
PimIndexMaintenanceSvc_20127 Unknown Infection



#1 akien (Members, 7 posts)

Posted 11 August 2016 - 09:26 PM

Both Windows 10 boxes (Dell Optiplex 900 and Lenovo Yoga laptop) became infected with something, I don't know what. CC numbers were stolen and used. When I looked at the task list, I saw tasks like the one listed in the subject. PimIndexMaintenanceSvc was followed in the task list by PimIndexMaintenanceSvc_20127. And this was true for a lot of services. This particular one showed up in the services control panel, but wasn't editable. Neither was it possible to edit that task in the registry. Trying to delete apparently infected files or processes just caused new ones to pop up.

 

Found that the only other windows computer in the house (a generic Core Duo running Windows 7) was also infected with something with different symptoms, but Defender Offline found and resolved that one. So maybe the infections were being passed around.

 

But for the Windows 10 computers, Windows Defender was no help. I eventually reformatted both machines with USB drives from the media creation tool, and as soon as they came up, they were infected. I rebuilt both machines to run Linux at that point. On the Dell I then set up VirtualBox machine from a Microsoft DVD for Windows 7, and then allowed that to update to Windows 10 over the web. Came up with the same infection.

 

 

Attached Files




 


#2 HelpBot (Bleepin' Binary Bot, Bots, 12,627 posts)

Posted 16 August 2016 - 09:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/623144 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Jintan (Malware Response Team, 531 posts)

Posted 17 August 2016 - 04:06 PM

Hello akien.

 

 

Don't see anything in the logs you attached. PimIndexMaintenanceSvc is part of Windows 10. Also not real clear what CC refers to, or why you think the systems are infected. Unlikely a reformatted drive installing a new download can bring infection with it. What are the issues you are having there?


Ad eundum quo no duck ante iit

#4 akien (Topic Starter, Members, 7 posts)

Posted 17 August 2016 - 10:47 PM

So first issue was the cc theft info.

 

Then I looked at the computer. The problem wasn't PimIndexMaintenanceSvc, I know that belongs there. It was the one below it, which currently says PimIndexMaintenanceSvc_1f568. But it's not even that file per se, it's every one of the UnistackSvcGroup services. It's duplicated, and with that under-bar and 5 hex digits. And I can't edit the services entries; when I hit apply it says "invalid parameter". And when I tried getting at the entries via the registry, even running as admin, when I tried to take ownership of the entry, it gave me access denied. That hasn't happened with any registry entry actually related to Windows. Yeah, I know those actions shouldn't be taken by anybody, but I also have tinkered with the insides of Windows a lot. I even tried going into safe mode, deleting all the entries for those tasks (which interestingly enough, it would let me do in safe mode)... But when I rebooted it normally, they were all back again, albeit with different hex numbers.

 

I've got images, but I haven't been able to figure out how to upload them. Perhaps that isn't supported here.



#5 akien (Topic Starter, Members, 7 posts)

Posted 18 August 2016 - 10:34 AM

Also worth noting, while Defender finds nothing (same with Kaspersky), Norton seems to detect the problem, but then the machine immediately reboots.



#6 Jintan (Malware Response Team, 531 posts)

Posted 18 August 2016 - 04:36 PM

You disabled Defender, rebooted then installed Kaspersky. Ran a scan, no results, then uninstalled Kaspersky, rebooted, then installed and ran a scan with Norton? Anything shy of that scenario would have caused Norton to have problems, since no two (or more) antivirus programs can be installed at one time. Even disabled, they have active functions that will interfere.

 

I truly suggest you stop dabbling with Registry. The UnistackSvcGroup services are again part of Windows 10, and protected by the system itself.

 

I assume CC means credit card, but I don't think any issues with them came from this system. Not checking your logs, and your posting that programs like Kaspersky found nothing.


Ad eundum quo no duck ante iit

#7 akien (Topic Starter, Members, 7 posts)

Posted 18 August 2016 - 08:12 PM

I'm sorry, I am clearly not describing this very well. You seem to keep getting sucked into the extraneous stuff rather than the core issue. With respect to the registry, I've been a windows developer since 1991, I understand how service profiles and their launch information is stored there. That's what led me to try that. With respect to the various AV packages, I never had more than one installed at a time.

 

In spite of all that, I am still left with these ghost processes so that I have 2 entries for each service associated with UnistackSvcGroup. [image] If I stop these, different ones in the same group just start up on their own. As if some process doesn't want them stopped. And I am prevented from disabling them. [image] Now does that not sound the least bit suspicious? I've seen Windows crash because a key service was stopped, and I've seen Windows attempt to restart a process if the process itself failed, but not if it was stopped by the user in the services panel. And I have seen infections create services with an underscore and numbers after them. And I've seen those processes magically restart themselves. One time was about 3 years ago, on a friend's machine, and Malwarebytes found and resolved that one. The other time was about 10 years ago, and I was able to eradicate it myself from safe mode by finding the unsigned executable that was launched from one of the entries in the services panel. Malwarebytes doesn't see anything this time.

 

I get that your scan shows nothing wrong, but that is inconsistent with the ghost processes and their magically restarting. Before the credit card issue, these processes did not show up in task manager. I don't have any idea what I was doing on that particular day, but I do remember mistyping a URL, and being alarmed at what came up. Later that day I bought something on a web site other than Amazon, which is somewhat unusual for me. And the next day, I got a call saying my credit card usage pattern had suddenly changed, and there were a bunch of charges to iTunes that I didn't make. The first change was within an hour of my purchasing the item online. Since I still had the card in my hand, I went to the computer to see if anything was amiss there. And, lo, these processes were present. Now I don't know for sure that these ghost processes are the cause, but for what I think are obvious reasons, I've been reluctant to trust an instance of Windows 10 that had those in it since then.

 

Thoughts?
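Editor's note with an added check (my own example, not code from any post in this thread). Windows 10 version 1607 and later creates one per-user instance of each "user service" template at logon, named <Template>_<hex LUID>, which is why every UnistackSvcGroup service shows twice in the Services list; the instance keys are recreated at each logon, so the hex suffix changes. The PowerShell below lists those instances and checks each against its template service and the Authenticode signatures of the host executable and ServiceDll it actually loads, which is the evidence that separates a legitimate per-user instance from a service that merely imitates the naming. Assumptions, labelled in the code: the suffix pattern `_[0-9a-f]{4,8}`, and the Type bits 0x40 (SERVICE_USER_SERVICE, template) and 0x80 (SERVICE_USERSERVICE_INSTANCE, instance) as given in Microsoft's per-user services documentation.

```powershell
# Added example (editor's own, not from any post in this thread).
# Lists Windows per-user service instances (<Template>_<hex LUID>) and checks
# each one against its template and the signatures of the code it loads.
# ASSUMED: suffix pattern _[0-9a-f]{4,8}; Type bit 0x40 = SERVICE_USER_SERVICE
# (template), 0x80 = SERVICE_USERSERVICE_INSTANCE (instance), per Microsoft's
# per-user services documentation. Run in an elevated PowerShell 5.1+ session.

$ServicesRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SuffixPattern  = '_[0-9a-fA-F]{4,8}$'
$UserServiceBit = 0x40
$InstanceBit    = 0x80

function Get-ExePathFromImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($expanded -match '^\s*"([^"]+)"')   { return $Matches[1] }  # quoted path
    if ($expanded -match '^\s*(\S+?\.exe)') { return $Matches[1] }  # path before args
    return $expanded
}

function Get-SignatureSummary {
    param([string]$Path)
    if (-not $Path) { return 'n/a' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # PowerShell 5.1+ validates catalog-signed OS binaries; older hosts may
    # report them as NotSigned, so cross-check with sigcheck before acting.
    if ($sig.Status -eq 'Valid') {
        $cn = $sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1'
        return "Valid ($cn)"
    }
    return $sig.Status.ToString()
}

function Get-PerUserServiceReport {
    Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $SuffixPattern } |
        ForEach-Object {
            $instanceName = $_.PSChildName
            $templateName = $instanceName -replace $SuffixPattern, ''
            $inst = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            $tmplKey = Join-Path $ServicesRoot $templateName
            $tmpl = $null
            if (Test-Path -LiteralPath $tmplKey) {
                $tmpl = Get-ItemProperty -LiteralPath $tmplKey -ErrorAction SilentlyContinue
            }
            $tmplType = if ($tmpl) { [int]$tmpl.Type } else { 0 }
            $instType = [int]$inst.Type
            $dll = $null
            if ($tmpl) {
                $params = Get-ItemProperty -LiteralPath (Join-Path $tmplKey 'Parameters') -ErrorAction SilentlyContinue
                if ($params.ServiceDll) { $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll) }
            }
            $exe = Get-ExePathFromImagePath $inst.ImagePath

            [pscustomobject]@{
                Instance          = $instanceName
                Template          = $templateName
                TemplateExists    = [bool]$tmpl
                TemplateIsUserSvc = ($tmplType -band $UserServiceBit) -ne 0
                InstanceBitSet    = ($instType -band $InstanceBit) -ne 0
                ImagePathMatch    = ($null -ne $tmpl) -and ($inst.ImagePath -eq $tmpl.ImagePath)
                HostExe           = $exe
                HostSignature     = Get-SignatureSummary $exe
                ServiceDll        = $dll
                DllSignature      = Get-SignatureSummary $dll
            }
        }
}

# On a clean Windows 10 install every row has TemplateExists, TemplateIsUserSvc
# and InstanceBitSet = True and a valid Microsoft signature on svchost.exe and on
# each ServiceDll. Rows that break that pattern are the ones worth investigating.
Get-PerUserServiceReport | Sort-Object Template | Format-Table -AutoSize
```

The value of the check is that it does not rely on the service name at all: an instance whose template key is missing, whose Type lacks the user-service bits, or whose host executable or ServiceDll is unsigned or signed by someone other than Microsoft is the thing to pull out and scan, while rows that pass on every column are the ordinary per-user instances Windows recreates at each logon. Because the LUID suffix is regenerated at logon, deleting the instance keys is not a durable change and is not itself evidence of infection.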



#8 Jintan (Malware Response Team, 531 posts)

Posted 19 August 2016 - 03:49 PM

Thank you for clarifying things there. May need to disable the UnistackSvcGroup, which is doable, but let's scan first.

 

Whatever antivirus or security software you have there right now, please disable it (and mention in your next post what you disabled).

 

Download Gmer from here. Bleeping has a download but I want to be sure it is the version updated for 10. Just scroll down and click the "Download EXE" button.

 

Once the opening scan finishes, click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).  

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.


Ad eundum quo no duck ante iit

#9 Oh My! (Adware and Spyware and Malware....., Malware Response Instructor, 36,611 posts, Location: California)

Posted 05 January 2018 - 04:39 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



