This GUID path under programdata is listed in that log report posted by callender...
Okay try this: Run Process Explorer and highlight the problem explorer.exe then right click and choose "Suspend"
Then double click the explorer.exe entry and look at the "Threads" tab then click "Stack"
Click "Copy All" and open your text editor. Paste the results. Post them here.
Thorbro wrote: Today? Sorry cpubus but I'm not sure I have seen anyone resolve this issue at all - this thread has been going for weeks without a clue. But who knows, maybe someone will find something. It does appear to be something malicious that is accessing the computer from remote location.
I'd say if this thing is using the same GUID folder for every computer to store the files then this thing is solved. A Christmas miracle! The question is what is this thing? Norton was on this machine and it was no help at all. You'd think running a dll with the same name as a system32 file would be at least something to raise an alarm about...
Indeed it does appear in Afrim's log:
{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
So Afrim - you can try running the attached script in UVK (Rename with .uvk extension) and reboot if requested to do so by UVK.
UVK - FixList Afrim.txt
Last edited by Callender; 19 Dec 2014 at 14:36. Reason: add info
If anyone else tracks it down request uploading to VirusTotal to get a report and post the link to the report before deleting the folder and files.
Brilliant Cpubus; as soon as I am logged into my other (infected) PC I will give it a try. You might have to walk me through the delete process as your description is beyond my computer competence.
I don't have the same DLL file in that location, but I do have the following under the same folder:
xrWCtmg2.dll (updated today)
Any reason I can't delete that? The original file name in Details is "XPSlayer"....
(Should the whole folder be deleted?)
Yes, that looks suspicious, they just chose a different name for the file. Mine also had "XPSlayer" listed in the details. That folder should be deleted. Could you first drag out a copy of the dll file to your desktop and upload it to virustotal? Mine got deleted for good.
In order to delete that you can't have any explorer processes open, but you need explorer open to use the normal file system tools. Use the script suggested above or run a command prompt which will stay open with explorer closed.
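The steps in this thread (note the OriginalFilename under Details, hash and upload the DLL to VirusTotal, then remove the folder with Explorer out of the way) can be done without Explorer at all. The PowerShell script below is an added example, not something posted in the thread; it assumes the folder is the same ProgramData GUID path quoted earlier (replace the GUID with the one you actually see) and that it is saved as a .ps1 file and run from an elevated command prompt. It records hashes and version info for every file in the folder, lists any running process that has a module loaded from there, and writes the inventory to the Desktop so the evidence survives the deletion; it does not delete anything itself.

```powershell
# Added triage example (not from the thread). Assumes the suspicious folder is the
# GUID path under ProgramData quoted above; change it to match your own machine.
param(
    [string]$SuspectDir = (Join-Path $env:ProgramData '{9A88E103-A20A-4EA5-8636-C73B709A5BF8}')
)

if (-not (Test-Path -LiteralPath $SuspectDir)) {
    Write-Host "Folder not present: $SuspectDir"
    return
}

# 1. Inventory the folder before anything is removed: size, timestamps, SHA256 and the
#    embedded version info (the "XPSlayer" OriginalFilename mentioned in the thread).
$inventory = Get-ChildItem -LiteralPath $SuspectDir -File -Recurse | ForEach-Object {
    [PSCustomObject]@{
        Path             = $_.FullName
        SizeBytes        = $_.Length
        LastWriteUtc     = $_.LastWriteTimeUtc
        SHA256           = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        OriginalFilename = $_.VersionInfo.OriginalFilename
        CompanyName      = $_.VersionInfo.CompanyName
    }
}
$inventory | Format-List

# 2. Which running processes currently have a module loaded from that folder?
#    explorer.exe is the one named in the thread, but every process is checked.
$loaders = foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) {
            if ($m.FileName -and
                $m.FileName.StartsWith($SuspectDir, [System.StringComparison]::OrdinalIgnoreCase)) {
                [PSCustomObject]@{ ProcessName = $p.ProcessName; ProcessId = $p.Id; Module = $m.FileName }
            }
        }
    } catch {
        # Access denied on protected processes or a 32/64-bit mismatch; skip those.
    }
}
if ($loaders) { $loaders | Format-Table -AutoSize } else { Write-Host 'No process has a module loaded from that folder.' }

# 3. Keep the evidence outside the folder that is about to be deleted.
$report = Join-Path $env:USERPROFILE 'Desktop\suspect-folder-inventory.csv'
$inventory | Export-Csv -LiteralPath $report -NoTypeInformation
Write-Host "Inventory written to $report. Copy the files out and upload them to VirusTotal before deleting the folder."
```

Run it before closing Explorer; once the listed processes are gone (or suspended as described above), the folder can be removed from the same command prompt with `Remove-Item -LiteralPath $SuspectDir -Recurse -Force`, and the CSV plus the copied files are what you attach to the VirusTotal report for the thread.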
@cpubus I tried to find the thing you told me and it's not within the folder. Here is what's in the folder for me - Screenshot by Lightshot -. As for the UVK scan you want me to do, Callender, I'm doing it right now.
EDIT
I've done the scan; here is the log: https://www.dropbox.com/s/z2iiwr8osl...%2014.log?dl=0