Malwarebytes targeted n65adserv


Recommended Posts

Hello, my Malwarebytes popped up and showed n65adserv as a potential threat.

I've tried to run Malwarebytes but now it won't run.

Defender shows no issues.

Not exactly sure what that is or how harmful it can be. I looked for that file but couldn't find it.

I'm running Windows 10 Pro.


Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit...

Next,

From your Desktop select the start Flag (bottom lefthand corner of screen)

Hold down the "Shift key" of your keyboard, keep it down and select "Restart"

Your PC should open to the "Choose an Option" window.... release shift key.

From that window select "Troubleshoot"

From the next window select "Advanced Options"

From that Window select "Command Prompt"

Ensure to plug the flash drive into a USB port... You should now be in Recovery Environment with the Command Prompt Window open......

Continue with the following:
 
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter
  • Note: Replace letter E with the drive letter of your flash drive. <<<---- very important
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. You will need to boot back to Normal windows to post the log, or if applicable do that action from a spare PC...
  • To boot back to windows, type exit at the prompt and hit enter
  • Please copy and paste or attach FRST log to your reply.


Thanks,

Kevin...

Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next,

Reboot to Normal Windows:

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as: Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as: Always detect PUMs (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.
    'Could not load DDA driver'
     
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply

     
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…

Post logs from FRST and Malwarebytes...

Thank you,

Kevin

 

fixlist.txt


Ok here is the report.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/25/17
Scan Time: 1:56 PM
Log File: cd104ea6-b9ad-11e7-9837-000acd2c0e2d.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.212
Update Package Version: 1.0.3095
License: Trial

-System Information-
OS: Windows 10 (Build 16299.19)
CPU: x64
File System: NTFS
User: ASUS\ducks

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 386374
Threats Detected: 3
Threats Quarantined: 3
Time Elapsed: 2 min, 11 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
Rootkit.Fileless.MTGen, HKU\S-1-5-21-1031065555-1004515542-3751822052-1001_Classes\ifxupo\SHELL\OPEN\COMMAND, Quarantined, [1383], [261828],1.0.3095

Registry Value: 2
Rootkit.Fileless.MTGen, HKU\S-1-5-21-1031065555-1004515542-3751822052-1001_Classes\ifxupo\SHELL\OPEN\COMMAND|, Quarantined, [1383], [261828],1.0.3095
Trojan.Fileless.MTGen, HKU\S-1-5-21-1031065555-1004515542-3751822052-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^WXODCOLAXB, Quarantined, [365], [262350],1.0.3095

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

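The Malwarebytes log above shows a fileless persistence pair: a HKCU Run value and a per-user ProgID (Classes\ifxupo\shell\open\command), and the later FRST Fixlog shows a safeboot flag being cleared with bcdedit. As an added, read-only audit that is not part of this thread nor of Malwarebytes or FRST, the PowerShell below lists entries in those three locations that invoke a script host or point at a file that is not on disk; the function names and the script-host list are the example's own assumptions.

```powershell
# Added example, not from this thread: read-only audit of the persistence spots
# named in the Malwarebytes log and FRST fixlog above (HKCU Run values, per-user
# ProgID shell\open\command handlers, safeboot flag in the current BCD entry).
# Function names are this example's own. Run in an elevated PowerShell for step 3.
$ScriptHosts = 'mshta', 'powershell', 'wscript', 'cscript', 'rundll32', 'regsvr32', 'cmd'

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Fileless loaders usually hand inline script to a script host...
    foreach ($h in $ScriptHosts) {
        if ($Command -match "(?i)\b$h(\.exe)?\b") { return $true }
    }
    # ...or point at an executable that is not on disk (relative names also land here for review).
    if ($Command -match '^"([^"]+)"')          { $exe = $Matches[1] }
    elseif ($Command -match '^(.+?\.exe)')      { $exe = $Matches[1] }
    else                                        { $exe = ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    return -not (Test-Path -LiteralPath $exe)
}

function Get-SuspiciousAutoruns {
    $findings = New-Object System.Collections.Generic.List[object]
    # 1. HKCU Run values (Trojan.Fileless.MTGen was quarantined here above)
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            if (Test-SuspiciousCommand $p.Value) {
                $findings.Add([pscustomobject]@{ Location = "$runKey|$($p.Name)"; Command = $p.Value })
            }
        }
    }
    # 2. Per-user ProgIDs with a shell\open\command handler (Rootkit.Fileless.MTGen
    #    lived in Classes\ifxupo\shell\open\command above)
    foreach ($k in Get-ChildItem 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue) {
        $cmdKey = Join-Path $k.PSPath 'shell\open\command'
        if (-not (Test-Path $cmdKey)) { continue }
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        if (Test-SuspiciousCommand $cmd) {
            $findings.Add([pscustomobject]@{ Location = "HKCU:\Software\Classes\$($k.PSChildName)\shell\open\command"; Command = $cmd })
        }
    }
    # 3. Safe-mode boot flag, the setting FRST cleared via bcdedit in the Fixlog
    $sb = bcdedit /enum '{current}' 2>$null | Select-String '^\s*safeboot' | Select-Object -First 1
    if ($sb) { $findings.Add([pscustomobject]@{ Location = 'bcdedit {current}'; Command = $sb.Line.Trim() }) }
    return $findings
}

$hits = Get-SuspiciousAutoruns
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No suspicious autorun entries found.' }
```

Legitimate entries that use a script host or an unquoted path with spaces will also be listed; the output is a review list, not a verdict, and nothing is modified.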

What about the log from FRST fix, can I see that. Also run the following:

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin


---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.53, October 2017 (build 5.53.14306.0)
Started On Wed Oct 25 15:33:57 2017

Engine: 1.1.14104.0
Signatures: 1.251.1312.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 25 15:40:51 2017


Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.53, October 2017 (build 5.53.14306.0)
Started On Wed Oct 25 15:46:17 2017

Engine: 1.1.14104.0
Signatures: 1.251.1312.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 25 15:50:36 2017


Return code: 0 (0x0)
 

1 hour ago, kevinf80 said:

What about the log from FRST fix, can I see that.

I never ran the first fix. I was anxious and gave that a try before I read your advice about running it from the thumb drive. I ran it but didn't use the fix.

 

AdwCleaner[S2].txt


If you've not used the fix how did you get Malwarebytes to run, the fix had all parts of the infection up for removal.... Without removal I do not know why MB now runs for you...

Quote

Start
GroupPolicy: Restriction <==== ATTENTION
2017-10-24 11:52 - 2017-10-24 11:53 - 000000000 ____D C:\Users\ducks\AppData\Local\Qmokxy
2017-10-24 11:26 - 2017-10-24 11:26 - 000000000 ____D C:\Users\ducks\AppData\Local\Wvirbes
2017-10-24 11:26 - 2017-10-24 11:26 - 000000000 ____D C:\Users\ducks\AppData\Local\Rzetvikn
2017-10-24 11:26 - 2017-10-24 11:26 - 000000000 ____D C:\Users\ducks\AppData\Local\Ikmepy
2017-10-21 18:32 - 2012-09-18 11:27 - 000501760 _____ C:\Windows\System32\ZSHP1020.EXE
safeboot: Minimal => The system is configured to boot to Safe Mode <==== ATTENTION
end

 


I ran it from the thumb drive; I thought I sent it.

Fix result of Farbar Recovery Scan Tool (x64) Version: 25-10-2017
Ran by SYSTEM (25-10-2017 13:51:37) Run:1
Running from G:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
Start
GroupPolicy: Restriction <==== ATTENTION
2017-10-24 11:52 - 2017-10-24 11:53 - 000000000 ____D C:\Users\ducks\AppData\Local\Qmokxy
2017-10-24 11:26 - 2017-10-24 11:26 - 000000000 ____D C:\Users\ducks\AppData\Local\Wvirbes
2017-10-24 11:26 - 2017-10-24 11:26 - 000000000 ____D C:\Users\ducks\AppData\Local\Rzetvikn
2017-10-24 11:26 - 2017-10-24 11:26 - 000000000 ____D C:\Users\ducks\AppData\Local\Ikmepy
2017-10-21 18:32 - 2012-09-18 11:27 - 000501760 _____ C:\Windows\System32\ZSHP1020.EXE
safeboot: Minimal => The system is configured to boot to Safe Mode <==== ATTENTION
end

*****************

C:\Windows\System32\GroupPolicy\Machine => moved successfully
C:\Windows\System32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
C:\Users\ducks\AppData\Local\Qmokxy => moved successfully
C:\Users\ducks\AppData\Local\Wvirbes => moved successfully
C:\Users\ducks\AppData\Local\Rzetvikn => moved successfully
C:\Users\ducks\AppData\Local\Ikmepy => moved successfully
C:\Windows\System32\ZSHP1020.EXE => moved successfully

=========================  bcdedit ========================


The operation completed successfully.

========= End of bcdedit =========


==== End of Fixlog 13:51:38 ====

Fixlog.txt


I haven't done much with the computer since this happened but things are much better than yesterday. I thought I posted the AdwCleaner file; here it is.

# AdwCleaner 7.0.3.1 - Logfile created on Wed Oct 25 20:29:40 2017
# Updated on 2017/29/09 by Malwarebytes 
# Running on Windows 10 Pro (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

No malicious registry entries deleted.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [4720 B] - [2017/10/25 19:28:56]
C:/AdwCleaner/AdwCleaner[S1].txt - [3436 B] - [2016/2/19 19:43:17]
C:/AdwCleaner/AdwCleaner[S2].txt - [1148 B] - [2016/2/19 19:47:8]


########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt ##########


One more scan to make sure no remnants of the infection are still on your system....

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.
 

Let me see the log when complete....

Thank you,

Kevin


Hi again Kevin, Just woke up scan complete no issues. Going to use the computer and see how everything is. You were very helpful and easy to follow.

Let me know if I need to do anything else. 

I'm very careful about where I go and what I open, at least in my mind. Maybe not. Any idea of when or how this happened? The only thing I recall is a quick page popped up from Adobe Flash saying I had to update. I was distracted with something and just clicked on it. But I noticed it didn't look quite right. Plus it was in Edge, so I think that browser updates Flash. That made me worry. That's when I got the message from malware.

SophosVirusRemovalTool.log


Hello Hisserto,

The infection you had is known to exploit systems via a malicious file masked as an update for Adobe Flash Player, I believe it may also be masked as an update for Firefox... One thing I do know for sure, Malwarebytes Premium would have protected your system from such exploits. I would strongly recommend you update Malwarebytes to premium level asap. I do not work for Malwarebytes and am not affiliated in any way so have nothing to gain from that advice....

Let me know if your PC is responding as expected, also let me know if there are any remaining issues or concerns. If none I'll give instructions to clean up tools etc....

Thank you,

Kevin


Kevin, the outcome was odd. I ran the full scan and it showed one threat. I had it fix it or quarantine it, and when I looked again it said no threats found. Now I look in history and see

SoftwareBundlier:Win32/Dowadmin on 10/25/2017

and a new one called

Worm:Win32/Gamarue.l on 10/26/2017


Ok I'll get that and run it. The affected lists not only e: one line says containerfile E:\FileHistory\Robert\ROBERT\Data\J\Downloads\3-0c86e-Voyager(2014_10_05 07_29_45 UTC)zip

More of those but some end in zip some in rar and some in exe

But the date listed there is today's date. Did something just download and find a home there, or has it been there since I downloaded that file a few years ago?

Defender is only about 33% finished. I ran it on this computer also; I worry if somehow it could travel through my network onto this one. It came back clean, and the second computer has only one drive; my infected one has 3 hard drives, one network and one USB.
