
DLLHost.exe*32 PresentationHost conhost msdtc msiexec act on their own


  • This topic is locked
13 replies to this topic

#1 LockOnSCoRPioN

LockOnSCoRPioN

  • Members
  • 6 posts

Posted 03 December 2015 - 03:18 AM

Hello.

I've been doing a lot of reading about this stuff that keeps coming up on its own.

Basically, I have the same problem as here:

http://www.bleepingcomputer.com/forums/t/580672/multiple-instances-of-conhost-ctfmon-msiexec-etc-slow-computer/

 

Sorry for a long description below, as I want to paint a good picture of what my system is like and what I am like.

 

Weird stuff, like when I reboot or shut down, an Internet Explorer window seems to come up with random pages or even videos playing, but I can only see it at the very last second upon reboot/shutdown. As if the computer is a zombie, doing stuff on its own.

I think it's related to the Flash Player.

There're many 0KB files in %TEMP% like fla52E4.tmp

And the problem seems to happen a lot when I connect online.

I use a WiFi PCI card and only get online when I need to.

 

Let me tell you some background.

I have been using a PC for like 25 years out of my 34 years of age.

I even do IT work, but also fix people's computers on the side.

And I use the tools RKill, ComboFix, JRT, AdwCleaner, in that order, when I go fix someone's computer.

 

My own system has several physical HDDs and one SSD.

On each HDD, I have separate OSes:

Windows XP SP2 32-bit

Windows 7 Ultimate 32-bit

Windows 7 Ultimate 64-bit

Windows 7 Ultimate 64-bit on SSD also.

 

And these Win7 are not 6.1.7600 releases but are 6.1.7100 RC1

I have never gone up to the final releases.

All Windows Updates disabled and they are patched to work forever.

I had the ones on HDDs working since 2009, without issues and on SSD since 2013.

 

I have never run an anti-virus and simply used the tools to check periodically, only if I felt like I had to.

I only have about 33-35 processes/services running on boot in Win7 on HDD and SSD.

And I always keep an eye on the Task Manager.

 

The problem with these processes starting to come up on their own began just the other day and I noticed it right away.

The problem is on SSD but then seems to have spread to the HDD once I booted into that one.

 

It's not possible to run ComboFix on Win7 6.1.7100 as it thinks it's in compatibility mode.

 

I have already done the SFC /Scannow /offbootdir=m:\ /offwindir=m:\windows and it found files and repaired them.

Since then, the problem has not gone away, but there is a bit less of it, so to say.

The system itself is not getting much slower, even though it's from 2009: AMD Phenom II X4 940 O/Ced and 8GB DDR800.

It did become a bit slower, like when I open .txt files in Notepad, it takes a sec to show the contents, and it used to be instant just a day ago. Also, when I log in to the Desktop, the blue hourglass usually only makes one full spin, but now about 1.5-2 spins.

 

I'm pretty sure I got infected through the Flash Player in Firefox, as I do not update it often, or for months; it's set to manual and auto-update is off, but also C:\Windows\SysWOW64\Macromed\Flash\mms.cfg has:

ProtectedMode=0

 

I do not have Chrome or anything Google (only FireFox) on SSD but I do on HDD Win7 boot.

I also have uninstalled IE (as part of Windows) and never updated it.

I always browse in Incognito Mode in FF and have almost no Addons but AdBlock Plus and Force Flash Player on Youtube.

I never had a problem with malware, the JRT and AdwCleaner always came up empty, maybe removed Yahoo first time I ran them before. Again, I am unable to run ComboFix because my build is 6.1.7100

 

I am always super careful the way I use the system, but I must have gone to some site that now gave me this persistent malware/trojan or whatever this is. It uses these processes on its own, mainly when I connect online:

dllhost.exe*32 COM Surrogate
rundll32.exe
PresentationHost.exe
taskhost.exe
conhost.exe
msdtc.exe
ctfmon.exe
cmd.exe
notepad.exe

msiexec.exe

cmd.exe

 

I already ran TDSSKiller and it only found a Locked SPTD.SYS which is part of Daemon Tools and is ok as far as I understand.

 

I tried pretty much everything I could think of, but the problem persists, at a lesser state maybe, but goes down like mad when I connect to WiFi. I even changed the MAC / NetworkAddress in registry and Physical Address on the Modem/Router and got a new IPv4 IP even, I do that from time to time anyway.

 

It's really bad on the SSD, and I'm trying to avoid booting into it.

It's somewhat less prominent on the HDD.

 

So, please, someone who knows this like in the post link above, Broni guy, please, help me!

Let's do this! First on the HDD boot, where I'm writing this from.

And if it works, we'll proceed into the SSD, where it's really bad.

I'm not booting into WinXP at all, just in case. But if I have to, I can use another computer, an AiO HP with Win10 on it.

 

Thanks!

 

P.S.: I have other things going on in my life, that aren't good, so please, allow me time to respond. I will do precisely what's asked of me.

 

 

*UPDATE* 12/3/2015 11:50am PST

 

I think I fixed the problem on the HDD Win7.

So, let's proceed into the heavily infected SSD Win7.

These programs/services start and act on their own, and even when Windows Installer is Disabled in Services, it still starts:

dllhost.exe*32
rundll32.exe
PresentationHost.exe
taskhost.exe
conhost.exe
msdtc.exe
ctfmon.exe
cmd.exe
notepad.exe

msiexec.exe

cmd.exe

services.exe

 

Also the %TEMP% folder gets populated with 0KB files of this kind fla52E4.tmp so I think it's to do with Flash, which has been updated and ProtectedMode=1 is set now in mms.cfg

 

And, the strangest thing is when I restart or shut down, an Internet Explorer-like window comes up, just for a second, with random websites open, even videos playing in it, ads, as if the system is being used to browse online randomly. And it's real, because if I'm not connected to WiFi, it comes up with a blank "Page Cannot be Displayed" instead of the actual sites that it shows otherwise. I can take a picture or a video of it, since I cannot screenshot it at that point.

 

Please, someone confident, assist me in getting rid of this! Thanks again.

 

*UPDATE* 12/3/2015 12:30pm PST

Another symptom is that the HDDs spool back up randomly while idling on the Desktop, where they used to stay off, as they're set to spin off in 30 mins, and they would never spin back up on their own like they do now.


Edited by LockOnSCoRPioN, 03 December 2015 - 03:29 PM.
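A first triage pass over the process list in the post above, added here as an example and not something posted in the thread: for each of the named processes it shows the parent process, image path, Authenticode status and command line, then counts the zero-byte fla*.tmp files in %TEMP%. It assumes an elevated PowerShell 2.0 or later prompt on the affected Windows 7 install; the "expected parent" notes in the comments are general Windows 7 behaviour, not facts taken from the thread.

```powershell
# Added triage script (not from the thread). Expected parents on Windows 7, roughly:
#   conhost.exe           -> csrss.exe
#   dllhost.exe (COM Surrogate) -> svchost.exe (DcomLaunch)
#   msiexec.exe / msdtc.exe / taskhost.exe -> services.exe
#   PresentationHost.exe  -> the browser that launched it
#   notepad.exe / cmd.exe -> whatever the user (or a task, or another process) ran
# Anything else, or a parent living outside the Windows directory, is worth a closer look.
$suspects = 'dllhost.exe','rundll32.exe','PresentationHost.exe','taskhost.exe',
            'conhost.exe','msdtc.exe','ctfmon.exe','cmd.exe','notepad.exe',
            'msiexec.exe','services.exe'

# Index every process by PID once so parent lookups are cheap.
$all   = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

# Images under %windir%\System32 or %windir%\SysWOW64 are where these names belong;
# the "*32" in Task Manager just means the SysWOW64 (32-bit) copy on an x64 install.
$winRe = '^' + [regex]::Escape($env:windir) + '\\(System32|SysWOW64)\\'

$rows = foreach ($p in $all) {
    if ($suspects -notcontains $p.Name) { continue }
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $parentPath = if ($parent) { $parent.ExecutablePath } else { '' }

    # ExecutablePath is empty for protected system processes; only check a signature when we have a file.
    $sig = 'n/a'
    if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
        $sig = (Get-AuthenticodeSignature $p.ExecutablePath).Status
    }
    $oddPath = [bool]($p.ExecutablePath -and ($p.ExecutablePath -notmatch $winRe))

    New-Object PSObject -Property @{
        PID         = $p.ProcessId
        Name        = $p.Name
        Parent      = "$parentName ($($p.ParentProcessId))"
        ParentPath  = $parentPath
        Path        = $p.ExecutablePath
        Signature   = $sig
        OddLocation = $oddPath
        CommandLine = $p.CommandLine
        Started     = $p.ConvertToDateTime($p.CreationDate)
    }
}

# Newest first: processes that "came up on their own" recently float to the top.
$rows | Sort-Object Started -Descending |
    Format-Table Started, PID, Name, Parent, Signature, OddLocation, Path -AutoSize
# Command lines tell you what rundll32/cmd/msiexec were actually asked to do.
$rows | Where-Object { $_.CommandLine } | Format-List Name, Parent, ParentPath, CommandLine

# The zero-byte flaXXXX.tmp files: count them and show the newest, which tells you
# whether they are still being created after the Flash update / ProtectedMode change.
$tmp    = @(Get-ChildItem (Join-Path $env:TEMP 'fla*.tmp') -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq 0 })
$newest = $tmp | Sort-Object LastWriteTime -Descending | Select-Object -First 1
"{0} zero-byte fla*.tmp files in {1}; newest: {2}" -f $tmp.Count, $env:TEMP,
    $(if ($newest) { $newest.LastWriteTime } else { 'none' })
```

Run it once with WiFi disconnected and again after connecting, since the post says the activity is tied to going online; the difference between the two listings is the interesting part.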



 


#2 hena

hena

  • Members
  • 21 posts

Posted 06 December 2015 - 12:53 PM

Hello.

I am Hena and I will be helping you.

Please do not use any tools unless you think you should 100%.

I believe that you might have a Cryptoware/ransomware, because notepad starts at startup.

Please tell me if this is the case, and if it is, which one?

Don't use slang/idioms, because English is not my first language.


Edited by hena, 06 December 2015 - 12:53 PM.


#3 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 07 December 2015 - 09:37 AM

Hi there,

Not to offend you, but cleaning the machine regularly instead of using active AV & AM protection is not a good idea.

What's the deal with protection vs. cleaning? - Emsisoft Blog

Cleaning vs. Protection – Why you shouldn’t rely on malware cleaning - Emsisoft Blog

ComboFix is not meant to be used without proper malware removal training at one of the UNITE schools. ComboFix usage, Questions, Help? - Look here

The programs that you have listed are all legit, but some (i.e. Notepad) are not meant to start on boot. Please run these programs to get some information about your computer.

:step1: MiniToolbox by Farbar

Disable your antivirus if it does not allow you to download the tool!
Please download MiniToolBox, save it to your desktop and run it.
Place a checkmark in Select all, then click Go and post the result (MTB.txt). A copy of Result.txt will be saved in the same directory the tool is run.

===

:step2: Security Check by screen317
  • Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please copy and paste the contents of the log in your next reply.

Please let me know if you encounter any problems while running the tools.

Regards,
Alex

#4 LockOnSCoRPioN

LockOnSCoRPioN
  • Topic Starter

  • Members
  • 6 posts

Posted 08 December 2015 - 02:57 PM

Before I proceed using these tools, I want to know whether it's hena or Alexstrasza who is actually assisting me with this.

 

 

Hello.

I am Hena and I will be helping you.

Please do not use any tools unless you think you should 100%.

I believe that you might have a Cryptoware/ransomware, because notepad starts at startup.

Please tell me if this is the case, and if it is, which one?

Don't use slang/idioms, because English is not my first language.

 

Notepad does not run at startup, but appears arbitrarily some time after that.

Other processes/services, although legitimate, come up on their own and eat up RAM and I know they should not do that.

 

"Please do not use any tools unless you think you should 100%."

Using that logic, I am not 100% sure, more like unsure at all, that I should trust and use the MiniToolBox by Farbar and the Security Check by screen317.

 

This link looks very suspicious to me: http://rocketgrannie.spywareinfoforum.org/SecurityCheck.exe

 

I have used ComboFix many times on all kinds of systems, with only positive results.

Same goes for RKill before running other tools like JRT and AdwCleaner.

 

Not to offend you, but I'd rather prefer to get help from a fluently English-speaking individual.



#5 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here

Posted 08 December 2015 - 03:38 PM

Please follow the instructions given to you by Alexstrasza

She is currently in the malware removal training program and has been given permission to help in Am I Infected. Most important, she has the experience to help you and knows what tools are needed in order to help you.

I suggest you read this
Am I Infected? What do I do? How do I get help? Who is helping me?

Note that Am I Infected is open for anyone to help in. We do closely monitor Am I Infected to make sure that someone is receiving the best advice for getting rid of malware.

In addition to those listed as trusted, there are also non-staff members who help in Am I Infected. If a member does try to help you, one way to determine his/her track record is to look for other posts by that person in AII. You can also pm a moderator if you have questions or concerns about a member who is helping you.

Regarding the link you think is suspicious: It is perfectly safe. Please run it and post the log.

You should also run MiniToolBox and post that log.

Both tools are safe and used multiple times a day here at Bleeping Computer.

*Security Check is also hosted in the Bleeping Computer download section
http://www.bleepingcomputer.com/download/securitycheck/

Edited by Queen-Evie, 08 December 2015 - 03:48 PM.


#6 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 09 December 2015 - 06:47 AM

Hi there,

Rocket Grannie is a member of BC's Malware Response Team and SecurityCheck's current maintainer. Its original author screen317 is part of Malwarebytes Corporation.

Farbar is a Security Developer here at BC. Their tools are safe to use and trustworthy - in fact, they are used a lot here in BC and in other websites.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,591 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 December 2015 - 07:28 PM

As Alex noted...most of the well known specialized tools we use against malware are written by experts/Security Colleagues at various security forums like Bleeping Computer, TechSupport, GeeksToGo, SpywareInfo and other similar sites so they can be trusted...this includes any program hosted by BC for download. Unfortunately, many of these tools (or their embedded files) are repeatedly falsely detected by various anti-virus programs from time to time. This sometimes results in an inaccurate site rating/warning of potentially dangerous software when that is not the case. If you receive such a warning from your anti-virus it can be ignored.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 LockOnSCoRPioN

LockOnSCoRPioN
  • Topic Starter

  • Members
  • 6 posts

Posted 11 December 2015 - 05:10 PM

Alright, thanks.

I will get to it and run the tools.

Please allow me a bit of time.

I really appreciate the help and apologize for being suspicious or reluctant regarding running these tools.

Thanks.



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,591 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 December 2015 - 05:14 PM

...I really appreciate the help and apologize for being suspicious or reluctant regarding running these tools...

Not a problem and no need to apologize. We want our members to feel safe and know they are receiving trustworthy help so we don't mind explaining.

#10 LockOnSCoRPioN

LockOnSCoRPioN
  • Topic Starter

  • Members
  • 6 posts

Posted 11 December 2015 - 11:48 PM

It says double-click, but I think I'm going to Right Click and Run as Administrator.

I'm going to reboot into the SSD, as I'm using HDD boot to read and post on the forums, as I do not want to go online with the infected system at all, until it's cleaned.



#11 LockOnSCoRPioN

LockOnSCoRPioN
  • Topic Starter

  • Members
  • 6 posts

Posted 12 December 2015 - 12:29 AM

:step1: MiniToolbox by Farbar

Disable your antivirus if it does not allow you to download the tool!
Please download MiniToolBox, save it to your desktop and run it.
Place a checkmark in Select all, then click Go and post the result (MTB.txt). A copy of Result.txt will be saved in the same directory the tool is run.

===

:step2: Security Check by screen317

  • Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please copy and paste the contents of the log in your next reply.

Please let me know if you encounter any problems while running the tools.

Regards,
Alex

 

 

I ran the tools on the affected SSD Win7 Ultimate RC1 6.1.7100 without the Internet, WiFi not connected.

 

:step1: MiniToolbox by Farbar LOG:

 

MiniToolBox by Farbar  Version: 02-11-2015
Ran by SCoRPioN (administrator) on 11-12-2015 at 20:53:50
Running from "C:\DOWNLOADS"
Microsoft Windows 7 Ultimate   (X64)
Model: System Product Name Manufacturer: System manufacturer
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
"network.proxy.type", 0
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
 
Realtek PCIe GBE Family Controller = Local Area Connection (Media disconnected)
802.11g PCI Wireless Adapter = Wireless Network Connection 2 (Media disconnected)
TAP-Windows Adapter V9 = Local Area Connection 2 (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Wireless Network Connection" nexthop=10.247.32.1 validlifetime=4294967295 preferredlifetime=4294967295 publish=Yes
add address name="Wireless Network Connection" address=192.168.1.88
add address name="Wireless Network Connection" address=10.247.34.78
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : PHENOMIIX4SSD
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Wireless LAN adapter Wireless Network Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : westell.com
   Description . . . . . . . . . . . : 802.11g PCI Wireless Adapter
   Physical Address. . . . . . . . . : 12-24-5D-85-6B-92
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 00-24-8C-1B-55-11
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Local Area Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
   Physical Address. . . . . . . . . : 00-FF-EC-A5-6A-E3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{FD55CC80-489B-4AC5-B1F6-9ECB18FB990F}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.{ECA56AE3-9271-4C45-AAD7-4437928B2C9F}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.westell.com:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  127.0.0.1
 
Ping request could not find host google.com. Please check the name and try again.
Server:  UnKnown
Address:  127.0.0.1
 
Ping request could not find host yahoo.com. Please check the name and try again.
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 14...12 24 5d 85 6b 92 ......802.11g PCI Wireless Adapter
 12...00 24 8c 1b 55 11 ......Realtek PCIe GBE Family Controller
 15...00 ff ec a5 6a e3 ......TAP-Windows Adapter V9 #2
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      10.247.32.1  Default 
===========================================================================
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [51712] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70144] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [321024] (Microsoft Corporation)
 
========================= Event log errors: ================================
 
Could not start eventlog service, could not read events.
 
The Windows Event Log service is starting.
The Windows Event Log service could not be started.
 
A system error has occurred.
 
System error 5 has occurred.
 
Access is denied.
 
 
=========================== Installed Programs ============================
 
µTorrent (HKLM-x32\...\uTorrent) (Version: 1.8.5 - )
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.4.980 - Adobe Systems Incorporated.)
Adobe Flash Player 19 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 19.0.0.245 - Adobe Systems Incorporated)
Adobe Flash Player 19 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 19.0.0.245 - Adobe Systems Incorporated)
Adobe Premiere Pro CS5.5 (HKLM-x32\...\{0497EAED-70DA-4BBE-BEB3-AF77FD8788EA}) (Version: 5.5 - Adobe Systems Incorporated)
Adobe Reader 9.5.0 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.0 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{C8807716-1F6F-5C43-3C32-7295A45CF060}) (Version: 8.0.911.0 - Advanced Micro Devices, Inc.)
Arma: Cold War Assault (HKLM-x32\...\Steam App 65790) (Version:  - Bohemia Interactive)
Bandicam (HKLM-x32\...\Bandicam) (Version: 1.9.5.510 - Bandisoft.com)
Bandisoft MPEG-1 Decoder (HKLM-x32\...\BandiMPEG1) (Version:  - Bandisoft.com)
Corsair SSD Toolbox (HKLM-x32\...\{70DE02E8-FBDD-4892-9B21-117DCA1DD553}_is1) (Version: 1.0.0.0 - LC Technology International, Inc.)
Creative Audio Console (HKLM-x32\...\AudioCS) (Version: 1.32 - Creative Technology Limited)
Data Lifeguard Diagnostic for Windows 1.24 (HKLM-x32\...\{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1) (Version:  - Western Digital Corporation)
DCS World (HKLM\...\DCS World_is1) (Version: 1.2.6.17746 - )
DCS World OpenBeta (HKLM\...\DCS World OpenBeta_is1) (Version: 1.2.8 - )
DivX Setup (HKLM-x32\...\DivX Setup) (Version: 2.6.1.90 - DivX, LLC)
EVGA Precision 2.0.4 (HKLM-x32\...\Precision) (Version: 2.0.4 - EVGA Corporation)
FaceTrackNoIR version 1.7 (HKLM-x32\...\FaceTrackNoIR_is1) (Version: 1.7 - FaceTrackNoIR Team)
ffdshow (remove only) (HKLM-x32\...\ffdshow) (Version:  - )
FileZilla Client 3.7.1.1 (HKLM-x32\...\FileZilla Client) (Version: 3.7.1.1 - Tim Kosse)
GIMP 2.8.10 (HKLM\...\GIMP-2_is1) (Version: 2.8.10 - The GIMP Team)
Grand Theft Auto IV (HKLM-x32\...\Steam App 12210) (Version:  - Rockstar North)
IGT Slots Cleopatra II (HKLM-x32\...\IGT Slots Cleopatra II1.1) (Version: 1.1 - Foxy Games)
Intel® IPP Run-Time Installer 5.3 Update 4 for Windows* on IA-32 (HKLM-x32\...\{754854DC-2E0A-49D8-A1A1-426C1F9B1459}) (Version: 5.3.4.087 - Intel Corporation)
Masque IGT Slots Lucky Larry's Lobstermania (HKLM-x32\...\{08E9B665-BA03-4380-8494-B1E3E1693DDE}) (Version: 1.0.1 - Masque Publishing)
Masque IGT Slots Wolf Run (HKLM-x32\...\{7C0BF6E9-7021-46E4-87B3-4C4587256A22}) (Version: 1.0.0 - Masque Publishing)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Games for Windows - LIVE (HKLM-x32\...\{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}) (Version: 3.1.186.0 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{42AA4CA8-DCD8-4308-BCAB-0B6D75856A9D}) (Version: 3.5.95.0 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office Visio Professional 2007 (HKLM-x32\...\VISPRO) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 42.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.4.1 - Notepad++ Team)
NVIDIA 3D Vision Driver 337.50 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 337.50 - NVIDIA Corporation)
NVIDIA 3D Vision Video Player (HKLM-x32\...\{244FB715-13C4-4C85-BEB6-6C1ABB29D8B1}) (Version: 1.7.5 - NVIDIA Corporation)
NVIDIA Graphics Driver 337.50 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 337.50 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{7B5AA67E-FEA0-40BB-BAB5-CA56645A589C}) (Version: 9.13.0725 - NVIDIA Corporation)
Open Broadcaster Software (HKLM-x32\...\Open Broadcaster Software) (Version:  - )
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
OpenVPN 2.3.0-I005  (HKLM-x32\...\OpenVPN) (Version: 2.3.0-I005 - )
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.993 - Even Balance, Inc.)
Ralink RT6x Wireless LAN Card (HKLM-x32\...\{FAB1F336-1B7C-4057-A7BC-2922CD82A781}) (Version: 1.5.4.0 - Ralink)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
TeamSpeak 3 Client (HKLM-x32\...\TeamSpeak 3 Client) (Version: 3.0.11.1 - TeamSpeak Systems GmbH)
VC80CRTRedist - 8.0.50727.6195 (HKLM-x32\...\{933B4015-4618-4716-A828-5289FC03165F}) (Version: 1.2.0 - DivX, Inc) Hidden
VLC media player 2.0.7 (HKLM-x32\...\VLC media player) (Version: 2.0.7 - VideoLAN)
Windows 7 USB/DVD Download Tool (HKLM-x32\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (HKLM\...\{9B48B0AC-C813-4174-9042-476A887592C7}) (Version: 6.500.3165.0 - Microsoft Corporation)
XBMC (HKCU\...\XBMC) (Version:  - Team XBMC)
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 11%
Total physical RAM: 8191.18 MB
Available physical RAM: 7246.45 MB
Total Virtual: 8189.32 MB
Available Virtual: 7199.04 MB
 
========================= Partitions: =====================================
 
1 Drive c: (SYSTEM7X64SSD) (Fixed) (Total:111.69 GB) (Free:24.2 GB) NTFS
3 Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.03 GB) NTFS
4 Drive f: (SPACEDISK) (Fixed) (Total:232.88 GB) (Free:26.73 GB) NTFS
5 Drive g: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS
6 Drive h: (SYSTEM) (Fixed) (Total:232.91 GB) (Free:6.05 GB) NTFS
7 Drive i: (STORAGE 7B) (Fixed) (Total:232.88 GB) (Free:9.42 GB) NTFS
8 Drive j: (STORAGE) (Fixed) (Total:232.85 GB) (Free:9.92 GB) NTFS
9 Drive k: (SYSTEM 7) (Fixed) (Total:114.4 GB) (Free:16.51 GB) NTFS
10 Drive l: (STORAGE 7A) (Fixed) (Total:118.39 GB) (Free:9.44 GB) NTFS
11 Drive m: (STORAGE X) (Fixed) (Total:867.51 GB) (Free:8.01 GB) NTFS
12 Drive n: (SYSTEM7X64) (Fixed) (Total:63.9 GB) (Free:3.07 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\PHENOMIIX4SSD
 
Administrator            Guest                    Install                  
SCoRPioN                 
 
========================= Minidump Files ==================================
 
No minidump file found
 
========================= Restore Points ==================================
 
 
**** End of log ****
 
 
PLEASE NOTE: 
I have multiple (4) physical HDDs, partitioned into 2 each except SPACEDISK; 3 of the HDDs are bootable, as is the SSD, which is the affected one. Please do not create anything that messes with them. The two System Reserved partitions are OK.
 
Step 2: Security Check by screen317 LOG:
 
 Results of screen317's Security Check version 1.013 --- 11/28/15  
 Windows 7  x64 (UAC is disabled!)  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Adobe Flash Player 19.0.0.245  
 Adobe Reader 9 Adobe Reader out of Date! 
 Mozilla Firefox (42.0) 
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 29% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
 

 

PLEASE NOTE:

I will NOT update to Service Pack 1.

I will NOT enable Security Center service.

I will keep using Windows Firewall, and will NOT install any Anti-Virus. I had Avast before and it did not prevent anything.

I'm very careful browsing online and have survived on this system since 2009 without issues until now.

I do NOT have Google Chrome, only Firefox (with AdBlock Plus), and Internet Explorer is DISABLED/Uninstalled/Hidden/Unchecked from the list of Installed Windows Components.

I will NOT update to the newest Adobe Reader. I can remove it altogether, if you want.

 

If needed, I can connect to the Internet once or twice and film a video of what's going on and post it; for example, when I restart, for a moment before shutting down, an IE or some kind of browser window appears like it's browsing random websites on its own, using Adobe Flash or something, very random.

 

Please, work with me within these requirements.

These logs are not showing anything I can spot that's abnormal.

I clear my own %TEMP% folder manually, but files like fla52E4.tmp of 0KB start appearing en masse once I connect to the Internet and "stuff" begins to happen on its own.

The Microsoft services start on their own as soon as I connect to the Internet, and I will NOT connect to the Internet for any length of time, on the SSD boot, until it is fixed.

 

Thank You



#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:30 AM

Posted 12 December 2015 - 11:37 AM

Please, work with me within these requirements.

 

Unfortunately we cannot provide you assistance within your set requirements. This is not an unwillingness on our part to help you solve your problem, but what you are asking us translates to "I want you to secure my house against burglars, but only in such a way that I will not be required to close my doors and windows". Of course this is an analogy, but I hope you get the idea.

 

I'm not saying that your view on security is wrong, after all this is your own computer and you're allowed to use it in whatever way you see fit. However, if you come here looking for help that implies you trust the help given by the experts at this forum. The fact is, this help does not match with the conditions you imposed, hence continuing this topic is pointless.

 

I'm not going to debate your security setup in this topic nor do I expect you to defend it, but unless you are willing to change your mind, this is all the help we can give you here.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 LockOnSCoRPioN

LockOnSCoRPioN
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:30 PM

Posted 13 December 2015 - 02:14 AM

HitmanPro 3.7.10 - Build 251 (64-bit)
 
It located the Backdoor Virus/Trojan and removed it!
Now, the system is behaving normally, no issues!
Nothing runs on its own, no DLLHost.exe*32, no Notepad opening itself or files slowly, no delay on login, nothing abnormal!
Found only this one virus (Avast failed to find it):
 
C:\ProgramData\{A652AF35-6B87-4D7C-98A1-204C5F7317E9}\atl.dll
      Size . . . . . . . : 372,736 bytes
      Age  . . . . . . . : 11.5 days (2015-12-01 11:31:57)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : E40939B749DA763FB9B1A58EEAB9948C402094EBA160927DEA762068D5BD5BE7
      Product  . . . . . : Microsoft® Windows® Operating System
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : Microsoft® Active Directory Certificate Services
      Version  . . . . . : 6.1.7600.16385
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      LanguageID . . . . : 1033
    > Kaspersky  . . . . : Backdoor.Win64.Bedep.hp
      Fuzzy  . . . . . . : 109.0
      Forensic Cluster
         -15.1s C:\ProgramData\{A652AF35-6B87-4D7C-98A1-204C5F7317E9}\
         -15.1s C:\ProgramData\{A652AF35-6B87-4D7C-98A1-204C5F7317E9}\283e3ce15a9
          0.0s C:\ProgramData\{A652AF35-6B87-4D7C-98A1-204C5F7317E9}\atl.dll
 
 

It occurred 11-12 days ago.

A simple Google search and Hitman Pro did the trick!

I know my computer system and how it's supposed to behave very well, and it's only one pesky virus that was doing it, everything else is clean.

 

In addition, I change my IP, flush DNS, change MAC and all that cool stuff manually myself.

I also use a VPN often. And to prevent this in the future, HitmanPro patched the system with LINK protection (Microsoft Security Advisory 2286198).

 

 

Thanks for trying..

 

P.S.:

My requirements didn't have to be broken, and your response was not justified.

My observation is that females tend to approach the technical problems with an emotion, where none is required, in fact, it's counter-productive.

You can take this in a wrong way, and remove this post and my account, OR you can learn a lesson and instead allow this post to remain, so others can locate the help next time.

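The HitmanPro report above shows the pattern a defender can generalise: a DLL carrying Microsoft version information but sitting in a GUID-named folder under C:\ProgramData, with an entropy of 7.5 (packed or encrypted content). The following Python triage script is an added example, not HitmanPro's code and not anything posted in this thread; it walks a ProgramData-style tree, flags DLLs in GUID folders whose Shannon entropy reaches a threshold, and builds its own constructed sample tree (random bytes stand in for the packed DLL, and the second GUID folder is made up) so it runs offline.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical triage helper (added example): flag DLLs dropped into
# %ProgramData%\{GUID}\ whose content is packed/encrypted (high entropy),
# the layout shown in the thread's HitmanPro report for Backdoor.Win64.Bedep.
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
ENTROPY_THRESHOLD = 7.0  # bits per byte; ordinary PE code usually lands well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution; 8.0 means uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_dlls(programdata: Path, threshold: float = ENTROPY_THRESHOLD):
    """Return (path, entropy) for each DLL under a GUID-named folder of
    `programdata` whose entropy is at or above `threshold`."""
    hits = []
    for sub in programdata.iterdir():
        if not (sub.is_dir() and GUID_DIR.match(sub.name)):
            continue  # vendor-named folders are out of scope for this heuristic
        for dll in sub.glob("*.dll"):
            ent = shannon_entropy(dll.read_bytes())
            if ent >= threshold:
                hits.append((dll, round(ent, 2)))
    return hits


def build_sample_tree() -> Path:
    """Constructed sample layout (no real malware): the GUID folder name from the
    thread's report holding a random-byte 'atl.dll', plus a made-up GUID folder
    holding a mostly-zero DLL that should not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="programdata_"))
    packed = root / "{A652AF35-6B87-4D7C-98A1-204C5F7317E9}"
    packed.mkdir()
    (packed / "atl.dll").write_bytes(os.urandom(65536))  # random bytes ~ entropy 8.0
    benign = root / "{11111111-2222-3333-4444-555555555555}"  # constructed GUID
    benign.mkdir()
    (benign / "helper.dll").write_bytes(b"MZ" + b"\x00" * 65534)  # near-zero entropy
    return root


if __name__ == "__main__":
    for path, ent in suspicious_dlls(build_sample_tree()):
        print(f"{path}  entropy={ent}")
```

On a real system point `suspicious_dlls` at `Path(os.environ["ProgramData"])` and treat hits as candidates for a hash lookup and vendor-signature check, not as verdicts: some legitimate installers also use GUID folders.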


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:30 AM

Posted 13 December 2015 - 02:47 AM

My requirements didn't have to be broken, and your response was not justified.

No? Then why did Bedep end up on your computer? It is often dropped by exploit kits on infected websites. This is one of the reasons why we recommend an antivirus and why we at BC think that any computer without antivirus is at risk; you have just proven that point splendidly: you say yourself you are a careful user, you monitor your computer, you know how it is supposed to behave, and yet your computer was infected despite all that. Do yourself a favor and install an antivirus; next time the exploit kit drops TeslaCrypt (that's today's favorite payload, you can take my word for it or not).
Let's not even start on Windows and third-party software updates, which for an important part fix vulnerabilities that are used by exploit kits.

My observation is that females tend to approach the technical problems with an emotion, where none is required, in fact, it's counter-productive.

While you are entitled to your opinion, unfortunately you are not allowed to ignore the forum rules to which you agreed when you joined this forum. Let me quote the relevant part for you:

There will be no racial, ethnic, gender based insults or any other personal discriminations.  This will not be tolerated and can lead to immediate suspension. 

 
But no worries, I won't remove this post. Everyone who wants to review this post will be allowed to see your opinion in this case, as well as the fact that even being an acclaimed rational individual you managed to get infected, which should be a lesson for all: the advice we give here at BC actually is there for a reason.

Since, although female, I happen to be an admin here and you clearly violated the forum rules by insulting not only me but also the other helper who volunteered her time to attempt to assist you, this topic will be locked. Consider yourself fortunate you are not banned in the process as well. Any future continuation of this behavior may change that though.

regards, Elise

