Jump to content
Sign in to follow this  
Followers 0
DanteYoda

Infected Badly, Never seen this before?

By DanteYoda, in Malware Diagnosis and Help

Recommended Posts

DanteYoda   

DanteYoda
Posted

Hello to everyone, I believe my system is heavily infected yet i cannot see anything, i can use my system fine, but odd things keep happening, re-directions in web browsers, my system randomly linking to russian and chinese ips and every single Antivirus scan comes back clean, like they just cannot see this thing..

 

I've tried running a lot, I've reformatted 3 times, i've cleaned my  master boot record and reset my modem/router to factory 3 times (all at once) i've scanned my drives on external caddy.. Nothing.

 

Today i'm seeing this in Superantispyware VirusTrigger 1.2.lnk Its doesn't remove it, just scans past it like its not there. When i search for the file nothing, I decided i'd seek help from you as your far more in the know than i am these days.

 

Added a screenshot of what i've seen.

Share this post

Link to post
Share on other sites

GuiltySpark   

GuiltySpark
Posted

Does seem clean.

 

Download and run Hitman Pro and post the logs (you don't need to activate a full license the trial is fine).

 

Download and run TDSSKiller and post the logs.

 

Download and run MBAM and post log files.

 

Your original picture is not working are you sure it was attached?

 

Do you still get re-directs when in Safe Mode with Networking?

Share this post

Link to post
Share on other sites

DanteYoda   

DanteYoda
Posted

Hi yes i get all sorts of odd stuff in safe mode, i even tried Kaspersky rescue disk and after it loads GUI, as soon as i touch my mouse to go to scan it shuts down and turns off my PC.. every time.. I've never seen anything like that before.

 

Here are the Logs you requested, I think.

 

When i try to upload the hitman log i get this

 

Error You aren't permitted to upload this kind of file

 

As per the first picture it seems my PC wont allow me to upload it..when i click browse and choose the picture the open changes instantly and no picture is selected..

 

Ok i zipped it up, please scan it well...

 

Hitman Log

 

HitmanPro 3.7.14.265
www.hitmanpro.com

   Computer name . . . . : ANT-PC
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : Ant-PC\Ant
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2016-07-30 00:16:33
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 41s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 1

   Objects scanned . . . : 1,145,580
   Files scanned . . . . : 48,087
   Remnants scanned  . . : 260,850 files / 836,643 keys

Cookies _____________________________________________________________________

   C:\Users\Ant\AppData\Roaming\Mozilla\Firefox\Profiles\wef2my4y.default\cookies.sqlite:2o7.net

 

Virus Trigger.zip

Mbam Log.txt

TDSSKiller.3.1.0.9_30.07.2016_00.35.24_log.txt

Share this post

Link to post
Share on other sites

GuiltySpark   

GuiltySpark
Posted

There does seem to be a remnant of Virus Trigger which should not be there in the Quick launch although it is in the Roaming folder which can be removed manually if you'd prefer by typing into the search bar on the Windows menu:

 

C:\Users\Dante(or whatever your username for the computer is)\AppData\

You should then get a list of folders such as Local, Local Low, Roaming

 

Open up the Roaming folder and see what's inside (you may have to select "view all files from the Folder Options menu".

 

As there seems to be nothing being picked up by the other scans I would like you to Download FRST Run it in Safe Mode (save it to the desktop log files will be collected in that folder).

 

You will be presented with two log files please attach those here using the attach function under the More Reply Options in the text box (bottom right)

We may be able to find out what is causing the redirects through this.

 

Also, what extensions (add-ons) are you using in your browser(s)?

Share this post

Link to post
Share on other sites

DanteYoda   

DanteYoda
Posted

Hi thanks for looking into this. I had to sleep last night it was 1:00am.

 

Here are the files as per requested.

 

The issue with the Virus Trigger is Superantispyware can see it apparently but when i navigate there, there is nothing in the folder, even if i show hidden files and operating system files.. Pretty sure its hidden some how as SAS can still see it.

 

My Default web browser is Firefox using

 

Noscript 2.9.0.12

Ad block plus 2.7.3

Classic Theme Restorer 1.5.4.2

Download Status Bar 13.4.2.2

Element hiding helper for Adblock plus 1.3.8

Kaspersky Protection 4.6.3-7

 

For some reason it wont let me upload the addition.txt

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 27-07-2016
Ran by Ant (2016-07-30 18:09:29)
Running from C:\Users\Ant\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2016-07-14 02:10:47)
Boot Mode: Safe Mode (minimal)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1135079375-1989960327-2245839541-500 - Administrator - Disabled)
Ant (S-1-5-21-1135079375-1989960327-2245839541-1000 - Administrator - Enabled) => C:\Users\Ant
Guest (S-1-5-21-1135079375-1989960327-2245839541-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1135079375-1989960327-2245839541-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Kaspersky Internet Security (Enabled - Up to date) {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AS: Kaspersky Internet Security (Enabled - Up to date) {3D579475-6DDE-A186-1569-44B9F9DE8725}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security (Enabled) {BE0DF4B4-018B-AF50-0486-D6FE7C8A8AE3}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 16.02 (x64) (HKLM\...\7-Zip) (Version: 16.02 - Igor Pavlov)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.14.1.0 - Asmedia Technology)
CCleaner (HKLM\...\CCleaner) (Version: 5.20 - Piriform)
Defraggler (HKLM\...\Defraggler) (Version: 2.21 - Piriform)
GlassWire 1.2 (remove only) (HKLM-x32\...\GlassWire 1.2) (Version: 1.2.71 - SecureMix LLC)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.14.265 - SurfRight B.V.)
Intel® Network Connections 15.6.25.0 (HKLM\...\PROSetDX) (Version: 15.6.25.0 - Intel)
Kaspersky Internet Security (HKLM-x32\...\InstallWIX_{F575F386-57EF-4943-B003-A13F13B05EEB}) (Version: 16.0.1.445 - Kaspersky Lab)
Kaspersky Internet Security (x32 Version: 16.0.1.445 - Kaspersky Lab) Hidden
Logitech Gaming Software 8.83 (HKLM\...\Logitech Gaming Software) (Version: 8.83.85 - Logitech Inc.)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mozilla Firefox 47.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 47.0.1 (x86 en-US)) (Version: 47.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 47.0.1 - Mozilla)
MPC-HC 1.7.10 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.10 - MPC-HC Team)
NetSpeedMonitor 2.5.4.0 x64 (HKLM\...\{88F41EE2-949B-4B52-933D-C7F8F67BC1D2}) (Version: 2.5.4.0 - Florian Gilles)
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.61.23 - Black Tree Gaming)
NVIDIA Graphics Driver 364.47 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 364.47 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.4 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.4 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6251 - Realtek Semiconductor Corp.)
Samsung Magician (HKLM-x32\...\{29AE3F9F-7158-4ca7-B1ED-28A73ECDB215}_is1) (Version: 4.9.7 - Samsung Electronics)
SteelSeries Engine 3.8.3 (HKLM\...\SteelSeries Engine 3) (Version: 3.8.3 - SteelSeries ApS)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1222 - SUPERAntiSpyware.com)
Windows Driver Package - Microsoft (xusb21) XnaComposite  (08/13/2009 2.1.0.1349) (HKLM\...\0AEBEF6F936CFE16E003F7E141631FAB754D9816) (Version: 08/13/2009 2.1.0.1349 - Microsoft)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {989F730D-9DB7-4079-BE70-07D788672176} - System32\Tasks\SamsungMagician => C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe [2016-05-13] (Samsung Electronics.)
Task: {DE3BD765-43FB-4F09-8F35-8877F38EC1B8} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-07-14] (Piriform Ltd)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 12:34 - 2016-07-28 18:32 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1135079375-1989960327-2245839541-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Ant\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{7D2E6F0C-B027-4BEA-B8C6-533F8E22CF03}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
FirewallRules: [{6A0500E5-ADC9-4F83-92F6-C14611FB84B4}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
FirewallRules: [{D44C29EB-3D8D-444C-922C-FAD9445C220E}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{53C9C4F0-760C-4D00-9786-29404C867DB2}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{5AEC7C13-C183-4DFD-ACDB-2EA32195CAF1}] => (Allow) E:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{8C8C37AD-5AF9-4CB0-9498-6CD733717D02}] => (Allow) E:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{A72FFBDB-2780-4B2B-8422-635585A1AE9E}] => (Allow) E:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{63166BFD-5D87-4843-96DC-E2CA335F2958}] => (Allow) E:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{ADBC105B-1304-45B6-9428-A09A1A8BE201}] => (Allow) E:\Program Files (x86)\Steam\SteamApps\common\Fallout 4\Fallout4Launcher.exe
FirewallRules: [{D7DE8F79-0F8A-44AC-B354-62909C76B6C2}] => (Allow) E:\Program Files (x86)\Steam\SteamApps\common\Fallout 4\Fallout4Launcher.exe
StandardProfile\AuthorizedApplications: [C:\Users\Ant\Downloads\adsfix_3_24.07.2016.1.exe] => Enabled:adsfix_3_24.07.2016.1

==================== Restore Points =========================

28-07-2016 19:04:04 ComboFix created restore point
29-07-2016 23:42:18 Installed DirectX

==================== Faulty Device Manager Devices =============

Name: Kaspersky Lab power events provider
Description: Kaspersky Lab power events provider
Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer: KL
Service: klhk
Problem: : Windows cannot initialize the device driver for this hardware. (Code 37)
Resolution: The driver returned failure from its DriverEntry routine. Uninstall the driver, and then click "Scan for hardware changes" to reinstall or upgrade the driver.

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (07/30/2016 06:02:26 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/29/2016 11:12:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/29/2016 03:33:42 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/29/2016 01:44:00 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC90.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Dependent Assembly Microsoft.VC90.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/29/2016 11:31:19 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/29/2016 12:11:49 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/28/2016 07:18:09 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/28/2016 06:33:46 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/28/2016 06:19:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/28/2016 04:46:07 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (07/30/2016 06:08:48 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084NVSvc{DCAB0989-1301-4319-BE5F-ADE89F88581C}

Error: (07/30/2016 06:08:10 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.


Error: (07/30/2016 06:08:10 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.


Error: (07/30/2016 06:08:10 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.


Error: (07/30/2016 06:08:10 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.


Error: (07/30/2016 06:08:10 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.


Error: (07/30/2016 06:08:10 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.


Error: (07/30/2016 06:08:10 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.


Error: (07/30/2016 06:08:09 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068 = The dependency service or group failed to start.


Error: (07/30/2016 06:08:09 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068netprofm{A47979D2-C419-11D9-A5B4-001185AD2B89}


CodeIntegrity:
===================================
  Date: 2016-07-19 14:35:14.934
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-07-19 14:35:14.919
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-07-14 19:05:42.016
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-14 19:05:42.016
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-14 19:05:42.016
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-07-14 19:05:42.016
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core i5-2500 CPU @ 3.30GHz
Percentage of memory in use: 7%
Total physical RAM: 16351.14 MB
Available physical RAM: 15178.09 MB
Total Virtual: 32700.46 MB
Available Virtual: 31572.41 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.79 GB) (Free:177.29 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:931.51 GB) (Free:569.41 GB) NTFS
Drive f: (New Volume) (Fixed) (Total:2794.39 GB) (Free:2202.05 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: EA17CBDD)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2794.5 GB) (Disk ID: AF104DC1)

Partition: GPT.

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 2988E40C)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: A0E8DCD4)

========================================================
Disk: 4 (MBR Code: Windows XP) (Size: 596.2 GB) (Disk ID: C48DB665)

==================== End of Addition.txt ============================

FRST.txt

Share this post

Link to post
Share on other sites

GuiltySpark   

GuiltySpark
Posted

Ok Dante

 

Before you run this fix I would like you to make sure Combofix has been removed as you seem to have used this tool already (hope you had help as it can brick a machine if not used correctly).

Select Start Orb,

Enter combofix /uninstall (note the gap between fix and /),

Press Enter if combofix uninstall shows up.

(You may get a security warning pop up) Click Run.

 

 

Copy and paste this into Notepad and save as Fixlist.txt within that same FRST folder.

 

Select Fix on the FRST control panel.

 

Start
CreateRestorePoint:
CloseProcesses:
Emptytemp:
SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1135079375-1989960327-2245839541-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CMD: ipconfig /flushdns
End

Paste txt file back here.

Share this post

Link to post
Share on other sites

DanteYoda   

DanteYoda
Posted

Yes Combofix has been uninstalled. I only ran it as a last ditched effort honestly.

 

Can i ask will i need to do this in safe mode or normal?

 

I ran it in standard windows.

 

I noticed after i restarted i saw a CMD box pop up for a second and my screen went black two or three times.. just mentioning this in case that's not normal.

Fixlog.txt

Share this post

Link to post
Share on other sites

GuiltySpark   

GuiltySpark
Posted

It may be the background processes shutting down causing the black screens.

 

Run a full cookie clean with CCleaner.

 

Attempt to use the computer normally and see if there are still issues.

Share this post

Link to post
Share on other sites

DanteYoda   

DanteYoda
Posted

Hi yes i use Ccleaner already, i noticed last night while using steam my whole monitor was going black for a second randomly like something was taking control.. I'll keep monitoring my issues..

 

Superantispyware is still seeing VirusTrigger 1.2.lnk in my quick launch yet i cannot see it there, i don't understand that at all, could it be running outside of windows some how..

 

Tempted just to save up and buy a whole new system honestly..

Share this post

Link to post
Share on other sites

GuiltySpark   

GuiltySpark
Posted

I can't find anything on the system from those scans that suggest a malware issue, the black screens could be from a driver.

 

If you're still unsure and would like a diagnostic done then create a ticket with SAS www.superantispyware.com/precreateticket.html as there is not much I can do from this end.

 

They will run a diagnostic scan and help you through any problems.

 

Incidentally, is SAS updated fully?

Share this post

Link to post
Share on other sites

DanteYoda   

DanteYoda
Posted

Hi thanks for your help either way, Yes Superantispyware is updated, or at least looks updated, i wondered if it was actually updating myself, that includes my Malwarebytes and Kaspersky.

 

Again thanks for your time.

Share this post

Link to post
Share on other sites

ezekial52787   

ezekial52787
Posted
On 7/31/2016 at 5:07 PM, DanteYoda said:

Hi thanks for your help either way, Yes Superantispyware is updated, or at least looks updated, i wondered if it was actually updating myself, that includes my Malwarebytes and Kaspersky.

 

Again thanks for your time.

did the sas support fix your problem dante? if not, might I suggest your internet connection may have been infected with a worm type malware. the malware doesn't reside in your your computer, but rather it is directly on your connection.

Share this post

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0
Go To Topic Listing Malware Diagnosis and Help
×