
ZeroAccess Infection Discovered by RKill after 'Antivirus Security Pro' Malware


44 replies to this topic

#1 TwiztedTBone

  • Members
  • 24 posts

Posted 21 October 2013 - 03:29 PM

Greetings from Corporate America!

 

Long time listener, first time caller.

 

One of my users complained to me that our AV kept popping up and wouldn't let him open anything. Naturally, I knew right away that wasn't our AV solution, and when I went back and checked, I regrettably confirmed this notion. It was 'Antivirus Security Pro', and I had recognized a few of the symptoms from other Malware I've dealt with in the past.

 

I performed my usual RKill >> MBAM solution (which works most of the time to at least get me into a workable state for deeper cleaning), however I noticed a couple of things that were troubling about this particular instance. Firstly, RKill did not fully kill all malicious processes, as AVSP popped right back up after RKill did its work (I was able to kill it via Process Explorer manually, but not until after running RKill a second time, overwriting the original log). Secondly, I noticed a very troubling few lines in the RKill log, which I've pasted below, along with the MBAM Full Scan log.

 

This is a Win 7 x64 laptop running on a Windows Domain. Our network AV is Trend Micro. I recommend to all of our users to use Chrome or Firefox, however it seems this one was using IE (IE 9, to be specific).

 

Important Note: The issues caught by MBAM where no action was taken are Group Policy implementations within our domain; as far as I know these are nothing to worry about, except the "don't load|wscui.cpl", I was a little unsure of this one.

 

Huge thanks in advance for the amazing people who volunteer their time here. KCCO!

 

RKill Log:

Rkill 2.6.2 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 10/21/2013 02:08:46 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Program Files (x86)\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\   \ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\   \...\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\   \...\ﯹ๛\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\   \...\ﯹ๛\{a1b74c4a-a821-f239-11c3-9ba89446abca}\ [ZA Dir]
     * C:\Users\tgurtner\AppData\Local\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\ [ZA Dir]
     * C:\Users\tgurtner\AppData\Local\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\❤≸⋙\ [ZA Dir]
     * C:\Users\tgurtner\AppData\Local\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\❤≸⋙\Ⱒ☠⍨\ [ZA Dir]
     * C:\Users\tgurtner\AppData\Local\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\ [ZA Dir]
     * C:\Users\tgurtner\AppData\Local\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{a1b74c4a-a821-f239-11c3-9ba89446abca}\ [ZA Dir]
 
 * ALERT: ZEROACCESS Reparse Point/Junction found!
 
     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpClient.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => c:\windows\system32\config [File]
 
Checking Windows Service Integrity: 
 
 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic
 
 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Disabled
 
 * PcaSvc [Missing Service]
 * PolicyAgent [Missing Service]
 * RemoteAccess [Missing Service]
 * WinDefend [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 10/21/2013 02:08:55 PM
Execution time: 0 hours(s), 0 minute(s), and 9 seconds(s)
 
MBAM Log:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.10.21.08
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
tgurtner :: SMX-US-LT063 [administrator]
 
10/21/2013 2:12:36 PM
mbam-log-2013-10-21 (14-12-36).txt
 
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 345940
Time elapsed: 1 hour(s), 1 minute(s), 39 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 3
HKCU\Control Panel\don't load|wscui.cpl (Hijack.SecurityCenter) -> Data: No -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|AS2014 (Malware.Packer.CV) -> Data: C:\ProgramData\n3sn9nng\n3sn9nng.exe -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceActiveDesktopOn (PUM.Hijack.Desktop) -> Bad: (1) Good: (0) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|NoDispAppearancePage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 5
C:\ProgramData\n3sn9nng\n3sn9nng.exe (Malware.Packer.CV) -> Quarantined and deleted successfully.
\\SEMEXUSA-FILE\USERS\tgurtner\Desktop\ANTIVIRUS SECURITY PRO SUPPORT.URL (Rogue.AntiVirusSecurity) -> Quarantined and deleted successfully.
\\SEMEXUSA-FILE\USERS\tgurtner\Desktop\ANTIVIRUS SECURITY PRO.LNK (Rogue.AntiVirusSecurity) -> Quarantined and deleted successfully.
H:\Desktop\ANTIVIRUS SECURITY PRO SUPPORT.URL (Rogue.AntiVirusSecurity) -> Quarantined and deleted successfully.
H:\Desktop\ANTIVIRUS SECURITY PRO.LNK (Rogue.AntiVirusSecurity) -> Quarantined and deleted successfully.
 
(end)
 

One thing worth noting:

I have this user's PC for the remainder of the afternoon (around 2 hours), however I will need to return it to him right away tomorrow morning, so my responses may be delayed as I work around his schedule. 

 

Thanks again!
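The RKill log quoted in this post is the part a responder actually acts on: the folders tagged `[ZA Dir]`, the Windows Defender files that resolve to the system32 config directory instead of their real location, and the services RKill reports as missing or stopped. As an added example that is not part of this thread, of RKill, or of BleepingComputer's tooling, the Python script below parses that output into a structured summary so the indicators can be triaged or attached to a ticket without re-reading the whole log. The sample log embedded in it is a constructed, shortened copy of the one posted above; the section banners and line formats it matches are those of the RKill 2.6.2 output shown. The `redirected_system_files` helper and its default `system32\config` test are an assumption about what is worth flagging, taken from what RKill itself alerted on here.

```python
"""Triage of an RKill log: pull the ZeroAccess-style indicators RKill prints
("[ZA Dir]" folders, reparse points that redirect real files, security
services missing or stopped) into one summary. Added example for this
thread; not part of RKill. Banners and line shapes follow the RKill 2.6.2
log quoted above."""

import re
from dataclasses import dataclass, field

# Section banners exactly as RKill 2.6.2 prints them (from the log in the thread).
ZA_DIR_HEADER = "ALERT: ZEROACCESS rootkit symptoms found!"
REPARSE_HEADER = "ALERT: ZEROACCESS Reparse Point/Junction found!"
SERVICE_HEADER = "Checking Windows Service Integrity:"

# Line shapes, matched after stripping leading/trailing whitespace.
ZA_DIR_RE = re.compile(r"^\*\s+(?P<path>.+?)\s+\[ZA Dir\]$")
REPARSE_RE = re.compile(r"^\*\s+(?P<src>.+?)\s+=>\s+(?P<dst>.+?)\s+\[(?P<kind>Dir|File)\]$")
MISSING_SVC_RE = re.compile(r"^\*\s+(?P<name>\S+)\s+\[Missing Service\]$")
STOPPED_SVC_RE = re.compile(r"^\*\s+(?P<display>.+?)\s+\((?P<name>\w+)\)\s+is not Running\.$")
STARTUP_RE = re.compile(r"^Startup Type set to:\s+(?P<mode>\w+)$")


@dataclass
class Findings:
    za_dirs: list = field(default_factory=list)           # paths tagged "[ZA Dir]"
    reparse_points: list = field(default_factory=list)    # (source, target, "Dir" | "File")
    missing_services: list = field(default_factory=list)  # service names RKill could not find
    stopped_services: dict = field(default_factory=dict)  # name -> configured startup type


def parse_rkill_log(text: str) -> Findings:
    """Single pass over the log, tracking which RKill section we are in."""
    found = Findings()
    section = None
    pending = None  # stopped service whose "Startup Type" line comes next
    for raw in text.splitlines():
        line = raw.strip()
        if ZA_DIR_HEADER in line:
            section = "za"
        elif REPARSE_HEADER in line:
            section = "reparse"
        elif line.startswith(SERVICE_HEADER):
            section = "services"
        elif line.endswith(":"):
            section = None  # any other "Checking ...:" banner closes the current section
        elif section == "za" and (m := ZA_DIR_RE.match(line)):
            found.za_dirs.append(m["path"])
        elif section == "reparse" and (m := REPARSE_RE.match(line)):
            found.reparse_points.append((m["src"], m["dst"], m["kind"]))
        elif section == "services":
            if m := MISSING_SVC_RE.match(line):
                found.missing_services.append(m["name"])
            elif m := STOPPED_SVC_RE.match(line):
                pending = m["name"]
            elif pending and (m := STARTUP_RE.match(line)):
                found.stopped_services[pending] = m["mode"]
                pending = None
    return found


def redirected_system_files(found: Findings, target_fragment: str = r"system32\config") -> list:
    """Sources of reparse points whose target contains target_fragment.
    Assumption: a Windows Defender file that resolves into the registry hive
    directory is never legitimate, so each hit is a hidden original."""
    frag = target_fragment.lower()
    return [src for src, dst, _ in found.reparse_points if frag in dst.lower()]


def summarize(found: Findings) -> dict:
    """Compact view suitable for a ticket or a follow-up post."""
    return {
        "za_dirs": len(found.za_dirs),
        "redirected_files": len(redirected_system_files(found)),
        "missing_services": list(found.missing_services),
        "stopped_services": dict(found.stopped_services),
    }


# Constructed sample: a shortened copy of the RKill output quoted in the thread.
SAMPLE_LOG = r"""
Performing miscellaneous checks:
 * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\Program Files (x86)\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\ [ZA Dir]
     * C:\Users\tgurtner\AppData\Local\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\❤≸⋙\ [ZA Dir]
 * ALERT: ZEROACCESS Reparse Point/Junction found!
     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MSASCui.exe => c:\windows\system32\config [File]
Checking Windows Service Integrity:
 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic
 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Disabled
 * PcaSvc [Missing Service]
 * WinDefend [Missing Service]
Searching for Missing Digital Signatures:
 * No issues found.
"""

if __name__ == "__main__":
    print(summarize(parse_rkill_log(SAMPLE_LOG)))
```

Run it against a saved `Rkill.txt` by replacing `SAMPLE_LOG` with the file's contents; the section tracking matters because RKill prints "No issues found." style lines under several banners and the service regexes should only fire inside the service-integrity block.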





#2 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 October 2013 - 03:38 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Regards,

Georgi




#3 TwiztedTBone
  • Topic Starter

  • Members
  • 24 posts

Posted 21 October 2013 - 04:21 PM

Greetings Georgi, thanks for the fast reply!

 

FRST has been running for about 25 minutes now, and its status has not changed in that time. It is sitting on:

 

Scanning Registry: HKU\Default\Software\Microsoft\Windows NT\CurrentVersion\Winlogon- Shell

 

and has been for about 20 minutes. Should I be concerned or does this usually take a while?



#4 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 21 October 2013 - 04:26 PM

Hi,

 

Usually it doesn't take so long. Let me check with the developer and I will reply back as soon as possible.

 

 

Regards,

Georgi




#5 TwiztedTBone
  • Topic Starter

  • Members
  • 24 posts

Posted 21 October 2013 - 04:46 PM

Thank you.

 

I may take a bit of time to respond... I am leaving my office but will be returning after an appointment to collect the laptop and take it home with me.

 

I will await your instructions until then. 



#6 TwiztedTBone
  • Topic Starter

  • Members
  • 24 posts

Posted 21 October 2013 - 05:59 PM

I am back in my office now. Would it be advisable to turn off the computer so I can take it home with me and continue working on it?



#7 TwiztedTBone
  • Topic Starter

  • Members
  • 24 posts

Posted 21 October 2013 - 06:23 PM

I am leaving my office for the night. I will resume working on this tomorrow morning. Thank you for your time thus far.



#8 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 22 October 2013 - 02:16 AM

Hi,

 

It seems that we have a different timezone. I hope we can fix it on time then.

Can you please run the scan with FRST in Safe Mode and post back the results?

 

 

Regards,

Georgi




#9 TwiztedTBone
  • Topic Starter

  • Members
  • 24 posts

Posted 22 October 2013 - 09:33 AM

Running the program from Safe Mode did the trick. Please find below the FRST log and attached the Addition log.

 

FRST:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 21-10-2013
Ran by Semex USA (administrator) on SMX-US-LT063 on 22-10-2013 09:24:54
Running from C:\Users\Semex USA\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [ForteConfig] - C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-25] ()
HKLM\...\Run: [SmartAudio] - C:\Program Files\CONEXANT\SAII\SAIICpl.exe [316032 2011-03-14] (Conexant systems, Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2916112 2012-04-08] (Synaptics Incorporated)
HKLM\...\Run: [TpShocks] - C:\Windows\system32\TpShocks.exe [382528 2012-02-25] (Lenovo.)
HKLM\...\Run: [LENOVO.TPKNRRES] - C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [44096 2012-01-16] (Lenovo Group Limited)
HKLM\...\Run: [ALCKRESI.EXE] - C:\Program Files\Lenovo\AutoLock\ALCKRESI.EXE [388160 2012-03-30] (Lenovo Group Limited)
HKLM\...\Run: [AS2014] - C:\ProgramData\n3sn9nng\n3sn9nng.exe
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\n3sn9nng\n3sn9nng.exe -sm,
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\psfus: C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll (UPEK Inc.)
MountPoints2: {f3decddf-2d10-11e2-8673-806e6f6e6963} - Q:\LenovoQDrive.exe
HKLM-x32\...\Run: [RotateImage] - C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe [55808 2008-10-30] (Ricoh co.,Ltd.)
HKLM-x32\...\Run: [IMSS] - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [112152 2011-01-16] (Intel Corporation)
HKLM-x32\...\Run: [PWMTRV] - C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL [5941344 2012-05-15] (Lenovo Group Limited)
HKLM-x32\...\Run: [Lenovo Registration] - C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe [4351712 2011-07-13] (Lenovo, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [OfficeScanNT Monitor] - C:\Program Files (x86)\TrendMicro\Client Server Security Agent\pccntmon.exe [1505072 2010-03-02] (Trend Micro Inc.)
HKLM-x32\...\Run: [ConnectionCenter] - C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [309184 2012-03-28] (Citrix Systems, Inc.)
HKU\Default\...\RunOnce: [Lenovo.ShowBand] - C:\Program Files\Lenovo\SimpleTap DeskBand\ShowBand.exe [52584 2013-05-17] (Lenovo)
HKU\Default\...\RunOnce: [] - [x]
HKU\Default\...\RunOnce: [Lenovoautoqdrive] - C:\PROGRA~2\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe [159744 2009-03-24] ()
HKU\Default User\...\RunOnce: [Lenovo.ShowBand] - C:\Program Files\Lenovo\SimpleTap DeskBand\ShowBand.exe [52584 2013-05-17] (Lenovo)
HKU\Default User\...\RunOnce: [] - [x]
HKU\Default User\...\RunOnce: [Lenovoautoqdrive] - C:\PROGRA~2\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe [159744 2009-03-24] ()
HKU\tgurtner\...\Run: [ShoreTel Personal Call Manager] - C:\Program Files (x86)\Shoreline Communications\ShoreWare Client\ShoreTel.exe [2473984 2013-07-23] (ShoreTel Inc.)
HKU\tgurtner\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [20472992 2013-10-02] (Skype Technologies S.A.)
HKU\tgurtner\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\tgurtner\...\Run: [Google Update] - [x]
HKU\tgurtner\...\Policies\system: [SetVisualStyle] %windir%\resources\Themes\Zune\zune.msstyles
HKU\tgurtner\...\Policies\system: [NoDispAppearancePage] 1
HKU\tgurtner\...\Policies\system: [Wallpaper] \\semexusa-file\Shared\MARKETING\Backgrounds\background.jpg
HKU\tgurtner\...\Policies\system: [WallpaperStyle] 0
Lsa: [Notification Packages] scecli C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/welcome/thinkpad
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=CKMB&bmod=CKMB
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=CKMB&bmod=CKMB
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com/ig/redirectdomain?brand=CKMB&bmod=CKMB
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = 
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkpad
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files (x86)\TrendMicro\Client Server Security Agent\bho\1006\TmIEPlg.dll (Trend Micro Inc.)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files (x86)\TrendMicro\Client Server Security Agent\bho\1006\TmIEPlg32.dll (Trend Micro Inc.)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\TrendMicro\Client Server Security Agent\bho\1006\TmIEPlg.dll (Trend Micro Inc.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\TrendMicro\Client Server Security Agent\bho\1006\TmIEPlg32.dll (Trend Micro Inc.)
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1 192.168.1.1
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.95\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.95\pdf.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\23.0.1271.95\gcswf32.dll No File
CHR Plugin: (Norton Confidential) - C:\Users\Semex USA\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.1.0.30_0\npcoplgn.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Extension: (YouTube) - C:\Users\SEMEXU~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0
CHR Extension: (Google Search) - C:\Users\SEMEXU~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0
CHR Extension: (Gmail) - C:\Users\SEMEXU~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Services (Whitelisted) =================
 
S3 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [320576 2012-05-15] (Lenovo.)
S2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [133992 2011-07-12] (Lenovo Group Limited)
S2 ntrtscan; C:\Program Files (x86)\TrendMicro\Client Server Security Agent\ntrtscan.exe [1816368 2010-02-26] (Trend Micro Inc.)
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [22376 2013-06-26] ()
S3 TMBMServer; C:\Program Files (x86)\TrendMicro\BM\TMBMSRV.exe [570632 2009-07-06] (Trend Micro Inc.)
S2 tmlisten; C:\Program Files (x86)\TrendMicro\Client Server Security Agent\tmlisten.exe [2042592 2010-02-26] (Trend Micro Inc.)
S3 TmProxy; C:\Program Files (x86)\TrendMicro\Client Server Security Agent\TmProxy.exe [917768 2009-07-15] (Trend Micro Inc.)
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\   \...\???\{a1b74c4a-a821-f239-11c3-9ba89446abca}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
R1 PHCORE; C:\Program Files\Lenovo\RapidBoot\PHCORE64.SYS [33344 2012-03-26] (Lenovo Group Limited)
S2 smihlp; C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [13840 2009-03-13] (UPEK Inc.)
S3 staccel; C:\Windows\System32\DRIVERS\staccel.sys [35168 2013-07-23] (ShoreTel, Inc)
S2 TmFilter; C:\Program Files (x86)\TrendMicro\Client Server Security Agent\TmXPFlt.sys [344864 2013-08-14] (Trend Micro Inc.)
S2 TmPreFilter; C:\Program Files (x86)\TrendMicro\Client Server Security Agent\TmPreFlt.sys [42272 2013-08-14] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [107536 2009-07-15] (Trend Micro Inc.)
S3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [41536 2009-09-24] (Lenovo (United States) Inc.)
S2 VSApiNt; C:\Program Files (x86)\TrendMicro\Client Server Security Agent\VSApiNt.sys [2260768 2013-08-14] (Trend Micro Inc.)
U3 tmpfw; 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-22 09:24 - 2013-10-21 15:51 - 01954670 _____ (Farbar) C:\Users\Semex USA\Desktop\FRST64.exe
2013-10-21 15:57 - 2013-10-21 15:57 - 00000000 ____D C:\FRST
2013-10-21 14:10 - 2013-10-21 14:10 - 00000000 ____D C:\Users\tgurtner\AppData\Roaming\Malwarebytes
2013-10-21 14:10 - 2013-10-21 14:10 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-21 14:10 - 2013-10-21 14:10 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-21 14:10 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-10-21 13:46 - 2013-10-21 13:46 - 00207872 _____ C:\Windows\prineown.dll
2013-10-21 13:46 - 2013-10-21 13:46 - 00077312 _____ C:\Windows\prineown64.dll
2013-10-21 13:01 - 2013-10-21 13:01 - 00207872 _____ C:\Windows\SysWOW64\prineown.dll
2013-10-21 13:01 - 2013-10-21 13:01 - 00077312 _____ C:\Windows\system32\prineown64.dll
2013-10-21 13:00 - 2013-10-21 13:00 - 00000000 ____D C:\Users\tgurtner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
2013-10-21 12:52 - 2013-10-21 15:16 - 00000000 ____D C:\ProgramData\n3sn9nng
2013-10-21 12:52 - 2013-10-21 12:52 - 00236568 _____ C:\Windows\RegBootClean64.exe
2013-10-02 12:00 - 2013-10-02 12:00 - 00000000 ____D C:\Users\tpautsch\AppData\Roaming\ICAClient
2013-10-02 12:00 - 2013-10-02 12:00 - 00000000 ____D C:\Users\tpautsch\AppData\Local\Citrix
 
==================== One Month Modified Files and Folders =======
 
2013-10-22 08:47 - 2013-01-07 07:41 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-22 08:41 - 2012-11-12 17:02 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-22 07:41 - 2012-11-12 17:02 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-22 03:36 - 2012-11-12 16:59 - 01916564 _____ C:\Windows\WindowsUpdate.log
2013-10-21 17:58 - 2009-07-14 00:13 - 00745014 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-21 15:57 - 2013-10-21 15:57 - 00000000 ____D C:\FRST
2013-10-21 15:51 - 2013-10-22 09:24 - 01954670 _____ (Farbar) C:\Users\Semex USA\Desktop\FRST64.exe
2013-10-21 15:31 - 2013-02-22 14:34 - 00000000 ____D C:\Users\tgurtner\AppData\Roaming\Skype
2013-10-21 15:31 - 2009-07-13 23:45 - 00031296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-21 15:31 - 2009-07-13 23:45 - 00031296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-21 15:26 - 2012-12-06 12:13 - 00000031 _____ C:\tmuninst.ini
2013-10-21 15:23 - 2012-12-07 09:36 - 00001752 _____ C:\Windows\PFRO.log
2013-10-21 15:23 - 2012-12-06 13:47 - 00007696 _____ C:\Windows\setupact.log
2013-10-21 15:23 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-21 15:16 - 2013-10-21 12:52 - 00000000 ____D C:\ProgramData\n3sn9nng
2013-10-21 14:10 - 2013-10-21 14:10 - 00000000 ____D C:\Users\tgurtner\AppData\Roaming\Malwarebytes
2013-10-21 14:10 - 2013-10-21 14:10 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-21 14:10 - 2013-10-21 14:10 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-21 13:46 - 2013-10-21 13:46 - 00207872 _____ C:\Windows\prineown.dll
2013-10-21 13:46 - 2013-10-21 13:46 - 00077312 _____ C:\Windows\prineown64.dll
2013-10-21 13:45 - 2012-12-06 13:46 - 00000112 _____ C:\Windows\system32\config\netlogon.ftl
2013-10-21 13:01 - 2013-10-21 13:01 - 00207872 _____ C:\Windows\SysWOW64\prineown.dll
2013-10-21 13:01 - 2013-10-21 13:01 - 00077312 _____ C:\Windows\system32\prineown64.dll
2013-10-21 13:00 - 2013-10-21 13:00 - 00000000 ____D C:\Users\tgurtner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
2013-10-21 12:52 - 2013-10-21 12:52 - 00236568 _____ C:\Windows\RegBootClean64.exe
2013-10-21 12:51 - 2012-12-06 13:51 - 00000000 ____D C:\Users\tgurtner\AppData\Local\Google
2013-10-21 12:51 - 2012-11-12 17:01 - 00000000 ____D C:\Program Files (x86)\Google
2013-10-21 06:25 - 2013-02-22 14:34 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-10-21 06:25 - 2013-02-22 14:33 - 00000000 ____D C:\ProgramData\Skype
2013-10-16 07:36 - 2012-11-12 17:02 - 00003908 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-16 07:36 - 2012-11-12 17:02 - 00003656 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-09 08:48 - 2013-01-07 07:41 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-09 08:48 - 2013-01-07 07:41 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-09 08:48 - 2013-01-07 07:41 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-10-02 12:01 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2013-10-02 12:00 - 2013-10-02 12:00 - 00000000 ____D C:\Users\tpautsch\AppData\Roaming\ICAClient
2013-10-02 12:00 - 2013-10-02 12:00 - 00000000 ____D C:\Users\tpautsch\AppData\Local\Citrix
2013-09-23 09:58 - 2012-12-06 13:58 - 00000000 ____D C:\Users\tgurtner\AppData\Roaming\LSC
 
Files to move or delete:
====================
ZeroAccess:
C:\Users\tgurtner\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
 
 
Some content of TEMP:
====================
C:\Users\tgurtner\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
C:\Users\tgurtner\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\tgurtner\AppData\Local\Temp\SkypeSetup.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
 
LastRegBack: 2013-10-21 10:08
 

 

==================== End Of Log ============================
 
Attached File  Addition.txt   22.43KB   2 downloads


#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:41 AM

Posted 22 October 2013 - 11:42 AM

Hi,

 

Did you set these restrictions yourself?

 

HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION

 

 

Regards,

Georgi




#11 TwiztedTBone

TwiztedTBone
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 22 October 2013 - 01:32 PM

I believe this is part of our Group Policy in our Domain; however, I would say it's safe to make changes to it in case they are infected. I can always just force a Group Policy update to my user.

 

You can feel free to add them to the fixlist.txt if that's why you were asking.



#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:41 AM

Posted 22 October 2013 - 02:19 PM

Ok then,

 

 

Next, please download this file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

Run FRST again and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Regards,

Georgi




#13 TwiztedTBone

TwiztedTBone
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 22 October 2013 - 03:18 PM

FRST has been running with the 'Fixing is in progress. Please wait....' dialogue for around 25 minutes now. Should I attempt this in Safe Mode or is it normal for it to take this long?



#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:41 AM

Posted 22 October 2013 - 04:13 PM

Hi,

 

Try the fix from Safe Mode please; it should take no more than a few minutes to complete.

 

 

Regards,

Georgi




#15 TwiztedTBone

TwiztedTBone
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 22 October 2013 - 04:41 PM

Hmm...it seems as though Safe Mode is not the issue. I cannot run FRST as the user in question because his account is a domain account. If I run these tools as a local administrator on the machine it works just fine. 

 

Here is the Fixlog.

 

FRST Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-10-2013

Ran by Semex USA at 2013-10-22 16:33:09 Run:3
Running from C:\Users\Semex USA\Desktop
Boot Mode: Safe Mode (minimal)
==============================================
 
Content of fixlist:
*****************
start
HKLM\...\Run: [AS2014] - C:\ProgramData\n3sn9nng\n3sn9nng.exe
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\n3sn9nng\n3sn9nng.exe -sm,
HKU\Default\...\RunOnce: [] - [x]
HKU\Default User\...\RunOnce: [] - [x]
HKU\tgurtner\...\Run: [Google Update] - [x]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{a1b74c4a-a821-f239-11c3-9ba89446abca}\   \...\???\{a1b74c4a-a821-f239-11c3-9ba89446abca}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\ProgramData\n3sn9nng
C:\Users\tgurtner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
C:\Users\tgurtner\AppData\Local\Google\Desktop\Install
C:\Program Files (x86)\Google\Desktop\Install
C:\Users\tgurtner\AppData\Local\Temp
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
end
 
 
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value not found.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
HKU\Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ => Value not found.
HKU\Default User\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ => Value not found.
HKU\tgurtner\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update => Value not found.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
*etadpug => Service deleted successfully.
C:\ProgramData\n3sn9nng => Moved successfully.
C:\Users\tgurtner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro => Moved successfully.
C:\Users\tgurtner\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Program Files (x86)\Google\Desktop\Install => Moved successfully.
C:\Users\tgurtner\AppData\Local\Temp => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
 
==== End of Fixlog ====
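The Fixlog above records three things FRST repaired on this machine: the Winlogon Userinit value that had a second executable appended after userinit.exe, four Software Restriction Policy path rules that locked the user out of %SystemRoot% and %ProgramFilesDir%, and reparse points that ZeroAccess had planted on the files in the Windows Defender folder. The script below is an added post-fix verification check written for this thread; it is not part of FRST, Farbar's tools or any post in the thread. It re-reads those three locations and reports anything still out of place. The folder path, the expected default Userinit value, and the Safer level numbers are assumptions for a default Windows 7 x64 install and should be adjusted for other versions.

```powershell
# Added verification script (not from the thread or FRST): re-check the three
# markers the Fixlog reported on after the fix has run. Run from an elevated
# PowerShell prompt. $DefenderDir and $ExpectedUserinit are assumptions for a
# default Windows 7 x64 install.

$DefenderDir      = 'C:\Program Files\Windows Defender'   # folder flagged in the FRST log
$ExpectedUserinit = 'C:\Windows\system32\userinit.exe,'   # assumed default on Windows 7

$findings = @()

# 1) Userinit hijack: the rogue AV had appended its own EXE after userinit.exe.
#    Split the comma-separated value and flag every entry that is not userinit.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$extra = $userinit -split ',' |
         Where-Object { $_.Trim() -ne '' } |
         Where-Object { $_.Trim() -notmatch '^(C:\\Windows\\system32\\)?userinit\.exe$' }
if ($extra) {
    $findings += "Userinit has extra entries: $($extra -join ' | ') (expected '$ExpectedUserinit')"
}

# 2) Software Restriction Policy path rules. The "Group Policy restriction on
#    software" lines in the FRST log are stored as <level>\Paths\{GUID} keys with
#    an ItemData value. Level 0 is Disallowed, 262144 is Unrestricted; a default
#    SRP has two Unrestricted rules for the same registry paths, so the level is
#    what distinguishes the legitimate rules from the ones that blocked the user.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $saferRoot) {
    Get-ChildItem -Path $saferRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ItemData) {
            $level = ($_.Name -split '\\')[-3]            # ...\<level>\Paths\{GUID}
            $name  = switch ($level) { '0' { 'Disallowed' } '262144' { 'Unrestricted' } default { "level $level" } }
            $tag   = if ($level -eq '0') { 'SRP rule (Disallowed, review)' } else { "SRP rule ($name)" }
            $findings += "${tag}: $($p.ItemData)"
        }
    }
}

# 3) Reparse points under the Defender folder. ZeroAccess replaced the real DLLs
#    and EXEs with junctions so Defender could not load; after the fix none of
#    these files should carry the ReparsePoint attribute.
if (Test-Path $DefenderDir) {
    Get-ChildItem -Path $DefenderDir -Force -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
      ForEach-Object { $findings += "Reparse point still present: $($_.FullName)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Userinit hijack, Disallowed SRP path rule, or Defender reparse point found.'
} else {
    $findings | ForEach-Object { Write-Output "ATTENTION: $_" }
}
```

The SRP section lists every path rule rather than only the Disallowed ones, because on a domain-joined machine like the one in this thread the Unrestricted rules may be legitimate Group Policy and the administrator needs to see both to decide which lines should survive a forced policy refresh.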




