Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

What Am I Infected With?


  • This topic is locked This topic is locked
2 replies to this topic

#1 mdrury

mdrury

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:48 AM

Posted 26 June 2012 - 01:46 PM

I ran MalwareBytes and it didn't find anything, but there's a web browser process that starts and I hear audio from it, but you can't see it. Only see it in Task Manager, but can't do anything with it. I ran HijackThis and ComboFix. I can't attach the ComboFix log because this site says it is too big. So I compressed it, but then it yelled at me saying I'm not permitted to upload this kind of file.

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:48 AM

Posted 01 July 2012 - 08:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [UserLog] C:\Program Files (x86)\exo5\usrsessionlog.exe


Click on Fix Checked when finished and exit HijackThis.


Delete this folder in bold.
C:\Program Files (x86)\exo5\

Restart the computer normally.

I need more information on these files which are suspicious.

C:\Windows\kbruntime\ipsecat.exe
C:\Windows\kbruntime\wpagnt.exe

>>> Run Jotti's malware scan: Please copy each line from the following (in bold):
C:\Windows\kbruntime\ipsecat.exe
C:\Windows\kbruntime\wpagnt.exe


  • Go to Jotti's malware scan and click the Browse button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link". Posted Image
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
    If more then one file submitted, return to the "Jotti's malware scan" window and click the "Next file" button to continue with the rest.
Please copy and paste these Permalinks in your next reply.
If Jotti is busy, please go to http://www.virustotal.com

===

HijackThis is not able to provide accurate information for 64 bit systems.
In your case we need to see a DDS Log.
I would remove HijackThis using the Add/Remove Programs list.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Include the links from the Jotti's scan.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:48 AM

Posted 08 July 2012 - 10:30 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users