Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

xravcp.exe virus in %appdata%\Microsoft\Crypto


  • This topic is locked This topic is locked
4 replies to this topic

#1 BrentN

BrentN

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:38 AM

Posted 07 October 2013 - 04:56 PM

Customer's computer. Have it entirely clean, except for one file. %Appdata%\Roaming\Microsoft\Crypto has xravcp.exe. It uses most of the CPU (like this topic). Killing the process and deleting the executable results in it coming back in a few minutes. I can't locate any scheduled tasks related to this virus.
 
It's also gotten a new file over the weekend, RAVCl64.exe. This claims to be "Realtek HD Audio Manager".
 
RAVCL64.exe at Virustotal: https://www.virustotal.com/en/file/889a9b3e3bcdc1e7cacfba322cd97b1056cda085f3c970c90395b079fe265a80/analysis/1381182000/
 
xravcp.exe at VirusTotal: https://www.virustotal.com/en/file/77784aa03b7bbccc1679379eeff9d777566038e9f49d30f2deb6b8ecd6a5d591/analysis/1381182574/
Metascan: https://www.metascan-online.com/en/scanresult/file/ab909e91041e431d8e51981dc178aa4e
Virscan.org: http://r.virscan.org/report/0d862881575d462cfa09d289d3a51f1d.html
 
 
 
Using Process Explorer, I can see the xravcp.exe is being launched with the following parameters:
"C:\Users\Pete\AppData\Roaming\Microsoft\Crypto\xRAVCp.exe" -pooluser=AQXUSoBLto8s85nQJdFDC4yUqaCzbjKp8b -poolip=194.63.141.76 -poolport=1337 -genproclimit=4 -poolfee=2
I can see that it's communicating with that IP. The port on the computer (right now) that traffic is coming from is port 57239.
 
There's another file in the Crypto folder that seems to be related. It doesn't have a file extension.
AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-473015930-1009277704-935537888-1000\ea60569d5740807bb38b859a5ac130a8_05b9da15-ee4a-4c9f-952b-d6b8a1b27623
The section of text starting with "ea" and ending with "623" is the file name. Submitting to avira shows it's a known clean file, 52 bytes. Says it's part of Trusteer Rapport, which is installed on this computer.
 
I tried submitting it to Anubis http://anubis.iseclab.org to try and find out where it's dropping files, it didn't work. 
 
=========================================
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.40.2
Run by Pete at 15:52:11 on 2013-10-07
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7935.5383 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe
C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
C:\Program Files (x86)\NewSoft\Presto! PageManager 8 for EP\PMSpeed.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\Sun\Java\bin\javaw.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\CNYHKey.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Windows\Sun\Java\bin\javaw.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Pete\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Pete\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Pete\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Pete\Downloads\autoruns.exe
C:\Users\Pete\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Pete\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Pete\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Pete\AppData\Roaming\Microsoft\Crypto\xRAVCp.exe
C:\Program Files (x86)\Motorola Mobility\MotoCast\LiveUpdate\MotoCastUpdate.exe
C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe
C:\Windows\Sun\Java\bin\javaw.exe
C:\Users\Pete\AppData\Roaming\Microsoft\Crypto\RAVCl64.exe
C:\Program Files (x86)\Motorola Mobility\MotoCast\LiveUpdate\MotoCastUpdate.exe
C:\Windows\ehome\mcGlidHost.exe
C:\ProgramData\Avira\AntiVir Desktop\TEMP\SELFUPDATE\update.exe
C:\ProgramData\Avira\AntiVir Desktop\TEMP\SELFUPDATE\updrgui.exe
C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe
C:\Users\Pete\Downloads\procexp.exe
C:\Users\Pete\AppData\Local\Temp\procexp64.exe
C:\Users\Pete\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = C:\Windows\System32\userinit.exe
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Norton Safety Minder BHO: {B8E07826-0971-4f16-B133-047B88034E89} - 
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [PMSpeed] C:\Program Files (x86)\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [WorkForce 310(Network)] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIFHA.EXE /FU "C:\Windows\TEMP\E_S361.tmp" /EF "HKCU"
uRun: [EPSON WorkForce 310 Series] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIFHA.EXE /FU "C:\Windows\TEMP\E_S32E2.tmp" /EF "HKCU"
uRun: [cdloader] "C:\Users\Pete\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Google Update] "C:\Users\Pete\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Java Updater Module] C:\Windows\Sun\Java\bin\javaw.exe -jar C:\Windows\config\systemprofile\AppData\Local\Google\Update\Manifest\Initial\1e611a00
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [BrMfcWnd] "C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
mRun: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
mRun: [ControlCenter3] "C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe" /autorun
mRun: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun: [Gateway Photo Frame] "C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe" -A
mRun: [LedKey] CNYHKey.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [BYR_AGENT] C:\ProgramData\LGMOBILEAX\BYR_Client\VZWNotiAgent.exe
mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRun: [EPSON7BE541] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIFHA.EXE /FU "C:\Windows\TEMP\E_S4F18.tmp" /EF "HKCU"
StartupFolder: C:\Users\Pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled\ding!.lnk.disabled
StartupFolder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled\mcafee security scan plus.lnk.disabled
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
Trusted Zone: ev-webapp-p
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ssl-portal.lanl.gov/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 192.168.10.1
TCP: Interfaces\{7CFF51E4-2715-4C18-8011-B9A5F1F20D79} : DHCPNameServer = 192.168.10.1
TCP: Interfaces\{B153107D-FE34-44A6-8C68-B0EC6A154D97} : DHCPNameServer = 69.145.232.4 69.144.49.30 69.146.17.3
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\CoIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
x64-Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
x64-Run: [WrtMon.exe] C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Pete\AppData\Roaming\Mozilla\Firefox\Profiles\mr7fzqh5.default-1347661856206\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: C:\ProgramData\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_2.2.0.34\coFFFw\components\coFFFw.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMSS.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll
FF - plugin: C:\Users\Pete\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_168.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: !HIDDEN! 2010-01-16 09:40; {20a82645-c095-46ed-80e3-08825760534b}; c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKE64;RapportKE64;C:\Windows\System32\drivers\RapportKE64.sys [2011-5-27 295696]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-10-3 28600]
R1 RapportCerberus_56758;RapportCerberus_56758;C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_56758.sys [2013-10-4 589872]
R1 RapportEI64;RapportEI64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2013-9-10 265872]
R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2013-9-10 384432]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-5-23 143120]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2013-10-3 84024]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2013-10-3 108088]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-10-3 105344]
R2 CLDTVHNService;CLDTVHNService;C:\Program Files (x86)\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe [2009-9-17 75048]
R2 DeviceMonitorService;DeviceMonitorService;C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe [2012-6-5 87400]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 Motorola Device Manager;Motorola Device Manager Service;C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [2012-7-17 116632]
R2 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [2009-9-8 117640]
R2 ntk_dtv;ntk_dtv;C:\Program Files (x86)\DirecTV\DirecTV\Kernel\DMP\ntk_dtv_64.sys [2009-9-17 82416]
R2 PST Service;PST Service;C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [2012-9-8 65657]
R2 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2013-9-10 1435928]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2013-2-17 1153368]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-9-16 3273088]
R3 cxpl_mhd;CX23885/8 PCI-E AvStream Video Capture (PalomarMHD);C:\Windows\System32\drivers\y_cx88x.sys [2009-3-23 676992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-8-29 140376]
R3 RTL85n64;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;C:\Windows\System32\drivers\RTL85n64.sys [2010-3-23 2061856]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-4-19 161384]
S3 Andbus;LGE Android Platform Composite USB Device;C:\Windows\System32\drivers\lgandbus64.sys [2010-12-7 19456]
S3 AndDiag;LGE Android Platform USB Serial Port;C:\Windows\System32\drivers\lganddiag64.sys [2010-12-7 27648]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;C:\Windows\System32\drivers\lgandgps64.sys [2010-12-7 27136]
S3 ANDModem;LGE Android Platform USB Modem;C:\Windows\System32\drivers\lgandmodem64.sys [2010-12-7 34304]
S3 androidusb;ADB Interface Driver;C:\Windows\System32\drivers\lgandadb.sys [2010-8-2 31744]
S3 BHDrvx64;Symantec Heuristics Driver;C:\Windows\System32\drivers\NISx64\1007020.00B\BHDrvx64.sys [2009-9-8 334384]
S3 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\NISx64\1007020.00B\cchpx64.sys [2009-9-8 583296]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2012-9-9 57280]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-9-12 1512448]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-9-21 351520]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [2013-2-5 235216]
S3 motandroidusb;Mot ADB Interface Driver;C:\Windows\System32\drivers\motoandroid.sys [2009-7-10 31744]
S3 MotDev;Motorola Inc. USB Device;C:\Windows\System32\drivers\motodrv.sys [2009-5-8 53632]
S3 MUD;Driver for Magellan USB Device;C:\Windows\System32\drivers\MUD.sys [2008-2-5 63232]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-10-4 19456]
S3 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1007020.00B\SymEFA64.sys [2009-9-8 402992]
S3 SYMNDISV;Symantec Network Filter Driver;C:\Windows\System32\drivers\NISx64\1007020.00B\symndisv.sys [2009-9-8 56880]
S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;C:\Windows\System32\drivers\NSMx64\0202000.026\symrdrs.sys [2011-10-18 211576]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-10-4 57856]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-3-2 1255736]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
S4 ahcix64s;ahcix64s;C:\Windows\System32\drivers\ahcix64s.sys [2009-4-9 225296]
S4 AntiVirWebService;Avira Web Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebgrd.exe [2013-10-3 815160]
S4 Browser Manager;Browser Manager;C:\ProgramData\Browser Manager\2.6.1249.132\{d1538445-ebd9-4c43-882a-854eff8d928c}\brwmngr.exe [2013-5-14 0]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-3-6 39056]
.
=============== Created Last 30 ================
.
2013-10-06 10:55:43 10752 ----a-w- C:\Users\Pete\AppData\Roaming\Microsoft\Crypto\RAVCl64.exe
2013-10-05 16:31:53 7054848 ----a-w- C:\Users\Pete\AppData\Roaming\Microsoft\Crypto\xRAVCp.exe
2013-10-04 18:11:11 3072 ----a-w- C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui
2013-10-04 18:11:02 15360 ----a-w- C:\Windows\System32\RdpGroupPolicyExtension.dll
2013-10-04 18:11:02 13312 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
2013-10-04 18:11:02 13312 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe
2013-10-04 18:09:36 -------- d-----w- C:\Program Files\LSI SoftModem
2013-10-04 18:08:57 458712 ----a-w- C:\Windows\System32\drivers\cng.sys
2013-10-04 18:08:57 340992 ----a-w- C:\Windows\System32\schannel.dll
2013-10-04 18:08:57 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2013-10-04 18:08:57 154480 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2013-10-04 18:08:56 1448448 ----a-w- C:\Windows\System32\lsasrv.dll
2013-10-04 18:08:55 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2013-10-04 18:08:55 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2013-10-04 18:08:51 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2013-10-04 18:08:51 366592 ----a-w- C:\Windows\System32\qdvd.dll
2013-10-04 18:06:07 -------- d-----w- C:\ProgramData\Oracle
2013-10-04 17:57:26 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-10-04 17:48:48 -------- d-----w- C:\Users\Pete\AppData\Local\WindowsUpdate
2013-10-03 22:46:55 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2013-10-03 21:21:09 -------- d-----w- C:\ProgramData\HitmanPro
2013-10-03 21:09:21 -------- d-----w- C:\Users\Pete\AppData\Roaming\Avira
2013-10-03 21:06:52 81112 ----a-w- C:\Windows\System32\drivers\avnetflt.sys
2013-10-03 21:02:49 28600 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2013-10-03 21:02:49 105344 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2013-10-03 21:02:47 -------- d-----w- C:\ProgramData\Avira
2013-10-03 21:02:47 -------- d-----w- C:\Program Files (x86)\Avira
2013-10-03 20:58:05 -------- d-----w- C:\Users\Pete\AppData\Roaming\SUPERAntiSpyware.com
2013-10-03 20:57:45 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2013-10-03 20:57:45 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2013-10-03 20:45:24 -------- d-----w- C:\Windows\System32\catroot2
2013-10-03 17:48:47 -------- d-----w- C:\RegBackup
2013-10-01 23:21:07 -------- d-----w- C:\Program Files (x86)\VS Revo Group
2013-10-01 09:13:59 148992 ----a-w- C:\Program Files\Internet Explorer\jsdebuggeride.dll
2013-10-01 00:40:05 155584 ----a-w- C:\Windows\System32\drivers\ataport.sys
2013-10-01 00:23:46 -------- d-sh--w- C:\$$PendingFiles
2013-09-26 18:41:15 9430408 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-09-26 17:47:38 3155456 ----a-w- C:\Windows\System32\win32k.sys
2013-09-19 23:13:32 -------- d-----w- C:\ProgramData\Geek Squad
2013-09-16 18:30:40 4806016 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2013-09-16 18:30:40 4806016 ----a-w- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
==================== Find3M  ====================
.
2013-10-04 17:57:12 868264 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-10-04 17:57:12 790440 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-09-26 18:41:27 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-26 18:41:27 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-09-11 05:18:28 295696 ----a-w- C:\Windows\System32\drivers\RapportKE64.sys
2013-08-27 07:13:06 100864 ----a-w- C:\Windows\SysWow64\zlib1.dll
2013-08-27 07:13:05 245795 ----a-w- C:\Windows\SysWow64\libcurl.dll
2013-08-10 05:22:18 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-08-10 05:20:59 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2013-08-10 05:20:55 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-08-10 05:20:55 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-08-10 03:59:10 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-08-10 03:58:09 2876928 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-08-10 03:58:06 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-08-10 03:58:06 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-08-10 03:17:38 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-08-10 03:07:50 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-08-10 02:27:59 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-10 02:17:19 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-08-02 02:23:53 5550528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-08-02 02:15:44 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-08-02 02:15:03 362496 ----a-w- C:\Windows\System32\wow64win.dll
2013-08-02 02:15:03 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-08-02 02:15:03 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2013-08-02 02:14:57 215040 ----a-w- C:\Windows\System32\winsrv.dll
2013-08-02 02:14:11 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2013-08-02 02:13:34 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2013-08-02 01:59:30 3968960 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-02 01:59:30 3913664 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-08-02 01:51:23 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-08-02 01:50:42 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-08-02 01:50:42 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17 338432 ----a-w- C:\Windows\System32\conhost.exe
2013-08-02 00:59:09 112640 ----a-w- C:\Windows\System32\smss.exe
2013-08-02 00:45:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-08-02 00:45:36 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-08-02 00:45:35 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-08-02 00:45:34 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-08-02 00:43:05 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
.
============= FINISH: 15:53:38.55 ===============

Attached Files


Edited by Grinler, 09 October 2013 - 10:00 AM.
Edited out malware sample link


BC AdBot (Login to Remove)

 


#2 BrentN

BrentN
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:38 AM

Posted 08 October 2013 - 04:30 PM

I managed to track it down.

 

Using Process Monitor, I was able to determine Java was creating the infected file. Using Process Explorer, I got the launch parameters for the Java processes, which pointed me to the c:\windows\config\systemprofile\AppData\Local\Google\Update\Manifest\Initial folder.

 

There are java files in here that are launched by a Java entry in the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The entry is "Java Updater Manager" and was set to "C:\Windows\Sun\Java\bin\javaw.exe -jar C:\Windows\config\systemprofile\appdata\local\google\update\manifest\initial]\1e611a00".  There were some related files in parent folders, all the way up to the appdata folder.


Edited by Elise, 09 October 2013 - 09:59 AM.
Link removed for security reasons


#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,551 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:38 PM

Posted 10 October 2013 - 10:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
thisisujrt.gif Please download
Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Turorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply DO NOT ATTACH THEM.
Let me know what problem persists.

#4 BrentN

BrentN
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:38 AM

Posted 10 October 2013 - 12:30 PM

Sorry, I've removed the virus (as posted) and these instructions are no longer necessary. Thank you.



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,551 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:38 PM

Posted 10 October 2013 - 01:01 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users