Malware removal help / Malware ?
« on: September 02, 2016, 09:28:32 PM »
Hi, after reinstalling Windows after a malware infection (hj.name) I got it back again somehow with a lot of other stuff that RogueKiller detected.
I googled the result and found out that some are belonging to my AV Kaspersky Internet Security, but the rest of the detections I could not verify if they were legit or not. I play csgo on a high level so it's impossible to play a smooth game with this infection(s)..
I hope someone can explain these processes to me and how to fix it so this nightmare will end.
RogueKiller log:
RogueKiller V12.5.2.0 (x64) [Aug 29 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : KB [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 09/02/2016 04:56:44 (Duration : 00:07:20)
¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] (SVC) klids -- \??\C:\ProgramData\Kaspersky Lab\AVP17.0.0\Bases\klids.sys
¤¤¤ Registry : 12 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klids (\??\C:\ProgramData\Kaspersky Lab\AVP17.0.0\Bases\klids.sys) -> Not selected
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klupd_klif_arkmon (System32\Drivers\klupd_klif_arkmon.sys) -> Not selected
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klupd_klif_klark (System32\Drivers\klupd_klif_klark.sys) -> Not selected
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klupd_klif_klbg (System32\Drivers\klupd_klif_klbg.sys) -> Not selected
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\klupd_klif_mark (System32\Drivers\klupd_klif_mark.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PAExec (C:\Windows\PAExec.exe -service) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\klids (\??\C:\ProgramData\Kaspersky Lab\AVP17.0.0\Bases\klids.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PAExec (C:\Windows\PAExec.exe -service) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 193.213.112.4 130.67.15.198 ([X][X]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 193.213.112.4 130.67.15.198 ([X][X]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{91d9b5c4-498d-474b-9238-295f120b9d7b} | DhcpNameServer : 193.213.112.4 130.67.15.198 ([X][X]) -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{91d9b5c4-498d-474b-9238-295f120b9d7b} | DhcpNameServer : 193.213.112.4 130.67.15.198 ([X][X]) -> Not selected
¤¤¤ Tasks : 1 ¤¤¤
[Hj.Name] %WINDIR%\Tasks\CreateExplorerShellUnelevatedTask.job -- C:\Windows\explorer.exe (/NOUACCHECK) -> Deleted
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 250GB +++++
--- User ---
[MBR] de58c31392e6e5ac11cc5beec60456fb
[BSP] 824e939082b0d1ac4cc5ea0f94e92bb6 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1161216 | Size: 237908 MB
User = LL1 ... OK
User = LL2 ... OK