CSE google redirect malware and re-appearing temp files/registry values


This topic is locked. 18 replies to this topic.

#1 BadMalwarePleaseHelp (Topic Starter)

Posted 24 January 2017 - 09:25 PM

Hi Everyone,

 

So I seem to have gotten a pretty nasty bit of malware on my PC that I cannot seem to remove. I have used the following software packages; they will find the malware and delete it upon reboot, but it is always there again! Can anyone help me finally get rid of this? Thanks in advance.

MalwareBytes
ADWCleaner
HitmanPro
TDSSKiller
Windows Defender

 

Here is the latest log of the HitmanPro scan:

 

HitmanPro 3.7.15.281
www.hitmanpro.com
 
   Computer name . . . . : DREW
   Windows . . . . . . . : 10.0.0.14393.X64/4
   User name . . . . . . : Drew\dcarrier
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (22 days left)
 
   Scan date . . . . . . : 2017-01-24 18:55:27
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 33s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 3
   Traces  . . . . . . . : 31
 
   Objects scanned . . . : 1,525,140
   Files scanned . . . . : 32,101
   Remnants scanned  . . : 340,984 files / 1,152,055 keys
 
Malware _____________________________________________________________________
 
   C:\WINDOWS\Temp\g3B72.tmp
      Size . . . . . . . : 3,629,056 bytes
      Age  . . . . . . . : 0.1 days (2017-01-24 15:48:43)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : BD5C1783CA073FF99E4629420ACC7B68A19D506638592A48FF265E9D8AC94A93
    > Bitdefender  . . . : Gen:Variant.Razy.118497
      Fuzzy  . . . . . . : 112.0
      Forensic Cluster
          0.0s C:\Windows\Temp\g3B72.tmp
          0.6s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{B3B1517E-BBE6-45CD-AA50-9CEEEA8BEC24}
 
   C:\WINDOWS\Temp\g79C7.tmp.exe
      Size . . . . . . . : 248,832 bytes
      Age  . . . . . . . : 1.8 days (2017-01-22 23:31:53)
      Entropy  . . . . . : 5.3
      SHA-256  . . . . . : 936EA464F68D2F559CBBD9A415B3DED6A6F2EBB51FC04D2669392C5B2135376D
    > Bitdefender  . . . : Trojan.Generic.20350958
    > HitmanPro  . . . . : Mal/Generic-S
      Fuzzy  . . . . . . : 108.0
      Forensic Cluster
         -2.2s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\D09AA5A32039F1FEFB7F707B58F14369
         -0.7s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{13BF7912-AFA4-459A-AA16-9D9FF3728306}
          0.0s C:\Windows\Temp\g79C7.tmp.exe
          3.8s C:\Windows\Temp\g79C8.tmp.exe
          4.6s C:\Windows\Temp\DREW
          4.9s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\4\71\
          4.9s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\4\71\3C6BF82429773C73.dat
         15.9s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{85CB88BC-DEBB-45F5-AD60-CF42256133D1}
 
   C:\WINDOWS\TEMP\g79C8.tmp.exe
      Size . . . . . . . : 240,640 bytes
      Age  . . . . . . . : 1.8 days (2017-01-22 23:31:57)
      Entropy  . . . . . : 5.2
      SHA-256  . . . . . : 0C03B26478DEEC8800BE159AF8C0023F4A79C2DFEBB515B50B4955820E8F4A00
      Parent Name  . . . : C:\Windows\System32\rundll32.exe
      Running processes  : 3096
    > Bitdefender  . . . : Trojan.Agent.CCXB
      Fuzzy  . . . . . . : 119.0
      Startup
         HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wd
      Forensic Cluster
         -6.0s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\D09AA5A32039F1FEFB7F707B58F14369
         -4.5s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{13BF7912-AFA4-459A-AA16-9D9FF3728306}
         -3.8s C:\Windows\Temp\g79C7.tmp.exe
          0.0s C:\Windows\Temp\g79C8.tmp.exe
          0.8s C:\Windows\Temp\DREW
          1.1s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\4\71\
          1.1s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\4\71\3C6BF82429773C73.dat
         12.1s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{85CB88BC-DEBB-45F5-AD60-CF42256133D1}
 
 
Cookies _____________________________________________________________________
 
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:abmr.net
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:addthis.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:agkn.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:bluekai.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:crwdcntrl.net
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:demdex.net
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:dpm.demdex.net
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:googleadservices.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:imrworldwide.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:in.ml314.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:krxd.net
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:mathtag.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:ml314.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:monster.demdex.net
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:nbcu.demdex.net
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:outbrain.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:pagefair.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:rfihub.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:rlcdn.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:scorecardresearch.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:skimresources.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:stats.csnne.com
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:w55c.net
   C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Cookies:yadro.ru
 
#2 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 25 January 2017 - 10:13 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#3 BadMalwarePleaseHelp (Topic Starter)

Posted 25 January 2017 - 10:32 PM

Hello! Sorry, I've been away at work. I ran the Zoek program and this is the log file.

 

Edit: Sorry, you said attach. I'm doing that now.
 
Also, my PC seems to be running better right now. At least the virus doesn't appear to be running in the Processes in Task Manager and I don't see the similar files in the temp directory at the moment. 

Attached Files


Edited by BadMalwarePleaseHelp, 25 January 2017 - 10:41 PM.


#4 nasdaq (Malware Response Team)

Posted 26 January 2017 - 09:18 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

===

#5 BadMalwarePleaseHelp (Topic Starter)

Posted 26 January 2017 - 10:37 PM

I just got on my computer again and unfortunately the virus is running as an executable again and I see it in the temp directory once more :(

 

What are the next steps?



#6 nasdaq (Malware Response Team)

Posted 27 January 2017 - 08:07 AM



Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click to open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


#7 BadMalwarePleaseHelp (Topic Starter)

Posted 27 January 2017 - 09:22 PM

Here is the log for RogueKiller:

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 01/27/2017 07:21:29 PM in x64 mode.
Windows Version: Windows 10 Pro 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Windows\Temp\g8DF5.tmp.exe (PID: 6936) [WD-HEUR]
 
1 proccess terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * agp440 [Missing Service]
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1 v1.ff.avast.com 
  127.0.0.1 vlcproxy.ff.avast.com 
  0.0.0.0 keystone.mwbsys.com
 
Program finished at: 01/27/2017 07:21:40 PM
Execution time: 0 hours(s), 0 minute(s), and 11 seconds(s)


#8 nasdaq (Malware Response Team)

Posted 28 January 2017 - 09:17 AM


I just found this article.

gtbB5.tmp.exe
Google Toolbar Installer

http://www.fastfixerror.com/whats-gtbb5-tmp-exe-how-to-fix-it-is-it-a-virus.html

===

Let's see what we can find.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===


Please post both logs for my review.

p.s.
Other than that problem what else is not right with this computer?

#9 BadMalwarePleaseHelp (Topic Starter)

Posted 28 January 2017 - 10:02 AM

Here are the two attachments for that scan.

 

PC seems to be running okay, other than when that .exe starts up, then I have browser issues.

Attached Files



#10 BadMalwarePleaseHelp (Topic Starter)

Posted 28 January 2017 - 10:04 AM

Should I try the steps in this article?

 

http://www.fastfixerror.com/whats-gtbb5-tmp-exe-how-to-fix-it-is-it-a-virus.html



#11 nasdaq (Malware Response Team)

Posted 28 January 2017 - 10:52 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
ShortcutTarget: Update Notifier.lnk -> C:\Program Files\WinZip\WZUpdateNotifier.exe (WinZip Computing, S.L.)
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} [2017-01-20] [not signed]
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [2017-01-20] [not signed]
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.6.0_24\bin\new_plugin\npjp2.dll [2017-01-20] (Sun Microsystems, Inc.)
CHR Extension: (Chrome Web Store Payments) - C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-20]
CHR Extension: (Hover Zoom) - C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2017-01-28]
CHR Extension: (Fast search) - C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbdpajcdgknpendpmecafmopknefafha [2017-01-15]
CHR Extension: (Chrome Media Router) - C:\Users\dcarrier\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
Task: {8C96F4BE-599F-4D3D-95BA-24C0D1F3AA61} - \WinZipBackGroundToolsTask -> No File <==== ATTENTION
Task: {9E0CF28E-AC17-4A47-8011-AAE99E5CD6A6} - System32\Tasks\Private Internet Access Startup => C:\Program Files\pia_manager\pia_manager.exe [2017-01-15] ()
Task: {A778021E-307B-4D9B-B4C9-D2C4DA59D198} - \WPD\SqmUpload_S-1-5-21-1956388521-3478640138-340246364-1001 -> No File <==== ATTENTION
Task: {BFBA2AD1-4FE1-4941-8DA4-0B41DAE3B6F7} - \{0B7E7A47-7E0B-7A08-7D11-090C040D117A} -> No File <==== ATTENTION
Task: {F7311F49-C486-4AC7-8D41-D239ACC6756F} - \7a3y5r2 -> No File <==== ATTENTION
Shortcut: C:\Users\dcarrier\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gle ?hr?m?.lnk -> C:\Users\dcarrier\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\dcarrier\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\L?un?h Int?rnet ???l?r?r ?rowser.lnk -> C:\Users\dcarrier\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\dcarrier\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gle Chr?me.lnk -> C:\Users\dcarrier\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
2017-01-15 20:59 - 2014-03-22 02:24 - 02846720 _____ () C:\ProgramData\7a3y5r2\7a3y5r2.dll
2017-01-26 20:35 - 2017-01-27 22:02 - 03265024 _____ () C:\WINDOWS\TEMP\gDE0F.tmp
AlternateDataStreams: C:\Users\dcarrier\Documents\BEService_h1z1.exe:crc [20]
C:\Program Files\pia_manager
C:\ProgramData\7a3y5r2

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates remove the old version(s) via the Control Panel > Programs > Programs and Features.
J2SE Runtime Environment 5.0 Update 12 (HKLM-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0150120}) (Version: 1.5.0.120 - Sun Microsystems, Inc.)
Java™ 6 Update 24 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216024F0}) (Version: 6.0.240 - Oracle)

Please let me know what problem persists with this computer.

Again other than the temp file, what problems are you still having with this computer.

#12 BadMalwarePleaseHelp (Topic Starter)

Posted 28 January 2017 - 12:07 PM

I have installed the latest version of Java and it removed those older versions automatically. PC seems to be running okay. Only issue seems to be with the browsers and that virus/malware. 

 

Here is the log file:

Attached Files


Edited by BadMalwarePleaseHelp, 28 January 2017 - 12:09 PM.


#13 nasdaq (Malware Response Team)

Posted 28 January 2017 - 02:22 PM

Those .tmp files are created by a program you ran or updated.

What problem are you having with the browsers?

#14 BadMalwarePleaseHelp (Topic Starter)

Posted 28 January 2017 - 03:02 PM

When the virus is running it does redirects and the browser flashes.



#15 nasdaq (Malware Response Team)

Posted 29 January 2017 - 09:11 AM



SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe (or SystemLook_x64.exe) to run it.
  • Copy and paste the following text into the main textfield:
    :regfind
    g*.tmp
    g*.*.exe

    :filefind
    g*.tmp
    g*.*.exe
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop, entitled SystemLook.txt.
===


p.s.
Are all the browsers affected, or just one of them? Which one is it?
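The SystemLook query in the post above and the HitmanPro log in post #1 together describe the hunt: files named g????.tmp or g????.tmp.exe appearing in C:\Windows\Temp, one of them tied to a RunOnce value (HKLM\...\RunOnce\wd) and running under rundll32.exe. As an added example that is not part of this thread and not code from BleepingComputer or any of the tools named here, the following PowerShell does that hunt directly on the affected machine: it hashes matching files in %SystemRoot%\Temp and checks them against the three SHA-256 values from post #1, lists Run/RunOnce values that point into a Temp directory, shows running processes whose image lives under Temp along with their parent process, and flags HOSTS entries that map a name to 127.0.0.1 or 0.0.0.0 (Rkill reported avast.com and mwbsys.com names mapped that way). It assumes an elevated prompt; the name pattern and the known-bad hash list are assumptions drawn from this thread's logs only, so a file that is not on the list is unknown, not clean.

```powershell
# Added triage example for this thread; not code from BleepingComputer, HitmanPro,
# Rkill, SystemLook or FRST. Run from an elevated PowerShell prompt on the affected host.
# ASSUMPTIONS: the g????.tmp / g????.tmp.exe naming and the three hashes come only from
# the HitmanPro log in post #1; anything not on that list is "unknown", not "clean".
$KnownBad = @(
    'BD5C1783CA073FF99E4629420ACC7B68A19D506638592A48FF265E9D8AC94A93',  # g3B72.tmp
    '936EA464F68D2F559CBBD9A415B3DED6A6F2EBB51FC04D2669392C5B2135376D',  # g79C7.tmp.exe
    '0C03B26478DEEC8800BE159AF8C0023F4A79C2DFEBB515B50B4955820E8F4A00'   # g79C8.tmp.exe
)
$TempDir = Join-Path $env:SystemRoot 'Temp'

Write-Host "== 1. Dropped payloads in $TempDir =="
Get-ChildItem -Path $TempDir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^g[0-9A-Fa-f]{4}\.tmp(\.exe)?$' } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path     = $_.FullName
            Bytes    = $_.Length
            Created  = $_.CreationTime
            SHA256   = $hash
            KnownBad = ($KnownBad -contains $hash)
        }
    } | Format-Table -AutoSize

Write-Host "== 2. Run/RunOnce values that point into a Temp directory =="
# Windows deletes a RunOnce value after it has executed, so a value that is present
# again after every reboot is being re-created by something that ran during the session.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # provider metadata, not a Run value
        $cmd = [string]$prop.Value
        # -match is case-insensitive in PowerShell, so C:\WINDOWS\TEMP and C:\Windows\Temp both hit
        if ($cmd -match '\\temp\\' -or $cmd -match '\.tmp(\.exe)?\b') {
            "{0}\{1} = {2}" -f $key, $prop.Name, $cmd
        }
    }
}

Write-Host "== 3. Running processes whose image lives under $TempDir (with parent) =="
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$procs |
    Where-Object { $_.ExecutablePath -and
                   $_.ExecutablePath.StartsWith($TempDir, [System.StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object {
        $parent = $byPid[[int]$_.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }   # log showed rundll32.exe as parent
        [pscustomobject]@{
            PID         = $_.ProcessId
            Image       = $_.ExecutablePath
            ParentPID   = $_.ParentProcessId
            ParentName  = $parentName
            CommandLine = $_.CommandLine
        }
    } | Format-List

Write-Host "== 4. HOSTS entries that sinkhole a name to 127.0.0.1 / 0.0.0.0 =="
# Rkill listed avast.com and mwbsys.com names mapped this way; such entries keep security
# products from reaching their own servers and should be explained or removed.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $HostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_ -match '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)' -and $Matches[2] -ne 'localhost') {
        "HOSTS sinkhole: $($_.Trim())"
    }
}
```

Sections 1 and 3 give the same evidence the HitmanPro "Parent Name" and "Running processes" fields did, but on demand and with the hash to compare against a later re-appearance; section 2 is the piece the thread's tools reported but did not re-check after each cleanup, which is where a re-created RunOnce value would show up.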