aspirit

boost_interprocess

30 posts in this topic

I am having problems and something keeps creating C:\ProgramData\boost_interprocess folder.

I can only access web pages in safe mode. Normal mode they just freeze.

 

I have Ad Aware total security and Lavasoft registry tuner.
I ran a virus scan that came back clean. Then I tried to run DDS but it would not run, it just freezes. I even tried in safe mode with the same result.

So I cannot post the DDS log file, but I was able to run OTL and here are those files.

 

Hope someone can help with these logs.

OTL.Txt

Extras.Txt


Hi aspirit!

 

1. Please, download DeFogger by jpshortstuff to your desktop.
http://www.jpshortstuff.247fixes.com/Defogger.exe

Double-click DeFogger to run it.
Click the Disable button to disable CD Emulation drivers.
Click Yes to continue
Click OK
When Defogger wants to reboot the computer, click OK.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not enable these drivers until the computer is clean, and only enable them if you are using CD emulation software such as Daemon Tools or Alcohol 120%.

 

2. Please, save SystemLook on the desktop from one of these links:
http://jpshortstuff.247fixes.com/SystemLook.exe
http://images.malwareremoval.com/jpshortstuff/SystemLook.exe

Double-click on SystemLook file to run it.

Copy all lines in the box

:dir
C:\ProgramData\boost_interprocess
and paste in the big text field in SystemLook.
Click on the Look button to start the search.
When finished Notepad will pop-up with the log. Copy the log and paste into your answer. If Notepad doesn't pop-up you can find the log as SystemLook.txt on the Desktop.

 

3. What type of device is D:?

I can see there is an autorun file on it, and that can sometimes be used by malicious files.

 

4. Please, upload this file to http://www.virustotal.com/ using the "Choose file" function (select reanalyze if asked) and post back the link to the scan report:

C:\Users\Bill\Desktop\FlashPlayer_V.86284124c.exe

 

5. Be aware that file sharing programs, such as BitLord, are a major source of malicious programs.

 

6. Please, save AdwCleaner by Xplode on the desktop: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner

Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Search button.
Wait until the search has finished.
A report will be displayed, copy its content and paste into your answer.
If the report isn't displayed, it exists as C:\AdwCleaner[R1].txt.


1. Done

2. SystemLook results

SystemLook 30.07.11 by jpshortstuff
Log created at 09:29 on 24/05/2013 by Bill

Administrator - Elevation successful

========== dir ==========

C:\ProgramData\boost_interprocess - Parameters: "(none)"

---Files---
None found.

---Folders---
20130524091604.125597 d------ [14:19 24/05/2013]

-= EOF =-

3. Device D: is a hard drive recovery partition.

4. Link to scan report:
https://www.virustotal.com/en/file/dec5c52343bbcd8d9a4f195e21173e45e22ee716019793762c7b3bf9964d7fea/analysis/1369406163/

5. I understand about file sharing being risky. Honestly, I do not download music & movies.
I use it to find out-of-print books on Magic Tricks and other impossible-to-find items.

 

6. AdwCleaner results

# AdwCleaner v2.301 - Logfile created 05/24/2013 at 09:49:22
# Updated 16/05/2013 by Xplode
# Operating system : Windows Vista Home Premium (32 bits)
# User : Bill - BILL-PC
# Boot Mode : Safe mode with networking
# Running from : C:\Users\Bill\Desktop\adwcleaner.exe
# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\ProgramData\boost_interprocess

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18882

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.23] : icon_url = "hxxp://www.delta-search.com/favicon.ico",
Found [l.26] : keyword = "delta-search.com",
Found [l.30] : search_url = "hxxp://www2.delta-search.com/?q={searchTerms}&affID=121232&babsrc=SP_ss&mntrId=A070001E90661385",

-\\ Opera v [unable to get version]

File : C:\Users\Bill\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1197 octets] - [24/05/2013 09:46:12]
AdwCleaner[R2].txt - [1128 octets] - [24/05/2013 09:49:22]

########## EOF - C:\AdwCleaner[R2].txt - [1188 octets] ##########

 

 

Thank you very much for the help.

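The AdwCleaner log above reports Chrome's default search provider (keyword, search_url and icon_url) pointing at delta-search.com. The following script is an added example for this thread, not code from the forum, from AdwCleaner or from Chrome: it parses a Chrome Preferences JSON document and reports every provider field whose host is not on an allowlist. The "default_search_provider" key layout, the allowlist, and the extra suggest_url/new_tab_url fields are assumptions; the sample document is constructed from the values in the log.

```python
"""Flag a hijacked default search provider in a Chrome Preferences file.

Added example for this thread; not code from the forum, AdwCleaner or Chrome.
The key layout under "default_search_provider" is an assumption limited to
the field names AdwCleaner printed, plus two assumed URL fields of the same
kind. The sample document is constructed.
"""
import json
from urllib.parse import urlparse

# Assumed allowlist: domains the user actually chose. Subdomains are accepted.
ALLOWED_SEARCH_DOMAINS = {"google.com", "bing.com", "duckduckgo.com"}

# Fields that carry URLs in the provider entry. search_url and icon_url appear
# in the log; suggest_url and new_tab_url are assumed extra fields.
URL_KEYS = ("search_url", "suggest_url", "icon_url", "new_tab_url")

# Constructed sample modelled on the values in the AdwCleaner log above.
SAMPLE_PREFERENCES = json.dumps({
    "default_search_provider": {
        "enabled": True,
        "icon_url": "http://www.delta-search.com/favicon.ico",
        "keyword": "delta-search.com",
        "name": "Delta Search",
        "search_url": "http://www2.delta-search.com/?q={searchTerms}&affID=121232",
        "suggest_url": "",
    }
})


def _host_of(value):
    """Lower-cased host of a URL; bare names like 'delta-search.com' are accepted too."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _is_allowed(host, allowed_domains):
    """True if host equals an allowed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def find_hijacked_search(prefs_text, allowed_domains=ALLOWED_SEARCH_DOMAINS):
    """Return [(field, host), ...] for provider fields pointing outside the allowlist."""
    provider = json.loads(prefs_text).get("default_search_provider", {})
    findings = []
    for key in URL_KEYS + ("keyword",):
        value = provider.get(key) or ""
        if not value:
            continue  # unset or empty field: nothing to check
        host = _host_of(value)
        if host and not _is_allowed(host, allowed_domains):
            findings.append((key, host))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; replace with the real Preferences
    # file (path shown in the AdwCleaner log) to check a live profile.
    for field, host in find_hijacked_search(SAMPLE_PREFERENCES):
        print(f"{field}: points at {host}")
```

The check deliberately looks at hosts rather than exact URLs, because hijackers vary the query string (affiliate and tracking parameters such as the affID and mntrId values in the log) while the domain stays the same.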

Good!

 

1. Please, copy all lines in the box

:dir
C:\ProgramData\boost_interprocess\20130524091604.125597

and paste in the big text field in SystemLook.
Click on the Look button to start the search.

When finished Notepad will pop-up with the log. Copy the log and paste into your answer. If Notepad doesn't pop-up you can find the log as SystemLook.txt on the Desktop.

 

2. Please, delete the malicious file FlashPlayer_V.86284124c.exe located on your desktop. Always download new flash player versions from Adobe's web site.


SystemLook 30.07.11 by jpshortstuff
Log created at 11:16 on 24/05/2013 by Bill
Administrator - Elevation successful

========== dir ==========

C:\ProgramData\boost_interprocess\20130524091604.125597 - Parameters: "(none)"

---Files---
9334581e-7251-4ef7-a8ec-5bfe8e89ff68 --a---- 12 bytes [14:19 24/05/2013] [14:25 24/05/2013]
plex_frame_mutex --a---- 12 bytes [14:20 24/05/2013] [14:25 24/05/2013]

---Folders---
None found.

-= EOF =-

 

 

 

Malicious file FlashPlayer_V.86284124c deleted.


Please, follow the instructions on http://www.bleepingcomputer.com/combofix/how-to-use-combofix for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer.
If ComboFix displays a message, for example that a rootkit was found, write it down as detailed as possible.


After several attempts to run Combofix it was unsuccessful. It would freeze every time.

I sometimes received an error that said

Error saving file C:\windows\erdnt\Hiv-backup\COMPON~3! The registry could not read in or write out or flush one of the files that contain the system’s image of the registry.

But most of the time it would start the file scan and then freeze. I let it sit for 35 minutes to hours. The clock would even freeze.

 

I tried running it in regular mode and safe mode.

I have to do all of the checking in safe mode as it will not access the internet in the full mode but work fine in safe mode.


Then we try another program instead.

Please, save RogueKiller on the Desktop.
http://tigzy.geekstogo.com/Tools/RogueKiller.exe

Turn off all running programs and remove any external drives and other devices connected with USB etc. except mouse and keyboard.

Start RogueKiller (in Vista and Windows 7 right-click the program and select "Run as administrator"). If it won't start, try several times. If you still are unsuccessful, rename the file to winlogon.exe.

Wait until "Prescan" has finished.
Click on "Scan" button in upper right corner.
Wait until the scan has finished.

A report with a name similar to RKreport.txt should have been created on the desktop.
Please, post it in your answer.


RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6000 ) 32 bits version
Started in : Safe mode with network support
User : Bill [Admin rights]
Mode : Scan -- Date : 05/29/2013 18:04:48
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost
127.0.0.1 serial.alcohol-soft.com
127.0.0.1 www.alcohol-soft.com
127.0.0.1 images.alcohol-soft.com
127.0.0.1 trial.alcohol-soft.com
127.0.0.1 alcohol-soft.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST315005 41AS SCSI Disk Device +++++
--- User ---
[MBR] c61f1dd9a5703cc6bff781887ad81007
[bSP] 79f217b87078e5bdd4abccd053ad2a98 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 33792 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 69208020 | Size: 1397003 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_05292013_02d1804.txt >>
RKreport[1]_S_05292013_02d1804.txt

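The HOSTS section of the RogueKiller report above maps several alcohol-soft.com names to 127.0.0.1. Entries like that silently block a site (license or update servers, security vendors) and are a common leftover of tampering. The script below is an added example for this thread, not code from the forum or from RogueKiller: it parses a hosts file and reports every non-local name mapped to a loopback, unspecified or 0.0.0.0 address. The sample text is constructed from the lines in the report, with one extra LAN alias added to show what is not reported.

```python
"""Flag hosts-file entries that sinkhole real hostnames to the local machine.

Added example for this thread; not code from the forum or RogueKiller.
The sample is constructed from the HOSTS section of the report above.
"""
import ipaddress

# Constructed sample mirroring the RogueKiller HOSTS section, plus a LAN alias.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
127.0.0.1 serial.alcohol-soft.com
127.0.0.1 www.alcohol-soft.com
127.0.0.1 images.alcohol-soft.com
127.0.0.1 trial.alcohol-soft.com
127.0.0.1 alcohol-soft.com
192.168.1.10 fileserver.lan   # legitimate LAN alias (constructed), not reported
"""

# Names that legitimately resolve to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def _is_sinkhole(ip):
    """True for addresses that make a name resolve to nothing useful."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address; out of scope for this check
    return addr.is_loopback or addr.is_unspecified


def find_sinkholed_names(text):
    """Return [(ip, hostname)] for non-local names mapped to a sinkhole address."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if _is_sinkhole(ip):
            findings.append((ip, name))
    return findings


if __name__ == "__main__":
    # Run on the constructed sample; on a real system read
    # C:\Windows\System32\drivers\etc\hosts (the path shown in the report).
    for ip, name in find_sinkholed_names(SAMPLE_HOSTS):
        print(f"{ip:<15} {name}")
```

Using the ipaddress module rather than string matching means "0.0.0.0", "127.0.0.1", "127.1.2.3" and "::1" are all caught by the same test, while ordinary LAN aliases pass.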

1. Please, upload this file to http://www.virustotal.com/ using the "Choose file" function (select reanalyze if asked) and post back the link to the scan report:

C:\Users\Bill\AppData\Local\d3d9caps.dat

 

2. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Delete button.

Click on OK.
The computer will be restarted.

A report will be displayed, copy its content and paste into your answer.
If the report isn't displayed, it exists as C:\AdwCleaner[s1].txt

3. Run an online scan with Eset http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Un-check "Remove found threats"
Check "Scan Archives"

Click "Advanced Settings"
Check:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Scan

When the scan is finished, copy the result and paste its content in your answer.


Hi again,

 

How is it going with AdwCleaner?


Had problems.

In regular mode it would scan and then freeze when I hit the delete.

It will detect folder C:\ProgramData\boost_interprocess but will not delete it in regular mode. It does not detect it in safe mode.

 

Then I had other things I had to do, but I am now going to run the online scan.

 

Here are the scan results, but I don't get a delete result file because it freezes.

# AdwCleaner v2.301 - Logfile created 05/29/2013 at 22:13:09
# Updated 16/05/2013 by Xplode
# Operating system : Windows Vista Home Premium (32 bits)
# User : Bill - BILL-PC
# Boot Mode : Normal
# Running from : C:\Users\Bill\Desktop\adwcleaner.exe
# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\ProgramData\boost_interprocess

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18882

[OK] Registry is clean.

-\\ Google Chrome v27.0.1453.94

File : C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v [unable to get version]

File : C:\Users\Bill\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R2].txt - [1045 octets] - [29/05/2013 19:12:33]
AdwCleaner[R3].txt - [1149 octets] - [29/05/2013 19:18:18]
AdwCleaner[R4].txt - [1162 octets] - [29/05/2013 19:24:56]
AdwCleaner[R5].txt - [1254 octets] - [29/05/2013 19:28:32]
AdwCleaner[R6].txt - [1342 octets] - [29/05/2013 20:52:36]
AdwCleaner[R7].txt - [1126 octets] - [29/05/2013 22:13:09]
AdwCleaner[s2].txt - [1108 octets] - [29/05/2013 19:12:43]
AdwCleaner[s3].txt - [420 octets] - [29/05/2013 19:18:35]
AdwCleaner[s4].txt - [345 octets] - [29/05/2013 19:28:45]
AdwCleaner[s5].txt - [1402 octets] - [29/05/2013 20:52:49]

########## EOF - C:\AdwCleaner[R7].txt - [1424 octets] ##########


Then we try with another program when Eset's online scanner has finished.


Eset is saying it cannot get updates. It asks if the proxy setting is configured properly.


Please, try Panda Active Scan instead: http://www.pandasecurity.com/homeusers/solutions/activescan/

Since I haven't used it, I can't give you detailed instructions, but you should select a full system scan and not a quick or custom scan. When the scan is finished you have to choose to export the report to a text file. Please, include the report in your answer here.

 

Did AdwCleaner give you an error message when it couldn't delete the folder?

You can try to start AdwCleaner by right-clicking the file and selecting Run as administrator.


Thank you for your patience with this.

I am getting very frustrated but I will keep plugging along.

 

AdwCleaner did not give an error message, it just froze and I had to hard reboot.


If you have a flash drive, you could try with this program instead, since it runs without starting Windows and then boost_interprocess or other malware isn't running and can't stop the programs.

 

Download Farbar Recovery Scan Tool (FRST) and save on a flash drive.

http://download.bleepingcomputer.com/farbar/FRST.exe

 

You need to restart the computer and start a Command Prompt without starting all of Windows. There are two options to do this, and which one you should use depends on if you have an installation disc with Windows Vista.

 

Option 1 without Windows Vista disc

 

When the computer starts, press the F8 key repeatedly until the Windows Advanced Options Menu is displayed.

Use the arrow keys to highlight Repair your computer. Press Enter key.

 

Option 2 with Windows Vista disc

 

Insert the installation disc.

Start the computer.

When asked if you want to start the computer from the installation disc, press any key.

If you don't see the question and the computer is started from the hard disc as usual, you need to change a BIOS setting to start from the disc.

When the menu on the installation disc is displayed, click on Repair your computer.

 

For both options

 

Select the correct keyboard layout and click on Next.

Select which Windows you want to repair, if there are several, select the infected one. Click on Next.

Select your user account and enter your password (if you don't have a password, press the Enter key).

 

The System Recovery Options menu is displayed and it starts with Startup repair and ends with Command Prompt.

 

Select Command Prompt.

Enter:

notepad

Press the Enter key.

 

The Notepad program starts.

Select: File menu -> Open

Select: Computer

Find your flash drive and write down its device letter, e.g. G:.

Exit Notepad.

 

In the Command prompt enter this command:

g:\frst.exe

but replace "g" with the device letter of your flash drive. Press Enter key.

FRST program will start to run.

Read the disclaimer and click Yes to accept it.

Click Scan button.

When done, FRST will make a log file, called FRST.txt, on the flash drive.

 

Start Windows, or use another computer, to open the log file in Notepad.

Please, copy its content and paste it into your reply.


Here are the results of the Panda Active Scan. I will wait for your reply before acting on the Farbar Recovery Scan Tool.

 

Attaching file. Looked bad just pasting it.

 

ActiveScan.txt


Hi aspirit,

 

Most of the items that Panda ActiveScan found are tracking cookies and they are never dangerous for the computer. See http://en.wikipedia.org/wiki/Tracking_cookies for an explanation, especially the second paragraph.

 

1. Upload this file to http://www.virustotal.com/ using the "Choose file" function (select reanalyze if asked) and post back the link to the scan report: c:\windows\system32\memwarp.ocx

 

2. Save SystemLook on the desktop from one of these links:

http://jpshortstuff.247fixes.com/SystemLook.exe

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe

 

Double-click on SystemLook file to run it.

 

Copy all lines in the box

:file
c:\windows\system32\memwarp.ocx
and paste in the big text field in SystemLook.

Click on the Look button to start the search.

When finished Notepad will pop-up with the log. Copy the log and paste into your answer. If Notepad doesn't pop-up you can find the log as SystemLook.txt on the Desktop.


Here are the results

 

https://www.virustotal.com/en/file/af5daf5accbb6338a76ae214bf7ffdec8c64ab4ead74fdce9de5905b4b9dfcff/analysis/1370217041/

 

 

SystemLook 30.07.11 by jpshortstuff
Log created at 18:56 on 02/06/2013 by Bill
Administrator - Elevation successful

========== file ==========

c:\windows\system32\memwarp.ocx - File found and opened.
MD5: DD3A74962D0D61200E078F4E1C6574D6
Created at 21:49 on 07/04/2009
Modified at 16:56 on 29/03/2002
Size: 73728 bytes
Attributes: --a----
FileVersion: 2.00
ProductVersion: 2.00
OriginalFilename: drspeed.ocx
InternalName: drspeed
ProductName: DrSpeedsys
CompanyName: Aluria Software
Comments: DrSpeedsys

-= EOF =-

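The SystemLook result above shows memwarp.ocx whose version resources say OriginalFilename drspeed.ocx and CompanyName Aluria Software. A renamed binary is not proof of malice, but a file whose on-disk name disagrees with its own metadata deserves a closer look, and it is an easy thing to check automatically. The script below is an added example for this thread, not code from the forum or from SystemLook: it parses a SystemLook ":file" block in the layout shown above and reports such name mismatches. The sample log text is constructed from that report.

```python
"""Compare a file's on-disk name with the OriginalFilename in its version info.

Added example for this thread; not code from the forum or SystemLook. The log
layout parsed here is taken from the SystemLook ':file' output above, and the
sample text is constructed from that report.
"""
import re

# Constructed sample mirroring the SystemLook result above.
SAMPLE_LOG = """\
SystemLook 30.07.11 by jpshortstuff
Log created at 18:56 on 02/06/2013 by Bill
Administrator - Elevation successful

========== file ==========

c:\\windows\\system32\\memwarp.ocx - File found and opened.
MD5: DD3A74962D0D61200E078F4E1C6574D6
Created at 21:49 on 07/04/2009
Modified at 16:56 on 29/03/2002
Size: 73728 bytes
Attributes: --a----
FileVersion: 2.00
ProductVersion: 2.00
OriginalFilename: drspeed.ocx
InternalName: drspeed
ProductName: DrSpeedsys
CompanyName: Aluria Software
Comments: DrSpeedsys

-= EOF =-
"""

# "<path> - File found and opened." opens a record; "<Key>: <value>" lines fill it.
FOUND_RE = re.compile(r"^(?P<path>.+?) - File found and opened\.$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9]+): (?P<value>.*)$")


def parse_systemlook_file(text):
    """Return a list of records, one per file block: {'path': ..., <Key>: <value>, ...}."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = FOUND_RE.match(line)
        if m:
            current = {"path": m.group("path")}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("value").strip()
    return records


def _basename(path):
    """Last component of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def name_mismatch(record):
    """Return (on_disk_name, original_name) if they differ, else None."""
    original = record.get("OriginalFilename")
    if not original:
        return None  # no version resource: nothing to compare against
    on_disk = _basename(record["path"])
    if on_disk.lower() != _basename(original).lower():
        return (on_disk, original)
    return None


def find_renamed_binaries(text):
    """Return [(path, on_disk_name, original_name)] for every mismatching record."""
    findings = []
    for record in parse_systemlook_file(text):
        mismatch = name_mismatch(record)
        if mismatch:
            findings.append((record["path"],) + mismatch)
    return findings


if __name__ == "__main__":
    for path, on_disk, original in find_renamed_binaries(SAMPLE_LOG):
        print(f"{path}: on disk as {on_disk}, version info says {original}")
```

The comparison is case-insensitive because NTFS file names are, and a record without an OriginalFilename field is skipped rather than reported, since many legitimate files carry no version resource at all.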

Please, close all programs including antivirus programs and other similar programs. Otherwise they might stop OTL.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

 

Start the program OTL.

Copy all the lines in the box:

:OTL
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}  (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
:Files
ipconfig /flushdns /c
c:\windows\system32\memwarp.ocx
C:\ProgramData\boost_interprocess
:Commands
[CREATERESTOREPOINT]
[REBOOT]
Paste them into the field Custom Scans/Fixes.

Click on Run Fix.

 

If you are asked to restart the computer do that. Please, restart in normal mode since otherwise I don't think OTL will get an opportunity to delete the files.

 

Notepad will pop-up with a log. Copy it and paste it into your answer.

If it doesn't pop up, you can find it in the folder c:\_OTL\Moved Files and its name contains the date and time for when OTL was run.

 

Be sure that antivirus programs etc. are active before connecting to the internet.


Results below.

 

 

 

========== OTL ==========
Starting removal of ActiveX control {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
C:\ProgramData\webex\ieatgpc.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Bill\Desktop\cmd.bat deleted successfully.
C:\Users\Bill\Desktop\cmd.txt deleted successfully.
c:\windows\system32\MemWarp.ocx moved successfully.
File\Folder C:\ProgramData\boost_interprocess not found.
========== COMMANDS ==========
Unable to start System Restore Service. Error code 1084

OTL by OldTimer - Version 3.2.69.0 log created on 06032013_193952


"File\Folder C:\ProgramData\boost_interprocess not found."

Is it correct that the folder doesn't exist any more?
