Topic: Need help interpreting report and removing problems

Gman
  • Guest
« on: November 19, 2014, 04:40:56 pm »
Hello,
I recently tried to install Teamviewer and Malwarebytes. Both processes failed to install. I came across your software and downloaded it. I have the report but have no idea what it means. Would appreciate some help with this.

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Grahams Laptop [Administrator]
Mode : Scan -- Date : 11/19/2014  10:27:16

Processes : 0

Registry : 4
[PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 18 (Driver: Loaded)
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x3a90670
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoW : Unknown @ 0x3a906f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoA : Unknown @ 0x3a906d0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x3a90650
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x3a90710
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x3a90730
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFileExW : Unknown @ 0x3a90750
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x3a90690
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x3a906b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x3060050
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoW : Unknown @ 0x30600d0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpQueryInfoA : Unknown @ 0x30600b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetSetStatusCallbackA : Unknown @ 0x3060030
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetQueryDataAvailable : Unknown @ 0x30600f0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x3060110
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFileExW : Unknown @ 0x3060130
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpOpenRequestW : Unknown @ 0x3060070
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x3060090

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: TOSHIBA MK7559GSXP +++++
--- User ---
[MBR] 983e04d4beab6cd277cc397d39fced64
[BSP] 42ffbd40dff2404068f33784a88b98d1 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 673742 MB
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1382897664 | Size: 26105 MB
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1436360704 | Size: 14056 MB
User = LL1 ... OK
User = LL2 ... OK

« Last Edit: November 19, 2014, 04:45:09 pm by Gman »
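As an added example (not part of this thread and not RogueKiller's own code): a small Python parser for the Antirootkit section format quoted above, which picks out the `[IAT:Addr]` lines whose target resolves to no known module and clusters them by process, hooked DLL and 64 KiB target region. Run on the full report it separates the eighteen WININET hooks into the two clusters (0x3a9xxxx and 0x306xxxx) a reader can spot by eye; the sample excerpt, the section-header heuristic and the 64 KiB grouping are my assumptions.

```python
"""Parse a RogueKiller Antirootkit section and cluster IAT hooks with unknown targets."""
import re
from collections import defaultdict

# Line shape: [IAT:Addr] (process @ importing module) target.dll - Function : <module|Unknown> @ 0xaddr
IAT_LINE = re.compile(
    r"^\[IAT:Addr\] \((?P<process>.+?) @ (?P<importer>.+?)\) "
    r"(?P<dll>\S+) - (?P<func>\w+) : (?P<resolved>\S+) @ (?P<addr>0x[0-9a-fA-F]+)$"
)
SECTION_HEADER = re.compile(r"^[A-Za-z][A-Za-z ]* : ")  # assumed: "Web browsers : 0" etc.

def parse_iat_hooks(report_text):
    """Return one dict per [IAT:Addr] line found in the Antirootkit section."""
    hooks, in_section = [], False
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.startswith("Antirootkit :"):
            in_section = True
            continue
        if in_section and SECTION_HEADER.match(line):
            break  # reached the next section of the report
        m = IAT_LINE.match(line) if in_section else None
        if m:
            hook = m.groupdict()
            hook["addr"] = int(hook["addr"], 16)
            hooks.append(hook)
    return hooks

def cluster_unknown_hooks(hooks):
    """Group 'Unknown'-target hooks by (process, hooked DLL, 64 KiB region of the
    target address): one injected code blob usually shows up as one such cluster."""
    clusters = defaultdict(set)
    for h in hooks:
        if h["resolved"].lower() == "unknown":
            key = (h["process"], h["dll"], h["addr"] >> 16)
            clusters[key].add(h["func"])
    return {k: sorted(v) for k, v in clusters.items()}

# Constructed excerpt (four of the eighteen lines in the report quoted above).
SAMPLE_REPORT = """Antirootkit : 4 (Driver: Loaded)
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x3a90670
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - HttpSendRequestW : Unknown @ 0x3a906b0
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetConnectW : Unknown @ 0x3060050
[IAT:Addr] (iexplore.exe @ urlmon.dll) WININET.dll - InternetReadFile : Unknown @ 0x3060110
Web browsers : 0
"""

if __name__ == "__main__":
    print(cluster_unknown_hooks(parse_iat_hooks(SAMPLE_REPORT)))
```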

Tigzy
  • Administrator
  • Owner, Adlice Software
Re: Need help interpreting report and removing problems
« Reply #1 on: November 19, 2014, 05:48:51 pm »
mmh, there's something highly suspicious.
I'd stop doing online banking for now.

Can you check what Gmer says? http://www.gmer.net/

Gman
  • Guest
Re: Need help interpreting report and removing problems
« Reply #2 on: November 19, 2014, 07:56:17 pm »
I just ran the Gmer scan and this is the report:

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-19 13:53:11
Windows 6.1.7601 Service Pack 1
Running: o0gfggjo.exe; Driver: C:\Users\GRAHAM~1\AppData\Local\Temp\kxlirkog.sys


---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch                                                         3676
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active                                     
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@043DDB67                             271
Reg  HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{9DD0A3C6-F550-11E0-8B35-806E6F6E6963}  3328894752

---- EOF - GMER 2.1 ----

Tigzy
  • Administrator
Re: Need help interpreting report and removing problems
« Reply #3 on: November 20, 2014, 11:13:36 am »
I think you need to click on "start scan"; it's much longer.

Gman
  • Guest
Re: Need help interpreting report and removing problems
« Reply #4 on: November 23, 2014, 10:23:37 pm »
Ok, I think this is what you are looking for:
I've attached it as a .txt file.

Tigzy
  • Administrator
Re: Need help interpreting report and removing problems
« Reply #5 on: November 24, 2014, 09:34:31 am »
Yes it is, but Gmer doesn't find the same hooks.
Could you make a dump of iexplore.exe (with Process Hacker) and upload it to Dropbox/Google Drive? (Attach the link here, or if you prefer to keep it private, send it through the contact link of adlice.com and mention this forum thread.)

Tigzy
  • Administrator
Re: Need help interpreting report and removing problems
« Reply #6 on: November 24, 2014, 02:00:20 pm »
Are you able to reproduce the same log with RogueKiller?
I don't see anything in the dump...