ISP reports "likely infected with Zeus/Zbot"


10 replies to this topic

#1 RickLV (Members, 5 posts)

Posted 10 September 2016 - 01:15 PM

I would like assistance verifying that one of my 64-bit Win7 SP1 home computers is not infected with any of the Zeus/Zbot/Gameover variants or Necurs rootkit.

 

I received an email from Cox Communications reporting that, "one or more of the computers behind your cable modem are likely infected with the Zeus Trojan/bot, also known as Zbot."  I called and spoke to a Cox security tech who reviewed their logs and identified "suspicious" traffic to a suspected C2 server at  www.costa-rica-fishingtrips.com. That told me which home computer is the suspect, because I had intentionally visited that web site.

 

Here is a description of the machine I was using:

 

Dell Precision M6500

Windows 7 SP1 64-bit

MS patches are current

MS Security Essentials

Malwarebytes Anti-Malware Corporate

Firefox 48.02

Java 8 update 101

MVPS Host file

 

This machine and several similar Win7 installations are on my home network behind a Linksys E3000 router. I am hoping someone can guide me through a methodical process to scan this computer for the suspect malware/rootkit.

 

 

 





#2 buddy215 (Moderator, 13,320 posts, West Tennessee)

Posted 10 September 2016 - 02:09 PM

Welcome to BC....

 

Try the AVG tool for removing the malware.

If the infected computer is connected to LAN, disconnect it and re-connect only after all other computers have been checked and cleaned.

  • Download the executable file rmzbot.exe
  • Then run the tool for removal of infected files. The tool will automatically scan all available discs and will try to heal the infected files. If an active virus is found in memory, the tool will ask the user to reboot the computer. Healing will be performed during operating system boot-up sequence, so any active virus cannot interfere with the healing process.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 RickLV (Topic Starter, Members, 5 posts)

Posted 11 September 2016 - 03:33 PM

The suspect infected computer remains disconnected from the LAN. I have finished running the AVG tool, CCleaner, and ESET OnlineScan tool on 5 other Win7 computers that share the same LAN. The ESET log files for these 5 computers are included below.


Latitude E6420
16:47:59 Updating
16:48:00 Update Init
16:48:01 Update Download
16:49:38 esets_scanner_reload returned 0
16:49:38 g_uiModuleBuild: 30715
16:49:38 Update Finalize
16:49:38 Call m_esets_charon_send
16:49:38 Call m_esets_charon_destroy
16:49:38 Updated modules version: 30715
16:49:47 Call m_esets_charon_setup_create
16:49:47 Call m_esets_charon_create
16:49:47 m_esets_charon_create OK
16:49:47 Call m_esets_charon_start_send_thread
16:49:47 Call m_esets_charon_setup_set
16:49:47 m_esets_charon_setup_set OK
16:49:47 Scanner engine: 30715
16:53:33 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.12.0
# EOSSerial=cecc8643c56d50459be53198b4b032a3
# engine=30715
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-09-10 23:53:32
# local_time=2016-09-10 16:53:32 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='McAfee VirusScan Enterprise'
# compatibility_mode=5128 16777213 100 100 191063 120851327 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 61830936 225095062 0 0
# scanned=0
# found=0
# cleaned=0
# scan_time=233
16:53:38 Call m_esets_charon_send
16:53:38 Call m_esets_charon_destroy
16:53:39 RecursiveRemoveDirectoryAndAllFiles: C:\Users\maulr\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
16:58:45 Call m_esets_charon_setup_create
16:58:45 Call m_esets_charon_create
16:58:45 m_esets_charon_create OK
16:58:45 Call m_esets_charon_start_send_thread
16:58:45 Call m_esets_charon_setup_set
16:58:45 m_esets_charon_setup_set OK
16:58:45 Updating
16:58:45 Update Init
16:58:54 Call m_esets_charon_setup_create
16:58:54 Call m_esets_charon_create
16:58:54 m_esets_charon_setup_set ERROR
16:58:54 Update Download
16:58:59 esets_scanner_update returned -1 esets_gle=53251
16:58:59 g_uiModuleBuild: 30715
16:58:59 Update Finalize
16:58:59 Call m_esets_charon_send
16:58:59 Call m_esets_charon_destroy
16:58:59 Updated modules version: 30715
16:59:09 Call m_esets_charon_setup_create
16:59:09 Call m_esets_charon_create
16:59:09 m_esets_charon_setup_set ERROR
16:59:09 Scanner engine: 30715
05:54:47 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.12.0
# EOSSerial=cecc8643c56d50459be53198b4b032a3
# engine=30715
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-09-11 12:54:46
# local_time=2016-09-11 05:54:46 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='McAfee VirusScan Enterprise'
# compatibility_mode=5128 16777213 100 100 237937 120898201 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 61877810 225141936 0 0
# scanned=2
# found=0
# cleaned=0
# scan_time=46545



Latitude E5540
16:39:55 Updating
16:39:55 Update Init
16:39:56 Update Download
16:49:15 esets_scanner_update returned -1 esets_gle=12
16:49:15 Update Finalize
16:49:15 Call m_esets_charon_send
16:49:15 Call m_esets_charon_destroy
16:49:15 Retrying Update
16:49:15 Updating
16:49:15 Update Init
16:49:22 Update Download
16:52:56 Call m_esets_charon_send
16:52:56 Call m_esets_charon_destroy
16:53:03 RecursiveRemoveDirectoryAndAllFiles: C:\Users\maulr\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
16:59:00 Updating
16:59:00 Update Init
16:59:07 Update Download
17:06:31 esets_scanner_update returned -1 esets_gle=12
17:06:31 Update Finalize
17:06:31 Call m_esets_charon_send
17:06:31 Call m_esets_charon_destroy
17:06:31 Retrying Update
17:06:31 Updating
17:06:31 Update Init
17:06:37 Update Download
17:16:40 esets_scanner_reload returned 0
17:16:40 g_uiModuleBuild: 30715
17:16:40 Update Finalize
17:16:40 Call m_esets_charon_send
17:16:40 Call m_esets_charon_destroy
17:16:40 Updated modules version: 30715
17:16:50 Call m_esets_charon_setup_create
17:16:50 Call m_esets_charon_create
17:16:50 m_esets_charon_create OK
17:16:50 Call m_esets_charon_start_send_thread
17:16:50 Call m_esets_charon_setup_set
17:16:50 m_esets_charon_setup_set OK
17:16:50 Scanner engine: 30715
18:53:53 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.12.0
# EOSSerial=23d3c35442d7744a80997fc2e5fa02ad
# engine=30715
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-09-11 01:53:51
# local_time=2016-09-10 18:53:51 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='McAfee VirusScan Enterprise'
# compatibility_mode=5128 16777213 100 100 11412940 27106772 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 28327768 225102281 0 0
# scanned=2
# found=0
# cleaned=0
# scan_time=5829



Latitude E6540
06:19:05 Updating
06:19:05 Update Init
06:19:06 Update Download
06:20:41 esets_scanner_reload returned 0
06:20:41 g_uiModuleBuild: 30719
06:20:41 Update Finalize
06:20:41 Call m_esets_charon_send
06:20:41 Call m_esets_charon_destroy
06:20:42 Updated modules version: 30719
06:20:51 Call m_esets_charon_setup_create
06:20:51 Call m_esets_charon_create
06:20:51 m_esets_charon_create OK
06:20:51 Call m_esets_charon_start_send_thread
06:20:51 Call m_esets_charon_setup_set
06:20:51 m_esets_charon_setup_set OK
06:20:51 Scanner engine: 30719
10:00:11 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.12.0
# EOSSerial=e927a7384435c14eb0935102f14ced96
# engine=30719
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-09-11 17:00:10
# local_time=2016-09-11 10:00:10 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Microsoft Security Essentials'
# compatibility_mode=5895 16777213 100 100 16323184 95643204 0 0
# scanned=2
# found=0
# cleaned=0
# scan_time=13167


Optiplex 9020
08:20:59 Updating
08:20:59 Update Init
08:21:02 Update Download
08:22:35 esets_scanner_reload returned 0
08:22:35 g_uiModuleBuild: 30719
08:22:35 Update Finalize
08:22:35 Call m_esets_charon_send
08:22:35 Call m_esets_charon_destroy
08:22:35 Updated modules version: 30719
08:22:45 Call m_esets_charon_setup_create
08:22:45 Call m_esets_charon_create
08:22:45 m_esets_charon_create OK
08:22:45 Call m_esets_charon_start_send_thread
08:22:45 Call m_esets_charon_setup_set
08:22:45 m_esets_charon_setup_set OK
08:22:45 Scanner engine: 30719
09:34:49 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.12.0
# EOSSerial=8806df441cfdb64193a1ade2ebce1b18
# engine=30719
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-09-11 16:34:48
# local_time=2016-09-11 09:34:48 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Microsoft Security Essentials'
# compatibility_mode=5895 16777213 100 100 16745082 95641682 0 0
# scanned=2
# found=0
# cleaned=0
# scan_time=4331

Precision M6600 Log
17:00:09 Updating
17:00:09 Update Init
17:00:10 Update Download
17:04:58 esets_scanner_reload returned 0
17:04:58 g_uiModuleBuild: 30715
17:04:58 Update Finalize
17:04:58 Call m_esets_charon_send
17:04:58 Call m_esets_charon_destroy
17:04:58 Updated modules version: 30715
17:05:07 Call m_esets_charon_setup_create
17:05:07 Call m_esets_charon_create
17:05:07 m_esets_charon_create OK
17:05:07 Call m_esets_charon_start_send_thread
17:05:07 Call m_esets_charon_setup_set
17:05:07 m_esets_charon_setup_set OK
17:05:07 Scanner engine: 30715
21:55:22 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.12.0
# EOSSerial=9eae7b1a5860814cb16e40c2f9a0636a
# engine=30715
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-09-11 04:55:21
# local_time=2016-09-10 21:55:21 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Microsoft Security Essentials'
# compatibility_mode=5895 16777213 100 100 16336494 95599715 0 0
# scanned=2
# found=1
# cleaned=0
# scan_time=17421
sh=732E11F53021D41E4DEF9578388D8CE1A879F06D ft=1 fh=0000000000000000 vn="a variant of Win32/Hao123.A potentially unwanted application" ac=I fn="D:\$RECYCLE.BIN\S-1-5-21-3422532198-1300673938-999526142-1005\$RPWVJPS\dlm1CB4.tmp\FFSetup3.3.2.0.exe"
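To compare the scan summaries above across machines without reading each log by hand, here is an added Python example (not from the thread, and not an ESET tool) that parses the EOS log format as posted: the `# key=value` summary block of each run, any `sh=... vn="..." ac=... fn="..."` detection lines, and failed signature-update attempts. The sample log inside it is constructed to mimic the posted ones; its hash and path are made up.

```python
"""Summarise ESET Online Scanner (EOS) logs in the format posted above: one
'# key=value' summary block per scan run (opened by '<hh:mm:ss> # product=EOS'),
timestamped engine lines, and 'sh=... vn="..." ac=... fn="..."' detection lines."""
import re
from dataclasses import dataclass, field

RUN_START = re.compile(r"^\d{2}:\d{2}:\d{2} # product=EOS\s*$")
KV_LINE = re.compile(r"^# (\w+)=(.*)$")
DETECTION = re.compile(
    r'^sh=(?P<sh>[0-9A-Fa-f]{40}) ft=(?P<ft>\d+) fh=(?P<fh>\S+) '
    r'vn="(?P<vn>[^"]*)" ac=(?P<ac>\S+) fn="(?P<fn>[^"]*)"$'
)
# A failed signature update (the thread shows these while the machine was offline).
UPDATE_FAIL = re.compile(r"esets_scanner_update returned -1 esets_gle=(\d+)")


@dataclass
class Detection:
    sha1: str    # sh=
    name: str    # vn= threat name
    action: str  # ac= action code as logged
    path: str    # fn= file path


@dataclass
class ScanRun:
    summary: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def count(self, key):
        return int(self.summary.get(key, "0"))

    def verdict(self):
        """clean / incomplete / needs-attention, judged from the counters only."""
        if self.summary.get("end") != "finished":
            return "incomplete"        # e.g. end=stopped is not a clean bill of health
        if self.count("found") > self.count("cleaned"):
            return "needs-attention"   # found but not cleaned (remove_checked=false)
        return "clean"


def parse_eos_log(text):
    """Return (runs, update_failure_codes) for one EOS log."""
    runs, failures, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        fail = UPDATE_FAIL.search(line)
        if fail:
            failures.append(int(fail.group(1)))
        elif RUN_START.match(line):
            current = ScanRun()  # each summary block starts a new run
            runs.append(current)
        elif current is not None:
            kv, det = KV_LINE.match(line), DETECTION.match(line)
            if kv:
                current.summary[kv.group(1)] = kv.group(2).strip().strip('"')
            elif det:
                current.detections.append(
                    Detection(det["sh"], det["vn"], det["ac"], det["fn"]))
            # any other timestamped engine line is ignored
    return runs, failures


def summarize(machine, text):
    """Per-machine view: the last run's verdict plus every detection seen."""
    runs, failures = parse_eos_log(text)
    last = runs[-1] if runs else None
    return {
        "machine": machine,
        "runs": len(runs),
        "update_failures": len(failures),
        "engine": last.summary.get("engine") if last else None,
        "verdict": last.verdict() if last else "no-scan",
        "detections": [(d.name, d.action, d.path)
                       for r in runs for d in r.detections],
    }


# Constructed sample modelled on the posted logs; the hash and path are made up.
SAMPLE_LOG = r"""
08:25:55 Updating
08:26:01 esets_scanner_update returned -1 esets_gle=12
16:01:33 esets_scanner_reload returned 0
16:10:00 # product=EOS
# end=stopped
# scanned=0
# found=0
# cleaned=0
16:10:05 Call m_esets_charon_send
16:58:18 # product=EOS
# engine=30745
# end=finished
# country="United States"
# scanned=2
# found=1
# cleaned=0
sh=0123456789abcdef0123456789abcdef01234567 ft=1 fh=0000000000000000 vn="a variant of Win32/Example.A potentially unwanted application" ac=I fn="D:\$RECYCLE.BIN\example\setup.exe"
"""
```

Running `summarize()` over each posted log gives one verdict per machine; a run with `found` greater than `cleaned` (as in the Precision M6600 log) is flagged rather than treated as clean.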










 



#4 buddy215 (Moderator, 13,320 posts, West Tennessee)

Posted 11 September 2016 - 03:49 PM

Did AVG find anything to remove? Did you scan the computer you thought might be infected?

 

I see this in the last Eset scan.....sh=732E11F53021D41E4DEF9578388D8CE1A879F06D ft=1 fh=0000000000000000 vn="a variant of Win32/Hao123.A potentially unwanted application" ac=I fn="D:\$RECYCLE.BIN\S-1-5-21-3422532198-1300673938-999526142-1005\$RPWVJPS\dlm1CB4.tmp\FFSetup3.3.2.0.exe"

That is adware. Allow Eset to quarantine or delete it.

 

I think either your security handled the infection if there was an attempt to infect or something on that website triggered the alert....could have been a link on a page you viewed. Hard to know exactly.

 

Since some adware was found....and it is always a good idea to occasionally run the below two programs...

 

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

Edited by buddy215, 11 September 2016 - 03:54 PM.


#5 buddy215 (Moderator, 13,320 posts, West Tennessee)

Posted 11 September 2016 - 03:57 PM

I was editing my last post and then noticed you were online...so reload this page.



#6 RickLV (Topic Starter, Members, 5 posts)

Posted 12 September 2016 - 08:49 AM

The suspect Zeus infected computer has NOT been reconnected to the LAN yet, and I have not begun scanning that computer. I am still working on getting clean scans of the other 5 computers on the LAN. All 5 of those had clean AVG scans, and 4 of them had clean ESET scans. We are working on removing FFSetup3.3.2.0.exe remnants from one computer, and I think that is done. The logs are below.

 

# AdwCleaner v6.010 - Logfile created 12/09/2016 at 06:08:28
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-09-12.1 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : MaulR - CJMLAP
# Running from : C:\Users\MaulR\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****

[-] File deleted: C:\Users\MaulC\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.cmptch.com_0.localstorage
[-] File deleted: C:\Users\MaulC\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.cmptch.com_0.localstorage-journal
[-] File deleted: C:\Users\MaulC\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_ac.qq.com_0.localstorage
[-] File deleted: C:\Users\MaulC\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_ac.qq.com_0.localstorage-journal
[-] File deleted: C:\Users\MaulC\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_speedial.com_0.localstorage
[-] File deleted: C:\Users\MaulC\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_speedial.com_0.localstorage-journal
[-] File deleted: C:\Users\MaulC\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
[-] File deleted: C:\Users\MaulC\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****



***** [ Web browsers ] *****

[-] [aol.com] [Search Provider] Deleted: aol.com
[-] [ask.com] [Search Provider] Deleted: ask.com
[-] [aol.com] [Search Provider] Deleted: aol.com
[-] [speedial.com] [Search Provider] Deleted: speedial.com
[-] [ask.com] [Search Provider] Deleted: ask.com
[-] [C:\Users\MaulC\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://speedial.com/?f=1&a=spd_ir_14_24_ch&cd=2XzuyEtN2Y1L1Qzu0FtDtC0F0A0FtByCtA0B0CzyyE0Bzz0AtN0D0Tzu0SzzzyyBtN1L2XzutBtFtBtCtFyEtFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StDyEtDtA0A0AtC0FtGzzzyzz0CtGyD0E0CyEtGyDtD0A0DtGyEtBtAzyzy0BtAyEtDzy0AyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StDyCtDtDyEyCtA0CtG0BtDtAzztG0Ezy0CyDtGzytBtCtDtGtDtD0EyByE0EtDtBzyzy0AtA2Q&cr=1591703744&ir=
[-] [C:\Users\MaulC\AppData\Local\Google\Chrome\User Data\Default] [homepage] Deleted: hxxp://speedial.com/?f=1&a=spd_ir_14_24_ch&cd=2XzuyEtN2Y1L1Qzu0FtDtC0F0A0FtByCtA0B0CzyyE0Bzz0AtN0D0Tzu0SzzzyyBtN1L2XzutBtFtBtCtFyEtFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StDyEtDtA0A0AtC0FtGzzzyzz0CtGyD0E0CyEtGyDtD0A0DtGyEtBtAzyzy0BtAyEtDzy0AyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StDyCtDtDyEyCtA0CtG0BtDtAzztG0Ezy0CyDtGzytBtCtDtGtDtD0EyByE0EtDtBzyzy0AtA2Q&cr=1591703744&ir=
[-] [aol.com] [Search Provider] Deleted: aol.com
[-] [ask.com] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [387 Bytes] - [16/05/2016 00:12:42]
C:\AdwCleaner\AdwCleaner[C2].txt - [2045 Bytes] - [16/05/2016 00:18:58]
C:\AdwCleaner\AdwCleaner[C3].txt - [3236 Bytes] - [12/09/2016 06:08:28]
C:\AdwCleaner\AdwCleaner[S1].txt - [1690 Bytes] - [16/05/2016 00:11:46]
C:\AdwCleaner\AdwCleaner[S2].txt - [1835 Bytes] - [16/05/2016 00:18:24]
C:\AdwCleaner\AdwCleaner[S3].txt - [3530 Bytes] - [12/09/2016 03:49:40]
C:\AdwCleaner\AdwCleaner[S4].txt - [3603 Bytes] - [12/09/2016 05:40:02]
C:\AdwCleaner\AdwCleaner[S5].txt - [3696 Bytes] - [12/09/2016 05:57:49]
C:\AdwCleaner\AdwCleaner[S6].txt - [3770 Bytes] - [12/09/2016 06:08:20]

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [3747 Bytes] ##########

 

 

 

# AdwCleaner v6.010 - Logfile created 12/09/2016 at 06:23:45
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-09-12.1 [Local]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : MaulR - CJMLAP
# Running from : C:\Users\MaulR\Desktop\AdwCleaner.exe
# Mode: Scan
# Support : https://toolslib.net/forum



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [387 Bytes] - [16/05/2016 00:12:42]
C:\AdwCleaner\AdwCleaner[C2].txt - [2045 Bytes] - [16/05/2016 00:18:58]
C:\AdwCleaner\AdwCleaner[S1].txt - [1690 Bytes] - [16/05/2016 00:11:46]
C:\AdwCleaner\AdwCleaner[S2].txt - [1835 Bytes] - [16/05/2016 00:18:24]
C:\AdwCleaner\AdwCleaner[S3].txt - [3530 Bytes] - [12/09/2016 03:49:40]
C:\AdwCleaner\AdwCleaner[S4].txt - [3603 Bytes] - [12/09/2016 05:40:02]
C:\AdwCleaner\AdwCleaner[S5].txt - [3696 Bytes] - [12/09/2016 05:57:49]
C:\AdwCleaner\AdwCleaner[S6].txt - [1498 Bytes] - [12/09/2016 06:23:45]

########## EOF - C:\AdwCleaner\AdwCleaner[S6].txt - [1571 Bytes] ##########

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 7 Professional x64
Ran by MaulR (Administrator) on Mon 09/12/2016 at  6:16:01.92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 25

Successfully deleted: C:\Windows\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\16PF8DNZ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\16UXYLLS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7PKO6FD4 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8MGETYBZ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A3MAJ6C8 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GUZUVYX5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SG5NBZE5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\MaulR\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQ18X9JA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\16PF8DNZ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\16UXYLLS (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7PKO6FD4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8MGETYBZ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A3MAJ6C8 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GUZUVYX5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SG5NBZE5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQ18X9JA (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 09/12/2016 at  6:17:16.13
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

I believe we are ready to move on to the suspect Zeus infected computer. I don't want to connect that computer to the LAN until tonight, when I can disconnect the other 5 computers so I don't risk cross infection.
 



#7 buddy215 (Moderator, 13,320 posts, West Tennessee)

Posted 12 September 2016 - 09:02 AM

Why not use a flash drive or other medium to move the scanners from one computer to the possibly infected computer?

 

Of course, your plan will work, too.



#8 RickLV (Topic Starter, Members, 5 posts)

Posted 13 September 2016 - 12:44 PM

I had jobs running and was not able to disconnect my other computers from the LAN last night. How can I run the ESET OnlineScanner without being online? I get the message "Cannot update virus signature database. Make sure your computer is connected to the internet."



#9 buddy215 (Moderator, 13,320 posts, West Tennessee)

Posted 13 September 2016 - 02:23 PM

Go online to update and then go offline while Eset is scanning. I really don't think the computer is infected. I think either your security programs blocked it, whatever program it needed to exploit isn't on the computer or was updated to prevent exploiting, or whatever triggered the ISP's warning was such as a link on a page you didn't click on.



#10 RickLV (Topic Starter, Members, 5 posts)

Posted 13 September 2016 - 08:06 PM

This is the ESET log from the suspect computer.  Happily uneventful!

 

m6500

08:25:55 Updating
08:25:55 Update Init
08:25:56 Update Download
08:26:01 esets_scanner_update returned -1 esets_gle=12
08:26:02 Update Finalize
08:26:02 Call m_esets_charon_send
08:26:02 Call m_esets_charon_destroy
08:26:02 Retrying Update
08:26:02 Updating
08:26:02 Update Init
08:26:08 Update Download
08:26:18 esets_scanner_update returned -1 esets_gle=12
08:26:18 Update Finalize
08:26:18 Call m_esets_charon_send
08:26:18 Call m_esets_charon_destroy
08:26:19 Retrying Update
08:26:19 Updating
08:26:19 Update Init
08:26:25 Update Download
08:26:36 esets_scanner_update returned -1 esets_gle=12
08:26:36 Update Finalize
08:26:36 Call m_esets_charon_send
08:26:36 Call m_esets_charon_destroy
15:57:52 Updating
15:57:52 Update Init
15:57:59 Update Download
16:01:33 esets_scanner_reload returned 0
16:01:33 g_uiModuleBuild: 30745
16:01:33 Update Finalize
16:01:33 Call m_esets_charon_send
16:01:33 Call m_esets_charon_destroy
16:01:33 Updated modules version: 30745
16:01:46 Call m_esets_charon_setup_create
16:01:46 Call m_esets_charon_create
16:01:46 m_esets_charon_create OK
16:01:46 Call m_esets_charon_start_send_thread
16:01:46 Call m_esets_charon_setup_set
16:01:46 m_esets_charon_setup_set OK
16:01:46 Scanner engine: 30745
16:58:18 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.12.0
# EOSSerial=7527b2121299cf4e94b4ae792dce5383
# engine=30745
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-09-13 23:58:18
# local_time=2016-09-13 16:58:18 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Microsoft Security Essentials'
# compatibility_mode=5895 16777213 100 100 16569212 95841092 0 0
# scanned=2
# found=0
# cleaned=0
# scan_time=3404
 



#11 buddy215 (Moderator, 13,320 posts, West Tennessee)

Posted 14 September 2016 - 03:38 AM

If you haven't noticed any unusual/unexpected activity on the computer such as excessive processing, ads, another ISP alert, etc. then I think you are good to go.

 

Some info you might be interested in:

Safe online banking requires a dedicated PC - CNET

 

How To Beat Ransomware | Malwarebytes Labs (scroll down to encrypting ransomware...check out the links anti-ransomware and social engineering)





