Solved Windows Activation Technologies Pop-up

Re: Malware issues. Suggest getting help in the System Security thread.

If you like you can also run a scan with Ultra Adware Killer. You can launch it from UVK's welcome screen. Do not select anything for removal. When the scan completes select "Menu" then "Open Log" - upload the file.

You could also run scans with the other built-in apps. Scan with MBAM and ADW Cleaner. Do not use the other apps!

Welcome Screen > System Repair > Third Party Apps.

It will download the app or update to the latest version if you already have the app installed.
 

My Computer My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
ASUS
OS
Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
AMD C-60 APU with Radeon(tm) HD Graphics
Motherboard
ASUSTeK COMPUTER INC. X501U
Memory
4.00 GB
Graphics Card(s)
AMD Radeon HD 6290 Graphics
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
Hitachi HTS545050A7E380 SATA Disk Device
Antivirus
Comodo CIS & FW, SecureAplus App Whitelisting, Threatfire
Browser
Cyberfox 64bit, Opera 64bit, Airfox
Other Info
Spy-The-Spy, HitmanPro.Alert, Norton Connect Safe, MJRegWatcher, BitDefender TrafficLight, Voodoo Shield, Zemana AntiMalware
I looked at your log. Can you confirm what is in this folder?

C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}

Two files:

amstream.dll, 8-Oct-15 14:10, Application Extension, 267 KB

8afc49b02429a, 8-Oct-15 14:32, File, 178 KB

Do you think this is the virus? If so, should I manually delete it?

Regards
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional x64 SP1
CPU
Intel i7-980x @ 3.6GHz
Motherboard
Intel DX58SO
Memory
Corsair 12GB DDR3 RAM (3x4GB)
Graphics Card(s)
EVGA NVIDIA GeForce GTX 760 SC
Sound Card
Intel High Definition 7.1 Audio Subsystem - Realtek ALC889
Monitor(s) Displays
Dual Display - LG Electronics Flatron L227WTG
Screen Resolution
1680 x 1050 60Hz 32-bit
Hard Drives
2 Seagate Constellation ST1000NM0033 1TB SATA 6Gb/s HDDs configured as Intel SATA Array 0, RST RAID 1, Vol. 0 (C:\) & Vol. 1 (D:\), & 2 Seagate Barracuda ST500DM002 500GB SATA 6Gb/s HDDs configured as Intel SATA Array 1 RST RAID 1, Vol. 0 (E:\)
PSU
Corsair HX850W
Case
Antec P182
Cooling
Stock Intel i7-980x Cooling Solution + 4 120mm Case Fans
Keyboard
Microsoft Wireless Multimedia Keyboard 1.1
Mouse
Microsoft Standard Wireless Optical Mouse
Internet Speed
DSL - 3.0 Mb/s download 768 Kb/s upload
Antivirus
ESET Smart Security 12, Defender & SuperAntiSpyware Pro
Browser
Firefox Quantum 64-bit
Other Info
Optical Drives: Pioneer DVR-216R & TSSTcorp SH-S223Q, Anker USB 3.0 PCI-E Card, Hauppauge WinTV-HVR 2250 Dual TV Tuner Board for Windows Media Center, Bose Companion 3 Series II multimedia speaker system, APC Smart-UPS SMT1500
I've contacted ESET tech support and they have opened a case with elevated tech support. We weren't able to do a chat support, so we've switched to email. I've emailed them a compendium of log files gathered by one of their ESET utilities. They're supposed to give me a call or email back after they've analyzed the logs.

I will move this topic to the malware forum, because that is what this is all about.

Regards
 

I looked at your log. Can you confirm what is in this folder?

C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}

Two files:

amstream.dll, 8-Oct-15 14:10, Application Extension, 267 KB

8afc49b02429a, 8-Oct-15 14:32, File, 178 KB

Do you think this is the virus? If so, should I manually delete it?

Regards

I think it's legit and should be left alone. It's just that that GUID could have contained some malware. In this case - it doesn't. Thanks for having a look!
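One way to answer the "what is in this folder?" question repeatably, as an added example that is not part of the original thread: the Python code below inventories GUID-named folders under a root such as C:\ProgramData, records size and SHA-256 for each file (for lookup against a scanner or reputation service), and flags extensionless files that start with the PE "MZ" magic. The function names, the all-zero GUID folder and every file's contents are constructed for illustration; only the folder and file names from the posts above are reused.

```python
import hashlib
import os
import re
import tempfile

# Directory names of the form {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def describe_file(path):
    """Return size, SHA-256 and basic type hints for one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        head = fh.read(2)              # first two bytes: "MZ" marks a PE image
        digest.update(head)
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "path": path,
        "size": os.path.getsize(path),
        "sha256": digest.hexdigest(),
        "has_extension": os.path.splitext(os.path.basename(path))[1] != "",
        "is_pe": head == b"MZ",
    }


def inventory_guid_dirs(root):
    """List every file under GUID-named directories directly below root."""
    records = []
    for entry in sorted(os.listdir(root)):
        top = os.path.join(root, entry)
        if not (GUID_DIR.match(entry) and os.path.isdir(top)):
            continue
        for dirpath, _dirs, files in os.walk(top):
            for fname in sorted(files):
                full = os.path.join(dirpath, fname)
                try:
                    records.append(describe_file(full))
                except OSError as exc:   # locked or unreadable file: report, don't stop
                    records.append({"path": full, "error": str(exc)})
    return records


def needs_review(record):
    """Executable content with no file extension deserves a closer look."""
    return record.get("is_pe", False) and not record.get("has_extension", True)


def build_sample(root):
    """Constructed sample tree: names mirror the thread, contents are dummy bytes."""
    layout = {
        "{9A88E103-A20A-4EA5-8636-C73B709A5BF8}": {
            "amstream.dll": b"MZ" + b"\x00" * 62,     # PE magic, normal extension
            "8afc49b02429a": b"\x00\x01" + b"data",   # extensionless, not a PE
        },
        "{00000000-0000-0000-0000-000000000000}": {
            "cache": b"MZ" + b"\x90" * 30,            # extensionless PE: flagged
        },
        "Microsoft": {"readme.txt": b"not a GUID folder"},
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name, data in files.items():
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample(sample_root)
        for rec in inventory_guid_dirs(sample_root):
            flag = "REVIEW" if needs_review(rec) else "ok"
            print(flag, os.path.relpath(rec["path"], sample_root),
                  rec.get("size"), rec.get("sha256", rec.get("error")))
```

A flag here only means the file should be checked further (signature, hash lookup, vendor analysis); it is not a verdict.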
 

The MGADiag is clear - and shows no significant changes in the past year or so (compared to your earlier thread).
KB971033 is installed - and happy ;)
 

My Computer My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Asus K52F or Lenovo B51-80
OS
Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
CPU
i3 370M/i7 6500U
Motherboard
Asus/Lenovo
Memory
8GB - finally :)/8GB
Graphics Card(s)
it's an i3, dude!/dual Intel&nVidia
Sound Card
onboard
Monitor(s) Displays
15.6" built-in
Screen Resolution
1366x768/1920x1080
Hard Drives
750GB Seagate internal
Sundry external drives attached to other computers on the local network
1TB SSD on the Lenovo
PSU
n/a
Internet Speed
as much as I can get - usually on a dongle/phone, so <1MB/s
Antivirus
MSE/Defender
Browser
IE11/12/Edge/Chrome/FF(if I must)
Thank you Noel.

When I clicked on that UAC pop-up, I immediately started having a virus problem. Presently, neither ESET Smart Security 8, Windows Defender nor SuperAntiSpyware have been able to eradicate it.

This virus downloads temp file junk at an alarming rate. It also causes the system to behave very sluggishly when navigating with Windows Explorer. When I shut down, I get a few moments of webpage ads visible in flashes.
 

This was a Trojan.Bedep virus variation. ESET tech support removed it and repaired the damage. Without their support, I would have had to restore the system. However, as I had deleted all my restore points, I would have had to reload the OS.

It all started when I clicked "Yes" on that User Account Control box. Whenever something like that pops up for no reason, you should start scanning.

Regards
 

The Task Scheduler indicates it was last run 11-Sep-15 06:15:10.

If I understand that correctly, it wasn't running when I started this thread or when I clicked the "Yes" button.

Therefore, it must have been a fake indication of a run.

Is that correct?
 

You would ONLY have got that popup for one reason - you were attempting to install the update.
The update is signed, and as such, if there had been a problem with it, you would have seen a very different popup describing certificate errors.
 

I wasn't installing anything. I think that pop-up was an impostor and I was tricked into clicking yes. Once I clicked yes, all the trouble started.
 

Well, I kind of agree with Noel; however, that doesn't explain why Task Scheduler doesn't show that it ran when you clicked on the UAC pop-up! Instead it shows 11 September, which doesn't seem right.
 

If it was an impostor, it seems right. The UAC didn't run, but a pop-up that appeared to be the UAC did run and when I clicked on "Yes," the back door was wide open for all the riff-raff.

I thought it was very strange for that pop-up to occur. That's why I started this thread, but I didn't wait long enough to read the replies, before I got curious and clicked "Yes."

The two were definitely related.

It's been so long since I've been hit like that that I got stupid.

Regards
 

I clicked yes too

Hey tjg79, I fell for it too, even after checking the cert (expired) and researching WAT. When I saw that it did not update the file(s) it said it was going to, I immediately pulled the system from the network and reimaged it. I also changed my user name and password. I still haven't solved my account lockout problem this caused though. :eek:
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell
OS
Windows 7 N x64
Antivirus
Endpoint Security by Bitdefender
Browser
IE 11
I think this virus is new. It's very sophisticated, because the pop-up is high quality and looks legit.

When ESET tech support cleaned my system, they collected what information they could about this virus. Hopefully, it will be incorporated into their virus definitions soon.

Regards
 

FYI-we believe the payload came from camelcap.com/work/home/index.php. Since I re-imaged the system, that was all we could find. I also solved my account lockout issue which was fortunately only caused by my username change.

Cheers
 

Well I tried to find that payload in order to try to infect my machine and study it but I get:

404 Not Found.jpg
 

The who.is data on camelcap is interesting -
originally registered 16/9/15 - so only 1 month old.
Registrar is in China
Registered owner is in the UK (!) - the post code is actually for ebuyer.com (!!) - but the address is Skelton, a couple of miles away, and appears not to exist (at least according to the Royal Mail postcode finder service).
 
