Jump to content


  • Posts

  • Joined

  • Last visited


0 Neutral
  1. I just ran a few scans with MBAM and another scan with bitdefender...all scans came up clean. I don't notice any issues either. I updated flash and java to the latest versions. Please let me know if there is anything I should looking for in terms of any remnants of this infection. Thanks again for all your help!
  2. That's good to know. I havent done much with the PC since the last MBAM scan i posted. I had to go to bed as i was due to get up in a out 4 hours for work. When I get a chance, I will reply with an update...probably sometime later today/evening. I did kick off an mbam full scan and a scheduled bitdefender full scan of C:\. This morning. How is this malware passes on? As I mentioned, I did not go to any sites i havent been to before and none were "shady". Could it be from ads? Thanks again
  3. Thanks. It came up clean this time around. I appreciate your time Based on what you have seen in the logs, would you characterize this as an active infection--by which, I mean processes were running which was gathering/transmitting data or was more it more less dormant? I am still trying to figure out where I might have picked this up, why my real time protection didn't stop this, and why did I have a few scans which came up clean. I admit it is disconcerting that MBAM and Bitdefender showed clean scans after the initial round of detections/removal. Here is the log from the last scan: Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 6/18/2015Scan Time: 1:01:09 AMLogfile: 20150618_0118_mbam_threatscan_log.txtAdministrator: YesVersion: Database: v2015.06.18.02Rootkit Database: v2015.06.15.01License: PremiumMalware Protection: EnabledMalicious Website Protection: EnabledSelf-protection: EnabledOS: Windows 8.1CPU: x64File System: NTFSUser: FrankScan Type: Threat ScanResult: CompletedObjects Scanned: 383514Time Elapsed: 7 min, 22 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end)
  4. Here are the results of the latest Zoek run: Zoek.exe v5.0.0.0 Updated 04-May-2015Tool run by Frank on Thu 06/18/2015 at 0:21:08.78.Microsoft Windows 8.1 Pro 6.3.9600 x64Running in: Normal Mode No Internet Access DetectedLaunched: E:\Downloads\Utilities\Zoek\zoek.exe [Scan all users] [Script inserted] ==== Older Logs ======================C:\zoek-results1.log 22747 bytes==== System Restore Info ======================6/18/2015 12:23:18 AM Zoek.exe System Restore Point Created Successfully.==== Empty Folders Check ======================C:\Users\Frank\AppData\Roaming\Malwarebytes==== Deleting CLSID Registry Keys ========================== Deleting CLSID Registry Values ========================== Deleting Services ========================== Deleting Files \ Folders ======================"C:\WINDOWS\tasks\Adobe Flash Player Updater.job" deleted"C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4018866473-579818650-643738085-1001Core.job" deleted"C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4018866473-579818650-643738085-1001UA.job" deleted"C:\WINDOWS\Temp\Calvin-20150617-2353.log" not deleted"C:\WINDOWS\Temp\FXSAPIDebugLogFile.txt" not deleted"C:\WINDOWS\Temp\FXSTIFFDebugLogFile.txt" not deleted"C:\WINDOWS\Temp\officeclicktorun.exe_c2ruidll(20150617235344998).log" not deleted"C:\WINDOWS\Temp\officeclicktorun.exe_streamserver(20150617235344998).log" not deleted"C:\WINDOWS\Temp\tmp00007498\tmp00000000" not deleted"C:\WINDOWS\Temp\vmware-SYSTEM\vmauthd.log" not deleted"C:\WINDOWS\Temp\vmware-SYSTEM\vmware-usbarb-3788.log" not deleted"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_0.bin" not deleted"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_0.toc" not deleted"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_1.bin" not deleted"C:\WINDOWS\Temp" not deleted"C:\WINDOWS\Temp\NVIDIA Corporation" not deleted"C:\WINDOWS\Temp\tmp00007498" not deleted"C:\WINDOWS\Temp\vmware-SYSTEM" not deleted"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache" not deleted==== Firefox Start and Search pages ======================ProfilePath: C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\u494zqca.defaultuser_pref("browser.search.defaultenginename", "Google");user_pref("browser.search.defaultenginename.US", "Google");==== Firefox Extensions Registry ======================[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]"bdwteff@bitdefender.com"="C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff" [12/17/2014 04:19 PM]==== Firefox Extensions ======================AppDir: C:\Program Files (x86)\Mozilla Firefox- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}==== Firefox Plugins ======================Profilepath: C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\u494zqca.default18CF51689186AEB9D1D149AEB0E92D03 - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL - Microsoft Office 20139291708CCD967887AF94BE708B43D64D - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll - Microsoft Office 20132E661988463BCFA1B95D4DAAB9B0B6FA - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_188.dll - Shockwave Flash08ACECEB47FAF053C468D8AFE44709AD - C:\Users\Frank\AppData\Local\Google\Update\\npGoogleUpdate3.dll - Google Update49D429EBF5305FC9ADD7545B7C914333 - C:\Users\Frank\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll - Google Talk Plugin6BEAD7859E8A087BE04556AB5A78855C - C:\Users\Frank\AppData\Roaming\Mozilla\plugins\npo1d.dll - Google Talk Plugin Video Renderer==== Chromium Look ========================== Set IE to Default ======================Old Values:[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]New Values:[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"==== All HKCU SearchScopes ======================HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"DefaultScope"="{5F825012-F7CA-4334-AE5A-C217BF6A8D55}"{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"{5F825012-F7CA-4334-AE5A-C217BF6A8D55} Google Url="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"==== Empty IE Cache ======================C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfullyC:\Users\Frank\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfullyC:\Users\Frank\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfullyC:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfullyC:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfullyC:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfullyC:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfullyC:\Users\Frank\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfullyC:\Users\Frank\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfullyC:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfullyC:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully==== Empty FireFox Cache ======================No FireFox Cache found==== Empty Chrome Cache ======================No Chrome User Data found==== Empty All Flash Cache ======================Flash Cache Emptied Successfully==== Empty All Java Cache ======================Java Cache cleared successfully==== C:\zoek_backup content ======================C:\zoek_backup (files=37 folders=31 21530841 bytes)==== Empty Temp Folders ======================C:\Users\Default\AppData\Local\Temp emptied successfullyC:\Users\Default User\AppData\Local\Temp emptied successfullyC:\Users\Frank\AppData\Local\Temp will be emptied at rebootC:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfullyC:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfullyC:\WINDOWS\Temp will be emptied at reboot==== After Reboot ========================== Empty Temp Folders ======================C:\Users\Frank\AppData\Local\Temp successfully emptied==== Empty Recycle Bin ======================C:\$RECYCLE.BIN successfully emptied==== Deleting Files / Folders ======================"C:\WINDOWS\Temp\Calvin-20150617-2353.log" not found"C:\WINDOWS\Temp\FXSAPIDebugLogFile.txt" not found"C:\WINDOWS\Temp\FXSTIFFDebugLogFile.txt" not found"C:\WINDOWS\Temp\officeclicktorun.exe_c2ruidll(20150617235344998).log" not found"C:\WINDOWS\Temp\officeclicktorun.exe_streamserver(20150617235344998).log" not found"C:\WINDOWS\Temp\tmp00007498\tmp00000000" not found"C:\WINDOWS\Temp\vmware-SYSTEM\vmauthd.log" not deleted"C:\WINDOWS\Temp\vmware-SYSTEM\vmware-usbarb-3788.log" not found"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_0.bin" not deleted"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_0.toc" not deleted"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_1.bin" not found"C:\WINDOWS\Temp" not deleted==== EOF on Thu 06/18/2015 at 0:38:13.35 ======================Are you still seeing an infection or is this more ensuring everything is cleaned up? I'd like to know a little more about what you are seeing in the logs. Thanks again
  5. Here is the Zoek log. Also, it turns out I was mistaken. Bitdefender was detecting some of the infected files. For some reason, it was quarantining them but not alerting me. These were all still tmp files in the windows\temp folder. zoek-results.txt
  6. Thanks Argus I ran the fixlist and rescanned with MBAM - threat scan detected 19 files this time--again, in C:\Windows\Temp. I removed them and restarted. I reran FRST in case you needed another scan of that as well. I am really puzzled now. 20150617_mbam_threatscan_log.txt FRST.txt
  7. Good evening, I was wondering if there were any reported false positives associated with Spyware.Passwords.XGen. Here is why I am asking: For AV/Malware protection, I am running: MBAM premium homeMalware Bytes Anti-exploit free editionBitdefender Antivirus When I am not actively using my PC, I either shut it down or, at the very least, I disable the NIC in windows and/or unplug the Ethernet cable. No one uses my PC but me. ***************** This evening, I turned my PC on and as my usual routine, update MBAM and Bitdefender as one of the first things I do. I browsed a couple of sites I normally go to which are generally considered safe (I have not had an issue with the sites in the past). For example, MSN.com, Bing, google, etc. I did not install anything. I hadn't gotten been online for very long when MBAM scan results detected some threats which is unusual, but I wasn't particularly concerned. When I looked at the log, I was surprised to find 15 temp files infected with Spyware.Passwords.Xgen. Spyware.Passwords.XGen, c:\windows\temp\tmp000008b8\tmp0005327a, Quarantined, [a32612a94d3d340270eff592de2213ed] I was surprised because I hadn't been to any place I haven't been to many time before. I quarantined the files and rebooted as prompted. I then ran another threat scan and this time, 22 files were found--again, in C:\Windows\temp. I checked MBAM's quarantine to see if maybe some of the 22 detected files this time around were detected in the previous scan. The quarantine was empty. I quarantined these files and rebooted as prompted again. By this time, I had disabled my network connectivity again and ran another scan. This time, it came up clean. I also ran a bitdefender system scan on C:\ which also came up clean (I should note that both Bitdefender and MBAM run a quickscan/hyperscan on startup both of which came up clean). I once again checked the MBAM quarantine for the 22 files and it was still empty. No trace of the infected files. If it is not a false positive, Spyware.Passwords.XGen has been around for quite a while. I am a bit surprised it would get through all my real time protection I have running. I had my PC on overnight doing some backup routines. The network cable was unplugged (which is why it couldn't update). The last MBAM threat scan at 3:08AM this came up clean. The PC was powered off between 6:30 AM and 6:30 PM. So, the infection, if it was a valid detection, must happened in the first 15-20 mins of my PC being on this evening. I have attached MBAM log files and FRST logs. I have skimmed them over and there doesn't appear to be any issues, but I would like someone else who may be more experienced at reading the logs to look them over. There is one change. MSN is usually my home page and now, my home page is set to "blank" or nothing. I don't know if MBAM did this or something else. I'd like some feed back on whether or not this was a false positive and, more importantly, confirmation that my PC is indeed clean. Thanks! FRST.txt Addition.txt 20150617_1918_052_mbam_threatscan_log.txt 20150617_1905_40_mbam_threatscan_log.txt 20150617_1851_32_mbam_threatscan_log.txt 20150617__mbam_daily_protection_log.txt
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.