Yep, send that in for analysis. It doesn’t look anywhere near legit; here’s what I found.
Creates a file called zzop93.dll in %WINDIR%\system32
Punches a hole in the Windows firewall by creating a Registry key: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "D:\DOCS\11.exe" (no quotes) = "D:\DOCS\11.exe:*:Enabled:11" (no quotes, and no equals sign; that’s just the value of the key)
I also noticed 11.exe doing a lot of Process Profiling, according to Process Monitor; this kind of event involves measuring CPU & RAM load.
Finally, it looks like 11.exe is doing a lot of meddling in services, including password services; that could be the OS (Sandboxie didn’t say; it just listed several Registry keys involved with services), but I doubt it.
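Added example, not part of the original post: a small Python triage of values exported from the AuthorizedApplications\List key mentioned above, flagging enabled exceptions whose executable sits outside the usual system directories. The trusted-directory list, the function names and the sample entries (other than the 11.exe value quoted in the post) are assumptions made for illustration.

```python
from typing import NamedTuple

# Assumption: directories treated as normal homes for firewall-exempt programs.
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\",
                    "%programfiles%\\", "c:\\program files\\")

class FirewallException(NamedTuple):
    path: str
    scope: str
    enabled: bool
    name: str

def parse_entry(data):
    """Parse '<exe path>:<scope>:<Enabled|Disabled>:<display name>'.

    The path contains a drive-letter colon, so the three trailing fields
    are split off from the right (assumes no colon in the display name).
    """
    parts = data.strip().strip('"\u201c\u201d').rsplit(":", 3)
    if len(parts) != 4 or parts[2].lower() not in ("enabled", "disabled"):
        raise ValueError("unexpected entry layout: %r" % data)
    path, scope, status, name = parts
    return FirewallException(path, scope, status.lower() == "enabled", name)

def audit(values):
    """Return (entry text, reasons) for entries that deserve a closer look."""
    findings = []
    for data in values:
        try:
            entry = parse_entry(data)
        except ValueError:
            findings.append((data, ["malformed entry"]))
            continue
        if not entry.enabled or entry.path.lower().startswith(TRUSTED_PREFIXES):
            continue
        reasons = ["executable outside system and Program Files directories"]
        if entry.scope == "*":
            reasons.append("open to any remote address")
        findings.append((entry.path, reasons))
    return findings

# Constructed sample data; the second entry is the value quoted in the post.
SAMPLE = [
    r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"D:\DOCS\11.exe:*:Enabled:11",
    r"C:\Tools\sync.exe:LocalSubNet:Disabled:Sync",
    "not-a-firewall-entry",
]

if __name__ == "__main__":
    for item, why in audit(SAMPLE):
        print(item, "->", "; ".join(why))
```

A flagged entry is a lead for investigation, not proof of infection; legitimate software installed in unusual locations will also show up.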
I have the same thing happening to me except that Avast has continued to block the attempts to download hxxp://wxxw.vsetutvse.net/11.exe - so I am not infected with 11.exe but with something else that tries to run/download 11.exe from vsetutvse.net. There is an attempt to connect every 5 or 10 minutes and it’s been going on for several days.
These attempts aren’t being made from a website but there is something on my machine that is trying periodically. I have been unable to find the source on my machine. I’ve run Malwarebytes, SuperAntiSpyware, ESET, SpywareDoctor, SpyBot, UnHackMe and Avast but none of them find the file on my machine that is trying to link to vsetutvse.net. Everything I see in HiJackThis looks legit.
Thanks for the suggestions. Unfortunately, the problem remained.
In the end, I accepted defeat and restored from a backup - sadly it’s 3 months old :-X . So I now have to bring it up to date, but at least I no longer have the original problem. Thanks again.