More Badness & Task Manager Credits "Google Chrome"


1 reply to this topic

#1 Oonder


Posted 18 January 2015 - 06:22 PM

I had been using AVG & found it adequate. I got this computer in fall 2009 with Windows 7 32-bit on it. Since then, I've been using Microsoft Security Essentials.
But it never found anything, until this month.

Nov 21, I decided to try AVG again. D/Led the 30 day trial version & ran it. It found 4 Trojans in less than an hour. There was a "buy right now" sales pitch - pushy already; I was suspicious. Deleted AVG on 26th.

Dec 30, I found right away that my computer is infected with a serious, really active bit of Malware/virus. I don't know its name; it apparently settles into or at least uses a directory in Windows ... C:\Windows\sysWOW\dllhost.exe is said to be the culprit. MalwareBytes was continuously blocking "ads," I guess they are, generated by dllhost.exe? Try as I may, I've not been able to do anything about it.
(Update: I bought & used Malwarebytes in 2014, March thru July I think. It used a lot of CPU while running. Slowed me down. I thoughtlessly deleted it ... at least, I think I did.)
The very frequent message that Malwarebytes is blocking outgoing "stuff" must have been generated by the virus itself, as MWB wasn't on here at that time. My CPU was running at=close to 100%. The main user seemed to be C:\Windows\SysWOW64\dllhost.exe.

Dec 31, MSE found something!: Trojan:Win32/Powessere.A!reg - "severe, active." I said Remove it.

Jan 1, MSE found Trojan:Win32/Powessere.A!reg - "severe, active" again. I said Quarantine it. I was in over my head.
I'd "lost" my trusted computer tech in 2009 & hadn't bothered to find someone else. Looked around, found a recommended one, but about 25 miles away. I took my computer to them on Friday, January 2. (50 mile round trips are no longer on my activity list.)

Jan 6: Computer was fixed & then relapsed; Windows (or Internet?) Explorer didn't work again. They wanted to wipe the HD & reinstall Windows. I said No, 'cause my many data files are scattered about in different folders. Pretty sure I couldn't find them all. So they installed a new HD Local Disk C:\, plus something called Recovery D:\, & my original HD became OS E:\. They warned that this move would be somewhat destructive ... and it was. But at least, the Trojan was gone(?).
Windows 7 64-bit is what I now had. Instead of MSE, they sold me McAfee Intel Antivirus.

Saturday, Jan 10, computer came home. 8 days in the shop.
Windows Explorer couldn't see or show most of my stuff, especially my software. So I began reinstalling the things I use daily. That evening, I was playing my online game. At one point, it crashed, & I saw a brief message about "Display Driver --"

Jan 12, McAfee Intel popped up & said it wasn't doing anything & the Firewall was down. I clicked buttons to put it to work, then registered it. Discovered I now had VipreRescue on Drv E. ... By 6:00 p.m., my CPU was running at=close to 100%. I knew I was infected, reinfected again. Culprit: C:/Users/Jteran/AppData/LocalLow/Microsoft/tlibubmaehm/nkkvbawfc/hgoydlgey. I could not see it at first; AppData didn't show up until I typed it in.

Long story short: My hgoydlgey behaves exactly the same as described in Spoof Google Chrome Processes & Other Badness, Started by 337stat
http://www.bleepingcomputer.com/forums/t/544747/spoof-google-chrome-processes-other-badness/
I reacquired Malwarebytes. Ran it. It found Trojans.

Scan Log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/17/2015
Scan Time: 11:49:39 AM
Logfile: Scan_Log.txt
Administrator: No

Version: 2.00.4.1028
Malware Database: v2015.01.17.04
Rootkit Database: v2015.01.14.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jteran

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 316329
Time Elapsed: 14 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 1
Trojan.Chrome.INJ, C:\Users\Jteran\AppData\Local\Intuit\xuyguhmgtgcj.dll, , [3e3a797fa9e0a98d56b0cd3d0cf6c739],

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Chrome.INJ, HKU\S-1-5-21-2584471922-1738281300-3232750533-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|xuyguhmgtgcj, regsvr32.exe /s "C:\Users\Jteran\AppData\Local\Intuit\xuyguhmgtgcj.dll", , [3e3a797fa9e0a98d56b0cd3d0cf6c739]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Chrome.INJ, C:\Users\Jteran\AppData\Local\Intuit\xuyguhmgtgcj.dll, , [3e3a797fa9e0a98d56b0cd3d0cf6c739],

Physical Sectors: 0
(No malicious items detected)


(end)

Edited by Oonder, 19 January 2015 - 02:58 AM.
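The Run value in that log is the persistence mechanism: at logon, regsvr32 /s silently loads a random-named DLL out of AppData, and the Modules entry shows the same DLL already loaded into a process. As an added example (not code from the poster or from Malwarebytes), here is a small parser for this scan-log layout that pulls out such Run-value loaders and cross-checks them against the Modules section; the sample log is constructed from the entries posted above.

```python
import re

# Constructed sample in the Malwarebytes Anti-Malware 2.x scan-log layout, using
# the detection name, DLL path, Run value and hash from the log posted above.
SAMPLE_LOG = r"""Modules: 1
Trojan.Chrome.INJ, C:\Users\Jteran\AppData\Local\Intuit\xuyguhmgtgcj.dll, , [3e3a797fa9e0a98d56b0cd3d0cf6c739],
Registry Values: 1
Trojan.Chrome.INJ, HKU\S-1-5-21-2584471922-1738281300-3232750533-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|xuyguhmgtgcj, regsvr32.exe /s "C:\Users\Jteran\AppData\Local\Intuit\xuyguhmgtgcj.dll", , [3e3a797fa9e0a98d56b0cd3d0cf6c739]
Files: 1
Trojan.Chrome.INJ, C:\Users\Jteran\AppData\Local\Intuit\xuyguhmgtgcj.dll, , [3e3a797fa9e0a98d56b0cd3d0cf6c739],
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# "<detection>, <location>[, <data>], , [<md5>]" with an optional trailing comma.
ENTRY_RE = re.compile(r"^(?P<name>[^,]+), (?P<body>.*), , \[(?P<hash>[0-9a-f]{32})\],?$")
# Run-value data that hands a DLL to regsvr32 in silent (/s) mode.
REGSVR_RE = re.compile(r'regsvr32(?:\.exe)?\s+/s\s+"?([^"]+\.dll)"?', re.I)

def parse_mbam_log(text):
    """Return one dict (section, name, location, data, hash) per detection line."""
    entries, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            # Registry values carry "key|value, data"; files and modules only a path.
            location, _, data = m.group("body").partition(", ")
            entries.append({"section": section, "name": m.group("name"),
                            "location": location, "data": data, "hash": m.group("hash")})
    return entries

def find_run_key_loaders(entries):
    """Flag Run values that load a DLL via regsvr32; note AppData origin and live load."""
    loaded = {e["location"].lower() for e in entries if e["section"] == "Modules"}
    hits = []
    for e in entries:
        if e["section"] != "Registry Values" or "\\RUN|" not in e["location"].upper():
            continue
        m = REGSVR_RE.search(e["data"])
        if m:
            dll = m.group(1)
            hits.append({"value": e["location"].rsplit("|", 1)[1], "dll": dll,
                         "in_appdata": "\\appdata\\" in dll.lower(),
                         "loaded": dll.lower() in loaded})
    return hits
```

A hit with both `in_appdata` and `loaded` set is the case in this thread: a per-user autostart pointing at a DLL under the profile, still resident when the scan ran.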

#2 InadequateInfirmity


Posted 18 January 2015 - 06:26 PM

Can you re-run Malwarebytes, this time remove the infections, and post the new log?

Step 1: Minitoolbox.

Please download MINITOOLBOX and run it.

Check the following boxes:

  • Flush DNS
  • Reset FF proxy Settings
  • Reset Ie Proxy Settings
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
  • List Devices (problems only)

Click Go and post the result.

Step 2: Junkware Removal Tool.
 
Please download Junkware Removal Tool and save it on your desktop.

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please post the JRT log.

Step 3: Adware Cleaner.
 
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • When the scan has finished, click on the Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 4: Adware Removal Tool.

Download Adware Removal Tool to your desktop, right-click the icon and select Run as Administrator.

Hit OK.

Hit Next, making sure to leave all items checked for removal.

The program will close all open programs to complete the removal, so save any work and hit OK. Then hit OK after the removal process is complete, then OK again to finish up. Post the log generated by the tool.
 
Step 5: Malwarebytes Anti-Rootkit

Download Malwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract; make sure it is on the desktop.
  • Malwarebytes Anti-Rootkit needs to be run from an account with admin rights.
  • Click Next to continue.
  • Then click Update.
  • Once the update is finished, select Next, then Scan.
  • If no malware has been found, at the end of the scan select Exit.
  • If an infection was found, make sure to select all items and click Cleanup.
  • Reboot your machine.
  • Open the MBAR folder and paste the content of the following into your next reply:
    • mbar-log-{date} (xx-xx-xx).txt
    • system-log.txt

Step 6: Security Check Log.
 
Download Security Check from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document

 
Step 7: Report
 
Tell me how the machine is performing, and if you need help performing any steps. Also post all requested logs.