07-19-2009 04:13 PM - edited 07-19-2009 04:21 PM
This morning we woke to multiple windows that were opened without our knowledge. When those windows were closed we began to hear music playing and a news cast even though no windows were open. After doing some basic looking around I saw that there were 3 new executable files that were downloaded at the same time last night: a.exe, b.exe & c.exe. I first attempted a NAV full system scan and it was taking hours to do anything. Once I saw this I looked in the task manager to see that my CPU usage was at 100% and 99% of it was being used by the c.exe. After letting the scan go on for about 5 hours I finally decided to end the process of the b.exe & c.exe so that the scan could finish. After doing the scan the b.exe is back in the task manager Processes. The scan finished within 45 minutes but only found a cookie that is unrelated. I did double check to see if LiveUpdate was current and it was.
I followed the steps listed in this post http://community.norton.com/norton/board/message?b
I also downloaded, and used, Malwarebytes'. It is scanning right now so I will update with those results.
I am not sure what else to do. Any suggestions as how to get rid of this would be greatly appreciated.
Thank you.
07-19-2009 04:30 PM
In HiJackThis check the following and then click on "Fix checked":
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\b.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Also, before you delete these entries, on the O4 b.exe line, select that entry and click on the "More info" button in HJT. See if you can get the exact directory location of this file. After you have HJT clean the selected files, go to that directory and delete all the files in it.
Next download MalwareBytes' AntiMalware and run a complete scan with that. Please have it fix everything it finds and then save the log. Please post that log back here.
Please download MalwareBytes' AntiMalware from this LINK . Choose the free version as this does not have a real time scanner that will interfere with Norton products. Install the program and update the definitions.
Boot into Safe Mode:
Start your system and tap the F8 key until the Advanced Options Menu appears. Using the arrow keys, select Safe Mode (no networking or command prompt) and press ENTER.
Once Safe Mode is loaded, run a full scan with MBAM. Have the program fix / delete whatever it finds and make a log file. Please post the log file contents back here for review.
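The O4 line above is the actual persistence mechanism: a value under HKCU\..\Run that relaunches b.exe from the user's Temp folder at every logon, which is why the process came back after it was ended. "Fix checked" removes the registry value but leaves the file on disk, hence the advice to find and delete the directory as well. As an added illustration (not code from the thread or from HijackThis), the script below parses HJT-style O4 lines and flags the two traits seen here: an autostart that runs from a Temp directory, and a single-letter executable name. The sample lines are constructed; only the [Cognac] entry mirrors the one quoted above, and the heuristics are this example's own, not a vendor's detection logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample HijackThis O4 lines (not a real log). Only the [Cognac]
# entry mirrors the one quoted in the thread; the other three are made up.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\b.exe
O4 - HKCU\..\RunOnce: [Updater] C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\c.exe -silent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""


@dataclass
class O4Entry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, RunServices, ...
    name: str      # registry value name shown in [brackets]
    command: str   # full command line stored in the value
    path: str      # executable path extracted from the command line


# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Executable path: optionally quoted, cut at the first recognised extension so
# trailing arguments (e.g. "-silent") are not mistaken for part of the path.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))"?', re.IGNORECASE)

# Path fragments that mark a Temp directory (lower-cased comparison).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one registry-autostart O4 line; return None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None  # e.g. "O4 - Startup: ..." or a line from another section
    cmd = m.group("cmd").strip()
    pm = EXE_RE.match(cmd)
    path = pm.group("path") if pm else (cmd.split() or [cmd])[0]
    return O4Entry(m.group("hive"), m.group("key"), m.group("name"), cmd, path)


def suspicious_reasons(entry: O4Entry) -> List[str]:
    """Heuristic reasons (assumed by this example) to look closer at an autostart."""
    reasons: List[str] = []
    p = entry.path.lower()
    if any(marker in p for marker in TEMP_MARKERS):
        reasons.append("runs from a Temp directory")
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) == 1:
        reasons.append("single-character executable name")
    return reasons


def triage(hjt_text: str) -> List[Tuple[O4Entry, List[str]]]:
    """Return every O4 autostart in the log that trips at least one heuristic."""
    flagged: List[Tuple[O4Entry, List[str]]] = []
    for line in hjt_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    # Prints the two Temp-folder autostarts; the file path shown is what has to
    # be deleted on disk after the registry value itself is fixed.
    for entry, reasons in triage(SAMPLE_O4_LINES):
        print(f"{entry.hive}\\..\\{entry.key} [{entry.name}] -> {entry.path}")
        for reason in reasons:
            print(f"    - {reason}")
```

The extracted `path` is the part HJT's "More info" button would have shown, and it is what needs to go when the autostart value is removed; if the same value reappears after a reboot, something still running is re-creating it, which is the rootkit scenario raised later in the thread.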
07-19-2009 06:23 PM
Also please provide a GMER scan. Make sure all boxes are checked. Run in safe mode if necessary.
07-19-2009 07:39 PM
I "fixed" the items listed in HJT. Unfortunately, I was unable to determine the exact directory location of the files.
I ran a full system scan using MBAM and that log is attached. After Removing the files using MBAM I received a warning window stating
"Certain items could not be removed! The first few are listed below. All items that could not be removed have been added to the delete on reboot list. Please restart your computer now. A logfile was saved to the Logs folder.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\b.exe
Your computer needs to be restarted to complete the removal process. Would you like to continue? Yes or No"
I chose Yes & plan to continue with the safe mode reboot.
I will post the MBAM scan log, after booting in safe mode, later tonight.
07-19-2009 08:20 PM
Hi
You have a Rootkit in the background that could be just repairing everything.
Quads
07-19-2009 09:25 PM
Hi
You have a Rootkit in the background that could be just repairing everything.
Quads
**************
Unfortunately, I do not know what this means. Could you explain for me please?
07-19-2009 09:46 PM
Hi
Part of it shows here, "c:\WINDOWS\system32\TDSSxekj.dll", not all of it. The rootkit can or could have instructions to download more malware, etc.
When you delete what is easy the rootkit could just place it all back.
Please Download http://homepages.slingshot.co.nz/~crutches/SysProt
When starting the program, go to the "Log" tab and, with the boxes for the areas selected, scan.
If it does show, I will use the log to single it out and guide you through the rest of the process step by step.
Quads
07-19-2009 10:16 PM
I ran the second MBAM scan, in safe mode.
The log is attached.
So far the a.exe , b.exe & c.exe appear to be gone. I am gonna list this problem as solved.
Thanks to everyone for helping me figure this out!!
07-19-2009 10:47 PM
I appreciate your marking the solution, but we would all feel better if you would follow Quads' suggestions in this post (#7 of this thread).
A rootkit can be a bad thing to have; it will keep coming back and downloading other malware also. This scan can help us determine that your system is truly clean.
07-20-2009 12:56 PM
