Jump to content

Sephamore-threads/idle-threads.exe problem


Recommended Posts

  • Replies 73
  • Created
  • Last Reply

Top Posters In This Topic

Hello joshtessier1234 and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

user posted imageGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. user posted image
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

user posted imageMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. user posted image Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

user posted imageInternet Explorer - Click the Tools menu in the upper right-corner of the browser. user posted image Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

user posted imageChange default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…



If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.


Let me see those logs in your reply...

Thank you,

Kevin...

 

Link to post
Share on other sites

here are the files requested

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2016-06-14
Scan Time: 5:17 PM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.14.05
Rootkit Database: v2016.05.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: easyhome

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 312504
Time Elapsed: 11 min, 48 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.WinYahoo, HKU\S-1-5-21-3958632929-2267976054-3537584900-1002\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5FC0B60C-45AD-4BB9-96D3-0AB53E64AE7E}, Quarantined, [26b7f903dbbe7db9e90683524ab9df21], 

Registry Values: 1
PUP.Optional.WinYahoo, HKU\S-1-5-21-3958632929-2267976054-3537584900-1002\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5FC0B60C-45AD-4BB9-96D3-0AB53E64AE7E}|URL, https://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ggbg_16_19¶m1=1¶m2=f[26b7f903dbbe7db9e90683524ab9df21]D4%26b[26b7f903dbbe7db9e90683524ab9df21]DIE%26cc[26b7f903dbbe7db9e90683524ab9df21]Dca%26pa[26b7f903dbbe7db9e90683524ab9df21]DWincy%26cd[26b7f903dbbe7db9e90683524ab9df21]D2XzuyEtN2Y1L1QzuyEyEtAyB0EyC0EyByE0DyCyDyC0Dzz0EtN0D0Tzu0StCyDzyyDtN1L2XzutAtFtBtCtFtCtFyCtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyD0BtByDtCyE0D0DtGtB0EtA0EtGyE0ByE0BtGtDtAtAtBtGtBtAtDyDtB0EtAyDzzyDtC0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyzyyEzyyC0B0AyBtGyCtB0B0DtGyEtA0D0FtG0A0DzzyEtGyBtBtB0F0DyE0A0DyD0A0EyE2QtN0A0LzuyE%26cr[26b7f903dbbe7db9e90683524ab9df21]D63595027%26a[26b7f903dbbe7db9e90683524ab9df21]Dwbf_ggbg_16_19%26os_ver[26b7f903dbbe7db9e90683524ab9df21]D6.3%26os[26b7f903dbbe7db9e90683524ab9df21]DWindowsQuarantinedB8.1&p={searchTerms}, %4, %5

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

Rkill.txt

Addition.txt

FRST.txt

Link to post
Share on other sites

Thanks for the logs, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Go here: https://www.zemana.com/Download download and install Zemana Anti-malware. Allow a shortcut to be saved to your Desktop.. The tool will be active with a 15 day trial....

Right click on user posted image Zemana Antimalware and select "Run as Administrator"

From the GUI select "Settings"

user posted image

In the new window Select 1. Updates, when complete Select 2. Real Time Protection.

user posted image

In the next window make sure 1. all boxes are checkmarked and the action is "Quarantine" and then " 2. Select the home icon.

user posted image

In the new window select "Scan"

user posted image

When the scan completes check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR for all other entries choose QUARANTINE then select the "Next" tab


The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...

On that screen select the "Reports" tab. (Looks like 3 chimneys)

user posted image

On that screen select and highlite the scan details line, then select "Open Report"

user posted image

Copy and paste that log to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


Let me see those logs, also give an update on any remaining issues or concerns....

Thank you,

Kevin...

Fixlist.txt

Link to post
Share on other sites

mmm strange, those were backup files to replace exploited versions with FRST fix. FRST should have created a restore point before making changes, see if we use that to restore connection...

Close down your PC, Hold down the Shift key and reboot. Windows should open to the "Choose an Option" window....

From that window select "Troubleshoot" from the next window select "Advance Options" from  there select  "System Restore" from there follow the prompts to run System Restore to any date prior to this issue happening

Link to post
Share on other sites

Thanks for those logs, we still have a problem with the following files:
 

Quote

 

C:\WINDOWS\system32\dnsapi.dll
[2016-05-15 17:17] - [2016-05-15 17:17] - 0686976 ____A (Microsoft Corporation) D27F8F963006C398B0BEE14AD67F2D39

C:\WINDOWS\SysWOW64\dnsapi.dll
[2016-05-15 17:17] - [2016-05-15 17:17] - 0535080 ____A (Microsoft Corporation) D7BF3487073C497F2BF55B6AF4CB632A

 

Those files are forged and must be replaced, I used the replacements identified by RKill last time, Lets do a search this time with FRST...

Open FRST again, type or copy/paste the following in the edit box after "Search:".

dnsapi.dll

Click Search button and post the log (Search.txt) it makes to your reply.

Link to post
Share on other sites

Thanks for that log, ok we try once again...

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Lets see if we are successful this time.....

 

Fixlist.txt

Link to post
Share on other sites

Yes they were listed to be removed, FRST had them listed to be removed after reboot but they failed..

Quote

"C:\Windows\System32\mutex-threads.exe" => Could not move
"C:\Windows\System32\idle-threads.exe" => Could not move
"C:\Windows\System32\latch-threads.exe" => Could not move
"C:\Windows\System32\semaphore-threads.exe" => Could not move

 

Go to this link: https://www.malwarebytes.org/fileassassin/  Download and install Malwarebytes File Assassin, follow the instructions at the same link to remove those files...

Let me know if that is successful.. if it is successful continue and run the following:

Go here: https://www.zemana.com/Download download and install Zemana Anti-malware. Allow a shortcut to be saved to your Desktop.. The tool will be active with a 15 day trial....

Right click on user posted image Zemana Antimalware and select "Run as Administrator"

From the GUI select "Settings"

user posted image

In the new window Select 1. Updates, when complete Select 2. Real Time Protection.

user posted image

In the next window make sure 1. all boxes are checkmarked and the action is "Quarantine" and then " 2. Select the home icon.

user posted image

In the new window select "Scan"

user posted image

When the scan completes check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR for all other entries choose QUARANTINE then select the "Next" tab


The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...

On that screen select the "Reports" tab. (Looks like 3 chimneys)

user posted image

On that screen select and highlite the scan details line, then select "Open Report"

user posted image

Copy and paste that log to your reply...

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


let me see those logs in your reply, also give an update on any remaining issues or concerns...

I`m logging off shortly as its after 1 am local time for me, need some sleep. Will catch up later...

Thank you,

Kevin...
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.