Post by boherb on Oct 29, 2014 15:34:19 GMT -8
I now have multiple ivfsobgs.exe *32 described as google chrome running.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Oct 29, 2014 16:11:25 GMT -8
Ok, so like some others, now you have Tracur.
SIGH
Back soon
Quads
Post by Quads on Oct 29, 2014 16:21:08 GMT -8
I want the multiple ivfsobgs.exe *32 processes running for the below, due to what should be a randomised path.
Delete your copy of addition.txt that is on the Desktop
Now Start FRST and make sure the addition option is ticked before running a scan
Give the new FRST and addition logs back here.
Quads
Post by boherb on Oct 29, 2014 16:47:28 GMT -8
Post by Quads on Oct 29, 2014 18:56:54 GMT -8
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the script attached; it needs to have the same file name as well (fixlist.txt). Have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script, it won't work for FRST. (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)
The script tells FRST what to do.
Start FRST that is on the desktop. When the tool opens, click Yes to the disclaimer (if it still does).
Press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt); please post it in your reply (attach or paste).
Quads
Post by boherb on Oct 30, 2014 13:45:42 GMT -8
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-10-2014
Ran by Ed at 2014-10-30 17:41:22 Run:3
Running from C:\Users\Ed\Desktop
Loaded Profile: Ed (Available profiles: house 1 & Elizabeth & Beth & Ed & Carrie)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Google Inc.) C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe
(Google Inc.) C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe
(Google Inc.) C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe
(Google Inc.) C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe
(Google Inc.) C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe
2014-10-29 19:05 - 2014-10-29 19:05 - 00718152 _____ () C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\libglesv2.dll
2014-10-29 19:05 - 2014-10-29 19:05 - 00126280 _____ () C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\libegl.dll
2014-10-29 19:05 - 2014-10-29 19:05 - 08537928 _____ () C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\pdf.dll
2014-10-29 19:05 - 2014-10-29 19:05 - 00353096 _____ () C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\ppGoogleNaClPluginChrome.dll
2014-10-29 19:05 - 2014-10-29 19:05 - 01732936 _____ () C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\ffmpegsumo.dll
2014-10-29 19:05 - 2014-10-29 19:05 - 14669128 _____ () C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\PepperFlash\pepflashplayer.dll
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu
HKU\S-1-5-21-3041920962-711388082-3092027376-1006\...\Run: [hmghlgglmd] => regsvr32.exe /s "C:\Users\Ed\AppData\Local\{1C9723C3-5B3D-4F2D-9429-E979AB7863D4}\hmghlgglmd.dll" <===== ATTENTION
C:\Users\Ed\AppData\Local\{1C9723C3-5B3D-4F2D-9429-E979AB7863D4}\hmghlgglmd.dll
C:\Users\Ed\AppData\Local\{1C9723C3-5B3D-4F2D-9429-E979AB7863D4}
end
*****************

[2132] C:\Windows\System32\regsvr32.exe => Process closed successfully.
[3180] C:\Windows\SysWOW64\regsvr32.exe => Process closed successfully.
[5304] C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe => Process closed successfully.
[7160] C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe => Process closed successfully.
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe => No running process found
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe => No running process found
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe => No running process found
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\libglesv2.dll => Moved successfully.
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\libegl.dll => Moved successfully.
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\pdf.dll => Moved successfully.
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\ppGoogleNaClPluginChrome.dll => Moved successfully.
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\ffmpegsumo.dll => Moved successfully.
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\36.0.1985.143\PepperFlash\pepflashplayer.dll => Moved successfully.
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe => Moved successfully.
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae => Moved successfully.
C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu => Moved successfully.
HKU\S-1-5-21-3041920962-711388082-3092027376-1006\Software\Microsoft\Windows\CurrentVersion\Run\\hmghlgglmd => value deleted successfully.
C:\Users\Ed\AppData\Local\{1C9723C3-5B3D-4F2D-9429-E979AB7863D4}\hmghlgglmd.dll => Moved successfully.
C:\Users\Ed\AppData\Local\{1C9723C3-5B3D-4F2D-9429-E979AB7863D4} => Moved successfully.

==== End of Fixlog ====
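The Fixlog above shows the two traits that gave this infection away: a binary carrying the "Google Inc." publisher string but running from a randomised folder under AppData\LocalLow rather than from a Chrome install directory, and a Run key that uses regsvr32.exe /s to load a DLL from a GUID-named folder under AppData\Local. The script below is an added example (not part of the thread, not FRST's own code) that scans FRST-style log lines for those traits. The suspicious sample lines are copied from the Fixlog; the two benign lines, the vendor-to-directory map and the user-writable heuristic are constructed assumptions for illustration.

```python
import re
from typing import List, Optional

# Constructed sample in the FRST log format quoted in the thread. The suspicious lines are
# copied from that Fixlog; the two benign entries are made-up placeholders for contrast.
SAMPLE_LINES = [
    r"(Google Inc.) C:\Users\Ed\AppData\LocalLow\Apple Computer\ksqtllxheecu\eljshooae\ivfsobgs.exe",
    r"(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe",
    r'HKU\S-1-5-21-3041920962-711388082-3092027376-1006\...\Run: [hmghlgglmd] => regsvr32.exe /s "C:\Users\Ed\AppData\Local\{1C9723C3-5B3D-4F2D-9429-E979AB7863D4}\hmghlgglmd.dll"',
    r"HKLM\...\Run: [PlaceholderUpdater] => C:\Program Files\Placeholder\updater.exe",
]

# "(Publisher) C:\path\to\binary" lines, as FRST prints running processes.
PROCESS_RE = re.compile(r"^\((?P<publisher>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.+)$")
# "HKxx\...\Run: [name] => command" lines, as FRST prints autostart values.
RUN_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.*?\\Run):\s*\[(?P<name>[^\]]*)\]\s*=>\s*(?P<cmd>.+)$")
# A path component that is a braced GUID, e.g. \{1C9723C3-5B3D-4F2D-9429-E979AB7863D4}\
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.IGNORECASE)

# Assumption: where binaries carrying these publisher strings normally live. A file that
# claims the publisher but sits elsewhere is flagged for review, not declared malicious.
EXPECTED_VENDOR_DIRS = {
    "google inc.": ("\\google\\",),
    "microsoft corporation": ("\\windows\\", "\\microsoft\\", "\\program files"),
}


def is_user_writable(path: str) -> bool:
    """Heuristic: per-user profile and ProgramData locations are writable without admin rights."""
    p = path.lower()
    return "\\appdata\\" in p or "\\programdata\\" in p or "\\users\\public\\" in p


def check_process(line: str) -> Optional[str]:
    """Flag a process whose publisher string does not match its on-disk location."""
    m = PROCESS_RE.match(line)
    if not m:
        return None
    publisher, path = m.group("publisher"), m.group("path")
    expected = EXPECTED_VENDOR_DIRS.get(publisher.lower())
    if expected and not any(s in path.lower() for s in expected):
        return f"publisher '{publisher}' claimed by binary outside its install dir: {path}"
    return None


def check_run_entry(line: str) -> Optional[str]:
    """Flag Run-key values that use a living-off-the-land loader or point into odd locations."""
    m = RUN_RE.match(line)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    reasons = []
    if "regsvr32" in cmd.lower() and re.search(r"\s/s\b", cmd, re.IGNORECASE):
        reasons.append("regsvr32 /s used as an autostart loader")
    if is_user_writable(cmd):
        reasons.append("target lives in a user-writable directory")
    if GUID_DIR_RE.search(cmd):
        reasons.append("GUID-named directory")
    if reasons:
        return f"Run entry [{name}]: " + "; ".join(reasons)
    return None


def scan(lines: List[str]) -> List[str]:
    """Run every check over every line and collect the findings."""
    findings = []
    for line in lines:
        for check in (check_process, check_run_entry):
            finding = check(line.strip())
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

On the sample input the scan reports exactly two findings: the "Google Inc." binary under AppData\LocalLow, and the hmghlgglmd Run entry, which trips all three Run-key heuristics at once. The real Chrome path and the placeholder updater pass clean, which is the point of keeping a benign line beside each suspicious one when tuning this kind of rule.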
Post by Quads on Oct 31, 2014 13:03:23 GMT -8
That should have broken apart that one
Quads
Post by boherb on Oct 31, 2014 14:53:43 GMT -8
I have an instance of iexplore*32 using large amounts of memory and CPU time.
Post by Quads on Oct 31, 2014 15:06:08 GMT -8
Ok, restart the system.
Then delete your copy of addition.txt that is on your desktop and run a new scan with FRST to create 2 new logs.
Quads
Post by boherb on Oct 31, 2014 16:31:24 GMT -8