Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Rootkit warning - DgSafe.sys


Re: Rootkit warning - DgSafe.sys

Post by wannabeageek » February 15th, 2014, 11:59 pm

Hi no1so,

I apologize for my poor wording as I am understanding that English is not your first language.

I should have asked you about the different software programs before asking you to uninstall the one(s) you do not want to keep.

Commercial Bank of China Anti-phishing software - If this is a program you must keep in order to complete online banking, then you must keep it.


In the quote block below is mainly what I am concerned with. If you like or prefer Outpost Anti-Virus suite over AVG - I would have suggested removing AVG. Windows Defender is not an issue. The remaining files from the other anti-virus software can be removed when we start removing undesirable entries.
AVG has a firewall. I do not know if it comes with a Free Version.
==================== Security Center ========================

AV: AVG AntiVirus 2014 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Outpost Firewall Pro (Enabled - Up to date) {578B8A29-863D-0449-EF15-3926A73ACBD3}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus 2014 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: Outpost Firewall Pro (Enabled) {D4D1EAE8-EA68-0A9F-FEFA-AB61226EC615}


Please ask for guidance if you have any question about what to remove or do next.

wbg.
wannabeageek
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: Rootkit warning - DgSafe.sys

Post by no1so » February 16th, 2014, 7:24 am

> Running - more than one - antivirus program is not recommended because:
> They can conflict with each other.
> Report the other antivirus software as malicious.
> Antivirus programs use an enormous amount of computer's resources... actively scanning your computer.
> Can cause your computer to run slowly, become unstable and crash.

You say they 'can' conflict. In my case they do not.

They report each other as malicious, they do not because Outpost asked if AVG was installed by me.

AV programs use a large amount of CPU, AVG does not, (I have checked) and Outpost is not an antivirus program so only checks input and output when there is input and output to and from the internet. It also does not have high CPU usage.

Can cause your computer to run slow, they do not.

I understand your concerns but please allow me to say that I have noted them.

Please allow me to explain:

I bought Outpost Firewall Pro. (It is not their Security Suite), and paid for lifetime updates. This does not have any antivirus capabilities. It does have basic adaware facilities.

I downloaded AVG Free which is a pure antivirus program. It does not have any firewall facility.

I do not use Windows Defender.

If you are suggesting I should only have one company supply both a firewall and antivirus then I have a problem.

It would seem that you advise buying Outpost Security Suite at a 2 yearly cost of £57.73 for my three machines, or £70 two yearly for AVG Security Suite.

I fail to see why I need to change the current arrangement if they are installed for different purposes, one a firewall and one antivirus when they do not conflict and Outpost has turned off its ad-aware facility when it found AVG installed.

Would you please explain why I should pay a lot more money, ignoring what I have already paid, foregoing the lifetime updates I have if I don't have a problem?
no1so
Regular Member
 
Posts: 16
Joined: February 2nd, 2014, 9:37 pm

Re: Rootkit warning - DgSafe.sys

Post by wannabeageek » February 16th, 2014, 12:28 pm

My most sincere apologies, no1so.

I would not want anyone to spend more money regardless of any issues.
> Would you please explain why I should pay a lot more money, ignoring what I have already paid, foregoing the lifetime updates I have if I don't have a problem?


I am just not understanding how your machine, a dual core x86, is not running slow as it is an older machine.

Would it be possible to tell me the brand of computer it is?

TSG - SysInfo utility
Please download and run SysInfo utility to your desktop.
Right Mouse click SysInfo.exe, select "Run As Administrator" to run it... if UAC prompts, please allow it.
Right click, select copy and then paste in your next post.
wannabeageek
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: Rootkit warning - DgSafe.sys

Post by no1so » February 16th, 2014, 1:49 pm

This laptop is a Toshiba Satellite Pro A100-830. I do not play games so don't need speed but I wonder why you say, "Is not running slow". The System Idle Process is @ 95 to 96% most of the time.

Yes it is an older machine but it is running at its normal speed as far as I am concerned and is fast enough for my purposes. Yes, it is slow compared to my wife's laptop, but as I say, speed is not important as long as it is reasonable and not crawling because of too many programs, too much rubbish from sample installs, never been defragged, desktop covered in icons etc.

BTW, I was born in the UK and English is my first and only language ;-)

Scan as requested thank you:

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Professional, Service Pack 1, 32 bit
Processor: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz, x64 Family 6 Model 15 Stepping 6
Processor Count: 2
RAM: 3070 Mb
Graphics Card: ATI Mobility Radeon X1600, 256 Mb
Hard Drives: C: Total - 55141 MB, Free - 18886 MB; D: Total - 249999 MB, Free - 127971 MB;
Motherboard: Intel Corporation, CAPELL VALLEY(NAPA) CRB
Antivirus: AVG AntiVirus Free Edition 2014, Updated and Enabled
no1so
Regular Member
 
Posts: 16
Joined: February 2nd, 2014, 9:37 pm

Re: Rootkit warning - DgSafe.sys

Post by wannabeageek » February 16th, 2014, 6:15 pm

Hi no1so,

Sorry about that. All those Chinese programs had me fooled.
> BTW, I was born in the UK and English is my first and only language ;-)


Please run the following:

Step 1.
Run OTL Script

We need to run an OTL Fix

  • Right-click OTL.exe and select " Run as administrator " to run it.
  • Copy and Paste the following code into the textbox. Do not include the word Code
    :commands
    [createrestorepoint]
    
    :OTL
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.mysearchdial.com/results.p ... f=4&q= {searchTerms}&a=irmsd0101&cd=2XzuyEtN2Y1L1QzutDtD0AtD0DtCyDtAyC0E0B0FtD0EyDtCtN0D0Tzu0CyBtAyBtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=1918066720&ir=
    IE - HKU\S-1-5-21-2971882474-1144138496-3696702083-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.mysearchdial.com/results.p ... f=4&q= {searchTerms}&a=irmsd0101&cd=2XzuyEtN2Y1L1QzutDtD0AtD0DtCyDtAyC0E0B0FtD0EyDtCtN0D0Tzu0CyBtAyBtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=1918066720&ir=
    FF - HKLM\Software\MozillaPlugins\@kingsfot.com/npkws: c:\program files\kingsoft\ijinshan_antivierus2013\npkws.dll
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:0B4227B4
    
    :Files
    C:\Program Files\kingsoft
    C:\ProgramData\DriverGenius
    C:\Windows\system32\drivers\kisknl.sys
    C:\Windows\System32\drivers\ksapi.sys
    C:\Windows\System32\drivers\knbdrv.sys
    
    :Commands
    [EMPTYTEMP]
    
  • Click under the Custom Scan/Fixes box and paste the copied text.
  • Click the Run Fix button. If prompted... click OK.
  • When the scan completes, Notepad will open with the scan results. The report is saved in this location: C:\_OTL\Moved Files\MMDDYYY_HHMMSS.log.
  • Please post the contents of report in your next reply.


Step 2.
Run CKScanner

  • Please download CKScanner from Here
  • Important: - Save it to your desktop.
  • Right-click CKScanner.exe > select " Run as administrator " then click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved. Please Run the program only once.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


Step 3.
Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2


  • Right-click SystemLook.exe and select " Run as administrator " to run it.
  • Click on the "Select ALL" link. Right mouse click - Copy then Paste the content of the following codebox into the main textfield:
    :filefind
    *Bandoo*
    *Community*
    *Conduit*
    *crack*
    *datamngr*
    *DriverGenius*
    *Fun4IM*
    *iLivid*
    *IObit*
    *Iminent*
    *Kingsoft*
    *Searchqu*
    *Searchnu*
    *Tarma*
    *trolltech*
    *vshare*
    *whitesmoke*
    *Yontoo*
    
    :folderfind
    *Bandoo*
    *Community*
    *Conduit*
    *crack*
    *datamngr*
    *DriverGenius*
    *Fun4IM*
    *iLivid*
    *IObit*
    *Iminent*
    *Kingsoft*
    *Searchqu*
    *Searchnu*
    *Tarma*
    *trolltech*
    *vshare*
    *whitesmoke*
    *Yontoo*
    
    :Regfind
    Bandoo
    Community
    Conduit
    crack
    datamngr
    DriverGenius
    Fun4IM
    iLivid
    IObit
    Iminent
    Kingsoft
    Searchqu
    Searchnu
    Tarma
    trolltech
    vshare
    whitesmoke
    Yontoo
    
  • Click the Look button to start the scan.
    Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Please include in your next reply:
  1. Contents of C:\_OTL\Moved Files\MMDDYYY_HHMMSS.log
  2. Contents of CKFiles.txt
  3. Contents of SystemLook.txt
  4. Any problem executing the instructions?
  5. How is the computer behaving?
Thanks,
wbg
wannabeageek
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: Rootkit warning - DgSafe.sys

Post by no1so » February 16th, 2014, 7:50 pm

Scans as requested, thank you (please note comments at end):

1. OTL (Was saved to desktop but desktop is on D:\)

No such file existed here: C:\_OTL\Moved Files\MMDDYYY_HHMMSS.log

D:\_OTL\MovedFiles\02162014_224958.log

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@kingsfot.com/npkws\ deleted successfully.
File c:\program files\kingsoft\ijinshan_antivierus2013\npkws.dll not found.
ADS C:\ProgramData\TEMP:0B4227B4 deleted successfully.
========== FILES ==========
File\Folder C:\Program Files\kingsoft not found.
C:\ProgramData\DriverGenius\Backup folder moved successfully.
C:\ProgramData\DriverGenius folder moved successfully.
File\Folder C:\Windows\system32\drivers\kisknl.sys not found.
C:\Windows\System32\drivers\ksapi.sys moved successfully.
C:\Windows\System32\drivers\knbdrv.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: makem
->Temp folder emptied: 75770858 bytes
->Temporary Internet Files folder emptied: 153172252 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 110696141 bytes
->Flash cache emptied: 3739 bytes

User: Public

User: TEMP

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 41821873 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 364.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02162014_224958

Files\Folders moved on Reboot...
C:\Users\makem\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
===========================================================================================

2. CKScanner:

CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.CJAPJZ
----- EOF -----

===========================================================================================

3. SystemLook

SystemLook 30.07.11 by jpshortstuff
Log created at 23:13 on 16/02/2014 by makem
Administrator - Elevation successful

========== filefind ==========

Searching for "*Bandoo*"
No files found.

Searching for "*Community*"
C:\Program Files\Notepad++\user.manual\sites\all\images\NppCommunityLogo.png --a---- 18238 bytes [21:33 18/07/2011] [21:33 18/07/2011] D5191EBF4FFD9AD19580F6038506076A

Searching for "*Conduit*"
No files found.

Searching for "*crack*"
No files found.

Searching for "*datamngr*"
No files found.

Searching for "*DriverGenius*"
C:\Documents and Settings\makem\AppData\Roaming\Microsoft\Office\Recent\2.Step of Installation of DriverGenius.doc.LNK --a---- 950 bytes [14:13 04/02/2014] [17:02 04/02/2014] CB9CD9BC6EEDFD5FDD171E4803527763
C:\Documents and Settings\makem\AppData\Roaming\Microsoft\Office\Recent\Drivergenius.doc.LNK --a---- 1627 bytes [16:49 04/02/2014] [12:48 06/02/2014] 2D3A5F3CAE379BF8AA5BA83B3593152C
C:\Documents and Settings\makem\Application Data\Microsoft\Office\Recent\2.Step of Installation of DriverGenius.doc.LNK --a---- 950 bytes [14:13 04/02/2014] [17:02 04/02/2014] CB9CD9BC6EEDFD5FDD171E4803527763
C:\Documents and Settings\makem\Application Data\Microsoft\Office\Recent\Drivergenius.doc.LNK --a---- 1627 bytes [16:49 04/02/2014] [12:48 06/02/2014] 2D3A5F3CAE379BF8AA5BA83B3593152C
C:\Users\makem\AppData\Roaming\Microsoft\Office\Recent\2.Step of Installation of DriverGenius.doc.LNK --a---- 950 bytes [14:13 04/02/2014] [17:02 04/02/2014] CB9CD9BC6EEDFD5FDD171E4803527763
C:\Users\makem\AppData\Roaming\Microsoft\Office\Recent\Drivergenius.doc.LNK --a---- 1627 bytes [16:49 04/02/2014] [12:48 06/02/2014] 2D3A5F3CAE379BF8AA5BA83B3593152C
C:\Users\makem\Application Data\Microsoft\Office\Recent\2.Step of Installation of DriverGenius.doc.LNK --a---- 950 bytes [14:13 04/02/2014] [17:02 04/02/2014] CB9CD9BC6EEDFD5FDD171E4803527763
C:\Users\makem\Application Data\Microsoft\Office\Recent\Drivergenius.doc.LNK --a---- 1627 bytes [16:49 04/02/2014] [12:48 06/02/2014] 2D3A5F3CAE379BF8AA5BA83B3593152C

Searching for "*Fun4IM*"
No files found.

Searching for "*iLivid*"
No files found.

Searching for "*IObit*"
No files found.

Searching for "*Iminent*"
No files found.

Searching for "*Kingsoft*"
C:\Windows\System32\winevt\Logs\Kingsoft Internet Security.evtx --a---- 69632 bytes [13:59 15/01/2014] [01:03 01/02/2014] 08E4C04EBFA3F56C009665F3396AD104

Searching for "*Searchqu*"
No files found.

Searching for "*Searchnu*"
No files found.

Searching for "*Tarma*"
No files found.

Searching for "*trolltech*"
No files found.

Searching for "*vshare*"
No files found.

Searching for "*whitesmoke*"
No files found.

Searching for "*Yontoo*"
No files found.

========== folderfind ==========

Searching for "*Bandoo*"
No folders found.

Searching for "*Community*"
No folders found.

Searching for "*Conduit*"
No folders found.

Searching for "*crack*"
No folders found.

Searching for "*datamngr*"
No folders found.

Searching for "*DriverGenius*"
C:\Documents and Settings\makem\AppData\Local\VirtualStore\Program Files\MyDrivers\DriverGenius2013 dr----- [09:43 04/10/2013]
C:\Program Files\MyDrivers\DriverGenius2013 dr----- [17:02 04/02/2014]
C:\Users\makem\AppData\Local\VirtualStore\Program Files\MyDrivers\DriverGenius2013 dr----- [09:43 04/10/2013]

Searching for "*Fun4IM*"
No folders found.

Searching for "*iLivid*"
No folders found.

Searching for "*IObit*"
No folders found.

Searching for "*Iminent*"
No folders found.

Searching for "*Kingsoft*"
C:\Documents and Settings\All Users\Kingsoft d------ [09:44 04/10/2013]
C:\Documents and Settings\makem\AppData\Local\VirtualStore\ProgramData\Kingsoft d------ [09:44 04/10/2013]
C:\ProgramData\Kingsoft d------ [09:44 04/10/2013]
C:\Users\All Users\Kingsoft d------ [09:44 04/10/2013]
C:\Users\makem\AppData\Local\VirtualStore\ProgramData\Kingsoft d------ [09:44 04/10/2013]
C:\Windows\System32\config\systemprofile\AppData\Local\Kingsoft d------ [00:21 01/02/2014]
C:\Windows\System32\config\systemprofile\AppData\Roaming\Kingsoft d------ [13:59 15/01/2014]

Searching for "*Searchqu*"
No folders found.

Searching for "*Searchnu*"
No folders found.

Searching for "*Tarma*"
No folders found.

Searching for "*trolltech*"
No folders found.

Searching for "*vshare*"
No folders found.

Searching for "*whitesmoke*"
No folders found.

Searching for "*Yontoo*"
No folders found.

========== Regfind ==========

Searching for "Bandoo"
No data found.

Searching for "Community"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1372A97E-2034-41ee-A6C1-1B68FAFA75A1}]
@="CLSID_ICommunityTransport"

Searching for "Conduit"
No data found.

Searching for "crack"
No data found.

Searching for "datamngr"
No data found.

Searching for "DriverGenius"
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Internet]
"UseRWHlinkNavigation"="http://www.drivergenius.com/"
[HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\MyDrivers\DriverGenius]
[HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\MyDrivers\DriverGenius]
"WorkPath"="C:\Program Files\MyDrivers\DriverGenius2013"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{124B3515-E16D-4B21-A529-058AE6E567C1}]
"LocalService"="DriverGenius Core Service"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kingsoft]
"URL Protocol"="C:\Program Files\MyDrivers\DriverGenius2013\ksoft\softmain.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kingsoft\DefaultIcon]
@="C:\Program Files\MyDrivers\DriverGenius2013\ksoft\softmain.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kingsoft\shell\open\command]
@="C:\Program Files\MyDrivers\DriverGenius2013\ksoft\softmain.exe "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{587C0B9A-8D5D-4866-95AC-A8E5C8AB5689}\1.0\0\win32]
@="C:\Program Files\MyDrivers\DriverGenius2013\dgservice.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\dg.exe]
@="C:\Program Files\MyDrivers\DriverGenius2013\drivergenius.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\qd.exe]
@="C:\Program Files\MyDrivers\DriverGenius2013\drivergenius.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\qudong.exe]
@="C:\Program Files\MyDrivers\DriverGenius2013\drivergenius.exe"
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Microsoft\Office\11.0\Common\Internet]
"UseRWHlinkNavigation"="http://www.drivergenius.com/"
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Classes\VirtualStore\MACHINE\SOFTWARE\MyDrivers\DriverGenius]
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Classes\VirtualStore\MACHINE\SOFTWARE\MyDrivers\DriverGenius]
"WorkPath"="C:\Program Files\MyDrivers\DriverGenius2013"
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001_Classes\VirtualStore\MACHINE\SOFTWARE\MyDrivers\DriverGenius]
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001_Classes\VirtualStore\MACHINE\SOFTWARE\MyDrivers\DriverGenius]
"WorkPath"="C:\Program Files\MyDrivers\DriverGenius2013"

Searching for "Fun4IM"
No data found.

Searching for "iLivid"
No data found.

Searching for "IObit"
No data found.

Searching for "Iminent"
No data found.

Searching for "Kingsoft"
[HKEY_CURRENT_USER\Software\Kingsoft]
[HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\kingsoft]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{367F6AE2-6809-4bed-B09B-228893FB33DD}\InprocServer32]
@="c:\program files\kingsoft\ijinshan_antivierus2013\kwansvc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kingsoft]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Kingsoft]
@="KingsoftProtocol"
[HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft]
[HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft\Antivirus]
"ProgramPath"="c:\program files\kingsoft\ijinshan_antivierus2013\"
[HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft\Antivirus]
"WorkPath"="c:\program files\kingsoft\ijinshan_antivierus2013"
[HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft\Antivirus]
"ShtWrkPath"="c:\PROGRA~1\kingsoft\IJINSH~2\"
[HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft\Antivirus\recommend]
"DubaPath"="c:\program files\kingsoft\ijinshan_antivierus2013\"
[HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft\KISCommon]
"ProgramPath"="c:\program files\kingsoft\ijinshan_antivierus2013\"
[HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft\kwspriEx]
"path"="c:\program files\kingsoft\ijinshdan_antivirus_2013"
[HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft\kwspriEx]
"main"="c:\program files\kingsoft\ijinshdan_antivirus_2013\kismain.exe /kws"
[HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft\shoujizhushou]
"Install Path"="c:\program files\kingsoft\shoujizhushou"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\bootsafe]
"ProgramPath"="c:\program files\kingsoft\ijinshan_antivierus2013"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Kingsoft]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ksapi]
"Description"="Kingsoft ksapi module."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kxescore]
"ImagePath"=""c:\program files\kingsoft\ijinshan_antivierus2013\kxescore.exe" /service kxescore"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kxescore]
"DisplayName"="Kingsoft Core Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\bootsafe]
"ProgramPath"="c:\program files\kingsoft\ijinshan_antivierus2013"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Kingsoft]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\ksapi]
"Description"="Kingsoft ksapi module."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\kxescore]
"ImagePath"=""c:\program files\kingsoft\ijinshan_antivierus2013\kxescore.exe" /service kxescore"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\kxescore]
"DisplayName"="Kingsoft Core Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\bootsafe]
"ProgramPath"="c:\program files\kingsoft\ijinshan_antivierus2013"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Kingsoft]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ksapi]
"Description"="Kingsoft ksapi module."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kxescore]
"ImagePath"=""c:\program files\kingsoft\ijinshan_antivierus2013\kxescore.exe" /service kxescore"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kxescore]
"DisplayName"="Kingsoft Core Service"
[HKEY_USERS\.DEFAULT\Software\Kingsoft]
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Kingsoft]
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Classes\VirtualStore\MACHINE\SOFTWARE\kingsoft]
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001_Classes\VirtualStore\MACHINE\SOFTWARE\kingsoft]
[HKEY_USERS\S-1-5-18\Software\Kingsoft]

Searching for "Searchqu"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"

Searching for "Searchnu"
No data found.

Searching for "Tarma"
No data found.

Searching for "trolltech"
[HKEY_CURRENT_USER\Software\Trolltech]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.6\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QSqlDriverFactoryInterface:]
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Trolltech]
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.6\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-2971882474-1144138496-3696702083-1001\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QSqlDriverFactoryInterface:]

Searching for "vshare"
No data found.

Searching for "whitesmoke"
No data found.

Searching for "Yontoo"
No data found.

-= EOF =-

===========================================================================================

4. No problem executing scans

5. Computer appears to be performing normally

6. I notice that the driver kisknl.sys could not be found. However this is one I asked originally be removed. Has it?

7. Do you have an issue with DriverGenius?

hxxp://www.drivergenius.com/

Download using the link just under the green download button.

I find it a very useful program and as far as I am aware it has not caused any problem. However, you cannot use it unless you can read Mandarin.
no1so
Regular Member
 
Posts: 16
Joined: February 2nd, 2014, 9:37 pm
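An added example, not code from the thread, from SystemLook's author or from the forum's tools: a small Python parser for the SystemLook report format posted above. It groups hits by section and search term and pulls out the MD5s; as the log itself shows, the wildcard terms are substring matches (*Community* hits a Notepad++ image, Searchqu a COM interface registration), so a non-zero count means "review", not "malicious". SAMPLE_LOG is a constructed, shortened excerpt of the log in the post.

```python
"""Parse a SystemLook report into {section: {term: [hits]}} and summarise it.

Added example, not SystemLook's or the forum's own code; SAMPLE_LOG is a
constructed, shortened excerpt of the log posted in the thread.
"""
import re

SAMPLE_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 23:13 on 16/02/2014 by makem

========== filefind ==========
Searching for "*Community*"
C:\Program Files\Notepad++\user.manual\sites\all\images\NppCommunityLogo.png --a---- 18238 bytes [21:33 18/07/2011] [21:33 18/07/2011] D5191EBF4FFD9AD19580F6038506076A
Searching for "*Kingsoft*"
C:\Windows\System32\winevt\Logs\Kingsoft Internet Security.evtx --a---- 69632 bytes [13:59 15/01/2014] [01:03 01/02/2014] 08E4C04EBFA3F56C009665F3396AD104
========== folderfind ==========
Searching for "*Kingsoft*"
C:\ProgramData\Kingsoft d------ [09:44 04/10/2013]
C:\Users\All Users\Kingsoft d------ [09:44 04/10/2013]
Searching for "*Yontoo*"
No folders found.
========== Regfind ==========
Searching for "Searchqu"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"
Searching for "Kingsoft"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kxescore]
"DisplayName"="Kingsoft Core Service"
Searching for "vshare"
No data found.
-= EOF =-
"""

SECTION_RE = re.compile(r"^=+ (\w+) =+$")
SEARCH_RE = re.compile(r'^Searching for "(.+)"$')
NO_HIT = {"No files found.", "No folders found.", "No data found."}
# filefind/folderfind entry: path, 7-char attribute flags, optional size, created [modified] [MD5]
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7})(?: (?P<size>\d+) bytes)?"
    r" \[(?P<created>[^\]]+)\](?: \[(?P<modified>[^\]]+)\])?(?: (?P<md5>[0-9A-Fa-f]{32}))?$"
)

def _parse_hit(section, line):
    """One result line as a dict; Regfind lines are either a [key] or a value."""
    if section == "Regfind":
        if line.startswith("[") and line.endswith("]"):
            return {"key": line[1:-1]}
        return {"value": line}
    m = ENTRY_RE.match(line)
    if not m:
        return {"raw": line}  # unexpected layout: keep verbatim for review
    hit = m.groupdict()
    if hit["size"] is not None:
        hit["size"] = int(hit["size"])
    return hit

def parse_systemlook(text):
    """Return {section: {term: [hit, ...]}}; a term with no hits maps to []."""
    report, section, term = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-= EOF"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, term = m.group(1), None
            report.setdefault(section, {})
            continue
        m = SEARCH_RE.match(line)
        if m and section is not None:
            term = m.group(1)
            report[section].setdefault(term, [])
            continue
        if section is None or term is None or line in NO_HIT:
            continue  # banner lines before the first section, or "No ... found."
        report[section][term].append(_parse_hit(section, line))
    return report

def hit_counts(report):
    """Total hits per search term (wildcards stripped) across all sections."""
    # Substring terms also match unrelated components: non-zero means "review", not "bad".
    counts = {}
    for terms in report.values():
        for term, hits in terms.items():
            name = term.strip("*")
            counts[name] = counts.get(name, 0) + len(hits)
    return counts

def file_hashes(report):
    """{path: MD5} for every filefind hit, ready for a reputation lookup."""
    return {h["path"]: h["md5"]
            for hits in report.get("filefind", {}).values()
            for h in hits if h.get("md5")}
```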

Re: Rootkit warning - DgSafe.sys

Post by wannabeageek » February 17th, 2014, 1:36 am

no1so,

DgSafe.sys is part of DriverGenius 2013.

If you are now stating this, (DgSafe.sys and DriverGenius 2013), is not an issue or a problem by all means let me know and I will have this thread closed.
wannabeageek
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: Rootkit warning - DgSafe.sys

Post by no1so » February 17th, 2014, 6:20 am

When I started this post I had reports from AVG that there were problems with DriverGenius. This was the reason for asking for help. I was in ignorance, thinking DriverGenius was ok, hence I ask if it is in your opinion.

If you think it is a problem then of course, I must agree because you have better knowledge. So please remove it if you think it is bad.

During your scans several other things were found. Will you deal with those for me too?

Kingsoft - was uninstalled but still remains
kisknl - a driver which keeps reporting a problem although your scan did not find

C:\Program Files\Mobogenie\nengine.dll Win32/NextLive.A
C:\Program Files\Mobogenie\UpdateMoboGenie.exe

This program does not have an uninstall option.
no1so
Regular Member
 
Posts: 16
Joined: February 2nd, 2014, 9:37 pm

Re: Rootkit warning - DgSafe.sys

Post by wannabeageek » February 18th, 2014, 1:21 am

Hello no1so,

This service is provided to you, without charge, by people who volunteer their own time to help.
There is an implied trust that you will respect that donated time, and provide all the information possible to bring the dialog to a successful conclusion.
If false information is provided, that trust is violated, and no further help will be given.

This thread will be closed.
wannabeageek
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: Rootkit warning - DgSafe.sys

Post by no1so » February 18th, 2014, 5:40 am

I have been told by wannabegeek, “If false information is provided, that trust is violated and no further help will be given”.

I do not know what false information has been given.

I asked for help with a suspected rootkit and was told eventually that the file was in fact part of a program I had installed. I thought this program was safe but it may not be.

As far as I am concerned, I still have a possible rootkit along with other things found on scans and help has been denied.

Would you please explain why?
no1so
Regular Member
 
Posts: 16
Joined: February 2nd, 2014, 9:37 pm

Re: Rootkit warning - DgSafe.sys

Post by wannabeageek » February 18th, 2014, 10:17 am

You have been editing your logs.
Would you please explain why?
wannabeageek
MRU Master
 
Posts: 1773
Joined: November 23rd, 2009, 10:21 pm
Location: California

Re: Rootkit warning - DgSafe.sys

Post by no1so » February 18th, 2014, 12:01 pm

I was ashamed to find that I had been given a folder by a so-called friend which I had stored unused, in my Archive, which was obviously not legal. It contained a file named "crack". I immediately removed the folder, which I have no use for anyway and didn't want forum members to believe I used illegal software.

I can now understand what you meant by false information and accept your decision which I respect.

I will reformat and reinstall my Windows 7.
no1so
Regular Member
 
Posts: 16
Joined: February 2nd, 2014, 9:37 pm

Re: Rootkit warning - DgSafe.sys

Post by Cypher » February 18th, 2014, 1:01 pm

no1so wrote: I will reformat and reinstall my Windows 7.

As your problems will be resolved by a reformat, this topic is now closed.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns