Multiple threat detections, possible Ransomware


  • This topic is locked
8 replies to this topic

#1 Nick_Joly

Nick_Joly

  • Members
  • 18 posts
  • OFFLINE

Posted 24 August 2016 - 01:58 PM

Hi,

I've been getting several malware detections from Avast in the last few days, the malware being Win32:Evo-Gen [Susp] and the warnings starting on the 19th of August. The suspicious files are always random dlls located in C:/windows/temp. To make sure it wasn't a false positive, I restored the file from the quarantine chest and had it scanned by virustotal. The result was about 7 other antimalware detecting it. AVG picks it up as "Ransomer.LRV", which really has me worried.

So far there have been no symptoms, which I'm guessing is normal considering the nature of ransomware.

Avast hasn't picked anything up during normal scans or even thorough scans, just randomly throughout the day and when I uploaded the file to Virustotal. I also noticed that coincidentally someone else on this forum is having a similar problem to mine with the same malware, "Ransomer.LRV", and very similar patterns (multiple detections of dlls in Windows' temp folder). http://www.bleepingcomputer.com/forums/t/624602/ransomerlrv-avg-keeps-detecting-frst-additiontxt-included/

Perhaps we're both infected with the same thing?

Here are my logs. Thank you.

 

----------

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01
Ran by Prawns (administrator) on DESKTOP-63I4767 (24-08-2016 14:43:18)
Running from C:\Users\Prawns\Desktop\farbar
Loaded Profiles: Prawns (Available Profiles: Prawns)
Platform: Windows 10 Home (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Absolute Software Corp.) C:\Windows\SysWOW64\rpcnet.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\32\WacomDesktopCenter.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Spotify Ltd) C:\Users\Prawns\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Spotify Ltd) C:\Users\Prawns\AppData\Roaming\Spotify\Spotify.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Spotify Ltd) C:\Users\Prawns\AppData\Roaming\Spotify\SpotifyCrashService.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Spotify Ltd) C:\Users\Prawns\AppData\Roaming\Spotify\Spotify.exe
(Spotify Ltd) C:\Users\Prawns\AppData\Roaming\Spotify\Spotify.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_209.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_209.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\System32\LogiLDA.dll [3933496 2016-05-18] (Logitech, Inc.)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2171960 2016-05-10] ()
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1795120 2016-05-10] (NVIDIA Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [8900328 2016-07-13] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3891480950-142719974-3805490866-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2857248 2016-08-23] (Valve Corporation)
HKU\S-1-5-21-3891480950-142719974-3805490866-1001\...\Run: [Spotify Web Helper] => C:\Users\Prawns\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1523312 2016-08-24] (Spotify Ltd)
HKU\S-1-5-21-3891480950-142719974-3805490866-1001\...\Run: [Spotify] => C:\Users\Prawns\AppData\Roaming\Spotify\Spotify.exe [6930544 2016-08-24] (Spotify Ltd)
HKU\S-1-5-21-3891480950-142719974-3805490866-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29494400 2016-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-3891480950-142719974-3805490866-1001\...\MountPoints2: {6bfaf08d-209f-11e6-9bc7-f0def189cc3a} - "D:\SISetup.exe"
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [175368 2016-05-10] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [153392 2016-05-10] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-06-30] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{b2a281a0-d7c8-41f5-8be3-2d78f5001d8b}: [DhcpNameServer] 192.168.1.1 192.168.1.1

Internet Explorer:
==================
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-05-18] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-18] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Prawns\AppData\Roaming\Mozilla\Firefox\Profiles\5px3meic.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-08-06] ()
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-08-06] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-18] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-18] (Oracle Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-05-10] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-05-10] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-04-26] (VideoLAN)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Extension: Adblock Plus - C:\Users\Prawns\AppData\Roaming\Mozilla\Firefox\Profiles\5px3meic.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-05-18]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-07-01]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-07-01]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

Chrome:
=======
CHR Profile: C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-11]
CHR Extension: (Google Docs) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-11]
CHR Extension: (Google Drive) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-11]
CHR Extension: (YouTube) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-11]
CHR Extension: (Adblock Plus) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-06-11]
CHR Extension: (Google Sheets) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-11]
CHR Extension: (Google Docs Offline) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-11]
CHR Extension: (Gmail) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-11]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-06-30] (AVAST Software)
S3 vmicvss; C:\Windows\System32\ICSvc.dll [506880 2015-07-10] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [362928 2015-07-10] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-07-10] (Microsoft Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [742864 2016-03-21] (Wacom Technology, Corp.)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-06-30] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-06-30] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108304 2016-06-30] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-06-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-06-30] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-06-30] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [473592 2016-07-14] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [162904 2016-06-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-08-05] (AVAST Software)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2010-03-05] (Marvell Semiconductor, Inc.)
R3 NETwNe64; C:\Windows\System32\drivers\NETwew01.sys [3354384 2015-07-10] (Intel Corporation)
S3 UdeCx; C:\Windows\System32\drivers\udecx.sys [44032 2015-07-10] ()
R3 WacHidRouterPro; C:\Windows\System32\drivers\wachidrouter.sys [102864 2016-03-02] (Wacom Technology)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-07-10] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [291680 2015-07-10] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [119648 2015-07-10] (Microsoft Corporation)
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-24 14:43 - 2016-08-24 14:43 - 00000000 ____D C:\FRST
2016-08-24 14:38 - 2016-08-24 14:43 - 00000000 ____D C:\Users\Prawns\Desktop\farbar
2016-08-24 14:17 - 2016-08-24 14:17 - 00016148 _____ C:\Windows\system32\DESKTOP-63I4767_Prawns_HistoryPrediction.bin
2016-08-02 13:45 - 2016-08-23 04:55 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-07-31 08:36 - 2016-08-06 10:32 - 00000000 ____D C:\Users\Prawns\Desktop\monty
2016-07-27 10:00 - 2016-07-27 10:39 - 00000000 ____D C:\Users\Prawns\Documents\Mount&Blade Warband
2016-07-27 10:00 - 2016-07-27 10:00 - 00000000 ____D C:\Users\Prawns\AppData\Roaming\Mount&Blade Warband
2016-07-26 13:06 - 2016-07-26 13:06 - 00000000 ____D C:\Users\Prawns\Documents\Oddworld

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-24 14:33 - 2016-05-19 20:24 - 00000000 ____D C:\Users\Prawns\AppData\Roaming\Skype
2016-08-24 14:21 - 2016-05-18 14:55 - 00000000 ____D C:\Program Files (x86)\Steam
2016-08-24 14:10 - 2016-06-11 10:54 - 00000938 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-24 11:33 - 2016-05-18 18:42 - 00000000 ____D C:\Users\Prawns\AppData\Roaming\Spotify
2016-08-24 11:29 - 2016-06-11 10:54 - 00000934 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-24 11:29 - 2016-05-18 18:43 - 00000000 ____D C:\Users\Prawns\AppData\Local\Spotify
2016-08-24 11:27 - 2016-05-18 17:16 - 00017920 _____ C:\Windows\system32\rpcnetp.exe
2016-08-23 04:55 - 2016-05-18 14:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-08-22 22:03 - 2016-05-18 17:05 - 00000000 ____D C:\Users\Prawns\AppData\Local\Firestorm
2016-08-18 21:04 - 2016-05-18 14:29 - 00000156 __RSH C:\ProgramData\3002.xml
2016-08-14 21:13 - 2016-05-28 03:06 - 00000000 ____D C:\Users\Prawns\Desktop\art
2016-08-08 18:12 - 2016-06-11 10:56 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-08 18:12 - 2016-06-11 10:56 - 00002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-08-06 13:30 - 2016-06-08 21:57 - 00000000 ____D C:\Users\Prawns\AppData\Local\Adobe
2016-08-06 13:27 - 2015-07-10 07:04 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-08-06 13:27 - 2015-07-10 07:04 - 00000000 ____D C:\Windows\system32\Macromed
2016-08-05 22:22 - 2016-05-18 15:04 - 00000000 ____D C:\ProgramData\NVIDIA
2016-08-05 22:22 - 2016-05-18 14:27 - 00078032 _____ (Absolute Software Corp.) C:\Windows\SysWOW64\rpcnet.dll
2016-08-05 22:22 - 2015-07-10 08:21 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-05 22:22 - 2015-07-10 05:05 - 00131072 ___SH C:\Windows\system32\config\BBI
2016-08-05 13:34 - 2016-05-18 14:58 - 00292704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswvmm.sys
2016-08-02 01:51 - 2016-06-25 13:58 - 00000000 ____D C:\ProgramData\69B6DBD2-8E05-476F-B662-CF8D235FD499
2016-07-28 22:05 - 2016-06-11 10:54 - 00003996 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-07-28 22:05 - 2016-06-11 10:54 - 00003764 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-07-27 21:56 - 2016-05-19 20:24 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-07-27 21:56 - 2016-05-19 20:24 - 00000000 ____D C:\ProgramData\Skype

==================== Files in the root of some directories =======

2016-05-18 14:29 - 2016-05-26 17:26 - 0032432 __RSH () C:\ProgramData\3002.abs
2016-05-18 14:29 - 2016-08-18 21:04 - 0000156 __RSH () C:\ProgramData\3002.xml
2016-05-18 14:29 - 2016-05-18 14:29 - 0015568 __RSH () C:\ProgramData\3029.abs

Some files in TEMP:
====================
C:\Users\Prawns\AppData\Local\Temp\siinst.exe
C:\Users\Prawns\AppData\Local\Temp\strings.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-08-19 09:11

==================== End of FRST.txt ============================

 

 

Attached Files




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 August 2016 - 09:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (Chrome Web Store Payments) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-11]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.
=========

Do at your convenience.
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)

#3 Nick_Joly

Nick_Joly
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE

Posted 26 August 2016 - 12:47 PM

Hi Nasdaq!

 

Good to see you again.

 

I haven't had any detections so far today, but I'll keep vigilant about any possible new warnings.

 

Last detection was yesterday evening. None today, and none after performing both actions you told me to.

 

Here's the fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-08-2016 01
Ran by Prawns (26-08-2016 12:52:37) Run:1
Running from C:\Users\Prawns\Desktop\farbar
Loaded Profiles: Prawns (Available Profiles: Prawns)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (Chrome Web Store Payments) - C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-11]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully
wfpcapture => service removed successfully
"C:\Users\Prawns\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 1395915 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 51538162 B
Java, Flash, Steam htmlcache => 355392557 B
Windows/system/drivers => 51237840 B
Edge => 933333 B
Chrome => 680071593 B
Firefox => 385156616 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 21332 B
NetworkService => 23881176 B
Prawns => 924524698 B

RecycleBin => 0 B
EmptyTemp: => 2.3 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 12:56:20 ====

 

attaching the zoek results:

 

 

Attached Files



#4 Nick_Joly

Nick_Joly
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE

Posted 26 August 2016 - 01:35 PM

Here's an update on my current situation.

 

Just got another virus warning from avast.

 

Here's a screenshot of the typical warning I'm getting every now and then.

 

 

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 August 2016 - 09:28 AM

If the file is still in the Windows\Temp\ folder please submit it to Virus total.
Follow the instructions on this page.
https://www.virustotal.com/

Post the results for my review.

p.s.
If the file was quarantined by Avast it just may be that you will find it in Avast's quarantine folder.

===

Please scan your computer with ESET Online Scanner.
  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.

#6 Nick_Joly

Nick_Joly
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE

Posted 28 August 2016 - 04:53 PM

Hi nasdaq,

 

Here are the results of Virustotal scanning the latest file that was picked up as a threat by Avast:

 

https://www.virustotal.com/en/file/1b2c5e27a2a8b2c04d1e5b20c5a391df3401627b153aa75372e7fd68c36043e1/analysis/1472413665/

 

, and here are the results of the Eset scan:

 

C:\Users\Prawns\AppData\LocalLow\Oracle\Java\jre1.8.0_91\java_sp.dll    a variant of Win32/Bundled.Toolbar.Ask.N potentially unsafe application    cleaned by deleting
C:\Users\Prawns\AppData\LocalLow\Oracle\Java\jre1.8.0_91\java_sp\JavaIC.dll    a variant of Win32/Bundled.Toolbar.Ask.N potentially unsafe application    cleaned by deleting



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 August 2016 - 08:53 AM

It could well be that such a file is created when your AVAST is updated.

Next time check the date and time of the new file in the TEMP folder.
Compare it to the date and time of your Avast update.

Keep me posted.
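
The timestamp comparison suggested in the reply above (and the VirusTotal hash check from the first post) can be done in a single pass from an elevated PowerShell prompt. The script below is an added example written for this thread; it is not something nasdaq or Nick_Joly posted and not part of any tool mentioned here. The parameter names TempDir, Hours and AvUpdateTime are my own choices, and the script assumes only the standard Windows 10 cmdlets Get-ChildItem, Get-FileHash and Get-AuthenticodeSignature. It reads files and reports on them; nothing is uploaded or deleted.

```powershell
# Added example for this thread (not from the original posts).
# Lists DLLs recently created in the Windows Temp folder with creation time,
# SHA-256 and Authenticode status, so each file can be matched against the
# antivirus update time as suggested above. Nothing is uploaded anywhere.
param(
    # Folder to inspect; the files in this thread were in C:\Windows\Temp
    [string]$TempDir = (Join-Path $env:SystemRoot 'Temp'),
    # Only look back this many hours
    [int]$Hours = 48,
    # Optional: time of the last AV definition update, read from the AV program's UI
    [Nullable[datetime]]$AvUpdateTime = $null
)

$since = (Get-Date).AddHours(-$Hours)

$report = Get-ChildItem -Path $TempDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Minutes between the AV update and the file's creation; a small positive
        # value means the DLL appeared right after the update ran.
        $delta = if ($AvUpdateTime) {
            [math]::Round(($_.CreationTime - $AvUpdateTime).TotalMinutes, 1)
        } else { $null }
        [pscustomobject]@{
            File           = $_.Name
            Created        = $_.CreationTime
            MinsAfterAvUpd = $delta
            SizeBytes      = $_.Length
            # Lower-case SHA-256, the same form VirusTotal uses in its file URLs
            SHA256         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            Signature      = $sig.Status   # Valid / NotSigned / HashMismatch / ...
            Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
    } | Sort-Object Created -Descending

if (-not $report) {
    "No DLLs created in $TempDir during the last $Hours hours."
} else {
    $report | Format-Table -AutoSize -Wrap
}
```

Run it from an administrator PowerShell window, since C:\Windows\Temp is not fully readable by a standard user, for example: .\Temp-Dlls.ps1 -Hours 72 -AvUpdateTime '2016-08-26 13:20' (the date is a made-up value; take the real one from the AV program's update history). A DLL that was already quarantined will not be listed, as nasdaq notes, but for files that are still present the SHA256 column lets you look the file up on VirusTotal by hash rather than restoring it from quarantine and uploading it again, and an unsigned DLL created seconds after a vendor update is the pattern to look for when deciding whether the detection is an update artefact.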

#8 Nick_Joly

Nick_Joly
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE

Posted 03 October 2016 - 08:12 PM

Sorry for necroing my own thread. I have been away for a month, unable to monitor the computer.

 

However, just to update, there have been no detections since the ESET scan.

 

Hopefully this is the end of the apparent infection it was having.


Edited by Nick_Joly, 03 October 2016 - 08:13 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,924 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 October 2016 - 08:10 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/



