Author Topic: Hidden service found [aswMBR]  (Read 6260 times)


malik99

  • Guest
Hidden service found [aswMBR]
« on: August 08, 2013, 04:58:30 PM »
I scanned my PC with aswMBR and found a hidden service DLL something, and after that I got a blue screen error. Now I don't find that hidden service again.

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-08-08 17:47:16
-----------------------------
17:47:16.972    OS Version: Windows x64 6.1.7600
17:47:16.972    Number of processors: 4 586 0x403
17:47:16.972    ComputerName: FENRIS-PC  UserName: Fenris
17:47:17.142    Initialize success
17:47:39.194    AVAST engine defs: 13080800
17:47:45.764    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:47:45.764    Disk 0 Vendor: SAMSUNG_HD502HJ 1AJ10001 Size: 476940MB BusType: 3
17:47:45.794    Disk 0 MBR read successfully
17:47:45.794    Disk 0 MBR scan
17:47:45.794    Disk 0 Windows 7 default MBR code
17:47:45.804    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
17:47:45.814    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       406838 MB offset 206848
17:47:45.824    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        70000 MB offset 833411072
17:47:45.844    Disk 0 scanning C:\Windows\system32\drivers
17:47:52.524    Service scanning
17:48:12.054    Modules scanning
17:48:12.064    Disk 0 trace - called modules:
17:48:12.094    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80039a72c0]<<sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
17:48:12.104    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a3f060]
17:48:12.104    3 CLASSPNP.SYS[fffff880013cf43f] -> nt!IofCallDriver -> [0xfffffa80047e0c60]
17:48:12.114    5 ACPI.sys[fffff8800118f781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80047d8060]
17:48:12.124    \Driver\atapi[0xfffffa80047b7d80] -> IRP_MJ_CREATE -> 0xfffffa80039a72c0
17:48:12.524    AVAST engine scan C:\Windows
17:48:13.634    AVAST engine scan C:\Windows\system32
17:51:27.404    AVAST engine scan C:\Windows\system32\drivers
17:51:35.344    AVAST engine scan C:\Users\Fenris
17:54:38.394    File: C:\Users\Fenris\AppData\Local\Temp\Vea+P99i.exe.part  **INFECTED** Win32:Malware-gen
17:55:48.448    AVAST engine scan C:\ProgramData
17:56:31.373    Scan finished successfully
17:57:34.579    Disk 0 MBR has been saved successfully to "C:\Users\Fenris\Desktop\MBR.dat"
17:57:34.589    The log file has been saved successfully to "C:\Users\Fenris\Desktop\aswMBR.txt"



Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Hidden service found [aswMBR]
« Reply #1 on: August 08, 2013, 05:07:07 PM »
Hi,
aswMBR is an anti-rootkit tool. It's not bad to scan and inspect the system with it from time to time if you like, but keep in mind that this is just an anti-rootkit scanner, not an ordinary scanner.

17:54:38.394    File: C:\Users\Fenris\AppData\Local\Temp\Vea+P99i.exe.part  **INFECTED** Win32:Malware-gen

This was caught by the avast heuristics engine. It is an unfinished part of something, maybe a download.


Let's check system:



Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
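
A triage pass over the aswMBR log format shown in this thread, as an added example that is not part of the original posts or of any avast tool: it extracts the engine detection quoted in Reply #1, and also the `>>UNKNOWN [...]<<` entry in the disk trace and the atapi dispatch line that points at the same address. The embedded log is an excerpt of the one posted above; the function name and report fields are assumptions of this example.

```python
import re

# Constructed sample: an excerpt of the aswMBR log posted in this thread.
SAMPLE_LOG = r"""aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
17:47:45.794    Disk 0 Windows 7 default MBR code
17:48:12.064    Disk 0 trace - called modules:
17:48:12.094    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80039a72c0]<<sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
17:48:12.124    \Driver\atapi[0xfffffa80047b7d80] -> IRP_MJ_CREATE -> 0xfffffa80039a72c0
17:54:38.394    File: C:\Users\Fenris\AppData\Local\Temp\Vea+P99i.exe.part  **INFECTED** Win32:Malware-gen
17:56:31.373    Scan finished successfully
"""

ENTRY = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
DETECTION = re.compile(r"^File: (.+?)\s+\*\*INFECTED\*\*\s+(\S+)$")
DISPATCH = re.compile(r"^(\\Driver\\\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)$")

def triage(log_text):
    """Collect detections, unattributed disk-trace entries and dispatch targets."""
    report = {"mbr": None, "detections": [], "unknown_modules": [], "dispatch": []}
    expect_modules = False
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header and separator lines carry no timestamp
        msg = m.group(2).strip()
        if expect_modules:
            # Turn each unattributed address into its own token, then record its neighbours.
            mods = UNKNOWN.sub(r" UNKNOWN@\1 ", msg).split()
            for i, name in enumerate(mods):
                if name.startswith("UNKNOWN@"):
                    report["unknown_modules"].append({
                        "address": name[len("UNKNOWN@"):],
                        "prev": mods[i - 1] if i else None,
                        "next": mods[i + 1] if i + 1 < len(mods) else None})
            expect_modules = False
        elif msg.endswith("trace - called modules:"):
            expect_modules = True  # the module list is the next timestamped line
        elif "MBR code" in msg:
            report["mbr"] = msg
        elif (d := DETECTION.match(msg)):
            report["detections"].append({"path": d.group(1), "name": d.group(2)})
        elif (h := DISPATCH.match(msg)):
            report["dispatch"].append({"driver": h.group(1), "irp": h.group(2), "target": h.group(3)})
    # A dispatch target equal to an unattributed address ties the two log lines together.
    unknown = {u["address"] for u in report["unknown_modules"]}
    report["dispatch_to_unknown"] = [h for h in report["dispatch"] if h["target"] in unknown]
    return report
```

On the excerpt, the report keeps the module names on either side of the unattributed address, which is the first thing to look up when deciding whether the entry belongs to a known third-party driver.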

malik99

  • Guest
Re: Hidden service found [aswMBR]
« Reply #2 on: August 08, 2013, 05:42:37 PM »
Can't post it, it's too large.

Offline magna86

Re: Hidden service found [aswMBR]
« Reply #3 on: August 08, 2013, 06:02:47 PM »
Hi,

You really need to learn what and how you install. You have a lot of sorts of crap on your system.

First ...

Start > Control Panel > Programs and Features

Uninstall the following:

Ask Toolbar (x32 Version: 1.15.25.0)
Ask Toolbar Updater (HKCU Version: 1.2.6.44892)
DefaultTab (x32 Version: 2.2.8.0)
mHotspot version 6.3.4.5 (x32 Version: 6.3.4.5)



Reboot your computer.



Next ...





1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Code:
START
C:\Users\Fenris\AppData\Roaming\DefaultTab
C:\Program Files (x86)\Ask.com
MountPoints2: F - F:\autorun.exe
MountPoints2: {795575d9-ea21-11e2-91d8-002522abef77} - G:\HTC_Sync_Manager_PC.exe
MountPoints2: {c27d7b40-db7b-11e2-9c86-806e6f6e6963} - F:\autorun.exe
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mhotspot.com/search.html
SearchScopes: HKCU - {A0281FB0-9D98-47B8-8A73-9EA38D39DF4D} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll No File
BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Fenris\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll (Search Results LLC.)
BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
FF user.js: detected! => C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\user.js
FF SelectedSearchEngine: WebSearch
FF Keyword.URL: hxxp://websearch.resulthunters.info/?unqvl=21&l=1&q=
FF SearchPlugin: C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\searchplugins\WebSearch.xml
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\searchplugins\WebSearch.xml
FF Extension: Ask Toolbar - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\toolbar@ask.com
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\toolbar@ask.com
FF Extension: addon - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\addon@defaulttab.com.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\addon@defaulttab.com.xpi
FF Extension: No Name - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{10d0b221-588a-4920-9d9f-1f6929149755}.xpi
FF Extension: No Name - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{10d0b221-588a-4920-9d9f-1f6929149755}.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
CHR Extension: (Ask Toolbar) - C:\Users\Fenris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapnjeoabhkpdiinmomghdncekhiib\7.15.25.54978_0
C:\Users\Fenris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapnjeoabhkpdiinmomghdncekhiib
CHR HKLM-x32\...\Chrome\Extension: [aaaapnjeoabhkpdiinmomghdncekhiib] - C:\Users\Fenris\AppData\Local\APN\GoogleCRXs\aaaapnjeoabhkpdiinmomghdncekhiib_7.15.25.0.crx
C:\Users\Fenris\AppData\Local\APN\GoogleCRXs\aaaapnjeoabhkpdiinmomghdncekhiib_7.15.25.0.crx
CHR HKLM-x32\...\Chrome\Extension: [kdidombaedgpfiiedeimiebkmbilgmlc] - C:\Program Files (x86)\DefaultTab\DefaultTab.crx
C:\Program Files (x86)\DefaultTab
S2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [572928 2013-02-11] ()
R2 DefaultTabUpdate; C:\Users\Fenris\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-06-21] ()
C:\Users\Fenris\AppData\Roaming\DefaultTab
CMD: ipconfig /flushdns
END

2. Save notepad as fixlist.txt
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.




Next ...

Re-check:





Please download zoek.exe and save it to your desktop.

  • Close any open browsers.
  •   Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.



  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts...


  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code:

installedprogs;
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

  • Click on button
    Please wait until a log report opens (this can be after a reboot)

  • Save the notepad file to your Desktop and attach zoek-results.log here

    Note: It will also create a log in the C:\ directory named "zoek-results.log"



malik99

  • Guest
Re: Hidden service found [aswMBR]
« Reply #4 on: August 08, 2013, 06:20:03 PM »
mHotspot version 6.3.4.5 (x32 Version: 6.3.4.5)

This is a tool that allows me to use my wireless adaptor as a Wi-Fi router (send internet connection to my phone).

Offline magna86

Re: Hidden service found [aswMBR]
« Reply #5 on: August 08, 2013, 06:58:43 PM »
Ok, then instead of the above script you will run this FRSTScript. The ZOEKScript remains the same.

Code:
START
C:\Users\Fenris\AppData\Roaming\DefaultTab
C:\Program Files (x86)\Ask.com
MountPoints2: F - F:\autorun.exe
MountPoints2: {795575d9-ea21-11e2-91d8-002522abef77} - G:\HTC_Sync_Manager_PC.exe
MountPoints2: {c27d7b40-db7b-11e2-9c86-806e6f6e6963} - F:\autorun.exe
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
SearchScopes: HKCU - {A0281FB0-9D98-47B8-8A73-9EA38D39DF4D} URL = http://www.mysearchresults.com/search?c=2402&t=15&q={searchTerms}
BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Fenris\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll (Search Results LLC.)
BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
FF user.js: detected! => C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\user.js
FF SelectedSearchEngine: WebSearch
FF Keyword.URL: hxxp://websearch.resulthunters.info/?unqvl=21&l=1&q=
FF SearchPlugin: C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\searchplugins\WebSearch.xml
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\searchplugins\WebSearch.xml
FF Extension: Ask Toolbar - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\toolbar@ask.com
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\toolbar@ask.com
FF Extension: addon - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\addon@defaulttab.com.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\addon@defaulttab.com.xpi
FF Extension: No Name - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{10d0b221-588a-4920-9d9f-1f6929149755}.xpi
FF Extension: No Name - C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{10d0b221-588a-4920-9d9f-1f6929149755}.xpi
C:\Users\Fenris\AppData\Roaming\Mozilla\Firefox\Profiles\0sgl9b3b.default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
CHR Extension: (Ask Toolbar) - C:\Users\Fenris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapnjeoabhkpdiinmomghdncekhiib\7.15.25.54978_0
C:\Users\Fenris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaapnjeoabhkpdiinmomghdncekhiib
CHR HKLM-x32\...\Chrome\Extension: [aaaapnjeoabhkpdiinmomghdncekhiib] - C:\Users\Fenris\AppData\Local\APN\GoogleCRXs\aaaapnjeoabhkpdiinmomghdncekhiib_7.15.25.0.crx
C:\Users\Fenris\AppData\Local\APN\GoogleCRXs\aaaapnjeoabhkpdiinmomghdncekhiib_7.15.25.0.crx
CHR HKLM-x32\...\Chrome\Extension: [kdidombaedgpfiiedeimiebkmbilgmlc] - C:\Program Files (x86)\DefaultTab\DefaultTab.crx
C:\Program Files (x86)\DefaultTab
S2 DefaultTabSearch; C:\Program Files (x86)\DefaultTab\DefaultTabSearch.exe [572928 2013-02-11] ()
R2 DefaultTabUpdate; C:\Users\Fenris\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe [107520 2013-06-21] ()
C:\Users\Fenris\AppData\Roaming\DefaultTab
CMD: ipconfig /flushdns
END



« Last Edit: August 08, 2013, 07:13:44 PM by magna86 »

Offline magna86

Re: Hidden service found [aswMBR]
« Reply #6 on: August 09, 2013, 05:25:32 PM »
bump!

Are you still with us?