
Spyware.Zbot.ED -- Is it Gone?


7 replies to this topic

#1 Queen-Evie


Posted 15 June 2014 - 09:12 AM

While on another forum this morning I noticed someone had copy/pasted the contents of a suspicious email. The email included what appeared to be a phishing link. I needed to find out if the link was still active; if yes, I would have to remove the post from public view.

Clicked the link and was redirected to a page which automatically asked if I wanted to run or save it. I meant to click SAVE, then upload to VirusTotal for analysis. Instead of clicking Save, I accidentally hit Run. Nothing opened but the damage was done.

The next thing I know ESET popped up a warning blocking access to something.

In total there were 101 warnings. I was notified about the block 1 time for the first one, 10 times for the 3rd one, the rest were for the 2nd entry.
 
6/15/2014 7:02:40 AM Real-time file system protection file C:\Users\Evie\AppData\Local\bxuxnjab.exe Win32/TrojanDownloader.Zortob.F trojan cleaned by deleting - quarantined t38\Evie Event occurred on a new file created by the application: C:\Windows\SysWOW64\svchost.exe.
 
 
I did manage to get the file saved. VirusTotal reported this about it:
Sophos - Troj/Invo-Zip
Qihoo-360 - Malware.QVM07.Gen

 

After the VirusTotal report I ran MBAM.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

 

Scan Date: 6/15/2014
Scan Time: 7:06:12 AM
Logfile: MBAM scan.txt
Administrator: Yes

 

Version: 2.00.2.1012
Malware Database: v2014.06.15.02
Rootkit Database: v2014.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

 

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Evie

 

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 297306
Time Elapsed: 10 min, 17 sec

 

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

 

Processes: 1
Spyware.Zbot.ED, C:\Users\Evie\AppData\Local\hmfxqxpg.exe, 7456, Delete-on-Reboot, [d1ed92e6c2b9270fcbaf137716eb1de3]

 

Modules: 0
(No malicious items detected)

 

Registry Keys: 0
(No malicious items detected)

 

Registry Values: 0
(No malicious items detected)

 

Registry Data: 0
(No malicious items detected)

 

Folders: 0
(No malicious items detected)

 

Files: 1
Spyware.Zbot.ED, C:\Users\Evie\AppData\Local\hmfxqxpg.exe, Delete-on-Reboot, [d1ed92e6c2b9270fcbaf137716eb1de3],

 

Physical Sectors: 0

(No malicious items detected)(end)

 

I want to make sure it's gone bye bye. Also, if you see anything else let me know.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16555
Run by Evie at 7:46:25 on 2014-06-15
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3989.2164 [GMT -5:00]
.
AV: ESET Smart Security 7.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET Smart Security 7.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
FW: ESET Personal firewall *Enabled* {211E1E8B-C9F9-A04B-6D84-BC85190CE5F2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Coupons\CouponPrinterService.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files\Adblock Plus for IE\AdblockPlusEngine.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://duckduckgo.com/
uSearch Bar = Preserve
mWinlogon: Userinit = userinit.exe,
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll
uRun: [kbwugsev] "C:\Users\Evie\AppData\Local\eimfxhgb.exe"
uRun: [ogmnhnef] "C:\Users\Evie\AppData\Local\bxuxnjab.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Evie\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{861C798F-49A5-4C34-A982-6DAB4285499E} : DHCPNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll
x64-BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll
x64-Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;C:\Windows\System32\drivers\epfwwfp.sys [2013-9-17 62136]
R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2013-9-17 239320]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\Windows\System32\drivers\EpfwLWF.sys [2013-9-17 44120]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-6-19 98208]
R2 CouponPrinterService;Coupon Printer Service;C:\Program Files (x86)\Coupons\CouponPrinterService.exe [2014-2-13 177648]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2013-9-12 1337752]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-17 682040]
R2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [2014-5-14 49464]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-6-19 13592]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2011-12-8 607456]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-6-19 161560]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-6-19 363800]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-7-28 31088]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-12-6 331264]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\System32\drivers\LEqdUsb.sys [2013-5-23 77592]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\System32\drivers\LHidEqd.sys [2013-5-23 13080]
R3 SmbDrv;SmbDrv;C:\Windows\System32\drivers\Smb_driver.sys [2012-2-24 21264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 HP Support Assistant Service;HP Support Assistant Service;"C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" --> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [?]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-4-28 19456]
S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;C:\Windows\System32\drivers\RtsP2Stor.sys [2012-6-19 260712]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-6-19 648808]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TrueService;TrueAPI Service component;C:\Program Files\Common Files\AuthenTec\TrueService.exe [2011-12-9 269640]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-4-28 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-4-28 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2013-3-18 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-4-27 1255736]
.
=============== Created Last 30 ================
.
2014-06-15 11:59:59 78848 ----a-w- C:\Users\Evie\AppData\Local\eimfxhgb.exe
2014-06-15 00:36:10 -------- d--h--w- C:\ProgramData\CanonIJMIG
2014-06-13 14:21:46 10702536 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{989CDFD3-6CD1-42D0-AC69-176ED9BEB10B}\mpengine.dll
2014-06-05 21:36:09 -------- d-----w- C:\Users\Evie\AppData\Local\CyberLink
2014-06-04 16:24:24 -------- d--h--w- C:\ProgramData\CanonIJScan
2014-05-27 18:45:36 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2014-05-27 18:44:47 -------- d-----w- C:\Program Files\iPod
2014-05-27 18:44:46 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-05-27 18:44:46 -------- d-----w- C:\Program Files\iTunes
2014-05-27 18:44:46 -------- d-----w- C:\Program Files (x86)\iTunes
2014-05-23 10:28:26 536576 ----a-w- C:\Windows\SysWow64\sqlite3.dll
2014-05-23 03:47:13 -------- d-----w- C:\Program Files (x86)\IrfanView
2014-05-22 21:38:28 53248 ----a-r- C:\Users\Evie\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2014-05-22 21:37:53 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2014-05-22 21:35:18 -------- d-----w- C:\Users\Evie\AppData\Roaming\Logishrd
2014-05-22 02:42:50 -------- d-----w- C:\Program Files\Bonjour
2014-05-22 02:42:50 -------- d-----w- C:\Program Files (x86)\Bonjour
2014-05-21 21:49:41 -------- d-----w- C:\Program Files\Defraggler
2014-05-21 14:34:56 63648 ----a-w- C:\Windows\System32\athihvui.dll
2014-05-21 14:34:56 442528 ----a-w- C:\Windows\System32\athihvs.dll
2014-05-21 14:34:56 -------- d-----w- C:\Windows\System32\nn-NO
2014-05-21 14:34:46 -------- d-----w- C:\Program Files (x86)\Cisco
2014-05-21 14:21:17 -------- d-----w- C:\Program Files (x86)\Hp
2014-05-20 16:13:10 -------- d-----w- C:\HP_TOOLS_mountHPSF
2014-05-18 14:10:29 -------- d-----w- C:\Users\Evie\AppData\Roaming\BANDISOFT
2014-05-18 14:09:53 -------- d-----w- C:\Program Files (x86)\Bandicam
2014-05-18 14:09:50 -------- d-----w- C:\Program Files (x86)\BandiMPEG1
.
==================== Find3M  ====================
.
2014-06-15 12:06:07 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-05-28 18:37:06 2338816 ----a-w- C:\Windows\System32\jscript9.dll
2014-05-28 18:31:31 1392128 ----a-w- C:\Windows\System32\wininet.dll
2014-05-28 18:30:24 1494016 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-05-28 18:29:28 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-05-28 18:29:19 599040 ----a-w- C:\Windows\System32\vbscript.dll
2014-05-28 18:28:10 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2014-05-28 18:28:02 12800 ----a-w- C:\Windows\System32\mshta.exe
2014-05-28 16:39:36 1810432 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-05-28 16:32:59 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-05-28 16:32:25 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-05-28 16:30:53 421376 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-05-28 16:30:53 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-05-28 16:29:31 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-05-28 16:29:27 11776 ----a-w- C:\Windows\SysWow64\mshta.exe
2014-05-14 05:23:41 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-14 05:23:41 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-05-12 12:26:10 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-05-12 12:26:00 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-05-12 12:25:56 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-05-09 06:14:03 477184 ----a-w- C:\Windows\System32\aepdu.dll
2014-05-09 06:11:23 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-05-08 09:32:11 3178496 ----a-w- C:\Windows\System32\rdpcorets.dll
2014-05-08 09:32:11 16384 ----a-w- C:\Windows\System32\RdpGroupPolicyExtension.dll
2014-05-01 01:37:54 74703 ----a-w- C:\Windows\SysWow64\mfc45.dat
2014-04-25 02:34:59 801280 ----a-w- C:\Windows\System32\usp10.dll
2014-04-25 02:06:17 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37 28160 ----a-w- C:\Windows\System32\secur32.dll
2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05 31232 ----a-w- C:\Windows\System32\lsass.exe
2014-04-12 02:12:06 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-04-05 02:47:20 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2014-04-05 02:47:09 288192 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2014-04-02 00:05:52 659440 ----a-w- C:\Windows\couponprinter_x64.ocx
2014-04-02 00:05:52 444912 ----a-w- C:\Windows\CouponPrinter.ocx
2014-03-31 14:35:08 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-03-26 14:44:48 2002432 ----a-w- C:\Windows\System32\msxml6.dll
2014-03-26 14:44:48 1882112 ----a-w- C:\Windows\System32\msxml3.dll
2014-03-26 14:41:39 2048 ----a-w- C:\Windows\System32\msxml6r.dll
2014-03-26 14:41:39 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2014-03-26 14:27:50 1389056 ----a-w- C:\Windows\SysWow64\msxml6.dll
2014-03-26 14:27:50 1237504 ----a-w- C:\Windows\SysWow64\msxml3.dll
2014-03-26 14:25:14 2048 ----a-w- C:\Windows\SysWow64\msxml6r.dll
2014-03-26 14:25:14 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
.
============= FINISH:  7:47:26.46 ===============

 

As I was composing this post ESET gave me another warning; no clue if it is related to what happened earlier. (The same one just popped up again.)

 

6/15/2014 8:56:54 AM Real-time file system protection file C:\Users\Evie\AppData\Local\weumooqj.exe a variant of Win32/Injector.BFWK trojan cleaned by deleting - quarantined t38\Evie  Event occurred on a new file created by the application: C:\Windows\SysWOW64\svchost.exe.

 

*edit to correct spacing*

And to say that I am not opposed to reinstalling Windows if necessary.


Edited by Queen-Evie, 15 June 2014 - 09:17 AM.



 


#2 xXToffeeXx


Posted 15 June 2014 - 09:16 AM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now :thumbup2:

==========================
 
Hi Queen-Evie,
 
Zbot has indeed taken hold of your system, and it seems ESET could not completely stop it from making run entries. An FYI: VirusTotal has link scanning on their website, and they have a utility which can fetch files from a URL and scan them too.

I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request for you to run. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.
 
--------------
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~


Edited by xXToffeeXx, 15 June 2014 - 09:23 AM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 Queen-Evie


Posted 15 June 2014 - 09:28 AM

Toffee, thanks for your response.

 

Based on the following I think the correct course of action would be a reinstall of Windows 7.

 

 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

 

While I don't do any banking on this laptop, I do use it to pay 3 bills online. My payment method is stored on those 3 sites and I would not feel comfortable paying those bills if there is a chance it may not be secure when I do pay them.

 

Fortunately, I have everything I don't want to lose backed up to my external drive.

 

All this happened because I wasn't paying attention to what I was doing. Also I was waiting on the caffeine to kick in and jump start my brain cells.



#4 Queen-Evie


Posted 15 June 2014 - 09:39 AM

Question: should I change my passwords for various things I have signed into for the past few days?

 

What about passwords for my bill paying sites, which were last signed in to on June 1st?

 

I don't know if what I did this morning was the beginning of all this mess or if something has been lurking for a while.

 

I'm usually more aware of what I'm doing.



#5 xXToffeeXx


Posted 15 June 2014 - 09:54 AM

Hi Queen-Evie,

 

Reinstalling is up to you as a personal choice. Since you have everything backed up, then reinstalling would not be such a big deal, and would only take time to reinstall and set everything up. Zbot is mostly a downloader of other malware (before it was taken down, CryptoLocker was the most famous) as well as stealing personal information. The problem with Zbot is that if you leave even one part of it then it will re-create itself and carry on doing what it does normally, so automatic tools aren't so good for removing this.

If you do not feel secure, then I do suggest reinstalling for security of mind. The warning is just a general one and it's just that we cannot ever be completely sure the malware hasn't made any changes which the logs may not show.

 

I would definitely change all passwords, even ones which you have not used recently, if you do not want the account to be accessed. Email, anything which deals with payments, and sites with personal information about you are really ones you should change at least. Other accounts are less likely to be accessed as they do not hold really anything useful about you.

The infection is from this morning though, as shown by the creation times.

 

The malicious files in the logs are as follows:

Zbot:

uRun: [kbwugsev] "C:\Users\Evie\AppData\Local\eimfxhgb.exe"
uRun: [ogmnhnef] "C:\Users\Evie\AppData\Local\bxuxnjab.exe"
2014-06-15 11:59:59 78848 ----a-w- C:\Users\Evie\AppData\Local\eimfxhgb.exe
 
C:\Program Files (x86)\Coupons\CouponPrinterService.exe
R2 CouponPrinterService;Coupon Printer Service;C:\Program Files (x86)\Coupons\CouponPrinterService.exe [2014-2-13 177648]
Coupon Printer for Windows
 
Believe me, it's easy to do, and zbot is very common. Do not blame yourself, and sometimes even downloading can be dangerous waters. One time when downloading a file from a user, I don't know exactly what happened, but my AV reported zbot. Luckily it was only the downloader and was caught before it could do any damage.
 
xXToffeeXx~

Edited by xXToffeeXx, 15 June 2014 - 09:56 AM.

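A triage helper for the DDS entries this post singles out, added here as an example; it is not code from the thread, DDS, ESET or Malwarebytes. The `triage` and `looks_random` functions, the random-name heuristic and the sample log (built from lines quoted in post #1) are my own assumptions.

```python
"""Triage helper for DDS log lines like those quoted in this thread.

Added example (not from the thread, DDS, ESET or Malwarebytes).  It parses
the Run entries of the "Pseudo HJT Report" section and the file entries of
the "Created Last 30" section, then flags the pattern post #5 points at:
an autorun that launches an .exe dropped straight into AppData\\Local,
cross-checked against files created on the incident day.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample taken from the DDS output in post #1, plus benign
# entries so the non-matching cases are visible too.
SAMPLE_LOG = """\
uRun: [kbwugsev] "C:\\Users\\Evie\\AppData\\Local\\eimfxhgb.exe"
uRun: [ogmnhnef] "C:\\Users\\Evie\\AppData\\Local\\bxuxnjab.exe"
mRun: [iTunesHelper] "C:\\Program Files (x86)\\iTunes\\iTunesHelper.exe"
x64-Run: [egui] "C:\\Program Files\\ESET\\ESET Smart Security\\egui.exe" /hide /waitservice
2014-06-15 11:59:59 78848 ----a-w- C:\\Users\\Evie\\AppData\\Local\\eimfxhgb.exe
2014-06-05 21:36:09 -------- d-----w- C:\\Users\\Evie\\AppData\\Local\\CyberLink
2014-05-27 18:45:36 33240 ----a-w- C:\\Windows\\System32\\drivers\\GEARAspiWDM.sys
"""

# uRun/mRun/x64-Run: [value name] "path\to\file.exe" optional arguments
RUN_RE = re.compile(
    r'^(?P<hive>u|m|x64-)Run: \[(?P<name>[^\]]*)\] "?(?P<path>[A-Za-z]:\\.*?\.exe)"?(?:\s|$)',
    re.IGNORECASE,
)
# "Created Last 30": timestamp, size (dashes for a directory), attrs, path
CREATED_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:\d+|-+) (?P<attr>\S+) (?P<path>[A-Za-z]:\\.+)$"
)
# An .exe sitting directly in <profile>\AppData\Local, in no subfolder.
LOCAL_ROOT_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\(?P<stem>[^\\]+)\.exe$", re.IGNORECASE
)


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)
    created: Optional[str] = None


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption, not a vendor rule) for throwaway names like
    kbwugsev or eimfxhgb: 6-12 lowercase letters with a run of 3+ consonants."""
    if not re.fullmatch(r"[a-z]{6,12}", stem):
        return False
    return any(len(run) >= 3 for run in re.findall(r"[^aeiou]+", stem))


def triage(log_text: str, incident_day: str) -> list[Finding]:
    """Return the suspicious Run entries, each with the reasons it was flagged."""
    created: dict[str, str] = {}
    runs: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            if not m.group("attr").startswith("d"):  # skip directories
                created[m.group("path").lower()] = m.group("stamp")
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append((m.group("hive"), m.group("name"), m.group("path")))

    findings: list[Finding] = []
    for hive, name, path in runs:
        loc = LOCAL_ROOT_EXE.match(path)
        if not loc:
            continue  # launched from Program Files etc.: not this pattern
        f = Finding(hive, name, path, ["autorun launches an .exe directly in AppData\\Local"])
        if looks_random(loc.group("stem")) and looks_random(name):
            f.reasons.append("random-looking value name and file name")
        f.created = created.get(path.lower())
        if f.created and f.created.startswith(incident_day):
            f.reasons.append(f"file created on the incident day ({f.created})")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "2014-06-15"):
        print(f"{f.hive}Run [{f.name}] -> {f.path}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against a full DDS log, it lists only the Run entries that match the drop-in-AppData\Local pattern; the second file (bxuxnjab.exe) has no creation record because ESET had already deleted it, which the output reflects.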


#6 Queen-Evie


Posted 15 June 2014 - 12:13 PM

Windows has been reinstalled.

 

ESET Security installed, and the bloatware that was also installed removed.

 

Passwords to bill sites, Bleeping Computer, the other forum and email changed.

 

Pictures, documents, favorites, music, videos copied from external drive back up to the appropriate folders.

 

I will slowly work on getting all my programs reinstalled.

 

Thank you again for your advice. I appreciate all you do here at Bleeping Computer.

 

I'll leave this open for a while in case you have any comments to add. After that one of us can close it.



#7 xXToffeeXx


Posted 15 June 2014 - 01:20 PM

Hi Queen-Evie,

 

That was a quick reinstall of Windows, sounds like you are almost completely set up again :)

 

You're welcome, I try my best.

 

If you do a lot of checking links then Sandboxie or virtual machine software would make sure any infection is contained within the environment.

 

If nothing more is needed, and since you have reinstalled, I do not believe this topic needs to be kept open too much longer. If you have any queries or questions then you can re-open this or you can PM me.

 

xXToffeeXx~




#8 Queen-Evie


Posted 15 June 2014 - 01:29 PM

I don't have to check a lot of links. The ones that do get checked are usually links to websites. If the site opens, we remove the post because it contains an active phishing link.

 

I figured the link from this morning was a site link. Instead it was a file download.

 

Since there is nothing more to do, I'm closing this topic.





