Unknown, persistent malware (3rd System)


pallino

Would you trust this laptop as it is if it was yours?

There is nothing in your logs, that would cause me to question the integrity of the system.

 

Isn't it suspicious that KIS had these problems even though it was installed after a fresh reinstall?

There could be any number of causes for KIS not working properly, and without complete forensics, I would not speculate on the cause.

 

What about the authenticity warnings?  I still get the one for google.com.

That could be because your router is your DNS server. DNS Servers: 192.168.1.1

Please find them attached (same as in the attachments of posts 91 and 96).

 

I checked and I still get the alert below even after uninstalling KIS and restarting many times:

Error: (03/05/2015 09:17:58 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\SysWow64\Drivers\uteyndy4.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

 

 

uteyndy4.sys is not on my system and I cannot find it on google.com...

thank you



The first KIS alert for google.com I have no idea why that is being presented. The other 3 are because the SSL certificate is not issued by a certificate authority and therefore is not trusted; KIS shows it as a self-signed certificate, and those are never trusted.

I am not getting those warnings on FF installed on my system. Viewing the certificate, it is signed by GlobalSign nv-sa and issued to CloudFlare, Inc. Which makes sense, since https://filippo.io/Badfish/ is using CloudFlare as its DNS.
 

 

This is a Kaspersky issue, and needs to be taken up with Kaspersky.

Description: \??\C:\Windows\SysWow64\Drivers\uteyndy4.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

uteyndy4.sys is a Kaspersky driver.
 


But they were apparently FPs (no detection on VT nor on other URL test sites)... and they were not opened by me... was repubblica.it hacked, or were some ads on the page malware?

Today I checked again, just opened http://www.repubblica.it/esteri/2015/03/09/foto/alla_deriva_su_un_blocco_di_ghiaccio_salvataggio_estremo_sul_lago_michigan-109124957/1/#1 and enabled all scripts on the page (to be able to see the images) and got new alerts... no detection on VT... weird...

Are these FPs, or is something wrong on my laptop (considering the issues with KIS and these)?

thank you



Hi Kevin,

 

I just waited some days and rescanned the computer. I just saw some items that look weird... can you please check the attached logs? Thank you.

 

What are, e.g., HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\09989326.sys and the following?

FF user.js: detected! => C:\Users\angel\AppData\Roaming\Mozilla\Firefox\Profiles\xbs92dq2.default\user.js [2015-02-09]

 

Thank you

 

P.S. Do you recommend or have you something against using "detect" to check for government trojans?

Do you recommend other tools?

 

Addition.txt

FRST.txt

virusinfo_syscheck.zip


Luckily it didn't come back.

 

The below is still there, anything to be worried about?

 

Error: (03/18/2015 09:02:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

thank you!

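As an added example (not from this thread, FRST or any of the tools mentioned), a small Python parser for the FRST "Error:" event-log entries quoted above; it pairs each header with its description and pulls the driver path out of EventID 1060 (Application Popup) entries so the .sys name can be looked up, which is the check the driver question in this thread comes down to. The sample text is the two entries quoted in the thread; the regexes assume the line layout shown there.

```python
import re

# Header line format of the FRST "Error:" entries quoted in this thread:
# Error: (MM/DD/YYYY hh:mm:ss AM) (Source: X) (EventID: N) (User: U)
HEADER_RE = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) "
    r"\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\)$"
)
DESC_RE = re.compile(r"^Description: (?P<desc>.*)$")
# Driver paths in the EventID 1060 message look like \??\C:\...\name.sys
DRIVER_RE = re.compile(r"\\\?\?\\\S+?\.sys")
BLOCKED_DRIVER_EVENT = 1060  # Application Popup: driver blocked from loading

def parse_frst_errors(text):
    """Pair each 'Error:' header with the 'Description:' line after it (dicts: ts, source, eid, user, desc)."""
    entries, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            header["eid"] = int(header["eid"])
            continue
        d = DESC_RE.match(line)
        if d and header is not None:
            entries.append({**header, "desc": d["desc"]})
            header = None  # a header with no description line is dropped
    return entries

def blocked_drivers(entries):
    """Return (driver path, timestamp) for each EventID 1060 driver-block entry."""
    hits = []
    for e in entries:
        if e["source"] == "Application Popup" and e["eid"] == BLOCKED_DRIVER_EVENT:
            m = DRIVER_RE.search(e["desc"])
            if m:
                hits.append((m.group(0), e["ts"]))
    return hits

# Constructed sample input: the two entries quoted in this thread.
SAMPLE = r"""
Error: (03/05/2015 09:17:58 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\SysWow64\Drivers\uteyndy4.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
Error: (03/18/2015 09:02:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
"""

if __name__ == "__main__":
    for path, ts in blocked_drivers(parse_frst_errors(SAMPLE)):
        print(f"{ts}: blocked driver {path}")  # the .sys file name is what to look up
```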

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.

