
Very Advanced Virus Infection


  • This topic is locked
43 replies to this topic

#16 Jim Eddy (Topic Starter, Members, 24 posts)

Posted 31 August 2013 - 02:42 PM

Hello Gringo,

Oops. Sorry. I did not notice that you were using RPN.

That did it. BlitzBlank did run. It is very scary.

It throws up warnings and then brings the machine down. But not completely. It leaves the machine with no display and no disk activity, but the fan is still running and, apparently, the disk drive is still spinning. It beeps when I unplug the power, and beeps again when I plug it back in. (It is a notebook computer that runs off a battery when unplugged.) I waited 15 minutes for something to happen. Nothing did. I lost patience and held down the power key to force the machine all the way down. It went all the way down but did not turn off the battery and plugged-in lights. After holding down the power button for about 30 seconds I let it go, and the only way that I knew that it was down was that when I unplugged it all the lights went out and there was no beep.

Then I booted the machine back up. It displayed some very scary looking messages from very low in the boot process. They were about deleting files and replacing them with dummies. Then the machine came up. When it came up it threw up the usual Task Scheduler not working message. I did not click Close Program right away. Explorer was very slow for a long time. It did its usual 15 minutes of frantic disk activity. It did leave a log. This is it:

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
MoveFileOnReboot: sourceFile = "\??\c:\program files\google\update\googleupdate.exe", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\windows\system32\macromed\flash\flashplayerupdateservice.exe", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\windows\tasks\adobe flash player updater.job", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\windows\tasks\googleupdatetaskmachinecore.job", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\windows\tasks\googleupdatetaskmachineua.job", destinationFile = "(null)", replaceWithDummy = 0

I rebooted the machine. It came up the same way: “Task Scheduler not working” and lots of disk activity. There was no mention of any Google set up. Nothing was using much cpu but the disk was getting hit hard.

Jim


#17 gringo_pr (Bleepin Gringo, Malware Response Team, 136,773 posts, Puerto Rico)

Posted 31 August 2013 - 09:15 PM

Hello


OK rerun combofix again for me


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#18 Jim Eddy (Topic Starter, Members, 24 posts)

Posted 01 September 2013 - 09:51 AM

Hello Gringo,

I ran ComboFix without a script file. The log is posted below.

Regarding this run of ComboFix, it went normally until the reboot before the log file is produced. On the way back up Windows threw up its usual message:

Task Scheduler Engine has stopped working
A problem caused the program to stop working correctly.
Windows will close the program and notify you if a solution is available.
[Debug]   [Close Program]

This time I did not select Debug or Close Program. I let the window stay up. Thereafter ComboFix continued to think until it was time to put up the ComboFix.txt file. At that point it wrote two messages into its Command Prompt window that looked vaguely like this (I was not able to read them before the window closed): SED: something about not being able to access or open or find some file. It then invoked Notepad on an empty file and displayed that full screen along with the message box:

Cannot find the C:\Users\JimEddy\AppData\Local\Temp\log.txt file.
Do you want to create a new file?
[Yes]   [No]   [Cancel]

I selected Yes.

The full-screen Notepad file was renamed from untitled.txt to log.txt. It was empty. I saved the empty file to the desktop. Explorer was very slow, even to the point of saying that Notepad was not responding. After about 3 minutes it did save to the desktop and I was able to close Notepad. Another 15 seconds.

I am suspicious that all of this behavior at the end of the ComboFix run has to do with the fact that I chose not to select “Close Program” on the “Task Scheduler Engine has stopped working” message. That message is still up. Explorer takes more than five seconds to open the Start Menu. As soon as I select “Close Program” on the message box, two things happen:

  1. Explorer becomes instantaneous.
  2. There is displayed in the notification area the message “The last backup failed”.

When I open the icon doing the talking it throws up a panel with the title “Backup Status and Configuration”. It offers to do a backup. I don’t have backup media attached to the PC so I decline that.

One thing that I neglected to report earlier is that it seems that the Recycle Bin is emptied by ComboFix.

It is my belief that the unusual behavior at the end of the ComboFix run would not happen if I closed the Task Scheduler message box as soon as it appears during bootup.

Here is the ComboFix log file.

================================================

ComboFix 13-08-22.01 - JimEddy 09/01/2013   8:55.4.2 - x86

Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.1977.619 [GMT -4:00]

Running from: c:\environment\Folders\z06 comboFix\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\JimEddy\AppData\Local\Temp\rad0EFA8.tmp\bin\Gadget.Interop.dll

c:\users\JimEddy\AppData\Local\Temp\rad4B35C.tmp\bin\x86\sharpwrapi_Win32.dll

c:\windows\system32\TPAPSLOG.LOG

c:\windows\system32\TPHDLOG0.LOG

.

.

(((((((((((((((((((((((((   Files Created from 2013-08-01 to 2013-09-01  )))))))))))))))))))))))))))))))

.

.

2013-09-01 13:06 . 2013-09-01 13:11  --------   d-----w-     c:\users\JimEddy\AppData\Local\temp

2013-09-01 13:06 . 2013-09-01 13:06  --------   d-----w-     c:\windows\system32\config\systemprofile\AppData\Local\temp

2013-09-01 13:06 . 2013-09-01 13:06  --------   d-----w-     c:\users\TEMP\AppData\Local\temp

2013-09-01 13:06 . 2013-09-01 13:06  --------   d-----w-     c:\users\TEMP.Rathbone\AppData\Local\temp

2013-09-01 13:06 . 2013-09-01 13:06  --------   d-----w-     c:\users\Default\AppData\Local\temp

2013-08-30 12:09 . 2013-08-20 04:47  7166848    ----a-w-     c:\programdata\Microsoft\Windows Defender\Definition Updates\{449BB28A-B9C9-46EC-B0A3-995378CAC37B}\mpengine.dll

2013-08-26 18:00 . 2013-07-25 02:42  149656     ----a-w-   c:\program files\Internet Explorer\sqmapi.dll

2013-08-26 18:00 . 2013-07-25 02:25  768512     ----a-w-   c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll

2013-08-26 18:00 . 2013-07-25 02:24  194560     ----a-w-   c:\program files\Internet Explorer\IEShims.dll

2013-08-26 18:00 . 2013-07-25 02:24  194560     ----a-w-   c:\program files\Internet Explorer\ieproxy.dll

2013-08-26 18:00 . 2013-07-25 02:42  757400     ----a-w-   c:\program files\Internet Explorer\iexplore.exe

2013-08-26 18:00 . 2013-07-25 02:25  104448     ----a-w-   c:\program files\Internet Explorer\jsdebuggeride.dll

2013-08-26 18:00 . 2013-07-25 02:25  678912     ----a-w-   c:\program files\Internet Explorer\iedvtool.dll

2013-08-26 18:00 . 2013-07-25 02:25  387584     ----a-w-   c:\program files\Internet Explorer\jsdbgui.dll

2013-08-26 14:19 . 2013-07-05 04:53  905664     ----a-w-     c:\windows\system32\drivers\tcpip.sys

2013-08-26 14:19 . 2013-06-15 11:23  24064 ----a-w-     c:\windows\system32\drivers\tssecsrv.sys

2013-08-23 22:06 . 2013-08-23 22:06  --------   d-----w-   c:\windows\ERUNT

2013-08-23 20:53 . 2013-08-23 20:54  --------   d-----w-   C:\AdwCleaner

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-08-02 04:09 . 2013-08-28 15:00  1548288    ----a-w-     c:\windows\system32\WMVDECOD.DLL

2013-07-25 02:32 . 2013-08-26 18:00  1800704    ----a-w-     c:\windows\system32\jscript9.dll

2013-07-25 02:26 . 2013-08-26 18:00  1129472    ----a-w-     c:\windows\system32\wininet.dll

2013-07-25 02:25 . 2013-08-26 18:00  1427968    ----a-w-     c:\windows\system32\inetcpl.cpl

2013-07-25 02:23 . 2013-08-26 18:00  142848     ----a-w-     c:\windows\system32\ieUnatt.exe

2013-07-25 02:23 . 2013-08-26 18:00  420864     ----a-w-     c:\windows\system32\vbscript.dll

2013-07-25 02:22 . 2013-08-26 18:00  2382848    ----a-w-     c:\windows\system32\mshtml.tlb

2013-07-19 13:29 . 2012-04-05 14:07  692104     ----a-w-     c:\windows\system32\FlashPlayerApp.exe

2013-07-19 13:29 . 2011-06-16 13:55  71048 ----a-w-     c:\windows\system32\FlashPlayerCPLApp.cpl

2013-07-17 19:41 . 2013-08-26 14:19  2048 ----a-w-     c:\windows\system32\tzres.dll

2013-07-10 09:47 . 2013-08-26 14:19  783360     ----a-w-     c:\windows\system32\rpcrt4.dll

2013-07-10 00:27 . 2013-07-10 00:27  94632 ----a-w-     c:\windows\system32\WindowsAccessBridge.dll

2013-07-10 00:27 . 2013-07-10 00:28  867240     ----a-w-     c:\windows\system32\npDeployJava1.dll

2013-07-10 00:27 . 2010-06-05 11:32  789416     ----a-w-     c:\windows\system32\deployJava1.dll

2013-07-09 12:10 . 2013-08-26 14:19  1205168    ----a-w-     c:\windows\system32\ntdll.dll

2013-07-08 04:55 . 2013-08-26 14:19  3603904    ----a-w-     c:\windows\system32\ntkrnlpa.exe

2013-07-08 04:55 . 2013-08-26 14:19  3551680    ----a-w-     c:\windows\system32\ntoskrnl.exe

2013-07-08 04:20 . 2013-08-26 14:19  172544     ----a-w-     c:\windows\system32\wintrust.dll

2013-07-08 04:16 . 2013-08-26 14:19  133120     ----a-w-     c:\windows\system32\cryptsvc.dll

2013-07-08 04:16 . 2013-08-26 14:19  98304 ----a-w-     c:\windows\system32\cryptnet.dll

2013-07-08 04:16 . 2013-08-26 14:19  992768     ----a-w-     c:\windows\system32\crypt32.dll

2013-06-15 13:22 . 2013-08-26 14:19  15872 ----a-w-     c:\windows\system32\icaapi.dll

2013-06-04 01:50 . 2013-07-10 08:14  2049024    ----a-w-     c:\windows\system32\win32k.sys

2001-09-28 21:00 . 2009-07-17 16:55  164864     ------w-   c:\program files\UNWISE.EXE

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

"Taskbar Shuffle"="c:\environment\Folders\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2010-12-10 1093632]

"TpShocks"="TpShocks.exe" [2008-06-07 181536]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]

"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-15 61728]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 824616]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2011-03-31 20480]

"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-01-14 644384]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 154136]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-08-31 165208]

"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-08-31 124248]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-11 1191936]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 178712]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-25 3077432]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]

"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2010-09-17 181608]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-09-17 431464]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]

"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2011-08-24 651832]

"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]

"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-04-13 40960]

"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2009-01-14 214576]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-11-16 641704]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-22 50688]

PowerNap.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_35E0567647C2420371B885.exe 1 [2012-1-6 372526]

PowerNapWatcher.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_18B4EACA6AED157B14F49D.exe [2012-1-6 10134]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^Users^JimEddy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^regmonstd.lnk]

path=c:\users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk

backup=c:\windows\pss\regmonstd.lnk.Startup

backupExtension=.Startup

.

R2 ADExchange;ArcSoft Exchange Service;c:\program files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ   PLA DPS BFE mpssvc

LocalServiceAndNoImpersonation  REG_MULTI_SZ   FontCache

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-08-31 13:41     1177552    ----a-w-   c:\program files\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <-loopback>

uInternet Settings,ProxyServer = http=127.0.0.1:49176;https=127.0.0.1:49176

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 204.186.110.76 204.186.80.251 216.144.187.199

TCP: Interfaces\{A7C72638-EC15-4741-8D97-150C33341983}: NameServer = 0.0.0.0

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB

.

.

**************************************************************************

scanning hidden processes ... 

.

scanning hidden autostart entries ...

.

scanning hidden files ... 

.

scan completed successfully

hidden files:

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(5576)

c:\program files\Lenovo\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\windows\system32\atiesrxx.exe

c:\windows\system32\atieclxx.exe

c:\windows\system32\WLANExt.exe

c:\program files\LENOVO\HOTKEY\TPHKSVC.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CISVC.EXE

c:\program files\DebugDiag\DbgSvc.exe

c:\program files\Dell\PowerNap\PowerNap.Service.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Lenovo\Communications Utility\CAMMUTE.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe

c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe

c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\System32\TPHDEXLG.exe

c:\program files\Lenovo\Client Security Solution\tvttcsd.exe

c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe

c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\Lenovo\System Update\SUService.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\System32\TpShocks.exe

c:\windows\System32\rundll32.exe

c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE

c:\program files\ThinkVantage\PrdCtr\LPMLCHK.EXE

c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE

c:\windows\system32\WerFault.exe

c:\program files\Lenovo\HOTKEY\TPONSCR.exe

c:\program files\Lenovo\Zoom\TpScrex.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Dell\PowerNap\PowerNap.exe

c:\program files\Dell\PowerNap\PowerNapWatcher.exe

c:\program files\Synaptics\SynTP\SynTPLpr.exe

c:\windows\system32\dllhost.exe

c:\windows\System32\msdtc.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\program files\Lenovo\Rescue and Recovery\rrservice.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\system32\cidaemon.exe

c:\windows\System32\wsqmcons.exe

c:\windows\servicing\TrustedInstaller.exe

.

**************************************************************************

.

Completion time: 2013-09-01  09:20:15 - machine was rebooted

ComboFix-quarantined-files.txt  2013-09-01 13:20

ComboFix2.txt  2013-08-25 20:03

ComboFix3.txt  2013-08-25 13:47

.

Pre-Run: 75,768,320,000 bytes free

Post-Run: 75,713,826,816 bytes free

.

- - End Of File - - 8E59A5DDC804C005F389F45BFE8E7426

6CDEB6C7D41A15D446A0571583928580

I did not notice any change in behavior on reboot.

I hope you have more tricks up your sleeve.

Thank you for your help.

Jim



#19 gringo_pr (Bleepin Gringo, Malware Response Team, 136,773 posts, Puerto Rico)

Posted 01 September 2013 - 12:12 PM

Let's check to make sure the service is set to run automatically.

Click the Start orb
In the Start Search box, type services and press enter.
Scroll down to Task Scheduler, right click it and choose properties.

Make sure the start up type is set to Automatic.

Restart your PC and see if you get the error again.

#20 Jim Eddy (Topic Starter, Members, 24 posts)

Posted 01 September 2013 - 02:02 PM

Hello Gringo,

Yes, the Task Scheduler shows up in the service list as:

Name            Description          Status     StartupType     Log On As
Task Scheduler  Enables a user […]   Started    Automatic       LocalSystem

When I select this line and go to Properties it lists the Startup type as Automatic and the Service Status as Started. The path to the executable is listed as:

C:\Windows\System32\svchost.exe -k netsvcs

Note that the Task Scheduler is listed this way both before and after I select “Close Program” on the “Task Scheduler has stopped working” error message.

I did not change any of these settings since they seemed to be correct. The next reboot after looking at the properties was the same as before, with the “Task Scheduler stopped working” message coming up as always.

Looking at the Resource Monitor shows two svchost.exe processes at the top of the list:

svchost.exe (DcomLaunch)                     7 threads
svchost.exe (LocalSystemNetworkRestricted)  43 threads

Even these were getting less than 0.1 % CPU time. This was after the reboot but before I closed the “Task Scheduler has stopped working” message. After I selected “Close Program” many other processes got CPU time and the two processes above were driven to the bottom of the list.

Thank you for your attention and tenacity.

I await your next move.

Jim



#21 Jim Eddy (Topic Starter, Members, 24 posts)

Posted 03 September 2013 - 02:35 PM

Gringo,

I'm still here.

Jim



#22 Jim Eddy (Topic Starter, Members, 24 posts)

Posted 04 September 2013 - 06:01 PM

Gringo,

Am I done?

Jim



#23 gringo_pr (Bleepin Gringo, Malware Response Team, 136,773 posts, Puerto Rico)

Posted 04 September 2013 - 10:07 PM

Hello Jim

researching to see what we can do - I am out of ideas


Gringo

#24 Jim Eddy (Topic Starter, Members, 24 posts)

Posted 05 September 2013 - 10:22 AM

Hello Gringo,

Here is some additional information that might give you something to pull on.

Before I came to Bleeping Computer I had two viruses at least partially disabled by unchecking them in the msconfig Startup list. One of them had an entry in the list that is this:

Startup Item:  regmonstd
Manufacturer:  Unknown
Command:       C:\Windows\System32\rundll32.exe C:\Users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe,XFG00
Location:      C:\Users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

As I said, I had disabled this by unchecking it in the Startup list. It was disabled when we ran all of our antivirus software.

And there was one other one. I no longer remember what it was. And I had disabled it in the list also.

This morning I did a normal boot. That enabled everything. I got an error message back that I had been getting when the above entry was enabled. It was:

RunDLL
Error loading
C:\Users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe
The specified module could not be found.
[OK]

This is because I had earlier removed the target item from this folder.

I had neglected to mention to you earlier that there were two items in the Startup list that had been unchecked. Might it be helpful to rerun the appropriate antivirus software after a normal boot where everything is enabled? The software might report something that it did not see before because it was not running. That might allow you to see something that we could clean out and make some progress.

What do you think?

Jim
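The checks the thread has been doing by hand, as one read-only PowerShell triage script: the Task Scheduler service settings gringo asked for in #19, the Startup-folder entry described in this post (including the copy msconfig keeps of an unchecked item), and the loopback ProxyServer value that appears in the ComboFix log's Supplementary Scan. This is an added example, not code from the thread or from ComboFix; it assumes PowerShell 2.0 or later, assumes msconfig stores unchecked Startup shortcuts under %windir%\pss with a ".Startup" suffix (as the log's backup= line suggests), and the function names Get-ScheduleServiceReport, Get-StartupShortcutReport, Test-FileGone and Get-UserProxyReport are mine.

```powershell
# Added example (not from the thread): read-only triage for the points discussed above.
# Uses Get-WmiObject and New-Object instead of the CIM/[pscustomobject] forms so it
# also runs on the PowerShell 2.0 found on Vista-era machines.

# 1. Task Scheduler service (service name "Schedule"). The thread expects Startup type
#    Automatic, status Started and the image path "svchost.exe -k netsvcs".
function Get-ScheduleServiceReport {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Schedule'"
    if ($null -eq $svc) { return $null }
    $pathOk = $svc.PathName -match 'svchost\.exe\s+-k\s+netsvcs\s*$'
    New-Object PSObject -Property @{
        Name       = $svc.Name
        StartMode  = $svc.StartMode   # 'Auto' is what services.msc shows as Automatic
        State      = $svc.State       # 'Running' is what services.msc shows as Started
        PathName   = $svc.PathName
        AsExpected = ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running') -and $pathOk
    }
}

# True when a path was given and the file is no longer there, which is what produces
# the "RunDLL ... The specified module could not be found" dialog at logon.
function Test-FileGone([string]$Path) {
    return (-not [string]::IsNullOrEmpty($Path)) -and (-not (Test-Path -LiteralPath $Path))
}

# 2. Startup-folder shortcuts for this user and all users, plus the copies msconfig
#    makes when an item is unchecked (assumption: it moves the shortcut to %windir%\pss
#    with a ".Startup" suffix, matching the "[HKLM\~\startupfolder\...]" block and
#    backup= line in the ComboFix log).
function Get-StartupShortcutReport {
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @(
        @{ Path = [Environment]::GetFolderPath('Startup');       Disabled = $false },
        @{ Path = [Environment]::GetFolderPath('CommonStartup'); Disabled = $false },
        @{ Path = (Join-Path $env:windir 'pss');                 Disabled = $true  }
    )
    foreach ($f in $folders) {
        if ([string]::IsNullOrEmpty($f.Path) -or -not (Test-Path -LiteralPath $f.Path)) { continue }
        $files = Get-ChildItem -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer -and $_.Name -match '\.lnk' }
        foreach ($file in $files) {
            # CreateShortcut only opens names ending in .lnk/.url, so a pss backup such
            # as "regmonstd.lnk.Startup" is copied to a temporary .lnk first. Reading a
            # shortcut this way resolves its fields; it does not launch the target.
            $lnkPath = $file.FullName
            if ($f.Disabled) {
                $lnkPath = Join-Path $env:TEMP ('triage_' + [IO.Path]::GetFileNameWithoutExtension($file.Name))
                Copy-Item -LiteralPath $file.FullName -Destination $lnkPath -Force
            }
            $lnk = $shell.CreateShortcut($lnkPath)
            $cmd = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
            # The "regmonstd" pattern: rundll32 as the launcher with its module argument
            # under a Temp or AppData folder. Flag it for a closer look.
            $argFile = $null
            if ($lnk.Arguments -match '^\s*"?([A-Za-z]:\\[^",]+)') { $argFile = $Matches[1] }
            New-Object PSObject -Property @{
                Shortcut      = $file.FullName
                Disabled      = $f.Disabled
                Command       = $cmd
                Suspicious    = ($cmd -match 'rundll32') -and ($cmd -match '\\Temp\\|\\AppData\\')
                TargetMissing = (Test-FileGone $lnk.TargetPath) -or (Test-FileGone $argFile)
            }
            if ($f.Disabled) { Remove-Item -LiteralPath $lnkPath -Force -ErrorAction SilentlyContinue }
        }
    }
}

# 3. Per-user WinINet proxy. The Supplementary Scan in the log shows
#    "ProxyServer = http=127.0.0.1:49176;https=127.0.0.1:49176": a loopback proxy hands
#    every browser request to a local process first, so the listener on that port
#    should be matched to software the user knowingly installed.
function Get-UserProxyReport {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $listener = @()
    if ($p.ProxyServer -match '127\.0\.0\.1:(\d+)') {
        $port = $Matches[1]
        # netstat -ano prints the owning PID in the last column.
        $listener = @(netstat -ano | Select-String ":$port\s+\S+\s+LISTENING")
    }
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        LoopbackProxy = [bool]($p.ProxyServer -match '127\.0\.0\.1|localhost')
        Listener      = ($listener | ForEach-Object { $_.Line.Trim() }) -join '; '
    }
}

Get-ScheduleServiceReport | Format-List
Get-StartupShortcutReport | Format-Table Disabled, Suspicious, TargetMissing, Shortcut, Command -AutoSize
Get-UserProxyReport | Format-List
```

Run it from an elevated PowerShell prompt so the pss folder and netstat PID column are readable; a Suspicious or TargetMissing entry is a lead to investigate, not a verdict.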



#25 gringo_pr (Bleepin Gringo, Malware Response Team, 136,773 posts, Puerto Rico)

Posted 05 September 2013 - 07:31 PM


Hello Jim

We can try it - nothing can be hurt by doing it

I would like you to download an updated version of ComboFix.

Update ComboFix
  • Delete the version of ComboFix you have now on your desktop and download a new one from here. **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.
    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"Information and logs"
  • In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#26 Jim Eddy (Topic Starter, Members, 24 posts)

Posted 06 September 2013 - 09:57 AM

Hello Gringo,

I downloaded and ran the new ComboFix after a normal boot. The normal boot enabled this virus in the msconfig startup list:

Startup Item:  regmonstd
Manufacturer:  Unknown
Command:       C:\Windows\System32\rundll32.exe C:\Users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe,XFG00
Location:      C:\Users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Here is the ComboFix.txt file from that ComboFix run:

==========================

ComboFix 13-09-06.01 - JimEddy 09/06/2013   8:45.5.2 - x86

Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.1977.826 [GMT -4:00]

Running from: c:\users\JimEddy\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\JimEddy\AppData\Local\Temp\rad36408.tmp\bin\x86\sharpwrapi_Win32.dll

c:\users\JimEddy\AppData\Local\Temp\radFEC81.tmp\bin\Gadget.Interop.dll

c:\windows\system32\TPAPSLOG.LOG

c:\windows\system32\TPHDLOG0.LOG

.

.

(((((((((((((((((((((((((   Files Created from 2013-08-06 to 2013-09-06  )))))))))))))))))))))))))))))))

.

.

2013-09-06 13:00 . 2013-09-06 13:03         --------   d-----w-                c:\users\JimEddy\AppData\Local\temp

2013-09-06 13:00 . 2013-09-06 13:00         --------   d-----w-                c:\windows\system32\config\systemprofile\AppData\Local\temp

2013-09-06 13:00 . 2013-09-06 13:00         --------   d-----w-                c:\users\TEMP\AppData\Local\temp

2013-09-06 13:00 . 2013-09-06 13:00         --------   d-----w-                c:\users\TEMP.Rathbone\AppData\Local\temp

2013-09-06 13:00 . 2013-09-06 13:00         --------   d-----w-                c:\users\Default\AppData\Local\temp

2013-09-03 14:06 . 2013-08-20 04:47         7166848                ----a-w-                c:\programdata\Microsoft\Windows Defender\Definition Updates\{041CA9AE-56C9-4A47-9CF3-1B8B4C2A2368}\mpengine.dll

2013-08-28 15:00 . 2013-08-02 04:09         1548288                ----a-w-                c:\windows\system32\WMVDECOD.DLL

2013-08-26 14:19 . 2013-07-05 04:53         905664  ----a-w-                c:\windows\system32\drivers\tcpip.sys

2013-08-26 14:19 . 2013-06-15 13:22         15872    ----a-w-                c:\windows\system32\icaapi.dll

2013-08-26 14:19 . 2013-06-15 11:23         24064    ----a-w-                c:\windows\system32\drivers\tssecsrv.sys

2013-08-26 14:19 . 2013-07-17 19:41         2048       ----a-w-                c:\windows\system32\tzres.dll

2013-08-26 14:19 . 2013-07-10 09:47         783360  ----a-w-                c:\windows\system32\rpcrt4.dll

2013-08-26 14:19 . 2013-07-09 12:10         1205168                ----a-w-                c:\windows\system32\ntdll.dll

2013-08-26 14:19 . 2013-07-08 04:55         3603904                ----a-w-                c:\windows\system32\ntkrnlpa.exe

2013-08-26 14:19 . 2013-07-08 04:55         3551680                ----a-w-                c:\windows\system32\ntoskrnl.exe

2013-08-26 14:19 . 2013-07-08 04:16         133120  ----a-w-                c:\windows\system32\cryptsvc.dll

2013-08-26 14:19 . 2013-07-08 04:16         992768  ----a-w-                c:\windows\system32\crypt32.dll

2013-08-26 14:19 . 2013-07-08 04:20         172544  ----a-w-                c:\windows\system32\wintrust.dll

2013-08-26 14:19 . 2013-07-08 04:16         98304    ----a-w-                c:\windows\system32\cryptnet.dll

2013-08-23 22:06 . 2013-08-23 22:06         --------   d-----w-                c:\windows\ERUNT

2013-08-23 20:53 . 2013-08-23 20:54         --------   d-----w-                C:\AdwCleaner

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-07-19 13:29 . 2012-04-05 14:07         692104  ----a-w-                c:\windows\system32\FlashPlayerApp.exe

2013-07-19 13:29 . 2011-06-16 13:55         71048    ----a-w-                c:\windows\system32\FlashPlayerCPLApp.cpl

2013-07-10 00:27 . 2013-07-10 00:27         94632    ----a-w-                c:\windows\system32\WindowsAccessBridge.dll

2013-07-10 00:27 . 2013-07-10 00:28         867240  ----a-w-                c:\windows\system32\npDeployJava1.dll

2013-07-10 00:27 . 2010-06-05 11:32         789416  ----a-w-                c:\windows\system32\deployJava1.dll

2001-09-28 21:00 . 2009-07-17 16:55         164864  ------w- c:\program files\UNWISE.EXE

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

"Taskbar Shuffle"="c:\environment\Folders\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2010-12-10 1093632]

"TpShocks"="TpShocks.exe" [2008-06-07 181536]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]

"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-15 61728]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 824616]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-11-16 641704]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2011-03-31 20480]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]

"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-01-14 644384]

"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2011-08-24 651832]

"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 154136]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-08-31 165208]

"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-08-31 124248]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-11 1191936]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 178712]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-25 3077432]

"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-04-13 40960]

"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2009-01-14 214576]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]

"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2010-09-17 181608]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-09-17 431464]

.

c:\users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

regmonstd.lnk - c:\windows\System32\rundll32.exe c:\users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe,XFG00 [2006-11-2 44544]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-22 50688]

PowerNap.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_35E0567647C2420371B885.exe 1 [2012-1-6 372526]

PowerNapWatcher.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_18B4EACA6AED157B14F49D.exe [2012-1-6 10134]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

R2 ADExchange;ArcSoft Exchange Service;c:\program files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork               REG_MULTI_SZ                PLA DPS BFE mpssvc

LocalServiceAndNoImpersonation           REG_MULTI_SZ                FontCache

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-08-31 13:41              1177552                ----a-w-                c:\program files\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <-loopback>

uInternet Settings,ProxyServer = http=127.0.0.1:49176;https=127.0.0.1:49176

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 204.186.110.76 204.186.80.251 216.144.187.199

TCP: Interfaces\{A7C72638-EC15-4741-8D97-150C33341983}: NameServer = 0.0.0.0

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-09-06 09:06

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ... 

.

scanning hidden autostart entries ...

.

scanning hidden files ... 

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(5948)

c:\program files\Lenovo\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\windows\system32\atiesrxx.exe

c:\windows\system32\atieclxx.exe

c:\windows\system32\WLANExt.exe

c:\program files\LENOVO\HOTKEY\TPHKSVC.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CISVC.EXE

c:\program files\DebugDiag\DbgSvc.exe

c:\program files\Dell\PowerNap\PowerNap.Service.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Lenovo\Communications Utility\CAMMUTE.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe

c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe

c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\windows\System32\TpShocks.exe

c:\windows\System32\rundll32.exe

c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE

c:\program files\ThinkVantage\PrdCtr\LPMLCHK.EXE

c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE

c:\program files\Dell\PowerNap\PowerNap.exe

c:\program files\Dell\PowerNap\PowerNapWatcher.exe

c:\windows\System32\rundll32.exe

c:\program files\Lenovo\HOTKEY\TPONSCR.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Lenovo\Zoom\TpScrex.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\windows\System32\TPHDEXLG.exe

c:\program files\Lenovo\Client Security Solution\tvttcsd.exe

c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe

c:\program files\Synaptics\SynTP\SynTPLpr.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\Lenovo\System Update\SUService.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

c:\windows\system32\dllhost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\windows\System32\msdtc.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\progra~1\ThinkPad\UTILIT~1\PWMUIAux.exe

c:\program files\Lenovo\Rescue and Recovery\rrservice.exe

c:\windows\system32\cidaemon.exe

.

**************************************************************************

.

Completion time: 2013-09-06  09:11:46 - machine was rebooted

ComboFix-quarantined-files.txt  2013-09-06 13:11

ComboFix2.txt  2013-08-25 20:03

ComboFix3.txt  2013-08-25 13:47

.

Pre-Run: 73,127,821,312 bytes free

Post-Run: 73,006,161,920 bytes free

.

- - End Of File - - 5E9824319AA2C6ABFC8FD2A73EA45EDD

6CDEB6C7D41A15D446A0571583928580

 

============================================

 

I notice from the log that ComboFix did notice regmonstd.exe in the Startup list but it did not molest it in any way.  It was still there after the boot because I got the message that I get whenever I do a normal boot (no startups disabled):

 

RunDLL

Error loading

C:\Users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe

The specified module could not be found.

                                                OK

 

The reason that it could not be found was because I have already deleted it.

 

The Task Scheduler Engine has stopped working message was also there as always.

 

And the two messages came up again after a second boot.

 

Is there anything suggestive in the log file?

 

Do you have anything that can be used to purge unwanted items out of the startup list?  Perhaps purge all items that are unchecked?  Or all items named in a script file?  If not I will edit the registry.  I would like to avoid doing that in favor of some tool if the tool would get the registry items and all the bits and pieces laying around the file system.  However, I will edit the registry if I have to.  I don’t want to see that entry in my startup list.

 

What do you think?

 

Thank you for your help.

 

Jim



#27 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 September 2013 - 10:44 AM


Hello Jim

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
c:\users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe,XFG00
 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#28 Jim Eddy

Jim Eddy
  • Topic Starter

  • Members
  • 24 posts

Posted 06 September 2013 - 07:32 PM

Hello Gringo,

 

The results were very interesting.  Here is the ComboFix.txt file.

 

==============================

 

ComboFix 13-09-06.01 - JimEddy 09/06/2013  19:21:00.6.2 - x86

Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.1977.595 [GMT -4:00]

Running from: c:\users\JimEddy\Desktop\ComboFix.exe

Command switches used :: c:\users\JimEddy\Desktop\CFScript.txt

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe,XFG00"

"c:\users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk"

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\JimEddy\AppData\Local\Temp\rad5CD8F.tmp\bin\Gadget.Interop.dll

c:\users\JimEddy\AppData\Local\Temp\rad8CA90.tmp\bin\x86\sharpwrapi_Win32.dll

c:\windows\system32\TPAPSLOG.LOG

c:\windows\system32\TPHDLOG0.LOG

.

.

(((((((((((((((((((((((((   Files Created from 2013-08-06 to 2013-09-06  )))))))))))))))))))))))))))))))

.

.

2013-09-06 23:34 . 2013-09-06 23:38         --------   d-----w-                c:\users\JimEddy\AppData\Local\temp

2013-09-06 23:34 . 2013-09-06 23:34         --------   d-----w-                c:\windows\system32\config\systemprofile\AppData\Local\temp

2013-09-06 23:34 . 2013-09-06 23:34         --------   d-----w-                c:\users\TEMP\AppData\Local\temp

2013-09-06 23:34 . 2013-09-06 23:34         --------   d-----w-                c:\users\TEMP.Rathbone\AppData\Local\temp

2013-09-06 23:34 . 2013-09-06 23:34         --------   d-----w-                c:\users\Default\AppData\Local\temp

2013-09-06 21:05 . 2013-08-20 04:47         7166848                ----a-w-                c:\programdata\Microsoft\Windows Defender\Definition Updates\{C5E97A28-0AE1-4046-950A-BD61A64E811B}\mpengine.dll

2013-08-28 15:00 . 2013-08-02 04:09         1548288                ----a-w-                c:\windows\system32\WMVDECOD.DLL

2013-08-26 14:19 . 2013-07-05 04:53         905664  ----a-w-                c:\windows\system32\drivers\tcpip.sys

2013-08-26 14:19 . 2013-06-15 13:22         15872    ----a-w-                c:\windows\system32\icaapi.dll

2013-08-26 14:19 . 2013-06-15 11:23         24064    ----a-w-                c:\windows\system32\drivers\tssecsrv.sys

2013-08-26 14:19 . 2013-07-17 19:41         2048       ----a-w-                c:\windows\system32\tzres.dll

2013-08-26 14:19 . 2013-07-10 09:47         783360  ----a-w-                c:\windows\system32\rpcrt4.dll

2013-08-26 14:19 . 2013-07-09 12:10         1205168                ----a-w-                c:\windows\system32\ntdll.dll

2013-08-26 14:19 . 2013-07-08 04:55         3603904                ----a-w-                c:\windows\system32\ntkrnlpa.exe

2013-08-26 14:19 . 2013-07-08 04:55         3551680                ----a-w-                c:\windows\system32\ntoskrnl.exe

2013-08-26 14:19 . 2013-07-08 04:16         133120  ----a-w-                c:\windows\system32\cryptsvc.dll

2013-08-26 14:19 . 2013-07-08 04:16         992768  ----a-w-                c:\windows\system32\crypt32.dll

2013-08-26 14:19 . 2013-07-08 04:20         172544  ----a-w-                c:\windows\system32\wintrust.dll

2013-08-26 14:19 . 2013-07-08 04:16         98304    ----a-w-                c:\windows\system32\cryptnet.dll

2013-08-23 22:06 . 2013-08-23 22:06         --------   d-----w-                c:\windows\ERUNT

2013-08-23 20:53 . 2013-08-23 20:54         --------   d-----w-                C:\AdwCleaner

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-07-19 13:29 . 2012-04-05 14:07         692104  ----a-w-                c:\windows\system32\FlashPlayerApp.exe

2013-07-19 13:29 . 2011-06-16 13:55         71048    ----a-w-                c:\windows\system32\FlashPlayerCPLApp.cpl

2013-07-10 00:27 . 2013-07-10 00:27         94632    ----a-w-                c:\windows\system32\WindowsAccessBridge.dll

2013-07-10 00:27 . 2013-07-10 00:28         867240  ----a-w-                c:\windows\system32\npDeployJava1.dll

2013-07-10 00:27 . 2010-06-05 11:32         789416  ----a-w-                c:\windows\system32\deployJava1.dll

2001-09-28 21:00 . 2009-07-17 16:55         164864  ------w- c:\program files\UNWISE.EXE

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

"Taskbar Shuffle"="c:\environment\Folders\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2010-12-10 1093632]

"TpShocks"="TpShocks.exe" [2008-06-07 181536]

"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]

"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-15 61728]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 824616]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-11-16 641704]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2011-03-31 20480]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]

"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-01-14 644384]

"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2011-08-24 651832]

"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 154136]

"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]

"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-08-31 165208]

"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-08-31 124248]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-11 1191936]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 178712]

"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]

"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-25 3077432]

"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-04-13 40960]

"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2009-01-14 214576]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]

"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2010-09-17 181608]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-09-17 431464]

.

c:\users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

regmonstd.lnk - c:\windows\System32\rundll32.exe c:\users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe,XFG00 [2006-11-2 44544]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-22 50688]

PowerNap.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_35E0567647C2420371B885.exe 1 [2012-1-6 372526]

PowerNapWatcher.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_18B4EACA6AED157B14F49D.exe [2012-1-6 10134]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

R2 ADExchange;ArcSoft Exchange Service;c:\program files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork               REG_MULTI_SZ                PLA DPS BFE mpssvc

LocalServiceAndNoImpersonation           REG_MULTI_SZ                FontCache

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-08-31 13:41              1177552                ----a-w-                c:\program files\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <-loopback>

uInternet Settings,ProxyServer = http=127.0.0.1:49176;https=127.0.0.1:49176

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 204.186.110.76 204.186.80.251 216.144.187.199

TCP: Interfaces\{A7C72638-EC15-4741-8D97-150C33341983}: NameServer = 0.0.0.0

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-09-06 19:39

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ... 

.

scanning hidden autostart entries ...

.

scanning hidden files ... 

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(5424)

c:\program files\Lenovo\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\windows\system32\atiesrxx.exe

c:\windows\system32\atieclxx.exe

c:\windows\system32\WLANExt.exe

c:\program files\LENOVO\HOTKEY\TPHKSVC.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CISVC.EXE

c:\program files\DebugDiag\DbgSvc.exe

c:\program files\Dell\PowerNap\PowerNap.Service.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Lenovo\Communications Utility\CAMMUTE.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe

c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe

c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\windows\System32\TpShocks.exe

c:\program files\Lenovo\HOTKEY\TPONSCR.exe

c:\program files\Lenovo\Zoom\TpScrex.exe

c:\windows\System32\rundll32.exe

c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE

c:\program files\ThinkVantage\PrdCtr\LPMLCHK.EXE

c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE

c:\program files\Dell\PowerNap\PowerNap.exe

c:\program files\Dell\PowerNap\PowerNapWatcher.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\System32\TPHDEXLG.exe

c:\program files\Lenovo\Client Security Solution\tvttcsd.exe

c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe

c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\Lenovo\System Update\SUService.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

c:\windows\system32\dllhost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\System32\msdtc.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\program files\Lenovo\Rescue and Recovery\rrservice.exe

c:\progra~1\ThinkPad\UTILIT~1\PWMUIAux.exe

c:\windows\system32\cidaemon.exe

.

**************************************************************************

.

Completion time: 2013-09-06  19:47:09 - machine was rebooted

ComboFix-quarantined-files.txt  2013-09-06 23:47

ComboFix2.txt  2013-08-25 20:03

ComboFix3.txt  2013-08-25 13:47

.

Pre-Run: 78,540,935,168 bytes free

Post-Run: 78,500,847,616 bytes free

.

- - End Of File - - FE37743D71FF4CD09AD1924919308380

6CDEB6C7D41A15D446A0571583928580

 

================================

 

This time the behavior after the ComboFix restart was different than it has been in the past.  This time the same two messages came up that come up after every reboot:

 

Task Scheduler Engine has stopped working

A problem caused the program to stop working correctly.

Windows will close the program and notify you if a solution is available.

                                                                Debug                                   CloseProgram

 

and

 

RunDLL

 

Error loading

C:\Users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe

The specified module could not be found.

                                                                                                Ok

 

 

 

However, this time I did not dismiss either of them.  They both disappeared at the instant that the message came up over the notification area:

 

 

Task Schedular Engine was closed to help protect your computer.

Data Execution Prevention has closed Task Schedular Engine.

 

 

This is the very first time that this has happened this way.  Always in the past (probably in the hundreds over the last year or so) the last message has only come up after I had closed the “Task Scheduler Engine has stopped working” message.  This time the “Task Scheduler Engine has stopped working” message was snatched away by the Data Execution Prevention mechanism without my participation.

 

This seems like progress to me.

 

I wonder if it is possible that the “Task Scheduler Engine has stopped working” message is the virus spoofing me and, when I have clicked it, it then had permission to jam something into my Task Scheduler list.

 

Another piece of evidence is that the regmonstd.exe entry in the startup list is still there.  It seems to have resisted our attempt to get rid of it.  It is almost as if this business with the “Task Scheduler Engine has stopped working” somehow puts the regmonstd.exe entry back into the startup list after the boot up.  Or something.

 

All of this is speculation.  However, two things seem clear.

 

  1. We are getting closer.
  2. Stronger medicine is necessary.

 

Perhaps you will see something in the log file.

 

Thank you for your help.

 

Jim
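
Reading the "Reg Loading Points" section by hand is how an entry like regmonstd.lnk gets spotted in the logs above. As an added example (not part of this thread and not ComboFix's own logic), the Python below parses that section out of a ComboFix log and flags the things that make that entry stand out: rundll32.exe loading a module from a per-user Temp directory, a "DLL" that is really an .exe, unqualified filenames in Run values, and EnableLUA=0 in the policies key. The heuristics are the example's own, and the sample excerpt is constructed from lines of the log above.

```python
import re
from dataclasses import dataclass, field


@dataclass
class LoadPoint:
    source: str                  # registry key or Startup folder the entry was read from
    name: str                    # value name, .lnk file name, or policy value name
    command: str                 # command line (or policy value) ComboFix recorded
    reasons: list = field(default_factory=list)  # why it was flagged; empty = nothing noted


KEY_HEADER = re.compile(r"^\[(HKEY_[^\]]+)\]$")                     # [HKEY_...\Run]
FOLDER_HEADER = re.compile(r"^([a-z]:\\.*\\)$", re.I)               # Startup folder banner ends in '\'
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[[\d-]+ \d+\]$')   # "Name"="cmd" [date size]
LNK_ENTRY = re.compile(r"^(\S.*?\.lnk) - (.+?) \[[\d-]+ \d+\]$")    # file.lnk - cmd [date size]
POLICY_VALUE = re.compile(r'^"([^"]+)"=\s*(\d+)')                  # "EnableLUA"= 0 (0x0)
RUNDLL_MODULE = re.compile(r"rundll32\.exe\s+(.+?),(\S+)$", re.I)  # rundll32 <module>,<export>

# Heuristics constructed for this example; ComboFix itself applies its own rules.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def assess(command: str) -> list:
    """Return the reasons a load-point command deserves a second look."""
    reasons = []
    low = command.lower()
    m = RUNDLL_MODULE.search(command)
    if m:
        module = m.group(1).strip().lower()
        if any(d in module for d in TEMP_DIRS):
            reasons.append("rundll32 loads a module from a temp directory")
        if module.endswith(".exe"):
            reasons.append("rundll32 module has an .exe extension")
    elif any(d in low for d in TEMP_DIRS):
        reasons.append("launches from a temp directory")
    if "\\" not in command.split(" ", 1)[0]:
        reasons.append("unqualified filename (resolved through the search path)")
    return reasons


def parse_load_points(log_text: str) -> list:
    """Walk the 'Reg Loading Points' lines of a ComboFix log and collect every entry."""
    points, source = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":           # ComboFix separates blocks with lone dots
            continue
        m = KEY_HEADER.match(line) or FOLDER_HEADER.match(line)
        if m:
            source = m.group(1)
            continue
        if source is None:
            continue
        m = RUN_VALUE.match(line) or LNK_ENTRY.match(line)
        if m:
            name, cmd = m.group(1), m.group(2)
            points.append(LoadPoint(source, name, cmd, assess(cmd)))
            continue
        m = POLICY_VALUE.match(line)
        if m and source.lower().endswith("policies\\system"):
            name, value = m.group(1), m.group(2)
            reasons = ["UAC disabled (EnableLUA=0)"] if (name == "EnableLUA" and value == "0") else []
            points.append(LoadPoint(source, name, value, reasons))
    return points


# Constructed excerpt: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 824616]
.
c:\users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
regmonstd.lnk - c:\windows\System32\rundll32.exe c:\users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe,XFG00 [2006-11-2 44544]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PowerNap.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_35E0567647C2420371B885.exe 1 [2012-1-6 372526]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"""


if __name__ == "__main__":
    for p in parse_load_points(SAMPLE_LOG):
        print(("FLAG" if p.reasons else "ok  "), p.name, "->", p.command)
        for r in p.reasons:
            print("       -", r)
```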



#29 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 September 2013 - 11:45 PM



Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here CCleaner
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. Default settings are fine.
    • Click Run Cleaner.
    • Close CCleaner.
Run Malwarebytes

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Download HijackThis
  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic
"information and logs"
  • In your next post I need the following
    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#30 Jim Eddy

Jim Eddy
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:51 AM

Posted 07 September 2013 - 11:45 AM

Hello Gringo,

I ran CCleaner. It claimed to have cleaned up about 169 MB of stuff.  It ran without any events that seemed unusual.

I ran mbam-setup.exe.  It informed me that I already had the installation directory on the machine.  Did I want to install into that directory?  I looked around for a way to uninstall the existing MalwareBytes and found none so I told it to install in that same directory.

Malwarebytes successfully updated its database from its server.

Malwarebytes then launched.  It came up with “Perform full scan selected”.  I deselected that in favor of “Perform quick scan” and selected scan.

After about two minutes of scanning the Malwarebytes GUI flashed and the busy cursor came up.  During that time it claimed to be scanning MSISCSI.SYS.  It stayed that way for about a minute.  After that it kept going without claiming to have found anything.  About 20 seconds later it incremented objects detected to 1.

Ultimately the scan found 2 items.

When I clicked on Remove Selected it came back with the message that all selected items have been removed successfully.  It did not do a restart.  Here is the Malwarebytes log file.

========================

 

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

 

Database version: v2013.09.07.03

 

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

JimEddy :: RATHBONE [administrator]

 

9/7/2013 9:42:03 AM

mbam-log-2013-09-07 (09-42-03).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 272169

Time elapsed: 8 minute(s), 50 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 1

HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 1

C:\Users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk (Malware.Trace.E) -> Quarantined and deleted successfully.

 

(end)

 

===================================

 

I am very pleased to see that it noticed regmonstd.lnk.

Next I ran HijackThis from the desktop as administrator.

I followed all the instructions except the last one:

I don’t know what the instruction

“copy and paste hijackthis report into the topic”

means, or, if the next line is part of this instruction, I don’t know what the instruction

“copy and paste hijackthis report into the topic ‘information and logs’”

means.

If it means to save the report and add it to this post it is below.

This is the hijackthis.log.

===================================

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:06:56 AM, on 9/7/2013

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v9.00 (9.00.8112.16502)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Windows\System32\TpShocks.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Real\RealPlayer\realplay.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe

C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\Program Files\Roxio 2010\5.0\CPMonitor.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Environment\Folders\Taskbar Shuffle\taskbarshuffle.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Dell\PowerNap\PowerNap.exe

C:\Program Files\Dell\PowerNap\PowerNapWatcher.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\taskeng.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Users\JimEddy\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:49176;https=127.0.0.1:49176

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)

O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe

O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray

O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent

O4 - HKLM\..\Run: [CreateLMBCShortCut] "C:\Program Files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe"

O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files\Roxio 2010\5.0\CPMonitor.exe"

O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe

O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Environment\Folders\Taskbar Shuffle\taskbarshuffle.exe

O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O4 - Global Startup: PowerNap.lnk = ?

O4 - Global Startup: PowerNapWatcher.lnk = ?

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\system32\Shdocvw.dll

O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB

O16 - DPF: {BAD4FE2C-503B-45CC-88CD-4B0574057D11} (FuturemarkSystemInfoX Class) - http://clients.futuremark.com/calico/systeminfodeploy/FMSI_v460.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A7C72638-EC15-4741-8D97-150C33341983}: NameServer = 0.0.0.0

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: ArcSoft Exchange Service (ADExchange) - Unknown owner - C:\Program Files\Common Files\ArcSoft\esinter\Bin\eservutil.exe (file missing)

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Unknown owner - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe (file missing)

O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Dell Power Nap Service (dell_power_nap_service) - Unknown owner - C:\Program Files\Dell\PowerNap\PowerNap.Service.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe

O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files\Futuremark\Futuremark SystemInfo\FMSISvc.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo. - C:\Windows\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Lenovo Camera Mute (LENOVO.CAMMUTE) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe

O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe

O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe

O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe

O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: RoxMediaDB12 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe

O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe

O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe

O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe

O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe

O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

 

--

End of file - 14508 bytes

 

====================================

 

The computer is running somewhat better.  After reboot I no longer get the message referring to not being able to open b34btbztdb0vavaw.exe.  And there is no longer the reference to regmonstd.exe in the msconfig startup list.

That is good progress.  I can now do a full normal boot without that message coming up.

However the Task Scheduler problem is still there.  After boot I get the usual message:

Task Scheduler Engine has stopped working

A problem caused the program to stop working correctly.
Windows will close the program and notify you if a solution is available.

                                Debug      Close Program

After I select "Close Program" I get, as always, the message above the notification area:

Task Scheduler Engine was closed to help protect your computer.
Data Execution Prevention has closed Task Scheduler Engine.

As usual there is a lot of disk activity immediately after bootup.  I don’t know what is accessing the disk.  Nothing is getting very much CPU time.  The thing that gets as much as anything is 40 threads of

svchost.exe (LocalSystemNetworkRestricted)

I don’t know what this means.

I have been investigating this “Task Scheduler has stopped working” message.  It comes up even after a clean boot.  It comes up even if all items in the msconfig startup list are disabled.  It comes up even when all items in the msconfig startup list and all non-Microsoft services are disabled.

It comes up even when all items in the msconfig startup list are disabled, all non-Microsoft services are disabled, and all Microsoft services are disabled except just two.  The only two services necessary to get the message to come up are:

Windows Event Log
Task Scheduler

Obviously if Task Scheduler is not allowed to run there will be no message about it having stopped working.  And the Windows Event Log could easily be necessary to react to the event and get the message up.

On the other hand these would be a good place to put an infection.

Since these are the only two services running and no startup software is running, it seems to me that the infection is in these two services or in the basic operating system or in something that is launched by the Task Scheduler.

As it happens there are two very suspicious tasks that show up in the Task Scheduler Task list.  They are:

Task Name       {05A1F776-8FFC-4D43-A17E-C38B7350C994}
Next Run Time   [Blank]
Triggers        When the task is created or modified
Location        \

Task Name       {263110EF-334A-47CB-AB39-8F7865608DFB}
Next Run Time   [Blank]
Triggers        When the task is created or modified
Location        \

These are apparently designed to run once each if something were to modify them somehow.

In regedit if you search on 05A1F776, for example, you get hits like:

HKEY_LOCAL_MACHINE\SOFTWARE\Windows NT\CurrentVersion\schedule\TaskCache\Tasks\{F99839DB-62F4-4E74-AF2A-011BB1D49B92}

Inside this record are these data:

(Default)       (Value not set)
DynamicInfo     03 00 00 00 d0 [and so on]
Hash            3a 1c f1 75 da [and so on]
Path            \{05A1F776-8FFC-4D43-A17E-C38B7350C994}  [this is the hit]
Triggers        15 00 00 00 00 [and so on]

The next hit on 05A1F776 is:

HKEY_LOCAL_MACHINE\SOFTWARE\Windows NT\CurrentVersion\schedule\TaskCache\Tree\{05A1F776-8FFC-4D43-A17E-C38B7350C994}

Inside this record are these data:

(Default)       (Value not set)
Id              {F99839DB-62F4-4E74-AF2A-011BB1D49B92}
Index           0x00000003 (3)

This is a circular reference.  It is very difficult to believe that this is legitimate.

This has survived everything we have thrown at it thus far.

Do you have anything that will address this kind of thing?

Thank you for your help.

Jim
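A read-only way to go through the TaskCache entries Jim describes in the post above, added here as an example and not part of the thread or of Gringo's instructions: it walks HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree (the full key path, which includes \Microsoft), follows each entry's Id to the matching Tasks\{GUID} key, checks that its Path points back at the Tree entry (that mutual reference is how TaskCache records every registered task, so on its own it says nothing about legitimacy; what matters is what the task runs), and reads the task's XML definition under %SystemRoot%\System32\Tasks to show its triggers and command. The flag rules (bare-GUID task name, RegistrationTrigger, which the GUI shows as "When the task is created or modified", and a command outside Windows or Program Files) are my own triage heuristics, not detections; run it from an elevated PowerShell prompt.

```powershell
# Added example: enumerate Task Scheduler tasks via TaskCache and the task XML files,
# and list the ones worth a closer look. Read-only; removes and changes nothing.
$cache    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
$guidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

Get-ChildItem "$cache\Tree" -Recurse | ForEach-Object {
    $tree = Get-ItemProperty $_.PSPath
    if (-not $tree.Id) { return }   # folders under Tree carry no Id; only tasks do

    # The task path as TaskCache stores it, e.g. "\{05A1F776-...}" or "\Microsoft\Windows\...\Name"
    $treePath = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)
    $flags = @()

    # Tree\<path>\Id -> Tasks\{Id}\Path -> Tree\<path>: every registered task has this pair
    $entry = Get-ItemProperty "$cache\Tasks\$($tree.Id)" -ErrorAction SilentlyContinue
    if (-not $entry) { $flags += "no Tasks\$($tree.Id) entry" }
    elseif ($entry.Path -ne $treePath) { $flags += "Tasks entry Path '$($entry.Path)' does not point back here" }

    if ($_.PSChildName -match $guidName) { $flags += 'task is named with a bare GUID' }

    # The definition itself is an XML file under System32\Tasks at the same relative path
    $xmlFile  = Join-Path $taskRoot $treePath.TrimStart('\')
    $triggers = ''; $command = ''
    if (Test-Path $xmlFile) {
        $xml = [xml](Get-Content $xmlFile)
        # Trigger element names; RegistrationTrigger = "When the task is created or modified" in the GUI
        $triggers = ($xml.Task.Triggers.ChildNodes | ForEach-Object { $_.LocalName }) -join ','
        $command  = ($xml.Task.Actions.Exec | ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }) -join '; '
        if ($triggers -match 'RegistrationTrigger') { $flags += 'runs when the task is created or modified' }
        $expanded = [Environment]::ExpandEnvironmentVariables($command)
        if ($command -and $expanded -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)') {
            $flags += 'command is not an absolute path under Windows or Program Files'
        }
    } else {
        $flags += 'no task XML file under System32\Tasks'
    }

    New-Object PSObject -Property @{
        Task = $treePath; Id = $tree.Id; Triggers = $triggers; Command = $command; Flags = ($flags -join '; ')
    }
} | Where-Object { $_.Flags } | Format-List Task, Id, Triggers, Command, Flags
```

Drop the final `Where-Object` to see every task, flagged or not; the Command column is the field to compare against what a legitimate vendor task would run.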





