Zeus Virus And Other Threats

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Somemelvin1, Apr 17, 2017.

  1. Somemelvin1

    Somemelvin1 Private First Class

    Issue: “Windows detected Zeus Virus”. There was a recording on infinite loop asking me to pay them or they would shut down my computer.

    Update: I executed the Malware Removal Procedure and attached the files. There were many threats discovered by your tools. No action taken per the instructions.

    Thanks for taking a look.

    · AdwCleaner: I did NOT “clean” the threats.
    · Malwarebytes: There was NO remove button, only a quarantine button.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have MBAM quarantine everything it found. Do the same with ADWcleaner.

    Then rerun RogueKiller and have it remove these items:

    ¤¤¤ Registry : 27 ¤¤¤
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{E24D4521-8580-4F73-88E8-68E99966A50E}C:\users\debbie\appdata\local\temp\joi134c.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\debbie\appdata\local\temp\joi134c.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{36802D07-9322-4DC8-A435-4C951C085AF0}C:\users\debbie\appdata\local\temp\joi134c.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\debbie\appdata\local\temp\joi134c.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A579EAA4-2ECA-4468-BDA0-34158CE851C4}C:\users\debbie\appdata\local\temp\joiab1f.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\debbie\appdata\local\temp\joiab1f.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{7D627F6F-A36A-4AB8-872F-94FCB638EEF5}C:\users\debbie\appdata\local\temp\joiab1f.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\debbie\appdata\local\temp\joiab1f.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D757FD44-E9A8-44A0-B6E2-2A60BD779EC2} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS3CCC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {685E5428-8A51-4E2E-BAA4-CE2CCB8C2963} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS3CCC\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5D8E6AEF-8563-4A10-B7FE-0DE7DCEAB069} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS356D\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DBD6274C-C062-4ED4-A7E9-7E317AA4942F} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS356D\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {59851F21-E588-4880-94E4-E29A26D51A20} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS5A9C\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {42937F55-024D-4554-8E06-9944930E2A98} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS5A9C\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0F51A3DA-D58D-481D-A18E-C8DD4ED1EEE2} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS3425\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {58004724-4E79-4BA4-BA62-962FD5EFF9B6} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS3425\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D2ED4682-8947-4973-B71A-1D2837C79049} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS1DF9\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {27E53C93-23EB-4722-9FDD-9909D5430AF1} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS1DF9\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {377EF98B-B924-4F1C-B7B0-75A34B01A14E} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS4F17\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0A436EF9-D889-4AB2-A556-B7E307C46456} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS4F17\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D4133A5F-5992-49FC-985F-6ADEB4A0E063} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS42AA\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {95AA4221-D4EA-4C8D-9A3F-79DC1386D706} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Debbie\AppData\Local\Temp\7zS42AA\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
    [PUP.Gen1|VT.not-a-virus:WebToolbar.Win32.Visicom.a] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DA29C587-E9EB-43C9-9D07-A578B9281009} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\pandasecuritytb\cleanupie.exe|Name=Panda Safe Web IE Cleaner| [7] -> Found
    [PUP.Gen1|VT.not-a-virus:WebToolbar.Win32.Visicom.a] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {81188069-0DAD-484A-AC31-D3C353FFB527} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\pandasecuritytb\cleanupie.exe|Name=Panda Safe Web IE Cleaner| [7] -> Found
    [PUP.Gen1|VT.not-a-virus:WebToolbar.Win32.Visicom.a] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {55A1ECFA-81CE-415E-9CA3-FD1A5BE9EFBE} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\pandasecuritytb\ToolbarCleaner.exe|Name=ToolbarCleaner| [7] -> Found
    [PUP.Gen1|VT.not-a-virus:WebToolbar.Win32.Visicom.a] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7A114F63-9AF0-49FC-B0DF-1B5A767AF7AE} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\pandasecuritytb\ToolbarCleaner.exe|Name=ToolbarCleaner| [7] -> Found


    ¤¤¤ Files : 5 ¤¤¤
    [PUP.Gen1][Folder] C:\ProgramData\Adtrustmedia -> Found
    [PUP.Gen1][Folder] C:\Users\Debbie\AppData\Local\AdTrustMedia -> Found
    [PUP.Gen1][Folder] C:\ProgramData\Adtrustmedia -> Found
    [PUP.Gen1][Folder] C:\Program Files\AdTrustMedia -> Found

    Next rerun Hitman and have it remove these items:

    Potential Unwanted Programs _________________________________________________

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62155D33-3CE2-401E-8967-5A270628A3D5}\ (MyStart)
    HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62155D33-3CE2-401E-8967-5A270628A3D5}\ (MyStart)

    Reboot and rescan with both RogueKiller and Hitman and attach the new logs.

    Now :

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, 8 or 10, right-click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
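The RogueKiller entries above are worth understanding rather than just deleting: each one is a value under HKLM\System\...\FirewallPolicy\FirewallRules whose data is a `|`-separated list of `Key=Value` fields, and RogueKiller's Suspicious.Path tag fires because they are inbound Allow rules for executables that ran out of the user's Temp folder (join.me.exe, HPDiagnosticCoreUI.exe). Value names beginning with `TCP Query User` / `UDP Query User` are the rules Windows writes when someone clicks "Allow access" on the firewall prompt. The following Python is an added example, not part of the original thread or of any RogueKiller tooling: it parses rule strings in that format and flags the same conditions. The sample data is copied from three of the log lines above plus one constructed benign rule (the GUID `{11111111-...}` and `C:\Program Files\Example\example.exe` are made up for contrast).

```python
"""Triage Windows Firewall rules as stored in the registry under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules.

Each value's data looks like:
  v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\\...\\join.me.exe|Name=join.me.exe|...|
"""
import re
from dataclasses import dataclass, field

# Three name/data pairs taken from the RogueKiller output in the thread, plus one
# constructed benign rule (NOT from the original log) to show a non-hit.
SAMPLE_RULES = {
    "UDP Query User{E24D4521-8580-4F73-88E8-68E99966A50E}C:\\users\\debbie\\appdata\\local\\temp\\joi134c.tmp\\join.me.exe":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private"
        "|App=C:\\users\\debbie\\appdata\\local\\temp\\joi134c.tmp\\join.me.exe"
        "|Name=join.me.exe|Desc=join.me.exe|Defer=User|",
    "{D757FD44-E9A8-44A0-B6E2-2A60BD779EC2}":
        "v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private"
        "|App=C:\\Users\\Debbie\\AppData\\Local\\Temp\\7zS3CCC\\HPDiagnosticCoreUI.exe|Name=HPSAPS|",
    "{DA29C587-E9EB-43C9-9D07-A578B9281009}":
        "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public"
        "|App=C:\\Program Files (x86)\\pandasecuritytb\\cleanupie.exe|Name=Panda Safe Web IE Cleaner|",
    "{11111111-2222-3333-4444-555555555555}":  # constructed benign example
        "v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private"
        "|App=C:\\Program Files\\Example\\example.exe|Name=Example|",
}

# A path component named temp or tmp anywhere in the App path.
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class FirewallRule:
    value_name: str
    version: str
    fields: dict
    reasons: list = field(default_factory=list)

    @property
    def app(self) -> str:
        return self.fields.get("App", "")


def parse_rule(value_name: str, data: str) -> FirewallRule:
    """Split 'vX.Y|Key=Val|Key=Val|' into a version tag and a field dict."""
    parts = data.strip("|").split("|")
    version = parts[0] if parts and parts[0].startswith("v") else ""
    fields = {}
    for part in (parts[1:] if version else parts):
        key, sep, val = part.partition("=")
        if sep:  # skip stray tokens without '='
            fields[key] = val
    return FirewallRule(value_name, version, fields)


def triage(rule: FirewallRule) -> FirewallRule:
    """Attach human-readable reasons a responder should look at this rule."""
    f = rule.fields
    inbound_allow = (f.get("Dir") == "In" and f.get("Action") == "Allow"
                     and f.get("Active", "").upper() == "TRUE")
    if inbound_allow and TEMP_PATH_RE.search(rule.app):
        rule.reasons.append("inbound allow for an executable in a temp directory")
    if "Query User" in rule.value_name:
        rule.reasons.append("created when a user clicked 'Allow access' on the firewall prompt")
    if inbound_allow and f.get("Profile") == "Public":
        rule.reasons.append("inbound allow on the Public profile")
    return rule


def triage_rules(rules: dict) -> list:
    return [triage(parse_rule(name, data)) for name, data in rules.items()]


def suspicious(rules: dict) -> list:
    """Only the rules that collected at least one reason."""
    return [r for r in triage_rules(rules) if r.reasons]


if __name__ == "__main__":
    for r in suspicious(SAMPLE_RULES):
        print(f"{r.version} {r.app}")
        for why in r.reasons:
            print(f"    - {why}")
```

On a live machine the name/data pairs come from `reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"` (or PowerShell `Get-ItemProperty` on that key); the example deliberately separates the parsing from any registry access so it runs offline on an exported log. A hit is a reason to look, not proof of malice: the Panda rule is flagged only because it allows inbound traffic on the Public profile, which matches the later verdict in the thread that the Panda files themselves are safe.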
  3. Somemelvin1

    Somemelvin1 Private First Class

    Sorry for the delay. I've attached the files.
    • AdwCleaner: There was no Quarantine button so I selected “clean”.
    • RogueKiller: I do not see the 5 files you referenced in the RogueKiller results list. What method should I use to delete them?
    • Hitman: There were 2 other files that defaulted to “delete”. I changed them to quarantine since you didn’t mention them: PandaSecurityDx.dll and PandaSecuritytb.dll.
    I am using Panda Antivirus as my antivirus. Why are there so many Panda related threats?

    Thanks again for taking a look.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The Panda files are safe. Your logs are clean. What malware issues remain?
     
  5. Somemelvin1

    Somemelvin1 Private First Class

    I am not experiencing any problems at this point.
    Thank you!
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7, Win 8 or 10, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double-click (if running Vista, Win 7, or Win 8, right-click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
  7. Somemelvin1

    Somemelvin1 Private First Class

    #4 says to reenable UAC.
    However, the original malware instructions said "For Windows 10 users - don't worry about UAC."
    Does #4 apply to me if I'm running Windows 10?
    Thanks.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    "For Windows 10 users - don't worry about UAC."
     
  9. Somemelvin1

    Somemelvin1 Private First Class

    Got it.
    HitmanPro is not in the Control Panel/Programs and Features list.
    What is best method to delete this tool including the extra vestiges?
    Thanks.
     
  10. Somemelvin1

    Somemelvin1 Private First Class

    Nevermind. Looks like MGClean.bat took care of it.
    Thanks.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome.
     
  12. Somemelvin1

    Somemelvin1 Private First Class

    The advice given in "how to protect yourself from malware" is to use one antivirus and one firewall. I have installed Panda for the antivirus and Comodo for the firewall. When I disabled the windows firewall, Windows was unhappy. Is it correct to keep the windows firewall disabled with the Comodo firewall running?
    Thanks for your advice on this.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes......you shouldn't use two firewalls as that can cause conflicts.
     
  14. Somemelvin1

    Somemelvin1 Private First Class

    Thank you.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome.
     
