shady process jiobo.exe (suspected malware) taking up 54% CPU


  • This topic is locked
31 replies to this topic

#1 icicle67 (Members, 19 posts)

Posted 03 February 2010 - 11:57 PM

jiobo.exe is running at startup and destroying my CPU. I cannot delete or end it.
It's located at C:\Users\Username\ according to task manager, but when I navigate
there, even though I have 'show hidden files' checked, the directory shows no
evidence of the file, so I can't run FileASSASSIN on it either.

It began as a malware infection that I got from my old XP machine. I plugged
in my HD enclosure to my Dell laptop that runs Vista (now SP2, which I updated
today hoping to solve this). Some symptoms (listed in detail below) sounded
similar to the one posted here: http://www.bleepingcomputer.com/forums/ind...p;#entry1016549

BEFORE Mbam and ComboFix, symptoms included:
- shady pop-ups when I visited my favorite websites, even with popup blocker turned on.
- attempts to open internet explorer against my will
- on startup, Adobe Distiller and/or Acrobat "have stopped working," and when I try to
open any other Adobe programs, they boot entirely, but then "stop working" and shut down.
- windows updates suspiciously present on some but not all reboots. this may be coincidence.
- processes I didn't recognize that carried either no description or their descriptions were
the same as their filenames (ex: jiobo.exe's description is jiobo.exe; I can't remember any
of the other process names). Their filenames would also change with every boot-up, to
something that either a) google didn't recognize or b) took me to a fake virus removal
site riddled with popups and installers. There would be three or four of these gremlinesque
processes showing in TM at a time, and Malwarebytes recognized and took care of three
of them, and I thought ComboFix took care of the rest until a few more reboots.

AFTER Mbam and ComboFix
- I have gotten a few popups, since virus removal, but not reliably, and none today,
so this has improved considerably.
- no attempts at internet explorer, but the popups have instead appeared in firefox
(which has been and is set as the default browser)
- same as before with the Adobe programs not booting properly or at all.
- jiobo.exe is taking up to 54% of my CPU, causing video playback to skip relentlessly.
- recently got a blue screen and several spontaneous (some failed) reboots, but that could
have been from running my laptop on my bed, so I think it's safe to say this was unrelated
and due to overheating (since that's what one of the blue screens said, and the machine
was way too hot at the time).

Is it possible that my blackberry has a virus on its media card, and is reinfecting
my system? The way my external HD did? [sidenote: Will also be posting shortly
re: how to transfer old design files to a new hard drive without transferring viruses,
since this is bound to happen again soon when I upgrade to a network storage device]

Either way, Mbam and ComboFix just were not enough. I have HijackThis installed,
and it sees the process, but I haven't tried hitting "Fix" there yet. Waiting for your
input on this one. :)

Bottom line:
The only process still running that I can see is jiobo.exe.
I can't end it in Task Manager (nothing happens).
I unchecked it in the Boot tab of msconfig, but it was running at the next startup anyway.
It eats my CPU.
And kills my CS3 programs.


Thank you!!


#2 icicle67 (Topic Starter, Members, 19 posts)

Posted 04 February 2010 - 12:04 AM

I just tried Folder Options/View/ and unchecked "Hide protected operating system files" and jiobo.exe did show up in C:\Users\Username
Still can't delete it, and when I tried to rename it, it actually changed the Folder Options BACK to have "Hide protected operating system files" checked, against my will. weird...

Edited by Orange Blossom, 10 February 2010 - 09:51 PM.
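The symptoms in these two posts (an executable sitting directly in the profile root, hidden behind the protected-operating-system-file attribute, a description that just repeats its own filename, and CPU pinned at 54%) make a compact triage checklist. The Python below is an added example, not code from the thread or from any tool mentioned in it: the AutorunEntry model and the sample records are constructed, with only the jiobo.exe details taken from the posts above.

```python
r"""Score an autostart record against the signals described in the thread.

Added example, not from the thread. Each AutorunEntry is a constructed
record standing in for one value under HKCU\...\CurrentVersion\Run plus
what Task Manager and Explorer show about the file it launches.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Set


@dataclass
class AutorunEntry:
    """One Run-key style autostart record (a constructed data model)."""
    name: str              # registry value name under ...\CurrentVersion\Run
    image_path: str        # path of the launched executable
    description: str       # FileDescription from the file's version info
    attributes: Set[str]   # file attribute flags, e.g. {"hidden", "system"}
    cpu_percent: float     # CPU share observed in Task Manager, if running


def _parts(path) -> List[str]:
    # PureWindowsPath parses Windows paths on any host OS.
    return [p.lower() for p in PureWindowsPath(path).parts]


def in_profile_root(path) -> bool:
    r"""True when the file sits directly in C:\Users\<name>\ (no subfolder)."""
    parts = _parts(path)          # ['c:\\', 'users', 'cecilia', 'jiobo.exe']
    return len(parts) == 4 and parts[1] == "users"


def in_windows_dir(path) -> bool:
    r"""True for anything under C:\Windows, where hidden+system is normal."""
    parts = _parts(path)
    return len(parts) > 1 and parts[1] == "windows"


def triage(entry: AutorunEntry) -> List[str]:
    """Return the suspicious traits found on one autostart entry."""
    path = PureWindowsPath(entry.image_path)
    attrs = {a.lower() for a in entry.attributes}
    flags = []
    if in_profile_root(entry.image_path):
        flags.append("executable directly in the user profile root")
    if {"hidden", "system"} <= attrs and not in_windows_dir(entry.image_path):
        # Post #2: the file only appeared after unticking
        # "Hide protected operating system files" (hidden + system set).
        flags.append("hidden+system attributes on a file outside the Windows directory")
    if entry.description.strip().lower() == path.name.lower():
        flags.append("FileDescription merely repeats the filename")
    if entry.cpu_percent >= 50:
        flags.append(f"sustained CPU use ({entry.cpu_percent:.0f}%)")
    return flags


def triage_all(entries) -> Dict[str, List[str]]:
    """Map each entry name to its flags, most suspicious first."""
    scored = {e.name: triage(e) for e in entries}
    return dict(sorted(scored.items(), key=lambda kv: len(kv[1]), reverse=True))


# Constructed sample: the thread's jiobo.exe beside a normal-looking entry.
SAMPLE_ENTRIES = [
    AutorunEntry("jiobo", r"C:\Users\Cecilia\jiobo.exe", "jiobo.exe",
                 {"hidden", "system"}, 54.0),
    AutorunEntry("Adobe Reader Speed Launcher",
                 r"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe",
                 "Adobe Acrobat SpeedLauncher", set(), 0.2),
]

if __name__ == "__main__":
    for name, flags in triage_all(SAMPLE_ENTRIES).items():
        print(f"{name}: {len(flags)} flag(s)")
        for f in flags:
            print("  -", f)
```

None of these traits is conclusive on its own (many installers drop hidden files, and a codec can peg a CPU), which is why the function returns the list of reasons rather than a verdict; the combination of all four on one Run-key entry is what makes jiobo.exe stand out.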


#3 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 10 February 2010 - 07:35 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#4 icicle67 (Topic Starter, Members, 19 posts)

Posted 12 February 2010 - 12:46 AM

Have attached the DSS report, and Defogger ran without any issues.

Running GMER caused a PAGE_FAULT... blue screen after hours of scanning when I ran it in regular Vista. It read:

---------------------------------------------------------------------------------------------------------
A problem has been detected and Windows has been shut down to prevent damage to your computer.

kxldqpoc.sys

PAGE_FAULT_IN_NONPAGED_AREA
If this is the first time you have seen this Stop error screen, restart computer. If this screen continues follow the following steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advances Datrtup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x00000050 (0xA0128008, 0x00000000, 0xA4530F60, 0x00000000)

*** kxldqpoc.sys - Address A4530F60 base at A4525000, DateStamp 4b274f8d

Collecting data for drash dump ...
Initializing disk for crash dump ...
Physical memory dump complete.
Contact your system admin or technical support group for further assistance.
---------------------------------------------------------------------------------------------------------

There were way more found items when I ran GMER *not* in safe mode, but the scan took hours, and I wasn't at my machine when it would happen (and this happened twice) so I couldn't save that longer log.



I ran GMER in safe mode and got the following log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-11 05:15:08
Windows 6.0.6002 Service Pack 2
Running: 7oq29xpe.exe; Driver: C:\Users\Cecilia\AppData\Local\Temp\kxldqpoc.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\fastfat \Fat 81867A7A

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh@imagepath \systemroot\system32\drivers\rotscxbefwyxqs.sys
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main@aid 10033
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxbefwyxqs.sys
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscxcmd.dll \systemroot\system32\rotscxdxhxhuym.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscxlog.dat \systemroot\system32\rotscxjrmjqqgr.dat
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscxwsp.dll \systemroot\system32\rotscxdftnlwkc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscx.dat \systemroot\system32\rotscxgnumbowm.dat
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscxwsp8.dll \systemroot\system32\rotscxxpddppsx.dll

---- EOF - GMER 1.0.15 ----




After the first blue screen, I got loops of windows startup repair until I was forced to do a system restore.
If this requires that I post new logs, do let me know; I didn't want to do anything out of order from your
instructions or include too many attachments, so I haven't done anything more than described here.


THANK YOU so much for your help on this.

Attached Files: DDS.txt (20.55KB, 3 downloads)
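Two details in this post belong together. The crash screen names kxldqpoc.sys, and the GMER header on the same log lists C:\Users\Cecilia\AppData\Local\Temp\kxldqpoc.sys as the scanner's own randomly named driver, so the blue screen came from the rootkit scanner's driver rather than from a new infection. The Registry section, meanwhile, describes one service, rotscxpgmymeyh, with a kernel driver image path, an injector subkey and a list of modules, every key marked as living in a ControlSet that is not the active one. The Python below is an added example, not GMER code: it parses those Reg lines (copied verbatim from the log above) into one record per service and reports the traits an analyst would pull out of it. The record layout and the assessment rules are mine.

```python
"""Group the Registry section of a GMER log by service and assess it.

Added example, not GMER code. The sample text is the Registry section of
the log posted above; LINE_RE and the assessment rules are my own.
"""
import re
from collections import defaultdict

SAMPLE_GMER_LOG = r"""---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh@imagepath \systemroot\system32\drivers\rotscxbefwyxqs.sys
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main@aid 10033
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxbefwyxqs.sys
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscxcmd.dll \systemroot\system32\rotscxdxhxhuym.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscxlog.dat \systemroot\system32\rotscxjrmjqqgr.dat
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscxwsp.dll \systemroot\system32\rotscxdftnlwkc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscx.dat \systemroot\system32\rotscxgnumbowm.dat
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxpgmymeyh\modules@rotscxwsp8.dll \systemroot\system32\rotscxxpddppsx.dll

---- EOF - GMER 1.0.15 ----
"""

# Reg <hive path>\Services\<svc>[\subkey...][@value] [data]
LINE_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^\\@\s]+)*)"
    r"(?:@(?P<val>\S+))?"
    r"(?:\s+(?P<data>.*))?$"
)


def _empty_service():
    return {"controlset": None, "values": {}, "main": {},
            "injector": {}, "modules": {}, "subkeys": set()}


def parse_gmer_registry(text):
    """Return {service_name: record} built from the Reg lines in text."""
    services = defaultdict(_empty_service)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # headers, Device lines, blanks
        svc = services[m["svc"]]
        svc["controlset"] = m["cs"]
        sub = m["sub"].strip("\\").lower()   # '' | 'main' | 'main\injector' | ...
        if sub:
            svc["subkeys"].add(sub)
        if m["val"] is None:
            continue                      # bare subkey line, no value
        data = (m["data"] or "").strip()
        if sub == "":
            svc["values"][m["val"].lower()] = data
        elif sub == "main":
            svc["main"][m["val"].lower()] = data
        elif sub == "main\\injector":
            svc["injector"][m["val"]] = data
        elif sub == "modules":
            svc["modules"][m["val"].lower()] = data
    return dict(services)


def assess(services):
    """Per service: human-readable reasons plus the on-disk paths it references."""
    report = {}
    for name, svc in services.items():
        reasons, files = [], set()
        image = svc["values"].get("imagepath", "")
        if image:
            files.add(image.lower())
            reasons.append(f"image path {image}")
        if svc["values"].get("type") == "1":
            reasons.append("type=1 (kernel-mode driver)")
        if svc["values"].get("start") == "1":
            reasons.append("start=1 (SYSTEM start, loads before logon)")
        if svc["injector"]:
            targets = ", ".join(f"{k} -> {v}" for k, v in svc["injector"].items())
            reasons.append(f"injector subkey present: {targets}")
        if svc["modules"]:
            reasons.append(f"{len(svc['modules'])} entries under modules")
            files.update(v.lower() for v in svc["modules"].values())
        if svc["controlset"] and svc["controlset"].lower() != "currentcontrolset":
            reasons.append(f"recorded in {svc['controlset']}")
        report[name] = {"reasons": reasons, "files": sorted(files)}
    return report


if __name__ == "__main__":
    for name, item in assess(parse_gmer_registry(SAMPLE_GMER_LOG)).items():
        print(name)
        for r in item["reasons"]:
            print("  -", r)
        print("  files:", *item["files"], sep="\n    ")
```

The "files" list is the part a helper reuses: the driver under system32\drivers and the five files under system32 are exactly the paths a cleanup script or a follow-up scan needs to cover, and because the parser lowercases them, the image path and the rotscxrk.sys module entry collapse into one.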


#5 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 12 February 2010 - 06:36 PM

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


We do need to run Combofix now.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

#6 icicle67 (Topic Starter, Members, 19 posts)

Posted 12 February 2010 - 07:50 PM

Should I disconnect from the internet before I run combofix?

#7 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 12 February 2010 - 07:54 PM

No, just run it.

#8 icicle67 (Topic Starter, Members, 19 posts)

Posted 12 February 2010 - 11:06 PM

Here is the ComboFix.txt


#9 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 13 February 2010 - 05:02 AM

Okay, let's run Combofix again, but this time with a script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\users\Cecilia\jiobo.exe
c:\windows\TEMP\TMP00000012E50E65F0CCBECC25
c:\users\Cecilia\{9088a6a2-9258-4e24-9276-a633a81700b8}

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jiobo"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please now run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks
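The CFScript in this post is a small text format: `File::` lists one path per line to remove, and `Registry::` uses .reg-file syntax, where `"jiobo"=-` deletes the named value under the preceding `[key]` line. The parser below is an added example, not ComboFix code. It handles only the two section types shown here, treats `[-key]` as key deletion as standard .reg syntax does (an assumption on my part, since the thread never shows it), and pairs each deleted Run value with the File:: entry of the same base name so a reader can confirm that the autorun entry and the file it launches are being removed together.

```python
r"""Parse a ComboFix CFScript of the kind posted above.

Added example, not ComboFix code. Only File:: and Registry:: are
interpreted; any other section header (a line ending in '::') is recorded
as unsupported and its lines are skipped. The sample is the script m0le
posted, copied verbatim.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_CFSCRIPT = r"""File::
c:\users\Cecilia\jiobo.exe
c:\windows\TEMP\TMP00000012E50E65F0CCBECC25
c:\users\Cecilia\{9088a6a2-9258-4e24-9276-a633a81700b8}

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jiobo"=-
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
KEY_DEL_RE = re.compile(r"^\[-(?P<key>[^\]]+)\]$")      # [-HKEY\...]  delete key (.reg syntax, assumed)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")           # [HKEY\...]   select key
VALUE_DEL_RE = re.compile(r'^"(?P<name>[^"]*)"=-$')     # "name"=-     delete value


def parse_cfscript(text):
    """Return the removal plan encoded in a CFScript as plain Python data."""
    script = {"files": [], "registry_deletes": [], "key_deletes": [],
              "unsupported_sections": []}
    section, current_key = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m["name"], None
            if section not in ("File", "Registry"):
                script["unsupported_sections"].append(section)
            continue
        if section is None:
            raise ValueError(f"line {lineno}: content before any section header")
        if section == "File":
            script["files"].append(line)
        elif section == "Registry":
            m = KEY_DEL_RE.match(line)
            if m:
                script["key_deletes"].append(m["key"])
                current_key = None
                continue
            m = KEY_RE.match(line)
            if m:
                current_key = m["key"]
                continue
            m = VALUE_DEL_RE.match(line)
            if m and current_key:
                script["registry_deletes"].append((current_key, m["name"]))
                continue
            raise ValueError(f"line {lineno}: cannot interpret Registry line: {line}")
        # lines inside unsupported sections are ignored
    return script


def paired_removals(script):
    """Pair each deleted Run value with the File:: entry sharing its base name."""
    by_stem = {PureWindowsPath(f).stem.lower(): f for f in script["files"]}
    return [(name, by_stem[name.lower()])
            for _, name in script["registry_deletes"] if name.lower() in by_stem]


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for f in plan["files"]:
        print("delete file :", f)
    for key, name in plan["registry_deletes"]:
        print("delete value:", f"{key} -> {name}")
    print("paired:", paired_removals(plan))
```

For this script the pairing finds one match, the jiobo value against c:\users\Cecilia\jiobo.exe, which is the intended outcome: removing the file without its Run value leaves a dangling autorun, and removing the value without the file leaves the executable in place for something else to relaunch.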

#10 icicle67 (Topic Starter, Members, 19 posts)

Posted 13 February 2010 - 10:47 AM

When you say "check all the drives," do you mean I should plug in my (even more) infected HD, my phone, and camera card, as mentioned in the first post? Or are you referring to both drives C: and D: (recovery)?

#11 icicle67 (Topic Starter, Members, 19 posts)

Posted 13 February 2010 - 11:16 AM

First post didn't appear right away, ignore this

Edited by icicle67, 13 February 2010 - 11:17 AM.


#12 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 13 February 2010 - 12:42 PM

QUOTE(icicle67 @ Feb 13 2010, 03:47 PM)
When you say "check all the drives,"


Where does it say that?

#13 icicle67 (Topic Starter, Members, 19 posts)

Posted 13 February 2010 - 07:27 PM

# If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

#14 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 13 February 2010 - 08:10 PM

Oh right, that's to make sure that MBAM scans all partitioned drives. C:, D:, whatever you've got.

#15 icicle67 (Topic Starter, Members, 19 posts)

Posted 14 February 2010 - 09:07 AM

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6002 Service Pack 2

2/14/2010 9:03:05 AM
mbam-log-2010-02-14 (09-02-30).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|K:\|)
Objects scanned: 618134
Time elapsed: 2 hour(s), 40 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Cecilia\Downloads\Adobe CS4 Activation Patch\Adobe CS4 Keygen.exe (Trojan.Downloader) -> No action taken.
C:\Users\Cecilia\Downloads\Adobe CS4 Master Collection\Adobe CS4 Master Collection\Adobe CS4 Master Collection\adobe-master-cs4-keygen.exe (Trojan.Downloader) -> No action taken.
C:\Users\Cecilia\Downloads\Adobe.CS4.Master.Collection.Keygen.Only\Adobe CS4 Keygen.exe (Trojan.Downloader) -> No action taken.
C:\Windows\System32\CS4 Crack\Adobe CS4 Keygen & Activation\Adobe CS4 Master Collection Keygen.exe (Trojan.Downloader) -> No action taken.


Shhhh.
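Two details of this log are easy to skim past: every one of the four detections ends in "No action taken", so the log records a scan but no removal, and all four are keygen executables from cracked-software downloads, one of them under C:\Windows\System32. The Python below is an added example, not Malwarebytes code: it parses the log text (copied from the post above, with the empty sections abridged) and applies the checks a helper would run before replying. The review rules and the field names are mine.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and review it.

Added example, not Malwarebytes code. SAMPLE_MBAM_LOG is the log posted
above with its empty "(No malicious items detected)" sections abridged.
"""
import re

SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6002 Service Pack 2

2/14/2010 9:03:05 AM
mbam-log-2010-02-14 (09-02-30).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|K:\|)
Objects scanned: 618134
Time elapsed: 2 hour(s), 40 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Users\Cecilia\Downloads\Adobe CS4 Activation Patch\Adobe CS4 Keygen.exe (Trojan.Downloader) -> No action taken.
C:\Users\Cecilia\Downloads\Adobe CS4 Master Collection\Adobe CS4 Master Collection\Adobe CS4 Master Collection\adobe-master-cs4-keygen.exe (Trojan.Downloader) -> No action taken.
C:\Users\Cecilia\Downloads\Adobe.CS4.Master.Collection.Keygen.Only\Adobe CS4 Keygen.exe (Trojan.Downloader) -> No action taken.
C:\Windows\System32\CS4 Crack\Adobe CS4 Keygen & Activation\Adobe CS4 Master Collection Keygen.exe (Trojan.Downloader) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # "Files Infected: 4"
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")              # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {'header': {...}, 'summary': {cat: int}, 'items': {cat: [(path, detection, action)]}}."""
    report = {"header": {}, "summary": {}, "items": {}}
    lines = [l.rstrip() for l in text.splitlines()]
    report["header"]["product"] = next(l for l in lines if l)
    section = None
    for line in lines:
        if not line or line == report["header"]["product"]:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"][m["cat"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["cat"]
            report["items"].setdefault(section, [])
            continue
        if section is None:                      # still in the header block
            key, sep, val = line.partition(": ")
            if sep:
                report["header"][key] = val
            else:
                report["header"].setdefault("other", []).append(line)
            continue
        if line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line in section {section!r}: {line}")
        report["items"][section].append((m["path"], m["detection"], m["action"]))
    return report


def review(report):
    """Checks a helper would apply to a posted log; returns warning strings."""
    warnings = []
    for cat, declared in report["summary"].items():
        found = len(report["items"].get(cat, []))
        if declared != found:
            warnings.append(f"{cat}: summary says {declared}, section lists {found}")
    items = [i for group in report["items"].values() for i in group]
    unactioned = [p for p, _, a in items if a.lower().startswith("no action")]
    if unactioned:
        warnings.append(f"{len(unactioned)} detection(s) marked 'No action taken': "
                        "nothing was removed; rerun the scan and use Remove Selected")
    cracked = [p for p, _, _ in items if re.search(r"keygen|crack", p, re.I)]
    if cracked:
        warnings.append(f"{len(cracked)} detection(s) are keygen/crack executables; "
                        "cracked-software bundles are a common delivery vector")
    in_system32 = [p for p, _, _ in items if p.lower().startswith(r"c:\windows\system32")]
    if in_system32:
        warnings.append(f"{len(in_system32)} detection(s) sit under System32, not just in Downloads")
    return warnings


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_MBAM_LOG)
    print(rep["header"]["product"], "| objects:", rep["header"]["Objects scanned"])
    for w in review(rep):
        print("-", w)
```

The count check matters on longer logs, where a truncated paste silently drops items; on this one it passes, and the three other warnings are the ones a reply would lead with.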
