Hello,

I am writing for some help.

After running Malware Bytes, it finds the following issue or problem:

Rootkit.ADS    Quarantined    c:\Windows\syswow64:win32app_1

When I delete the file in the Malware Bytes quarantine, I noticed the same issue or problem comes back after a week or so. How can I stop this from coming back and how do I clean this up, besides emptying the quarantine? And is this something I should be concerned with, or is it a false positive?

Any help is most appreciated. Thanks in advance.


Hello KNOTSLANDING and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the Default Browser only, so all of the tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Change default download folder location in Edge - Boot to a user account with admin status, select Start > File Explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs...

Thank you,

Kevin..

Hello,

As requested, I am now providing the 2 text files: FRST.txt which is copied and pasted below and the other file named additions.txt which is attached.

On a related matter, the full file name with path c:\Windows\syswow64:win32app_1 looks like a weird file name. The PC has Windows 10 and if I am not mistaken the colon or some type of special symbol is either part of the file name or is a file separator, both of which are unacceptable in Windows 10. Assuming I can find the file, can it be manually deleted? I thought the file was moved to the quarantine but I may be wrong. And once in quarantine, the file is no longer a problem or threat. Please let me know how to completely get rid of this malware as identified by MalwareBytes. (At the moment the file is still in MalwareBytes quarantine and not deleted, but I plan to delete it after this issue is resolved or in a day or so.) Thanks again.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-02-2017
Ran by ______ (administrator) on ______ (13-02-2017 13:53:06)
Running from C:\Users\______\Desktop
Loaded Profiles: ______
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Client Firewall\SCFService.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Patch Agent\spa.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(AMD) C:\Windows\System32\atieclxx.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version7\tv_x64.exe
(Google Inc.) C:\Users\mpu4operator\AppData\Local\Google\Update\GoogleUpdate.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Client Firewall\SCFManager.exe
() C:\Users\______\AppData\Local\Apps\2.0\X5L894ER.WVA\0OE7BPKA.0ZT\plan..tion_0000000000000000_0001.0000_aab27438d8e6a043\PlantManager.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_filter.exe
(Sophos Limited) C:\Program Files (x86)\Common Files\Sophos\Web Intelligence\swi_fc.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-11-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2617824 2016-01-29] (Malwarebytes Corporation)
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] => C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [1480688 2017-01-26] (Sophos Limited)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [565728 2016-02-09] (Malwarebytes Corporation)
HKU\______\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [517632 2015-10-29] (Microsoft Corporation)
HKU\______\...\Run: [Google Update] => C:\Users\______\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-27] (Google Inc.)
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll [233120 2017-01-26] (Sophos Limited)
AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\\SOPHOS~1.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\sophos_detoured.dll [289712 2017-01-26] (Sophos Limited)
AppInit_DLLs-x32: L, C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll [289712 2017-01-26] (Sophos Limited)
AppInit_DLLs-x32: , C:\PROGRA~2\Sophos\SOPHOS~1\\SOPHOS~1.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\\sophos_detoured.dll [289712 2017-01-26] (Sophos Limited)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [______] => Proxy is enabled.
ProxyServer: [______] => 0.0.0.0:
Tcpip\Parameters: [DhcpNameServer] 10.2.8.14 10.2.10.14
Tcpip\..\Interfaces\{______}: [DhcpNameServer] 10.2.8.14 10.2.10.14
Tcpip\..\Interfaces\{______}: [DhcpNameServer] 10.2.9.14
ManualProxies: 10.0.0.0:

Internet Explorer:
==================
HKU\______\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\______\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
HKU\______\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-04-03] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
IE Session Restore: HKU\______ -> is enabled.

FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-04-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4279014033-3366832872-323971244-1370: @tools.google.com/Google Update;version=3 -> C:\Users\______\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-4279014033-3366832872-323971244-1370: @tools.google.com/Google Update;version=9 -> C:\Users\______\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)

Chrome: 
=======
StartMenuInternet: Google Chrome.M3GYI7VCDW66Y6Y2UXCNCQJPQ4 - C:\Users\______\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [740320 2016-01-29] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [452576 2016-02-09] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [901088 2016-02-09] (Malwarebytes Corporation)
R2 SAVAdminService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [315800 2017-01-26] (Sophos Limited)
R2 SAVService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [289448 2017-01-26] (Sophos Limited)
R2 SCCommService; C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe [135680 2016-03-29] (Malwarebytes) [File not signed]
R2 SntpService; C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe [901248 2016-04-12] (Sophos Limited)
R2 Sophos Agent; C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe [413048 2017-01-26] (Sophos Limited)
R2 Sophos AutoUpdate Service; C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [780944 2017-01-26] (Sophos Limited)
R2 Sophos Client Firewall; C:\Program Files (x86)\Sophos\Sophos Client Firewall\SCFService.exe [852640 2014-05-21] (Sophos Limited)
R2 Sophos Client Firewall Manager; C:\Program Files (x86)\Sophos\Sophos Client Firewall\SCFManager.exe [170280 2014-05-21] (Sophos Limited)
R2 Sophos Message Router; C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe [1098784 2017-01-26] (Sophos Limited)
R2 Sophos Patch Agent; C:\Program Files\Sophos\Sophos Patch Agent\spa.exe [3163432 2015-04-14] (Sophos Limited)
R2 Sophos Web Control Service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [360040 2017-01-26] (Sophos Limited)
R2 sophossps; C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe [2499872 2017-01-26] (Sophos Limited)
R2 swi_filter; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_filter.exe [475384 2017-01-26] (Sophos Limited)
R2 swi_service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [3615280 2017-01-26] (Sophos Limited)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-29] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-06-30] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-05-28] (Advanced Micro Devices)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [66080 2016-01-29] ()
R1 hugoio64; C:\Program Files (x86)\i-Menu\hugoio64.sys [13856 2008-04-29] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-02-09] (Malwarebytes Corporation)
R1 SAVOnAccess; C:\WINDOWS\System32\DRIVERS\savonaccess.sys [201168 2017-01-26] (Sophos Limited)
S1 scfndis; C:\WINDOWS\system32\DRIVERS\scfndis.sys [55072 2012-08-10] (Sophos Limited)
S3 sdcfilter; C:\WINDOWS\system32\DRIVERS\sdcfilter.sys [38144 2016-07-08] (Sophos Limited)
R1 SFWCallout; C:\WINDOWS\system32\DRIVERS\SFWCallout.sys [65280 2014-05-21] (Sophos Limited)
R2 sntp; C:\WINDOWS\system32\DRIVERS\sntp.sys [116144 2016-04-12] (Sophos Limited)
R0 Sophos Endpoint Defense; C:\WINDOWS\System32\DRIVERS\SophosED.sys [200760 2017-01-26] (Sophos Limited)
S4 SophosBootDriver; C:\WINDOWS\system32\DRIVERS\SophosBootDriver.sys [27904 2016-07-08] (Sophos Limited)
R1 swi_callout; C:\WINDOWS\system32\DRIVERS\swi_callout.sys [47760 2017-01-26] (Sophos Limited)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44568 2015-10-29] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [293216 2015-10-29] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [118112 2015-10-29] (Microsoft Corporation)
U3 idsvc; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-13 13:53 - 2017-02-13 13:54 - 00013781 _____ C:\Users\______\Desktop\FRST.txt
2017-02-13 13:52 - 2017-02-13 13:53 - 00000000 ____D C:\FRST
2017-02-13 13:52 - 2017-02-13 12:20 - 02421248 _____ (Farbar) C:\Users\______\Desktop\FRST64.exe
2017-02-07 05:07 - 2017-01-26 06:26 - 00047760 _____ (Sophos Limited) C:\WINDOWS\system32\Drivers\swi_callout.sys
2017-01-26 06:36 - 2017-01-26 06:36 - 00200760 _____ (Sophos Limited) C:\WINDOWS\system32\Drivers\SophosED.sys
2017-01-26 06:36 - 2017-01-26 06:36 - 00000000 ____D C:\Program Files\Common Files\Sophos
2017-01-26 06:30 - 2017-01-26 06:26 - 00043736 _____ (Sophos Limited) C:\WINDOWS\system32\SophosBootTasks.exe
2017-01-26 06:26 - 2017-01-26 06:26 - 00201168 _____ (Sophos Limited) C:\WINDOWS\system32\Drivers\savonaccess.sys
2017-01-20 08:33 - 2017-01-20 08:33 - 00000020 ___SH C:\Users\______\ntuser.ini
2017-01-20 08:33 - 2017-01-20 08:33 - 00000000 ____D C:\Users\______\AppData\Roaming\Malwarebytes

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-13 13:53 - 2016-11-14 05:29 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-02-13 13:16 - 2016-05-10 13:04 - 00000944 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-4279014033-3366832872-323971244-1370UA1d1aaff91721739.job
2017-02-13 13:05 - 2012-08-10 09:25 - 00000944 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-4279014033-3366832872-323971244-1370UA.job
2017-02-13 12:56 - 2012-08-09 15:13 - 00000104 _____ C:\WINDOWS\system32\config\netlogon.ftl
2017-02-13 12:37 - 2012-08-10 08:53 - 00000142 _____ C:\WINDOWS\ODBC.INI
2017-02-13 09:07 - 2012-08-10 15:42 - 00000000 ____D C:\Users\______\AppData\Roaming\TeamViewer
2017-02-13 08:41 - 2016-11-11 11:02 - 00000000 ____D C:\ProgramData\sccomm
2017-02-12 21:04 - 2012-08-10 09:25 - 00000892 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-4279014033-3366832872-323971244-1370Core.job
2017-02-12 17:15 - 2016-05-10 13:04 - 00000892 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-4279014033-3366832872-323971244-1370Core1d1aaff9150b675.job
2017-02-10 16:00 - 2014-02-05 09:32 - 00000562 _____ C:\WINDOWS\Tasks\4pm Scan.job
2017-02-09 17:17 - 2016-11-11 11:02 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2017-01-26 06:36 - 2012-08-10 08:50 - 00000000 ____D C:\Program Files\Sophos
2017-01-26 06:36 - 2012-08-10 06:19 - 00000000 ____D C:\ProgramData\Sophos
2017-01-26 06:31 - 2014-02-05 09:32 - 00004066 _____ C:\WINDOWS\System32\Tasks\4pm Scan
2017-01-26 06:31 - 2012-08-10 06:19 - 00000000 ____D C:\Program Files (x86)\Sophos
2017-01-25 14:05 - 2016-06-21 07:35 - 00000000 ____D C:\Users\______\AppData\Local\Deployment
2017-01-20 08:33 - 2016-06-21 07:11 - 00000000 ____D C:\Users\______

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-08 00:50

==================== End of FRST.txt ============================


 

Addition.txt

Edited by djacobson: editing private data

Do you know of and trust the following proxy and DHCP setup? All of the IPs are being flagged for spamming.

ProxyEnable: [S-1-5-21-4279014033-3366832872-323971244-1370] => Proxy is enabled.
ProxyServer: [S-1-5-21-4279014033-3366832872-323971244-1370] => 0.0.0.0:
Tcpip\Parameters: [DhcpNameServer] 10.2.8.14 10.2.10.14
Tcpip\..\Interfaces\{57b1f2de-5ca0-4fbd-aa0f-98efef147467}: [DhcpNameServer] 10.2.8.14 10.2.10.14
Tcpip\..\Interfaces\{a831c1be-3bda-4095-aac9-9eb57ac7a4b6}: [DhcpNameServer] 10.2.9.14
ManualProxies: 10.0.0.0:


Root Admin

Hello @KNOTSLANDING

Is this the Managed business version of Malwarebytes? The reason I ask is that the logs seem to indicate it is and this section of the forum is for the retail consumer version. @kevinf80 can probably assist and get you cleaned up, but he will not be as familiar with the version of the product you're using and you may be best contacting our business support or let me know and I can move your topic into the business section of the forum.

Thank you

Ron

 


Hello,

Yes, we know of and trust these IPs.  (There is one that is no longer being used but that is not the issue.)

As to Ron's question, it is the managed business version of MalwareBytes.  After Kevin helps me, you can move it to the business section if necessary.

One other thing. After this is resolved, would it be possible to delete this entire message thread, as it contains sensitive information which I don't want to get out. It is a security concern. I only posted the FRST.txt text file as requested, but that was a mistake and I shouldn't have done that. Maybe I should have just attached it, but again I was following directions. For now, please keep this message open until I get this problem resolved. I would appreciate it.

Thanks.


I hate to be the bearer of bad news, but a search of your forum username on Google turned up your conversation as the #1 item returned. I don't want to discourage you from using the forums, but if you have to include something that you consider sensitive, it's probably best to put it in an attachment and make a generic/neutral reference to it in your post. If Google does scour them, they would not be as visible to others.


Hello KNOTSLANDING,

I do not have the authority to move or amend your thread or any replies, that needs the intervention of an Administrator or Moderator. Back to the issue quoted, I've not come across anything like this before. What you have is an ADS attached to a system folder, syswow64, not, as usual, a file....

An alternate data stream (ADS) is a feature of the Windows New Technology File System (NTFS) that contains metadata for locating specific files by author or title; obviously malware writers have taken advantage of ADS and used that function to their advantage. ADS is supported by all versions of Windows beginning with Windows NT through the current versions, Windows 7/8/10.

Usually FRST does identify any listed ADS and a simple fix is available where the ADS is removed from the supporting file, the file is left untouched. I do not see any obvious malware or infection in your logs...

I'm not familiar with the version of Malwarebytes you have installed, this forum only deals with the retail versions. Is your version updated? If MB quarantines the entry, have you tried to delete it... As it is attached to a system folder I'm not really sure what the outcome would be...

Can you run RogueKiller and post the produced log, do not attempt to use the delete function to remove any listed entries, just post the log.....

Download and save RogueKiller to your Desktop from this link:

https://www.fosshub.com/RogueKiller.html/setup.exe

Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window checkmark "Install 32 and 64 bit versions", then select "Next"


In the next window skip Licence I.D. and Licence Key, select "Next"


In the next window make no changes and select "Next"


In the next window leave both "Additional Shortcuts" checkmarked, then select "Next"


In the next window make no changes and select "Install"


RogueKiller will extract and complete installation, in the new window leave "Launch RogueKiller" checkmarked, then select "Finish".


RogueKiller will launch. Accept UAC, then read and accept "User Agreements"


In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"


When the scan completes select "Open Report"


In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply

 
Thank you,
 
Kevin
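The post above explains that the detection is an NTFS alternate data stream attached to the SysWOW64 folder itself rather than to a file. The following PowerShell session is an added example and is not code from the thread, from Malwarebytes or from FRST. It rehearses the three operations a responder wants (list the streams on a directory, read one without executing it, delete only the stream) on a throwaway folder, then runs the read-only checks against C:\Windows\SysWOW64. The temp folder, the stream name demo_stream and its content are constructed for the demo; the search string win32app_1 is the stream name from the detection. It assumes a PowerShell version whose FileSystem provider accepts -Stream on directories (PowerShell 7 does; older Windows PowerShell builds may not), which is why the cmd `dir /r` listing is included as the fallback.

```powershell
# Added example, not part of the thread: inspect and remove an NTFS alternate data
# stream (ADS) attached to a DIRECTORY, which is what "c:\Windows\syswow64:win32app_1"
# denotes (folder SysWOW64, named stream win32app_1). Run from an elevated prompt.
# The temp folder, the stream name "demo_stream" and its content are constructed here.

# --- 1. Safe rehearsal on a throwaway folder -----------------------------------
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

# Attach a named stream to the directory itself ("<dir>:demo_stream").
Set-Content -Path $demoDir -Stream 'demo_stream' -Value 'constructed sample payload'

# List the streams on the directory. A clean directory lists nothing at all; for a
# file the unnamed ':$DATA' entry is normal and anything else is an ADS.
Get-Item -Path $demoDir -Stream * | Select-Object FileName, Stream, Length

# Read the stream as text without executing anything, to judge what it holds.
Get-Content -Path $demoDir -Stream 'demo_stream' -Raw

# Delete only the stream; the directory and the files inside it are untouched.
# This is the same end state a scanner's "remove ADS" fix leaves behind.
Remove-Item -Path $demoDir -Stream 'demo_stream'
Get-Item -Path $demoDir -Stream * -ErrorAction SilentlyContinue   # expect no output

# --- 2. Read-only checks against the folder named in the detection -------------
$target = 'C:\Windows\SysWOW64'

# cmd's "dir /r" on the PARENT prints named streams under each entry, folders included,
# and works on every Windows version; the 3 context lines show the stream rows.
cmd /c "dir /r `"$(Split-Path $target)`"" |
    Select-String -Pattern 'SysWOW64' -Context 0,3

# Same view through the provider (requires directory stream support, see lead-in).
Get-Item -Path $target -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# If a stream reappears after removal, something on the host recreates it. Scheduled
# tasks are one place to look for an action that references the stream path; this is
# the responder's next step as an assumption, not a finding from the thread.
Get-ScheduledTask |
    Where-Object {
        ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'win32app_1'
    } |
    Select-Object TaskName, TaskPath, State

# Clean up the rehearsal folder.
Remove-Item -Path $demoDir -Recurse -Force
```

Quarantining the stream and deleting it from quarantine does the same thing as the `Remove-Item -Stream` line: the stream is gone, the folder is untouched. A stream that returns a week later therefore points at whatever recreates it, so the autostart locations (scheduled tasks, services, Run keys) are where the follow-up belongs, not at the quarantine.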

Hello Kevin,

Thanks for your help. 

At the moment, I haven't installed or run the RogueKiller program you suggested. I am a little hesitant to install it as I am unsure if it is safe. I read that one user installed it and then got the update, which dumped a lot of malware on his or her system, and I certainly don't want that to happen. I will need to do some research on this program to absolutely make sure it is safe. Some third-party software is bundled with other unwanted programs or, even worse, contains viruses and malware. So, you can tell I'm trying to be very careful.

In the meantime, can you tell me what RogueKiller does? And how is it different from MalwareBytes? I can trust MalwareBytes but I am not so sure about RogueKiller. I also read that RogueKiller can be really extensive and cause problems. I know you said to only generate a log, so at least that makes sense. What exactly are you looking for in the log? I just thought I'd ask.

Besides, the Syswow64:win32app_1 file doesn't seem to be a major problem. And according to your latest information, you weren't able to see any problems after reviewing the logs I previously provided. The good news is that the file is in the MalwareBytes quarantine (to be deleted at the end of this week) and it hasn't been detected again after another MalwareBytes scan. I like to do a scan every day or so just to make sure.

Thanks again.

