Hey there, recently I got infected with a redirect virus that opens up a new tab for an advertisement page. I've tried running the scans with Adwcleaner, Malwarebytes, Superantispyware, Hitmanpro, Zemana, Emsisoft and RogueKiller to get rid of as much as I can. I've also uninstalled my browsers and reinstalled them. So far when I browse the web on Opera nothing pops up anymore, but when I run scans with Hitmanpro, a new ****.tmp.exe file is always generated. In this case the most recent one I have is 3B8C.tmp.exe, and a new one will always generate every time I make a scan once I turn on the laptop. Attached to this email is a screenshot of the scan results from Hitmanpro. Any help on what to do would be greatly appreciated. Also, let me know if you need any information about computer specs or anything else, thanks.

 

malwarepic.png


Hi realfromthestart :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
  • This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.
 
https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/
 
If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder hereafter.


Ok, so here are the results after the scan.

 

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.11.08.12
  rootkit: v2017.10.14.01

Windows 10 x64 NTFS
Internet Explorer 11.674.15063.0
Windows 10 :: DESKTOP-OMRH27L [administrator]

11/8/2017 1:05:24 PM
mbar-log-2017-11-08 (13-05-24).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 306323
Time elapsed: 14 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Windows 10\Downloads\Lets Drift 3.EXE (CheatTool.CETTrainer) -> Delete on reboot. [2bf1916f2f7b8caa06132f4de819f30d]

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 


It didn't detect anything, weird. Let's see if FRST can give us more information.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your Desktop
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • Make sure the Addition.txt box is checked
  • Click on the Scan button
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply


Alright, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt


Alright, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply


Fix result of Farbar Recovery Scan Tool (x64) Version: 02-11-2017
Ran by Windows 10 (08-11-2017 14:14:46) Run:2
Running from C:\Users\Windows 10\Downloads\FRST
Loaded Profiles: Windows 10 (Available Profiles: Windows 10)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

GroupPolicy: Restriction <==== ATTENTION

C:\ProgramData\mntemp

EmptyTemp:
*****************

Processes closed successfully.
Error: (0) Failed to create a restore point.
"C:\Windows\system32\GroupPolicy\Machine" => not found.
"C:\ProgramData\mntemp" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7488560 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 3122 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 26690489 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 3620 B
Windows 10 => 506610 B

RecycleBin => 1578 B
EmptyTemp: => 40.1 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:14:52 ====


Can you tell me if the *.tmp.exe processes are back?


Okay, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.

  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • In the Search text area, copy and paste the following:
    tmp.exe
  • Once done, click on the Search Registry button and wait for FRST to finish the search
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply


Ran the search, but nothing really came up. Below are the results from Notepad.

Farbar Recovery Scan Tool (x64) Version: 02-11-2017
Ran by Windows 10 (08-11-2017 18:33:54)
Running from C:\Users\Windows 10\Downloads\FRST
Boot Mode: Normal

================== Search Registry: "tmp.exe" ===========


====== End of Search =====


Not really. These files keep being created, which means that the dropper is still on the system and we need to find it.

Autoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:

  • Download Autoruns.zip from the Sysinternals Suite webpage
  • Extract the content of the Autoruns.zip folder where you want, then go into the folder, right-click on Autoruns.exe and select Run as Administrator
  • Accept the EULA on opening, then wait for all the entries to load
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file
  • Right-click on the file you saved and select Send to followed by Compressed (zipped) folder
  • Attach the .zip file on your next post, or if it says that it's too big, upload it on SendSpace and post the download URL for it here


Hum... I don't see anything suspicious in this log, nor in the FRST ones I reviewed. Though there are a few more places I would like to check. Download the fixlist.txt below, run a FRST fix with it and attach the fixlog.txt hereafter.

 

fixlist.txt


Nothing. Can you try something? Can you find a .tmp.exe file in your Temp folder, upload it to VirusTotal and provide me the report URL for it?


When you delete the .tmp.exe files, do they come back on restart? Or do they come back right away (without a restart)?


It comes back every time I restart. It's been a day or two since my last scan and now I see a lot more of them. What I also noticed is it might possibly be a false positive. I put the view on thumbnail and I saw that the icon is the same one for WD Drive, which is for the external hard drive I have. I'm thinking these files are created from one of the WD Drive Utilities programs for my external drive. It just seems that Hitmanpro picks it up as malware. This is just a hunch at the moment, I'm not sure if I'm right. I'm running scans after I uninstalled the WD programs to see if the same tmp.exe files show up.
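As an added defender-side example (not part of this thread, and not code from FRST, HitmanPro, Autoruns or Western Digital), the PowerShell script below carries out in one pass the checks the thread arrives at by hand: it lists every *.tmp.exe in the per-user and system Temp folders with its creation time, its SHA-256 hash (the value to look up on VirusTotal instead of uploading the file) and its Authenticode signature status and signer, which is the quickest way to test the hunch that the files belong to WD Drive Utilities; it then searches the common Run/RunOnce keys and the scheduled tasks for anything referencing tmp.exe, the same string the FRST registry search looked for. It assumes Windows PowerShell 5.1 on Windows 10, run from an elevated prompt so that other users' Temp folders and the HKLM keys are readable; the list of folders and registry keys is my choice, not something the thread specifies.

```powershell
# Added triage example; assumes Windows PowerShell 5.1 on Windows 10, run as Administrator.
# Nothing here deletes or modifies anything: it only reads files, the registry and task definitions.

# 1. Temp folders to inspect: the system Temp plus every profile's local Temp (assumed locations).
$tempDirs = @("$env:SystemRoot\Temp")
$tempDirs += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

# 2. Collect candidate files matching the naming pattern seen in the HitmanPro results (e.g. 3B8C.tmp.exe).
$files = foreach ($dir in $tempDirs) {
    if (Test-Path -Path $dir) {
        Get-ChildItem -Path $dir -Filter '*.tmp.exe' -File -Recurse -ErrorAction SilentlyContinue
    }
}

# 3. Record hash, signature status and signer for each file. A Valid signature whose subject names
#    the expected vendor supports the false-positive hypothesis; NotSigned or HashMismatch does not,
#    and such a file is the one whose SHA-256 you would look up on VirusTotal.
$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        SizeBytes = $f.Length
        Created   = $f.CreationTime
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}
$report | Sort-Object -Property Created -Descending | Format-Table -AutoSize

# 4. Autostart registry values that mention tmp.exe (the keys below are the usual suspects, my selection).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip the provider's PSPath/PSDrive metadata
        if ("$($p.Value)" -match 'tmp\.exe') {
            '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
        }
    }
}

# 5. Scheduled tasks whose action runs a tmp.exe: a common place for a dropper to re-create files at boot.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'tmp\.exe') {
            '{0}{1} -> {2} {3}' -f $task.TaskPath, $task.TaskName, $a.Execute, $a.Arguments
        }
    }
}
```

Run it once before the next reboot and once after, and compare the two Created columns: files that reappear with a fresh timestamp and a valid Western Digital signature point to a legitimate updater or helper writing to Temp, whereas unsigned files with no matching autostart or task entry mean the creator is somewhere the script does not look (a service, a WMI subscription, or a logon script) and belongs in the FRST and Autoruns logs the helper already asked for. Piping `$report` to `Export-Csv` keeps a record that can be pasted into the thread.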

This topic is now closed to further replies.