
conhost.exe, presentationhost.exe, ... How to remove these Virus?


This topic is locked.
14 replies to this topic

#1 Scard123

  • Members
  • 10 posts

Posted 24 December 2015 - 01:27 AM

Hi all,

Instigated by the low performance of my laptop, I discovered a bunch of 'fake' processes running in the background.... I am quite sure the laptop is infected with some type of malware. Will you be able to help me with this?

I attached the log of FRST as per http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Thank you,
S.

Attached Files

  • Attached File: FRST.txt (34.87KB)



#2 nasdaq

  • Malware Response Team
  • 39,520 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 December 2015 - 11:14 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL =
SearchScopes: HKLM -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKLM -> {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL =
SearchScopes: HKU\S-1-5-21-653478955-3067283134-999092648-53289 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKU\S-1-5-21-653478955-3067283134-999092648-53289 -> {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL =
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
CHR Plugin: (Shockwave Flash) - C:\Users\fhen3366.MCS\AppData\Local\Google\Chrome\Application\47.0.2526.80\gcswf32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.220.4) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll => No File
CHR Plugin: (Java(TM) Platform SE 6 U22) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\3.0.50611.0\npctrl.dll => No File
CHR Plugin: (Native Client) - C:\Users\fhen3366.MCS\AppData\Local\Google\Chrome\Application\47.0.2526.80\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\fhen3366.MCS\AppData\Local\Google\Chrome\Application\47.0.2526.80\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Users\fhen3366.MCS\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll => No File
CHR Extension: (Store) - C:\Users\fhen3366.MCS\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-12-06]
CHR Extension: (Store) - C:\Users\fhen3366.MCS\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjakmojkcnhgipgkkbiempkfdndcnlah [2012-03-28]
CHR HKLM\...\Chrome\Extension: [hjakmojkcnhgipgkkbiempkfdndcnlah] - C:\ProgramData\CodecC\hjakmojkcnhgipgkkbiempkfdndcnlah.crx [2012-03-28]
S3 BS2155461756; \??\C:\Users\fhen3366.MCS\AppData\Local\Temp\NTFS.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\fhen3366.MCS\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
C:\Users\fhen3366.MCS\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjakmojkcnhgipgkkbiempkfdndcnlah
C:\ProgramData\CodecC\hjakmojkcnhgipgkkbiempkfdndcnlah.crx

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.

IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows, then:
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).

Please post the logs.

I will also need the Addition.txt log that was created by the Farbar tool.

Let me know what problem persists.

#3 Scard123 (Topic Starter)

  • Members
  • 10 posts

Posted 29 December 2015 - 08:11 PM

Hi nasdaq,

 

Thank you for the interest.

 

I followed your instructions and for a few minutes (prior to connecting the laptop to the internet), the performance of the computer seemed to have improved. However, after a while the performance lagged again and the same 'fake' processes reappeared.

 

I attach the logs of Frstix and Adwclean. I also reran a scan with FRST and the log follows attached (addition.txt as well).

 

Thank you for your help and I'd appreciate further advice.

Cheers,
S. 

 

Attached Files



#4 nasdaq

  • Malware Response Team
  • 39,520 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 December 2015 - 10:08 AM



Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{91EFB276-CEFE-48EC-BB3A-57795A7B4008}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{D166BD15-03AF-413A-BEFD-0679FF410B49}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-653478955-3067283134-999092648-53289_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> no filepath
Task: {7892C890-F776-4CDE-A4DB-765763C33ABF} - \Advanced System Protector -> No File <==== ATTENTION
Task: {E001E28B-6F67-4DF3-B264-5FBA6BC17AC7} - System32\Tasks\Express FilesUpdate => C:\Program Files\ExpressFiles\EFUpdater.exe <==== ATTENTION
Task: {EAD3AAA0-90E5-43A8-837C-D6D600860DBF} - System32\Tasks\{8B902857-C039-4426-9289-95BBFEA95174} => pcalua.exe -a C:\Users\fhen3366.MCS\AppData\Local\Temp\Temp1_Setup_PortalPlus1_10.zip\Install_PortalPlus_1_10_ArcelorMittal.exe
C:\Users\fhen3366.MCS\AppData\Local\Temp\Temp1_Setup_PortalPlus1_10.zip
C:\Program Files\ExpressFiles

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Control Panel > Programs and Features applet.

Java 7 Update 55 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217055FF}) (Version: 7.0.550 - Oracle)

How is the computer running now?
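The two fixlists above remove three kinds of leftover persistence: services and drivers whose binary is gone (the `[X]` lines), per-user CLSID registrations whose InprocServer32 has no file (`CustomCLSID ... no filepath`), and scheduled tasks whose program is missing or that launch through pcalua.exe. The script below is an added example, not part of this thread, of FRST, or of any BleepingComputer tool; it audits those same three classes read-only and prints what it finds so the entries can be compared against a Farbar log before anything is deleted. The function names are mine, and it assumes PowerShell 3.0 or later running from an elevated prompt (the Tasks folder and parts of the Services hive are not readable otherwise).

```powershell
# Added example (not from this thread or from FRST): read-only audit of
# orphaned services, per-user CLSIDs and scheduled tasks. Assumes PS 3.0+,
# run elevated. It changes nothing on the machine.

function Expand-TargetPath {
    # Turn a raw ImagePath / InprocServer32 / task Command value into a
    # filesystem path that Test-Path can check.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\... driver form
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        # drop command-line arguments that follow the executable name
        $m = [regex]::Match($p, '^(.*?\.(exe|dll|sys|ocx|cpl|scr))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    if (-not [IO.Path]::IsPathRooted($p)) {
        if ($p -notmatch '\\') {
            # bare name such as pcalua.exe: resolve through PATH as the loader would
            $cmd = Get-Command $p -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
            if ($cmd) { return $cmd.Path }
        }
        # "System32\drivers\foo.sys" style values are relative to %SystemRoot%
        $p = Join-Path $env:SystemRoot ($p -replace '^\\', '')
    }
    return $p
}

function Get-OrphanedService {
    # Services/drivers whose ImagePath points at a file that no longer exists.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $img) { return }     # group/legacy keys carry no binary
        $path = Expand-TargetPath $img
        if ($path -and -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.PSChildName; Target = $path; Reason = 'file missing' }
        }
    }
}

function Get-OrphanedUserClsid {
    # Per-user COM classes (HKCU\Software\Classes\CLSID, shown by FRST as
    # HKU\<SID>_Classes) whose InprocServer32 is empty or names a missing DLL.
    # Per-user entries shadow the machine-wide ones, which is why they matter.
    $root = 'HKCU:\Software\Classes\CLSID'
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = "$root\$($_.PSChildName)\InprocServer32"
        if (-not (Test-Path -LiteralPath $srv)) { return }
        $raw  = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
        $path = Expand-TargetPath $raw
        if (-not $path) {
            [pscustomobject]@{ Kind = 'CustomCLSID'; Name = $_.PSChildName; Target = '<no filepath>'; Reason = 'no filepath' }
        } elseif (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Kind = 'CustomCLSID'; Name = $_.PSChildName; Target = $path; Reason = 'file missing' }
        }
    }
}

function Get-OrphanedTask {
    # Scheduled tasks (XML files under System32\Tasks) whose Exec action names a
    # missing program, or which launch the real target through pcalua.exe.
    $taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
    $ns = 'http://schemas.microsoft.com/windows/2004/02/mit/task'
    Get-ChildItem -LiteralPath $taskRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        try { [xml]$xml = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction Stop } catch { return }
        $nsm = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $nsm.AddNamespace('t', $ns)
        foreach ($exec in $xml.SelectNodes('//t:Actions/t:Exec', $nsm)) {
            $cmdNode = $exec.SelectSingleNode('t:Command', $nsm)
            $argNode = $exec.SelectSingleNode('t:Arguments', $nsm)
            $cmdText = if ($cmdNode) { $cmdNode.InnerText } else { '' }
            $argText = if ($argNode) { $argNode.InnerText } else { '' }
            $path = Expand-TargetPath $cmdText
            $reason = $null
            if (-not $path -or -not (Test-Path -LiteralPath $path)) { $reason = 'program missing' }
            elseif ([IO.Path]::GetFileName($path) -ieq 'pcalua.exe') { $reason = 'runs via pcalua.exe proxy' }
            if ($reason) {
                [pscustomobject]@{
                    Kind   = 'Task'
                    Name   = $_.FullName.Substring($taskRoot.Length + 1)
                    Target = "$cmdText $argText".Trim()
                    Reason = $reason
                }
            }
        }
    }
}

$findings = @(Get-OrphanedService) + @(Get-OrphanedUserClsid) + @(Get-OrphanedTask)
$findings | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

A missing file is not proof of malware on its own (uninstallers leave such entries behind all the time), but every line the script prints is an entry that can only ever fail or be hijacked, so it is a sensible review list before writing a fixlist.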

#5 Scard123 (Topic Starter)

  • Members
  • 10 posts

Posted 30 December 2015 - 06:33 PM

No, the laptop is still slow and with a bunch of fake processes. I attached a print screen after turning on the internet where you may see processes like notepad.exe, dllhost.exe,

Further, I attached the requested logs.

 

Cheers,
S.

Attached Files
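The poster's symptom is copies of conhost.exe, notepad.exe, dllhost.exe and PresentationHost.exe that are not the real Windows binaries. A quick way to separate genuine from 'fake' is to check where each such process is actually running from and whether the image carries a valid Microsoft signature. The script below is an added example, not from this thread or from any tool mentioned in it; the function name and the list of process names to check are mine, and it assumes PowerShell 3.0 or later on an elevated prompt so that every process's image path can be read. It only reports; it terminates nothing.

```powershell
# Added example (not from this thread): flag running processes that carry the
# name of a Windows system binary but do not run from a Windows system
# directory, or whose Authenticode signature is not a valid Microsoft one.

function Get-MasqueradingProcess {
    param(
        # process names (without .exe) worth checking; extend as needed
        [string[]]$Names = @('conhost', 'dllhost', 'notepad', 'presentationhost', 'svchost', 'rundll32', 'explorer'),
        [switch]$SkipSignatureCheck
    )
    $sysRoot = $env:SystemRoot.TrimEnd('\')
    # Directories the genuine binaries live in. PresentationHost.exe also ships
    # under Microsoft.NET\Framework*\v3.0\WPF, so those folders are trusted too.
    $trustedDirs = @("$sysRoot\System32", "$sysRoot\SysWOW64", $sysRoot)
    $trustedDirs += Get-ChildItem -Path "$sysRoot\Microsoft.NET" -Recurse -Directory -Filter WPF -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }

    Get-Process | Where-Object { $Names -contains $_.ProcessName } | ForEach-Object {
        $proc = $_
        $path = $proc.Path          # $null when the process cannot be opened
        $reasons = @()
        if (-not $path) {
            $reasons += 'image path not readable (run elevated)'
        } else {
            $dir = [IO.Path]::GetDirectoryName($path).TrimEnd('\')
            if (-not ($trustedDirs | Where-Object { $dir -ieq $_ })) {
                $reasons += "runs from unexpected directory $dir"
            }
            if (-not $SkipSignatureCheck) {
                # Windows 10 verifies catalog-signed system files here; on Windows 7
                # many genuine System32 binaries report NotSigned, so treat the
                # signature as a second opinion and the location as the primary signal.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    $reasons += "signature $($sig.Status)"
                } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                    $reasons += "signed by $($sig.SignerCertificate.Subject)"
                }
            }
        }
        if ($reasons) {
            # Parent PID helps triage: a real conhost.exe is started by csrss.exe,
            # a real dllhost.exe by svchost.exe or services.exe.
            $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)" -ErrorAction SilentlyContinue).ParentProcessId
            [pscustomobject]@{
                Id      = $proc.Id
                Name    = $proc.ProcessName
                Path    = $path
                Parent  = $parent
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-MasqueradingProcess | Format-Table -AutoSize -Wrap
```

Run it with the network connected, since the poster reports the processes reappearing only after going online; anything listed with a path under AppData, %TEMP% or ProgramData is exactly the kind of entry the fixlists in this thread target, and the parent PID tells you which process keeps relaunching it.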



#6 nasdaq

  • Malware Response Team
  • 39,520 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 December 2015 - 08:22 AM

Let's check further.

You will need to temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here.

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Click the Options button; the following options are available to you.
Select only the check boxes for these options (shown in bold in the original post):

Running Processes
Installed Programs
Startup Information
FireFox look
Chrome Look
Auto Clean

The full list of options, for reference:

Do a Quick Scan
HijackThis log
Uninstall list
Shortcut Fix
Do a Deep Scan
Installer List
IE Default
Silent Runner
System Restore Info
Symlink Check
Reset Chrome
System Specs
Recently created
Empty Temp
Auto Clean



Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the system drive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.

Make sure you Enable your AV Program.

#7 nasdaq

  • Malware Response Team
  • 39,520 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 January 2016 - 09:03 AM

Are you still with me?

#8 Scard123 (Topic Starter)

  • Members
  • 10 posts

Posted 25 February 2016 - 07:00 PM

Yes, I am.

 

I followed your instructions and left zoek.exe running all night. It didn't return any result and I can only assume that it got stuck.

 

The malware issue is still on going.

Thanks



#9 nasdaq

  • Malware Response Team
  • 39,520 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 February 2016 - 07:45 AM

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

When this is completed run the Zoek tool one more time.
You can stop the process if it takes more than one hour to complete.

#10 nasdaq

  • Malware Response Team
  • 39,520 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 March 2016 - 09:19 AM

Are you still with me?

#11 Scard123 (Topic Starter)

  • Members
  • 10 posts

Posted 03 March 2016 - 11:38 PM

Yes, I am. I will follow the procedure during the weekend. Cheers.



#12 Scard123 (Topic Starter)

  • Members
  • 10 posts

Posted 06 March 2016 - 02:54 AM

I don't think either rkill worked, and once again zoek.exe didn't produce any results after 2 hours...

#13 nasdaq

  • Malware Response Team
  • 39,520 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 March 2016 - 08:00 AM

Run this tool and post the log if you can.
It should not take more than one hour to complete.

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====

#14 nasdaq

  • Malware Response Team
  • 39,520 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 March 2016 - 09:21 AM

Are you still with me?



#15 Scard123 (Topic Starter)

  • Members
  • 10 posts

Posted 14 March 2016 - 03:11 AM

nasdaq, I am sincerely grateful for your efforts, but I have to be a good sport and accept defeat.

 

It has been too much work for a rather limited success and thus, I decided that as soon as I finish a large project that I am involved in, I will simply format the laptop.

 

Sorry for wasting your time.

 

Best wishes,
F.





