TYlS8Gk5.exe adware or possible trojan

Status
Not open for further replies.

sanpedrocactus

Please help. I've gone through the 8 steps listed in the main post and it's still happening. Somehow it's related to the TYlS8Gk5.exe file, because every time I delete it, it temporarily goes away... but somehow regenerates itself. I've even tried shredding it and it still comes back. Does anyone know what this exe is from, or where and what the main file is that keeps reviving it? Any and all help is greatly appreciated. Thanks!
 
Welcome to TS. I know – it’s just my perfunctory greeting.

Let’s jump to performing a deep scan using ComboFix.
Combofix Instructions developed by Blind Dragon

Afterwards, scan with MBAM, SAS, & HJT as before.

Post all logs. Discuss progress and changes you observe.

From the results a script file is developed and applied to ComboFix, which effectively “shreds” the files & folders that are covered by the infection.

Rationale for this approach: the standard tools were not able to identify the root. In addition to fighting infections, ComboFix reports on new files within a 30-day window and gives a registry view of startup applications.
 
Update

Here are my logs like you requested. And thank you for the welcome. Not sure if it took care of it, though, as it did seem to try to access my Explorer program again (even though Firefox is my browser of choice...). Anyway, I'll keep an eye on it, and if nothing happens for a week or so I'll post an all-clear. Thanks again for your help.
 

Attachments

  • ComboFix.txt (562 bytes)
Hi,

For some reason, that ComboFix log is not a complete one. Please run a fresh ComboFix scan as well as a HijackThis scan. Post the 2 logs in your next reply, thanks.
 
Momok, sanpedrocactus: the SAS log indicates it detected a virus in one of the ComboFix components. I suggest uninstalling & re-installing from the second site.

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

*The above procedure will:
* Delete the following: ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.
 
Combofix worked better this time...

Sorry about that first f*up ComboFix scan. I thought it wasn't quite right, but I also figured I'd never used it before, so I really wasn't sure what to expect. Anyway, here are the new logs. As always, thanks guys!
 

Attachments

  • Combofix Log.txt (15 KB)
Nice find, rf6647.

Sanpedrocactus:
Here are the ComboFix/CFScript instructions.

  1. Open Notepad and copy/paste the text in the code box below into it:

    Code:
    File::
    c:\windows\inf\SETAB.tmp
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At48.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At46.job
    c:\windows\Tasks\At44.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At42.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At30.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At38.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At25.job
    c:\windows\Tasks\At40.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At28.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At26.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At9.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At36.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At34.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At32.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At10.job
    c:\windows\system32\TYlS8Gk5.exe
    c:\windows\system32\1o45RwD2.exe
  2. Save this as "CFScript.txt" on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe.
    [image: CFScript.gif]

  4. ComboFix will begin to execute; just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

Thereafter, please post a fresh HJT log as well as the resultant ComboFix log from the above instructions as attachments into this thread.
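The CFScript above is a hand-written deletion list. As an added example that is not part of this thread and not a ComboFix component, the Python below shows how such a list can be triaged and generated from the file paths in a report. The At<n>.job entries in c:\windows\Tasks are jobs created by the legacy at.exe scheduler (that is how it names them), and a swarm of them is a plausible mechanism for the "regenerates itself" behaviour the original poster describes; the 8-character mixed-case executables in system32 are the payloads named in the script. The sample paths are constructed from the CFScript with a few benign names added, and the "looks random" filename heuristic is an assumption for triage, not a detection signature.

```python
"""Triage ComboFix-style file paths for the two patterns seen in this thread:
a swarm of At<n>.job scheduled tasks in the Windows Tasks folder and
randomly named executables dropped into system32, then render them as a
CFScript 'File::' section.

Added example for this thread; not part of ComboFix and not anything the
posters ran. Sample paths below are constructed for illustration.
"""
import re

# Constructed sample: a subset of the CFScript paths plus benign entries so
# the filters have something to leave alone.
SAMPLE_PATHS = [
    r"c:\windows\inf\SETAB.tmp",
    r"c:\windows\Tasks\At1.job",
    r"c:\windows\Tasks\At2.job",
    r"c:\windows\Tasks\At45.job",
    r"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job",
    r"c:\windows\system32\TYlS8Gk5.exe",
    r"c:\windows\system32\1o45RwD2.exe",
    r"c:\windows\system32\notepad.exe",
    r"c:\windows\system32\svchost.exe",
]

# at.exe names its jobs At<n>.job; dozens created together is the kind of
# persistence that can re-drop a payload after the user deletes it.
AT_JOB = re.compile(r"^c:\\windows\\tasks\\at(\d+)\.job$", re.IGNORECASE)

# system32 executables whose stem is exactly 8 alphanumerics (assumed
# heuristic: flag for review, never for blind deletion).
SYS32_EXE = re.compile(r"^c:\\windows\\system32\\([A-Za-z0-9]{8})\.exe$",
                       re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """True when a stem mixes upper-case, lower-case and digits."""
    return (any(c.isupper() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isdigit() for c in stem))


def triage(paths):
    """Return (sorted At-job numbers, suspicious system32 exe paths)."""
    at_jobs, exes = [], []
    for p in paths:
        m = AT_JOB.match(p)
        if m:
            at_jobs.append(int(m.group(1)))
            continue
        m = SYS32_EXE.match(p)
        if m and looks_random(m.group(1)):
            exes.append(p)
    return sorted(at_jobs), exes


def build_cfscript(paths):
    """Render a CFScript 'File::' section: header, then one path per line."""
    at_jobs, exes = triage(paths)
    lines = ["File::"]
    lines += [rf"c:\windows\Tasks\At{n}.job" for n in at_jobs]
    lines += exes
    return "\n".join(lines)


if __name__ == "__main__":
    jobs, exes = triage(SAMPLE_PATHS)
    print(f"{len(jobs)} At*.job tasks found: {jobs}")
    print("random-named system32 executables:", exes)
    print(build_cfscript(SAMPLE_PATHS))
```

The point of separating `triage` from `build_cfscript` is that the flagged list should be reviewed by a human (as the helpers in this thread did) before it becomes a deletion script; the SETAB.tmp entry in the original CFScript, for instance, came from reading the log, not from a filename pattern.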
 
Not sure it worked. I did what you said... but it froze towards the end all 3 times. (I did what you said and didn't touch anything; I let it run for 20, 30, and 60 min before I rebooted.) Then I ran it without the script and finally it gave me a log. I unloaded and reloaded CF 2 times so that I could start from scratch... no dice. I've enclosed both logs plus a copy of the exact script that I dropped onto the CF.EXE; I don't know where you want to go from here.
 
I'm a little stumped by this. It appears, however, that those files that ought to be removed have been removed. Both your HijackThis logs and ComboFix logs seem to be clean now too.

Are you still facing any other problems?
 
No. Actually, so far so good. I was just a little doubtful that it worked because the log never popped up like it usually did after ComboFix was done scanning. I'd say we're good to go then. Thanks again for all your help, man! You guys rock!!
 