
Possible ZeroAccess infection, complicated by my own stupidity


This topic is locked. 24 replies to this topic.

#1 MadJohnFinn (Members, 23 posts)

Posted 05 August 2014 - 03:49 AM

Hello.

Whilst drunk one night I attempted to use a streaming video site on my Windows 7 64-bit PC. I know. Immediately my browsers suffered attempted redirections & I lost my connection to the Internet (the PC was there in the diagram as was the network (consisting of just the router) with a broken connection to the Internet).

& this is where I complicated matters & expect & deserve the collective wrath of Bleeping Computer to come down upon my head.

As there was obviously something wrong with my PC, & my installed A/V (more on this later) was insisting that everything was a-okay, I shrugged & did a system restore.

"Ha," I thought, drunkenly. "Gotcha!"

Feeling smug, I ran RogueKiller (sorry). RogueKiller found & killed a running process that it called ZeroAccess. A quick 'net search about this virus later, & I kinda went into panic mode.

I now realise that this isn't what you recommend, but in trying to fix the problem myself I ran Combofix (sorry), ESET (sorry) & MBAM (sorry). MBAM & Combofix found nothing, ESET found some stuff it said it removed but upon running RogueKiller again it finds the same ZeroAccess process (log appended).

Now, I am an idiot, for many reasons. In trying to fix this myself--attempts which I assure you I have now halted in their entirety--I appear to have myself a functioning PC, despite what RogueKiller is telling me. 

It's running a touch slow, perhaps, but it appears all redirect attempts halted as soon as I did a System Restore (within hours of getting infected).

However, I am concerned by what I've read on Google about this virus & its aftermath & really would appreciate some help having it removed should my PC still be at risk. It's my documents rather than anything else that I'm worried about.

I do understand that I am stupid & have probably doomed myself by my addle-pated attempts at saving my own computer. I realise this isn't SOP & truly apologise if I've made anyone's attempts to help harder.

Also, to compound my idiocy & further bring opprobrium upon myself, you'll see in the logs that I recently had two A/V scanners running.

This was at the insistence of my ISP, Supanet, who a couple of months back added Norman AntiVirus to my contract in an attempt to contain some virus threat (the one that was on the news?). I spoke to them at the time regarding this, as I already used AVG & was perfectly happy with it, & they swore blind that having both would present no problems, & in fact add an "extra layer of protection".

In Googling my current problems, it appears that they were talking out their ear-holes, so in preparation for debasing myself here I took the liberty of removing AVG from my system, as you'll see from my logs.

I hope this was the right thing to do.

I apologise if my neophyte efforts have complicated matters or made your attempts to help harder, & I would just like to both make it clear that I am definitely not going to touch anything further unless you expressly tell me to (not even the power switch!) & that I really appreciate the existence of sites like this & the efforts people make to help stupid people like me.

Thanking you in advance for any time you can spare on this.

Attached Files


Edited by MadJohnFinn, 05 August 2014 - 03:51 AM.


#2 Starbuck ('r Brudiwr), Malware Response Team, 4,147 posts, Midlands, UK

Posted 07 August 2014 - 05:14 PM

Hi MadJohnFinn

Please take note of the following:

1. Please do not run any other tools unless instructed.
2. Please don't install or uninstall anything unless asked.
3. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
4. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Whilst drunk one night I attempted to use a streaming video site on my Windows 7 64-bit PC.

A friend of mine ordered a stainless steel exhaust system for his car off Ebay whilst drunk.
Didn't realise until it was delivered a few days later....... and he already had one fitted to his car. :)

you'll see in the logs that I recently had two A/V scanners running.

But you have removed one... so that's good.

ESET found some stuff it said it removed but upon running RogueKiller again it finds the same ZeroAccess process (log appended).

Yes, I can see that in the report.
Did ESET save a report?
It normally saves a report here:
C:\Program Files\ESET\ESET Online Scanner\log.txt
or
C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt

Please post the report if you still have it.

Let's get a better look at your system:

For 64-bit systems, download Farbar Recovery Scan Tool x64 and save it to your Desktop.
  • Double-click the downloaded icon to run the tool. Vista/Windows 7/8 users: right-click and select Run As Administrator.
  • When the tool opens, click Yes to the disclaimer.
  • Make sure that Addition.txt is selected at the bottom.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it into your reply also.
In your next reply, please submit:
Both reports from FRST
and the Eset report if you have it.


Thanks.



#3 MadJohnFinn (Topic Starter, Members, 23 posts)

Posted 08 August 2014 - 02:30 AM

Hello!

RE: Ebay. Ha! Luckily, I have no car.

I don't think I got an ESET report, it was using their online thingy. I've searched my HDD just in case, but it's coming up with nothing.

Attached are the two FRST reports.

Just an aside, but I may not be able to get on my computer over the weekend, certainly not from Saturday afternoon until Sunday evening. Would it be okay to leave my case open please (should you be able to respond in time)? I'd like to make it clear I really do appreciate all this & I'm not about to wander off in the middle of it.

Sorry to be a pain.


Thank you very much for taking the time to help me, Starbuck, & please insert a gratuitous Battlestar Galactica reference of your choice here.

Attached Files



#4 Starbuck ('r Brudiwr), Malware Response Team, 4,147 posts, Midlands, UK

Posted 08 August 2014 - 09:22 AM

Hi MJF,
Keeping the thread open is not a problem.
It won't be closed until we have finished.
Am just in from work so will take a look at the reports later and will advise on the next step afterwards.



#5 Starbuck ('r Brudiwr), Malware Response Team, 4,147 posts, Midlands, UK

Posted 08 August 2014 - 11:38 AM

Hi MJF,

please insert a gratuitous Battlestar Galactica reference of your choice here.

Lol. The name was taken from a glass coffee cup that was bought for me 14 years ago... and I still use it.


I don't think I got an ESET report, it was using their online thingy. I've searched my HDD just in case, but it's coming up with nothing.

That's ok, it was worth a try.

There's nothing malicious showing in the reports.
Some leftovers from AVG.... which we'll clear.
Let's try a different type of scan and see if that shows us anything.

Step 1
Please download the attached fixlist.txt file (bottom of this post) and save it to the Desktop.
NOTE.
It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.



Step 2
Download TDSSKiller and save it to your Desktop.
  • Double-click TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: Do not choose Delete unless instructed.
A report will be created in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.



In your next reply, please submit:
Fixlog.txt
TdssKiller report


Thanks.

Attached Files


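TDSSKiller's "Verify Driver Digital Signature" option in Step 2 above is a check a defender can reproduce without a third-party tool. The PowerShell below is an added example, not code from this thread, from BleepingComputer or from TDSSKiller: it lists every currently loaded kernel driver and reports those whose Authenticode signature does not verify, or whose file cannot be found where the service registration says it should be. It assumes an elevated PowerShell 3.0 or later prompt; the function name Get-UnsignedRunningDriver is my own.

```powershell
# Added example (not from this thread, BleepingComputer or TDSSKiller): list
# loaded kernel drivers whose Authenticode signature does not verify.
# Assumes an elevated PowerShell 3.0+ prompt; the function name is mine.

function Get-UnsignedRunningDriver {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver covers every kernel driver service; State tells us
    # which ones are loaded right now, which is what a rootkit check cares about.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # PathName comes in several shapes: "C:\Windows\system32\drivers\x.sys",
        # "\SystemRoot\system32\drivers\x.sys", "\??\C:\..." or a path relative
        # to the Windows directory. Normalise all of them to an absolute path.
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

        if (-not (Test-Path -LiteralPath $path)) {
            # A loaded driver whose file is not where the service says it is
            # deserves a look on its own (hidden, deleted, or an odd path).
            [PSCustomObject]@{
                Name   = $drv.Name
                Path   = $path
                Status = 'FileNotFound'
                Signer = $null
            }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [PSCustomObject]@{
                Name   = $drv.Name
                Path   = $path
                Status = [string]$sig.Status
                Signer = $signer
            }
        }
    }
}

# Usage: anything that is not cleanly signed, grouped by status.
Get-UnsignedRunningDriver | Sort-Object Status, Name | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: many Microsoft inbox drivers on Windows 7 are catalog-signed rather than embedded-signed and can show up as NotSigned, while a driver that passes the check can still be malicious if it was signed with a stolen certificate. A running driver whose file is missing, or one with a valid signature from a signer you do not recognise, is what deserves a closer look.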


#6 MadJohnFinn (Topic Starter, Members, 23 posts)

Posted 08 August 2014 - 06:48 PM

Hello, ran both as instructed...

TDSS Killer didn't, er, kill anything, though, & my system did not reboot after that one. I didn't turn off my antivirus to run the program though, will that queer the pitch, so to speak?

Thank you again for your help.

Attached Files


Edited by MadJohnFinn, 08 August 2014 - 06:49 PM.


#7 Starbuck ('r Brudiwr), Malware Response Team, 4,147 posts, Midlands, UK

Posted 09 August 2014 - 05:11 AM

Hi MJF

It would appear that the 'Zero Access' infection is no longer present.
Maybe Rogue Killer is picking it up from one of the quarantine folders.
Let's double check that.

Let's re-run Eset online scanner and RK and see what they say now.


Step 1
64Bit users, please see note at the bottom.

You may find it beneficial to close your resident AV program before running the scan.

It's been found that on some systems ESET's Online Scan fails during the database download (at around 20%).
To prevent this happening:
When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • If asked, allow the ActiveX control to install.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Click esetExport.png, and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the esetBack.png button.
  • Click esetFinish.png
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Note:
As you are running a 64-bit system:
The ESET Online Scanner is a 32-bit application, which means it must be run in the 32-bit version of Internet Explorer, and as an Administrator. To do so, right-click on the Internet Explorer (32-bit) icon in the Start Menu and select "Run as administrator" from the context menu.
Or you can use Firefox or Chrome, which will almost certainly be 32-bit versions.


Step 2
Remove your copy of RogueKiller (right-click on the icon and select Delete).

Download RogueKiller and save it to your desktop.
  • Close all running processes (security programs etc )
  • Double click RogueKiller icon to run the program
    Vista/Win7/Win8 users should right click the icon and select Run as Administrator.
  • Wait for the Prescan to finish.
  • Now click the Scan button.
  • Please copy and paste the report in your next reply.
A copy of the RKreport.txt can be found on your desktop.

Note:
If RogueKiller is blocked, do not hesitate to try running it again.
If it still fails to run, right click on the downloaded icon and select 'Rename'.....rename it to winlogon and try again.


In your next reply, please submit:
Eset scan report
RKreport.txt


Thanks.



#8 MadJohnFinn (Topic Starter, Members, 23 posts)

Posted 11 August 2014 - 04:07 AM

Hello. 

This time, the ESET report found nothing, & didn't give me the option to save a log (did I mess that up? If so, sorry, I can run it again). It *definitely* didn't find anything, though.

The Roguekiller report is attached to this post.

Thank you again for your help.

Attached Files



#9 Starbuck ('r Brudiwr), Malware Response Team, 4,147 posts, Midlands, UK

Posted 11 August 2014 - 12:09 PM

Hi MJF

the ESET report found nothing, & didn't give me the option to save a log

Ok, that's fine.
If nothing is found it doesn't always save the report.
So that's good news. :)

Zero Access is no longer showing in the RK report.... so another good sign.

We can remove those 2 lines in the report.
  • Close all the running processes
  • Double click the RogueKiller icon to run the program again.
    Vista/Win7/Win8 users should right click the icon and select Run as Administrator.
  • Wait for the Prescan to finish.
  • Make sure the following is selected:
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
  • Now click the Delete button.
  • Please copy and paste the report in your next reply.
A copy of the RKreport.txt can be found in the same directory that RK was run.

Also let me know how the system is running now.


Thanks

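The two [PUM.Policies] lines the helper asks to delete above refer to the same policy value seen through the 64-bit (X64) and 32-bit (X86) registry views. The PowerShell below is an added example, not code from this thread or from RogueKiller: it reads DisableRegistryTools from the Policies\System key in both views, for both the machine (HKLM) and the current user (HKCU), and states what the value means, so the reader can see why a value of 0 is flagged as "potentially unwanted" rather than as malware. It assumes PowerShell 3.0 or later; the function name Get-RegistryToolsPolicy is my own.

```powershell
# Added example (not from this thread or from RogueKiller): audit the
# Policies\System key in both registry views for the DisableRegistryTools
# value that RogueKiller reported as [PUM.Policies]. Assumes PowerShell 3.0+.

function Get-RegistryToolsPolicy {
    [CmdletBinding()]
    param(
        # Key named in the RK report; the same value is honoured under HKCU,
        # so both hives are checked.
        [string]$SubKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        [string]$ValueName = 'DisableRegistryTools'
    )

    $hives = @(
        @{ Hive = [Microsoft.Win32.RegistryHive]::LocalMachine; Label = 'HKLM' },
        @{ Hive = [Microsoft.Win32.RegistryHive]::CurrentUser;  Label = 'HKCU' }
    )
    # Opening the base key with an explicit view is what lets a 64-bit process
    # see the same key the way a 32-bit process (or RK's X86 line) sees it.
    $views = @(
        @{ View = [Microsoft.Win32.RegistryView]::Registry64; Label = 'X64' },
        @{ View = [Microsoft.Win32.RegistryView]::Registry32; Label = 'X86' }
    )

    foreach ($h in $hives) {
        foreach ($v in $views) {
            $base  = [Microsoft.Win32.RegistryKey]::OpenBaseKey($h.Hive, $v.View)
            $key   = $base.OpenSubKey($SubKey)
            $value = $null
            if ($key) { $value = $key.GetValue($ValueName, $null) }

            # Interpretation: absent is the clean default. 0 means the entry
            # exists but restricts nothing (the "potentially unwanted
            # modification" case in the RK report). Anything else blocks the
            # Registry Editor for this scope and should be explained.
            if ($null -eq $value) {
                $verdict = 'Absent (default)'
            } elseif ([int]$value -eq 0) {
                $verdict = 'Present but inactive (PUM)'
            } else {
                $verdict = 'ACTIVE: Registry Editor is disabled'
            }

            [PSCustomObject]@{
                Hive    = $h.Label
                View    = $v.Label
                Path    = $SubKey
                Value   = $value
                Verdict = $verdict
            }

            if ($key) { $key.Close() }
            $base.Close()
        }
    }
}

# Usage: run as Administrator so both HKLM views are fully readable.
Get-RegistryToolsPolicy | Format-Table -AutoSize
```

The function only reads. If the entry is present and inactive and you want the same cleanup RogueKiller performs, remove it with Remove-ItemProperty on the path shown and re-run the function to confirm the verdict changes to Absent. An ACTIVE result on a machine where no administrator set that policy is the case worth investigating further.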


#10 MadJohnFinn (Topic Starter, Members, 23 posts)

Posted 11 August 2014 - 02:01 PM

Hokaaaaaaaay....

I followed your instructions, & after completing the "scan" portion, Roguekiller opened my browser & pointed me here:

http://www.adlice.com/kernelmode-rootkits-part-3-kernel-filters/

This obviously scared the Bejesus out of me, so I hastened to close Opera & hit the "DELETE" button.

Roguekiller was happy to comply.

However, no report was generated & I can find no record of one anywhere on my HDD (not even the Roguekiller directory).

Apologies if I've done anything wrong here or I appear to be wasting your time. I am confused.



#11 Starbuck ('r Brudiwr), Malware Response Team, 4,147 posts, Midlands, UK

Posted 11 August 2014 - 02:25 PM

Hi MJF

Apologies if I've done anything wrong here or I appear to be wasting your time. I am confused.

Don't worry, you're not wasting my time.

Like the link says.... it may be nothing but a legit driver.
But we'll take nothing for granted.

Please remove the copy of ComboFix (if it's still on your system): right-click on the icon and select Delete.
Now we'll get a fresh copy.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2




This is an example; you may rename ComboFix to anything you want.
Then:

Vista/Windows 7 users: right-click Combo-Fix.exe and select Run As Administrator.
  • Please follow any prompts.
  • Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks



#12 MadJohnFinn (Topic Starter, Members, 23 posts)

Posted 11 August 2014 - 02:58 PM

Combofix log attached, thank you again!

ComboFix 14-08-06.02 - user 11/08/2014 20:45:45.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3956.2563 [GMT 1:00]
Running from: c:\users\user\Desktop\Boxing columns\Bork.exe
AV: Norman Security Suite *Disabled/Updated* {F86A2F90-6CAD-D491-E1E0-29799D9EE21F}
FW: Norman Security Suite *Enabled* {E8034BA5-6C9C-91E7-BFF5-AAF12796A11A}
SP: Norman Security Suite *Disabled/Updated* {430BCE74-4A97-DB1F-DB50-120BE619A8A2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2014-07-11 to 2014-08-11 )))))))))))))))))))))))))))))))
.
.
2014-08-11 19:52 . 2014-08-11 19:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-08-04 09:38 . 2014-08-04 09:50 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-07-31 07:02 . 2014-05-14 16:23 44512 ----a-w- c:\windows\system32\wups2.dll
2014-07-31 07:02 . 2014-05-14 16:23 58336 ----a-w- c:\windows\system32\wuauclt.exe
2014-07-31 07:02 . 2014-05-14 16:23 2477536 ----a-w- c:\windows\system32\wuaueng.dll
2014-07-31 07:02 . 2014-05-14 16:21 2620928 ----a-w- c:\windows\system32\wucltux.dll
2014-07-31 07:01 . 2014-05-14 16:23 38880 ----a-w- c:\windows\system32\wups.dll
2014-07-31 07:01 . 2014-05-14 16:23 36320 ----a-w- c:\windows\SysWow64\wups.dll
2014-07-31 07:01 . 2014-05-14 16:23 700384 ----a-w- c:\windows\system32\wuapi.dll
2014-07-31 07:01 . 2014-05-14 16:23 581600 ----a-w- c:\windows\SysWow64\wuapi.dll
2014-07-31 07:01 . 2014-05-14 16:20 97792 ----a-w- c:\windows\system32\wudriver.dll
2014-07-31 07:01 . 2014-05-14 16:17 92672 ----a-w- c:\windows\SysWow64\wudriver.dll
2014-07-31 07:00 . 2014-05-14 08:23 198600 ----a-w- c:\windows\system32\wuwebv.dll
2014-07-31 07:00 . 2014-05-14 08:23 179656 ----a-w- c:\windows\SysWow64\wuwebv.dll
2014-07-31 07:00 . 2014-05-14 08:20 36864 ----a-w- c:\windows\system32\wuapp.exe
2014-07-31 07:00 . 2014-05-14 08:17 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2014-07-30 09:56 . 2014-07-30 09:59 -------- d-----w- C:\HELEN
2014-07-23 17:02 . 2014-07-24 11:48 -------- d-----w- c:\users\user\AppData\Local\Audible
2014-07-23 16:33 . 2014-07-23 16:33 255352 ----a-w- c:\windows\SysWow64\awrdscdc.ax
2014-07-23 16:33 . 2003-03-18 20:20 1060864 ------w- c:\windows\SysWow64\mfc71.dll
2014-07-23 16:33 . 2003-03-18 19:14 499712 ------w- c:\windows\SysWow64\msvcp71.dll
2014-07-23 16:33 . 2003-02-21 03:42 348160 ------w- c:\windows\SysWow64\msvcr71.dll
2014-07-23 16:33 . 2001-08-17 21:43 24576 ------w- c:\windows\SysWow64\msxml3a.dll
2014-07-23 16:32 . 2014-07-23 16:33 -------- d-----w- c:\program files (x86)\Audible
2014-07-23 09:18 . 2014-08-11 09:17 163504 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-07-15 11:18 . 2014-07-15 11:18 -------- d-----w- c:\users\user\AppData\Local\id Software
2014-07-14 22:42 . 2014-07-14 22:42 -------- d-----w- c:\program files (x86)\Quake Live
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-04 09:38 . 2014-03-27 14:31 128728 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-04 09:35 . 2014-03-27 14:31 92888 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-09 23:44 . 2014-03-26 16:28 96441528 ----a-w- c:\windows\system32\MRT.exe
2014-06-30 02:09 . 2014-07-09 23:21 519168 ----a-w- c:\windows\system32\aepdu.dll
2014-06-30 02:04 . 2014-07-09 23:21 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-06-26 19:44 . 2014-06-26 19:44 4320256 ----a-r- c:\users\user\AppData\Roaming\Microsoft\Installer\{428CF694-7D31-4C42-8F7D-7187F5EF6937}\PapersPlease.exe
2014-06-20 20:14 . 2014-07-09 23:20 266424 ----a-w- c:\windows\system32\iedkcs32.dll
2014-06-19 01:39 . 2014-07-09 23:20 23464448 ----a-w- c:\windows\system32\mshtml.dll
2014-06-19 01:06 . 2014-07-09 23:20 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-06-19 01:06 . 2014-07-09 23:20 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-06-19 00:48 . 2014-07-09 23:20 2768384 ----a-w- c:\windows\system32\iertutil.dll
2014-06-19 00:42 . 2014-07-09 23:20 548352 ----a-w- c:\windows\system32\vbscript.dll
2014-06-19 00:42 . 2014-07-09 23:20 66048 ----a-w- c:\windows\system32\iesetup.dll
2014-06-19 00:41 . 2014-07-09 23:20 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-06-19 00:41 . 2014-07-09 23:20 83968 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-06-19 00:32 . 2014-07-09 23:20 51200 ----a-w- c:\windows\system32\jsproxy.dll
2014-06-19 00:31 . 2014-07-09 23:20 33792 ----a-w- c:\windows\system32\iernonce.dll
2014-06-19 00:26 . 2014-07-09 23:20 598016 ----a-w- c:\windows\system32\ieui.dll
2014-06-19 00:24 . 2014-07-09 23:20 139264 ----a-w- c:\windows\system32\ieUnatt.exe
2014-06-19 00:24 . 2014-07-09 23:20 111616 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-06-19 00:23 . 2014-07-09 23:20 752640 ----a-w- c:\windows\system32\jscript9diag.dll
2014-06-19 00:14 . 2014-07-09 23:20 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-06-19 00:09 . 2014-07-09 23:20 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2014-06-18 23:59 . 2014-07-09 23:20 38400 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-06-18 23:56 . 2014-07-09 23:20 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-06-18 23:53 . 2014-07-09 23:20 195584 ----a-w- c:\windows\system32\msrating.dll
2014-06-18 23:51 . 2014-07-09 23:20 5721088 ----a-w- c:\windows\system32\jscript9.dll
2014-06-18 23:50 . 2014-07-09 23:20 85504 ----a-w- c:\windows\system32\mshtmled.dll
2014-06-18 23:48 . 2014-07-09 23:20 292864 ----a-w- c:\windows\system32\dxtrans.dll
2014-06-18 23:39 . 2014-07-09 23:20 608768 ----a-w- c:\windows\system32\ie4uinit.exe
2014-06-18 23:38 . 2014-07-09 23:20 455168 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-06-18 23:37 . 2014-07-09 23:20 61952 ----a-w- c:\windows\SysWow64\iesetup.dll
2014-06-18 23:36 . 2014-07-09 23:20 51200 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
2014-06-18 23:35 . 2014-07-09 23:20 62464 ----a-w- c:\windows\SysWow64\MshtmlDac.dll
2014-06-18 23:33 . 2014-07-09 23:20 631808 ----a-w- c:\windows\system32\msfeeds.dll
2014-06-18 23:27 . 2014-07-09 23:20 1249280 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-06-18 23:27 . 2014-07-09 23:20 2040832 ----a-w- c:\windows\system32\inetcpl.cpl
2014-06-18 23:23 . 2014-07-09 23:20 112128 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-06-18 23:22 . 2014-07-09 23:20 592896 ----a-w- c:\windows\SysWow64\jscript9diag.dll
2014-06-18 23:06 . 2014-07-09 23:20 32256 ----a-w- c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-06-18 22:58 . 2014-07-09 23:20 2266112 ----a-w- c:\windows\system32\wininet.dll
2014-06-18 22:52 . 2014-07-09 23:20 4254720 ----a-w- c:\windows\SysWow64\jscript9.dll
2014-06-18 22:51 . 2014-07-09 23:20 13527040 ----a-w- c:\windows\system32\ieframe.dll
2014-06-18 22:46 . 2014-07-09 23:20 1068032 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2014-06-18 22:45 . 2014-07-09 23:20 1964544 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2014-06-18 22:34 . 2014-07-09 23:20 1393664 ----a-w- c:\windows\system32\urlmon.dll
2014-06-18 22:15 . 2014-07-09 23:20 846336 ----a-w- c:\windows\system32\ieapfltr.dll
2014-06-18 22:13 . 2014-07-09 23:20 1791488 ----a-w- c:\windows\SysWow64\wininet.dll
2014-06-18 02:18 . 2014-07-09 23:21 692736 ----a-w- c:\windows\system32\osk.exe
2014-06-18 01:51 . 2014-07-09 23:21 646144 ----a-w- c:\windows\SysWow64\osk.exe
2014-06-18 01:10 . 2014-07-09 23:21 3157504 ----a-w- c:\windows\system32\win32k.sys
2014-06-06 10:10 . 2014-07-09 23:21 624128 ----a-w- c:\windows\system32\qedit.dll
2014-06-06 09:44 . 2014-07-09 23:21 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2014-06-05 14:45 . 2014-07-09 23:19 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-06-05 14:26 . 2014-07-09 23:19 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-06-05 14:25 . 2014-07-09 23:19 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-05-30 08:08 . 2014-07-09 23:20 210944 ----a-w- c:\windows\system32\wdigest.dll
2014-05-30 08:08 . 2014-07-09 23:20 86528 ----a-w- c:\windows\system32\TSpkg.dll
2014-05-30 08:08 . 2014-07-09 23:20 340992 ----a-w- c:\windows\system32\schannel.dll
2014-05-30 08:08 . 2014-07-09 23:20 314880 ----a-w- c:\windows\system32\msv1_0.dll
2014-05-30 08:08 . 2014-07-09 23:20 307200 ----a-w- c:\windows\system32\ncrypt.dll
2014-05-30 08:08 . 2014-07-09 23:20 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-05-30 08:08 . 2014-07-09 23:20 22016 ----a-w- c:\windows\system32\credssp.dll
2014-05-30 07:52 . 2014-07-09 23:20 172032 ----a-w- c:\windows\SysWow64\wdigest.dll
2014-05-30 07:52 . 2014-07-09 23:20 65536 ----a-w- c:\windows\SysWow64\TSpkg.dll
2014-05-30 07:52 . 2014-07-09 23:20 247808 ----a-w- c:\windows\SysWow64\schannel.dll
2014-05-30 07:52 . 2014-07-09 23:20 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll
2014-05-30 07:52 . 2014-07-09 23:20 259584 ----a-w- c:\windows\SysWow64\msv1_0.dll
2014-05-30 07:52 . 2014-07-09 23:20 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-05-30 07:52 . 2014-07-09 23:20 17408 ----a-w- c:\windows\SysWow64\credssp.dll
2014-05-30 06:45 . 2014-07-09 23:21 497152 ----a-w- c:\windows\system32\drivers\afd.sys
2014-05-16 13:04 . 2014-06-26 21:04 254240 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2014-05-16 13:03 . 2014-06-26 21:04 128288 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
"Norman ZANDA"="c:\program files\Norman\Npm\Bin\ZLH.EXE" [2013-03-08 66888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux9"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 GUCI_AVS;Philips SPZ2000 Webcam;c:\windows\system32\DRIVERS\GUCI_AVS.sys;c:\windows\SYSNATIVE\DRIVERS\GUCI_AVS.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\DRIVERS\nvcv64mf.sys;c:\windows\SYSNATIVE\DRIVERS\nvcv64mf.sys [x]
R3 nvcoas;Norman Virus Control on-access component;c:\program files\Norman\Nvc\Bin\nvcoas.exe;c:\program files\Norman\Nvc\Bin\nvcoas.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 ALE_NF;Norman Network Filter ALE driver;c:\windows\system32\drivers\ale7_nf64.sys;c:\windows\SYSNATIVE\drivers\ale7_nf64.sys [x]
S1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs64.sys;c:\program files\norman\ngs\bin\ngs64.sys [x]
S1 NPROSEC;Norman Security driver;c:\program files\Norman\Ngs\Bin\nprosec64.sys;c:\program files\Norman\Ngs\Bin\nprosec64.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 NHS;Norman Hash Server;c:\program files\Norman\Nvc\bin\nhs.exe;c:\program files\Norman\Nvc\bin\nhs.exe [x]
S2 NNFSVC;Norman Network Filtering service;c:\program files\Norman\Ngs\Bin\Nnf.exe;c:\program files\Norman\Ngs\Bin\Nnf.exe [x]
S2 NPFSvc32;Norman Personal Firewall Service;c:\program files\Norman\npf\bin\npfsvc32.exe;c:\program files\Norman\npf\bin\npfsvc32.exe [x]
S2 NPROSECSVC;Norman Security service;c:\program files\Norman\Ngs\Bin\Nprosec.exe;c:\program files\Norman\Ngs\Bin\Nprosec.exe [x]
S2 nregsec;Norman Registry Security driver;c:\program files\Norman\Ngs\Bin\nregsec64.sys;c:\program files\Norman\Ngs\Bin\nregsec64.sys [x]
S2 nvoy;Norman Resource Provider (NICCA);c:\program files\Norman\Npm\Bin\nvoy.exe;c:\program files\Norman\Npm\Bin\nvoy.exe [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
S3 NIG;Norman Intrusion Guard;c:\program files\Norman\nig\bin\nigsvc32.exe;c:\program files\Norman\nig\bin\nigsvc32.exe [x]
S3 nsesvc;Norman Scanner Engine Service;c:\program files\Norman\Nse\Bin\NSESVC.EXE;c:\program files\Norman\Nse\Bin\NSESVC.EXE [x]
S3 Scheduler;Norman Scheduler Service;c:\program files\Norman\Npm\Bin\scheduler.exe;c:\program files\Norman\Npm\Bin\scheduler.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - TrueSight
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-08-11 20:54:05
ComboFix-quarantined-files.txt 2014-08-11 19:54
.
Pre-Run: 107,877,609,472 bytes free
Post-Run: 107,819,941,888 bytes free
.
- - End Of File - - 15C954E3E3913E64EF864CDCDDB0E52B
A36C5E4F47E84449FF07ED3517B43A31

Attached Files


Edited by Starbuck, 11 August 2014 - 03:23 PM.


#13 Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,147 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 11 August 2014 - 03:41 PM

There is nothing malicious showing in the report.
As you have Malwarebytes Anti-Malware installed, run a scan with that.
If that comes back clean, we know it was just a false positive.
Post the report that MBAM creates.



#14 MadJohnFinn

  • Topic Starter

  • Members
  • 23 posts

Posted 11 August 2014 - 05:28 PM

Here you go, mate. Says all clear.

 

However, there are some *very* odd things running in my Task Manager's services list. Would you mind ever so much having a quick butcher's at them, please? If it's okay I'll attach screenshots...

Some of them are tied to a program called netsvcs. This, if I remember rightly, was the name of the original file that RogueKiller reported, & which threw me into a tizzy in my original post?

 

Also, there was definitely nothing called "workstation" or "server" running on my PC a couple of weeks ago, nor do I remember things called "remote access connection manager".

 

Sorry to be paranoid, & thank you once again for your help. I shall only post the screenies if you think they sound dodgy; I don't want to waste your time, but the idea of a keylogger makes me very nervous.
 

Attached Files


Edited by MadJohnFinn, 11 August 2014 - 05:29 PM.
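The services named in the post above (Workstation, Server and Remote Access Connection Manager) are standard Windows components, registered under the service names LanmanWorkstation, LanmanServer and RasMan, and "netsvcs" is not a program but the name of an svchost.exe service group: Windows keeps the list of its members in the registry and loads each member as a DLL inside a shared svchost.exe process, which is why Task Manager shows several unrelated-looking services hanging off one host. The PowerShell script below is an added example for readers of this thread, not something posted by either participant, and shows a defender's way of answering the question without screenshots: it enumerates the netsvcs group on the local machine, resolves each member to the DLL that implements it, and checks whether that DLL lives under System32 and carries a valid signature, so an unfamiliar entry can be compared against the in-box binary it is supposed to be. The registry paths and cmdlets are the standard Windows ones; the only assumption is an elevated prompt on Windows 7 or later.

```powershell
# Added example, not from the thread: list the members of the "netsvcs" svchost
# group, the DLL each one is loaded from, and whether that DLL is signed.
# Assumes an elevated PowerShell prompt on Windows 7 or later.

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$members    = (Get-ItemProperty -Path $svchostKey).netsvcs   # REG_MULTI_SZ -> string[]

$report = foreach ($name in $members) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    # The group can name services that are not installed on this machine; skip those.
    if (-not (Test-Path -Path $svcKey)) { continue }

    $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
    $main = Get-ItemProperty -Path $svcKey

    # Most svchost-hosted services record their DLL under Parameters\ServiceDll;
    # a few put ServiceDll directly under the service key, so check both.
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { $dll = $main.ServiceDll }
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

    # A genuine netsvcs member runs inside svchost.exe and is implemented by a DLL
    # under %SystemRoot%\System32; anything else deserves a second look.
    $inSystem32 = $dll -and $dll.StartsWith("$env:SystemRoot\System32", 'OrdinalIgnoreCase')
    $sigStatus  = if ($dll -and (Test-Path -Path $dll)) {
                      (Get-AuthenticodeSignature -FilePath $dll).Status
                  } else { 'DllMissing' }

    [pscustomobject]@{
        Service     = $name
        DisplayName = if ($svc) { $svc.DisplayName } else { '(not installed)' }
        State       = if ($svc) { $svc.Status }      else { 'NotInstalled' }
        ImagePath   = $main.ImagePath
        ServiceDll  = $dll
        InSystem32  = [bool]$inSystem32
        Signature   = $sigStatus
    }
}

# Show the rows worth a second look first: DLL outside System32, missing, or not validly signed.
$report | Sort-Object InSystem32, Signature | Format-Table -AutoSize
```

Two caveats when reading the output. Many in-box Windows DLLs are catalog-signed rather than carrying an embedded signature, and older PowerShell versions do not consult the signing catalogs, so on a Windows 7 machine Get-AuthenticodeSignature may report NotSigned for a perfectly legitimate file; the stronger signals are a ServiceDll outside System32, an ImagePath that is not the normal svchost.exe command line, or a member that does not appear on a known-clean machine of the same Windows version. The script only reads the registry and files and changes nothing, so it is safe to run alongside whatever scans a helper asks for.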


#15 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,147 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 12 August 2014 - 11:42 AM

Hi MJF

However, there are some *very* odd things running in my Task Manager's services list. Would you mind ever so much having a quick butcher's at them, please? If it's okay I'll attach screenshots...

Yes, by all means post some screenshots.
