. Where, in what folder, should vhjrap.sys and icquni.sys and the other suspect files be? I ran Combofix, please find attached the new report. How does it look? What do we do now? Thank you!
I just checked the FBAR log and saw that now also on this laptop we have IE policy restrictions....they were not there on my last scan on the 11th.....is this related to the other laptop and a sign of a particular kind of infection? I also saw that the system corrupted files as the policy restrictions appeared out of the blue on the 15th...can this be related on his laptop to Combofix (so caused by it), or by a malware still present after Combofix was run? If I restore Windows to November we might get some deleted malware/files back but will still have the undetected one that we might have now (maybe not if they were downloaded/"updated" later)....just to understand, if we didn't find the malware till now, how should it be easier to find it with/after a restore? Does this make sense? Thank you
ShadowPuterDude Posted January 29, 2015
Your logs show no malware. I cannot fix what I cannot see.
pallino (Author) Posted January 30, 2015
But we have things that appear and we don't know how and why....corrupted system files, policy restrictions...maybe we should look deeper, if possible, or with other tools.... Thank you
ShadowPuterDude Posted January 30, 2015
Based on your logs, I am unable to determine what the cause is. We have exhausted the tools that are known to be reliable.
pallino (Author) Posted January 30, 2015
What about OTL, DDS, are they similar to FBAR? What are the advantages/disadvantages of these tools? If I reset to November and we use the same tools as we did before, why should the result be different? I'm asking since it's time-consuming work to reset and update all...but I'm ready and more than happy to do it if it helps to find unknown malware!
ShadowPuterDude Posted January 30, 2015
OTL is outdated and no longer being actively developed. DDS will show me nothing that the other logs don't already show, and it is not compatible with Windows 8.1.
pallino (Author) Posted February 2, 2015
Hi Kevin, I restored to the 20th of November and ran the scans. What do we do now? I hope we can get it this time, and "by name"! Thank you
P.S. To save time I already scanned with TDSSKiller and RogueKiller...
Attachments: Addition.txt, FRST.txt, a2scan_150202-122000.txt, virusinfo_syscheck.zip, RKreport_SCN_02022015_132354.log, TDSSKiller.3.0.0.44_02.02.2015_13.14.20_log.txt
ShadowPuterDude Posted February 3, 2015
Nothing has changed; the system still has several corrupt files.
pallino (Author) Posted February 3, 2015
What/where are these corrupted files? Since we had them only after mid-January and not before, and now we have them also after restoring, can't it be that something malicious is corrupting them as it did in January? The laptop is running "fine", no crashes nor blue screens. What do we do now to find this malware? I saw the 2 removed entries, Service('vhjrap') and Service('icquni'), as the files ('icquni.sys','32') and ('vhjrap.sys','32') reappeared. Can't we investigate them more this time?
ShadowPuterDude Posted February 3, 2015
Quote: What/where are these corrupted files?

R2 AMD External Events Utility; C:\Windows\SysWOW64\atiesrxx.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 EFS; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 hpsrv; C:\Windows\SysWOW64\Hpservice.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R3 KeyIso; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
S3 Netlogon; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R3 ProtectedStorage; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 SamSs; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 Spooler; C:\Windows\SysWOW64\spoolsv.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 UI0Detect; C:\Windows\SysWOW64\UI0Detect.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R3 VaultSvc; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)

Some zero byte size files/folders:
==========================
C:\Windows\SysWOW64\atieclxx.exe
C:\Windows\SysWOW64\atiesrxx.exe
C:\Windows\SysWOW64\conhost.exe
C:\Windows\SysWOW64\csrss.exe
C:\Windows\SysWOW64\dwm.exe
C:\Windows\SysWOW64\hkcmd.exe
C:\Windows\SysWOW64\hpservice.exe
C:\Windows\SysWOW64\igfxpers.exe
C:\Windows\SysWOW64\igfxtray.exe
C:\Windows\SysWOW64\lsass.exe
C:\Windows\SysWOW64\lsm.exe
C:\Windows\SysWOW64\services.exe
C:\Windows\SysWOW64\smss.exe
C:\Windows\SysWOW64\spoolsv.exe
C:\Windows\SysWOW64\taskhost.exe
C:\Windows\SysWOW64\UI0Detect.exe
C:\Windows\SysWOW64\winlogon.exe
C:\Windows\SysWOW64\WUDFHost.exe

Quote: Since we had them only after mid-January and not before, and now we have them also after restoring, can't it be that something malicious is corrupting them as it did in January? The laptop is running "fine", no crashes nor blue screens. What do we do now to find this malware? I saw the 2 removed entries, Service('vhjrap') and Service('icquni'), as the files ('icquni.sys','32') and ('vhjrap.sys','32') reappeared. Can't we investigate them more this time?

Your logs give me no hint or clue where to look for Malware. They do not show any.
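The FRST entries quoted in the reply above are the kind of thing a helper reads by eye: which services point at a binary that FRST recorded as zero bytes, and which binaries are shared by several services. The script below is an added example, not the poster's log nor part of FRST; it parses a constructed sample shaped like those lines (the paths, sizes and service names in SAMPLE_FRST are illustrative and do not reproduce the poster's full log) and produces that triage summary. The regular expression, the function names and the "shared binaries" grouping are this example's own assumptions about the FRST line layout shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the FRST service entries and the
# "zero byte size files/folders" section quoted above (illustrative only).
SAMPLE_FRST = """
R2 EFS; C:\\Windows\\SysWOW64\\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R3 KeyIso; C:\\Windows\\SysWOW64\\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 Spooler; C:\\Windows\\SysWOW64\\spoolsv.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
S3 Netlogon; C:\\Windows\\SysWOW64\\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 wuauserv; C:\\Windows\\System32\\svchost.exe [27136 2009-07-14] (Microsoft Corporation)

Some zero byte size files/folders:
==========================
C:\\Windows\\SysWOW64\\csrss.exe
C:\\Windows\\SysWOW64\\lsass.exe
C:\\Windows\\SysWOW64\\smss.exe

==================== Other section ====================
"""

# One FRST service line: "<state> <name>; <path> [<size> <date>] (<signer>) ..."
# (assumed layout, taken from the lines quoted in the post).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<signer>[^)]*)\)"
)


def parse_services(text):
    """Return one dict per FRST service line; size becomes an int, signer may be ''."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["flagged"] = "ATTENTION" in line   # FRST's own marker on the line
            services.append(rec)
    return services


def zero_size_services(text):
    """Services whose binary FRST recorded as zero bytes."""
    return [s for s in parse_services(text) if s["size"] == 0]


def services_by_binary(text):
    """Map each binary path to the sorted names of the services that point at it."""
    by_path = defaultdict(list)
    for s in parse_services(text):
        by_path[s["path"]].append(s["name"])
    return {p: sorted(names) for p, names in by_path.items()}


def zero_byte_section(text):
    """Paths listed under FRST's 'zero byte size files/folders' header."""
    paths, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "zero byte size files/folders" in line:
            inside = True
            continue
        if not inside:
            continue
        if line and set(line) == {"="}:
            continue            # the '=====' underline below the header
        if not line or line.startswith("="):
            break               # blank line or next section header ends the list
        paths.append(line)
    return paths


def triage(text):
    """Summary a helper wants: zero-size service binaries, shared binaries, the raw zero-byte list."""
    zero = zero_size_services(text)
    shared = {p: n for p, n in services_by_binary(text).items() if len(n) > 1}
    return {
        "zero_size_services": [(s["state"], s["name"], s["path"]) for s in zero],
        "shared_binaries": shared,
        "zero_byte_files": zero_byte_section(text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_FRST)
    for state, name, path in report["zero_size_services"]:
        print(f"{state} {name:<10} -> {path}  (0 bytes)")
    for path, names in report["shared_binaries"].items():
        print(f"{path} is the target of {len(names)} services: {', '.join(names)}")
    print("zero-byte files:", *report["zero_byte_files"], sep="\n  ")
```

Run against a real FRST.txt by reading the file into `triage()` instead of SAMPLE_FRST; the "shared_binaries" view is what makes the lsass.exe situation in the post visible at a glance, since six services resolve to the same zero-byte file.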
pallino (Author) Posted February 3, 2015
What about Service('vhjrap') and Service('icquni'), as the files ('icquni.sys','32') and ('vhjrap.sys','32')?
ShadowPuterDude Posted February 3, 2015
What about them? Their presence or absence has nothing to do with the fact that the OS on this system is corrupt and should be reinstalled.
pallino (Author) Posted February 4, 2015
Since you deleted these before and we had issues you couldn't explain (LSA, restriction policies, sudden corrupted files...) we decided to restore the laptop to an earlier point to try to find the cause of all of this. I thought we could isolate and analyze the 2 files and find out what they are. If the laptop is and was infected and this malware wasn't completely deleted/detected, I thought it would be more than important to find out what it is, for me as for other users...maybe I was wrong. The system is working and didn't have all of the above before..if it's malware-related I would really prefer to find out what caused it instead of just reinstalling all, since NO AV nor AV TOOL detected anything before.
ShadowPuterDude Posted February 4, 2015
Your newest logs show that the corruption existed before we started. You are asking me to look for a needle in a haystack. I do not have the time or tools to do a complete forensic analysis of your system.
pallino (Author) Posted February 6, 2015
I understand, but it's a huge pity we cannot find it! After all we did and had on this and the other laptop, what do you think it was? Thank you
ShadowPuterDude Posted February 7, 2015
Thread Closed
Reason: Clean Install of Windows Recommended
The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
ShadowPuterDude Posted February 9, 2015
Support thread opened at the original poster's request.
pallino (Author) Posted February 11, 2015
Hello Kevin, thank you for reopening the thread! I reinstalled all from the CDs created as soon as I got the laptop. Updated Windows and the HP programs as well as the AV. How does it look for a fresh install? I see weird error messages....are these normal for a fresh install? If all looks 100% fine and without concerns I'll connect the first laptop to the internet and update that too...but only if this one is safe and clean...if not, it means there is some malware somewhere that keeps infecting the laptops and the router (although it was reset and the password as well as the user name were changed before). I uploaded 2 AVZ logs, the one I did yesterday and the one I did today....today Explorer crashed when I opened CDBurnerXP (the OpenCandy-free one)....and programs start more slowly.... Thank you
Attachments: FRST.txt, Addition.txt, virusinfo_syscheck10-2-15.zip, virusinfo_syscheck.zip, a2scan_150210-201613.txt
ShadowPuterDude Posted February 11, 2015
The Event log is going to have errors; it is normal. Your logs look fine.
pallino (Author) Posted February 12, 2015
I just thought these were errors that shouldn't be in a fresh install, so your answer is the best news I got in the last 2 months! Thank you. Can I now restore my files (pst, doc, xls) from my backup? Just to be sure, it is safe to connect the USB backup drive and to scan it with all the AVs I have (unless I have a bad USB malware), or? Thank you
pallino (Author) Posted February 12, 2015
I asked the above also because two days ago I connected the USB HD to my 4th brand new PC and started a scan with Emsi IS that froze during the scan....
ShadowPuterDude Posted February 12, 2015
Yes, you can reload your files. If the Emsisoft scan froze, it very likely was caused by a corrupt file, or an extremely large file.
pallino (Author) Posted February 12, 2015
So no risk that that computer got infected during the scan while Emsi froze, correct? Thanks
ShadowPuterDude Posted February 12, 2015
It is always possible for a system to get infected when accessing a USB device, if it was infected. However, if Emsisoft did not alert when the files on the drive were accessed, then it is unlikely that the system was infected.
pallino (Author) Posted February 13, 2015
For info, I restarted that desktop and Windows couldn't load the desktop icons. After another restart all loaded as "normal". I connected the USB HD to the laptop today and restored the .pst. Hope all is fine. Thank you
Attachments: Addition.txt, FRST.txt, virusinfo_syscheck.zip
ShadowPuterDude Posted February 16, 2015
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [] => [X]
2015-02-13 13:36 - 2015-02-13 13:36 - 00000000 ____H () C:\Users\angel\BITB48F.tmp
2015-02-09 13:39 - 2015-02-09 13:39 - 00000000 ____D () C:\ProgramData\{65AB91D4-DDD0-48D4-804D-C24E1FC90D44}

Close Notepad.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
pallino (Author) Posted February 17, 2015
Hello Kevin, how does it look now? All safe and clean? What is the kerncap.vbs that Autoruns didn't find? Thank you!!!
Attachments: Addition.txt, FRST.txt, Fixlog.txt, virusinfo_syscheck.zip, RKreport_SCN_02172015_104851.log
ShadowPuterDude Posted February 17, 2015
Your logs look fine.
pallino (Author) Posted February 17, 2015
What is the kerncap.vbs that Autoruns didn't find? Nothing to worry about? RogueKiller logs are fine too? That would be great, thanks
ShadowPuterDude Posted February 17, 2015
If the vbs file is not present, then it should be safe to remove the associated autorun. Your logs are fine.
pallino (Author) Posted February 18, 2015
Isn't the kerncap.vbs a bad sign? Just asking again since this is the PC for online banking... Thanks
ShadowPuterDude Posted February 18, 2015
No
pallino (Author) Posted February 20, 2015
Hi Kevin, attached the new reports. KIS and the laptop are slow today... How do the logs look? All safe? What about RogueKiller's log and PUM? Something to worry about and to delete/fix? Thank you!
Attachments: RKreport_SCN_02202015_122558.log, Addition.txt, FRST.txt, virusinfo_syscheck.zip
ShadowPuterDude Posted February 20, 2015
Your logs are fine.
pallino (Author) Posted February 21, 2015
Great! Thank you!
ShadowPuterDude Posted February 23, 2015
Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:
Download Delfix from here and save it to your desktop.
Ensure "Remove disinfection tools" is checked.
Also place a checkmark next to:
- Create registry backup
- Purge system restore
Click the Run button.
When the tool is finished, a log will open in Notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin.

Download to your Desktop: CCleaner Portable
UnZip CCleaner Portable to a folder on your Desktop named CCleaner.
Run CCleaner: open the CCleaner folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit).
Click "Options" and choose "Advanced".
Uncheck "Only delete files in Windows Temp folders older than 24 hours".
Then go back to "Cleaner" and click the "Run Cleaner" button.
Exit CCleaner.

Turn off System Restore to flush all your restore points, then turn System Restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Install and run the Secunia Personal Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.

Articles to read:
- How to Protect Your Computer From Malware
- How to keep you and your Windows PC happy
- Web, email, chat, password and kids safety
- 10 Sources of Malware Infections

That should take care of everything. Safe Surfing!
pallino (Author) Posted February 25, 2015
Hello Kevin, unfortunately the system is running "strange"....Outlook restarts once after I close it, every time. KIS 95% of the time gets fewer database records after an update (I had 8500000+ and now 8350000). I cannot use Firefox in Sandboxie since KIS tells me that it cannot confirm the authenticity of the server I'm connecting to (or of the certificate). Yesterday I didn't pass the test on https://filippo.io/Badfish/ and had certificate issues also in Firefox in normal (not sandboxed) mode... I deleted the KIS certificate and restarted the laptop. Today I had the problem with Outlook, which didn't trust the server certificate. After disabling scanning of SSL connections, Outlook managed to connect and download mails and I passed the test above. Still have the issue with Firefox sandboxed. Opening the download folder took very long many times... Can you please check the logs one more time? Thank you!!!!
Attachments: Addition.txt, FRST.txt, virusinfo_syscheck.zip, a2scan_150225-000606.txt, TDSSKiller.3.0.0.44_25.02.2015_12.52.23_log.txt, RKreport_SCN_02252015_133350.log
ShadowPuterDude Posted February 25, 2015
It could very well be the Firefox NoScript extension that is responsible for breaking SSL in Firefox. In order for it to determine the content of an encrypted data stream, it has to snoop on it. That is just wrong on so many levels. SSL data streams are encrypted for a reason, and any tool that snoops on that data stream is rendering your system vulnerable to attack.
pallino (Author) Posted February 26, 2015
Thanks...so all logs look fine? I never had this problem before, nor with NoScript.... I'll disable it and see if it disappears...
ShadowPuterDude Posted February 26, 2015
Yes, disable NoScript, and let me know if Firefox still fails the SuperFish test.
pallino (Author) Posted February 26, 2015
I didn't try to disable NoScript yet..I checked the FAQ and apparently NoScript doesn't block/scan HTTPS... apparently it is a KIS issue..I said apparently since disabling the SSL scan didn't change the authenticity certificate issue. The test failed when I accepted the connection with google, ....informaction.com in sandboxed Firefox..the test then failed in normal Firefox too. Isn't that weird?
pallino (Author) Posted February 27, 2015
I disabled NoScript and restarted the PC....still get the warnings about KIS not being able to guarantee the authenticity of the domain to which the encrypted connection is established. Same if I disable the SSL check in KIS, if I put Google as a trusted site, if I import the KIS certificate in Firefox as suggested on the KIS forum (also after restarting the PC). I saw that in AVZ all ping tests are OK; the only ones that didn't pass are the ones to Kaspersky sites... In FBAR's Addition.txt:

a opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden...
C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\b2363cf94faf59386ab4778a39c16e2b\IsdiInterop.ni.dll

Are these safe? Today I have:

//./root/CIMV2 SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99 0x80041003

Now I have a security issue with the VirusTotal check in Process Explorer as in Autoruns...pls check the attached image. What do you think, what can it be and what do we do? Does it make sense to uninstall KIS and to install EMSI? I wanted to have 2 different AVs on my 2 laptops just in case one detects something the other doesn't yet... Thank you
P.S. Today I saw that KIS installs its certificate in Firefox even if I disabled scanning of secure connections. Now I get warnings in Firefox (not sandboxed), also for the Emsi forum page. :angry: Does EMSI IS and/or EAM scan for bad CA certificates?
Attachments: Addition.txt, FRST.txt
ShadowPuterDude Posted February 27, 2015
Certificates are handled by the browser, and each has its own certificate store. I do not believe KIS is functioning properly. Parts of it are not loading correctly.

Error: (02/23/2015 08:38:55 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\SysWow64\Drivers\uteyndy4.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Date: 2015-02-14 11:56:30.324
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-02-14 11:56:30.288
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.

IsdiInterop.ni.dll is a valid MS DLL.
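The reply above reaches its "parts of it are not loading correctly" conclusion from two kinds of event-log lines in Addition.txt: an Application Popup event for a driver blocked from loading, and Code Integrity messages for a driver whose per-page hashes could not be verified. The script below is an added example, not the helper's or FRST's own code; it pulls those two event kinds out of the event-log section and groups them by driver file name, so the same driver failing in two locations (as klelam.sys does above) shows up as one finding. The three driver lines in SAMPLE_EVENTS are copied from the reply; the Service Control Manager line is a constructed non-driver error that the filter is expected to ignore. The regular expressions and the record splitting on blank lines are this example's own assumptions about how FRST prints an event (header line, then a "Description:" line).

```python
import re
from collections import defaultdict

# Sample event-log section as FRST prints it. The three driver / Code Integrity
# events copy the lines quoted in the reply above; the Service Control Manager
# event is constructed as a non-driver error that must be ignored.
SAMPLE_EVENTS = r"""
Error: (02/23/2015 08:38:55 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\SysWow64\Drivers\uteyndy4.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (02/23/2015 08:40:01 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Example service terminated with the following error: constructed sample line

Date: 2015-02-14 11:56:30.324
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-02-14 11:56:30.288
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
"""

# Either an "Error: (...) (Source: ...) (EventID: ...) (User: ...)" header or a
# "Date: ..." header, followed by the Description text (assumed FRST layout).
HEADER_RE = re.compile(
    r"^(?:Error: \((?P<ts_err>[^)]+)\) \(Source: (?P<source>[^)]+)\) "
    r"\(EventID: (?P<event_id>\d+)\) \(User: (?P<user>[^)]*)\)"
    r"|Date: (?P<ts_ci>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+))"
    r"\s+Description: (?P<desc>.+)$"
)
BLOCKED_RE = re.compile(r"(?P<path>\S+\.sys) has been blocked from loading")
CODE_INTEGRITY_RE = re.compile(
    r"Code Integrity is unable to verify the image integrity of the file "
    r"(?P<path>.+?) because (?P<reason>.+?)\.?$"
)


def _records(text):
    """Yield each blank-line-separated event as one string (header and Description joined)."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        yield " ".join(part.strip() for part in chunk.splitlines())


def parse_driver_events(text):
    """Return the driver-load and Code Integrity events, one dict each, in log order."""
    events = []
    for rec in _records(text):
        h = HEADER_RE.match(rec)
        if not h:
            continue
        desc = h.group("desc")
        m = BLOCKED_RE.search(desc)
        if m:
            kind, path = "driver_blocked", m.group("path")
            detail = f"EventID {h.group('event_id')} ({h.group('source')})"
        else:
            m = CODE_INTEGRITY_RE.search(desc)
            if not m:
                continue        # some other error (service crash etc.): not a driver finding
            kind, path, detail = "code_integrity", m.group("path"), m.group("reason")
        events.append({
            "kind": kind,
            "timestamp": h.group("ts_err") or h.group("ts_ci"),
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
            "detail": detail,
        })
    return events


def summarize(text):
    """Group findings by driver file name so one driver failing in several places is one entry."""
    grouped = defaultdict(lambda: {"count": 0, "kinds": set(), "paths": []})
    for e in parse_driver_events(text):
        entry = grouped[e["name"]]
        entry["count"] += 1
        entry["kinds"].add(e["kind"])
        entry["paths"].append(e["path"])
    return {name: {"count": v["count"], "kinds": sorted(v["kinds"]), "paths": v["paths"]}
            for name, v in grouped.items()}


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_EVENTS).items():
        print(f"{name}: {info['count']} event(s), {', '.join(info['kinds'])}")
        for p in info["paths"]:
            print(f"    {p}")
```

Point it at a real Addition.txt by passing the file contents to `summarize()`; a driver that appears under both its product directory and a backup directory (the ELAMBKUP case above) is a hint that the product itself, not a single file, is not loading as installed.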
pallino (Author) Posted February 28, 2015
What do you suggest? Is it malware-related? Thank you
ShadowPuterDude Posted March 2, 2015
Uninstall KIS, restart the system twice and install KIS again.
pallino (Author) Posted March 3, 2015
Thank you. Would you trust this laptop as it is if it were yours? Isn't it suspicious that KIS had these problems even though it was installed after a fresh reinstall? What about the authenticity warnings? I still get the one for google.com. Thank you
Attachments: Addition.txt, FRST.txt, virusinfo_syscheck.zip