[QUOTE=AfrimS;2963985]@cpubus I tried to find the thing you told me and it's not within the folder, here is what's in the folder for me - Screenshot by Lightshot -. As for the UVK scan you want me to do Callender, I'm doing it right now[/QUOTE]
Yes, that "xrWCtmg2" file is the main culprit here, but all those files in that folder are used by it. That whole folder needs to go, but it should stop with at least that one file destroyed. Use the delete option in UVK since normal delete will not work. But first, if you could (and this is optional), upload that "xrWCtmg2" file to Virustotal.com and link us to the results so we can see if this virus is classified by anything at all.
[QUOTE=cpubus;2963997]One other suggestion with a word of caution. This thing seems to evade detection by using digitally signed files, but you can prevent it in future using Execute Prevent. The problem with that approach is that it can interfere with some legitimate programs like Geek Uninstaller that use AppData to run their executable from, so they would need to be added as an exclusion.
If you like you could test for a while using the following settings in UVK that will make the required changes. You'd need to keep UVK installed and add exclusions when needed.
This thing was hiding pretty well, but they could have done more to prevent it from being removed. I've had adware fight me more lol. I'd like to know what in fact its purpose is. Well I'm signing off for the weekend, I expect to see more of these at work soon. We had what, 4 people infected visit this thread today including me?
Well done and thank you for all your hard work. As far as I know there are at least a couple of other threads started by users with the same issue and a quick internet search shows a few users posting the same issue on other forums - all fairly recently. It would be interesting to know how it arrives on a user's machine.
I can no longer access the folder that cpubus was talking about
EDIT: I didn't see the notification saying I had to reboot sadly, but I just rebooted right now and it is no longer there anymore. What should I do next?
EDIT: Upon doing the reboot the second explorer.exe has not come back yet. I'm going to continue doing what I normally do for one day or so just to make sure it does not come back, and if it doesn't I will mark the thread Solved!
Much thanks to everyone; honestly, this has been great and also a big bother to deal with.
Check to see if it's gone after a reboot. If it isn't, state if you can open it. If you can't, right click and choose "Properties" and look at the folder size. There will be other ways to delete it if it still exists.
Edit: Just saw your last post. Glad it's sorted!
Last edited by Callender; 19 Dec 2014 at 20:59. Reason: add info
@AfrimS
Do you need help with removing any software that you were asked to install or are you happy to keep it?
I'm happy to keep everything other than Secunia. Any specific way of uninstalling that one?