Dan E

New Member
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 12/23/2015 1:44:16 PM
Event ID: 6281
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: EppPCool
Description:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume4\Windows\System32\guard64.dll
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>6281</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-12-23T19:44:16.281035800Z" />
<EventRecordID>67946</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5276" />
<Channel>Security</Channel>
<Computer>EppPCool</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">\Device\HarddiskVolume4\Windows\System32\guard64.dll</Data>
</EventData>
</Event>
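A small parser for the Event XML record shown above, added here as an example and not part of the original post. It flattens the record, decodes the audit-outcome bits in Keywords, and lists the image path from every Event ID 6281 audit failure so the flagged file can be checked; the sample record is a trimmed copy of the one in the post.

```python
import xml.etree.ElementTree as ET

# Windows event schema namespace and the audit-outcome bits carried in <Keywords>.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_SUCCESS_BIT = 0x0020000000000000  # Keywords 0x8020000000000000 = Audit Success
AUDIT_FAILURE_BIT = 0x0010000000000000  # Keywords 0x8010000000000000 = Audit Failure

# Constructed sample: the Event XML from the post above, trimmed of a few <System> children.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" />
<EventID>6281</EventID>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-12-23T19:44:16.281035800Z" />
<EventRecordID>67946</EventRecordID>
<Channel>Security</Channel>
<Computer>EppPCool</Computer>
</System>
<EventData>
<Data Name="param1">\Device\HarddiskVolume4\Windows\System32\guard64.dll</Data>
</EventData>
</Event>"""

def parse_security_event(xml_text):
    """Flatten one Security-log Event XML record into the fields a triage script needs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    keywords = int(system.findtext("e:Keywords", "0", NS), 16)
    if keywords & AUDIT_FAILURE_BIT:
        outcome = "Audit Failure"
    else:
        outcome = "Audit Success" if keywords & AUDIT_SUCCESS_BIT else "Unknown"
    event_data = root.find("e:EventData", NS)
    # Collect <Data Name="..."> children; 6281 carries the rejected image path in param1.
    data = {} if event_data is None else {
        d.get("Name"): d.text for d in event_data.findall("e:Data", NS)}
    return {
        "event_id": int(system.findtext("e:EventID", "0", NS)),
        "record_id": int(system.findtext("e:EventRecordID", "0", NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", "", NS),
        "outcome": outcome,
        "data": data,
    }

def code_integrity_findings(events):
    r"""(record_id, image_path) for every 6281 audit failure. param1 is an NT device path
    (\Device\HarddiskVolumeN\...), not a drive letter: map the volume before checking its signature."""
    return [(e["record_id"], e["data"].get("param1"))
            for e in events if e["event_id"] == 6281 and e["outcome"] == "Audit Failure"]
```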
 

TwinHeadedEagle

Level 41
Verified
Hello,


Multiple Resident Protection warning!

Always have one (and no more than one!) AntiVirus program! In this case having more of them will not provide you with better protection - instead they may cause slowness, lock-ups and even mark one another as harmful, leaving your system unstable or even damaged. Please choose only one from the list below to keep and uninstall the others:
  • Comodo Antivirus
  • avast! Antivirus

Uninstallation procedure:
  • Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for each entry to be uninstalled, right-click it and select Uninstall.
This should be done before any other steps are taken.



Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
  • Click the Scan tab, make sure Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.



Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears, it may take a minute or two.
  • In the main box please paste in the following script:
    Code:
    createsrpoint;
    autoclean;
    emptyclsid;
    emptyalltemp;
    ipconfig /flushdns >>"%temp%\log.txt";b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will open after the reboot. You may also find it on your main drive (usually the C:\ drive).

Upload it in your next reply.
 

Dan E

New Member
Zoek is stuck on a cmd.exe*32 and the process underneath it says PEVS.EXE*EXE. I found this out since the scan was taking too long, and I activated Comodo K.switch and saw this; I went to an online lookup and it was classified as a trojan dropper.
Correction: PEVZ.EXE*32
 

Dan E

New Member
No luck on it, I have tried lots of times. I don't know if it's being jammed up from an infection or what the deal is, but I see within kswitch the process showing red and green, both with the command above and down below what I described above, rapidly opening and closing. Tell me what to do next boss.
 

Dan E

New Member
No it is infected. Dr. Web katana just blocked an autorun attempting to access my regedit in the background; then, just a second ago right after that, voodoo shield detected a positive on a worm, it said, 3/4 engines from VT. I quarantined it but the PC somehow restarted automatically on me, so before I let it start back up I shut it down and brought it to emergency mode.
 

Dan E

New Member
I am going to run some scans in emergency mode, without networking, and wait to see if you have any ideas. Thank you.
 

Dan E

New Member
Ok, my guess is I will have to do some kind of wipe of the system, and reinstall Windows eventually. Can you tell me what is the best method to go about doing this? Thanks for taking the time to look at my stuff.
 