robertsb41

CLOSED Mysa1, Mysa2, Mysa3 and Ok Scheduled Tasks Keep Coming Back


I found a thread named Miner Problems similar to the issues I am having on your forums. I am running server03 in a VM. I tried to install EEK but it's telling me that KB2533623 is required to start it, so I stopped. From the other thread it looked like running AVZ resulted in a fix. I would appreciate any help that you can give me.

Attached are the FRST.txt and Addition.txt files.

Thanks!

Addition.txt

FRST.txt



Let's start by doing this first.

Download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on adwcleaner.exe to run the tool.
  3. Click on the Scan button.
  4. After the scan has finished, click on the Clean button.
  5. Confirm each time with OK.
  6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  7. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.

  1. Run the tool by double-clicking it.
  2. The tool will open and start scanning your system.
  3. Please be patient as this can take a while to complete depending on your system's specifications.
  4. On completion, a log is saved to your desktop and will automatically open.
  5. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor:  <==== ATTENTION
HKU\S-1-5-21-601678652-2310755134-4130716680-1017\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => [X]
HKU\S-1-5-18\...\RunOnce: [] => [X]
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicyScripts: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{bcf48365-2fc3-4d71-b4e0-03ae549e20de} <==== ATTENTION (Restriction - IP)
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
2017-08-02 11:36 - 2017-08-02 11:36 - 000000486 _____ C:\WINDOWS\Tasks\Mysa3.job
2017-08-02 11:36 - 2017-08-02 11:36 - 000000414 _____ C:\WINDOWS\Tasks\Mysa2.job
2017-08-02 11:36 - 2017-08-02 11:36 - 000000334 _____ C:\WINDOWS\Tasks\Mysa1.job
2017-08-02 11:36 - 2017-08-02 11:36 - 000000330 _____ C:\WINDOWS\Tasks\ok.job
2017-08-02 09:24 - 2017-08-02 14:38 - 000000000 ____D C:\Documents and Settings\brandonr\Local Settings\Temp\1
2017-07-09 05:00 - 2017-07-09 05:00 - 000027426 ____T C:\Documents and Settings\EPlanService\Local Settings\Temp\165A2AA2.dmp
2017-07-03 21:48 - 2017-07-03 21:48 - 000130784 ____T C:\Documents and Settings\EPlanService\Local Settings\Temp\DD7F.dmp
Task: C:\WINDOWS\Tasks\Mysa1.job => rundll32.exe  c:\windows\debug\item.dat,ServiceMain aaaarundll32.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Mysa2.job => c:\windows\debug\item.dat <==== ATTENTION
Task: C:\WINDOWS\Tasks\Mysa3.job => c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps c:\windows\help\lsmosee.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\ok.job => rundll32.exe  c:\windows\debug\ok.dat,ServiceMain aaaarundll32.exe
WMI_ActiveScriptEventConsumer_fuckyoumm2_consumer: <==== ATTENTION
HKLM\...\batfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <==== ATTENTION
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <==== ATTENTION

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

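A post-fix verification check, added here and not part of the thread or of the FRST fixlist: it re-checks the host for the persistence artefacts the fixlist above lists (the Mysa*/ok .job files, the .dat payloads under windows\debug, lsmosee.exe under windows\help, and the WMI ActiveScriptEventConsumer), which is the thing to confirm when tasks "keep coming back". It assumes PowerShell 2.0 or later is present on the affected server, which is not the case by default on Server 2003.

```powershell
# Added verification check, not from the thread or the FRST fixlist.
# Assumes PowerShell 2.0+ (must be installed separately on Server 2003).
# Paths below are the ones FRST reported in the fixlist above.
$artefacts = @(
    "$env:windir\Tasks\Mysa1.job",
    "$env:windir\Tasks\Mysa2.job",
    "$env:windir\Tasks\Mysa3.job",
    "$env:windir\Tasks\ok.job",
    "$env:windir\debug\item.dat",
    "$env:windir\debug\ok.dat",
    "$env:windir\help\lsmosee.exe"
)
$findings = @()

# 1. Files: any of these still on disk means the fix did not take or the
#    dropper re-created them (the thread title says they keep coming back).
foreach ($p in $artefacts) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        $findings += "FILE  $p  size=$($f.Length)  modified=$($f.LastWriteTime)"
    }
}

# 2. WMI permanent event subscriptions (root\subscription). The fixlist names an
#    ActiveScriptEventConsumer called fuckyoumm2_consumer; list every consumer
#    and binding so a renamed copy is not missed, and tag the known name.
$consumers = Get-WmiObject -Namespace root\subscription -Class __EventConsumer -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    $tag = if ($c.Name -match 'fuckyoumm') { 'KNOWN-BAD' } else { 'review' }
    $findings += "WMI   $($c.__CLASS)  $($c.Name)  [$tag]"
}
$bindings = Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue
foreach ($b in $bindings) {
    $findings += "BIND  $($b.Filter) -> $($b.Consumer)"
}

# 3. Scheduled tasks by command line, not by name: the fixlist shows the tasks
#    running rundll32 against a .dat file and an "ftp -s:" script, so flag
#    those patterns even if the .job files were renamed.
$tasks = schtasks /query /fo csv /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    $cmd = $t.'Task To Run'
    if ($cmd -match 'rundll32.*\.dat' -or $cmd -match 'ftp\s+-s:') {
        $findings += "TASK  $($t.TaskName)  => $cmd"
    }
}

if ($findings.Count -eq 0) { "No listed artefacts found." } else { $findings }
```

Run it from an elevated PowerShell prompt after the FRST fix and reboot; an empty result is the expected outcome, and any WMI consumer or binding that is still listed should be looked at before assuming the host is clean.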

Changing tools.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.
• Close all programs and disconnect any USB or external drives before running the tool.
• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.


After some research, this infection appears to have been dropped by the EternalBlue-DoublePulsar exploit that exploits vulnerable versions of SMB on unpatched Windows systems.

Would it be possible to get copies of all the EAM Forensics, Surf Protection, File Guard, Behavior Blocker, Scan, and Update logs? You can zip all the logs into a single ZIP file and attach the ZIP archive to your reply.
