Infection by nasty malware


Over the past few weeks my PC has been repeatedly infected with a very nasty piece of malware, the purpose of which seems to be to redirect web searches to ad. sites, particularly for Groupon. It creates hidden dirs in the root dir. and reg. keys to run exes located in user/../temp dirs. Reinfections occur by crashing my browser (Firefox 3.6.17). If I remove the malware/keys I get reinfected again within a day or two.    

I suspect that Silverlight is involved. Here is a dir /s listing of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight
I know very little about Silverlight so would be grateful if someone more knowledgeable can comment on whether its contents are 'kosher'.

dir /s C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight

31/05/2011  23:04    <DIR>          is
11/07/2011  21:56                77 mssl.lck
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is
31/05/2011  23:04    <DIR>          utb2fraa.jah
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah
31/05/2011  23:04    <DIR>          zgznrtuj.qtb
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb
31/05/2011  23:04    <DIR>          1
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
18/06/2011  12:03    <DIR>          g
31/05/2011  23:04    <DIR>          l
18/06/2011  12:03    <DIR>          s
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\g
31/05/2011  23:04    <DIR>          gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
18/06/2011  12:03    <DIR>          zyrvs3qsra0qmqdkjnogznvtdjoizt0kfep5hwwtoqo4itg5elaaaaba
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\g\gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
31/05/2011  23:04                34 id.dat
31/05/2011  23:04                 8 quota.dat
31/05/2011  23:04                 8 used.dat
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
18/06/2011  12:03                18 id.dat
18/06/2011  12:03                 8 quota.dat
18/06/2011  12:03                 8 used.dat
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\l
    File not found
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\s
31/05/2011  23:04    <DIR>          gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
18/06/2011  12:03    <DIR>          pkbdxfnitekap1o0ei3wfxgq5twsk5xgoqkxhmx3bj4gdqbtpdaaacca
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
31/05/2011  23:04    <DIR>          f
31/05/2011  23:04                56 group.dat
31/05/2011  23:04                34 id.dat
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
31/05/2011  23:05             2,989 __LocalSettings
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
18/06/2011  12:06    <DIR>          f
21/06/2011  15:56                56 group.dat
18/06/2011  12:03                64 id.dat
 Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
18/06/2011  15:48               154 __LocalSettings




RE: Infection by nasty malware

Download the following in regular mode and run them in the order indicated with a reboot after each runs IF results are positive.

0.  Ccleaner to clean out temp files (no need to reboot)
1.  TDSSKiller
2.  Malwarebytes' Anti-Malware
only if needed - you will need internet access to install recovery console.  You could do that ahead of time as well.
3. combofix

RE: Infection by nasty malware

Hi Goombawho

Thanx for the help.  I didn't employ CCleaner as it is listed as being a system optimization, privacy and cleaning tool and this was unnecessary in my case. I did use Kaspersky's TDSSKiller and this removed a rootkit. Since then I've had no browser redirections.  Thanx again.

For the benefit of others searching for info. on malware here are some details I found.  

My infection started with the conima bug, an infection from the internet.  Conima opens ports, downloads files and spawns new processes if existing exes are killed. Its purpose seems to be to redirect browser searches, particularly to Groupon sites.

The malware first infects users/  . . ./roaming with

69,120 conima.exe
4 inlog
88 Input.bat
87 LocalAccountAuthority.bat
69,632 lssas.exe
69,632 manager.exe
364 mlog
89 MouseDriver.bat
89 Plug.bat
4 ylog

After removing the above and corresponding reg keys, new exes appear in user/ . ./temp directories with new keys.  Simultaneously or after ?more downloads it creates a hidden directory at the root of the master drive. After further downloads the infection disappears (no longer found by searching for visible/hidden/secret files).  It has morphed into the TDSS Rootkit.  This can be removed by Kaspersky's TDSSKiller.

The bug is not removed by Microsoft updates current at 13/7/2011 and Microsoft Defender scans only identify eyeqehexopakenup.dll (see below) as a threat.

Some of the exes spawned by this malware are:-

68K  5y8f33ul.exe
MD5   : be505df456a353f6759189736d3c9b82
SHA1  : c9e40e52ee4b62a30db350d847c84f8eb9629b13
SHA256: 68ecea0f9e4ba623a1744e2dfcb1bbbda146d53d72c3cd749167a1b912b458ef

14K  7b9hst89f.exe
MD5   : e4240d79585e8fd6b2603458edaff8e0
SHA1  : c7f73ec3624e85a634a263cf4f3f2e7e3a4479e7
SHA256: 566a8926dc3bf0efd50b55f6c47252584f480a35029ab7f8da467eb104c132c0

176K   7pvdz9u.exe
MD5   : c54fddaf3a366798aeaee716565133f3
SHA1  : a759cd8683749d1dd218b808a6c883c98cd12f8a
SHA256: dd570c154d608378f73c81310866bfc2af00d98fdfeb24f61464a8dd25dfc626

3K   hHH2F9C.exe
MD5   : 29090b6b4d6605a97ac760d06436ac2d
SHA1  : d929d3389642e52bae5ad8512293c9c4d3e4fab5
SHA256: 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272

252K   eyeqehexopakenup.dll
MD5   : 6e1be3298502cff46cf81a49afa345a5
SHA1  : c9c5dfe01bbdc01aae8ea2c2d09a343c9f67d2a7
SHA256: 87b16b214c25c84b43f19c35e1e3778ee28923b2af5bab2ad3c0bddc2e6ee269

These are the files TDSSkiller identifies:-
\Device\Harddisk0\DR0 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\cfg.ini - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
\Device\Harddisk0\DR0\TDLFS\lsash.xp - copied to quarantine

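The post above describes the persistence pattern to look for: Run keys pointing at executables dropped in per-user temp directories, and later a hidden directory at the root of the drive. The following PowerShell script is an added example, not code from this thread or from any of the tools mentioned in it. It lists the machine and current-user Run/RunOnce entries and flags the ones whose command lives under a temp or AppData path or inside a hidden directory; the key list and the path patterns are assumptions to tune, and it assumes an elevated prompt so hidden/system directories can be read.

```powershell
# Added example (not from the thread): enumerate autostart Run/RunOnce entries and
# flag commands launched from temp/AppData paths or from hidden directories.
# Key list and path patterns are assumptions; extend them for your environment.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit entries on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Path fragments a legitimate startup entry rarely uses (regex, matched case-insensitively)
$suspectPattern = '\\temp\\|\\appdata\\(local|locallow|roaming)\\'

function Get-CommandPath {
    param([string] $Command)
    # Return the executable part of a Run value: a quoted path first, otherwise the first token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return ''
}

function Test-HiddenDirectory {
    param([string] $Path)
    # True if any directory component of $Path carries the Hidden attribute.
    # -Force is required, otherwise Get-Item does not return hidden items at all.
    $dir = Split-Path -Parent $Path
    while ($dir -and (Split-Path -Parent $dir)) {      # stop before the drive root
        $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if ($item -and ($item.Attributes -band [IO.FileAttributes]::Hidden)) { return $true }
        $dir = Split-Path -Parent $dir
    }
    return $false
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata (PSPath, PSParentPath, ...)
        $cmd = [string] $p.Value
        $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $cmd))
        # A bare name (e.g. "rundll32.exe") resolves via PATH, so Exists is $false but not suspect
        $exists    = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
        $hiddenDir = [bool]($exe -and (Test-HiddenDirectory $exe))
        [pscustomobject]@{
            Suspect   = $hiddenDir -or ($cmd -imatch $suspectPattern)
            HiddenDir = $hiddenDir
            Exists    = $exists
            Name      = $p.Name
            Exe       = $exe
            Key       = $key
            Command   = $cmd
        }
    }
}

# Suspect entries first; review the Command column before removing anything
$entries | Sort-Object Suspect -Descending | Format-Table Suspect, HiddenDir, Exists, Name, Exe, Key -AutoSize
```

Run keys are only one of the autostart locations Windows honours (services, scheduled tasks and Winlogon values are others), so a clean result here rules out only the specific behaviour the post describes.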


RE: Infection by nasty malware

You didn't follow my directions.  The reason I advised you to use CCleaner is to clean out the temp files (where malware OFTEN hides or runs from) AND to lessen the time it takes to run the programs I mentioned (less stuff to scan).

Please do so at this time.  Then, I would run Combofix at this point EVEN if you think things are clean.  I'll bet it will find something interesting.

Disconnect your PC from the internet once the recovery console is installed  as part of combofix to prevent any downloading of "new friends" while combofix is running.

RE: Infection by nasty malware

Hi goombawahoo

"Since then I've had no browser redirections".
I spoke too soon.

My system was OK for 24 hours but Saturday 15:12 I got redirected again.  Taskman revealed:
184416  ukcya.exe
MD5   : 5c6d1e89b22aaca6b02f78f5f9c2d1ea
SHA1  : d92833255626304b05f8a68302805c6fe6374463
SHA256: 499eea35c6cecd6b527f1ea952ab7cd340cbf5056d74bc05e00922c93fed3a95

This ?reinfection occurred shortly after running Firefox 5.0.1 for the 1st time, having completely removed 3.6.17 in the malware elimination.    

I ran CCleaner & AVG (Combofix). AVG found the malware exes/dlls I'd quarantined, except ukcya.exe. It also generated 3 false +ves. It didn't find new malware.

Among other stuff the malware may be screwing file attributes, as I've just noticed ukcya.exe is timestamped 27/12/2010.  Sadly AVG moved my other quarantined exes/dlls to its own quarantine without asking/warning me & restoring them changed their time stamps.
Currently a process is trying to access a site in China every 10 minutes, but identifying which one has to be postponed 'till Monday.



RE: Infection by nasty malware

Combofix then reload windows if it doesn't work.

RE: Infection by nasty malware

Hi goombawaho

"reload windows "
Only in extremis, and I'm not sure I'm there yet . . .  

The OS disk with my PC is ominously marked "External Recovery"
I believe it allows a fresh install but this is sure to be pain, f'instance cos. of driver issues.

OK.  A quick wrap-up on this bug

In addition to Kaspersky's TDSSKiller, Malwarebytes and AVG I've only had time to run UnHackMe and tdl-detector.  Neither found anything.
But I'm still getting search redirections, very occasionally a flash on the desktop of what looks like a command window, and Malwarebytes still detects attempts to reach, 'though I've (AFAIK) blocked this IP in Windows Firewall.

Here is a good characterisation of my bug:-

Thanx again



RE: Infection by nasty malware

Have you tried using System Restore, and then further scanning from there?  Perhaps that'll get you by?

Also, since your disk says "External Recovery", my guess is (and this is quite common) that you have a recovery partition on your hard drive.  Sure it takes you back to square one, but is that really so bad?  It would take less time to get it "up to date" than it's taken for you to go through all you've been through so far... and you're apparently still not finished.

If you do a recovery, the only thing to be sure of is that you've backed up all your important data.  System Restore doesn't touch the data, but a system recovery will.  So, if you use Outlook, backup your .pst file (or newer versions of Office use a different extension, I forget what it is), then back up your internet favorites, documents, pictures, videos, music, whatever.

An external hard drive will be worth it's cost, especially right now, if you don't already have a backup.


RE: Infection by nasty malware

Hi kjv1611

"you have a recovery partition"
Yes, but the CD with my PC allowed a complete reinstall of Vista x64 which I've done. Thankfully the malware no longer wakes my PC from sleep in the early hours or "phones home". I'd liked to have done more investigating but not enough time.
It might be a coincidence but a week or two after my PC became infected I got a cold call from a woman with an Asian accent.
"We have received a crash log report from your PC"
"Who are you".
She doesn't answer.
"Are you Microsoft"
"No we are not Microsoft. The report tells us your PC is full of viruses"     
I call the woman a rude name and hang up.
I've never had such a call before. Maybe I'm paranoid but my phone number is most of my emails.

kjv1611 - Thanx for the advice.



RE: Infection by nasty malware

the phone call may be a coincidence
I have received similar telling my they need to fix my copy of windows.

I tried to get more info from them without answering any questions but they would not even answer basic questions like what they thought was wrong or how they got my details.

Amusing really as I do not use windoze @ home

I do not Have A.D.D. im just easily, Hey look a Squirrel!

RE: Infection by nasty malware


It might be a coincidence but a week or two after my PC became infected I got a cold call from a woman with an Asian accent.
"We have received a crash log report from your PC"
"Who are you".
She doesn't answer.
"Are you Microsoft"
"No we are not Microsoft. The report tells us your PC is full of viruses"     
I call the woman a rude name and hang up.
I've never had such a call before. Maybe I'm paranoid but my phone number is most of my emails.

My daughter received the same call only it was an Asian fellow. . .  The phone number was blocked and they told her that her system had lots of viruses and was sending thousands of e-mails. They told her they were the "Internet Overseer". They wouldn't answer questions, provide contact names or phone numbers, or be the slightest bit helpful. What they did (daughter and family) was to change their phone to no longer accept calls from blocked phone numbers. The call has not been repeated. . .

Just because you're paranoid does not mean they are not trying to get you. Methinks (these days) a bit of paranoia is healthy. . .

RE: Infection by nasty malware

Uh oh - the "internet overseer" is now monitoring us for virus, worms, etc. and then contacting us.  I would have asked the guy, "how do you get to be an internet overseer?".  It sounds like a great job.

I would really have liked to know what they wanted you to do or to pay - you know, what their angle was.

RE: Infection by nasty malware

From what i could tell, they were trying to get $ for their pc cleanup and virus prevention software. They wouldn't tell her the name of the product. . .

RE: Infection by nasty malware

I think I found the Internet Overseer.


RE: Infection by nasty malware

I assume the 1st star was also for the pic

I do not Have A.D.D. im just easily, Hey look a Squirrel!

RE: Infection by nasty malware

John Ritter? 1980, Hero at Large.



RE: Infection by nasty malware

Goom, these scam artists are pretty active over here in the U.K.  They usually say they're from 'Microsoft' and get you to download something like AMMYY, and then take control of your machine.  They reputedly show the user a screen which purports to have found loads of errors, viruses, trojans, you name it.  You are asked if you'd like to get 'em all cleaned out, and if so, just type in your credit card details at the bottom of the screen!

Two of my clients have lost £100 or so, but, the machine was then freshly infected with nice new viruses etc!  Talk about taking the proverbial...

One call last week was a good 'un...  Client was rung and told they had today just observed his machine running with loads of viruses and malware installed on it.  Could they assist in cleaning it up?  Bemused, my client asked what did they want him to do.  "Connect to the Internet and log on to blah blah blah website".  At this point client laughs and says "Since I have been without an Internet connection for over a week, this must be a con.  Goodbye!".


RE: Infection by nasty malware

Well, I guess everyone has to make a living somehow.  I hope one of them calls me.  I would have some fun with them.

RE: Infection by nasty malware

Guys, I've had this virus for a while now. It seems to be a recurring issue. I got it a month ago and didn't pay much attention to it, since MBAM didn't detect anything. It later blocked some of my commonly used Internet ports. I installed Norton and it deleted many tracking cookies, after which my internet connection worked fine and there were no more redirects.

Now 2 weeks later I'm getting redirects again and MBAM doesn't detect it. Could you please help me with this? I'm gonna try the steps from the first reply though.

RE: Infection by nasty malware


You really need to start your own thread.  However, the fix for this is pretty simple.  Being you've dealt with this for a while, I'd suggest nothing other than a clean install.

  1. Download Ultimate Boot CD from http://www.ultimatebootcd.com/download.html - look under the Mirrors list at bottom of page
  2. Burn the image to disk.  I'd use ImgBurn - you can get at download.com if you don't have it or some other means.  If you have Windows 7, it's got Image Burning built in now, so you can just use Windows.
  3. Backup your files you want to keep if possible - thumb drive, external hard drive, CD/DVD, whatever.
  4. Make sure you've got your Windows CD and Product ID as well as any other registered software you might need/use.  If it's freeware, then don't worry about it.
  5. Reboot the machine, and either get to your BIOS settings or boot settings (look at the black screen, look for any <F12> or <Del> type instructions on the black screen at startup).
  6. Make sure it boots from CD first, not hard drive... save settings if in BIOS
  7. Make sure your Ultimate Boot CD is in your CD/DVD drive before booting... if you didn't, go back and repeat..
  8. When it boots to the UBCD menu, use either Darik's Boot 'N' Nuke (DBAN) or Active KillDisk.  I've had some times where DBAN wouldn't read the hard drive, so I went with KillDisk.  Both work equally as well for removing a virus.
  9. Go to bed, take a walk, go to lunch, whatever.  It'll take a while.
  10. After it completes, or if you want, after it's run a fair amount through the process, say at least 15 to 20 % for DBAN, and maybe 30% or so for KillDisk, you can just reboot and start installing Windows if you like.  Or if you want absolute surety on it, just wait for it to complete.  Whichever you choose... next step is to install Windows
  11. Hopefully you're behind a firewalled router.  If not, go buy one.  Otherwise, this will likely be labor spent in vain.
  12. After Windows is installed, get it up to date via Windows Update.  If it won't connect to the web, you'll need to find the network adapter driver.  If your machine was custom built, you'll need to find the motherboard info or LAN card info, whichever it is in your case.  If it's an OEM build, such as Dell or HP, you can go to their site from another PC, download the correct driver package, and put on a thumb drive or whatever... move to your sick PC, and install.  Then run Windows Update.
  13. Install your AV software of choice, firewall, etc.  If you want an easy way to install most apps you'd probably use, look at http://ninite.com and use their installer.  It works VERY well, including skipping all the toolbars, etc.  If you're using MS Office, you can also install that from there, assuming they have the same version you're using.  You can also install Libre Office and/or Open Office from there.  AV and Antimalware apps are there as well as multimedia, utilities, etc.  Just check the box next to the ones you want, "Get Installer", download that file, and run it.  It does the rest - and very quickly too.... especially if you have a fast Internet connection.
  14. Verify Windows up to date
  15. Verify the AV software is up to date
  16. Be sure to set a Windows Restore point, calling it something like "Clean Install" so you know what it is.  Then again, I usually don't do this step, but ideally, this would be the best time to do so.  Another great idea is to create an image of the install at this point, and keep it somewhere else - on DVD, another computer, external hard drive, whatever... so if you had something happen again, you could just restore from the image quicker than the entire setup process.

Well, otherwise, if you have any further questions on it, please do start your own thread... I shouldn't have posted as much here as I did, I'm sure.

RE: Infection by nasty malware

Hi Mako

"You really need to start your own thread"

"I got it a month ago and didnt pay much attention to it, since MBAM didnt detect anything"
Antivirus s/w does not pick up everything and imo should not be relied on.

kjv advises a reinstall.  This is the hairy chested solution . . . but it can be a real pita to restore your m/c afterwards, particularly if you have legacy stuff.
 F'instance are you sure you know which codecs to reinstall to allow Classic Media Player to run those old vids. or what you did to get those Office97 .hlp files to work under Vista, or which driver version fixed that adapter problem.

You don't report any steps taken to look for the malware.  Have you done really basic stuff like looking at your running tasks/services to see if there is stuff you don't recognise ?

The cmd shell is always my first resort.  It only takes a few minutes to search for stuff installed circa the date your problems commenced.  The following paginates a list of all exes installed in July 2011. Execute it from the root dir.   [/a:s][/a:h] are exclusive options which list system/hidden exes.

>dir /s /t:c [/a:s][/a:h] *.exe | find "07/2011" | more

In Vista the command to run windows defender for file scanning is


and the command (options) to check the integrity of/fix windows system files is

>sfc /?

What steps have you taken to find the malware?

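The dir /s /t:c search above finds executables by creation date, one attribute class at a time. The following PowerShell script is an added example, not code from this thread, that does the same search in one pass (-Force covers hidden and system files together), over a date window you choose, and records both creation and modification times plus the MD5/SHA256 hashes that earlier posts in this thread used to identify samples, so a listing can be compared against them directly. It assumes PowerShell 4 or later (for Get-FileHash), an elevated prompt, and the example roots, dates and output path shown, all of which are assumptions to adjust.

```powershell
# Added example (not from the thread): find executables created within a date window,
# including hidden/system ones, and hash them for comparison with a known-bad list.
# Save as Find-RecentExecutables.ps1; $Roots, $From, $To and the CSV path are assumptions.
param(
    [string[]] $Roots   = @("$env:SystemDrive\"),
    [datetime] $From    = (Get-Date '2011-07-01'),   # example window: July 2011, as in the dir command above
    [datetime] $To      = (Get-Date '2011-08-01'),
    [string[]] $Include = @('*.exe', '*.dll', '*.bat')
)

# -Force returns hidden and system entries, which "dir /a:h" and "dir /a:s" list separately.
# Access-denied errors on protected directories are suppressed rather than aborting the scan.
$hits = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -Include $Include -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $From -and $_.CreationTime -lt $To }
}

$report = foreach ($f in $hits) {
    # Hash with the algorithms used in the thread so values can be matched directly.
    $md5    = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5    -ErrorAction SilentlyContinue).Hash
    $sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    [pscustomobject]@{
        Created  = $f.CreationTime
        # A creation time much newer than the modification time means the timestamp was
        # carried over from elsewhere (or altered), which matches the ukcya.exe observation above.
        Modified = $f.LastWriteTime
        Hidden   = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        System   = [bool]($f.Attributes -band [IO.FileAttributes]::System)
        Size     = $f.Length
        MD5      = $md5
        SHA256   = $sha256
        Path     = $f.FullName
    }
}

$report | Sort-Object Created | Format-Table Created, Modified, Hidden, System, Size, MD5, Path -AutoSize

# Keep a copy so a later scan can be diffed against this one
$report | Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\recent-executables.csv" -NoTypeInformation
```

Filtering on CreationTime is what makes this useful after a reinfection: a dropper that copies an old file forward keeps the original LastWriteTime, as the post about ukcya.exe noticed, but the copy still gets a fresh creation time on this volume.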

RE: Infection by nasty malware

Quote (johncp):

kjv advises a reinstall.  This is the hairy chested solution . . . but it can be a real pita to restore your m/c afterwards, particularly if you have legacy stuff.
 F'instance are you sure you know which codecs to reinstall to allow classis media player to run those old vids. or what you did to get those Office97 .hlp files to work under Vista, or which driver version fixed that adapter problem.

I'll go out on a limb... well, I don't think I have to go far to say... that for most people... most situations... most computers... it is WAY faster and easier to just go through a reinstall than it is to track down all possible malware.  MOST people don't have problems with specific codecs, etc.  True, you can run into them, but most of those issues can be avoided.  I've probably just got a fried brain from work right now, but what does m/c stand for in your post?

Anyway, examples for issues:
1. MS Windows - If it's an OEM machine such as Dell or HP, and you have your original Windows install Disk, just use that... at least since Windows XP, you shouldn't usually (best I can remember) have to even worry about the Product ID for that.

2. MS Office - Just make sure you've got your disk and SN.  If you paid the price for Office, then surely it was important enough to keep in a file drawer or something.

3. Codecs - MOST of these issues can be resolved by using a player that can handle most everything without having to install codec packages.  For instance, vlcplayer and kmplayer.  Others as well, I'm sure.  But if you never installed a particular codec or package in the first place, then you won't have to worry about that now.

4. Really, this should have been #1.  Unless you made any complex tweaks/changes to your system since you bought it, if it has a system recovery partition or disk/set of disks, then you can also use that - that will cover all your drivers, etc... just leaving you with putting your backed up data back onto the machine, changing software and settings as you see fit, and making sure everything is up to date.  Frankly, if you use Windows/Microsoft Update, then most updates will pretty much be taken care of.

5. Drivers - just make sure you've got the info for your network adapter driver available before the reinstall.  Well... if you have an Acer, Emachine, or Gateway, you may have more issues with drivers than HP or Dell... at least that's what I've found... and even so, it's usually not horribly difficult.  Windows Update will usually take care of most or all your drivers for you.  Also, if you have an Intel system or any Intel component, they have a nifty driver checker on their site.

Well, I gotta go... I'll try to check back later..


RE: Infection by nasty malware

let me add to KJV's excellent post, under #3:

Codecs are no problem at all, even for the OLD stuff, all one has to do is download the K-Lite Mega Codec Pack (clean and tested) from Free-Codec.com or Codec Guide...

but I agree also that installing a media player such as VLC takes care of most encoding/container formats that are out there...

and spending more than a week on trying to hunt down malware and cleaning their effects on the OS, is a waste of time and does not always resolve the issues at hand, thus if a system is infected the most prudent way to deal with it would be to nuke it and reinstall...


"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
