#51
Which driver is (that driver) and from where?
We're obviously on the same wavelength, Jack, as I just reconnected to copy out the driver location. Google doesn't recognize the driver, so it may just be the infection itself.
Can we get some security specialists on this? Thanks!
Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software
Scan Date: 26/05/2014
Scan Time: 19:14:15
Logfile:
Administrator: Yes
Version: 2.00.1.1004
Malware Database: v2014.05.26.03
Rootkit Database: v2014.05.21.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Wintermoon
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 246339
Time Elapsed: 3 min, 56 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 1
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32, Quarantined, [f80393c20378e4529d07e1b22bd87a86],
Registry Values: 1
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32|ImagePath, "C:\Windows\Installer\{00D50165-1656-0EEE-8910-812968BC3F0D}\syshost.exe" /service, Quarantined, [f80393c20378e4529d07e1b22bd87a86]
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 1
Rootkit.Necurs.GO, c:\Windows\System32\drivers\9f699c6cf9ca7339.sys, Quarantined, [b8439fb6304b65d1430fb4c458a9be42],
Physical Sectors: 0
(No malicious items detected)
(end)
It is clean now.
My suggestion at this point, unless specialists feel it is worth trying to clean up, is to reinstall after wiping with the Clean command, don't import anything before checking IE for infection, then if not infected install Chrome to check it. Check these before and after installing all rounds of Windows Updates, then check both again. Likewise check browsers immediately after installing each program and after activity on any other home PC.
Unfortunately, Greg, with rootkits it is very hard to get enough info to know. That log unfortunately does not share much. I believe Malwarebytes, though, if it detected it as a rootkit.
Here is some info on the variant from 2012:
Necurs Rootkit Spreading Quickly, Microsoft Warns
http://artemonsecurity.blogspot.com/...icroscope.html
This seems to be an old strain of it. I wonder how long it was on the system...
He had just reinstalled. We went over everything he did after reinstall and nothing was imported except from the Chrome site and the virus solutions download sites from earlier in this thread.
This leaves the network, so we dialed into his router and the firewall was off. Now enabled, he's running MBAM scans on his other home PCs.
I still think he should reinstall after wiping with Clean command, don't import anything before checking IE for infection, then if not infected install Chrome to check it. Check these before and after installing all rounds of Important and Optional Windows Updates (after enabling Automatically deliver drivers via Windows Update (Step 3)), then check both again. Likewise check browsers immediately after installing each program and after activity on any other home PC.
I'm not sure the hardware firewall will block viruses from hiding on other home PCs, though, as my sister's Linksys didn't, and we had viruses running from one PC to another to hide while scans were run until we disconnected each from the web before scanning.
Any other ideas?
@Greg, I would have him reset his router with the reset button, or better yet see if an updated firmware update is available. Wipe to factory defaults again, then install it and make sure the firewall is on. Then yes, I would do a clean install, especially when rootkits are involved.
@layback bear
Good suggestion, though I am confident Greg chose this as it detected a rootkit, which it would not do if that was unchecked.
Last edited by andrew129260; 27 May 2014 at 12:28.
Post #52 shows it wasn't selected. How Malwarebytes found the rootkit I don't know, but there might be more.
Rescanning now with that box checked. It was checked before which makes me wonder how it got unchecked.
Thanks, guys.
Results:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 26/05/2014
Scan Time: 22:03:25
Logfile:
Administrator: Yes
Version: 2.00.1.1004
Malware Database: v2014.05.26.03
Rootkit Database: v2014.05.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Disabled
Chameleon: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Wintermoon
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 248404
Time Elapsed: 5 min, 5 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)
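As an added example (not from this thread or from Malwarebytes), here is a small parser for the 2.0-era log format quoted above, plus a triage pass for the points argued over in the thread: whether the Rootkits box was actually ticked, the quarantined driver in System32\drivers, and the SYSHOST32 service whose ImagePath points into a Windows\Installer GUID folder. The embedded log is a constructed, abbreviated copy of the first log posted above; the function names are my own.

```python
import re

# Constructed sample input: an abbreviated copy of the first log posted above, values as in the thread.
SAMPLE_LOG = r"""
Scan Date: 26/05/2014
Rootkits: Disabled
Registry Keys: 1
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32, Quarantined, [f80393c20378e4529d07e1b22bd87a86],
Registry Values: 1
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32|ImagePath, "C:\Windows\Installer\{00D50165-1656-0EEE-8910-812968BC3F0D}\syshost.exe" /service, Quarantined, [f80393c20378e4529d07e1b22bd87a86]
Files: 1
Rootkit.Necurs.GO, c:\Windows\System32\drivers\9f699c6cf9ca7339.sys, Quarantined, [b8439fb6304b65d1430fb4c458a9be42],
(end)
"""

# Detection row: "<threat>, <location>, <action>, [<32-hex id>]" (+ optional trailing comma); the location may itself contain ", " (ImagePath row), so it is matched greedily.
DETECTION_RE = re.compile(r"^(?P<name>[\w.]+), (?P<location>.+), (?P<action>[A-Za-z ]+), \[(?P<id>[0-9a-f]{32})\],?$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.*)$")   # "Rootkits: Disabled", "Files: 1", ...
SECTIONS = {"Processes", "Modules", "Registry Keys", "Registry Values", "Registry Data", "Folders", "Files", "Physical Sectors"}

def parse_mbam_log(text):
    """Return (header fields, detection rows); each row records the result block it was listed under."""
    fields, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append({**m.groupdict(), "section": section})
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m["key"]] = m["value"]
            if m["key"] in SECTIONS:
                section = m["key"]
    return fields, detections

def triage(text):
    """Flag the points the thread argued over: rootkit scanning switched off, a quarantined
    kernel driver, and a service ImagePath pointing into a Windows Installer GUID folder."""
    fields, detections = parse_mbam_log(text)
    findings = []
    if fields.get("Rootkits") != "Enabled":
        findings.append("rootkit scanning was disabled; rescan with Rootkits enabled")
    for row in detections:
        loc = row["location"].lower()
        if row["name"].lower().startswith("rootkit.") or loc.endswith(".sys"):
            findings.append(f"kernel driver quarantined: {row['location']}")
        if "\\windows\\installer\\{" in loc:
            findings.append(f"service ImagePath under Windows\\Installer GUID folder: {row['location']}")
    return findings
```

Run `triage(SAMPLE_LOG)` against the second log in the thread (Rootkits: Enabled, no detections) and only the first finding disappears, which is the quick check the posters were doing by eye.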