
Zekos.root


This topic is locked
2 replies to this topic

#1 Travis Wayne

  • Members
  • 37 posts
  • Gender:Male
  • Location:Iowa

Posted 03 August 2014 - 09:19 AM

Hey guys, my computer got a virus, I'm assuming, and wouldn't boot. I was able to get it restored and running again, but when I installed Avast, it started picking up all kinds of things constantly while it was running. I ran RogueKiller and saw something called Zekos.root; then it quit running halfway through and the computer restarted. After that it said my version of Windows 7 wasn't genuine.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.17207  BrowserJavaVersion: 10.51.2
Run by Kevin and Chris at 8:53:18 on 2014-08-03
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2037.257 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TightVNC\tvnserver.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files\Common Files\Apple\Internet Services\AppleIEDAV.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Apple\Internet Services\APSDaemon.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
uRun: [ApplePhotoStreams] c:\program files\common files\apple\internet services\ApplePhotoStreams.exe
uRun: [AppleIEDAV] c:\program files\common files\apple\internet services\AppleIEDAV.exe
uRun: [2675907305] c:\windows\system32\rundll32.exe "c:\users\kevin and chris\appdata\roaming\1334384767\inputserver.dll",DllRegisterServer
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [{edacb017-6fed-15a0-0249-5661c817103d}] "c:\programdata\microsoft\{edacb017-6fed-15a0-0249-5661c817103d}\{edacb017-6fed-15a0-0249-5661c817103d}.exe"
mRun: [2675907305] c:\windows\system32\rundll32.exe "c:\windows\temp\pxrcxpi.dll",DllRegisterServer
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_12_0_0_38_ActiveX.exe -update activex
mExplorerRun: [{edacb017-6fed-15a0-0249-5661c817103d}] "c:\programdata\microsoft\{edacb017-6fed-15a0-0249-5661c817103d}\{edacb017-6fed-15a0-0249-5661c817103d}.exe"
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{A56F28F8-A0C1-4598-9CC0-9E5DCA0685F2} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - 
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\36.0.1985.125\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - 
.
============= SERVICES / DRIVERS ===============
.
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-8-2 108032]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-3-22 14848]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-3-22 49664]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-3-22 27136]
.
=============== Created Last 30 ================
.
2014-08-03 13:40:07 29160 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-08-03 13:40:05 -------- d-----w- c:\programdata\RogueKiller
2014-08-03 13:30:32 -------- d-----w- c:\windows\ERUNT
2014-08-03 13:25:26 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-08-03 13:24:22 -------- d-----w- C:\AdwCleaner
2014-08-03 07:56:39 -------- d-----w- c:\users\kevin and chris\appdata\roaming\4000878151
2014-08-03 07:56:18 -------- d-----w- c:\users\kevin and chris\appdata\local\1627188282
2014-08-03 07:56:17 -------- d-----w- c:\users\kevin and chris\appdata\roaming\1334384767
2014-08-03 05:36:28 253987 ----a-w- c:\programdata\microsoft\{edacb017-6fed-15a0-0249-5661c817103d}\{edacb017-6fed-15a0-0249-5661c817103d}.exe
2014-08-03 04:47:08 8217224 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{38b211b9-2e9b-4438-b18d-b156af37b2ff}\mpengine.dll
2014-08-03 04:47:07 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-08-02 23:52:00 -------- d-----w- c:\users\kevin and chris\appdata\roaming\AVAST Software
2014-08-02 23:47:39 -------- d-----w- c:\program files\AVAST Software
2014-08-02 23:47:00 -------- d-----w- c:\programdata\AVAST Software
2014-08-02 21:43:02 0 ----a-w- c:\windows\system32\seetla.dll
2014-08-02 20:21:10 -------- d-----w- c:\windows\pss
2014-08-02 19:48:59 592896 ----a-w- c:\windows\system32\jscript9diag.dll
2014-08-02 19:36:35 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-08-02 19:36:04 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-08-02 19:35:46 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-08-02 19:35:46 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-07-15 16:59:13 -------- d-----w- c:\users\kevin and chris\appdata\roaming\10c360
2014-07-15 16:59:11 -------- d-----w- c:\users\kevin and chris\appdata\local\10c360
.
==================== Find3M  ====================
.
2014-06-30 01:40:16 404480 ----a-w- c:\windows\system32\aepdu.dll
2014-06-30 01:36:00 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-06-18 23:56:37 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-06-18 23:56:03 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-06-18 23:38:40 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-06-18 23:37:23 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-06-18 23:36:35 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-06-18 23:35:55 62464 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-06-18 23:23:27 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-06-18 23:23:24 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-06-18 23:16:33 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-06-18 23:06:10 32256 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-06-18 22:52:18 4254720 ----a-w- c:\windows\system32\jscript9.dll
2014-06-18 22:46:23 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-06-18 22:45:59 1964544 ----a-w- c:\windows\system32\inetcpl.cpl
2014-06-18 22:13:59 1791488 ----a-w- c:\windows\system32\wininet.dll
2014-06-18 01:51:32 646144 ----a-w- c:\windows\system32\osk.exe
2014-06-18 00:52:00 2350080 ----a-w- c:\windows\system32\win32k.sys
2014-06-06 09:44:17 509440 ----a-w- c:\windows\system32\qedit.dll
2014-06-05 14:26:50 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-05-30 07:52:51 172032 ----a-w- c:\windows\system32\wdigest.dll
2014-05-30 07:52:49 65536 ----a-w- c:\windows\system32\TSpkg.dll
2014-05-30 07:52:45 247808 ----a-w- c:\windows\system32\schannel.dll
2014-05-30 07:52:41 220160 ----a-w- c:\windows\system32\ncrypt.dll
2014-05-30 07:52:40 259584 ----a-w- c:\windows\system32\msv1_0.dll
2014-05-30 07:52:36 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-05-30 07:52:30 17408 ----a-w- c:\windows\system32\credssp.dll
2014-05-30 06:36:07 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2014-05-08 09:06:54 2742784 ----a-w- c:\windows\system32\rdpcorets.dll
2014-05-08 09:06:54 13824 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
.
============= FINISH:  9:04:26.73 ===============
 

#2 Travis Wayne

  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:Iowa

Posted 03 August 2014 - 10:14 AM

After thinking about it I think I'm just going to do a fresh install of Windows, so could you guys please delete this post and the other one that somehow got created? Thank you! :)



#3 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 03 August 2014 - 10:23 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened. 


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~


 ~Twitter~ | ~Malware Analyst at Emsisoft~
