
Keep seeing system popups in Russian


This topic is locked
7 replies to this topic

#1 sudo sandwich (Members, 4 posts)

Posted 09 January 2012 - 02:07 AM

First off, I have the only account on this Windows 7 computer, and I speak English only, and have all settings (as default) to communicate in English, so I should not be seeing these Russian popups which are asking me various things and adding Russian toolbars to IE, and attempted to do so for Firefox. I believe that the issues are located in the Mail.Ru folder in Program Files (x86), but I can't seem to delete that (even with using cd %programfiles(x86)% then rd /s "Mail.Ru" commands in command prompt, which says Access is Denied for all of the files contained within Mail.Ru). Any help in removing the source of this problem would be very much appreciated!

Attached File: Attach.txt (2.23KB)

Here is the DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by David at 1:47:36 on 2012-01-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8103.6728 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AppleOSSMgr.exe
C:\Windows\system32\AppleTimeSrv.exe
C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Boot Camp\Bootcamp.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Aurora\firefox.exe
C:\Program Files (x86)\Aurora\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\David\Downloads\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.mail.ru/cnt/9514
uURLSearchHooks: ???????@Mail.Ru: {09900de8-1dca-443f-9243-26ff581438af} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
mWinlogon: Userinit=userinit.exe
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: MailRuBHO Class: {8984b388-a5bb-4df7-b274-77b879e179db} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: ???????@Mail.Ru: {09900de8-1dca-443f-9243-26ff581438af} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [Gadwin PrintScreen] "C:\Program Files (x86)\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [Guard.Mail.ru.gui] "C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe" /gui
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{DE6E5FC1-C312-43EA-8EC6-1A49AF3FF452} : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{DE6E5FC1-C312-43EA-8EC6-1A49AF3FF452}\6416E646D4D275966496 : DhcpNameServer = 155.68.1.100
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: MailRuBHO Class: {8984B388-A5BB-4DF7-B274-77B879E179DB} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
BHO-X64: ???????@Mail.Ru - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: ???????@Mail.Ru: {09900DE8-1DCA-443F-9243-26FF581438AF} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun-x64: [Guard.Mail.ru.gui] "C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe" /gui
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\8axddd4y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://go.mail.ru/search?q={searchTerms}&utf8in=1&fr=ietb
FF - prefs.js: browser.search.selectedEngine - mail.ru: Поиск в Интернете
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AppleHFS;AppleHFS;C:\Windows\system32\drivers\AppleHFS.sys --> C:\Windows\system32\drivers\AppleHFS.sys [?]
R0 AppleMNT;AppleMNT;C:\Windows\system32\drivers\AppleMNT.sys --> C:\Windows\system32\drivers\AppleMNT.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\Windows\system32\AppleOSSMgr.exe --> C:\Windows\system32\AppleOSSMgr.exe [?]
R2 AppleTimeSrv;Apple Time Service;C:\Windows\system32\AppleTimeSrv.exe --> C:\Windows\system32\AppleTimeSrv.exe [?]
R2 Guard.Mail.ru;Guard.Mail.ru;C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe [2012-1-8 1723480]
R2 KeyAgent;KeyAgent;\??\C:\Windows\system32\drivers\KeyAgent.sys --> C:\Windows\system32\drivers\KeyAgent.sys [?]
R2 MacHALDriver;Mac HAL;\??\C:\Windows\system32\drivers\MacHALDriver.sys --> C:\Windows\system32\drivers\MacHALDriver.sys [?]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-3 2655768]
R3 acpials;ALS Sensor Filter;C:\Windows\system32\DRIVERS\acpials.sys --> C:\Windows\system32\DRIVERS\acpials.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AppleBtBc;Apple Broadcom Built-in Bluetooth;C:\Windows\system32\DRIVERS\AppleBtBc.sys --> C:\Windows\system32\DRIVERS\AppleBtBc.sys [?]
R3 applemtm;Apple Multitouch Mouse;C:\Windows\system32\DRIVERS\applemtm.sys --> C:\Windows\system32\DRIVERS\applemtm.sys [?]
R3 applemtp;Apple Multitouch;C:\Windows\system32\DRIVERS\applemtp.sys --> C:\Windows\system32\DRIVERS\applemtp.sys [?]
R3 bScsiSDa;bScsiSDa;C:\Windows\system32\DRIVERS\bScsiSDa.sys --> C:\Windows\system32\DRIVERS\bScsiSDa.sys [?]
R3 CirrusFilter;CS420xLowerFilter;C:\Windows\system32\DRIVERS\CS420x64.sys --> C:\Windows\system32\DRIVERS\CS420x64.sys [?]
R3 danewFltr;NewDeathAdder Mouse;C:\Windows\system32\drivers\danew.sys --> C:\Windows\system32\drivers\danew.sys [?]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\Windows\system32\DRIVERS\IRFilter.sys --> C:\Windows\system32\DRIVERS\IRFilter.sys [?]
R3 KeyMagic;USB Keyboard HID Filter;C:\Windows\system32\DRIVERS\KeyMagic.sys --> C:\Windows\system32\DRIVERS\KeyMagic.sys [?]
R3 MEIx64;Intel® Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-01-09 06:22:23 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5161983E-85F8-4DF0-B808-02ADF19E7239}\offreg.dll
2012-01-08 17:52:35 -------- d-----w- C:\Users\David\AppData\Roaming\SkyMonk
2012-01-08 17:52:30 -------- d-----w- C:\Program Files (x86)\Mail.Ru
2012-01-07 01:04:40 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5161983E-85F8-4DF0-B808-02ADF19E7239}\mpengine.dll
2011-12-29 18:09:19 -------- d-----w- C:\Users\David\.jagex_cache_32
2011-12-28 19:26:40 14744 ----a-w- C:\Users\David\AppData\Roaming\Microsoft\IdentityCRL\production\ppcrlconfig.dll
2011-12-23 03:25:04 -------- d-----w- C:\Users\David\AppData\Roaming\Bioshock2
2011-12-23 03:23:50 -------- d-sh--w- C:\ProgramData\SecuROM
2011-12-23 03:22:49 453456 ----a-w- C:\Windows\SysWow64\d3dx10_42.dll
2011-12-23 03:22:48 1892184 ----a-w- C:\Windows\SysWow64\D3DX9_42.dll
2011-12-23 03:22:44 -------- d-----w- C:\Windows\SysWow64\xlive
2011-12-23 03:22:44 -------- d-----w- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
2011-12-23 03:06:36 -------- d-----w- C:\Program Files (x86)\2K Games
2011-12-20 01:04:59 469264 ----a-w- C:\Windows\System32\d3dx10.dll
2011-12-20 01:03:47 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2011-12-20 00:54:03 -------- d-----w- C:\Users\David\AppData\Roaming\2K Games
2011-12-20 00:49:11 -------- d-----w- C:\Games
2011-12-17 02:02:04 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-11 18:49:39 -------- d-----w- C:\Program Files (x86)\Gadwin Systems
2011-12-11 18:26:15 -------- d-----w- C:\Program Files (x86)\AutoHotkey
.
==================== Find3M ====================
.
2011-12-04 23:52:45 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-03 18:09:39 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2011-12-03 18:09:39 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2011-12-03 13:41:16 0 ----a-w- C:\Windows\ativpsrm.bin
2011-12-03 05:52:34 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 05:32:50 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 04:26:03 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-15 06:31:56 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-10-15 05:38:59 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
.
============= FINISH: 1:48:02.39 ===============

Edited by sudo sandwich, 09 January 2012 - 02:19 AM.
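Added example (editor's addition, not a tool from the original post or from BleepingComputer): the DDS log above already explains why `rd /s "Mail.Ru"` was denied. The folder's own executable is listed twice under Running Processes, once started by the `R2 Guard.Mail.ru` service and once by the `mRun` entry `Guard.Mail.ru.gui`, so its files are held open. The Python script below reads the Running Processes, Pseudo HJT Report and SERVICES / DRIVERS sections of a DDS log and lists everything under a suspect directory, separating the persistence entries (BHO, toolbar, URL search hook, Run key, service) from the running images. The sample text is a trimmed copy of the log in the post (trademark glyph replaced by ASCII); the regular expressions, the `Entry` record and the function names are my own and are assumptions about the DDS line formats shown here, not a DDS specification.

```python
"""Triage a DDS log for everything tied to one suspect directory.

Editor's added example: it is not part of the original post.  It keeps the
log lines whose file path lies under a directory the analyst suspects and
separates persistence entries from the processes and services that keep
the directory's files open (the reason a plain `rd /s` is denied).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
import re

# Constructed sample: lines copied from the DDS log in the post above, trimmed
# to the sections this script reads (trademark glyph replaced by ASCII).
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.mail.ru/cnt/9514
uURLSearchHooks: ???????@Mail.Ru: {09900de8-1dca-443f-9243-26ff581438af} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
BHO: MailRuBHO Class: {8984b388-a5bb-4df7-b274-77b879e179db} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
BHO: Java(TM) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: ???????@Mail.Ru: {09900de8-1dca-443f-9243-26ff581438af} - C:\Program Files (x86)\Mail.Ru\Sputnik\MailRuSputnik.dll
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
mRun: [Guard.Mail.ru.gui] "C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe" /gui
============= SERVICES / DRIVERS ===============
R0 AppleHFS;AppleHFS;C:\Windows\system32\drivers\AppleHFS.sys --> C:\Windows\system32\drivers\AppleHFS.sys [?]
R2 Guard.Mail.ru;Guard.Mail.ru;C:\Program Files (x86)\Mail.Ru\Guard\GuardMailRu.exe [2012-1-8 1723480]
"""

# Assumed line shapes, taken from the log above rather than a DDS specification.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]<>|]*?\.(?:exe|dll|sys|cpl|ocx)\b', re.IGNORECASE)
CLSID_RE = re.compile(r'\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.IGNORECASE)
SECTION_RE = re.compile(r'^=+\s*(.*?)\s*=+$')          # "=== Running Processes ==="
SERVICE_RE = re.compile(r'^([RS][0-4])\s+([^;]+);')      # "R2 Guard.Mail.ru;display;path"
HJT_KIND_RE = re.compile(r'^([A-Za-z0-9-]+):\s')         # "BHO: ...", "mRun-x64: ..."


@dataclass(frozen=True)
class Entry:
    section: str   # DDS section the line came from, lower-cased
    kind: str      # "process", "service", an HJT prefix (BHO, TB, mRun, ...) or "other"
    name: str      # service "start-type name", HJT label, or "" for processes
    path: str      # first Windows file path on the line, as written in the log
    raw: str


def _hjt_name(rest: str) -> str:
    """Label of an HJT line body: '[RunKeyName] ...' or 'Display Name: {clsid} - path'."""
    if rest.startswith("[") and "]" in rest:
        return rest[1:rest.index("]")]
    head, sep, _ = rest.partition(": ")
    return head if sep else ""


def parse_dds(text: str) -> List[Entry]:
    entries: List[Entry] = []
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        paths = list(dict.fromkeys(PATH_RE.findall(line)))  # dedupe "path --> path [?]"
        if not paths:
            continue  # Start Page, DPF, policy and TCP lines carry no file path
        svc = SERVICE_RE.match(line) if section.startswith("services") else None
        hjt = HJT_KIND_RE.match(line)
        if section.startswith("running processes"):
            kind, name = "process", ""
        elif svc:
            kind, name = "service", f"{svc.group(1)} {svc.group(2)}"
        elif hjt:
            kind, name = hjt.group(1), _hjt_name(line[hjt.end():])
        else:
            kind, name = "other", ""
        entries.append(Entry(section, kind, name, paths[0], line))
    return entries


def triage(entries: List[Entry], suspect_dir: str) -> Dict[str, object]:
    """Group every entry whose path lies under suspect_dir by what it is."""
    prefix = suspect_dir.rstrip("\\").lower() + "\\"
    hits = [e for e in entries if e.path.lower().startswith(prefix)]
    processes = Counter(e.path for e in hits if e.kind == "process")
    services = [e for e in hits if e.kind == "service"]
    persistence = [e for e in hits if e.kind not in ("process", "service", "other")]
    clsids = sorted({c.lower() for e in persistence for c in CLSID_RE.findall(e.raw)})
    return {
        "processes": processes,      # image path -> number of running instances
        "services": services,        # stop and delete these before touching the folder
        "persistence": persistence,  # BHO / TB / URLSearchHooks / Run entries to remove
        "clsids": clsids,            # COM registrations to delete (HKLM and Wow6432Node)
        # Files of a running image or service are open, so `rd /s` is denied
        # until the service is stopped and the processes are killed.
        "delete_will_fail": bool(processes or services),
    }


if __name__ == "__main__":
    result = triage(parse_dds(SAMPLE_LOG), r"C:\Program Files (x86)\Mail.Ru")
    for path, n in result["processes"].items():
        print(f"running x{n}: {path}")
    for e in result["services"] + result["persistence"]:
        print(f"{e.kind:16} {e.name:20} {e.path}")
    print("CLSIDs:", ", ".join(result["clsids"]), "| rd /s will fail:", result["delete_will_fail"])
```

Run against the full log from the post, the Mail.Ru directory comes back with one image running twice, one `R2` service, four persistence entries and two CLSIDs; the same query for the Java directory finds only the BHO and nothing running, so that folder could be removed directly. The order of removal this implies is the usual one: stop and delete the service, remove the Run, BHO, toolbar and URLSearchHooks registrations (both the native and `Wow6432Node` views on this x64 box), reset the IE start page and Firefox search prefs shown in the log, and only then delete the folder.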



#2 nasdaq (Malware Response Team, 39,576 posts, Montreal, QC. Canada)

Posted 14 January 2012 - 10:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs for my review.

Let me know if the problem persists.

#3 sudo sandwich (Topic Starter, Members, 4 posts)

Posted 15 January 2012 - 11:58 PM

Thank you so much for your help, nasdaq! Attached to this post are the logs you requested.

edit: Just a last minute thought: I have both the Mac and the PC running on the same hard drive, and I can access the files of the other OS while running one OS. So, whatever malware or other malicious code could have been running on the Windows section of my hard drive, could it also have infected the Mac section? Or should the entire problem be fixed now? (I will repost again in a few days as to whether or not the problem persists)

Attached Files


Edited by sudo sandwich, 16 January 2012 - 12:13 AM.


#4 nasdaq (Malware Response Team, 39,576 posts, Montreal, QC. Canada)

Posted 16 January 2012 - 09:49 AM

I do not think that this infection has crossed over to the other operating system.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 29


===

If all is well, in a couple of days you can proceed with this.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#5 sudo sandwich (Topic Starter, Members, 4 posts)

Posted 17 January 2012 - 11:24 PM

Hi nasdaq, I'm just posting to let you know that the problem seems to be fixed, so thank you very much for that! However, I still notice something left over from when I unwittingly downloaded that malware. I did manage to delete Mail.Ru, thanks to the help of Safe Mode. But I still see a process labelled as "atieclxx.exe" that I did not see before I downloaded the malware, and I cannot kill that process using Windows Task Manager. How can I kill this process?

#6 nasdaq (Malware Response Team, 39,576 posts, Montreal, QC. Canada)

Posted 18 January 2012 - 10:32 AM

That file is safe.

http://www.file.net/process/atiesrxx.exe.html

#7 sudo sandwich (Topic Starter, Members, 4 posts)

Posted 18 January 2012 - 01:43 PM

Alright, thanks!

#8 nasdaq (Malware Response Team, 39,576 posts, Montreal, QC. Canada)

Posted 24 January 2012 - 02:01 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
