
Trying to remove connective-timesink. Delete reg key?


11 replies to this topic

#1 chrisarnt

chrisarnt

  • Members
  • 109 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:21 PM

Posted 22 May 2014 - 09:22 AM

So I am trying to remove connective-timesink.

It is very good at hiding.  The files listed in the defender log do not exist.

Defender could not remove it as access to the file or process was blocked.

Hitman pro, malware paid, and combofix do not remove it.

 

The Defender log shows the reg key, and I found the reg key in regedit, but this is way over my head.

 

If I delete the reg key it should block the program from starting.

Right?

 

See the screen shot.


Edited by hamluis, 22 May 2014 - 02:22 PM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:04:21 PM

Posted 22 May 2014 - 10:11 AM

I'm having trouble finding any information at all on connective-timesink.

 

I'm guessing that this is software to monitor your time spent on the computer?

 

Where did you download this program?

 

See if Revo Uninstaller can find it, if it can it should be able to remove it.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 chrisarnt

chrisarnt
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:21 PM

Posted 22 May 2014 - 01:05 PM

It looks like combo, malware, hitman or win defender deleted these.

But my problem persists.

The way it shows up is that there is something hidden running, i.e. explorer instances that I cannot see on my screen, but the task manager shows.

I will get pop-ups saying things like "Windows security": the webpage is trying to redirect you from facebook to bing or some other common site.

But I am not on either page.

Then when I reboot, just as everything is closing, I get a Malwarebytes notification that it blocked an outgoing process.

They are this IP-BLOCK

But a few say ip block stopped

2014/05/22 09:34:03 -0400 CDAVALUATIONS (null) MESSAGE Executing scheduled update:  Daily
2014/05/22 09:34:03 -0400 CDAVALUATIONS (null) ERROR Scheduled update failed:  No address found failed with error code 0
2014/05/22 09:34:07 -0400 CDAVALUATIONS (null) MESSAGE Starting protection
2014/05/22 09:34:07 -0400 CDAVALUATIONS (null) MESSAGE Protection started successfully
2014/05/22 09:34:07 -0400 CDAVALUATIONS (null) MESSAGE Starting IP protection
2014/05/22 09:34:09 -0400 CDAVALUATIONS (null) MESSAGE IP Protection started successfully
2014/05/22 09:40:32 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 94.242.233.162 (Type: outgoing, Port: 49401, Process: iexplore.exe)
2014/05/22 10:23:58 -0400 CDAVALUATIONS CDA valuations MESSAGE Starting database refresh
2014/05/22 10:23:58 -0400 CDAVALUATIONS CDA valuations MESSAGE Stopping IP protection
2014/05/22 10:25:36 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 94.242.233.162 (Type: outgoing, Port: 49402, Process: iexplore.exe)
2014/05/22 10:25:37 -0400 CDAVALUATIONS CDA valuations MESSAGE IP Protection stopped successfully
2014/05/22 10:25:40 -0400 CDAVALUATIONS CDA valuations MESSAGE Database refreshed successfully
2014/05/22 10:25:40 -0400 CDAVALUATIONS CDA valuations MESSAGE Starting IP protection
2014/05/22 10:25:41 -0400 CDAVALUATIONS CDA valuations MESSAGE IP Protection started successfully
2014/05/22 10:26:24 -0400 CDAVALUATIONS (null) MESSAGE Starting protection
2014/05/22 10:26:24 -0400 CDAVALUATIONS (null) MESSAGE Protection started successfully
2014/05/22 10:26:24 -0400 CDAVALUATIONS (null) MESSAGE Starting IP protection
2014/05/22 10:26:26 -0400 CDAVALUATIONS (null) MESSAGE IP Protection started successfully
2014/05/22 10:29:15 -0400 CDAVALUATIONS (null) MESSAGE Starting protection
2014/05/22 10:29:15 -0400 CDAVALUATIONS (null) MESSAGE Protection started successfully
2014/05/22 10:29:15 -0400 CDAVALUATIONS (null) MESSAGE Starting IP protection
2014/05/22 10:29:17 -0400 CDAVALUATIONS (null) MESSAGE IP Protection started successfully
2014/05/22 10:32:20 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 49833, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 49834, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 49846, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 49847, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 49864, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 49865, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 49866, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 49867, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 49868, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 49869, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 49870, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 49871, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 49872, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 49882, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 49883, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 49884, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 49885, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 49886, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 49887, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 49888, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 49889, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 49890, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 49891, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.30 (Type: outgoing, Port: 49934, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.30 (Type: outgoing, Port: 49935, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.30 (Type: outgoing, Port: 49936, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.30 (Type: outgoing, Port: 49937, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 50387, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 50388, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 50389, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 50390, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 50391, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 50392, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 50427, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 50428, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 50429, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 50430, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 50431, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 50432, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 50433, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 50434, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 50435, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 50436, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 50437, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 50438, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 50439, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 50440, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 50441, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 50442, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 50443, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 50444, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 50445, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 50446, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 50460, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 50461, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 50462, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 50463, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 50464, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.169 (Type: outgoing, Port: 50465, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 50466, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.228 (Type: outgoing, Port: 50467, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 50468, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.30 (Type: outgoing, Port: 50472, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.30 (Type: outgoing, Port: 50473, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.30 (Type: outgoing, Port: 50474, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.30 (Type: outgoing, Port: 50485, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.30 (Type: outgoing, Port: 50486, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.30 (Type: outgoing, Port: 50487, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 94.242.233.162 (Type: outgoing, Port: 50598, Process: iexplore.exe)
2014/05/22 10:35:49 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 94.242.233.162 (Type: outgoing, Port: 50599, Process: iexplore.exe)
2014/05/22 10:55:14 -0400 CDAVALUATIONS (null) MESSAGE Starting protection
2014/05/22 10:55:14 -0400 CDAVALUATIONS (null) MESSAGE Protection started successfully
2014/05/22 10:55:14 -0400 CDAVALUATIONS (null) MESSAGE Starting IP protection
2014/05/22 10:55:16 -0400 CDAVALUATIONS (null) MESSAGE IP Protection started successfully
2014/05/22 11:01:49 -0400 CDAVALUATIONS (null) MESSAGE Starting protection
2014/05/22 11:01:49 -0400 CDAVALUATIONS (null) MESSAGE Protection started successfully
2014/05/22 11:01:49 -0400 CDAVALUATIONS (null) MESSAGE Starting IP protection
2014/05/22 11:01:51 -0400 CDAVALUATIONS CDA valuations MESSAGE IP Protection started successfully
2014/05/22 11:07:34 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 94.242.233.162 (Type: outgoing, Port: 49465, Process: iexplore.exe)
2014/05/22 13:29:39 -0400 CDAVALUATIONS (null) MESSAGE Starting protection
2014/05/22 13:29:39 -0400 CDAVALUATIONS (null) MESSAGE Protection started successfully
2014/05/22 13:29:39 -0400 CDAVALUATIONS (null) MESSAGE Starting IP protection
2014/05/22 13:29:41 -0400 CDAVALUATIONS (null) MESSAGE IP Protection started successfully
2014/05/22 13:56:15 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 94.242.233.162 (Type: outgoing, Port: 49402, Process: iexplore.exe)
 


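A defender's view of a protection log like the one above, as an added example (my Python, not the poster's or Malwarebytes' code; the sample lines are a constructed subset of the log in this post, and the function names are mine). It parses the IP-BLOCK lines, counts blocks per destination and per process, and groups blocks that land within a few seconds of each other. On the posted log every block is outgoing, from iexplore.exe, to the same handful of addresses, on a fresh ephemeral port each time with many in the same second, which fits the hidden browser instances the poster sees in Task Manager rather than anything he clicked.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a handful of lines in the same shape as the
# Malwarebytes protection log pasted in the post above (not the full log).
SAMPLE_LOG = """\
2014/05/22 09:34:07 -0400 CDAVALUATIONS (null) MESSAGE Starting IP protection
2014/05/22 09:40:32 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 94.242.233.162 (Type: outgoing, Port: 49401, Process: iexplore.exe)
2014/05/22 10:23:58 -0400 CDAVALUATIONS CDA valuations MESSAGE Stopping IP protection
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 49833, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 49834, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 80.252.188.229 (Type: outgoing, Port: 49864, Process: iexplore.exe)
2014/05/22 10:35:40 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 5.150.195.167 (Type: outgoing, Port: 49866, Process: iexplore.exe)
2014/05/22 10:35:48 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 50387, Process: iexplore.exe)
2014/05/22 13:56:15 -0400 CDAVALUATIONS CDA valuations IP-BLOCK 94.242.233.162 (Type: outgoing, Port: 49402, Process: iexplore.exe)
"""

# One IP-BLOCK line: timestamp with UTC offset, machine name, user name (may
# contain spaces or be "(null)"), then the blocked destination and details.
BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>.+?) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)


def parse_ip_blocks(text):
    """Return one dict per IP-BLOCK line; MESSAGE/ERROR lines are skipped."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S %z"),
            "ip": m.group("ip"),
            "direction": m.group("direction"),
            "port": int(m.group("port")),
            "process": m.group("process"),
        })
    return events


def blocked_destinations(events):
    """How many times each destination IP was blocked."""
    return Counter(e["ip"] for e in events)


def processes_by_destination(events):
    """Which local processes tried to reach each blocked IP."""
    out = defaultdict(set)
    for e in events:
        out[e["ip"]].add(e["process"])
    return dict(out)


def burst_windows(events, max_gap_seconds=5, min_count=2):
    """Group blocks that land within max_gap_seconds of the previous one.

    A burst of outgoing blocks to the same few IPs, each on a fresh
    ephemeral port, is the pattern of a component retrying its
    check-in, not of a user clicking links.
    """
    windows, current = [], []
    for e in sorted(events, key=lambda x: x["time"]):
        if current and (e["time"] - current[-1]["time"]).total_seconds() > max_gap_seconds:
            if len(current) >= min_count:
                windows.append((current[0]["time"], current[-1]["time"], len(current)))
            current = []
        current.append(e)
    if len(current) >= min_count:
        windows.append((current[0]["time"], current[-1]["time"], len(current)))
    return windows


if __name__ == "__main__":
    evs = parse_ip_blocks(SAMPLE_LOG)
    procs = processes_by_destination(evs)
    for ip, n in blocked_destinations(evs).most_common():
        print(f"{ip:<16} blocked {n}x by {sorted(procs[ip])}")
    for start, end, n in burst_windows(evs):
        print(f"burst: {n} blocks between {start.time()} and {end.time()}")
```

Running the script prints the per-destination counts and the one burst in the sample; pointing parse_ip_blocks at the full pasted log gives the same picture with larger numbers.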


#4 chrisarnt

chrisarnt
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:21 PM

Posted 22 May 2014 - 01:15 PM

My Malwarebytes version has these IP addresses on the ignore list:

91.194.40.23

212.227.137.179

193.169.219.38

109.163.231.223

Are these known unsafe sites? I have a few things through my firewall for some software I use.



#5 Roodo

Roodo

  • Members
  • 760 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:21 PM

Posted 22 May 2014 - 01:17 PM

I believe it's in add/remove programs. Have you checked there?

 

I'd then run rkill http://www.bleepingcomputer.com/download/rkill/

Then malwarebytes http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/



#6 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:04:21 PM

Posted 22 May 2014 - 01:21 PM

Let's run a couple of scans and see what we can find.

Please run the ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

 
Please download Malwarebytes Anti-Malware.
 
1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.
 
2)  Malwarebytes will automatically open.  If this is the first time you have run this version of Malwarebytes you will see an image like the one below.
 
mbam1_zps95cc812c.png
 
Click on Update Now, after Malwarebytes is updated click on Scan.
 
If this isn't the first time you have run this version, then you will see an image like the one below.  Click on Scan
 
mbam1_zps98e7fba9.png
 
You will be prompted to update Malwarebytes, to do so click on Update Now.
 
 mbam2_zps85f38f0c.png
 
3)  The scan will automatically run now.
 
mbamreplace_zps3ead4824.png
 
 
4)  When the scan is complete the results will be displayed.  Click on Quarantine All, then click on Apply Actions
 
mbam4_zps23e52ad4.png
 
 
5)  To complete any actions taken you will be asked if you want to restart your computer, click on Yes
 
 mbam4_zps490948cc.png
 
6)  Please post the Malwarebytes log.
 
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  When the log opens, scroll down toward the bottom of the log to Quarantined Items.  Copy and paste this in your next post.


 

 

 

 


#7 chrisarnt

chrisarnt
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:21 PM

Posted 22 May 2014 - 03:29 PM

OK. So I did the ESET scan and the results are below.

I already had the Malwarebytes paid edition and it did not find any of this.

 

ESET found 107 threats and took care of them.

one that is concerning is that there is an infected operating memory file?

Here are the results:

C:\a la mode\WinTOTAL\DaVinci\bin\alamode.Common.InstallUtils.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\a la mode\WinTOTAL\PktTOTAL\pktGenie.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\a la mode\WinTOTAL\System\expand.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\a la mode\WinTOTAL\System\REGSVR32.EXE Win32/Expiro.NBP virus cleaned - quarantined
C:\a la mode\WinTOTAL\System\System32\Install.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\a la mode\WinTOTAL\System\System32\MDAC_TYP.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\a la mode\WinTOTAL\Utils\vcredist_x86.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\a la mode\WinTOTAL\Utils\LocalApps\eSched\ElevateApp.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\continuetosave\uninstall.exe.vir Win32/SProtector.B potentially unwanted application deleted - quarantined
C:\AuroraCD\Setup\dotnetfx35setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\AuroraCD\Setup\MDAC_TYP.EXE Win32/Expiro.NBP virus cleaned - quarantined
C:\AuroraCD\Setup\unzip.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\AuroraCD\Setup\SQL\2005\SQLEXPR.EXE Win32/Expiro.NBP virus cleaned - quarantined
C:\AuroraCD\Setup\SQL\2008R2\SQLEXPR_x86_ENU.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\comm\done4\Setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\J2D6G\setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\JF0K3\UIU64m.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R226750\R226750\Setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R226750\R226750\Custom\DellInfo.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R226750\R226750\Custom\DellInfo64.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R226750\R226750\Win32\instmsia.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R226750\R226750\Win32\instmsiw.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R226750\R226750\Win32\Setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R226750\R226750\Win32\brcmVista\DPInst.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R226750\R226750\Win32\brcmWin7\DPInst.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R226750\R226750\Win64\instmsia.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R226750\R226750\Win64\instmsiw.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R226750\R226750\Win64\Setup.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R226750\R226750\Win64\brcmVista\DPInst.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R226750\R226750\Win64\brcmWin7\DPInst.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R228028\UJ232A_DB_V111_01.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\BcmCrypt.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\BcmSetupUtil.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\bcmwls32.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\bcmwls64.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R260738\bcmwltry.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\bcmwlu00.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\DellInfo.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\DellInfo64.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\IS.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\Setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\SysInfo.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\vcredist_x86.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\wltray.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\wltrysvc.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\vs08\vcredist_x86.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\vs08\x64\vcredist_x64.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\x64\BcmSetupUtil.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R260738\x64\bcmwltry.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R260738\x64\vcredist_x64.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R260738\x64\wltray.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R260738\x64\wltrysvc.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R275082\Setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R279202\setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R279202\x64\Difx64.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R279203\setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R279203\LMS\LMS.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R279203\PICON\PIconStartup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R279203\x64\Difx64.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R279203\x64\MEcp64.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R304345\Setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R304345\Graphics\difx64.exe Win64/Expiro.K virus deleted - quarantined
C:\dell\drivers\R304345\Graphics\igxpun.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R304345\Intel Control Center\SetupICC.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\R304345\x64\Drv64.exe Win64/Expiro.K virus deleted - quarantined
C:\HP_CLJ_3600_Installer_WW\Setup.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\HP_CLJ_3600_Installer_WW\Autorun\hpbipdf.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\HP_CLJ_3600_Installer_WW\Autorun\hpcdb.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\HP_CLJ_3600_Installer_WW\Autorun\launch.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\HP_CLJ_3600_Installer_WW\Temp\HPDIU\x64\HPDIU.exe Win64/Expiro.K virus deleted - quarantined
C:\HP_CLJ_3600_Installer_WW\Temp\HPDIU\x86\HPDIU.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\HP_CLJ_3600_Installer_WW\Temp\HPSIU\HPSIU.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\HP_CLJ_3600_Installer_WW\Temp\HPUIU\HPUIU.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\JRT\choice.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\JRT\cut.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\JRT\sed.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\JRT\shortcut.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\Program Files (x86)\a la mode\sched\ElevateApp.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlmaint.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\xpadsi90.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\Qoobox\Quarantine\C\Users\CDA valuations\bbboxskejkb.exe.vir Win32/LockScreen.APR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\CDA valuations\AppData\Local\Google\Chrome\User Data\Default\Extensions\onmofhdeanllhenfhghklkcijkibnckm\1\51acc1a5d065e5.15362149.js.vir Win32/Adware.MultiPlug.H application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\CDA valuations\AppData\Local\{7D8664A6-EF76-48EC-A94A-8A6178D12AFF}\Apple\kfpemo.dll.vir Win32/TrojanDownloader.Tracur.V trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\CDA valuations\AppData\Roaming\oftbts.dll.vir a variant of Win32/Medfos.DC trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\CDA valuations\AppData\Roaming\Mozilla\Firefox\Profiles\pxru8ugz.default\extensions\pjetaj@y-.com\content\bg.js.vir Win32/Adware.MultiPlug.H application cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\Local\BGworks\rw32core.dll Win32/Boaxxe.BB trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\CDA valuations\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\aewrva.js JS/Agent.NLY trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\rovooawrea.js JS/Expiro.B trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\Local\Google\Chrome\User Data\Default\Users\egefidbnaaaacelalmoonffjocipepch\background.js Win32/TrojanDownloader.Tracur.V trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\Local\Google\Chrome\User Data\Default\Users\egefidbnaaaacelalmoonffjocipepch\cs.js Win32/TrojanDownloader.Tracur.V trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\462dfb0b-61a77d9c a variant of Java/Exploit.Agent.RCN trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\7005134e-4318ec64 a variant of Java/Exploit.Agent.RCN trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\75cf5650-21e700e6 multiple threats cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\7be429d2-2d0d2a1a a variant of Java/Exploit.CVE-2013-0422.FK trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\3ee11953-467a07e7 multiple threats cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\71594d60-1f9ea39a a variant of Java/Exploit.Agent.RCN trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\6222bda4-7a3f6580 a variant of Java/Exploit.Agent.RCN trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\32c5f629-5fb5b131 a variant of Java/Exploit.Agent.QCQ trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\32c5f629-710625eb a variant of Java/Exploit.Agent.QCQ trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\6cd55930-47a72ac6 a variant of Java/Exploit.CVE-2013-0422.FM trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\7e8ed674-6c3d225f a variant of Java/Exploit.CVE-2013-0422.FM trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\11a233bc-3486a922 multiple threats cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\5d47c7c7-7d4092eb a variant of Java/Exploit.CVE-2013-0422.FM trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\2c6d0248-5867aef2 multiple threats cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\Roaming\Mozilla\Firefox\Profiles\pxru8ugz.default\extensions\yvhqxsjohh@yvhqxsjohh.org.xpi Win32/TrojanDownloader.Tracur.V trojan deleted - quarantined
C:\Users\CDA valuations\AppData\Roaming\Mozilla\Firefox\Profiles\pxru8ugz.default\extensions\{531a7473-bd37-cf2d-be38-5b1c0e7a1a34}\chrome\content.jar multiple threats deleted - quarantined
C:\Windows\ehome\sqmapi.dll Win64/Olmasco.AC trojan deleted - quarantined
Operating memory Win32/Boaxxe.BB trojan contained infected files
 

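A way to read a result list like the one above, as an added example (my Python, not the poster's or ESET's code; the sample lines are copied from the post above, chosen to cover each line shape the scanner emitted, and the function names are mine). It parses each line into path, detection name, family and action, then answers the three questions a helper would ask of this list: which families dominate, which items ESET could only flag rather than finish (memory-resident code, files it can only replace at the next boot), and which hits sit inside another tool's quarantine folder and so were already caught earlier. The assumption that ComboFix keeps its quarantine under C:\Qoobox and AdwCleaner under C:\AdwCleaner\Quarantine is mine, not stated in the thread.

```python
import re
from collections import Counter

# Constructed sample: nine lines copied from the ESET results above, one per
# line shape the scanner produced (not the full list).
SAMPLE_RESULTS = r"""
C:\a la mode\WinTOTAL\System\expand.exe Win32/Expiro.NBP virus cleaned - quarantined
C:\dell\drivers\JF0K3\UIU64m.exe Win64/Expiro.K virus deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\continuetosave\uninstall.exe.vir Win32/SProtector.B potentially unwanted application deleted - quarantined
C:\Qoobox\Quarantine\C\Users\CDA valuations\AppData\Roaming\oftbts.dll.vir a variant of Win32/Medfos.DC trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\Local\BGworks\rw32core.dll Win32/Boaxxe.BB trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\7be429d2-2d0d2a1a a variant of Java/Exploit.CVE-2013-0422.FK trojan cleaned by deleting - quarantined
C:\Users\CDA valuations\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\75cf5650-21e700e6 multiple threats cleaned by deleting - quarantined
C:\Windows\ehome\sqmapi.dll Win64/Olmasco.AC trojan deleted - quarantined
Operating memory Win32/Boaxxe.BB trojan contained infected files
"""

# path, then "Platform/Name.Variant" (or "multiple threats"), an optional
# kind word, the action ESET took, and an optional " - quarantined" status.
RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:a variant of )?(?:[A-Za-z0-9]+/[A-Za-z0-9.\-]+|multiple threats))"
    r"(?:\s+(?P<kind>virus|trojan|potentially unwanted application|application))?"
    r"\s+(?P<action>cleaned by deleting(?: \(after the next restart\))?|cleaned|deleted|contained infected files)"
    r"(?:\s+-\s+(?P<status>quarantined))?$"
)

# Assumed quarantine folders of tools the poster had already run
# (ComboFix -> C:\Qoobox, AdwCleaner -> C:\AdwCleaner\Quarantine).
OTHER_TOOL_QUARANTINE = ("C:\\Qoobox\\Quarantine\\", "C:\\AdwCleaner\\Quarantine\\")


def parse_results(text):
    """One dict per result line; the family is the name without its variant suffix."""
    records = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        name = m.group("detection").replace("a variant of ", "")
        family = name.split("/", 1)[1].rsplit(".", 1)[0] if "/" in name else name
        records.append({
            "path": m.group("path"),
            "detection": name,
            "family": family,
            "kind": m.group("kind"),
            "action": m.group("action"),
            "quarantined": m.group("status") == "quarantined",
        })
    return records


def family_counts(records):
    """Detections per family, so one file infector across many folders is obvious."""
    return Counter(r["family"] for r in records)


def needs_follow_up(records):
    """Items ESET could not finish with: memory-resident code and files it can
    only replace at the next boot. These go to the removal helper, not the done pile."""
    return [r["path"] for r in records
            if "after the next restart" in r["action"] or r["action"] == "contained infected files"]


def already_in_other_quarantine(records):
    """Hits inside another tool's quarantine were caught by that tool already;
    they are not evidence that the earlier scanners missed something."""
    return [r["path"] for r in records if r["path"].startswith(OTHER_TOOL_QUARANTINE)]


def infected_roots(records, family):
    """Top-level folders holding files tagged with a family; for a file
    infector this shows how far it has spread across the disk."""
    roots = {"\\".join(r["path"].split("\\")[:2]) for r in records if r["family"] == family}
    return sorted(roots)


if __name__ == "__main__":
    recs = parse_results(SAMPLE_RESULTS)
    for fam, n in family_counts(recs).most_common():
        print(f"{n:3}  {fam}")
    print("needs follow-up:", needs_follow_up(recs))
    print("already quarantined by another tool:", already_in_other_quarantine(recs))
    print("Expiro reached:", infected_roots(recs, "Expiro"))
```

On the full list in the post the same functions show Expiro tags across nearly every installer folder on the disk, a handful of items under C:\Qoobox that ComboFix had already taken, and the two Boaxxe entries (one pending a reboot, one in memory) that ESET reported but did not resolve.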


#8 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:04:21 PM

Posted 22 May 2014 - 03:46 PM

This computer is badly infected.  There are tools which cannot be used in this forum which will be needed to clean your computer.  For this reason you will need to open another topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

 
Before posting your topic there you will need to read and follow the instructions in the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help.
 
This forum is always busy, for this reason it may take a couple of days before a member of the Malware Removal Team will be able to get to your topic.  Do not add anything once you have posted your log.  The Malware Removal Team members look for topics which have not been addressed, if you post any additional information it will make it appear that the topic is being addressed.
 
After you have posted your new topic a Moderator will close this topic.  If after cleaning the infection it is determined that you have a software or hardware issue you can contact a Moderator to have your topic reopened. 


 

 

 

 


#9 chrisarnt

chrisarnt
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:21 PM

Posted 22 May 2014 - 03:48 PM

but this is crazy?  I run Hitman pro at startup.

malwarebytes paid version

windows defender

even combofix.

None of these find this stuff.

 

I also run rkill prior to running antivirus.

How could this be?

Will running ESET again help?



#10 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:04:21 PM

Posted 22 May 2014 - 04:03 PM

Running ESET again is not going to resolve these problems.

 

I've already posted what you need to do now.  I would suggest that you do this ASAP.

 

Once you have things under control you might wish to ask the Malware Response Team member who will be helping you if they can explain why Malwarebytes didn't find this.  You need to remember that different programs look for different types of infections.


Edited by dc3, 22 May 2014 - 04:04 PM.


 

 

 

 


#11 chrisarnt

chrisarnt
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:21 PM

Posted 22 May 2014 - 04:21 PM

Thank you, I will do what you said.  Should I bother using the Malwarebytes you posted above?



#12 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:04:21 PM

Posted 22 May 2014 - 04:58 PM

No, this is going to be taken over by whoever takes on your topic.  At this time I've gone as far as I should and you should do as I suggested in order to get this process started.

 

I would suggest not making any other changes until you are directed by the MRT member to do otherwise.



 

 

 

 




