
Sweetpacks and maybe something else?



#1 Starfox


Posted 30 September 2013 - 09:38 PM

Hello everyone,

Okay, a few months ago I was infected with Sweetpacks, which I thought I had cleaned. Several sweeps with MBAM and Bitdefender, among other tools, showed a clean system, or so I thought. I have several terabytes of data, so deep sweeps are a major undertaking, and do not happen as often as they should, I'm afraid.

Anyway, I saw something suspicious in my task manager after some odd behavior over the past week or so, and discovered conhost.exe appearing without image path name or command line entries. I attempted to access or shut it down, and got access denied. I clicked "Show processes from all users," and suddenly it shows a path name and command line, which oddly begins with \??\C:\ followed by the rest of the information. Thinking this odd, I tried Googling "\??\C:\" only to get absolutely nothing helpful. I simply have no clue what this is.

So I went into safe mode and did 11 hours of MBAM to find 8 infections, seven of which are related to Sweetpacks, which somehow managed to re-install itself after I re-installed Firefox a couple of weeks ago (I know it's related because one of the Sweetpacks infections was the toolbar for Firefox, which I had removed from IE and Chrome some time ago). I also discovered that Core Temp, which is a utility I had been using for a few months, apparently carried with it an unwanted payload. I have since cleaned these infections, or at least the tools I'm using say they're gone. But when I return to standard mode and check Task Manager, the conhost.exe appears just as before: inaccessible and without information about its source unless I check "Show processes from all users."

What is happening here? Do I have an infection? How can I be certain?

OS: Windows 7 Ultimate. Not sure what else you need to know.

Thanks ahead of time for any help with this.





#2 Adam Pollard


Posted 01 October 2013 - 12:18 AM

http://www.howtogeek.com/howto/4996/what-is-conhost.exe-and-why-is-it-running/

 

It should only be running if you have a command prompt running.



#3 Starfox


Posted 03 October 2013 - 03:10 PM

Okay, then I need to post in another thread I guess. Thanks.



#4 boopme


Posted 03 October 2013 - 07:36 PM

Have you run these?

Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer; you will need to run the application again.

Now run this. It will scan but not remove. We will remove after looking at the results.

Please download AdwCleaner by Xplode and save it to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users: right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin. Be patient, as the scan may take some time to complete.
  • After the scan has finished, click on the Report button. A logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Starfox


Posted 04 October 2013 - 12:58 AM

Thank you for the response. I wasn't expecting it, so I posted in the other area for malware removal help. Let me try your suggestions and get back with you afterward.



#6 Starfox


Posted 04 October 2013 - 01:09 AM

Okay, sorry this took me so long to reply. I ran Rkill like you said. The log generated reads as follows:

 

Rkill 2.6.1 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 10/04/2013 02:02:35 AM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 10/04/2013 02:03:07 AM
Execution time: 0 hours(s), 0 minute(s), and 32 seconds(s)
 
 
Then I ran the AdwCleaner. That log reads as follows:
 
# AdwCleaner v3.006 - Report created 04/10/2013 at 02:04:33
# Updated 01/10/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Starfox - J7
# Running from : C:\Users\Starfox\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\Windows\System32\dmwu.exe
File Found : C:\Windows\System32\ImhxxpComm.dll
Folder Found C:\ProgramData\boost_interprocess
Folder Found C:\Users\Starfox\AppData\LocalLow\boost_interprocess
Folder Found C:\Windows\SysWOW64\ARFC
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\Splashtop Inc.
Key Found : [x64] HKCU\Software\Splashtop Inc.
Key Found : HKLM\SOFTWARE\Classes\AppID\{82A5CE4D-AF0C-45B6-8AF8-75625BE6A08D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B2B7E0CD-E169-43B3-A233-E129610EE314}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4E8E0178-00EF-413D-9324-E7B3E31572E3}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A1A533A8-E106-422B-AE29-D0025269AF83}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B1759D04-0EF9-472A-B5C3-C774997B5321}
Key Found : HKLM\Software\InstallIQ
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80ED3EBC-CC05-4336-ABCC-295798855718}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Found : HKLM\Software\Splashtop Inc.
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : [x64] HKLM\SOFTWARE\wnlt
Value Found : [x64] HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}]
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16686
 
 
-\\ Google Chrome v
 
[ File : C:\Users\Starfox\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2410 octets] - [04/10/2013 02:04:33]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2470 octets] ##########
 
I don't see anything I know I want. I don't know what Splashtop is. I know I don't want InstallIQ.


#7 Starfox


Posted 04 October 2013 - 01:11 AM

I don't know if it matters, but I have Bitdefender running in the background all during these runs.



#8 boopme


Posted 04 October 2013 - 09:14 AM

Splashtop
 
Clean that last log up.

Double-click on AdwCleaner.exe to run the tool again.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • This time, after the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Looks good. One last quick scan.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient, as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


#9 Starfox


Posted 04 October 2013 - 10:21 AM

Okay, thanks for the link, but I don't recall ever installing Splashtop, so do I have someone spying on me? Maybe a R.A.T. or something? What a pain?! Okay, I'm following your instructions and will post back when complete.

Update: Also, I don't know if it's related, but my computer RAM usage keeps increasing over time until it's utilizing about 8-10 Gigs on average. And Bitdefender cannot complete a scan of my entire computer without a critical error. Not sure if the two are related, but I noticed the increase in RAM usage since attempting to complete a full system scan over the last several days. The scan will get to about 97% and fail on a critical error after 13+ hours.

 

Okay, here's the first log:

 

# AdwCleaner v3.006 - Report created 04/10/2013 at 11:25:29
# Updated 01/10/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Starfox - J7
# Running from : C:\Users\Starfox\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\Windows\SysWOW64\ARFC
Folder Deleted : C:\Users\Starfox\AppData\LocalLow\boost_interprocess
File Deleted : C:\Windows\System32\dmwu.exe
File Deleted : C:\Windows\System32\ImhxxpComm.dll
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Value Deleted : [x64] HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}]
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{82A5CE4D-AF0C-45B6-8AF8-75625BE6A08D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B2B7E0CD-E169-43B3-A233-E129610EE314}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E8E0178-00EF-413D-9324-E7B3E31572E3}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A1A533A8-E106-422B-AE29-D0025269AF83}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B1759D04-0EF9-472A-B5C3-C774997B5321}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80ED3EBC-CC05-4336-ABCC-295798855718}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKCU\Software\Splashtop Inc.
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\Software\Splashtop Inc.
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : [x64] HKLM\SOFTWARE\wnlt
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16686
 
 
-\\ Google Chrome v
 
[ File : C:\Users\Starfox\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2570 octets] - [04/10/2013 02:04:33]
AdwCleaner[R1].txt - [2630 octets] - [04/10/2013 11:21:56]
AdwCleaner[S0].txt - [2543 octets] - [04/10/2013 11:25:29]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2603 octets] ##########

Edited by Starfox, 04 October 2013 - 10:31 AM.


#10 Starfox


Posted 04 October 2013 - 10:40 AM

The JRT log: 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.3 (09.27.2013:1)
OS: Windows 7 Ultimate x64
Ran by Starfox on Fri 10/04/2013 at 11:35:07.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Failed to delete: [Folder] "C:\ProgramData\boost_interprocess"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 10/04/2013 at 11:39:21.22
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#11 Starfox


Posted 04 October 2013 - 10:59 AM

Okay, I uninstalled Splashtop via the Control Panel and ran AdwCleaner again. This is the last log generated:

 

# AdwCleaner v3.006 - Report created 04/10/2013 at 11:48:45
# Updated 01/10/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Starfox - J7
# Running from : C:\Users\Starfox\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\boost_interprocess
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\Software\Splashtop Inc.
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16686
 
 
-\\ Google Chrome v
 
[ File : C:\Users\Starfox\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2570 octets] - [04/10/2013 02:04:33]
AdwCleaner[R1].txt - [2630 octets] - [04/10/2013 11:21:56]
AdwCleaner[R2].txt - [1014 octets] - [04/10/2013 11:45:36]
AdwCleaner[S0].txt - [2699 octets] - [04/10/2013 11:25:29]
AdwCleaner[S1].txt - [943 octets] - [04/10/2013 11:48:45]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1002 octets] ##########


#12 Starfox


Posted 04 October 2013 - 11:16 AM

I'm concerned because conhost.exe still appears with the same issue in task manager as before. No image path name or command line and access denied unless I click "Show processes from all users." Then I get image path name C:\Windows\System32\conhost.exe, which I think is fine, but the command line is \??\C:\Windows\system32\conhost.exe "-200179965-2382279664654638-730092353108597682191357647619543753001301467993 exactly as I've typed it here with the single set of double quotes and all. At that point I am also able to end process and no adverse effects appear to occur. I have no idea why this is running since I have no command line prompt window open. Should I be concerned about this, too?



#13 boopme


Posted 04 October 2013 - 01:17 PM

What is conhost.exe and Why Is It Running?

 

So What Is It?

The conhost.exe process fixes a fundamental problem in the way previous versions of Windows handled console windows, which broke drag & drop in Vista.

It’s a completely legitimate executable—as long as it’s running from the system32 folder, and is signed by Microsoft.


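The two conditions quoted above (running from System32, signed by Microsoft) can be checked directly rather than eyeballed in Task Manager. The script below is an added example and is not from this thread or from any of the tools mentioned in it; it uses only cmdlets that ship with Windows 7 / PowerShell 2.0 (Get-WmiObject, Get-AuthenticodeSignature). It lists every running conhost.exe, verifies the image directory, checks the Authenticode signature and signer, and reports the parent process. Two facts it relies on: the \??\ prefix seen in the command line is the Windows NT object-manager namespace prefix and is how the native API spells a Win32 path, so it is not by itself a sign of anything wrong; and on Windows 7 conhost.exe is started by csrss.exe (on Windows 8 and later the console application itself starts it), which is why the parent is worth printing. The reference to sigcheck in the verdict text assumes the Sysinternals Sigcheck tool, which, unlike older builds of Get-AuthenticodeSignature, also verifies catalog-signed system files.

```powershell
# Added example, not from this thread: check whether running conhost.exe instances
# match what a legitimate one looks like (image under System32, Microsoft-signed,
# sensible parent). Uses only built-in cmdlets available on Windows 7 / PowerShell 2.0.
# Run from an elevated PowerShell prompt so consoles in other sessions are visible
# (the same reason Task Manager needed "Show processes from all users").

$expectedDir = Join-Path $env:SystemRoot 'System32'

function Get-ParentProcessName {
    param([int]$ParentPid)
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $ParentPid"
    if ($parent) { return $parent.Name } else { return '<exited or inaccessible>' }
}

function Test-ConhostProcess {
    param([System.Management.ManagementObject]$Proc)

    $path = $Proc.ExecutablePath
    # ExecutablePath is $null when we lack rights to open the process; that alone
    # is not evidence of malware, it is the "access denied" seen in Task Manager.
    $inSystem32 = $false
    $sigStatus  = 'unknown (no path)'
    $signer     = ''
    if ($path) {
        $inSystem32 = ([System.IO.Path]::GetDirectoryName($path) -ieq $expectedDir)
        $sig = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    # Many Windows system binaries are catalog-signed rather than embedded-signed.
    # Older Get-AuthenticodeSignature builds report those as NotSigned, so treat
    # NotSigned on a System32 file as "verify with Sysinternals sigcheck" rather
    # than as proof of tampering.
    $msSigned = ($sigStatus -eq 'Valid') -and ($signer -like '*Microsoft*')
    $verdict = if (-not $path) { 'no access: rerun elevated' }
               elseif ($inSystem32 -and $msSigned) { 'looks legitimate' }
               elseif ($inSystem32 -and $sigStatus -eq 'NotSigned') { 'System32 path, confirm catalog signature with sigcheck' }
               else { 'INSPECT: unexpected path or signature' }

    New-Object PSObject -Property @{
        PID         = $Proc.ProcessId
        Path        = $path
        InSystem32  = $inSystem32
        Signature   = $sigStatus
        Signer      = $signer
        Parent      = Get-ParentProcessName -ParentPid $Proc.ParentProcessId
        CommandLine = $Proc.CommandLine   # expect \??\C:\Windows\system32\conhost.exe "<console id>" on Windows 7
        Verdict     = $verdict
    }
}

$conhosts = @(Get-WmiObject -Class Win32_Process -Filter "Name = 'conhost.exe'")
if ($conhosts.Count -eq 0) {
    Write-Output 'No conhost.exe instances running.'
} else {
    $conhosts | ForEach-Object { Test-ConhostProcess -Proc $_ } |
        Select-Object PID, Parent, InSystem32, Signature, Verdict, Path, CommandLine |
        Format-List
}
```

Read the output as a whole rather than one field at a time: a conhost.exe whose path is under System32, whose signature verifies to Microsoft (directly or via the catalog), and whose parent is csrss.exe on Windows 7 (or the owning console program on later versions) is the normal case, even when no command prompt window is visible, because any console-subsystem program, including background scripts and updaters, gets one. The case that deserves follow-up is an image outside System32 or a signature that fails to verify, and the signer check here is a string match on the certificate subject; for a stronger check, compare the signer's thumbprint against a known-good copy of the file from the same Windows build.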

#14 Starfox


Posted 04 October 2013 - 05:11 PM

Thanks, I appreciate that. The previous poster had said it shouldn't be running unless I have a command prompt window open, so I didn't know what to think. 



#15 Starfox


Posted 04 October 2013 - 05:12 PM

So.... I should be good now?





