Hello. I have a problem: my ASUS n50vn laptop has been compromised. For a good few months I have been trying to deal with it, but none of my treatments work. I decided to ask for help. I discovered this at the beginning of this year, when I was on Windows 7; I reset the CMOS, completely zeroed the hard drive and installed Linux Mint. The joy did not last long; it turned out to be business as usual. Please review the ComboFix log.
ComboFix 14-12-07.01 - Mariusz 2014-12-07 11:47:42.2.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1250.48.1045.18.4095.2067 [GMT 1:00]
Run from: c:\users\Mariusz\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Removed )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Recycler
.
.
((((((((((((((((((((((((( Files created from 2014-11-07 to 2014-12-07 )))))))))))))))))))))))))))))))
.
.
2014-12-07 10:53 . 2014-12-07 10:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-12-07 10:41 . 2014-10-01 10:20 93400 ----a-w- c:\windows\system32\drivers\is-GJ4SP.tmp
2014-12-07 10:41 . 2014-12-07 10:41 -------- d-----w- C:\Program Files )
2014-12-07 10:41 . 2014-10-01 10:20 25816 ----a-w- c:\windows\system32\drivers\is-HRU1D.tmp
2014-12-07 08:01 . 2014-12-07 08:01 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2014-12-07 07:48 . 2014-12-07 08:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2014-12-07 07:44 . 2014-12-07 07:44 -------- d-----w- c:\programdata\HitmanPro
2014-12-07 03:23 . 2014-12-07 03:23 -------- d-----w- c:\program files\WinRAR
2014-12-06 19:43 . 2014-12-06 19:43 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2014-12-06 19:43 . 2014-12-06 19:43 -------- d-----w- c:\program files\Nightly
2014-12-06 17:44 . 2014-12-06 17:44 -------- d-----w- c:\programdata\GlassWire
2014-12-06 17:44 . 2014-11-05 05:41 33296 ----a-w- c:\windows\system32\drivers\gwdrv.sys
2014-12-06 17:44 . 2014-12-06 17:44 -------- d-----w- c:\program files (x86)\GlassWire
2014-12-06 17:33 . 2014-11-17 01:08 11632448 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9840109A-ACB0-46A3-8ED1-C7A31D26BED5}\mpengine.dll
2014-12-06 17:15 . 2014-12-06 17:18 -------- d-----w- c:\windows\system32\catroot2
2014-12-06 16:26 . 2014-12-06 17:05 -------- d-----w- c:\windows\SysWow64\wbem\Performance
2014-12-06 16:18 . 2014-12-06 16:18 -------- d-----w- C:\RegBackup
2014-12-06 15:58 . 2014-12-06 15:58 -------- d-----w- c:\program files (x86)\WinDirStat
2014-12-06 15:49 . 2014-12-06 15:49 -------- d-----w- c:\program files (x86)\Secunia
2014-12-06 15:48 . 2014-12-06 15:48 -------- d-----w- c:\program files (x86)\Tweaking.com
2014-12-06 15:44 . 2014-12-07 10:40 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-12-06 15:36 . 2014-12-06 15:36 -------- d-----w- c:\program files (x86)\Zemana AntiLogger Free
2014-12-06 15:36 . 2014-12-06 15:36 -------- d-----w- c:\program files (x86)\KeyCryptSDK
2014-12-06 15:36 . 2014-11-28 11:15 71400 ----a-w- c:\windows\system32\drivers\KeyCrypt64.sys
2014-12-06 15:32 . 2014-12-06 15:32 -------- d-----w- c:\programdata\InstallMate
2014-12-06 15:32 . 2014-12-06 15:32 -------- d-----w- c:\program files (x86)\Ruiware
2014-12-06 15:21 . 2014-12-07 10:29 -------- d-----w- c:\programdata\Malwarebytes Anti-Exploit
2014-12-06 15:21 . 2014-12-06 15:21 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Exploit
2014-12-06 12:50 . 2014-12-06 12:50 129752 ----a-w- c:\windows\system32\drivers\06E03FF8.sys
2014-12-05 19:08 . 2014-12-06 17:21 -------- d-----w- c:\programdata\Skype
2014-11-28 12:02 . 2014-11-28 12:02 18456 ----a-w- c:\windows\system32\drivers\psi_mf_amd64.sys
2014-11-25 18:39 . 2014-05-14 16:23 44512 ----a-w- c:\windows\system32\wups2.dll
2014-11-25 18:39 . 2014-05-14 16:23 58336 ----a-w- c:\windows\system32\wuauclt.exe
2014-11-25 18:39 . 2014-05-14 16:23 2477536 ----a-w- c:\windows\system32\wuaueng.dll
2014-11-25 18:39 . 2014-05-14 16:21 2620928 ----a-w- c:\windows\system32\wucltux.dll
2014-11-25 18:39 . 2014-05-14 16:23 38880 ----a-w- c:\windows\system32\wups.dll
2014-11-25 18:39 . 2014-05-14 16:23 36320 ----a-w- c:\windows\SysWow64\wups.dll
2014-11-25 18:39 . 2014-05-14 16:23 700384 ----a-w- c:\windows\system32\wuapi.dll
2014-11-25 18:39 . 2014-05-14 16:23 581600 ----a-w- c:\windows\SysWow64\wuapi.dll
2014-11-25 18:39 . 2014-05-14 16:20 97792 ----a-w- c:\windows\system32\wudriver.dll
2014-11-25 18:39 . 2014-05-14 16:17 92672 ----a-w- c:\windows\SysWow64\wudriver.dll
2014-11-25 18:38 . 2014-05-14 08:23 198600 ----a-w- c:\windows\system32\wuwebv.dll
2014-11-25 18:38 . 2014-05-14 08:23 179656 ----a-w- c:\windows\SysWow64\wuwebv.dll
2014-11-25 18:38 . 2014-05-14 08:20 36864 ----a-w- c:\windows\system32\wuapp.exe
2014-11-25 18:38 . 2014-05-14 08:17 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2014-11-25 14:22 . 2014-11-25 14:22 -------- d-----w- c:\programdata\Package Cache
2014-11-25 14:21 . 2014-11-25 14:21 -------- d-----w- c:\program files (x86)\Seagate
2014-11-25 14:17 . 2014-11-25 14:17 -------- d-----w- c:\program files (x86)\Microsoft.NET
2014-11-25 14:08 . 2014-10-31 22:26 103374192 ----a-w- c:\windows\system32\MRT.exe
2014-11-25 13:51 . 2014-11-25 13:51 -------- d-----w- C:\TDSSKiller_Quarantine
2014-11-25 13:45 . 2014-12-06 20:11 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-25 13:45 . 2014-12-06 20:11 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-25 13:45 . 2014-11-25 13:45 -------- d-----w- c:\windows\SysWow64\Macromed
2014-11-25 13:45 . 2014-11-25 13:45 -------- d-----w- c:\windows\system32\Macromed
2014-11-25 13:26 . 2014-12-07 10:39 135384 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-25 13:26 . 2014-12-07 07:27 -------- d-----w- c:\programdata\Malwarebytes
2014-11-25 13:26 . 2014-12-06 17:29 96472 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-25 13:26 . 2014-12-06 15:28 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-11-25 13:26 . 2014-11-21 05:14 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-25 13:26 . 2014-10-01 10:20 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-25 13:19 . 2014-12-06 13:21 -------- d-----w- c:\program files (x86)\Opera
2014-11-25 13:16 . 2009-06-25 23:38 57856 ----a-w- c:\windows\system32\drivers\rixdpx64.sys
2014-11-25 13:16 . 2007-07-25 19:48 172032 ----a-w- c:\windows\system32\rixdicon.dll
2014-11-25 13:16 . 2009-06-26 00:04 67584 ----a-w- c:\windows\system32\drivers\rimmpx64.sys
2014-11-25 13:16 . 2009-06-25 23:13 55296 ----a-w- c:\windows\system32\drivers\rimspx64.sys
2014-11-25 13:16 . 2004-09-04 10:00 90112 ----a-w- c:\windows\system32\snymsico.dll
2014-11-25 13:13 . 2014-11-25 13:14 -------- d-----w- c:\programdata\NVIDIA
2014-11-25 13:12 . 2009-05-11 10:49 81952 ----a-w- c:\windows\system32\drivers\nvhda64v.sys
2014-11-25 13:12 . 2009-05-11 10:49 62976 ----a-w- c:\windows\system32\nvapo64v.dll
2014-11-25 13:12 . 2009-05-11 10:48 22528 ----a-w- c:\windows\system32\nvhdap64.dll
2014-11-25 13:12 . 2009-05-08 14:50 159232 ----a-w- c:\windows\system32\nvcohda6.dll
2014-11-25 13:12 . 2009-05-08 14:50 506400 ----a-w- c:\windows\system32\nvuhda6.exe
2014-11-25 13:11 . 2009-06-11 09:09 508448 ----a-w- c:\windows\system32\nvudisp.exe
2014-11-25 13:11 . 2009-06-22 11:28 539168 ----a-w- c:\windows\system32\NVUNINST.EXE
2014-11-25 13:06 . 2009-07-20 16:29 15416 ----a-w- c:\windows\system32\drivers\kbfiltr.sys
2014-11-25 13:05 . 2009-08-23 04:24 5435904 ----a-w- c:\windows\system32\drivers\NETw5v64.sys
2014-11-25 13:04 . 2014-11-25 13:53 -------- d-----w- c:\program files\ATKGFNEX
2014-11-25 13:04 . 2014-11-25 13:04 -------- d-----w- c:\program files (x86)\InstallShield Installation Information
2014-11-25 13:03 . 2014-11-25 13:04 -------- d-----w- c:\program files (x86)\ASUS
2014-11-25 13:02 . 2014-12-05 19:08 -------- d-sh--w- c:\windows\Installer
2014-11-25 12:56 . 2014-11-25 12:57 -------- d-----w- c:\users\Mariusz
2014-11-25 12:49 . 2014-11-25 12:56 -------- d-----w- c:\windows\Panther
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-24 13:04 . 2010-11-21 03:27 275080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="c:\users\Mariusz\Desktop\HijackThis\HijackThis.exe" [2011-04-11 1306624]
"SUPERAntiSpyware"="c:\users\Mariusz\Desktop\SuperAntiSpyware\PROGRAM64.COM" [2011-10-17 5500800]
"HW_OPENEYE_OUC_blueconnect"="c:\program files (x86)\blueconnect\UpdateDog\ouc.exe" [2011-03-26 116064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Exploit"="c:\program files (x86)\Malwarebytes Anti-Exploit\mbae.exe" [2014-12-04 2558776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ew_hwusbdev.sys [x]
R3 nmwcdnsux64;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsux64.sys;c:\windows\SYSNATIVE\drivers\nmwcdnsux64.sys [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_amd64.sys;c:\windows\SYSNATIVE\DRIVERS\psi_mf_amd64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R4 GlassWire;GlassWire Control Service;c:\program files (x86)\GlassWire\GWCtlSrv.exe;c:\program files (x86)\GlassWire\GWCtlSrv.exe [x]
R4 HWDeviceService64.exe;HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe [x]
R4 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe;c:\program files (x86)\Secunia\PSI\PSIA.exe [x]
R4 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe;c:\program files (x86)\Secunia\PSI\sua.exe [x]
S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [x]
S1 gwdrv;GlassWire Driver;c:\windows\system32\DRIVERS\gwdrv.sys;c:\windows\SYSNATIVE\DRIVERS\gwdrv.sys [x]
S1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
S1 SASDIFSV;SASDIFSV;c:\users\Mariusz\Desktop\SuperAntiSpyware\SASDIFSV64.SYS;c:\users\Mariusz\Desktop\SuperAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\users\Mariusz\Desktop\SuperAntiSpyware\SASKUTIL64.SYS;c:\users\Mariusz\Desktop\SuperAntiSpyware\SASKUTIL64.SYS [x]
S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys;c:\program files\ATKGFNEX\ASMMAP64.sys [x]
S2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [x]
S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jucdcacm.sys [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jubusenum.sys [x]
S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
S3 RTL8167;Sterownik Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers in Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files (x86)\Ruiware\WinPatrol\winpatrol.exe" [2014-07-21 1154112]
.
------- Supplementary scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.msn.com
mLocal Page = c:\windows\SYSTEM32\blank.htm
FF - ProfilePath - c:\users\Mariusz\AppData\Roaming\Mozilla\Firefox\Profiles\qq6gtik4.default\
.
- - - - EMPTY ENTRIES REMOVED - - - -
.
SafeBoot-41186125.sys
.
.
.
Completion time: 2014-12-07 11:55:17
ComboFix-quarantined-files.txt 2014-12-07 10:55
.
Before: 476 243 406 848 bytes free
After: 476 322 066 432 bytes free
.
- - End Of File - - 5D4B5A8100FE671EBB2AA40024FF2FCE
A36C5E4F47E84449FF07ED3517B43A31
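For a log like the one above, the part that matters for a "survives reinstall" claim is which kernel drivers appeared on disk during the window and whether a listed service actually loads them. The script below is an added triage helper written for this thread; it is not ComboFix code and not the poster's. It parses the "Files created" lines and the R*/S* service lines, then reports every file under system32\drivers with the service entry that references it and a flag for names that carry no meaning (8 hex digits, or the is-XXXXX.tmp temporaries an Inno Setup installer leaves behind). The two regexes are assumptions about ComboFix's line layout and cover only the shapes visible in this log; the sample lines are excerpted from it. Because ComboFix omits default/whitelisted entries (its own note above says so), "no service listed" is a lead to confirm with `sc query` or `driverquery /v` on the machine, not a finding.

```python
"""Triage helper for a ComboFix log (added example, not ComboFix's own code).

Correlates driver files from the "Files created" section with the R*/S*
service lines and flags opaque file names.  Regexes are assumptions about the
ComboFix line layout as seen in this thread's log.
"""
import re
from typing import Dict, List, Optional

# 2014-12-06 12:50 . 2014-12-06 12:50 129752 ----a-w- c:\windows\system32\drivers\06E03FF8.sys
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_amd64.sys;c:\windows\SYSNATIVE\DRIVERS\psi_mf_amd64.sys [x]
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<rest>.+?)(?: \[x\])?$")
# Heuristic: 8 hex digits, or an Inno Setup style "is-XXXXX.tmp" temporary name.
OPAQUE_NAME = re.compile(r"^(?:[0-9a-f]{8}\.sys|is-[0-9a-z]{5}\.tmp)$", re.I)

SAMPLE_LOG = [  # excerpted from the ComboFix log posted above
    r"2014-12-07 10:41 . 2014-10-01 10:20 93400 ----a-w- c:\windows\system32\drivers\is-GJ4SP.tmp",
    r"2014-12-06 17:44 . 2014-11-05 05:41 33296 ----a-w- c:\windows\system32\drivers\gwdrv.sys",
    r"2014-12-06 17:44 . 2014-12-06 17:44 -------- d-----w- c:\program files (x86)\GlassWire",
    r"2014-12-06 15:36 . 2014-11-28 11:15 71400 ----a-w- c:\windows\system32\drivers\KeyCrypt64.sys",
    r"2014-12-06 12:50 . 2014-12-06 12:50 129752 ----a-w- c:\windows\system32\drivers\06E03FF8.sys",
    r"2014-11-25 13:26 . 2014-11-21 05:14 25816 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"S1 gwdrv;GlassWire Driver;c:\windows\system32\DRIVERS\gwdrv.sys;c:\windows\SYSNATIVE\DRIVERS\gwdrv.sys [x]",
    r"S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]",
    r"R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_amd64.sys;c:\windows\SYSNATIVE\DRIVERS\psi_mf_amd64.sys [x]",
]


def parse_file_line(line: str) -> Optional[dict]:
    """One 'Files created' line -> dict, or None if the line is not one."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["is_dir"] = d["attrs"].startswith("d")      # 'd-----w-' marks a directory
    d["size"] = None if d["is_dir"] else int(d["size"])
    return d


def parse_service_line(line: str) -> Optional[dict]:
    """One R*/S* service line -> dict with name, display name and image path."""
    m = SVC_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("rest").split(";")
    if len(fields) < 3:
        return None
    return {"start": m.group("start"), "name": fields[0],
            "display": fields[1], "image": fields[2]}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def driver_report(log_lines: List[str]) -> List[dict]:
    """One row per file under \\drivers\\ in the created-files section, in log order."""
    services: Dict[str, dict] = {}
    files = []
    for line in log_lines:
        svc = parse_service_line(line)
        if svc:
            services[basename(svc["image"])] = svc   # keyed by driver file name
            continue
        f = parse_file_line(line)
        if f and not f["is_dir"]:
            files.append(f)
    rows = []
    for f in files:
        if "\\drivers\\" not in f["path"].lower():
            continue
        name = basename(f["path"])
        svc = services.get(name)
        rows.append({
            "file": name, "created": f["created"], "modified": f["modified"],
            "size": f["size"],
            "service": svc["name"] if svc else None,
            "start": svc["start"] if svc else None,
            "opaque_name": bool(OPAQUE_NAME.match(name)),
        })
    return rows


if __name__ == "__main__":
    for r in driver_report(SAMPLE_LOG):
        loader = f'{r["start"]} {r["service"]}' if r["service"] else "no service listed (confirm with sc query / driverquery)"
        flag = "  <- opaque name, hash it and check the signer" if r["opaque_name"] else ""
        print(f'{r["created"]}  {r["file"]:<16} {r["size"]:>7}  {loader}{flag}')
```

Run it as-is to see the five driver files from the sample; feed it the full log (one line per list element) to get the complete table. Rows with an opaque name and no listed loader are the ones worth hashing and checking against the vendor's signature before anything is deleted.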