Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Am I Still Infected ? Quarantined Trojan.Agent/Gen-Zbot


  • Please log in to reply
21 replies to this topic

#1 sikntired

sikntired

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 27 May 2013 - 07:16 PM

Hello to all, and thanks in advance.

 

Just ran SAS after spouse was surfing and playing some games. The results were 3 infected files and 1 memory threat in logs. SAS

quarantined the 4 threats and rebooted. I then did a scan with MBAM and it reported no malware. In addition I ran MSE and it did not detect any threats. Lastly I ran MRT and nothing was found.

 

Computer seems to be functioning okay at present. My OS is Win 7x64 sp-1.

 

Please let me know if you need to see the log or if you need DDS.

 

Very apprehensive as I hope this is not a backdoor trojan.

 

Regards............sik



BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:06:57 PM

Posted 27 May 2013 - 09:48 PM

p22002970.gif Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.

p22002970.gif Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


p22002970.gif Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

p22002970.gif Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

p22002970.gifDownload Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt


p22002970.gif Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 sikntired

sikntired
  • Topic Starter

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 28 May 2013 - 06:29 AM

Thank you for your time Broni,

 

Security check

 

 Results of screen317's Security Check version 0.99.64 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0   
 Secunia PSI (3.0.0.7009)  
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````
 

 

 

 Results of screen317's Security Check version 0.99.64 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0   
 Secunia PSI (3.0.0.7009)  
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````
 

 

 Results of screen317's Security Check version 0.99.64 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0   
 Secunia PSI (3.0.0.7009)  
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````
 

 

 Results of screen317's Security Check version 0.99.64 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0   
 Secunia PSI (3.0.0.7009)  
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````
 

 

 Results of screen317's Security Check version 0.99.64 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0   
 Secunia PSI (3.0.0.7009)  
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````
 



#4 sikntired

sikntired
  • Topic Starter

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 28 May 2013 - 06:57 AM

FSS

 

Farbar Service Scanner Version: 25-05-2013
Ran by Owner (administrator) on 28-05-2013 at 06:33:59
Running from "C:\Users\Owner\Downloads"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****



#5 sikntired

sikntired
  • Topic Starter

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 28 May 2013 - 07:02 AM

MiniToolBox

MiniToolBox by Farbar Version:21-04-2013
Ran by Owner (administrator) on 28-05-2013 at 07:00:16
Running from "C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QMLRI1DH"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================



========================= IP Configuration: ================================

Realtek PCIe FE Family Controller = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : mike-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 00-25-64-F1-13-1D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8405:7ad3:a57f:79dd%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.68(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, May 28, 2013 6:10:03 AM
Lease Expires . . . . . . . . . . : Wednesday, May 29, 2013 6:10:04 AM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 234890596
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-24-91-EC-00-25-64-F1-13-1D
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.gateway.2wire.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:14c5:1590:9cf8:47c1(Preferred)
Link-local IPv6 Address . . . . . : fe80::14c5:1590:9cf8:47c1%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: homeportal
Address: 192.168.1.254

Name: google.com
Addresses: 2001:4860:4002:801::1000
74.125.227.38
74.125.227.39
74.125.227.40
74.125.227.41
74.125.227.46
74.125.227.32
74.125.227.33
74.125.227.34
74.125.227.35
74.125.227.36
74.125.227.37


Pinging google.com [74.125.227.101] with 32 bytes of data:
Reply from 74.125.227.101: bytes=32 time=35ms TTL=50
Reply from 74.125.227.101: bytes=32 time=35ms TTL=50

Ping statistics for 74.125.227.101:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 35ms, Maximum = 35ms, Average = 35ms
Server: homeportal
Address: 192.168.1.254

Name: yahoo.com
Addresses: 98.139.183.24
206.190.36.45
98.138.253.109


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=648ms TTL=46
Reply from 98.138.253.109: bytes=32 time=707ms TTL=46

Ping statistics for 98.138.253.109:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 648ms, Maximum = 707ms, Average = 677ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
10...00 25 64 f1 13 1d ......Realtek PCIe FE Family Controller
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.68 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.68 276
192.168.1.68 255.255.255.255 On-link 192.168.1.68 276
192.168.1.255 255.255.255.255 On-link 192.168.1.68 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.68 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.68 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:9d38:953c:14c5:1590:9cf8:47c1/128
On-link
10 276 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::14c5:1590:9cf8:47c1/128
On-link
10 276 fe80::8405:7ad3:a57f:79dd/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145648] (Microsoft Corp.)
Catalog5 06 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145648] (Microsoft Corp.)
Catalog5 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 08 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760] (Microsoft Corp.)
x64-Catalog5 06 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760] (Microsoft Corp.)
x64-Catalog5 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 08 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/28/2013 06:15:53 AM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16483, time stamp: 0x515df825
Faulting module name: WS2_32.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba68
Exception code: 0xc0000005
Fault offset: 0x00006f79
Faulting process id: 0xf64
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (05/27/2013 02:37:29 PM) (Source: Application Hang) (User: )
Description: The program Au_.exe version 2.0.0.4003 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1318

Start Time: 01ce5b106d51801c

Termination Time: 0

Application Path: C:\Users\Owner\AppData\Local\Temp\~nsu.tmp\Au_.exe

Report Id:

Error: (05/20/2013 05:59:56 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16483 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: cfc

Start Time: 01ce55947e8d9753

Termination Time: 0

Application Path: C:\Program Files (x86)\internet explorer\iexplore.exe

Report Id:

Error: (05/16/2013 09:52:50 AM) (Source: Application Error) (User: )
Description: Faulting application name: PSIA.exe, version: 3.0.0.7009, time stamp: 0x516fefa1
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x000332a0
Faulting process id: 0x700
Faulting application start time: 0xPSIA.exe0
Faulting application path: PSIA.exe1
Faulting module path: PSIA.exe2
Report Id: PSIA.exe3

Error: (05/15/2013 06:35:51 PM) (Source: ESENT) (User: )
Description: WinMail (2816) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (05/15/2013 06:13:35 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Volume/disk not connected or not found.
Error context: DeviceIoControl(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy17 - 0000000000000128,0x00560038,00000000001AFFA0,0,000000000030E690,4096,[0]).


Operation:
Processing PostFinalCommitSnapshots

Context:
Execution Context: System Provider

Error: (05/15/2013 03:32:32 PM) (Source: Microsoft-Windows-RestartManager) (User: MIKE-PC)
Description: Application or service 'Windows Search' could not be shut down.


System errors:
=============
Error: (05/27/2013 01:53:51 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (05/27/2013 11:01:07 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

Error: (05/26/2013 05:00:18 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (05/26/2013 01:22:00 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (05/26/2013 01:22:00 PM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (05/26/2013 10:52:34 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (05/24/2013 06:59:01 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

Error: (05/24/2013 04:39:49 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (05/24/2013 01:46:36 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (05/24/2013 08:04:21 AM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}


Microsoft Office Sessions:
=========================
Error: (05/28/2013 06:15:53 AM) (Source: Application Error)(User: )
Description: iexplore.exe9.0.8112.16483515df825WS2_32.dll6.1.7601.175144ce7ba68c000000500006f79f6401ce5b94b58b5525C:\Program Files (x86)\internet explorer\iexplore.exeC:\Windows\syswow64\WS2_32.dllf54f75a3-c787-11e2-a021-002564f1131d

Error: (05/27/2013 02:37:29 PM) (Source: Application Hang)(User: )
Description: Au_.exe2.0.0.4003131801ce5b106d51801c0C:\Users\Owner\AppData\Local\Temp\~nsu.tmp\Au_.exe

Error: (05/20/2013 05:59:56 PM) (Source: Application Hang)(User: )
Description: iexplore.exe9.0.8112.16483cfc01ce55947e8d97530C:\Program Files (x86)\internet explorer\iexplore.exe

Error: (05/16/2013 09:52:50 AM) (Source: Application Error)(User: )
Description: PSIA.exe3.0.0.7009516fefa1ntdll.dll6.1.7601.177254ec49b8fc0000005000332a070001ce521bfe1c0521C:\Program Files (x86)\Secunia\PSI\PSIA.exeC:\Windows\SysWOW64\ntdll.dll4727d49a-be38-11e2-b88b-002564f1131d

Error: (05/15/2013 06:35:51 PM) (Source: ESENT)(User: )
Description: WinMail2816WindowsMail0:

Error: (05/15/2013 06:13:35 PM) (Source: VSS)(User: )
Description: DeviceIoControl(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy17 - 0000000000000128,0x00560038,00000000001AFFA0,0,000000000030E690,4096,[0])

Operation:
Processing PostFinalCommitSnapshots

Context:
Execution Context: System Provider

Error: (05/15/2013 03:32:32 PM) (Source: Microsoft-Windows-RestartManager)(User: MIKE-PC)
Description: 1SearchIndexer.exeWindows Search03026216123120


=========================== Installed Programs ============================

AdFender (Version: 1.60)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.202)
Adobe Reader XI (11.0.03) (Version: 11.0.03)
D3DX10 (Version: 15.4.2368.0902)
Dell Dock (Version: 2.0)
Epson Event Manager (Version: 2.30.01)
EPSON NX110 Series Printer Uninstall
EPSON Scan
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.1930)
Junk Mail filter update (Version: 16.4.3508.0205)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Security Client (Version: 4.2.0223.1)
Microsoft Security Essentials (Version: 4.2.223.1)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft SkyDrive (Version: 17.0.2006.0314)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Movie Maker (Version: 16.4.3508.0205)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSVCRT110 (Version: 16.4.1108.0727)
MSVCRT110_amd64 (Version: 16.4.1109.0912)
Photo Gallery (Version: 16.4.3508.0205)
Secunia PSI (3.0.0.7009) (Version: 3.0.0.7009)
SpywareBlaster 5.0 (Version: 5.0.0)
SUPERAntiSpyware (Version: 5.6.1020)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Windows Live Communications Platform (Version: 16.4.3508.0205)
Windows Live Essentials (Version: 16.4.3508.0205)
Windows Live Family Safety (Version: 16.4.3508.0205)
Windows Live ID Sign-in Assistant (Version: 7.250.4311.0)
Windows Live Installer (Version: 16.4.3508.0205)
Windows Live Mail (Version: 16.4.3508.0205)
Windows Live Messenger (Version: 16.4.3508.0205)
Windows Live MIME IFilter (Version: 16.4.3508.0205)
Windows Live Photo Common (Version: 16.4.3508.0205)
Windows Live PIMT Platform (Version: 16.4.3508.0205)
Windows Live SOXE (Version: 16.4.3508.0205)
Windows Live SOXE Definitions (Version: 16.4.3508.0205)
Windows Live UX Platform (Version: 16.4.3508.0205)
Windows Live UX Platform Language Pack (Version: 16.4.3508.0205)
Windows Live Writer (Version: 16.4.3508.0205)
Windows Live Writer Resources (Version: 16.4.3508.0205)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 26%
Total physical RAM: 6133.18 MB
Available physical RAM: 4511.8 MB
Total Pagefile: 12264.54 MB
Available Pagefile: 10620.4 MB
Total Virtual: 4095.88 MB
Available Virtual: 3973.77 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:596.07 GB) (Free:557.28 GB) NTFS

========================= Users: ========================================

User accounts for \\MIKE-PC

Administrator Guest Owner
RuthAnn


**** End of log ****

#6 sikntired

sikntired
  • Topic Starter

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 28 May 2013 - 07:15 AM

MBAM

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.28.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: MIKE-PC [administrator]

5/28/2013 7:06:06 AM
mbam-log-2013-05-28 (07-06-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233659
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#7 sikntired

sikntired
  • Topic Starter

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 28 May 2013 - 08:00 AM

MBAR said congratulations nothing to repair with no logs generated.

 

Rkill

 

Rkill 2.5.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/28/2013 07:54:52 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\Owner\Desktop\rkill\rkill-05-28-2013-07-54-53.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 05/28/2013 07:55:01 AM
Execution time: 0 hours(s), 0 minute(s), and 9 seconds(s)



#8 sikntired

sikntired
  • Topic Starter

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 28 May 2013 - 08:11 AM

FWIW yesterday prior to running SAS got a notification that a new version of SAS was available. I hesitated as I have SAS as an on-demand utility and update manually. Thought it was unusual. Never happened before. I did let it update and then ran a scan. The results showed this:

 

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/27/2013 at 06:33 PM

Application Version : 5.6.1020

Core Rules Database Version : 10449
Trace Rules Database Version: 8261

Scan type       : Quick Scan
Total Scan Time : 00:06:55

Operating System Information
Windows 7 Professional 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned      : 590
Memory threats detected   : 1
Registry items scanned    : 61782
Registry threats detected : 0
File items scanned        : 10632
File threats detected     : 3

Adware.Tracking Cookie
 C:\USERS\RUTHANN\AppData\Roaming\Microsoft\Windows\Cookies\Low\ANUC9Z6E.txt [ Cookie:ruthann@tribalfusion.com/ ]
 C:\USERS\RUTHANN\AppData\Roaming\Microsoft\Windows\Cookies\Low\IU5U54JR.txt [ Cookie:ruthann@statse.webtrendslive.com/ ]

Trojan.Agent/Gen-Zbot
 C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_64\MENUSKINNING\52335209226F951A05556534B3ADBB9C\MENUSKINNING.NI.DLL
 C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_64\MENUSKINNING\52335209226F951A05556534B3ADBB9C\MENUSKINNING.NI.DLL



#9 sikntired

sikntired
  • Topic Starter

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 28 May 2013 - 08:52 AM

Is it possible that the SAS update notification and the scan results are more than coincidental? I wonder that by clicking on update I was allowing SAS to install PUP via memory and files. I would be highly disappointed.

 

Did some extensive research and found that this trojan had been mentioned in SAS Forums as possibly being false/positive?

 

Broni, thank you for your time, I am very appreciative.

 

sik



#10 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:02:57 AM

Posted 28 May 2013 - 10:23 AM

Is it possible that the SAS update notification and the scan results are more than coincidental? I wonder that by clicking on update I was allowing SAS to install PUP via memory and files. I would be highly disappointed.

 

Did some extensive research and found that this trojan had been mentioned in SAS Forums as possibly being false/positive?

 

Broni, thank you for your time, I am very appreciative.

 

sik

 

Sorry to jump in here Broni, but I suggest uploading the files to https://www.virustotal.com/en/ and http://virusscan.jotti.org/en and then see what it comes up with. Whilst it is probably is a false positive (since I've seen the threads too) I suggest you change your passwords of important sites such as emails and banking just in case that it isn't a false postive since most Trojans will steal your passwords.


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#11 sikntired

sikntired
  • Topic Starter

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 28 May 2013 - 11:06 AM

Thanks xXToffeeXx for your input. Did as you suggested and nothing remarkable as 0/47. Thinking about uninstalling SAS and doing a reinstall. Will definitely take appropriate precautionary measures.

 

sik



#12 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:02:57 AM

Posted 28 May 2013 - 11:21 AM

I would say it is definitely a false positive, so good on you for asking before removing. I tend to use SAS every so often just as an extra check, I prefer to use Malwarebytes when I think a machine is infected and can be another good security layer along with your anti-virus.

 

If you want to make sure your machine is completely clean and has no items leftover then I can provide you with a scan.


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#13 sikntired

sikntired
  • Topic Starter

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 28 May 2013 - 11:29 AM

That is very kind of you and would be appreciated.



#14 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:02:57 AM

Posted 28 May 2013 - 11:42 AM

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Post in this topic if it found anything or not.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#15 sikntired

sikntired
  • Topic Starter

  • Members
  • 1,085 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:57 PM

Posted 28 May 2013 - 12:56 PM

Eset scanner said no threats found :) IS THAT EVER A RELIEF. Is there anything else to do? Are there any layers of protection that I might add?

 

Thanks for all the help and advice

 

Best Regards........sik






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users