mattbizly Posted May 8, 2015 ID:961125

Hi guys,

Just found a process running on my Windows 7 Home Premium 64 laptop. It was listed as 589.tmp. I Googled it, and found not a lot of useful information (and none from a source that I was familiar with or trusted). Currently waiting for Malwarebytes to finish scanning my laptop, but I just wanted to make a post and ask if this is malware that anyone here is familiar with? I'm fairly certain that it is malicious software as I have noticed a drop in my laptop's performance lately; however, I will post up the scan log afterwards. Also, should I post that as an attachment, or copy-paste the text into the post itself?

Thanks in advance for any help and advice.

Matt
TwinHeadedEagle Posted May 8, 2015 ID:961129

Hello,

They call me TwinHeadedEagle around here, and I'll try to help you with your issue.

Before we start please read and note the following:

- We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this.
- Some tools we use here will remove your browser search history, so back up your important links and all the files whose loss is unacceptable.
- Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
- Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, which may cause some delays between answers.
- Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
- Do not paste the logs in your posts; attachments make my work easier. There is a More reply options button that gives you an Upload Files option below, which you can use to attach your reports. Always attach reports from all tools.
- Always execute my instructions in the given order. If for some reason you cannot completely follow one instruction, inform me about that.
- Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
- If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me! There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies

We won't support any piracy. That being said, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding! Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
mattbizly Posted May 8, 2015 Author ID:961134

Thank you for the offer of help Twin Headed Eagle. The Malwarebytes scan will only be a couple more minutes, after which I'll do the scan with Farbar and post both sets of results in this thread. I'll do it as two separate posts to avoid confusion.

Matt
TwinHeadedEagle Posted May 8, 2015 ID:961135

Okay. Please upload all reports when you finish.
mattbizly Posted May 8, 2015 Author ID:961145

Here is the scan from Malwarebytes. It came up clean. Also I don't know if this is relevant, but I have been having lots of problems with Flash Player lately. Crashing, errors, videos not loading, exiting from full screen. Mostly on YouTube. Constantly getting messages about unresponsive plug-ins when watching video online. Tried updating Flash Player (using Firefox, by the way) and that hasn't seemed to fix the problem. Just some extra info that may help diagnose the problem.

Attachment: scan 8may2015.txt
mattbizly Posted May 8, 2015 Author ID:961146

And here are the two logs from Farbar. Thanks for the help so far.

Matt

Attachments: Addition.txt, FRST.txt
TwinHeadedEagle Posted May 8, 2015 ID:961196

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one).

- Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
- Right-click on the icon and select Run as Administrator to start the tool.
- Wait patiently until the main console appears; it may take a minute or two.
- In the main box please paste in the following script:

createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;

- Make sure that the Scan All Users option is checked.
- Push Run Script and wait patiently. The scan may take a couple of minutes.
- When the scan completes, a zoek-results logfile should open in Notepad. If a reboot is needed, it will be opened after it. You may also find it on your main drive (usually the C:\ drive).
- Post its content into your next reply.
mattbizly Posted May 8, 2015 Author ID:961220

Here is the result of that scan. When the system rebooted, Malwarebytes automatically started doing a scan; I assumed that was normal so I let it continue. There was a threat message though that popped up when the scan had finished, and before the reboot. I had disabled the resident shield in AVG, however I forgot to disable the identity theft protection part of AVG. It warned me of a threat detected located in "C:\Windows\Sys\WOW64\cmd.exe". It was unable to tell me what type of threat it was, however it was a level 4 severity threat. It popped up exactly as the scan asked for authorisation however, so I assumed it was simply catching that, so I closed the warning and rebooted my laptop as normal. Just thought I should tell you in case it's important and not part of the Zoek scan. Anyway, here are the scan results.

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Matt Billington on 08/05/2015 at 19:37:45.78.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Matt Billington\Desktop\zoek.exe [scan all users] [script inserted]

==== System Restore Info ======================

08/05/2015 19:50:30 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\gravitysensation.com deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\Sony Ericsson deleted successfully
C:\PROGRA~2\VstPlugins deleted successfully
C:\PROGRA~2\Wizards of the Coast deleted successfully
C:\PROGRA~3\Guitar Pro 6 deleted successfully
C:\PROGRA~3\Oracle deleted successfully
C:\PROGRA~3\ReaConverter deleted successfully
C:\PROGRA~3\Sony Ericsson deleted successfully
C:\Users\Matt Billington\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\Matt Billington\AppData\Roaming\TP deleted successfully
C:\Users\Matt Billington\AppData\Roaming\uTorrent deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2205246989-1021118915-2616197947-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E45FE784-198F-490D-9209-95583AED082D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{E45FE784-198F-490D-9209-95583AED082D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E45FE784-198F-490D-9209-95583AED082D} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== FireFox Fix ======================

ProfilePath: C:\Users\MATTBI~1\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default
user.js not found
---- Lines Search removed from prefs.js ----
user_pref("browser.search.hiddenOneOffs", "Yahoo.co.uk,Bing,Amazon.co.uk,Chambers(UK),DuckDuckGo,eBay.co.uk,Search Term,Twitter,Wikipedia (en)");
---- FireFox user.js and prefs.js backups ----
prefs_052015_2007_.backup

==== Batch Command(s) Run By Tool ======================

==== Deleting Files \ Folders ======================

C:\PROGRA~2\gravitysensation.com not found
C:\PROGRA~2\Sony Ericsson not found
C:\PROGRA~2\VstPlugins not found
C:\PROGRA~2\Wizards of the Coast not found
C:\PROGRA~2\Windows Live SkyDrive deleted
C:\PROGRA~3\hash.dat deleted
C:\PROGRA~3\Package Cache deleted
C:\Windows\wininit.tmp deleted
C:\Windows\wininit.ini deleted
C:\end deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\MATTBI~1\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default
user_pref("browser.startup.homepage", "http://www.google.com");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"FFPDFArchitectConverter@pdfarchitect.com"=hex(2):43,00,3a,00,5c,00,50,00,72,\ []

==== Firefox Extensions ======================

ProfilePath: C:\Users\MATTBI~1\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default
- HP Detect - C:\Users\Matt Billington\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
- HP Detect - %ProfilePath%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
- Adblock Plus Pop-up Addon - %ProfilePath%\extensions\adblockpopups@jessehakanen.net.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Matt Billington\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default
66640A55AEFF3819C94E0A8D40D7E0AD - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll - Shockwave for Director / Shockwave for Director
9AE02005247DA91AB1743F5208DBEF76 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll - Shockwave Flash
65C1D9F74004E775F9A8598476ABE5EE - C:\Users\Matt Billington\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll - Unity Player

==== Fake Chromium Profiles Check ======================

Fake profile C:\Users\Matt Billington\AppData\Local\Google\Chrome deleted

==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
jmfkcklnlgedgbglfkkgedjfmejoahla - C:\Program Files (x86)\AVG\AVG2012\Chrome\safesearch.crx[26/07/2012 03:23]
ndibdjnfmopecpmkdieinmbadjfpblof - C:\Program Files (x86)\AVG\AVG2012\Chrome\donottrack.crx[20/04/2012 06:18]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{86EE716B-A1E7-49D2-B19A-C9D62A1D0D3C}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{86EE716B-A1E7-49D2-B19A-C9D62A1D0D3C} Bing Url="http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox"
{BB9C072E-41F1-4A88-822E-521B8166F24E} Wikipedia Url="http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}"

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\FFPDFArchitectConverter@pdfarchitect.com deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Matt Billington\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Matt Billington\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Matt Billington\AppData\Local\Mozilla\Firefox\Profiles\265b3mcj.default\Cache emptied successfully
C:\Users\Matt Billington\AppData\Local\Mozilla\Firefox\Profiles\4w50g8uy.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome Cache found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=13 folders=5 3133970 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\hedev\AppData\Local\temp emptied successfully
C:\Users\Matt Billington\AppData\Local\Temp will be emptied at reboot
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\MATTBI~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on 08/05/2015 at 20:20:40.59 ======================
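Two questions in this thread (the 589.tmp process in the opening post, and the AVG alert on cmd.exe in the post above) come down to the same triage step: find out where a process image actually lives, who launched it, what its hash is, and whether it carries a valid signature, before deciding that it is malware. The PowerShell below is an added example written for this thread, not code from any of the tools the helper uses; it assumes Windows PowerShell 4.0 or later (for Get-FileHash and Get-CimInstance, which on Windows 7 means installing the Windows Management Framework update) and an elevated prompt so that processes of other users are visible. The image name '589.tmp' and the cmd.exe path are the ones from the thread.

```powershell
# Added example, not code from this thread or from any of the tools it uses.
# Requires Windows PowerShell 4.0+ (Get-FileHash, Get-CimInstance); run elevated.

function Get-ProcessImageReport {
    <#
      Lists every running process whose image name matches $ImageName
      (e.g. '589.tmp' from the opening post) with the facts that decide
      whether it deserves attention: image path, parent process, command
      line, SHA-256 for lookup, and Authenticode status.
    #>
    param([Parameter(Mandatory = $true)][string]$ImageName)

    # Win32_Process exposes the image path, parent PID and command line;
    # Get-Process alone hides the parent, and a .tmp image is a common
    # installer pattern that only the path and parent can explain.
    $procs = Get-CimInstance -ClassName Win32_Process |
             Where-Object { $_.Name -eq $ImageName }   # -eq is case-insensitive

    foreach ($p in $procs) {
        $path   = $p.ExecutablePath
        $exists = $path -and (Test-Path -LiteralPath $path)
        $parent = Get-CimInstance -ClassName Win32_Process `
                      -Filter "ProcessId = $($p.ParentProcessId)"

        [pscustomobject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            Created     = $p.CreationDate
            Path        = $path
            CommandLine = $p.CommandLine
            SHA256      = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            Signature   = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { $null }
        }
    }
}

function Test-SystemBinary {
    <#
      For a file an AV product flagged (cmd.exe under SysWOW64 in this
      thread), report signer and hash so the alert can be judged rather
      than guessed at.
    #>
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status          # 'Valid' when an embedded signature checks out
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    # Caveat: many Windows system files are catalog-signed rather than carrying
    # an embedded signature, so older PowerShell builds report them as
    # 'NotSigned'. Cross-check those with:  sfc /verifyfile=<path>
}

# Usage (elevated PowerShell prompt):
Get-ProcessImageReport -ImageName '589.tmp' | Format-List
Test-SystemBinary -Path "$env:windir\SysWOW64\cmd.exe" | Format-List
```

A process named 589.tmp whose path sits under a user's Temp folder and whose parent is an installer or updater is the benign case the helper describes later in the thread; the same name with no parent left running, an unsigned image and a command line pointing somewhere unexpected is what would justify the full cleanup. For cmd.exe, a mismatch between the SysWOW64 copy's hash and a known-good copy, or an 'sfc /verifyfile' failure, matters far more than an AV alert raised at the moment a cleanup script asked for elevation.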
mattbizly Posted May 8, 2015 Author ID:961227

Thought you'd probably want the results from the second scan with Malwarebytes, so here they are.

Thanks

Matt

Attachment: scan2 8may 2015.txt
TwinHeadedEagle Posted May 8, 2015 ID:961251

Good. How is your PC behaving now?
mattbizly Posted May 9, 2015 Author ID:961304

Slightly better. Still having some slowness with Flash Player, but I suppose that's to be expected with an older machine like mine. Should I do any further scans or anything else to see if there is a problem? Also, could you explain exactly what 589.tmp was/is? I'm beginning to think I might have panicked and overreacted slightly ...

Thanks

Matt
TwinHeadedEagle Posted May 9, 2015 ID:961310

I think it wasn't anything serious, just a simple temporary file that got caught by one of the antivirus routines. Let's make one more scan:

Uninstall outdated Malwarebytes' Anti-Malware

- Please download MBAM-clean and save it to your desktop.
- Right-click on the mbam-clean.exe icon and select Run as Administrator to start the tool.
- It will ask you to reboot the machine - please do so.
- After that, follow my next instructions to download & install the newest MBAM version.

Scan with Malwarebytes' Anti-Malware

- Please download Malwarebytes Anti-Malware and save it to your desktop.
- Install the program and select update.
- Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
- Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
- If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
- Upon completion of the scan (or after the reboot), click the History tab.
- Click Application Logs and double-click the Scan Log.
- At the bottom click Export and choose Text file.
- Save the file to your desktop and include its content in your next reply.
mattbizly Posted May 9, 2015 Author ID:961318

Okay great. I have to go to work today, so it will be a few hours before I can respond, but I will follow your instructions and reply with the scan log this evening. Was the threat alert I got after running Zoek anything to be concerned about, or just part of Zoek that got caught by AVG identity theft protection?

Thanks very much

Matt
TwinHeadedEagle Posted May 9, 2015 ID:961319

Yes, Zoek got caught by AVG. Don't worry about this.
mattbizly Posted May 9, 2015 Author ID:961423

Hello. Here's the results from the scan with the latest, updated version of MWB. Looks like everything is okay.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 09/05/2015
Scan Time: 18:31:25
Logfile: scan 9may2015.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.09.04
Rootkit Database: v2015.04.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Matt Billington

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 424073
Time Elapsed: 45 min, 26 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
TwinHeadedEagle Posted May 9, 2015 ID:961424

Exactly
mattbizly Posted May 9, 2015 Author ID:961426

Great! So that's it?
TwinHeadedEagle Posted May 9, 2015 ID:961427

You're good to go. Glad I could help.

We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself.

Recommended reading:

MUST READ - security tips:
- Computer Security - a short guide to staying safer online.
- Simple and easy ways to keep your computer safe and secure on the Internet
- How Malware Spreads - How did I get infected

MUST READ - general maintenance:
- What to do if your Computer is running slowly?

The Importance of Software Updating:
In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavors running. Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.
- How to configure and use Automatic Updates in Windows
- How to update Java
- How to update Adobe Reader

Recommended additional software:
- CCleaner - to clean unneeded temporary files.
- Malwarebytes' Anti-Malware - to scan your system from time to time in search for malware.
- Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
- McShield - to prevent infections spread by removable media.
- Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.
- Adblock - to surf the web without annoying ads!

Post-cleanup procedures:
- Download DelFix by Xplode and save it to your desktop.
- Run the tool by right-clicking on the icon and choosing the Run as administrator option.
- Make sure that these ones are checked:
  Remove disinfection tools
  Purge system restore
  Reset system settings
- Push Run.
- The program will run for a few seconds and display a Notepad report. You do not need to attach it.
- The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
- The tool deletes old system restore points and creates a fresh system restore point after cleaning.

My help is free for everybody. If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation: Thank you!

Stay safe,
TwinHeadedEagle
mattbizly Posted May 9, 2015 Author ID:961437

Great, thank you very much for your help. I'll also follow the clean up procedure too. I'll be sure to point my friends this way if they have any problems as well!

Many thanks

Matt
AdvancedSetup (Root Admin) Posted May 10, 2015 ID:961637

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!