"Firefox patch" drive-by malware attack occurred. (Trojan 32 Kovter)

10 replies to this topic

#1 Hedgehog83

  • Members
  • 139 posts

Posted 29 June 2016 - 08:44 PM

A drive-by malware attack happened today on my PC screen. I was visiting a news website (Guardian), and all of a sudden got a Firefox update screen saying "critical update". And there was a file that automatically popped up on my screen to be downloaded. I did not download it, and my MSE notified me about the attack and that I don't have to do anything on my part. I checked the quarantine, and it said Trojan 32 Kovter. I removed that from quarantine. Then I ran RKill, which didn't find anything. Then I ran Malwarebytes, which didn't find anything as well. It appears that there is no malware on my PC, but I just wanted to make sure that this is the case. Also, I deleted my history/downloads/cache for the past 1 hour prior to that, so the bad file/anything else is gone. I didn't write down the redirected website's URL; however, it was something weird (not Firefox).

I am running Vista Enterprise 64-bit. One thing to note is that about 1 hour prior to the event described above, one of my family members was using another PC and clicked on a phishing link. The site was blocked by Firefox and we navigated away from it using the "Get me out of here" button, but perhaps the damage was done by that time. Maybe my PC has this problem because of the other PC incident (network hacked?). I ran a Malwarebytes scan on that PC as well, which didn't find any infections. This second PC is using Vista Business SP2 32-bit.

Any help would be appreciated.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-06-2016
Ran by Yarik (administrator) on TIGER (29-06-2016 18:40:58)
Running from D:\Downloads\Downloads
Loaded Profiles: Yarik (Available Profiles: Yarik)
Platform: Windows Vista ™ Enterprise Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
() C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
() C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft) C:\Program Files (x86)\USB 2.0 PC CAMERA\Camera Snap.exe
() C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
() C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\conime.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_192.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_192.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [562544 2016-04-26] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKLM-x32\...\Run: [Snap] => C:\Program Files (x86)\USB 2.0 PC CAMERA\Camera Snap.exe [163840 2011-07-12] (Microsoft)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [7377424 2016-04-26] ()
HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [421768 2016-04-25] (Acronis International GmbH)
HKU\S-1-5-21-2506397146-1836660899-412650222-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53123712 2016-05-17] (Skype Technologies S.A.)
HKU\S-1-5-21-2506397146-1836660899-412650222-1000\...\MountPoints2: G - G:\autorun.exe
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2016-03-18] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2016-03-18] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2016-03-18] (Acronis)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
Tcpip\..\Interfaces\{D9F22EF5-0D44-4459-BC1E-0624A8EAA8A2}: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyEtN2Y1L1QzutDtDtByE0EzztC0EtCzzzz0FyCyEyDzytN0D0Tzu0StCyDtAtAtN1L2XzutAtFtCyBtFtCyEtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyCyB0A0FzztB0D0CtGyDtCyEzztGyDyC0AyBtGtDtAyB0EtGyByB0ByCtAzz0EyCyBtDzytD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0ByCzyzztB0E0AtG0AyC0C0EtGyEtCtCzztG0B0B0AyDtGyEtBzy0E0CtAyCtA0DyDyD0D2QtN0A0LzuyE%26cr%3D1479602433%26a%3Djmb_pwrisofs_16_10%26os_ver%3D6%26os%3DWindows%2B™%2BVista%2BEnterprise
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyEtN2Y1L1QzutDtDtByE0EzztC0EtCzzzz0FyCyEyDzytN0D0Tzu0StCyDtAtAtN1L2XzutAtFtCyBtFtCyEtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyCyB0A0FzztB0D0CtGyDtCyEzztGyDyC0AyBtGtDtAyB0EtGyByB0ByCtAzz0EyCyBtDzytD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0ByCzyzztB0E0AtG0AyC0C0EtGyEtCtCzztG0B0B0AyDtGyEtBzy0E0CtAyCtA0DyDyD0D2QtN0A0LzuyE%26cr%3D1479602433%26a%3Djmb_pwrisofs_16_10%26os_ver%3D6%26os%3DWindows%2B™%2BVista%2BEnterprise
HKU\S-1-5-21-2506397146-1836660899-412650222-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyEtN2Y1L1QzutDtDtByE0EzztC0EtCzzzz0FyCyEyDzytN0D0Tzu0StCyDtAtAtN1L2XzutAtFtCyBtFtCyEtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyCyB0A0FzztB0D0CtGyDtCyEzztGyDyC0AyBtGtDtAyB0EtGyByB0ByCtAzz0EyCyBtDzytD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0ByCzyzztB0E0AtG0AyC0C0EtGyEtCtCzztG0B0B0AyDtGyEtBzy0E0CtAyCtA0DyDyD0D2QtN0A0LzuyE%26cr%3D1479602433%26a%3Djmb_pwrisofs_16_10%26os_ver%3D6%26os%3DWindows%2B™%2BVista%2BEnterprise
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2506397146-1836660899-412650222-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-20] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-20] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Yarik\AppData\Roaming\Mozilla\Firefox\Profiles\xlbnixsu.default
FF NewTab: about:newtab
FF DefaultSearchEngine: Search Provided by Yahoo
FF DefaultSearchEngine.US: Google
FF SelectedSearchEngine: Search Provided by Yahoo
FF Homepage: hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyEtN2Y1L1QzutDtDtByE0EzztC0EtCzzzz0FyCyEyDzytN0D0Tzu0StCyDtAtAtN1L2XzutAtFtCyBtFtCyEtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyCyB0A0FzztB0D0CtGyDtCyEzztGyDyC0AyBtGtDtAyB0EtGyByB0ByCtAzz0EyCyBtDzytD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0ByCzyzztB0E0AtG0AyC0C0EtGyEtCtCzztG0B0B0AyDtGyEtBzy0E0CtAyCtA0DyDyD0D2QtN0A0LzuyE%26cr%3D1479602433%26a%3Djmb_pwrisofs_16_10%26os_ver%3D6%26os%3DWindows%2B™%2BVista%2BEnterprise
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_192.dll [2016-06-17] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_192.dll [2016-06-17] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-20] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-20] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin HKU\S-1-5-21-2506397146-1836660899-412650222-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Yarik\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-05-27] (Citrix Online)
FF Extension: Ant Video Downloader - C:\Users\Yarik\AppData\Roaming\Mozilla\Firefox\Profiles\xlbnixsu.default\extensions\anttoolbar@ant.com [2016-06-29]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2016-03-06] [not signed]

Chrome:
=======
CHR Profile: C:\Users\Yarik\AppData\Local\Google\Chrome\User Data\Default

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AcrSch2Svc; C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe [1195840 2016-04-26] ()
R2 afcdpsrv; C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [4463592 2016-05-31] ()
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 mmsminisrv; C:\Program Files (x86)\Common Files\Acronis\Infrastructure\mms_mini.exe [4884064 2015-08-11] (Acronis)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 syncagentsrv; C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [9698296 2016-04-16] ()
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 e1kexpress; C:\Windows\System32\DRIVERS\e1k60x64.sys [279216 2010-04-06] (Intel Corporation)
R0 file_tracker; C:\Windows\System32\DRIVERS\file_tracker.sys [339800 2016-05-31] (Acronis International GmbH)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-06-29] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
R0 tib; C:\Windows\System32\DRIVERS\tib.sys [1267552 2016-05-31] (Acronis International GmbH)
R2 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [193376 2016-05-31] (Acronis International GmbH)
S3 tnd; C:\Windows\System32\DRIVERS\tnd.sys [601432 2016-05-31] (Acronis International GmbH)
S3 usbcamcl; C:\Windows\System32\DRIVERS\usbcamcl.sys [62184 2011-12-08] (usb camera)
R2 virtual_file; C:\Windows\System32\DRIVERS\virtual_file.sys [279392 2016-05-31] (Acronis International GmbH)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-29 18:40 - 2016-06-29 18:40 - 00000000 ____D C:\FRST
2016-06-29 12:41 - 2016-06-29 12:42 - 00002210 _____ C:\Users\Yarik\Desktop\Rkill.txt
2016-06-28 10:06 - 2016-06-29 08:36 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-06-28 06:11 - 2016-06-28 16:28 - 00000000 ____D C:\Users\Yarik\Desktop\IT facts
2016-06-15 22:12 - 2016-05-18 08:55 - 00391168 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-06-15 22:12 - 2016-05-18 08:34 - 00305152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2016-06-15 22:12 - 2016-05-14 08:54 - 00205824 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-06-15 22:12 - 2016-05-14 08:53 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\netevent.dll
2016-06-15 22:12 - 2016-05-14 08:42 - 00077312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-06-15 22:12 - 2016-05-14 08:41 - 00175616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-06-15 22:12 - 2016-05-14 08:41 - 00017920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2016-06-15 22:12 - 2016-05-14 07:38 - 00450560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2016-06-15 22:12 - 2016-05-14 07:38 - 00176128 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2016-06-15 22:12 - 2016-05-14 07:38 - 00147456 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2016-06-15 22:12 - 2016-05-11 06:10 - 00516328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-06-15 22:09 - 2016-05-14 08:58 - 00383208 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-06-15 22:09 - 2016-05-14 08:53 - 00048128 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-06-15 22:09 - 2016-05-14 08:47 - 00306408 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2016-06-15 22:09 - 2016-05-14 08:41 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2016-06-15 22:09 - 2016-05-12 07:45 - 02801664 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-06-15 22:09 - 2016-05-12 07:39 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-06-15 22:09 - 2016-05-12 07:17 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-06-15 22:09 - 2016-05-10 08:55 - 00264704 _____ (Microsoft Corporation) C:\Windows\system32\ws2_32.dll
2016-06-15 22:09 - 2016-05-10 08:54 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\winhttp.dll
2016-06-15 22:09 - 2016-05-10 08:54 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\mswsock.dll
2016-06-15 22:09 - 2016-05-10 08:31 - 00377344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winhttp.dll
2016-06-15 22:09 - 2016-05-10 08:31 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
2016-06-15 22:09 - 2016-05-10 08:31 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ws2_32.dll
2016-06-15 22:09 - 2016-05-10 07:55 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netbt.sys
2016-06-15 22:09 - 2016-05-10 07:55 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\netbtugc.exe
2016-06-15 22:09 - 2016-05-10 07:28 - 00021504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\netbtugc.exe
2016-06-15 22:08 - 2016-05-12 08:56 - 00726016 _____ (Microsoft Corporation) C:\Windows\system32\gpsvc.dll
2016-06-15 22:08 - 2016-05-12 08:56 - 00534528 _____ (Microsoft Corporation) C:\Windows\system32\IPSECSVC.DLL
2016-06-15 22:08 - 2016-05-12 08:56 - 00381952 _____ (Microsoft Corporation) C:\Windows\system32\polstore.dll
2016-06-15 22:08 - 2016-05-12 08:56 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\winipsec.dll
2016-06-15 22:08 - 2016-05-12 08:56 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\gpapi.dll
2016-06-15 22:08 - 2016-05-12 08:56 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\FwRemoteSvr.dll
2016-06-15 22:08 - 2016-05-12 08:56 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\gpscript.dll
2016-06-15 22:08 - 2016-05-12 08:34 - 00273920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\polstore.dll
2016-06-15 22:08 - 2016-05-12 08:34 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winipsec.dll
2016-06-15 22:08 - 2016-05-12 08:34 - 00028672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpscript.dll
2016-06-15 22:08 - 2016-05-12 08:33 - 00075264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpapi.dll
2016-06-15 22:08 - 2016-05-12 08:33 - 00028672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FwRemoteSvr.dll
2016-06-15 22:08 - 2016-05-12 07:48 - 00025088 _____ (Microsoft Corporation) C:\Windows\system32\gpscript.exe
2016-06-15 22:08 - 2016-05-12 07:23 - 00024064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpscript.exe
2016-06-15 12:54 - 2016-05-12 12:52 - 18804224 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-06-15 12:54 - 2016-05-12 12:49 - 02351616 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-06-15 12:54 - 2016-05-12 12:46 - 00448512 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-06-15 12:54 - 2016-05-12 12:45 - 10940416 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-06-15 12:54 - 2016-05-12 12:44 - 01389056 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-06-15 12:54 - 2016-05-12 12:43 - 01392640 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 02159104 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 01494528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-06-15 12:54 - 2016-05-12 12:42 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 00579584 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 00452608 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 00173568 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-06-15 12:54 - 2016-05-12 12:42 - 00096256 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 00055296 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-06-15 12:54 - 2016-05-12 12:42 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-06-15 12:54 - 2016-05-12 12:41 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-06-15 12:54 - 2016-05-12 12:11 - 01815552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-06-15 12:54 - 2016-05-12 12:10 - 12840960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-06-15 12:54 - 2016-05-12 12:08 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-06-15 12:54 - 2016-05-12 12:06 - 09755136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-06-15 12:54 - 2016-05-12 12:06 - 01140224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-06-15 12:54 - 2016-05-12 12:05 - 01129984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-06-15 12:54 - 2016-05-12 12:04 - 01804800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-06-15 12:54 - 2016-05-12 12:04 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-06-15 12:54 - 2016-05-12 12:04 - 00719360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-06-15 12:54 - 2016-05-12 12:04 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-06-15 12:54 - 2016-05-12 12:04 - 00425472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-06-15 12:54 - 2016-05-12 12:04 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2016-06-15 12:54 - 2016-05-12 12:04 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-06-15 12:54 - 2016-05-12 12:04 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-06-15 12:54 - 2016-05-12 12:04 - 00041472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2016-06-15 12:54 - 2016-05-12 12:03 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-06-15 12:54 - 2016-05-12 12:03 - 00354304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-06-15 12:54 - 2016-05-12 12:03 - 00223744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-06-15 12:54 - 2016-05-12 12:03 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-06-15 12:54 - 2016-05-12 12:03 - 00072704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-06-15 12:54 - 2016-05-12 12:03 - 00011776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2016-06-15 12:53 - 2016-05-12 12:42 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2016-06-15 12:53 - 2016-05-12 12:03 - 00010752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2016-06-10 11:28 - 2016-06-10 12:24 - 00000000 ____D C:\Users\Yarik\Desktop\a
2016-06-07 18:37 - 2016-06-07 18:37 - 00000000 ____D C:\Windows\system32\appmgmt
2016-06-07 09:23 - 2016-06-29 08:36 - 00000000 ____D C:\Users\Yarik\AppData\Roaming\Skype
2016-06-07 09:22 - 2016-06-07 09:22 - 00003054 _____ C:\Windows\System32\Tasks\{F12E1299-8E7A-4079-8FAB-B51C54716F1E}
2016-06-07 09:22 - 2016-06-07 09:22 - 00001890 _____ C:\Users\Public\Desktop\Skype.lnk
2016-06-07 09:22 - 2016-06-07 09:22 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-06-07 09:22 - 2016-06-07 09:22 - 00000000 ____D C:\ProgramData\Skype
2016-06-07 09:22 - 2016-06-07 09:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-05-31 14:57 - 2016-05-31 14:57 - 00601432 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\tnd.sys
2016-05-31 14:57 - 2016-05-31 14:57 - 00279392 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\virtual_file.sys
2016-05-31 14:57 - 2016-05-31 14:57 - 00193376 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\tib_mounter.sys
2016-05-31 14:57 - 2016-05-31 14:57 - 00001058 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acronis True Image.lnk
2016-05-31 14:57 - 2016-05-31 14:57 - 00001046 _____ C:\Users\Public\Desktop\Acronis True Image.lnk
2016-05-31 14:29 - 2016-05-31 15:04 - 00000000 ____D C:\ProgramData\Acronis
2016-05-31 14:29 - 2016-05-31 14:57 - 00339800 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\file_tracker.sys
2016-05-31 14:29 - 2016-05-31 14:29 - 00000000 ____D C:\Users\Yarik\AppData\Roaming\Acronis
2016-05-31 14:28 - 2016-05-31 14:57 - 01267552 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\tib.sys
2016-05-31 14:28 - 2016-05-31 14:57 - 00340312 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\snapman.sys
2016-05-31 14:28 - 2016-05-31 14:57 - 00163160 _____ (Acronis International GmbH) C:\Windows\system32\Drivers\fltsrv.sys
2016-05-31 14:28 - 2016-05-31 14:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acronis
2016-05-31 14:28 - 2016-05-31 14:28 - 00000000 ____D C:\Program Files (x86)\Acronis

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-29 17:51 - 2006-11-02 08:21 - 00002704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-29 17:51 - 2006-11-02 08:21 - 00002704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-29 17:50 - 2016-03-12 05:07 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-29 17:10 - 2016-03-06 14:53 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-29 08:38 - 2006-11-02 06:33 - 00000000 ____D C:\Windows\inf
2016-06-29 08:38 - 2006-11-02 05:46 - 00758370 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-29 08:36 - 2016-03-06 10:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-06-29 08:31 - 2006-11-02 08:40 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-28 21:39 - 2006-11-02 08:40 - 00032588 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-06-17 08:50 - 2016-03-12 05:07 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-06-17 08:50 - 2016-03-12 05:07 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-06-17 08:50 - 2016-03-12 05:07 - 00003682 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-06-16 08:11 - 2006-11-02 06:33 - 00000000 ____D C:\Windows\rescache
2016-06-16 07:55 - 2006-11-02 08:21 - 00296784 _____ C:\Windows\system32\FNTCACHE.DAT
2016-06-15 22:12 - 2016-03-06 09:46 - 00000000 ____D C:\Windows\system32\MRT
2016-06-15 22:10 - 2006-11-02 05:35 - 142482544 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2016-06-15 13:40 - 2016-03-06 08:16 - 00484008 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-06-07 18:38 - 2016-05-27 12:35 - 00000000 ____D C:\Users\Yarik\AppData\Local\Citrix
2016-06-03 20:04 - 2016-03-06 14:57 - 00000000 ____D C:\Users\Yarik\Desktop\Fin

==================== Files in the root of some directories =======

2016-03-05 20:47 - 2016-03-06 08:12 - 0000732 _____ () C:\Users\Yarik\AppData\Local\d3d9caps64.dat
2016-03-25 03:49 - 2016-05-28 17:32 - 0185856 _____ () C:\Users\Yarik\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-03-13 11:43 - 2016-03-13 11:43 - 0224165 _____ () C:\Users\Yarik\AppData\Local\dd_depcheck_VS_VSTD_100.txt
2016-03-13 11:43 - 2016-03-13 11:43 - 0000002 _____ () C:\Users\Yarik\AppData\Local\dd_error_vs_vstdcore_100.txt
2016-03-13 11:43 - 2016-03-13 11:48 - 0193498 _____ () C:\Users\Yarik\AppData\Local\dd_install_vs_vstdcore_100.txt
2016-05-27 10:48 - 2016-05-27 10:48 - 0417216 _____ () C:\Users\Yarik\AppData\Local\dd_vcredistMSI57B6.txt
2016-05-27 10:48 - 2016-05-27 10:48 - 0011382 _____ () C:\Users\Yarik\AppData\Local\dd_vcredistUI57B6.txt
2016-03-13 11:43 - 2016-03-13 11:48 - 0002550 _____ () C:\Users\Yarik\AppData\Local\uxeventlog.txt

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-06-29 08:38

==================== End of FRST.txt ============================

Edited by Hedgehog83, 29 June 2016 - 08:46 PM.

#2 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 01 July 2016 - 03:04 PM

Hi,

Don't see much to worry about in the log other than some clean up. Looks like you just hit a semi-malicious web page or web page ad that tried to install something. The phishing attempt earlier was a coincidence, not related.

So we will use FRST to remove some things. You can copy/paste what's below into Notepad and save it as fixlist.txt in the same location that you have FRST. Start FRST like before, except this time click on the Fix button once. The machine may reboot to finish. Upon reboot it will display a fixlog.txt that you can copy/paste in your reply.

Usually only online once or twice here per day so you may not get a reply back from me until the following day.

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyEtN2Y1L1QzutDtDtByE0EzztC0EtCzzzz0FyCyEyDzytN0D0Tzu0StCyDtAtAtN1L2XzutAtFtCyBtFtCyEtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyCyB0A0FzztB0D0CtGyDtCyEzztGyDyC0AyBtGtDtAyB0EtGyByB0ByCtAzz0EyCyBtDzytD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0ByCzyzztB0E0AtG0AyC0C0EtGyEtCtCzztG0B0B0AyDtGyEtBzy0E0CtAyCtA0DyDyD0D2QtN0A0LzuyE%26cr%3D1479602433%26a%3Djmb_pwrisofs_16_10%26os_ver%3D6%26os%3DWindows%2B™%2BVista%2BEnterprise
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyEtN2Y1L1QzutDtDtByE0EzztC0EtCzzzz0FyCyEyDzytN0D0Tzu0StCyDtAtAtN1L2XzutAtFtCyBtFtCyEtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyCyB0A0FzztB0D0CtGyDtCyEzztGyDyC0AyBtGtDtAyB0EtGyByB0ByCtAzz0EyCyBtDzytD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0ByCzyzztB0E0AtG0AyC0C0EtGyEtCtCzztG0B0B0AyDtGyEtBzy0E0CtAyCtA0DyDyD0D2QtN0A0LzuyE%26cr%3D1479602433%26a%3Djmb_pwrisofs_16_10%26os_ver%3D6%26os%3DWindows%2B™%2BVista%2BEnterprise
HKU\S-1-5-21-2506397146-1836660899-412650222-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyEtN2Y1L1QzutDtDtByE0EzztC0EtCzzzz0FyCyEyDzytN0D0Tzu0StCyDtAtAtN1L2XzutAtFtCyBtFtCyEtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyCyB0A0FzztB0D0CtGyDtCyEzztGyDyC0AyBtGtDtAyB0EtGyByB0ByCtAzz0EyCyBtDzytD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0ByCzyzztB0E0AtG0AyC0C0EtGyEtCtCzztG0B0B0AyDtGyEtBzy0E0CtAyCtA0DyDyD0D2QtN0A0LzuyE%26cr%3D1479602433%26a%3Djmb_pwrisofs_16_10%26os_ver%3D6%26os%3DWindows%2B™%2BVista%2BEnterprise
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2506397146-1836660899-412650222-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
2016-03-05 20:47 - 2016-03-06 08:12 - 0000732 _____ () C:\Users\Yarik\AppData\Local\d3d9caps64.dat
2016-03-25 03:49 - 2016-05-28 17:32 - 0185856 _____ () C:\Users\Yarik\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-03-13 11:43 - 2016-03-13 11:43 - 0224165 _____ () C:\Users\Yarik\AppData\Local\dd_depcheck_VS_VSTD_100.txt
2016-03-13 11:43 - 2016-03-13 11:43 - 0000002 _____ () C:\Users\Yarik\AppData\Local\dd_error_vs_vstdcore_100.txt
2016-03-13 11:43 - 2016-03-13 11:48 - 0193498 _____ () C:\Users\Yarik\AppData\Local\dd_install_vs_vstdcore_100.txt
2016-05-27 10:48 - 2016-05-27 10:48 - 0417216 _____ () C:\Users\Yarik\AppData\Local\dd_vcredistMSI57B6.txt
2016-05-27 10:48 - 2016-05-27 10:48 - 0011382 _____ () C:\Users\Yarik\AppData\Local\dd_vcredistUI57B6.txt
2016-03-13 11:43 - 2016-03-13 11:48 - 0002550 _____ () C:\Users\Yarik\AppData\Local\uxeventlog.txt
hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=7.24.0.104&LastError=-3
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <===== ATTENTION
Empty Temp:

How Can I Reduce My Risk to Malware?
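A read-only PowerShell audit of the same registry locations the fixlist above rewrote (IE Start Page in both HKLM views and every user hive, the IE DefaultScope search template, and the Chrome policy key), added here as an example; it is not code from the thread or from FRST, and the allow list of hosts and the output format are assumptions.

```powershell
# Added example, not from this thread and not part of FRST: read-only audit of
# the registry locations the fixlist above rewrote. Run in an elevated
# PowerShell session. Assumption: on a clean machine the start page and the
# search template point at one of these hosts; anything else is flagged
# SUSPECT for manual review rather than changed.
$allowedHosts = @('go.microsoft.com', 'www.msn.com', 'www.bing.com', 'www.google.com')

function Get-UrlHost([string]$url) {
    try { return ([System.Uri]$url).Host } catch { return '' }
}

function Report([string]$what, [string]$key, [string]$value) {
    $status = if ($allowedHosts -contains (Get-UrlHost $value)) { 'ok     ' } else { 'SUSPECT' }
    Write-Output "[$status] $what  $key"
    Write-Output "          $value"
}

# The same hives the fixlist touched: 64-bit HKLM, 32-bit (Wow6432Node) HKLM
# and every loaded user hive (S-1-5-21-... SIDs; the _Classes keys are skipped).
$roots = @('HKLM:\Software', 'HKLM:\Software\Wow6432Node')
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { $roots += "Registry::$($_.Name)\Software" }

foreach ($root in $roots) {
    $main = "$root\Microsoft\Internet Explorer\Main"
    $page = (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($page) { Report 'Start Page  ' $main $page }

    # DefaultScope holds a GUID naming the subkey whose URL is the real search template
    $scopes = "$root\Microsoft\Internet Explorer\SearchScopes"
    $guid = (Get-ItemProperty -Path $scopes -Name DefaultScope -ErrorAction SilentlyContinue).DefaultScope
    if ($guid) {
        $url = (Get-ItemProperty -Path "$scopes\$guid" -Name URL -ErrorAction SilentlyContinue).URL
        if ($url) { Report 'DefaultScope' "$scopes\$guid" $url }
    }
}

# FRST flagged HKLM\SOFTWARE\Policies\Google as a restriction: list what is there
$policy = 'HKLM:\SOFTWARE\Policies\Google'
if (Test-Path $policy) {
    Write-Output "[REVIEW ] Chrome policy key present: $policy"
    @(Get-Item $policy) + @(Get-ChildItem -Path $policy -Recurse) | ForEach-Object {
        $k = $_
        $k.GetValueNames() | ForEach-Object { Write-Output "          $($k.Name)\$_ = $($k.GetValue($_))" }
    }
} else {
    Write-Output "[ok     ] no Chrome policy key under HKLM\SOFTWARE\Policies"
}
```

The script changes nothing; compare any SUSPECT line against what the browser's settings dialog shows before deciding it needs a fix.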


#3 Hedgehog83
  • Topic Starter
  • Members
  • 139 posts

Posted 01 July 2016 - 07:32 PM

Thanks for the fast reply. So, you think that everything is completely good? It seems that things might have been far worse if I had installed the actual file...

 

By the way, I forgot to mention that when this happened I did a quick search on this link: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Kovter

 

It said that the symptoms might be some values in the registry. The symptom section in that link shows that there is a zero for each of the registry sections. I checked, and it looks like I have those zeroes on the computer. Should this be a warning flag?

 

I mentioned before that there was a Trojan Win32/Kovter situation. Don't know if it tried to install itself or already installed itself when I visited a site, but MSE saw it and removed it. Do I need to be concerned about the potential remnants of it?

 

Thanks in advance.



#4 Hedgehog83
  • Topic Starter
  • Members
  • 139 posts

Posted 01 July 2016 - 07:38 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-06-2016
Ran by Yarik (2016-07-01 17:35:31) Run:1
Running from D:\Downloads\Downloads
Loaded Profiles: Yarik (Available Profiles: Yarik)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyEtN2Y1L1QzutDtDtByE0EzztC0EtCzzzz0FyCyEyDzytN0D0Tzu0StCyDtAtAtN1L2XzutAtFtCyBtFtCyEtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyCyB0A0FzztB0D0CtGyDtCyEzztGyDyC0AyBtGtDtAyB0EtGyByB0ByCtAzz0EyCyBtDzytD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0ByCzyzztB0E0AtG0AyC0C0EtGyEtCtCzztG0B0B0AyDtGyEtBzy0E0CtAyCtA0DyDyD0D2QtN0A0LzuyE%26cr%3D1479602433%26a%3Djmb_pwrisofs_16_10%26os_ver%3D6%26os%3DWindows%2B%2BVista%2BEnterprise
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyEtN2Y1L1QzutDtDtByE0EzztC0EtCzzzz0FyCyEyDzytN0D0Tzu0StCyDtAtAtN1L2XzutAtFtCyBtFtCyEtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyCyB0A0FzztB0D0CtGyDtCyEzztGyDyC0AyBtGtDtAyB0EtGyByB0ByCtAzz0EyCyBtDzytD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0ByCzyzztB0E0AtG0AyC0C0EtGyEtCtCzztG0B0B0AyDtGyEtBzy0E0CtAyCtA0DyDyD0D2QtN0A0LzuyE%26cr%3D1479602433%26a%3Djmb_pwrisofs_16_10%26os_ver%3D6%26os%3DWindows%2B%2BVista%2BEnterprise
HKU\S-1-5-21-2506397146-1836660899-412650222-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyEtN2Y1L1QzutDtDtByE0EzztC0EtCzzzz0FyCyEyDzytN0D0Tzu0StCyDtAtAtN1L2XzutAtFtCyBtFtCyEtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyCyB0A0FzztB0D0CtGyDtCyEzztGyDyC0AyBtGtDtAyB0EtGyByB0ByCtAzz0EyCyBtDzytD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0ByCzyzztB0E0AtG0AyC0C0EtGyEtCtCzztG0B0B0AyDtGyEtBzy0E0CtAyCtA0DyDyD0D2QtN0A0LzuyE%26cr%3D1479602433%26a%3Djmb_pwrisofs_16_10%26os_ver%3D6%26os%3DWindows%2B%2BVista%2BEnterprise
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2506397146-1836660899-412650222-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
2016-03-05 20:47 - 2016-03-06 08:12 - 0000732 _____ () C:\Users\Yarik\AppData\Local\d3d9caps64.dat
2016-03-25 03:49 - 2016-05-28 17:32 - 0185856 _____ () C:\Users\Yarik\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-03-13 11:43 - 2016-03-13 11:43 - 0224165 _____ () C:\Users\Yarik\AppData\Local\dd_depcheck_VS_VSTD_100.txt
2016-03-13 11:43 - 2016-03-13 11:43 - 0000002 _____ () C:\Users\Yarik\AppData\Local\dd_error_vs_vstdcore_100.txt
2016-03-13 11:43 - 2016-03-13 11:48 - 0193498 _____ () C:\Users\Yarik\AppData\Local\dd_install_vs_vstdcore_100.txt
2016-05-27 10:48 - 2016-05-27 10:48 - 0417216 _____ () C:\Users\Yarik\AppData\Local\dd_vcredistMSI57B6.txt
2016-05-27 10:48 - 2016-05-27 10:48 - 0011382 _____ () C:\Users\Yarik\AppData\Local\dd_vcredistUI57B6.txt
2016-03-13 11:43 - 2016-03-13 11:48 - 0002550 _____ () C:\Users\Yarik\AppData\Local\uxeventlog.txt
hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=7.24.0.104&LastError=-3
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <===== ATTENTION
Empty Temp:
*****************

"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-2506397146-1836660899-412650222-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-2506397146-1836660899-412650222-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
IpInIp => service removed successfully
NwlnkFlt => service removed successfully
NwlnkFwd => service removed successfully
C:\Users\Yarik\AppData\Local\d3d9caps64.dat => moved successfully
C:\Users\Yarik\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
C:\Users\Yarik\AppData\Local\dd_depcheck_VS_VSTD_100.txt => moved successfully
C:\Users\Yarik\AppData\Local\dd_error_vs_vstdcore_100.txt => moved successfully
C:\Users\Yarik\AppData\Local\dd_install_vs_vstdcore_100.txt => moved successfully
C:\Users\Yarik\AppData\Local\dd_vcredistMSI57B6.txt => moved successfully
C:\Users\Yarik\AppData\Local\dd_vcredistUI57B6.txt => moved successfully
C:\Users\Yarik\AppData\Local\uxeventlog.txt => moved successfully
hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=7.24.0.104&LastError=-3 => Error: No automatic fix found for this entry.
HKLM\Software\Classes\cmdfile\DefaultIcon\\Default => value restored successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 20321455 B
Java, Flash, Steam htmlcache => 9007 B
Windows/system/drivers => 7634450 B
Edge => 0 B
Chrome => 0 B
Firefox => 383897761 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66295 B
systemprofile32 => 66034 B
LocalService => 0 B
LocalService => 0 B
NetworkService => 424534 B
NetworkService => 0 B
Yarik => 57982228 B

RecycleBin => 25150380 B
EmptyTemp: => 480.7 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 17:35:40 ====

#5 shelf life
  • Malware Response Team
  • 2,651 posts

Posted 02 July 2016 - 08:56 AM

Yes, it would have been worse if you had actually installed the file, but you know better than that, right?

You're good, I wouldn't worry about the two settings in the registry as an indication of malware. I looked and mine are the same as the article mentions.

Have you updated and run Malwarebytes recently just as another check? You can also run Adwcleaner:

Please download adwcleaner and save to your desktop.

    http://www.bleepingcomputer.com/download/adwcleaner/

    Right click AdwCleaner.exe and select "run as admin"
    Accept the disclaimer
    Click on the Scan button.
    Once the scan is done, Click the Clean button
    Press OK when asked to close all programs and follow the onscreen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically
    Copy and paste the contents of that logfile in your next reply.
    A copy of that logfile will also be saved in the C:\AdwCleaner folder.
 




#6 Hedgehog83
  • Topic Starter
  • Members
  • 139 posts

Posted 03 July 2016 - 10:38 AM

Yes, I know that saving the file and running it would be bad. My Malwarebytes updates automatically and I ran it just before posting here, a few days ago.

 

Adwcleaner ran but I didn't see any option to deselect to keep. Only when the pc rebooted, the log showed that some entries were deleted. As you can see, there is something called "tracing keys". Any ideas on what that is?

# AdwCleaner v5.201 - Logfile created 03/07/2016 at 08:33:26
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-01.1 [Server]
# Operating system : Windows ™ Vista Enterprise Service Pack 2 (X64)
# Username : Yarik - TIGER
# Running from : D:\Downloads\Downloads\AdwCleaner.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[#] Folder Deleted : C:\Users\Yarik\AppData\Roaming\Mozilla\Firefox\Profiles\xlbnixsu.default\extensions\anttoolbar@ant.com

***** [ Files ] *****


***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

[-] [C:\Users\Yarik\AppData\Roaming\Mozilla\Firefox\Profiles\xlbnixsu.default\prefs.js] Deleted : user_pref("browser.search.defaultenginename", "Search Provided by Yahoo");
[-] [C:\Users\Yarik\AppData\Roaming\Mozilla\Firefox\Profiles\xlbnixsu.default\prefs.js] Deleted : user_pref("browser.search.selectedEngine", "Search Provided by Yahoo");
[-] [C:\Users\Yarik\AppData\Roaming\Mozilla\Firefox\Profiles\xlbnixsu.default\prefs.js] Deleted : user_pref("browser.startup.homepage", "hxxps://us.search.yahoo.com/yhs/web?hspart=itm&hsimp=yhs-001&type=jmb_pwrisofs_16_10&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Dus%26pa%3DJoomborio%26cd%3D2XzuyE[...]

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1509 bytes] - [03/07/2016 08:33:26]
C:\AdwCleaner\AdwCleaner[S1].txt - [1548 bytes] - [03/07/2016 08:32:03]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1655 bytes] ##########
 


Edited by Hedgehog83, 03 July 2016 - 10:39 AM.


#7 Hedgehog83
  • Topic Starter
  • Members
  • 139 posts

Posted 03 July 2016 - 01:01 PM

Do you think there might be any remnants of Kovter that Malwarebytes or MSE doesn't pick up? In other words, how sure can we be that there is no Kovter without reinstalling the OS?



#8 shelf life
  • Malware Response Team
  • 2,651 posts

Posted 03 July 2016 - 01:39 PM

Looks ok. I believe the tracing keys could be used by malware. Some items adwcleaner "cleans" are set by default.

 

https://www.microsoft.com/resources/documentation/WindowsServ/2003/all/ADS/en-us/ads_using_tracing.mspx?mfr=true




#9 Hedgehog83
  • Topic Starter
  • Members
  • 139 posts

Posted 03 July 2016 - 04:00 PM

Okay thanks. At this point, is there anything else that needs to be done?



#10 shelf life
  • Malware Response Team
  • 2,651 posts

Posted 03 July 2016 - 06:29 PM

 

how sure can we be that there is no Kovter without reinstalling the OS

Just have to trust the tools you ran.

If you open up Adwcleaner, there is an uninstall option. For FRST you can delete the icons, the logs and the FRST folder in your root drive C.

If all is good on your end: happy safe surfing out there.




#11 Hedgehog83
  • Topic Starter
  • Members
  • 139 posts

Posted 03 July 2016 - 09:42 PM

Alright. Thanks for your help!
