Recurring suspicious program/process

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by expatdude, Jan 19, 2006.

  1. expatdude

    expatdude Private E-2

    I've got something nasty that is not identified by Spybot or Ad-Aware nor my antivirus software, Trend Micro PC-cillin.

    It shows up as a process which changes name every time I restart. The process is currently called UD4042.exe. The executable file is in C:\Windows\Temp. If I delete it, a new one shows up in the same location.

    I tried killing and deleting the process/executable and restarting in safe mode and running the cleanup manager, but it just comes back with a different name. Starting up takes a long time, with Windows saying it's modifying my settings.

    I've done a hijack this file, but am hesitant to post it because you seem strict about what someone must do before posting one and I'm assuming I'll screw up. :) Any advice as to how to proceed from here?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow the steps below:

    Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
     
  3. expatdude

    expatdude Private E-2

    I have done as instructed.

    I did everything in: READ & RUN ME FIRST Before Asking for Support

    I also did everything in: Downloading, installing and running Hijack This.

    To review, I have an executable that shows up each time I start. Each time it has a different name, but it always resides in the Windows/Temp folder. Another symptom is that each time I start, the computer spends at least a couple of minutes "Applying Computer Settings," leading to abnormally long start times.

    The executable that runs is currently called SX92F.exe and shows up in the Task Manager. It can be stopped by the End Process command in the Task Manager. When I stop the process, it disappears from the Windows/Temp folder. I don't know if it's relevant, but a suspicious empty folder also appeared in Windows/Temp; it's called ASHeuristic.

    When I did the "READ & RUN" procedure, I found nothing until I ran Panda. Bitdefender was clean, but Panda found a few spyware cookies. My bitdefender and Panda reports are attached.

    I would really appreciate advice on how to get rid of this thing.

    Thanks.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. expatdude

    expatdude Private E-2

    Thanks for all your help. I have finished the steps above and one spyware cookie was found by Ewido.

    The logs are attached.

    The suspicious process is still there, this time named DCFBB9.EXE, and startup is still slow.

    I would again appreciate (I really do appreciate the time you take for this) advice on how to proceed.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your definitions for SS are out of date. Please update these definitions and run another full sweep with SS. After you complete this new sweep with the updates, attach the new log with a fresh HJT log.
     
  7. expatdude

    expatdude Private E-2

    Unfortunately, as I don't own Spy Sweeper, I can't update the definitions. Is there anything else I can try?
     
  8. expatdude

    expatdude Private E-2

    I updated my definitions as best I could. Here's the report and the new Hijack This log.

    Thanks in advance for any help you might be able to give.
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Spy Sweeper


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    JTB3E6.EXE

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.asianust.ac.th:8080
    (Keep this if you're familiar with it)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.19.1.12,172.19.1.99,172.19.1.121;
    (Keep this if you're familiar with it)

    O1 - Hosts: 204.92.120.103 www.shitforbrains.org

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asianust.ac.th
    O17 - HKLM\Software\..\Telephony: DomainName = asianust.ac.th
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = asianust.ac.th
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = asianust.ac.th
    (Keep these if you're familiar with them)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\WINDOWS\TEMP Delete everything in this folder!

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT to normal windows and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    After you complete the above reboot once more and then scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Jan 25, 2006
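    The checks in the post above (a process running out of C:\WINDOWS\TEMP, a non-loopback hosts-file entry, proxy and domain settings to keep only if they are known) can be applied mechanically to a HijackThis log. This is an added example, not part of the thread or of HijackThis itself; the "Running processes:" section layout is assumed, and the sample log is constructed from the lines quoted in this post.

```python
import re

# Constructed sample HijackThis log. The R0/R1/O1/O17 lines are the ones
# quoted in the thread; the "Running processes:" section follows the layout
# HijackThis logs use (assumed here), one process path per line.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\JTB3E6.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.asianust.ac.th:8080
O1 - Hosts: 204.92.120.103 www.shitforbrains.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = asianust.ac.th
"""

TEMP_PREFIX = "c:\\windows\\temp\\"          # nothing legitimate starts from here
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def triage(log_text):
    """Return (severity, reason, line) findings for a HijackThis log."""
    findings, in_procs = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            in_procs = False                    # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if line.lower().startswith(TEMP_PREFIX):
                findings.append(("high", "process running from Windows Temp folder", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O1":
            # Hosts override: a non-loopback mapping silently redirects a name.
            ip, _, host = body.split(":", 1)[1].strip().partition(" ")
            if not ip.startswith("127."):
                findings.append(("high", f"hosts file redirects {host} to {ip}", line))
        elif code == "R1" and "ProxyServer" in body:
            findings.append(("review", "proxy server configured; keep only if known", line))
        elif code == "O17":
            findings.append(("review", "DNS domain setting; keep only if known", line))
        elif code == "R0" and body.endswith("="):
            findings.append(("low", "empty IE page setting", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {line}")
```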
  10. expatdude

    expatdude Private E-2

    First of all, I want to give a big thank you for all your help. Second, I owe an apology for my own ignorance. I am on a school network, and today a friend said to me "if you have a bug, many others must have it, too." Duh! I checked a couple other machines, and sure enough, the whole network must have it.

    The good news is I seem to be free of it (at least for a while) after going through the last process you suggested. I have informed the computer center about the infection.

    I attach the files I got from the last process in case they are of interest. I had no problems, but did not check any of the following in Hijack This as they are known to me:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion******
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = *****
    O17 - HKLM\Software\..\Telephony: DomainName = *****
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = *****
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ****

    Thank you yet again for your kindness, patience, and knowledge.
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good, are you having any further problems?
     
  12. expatdude

    expatdude Private E-2

    Everything has been great so far on my machine.

    I'm expecting to be reinfected, though, because every other machine I've checked on the school network has the same symptoms. As of now, as far as I've checked, I have the only malware-free machine on the network.

    Thanks again for all the help. I have learned a lot. (I've actually been helping the computer center guys a bit, isn't that frightening?)

    :)
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

