
boost_interprocess


29 replies to this topic

#1 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 23 May 2013 - 04:46 AM

I am having problems, and something keeps creating the C:\ProgramData\boost_interprocess folder.

I can only access web pages in safe mode. In normal mode they just freeze.

 

I have Ad Aware total security and Lavasoft registry tuner.
I ran a virus scan that came back clean. Then I tried to run DDS but it would not run, it just freezes. I even tried in safe mode with the same result.
 

So I cannot post a DDS log file, but I was able to run OTL and here are those files.

 

Hope someone can help with these logs.

Attached Files



#2 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7526 posts

Posted 24 May 2013 - 12:41 PM

Hi aspirit!

 

1. Please, download DeFogger by jpshortstuff to your desktop.
http://www.jpshortst...om/Defogger.exe

Double-click DeFogger to run it.
Click the Disable button to disable CD Emulation drivers.
Click Yes to continue
Click OK
When Defogger wants to reboot the computer, click OK.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not enable these drivers until the computer is clean, and only enable them if you are using any CD emulation software such as Daemon Tools or Alcohol 120%.

 

2. Please, save SystemLook on the desktop from one of these links:
http://jpshortstuff..../SystemLook.exe
http://images.malwar.../SystemLook.exe

Double-click on SystemLook file to run it.

Copy all lines in the box

:dir
C:\ProgramData\boost_interprocess
and paste in the big text field in SystemLook.
Click on the Look button to start the search.
When finished Notepad will pop-up with the log. Copy the log and paste into your answer. If Notepad doesn't pop-up you can find the log as SystemLook.txt on the Desktop.

 

3. What type of device is D:?

I can see there is an autorun file on it, and that can be used by malicious files sometimes.

 

4. Please, upload this file to http://www.virustotal.com/ using the "Choose file" function (select reanalyze if asked) and post back the link to the scan report:

C:\Users\Bill\Desktop\FlashPlayer_V.86284124c.exe

 

5. Be aware that file sharing programs, such as BitLord, are a major source of malicious programs.

 

6. Please, save AdwCleaner by Xplode on the desktop: http://general-chang...de/2-adwcleaner

Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Search button.
Wait until the search has finished.
A report will be displayed, copy its content and paste into your answer.
If the report isn't displayed, it exists as C:\AdwCleaner[R1].txt.
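The SystemLook `:dir` step above lists a folder's files and timestamps, and step 4 uploads a file to VirusTotal. The script below is an added example (not part of the thread, SystemLook or any other tool named here) that does the same inventory on any folder and also computes each file's SHA-256, so a responder can look a hash up instead of uploading a file that may hold private data, and can see at a glance whether a data folder contains anything executable. `make_demo_folder()` builds a constructed stand-in for the layout the thread later shows under C:\ProgramData\boost_interprocess; the extra `dropped_sample.exe` is constructed to show the executable flag and is not something found on the poster's machine.

```python
"""Inventory a folder the way SystemLook's :dir does, plus SHA-256 per file.

Added example; not part of the thread or any tool mentioned in it.
Paths, names and file contents in make_demo_folder() are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions worth a closer look in a data folder that should hold no code.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large files don't load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _stamp(epoch_seconds):
    # Modification time only: creation time is not portable across platforms.
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def inventory(root):
    """Return one record per directory and file under root (symlinks are skipped)."""
    root = Path(root)
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()          # deterministic order; os.walk honours the in-place sort
        base = Path(dirpath)
        for name in dirnames:
            st = (base / name).lstat()
            records.append({
                "path": str((base / name).relative_to(root)), "kind": "dir",
                "size": None, "sha256": None, "modified": _stamp(st.st_mtime),
                "executable": False,
            })
        for name in sorted(filenames):
            p = base / name
            if p.is_symlink():   # a link could point outside the folder being examined
                continue
            st = p.stat()
            records.append({
                "path": str(p.relative_to(root)), "kind": "file",
                "size": st.st_size, "sha256": sha256_of(p), "modified": _stamp(st.st_mtime),
                "executable": p.suffix.lower() in EXECUTABLE_SUFFIXES,
            })
    return records


def render(records):
    """Plain-text listing in the spirit of the SystemLook log."""
    lines = []
    for r in records:
        flag = "  <-- executable, hash-check this" if r["executable"] else ""
        size = "-" if r["size"] is None else f"{r['size']} bytes"
        sha = r["sha256"] or "-"
        lines.append(f"{r['kind']:4} {r['modified']}  {size:>12}  {sha}  {r['path']}{flag}")
    return "\n".join(lines)


def make_demo_folder():
    """Constructed stand-in for the boost_interprocess layout seen in the thread."""
    root = Path(tempfile.mkdtemp(prefix="boost_interprocess_demo_"))
    sub = root / "20130524091604.125597"
    sub.mkdir()
    for name in ("9334581e-7251-4ef7-a8ec-5bfe8e89ff68", "plex_frame_mutex"):
        (sub / name).write_bytes(b"constructed\n")        # 12 bytes, like the real listing
    (root / "dropped_sample.exe").write_bytes(b"abc")     # constructed extra file to show flagging
    return root


if __name__ == "__main__":
    print(render(inventory(make_demo_folder())))
```

Run it as `python inventory.py` to see the listing for the demo folder, or call `inventory(r"C:\ProgramData\boost_interprocess")` from a prompt that has read access; on the thread's machine that would mean the same safe-mode boot used for the other tools, since the folder was only reported in normal mode.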



#3 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 24 May 2013 - 03:55 PM

1. Done

 

2. SystemLook results

 

SystemLook 30.07.11 by jpshortstuff
Log created at 09:29 on 24/05/2013 by Bill

Administrator - Elevation successful

========== dir ==========

C:\ProgramData\boost_interprocess - Parameters: "(none)"

---Files---
None found.

---Folders---
20130524091604.125597 d------ [14:19 24/05/2013]

-= EOF =-

 

 

3. Device D: is a hard drive recovery partition.

 

4. Link to scan report
https://www.virustot...sis/1369406163/

5. I understand about file sharing being risky. Honestly, I do not download music & movies.
I use it to find out-of-print books on magic tricks and other impossible-to-find items.

 

6. AdwCleaner results

# AdwCleaner v2.301 - Logfile created 05/24/2013 at 09:49:22
# Updated 16/05/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium  (32 bits)
# User : Bill - BILL-PC
# Boot Mode : Safe mode with networking
# Running from : C:\Users\Bill\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\ProgramData\boost_interprocess

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18882

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.23] : icon_url = "hxxp://www.delta-search.com/favicon.ico",
Found [l.26] : keyword = "delta-search.com",
Found [l.30] : search_url = "hxxp://www2.delta-search.com/?q={searchTerms}&affID=121232&babsrc=SP_ss&mntrId=A070001E90661385",

-\\ Opera v [Unable to get version]

File : C:\Users\Bill\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1197 octets] - [24/05/2013 09:46:12]
AdwCleaner[R2].txt - [1128 octets] - [24/05/2013 09:49:22]

########## EOF - C:\AdwCleaner[R2].txt - [1188 octets] ##########

 

 

Thank you very much for the help.



#4 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7526 posts

Posted 24 May 2013 - 04:40 PM

Good!

 

1. Please, copy all lines in the box

:dir
C:\ProgramData\boost_interprocess\20130524091604.125597

and paste in the big text field in SystemLook.
Click on the Look button to start the search.

When finished Notepad will pop-up with the log. Copy the log and paste into your answer. If Notepad doesn't pop-up you can find the log as SystemLook.txt on the Desktop.

 

2. Please, delete the malicious file FlashPlayer_V.86284124c.exe located on your desktop. Always download new flash player versions from Adobe's web site.



#5 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 24 May 2013 - 05:19 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 11:16 on 24/05/2013 by Bill
Administrator - Elevation successful

========== dir ==========

C:\ProgramData\boost_interprocess\20130524091604.125597 - Parameters: "(none)"

---Files---
9334581e-7251-4ef7-a8ec-5bfe8e89ff68 --a---- 12 bytes [14:19 24/05/2013] [14:25 24/05/2013]
plex_frame_mutex --a---- 12 bytes [14:20 24/05/2013] [14:25 24/05/2013]

---Folders---
None found.

-= EOF =-

 

 

 

Malicious file FlashPlayer_V.86284124c deleted.



#6 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7526 posts

Posted 25 May 2013 - 01:03 AM

Please, follow the instructions on http://www.bleepingc...to-use-combofix for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer.
If ComboFix displays a message, for example that a rootkit was found, write it down as detailed as possible.



#7 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 27 May 2013 - 11:52 PM

After several attempts to run Combofix it was unsuccessful. It would freeze every time.

I sometimes received an error that said

Error saving file C:\windows\erdnt\Hiv-backup\COMPON~3! The registry could not read in or write out or flush one of the files that contain the system’s image of the registry.

But most of the time it would start the file scan and then freeze. I let it sit for 35 minutes to hours. The clock would even freeze.

 

I tried running it in regular mode and safe mode.

I have to do all of the checking in safe mode, as it will not access the internet in full mode but works fine in safe mode.



#8 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7526 posts

Posted 28 May 2013 - 12:28 AM

Then we try another program instead.

Please, save RogueKiller on the Desktop.
http://tigzy.geeksto...RogueKiller.exe

Turn off all running programs and remove any external drives and other devices connected with USB etc. except mouse and keyboard.

Start RogueKiller (in Vista and Windows 7 right-click the program and select "Run as administrator"). If it won't start, try several times. If you still are unsuccessful, rename the file to winlogon.exe.

Wait until "Prescan" has finished.
Click on "Scan" button in upper right corner.
Wait until the scan has finished.

A report with a name similar to RKreport.txt should have been created on the desktop.
Please, post it in your answer.



#9 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 30 May 2013 - 12:05 AM

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6000 ) 32 bits version
Started in : Safe mode with network support
User : Bill [Admin rights]
Mode : Scan -- Date : 05/29/2013 18:04:48
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost
127.0.0.1 serial.alcohol-soft.com
127.0.0.1 www.alcohol-soft.com
127.0.0.1 images.alcohol-soft.com
127.0.0.1 trial.alcohol-soft.com
127.0.0.1 alcohol-soft.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST315005 41AS SCSI Disk Device +++++
--- User ---
[MBR] c61f1dd9a5703cc6bff781887ad81007
[BSP] 79f217b87078e5bdd4abccd053ad2a98 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 33792 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 69208020 | Size: 1397003 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_05292013_02d1804.txt >>
RKreport[1]_S_05292013_02d1804.txt
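A RogueKiller report like the one above mixes findings with a lot of routine output. The parser below is an added example, not part of the thread and not RogueKiller's own code: it splits the report into its `¤¤¤` sections, collects the registry lines marked `-> FOUND` (here the `DisableRegistryTools` policy and the two `NewStartPanel` entries) and rates each hosts-file entry. Entries that map a name other than `localhost` to a loopback or unspecified address block that site on the machine, which is what the five `alcohol-soft.com` lines do; entries that pin a name to some other address redirect it. `SAMPLE_REPORT` copies the relevant lines of the report above; the section names it looks for (`Registry Entries`, `HOSTS File`) are taken from that report and are assumed to be stable across RogueKiller versions.

```python
"""Pull the findings out of a RogueKiller text report and rate the hosts entries.

Added example; not part of the thread or of RogueKiller itself. SAMPLE_REPORT
copies lines of the report posted in the thread; the rules are this example's own.
"""
import ipaddress
import re

MARK = "\u00a4\u00a4\u00a4"   # the '¤¤¤' delimiter RogueKiller prints around section titles
SECTION_RE = re.compile(rf"^{MARK}\s*(.*?)\s*{MARK}\s*$")
FINDING_RE = re.compile(r"^\[([^\]]+)\]\s+(.+?)\s*->\s*FOUND\s*$")
HOSTS_LINE_RE = re.compile(r"^(\S+)\s+(\S+)")

# Names that legitimately map to loopback in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

SAMPLE_REPORT = r"""RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
Operating System : Windows Vista (6.0.6000 ) 32 bits version
Started in : Safe mode with network support
User : Bill [Admin rights]
Mode : Scan -- Date : 05/29/2013 18:04:48
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost
127.0.0.1 serial.alcohol-soft.com
127.0.0.1 www.alcohol-soft.com
127.0.0.1 images.alcohol-soft.com
127.0.0.1 trial.alcohol-soft.com
127.0.0.1 alcohol-soft.com

¤¤¤ MBR Check: ¤¤¤
"""


def split_sections(report):
    """Map section title (trailing ': <count>' stripped) -> list of body lines."""
    sections = {"header": []}
    current = "header"
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = re.sub(r"\s*:\s*\d*\s*$", "", m.group(1))
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def parse_report(report):
    """Return the FOUND registry lines and the parsed hosts entries."""
    sections = split_sections(report)
    registry = [(m.group(1), m.group(2))
                for line in sections.get("Registry Entries", [])
                if (m := FINDING_RE.match(line))]
    hosts, hosts_path = [], None
    for line in sections.get("HOSTS File", []):
        if line.startswith("-->"):
            hosts_path = line[3:].strip()
            continue
        m = HOSTS_LINE_RE.match(line.split("#", 1)[0])   # drop hosts-file comments
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue            # not an address/hostname pair
        hosts.append((addr, m.group(2).lower()))
    return {"registry": registry, "hosts": hosts, "hosts_path": hosts_path}


def rate_hosts(entries):
    """Return (address, hostname, reason) for every entry that is not a plain localhost mapping."""
    flagged = []
    for addr, host in entries:
        if host in LOCAL_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            flagged.append((str(addr), host, "blocked: name sinkholed to the local machine"))
        else:
            flagged.append((str(addr), host, "redirected: name pinned to another address"))
    return flagged


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for category, detail in parsed["registry"]:
        print(f"registry [{category}] {detail}")
    print(f"hosts file: {parsed['hosts_path']}")
    for addr, host, reason in rate_hosts(parsed["hosts"]):
        print(f"  {addr:<12} {host:<28} {reason}")
```

Feed it another report with `parse_report(open("RKreport.txt", encoding="utf-8").read())`; anything the hosts rule flags should be explained by software the user knowingly installed before it is treated as an infection artifact, and the registry list gives the exact value names to look at rather than the whole report.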



#10 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7526 posts

Posted 30 May 2013 - 01:01 AM

1. Please, upload this file to http://www.virustotal.com/ using the "Choose file" function (select reanalyze if asked) and post back the link to the scan report:

C:\Users\Bill\AppData\Local\d3d9caps.dat

 

2. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Delete button.

Click on OK.
The computer will be restarted.

A report will be displayed, copy its content and paste into your answer.
If the report isn't displayed, it exists as C:\AdwCleaner[S1].txt.
 

3. Run an online scan with Eset http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Un-check "Remove found threats"
Check "Scan Archives"

Click "Advanced Settings"
Check:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Scan

When the scan is finished, copy the result and paste its content in your answer.



#11 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 30 May 2013 - 01:10 AM

 

https://www.virustot...sis/1369872525/



#12 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7526 posts

Posted 30 May 2013 - 05:13 PM

Hi again,

 

How is it going with AdwCleaner?



#13 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 31 May 2013 - 01:02 AM

Had problems.

In regular mode it would scan and then freeze when I hit the delete.

It will detect folder C:\ProgramData\boost_interprocess but will not delete it in regular mode. It does not detect it in safe mode.

 

Then I had other things I had to do, but I am now going to run the online scan.

 

Here are the scan results, but I don't get a delete result file because it freezes.

# AdwCleaner v2.301 - Logfile created 05/29/2013 at 22:13:09
# Updated 16/05/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium  (32 bits)
# User : Bill - BILL-PC
# Boot Mode : Normal
# Running from : C:\Users\Bill\Desktop\adwcleaner.exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\ProgramData\boost_interprocess

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18882

[OK] Registry is clean.

-\\ Google Chrome v27.0.1453.94

File : C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v [Unable to get version]

File : C:\Users\Bill\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R2].txt - [1045 octets] - [29/05/2013 19:12:33]
AdwCleaner[R3].txt - [1149 octets] - [29/05/2013 19:18:18]
AdwCleaner[R4].txt - [1162 octets] - [29/05/2013 19:24:56]
AdwCleaner[R5].txt - [1254 octets] - [29/05/2013 19:28:32]
AdwCleaner[R6].txt - [1342 octets] - [29/05/2013 20:52:36]
AdwCleaner[R7].txt - [1126 octets] - [29/05/2013 22:13:09]
AdwCleaner[S2].txt - [1108 octets] - [29/05/2013 19:12:43]
AdwCleaner[S3].txt - [420 octets] - [29/05/2013 19:18:35]
AdwCleaner[S4].txt - [345 octets] - [29/05/2013 19:28:45]
AdwCleaner[S5].txt - [1402 octets] - [29/05/2013 20:52:49]

########## EOF - C:\AdwCleaner[R7].txt - [1424 octets] ##########



#14 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7526 posts

Posted 31 May 2013 - 01:35 AM

Then we try with another program when Eset's online scanner has finished.



#15 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 31 May 2013 - 01:55 AM

Eset is saying it cannot get an update. It asks if the proxy setting is configured properly.



#16 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 31 May 2013 - 01:59 AM

I do not use a proxy server.



#17 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7526 posts

Posted 31 May 2013 - 12:39 PM

Please, try Panda Active Scan instead: http://www.pandasecu...ons/activescan/

Since I haven't used it, I can't give you detailed instructions, but you should select a full system scan and not a quick or custom scan. When the scan is finished you have to choose to export the report to a text file. Please, include the report in your answer here.

 

Did AdwCleaner give you an error message when it couldn't delete the folder?

You can try to start AdwCleaner by right-clicking the file and selecting Run as administrator.



#18 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 01 June 2013 - 07:37 PM

Thank you for your patience with this.

I am getting very frustrated but I will keep plugging along.

 

AdwCleaner did not give an error message; it just froze and I had to hard reboot.



#19 CeciliaB

CeciliaB

    Volunteer

  • Moderator
  • 7526 posts

Posted 01 June 2013 - 11:56 PM

If you have a flash drive, you could try with this program instead, since it runs without starting Windows, and then boost_interprocess or other malware isn't running and can't stop the programs.
 
Download Farbar Recovery Scan Tool (FRST) and save on a flash drive.
http://download.blee...farbar/FRST.exe
 
You need to restart the computer and start a Command Prompt without starting all of Windows. There are two options to do this, and which one you should use depends on if you have an installation disc with Windows Vista.

Option 1 without Windows Vista disc
 
When the computer starts, you press the F8 key repeatedly until the Windows Advanced Options Menu is displayed.
Use the arrow keys to highlight Repair your computer. Press Enter key.
 
Option 2 with Windows Vista disc

Insert the installation disc.
Start the computer.
When asked if you want to start the computer from the installation disc, press any key.
If you don't see the question and the computer is started from the hard disc as usual, you need to change a BIOS setting to start from the disc.
When the menu on the installation disc is displayed, click on Repair your computer.

For both options
 
Select the correct keyboard layout and click on Next.
Select which Windows you want to repair, if there are several, select the infected one. Click on Next.
Select your user account and enter your password (if you don't have a password, press the Enter key).
 
The System Recovery Options menu is displayed and it starts with Startup repair and ends with Command Prompt.
 
Select Command Prompt.
Enter:
notepad
Press the Enter key.

The Notepad program starts.
Select: File menu -> Open
Select: Computer
Find your flash drive and write down its device letter, e.g. G:.
Exit Notepad.
 
In the Command prompt enter this command:
g:\frst.exe
but replace "g" with the device letter of your flash drive. Press Enter key.
FRST program will start to run.
Read the disclaimer and click Yes to accept it.
Click Scan button.
When done, FRST will make a log file, called FRST.txt, on the flash drive.
 
Start Windows, or use another computer, to open the log file in Notepad.
Please, copy its content and paste it into your reply.

#20 aspirit

aspirit

    Member

  • Members
  • 18 posts

Posted 02 June 2013 - 03:25 AM

Here are the results of the Panda Active Scan. I will wait for your reply before acting on the Farbar Recovery Scan Tool.

 

Attaching file. Looked bad just pasting it.

 

Attached File  ActiveScan.txt   22.38KB   255 downloads


Edited by aspirit, 02 June 2013 - 03:36 AM.




