"shieldapps.ml" Is or Isn't?


Aha! Wait! Before we leave Zoek, I found something called PEVZ that looked and acted suspiciously. An article at http://greatis.com/blog/how-to-remove-malware/pevz-exe.htm indicated it is a trojan, and though I couldn't delete it manually, I did suspend it. At that point, Zoek began running again. It completed whatever was clogging it, demanded a reboot, then spat out its report. Here is that full Zoek report:

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Mormo_000 on Fri 10/13/2017 at 15:49:24.81.
Microsoft Windows 10 Home 10.0.15063  x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Mormo_000\Desktop\zoek.exe [Scan all users] [Script inserted] 

==== Older Logs ======================

C:\zoek-results2017-10-13-035927.log    12613 bytes
C:\zoek-results2017-10-13-132921.log    1880 bytes

==== System Restore Info ======================

10/13/2017 3:54:21 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Users\Mormo_000\AppData\Local\DBG deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\MORMO_~1\AppData\Roaming\Mozilla\Firefox\Profiles\lxuoyro5.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Added to C:\Users\MORMO_~1\AppData\Roaming\Mozilla\Firefox\Profiles\lxuoyro5.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Batch Command(s) Run By Tool======================


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\MORMO_~1\AppData\Roaming\Mozilla\Firefox\Profiles\lxuoyro5.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"AllMyTube@Wondershare.com"="C:\ProgramData\Wondershare\AllMyTube\AllMyTube@Wondershare.com" [10/09/2017 07:48 AM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\MORMO_~1\AppData\Roaming\Mozilla\Firefox\Profiles\lxuoyro5.default
- Wondershare AllMyTube - C:\ProgramData\Wondershare\AllMyTube\AllMyTube@Wondershare.com

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

==== Firefox Plugins ======================


==== Chromium Look ======================


HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
efaidnbmnnnibpcajpcglclefindmkaj - No path found[]

Chrome Media Router - Mormo_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
4.2.0 - Mormo_000\AppData\Local\Vivaldi\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd
Chrome Media Router - Mormo_000\AppData\Local\Vivaldi\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
Chrome Media Router - C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Vivaldi\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com/?ocid=U220DHP&pc=U220"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com/?ocid=U220DHP&pc=U220"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Reset Google Chrome ======================

C:\Users\Mormo_000\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Mormo_000\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Mormo_000\AppData\Local\Vivaldi\User Data\Default\Preferences was reset successfully
C:\Users\Mormo_000\AppData\Local\Vivaldi\User Data\Default\Secure Preferences was reset successfully
C:\Users\Mormo_000\AppData\Local\Google\Chrome\User Data\Default\Web Data will be reset at reboot
C:\Users\Mormo_000\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal will be reset at reboot
C:\Users\Mormo_000\AppData\Local\Vivaldi\User Data\Default\Web Data was reset successfully
C:\Users\Mormo_000\AppData\Local\Vivaldi\User Data\Default\Web Data-journal was reset successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Mormo_000\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Mormo_000\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\Mormo_000\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\Mormo_000\AppData\Local\Vivaldi\User Data\Default\Cache will be emptied at reboot
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Vivaldi\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

No Flash Cache Found

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=3537 folders=231 616577369 bytes)

==== Empty Temp Folders ======================

C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\MORMO_~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Mormo_000\AppData\Local\Google\Chrome\User Data\Default\Web Data" not found
"C:\Users\Mormo_000\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal" not found
"C:\Users\Mormo_000\AppData\Local\Vivaldi\User Data\Default\Cache\data_0" deleted
"C:\Users\Mormo_000\AppData\Local\Vivaldi\User Data\Default\Cache\data_1" deleted
"C:\Users\Mormo_000\AppData\Local\Vivaldi\User Data\Default\Cache\data_2" deleted
"C:\Users\Mormo_000\AppData\Local\Vivaldi\User Data\Default\Cache\data_3" deleted
"C:\Users\Mormo_000\AppData\Local\Vivaldi\User Data\Default\Cache\index" deleted

==== EOF on Sat 10/14/2017 at  6:55:13.29 ======================


Here you are. We ended up being "kidnapped" by our two youngest granddaughters and didn't get back from their home (our daughter and son-in-law live on the way from the grocery) until just an hour ago.  Ran FRST, and looked for pevx.exe  (Search03.txt) as well as pevz.exe (Searches 01 and 02.txt). They found nothing. Those logs (Searches 01, 02, and 03 in ASCII format) are attached.

Where did I find pevz.exe? That was in the Resource Monitor, where I saw pevz.exe taking up almost the entire CPU... at least, I think it was the CPU that it hogged. When I googled the article aforementioned, http://greatis.com/blog/how-to-remove-malware/pevz-exe.htm , I quickly disabled pevz.exe. Almost immediately after I disabled it (that was the option I got when I right-clicked on it: to disable, not to terminate), I forgot where in the Resource Monitor I'd seen it. But as soon as I disabled it, Zoek instantly came to life and finished.

There is still some minor, infrequent mouse pointer wandering (scrolling the screen completely down and to the right), but that's the only "badness" I've noticed. Should I run Zoek again, or the file you recommended 12+ hours ago?

Search03.txt

Search02.txt

Search01.txt


FRST logs are clean. Have the blocks ceased? If they still happen, can you post the information for the last 4 blocks:

Open Malwarebytes, select > Reports > then checkmark (tick) most recent "Website Block" entry > then select "View Report" > "Export" > Text File (*.txt) name and save that file to Desktop or somewhere of your choice, attach the last 4 to your reply...

Since so many of the reports were at the same time and date (I don't know why MBy generated two or more reports for every alert) I've attached the last TEN reports. They cover only 2.5 days. If you need reports that go back further than the 14th, let me know. I can send them right away. Don't want to overwhelm you with Too Much Information.

MBytReport10-14-17b.txt

MBytReport10-14-17a.txt

MBytReport10-15-17b.txt

MBytReport10-15-17a.txt

MBytReport10-16-17ab.txt

MBytReport10-16-17aa.txt

MBytReport10-16-17d.txt

MBytReport10-16-17a.txt

MBytReport10-16-17b.txt

MBytReport10-16-17c.txt


OK, one more setting I want you to disable totally. This will not make a massive difference to its intended purpose, Windows Update via a more efficient route; updates will still come in via MS servers. This kind of P2P action can have a more sinister action if exploited...

Have a look at the following link and follow the instructions to turn this action off totally. Reboot when done and see if there is any improvement...

https://www.pcworld.com/article/2955491/windows/how-to-stop-windows-10-from-using-your-pcs-bandwidth-to-update-strangers-systems.html


Argh! That PCWorld page auto-ran so many videos that it kept locking up my computer. Finally printed the page to PDF, closed Chrome, and was able to read the instructions thataway.

To no avail. I turned off, as instructed, the option to send parts of Windows updates to any other computer, whether on my network or not.  And when I rebooted...

Nothing. Until I opened Malwarebytes. At that point, I got two MORE alerts on Shieldapps.ml. The reports are attached. Again. As they occurred at 5:15 pm, I've named them MByteReport(today's date) 1715a and b, respectively.

Whoever wrote this malware - and I'm beginning to truly believe Equifax is less innocent than they claim - is diabolical and clever.

MBytReport10-16-17 1715b.txt

MBytReport10-16-17 1715a.txt


Can you uninstall the following program if you do not use it...

Identity Theft Preventer (HKLM-x32\...\Identity Theft Preventer) (Version: 1.1.1 - ShieldApps)

If you prefer to keep it, add it as an exclusion to Malwarebytes. This ongoing block is that program calling home; it is apparently not malicious:

https://www.virustotal.com/en/url/33a7931457e71c357dafaffef7b365002739ee90bf7edfbec93f302d00a5f744/analysis/1508217691/

However, a VT check on the contact IP does flag it up as possibly malicious:

https://www.virustotal.com/en/ip-address/37.97.254.27/information/

The IP is classed as clean regarding possible Spamming...

https://cleantalk.org/blacklists?record=37.97.254.27

Let me know which route you prefer...

Next,

Website Data-
Domain: s1.symcb.com
IP Address: 23.4.53.163
Port: [50401]
Type: Outbound
File: C:\Windows\System32\BackgroundTransferHost.exe

Another block in your report list is not malicious per se; this is a Microsoft process calling out. Only Malwarebytes flags this domain as malicious in a VirusTotal check:

https://www.virustotal.com/en/url/7846e89e57f54df83684fae036b611b7bb3936c22e30289acd81e53e62a40d44/analysis/1508218247/

The IP is not found in a spamming check...

https://cleantalk.org/blacklists?record=23.4.53.163

Thanks,

Kevin
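Kevin's post above triages each Malwarebytes website block by its Domain, IP Address, Port, Type and File fields. The script below is an added example, not code from the original thread or from Malwarebytes: it parses exported "Website Block" .txt reports (assumed to hold one "Website Data-" section per block with exactly those five fields; any other lines are skipped), counts repeat callers per process and domain, and separates blocks whose domain has already been reviewed and excluded from those still needing a look. The sample report text is constructed: the s1.symcb.com entry copies the fields quoted in the post, the shieldapps.ml entries reuse the contact IP from the post, and their File path and port numbers are hypothetical placeholders.

```python
"""Parse Malwarebytes 'Website Block' report exports and summarize who is calling where."""
import re
from collections import Counter

# Constructed sample of three exported reports concatenated. The s1.symcb.com
# entry copies the fields quoted in the thread; the shieldapps.ml entries reuse
# the contact IP from the thread, but their File path and port numbers are
# hypothetical stand-ins (the real ones are not shown on the page).
SAMPLE_REPORTS = r"""
Website Data-
Domain: s1.symcb.com
IP Address: 23.4.53.163
Port: [50401]
Type: Outbound
File: C:\Windows\System32\BackgroundTransferHost.exe

Website Data-
Domain: shieldapps.ml
IP Address: 37.97.254.27
Port: [49876]
Type: Outbound
File: C:\HypotheticalPath\IdentityTheftPreventer.exe

Website Data-
Domain: Shieldapps.mL
IP Address: 37.97.254.27
Port: [49901]
Type: Outbound
File: C:\HypotheticalPath\IdentityTheftPreventer.exe
"""

SECTION_HEADER = "Website Data-"
FIELD_RE = re.compile(r"^(Domain|IP Address|Port|Type|File):\s*(.*)$")


def parse_blocks(text):
    """Return one dict per 'Website Data-' section; unknown lines are ignored."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == SECTION_HEADER:
            current = {}
            blocks.append(current)
            continue
        if current is None:
            continue  # text before the first section (log details etc.)
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "Port":
            value = int(value.strip("[]"))  # "[50401]" -> 50401
        if key == "Domain":
            value = value.lower()  # the thread spells the domain both ways
        current[key] = value
    # a block without a domain or a process is unusable for triage
    return [b for b in blocks if "Domain" in b and "File" in b]


def summarize(blocks):
    """Count blocks per (process, domain, direction) so repeat callers stand out."""
    return Counter((b["File"], b["Domain"], b.get("Type", "?")) for b in blocks)


def triage(blocks, excluded_domains=()):
    """Split blocks into already-reviewed (domain excluded) and still-pending."""
    excluded = {d.lower() for d in excluded_domains}
    reviewed, pending = [], []
    for b in blocks:
        (reviewed if b["Domain"] in excluded else pending).append(b)
    return reviewed, pending


def last_n(blocks, n=4):
    """The most recent n blocks, in file order, for pasting into a reply."""
    return blocks[-n:]


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_REPORTS)
    for (proc, domain, direction), count in summarize(parsed).most_common():
        print(f"{count:>3}  {direction:<8} {domain:<20} {proc}")
    _, still_pending = triage(parsed, excluded_domains=["shieldapps.ml"])
    print("still to review:", [b["Domain"] for b in still_pending])
```

Run it as a script to print per-process counts, most frequent first; a process that keeps being blocked against the same domain is the "calling home" pattern Kevin describes, and the case-insensitive domain match matters because the thread spells the domain both as shieldapps.ml and Shieldapps.mL.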

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
