Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Interesting Window Popped-up

  • Please log in to reply
1 reply to this topic

#1 mythix


  • Members
  • 1 posts
  • Local time:06:51 PM

Posted 03 August 2013 - 02:02 PM

 For the past few days I have had an option when alt-tabbing that shows a yellow, red, and blue square as the icon. I am unable to switch to this process and it has no description when alt-tabbing, but I haven't had the time recently to figure out what is going on, and can't take a screenshot of it (due to only being able to see it when alt-tabbing). Just a few moments ago, a window popped up followed by another window just like the first, and it looks something like this: http://i.imgur.com/EWvMZWU.png

and another questionable process in my task manager "188492.exe" Facebook Video Call. And this is clearly fake because of the exe name and I don't even use facebook video call.

I opened up security task manager and sent a few weird things to quarantine that seemed to be added to my computer on this date which is interesting because I haven't downloaded any files or anything at all today, so I'm worried its a bigger problem. Can anyone help? Need more info? let me know.

EDIT: another screen shot showing the facebook video call and another program (which i believe to be causing the mysterious alt-tab entry due to how long its been on my computer) in security task manager http://i.imgur.com/yGOeGFw.png although it does say certified by windows so maybe im just imagining things.


Here is mbam log:

Malwarebytes Anti-Malware
Database version: v2013.07.27.04
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Kevin :: PENELOPE [administrator]
8/3/2013 3:13:58 PM
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 539042
Time elapsed: 1 hour(s), 11 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\Software\DC3_FEXEC (Malware.Trace) -> No action taken.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={4C954B71-CAFF-11E2-AB5B-50E549552901}) Good: (http://www.google.com) -> No action taken.
Folders Detected: 1
C:\Users\Kevin\AppData\Roaming\dclogs (Stolen.Data) -> No action taken.
Files Detected: 32
C:\$Recycle.Bin\S-1-5-21-117235487-719496623-2448589979-1000\$R48EYWC.ZIP (Trojan.Agent) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-117235487-719496623-2448589979-1000\$R64P0E8.77\SMC 2.77\com.run (Trojan.Agent) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-117235487-719496623-2448589979-1000\$R64P0E8.77\SMC 2.77\krnln.fnr (Trojan.FlyStudio) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-117235487-719496623-2448589979-1000\$R64P0E8.77\SMC 2.77\SMC2.77.exe (Trojan.FlyStudio) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-117235487-719496623-2448589979-1000\$R6DJOI2\uninstaller.exe (Adware.GameVance) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-117235487-719496623-2448589979-1000\$R6DJOI2\updater.exe (Adware.GameVance) -> No action taken.
C:\Users\Kevin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5TK5ODX\51e98ea6785c9[1].exe (PUP.Adware.MultiPlug) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\tmpA51E.tmp.exe (Trojan.MSIL) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\ukjaslmqwplaskmzmcnvbv4600875021046180834.exe (Trojan.MSIL) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\is1326335552\2282700_Setup.EXE (PUP.Optional.AddLyrics) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\temp_dZAlOEYAnq\vbc.exe (Misused.Legit) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\temp_EUjlKJZCeO\vbc.exe (Misused.Legit) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\temp_QBWbvYUuJk\vbc.exe (Misused.Legit) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\temp_qpesZtDftc\vbc.exe (Misused.Legit) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\temp_rJtMrCWJgI\vbc.exe (Misused.Legit) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\temp_SjIqnsvxCY\vbc.exe (Misused.Legit) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\temp_WYqVflfdzw\vbc.exe (Misused.Legit) -> No action taken.
C:\Users\Kevin\AppData\Local\Temp\temp_YcEPQmcVaV\vbc.exe (Misused.Legit) -> No action taken.
C:\Users\Kevin\Downloads\setup.exe (PUP.Optional.InstallCore) -> No action taken.
C:\Users\Kevin\Downloads\SMC_2.77.ZIP (Trojan.Agent) -> No action taken.
C:\Users\Kevin\Downloads\SoftonicDownloader_for_microsoft-photo-story.exe (PUP.Optional.Softonic) -> No action taken.
C:\Windows\Setup\scripts\faXcooL.exe (HackTool.Wpakill) -> No action taken.
C:\Users\Kevin\AppData\Roaming\dclogs\2013-05-11-7.dc (Stolen.Data) -> No action taken.
C:\Users\Kevin\AppData\Roaming\dclogs\2013-05-12-1.dc (Stolen.Data) -> No action taken.
C:\Users\Kevin\AppData\Roaming\dclogs\2013-05-13-2.dc (Stolen.Data) -> No action taken.
C:\Users\Kevin\AppData\Roaming\dclogs\2013-05-14-3.dc (Stolen.Data) -> No action taken.
C:\Users\Kevin\AppData\Roaming\dclogs\2013-05-15-4.dc (Stolen.Data) -> No action taken.
C:\Users\Kevin\AppData\Roaming\dclogs\2013-05-16-5.dc (Stolen.Data) -> No action taken.
C:\Users\Kevin\AppData\Roaming\dclogs\2013-05-17-6.dc (Stolen.Data) -> No action taken.
C:\Users\Kevin\AppData\Roaming\dclogs\2013-08-02-6.dc (Stolen.Data) -> No action taken.
C:\Users\Kevin\AppData\Roaming\dclogs\2013-08-03-7.dc (Stolen.Data) -> No action taken.

Edited by mythix, 03 August 2013 - 03:28 PM.

BC AdBot (Login to Remove)


#2 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,769 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:51 PM

Posted 03 August 2013 - 06:01 PM

Welcome aboard p22002758.gif


p22002970.gif Your MBAM log says "No action taken".

Re-run MBAM, fix all issues and post new log.




p22002970.gif Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.

p22002970.gif Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

p22002970.gif Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

p22002970.gifDownload Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt

p22002970.gif Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users