Honored Emissary
Geuzebier
Posts: 149
Registered: ‎04-02-2012

HZWmark infection : Rogue.Agent affecting Trend Micro IS.


Most if not all effects listed here still persist after 1st removal by Mbam.

 

 

Asus HDMI P2B-VM

Windows 7 home premium sp1, 64b, Asus OEM (installed by myself).

Intel core i5 cpu 750 @ 2x 2,67GHz.

4 Gb RAM.

Ati Radeon 5670 videocard.

++++++++++++++++++++++++

 

Freshly re-installed PC. I am not yet able to perform a completely clean installation; this is the first time this PC is installed by myself, the previous 2 installations were performed by the shop admin. The last installation by the shop was normal Windows 7, not the OEM version, for I forgot to deliver the Asus disc and the shop admin didn't ask for it. Service Pack 1 for Win7 has been installed several times by the shop admin, but always with a mishap. PC and/or USB sticks came back from the shop still infected.

 

 

Microsoft Security Essentials v 2.1.1116.0, Found no malware.

Client version of program vs. harmful software 3.0.8402.0,

Version of Engine 1.1.8202.0,

Antivirus definition 1.123.854.0,

Antispyware definition 1.123.854.0,

Version of Network Inspection System Engine 2.0.8001.0,

Version of Network Inspection Definition 11.0.0.0.

 

 

Trend Micro IS  v 17.50.1707.0005, Found no malware.

Engine 9.500.1005,

Pattern 8.877.50,

Type test-/OEM-version

 

(I did not realize Trend Micro was on the Asus disc, otherwise it would not have been installed and therefore the infection would not have been found this obviously and easily. Never used it before on this PC as I had MS SE, McAfee IS 2010 & 2011, Norton 360 and Norton IS 2012.)

 

Trend Micro Housecall version 7.2 Beta, Found no malware.

 

Microsoft Internet Explorer 64b (glad to see Trend Micro opening in the 64b version).

Version 9.0.8112.16421,

Incl. updates 9.0.5 (kb2647516)

An outdated version according to the top-advertisement in Winamp, wants me to upgrade.

 

Microsoft Bing Beta : Big Ships! After installation of IE9 from Select Internet browser (as mandated in Europe) I was glad to finally see only Bing for IE9 among the BHOs. The IE8 version of Bing persisted even after re-installation of IE. Now that I check the version to write it here I see the IE9 version of Bing is not available, though still marked as the standard search engine. The version for IE8 is back and though not standard it is the only one IE can use. Bing would show the IE9 version search results as top results if it could. This is in both the 32b and the 64b edition of IE9.

 

Microsoft Office 2010

 

Microsoft Silverlight 4.1.10111.0

 

DirectX possibly versions 9 and 11.

Doesn't show in Config screen -> Programs & Features. Didn't check via Valve/Steam, see below.

 

Adobe Flashplayer 11 Active X 64-bit v. 11.2.202.228

Registers in IE as Shockwave Flash Object.

 

not installed : Norton IS 2012, 360 and Norton Utilities 15, McAfee 2011.

Norton might have updates for HZW variants at the 28th and 30th of March 2012. On the other hand that could be a redirect, as I know I have been redirected to a false (verified at my bank) Norton support (asking for money) from this computer a few months ago. Norton was affected prior to re-installation. It withheld some updates to other programs and especially ID Safe went crazy. Norton and McAfee site advisors were "strange". WOT site advisor seemed to be working alright.

 

++++++++++++

 

1st discrepancy I noticed was Windows not recognizing the video card : no driver updates, I could not use a screensaver (default bubbles) and going to the Windows classification it scored 1. Checked the Asus installation disc once more to no avail. Via Valve/Steam, who could not initially recognize the video card either, I got to the ATI/AMD website, downloaded CCC and set that straight.

 

2nd was Trend Micro IS giving warnings for unauthorized IE and other changes with the suffix HZWmark. Quite a lot of them while opening Office applications for the 1st time to set their settings.

 

Checking the Trend Micro IS settings i found “HZWmark” added to every entry in the “un-authorized changes-section” as well as after each last sentence of the explanations in that section.

Searching on Bing in IE for HZWmark or HZW did not give any info.

The Trend Micro Threat Library gave 5 variants, 2 of which with aliases from other security companies. In both cases Symantec (Norton, did not check PC Tools) gave good info. The other companies had no info (not anymore, or not accessible for me) except for Sophos, who does not live up to their name for the awfully little bit of info (visible to me).

 

All info was from a few years ago, no new info except for Norton having an update for HZW variations on the 28th and the 30th of March this year (I re-installed the 30th). Because of the Norton problems on 2 PCs in the recent past I am reluctant to install Norton again, but that would be a possibility.

The Trend Micro info is not for Windows Vista or 7, and as the "HZWmark" is present this obviously, I know I suffer a different variant than listed at Trend Micro and Norton.

 

The Trend Micro solutions to known variants concern a 1st-pass scan followed by registry or Task Manager changes followed by a 2nd-pass scan. 1st-pass scans by Microsoft Security Essentials (upon initial installation and once more after the scheduled Trend Micro Titanium scan this morning, not working simultaneously) and by Trend Micro IS (Safe Mode, non-Windows services de-activated) as well as Trend Micro Housecall (Safe Mode, non-Windows services de-activated) (+ a scheduled scan from Trend Micro IS followed by a manual scan with MS SE in normal mode) did not reveal any infection, so I cannot change the infected files or stop the service for the 2nd-pass scan to work.

 

 

Adobe ActiveX and Microsoft Silverlight do show in Control Panel though they do not work everywhere, e.g. I can't see smilies on the Trend Micro forum.

 

Control Panel -> Programs and Features loads extremely slow.

 

Could not find DirectX 11 via Bing search nor via on-site search. DirectX is installed via the game Civilization V and that seems to work properly, however the game Metro 2033 can't use DirectX because of a shared DLL missing. Both games are on a Valve/Steam account (I don't have a Steam forum account, from where players' credentials were stolen in summer 2011).

DirectX does not show in Control Panel -> Programs and Features. Nvidia PhysX does, while I don't know of giving it permission to install (I installed the games from a regular user account with limited privileges).

1 April, opening another Steam account to test Fallout New Vegas: DirectX installs anew, the Steam window doesn't say which version and it still doesn't show in Programs & Features.

 

 

The Asus tech support page reached via Microsoft Answers says there currently are no tools available, the computer model is not listed, and Asus automated model detection doesn't work (on my PC).

 

Via the Trend Micro Forum "Preparation guide before Malware removal" IE can't find the GeekstoGo -> Old Timer web page. Since the IE on my PC also cannot find the page via a post from yesterday (http://community.trendmicro.com/t5/Malware-Discussions/Need-help-TROJ-ZACCESS-CQJ/td-p/64186) I assume it is a denial of service. No really clear indication of a redirect detected.

I went to the Geekstogo homepage and from there I could go to the download after all. Threw it away again since Mbam found a Rogue and not a Keylogger or Password stealer.

 

 

 

Thanks to Trend Micro for showing the malware this obviously ;

Thanks to Valve/Steam for various functions ;

Special thanks to Mbam for finding (the 1st part of) Rogue.Agent (at last; be assured Mbam has been run several times before re-installation without any result).

 

 

[edit] I meant to post more than the allotted attachments. Since there are only 3 available for the entire thread I thought I'd save one for later.

Honored Emissary
Geuzebier
Posts: 149
Registered: ‎04-02-2012

Re: HZWmark infection : Rogue.Agent affecting Trend Micro IS.


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.02.04

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
abcdefg :: abcdefg-PC [administrator]

2-4-2012 16:06:53
mbam-log-2012-04-02 (16-06-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208049
Time elapsed: 1 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\abcdefg\AppData\Local\Temp\a.exe (Rogue.Agent) -> Quarantined and deleted successfully.

(end)

 

Though most problems on my PC persist, I can see the smilies on this forum now.
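As an added example (not code from the thread or from Malwarebytes), a small Python parser for the Malwarebytes 1.60 log format posted above: it pulls out the scan header, the per-category "Detected" counts and each detected item with its detection name and action, and then flags executables that were dropped in a user's Temp folder, the location where a.exe was found here. The embedded log excerpt is constructed from the posted log with the same anonymised user name.

```python
import re

# Constructed excerpt modelled on the Malwarebytes log posted in the thread
# (not the original file; user name already anonymised in the original).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.02.04

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
abcdefg :: abcdefg-PC [administrator]

Scan type: Quick scan
Objects scanned: 208049

Memory Processes Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\abcdefg\AppData\Local\Temp\a.exe (Rogue.Agent) -> Quarantined and deleted successfully.

(end)
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned): (.+)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")
# "<object> (<detection name>) -> <action taken>."
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return header fields, per-category counts and detected items."""
    result = {"header": {"safe_mode": False}, "counts": {}, "items": []}
    category = None  # the "... Detected:" section the next items belong to
    for line in (l.strip() for l in text.splitlines()):
        if "(Safe Mode" in line:  # OS line notes whether MBAM ran in Safe Mode
            result["header"]["safe_mode"] = True
        if m := HEADER_RE.match(line):
            result["header"][m.group(1)] = m.group(2)
        elif m := COUNT_RE.match(line):
            category = m.group(1)
            result["counts"][category] = int(m.group(2))
        elif category and (m := ITEM_RE.match(line)):
            result["items"].append({**m.groupdict(), "category": category})
    return result

def temp_executables(parsed):
    """Detected objects that are .exe files inside a user's local Temp folder."""
    return [i["object"] for i in parsed["items"]
            if "\\appdata\\local\\temp\\" in i["object"].lower()
            and i["object"].lower().endswith(".exe")]
```

For triage, `temp_executables` gives the paths worth checking in a full-disk scan and in the other scanners' quarantine, independent of the detection name each vendor assigns.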

Honored Emissary
Geuzebier
Posts: 149
Registered: ‎04-02-2012

Re: HZWmark infection : Rogue.Agent affecting Trend Micro IS.

My profile here says : "Browser used for last visit Mozilla/4.0".

However I only have IE 9 installed.

Honored Emissary
Geuzebier
Posts: 149
Registered: ‎04-02-2012

Re: HZWmark infection : Rogue.Agent affecting Trend Micro IS.

With the status bar in IE enabled, searching other topics on this forum I found an answer to my problem of not being able to reach OTL via "Preparation guide before Malware removal". As explained by respawn in http://community.trendmicro.com/t5/Malware-Discussions/troj-zaccess-CQJ-keeps-coming-back/td-p/65026 the given URL has a double HTTP : http://http//www.geekstogo.com/forum/files/file/398-otl-oldtimers-list-it/. Please adjust the sticky "Preparation guide before Malware removal" so future users will not get annoyed or even paranoid because of it.

Legendary Noble
malwarekiller
Posts: 3,978
Registered: ‎08-08-2011

Re: HZWmark infection : Rogue.Agent affecting Trend Micro IS.

Welcome aboard!

Since the issues seem severe it's worth using ComboFix....

 

Download ComboFix from any of the locations given in this website:

    • IMPORTANT !!! You need to Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • If you already have the Recovery Console preinstalled, it will not ask for the following. If it does prompt, allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click Yes, to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

    When finished, it shall produce a log for you. Please copy & paste the contents of this log (also found at C:\ComboFix.txt) in your next reply at your topic.
Honored Emissary
Geuzebier
Posts: 149
Registered: ‎04-02-2012

Re: HZWmark infection : Rogue.Agent affecting Trend Micro IS.


Thank you Malwarekiller.

After ComboFix the addition "HZWmark" on every entry & explanation thereof in "Unauthorized Change Prevention" persists. IE was not the standard browser anymore while it is (should be) the only (normal) browser (aside from the specialized Steam, Winamp, Quicktime, Realplayer).

 

Combofixlog in attachment.

Legendary Noble
malwarekiller
Posts: 3,978
Registered: ‎08-08-2011

Re: HZWmark infection : Rogue.Agent affecting Trend Micro IS.

Nothing evident to see as malware...let's try the second opinion cloud scanner...

 

 

  • This step can be performed in Normal Mode, so please download the latest official version of HitmanPro.
    [Image: Download Hitman Pro]
  • Double click on the previously downloaded file to start the HitmanPro installation.
    [Image: hitmanpro-icon.png]
    NOTE : If you have problems starting HitmanPro, use the "Force Breach" mode. Hold down the left CTRL key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode - Video)
  • Click on Next to install HitmanPro on your system.
    [Image: installing-hitmanpro.png]
  • The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan; select an option then click on Next to start a system scan.
    [Image: hitmanpro-setup-options.png]
  • HitmanPro will start scanning your system for malicious files. Depending on the size of your hard drive and the performance of your computer, this step will take several minutes.
    [Image: hitmanpro-scanning.png]
  • Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below. After reviewing each malicious object click Next.
    [Image: hitmanpro-scan-results.png]
  • Click Activate free license to start the free 30 days trial and remove the malicious files.
    [Image: hitmanpro-activation.png]
  • HitmanPro will now start removing the infected objects, and in some instances may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side. Please in the end give me the list of threats it detected.
Honored Emissary
Geuzebier
Posts: 149
Registered: ‎04-02-2012

Re: HZWmark infection : Rogue.Agent affecting Trend Micro IS.

1st scan in normal mode quarantined Old Timer (downloaded anew after I found that mishap was not part of the infection) as a false positive. The scan raced through my PC so I thought it was a quick scan. Did one more in Safe Mode, was just as quick, no result.


<?xml version="1.0"?>
<Log filesProcessed="9460" timeSpentInSecs="82" date="2012-04-03T10:00:13" version="3.6.0.151" scan="Normal" computer="abcdefg-PC"/>

Legendary Noble
malwarekiller
Posts: 3,978
Registered: ‎08-08-2011

Re: HZWmark infection : Rogue.Agent affecting Trend Micro IS.

OK....now can you tweak a setting in Hitman...move towards the settings...

open Hitman

choose Settings

go to Advanced

activate EWS

back to the home screen, click Scan and choose EWS. Allow it to scan, tell me what items are detected, and don't take any actions without my approval.

Honored Emissary
Geuzebier
Posts: 149
Registered: ‎04-02-2012

Re: HZWmark infection : Rogue.Agent affecting Trend Micro IS.

False positives again so it seems :

 

3 april 2012 Hitman EWS 1a.gif
