589.tmp



Hi guys,

 

Just found a process running on my Windows 7 Home Premium 64 laptop. It was listed as 589.tmp. I Googled it, and found not a lot of useful information (and none from a source that I was familiar with or trusted). Currently waiting for Malwarebytes to finish scanning my laptop, but I just wanted to make a post and ask if this is malware that anyone here is familiar with? I'm fairly certain that it is malicious software as I have noticed a drop in my laptop's performance lately; however, I will post up the scan log afterwards. Also, should I post that as an attachment, or copy and paste the text into the post itself? Thanks in advance for any help and advice.

 

Matt


Hello,
    
 
They call me TwinHeadedEagle around here, and I'll try to help you with your issue.
 
     
    
Before we start please read and note the following:

  • We're primarily oriented towards malware removal here, so you must understand that some issues simply cannot be solved, and you must be prepared for this. Some tools we use here will remove your browser search history, so back up your important links and all the files whose loss is unacceptable.
  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts; attachments make my work easier. There is a More reply options button, which gives you an Upload Files option below that you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in the given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Do not ask for help for your business PC. Companies make revenue via their computers, so it is a good thing to pay someone to repair them.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
Rules and policies
 
We won't support any piracy.
That being said, if any evidence of an illegal OS, software, cracks/keygens or anything similar is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for its removal. All P2P software has to be uninstalled, or at least fully disabled, before proceeding!
 
Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.
 
 



 
Please download Farbar Recovery Scan Tool and save it to your desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Thank you for the offer of help, Twin Headed Eagle. The Malwarebytes scan will only be a couple more minutes, after which I'll do the scan with Farbar and post both sets of results in this thread. I'll do it as two separate posts to avoid confusion.

 

Matt


Here is the scan from Malwarebytes. It came up clean. Also, I don't know if this is relevant, but I have been having lots of problems with Flash Player lately: crashing, errors, videos not loading, exiting from full screen. Mostly on YouTube. Constantly getting messages about unresponsive plug-ins when watching video online. Tried updating Flash Player (using Firefox, by the way) and that hasn't seemed to fix the problem. Just some extra info that may help diagnose the problem.

scan 8may2015.txt


Scan with ZOEK
 
Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the zoek.exe icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns;b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, the log will open after it. You may also find it on your main drive (usually the C:\ drive).

Post its content into your next reply.


Here is the result of that scan. When the system rebooted, Malwarebytes automatically started doing a scan; I assumed that was normal, so I let it continue. There was a threat message, though, that popped up when the scan had finished and before the reboot. I had disabled the resident shield in AVG; however, I forgot to disable the identity theft protection part of AVG. It warned me of a threat detected, located in "C:\Windows\Sys\WOW64\cmd.exe". It was unable to tell me what type of threat it was; however, it was a level 4 severity threat. It popped up exactly as the scan asked for authorisation, however, so I assumed it was simply catching that, so I closed the warning and rebooted my laptop as normal. Just thought I should tell you in case it's important and not part of the Zoek scan. Anyway, here are the scan results.

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Matt Billington on 08/05/2015 at 19:37:45.78.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Matt Billington\Desktop\zoek.exe [scan all users] [script inserted]

==== System Restore Info ======================

08/05/2015 19:50:30 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\gravitysensation.com deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\Sony Ericsson deleted successfully
C:\PROGRA~2\VstPlugins deleted successfully
C:\PROGRA~2\Wizards of the Coast deleted successfully
C:\PROGRA~3\Guitar Pro 6 deleted successfully
C:\PROGRA~3\Oracle deleted successfully
C:\PROGRA~3\ReaConverter deleted successfully
C:\PROGRA~3\Sony Ericsson deleted successfully
C:\Users\Matt Billington\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\Matt Billington\AppData\Roaming\TP deleted successfully
C:\Users\Matt Billington\AppData\Roaming\uTorrent deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2205246989-1021118915-2616197947-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E45FE784-198F-490D-9209-95583AED082D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{E45FE784-198F-490D-9209-95583AED082D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E45FE784-198F-490D-9209-95583AED082D} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\MATTBI~1\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default

user.js not found
---- Lines Search  removed from prefs.js ----
user_pref("browser.search.hiddenOneOffs", "Yahoo.co.uk,Bing,Amazon.co.uk,Chambers (UK),DuckDuckGo,eBay.co.uk,Search Term,Twitter,Wikipedia (en)");
---- FireFox user.js and prefs.js backups ----

prefs_052015_2007_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\gravitysensation.com not found
C:\PROGRA~2\Sony Ericsson not found
C:\PROGRA~2\VstPlugins not found
C:\PROGRA~2\Wizards of the Coast not found
C:\PROGRA~2\Windows Live SkyDrive deleted
C:\PROGRA~3\hash.dat deleted
C:\PROGRA~3\Package Cache deleted
C:\Windows\wininit.tmp deleted
C:\Windows\wininit.ini deleted
C:\end deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\MATTBI~1\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default
user_pref("browser.startup.homepage", "http://www.google.com");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"FFPDFArchitectConverter@pdfarchitect.com"=hex(2):43,00,3a,00,5c,00,50,00,72,\ []

==== Firefox Extensions ======================

ProfilePath: C:\Users\MATTBI~1\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default
- HP Detect - C:\Users\Matt Billington\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
- HP Detect - %ProfilePath%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
- Adblock Plus Pop-up Addon - %ProfilePath%\extensions\adblockpopups@jessehakanen.net.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Matt Billington\AppData\Roaming\Mozilla\Firefox\Profiles\4w50g8uy.default
66640A55AEFF3819C94E0A8D40D7E0AD    - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll -    Shockwave for Director / Shockwave for Director
9AE02005247DA91AB1743F5208DBEF76    - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll -    Shockwave Flash
65C1D9F74004E775F9A8598476ABE5EE    - C:\Users\Matt Billington\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll -    Unity Player


==== Fake Chromium Profiles Check ======================

Fake profile C:\Users\Matt Billington\AppData\Local\Google\Chrome deleted

==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
jmfkcklnlgedgbglfkkgedjfmejoahla - C:\Program Files (x86)\AVG\AVG2012\Chrome\safesearch.crx[26/07/2012 03:23]
ndibdjnfmopecpmkdieinmbadjfpblof - C:\Program Files (x86)\AVG\AVG2012\Chrome\donottrack.crx[20/04/2012 06:18]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{86EE716B-A1E7-49D2-B19A-C9D62A1D0D3C}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{86EE716B-A1E7-49D2-B19A-C9D62A1D0D3C} Bing  Url="http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox"
{BB9C072E-41F1-4A88-822E-521B8166F24E} Wikipedia  Url="http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}"

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\FFPDFArchitectConverter@pdfarchitect.com deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Matt Billington\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Matt Billington\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Matt Billington\AppData\Local\Mozilla\Firefox\Profiles\265b3mcj.default\Cache emptied successfully
C:\Users\Matt Billington\AppData\Local\Mozilla\Firefox\Profiles\4w50g8uy.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome Cache found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=13 folders=5 3133970 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\hedev\AppData\Local\temp emptied successfully
C:\Users\Matt Billington\AppData\Local\Temp will be emptied at reboot
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\MATTBI~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on 08/05/2015 at 20:20:40.59 ======================
 


Slightly better. Still having some slowness with Flash Player, but I suppose that's to be expected with an older machine like mine. Should I do any further scans or anything else to see if there is a problem? Also, could you explain exactly what 589.tmp was/is? I'm beginning to think I might have panicked and overreacted slightly ...

 

Thanks

 

Matt


I think it wasn't anything serious, just a simple temporary file that got caught by one of the antivirus routines.
 
Let's make one more scan:
 
 
Uninstall outdated Malwarebytes' Anti-Malware
 
Please download MBAM-clean and save it to your desktop.

  • Right-click on the mbam-clean.exe icon and select Run as Administrator to start the tool.
  • It will ask you to reboot the machine - please do so.

After that, follow my next instructions to download and install the newest MBAM version.
 
 
 
Scan with Malwarebytes' Anti-Malware
 
Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.


Okay, great. I have to go to work today, so it will be a few hours before I can respond, but I will follow your instructions and reply with the scan log this evening. Was the threat alert I got after running Zoek anything to be concerned about, or just part of Zoek that got caught by AVG identity theft protection?

 

Thanks very much

 

Matt

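Both questions Matt raises in this thread, whether a process listed as 589.tmp is worth worrying about and whether an AV alert on cmd.exe during a cleanup tool's run matters, come down to the same triage: where does the image live, what is its hash, who signed it, and what launched it. The PowerShell below is an added example written for this page; it is not from the thread and is not ZOEK, Malwarebytes or FRST code. It assumes an elevated PowerShell 4.0 or later session (Windows 7 needs Windows Management Framework 4 or later for Get-FileHash). The function names and the list of watched directories are this example's own choices.

```powershell
# Added example for this page, not code from the thread or from ZOEK/Malwarebytes/FRST.
# Assumes an elevated PowerShell 4.0+ session (Windows 7 needs Windows Management
# Framework 4 or later for Get-FileHash). Function names and the watched-directory
# list are this example's own choices.

function Get-SuspiciousProcessReport {
    [CmdletBinding()]
    param(
        # Additional directory prefixes to treat as suspicious launch locations.
        [string[]]$ExtraWatchDirs = @()
    )

    # Locations from which legitimate software rarely runs for long, but
    # droppers, installers and malware often do.
    $watchDirs = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp",
                   "$env:USERPROFILE\Downloads", $env:APPDATA, $env:LOCALAPPDATA,
                   $env:PUBLIC) + $ExtraWatchDirs |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } |
        Select-Object -Unique

    foreach ($proc in Get-CimInstance Win32_Process) {
        $path    = $proc.ExecutablePath
        $reasons = @()

        if (-not $path) {
            # System, Idle and protected processes report no path; also seen when
            # the shell is not elevated. Worth a look but usually benign.
            $reasons += 'no executable path reported'
        } else {
            $lower = $path.ToLowerInvariant()
            $ext   = [IO.Path]::GetExtension($lower)
            if ($ext -ne '.exe') { $reasons += "image extension is '$ext', not .exe" }
            foreach ($dir in $watchDirs) {
                if ($lower.StartsWith($dir + '\')) { $reasons += "runs from $dir"; break }
            }
        }
        if ($reasons.Count -eq 0) { continue }

        # Hash and Authenticode status of the on-disk image, if it still exists.
        # A .tmp image that has already been deleted is itself a useful data point.
        $hash = $null; $sigStatus = 'file missing'; $signer = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $hash      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig       = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # The parent tells you who started it: an installer or a cleanup tool
        # spawning a helper is a different story from explorer.exe or a browser.
        $parent     = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $parentName = $null
        if ($parent) { $parentName = $parent.Name }

        [pscustomobject]@{
            PID        = $proc.ProcessId
            Name       = $proc.Name
            Path       = $path
            ParentPID  = $proc.ParentProcessId
            ParentName = $parentName
            CmdLine    = $proc.CommandLine
            SHA256     = $hash
            Signature  = $sigStatus
            Signer     = $signer
            Reasons    = ($reasons -join '; ')
        }
    }
}

function Test-SystemBinary {
    # Quick integrity picture of a Windows binary that an AV product flagged,
    # e.g. C:\Windows\SysWOW64\cmd.exe. The 32-bit copy in SysWOW64 and the
    # 64-bit copy in System32 are different files with different hashes; both
    # are legitimate on 64-bit Windows.
    param([Parameter(Mandatory = $true)][string]$Path)

    $item   = Get-Item -LiteralPath $Path
    $ver    = $item.VersionInfo
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Caveat: most Windows OS files are catalog-signed rather than carrying an
    # embedded signature, and Get-AuthenticodeSignature only consults catalogs
    # on newer PowerShell versions, so 'NotSigned' here is not proof of tampering
    # on Windows 7. Confirm with Sysinternals sigcheck (-c) or by comparing the
    # hash with a known-good copy from install media or a machine at the same build.
    [pscustomobject]@{
        Path         = $item.FullName
        SizeBytes    = $item.Length
        CreatedUtc   = $item.CreationTimeUtc
        ModifiedUtc  = $item.LastWriteTimeUtc
        CompanyName  = $ver.CompanyName
        FileVersion  = $ver.FileVersion
        SHA256       = $hash
        Signature    = $sig.Status
        Signer       = $signer
        InWindowsDir = $item.FullName.ToLowerInvariant().StartsWith($env:SystemRoot.ToLowerInvariant() + '\')
    }
}

# Usage:
Get-SuspiciousProcessReport | Format-List
Test-SystemBinary -Path "$env:SystemRoot\SysWOW64\cmd.exe" | Format-List
```

The ParentName column is what separates a cmd.exe spawned by a cleanup tool (the ZOEK script posted above contains an `ipconfig /flushdns` line, which needs a command shell to run) from one started by something unexpected, and the Signature and SHA256 columns are what you would compare against a clean machine before deciding a system binary has been replaced. A process with a .tmp image usually belongs to an installer or updater unpacking itself; the report's Reasons and Path columns make that visible without guessing.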

Hello. Here's the results from the scan with the latest, updated version of MWB. Looks like everything is okay.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 09/05/2015
Scan Time: 18:31:25
Logfile: scan 9may2015.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.09.04
Rootkit Database: v2015.04.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Matt Billington

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 424073
Time Elapsed: 45 min, 26 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


You're good to go :)

Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself :)

Recommended reading:

MUST READ - security tips:

MUST READ - general maintenance:

The Importance of Software Updating:

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

Recommended additional software:

CCleaner - to clean unneeded temporary files.

Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.

Malwarebytes' Anti-Exploit - to block exploitation of many commonly exploited vulnerabilities.

McShield - to prevent infections spread by removable media.

Unchecky - to prevent the installation of additional foistware bundled into legitimate installers.

Adblock - to surf the web without annoying ads!

Post-cleanup procedures:

Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report. You do not need to attach it.
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.

The tool deletes old system restore points and creates a fresh system restore point after cleaning.

My help is free for everybody.

If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:


Thank you!

Stay safe,

TwinHeadedEagle :)


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.