
Am I infected with Gozi and Nivdort???


  • This topic is locked
11 replies to this topic

#1 3J Kernel

3J Kernel

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 09 August 2017 - 05:41 AM

Good morning everyone:

I have a tool called CONAN mobile on my tablet, and the other day it notified me that one of the devices connected to my network was infected with Nivdort... I have the same tool on my computer, and yesterday my computer and my tablet started notifying me that I have Gozi on my network!!!

I have tried Avast, ESET Online Scanner and Kaspersky Virus Removal Tool. Kaspersky found trojan.win32.fsysna.ekjt and trojan.win32.fsysna.egjs on an executable, but I know that executable is trustworthy... so I don't know if it's a false positive...
The rest didn't find anything about Gozi or Nivdort...
What could I do?
I think that Gozi and Nivdort are viruses which work on Windows, and I have a laptop with Windows and a smartphone and a tablet with Android, so the only place where it can be is on my computer, right?
When I switch to another network (for example, in the library) there aren't any notices...
 
Please, help. Thank you!




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:11 PM

Posted 11 August 2017 - 07:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

===


If the problem persists, please run these tools and post the logs for my review.



:step1: Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

:step2: Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

:step3: Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
(screenshot: attachlogs.png)

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.
==============================

#3 3J Kernel

3J Kernel
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 11 August 2017 - 05:59 PM

Good evening and thank you for your help.

Yesterday I didn't receive any warning, neither on my computer nor on my tablet... None of the antivirus scans I ran in the previous days detected anything... but the CONAN app now says that there is no infection... should I follow the steps you told me anyway?

Thanks a lot.


Edited by 3J Kernel, 11 August 2017 - 06:00 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:11 PM

Posted 12 August 2017 - 07:01 AM

Your call. I will review them if submitted.

Edited by nasdaq, 12 August 2017 - 10:33 AM.


#5 3J Kernel

3J Kernel
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 12 August 2017 - 09:49 AM

"Your call. I will review them if submitted."

Sorry, I don't understand you... I mean that before you wrote to me I ran some scans on the computer and the tablet and they didn't detect anything... and now suddenly the CONAN app doesn't detect Gozi or Nivdort... Anyway... I'm going to run the scans you asked for and send them to you asap.

Thank you so much



#6 3J Kernel

3J Kernel
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 12 August 2017 - 02:02 PM

Malwarebytes log:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 12/8/17
Scan Time: 17:06
Log File: malwarebytes.txt
Administrator: Yes
 
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.139
Update Package Version: 1.0.2568
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: LAPTOP-9TUCH60U\win10
 
-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 419978
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 3 hr, 28 min, 1 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)

Adwcleaner log:

 

# AdwCleaner 7.0.1.0 - Logfile created on Sat Aug 12 18:46:35 2017
# Updated on 2017/05/08 by Malwarebytes 
# Running on Windows 10 Home (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
Deleted: C:\Program Files (x86)\Cain
Deleted: C:\Users\win10\AppData\Local\VirtualStore\Program Files (x86)\rnamfler
Deleted: C:\ProgramData\Auslogics
Deleted: C:\Users\All Users\Auslogics
 
 
***** [ Files ] *****
 
No malicious files deleted.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks deleted.
 
***** [ Registry ] *****
 
Deleted: [Key] - HKU\S-1-5-21-3364853348-3172056635-2473695338-1001\Software\cain
Deleted: [Key] - HKCU\Software\cain
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|wrna3ls
Deleted: [Key] - HKLM\SOFTWARE\Auslogics
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [1579 B] - [2017/2/5 2:5:56]
C:/AdwCleaner/AdwCleaner[C2].txt - [1536 B] - [2017/5/25 22:27:30]
C:/AdwCleaner/AdwCleaner[S0].txt - [1754 B] - [2017/2/5 2:5:29]
C:/AdwCleaner/AdwCleaner[S1].txt - [1532 B] - [2017/3/6 14:15:2]
C:/AdwCleaner/AdwCleaner[S2].txt - [1738 B] - [2017/5/25 13:27:53]
C:/AdwCleaner/AdwCleaner[S3].txt - [1821 B] - [2017/8/12 18:45:3]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########


#7 3J Kernel

3J Kernel
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 12 August 2017 - 02:03 PM

Here you have the 2 logs of Farbar.

Thank you so much!!!

Attached Files



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:11 PM

Posted 13 August 2017 - 07:47 AM

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-3364853348-3172056635-2473695338-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\win10\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Chrome Media Router) - C:\Users\win10\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-08]
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Task: {474E9EC1-840B-49F4-A1E9-3204BE68D007} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe [2017-04-13] ()
Task: {94D20E96-C51E-4757-ABF9-C14163647D83} - System32\Tasks\66J14uJYP => C:\Users\win10\AdXAIyKF\5wfLUJQJy1iLt.exe [2017-05-12] ()
C:\WINDOWS\AutoKMS
C:\Users\win10\AdXAIyKF

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates, remove these old version(s) via Control Panel > Programs > Programs and Features.
Java 8 Update 111 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Java SE Development Kit 8 Update 111 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180111}) (Version: 8.0.1110.14 - Oracle Corporation)

Please let me know if you have any issues with this computer.
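The fixlist above is the analyst's selection from a much longer FRST.txt, and the post does not spell out why those lines and not others. As an added example (not part of nasdaq's post and not FRST's own code), the following Python script encodes the reasoning behind that selection and runs it over a constructed sample of FRST-style lines modelled on the fixlist: entries FRST itself marks with "<==== ATTENTION", shell extensions whose COM server file is gone, scheduled tasks that execute from a user profile, names that look machine-generated, binaries with no company name in their version information, and the AutoKMS activation tool. The GoogleUpdateTaskMachineUA line is an invented benign control with a fictitious GUID; the thresholds in looks_random are the author's own heuristic, not an FRST rule.

```python
import re

# Constructed sample modelled on the lines nasdaq moved into fixlist.txt in
# this thread. The GoogleUpdateTaskMachineUA line is an invented benign
# control with a fictitious GUID; nothing here is the poster's real FRST.txt.
SAMPLE_FRST = r"""
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-3364853348-3172056635-2473695338-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
CHR Extension: (Chrome Media Router) - C:\Users\win10\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-08]
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Task: {474E9EC1-840B-49F4-A1E9-3204BE68D007} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe [2017-04-13] ()
Task: {94D20E96-C51E-4757-ABF9-C14163647D83} - System32\Tasks\66J14uJYP => C:\Users\win10\AdXAIyKF\5wfLUJQJy1iLt.exe [2017-05-12] ()
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-06-01] (Google Inc.)
"""

ATTENTION = "<==== ATTENTION"

# FRST task line: Task: {GUID} - System32\Tasks\<name> => <path> [date] (<company>)
TASK_RE = re.compile(
    r"^Task: \{[0-9A-Fa-f-]+\} - System32\\Tasks\\(?P<name>.+?) => "
    r"(?P<path>.+?) \[\d{4}-\d{2}-\d{2}\] \((?P<publisher>[^)]*)\)\s*$"
)
OVERLAY_RE = re.compile(r"^ShellIconOverlayIdentifiers: \[(?P<name>[^\]]+)\].*No File\s*$")
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)


def _char_class(c):
    if c.isdigit():
        return "d"
    return "U" if c.isupper() else "l"


def looks_random(name, min_len=8, min_ratio=0.4):
    """Heuristic for generated names such as '5wfLUJQJy1iLt': they switch between
    digits, upper and lower case far more often than human-chosen names like
    'AutoKMS' or 'GoogleUpdateTaskMachineUA'. Thresholds are an assumption."""
    token = re.sub(r"[^A-Za-z0-9]", "", name)
    if len(token) < min_len:
        return False
    classes = [_char_class(c) for c in token]
    transitions = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return transitions / len(token) >= min_ratio


def _path_components(path):
    comps = path.split("\\")[1:]          # drop the drive letter
    if comps:
        comps[-1] = comps[-1].rsplit(".", 1)[0]   # drop the file extension
    return comps


def _task_reasons(name, path, publisher):
    reasons = []
    if USER_PROFILE_RE.match(path):
        reasons.append("runs from a user profile directory, not Program Files or Windows")
    for token in [name] + _path_components(path):
        if looks_random(token):
            reasons.append("random-looking name: " + token)
    if not publisher.strip():
        reasons.append("no company name in the file's version info ('()' in FRST output)")
    if "autokms" in name.lower():
        reasons.append("AutoKMS is a Windows activation tool (hacktool), not a system component")
    return reasons


def triage(frst_text):
    """Return one {'subject', 'reasons', 'line'} dict per line worth a second look."""
    findings = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(ATTENTION):
            findings.append({"subject": line[: -len(ATTENTION)].strip(),
                             "reasons": ["FRST itself marked the entry (<==== ATTENTION)"],
                             "line": line})
            continue
        m = OVERLAY_RE.match(line)
        if m:
            findings.append({"subject": m["name"],
                             "reasons": ["shell extension whose COM server file no longer exists (orphaned)"],
                             "line": line})
            continue
        m = TASK_RE.match(line)
        if m:
            reasons = _task_reasons(m["name"], m["path"], m["publisher"])
            if reasons:
                findings.append({"subject": m["name"], "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f["subject"])
        for r in f["reasons"]:
            print("   -", r)
```

Run as-is, triage(SAMPLE_FRST) returns five findings: the two policy restrictions, the orphaned 00asw overlay, AutoKMS, and the 66J14uJYP task, whose target sits under a user profile in a randomly named directory and carries no company name. A policy that keeps %systemroot%\system32\mrt.exe (Microsoft's Malicious Software Removal Tool) from running is not a Windows default and is the kind of self-protection a cleanup should undo first. The Chrome extension line is deliberately not flagged: pkedcjkdefgpdelpbcmbmeomcjbeemfm (Chrome Media Router) and nmmhkkegccagdldgiimedpiccmgmieda (Chrome Web Store Payments) are Google's bundled components, and FRST does not act on CHR Extension lines from a fixlist anyway, which is what the Fixlog's "No automatic fix found for this entry" means; extensions are handled from the browser's own extensions page.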

#9 3J Kernel

3J Kernel
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 13 August 2017 - 09:19 AM

Fixlog content:

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-08-2017
Ran by win10 (13-08-2017 15:30:13) Run:1
Running from C:\Users\win10\Desktop\Farbar
Loaded Profiles: win10 (Available Profiles: win10 & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-3364853348-3172056635-2473695338-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\win10\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Chrome Media Router) - C:\Users\win10\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-08]
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Task: {474E9EC1-840B-49F4-A1E9-3204BE68D007} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe [2017-04-13] ()
Task: {94D20E96-C51E-4757-ABF9-C14163647D83} - System32\Tasks\66J14uJYP => C:\Users\win10\AdXAIyKF\5wfLUJQJy1iLt.exe [2017-05-12] ()
C:\WINDOWS\AutoKMS
C:\Users\win10\AdXAIyKF
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION => restored successfully
HKU\S-1-5-21-3364853348-3172056635-2473695338-1001\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\win10\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09] => Error: No automatic fix found for this entry.
CHR Extension: (Chrome Media Router) - C:\Users\win10\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-08] => Error: No automatic fix found for this entry.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => key removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{474E9EC1-840B-49F4-A1E9-3204BE68D007} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{474E9EC1-840B-49F4-A1E9-3204BE68D007} => key removed successfully
C:\WINDOWS\System32\Tasks\AutoKMS => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{94D20E96-C51E-4757-ABF9-C14163647D83} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{94D20E96-C51E-4757-ABF9-C14163647D83} => key removed successfully
C:\WINDOWS\System32\Tasks\66J14uJYP => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\66J14uJYP => key removed successfully
C:\WINDOWS\AutoKMS => moved successfully
C:\Users\win10\AdXAIyKF => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 10772480 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 31832396 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 12560445 B
Edge => 1919 B
Chrome => 70307083 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 9637 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 0 B
win10 => 28100527 B
DefaultAppPool => 9637 B
 
RecycleBin => 0 B
EmptyTemp: => 146.5 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 15:32:10 ====


#10 3J Kernel

3J Kernel
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 13 August 2017 - 09:22 AM

Java is now updated to Java 8 Update 144.

The CONAN app hasn't notified me about Gozi or Nivdort...

Thank you.



#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:11 PM

Posted 13 August 2017 - 12:23 PM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#12 3J Kernel

3J Kernel
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 14 August 2017 - 11:55 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

Thank you so much





