Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible malware - spawning folders/files in Content.IE5


  • This topic is locked This topic is locked
2 replies to this topic

#1 gshafer72

gshafer72

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 11 August 2014 - 11:28 AM

Hello all,

 

I am receiving antivirus warnings about a blocked process on a Windows 7 Enterprise SP1 PC from my Vipre Antivirus. Running Malware Bytes shows no results at all, and honestly seems to skip right through the registry scan, which naturally generates concerns - full threat scan finishing in just over 4 minutes. Below is the alert being received from Vipre. Looking in the AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 folder, there are multiple folders that seem to spawn and eventually delete, but are constantly replaced with new folders. The contents naturally seem very "spammy".

 

Ran a SpyBot search which also identified nothing, along with a HijackThis scan (log attached)

 

Any suggestions on where to start with this would be greatly appreciated.

 

Event Information

 

Event Occurred

2014-08-10T12:11:10

Event Type

Auto Processing without Notification

Timeout

0(s)

Monitor Source

On File Access

Monitor Type

File

Recommend System Scan

No

Event Actor Enum

Object

 

 

Application Information

 

File Path

C:\Windows\SysWow64\svchost.exe

Process ID

1016420

File Size

20992( B)

CRC8

0000000000000000

Application Rating

Known Good

Added To Always Allow List

No

Company

Microsoft Corporation

File Version

6.1.7600.16385 (win7_rtm.090713-1255)

Product Name

Microsoft® Windows® Operating System

Product Version

6.1.7600.16385

Description

Host Process for Windows Services

Copyright

© Microsoft Corporation. All rights reserved.

 

 

 

File Path

C:\Users\localusernameremoved\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G4FE4264\ad4[1].htm

MD5

ab7626ce6a259d97ad24be485b6aa426

CRC8

0000000000000000

Application Rating

Known Bad

Threat ID

4723419

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:14 AM

Posted 16 August 2014 - 08:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 
Clean your Temporary files/Folders.
 
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot. 
  • If it does not reboot, reboot your system manually.
  •  
    Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the  Scan  button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  •  
    IMPORTANT
     
    • If you click the Clean button all items listed in the report will be removed.
     
    If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
     
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the  Scan  button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
  • ===
     
    HijackThis is not ready for your Operating systems.
    You can remove it using the Add/Remove Program applet.
    Use this one from now on instead.
     
    Download the  version of this tool for your operating system.
    and save it to a folder on your computer's Desktop.
    Double-click to run it. When the tool opens click Yes to disclaimer.
    Press Scan button.
    It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
    ===
     
    Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
    To attach a file select the "More Reply Option" and follow the instructions.
     
    How is the computer running?
    Wait for further instructions.


    #3 nasdaq

    nasdaq

    • Malware Response Team
    • 38,925 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:03:14 AM

    Posted 22 August 2014 - 07:55 AM

    Due to the lack of feedback, this topic is now closed.

    In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

    Please include a link to your topic in the Private Message. Thank you.




    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users