Rootkit ZeroAccess inserted into tcp/ip stack. PEV.exe problem, needs


#31 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Q1 Am I vulnerable to hackers and malware if I only boot up, go to GTG and sign in? I ask since some changes to ZoneAlarm require booting up to activate changes made. I would be without some items of security protection.

Generally speaking no, the updates will be the only part not operational until the reboot.

Q2 Are different statuses of web connection indicated by different patterns of blinking of the two tiny computer screens in the icon in the Notification area? That I could be receiving communications, some accepted, some blocked, some hacking? Assume both tiny screens lit mean solid incoming and/or outgoing traffic? Is blinking of the upper tiny screen indicating incoming? Lower outgoing? Couldn't find web info.

No, that is just a graphic display that the connection is working/receiving/transmitting.

1. Internet Options- Privacy- Settings: "Accept All Cookies"
(My setting: Default, Medium High, High or Block All Cookies)

If you block all cookies some sites will not work. The hype about the security of cookies is in my opinion overrated. I leave IE at default.

3. Internet Options- Security- Trusted Sites- Security level for this zone- Allowed level for this zone: All- Low (----Appropriate for sites you absolutely trust)
(My setting: ------Trusted Sites- Security Allowed level for this zone: All - Medium)
(My setting: ------Internet - Security Allowed level for this zone: All - Medium)

Confusion: But Trusted Sites settings are for https connections, which appear to be absent with GTG. I get a pop-up saying "You are leaving a secured site" which confuses me in that I see an http address, not an https address shaded pink or green like when connected with Dell.


From MS:

This zone contains Web sites that you trust as safe (such as Web sites that are on your organization's intranet or that come from established companies in whom you have confidence). When you add a Web site to the Trusted Sites zone, you believe that files you download or that you run from the Web site will not damage your computer or data. By default, there are no Web sites that are assigned to the Trusted Sites zone, and the security level is set to Low.

So it has nothing to do with HTTPS.

The Low settings for Internet and for Trusted Sites are different.
Internet Low: "Unsigned ActiveX controls will not be downloaded." Have to go into Custom level... to allow unsigned ActiveX in Internet. Necessary?

If it is not signed you do not want it.

Q3 Is the connection with GTG a highly secured https connection? No colour nor https. Can I absolutely trust GTG?
Or there is no https connection with GTG, so I need to temporarily change things in the Internet Zone using Custom level... access? Don't know what to change, or are no changes necessary? Allow unsigned ActiveX, etc.?

No, HTTPS is generally used by banking and trading sites to secure any financial information.

TEMPORARY SECURITY CHANGES TO BE MADE BEFORE BOOTING UP AND SIGNING INTO GTG - ZoneAlarm

You do not need to make any changes to your security to visit this site. The only time the AV needs to be turned off is for the duration of a ComboFix run, purely because the behaviour of ComboFix causes some AVs to stop it from working.

#32 johneangel (Topic Starter, 19 posts)

Essexboy

Slight cleaning problem.

Ran OTL in Normal with ZAES, no problems.

Ran ComboFix /Uninstall, no problem. Confirmation msg received. Uninstalled all of Combo including Qoobox.

But a new Combo file. I'm paranoid about Rootkit ZeroAccess.
Q1 Has ComboFix malware been created today?

I noticed a new Combo folder created today, June 30, 2013 at 4:39:28 PM at "C:\ComboFix" with one file, NirCmd.exe "created and accessed" today at 4:39pm, but modified on 4/19/09, 9:56:28 PM.

Using search I found 16 files modified within "seconds" before and 25 files within "seconds" after nircmd.exe was modified at 4:39:34pm.
The two closest files:

SWREG.3XE-2965A2D9 at 4:39:32 PM.
NIRCMD.EXE-2C39EF53 at 4:39:34 PM
edb.chk at 4:39:35 PM

And found 3 prefetch files: NIRCMDC.3XE-03B38F81, -117BB35D, -0A841DB5, modified 4:39:XX pm.
NIRCMD created and accessed June 27, 2013, 6:22:28 AM
And PEV.3XE-358EBDB6/4:39:13pm, PEV.EXE-0CE2BF4A/4:39:29pm, PEV.3XE-21FD478C/4:39:32pm, PEV.EXE-0806C34B/4:39:42pm.
PEV's created & accessed Jun27/6:20:XX to 6:22:XX
Only 9 MS update files modified on 4/19/09 between 1 and 2pm, 7 hours earlier. No files either created or accessed on 4/19/09.

What created this new file? Is it malware?
======================
Ran Search Companion and will remove all old Combo txt files and shortcuts.
======================

I've been using ZoneAlarm, PC Tools Registry Mechanics, Malwarebytes free, SuperAntiSpyware free, SpywareBlaster, CCleaner and Auslogics Disk Defrag since 1998. I'll add FileHippo update checker.

The end is near!

Paranoid john

Edited by johneangel, 30 June 2013 - 10:57 PM.

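The post above is asking a forensic timeline question: which files were written in the same few seconds as NirCmd.exe, and why a file "created" today carries a modification date from 2009. The following is an added example, not code from the thread, that answers both questions over a constructed directory listing modelled on the timestamps quoted in the post. The Prefetch paths (with the usual .pf extension), the edb.chk location and the unrelated notes.txt entry are assumptions. The key check is the second one: on NTFS, copying or extracting a file keeps the source's last-write time but assigns a fresh creation time, so a file whose creation time is later than its last-write time was copied onto the disk rather than written by a program running there, which is consistent with the explanation given in the reply that follows.

```python
"""Forensic timeline triage for a burst of file activity.

Given a directory listing with NTFS-style timestamps, (1) find every file
whose timestamp falls within a window around a reference event, and
(2) flag files whose creation time is later than their last-write time,
which on NTFS means the file was copied or extracted onto this disk
(copying preserves the source's LastWriteTime but sets a fresh
CreationTime) rather than authored by a process running here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class FileEntry:
    path: str
    created: datetime   # NTFS CreationTime
    modified: datetime  # NTFS LastWriteTime


# Constructed sample listing (assumption), modelled on the timestamps quoted
# in the post. Prefetch paths, the edb.chk location and notes.txt are assumed.
SAMPLE: List[FileEntry] = [
    FileEntry(r"C:\ComboFix\NirCmd.exe",
              created=datetime(2013, 6, 30, 16, 39, 28),
              modified=datetime(2009, 4, 19, 21, 56, 28)),
    FileEntry(r"C:\WINDOWS\Prefetch\SWREG.3XE-2965A2D9.pf",
              created=datetime(2013, 6, 30, 16, 39, 32),
              modified=datetime(2013, 6, 30, 16, 39, 32)),
    FileEntry(r"C:\WINDOWS\Prefetch\NIRCMD.EXE-2C39EF53.pf",
              created=datetime(2013, 6, 30, 16, 39, 34),
              modified=datetime(2013, 6, 30, 16, 39, 34)),
    FileEntry(r"C:\WINDOWS\system32\CatRoot2\edb.chk",  # assumed location
              created=datetime(2013, 6, 27, 6, 20, 0),
              modified=datetime(2013, 6, 30, 16, 39, 35)),
    FileEntry(r"C:\WINDOWS\Prefetch\PEV.EXE-0806C34B.pf",
              created=datetime(2013, 6, 27, 6, 22, 10),
              modified=datetime(2013, 6, 30, 16, 39, 42)),
    # Unrelated user activity earlier the same day; should not be pulled in.
    FileEntry(r"C:\Documents and Settings\john\My Documents\notes.txt",
              created=datetime(2013, 6, 27, 9, 0, 0),
              modified=datetime(2013, 6, 30, 9, 15, 0)),
]


def find_entry(entries: List[FileEntry], path: str) -> Optional[FileEntry]:
    """Look a file up by path; None if it is not in the listing."""
    for e in entries:
        if e.path == path:
            return e
    return None


def files_within(entries: List[FileEntry], when: datetime,
                 window_seconds: int, attr: str = "modified") -> List[str]:
    """Paths whose `attr` timestamp lies within +/- window_seconds of `when`,
    ordered by that timestamp."""
    lo = when - timedelta(seconds=window_seconds)
    hi = when + timedelta(seconds=window_seconds)
    hits = [e for e in entries if lo <= getattr(e, attr) <= hi]
    hits.sort(key=lambda e: getattr(e, attr))
    return [e.path for e in hits]


def burst_around(entries: List[FileEntry], reference_path: str,
                 window_seconds: int = 10) -> List[str]:
    """Files last written within the window around the reference file's own
    last write, the reference itself excluded. This is the "files modified
    within seconds" search from the post, done deterministically."""
    ref = find_entry(entries, reference_path)
    if ref is None:
        raise KeyError(reference_path)
    return [p for p in files_within(entries, ref.modified, window_seconds)
            if p != reference_path]


def copied_in(entries: List[FileEntry], slack_seconds: int = 1) -> List[str]:
    """Files whose CreationTime is later than their LastWriteTime by more than
    `slack_seconds`: copied or extracted onto this disk, not written here.
    A 2009 last-write with a 2013 creation is the textbook case."""
    return [e.path for e in entries
            if (e.created - e.modified) > timedelta(seconds=slack_seconds)]


if __name__ == "__main__":
    ref = r"C:\WINDOWS\Prefetch\NIRCMD.EXE-2C39EF53.pf"
    print("Written within 10 s of", ref)
    for p in burst_around(SAMPLE, ref):
        print("  ", p)
    print("Copied/extracted onto disk (created after last write):")
    for p in copied_in(SAMPLE):
        print("  ", p)
```

Neither check says whether a file is malicious; it narrows the question to "what landed together, and which of it was copied in from elsewhere", which is what you want answered before deciding whether a fresh folder is a tool cleaning up after itself or something else. Feeding it a real listing is a matter of building FileEntry objects from os.stat's st_ctime and st_mtime on Windows.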

#33 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

They are files that ComboFix has left behind after it used them to clean up behind itself and are not a problem. :)

#34 johneangel (Topic Starter, 19 posts)

Essexboy

Good morning.

Ran OTL, hit the clean (something) button, not the "cleanup" button. Slight variation.

And it removed itself but left a text file and 4 other programs on the desktop; it didn't remove all the programs we have used. I know, I'm begging the issue.

Okay to remove them with Revo's Hunter mode: OTLq, text file, winsock_xp_fix, winsockxpfix, AVPTool (not a random name) and Kaspersky's setup_11.0.0.1245.x01_2013_06_28_18_12?

Why weren't they removed?

I'm assuming resident AV refers to resident anti-virus. Thus when I exit ZoneAlarm, their resident AV, Kaspersky, is left working. So when I'm asked to close all anti-virus programs, I'm not doing this by just exiting ZoneAlarm.

Late for swimming.

thanks, john

#35 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OTL only removes the most frequently used programmes; there will be some that it will not remove as they are rarely removed.

All bar AVP can just be deleted from the desktop as they do not install.

#36 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.