
False Positive? Spyware.Passwords.XGen


Good evening,

 

I was wondering if there were any reported false positives associated with Spyware.Passwords.XGen.

 

Here is why I am asking:

 

For AV/Malware protection, I am running:

 

  • MBAM premium home
  • Malware Bytes Anti-exploit free edition
  • Bitdefender Antivirus

 

When I am not actively using my PC, I either shut it down or, at the very least, I disable the NIC in windows and/or unplug the Ethernet cable.  No one uses my PC but me.

 

*****************

 

This evening, I turned my PC on and, as is my usual routine, updated MBAM and Bitdefender as one of the first things I did.

 

I browsed a couple of sites I normally go to which are generally considered safe (I have not had an issue with the sites in the past).  For example, MSN.com, Bing, google, etc.  I did not install anything.

 

I hadn't been online for very long when MBAM scan results detected some threats, which is unusual, but I wasn't particularly concerned.

 

When I looked at the log, I was surprised to find 15 temp files infected with Spyware.Passwords.Xgen.

 

Spyware.Passwords.XGen, c:\windows\temp\tmp000008b8\tmp0005327a, Quarantined, [a32612a94d3d340270eff592de2213ed]

 

I was surprised because I hadn't been to any place I haven't been to many times before.

 

I quarantined the files and rebooted as prompted.

 

I then ran another threat scan and this time, 22 files were found--again, in C:\Windows\temp.

 

I checked MBAM's quarantine to see if maybe some of the 22 detected files this time around were detected in the previous scan.  The quarantine was empty.

 

I quarantined these files and rebooted as prompted again.

 

By this time, I had disabled my network connectivity again and ran another scan.  This time, it came up clean.  I also ran a bitdefender system scan on C:\ which also came up clean (I should note that both Bitdefender and MBAM run a quickscan/hyperscan on startup both of which came up clean).

 

I once again checked the MBAM quarantine for the 22 files and it was still empty.  No trace of the infected files.

 

 

If it is not a false positive, Spyware.Passwords.XGen has been around for quite a while.  I am a bit surprised it would get through all my real time protection I have running.

 

I had my PC on overnight doing some backup routines.  The network cable was unplugged (which is why it couldn't update).  The last MBAM threat scan, at 3:08 AM, came up clean.  The PC was powered off between 6:30 AM and 6:30 PM.  So the infection, if it was a valid detection, must have happened in the first 15-20 mins of my PC being on this evening.

 

I have attached MBAM log files and FRST logs.  I have skimmed them over and there doesn't appear to be any issues, but I would like someone else who may be more experienced at reading the logs to look them over.

 

There is one change.  MSN is usually my home page and now, my home page is set to "blank" or nothing.  I don't know if MBAM did this or something else.

 

I'd like some feedback on whether or not this was a false positive and, more importantly, confirmation that my PC is indeed clean.

 

Thanks!

FRST.txt

Addition.txt

20150617_1918_052_mbam_threatscan_log.txt

20150617_1905_40_mbam_threatscan_log.txt

20150617_1851_32_mbam_threatscan_log.txt

20150617__mbam_daily_protection_log.txt
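The detection line quoted in the post above has a fixed four-field shape (threat name, path, action taken, bracketed 32-hex value), and the check the poster did by hand, whether a later scan's hits repeat an earlier scan's and whether every hit sits under C:\Windows\Temp, is something a short script answers. The following is an added example written for this page, not code from the thread or from Malwarebytes: it assumes that four-field shape holds for the whole detection section of an MBAM 2.x threat-scan log, treats the bracketed value as a stable per-detection identifier (an assumption; the thread does not say what it is, so a path-based comparison is offered as well), and uses constructed sample lines apart from the single line quoted above.

```python
"""Triage helper for Malwarebytes Anti-Malware 2.x threat-scan detection lines.

Assumed line shape, taken from the one line quoted in the thread:
    <Threat name>, <path>, <action taken>, [<32-hex identifier>]
The first line of SCAN_1 is the thread's own; every other sample line, the
zero-padded identifiers, the example user profile, and all function names
are constructed for this example.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

DETECTION_RE = re.compile(
    r"^\s*(?P<threat>[^,]+?),\s*"        # detection name, e.g. Spyware.Passwords.XGen
    r"(?P<path>.+?),\s*"                 # file path; lazy so it stops at the final two fields
    r"(?P<action>[^,\[]+?),\s*"          # action taken: Quarantined, Delete-on-Reboot, ...
    r"\[(?P<id>[0-9a-fA-F]{32})\]\s*$"   # bracketed 32-hex value at the end of the line
)

WINDOWS_TEMP = PureWindowsPath("C:/Windows/Temp")

# Constructed sample scans. Only the first line of SCAN_1 is from the thread.
SCAN_1 = r"""
Spyware.Passwords.XGen, c:\windows\temp\tmp000008b8\tmp0005327a, Quarantined, [a32612a94d3d340270eff592de2213ed]
Spyware.Passwords.XGen, c:\windows\temp\tmp000008b8\tmp0005327b, Quarantined, [00000000000000000000000000000001]
Spyware.Passwords.XGen, c:\windows\temp\tmp00001234\tmp00000002, Delete-on-Reboot, [00000000000000000000000000000002]
"""

# Second constructed scan: one repeat of the thread's line, one new temp hit, one hit
# outside Windows\Temp, plus a header-style line that the parser must ignore.
SCAN_2 = r"""
Files: 3
Spyware.Passwords.XGen, c:\windows\temp\tmp000008b8\tmp0005327a, Quarantined, [a32612a94d3d340270eff592de2213ed]
Spyware.Passwords.XGen, C:\Windows\Temp\tmp00009999\tmp00000003, Quarantined, [00000000000000000000000000000003]
PUP.Optional.Example, c:\users\example\appdata\local\temp\example.exe, Quarantined, [00000000000000000000000000000004]
"""


def parse_detections(text):
    """Return one dict per detection line; non-matching lines (headers, counters,
    '(No malicious items detected)') are skipped rather than raising."""
    detections = []
    for line in text.splitlines():
        match = DETECTION_RE.match(line)
        if match:
            detections.append({k: match.group(k) for k in ("threat", "path", "action", "id")})
    return detections


def under_windows_temp(path):
    """True if the path lies anywhere below C:\\Windows\\Temp.
    PureWindowsPath compares case-insensitively, so mixed-case logs are fine."""
    return any(parent == WINDOWS_TEMP for parent in PureWindowsPath(path).parents)


def summarize(detections):
    """Counts by threat name, parent directory and action, plus every detection
    that is NOT under Windows\\Temp (those change the triage picture)."""
    return {
        "by_threat": Counter(d["threat"] for d in detections),
        "by_dir": Counter(str(PureWindowsPath(d["path"]).parent).lower() for d in detections),
        "by_action": Counter(d["action"] for d in detections),
        "outside_windows_temp": [d["path"] for d in detections if not under_windows_temp(d["path"])],
    }


def compare_scans(earlier, later, key="id"):
    """Split a later scan's detections into recurring / new relative to an earlier
    scan, keyed on the bracketed identifier (default) or on the lower-cased path."""
    def keys(dets):
        return {d[key].lower() for d in dets}
    before, after = keys(earlier), keys(later)
    return {
        "recurring": before & after,   # found in both scans
        "new": after - before,         # only in the later scan
        "cleared": before - after,     # in the earlier scan but gone from the later one
    }


if __name__ == "__main__":
    first, second = parse_detections(SCAN_1), parse_detections(SCAN_2)
    print("scan 1:", summarize(first))
    print("scan 2:", summarize(second))
    print("by id:  ", compare_scans(first, second))
    print("by path:", compare_scans(first, second, key="path"))
```

Run as-is to see the two summaries; to use it on a real log, paste the "Files:" section of an MBAM threat-scan log into `SCAN_1` and `SCAN_2`. An empty `recurring` set with a non-empty `new` set is the pattern the poster describes (fresh temp files on each scan), while anything in `outside_windows_temp` is worth a closer look than a temp-folder hit.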


Hello,

My name is Argus and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not be able to help you if you do not follow my instructions.


Rules and policies

We won't support any piracy.
That being told, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.


Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.



Please attach it to your reply.

Scan Malwarebytes again and attach here report.

fixlist.txt

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
 

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    createsrpoint;autoclean;QuickScan;emptyalltemp;bitsadmin /reset /allusers;bipconfig /flushdns;b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

 


Re-run zoek and run this script:

C:\WINDOWS\Temp;fs
C:\WINDOWS\tasks\Adobe Flash Player Updater.job;f
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4018866473-579818650-643738085-1001Core.job;f
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4018866473-579818650-643738085-1001UA.job;f
createsrpoint;
autoclean;
emptyalltemp;

Post its content into your next reply.


Here are the results of the latest Zoek run:

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Frank on Thu 06/18/2015 at  0:21:08.78.
Microsoft Windows 8.1 Pro 6.3.9600  x64
Running in: Normal Mode
No Internet Access Detected
Launched: E:\Downloads\Utilities\Zoek\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results1.log	22747 bytes

==== System Restore Info ======================

6/18/2015 12:23:18 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Users\Frank\AppData\Roaming\Malwarebytes

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Deleting Files \ Folders ======================

"C:\WINDOWS\tasks\Adobe Flash Player Updater.job" deleted
"C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4018866473-579818650-643738085-1001Core.job" deleted
"C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4018866473-579818650-643738085-1001UA.job" deleted
"C:\WINDOWS\Temp\Calvin-20150617-2353.log" not deleted
"C:\WINDOWS\Temp\FXSAPIDebugLogFile.txt" not deleted
"C:\WINDOWS\Temp\FXSTIFFDebugLogFile.txt" not deleted
"C:\WINDOWS\Temp\officeclicktorun.exe_c2ruidll(20150617235344998).log" not deleted
"C:\WINDOWS\Temp\officeclicktorun.exe_streamserver(20150617235344998).log" not deleted
"C:\WINDOWS\Temp\tmp00007498\tmp00000000" not deleted
"C:\WINDOWS\Temp\vmware-SYSTEM\vmauthd.log" not deleted
"C:\WINDOWS\Temp\vmware-SYSTEM\vmware-usbarb-3788.log" not deleted
"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_0.bin" not deleted
"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_0.toc" not deleted
"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_1.bin" not deleted
"C:\WINDOWS\Temp" not deleted
"C:\WINDOWS\Temp\NVIDIA Corporation" not deleted
"C:\WINDOWS\Temp\tmp00007498" not deleted
"C:\WINDOWS\Temp\vmware-SYSTEM" not deleted
"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache" not deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\u494zqca.default
user_pref("browser.search.defaultenginename", "Google");
user_pref("browser.search.defaultenginename.US", "Google");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"bdwteff@bitdefender.com"="C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff" [12/17/2014 04:19 PM]

==== Firefox Extensions ======================

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\u494zqca.default
18CF51689186AEB9D1D149AEB0E92D03	- C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL -	Microsoft Office 2013
9291708CCD967887AF94BE708B43D64D	- C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll -	Microsoft Office 2013
2E661988463BCFA1B95D4DAAB9B0B6FA	- C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_188.dll -	Shockwave Flash
08ACECEB47FAF053C468D8AFE44709AD	- C:\Users\Frank\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll -	Google Update
49D429EBF5305FC9ADD7545B7C914333	- C:\Users\Frank\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll -	Google Talk Plugin
6BEAD7859E8A087BE04556AB5A78855C	- C:\Users\Frank\AppData\Roaming\Mozilla\plugins\npo1d.dll -	Google Talk Plugin Video Renderer

==== Chromium Look ======================

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{5F825012-F7CA-4334-AE5A-C217BF6A8D55}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
{5F825012-F7CA-4334-AE5A-C217BF6A8D55} Google  Url="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Frank\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Frank\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Frank\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Frank\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

No FireFox Cache found

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=37 folders=31 21530841 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Frank\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Users\Frank\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\WINDOWS\Temp\Calvin-20150617-2353.log"  not found
"C:\WINDOWS\Temp\FXSAPIDebugLogFile.txt"  not found
"C:\WINDOWS\Temp\FXSTIFFDebugLogFile.txt"  not found
"C:\WINDOWS\Temp\officeclicktorun.exe_c2ruidll(20150617235344998).log"  not found
"C:\WINDOWS\Temp\officeclicktorun.exe_streamserver(20150617235344998).log"  not found
"C:\WINDOWS\Temp\tmp00007498\tmp00000000"  not found
"C:\WINDOWS\Temp\vmware-SYSTEM\vmauthd.log"  not deleted
"C:\WINDOWS\Temp\vmware-SYSTEM\vmware-usbarb-3788.log"  not found
"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_0.bin"  not deleted
"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_0.toc"  not deleted
"C:\WINDOWS\Temp\NVIDIA Corporation\NV_Cache\9e53cac1f699e676ccc302d9cb5a5f_fce8395f8fd8a84b_6229ccd76215aea1_0_1.bin"  not found
"C:\WINDOWS\Temp"  not deleted

==== EOF on Thu 06/18/2015 at  0:38:13.35 ======================

Are you still seeing an infection or is this more ensuring everything is cleaned up?

 

I'd like to know a little more about what you are seeing in the logs.

 

Thanks again

 


Thanks.  It came up clean this time around.  I appreciate your time

 

 

Based on what you have seen in the logs, would you characterize this as an active infection--by which I mean processes were running which were gathering/transmitting data--or was it more or less dormant?

 

I am still trying to figure out where I might have picked this up, why my real time protection didn't stop this, and why did I have a few scans which came up clean.

 

I admit it is disconcerting that MBAM and Bitdefender showed clean scans after the initial round of detections/removal.

 

Here is the log from the last scan:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/18/2015
Scan Time: 1:01:09 AM
Logfile: 20150618_0118_mbam_threatscan_log.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.18.02
Rootkit Database: v2015.06.15.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Frank

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 383514
Time Elapsed: 7 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

Based on what you have seen in the logs, would you characterize this as an active infection--by which I mean processes were running which were gathering/transmitting data--or was it more or less dormant?

 

 

 

It is not an active infection; the files were only sleeping in the temp folder.

That's good to know.

I haven't done much with the PC since the last MBAM scan I posted. I had to go to bed as I was due to get up in about 4 hours for work.

When I get a chance, I will reply with an update...probably sometime later today/evening. I did kick off an MBAM full scan and a scheduled Bitdefender full scan of C:\ this morning.

How is this malware passed on? As I mentioned, I did not go to any sites I haven't been to before and none were "shady". Could it be from ads?

Thanks again


I just ran a few scans with MBAM and another scan with bitdefender...all scans came up clean.  I don't notice any issues either.

 

I updated flash and java to the latest versions.

 

Please let me know if there is anything I should be looking for in terms of any remnants of this infection.

 

Thanks again for all your help! 


Your System is absolutely clean.

 

 

Glad we could help.

The following will implement some post-cleanup procedures:


Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt)


The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.