Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Jan 31, 2015 21:23:22 GMT -8
Have Roguekiller remove these ones listed below
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-4146165697-1227186275-439605532-1000\Software\Microsoft\Windows\CurrentVersion\Run | Best Buy pc app : C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-4146165697-1227186275-439605532-1000\Software\Microsoft\Windows\CurrentVersion\Run | FlashPlayerUpdate : C:\Users\user\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-4146165697-1227186275-439605532-1000\Software\Microsoft\Windows\CurrentVersion\Run | Best Buy pc app : C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-4146165697-1227186275-439605532-1000\Software\Microsoft\Windows\CurrentVersion\Run | FlashPlayerUpdate : C:\Users\user\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe -> Found
[Suspicious.Path][File] Best Buy pc app.lnk -- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [LNK@] C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" -> Found
Quads
pg
New Helpee
Posts: 21
Post by pg on Feb 1, 2015 22:41:25 GMT -8
I ran RogueKiller to delete the selected files. I got an "error 2" message on both FlashPlayerUpdate lines. I ran RK again and got error 2 on one. I ran RK a third time and both FlashPlayerUpdate lines showed back up in the scan, including the one RK said it deleted. I deleted a third time, with one line saying error 2.
Of course, upon reflecting on your instruction, I should have reported back to you without trying to delete a second and third time. I hope I didn't mess anything up. Please let me know what to do next and I will follow your instructions exactly. Thanks.
Post by Quads on Feb 1, 2015 22:44:09 GMT -8
How is the system running now?
Quads
Post by pg on Feb 1, 2015 23:13:29 GMT -8
On the martha user login, 5 IE applications open and 5 dlhost.exe processes start hogging resources. On logout I will see flashes of IE screens or something like that. Please advise.
Post by Quads on Feb 2, 2015 14:11:26 GMT -8
Please read carefully and follow these steps.
Go to support.kaspersky.com/viruses/common/5350
Click on "1. How to disinfect a compromised system" to expand the question, then click on the TDSSKiller.exe green link to download, and transfer the download to your desktop.
Double-click on the TDSSKiller.exe that is on the Desktop to run the application. Open the Change Parameters option and select "Detect TDL File system". Click OK.
Then click on Start Scan. After the scan a report will be created; the report can also be found in your root directory (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach the log in the post back, or paste it back in a message.
Quads
Post by pg on Feb 2, 2015 15:52:48 GMT -8
On running the martha user, I got the following Intrusion Prevention message from Norton: ib.adnxs.com/ttj? 68.67.152.248, 80, Milicenso Trojan Activity 4. I ran TDSSKiller and am posting the log result: TDSSKiller.3.0.0.44_02.02.2015_18.38.30_log.txt (215.21 KB). Additional information: when I look at Resource Monitor under Disk, I can see a bunch of weird system temp IE files running with the following embedded in the line: vpaidplayer, playlist, vpsurvey, player and other crazy stuff.
Post by Quads on Feb 2, 2015 16:05:15 GMT -8
Have TDSSkiller delete
18:44:00.0545 0x20a8 Suspicious file ( NoAccess ): C:\Users\user\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe. md5: C58FB3E7A22AC7A3687491BF91DE0A08, sha256: 7B23B88CD6EDDF27580D56B4266DBB310DC3A4B06D63A64CE8CB19A3E079750E
18:44:00.0545 0x20a8 FlashPlayerUpdate - detected LockedFile.Multi.Generic ( 1 )
18:44:00.0595 0x20a8 FlashPlayerUpdate ( LockedFile.Multi.Generic ) - warning
Quads
Post by pg on Feb 2, 2015 16:33:35 GMT -8
I reran TDSSKiller and deleted the file. On reboot and logon the following file tried to run:
c:/user/appdata/local/temp/(c9c570f9-9310-46db-9f49-fdd3143c40c1).exe
I wasn't sure what it was, so I did not let it run. Please advise.
Post by Quads on Feb 2, 2015 16:53:06 GMT -8
I have started to link data together from sources on a bad FlashPlayer file (with or without "update" in the name), where IE is used with files in its Internet temp folders to attempt to download and install Zbot and anything else.
I am creating a script.
Quads
Post by Quads on Feb 2, 2015 17:10:54 GMT -8
Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
Copy the entire content of the codebox below and paste it into Notepad (including start and end):

start
HKU\S-1-5-21-4146165697-1227186275-439605532-1000\...\Run: [FlashPlayerUpdate] => C:\Users\user\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [200704 2015-01-30] ()
HKU\S-1-5-21-4146165697-1227186275-439605532-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
C:\Users\user\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe
C:\Users\user\AppData\Local\temp\(c9c570f9-9310-46db-9f49-fdd3143c40c1).exe
EmptyTemp:
end

Click File, Save As and type fixlist (.txt may be seen on the end depending on the system setup) as the File Name. Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
Right-click on the FRST icon and select Run as Administrator to start FRST. (XP users click Run after receipt of the Windows Security Warning - Open File.) Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished, FRST will generate a log on the Desktop called Fixlog.txt. Paste or attach it back here.
Quads
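The two registry findings in the fixlist above (a Run value pointing at an executable under AppData, and a CLSID LocalServer32 value that launches rundll32.exe with a javascript: URL) are the kind of lines a helper reads by eye. The script below, an added example that is not part of the thread and not FRST or RogueKiller code, triages FRST-style lines with those two checks and decodes the obfuscated eval() literal that FRST truncated: every character in the fragment was shifted up by one code point, so shifting back reveals what it begins to build. The sample lines are the two from the post plus one made-up benign VBoxTray entry for contrast; the user-writable-path markers and the line formats the regexes assume are this example's own heuristics, not FRST's.

```python
"""Added example: triage FRST registry lines for the two indicators quoted in the
fix (Run value under AppData, fileless rundll32 javascript: COM server) and decode
the shifted eval() literal. Not part of the forum post, FRST or RogueKiller."""
import re
from typing import Optional

# Constructed sample input: the two FRST lines from the post (FRST truncated the
# second entry), plus one hypothetical benign Run entry that is not from the thread.
SAMPLE_FRST_LINES = [
    r"HKU\S-1-5-21-4146165697-1227186275-439605532-1000\...\Run: [FlashPlayerUpdate] => "
    r"C:\Users\user\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [200704 2015-01-30] ()",
    r"HKU\S-1-5-21-4146165697-1227186275-439605532-1000\...A8F59079A8D5}\localserver32: "
    r'rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>',
    # hypothetical benign entry (assumed for contrast, not from the thread)
    r"HKLM\...\Run: [VBoxTray] => C:\Windows\system32\VBoxTray.exe [1234567 2014-10-10] (Oracle Corporation)",
]

# Line shapes assumed by this example: "<hive>\...\Run: [name] => <target> [size date] (publisher)"
# and "<hive>\...<clsid>}\localserver32: <command>".
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\.*\\Run: \[(?P<name>[^\]]+)\] => (?P<target>.+?) \[")
LOCALSERVER_RE = re.compile(r"^(?P<hive>HK\w+)\\.*\\localserver32: (?P<cmd>.+)$", re.I)
EVAL_RE = re.compile(r'eval\("([^"]*)')

# Heuristic of this example: an autostart binary living in a user-writable location
# is worth a second look; real installers put their updaters under Program Files.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def decode_shift(text: str, shift: int = 1) -> str:
    """Undo the per-character code-point shift seen in the quoted eval() literal
    ('e'->'d', '/'->'.', '!'->' ', ...)."""
    return "".join(chr(ord(c) - shift) for c in text)


def decode_eval_literal(cmd: str) -> Optional[str]:
    """Extract the string passed to eval() from a rundll32 javascript: command and decode it."""
    m = EVAL_RE.search(cmd)
    return decode_shift(m.group(1)) if m else None


def triage_line(line: str) -> Optional[dict]:
    """Classify one FRST registry line; None for line types this example does not handle."""
    m = RUN_RE.match(line)
    if m:
        target = m.group("target")
        suspicious = any(marker in target.lower() for marker in USER_WRITABLE_MARKERS)
        return {
            "kind": "run",
            "name": m.group("name"),
            "target": target,
            "suspicious": suspicious,
            "reason": "autostart binary under a user-writable path" if suspicious else "",
        }
    m = LOCALSERVER_RE.match(line)
    if m:
        cmd = m.group("cmd")
        # A COM server whose "executable" is rundll32 + mshtml RunHTMLApplication keeps
        # its payload in the registry value itself: nothing on disk to scan or delete.
        fileless = cmd.lower().startswith("rundll32.exe javascript:")
        return {
            "kind": "localserver32",
            "target": cmd,
            "suspicious": fileless,
            "reason": "COM server launched via rundll32 javascript: (script stored in the registry)" if fileless else "",
            "decoded": decode_eval_literal(cmd) if fileless else None,
        }
    return None


def triage(lines) -> list:
    """Triage a sequence of FRST lines, keeping only the line types this example recognises."""
    return [r for r in (triage_line(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_FRST_LINES):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"[{flag}] {finding['kind']}: {finding['target'][:72]}")
        if finding.get("decoded"):
            print("             decoded eval() literal:", finding["decoded"])
```

Decoding the visible fragment yields the start of a document.write('<script language= call, which is why the post labels the value Poweliks: the rundll32/mshtml launcher runs a script that lives entirely in the registry value, so removing FlashPlayerUpdateService.exe alone would leave the persistence in place.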