Keylog,Virus?no user or description to winlogon.exe,csrss.exe,atixclxx.exe


This topic is locked
49 replies to this topic

#1 Tramon

Tramon

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 04 January 2016 - 05:20 PM

There is so much going on with my PC I don't know where to start :(

Hello. My PC has been acting weird the past few days, beginning in December. Well, the very first thing I noticed is that in Task Manager there is no user or description for winlogon.exe, csrss.exe, atixclxx.exe. http://prntscr.com/9m2we5 I never really paid too much attention to it. I also noticed cmd quickly opens and closes upon boot-up. A few days later I was getting emails saying my passwords and all that stuff had been changed. The first thing that came to my mind was that I had got keylogged, so I ran a virus scan hoping it would get rid of it, but the next day when I woke up I got an email saying my Gmail password was changed. I ran 2 virus scans again and (hopefully) deleted the virus, and I reset and recovered all my stuff using my phone, and sure enough I got no more emails saying my stuff was changed. A few days passed and yesterday I noticed iexplore.exe was spamming in my Task Manager and my PC was going really slow. I did some googling, put my PC in safe mode and did 2 virus scans. Not sure what's wrong with my PC, so can anyone help? I'll be glad to give more info if needed.

Some things I just noticed today:
When I open Task Manager there's no user or description for winlogon.exe, csrss.exe, atixclxx.exe, but if I click "Show processes from all users" and then click it again, it shows the user and description http://prntscr.com/9m357w. But if I close Task Manager and open it back up, it's not showing anymore.

 

The virus scanners I use are Malwarebytes and SUPERAntiSpyware.

Edited by Tramon, 04 January 2016 - 05:24 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:53 PM

Posted 05 January 2016 - 10:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs via the Programs and Features applet.

Coupon Printer for Windows (HKLM-x32\...\Coupon Printer for Windows5.0.0.2) (Version: 5.0.0.2 - Coupons.com Incorporated)
Lightshot-5.3.0.0 (HKLM-x32\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.3.0.0 - Skillbrains)
Pando Media Booster (HKLM-x32\...\{980A182F-E0A2-4A40-94C1-AE0C1235902E}) (Version: 2.6.0.7 - Pando Networks Inc.)
Popcorn Time (HKLM-x32\...\Popcorn Time_is1) (Version: 5.4.1.0 - Popcorn Time)

===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below to the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Popcorn Time) C:\Program Files (x86)\Popcorn Time\Updater.exe
(Skillbrains) C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [Lightshot] => C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe [226560 2014-11-18] ()
HKU\S-1-5-21-1457218534-3710924171-3785597336-1001\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1457218534-3710924171-3785597336-1001\$0a2cb30dd13cd473a4f1c8c53bc70a0b\n. ATTENTION
AppInit_DLLs: C:\ProgramData\FlashBeat\FlashBeat64.dll => No File
AppInit_DLLs-x32: C:\ProgramData\FlashBeat\FlashBeat32.dll => No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-1457218534-3710924171-3785597336-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1457218534-3710924171-3785597336-1001 -> No Name - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR StartupUrls: Default -> "hxxps://www.google.com/","hxxp://astromenda.com/?f=7&a=ast_cmi_14_45_ch&cd=2XzuyEtN2Y1L1QzutC0EyCyDzy0D0BzytDtC0EyBtCyBtDyDtN0D0Tzu0StCtDyEyEtN1L2XzutAtFyCtFtCtFtDtN1L1CzutCyEtBzytDyD1V1PtN1L1G1B1V1N2Y1L1Qzu2SyBtC0AyD0B0Czz0EtGtC0B0EyDtGyB0Azz0EtGtBtC0F0AtGtD0CyDtAzy0E0AyD0FzytAyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0FtCzy0DtC0EtA0EtGyE0B0DtCtGyE0EyByDtGzz0C0EyCtGyEyB0B0BzyzyyC0E0C0EzyyC2Q&cr=1346546040&ir=","hxxp://websearch.search-plaza.info/?pid=1387&r=20... (long line)
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]
S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [X]
S3 EagleX64; \??\C:\windows\system32\drivers\EagleX64.sys [X]
C:\$Recycle.Bin\S-1-5-21-1457218534-3710924171-3785597336-1001
Task: {0DA11479-5A08-4CFB-B475-D4F89B6C65D0} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2014-03-25] ()
Task: {13DF15EF-00C3-4C1D-A17B-1B7C71E35CCC} - System32\Tasks\update-S-1-5-21-1457218534-3710924171-3785597336-1001 => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2014-03-25] ()
Task: {89B87BD3-B396-4543-82F4-8CBD5404975D} - System32\Tasks\RCSAV1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
Task: {B3EDA1C4-BC22-4D0E-8F98-8E7C18A2FF5D} - System32\Tasks\FUWVENI => C:\ProgramData\2ccaabfd880044c686d18d322faf42df\2ccaabfd880044c686d18d322faf42df.exe <==== ATTENTION
Task: {C5646937-819D-4D68-96E0-836B28799CD3} - System32\Tasks\program => C:\ProgramData\program\program.exe [2016-01-02] () <==== ATTENTION
Task: {D441CF08-E0EC-4A61-9CA0-7D2F796EA53B} - System32\Tasks\Computer Helper => C:\ProgramData\167393\helper.exe
Task: C:\windows\Tasks\RCSAV1.job => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
Task: C:\windows\Tasks\update-S-1-5-21-1457218534-3710924171-3785597336-1001.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\windows\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
AlternateDataStreams: C:\Users\Katie\MediaFire:mf_x
HKU\S-1-5-21-1457218534-3710924171-3785597336-1001\Software\Classes\.exe: exefile =>  <===== ATTENTION
HKU\S-1-5-21-1457218534-3710924171-3785597336-1001\Software\Classes\exefile:  <===== ATTENTION
FirewallRules: [TCP Query User{8C092A53-17F4-4309-A64E-FBFF4BD66A9A}C:\users\katie\appdata\local\popcorn time\node-webkit\popcorn time.exe] => (Allow) C:\users\katie\appdata\local\popcorn time\node-webkit\popcorn time.exe
FirewallRules: [UDP Query User{04790513-FC1C-43A3-AB7E-BFFC4D176170}C:\users\katie\appdata\local\popcorn time\node-webkit\popcorn time.exe] => (Allow) C:\users\katie\appdata\local\popcorn time\node-webkit\popcorn time.exe
FirewallRules: [TCP Query User{5F012413-D948-4560-A007-7C349E7794E6}C:\users\katie\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\katie\appdata\local\popcorn time\nw.exe
FirewallRules: [UDP Query User{FF85CB67-1F4B-49FB-9E1B-F21FF6C15C90}C:\users\katie\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\katie\appdata\local\popcorn time\nw.exe
FirewallRules: [TCP Query User{16EBF4A2-069E-49CE-B895-F3D5CB1668B2}C:\users\katie\appdata\local\popcorn time community\nw.exe] => (Allow) C:\users\katie\appdata\local\popcorn time community\nw.exe
FirewallRules: [UDP Query User{8C147605-CA5C-4BDB-B71E-EE0E45FBA90E}C:\users\katie\appdata\local\popcorn time community\nw.exe] => (Allow) C:\users\katie\appdata\local\popcorn time community\nw.exe
FirewallRules: [{6F86147B-7AE4-42BA-89B8-3C5AE515F8E6}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{D41055B7-4910-4E86-A9B3-D63D2B06E7A8}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{6C1420B6-5291-406D-9D8F-B326EF7F019A}] => (Allow) C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe
FirewallRules: [{2787BB92-3321-4B63-AB38-669A730331B2}] => (Allow) C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe
FirewallRules: [{4DBE0A42-4C16-47DC-86D7-1E13ACDEF36F}] => (Allow) C:\Program Files (x86)\Popcorn Time\chromecast\node.exe
FirewallRules: [{57B657D1-C30E-4501-92E2-A831934472C3}] => (Allow) C:\Program Files (x86)\Popcorn Time\chromecast\node.exe
C:\Program Files (x86)\Skillbrains
C:\ProgramData\FlashBeat
C:\ProgramData\2ccaabfd880044c686d18d322faf42df
C:\ProgramData\program
C:\users\katie\appdata\local\popcorn time
C:\users\katie\appdata\local\popcorn time community
C:\ProgramData\167393
C:\Users\Guest\AppData\Local\Temp\avgnt.exe
C:\Users\Katie\AppData\Local\Temp\56891b974e56a.exe
C:\Users\Katie\AppData\Local\Temp\jbAML.exe
C:\Users\Katie\AppData\Local\Temp\OMxNh.exe
C:\Users\Katie\AppData\Local\Temp\rXubN.exe
C:\Users\Katie\AppData\Local\Temp\UtIob.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on the Export TXT button and save the file as RogueReport.txt.
  • The file RogueReport.txt will be saved on the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

CHR dev: Chrome dev build detected! <======= ATTENTION

Your copy of Chrome has been compromised

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

If you want to save your passwords as well see here: http://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Re-install Chrome and the Bookmarks.
<<<>>>


Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Control Panel > Programs and Features applet.
Java™ 6 Update 17 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216017FF}) (Version: 6.0.170 - Sun Microsystems, Inc.)


Let me know of any remaining issues.

#3 Tramon

Tramon
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 05 January 2016 - 05:48 PM

Here's the FixLog and the AdwCleaner log.

Edited by Tramon, 05 January 2016 - 06:04 PM.


#4 Tramon

Tramon
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 05 January 2016 - 06:26 PM

Here is the RogueReport.

 

RogueKiller V11.0.6.0 [Jan  4 2016] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Katie [Administrator]
Started from : C:\Users\Katie\Desktop\RogueKiller.exe
Mode : Scan -- Date : 01/05/2016 17:22:11
 
¤¤¤ Processes : 5 ¤¤¤
[Suspicious.Path|VT.Trojan:Win32/Skeeyah.A!rfn] iexplore.exe(1240) -- C:\ProgramData\iexplore\iexplore.exe[-] -> Killed [TermProc]
[Suspicious.Path|VT.Trojan:Win32/Skeeyah.A!rfn] iexplore.exe(1172) -- C:\ProgramData\iexplore\iexplore.exe[-] -> Killed [TermProc]
[Suspicious.Path|VT.Trojan:Win32/Skeeyah.A!rfn] iexplore.exe(4000) -- C:\ProgramData\iexplore\iexplore.exe[-] -> Killed [TermProc]
[Suspicious.Path|Proc.Injected|VT.Trojan:Win32/Skeeyah.A!rfn] iexplore.exe(3016) -- C:\ProgramData\iexplore\iexplore.exe[-] -> Killed [TermProc]
[Suspicious.Path|VT.Trojan:Win32/Skeeyah.A!rfn] iexplore.exe(3776) -- C:\ProgramData\iexplore\iexplore.exe[-] -> Killed [TermThr]
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path|VT.Trojan:Win32/Skeeyah.A!rfn] \iexplore -- C:\ProgramData\iexplore\iexplore.exe -> Found
 
¤¤¤ Files : 42 ¤¤¤
[Suspicious.Path|Suspicious.Startup][File] C:\Users\Katie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Item.lnk -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{0138EAB0-CA48-43BF-B98F-00B4328DF8C1}\services.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{03970FEA-7387-47F3-A74B-4E69F12F81DC}\wuauclt.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{0C5FA4F1-53AF-496C-BE53-4549F70391AD}\csrss.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{124D5A1F-FC2B-4869-A72E-9718DEEE3D4F}\svchost.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{1753B8F0-C0D9-4D2A-8700-483EF39B65E0}\explorer.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{1AFA21B0-2B76-453D-A294-F19982F9583C}\services.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{1CFFFD53-7CD1-46C3-AB32-7838BA7CD02D}\wuauclt.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{2622E739-83E3-44EE-9D30-3FDF64513890}\services.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{263404FA-E57D-4EBC-AFA4-7C0E5164D0E9}\winlogon.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{392C9E14-AE97-49A7-8EF2-D5BD7EA3C981}\winlogon.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{41ED6232-723D-486C-95B9-69D51AA1F8BE}\dllhost.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{624A662D-D981-4F99-B45E-92E8FE60343B}\explorer.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{64BE0CBF-F5E2-4415-A725-4A03C35C9FF4}\dllhost.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{691BE190-29B2-4592-91DA-892E68713579}\svchost.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{6E80E691-3248-4461-A00D-4F3F259A8059}\explorer.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{77AE4805-D118-4A47-82DC-A82BDC35B067}\wuauclt.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{7E0BB55B-2726-4369-82D3-54569AD7823A}\dllhost.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{7EC118E3-1D15-47C8-A581-F23809D6C5EB}\services.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{7FBC01B7-B092-415B-A1A6-981D9F51A8E5}\dwm.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{808FC159-8665-4F23-86F9-EBC00CB25DF8}\explorer.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{8C7BDC9D-8A83-43CE-9541-F32A49651E1E}\explorer.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{907EF79E-3CF1-4818-A185-CDBC84CFC210}\svchost.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{99548261-E095-444D-A459-15E65424EAC2}\svchost.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{9F63C357-B48C-4991-8021-161E742F31F3}\dwm.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{A12CC2F6-0A24-466D-A678-E74376931373}\explorer.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{A3FA4384-D877-4528-A469-BB2715E2FE8B}\dwm.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{A7878584-68B7-484D-965A-A1FFEC510AFB}\csrss.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{A7EE6C63-AD12-47A5-A92B-7F24AD78733B}\csrss.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{AB304A17-B7D2-4545-82F7-EE913D2B7142}\csrss.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{B3236D54-D55B-45B9-AD64-A62B73A8E47D}\dwm.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{B80D65C6-ECD0-4D14-8D46-4DACAEFE7D4A}\winlogon.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{CA07D6F9-068A-4E8D-9978-C70C96638B7C}\services.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{D61A227C-D80A-4F6C-A78E-E3A1F415D171}\wuauclt.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{DEF335BD-3CDC-4357-BF6D-87001E45A45A}\csrss.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{E0B1D0F8-261E-4C88-BBFD-BF47EFE6BEEE}\explorer.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{E4391B5F-28A5-44BE-9B74-FB54238DE2C0}\dwm.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{E7C23359-ABA4-49B3-97D5-5F6C0320CB5E}\explorer.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{EA506D53-3810-4A87-A5B3-87D24F122E30}\csrss.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{EE7FD638-9116-446F-87D8-1AB5A15F2DFB}\dllhost.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{FA22750E-C906-4E8F-B0D8-78E0C1AA9CF2}\services.exe -> Found
[Hj.Name][File] C:\Users\Katie\AppData\Local\Microsoft\Windows\{FF584D13-34BF-48CB-84E6-D5BE2607C2A1}\winlogon.exe -> Found
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9250315AS ATA Device +++++
--- User ---
[MBR] 51cc899eba79fbdca15608b8dafe61e2
[BSP] f857a2e22280eb00b8488b0844a16fb0 : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 227762 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 469530624 | Size: 9212 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
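The RogueKiller log above is the answer to the Task Manager question in the first post: binaries named csrss.exe, winlogon.exe, services.exe and so on were running from folders under the user's AppData, not from the system directory. A defender's check for exactly that pattern, as an added Python example (not code from RogueKiller, FRST or any other tool in this thread): it compares each process image path against the directories where Windows actually keeps that binary. The process table is constructed from paths in the log; the PIDs are made up, and the system root is assumed to be C:\Windows.

```python
"""Flag processes whose name is that of a core Windows binary but whose
image lives outside the directories Windows installs it in.
Added example for this thread, not part of any tool mentioned here."""
from pathlib import PureWindowsPath

# Core binaries and the only directories they legitimately run from.
# Windows paths are case-insensitive, so everything is compared lower-cased.
# Assumption: the system root is C:\Windows.
EXPECTED_DIRS = {
    "csrss.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dwm.exe":      {r"c:\windows\system32"},
    "wuauclt.exe":  {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}


def is_masquerade(image_path):
    """True if the basename is a core system name but the parent directory
    is not one of the places Windows installs that binary."""
    p = PureWindowsPath(image_path.lower())
    expected = EXPECTED_DIRS.get(p.name)
    if expected is None:
        return False          # not a name we track, nothing to say
    return str(p.parent) not in expected


def find_masquerades(processes):
    """processes: iterable of (pid, image_path). Returns the suspicious ones
    in input order so they can be cross-checked against the scanner log."""
    return [(pid, path) for pid, path in processes if is_masquerade(path)]


# Constructed sample process table, modelled on the Hj.Name hits and the
# C:\ProgramData\iexplore\iexplore.exe processes in the log above.
# PIDs are invented.
SAMPLE_PROCESSES = [
    (524,  r"C:\Windows\System32\csrss.exe"),
    (600,  r"C:\Windows\System32\winlogon.exe"),
    (2240, r"C:\Windows\explorer.exe"),
    (1240, r"C:\ProgramData\iexplore\iexplore.exe"),
    (3016, r"C:\Users\Katie\AppData\Local\Microsoft\Windows"
           r"\{0C5FA4F1-53AF-496C-BE53-4549F70391AD}\csrss.exe"),
    (3020, r"C:\Users\Katie\AppData\Local\Microsoft\Windows"
           r"\{263404FA-E57D-4EBC-AFA4-7C0E5164D0E9}\winlogon.exe"),
    (1980, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
]

if __name__ == "__main__":
    for pid, path in find_masquerades(SAMPLE_PROCESSES):
        print(f"PID {pid}: {path}")
```

On a live Windows box the same table can be built from the output of `Get-Process | Select-Object Id, Path` in PowerShell; a name in this list with an empty or non-system path is the thing to look at.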


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:53 PM

Posted 06 January 2016 - 08:48 AM

Please run the RogueKiller tool and fix/clean everything that was found.

Restart the computer normally.

Run the RogueKiller tool one more time and post a fresh log.

Let me know of any pending issues.

#6 Tramon

Tramon
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 06 January 2016 - 06:30 PM

I ran RogueKiller and fixed/cleaned everything.

There is a folder on my desktop that I can't delete. When I try to delete it, it gives me a message that says:
"Are you sure you want to delete these icons from your desktop?
To restore it later, go to Control Panel."



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:53 PM

Posted 07 January 2016 - 08:16 AM

What is the name of that folder?

#8 Tramon

Tramon
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 07 January 2016 - 08:49 AM

I'm not at home rn till later, but it's just an empty folder, and when I try to delete it, it brings up that message. It's been on my PC ever since I bought it. I didn't know how to get rid of it, so I just wasn't paying much attention to it.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:53 PM

Posted 08 January 2016 - 08:21 AM

If you look at the properties of the folder what is the path and file name of this empty folder?

#10 Tramon

Tramon
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 08 January 2016 - 05:55 PM

It doesn't show it.
When I right-click the folder, the only options I get are:
Cut
Create Shortcut
Delete
https://gyazo.com/7141871160712e407140bdaf2beeb002


Edited by Tramon, 08 January 2016 - 06:13 PM.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:53 PM

Posted 09 January 2016 - 08:20 AM

Click the Windows button in the bottom left corner of the task bar.

Search for Desktop.

Click the Desktop entry, which will open your desktop.

Do you see the Folder?
Can you delete it from there?

If not try this.

Click the Windows button in the bottom left corner of the task bar.
Type cmd.exe in the search bar.

Right-click on the cmd.exe file and select "Run as administrator".

At the prompt type
c:\Users\{your user name}\Desktop

At the prompt type DIR and press the Enter key.

Do you see a folder with a strange name?
What is it?

To return to the operating system type Exit and press the Enter key.

#12 Tramon

Tramon
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 09 January 2016 - 09:53 AM

Umm, is this what I am supposed to be looking at?
https://gyazo.com/cfb780921e84bd4bfe3d69466faf2ab1



#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:53 PM

Posted 09 January 2016 - 01:59 PM

What you are seeing is the content of the Katie folder. We want to see the content of the Desktop folder.

Type this at the prompt.

cd c:\Users\Katie\desktop

Press the Enter key.

Type DIR and hit the Enter key.

Do you see any folder that you did not create?

Post the image if you can.

#14 Tramon

Tramon
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 09 January 2016 - 03:31 PM

Sorry, no, I don't see anything suspicious.
https://gyazo.com/8f634c7ab7cdc52ba21d228e887307bc



#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:53 PM

Posted 10 January 2016 - 10:17 AM

At the bottom of the image, in the Date column, the two ?? might be the cause.
It's undefined, so I guess you will have to live with it.

Could it have been created by the 01/22/15 <dir> CmKs ... folder?


If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices and keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===



