Search the Community
Showing results for tags 'backdoor zegost'.
Found 1 result
Hello, I'm new to the forum, but already had Malwarebytes Premium (and thank God for that!). Here's my sad story. My Windows 7 Professional 64-bit computer had been connected to a LinkSys AC1200+ wireless router, which was connected to a 3com OfficeConnect hub/switch, which was connected via the uplink to a gateway provided by TimeWarner/Spectrum Business Class. But the other night, the hub/switch failed, and I couldn't get on the Internet. For a while, I connected the computer directly to the gateway, via one of its four ports on the back. (I reconfigured the computer's IP and DNS to a fixed IP address.) It probably was this way for less than a day. I suddenly noticed, though, some strange things: (*) McAfee LiveSafe (which I had in addition to Malwarebytes Anti-Malware Premium, because it came with the computer) was trying to register new. It appears that something took it out. (*) I started getting messages, seemingly one every 5 to 10 minutes, from the real-time protection from Malwarebytes that it was blocking various attacks. I then realized that being connected directly to a port on the "Wild Internet" was really dangerous. So I pulled the plug. At this point, my Wifi finally came alive (honestly, I had never figured out how to force it to do that when connected via Ethernet, but the cable being plugged in seems to have prevented that---I never thought of that!). I'm now connected through the LinkSys AC 1200+ wireless router. The Wireless connection is configured for DHCP, so I should be safe from picking up any new infections?? (At least, that's the way it was before. The LinkSys wireless router is sitting on the Wild Internet, but it is password protected with a good strong password---NOT admin!) I have been alarmed at some of the threats that have been blocked, as they are outbound attempts to connect to a site in Russia at a single IP address, attempting the connection through many different obscure port numbers. The site's two variations are either wmi(dot)my0115(dot)ru or down(dot)my0115(dot)ru and the IP address is 78(dot)142(dot)29(dot)114. There seem to be three executablea that were blocked from connecting, one classified as RiskWare, and the others as Unspecified. The RiskWare is coming from C:\Windows\System32\lsass.exe. The Unspecified are the following: C:\Windows\System32\wbem\scrcons.exe and C:\Windows\System32\svchost.exe. The odd thing is that my Malwarebytes Anti-Malware Premium scan comes up clean, even though I'm still getting messages every so often that another attempt has been blocked! Does this indicate that something is masquerading as a system (whitelisted) program?? (If this is the case, then would running a threat scan in safe mode pick it up?) Here are some miscellaneous things that may be additional infections or part of the same: (*) There were two files that were caught and quarantined: 1) First was "Backdoor Zegost" at C:\adg.exe; 2) Second was "RansomWannaCrypt" at C:\Windows\mssecsvc.exe" Microsoft Security Center says that this file should not be allowed to run, associated with ransomware I think. (*) While backing up some files to DVD-ROM, I noted an odd file in the Documents directory. It is called adxloader.log, and when I opened it with Notepad, it looks as though it was loading things into the Registry maybe. Since I noticed it, it had been modified to a later date, but maybe this happened as a result of opening the file with Notepad. Maybe it's something legit, but I don't recall ever seeing it before. And the stuff inside it looks pretty malicious if it isn't something legit. (*) There is one other thing---maybe it's normal, or maybe not. When I went to try to retrieve the log file from Malwarebytes Threat scan the Documents and Settings folder shows with a padlock icon over it, and says "Access Denied" when I click on it, EVEN WHEN RUNNING WINDOWS EXPLORER AS ADMIN. Is this normal? Maybe this is for safety?? I was able to view the required logs and save them elsewhere, so not critical, but thought I'd ask. I will attach the following files to this post: 1) The MalwareBytes Threat Scan Log (which found nothing), which I called MalwareBytesThreatScanLog.txt; 2) The FRST scan log, FRST.txt; 3) the Addition.txt log; 3) Samples of the MalwareBytes blocked threat reports from the Russian site: They are called MalwarebytesBlocked_1.txt, MalwarebytesBlocked_2, MalwarebytesBlocked_3, MalwarebytesBlocked_4 and MalwarebytesBlocked_5; 4) the adxloader.log file, re-saved as a text file. I think that's all. Let me know if you need something else. My Windows updates are really out of date, sad to say. The updates got stuck at some point, and HP "Smart Friend" deleted a bunch of stuff, including Malwarebytes Anti-Exploit Premium, and really screwed everything up. They wiped out all of the pending updates. But I've been very ill and haven't had the energy to deal with it. I do have a backup I made when I got Acronis Backup, when the system was fairly new. And of course there faling back to a configuration from a few days ago before the hub started failing is an option. I keep all of my important files on a portable drive, though. I won't do anything at all, such as put in the replacement hub I just got through the mail today, until given the okay. I especially won't restore my direct wired connection yet, as this would require reconfiguring my LAN connection, and I don't want to make anything worse. Thanks for your help. MalwareBytesThreatScanLog.txt FRST.txt Addition.txt MalwarebytesBlocked_1.txt MalwarebytesBlocked_2.txt MalwarebytesBlocked_3.txt MalwarebytesBlocked_4.txt MalwarebytesBlocked_5.txt adxloader.txt