Suspicious process and .exe can't be removed


This topic is locked. 14 replies to this topic.

#1 Rangah (Members, 15 posts)

Posted 09 August 2015 - 11:12 AM

Hi. As I was checking my processes tab earlier today, I noticed an unusual process called find.exe, which has never been there before. When I tried to click Open File Location, nothing happened. It also keeps disappearing from the processes list after 4 or so seconds for a brief moment, only to return. I can't stop it, as it says Unable to terminate process:
[screenshot]
As you can see the description box is empty. I've tried killing it through CMD:
[screenshot]
and AVG immediately pops a warning message:
[screenshot]
Even though I choose the Protect Me option and remove it, the find.exe process is back again. I've done this three times already, and the warning has popped up in every try. Doing a bit of searching, I found that the find.exe is located in my System32 folder:
[screenshot]
Even though it says it was created in 2009, I've never seen it in my processes tab. It cannot be deleted:
[screenshot]
I am the administrator and have given myself full control for the System32 folder through the security tab:
[screenshot]
I've done it, because when I tried to delete it before, it said I needed the permission from TrustedInstaller.

 

I am really annoyed by this and have come to seek help on your forum. A massive thanks for all the help in advance.
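Added example (not part of this thread, and not one of the tools the helper prescribes): a PowerShell triage for exactly the situation described in this post. C:\Windows\System32\find.exe is a standard Windows command-line utility, so the two questions a defender wants answered are whether the file on disk is the genuine, signed one (and why an administrator cannot delete it: protected Windows files are owned by TrustedInstaller) and what keeps launching a process that "disappears and comes back". The script assumes an elevated PowerShell 4.0 or later prompt; the path and process name are the ones the poster reported, and the helper function names are this example's own.

```powershell
# Added example, not from the thread. Triage a binary that shows up as a process you
# do not recognise, and catch what keeps relaunching it. Needs an elevated PowerShell
# 4.0+ prompt (Get-FileHash). The path and process name are the ones the poster gave.
$Target = 'C:\Windows\System32\find.exe'

function Get-BinaryTriage {
    param([Parameter(Mandatory)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Exists = $false }
    }
    $item = Get-Item -LiteralPath $FilePath
    $sig  = Get-AuthenticodeSignature -LiteralPath $FilePath
    $hash = Get-FileHash -LiteralPath $FilePath -Algorithm SHA256
    $acl  = Get-Acl -LiteralPath $FilePath

    # Running processes whose image is exactly this file. WMI returns a null
    # ExecutablePath for processes we are not allowed to inspect, hence the guard.
    $pids = @(Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue |
              Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $FilePath) } |
              ForEach-Object { $_.ProcessId })

    [pscustomobject]@{
        Path            = $FilePath
        Exists          = $true
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        LastWrite       = $item.LastWriteTime
        # Protected Windows components are owned by NT SERVICE\TrustedInstaller,
        # which is why an administrator is refused when deleting them.
        Owner           = $acl.Owner
        # Status is the Authenticode result (Valid, NotSigned, HashMismatch, ...).
        # VersionInfo strings are free text any author can set; the signer is not.
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        FileDescription = $item.VersionInfo.FileDescription
        CompanyName     = $item.VersionInfo.CompanyName
        SHA256          = $hash.Hash
        RunningPids     = $pids
    }
}

function Watch-ProcessByName {
    # Polls WMI for processes with this image name and records the parent of each
    # new instance, so a short-lived process is traced back to whatever keeps
    # starting it (a startup item, a scheduled task, a script, another program).
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Seconds = 60,
        [int]$IntervalMs = 250
    )
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Get-CimInstance -ClassName Win32_Process -Filter "Name = '$Name'" -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Key on pid plus creation time: Windows reuses process IDs.
                $key = "$($_.ProcessId)|$($_.CreationDate)"
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = $true
                    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)" -ErrorAction SilentlyContinue
                    [pscustomobject]@{
                        Seen        = Get-Date
                        ProcessId   = $_.ProcessId
                        CommandLine = $_.CommandLine
                        ParentPid   = $_.ParentProcessId
                        ParentName  = $parent.Name          # null if the parent already exited
                        ParentPath  = $parent.ExecutablePath
                    }
                }
            }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

Get-BinaryTriage -FilePath $Target | Format-List
Watch-ProcessByName -Name 'find.exe' -Seconds 30 | Format-Table -AutoSize
```

A genuine copy shows Owner NT SERVICE\TrustedInstaller and SignatureStatus Valid with a Microsoft signer; anything else on a System32 path is worth a closer look. The watcher's ParentName and CommandLine columns are what turn "it keeps coming back" into a concrete launcher to investigate.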

 

 




#2 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 10 August 2015 - 04:58 AM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#3 Rangah (Topic Starter)

Posted 10 August 2015 - 02:16 PM

Hi, sorry for the late reply, here are the logs:

[Spoiler: FRST.txt]

[Spoiler: Addition.txt]

 

I would also like to note that the process and the .exe seem to be gone now. I have not done anything. My computer has been in sleep mode for about 23 hours until now. I will also not be able to check the thread tomorrow until the time this was posted due to work. I hope it is not an issue.



#4 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 10 August 2015 - 04:31 PM

Hi there,

Step 1
  • Please download and install Revo Uninstaller Free
    note: there is no need to click anything on that page, the download will start automatically
  • Double click Revo Uninstaller to run it
  • From the list of programs double click on the listed program(s) to remove it:
    Ask Toolbar Updater
    GadgetBox
    GadgetBox Expansion
    GMABooster 2.1b 
    SaveAs
    Search Assistant MocaFlix 1.66
    Tiny Download Manager
  • When prompted if you want to uninstall click Yes
  • Be sure the Moderate option is selected then click Next
  • The program will run, If prompted again click Yes
  • When the built-in uninstaller is finished click on Next
  • Once the program has searched for leftovers click Next
  • Check the items in bold only on the list then click Delete
    note: you may have to expand some folders by clicking the "+" mark
  • When prompted click on Yes and then on Next
  • Put a check on any folders that are found and select Delete
  • When prompted select Yes then Next
  • Once done click Finish
Step 2

Please download AdwCleaner (by Xplode) and save it to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select "Run As Administrator"
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • After rebooting, a log file (that is saved in C:\AdwCleaner[S#].txt) will open automatically.
    Copy and paste the contents of that logfile in your next reply.
Step 3

Please download Combofix (by sUBs) and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start Combofix.exe and follow its instructions.
  • Do not use the computer while the scan is running. This may cause the program to stall.
  • When finished, a log file will be displayed (that can also be found at C:\Combofix.txt).
    Please copy and paste the contents of this file into your next post.
Note: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." after the scan, just restart the computer.
(You can find more detailed instructions in this guide on using Combofix.)
regards,
deeprybka

#5 Rangah (Topic Starter)

Posted 11 August 2015 - 12:51 PM

Hi, I have uninstalled the programs you listed and here are the logs:

[Spoiler: AdwCleaner]

[Spoiler: Combofix]



#6 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 11 August 2015 - 03:55 PM

Here are the next steps for you:

Step 1

Please download and install Malwarebytes Anti-Malware.
  • Please open Malwarebytes Anti-Malware and update the database.
  • Click "Settings" [1] and go to "Detection and Protection" [2]
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard [3], then click on Scan Now [4] to start the scan.
    If Malware or Potentially Unwanted Programs [PUPs] are found, you will receive a prompt.
  • Click on "Remove Selected" [5].
  • Then click "Save Results" [6] and select the export option shown in the original screenshot.
  • Return to our forum. Paste your log into your next reply and then click Finish [7].

Step 2

Start FRST with administrator privileges.
  • Make sure the following option is checked: Addition.txt
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

regards,
deeprybka

#7 Rangah (Topic Starter)

Posted 12 August 2015 - 01:04 PM

Hi, here are the Malwarebytes results:

[Spoiler: Malwarebytes]

And here are the FRST scan results:

[Spoiler: FRST.txt]

[Spoiler: Addition.txt]



#8 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 13 August 2015 - 04:54 PM

Hi,

Malware Warning

If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, Email, eBay, Paypal, online forums, etc).
 
 
Step 1

Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.

  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
    File: "C:\Users\Sandis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sploit.exe"
    File: "C:\Users\Sandis\AppData\Roaming\svhost.exe"
    Startup: C:\Users\Sandis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sploit.exe [2015-08-09] (CyberLink Corp.)
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction
    HKU\S-1-5-21-768949601-3428065204-488884693-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    2015-08-09 16:19 - 2014-03-21 01:49 - 00053248 ____N (Microsoft Corporation) C:\Users\Sandis\AppData\Roaming\svhost.exe
    AlternateDataStreams: C:\ProgramData:NT
    AlternateDataStreams: C:\ProgramData:NT2
    AlternateDataStreams: C:\Users\All Users:NT
    AlternateDataStreams: C:\Users\All Users:NT2
    AlternateDataStreams: C:\ProgramData\Application Data:NT
    AlternateDataStreams: C:\ProgramData\Application Data:NT2
    AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT
    AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT2
    AlternateDataStreams: C:\ProgramData\TEMP:F3AD1365
    AlternateDataStreams: C:\Users\Sandis\Application Data:NT
    AlternateDataStreams: C:\Users\Sandis\Application Data:NT2
    AlternateDataStreams: C:\Users\Sandis\AppData\Roaming:NT
    AlternateDataStreams: C:\Users\Sandis\AppData\Roaming:NT2
    
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.
 
 
Step 2

Don't remove on your own anything that HitmanPro detects!
This scanner, while it is really good for checking, has been known for deleting files instead of curing them, which in some cases may render the machine unbootable.
Any removals will be done manually after careful analysis of the scan results!

Please download HitmanPro 32-bit / HitmanPro 64-bit by SurfRight and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the HitmanPro icon and select Run as Administrator to start the tool.
  • If the program won't run please run it while holding down the left CTRL key until it's loaded!
  • Click on the Next button (1). You must agree with the terms of EULA (2 - if asked).
  • Check the box beside "No, I only want to perform a one-time scan to check this computer" and click on the Next button. (3)
  • The program will start to scan the computer. It would only take several minutes.
  • When the scan is done click on Save Log (4) and close HitmanPro! (5)
  • Copy and paste the content of the log file in your next reply.
 
Step 3

Please download ESET Online Scanner and save it to your Desktop.

  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the settings shown in the original screenshot.
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed, click on Finish.
  • A log file is created at the path shown in the original screenshot.
    Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!


regards,
deeprybka
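Added example (not from the thread, and not part of FRST or any tool the helper uses): a PowerShell triage for the two kinds of artefacts that the fixlist in this post targets, alternate data streams on directories (the AlternateDataStreams: lines) and executables dropped into the user's Startup folder and AppData\Roaming root (the File: and Startup: lines). It also separates what a file claims in its version info (the "(CyberLink Corp.)" that FRST prints next to sploit.exe comes from there) from what its Authenticode signature actually proves, and flags names that imitate system binaries such as svhost.exe imitating svchost.exe. The directory list follows the paths in the fixlist; the function names and the regex of imitated names are this example's own assumptions. Run it from an elevated PowerShell 3.0 or later prompt.

```powershell
# Added example, not from the thread. Enumerates the artefact types the fixlist above
# removes, for review before anything is deleted. Directories are the ones from the
# fixlist; adjust for another machine. Needs PowerShell 3.0+ (-Stream, -File, -in).
$AdsTargets = @(
    'C:\ProgramData',
    'C:\ProgramData\TEMP',
    $env:APPDATA                       # C:\Users\<user>\AppData\Roaming
)
$StartupDir = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'

function Get-AlternateDataStreams {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # -Stream * lists every NTFS stream on the item. ':$DATA' is the ordinary
        # content; anything else is an alternate data stream. Directories can carry
        # ADS as well, which is what the fixlist entries above refer to.
        Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FileName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }
}

function Get-ExecutableReport {
    # Lists executable content in one directory and separates the free-text
    # CompanyName (what a file claims) from the Authenticode signer (what is verified).
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return }
    Get-ChildItem -LiteralPath $Directory -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Created   = $_.CreationTime
                ClaimedBy = $_.VersionInfo.CompanyName
                Signature = $sig.Status          # Valid / NotSigned / HashMismatch ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # Lookalikes of system process names outside System32 deserve a closer look
                # (e.g. svhost.exe imitating svchost.exe). Pattern is this example's own list.
                LooksLikeSystemName = [bool]($_.Name -match '^(svc?host|lsass|csrss|winlogon|explorer)\.exe$')
            }
        }
}

Get-AlternateDataStreams -Path $AdsTargets | Format-Table -AutoSize
Get-ExecutableReport -Directory $StartupDir | Format-List
Get-ExecutableReport -Directory $env:APPDATA | Format-List
```

Anything in the Startup folder runs at every logon, so an unsigned executable there with a Created date matching the day the symptoms began is exactly the kind of entry a fixlist ends up listing; the point of the report is to have that evidence in hand before the removal, not after.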

#9 Rangah (Topic Starter)

Posted 15 August 2015 - 03:44 AM

Hi, I have followed your instructions and here are all the logs:

[Spoiler: Fixlog.txt]

[Spoiler: HitmanPro]

[Spoiler: ESET Online scanner]


Edited by Rangah, 15 August 2015 - 03:49 AM.


#10 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 15 August 2015 - 09:52 AM

Step 1

Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
    cmd: type "C:\da.bat"
    C:\da.bat
    C:\Program Files\ARO 2012\
    C:\ProgramData\InstallMate\GadgetBox Updater\
    C:\ProgramData\InstallMate\{0332E488-2BD3-43BF-A154-63F1D8D1C67E}\
    C:\ProgramData\InstallMate\{0D69837C-4CCF-4851-AABA-04EDD68AA18A}\
    C:\ProgramData\InstallMate\{1E675623-6EFD-4177-A39C-26DFC58474D5}\
    C:\ProgramData\InstallMate\{1FDBE0A2-A41E-47C0-A52B-EC3CC438C254}\
    C:\ProgramData\InstallMate\{2B816E9B-454C-4CFF-AE14-0D6EF0624C6D}\
    C:\ProgramData\InstallMate\{A84BD224-EE8E-4B55-A9BE-A6AC73A8F0D2}\
    C:\ProgramData\InstallMate\{C9EB6C32-67CF-4EFE-AC15-2FED12084EC4}\
    C:\Users\Sandis\AppData\Roaming\sploit\
    C:\Users\Sandis\Documents\ApnStub.exe
    CreateRestorePoint:
    EmptyTemp:
    
    
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.

After the Reboot:

Step 2

Start FRST with administrator privileges.
  • Make sure the following option is checked: Addition.txt
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

regards,
deeprybka

#11 Rangah (Topic Starter)

Posted 15 August 2015 - 10:26 AM

Here are the logs. I'd like to add that after doing the step 1 in your post above, my Google Chrome history and saved passwords were deleted. Was it supposed to happen? Also, I want to let you know that I am really thankful for all your help thus far.

 

[Spoiler: Fixlog.txt]

[Spoiler: FRST.txt]

[Spoiler: Addition.txt]



#12 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 15 August 2015 - 10:45 AM

> ...my Google Chrome history and saved passwords were deleted. Was it supposed to happen?

It is included in the "EmptyTemp" directive.

Can you please tell me which problems still persist now?
regards,
deeprybka

#13 Rangah (Topic Starter)

Posted 15 August 2015 - 10:52 AM

The process I was worried about is gone and so are the AVG warning pop-ups. Unless there is anything else I should be worried about, I think everything has been solved. Thank you so much! Just a quick question, was my computer heavily infected?



#14 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 15 August 2015 - 11:13 AM

> Just a quick question, was my computer heavily infected?

It could have been worse. :)

Uninstall Combofix:
Type "combofix /uninstall" in the run box (Windows key + R) and hit enter.

That's it!
Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.

My help is free for everybody, however...
If I have helped you fix your PC, then please consider donating to continue the fight against malware.
Thank you!

Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restorepoints:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.

Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this malware exploits security holes in installed software (e.g. browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated:
  • Adobe Flash Player ActiveX
  • Java 7 Update 71
  • Java 8 Update 25


Tips

I recommend to read and follow the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.
 
The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.
Malware authors promote and release cracked software to spread their infections. I strongly recommend you refrain from participating in this activity; your computer will be repeatedly infected otherwise. Simply visiting a cracked software site can result in infection via drive-by exploits of vulnerable software.

Cracked software will make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some instances an infection may cause so much damage to your system that recovery is not possible and the only option is to reformat your Hard Drive and reinstall your Operating System. Please read the following articles for more information.


Edited by deeprybka, 15 August 2015 - 11:15 AM.

regards,
deeprybka
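Added example (not from the thread): the "outdated software" list in the post above is the kind of finding a defender should be able to reproduce on any machine without a scan log. This PowerShell inventory reads the registry Uninstall keys (64-bit, 32-bit WOW6432Node and per-user) and reports installed programs with their exact versions; the default filter picks out the Java and Flash entries named above, and two Java runtimes listed side by side, as in this thread, means the older one was never removed. Function name, parameter and default patterns are this example's own.

```powershell
# Added example, not from the thread. Inventories installed programs from the
# registry Uninstall keys so outdated runtimes like the ones listed above show up
# with their exact versions. Works in PowerShell 3.0+; no elevation needed.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

function Get-InstalledSoftware {
    # $NamePattern: wildcard patterns matched against DisplayName. The defaults
    # pick the runtimes named in the thread; pass '*' for the full inventory.
    param([string[]]$NamePattern = @('Java*', 'Adobe Flash Player*'))

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |              # skip keys without a visible name
        ForEach-Object {
            $entry = $_
            foreach ($pattern in $NamePattern) {
                if ($entry.DisplayName -like $pattern) {
                    [pscustomobject]@{
                        DisplayName = $entry.DisplayName
                        Version     = $entry.DisplayVersion
                        Publisher   = $entry.Publisher
                        InstallDate = $entry.InstallDate    # yyyyMMdd string when the installer recorded it
                        KeyName     = $entry.PSChildName    # product code or key name, useful for uninstall scripting
                    }
                    break   # one row per entry even if several patterns match
                }
            }
        } |
        Sort-Object DisplayName, Version
}

Get-InstalledSoftware | Format-Table -AutoSize
```

Several rows for the same product family (for example two Java major versions, or both a 32-bit and a 64-bit Flash entry) are the signal to act on: each older runtime left installed is a separately exploitable component until it is uninstalled or updated.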

#15 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 16 August 2015 - 05:36 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
deeprybka



