"Desktop Temperature Monitor" removed, now applications can't access Internet

[TommyBoy 0]

One of my relatives got this "Desktop Temperature Monitor" which seems to block Firefox, and in Internet Explorer constantly redirect to ads.

 

I was able to remove it during a teamviewer session by running EEK, but now any browsers or new teamviewer sessions cannot connect to the internet.

 

I did check the connections tab in IE and it hasn't got a proxy defined.

 

Their Intel Proset Wireless icon indicates LAN connection and Internet connection.

 

I suspect the system is still set to their proxy (or similar) and I need some ammo before I pick up the laptop on Tuesday.

 

Anyone have any experience with this one?

 

Thank you in advance.

[stapp 148]

Please follow the steps here and attach the requested logs then one of our experts can help you.

 

 http://support.emsisoft.com/forum-6/announcement-2-start-here-if-you-dont-we-are-just-going-to-send-you-back-to-this-thread/

[TommyBoy 0]

I recreated the infection on a VM, I don't want to post where I found the malware on a public forum. I'll PM the mod who responded with an hxxp:\\url.tld version of the URL

[TommyBoy 0]

Further I don't think EEK found it. I believe what came up in my relative's scan was something else.

 

What I did was root it out in C:\Users\dombo\AppData\Local\DesktopTemperature, deleting EXEs as i killed the processes. The DLL in that folder seems to ride on a lot of different processes and could not be deleted without a reboot (of course i lost my teamviewer connection)

 

I killed any references to it in startup items, now my relative's pc is in the state mentioned in the first post

[TommyBoy 0]

That DLL i mentioned being 'riding' on a lot of differnet processes was a "LSP" (layered service provider) that put itself in the IP stack via Winsock 2.
 
Running:

netsh winsock reset

 

seemed to fix it in my VM. Now I'm trying to determine if it did anything else.

 

 

Windows, gotta love ol' Microsoft.

[Kevin Zoll 308]

Tommy,

Desktop Temperature is not malware, the free version is ad supported.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-1930220486-3839197418-3851051193-1000\...\MountPoints2: {6af2f954-6372-11e4-9ef2-806e6f6e6963} - D:\setup64.exe
Startup: C:\Users\dombo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Temperature Monitor.lnk
ShortcutTarget: Desktop Temperature Monitor.lnk -> C:\Users\dombo\AppData\Local\DesktopTemperature\DesktopTemperature.exe (System Alerts LLC)
Winsock: Catalog9 01 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 02 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 03 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 04 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 05 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
Winsock: Catalog9 18 C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll [1046288] ()
2014-11-03 16:09 - 2014-11-03 16:09 - 00000000 ____D () C:\Users\dombo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Desktop Temperature
2014-11-03 16:09 - 2014-11-03 16:09 - 00000000 ____D () C:\Users\dombo\AppData\Local\DesktopTemperature
C:\Users\dombo\AppData\Local\Temp\dtminstaller.exe
2014-09-10 12:59 - 2014-09-10 12:59 - 01046288 _____ () C:\Users\dombo\AppData\Local\DesktopTemperature\AiA3CF.dll
C:\Users\dombo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Temperature Monitor.lnk
C:\Users\dombo\AppData\Local\DesktopTemperature\DesktopTemperature.exe

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system to restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[Kevin Zoll 308]

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or GT500 to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.