*solved* I need help *don't use this software* it's a keylogger spy!
Gamezertruth:
hey
I have a big problem with a damn Chinese antivirus, so I am asking for help removing a Chinese antivirus program (a keylogger spy) that spies on your laptop camera!
Gamezertruth:
AVZ Antiviral Toolkit log; AVZ version is 4.43
Scanning started at 03.08.2015 19:09:42
Database loaded: signatures - 297605, NN profile(s) - 2, malware removal microprograms - 56, signature database released 03.08.2015 16:00
Heuristic microprograms loaded: 394
PVS microprograms loaded: 9
Digital signatures of system files loaded: 749467
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 6.1.7601, Service Pack 1 "Windows 7 Ultimate" ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=16CB00)
Kernel ntkrnlpa.exe found in memory at address E3255000
SDT = E33C1B00
KiST = E32D3F6C (401)
Function NtAlpcSendWaitReceivePort (27) intercepted (E34AB887->B65F3CA0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtAssignProcessToJobObject (2B) intercepted (E3458064->B65F4DB0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateFile (42) intercepted (E34A8ABE->B65F3310), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateKey (46) intercepted (E3459FAF->B65F2DC0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateProcess (4F) intercepted (E353651B->B65F4770), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateProcessEx (50) intercepted (E3536566->B65F4670), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateSection (54) intercepted (E347C66B->B65F3FF0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateSymbolicLinkObject (56) intercepted (E345A97A->B65F4420), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateThread (57) intercepted (E3536322->B65F3900), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateThreadEx (58) intercepted (E34CA157->B65F4B00), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtCreateUserProcess (5D) intercepted (E34C7FEE->B65F4E70), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteFile (66) intercepted (E33F15E4->B65F3E60), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteKey (67) intercepted (E34449C5->B65F34F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeleteValueKey (6A) intercepted (E3436368->B65F35B0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDeviceIoControlFile (6B) intercepted (E34CD3FB->B65F3BA0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtDuplicateObject (6F) intercepted (E348ACA3->B65F39F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtEnumerateValueKey (77) intercepted (E34C2916->B65F3820), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtGetNextProcess (8B) intercepted (E35382DC->B65F4C10), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtGetNextThread (8C) intercepted (E34E6D66->B65F4930), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtLoadDriver (9B) intercepted (E341EAF1->B65F3AE0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtOpenKeyEx (B7) intercepted (E3469193->BC1EA620), hook C:\Windows\system32\drivers\qutmipc.sys
Function NtOpenProcess (BE) intercepted (E346B093->BC12838A), hook C:\Windows\System32\drivers\zamguard32.sys
Function NtOpenSection (C2) intercepted (E34C30CB->B65F3F20), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtOpenThread (C6) intercepted (E34B7791->B65F4860), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtProtectVirtualMemory (D7) intercepted (E349BC79->B65F4340), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtQueryValueKey (10A) intercepted (E34A3CE3->B65F3740), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtQueueApcThread (10D) intercepted (E3454DE8->B65F4F80), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRenameKey (122) intercepted (E34F5E4B->B65F45B0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRequestWaitReplyPort (12B) intercepted (E349714A->B65F3670), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtRestoreKey (12E) intercepted (E34EBA5D->B65F5060), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetContextThread (13C) intercepted (E3537B8D->B65F44F0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetInformationFile (149) intercepted (E34B018F->B65F2F70), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetSecurityObject (15B) intercepted (E345A7AB->B65F5130), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetSystemInformation (15E) intercepted (E34A79C8->B65F3D90), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSetValueKey (166) intercepted (E34635AC->B65F3150), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSuspendThread (16F) intercepted (E34EEF23->B65F40E0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtSystemDebugControl (170) intercepted (E34DF5B6->B65F4260), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtTerminateProcess (172) intercepted (E34B4429->BC128444), hook C:\Windows\System32\drivers\zamguard32.sys
Function NtTerminateThread (173) intercepted (E34D237A->B65F41A0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtUnmapViewOfSection (181) intercepted (E34BE04A->B65F4CF0), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtWriteFile (18C) intercepted (E34C8ED2->B65F3050), hook C:\Windows\System32\drivers\Bhbase.sys
Function NtWriteVirtualMemory (18F) intercepted (E34B9126->B65F3230), hook C:\Windows\System32\drivers\Bhbase.sys
Functions checked: 401, intercepted: 42, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Analyzing CPU 3
Analyzing CPU 4
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking IRP handlers
Driver loaded successfully
Checking - complete
2. Scanning RAM
Number of processes found: 51
Number of modules loaded: 583
Scanning RAM - complete
3. Scanning disks
C:\Users\b\AppData\Local\Epic Privacy Browser\Application\40.0.2214.91\libegl.dll >>> suspicion for Trojan-PSW.Win32.Sinowal.n ( 0B505210 07CFC386 001CF588 00234CCC 73728)
File quarantined succesfully (C:\Users\b\AppData\Local\Epic Privacy Browser\Application\40.0.2214.91\libegl.dll)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program Files\360\360Safe\safemon\360UDiskGuard.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program Files\360\360Safe\safemon\360UDiskGuard.dll>>> Behaviour analysis
Behaviour typical for keyloggers was not detected
File quarantined succesfully (C:\Program Files\360\360Safe\safemon\360UDiskGuard.dll)
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 66026, extracted from archives: 31852, malicious software found 0, suspicions - 1
Scanning finished at 03.08.2015 19:24:22
Time of scanning: 00:14:41
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://forum.kaspersky.com/index.php?showforum=19
For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/
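As an added example (not part of the thread, and not AVZ's own code), a small Python triage helper that parses the "Function ... intercepted ..., hook <driver>" lines from the kernel-mode hook section of an AVZ log like the one above and groups the hooked syscalls by driver, so a responder can see at a glance which drivers are hooking the SSDT and go check each one's publisher and signature; the short log excerpt inside it is constructed, and the PROCESS_GUARD set is an assumption used only for labelling.

```python
import re
from collections import defaultdict

# Constructed excerpt in the AVZ log format (a few lines, not the full log posted above).
SAMPLE_LOG = """\
1.2 Searching for kernel-mode API hooks
Function NtCreateFile (42) intercepted (E34A8ABE->B65F3310), hook C:\\Windows\\System32\\drivers\\Bhbase.sys
Function NtOpenKeyEx (B7) intercepted (E3469193->BC1EA620), hook C:\\Windows\\system32\\drivers\\qutmipc.sys
Function NtOpenProcess (BE) intercepted (E346B093->BC12838A), hook C:\\Windows\\System32\\drivers\\zamguard32.sys
Function NtTerminateProcess (172) intercepted (E34B4429->BC128444), hook C:\\Windows\\System32\\drivers\\zamguard32.sys
Functions checked: 401, intercepted: 42, restored: 0
"""

# One AVZ SSDT-hook line: syscall name, service index (hex), original and hook
# addresses (hex), then the path of the driver that owns the hook address.
HOOK_RE = re.compile(
    r"^Function (?P<name>\w+) \((?P<idx>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<hook>[0-9A-Fa-f]+)\), hook (?P<driver>.+)$"
)

# Assumed set of syscalls whose hooking is typical of process self-protection. Seeing them
# hooked shows that something guards processes, not by itself whether that something is benign.
PROCESS_GUARD = {"NtOpenProcess", "NtTerminateProcess", "NtOpenThread",
                 "NtTerminateThread", "NtWriteVirtualMemory", "NtSetContextThread"}

def parse_hooks(log_text):
    """Return one dict per 'Function ... intercepted' line; other lines are ignored."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["idx"] = int(h["idx"], 16)  # service index as an integer
            hooks.append(h)
    return hooks

def hooks_by_driver(hooks):
    """Group hooked syscall names by driver file name, case-folded (AVZ prints both 'System32' and 'system32')."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["driver"].strip().rsplit("\\", 1)[-1].lower()].append(h["name"])
    return dict(grouped)

def triage(log_text):
    """Per hooking driver: hook count and how many hooks are process-guard syscalls; next, verify each driver's publisher and signature on disk."""
    return {drv: {"hooks": len(names),
                  "process_guard": sum(n in PROCESS_GUARD for n in names)}
            for drv, names in hooks_by_driver(parse_hooks(log_text)).items()}
```

Run it over a saved AVZ log by passing the file's text to triage(); a driver hooking dozens of syscalls deserves the first look, whether it turns out to be security software or not.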
Julian:
oooooh, I remember this one. I saw it on a customer's laptop last week. I used Malwarebytes to clean up all the malware, ran it like 6 times in safe mode, kept finding new things, then I used HijackThis to find those specific entries! It was annoying, but that should be a start, gamez!
Samson:
"A Chinese antivirus Program" :rolleyes:
http://www.itproportal.com/2015/05/02/qihoo-360-antivirus-tool-stripped-of-awards-after-cheating/
Gamezertruth:
--- Quote from: Julian on August 03, 2015, 10:44:14 am ---oooooh, I remember this one. I saw it on a customer's laptop last week. I used Malwarebytes to clean up all the malware, ran it like 6 times in safe mode, kept finding new things, then I used HijackThis to find those specific entries! It was annoying, but that should be a start, gamez!
--- End quote ---
Well, it seems I am in trouble. I tried to remove this program, but when I try to uninstall it, it gives an error message (but I can not understand the message).
I also have another program, a very strong program, which has an uninstall-software feature (but that feature is for the professional version). However, that program found the remains of this program, but I need to register it!
I have finished running multiple anti-virus/anti-malware/anti-spyware programs; however, no anti-virus/anti-malware/anti-spyware found any piece of that program except some adware and viruses!
After multiple infections, the computer has started acting oddly. The whole system does not respond and remains stuck for some time, and the Internet connection began dropping badly today!
So I powered on my laptop today and I was playing around, and suddenly the Windows language pack was removed from my system while I'm typing! I checked that by going to the Control Panel language options, and I found that some of the "language packs" which I used were removed! (There is only a Chinese package?) Very weird :thinking: In addition, personal files and program icons have gone from the desktop?
I almost forgot to mention that some of the Windows services were hijacked (Windows folders and file formats, etc.)