Author Topic: Proxy and possible key logger.  (Read 106447 times)


November 02, 2014, 05:50:21 am

GenJeFT

  • Guest
Proxy and possible key logger.
« on: November 02, 2014, 05:50:21 am »
Hello. I just finished using this Rogue Killer to remove a ZeroAccess virus with good success but I found a couple of other things in the process.



Quote
RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Jed [Administrator]
Mode : Scan -- Date : 11/02/2014  00:12:41

Processes : 0

Registry : 8
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> Found
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> Found

Tasks : 0

Files : 0

Hosts File : 0 [Too big!]

Antirootkit : 2 (Driver: Loaded)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\Disk @ \Device\Harddisk0\DR0 (\SystemRoot\System32\Drivers\Ntfs.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\Disk @ \Device\Harddisk1\DR1 (\SystemRoot\System32\Drivers\Ntfs.sys)

Web browsers : 1
[PUM.Proxy][FIREFX:Config] f8wohdxq.default : user_pref("network.proxy.type", 4); -> Found

MBR Check :
+++++ PhysicalDrive0: WDC WD15EADS-00S2B0 ATA Device +++++
--- User ---
[MBR] 70ff676b258b006ed036b979e456bbb4
[BSP] 110ab8e36dc961278be2d70a5a0183e2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST500DM002-1BC142 ATA Device +++++
--- User ---
[MBR] 5d369cca217414d28a6aacdaa15c55a5
[BSP] c2038edf7ba00e390a10d61035acb7a0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_11012014_235747.log - RKreport_SCN_11012014_234159.log



The report after I tried to remove those proxy things.



Quote
RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Jed [Administrator]
Mode : Delete -- Date : 11/02/2014  00:21:03

Processes : 0

Registry : 8
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> Deleted
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> ERROR [2]
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> ERROR [2]

Tasks : 0

Files : 0

Hosts File : 0 [Too big!]

Antirootkit : 2 (Driver: Loaded)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\Disk @ \Device\Harddisk0\DR0 (\SystemRoot\System32\Drivers\Ntfs.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\Disk @ \Device\Harddisk1\DR1 (\SystemRoot\System32\Drivers\Ntfs.sys)

Web browsers : 1
[PUM.Proxy][FIREFX:Config] f8wohdxq.default : user_pref("network.proxy.type", 4); -> Replaced (0)

MBR Check :
+++++ PhysicalDrive0: WDC WD15EADS-00S2B0 ATA Device +++++
--- User ---
[MBR] 70ff676b258b006ed036b979e456bbb4
[BSP] 110ab8e36dc961278be2d70a5a0183e2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST500DM002-1BC142 ATA Device +++++
--- User ---
[MBR] 5d369cca217414d28a6aacdaa15c55a5
[BSP] c2038edf7ba00e390a10d61035acb7a0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_11012014_235747.log - RKreport_SCN_11012014_234159.log - RKreport_SCN_11022014_001237.log



I will shortly be rebooting to safe mode and running this RogueKiller again to try and remove the proxy stuff that way. One thing I am interested in is that Kernel.Filter thing on my hard disks. I have been unable to find much information by googling it, and what I have found seems to say it's legit. So I am posting here to see what you all think.


By the way, if anyone is wondering, yes, ZeroAccess broke Windows Firewall (that was the tipoff), and yes, it's working again now. Oddly enough it could only stop me from updating Microsoft Security Essentials but could not disable it. I have a good idea of when the infection happened because I had updated Microsoft Security Essentials and ran some scans as part of practice for a security class on Thursday. So my system got infected sometime Friday and the infection was discovered Saturday morning. Also, if anyone knows where these reports are saved (if they are automatically saved) I might post the reports from the ZeroAccess removal as well (I did not think to manually save them or post them).

Also, to show how effective Microsoft Security Essentials (MSE) is: it never finished a scan before I was able to disable ZeroAccess using the Malwarebytes rootkit scanner, reactivate the firewall, and use RogueKiller to scan for, find, and remove the rest of ZeroAccess. So I question just how good MSE really is.

Sorry for the wall of text.

*EDIT*

Here is the new log report from the safe mode deletion attempt.

Quote
RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : Jed [Administrator]
Mode : Delete -- Date : 11/02/2014  01:07:12

Processes : 0

Registry : 0

Tasks : 0

Files : 0

Hosts File : 0 [Too big!]

Antirootkit : 0 (Driver: Not loaded [0xc000035f])

Web browsers : 1
[PUM.Proxy][FIREFX:Config] f8wohdxq.default : user_pref("network.proxy.type", 4); -> Replaced (0)

MBR Check :
+++++ PhysicalDrive0: WDC WD15EADS-00S2B0 ATA Device +++++
--- User ---
[MBR] 70ff676b258b006ed036b979e456bbb4
[BSP] 110ab8e36dc961278be2d70a5a0183e2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST500DM002-1BC142 ATA Device +++++
--- User ---
[MBR] 5d369cca217414d28a6aacdaa15c55a5
[BSP] c2038edf7ba00e390a10d61035acb7a0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_11012014_235747.log - RKreport_DEL_11022014_002058.log - RKreport_SCN_11012014_234159.log - RKreport_SCN_11022014_001237.log
RKreport_SCN_11022014_010638.log

No registry files detected and the proxy replaced itself.

*Edit 2*

Due to the fact that it is 1:30 AM, I have been working on this for 12 hours, and 127.0.0.1 is a loopback address for the local host, I think I am barking up the wrong tree.
« Last Edit: November 02, 2014, 06:31:36 am by GenJeFT »
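The interesting detail in the quoted reports is the pair of registry values that make the proxy effective: ProxyEnable set to 1 and ProxyServer pointing at a loopback endpoint (127.0.0.1:13081), set in the SYSTEM account's hive (HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18) in both the X64 and X86 views. The following is an added example written for this thread, not code from the original post or from Adlice's RogueKiller. It parses the PUM.Proxy registry lines quoted above (embedded here as constructed sample input, copied from the post), pulls out every ProxyServer endpoint, flags the ones that point back at the local machine, and compares the delete report against the scan report to list what was not removed. The line grammar is inferred from the quoted lines only; the loopback check is a triage heuristic (a local proxy can be a filtering product just as well as malware), and the meaning of the "ERROR [2]" result code is not interpreted, only reported.

```python
"""Parse RogueKiller-style [PUM.Proxy] registry findings and flag loopback proxies.

Added example for this thread; not RogueKiller's own code. The line format is
inferred from the report lines quoted in the post above.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the [PUM.Proxy] registry lines from the scan report
# quoted in the post, followed by the same lines from the delete report.
SCAN_REPORT = r"""
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Found
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> Found
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> Found
"""

DELETE_REPORT = r"""
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Replaced (0)
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> Deleted
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> ERROR [2]
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> ERROR [2]
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:13081  -> ERROR [2]
"""

# [Category] (View) Key | ValueName : Data  -> Result
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+\((?P<view>X64|X86)\)\s+"
    r"(?P<key>[^|]+?)\s+\|\s+(?P<value>\w+)\s+:\s+(?P<data>.+?)\s+->\s+(?P<result>.+)$"
)


@dataclass(frozen=True)
class ProxyFinding:
    view: str    # registry view the value was read from: X64 or X86
    hive: str    # HKEY_USERS subkey, e.g. ".DEFAULT" or "S-1-5-18"
    key: str     # full key path as printed in the report
    value: str   # "ProxyEnable" or "ProxyServer"
    data: str    # value data as printed
    result: str  # "Found", "Deleted", "Replaced (0)", "ERROR [n]", ...


def parse_findings(report: str) -> list[ProxyFinding]:
    """Extract every [PUM.Proxy] registry line from a report into ProxyFinding records."""
    findings = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["category"] != "PUM.Proxy":
            continue
        key = m["key"].strip()
        hive = key.split("\\")[1] if key.upper().startswith("HKEY_USERS\\") else ""
        findings.append(ProxyFinding(m["view"], hive, key, m["value"],
                                     m["data"].strip(), m["result"].strip()))
    return findings


def proxy_endpoints(data: str) -> list[tuple[str, str, Optional[int]]]:
    """Split a ProxyServer value into (scheme, host, port) triples.

    Handles both the single 'host:port' form and the per-protocol
    'http=host:port;https=host:port' form used in the quoted report.
    """
    endpoints = []
    for part in data.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:                       # no scheme prefix: applies to all protocols
            scheme, hostport = "all", scheme
        host, _, port = hostport.rpartition(":")
        if not host:                      # no ':' at all: the whole string is the host
            host, port = hostport, ""
        endpoints.append((scheme, host, int(port) if port.isdigit() else None))
    return endpoints


def is_loopback(host: str) -> bool:
    """True for 'localhost' and any IPv4/IPv6 loopback literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def loopback_proxies(findings: list[ProxyFinding]) -> list[tuple]:
    """ProxyServer endpoints that route traffic through the local machine.

    Returns sorted, de-duplicated (hive, view, scheme, host, port) tuples.
    """
    hits = set()
    for f in findings:
        if f.value != "ProxyServer":
            continue
        for scheme, host, port in proxy_endpoints(f.data):
            if is_loopback(host):
                hits.add((f.hive, f.view, scheme, host, port))
    return sorted(hits, key=lambda h: (h[0], h[1], h[2], h[3], h[4] if h[4] is not None else -1))


def unresolved(findings: list[ProxyFinding]) -> list[ProxyFinding]:
    """Findings a delete run reported as failed (result starts with ERROR)."""
    return [f for f in findings if f.result.upper().startswith("ERROR")]


def summarize(scan_report: str, delete_report: str) -> dict:
    """Compare a scan report with the following delete report."""
    scan = parse_findings(scan_report)
    delete = parse_findings(delete_report)
    return {
        "scan_findings": len(scan),
        "loopback_ports": sorted({p for *_, p in loopback_proxies(scan) if p is not None}),
        "unresolved": [(f.hive, f.view, f.value, f.result) for f in unresolved(delete)],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SCAN_REPORT, DELETE_REPORT))
```

On the quoted reports this yields eight scan findings, a single loopback proxy port (13081) in four hive/view combinations, and three ProxyServer entries the delete run left with ERROR [2]. The next triage step on the live machine would be to check what, if anything, is listening on that port and which product owns it before deciding whether the entries are a remnant of the infection or a legitimate local filtering proxy.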

Reply #1, November 02, 2014, 11:53:32 pm

Tigzy

  • Administrator
  • Owner, Adlice Software
Re: Proxy and possible key logger.
« Reply #1 on: November 02, 2014, 11:53:32 pm »
Hello,
try "Tools" menu => Repair ZeroAccess broken services.