
I have Browser.exe *32 virus. How do I remove it?


27 replies to this topic

#1 granwadoo

granwadoo

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 08 September 2014 - 07:49 PM

Hi,

 

I've determined that I have the Browser.exe *32 virus on one of my systems and would greatly appreciate help in removing it.

I am running Windows 7 Home Premium and my browser is Mozilla Firefox.

I'm hoping someone can walk me through how to remove this virus.

I first noticed my system running really slow this weekend.

In Task manager under applications I noticed Google Chrome entries. I don't have Google Chrome.

Under Processes there were about a dozen browser.exe *32 processes running and as quick as I could attempt to end them more would start up.

I've disconnected the system from internet and network after I realized that I'm infected.

Please help

 

Thx Gran





#2 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:13 AM

Posted 09 September 2014 - 06:07 AM

Hello,
 
Please run Autoruns, and attach the file in your next reply. 
 
Autoruns

  • Please download Autoruns and save the file to your Desktop.
  • Right-click Autoruns.exe and select Run as administrator to run the programme.
  • Click Agree to End User Licence Agreement (EULA).
  • Allow the programme to scan. Once completed, click File, then Save and save the autoruns log (Autoruns.arn) to your Desktop
  • Close Autoruns.
  • Right-click Autoruns.arn, hover your mouse over Send To and click Compressed (zipped) Folder.
  • Attach the Autoruns.zip folder in your next reply. 


#3 granwadoo

granwadoo
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 09 September 2014 - 07:57 PM

Hi,

 

Thanks for responding. I did the Autorun but I can't figure out how to attach the file to the post.

 

Thx

Gran



#4 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:13 AM

Posted 10 September 2014 - 04:48 AM

Hello, 

 

Please refer to the following image. Follow the arrows. 



#5 granwadoo

granwadoo
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 10 September 2014 - 08:36 AM

Hi,

 

Sorry but I do not appear to have an attach option in the 'reply to this topic' window.

 

Thx

Gran



#6 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:13 AM

Posted 10 September 2014 - 08:42 AM

OK. 

 

Please upload the file to my channel. 

http://www.bleepingcomputer.com/submit-malware.php?channel=174



#7 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:13 AM

Posted 12 September 2014 - 06:55 AM

Hello, 

 

You've uploaded the wrong file. I need you to upload the .arn file, not the .exe file. 

 

If you're unsure which is which, rerun Autoruns, click File, followed by Save, and name the file Autoruns Log.

Upload Autoruns Log.arn to my channel please.



#8 granwadoo

granwadoo
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 12 September 2014 - 08:58 AM

HI,

 

I uploaded the log. I did get an error running Autoruns. "Could not get Wmi subscriptions. The wait operation timed out"

 

Thanks

Gran



#9 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:13 AM

Posted 12 September 2014 - 09:19 AM

Hello, 
 
Let's adopt a different approach. 
 
STEP 1
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 2
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 3
Internet Flush

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    @echo off
    rem Everything below is logged to flushresults.txt on the Desktop; 2>&1 captures error text as well.
    echo Flushing Internet. Please wait... >"%userprofile%\desktop\flushresults.txt"
    rem Drop and re-acquire the DHCP lease, then flush the DNS resolver cache.
    ipconfig /release >>"%userprofile%\desktop\flushresults.txt" 2>&1
    ipconfig /renew >>"%userprofile%\desktop\flushresults.txt" 2>&1
    ipconfig /flushdns >>"%userprofile%\desktop\flushresults.txt" 2>&1
    rem Reset the Winsock catalogue (removes any installed LSPs) and the IPv4/IPv6 stacks; a reboot completes the reset.
    netsh winsock reset all >>"%userprofile%\desktop\flushresults.txt" 2>&1
    netsh int ipv4 reset >>"%userprofile%\desktop\flushresults.txt" 2>&1
    netsh int ipv6 reset >>"%userprofile%\desktop\flushresults.txt" 2>&1
    rem Recursive listing of AppData\LocalLow for review; the path is quoted in case the profile name contains spaces.
    echo Enumerating Contents of Directory. Please wait... >"%userprofile%\desktop\dirlook.txt"
    dir "%userprofile%\AppData\LocalLow" /s >>"%userprofile%\desktop\dirlook.txt" 2>&1
    echo Finished. Your computer will reboot. >>"%userprofile%\desktop\dirlook.txt" 2>&1
    shutdown -r -t 1
    rem The batch file removes itself.
    del %0
  • Click Format. Ensure Wordwrap is unchecked.
  • Click File > Save As and name the file flush.bat
  • Select All Files as the Save as type.
  • Save the file to your Desktop.
  • Locate flush.bat on your Desktop. Right-click the icon and click Run as administrator.
  • Your computer will reboot. If not, please manually reboot. 
  • After the reboot, two logs (flushresults.txt & dirlook.txt) will be on your Desktop. Copy the contents of the logs and paste in your next reply. 
  • Note: If dirlook.txt is very large, please upload the log to my channel. 
     

======================================================

STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • AdwCleaner[S0].txt
  • JRT.txt
  • flushresults.txt
  • dirlook.txt

Edited by LiquidTension, 12 September 2014 - 02:22 PM.


#10 granwadoo

granwadoo
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 12 September 2014 - 01:21 PM

Hi,

 

Here you go. Thanks. I will upload dirlook.txt. It was too long to post.

 

AdwCleaner:

# AdwCleaner v3.309 - Report created 12/09/2014 at 10:26:47
# Updated 02/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Tbone - TBONE-HP
# Running from : C:\Users\Tbone\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

File Deleted : C:\Users\Public\Desktop\eBay.lnk

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16421

-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Users\Tbone\AppData\Roaming\Mozilla\Firefox\Profiles\gce7ar1r.default\prefs.js ]

Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_bgcolor", false);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_bgimages", false);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_colorspace", "");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_command", "");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_downloadfonts", false);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_duplex", 1515870810);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_edge_bottom", 0);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_edge_left", 0);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_edge_right", 0);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_edge_top", 0);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_evenpages", true);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_in_color", true);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_margin_bottom", "0.5");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_margin_left", "0.5");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_margin_right", "0.5");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_margin_top", "0.5");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_oddpages", true);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_orientation", 0);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_page_delay", 50);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_paper_data", 1);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_paper_height", " 11.00");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_paper_name", "");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_paper_size_type", 0);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_paper_size_unit", 0);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_paper_width", "  8.50");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_plex_name", "");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_resolution", 1515870810);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_resolution_name", "");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_reversed", false);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_scaling", "  1.00");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_shrink_to_fit", true);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_to_file", false);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_to_filename", "");
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_unwriteable_margin_bottom", 0);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_unwriteable_margin_left", 0);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_unwriteable_margin_right", 0);
Line Deleted : user_pref("print.printer_\\\\SWEETPEA-PC\\HP_Deskjet_F4400_series.print_unwriteable_margin_top", 0);
Line Deleted : user_pref("print_printer", "\\\\SWEETPEA-PC\\HP Deskjet F4400 series");

*************************

AdwCleaner[R0].txt - [6429 octets] - [12/09/2014 10:21:43]
AdwCleaner[S0].txt - [6095 octets] - [12/09/2014 10:26:47]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6155 octets] ##########

 

JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Tbone on Fri 09/12/2014 at 10:58:26.36
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?

    Value Name          Type                             Value Data                    
========================================================================================
    CottonInfinity    REG_SZ    C:\Windows\system32\rundll32.exe "C:\Users\Tbone\AppData\Local\CottonInfinity\CottonInfinity.dll",DllRegisterServer

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6C228F29-E559-4654-A222-7364744ACBC2}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{6C228F29-E559-4654-A222-7364744ACBC2}

 

~~~ Files

 

~~~ Folders

 

~~~ FireFox

Emptied folder: C:\Users\Tbone\AppData\Roaming\mozilla\firefox\profiles\gce7ar1r.default\minidumps [25 files]

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 09/12/2014 at 11:27:51.59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

flushresults:

Flushing Internet. Please wait...

Windows IP Configuration

No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
No operation can be performed on Wireless Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.

Windows IP Configuration

No operation can be performed on Wireless Network Connection 2 while it has its media disconnected.
No operation can be performed on Wireless Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

Reseting Global, OK!
Reseting Interface, OK!
Reseting Subinterface, OK!
Restart the computer to complete this action.

Reseting Interface, OK!
Reseting Subinterface, OK!
Restart the computer to complete this action.
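The JRT log above reports a HKCU\..\Run value that starts rundll32.exe against a DLL under AppData\Local with DllRegisterServer as the entry point. As an added example (not part of the original thread and not JRT's or Autoruns' own logic), the Python below applies the two checks a responder makes on such an entry: whether the module that actually ends up running lives in a user-writable profile directory, and whether rundll32 is being used with DllRegisterServer as the entry point. The CottonInfinity value is copied from the log above; the other two Run values are constructed benign entries for comparison, and the set of "user-writable" locations is an assumption chosen for this example.

```python
import re
from dataclasses import dataclass

# Profile and shared locations an unprivileged user can write to (assumed list).
# Legitimate software normally installs under Program Files or Windows, so an
# autostart that loads code from one of these deserves a look.
_USER_WRITABLE = re.compile(
    r"\\appdata\\(local|locallow|roaming)\\"
    r"|\\temp\\"
    r"|^c:\\programdata\\"
    r"|^c:\\users\\public\\",
    re.I,
)

# First token of a Windows command line (quoted or bare), then the remainder.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)

# rundll32 argument form: <dll>,<EntryPoint>; the DLL path may be quoted.
_RUNDLL_ARGS = re.compile(r'^\s*(?:"([^"]+)"|([^,\s]+))\s*,\s*(\S+)?')


@dataclass
class Finding:
    name: str       # Run value name
    launcher: str   # image the Run value executes
    module: str     # file whose code actually runs
    reasons: list


def split_command(data: str):
    """Split a Run value's data into (image, arguments)."""
    m = _FIRST_TOKEN.match(data)
    if not m:
        return "", ""
    return (m.group(1) or m.group(2)), m.group(3)


def triage_run_value(name: str, data: str):
    """Return a Finding when the autostart looks suspicious, otherwise None."""
    launcher, args = split_command(data)
    module, reasons = launcher, []
    if launcher.rsplit("\\", 1)[-1].lower() == "rundll32.exe":
        m = _RUNDLL_ARGS.match(args)
        if m:
            module = m.group(1) or m.group(2)
            entry = m.group(3) or ""
            if entry.lower() == "dllregisterserver":
                reasons.append("rundll32 entered via DllRegisterServer")
    if _USER_WRITABLE.search(module):
        reasons.append("module loaded from a user-writable directory")
    return Finding(name, launcher, module, reasons) if reasons else None


def triage_all(values):
    """Triage a {name: data} mapping of Run values; returns only the findings."""
    return [f for f in (triage_run_value(n, d) for n, d in values.items()) if f]


# Sample Run values: the first is the entry JRT reported in this thread, the
# other two are constructed benign entries for comparison.
SAMPLE_RUN_VALUES = {
    "CottonInfinity": r'C:\Windows\system32\rundll32.exe "C:\Users\Tbone\AppData\Local\CottonInfinity\CottonInfinity.dll",DllRegisterServer',
    "MSC": r'"C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey',
    "ControlPanelShim": r'C:\Windows\system32\rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
}


if __name__ == "__main__":
    for f in triage_all(SAMPLE_RUN_VALUES):
        print(f"{f.name}: {f.module}")
        for r in f.reasons:
            print("  -", r)
```

A rundll32 entry that points at a DLL in System32 (the third sample) is not flagged on its own, because OEM and Windows components use that form legitimately; the combination of a profile-directory DLL and DllRegisterServer is what makes the CottonInfinity entry stand out.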



#11 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:13 AM

Posted 12 September 2014 - 02:43 PM

Good job. 
 
We've found the offending directories/files. I also overlooked the malicious .dll in your Autoruns log, which I have now identified. 
Before proceeding, please do the following. 
 
VirusTotal Upload

  • Please go to VirusTotal.com.
  • Click Choose File and locate the following file:
    • C:\Users\Tbone\AppData\LocalLow\wbqfbky.dll
  • Click Scan it!.
  • If you receive the following notification: File already analysed click Reanalyse.
  • Once the file has been analyzed, copy the page URL at the top of the window and paste in your next reply.


#12 granwadoo

granwadoo
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 12 September 2014 - 03:22 PM

Hi,

 

I think I did this correctly. Thank you.

 

https://www.virustotal.com/en/file/1d9bc678d1fb1ecdca6f2ef9654f8d08914c5c66bf5e0e93ec70856f8895410c/analysis/1410552479/

 

Also, When I turned on wifi to go to VirusTotal I started getting Malware Malicious Website Protection warnings. Here is the log.

 

Malwarebytes Anti-Malware

Protection, 9/12/2014 10:28:39 AM, SYSTEM, TBONE-HP, Protection, Malware Protection, Starting,
Protection, 9/12/2014 10:28:39 AM, SYSTEM, TBONE-HP, Protection, Malware Protection, Started,
Protection, 9/12/2014 10:28:39 AM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, Starting,
Protection, 9/12/2014 10:28:48 AM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, Started,
Protection, 9/12/2014 12:53:37 PM, SYSTEM, TBONE-HP, Protection, Malware Protection, Starting,
Protection, 9/12/2014 12:53:37 PM, SYSTEM, TBONE-HP, Protection, Malware Protection, Started,
Protection, 9/12/2014 12:53:37 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, Starting,
Protection, 9/12/2014 12:53:47 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, Started,
Protection, 9/12/2014 3:02:05 PM, SYSTEM, TBONE-HP, Protection, Malware Protection, Starting,
Protection, 9/12/2014 3:02:05 PM, SYSTEM, TBONE-HP, Protection, Malware Protection, Started,
Protection, 9/12/2014 3:02:05 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, Starting,
Protection, 9/12/2014 3:02:05 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, Started,
Detection, 9/12/2014 3:03:15 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.81, xmlclick-g.com, 49188, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:03:16 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.81, xmlclick-g.com, 49189, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:03:16 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.81, xmlclick-g.com, 49188, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:03:35 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.81, xmlclick-g.com, 49215, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:05:40 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.89, xmlclick-g.com, 49361, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:05:40 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.89, xmlclick-g.com, 49362, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:05:40 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.89, xmlclick-g.com, 49361, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:06:16 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.89, xmlclick-g.com, 49392, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:07:44 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.89, xmlclick-g.com, 49450, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:08:30 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.89, xmlclick-g.com, 49478, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,

(end)
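The Malwarebytes protection log above is one comma-separated event per line. As an added example (not code from the original thread and not part of Malwarebytes), the Python below parses Detection lines of that shape and collapses them into what a responder would keep from such a log: the process that made the connections, the remote IPs and domains it contacted, and whether the process image sits under AppData, where no real browser is installed. The sample lines are copied from the post above; the field layout is inferred from those lines and is an assumption.

```python
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Lines copied from the Malwarebytes protection log posted above. Field layout
# (inferred from these lines, so an assumption):
#   type, timestamp, user, host, component, module, kind, remote ip, domain,
#   local port, direction, process path
SAMPLE_LOG = r"""
Protection, 9/12/2014 3:02:05 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, Started,
Detection, 9/12/2014 3:03:15 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.81, xmlclick-g.com, 49188, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:03:16 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.81, xmlclick-g.com, 49189, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
Detection, 9/12/2014 3:05:40 PM, SYSTEM, TBONE-HP, Protection, Malicious Website Protection, IP, 88.214.197.89, xmlclick-g.com, 49361, Outbound, C:\Users\Tbone\AppData\LocalLow\CalculatorPale\VinylModel\browser.exe,
"""


@dataclass(frozen=True)
class Detection:
    timestamp: str
    remote_ip: str
    domain: str
    local_port: int
    direction: str
    process: str


def parse_detections(text: str):
    """Return the IP Detection events in a protection log; other lines are ignored."""
    events = []
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if len(row) < 12 or row[0] != "Detection" or row[6] != "IP":
            continue
        events.append(Detection(row[1], row[7], row[8], int(row[9]), row[10], row[11]))
    return events


def process_in_profile(path: str) -> bool:
    """True when the image runs from AppData, which no installed browser does."""
    return "\\appdata\\" in path.lower()


def summarize(events):
    """Group events by process: connection count, distinct IPs/domains, path flag."""
    summary = defaultdict(lambda: {"connections": 0, "outbound": 0, "ips": set(),
                                   "domains": set(), "suspicious_path": False})
    for e in events:
        s = summary[e.process]
        s["connections"] += 1
        s["outbound"] += e.direction == "Outbound"
        s["ips"].add(e.remote_ip)
        s["domains"].add(e.domain)
        s["suspicious_path"] = process_in_profile(e.process)
    return dict(summary)


def iocs(events):
    """Flat, de-duplicated indicator lists to carry into the cleanup step."""
    return {
        "files": sorted({e.process for e in events}),
        "domains": sorted({e.domain for e in events}),
        "ips": sorted({e.remote_ip for e in events}),
    }


if __name__ == "__main__":
    evs = parse_detections(SAMPLE_LOG)
    for proc, s in summarize(evs).items():
        flag = "  <- runs from the user profile" if s["suspicious_path"] else ""
        print(f"{proc}{flag}")
        print(f"  {s['connections']} connections ({s['outbound']} outbound) to "
              f"{', '.join(sorted(s['domains']))} [{', '.join(sorted(s['ips']))}]")
    print(iocs(evs))
```

The file paths in the output are the same ones the removal batch in the next reply targets; a grouped view like this is how a responder confirms that every connecting process has a matching delete step before the machine goes back on the network.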



#13 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:13 AM

Posted 12 September 2014 - 05:42 PM

Hello, 
 
Please do the following, and post the log generated. After downloading DelFix, you can disconnect from the Internet.
 
Create a Restore Point by following these instructions.
 
STEP 1
DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Remove the checkmark next to the following items:
    • Remove disinfection tools
  • Place a checkmark next to the following items:
    • Create registry backup
  • Click the Run button.
     

STEP 2
Batch File

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    @echo off
    rem Stop the running copies first so their files are not locked; /t also ends child processes.
    echo Killing Processes... >"%userprofile%\desktop\fix.txt"
    taskkill /f /t /im browser.exe >>"%userprofile%\desktop\fix.txt" 2>&1
    rem rundll32.exe is the host for CottonInfinity.dll; this ends every rundll32 instance.
    taskkill /f /t /im rundll32.exe >>"%userprofile%\desktop\fix.txt" 2>&1
    echo. >>"%userprofile%\desktop\fix.txt" 2>&1
    echo Deleting Run Value... >>"%userprofile%\desktop\fix.txt" 2>&1
    rem Remove the autostart that reloads the DLL at logon.
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CottonInfinity /f >>"%userprofile%\desktop\fix.txt" 2>&1
    echo. >>"%userprofile%\desktop\fix.txt" 2>&1
    echo Deleting Folders/Files... >>"%userprofile%\desktop\fix.txt" 2>&1
    rem Remove the folders; error text is logged so a locked file shows up in fix.txt.
    rd /s /q "C:\Users\Tbone\AppData\LocalLow\CalculatorPale" >>"%userprofile%\desktop\fix.txt" 2>&1
    rd /s /q "C:\Users\Tbone\AppData\LocalLow\ValidatorOptional" >>"%userprofile%\desktop\fix.txt" 2>&1
    rd /s /q "C:\Users\Tbone\AppData\LocalLow\VolunteerBeerware" >>"%userprofile%\desktop\fix.txt" 2>&1
    rd /s /q "C:\Users\Tbone\AppData\Local\CottonInfinity" >>"%userprofile%\desktop\fix.txt" 2>&1
    rem Confirm each folder is actually gone.
    if exist "C:\Users\Tbone\AppData\LocalLow\CalculatorPale" echo Operation failed. >>"%userprofile%\desktop\fix.txt" 2>&1
    if not exist "C:\Users\Tbone\AppData\LocalLow\CalculatorPale" echo Successfully completed operation. >>"%userprofile%\desktop\fix.txt" 2>&1
    if exist "C:\Users\Tbone\AppData\LocalLow\ValidatorOptional" echo Operation failed. >>"%userprofile%\desktop\fix.txt" 2>&1
    if not exist "C:\Users\Tbone\AppData\LocalLow\ValidatorOptional" echo Successfully completed operation. >>"%userprofile%\desktop\fix.txt" 2>&1
    if exist "C:\Users\Tbone\AppData\LocalLow\VolunteerBeerware" echo Operation failed. >>"%userprofile%\desktop\fix.txt" 2>&1
    if not exist "C:\Users\Tbone\AppData\LocalLow\VolunteerBeerware" echo Successfully completed operation. >>"%userprofile%\desktop\fix.txt" 2>&1
    if exist "C:\Users\Tbone\AppData\Local\CottonInfinity" echo Operation failed. >>"%userprofile%\desktop\fix.txt" 2>&1
    if not exist "C:\Users\Tbone\AppData\Local\CottonInfinity" echo Successfully completed operation. >>"%userprofile%\desktop\fix.txt" 2>&1
    rem Remove the DLL identified from the Autoruns log and confirm it is gone.
    del /f /s /q "C:\Users\Tbone\AppData\LocalLow\wbqfbky.dll" >>"%userprofile%\desktop\fix.txt" 2>&1
    if exist "C:\Users\Tbone\AppData\LocalLow\wbqfbky.dll" echo Operation failed. >>"%userprofile%\desktop\fix.txt" 2>&1
    echo. >>"%userprofile%\desktop\fix.txt" 2>&1
    echo Finished. >>"%userprofile%\desktop\fix.txt" 2>&1
    start notepad "%userprofile%\desktop\fix.txt"
    rem The batch file removes itself.
    del %0
  • Click Format. Ensure Wordwrap is unchecked.
  • Click File > Save As and name the file delfile.bat
  • Select All Files as the Save as type.
  • Save the file to your Desktop.
  • Locate delfile.bat on your Desktop. Right-click the icon and click Run as administrator.
  • A log (fix.txt) will open on your Desktop. Copy the contents of the log and paste in your next reply.

Edited by LiquidTension, 12 September 2014 - 06:10 PM.


#14 granwadoo

granwadoo
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 13 September 2014 - 01:18 PM

Hi,

 

The link for DelFix did not work.

 

Thanks

Gran



#15 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:13 AM

Posted 13 September 2014 - 01:25 PM

Hello,

 

Try this. Let me know if you're able to download the programme.





