ShadowPuterDude Posted March 3, 2015

Would you trust this laptop as it is if it was yours?
There is nothing in your logs that would cause me to question the integrity of the system.

Isn't it suspicious that KIS had these problems even if it was installed after a fresh reinstall?
There could be any number of causes for KIS not working properly, and without complete forensics, I would not speculate on the cause.

What about the authenticity warnings? I still get the one for google.com.
That could be because your router is your DNS server. DNS Servers: 192.168.1.1
pallino (Author) Posted March 3, 2015

Is this normal or unusual? Did the router get compromised? What do I have to do with it? How should it be? Thanks

P.S. I don't have these issues with 3 other PCs.
ShadowPuterDude Posted March 4, 2015

Yes, it is normal for a router to act as a DNS server.
pallino (Author) Posted March 5, 2015

Why do I get these authenticity alerts only on this laptop and not on the other 3 PCs and 2 devices connected to the same router (1 through Ethernet and all the others through Wi-Fi, like this laptop)?
ShadowPuterDude Posted March 5, 2015

Send me a screenshot of the authenticity warning dialog.
pallino (Author) Posted March 6, 2015

Pls find them attached (same as attached to posts 91 and 96). I checked and I still get the alert below even after uninstalling KIS and restarting many times:

Error: (03/05/2015 09:17:58 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\SysWow64\Drivers\uteyndy4.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

uteyndy4.sys is not on my system and I cannot find it on google.com... thank you
ShadowPuterDude Posted March 6, 2015

The first KIS alert for google.com, I have no idea why that is being presented. The other 3 are because the SSL certificate is not issued by a certificate authority and therefore is not trusted; KIS shows it as a self-signed certificate, and they are never trusted. I am not getting those warnings on FF installed on my system. Viewing the certificate, it is signed by GlobalSign nv-sa and issued to CloudFlare, Inc., which makes sense, since https://filippo.io/Badfish/ is using CloudFlare as its DNS. This is a Kaspersky issue, and needs to be taken up with Kaspersky.

Description: \??\C:\Windows\SysWow64\Drivers\uteyndy4.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

uteyndy4.sys is a Kaspersky driver.
pallino (Author) Posted March 6, 2015

I installed EMSI IS now and got away from the SSL issues, but also got something when opening some images on www.repubblica.it.

Addition.txt FRST.txt
ShadowPuterDude Posted March 7, 2015

Those are being blocked by our surf protection module. Your logs are not showing any malware.
pallino (Author) Posted March 10, 2015

But they were apparently FP (no detection on VT nor on other URL test sites)... and were not opened by me... was repubblica.it hacked, or are some ads in the page malware? Today I checked again, just opened http://www.repubblica.it/esteri/2015/03/09/foto/alla_deriva_su_un_blocco_di_ghiaccio_salvataggio_estremo_sul_lago_michigan-109124957/1/#1 and enabled all scripts on the page (to be able to see the images) and got new alerts... no detection on VT... weird... Are these FP or is something wrong on my laptop (considering the issues with KIS and these)? thank you
ShadowPuterDude Posted March 10, 2015

No, they are not false positives. The URLs were blocked because they were seen serving malware. You would need to submit the URL for reevaluation to our malware research team; that can be done in the False Positives support forum.
pallino (Author) Posted March 16, 2015

Hi Kevin, I just waited some days and rescanned the computer. Just saw some items that look weird... can you pls check the attached logs? thank you

What are, e.g., HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\09989326.sys?
FF user.js: detected! => C:\Users\angel\AppData\Roaming\Mozilla\Firefox\Profiles\xbs92dq2.default\user.js [2015-02-09]

Thank you

P.S. Do you recommend, or have you something against, using "detect" to check for government trojans? Do you recommend other tools?

Addition.txt FRST.txt virusinfo_syscheck.zip
ShadowPuterDude Posted March 16, 2015

Normally the FF user.js is not present. The SafeBoot Minimal key is pretty common to see and is not normally malicious.
pallino (Author) Posted March 17, 2015

So, what do I do? Are all the other log lines fine? Thank you
ShadowPuterDude Posted March 17, 2015

You can delete C:\Users\angel\AppData\Roaming\Mozilla\Firefox\Profiles\xbs92dq2.default\user.js; if it comes back, then we can take a deeper look. I don't need an AVZ log.
pallino (Author) Posted March 19, 2015

Luckily it didn't come back. The below is still there, anything to be worried about?

Error: (03/18/2015 09:02:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2
SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99
0x80041003

thank you!
ShadowPuterDude Posted March 19, 2015

Just about everything that you see in the Event log should be ignored. It will be filled with errors, and that is normal.
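As an added example (not from the thread, and not Emsisoft's or FRST's own code), a small Python triage helper for FRST-style "Error:" entries like the two quoted above: it parses the header fields, marks the WinMgmt EventID 10 / 0x80041003 entry as the known-noise case the reply describes, and pulls the blocked driver path out of an EventID 1060 entry so it can be checked against the installed products. The sample text is constructed from the thread's two entries, and the classification rules are illustrative assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, modelled on the two FRST "Error:" entries quoted in the thread
# (FRST prints the header on one line and the event Description on the following lines).
SAMPLE = r"""Error: (03/05/2015 09:17:58 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\SysWow64\Drivers\uteyndy4.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (03/18/2015 09:02:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2
SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99
0x80041003
"""

# Header layout: Error: (timestamp) (Source: ...) (EventID: n) (User: ...) then Description.
HEADER = re.compile(
    r"Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) "
    r"\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\)\s*"
    r"Description: (?P<desc>.*)",
    re.DOTALL,
)

@dataclass
class EventEntry:
    timestamp: str
    source: str
    event_id: int
    description: str

def parse_frst_errors(text: str) -> List[EventEntry]:
    """Split the error section into entries, one per 'Error: (' header at line start."""
    entries = []
    for chunk in re.split(r"(?=^Error: \()", text, flags=re.M):
        m = HEADER.match(chunk.strip())
        if m:
            entries.append(EventEntry(m["ts"], m["source"], int(m["eid"]), m["desc"].strip()))
    return entries

def triage(entry: EventEntry) -> Tuple[str, str]:
    """Return ('noise' | 'review', note). Rules are illustrative assumptions, not Emsisoft's logic."""
    # WinMgmt EventID 10 failing with 0x80041003 (WBEM_E_ACCESS_DENIED) on the
    # Win32_Processor LoadPercentage filter is a common, benign WMI error.
    if entry.source == "WinMgmt" and entry.event_id == 10 and "0x80041003" in entry.description:
        return "noise", "WinMgmt 10 / 0x80041003 (known WMI filter error)"
    # EventID 1060: a driver was refused at load time; surface its path for a manual check.
    if entry.source == "Application Popup" and entry.event_id == 1060:
        m = re.search(r"\\\?\?\\(\S+?\.sys)", entry.description)
        return "review", "blocked driver " + (m.group(1) if m else "<path not found>")
    return "review", f"{entry.source} {entry.event_id}: no rule, inspect manually"
```

Run `triage(e)` over `parse_frst_errors(SAMPLE)` to get a verdict and note per entry; the "review" items are the ones to match against the software actually installed.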
ShadowPuterDude Posted March 23, 2015

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.