TommyBoy 0 Posted November 3, 2014

One of my relatives got this "Desktop Temperature Monitor", which seems to block Firefox and, in Internet Explorer, constantly redirects to ads. I was able to remove it during a TeamViewer session by running EEK, but now any browsers or new TeamViewer sessions cannot connect to the internet. I did check the Connections tab in IE and it hasn't got a proxy defined. Their Intel PROSet Wireless icon indicates LAN connection and Internet connection. I suspect the system is still set to their proxy (or similar) and I need some ammo before I pick up the laptop on Tuesday. Anyone have any experience with this one? Thank you in advance.

stapp 153 Posted November 3, 2014

Please follow the steps here and attach the requested logs; then one of our experts can help you.
http://support.emsisoft.com/forum-6/announcement-2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/

TommyBoy 0 (Author) Posted November 3, 2014

I recreated the infection on a VM. I don't want to post where I found the malware on a public forum. I'll PM the mod who responded with an hxxp:\\url.tld version of the URL.

TommyBoy 0 (Author) Posted November 3, 2014

Further, I don't think EEK found it. I believe what came up in my relative's scan was something else. What I did was root it out in C:\Users\dombo\AppData\Local\DesktopTemperature, deleting EXEs as I killed the processes. The DLL in that folder seems to ride on a lot of different processes and could not be deleted without a reboot (of course I lost my TeamViewer connection). I killed any references to it in startup items; now my relative's PC is in the state mentioned in the first post.

TommyBoy 0 (Author) Posted November 4, 2014

That DLL I mentioned as 'riding' on a lot of different processes was an "LSP" (layered service provider) that put itself in the IP stack via Winsock 2. Running:

netsh winsock reset

seemed to fix it in my VM. Now I'm trying to determine if it did anything else. Windows, gotta love ol' Microsoft.

Kevin Zoll 309 Posted November 4, 2014

Tommy,

Desktop Temperature is not malware; the free version is ad supported.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-1930220486-3839197418-3851051193-1000\...\MountPoints2: {6af2f954-6372-11e4-9ef2-806e6f6e6963} - D:\setup64.exe
Startup: C:\Users\dombo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Temperature Monitor.lnk
ShortcutTarget: Desktop Temperature Monitor.lnk -> C:\Users\dombo\AppData\Local\DesktopTemperature\DesktopTemperature.exe (System Alerts LLC)
Winsock: Catalog9 01 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 02 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 03 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 04 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 05 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 18 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
2014-11-03 16:09 - 2014-11-03 16:09 - 00000000 ____D () C:\Users\dombo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Desktop Temperature
2014-11-03 16:09 - 2014-11-03 16:09 - 00000000 ____D () C:\Users\dombo\AppData\Local\DesktopTemperature
C:\Users\dombo\AppData\Local\Temp\dtminstaller.exe
2014-09-10 12:59 - 2014-09-10 12:59 - 01046288 _____ () C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll
C:\Users\dombo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Temperature Monitor.lnk
C:\Users\dombo\AppData\Local\DesktopTemperature\DesktopTemperature.exe

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

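Added example (not part of any post in this thread, and not Emsisoft's or FRST's code): a small Python parser for the `Winsock: Catalog9` lines in the fixlist above. It groups catalog slots by DLL and flags providers loaded from outside the Windows system directories, the kind of entry TommyBoy identified as an LSP. The first three Winsock sample lines and the Startup line are copied from the thread; the System32 line, the field names and the `C:\Windows` location are assumptions made for the example.

```python
import re
from collections import defaultdict

# The first three Winsock lines and the Startup line are copied from the fixlist
# in this thread. The System32 line is constructed for contrast (hypothetical
# DLL name, size and vendor) and does not come from the thread.
SAMPLE_LOG = r"""
Winsock: Catalog9 01 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 02 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 18 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 07 C:\Windows\System32\example-provider.dll [12345] (Constructed Vendor)
Startup: C:\Users\dombo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Temperature Monitor.lnk
"""

# "Winsock: <catalog> <slot> <dll path> [<size>] (<label>)"
ENTRY_RE = re.compile(r"^Winsock:\s+(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(\d+)\]\s+\((.*)\)$")

# Assumption: Windows is installed in C:\Windows. On a live system, resolve
# %SystemRoot% instead of hard-coding these prefixes.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_winsock_entries(log_text):
    """Return one dict per 'Winsock:' line; every other log line is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            catalog, slot, dll, size, label = m.groups()
            entries.append({"catalog": catalog, "slot": int(slot), "dll": dll,
                            "size": int(size), "label": label})
    return entries


def providers_outside_system_dirs(entries):
    """Map each DLL outside the system directories to the catalog slots it holds."""
    flagged = defaultdict(list)
    for e in entries:
        if not e["dll"].lower().startswith(SYSTEM_DIRS):
            flagged[e["dll"]].append(e["slot"])
    return {dll: sorted(slots) for dll, slots in flagged.items()}


if __name__ == "__main__":
    for dll, slots in providers_outside_system_dirs(parse_winsock_entries(SAMPLE_LOG)).items():
        print(f"{dll}: {len(slots)} catalog slot(s) {slots}")
```
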
Kevin Zoll 309 Posted November 10, 2014

Thread Closed
Reason: Lack of Response
PM either Kevin, Elise, or GT500 to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.