Solved Twin Issues in Windows Explorer That Occur 'Only' In Safe Mode

Rescan with HJT, check these items:

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)

O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')


Close all windows except HJT, then click "fix checked".

Reboot your computer.

Let's flush your DNS cache and restore MS's original Hosts file.

Copy and paste these lines in Notepad.
@Echo on
rem Make the hosts file writable (clear hidden, system and read-only attributes)
pushd \windows\system32\drivers\etc
attrib -h -s -r hosts
rem Overwrite hosts with the single default loopback entry
echo 127.0.0.1 localhost>HOSTS
rem Put the attributes back
attrib +r +h +s hosts
popd
rem Renew the DHCP lease and clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reboot in one second and delete this batch file
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click and run as Administrator.
Your computer will reboot itself.

Next, open Malwarebytes Anti-malware, update it ....
* select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply. Along with a fresh HJT log.
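The HJT fix list above targets two kinds of leftover entries (a BHO CLSID whose DLL is gone, and autorun values with nothing in them), and the batch file resets the hosts file to a single loopback line. As an added example that is not part of the original thread, of HijackThis or of Malwarebytes, the Python below runs the same two checks over plain text: it triages HijackThis-format log lines for those leftover entries (plus a static DNS server and a service whose binary is missing, two other entry types that appear later in this thread's log), and it audits a hosts file for any mapping beyond the stock loopback entries. The sample log lines and the hosts file are constructed for the example; the domain names in the hosts sample are placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample input in HijackThis 2.0 log format (not a real scan log):
# an orphaned BHO, a legitimate BHO, two empty autorun values, a normal autorun,
# the default proxy override, a static DNS server and a service with no binary.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A0756D7-96FB-4353-970F-57DCA7FF8C33}: NameServer = 218.248.255.194
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
"""

Finding = Tuple[str, str, str]  # (HJT section, reason, original line)

NAMESERVER_RE = re.compile(r"NameServer = (?P<ip>[0-9.,]+)")


def triage_hjt(log_text: str) -> List[Finding]:
    """Flag HijackThis lines that are dangling leftovers or worth a second look.

    O2 '(no file)'      : BHO CLSID still registered, DLL gone -> orphaned entry
    O4 ': []'           : autorun value with no command -> leftover, runs nothing
    O17 NameServer      : static DNS server on an adapter -> confirm it is the ISP's
    O23 '(file missing)': service registered for a binary that no longer exists
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]  # "O2", "O4", "R1", ...
        if section == "O2" and line.endswith("(no file)"):
            findings.append((section, "BHO registered but its DLL is gone (orphaned entry)", line))
        elif section == "O4" and ": []" in line:
            findings.append((section, "empty autorun value (leftover, nothing runs)", line))
        elif section == "O17":
            match = NAMESERVER_RE.search(line)
            if match:
                findings.append((section, f"static DNS server {match.group('ip')}; confirm it belongs to your ISP", line))
        elif section == "O23" and line.endswith("(file missing)"):
            findings.append((section, "service points at a missing binary", line))
    return findings


# Constructed sample hosts file: the two stock loopback lines plus two entries of
# the kind malware adds (the domain names are placeholders, not real targets).
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example.com    # blocks a vendor's update server
10.0.0.5        www.example.net       # redirects a site to another host
"""

LOOPBACK_IPS = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

HostsEntry = Tuple[int, str, str]  # (line number, ip, hostname)


def audit_hosts(hosts_text: str) -> List[HostsEntry]:
    """Return every hostname mapping that is not a stock loopback entry.

    A clean Windows hosts file resolves nothing but localhost, so anything else
    (a blocked update server, a redirected site) deserves a look before the
    file is reset.
    """
    suspicious: List[HostsEntry] = []
    for number, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK_IPS and name.lower() in LOCAL_NAMES:
                continue
            suspicious.append((number, ip, name))
    return suspicious


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{section}] {reason}\n    {line}")
    for number, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts line {number}: {ip} -> {name}")
```

To use it on a real machine, read the saved HJT log and `C:\Windows\System32\drivers\etc\hosts` into strings and pass them to the two functions; the O17 check only reports the address, since whether a static DNS server is legitimate depends on the ISP.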
 

My Computer

System One

  • Manufacturer/Model
    Bruce ... somewhere in his 40's
    CPU
    Intel(R) Core(TM)2 Quad CPU
    Motherboard
    INTEL/D975XBX2
    Memory
    4 GB
    Graphics Card(s)
    ATI Radeon HD 2600 Pro
    Monitor(s) Displays
    Samsung SyncMaster 914v
    Screen Resolution
    1280 x 1024
    Hard Drives
    2/500GB each ... ST3500630AS ATA Device.
    One is not connected
    PSU
    Rocketfish 700 W
    Case
    G.Skill Gigabyte Chassis
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Microsoft PS/2 Mouse
    Internet Speed
    DSL
    Other Info
    ATI HDMI Audio
FAO: Jacee (if you want you can bypass the rest of this sentence and this para and read the next one, but I suggest you read on through this para too completely) and niemiro (this thread started out with the strange Windows Explorer right click issues detected 'only' in Safe Mode on my system, which were found resolved later by use of MSSE by me as you already know, but which you still found unexplainable in your mind as to why one button works and the other doesn't and why the workarounds should work because they shouldn't; but now when you gradually read this post through you will find that the earlier Windows Explorer issues are transferred from 'Safe Mode' to 'only' 'normal boot mode', and now even double click does not work in Windows Explorer and even the workarounds do not work. So it seems to me that the 'bot' appears to be acting in vengeance when its hold on my system has been relaxed by Jacee's instruction in the 'Second Quote' below having been implemented by me and the system rebooted. Interested? Please read on through this whole post. :) )

Right now, I see you have three topics open on this ... one here and at BC's
Worm.P2P (Bot.exe) gets redetected again in the IXP000.TMP Folder during every Full Scan By MBAM even after system reboot.
and Malwarebytes!
Worm.P2P (Bot.exe) gets redetected again in the IXP000.TMP Folder during every Full Scan By MBAM even after system reboot. - Malwarebytes Forum

We're all volunteers on anti-malware forums. When you choose multiple forums to ask for the same help, you are using time that could be spent helping another victim. :(

Which forum would you like to have help you?

First is that I am communicating all this from my system in 'safe mode with networking'. The 'normal boot mode' now has 'issues', as you will find below.

Jacee, first I say sorry to you for having posted the same issues 'only in the last three or four days' on the Malwarebytes forum and the Bleeping Computer forum. Hope you will forgive me for that. Next is that I want you to help me out here itself on the Vistax64 forum. Those other threads will be closed by me without taking any action on any replies that may be forthcoming on those two threads (not that there are any forthcoming there on those two respective forums). I hope this helps.

Having said sorry to you, I hope you will allow me to clarify. Actually I was waiting patiently for your reply here for 'quite a long time' to this specific thread. On my request Richard (niemiro) even first sent you a PM, then a VM, and then again a PM, to which your previous response was received after a gap of, I believe, about two weeks or so.

Having come to know from Richard that you have responsibilities on 30+ forums, I thought some five days back that it may be easier for Jacee to reply on other forums where she may be more active. The only reason I went there was in the hope that Jacee, you may be more accessible to reply to my issues on them, not any other reason. But maybe I should have shown more patience. I again say sorry.

Rescan with HJT, check these items:

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)

O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')


Close all windows except HJT, then click "fix checked".

Reboot your computer.

After implementing the above portion of your instructions and the instructed reboot, my system has a number of issues (there may be more, but because the system hangs I cannot present more symptoms to you at this point in time), which I believe to be the handiwork of the 'bot' acting in vengeance and messing up part of the registry and possibly part of the OS.

1. A major part of the normal boot goes through (about 95% in my estimate) and then the hard disk lamp appears to be no longer lighting up. I may be wrong but that's what I observed. Since keeping the cursor on the icons and the buttons on the desktop screen shows the tooltips, I thought maybe I could proceed with some actions.

However, on right clicking the 'My Computer' icon to open Windows Explorer in 'explore' mode, the system hangs. Tried the following.

2. Task Manager is not accessible by right clicking on the Taskbar. Next I tried invoking the Security functions using CTRL + ALT + Del. No go. It doesn't work. Conclusion: system hang. Therefore I shut down the system using the Power Button.

3. On restart in normal boot mode, again a major part of the OS booted up. This time I tried double clicking 'My Computer'. This opened up Windows Explorer, thankfully, but disappointingly after a very, very long time. Next I clicked on the arrow button to the left of Program Files. This should have immediately dropped down the subfolders. But I found that, surprisingly, MSSE was scanning Program Files, as shown by the animated Magnifying Glass icon over it. It did that for a long time. Again I tried invoking the Task Manager and the Security functions as before but failed. Conclusion: system hang. Used the Power button forced shutdown and rebooted again in normal boot mode.

4. On the third reboot I again tried double clicking 'My Computer'. This time, surprisingly, it failed to do even that and the system hung. Quite surprising and illogical to me.

5. On the next reboot I thought to communicate these issues to you, so instead I directly double clicked the Mozilla Firefox icon. System hangs. That left me only one way of communicating these issues to you, and that was going into 'Safe Mode with Networking'.

6. Booted this time in 'Safe Mode with Networking'. So here I am in that mode, and thankfully everything here seems to work quite okay except for this!!!

Here I found that under the Users folder there is now additionally a 'new user' who was not present earlier at all!!! Hidden things come to light now. Maybe this is the source of the bot. Its name is 'epmikani' and it has only two subfolders, AppData and Application Data. AppData has the subfolder Local\temp, but this temp is empty, whereas in the Application Data subfolder there is the skypePM folder. In the skypePM folder there is only a single file named 2010-11-13-0.ezlog (10KB).

I have done the Trend Micro HijackThis scan in this safe mode. I find that thankfully no BHOs of the type 'no name' 'no file' are displayed, and also thankfully no HKLM and HKCU trash of the type RunOnce is displayed in the scan. The scan log contents are as below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:08, on 11/16/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\helppane.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Home Page Reset - Symantec Corp.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Home Page Reset - Symantec Corp.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Home Page Reset - Symantec Corp.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Home Page Reset - Symantec Corp.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] "rundll32.exe" C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ThreatFire] "C:\Program Files\ThreatFire\TFTray.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [RtHDVCpl] "C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe"
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [SynTPEnh] "%ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NoAutorun] "C:\Users\Prashant Mujumdar\Downloads\NoAutorun-win32-bin-1.1.1.21\NoAutorun.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared files\brs.exe
O4 - HKLM\..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe /CHECKNOW
O4 - HKLM\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe
O4 - HKLM\..\Run: [PikyAgent] C:\Program Files\Conceptworld\PikySuite\PikyAgent.exe /Startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [RemoteControl9] C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [VistaBatterySaver] "C:\Program Files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SUMo] "C:\Program Files\KC Softwares\SUMo\SUMo.exe" /minimized
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Skype] C:\Program Files\Skype\\Phone\Skype.exe /nosplash /minimized
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: Aerofoil.lnk = C:\Program Files\Aerofoil\Aerofoil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: Windows Live OneCare
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - Help and Support
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A0756D7-96FB-4353-970F-57DCA7FF8C33}: NameServer = 218.248.255.194
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 11625 bytes

----------------------------------------------------------------------------
Let's flush your DNS cache and restore MS's original Hosts file.

Copy and paste these lines in Notepad.
@Echo on
rem Make the hosts file writable (clear hidden, system and read-only attributes)
pushd \windows\system32\drivers\etc
attrib -h -s -r hosts
rem Overwrite hosts with the single default loopback entry
echo 127.0.0.1 localhost>HOSTS
rem Put the attributes back
attrib +r +h +s hosts
popd
rem Renew the DHCP lease and clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reboot in one second and delete this batch file
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click and run as Administrator.
Your computer will reboot itself.

Next, open Malwarebytes Anti-malware, update it ....
* select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply. Along with a fresh HJT log.

I have created the Flush.bat on the desktop, all ready for your confirmation. If you want me to flush the DNS and reset the Hosts file using the script you have instructed in 'Safe mode with Networking' and then do the MBAM full scan in this mode, please confirm; but regarding the latter, in my earlier post #33 I had already found that the bot does not get detected in safe mode (so assuming it is still there) it is not logically expected to get detected against Shuriken heuristics while detecting 'additional items on your system' in safe mode this time around too.

So, Jacee, what next?
 


Please run the .bat file as Administrator and follow through with the above instructions.

This is information on ezlog
EZLOG: file extension ezlog - Open .ezlog files
Do you use Skype?

You have a ton of programs running, it's no wonder your system hangs. I see you have WinPatrol .... Have it check for unnecessary 'startup items' and set to manual or stop. You have some programs running that I haven't seen before, such as [CognizanceTS] "rundll32.exe" C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
and
Conceptworld\PikySuite
Do you need them?

Is Symantec up to date? I don't see a firewall running, so if you're using Symantec, it's not fully covering you. I would suggest you uninstall it totally by using the uninstall tool:
Download and run the Norton Removal Tool to uninstall your Norton product | Norton Support

Allow Microsoft Security Essentials to be your Anti-Virus. Make sure Windows Firewall is turned on (Automatic) in Services.
 

There's a file we need to remove ....

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. Vista/Windows 7 users right-click and select Run As Administrator.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe

:Files
c:\windows\winstart.bat

:Commands
[reboot]

  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
--Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.
 

FAO: Jacee - Reply to your posts #43 & #44.

Please run the .bat file as Administrator and follow through with the above instructions.

I have run the Flush.bat file as per your instructions, now in 'Safe Mode with Networking', although after flushing the DNS cache and resetting the hosts file and the resulting reboot I again tried booting into normal mode at least five times, with the same results of failure and system hang as had been observed and mentioned earlier in my just previous post #42.

Regarding fully updated MBAM full scan in 'Safe Mode with Networking':

I am currently doing this, but I want to reaffirm to you that the bot never got detected during the so many earlier such scans done by me in safe mode, but it always got detected in similar scans during 'normal boot mode' in the recent past.

In this regard please specifically inform me whether you have read my relevant earlier post #33 in its entirety. If not, please do so.

What is the point of running this scan now again in safe mode with networking when I know it will not detect the bot in this mode, as it never has earlier? We need to run it in normal mode, where it was always detected earlier. But we cannot do so currently because of all the issues, including system hang in normal boot mode, already described in my just previous post #42.

Further, please help logically explain why my system works 'entirely okay' in 'safe mode with networking' whereas it now has all the issues in normal boot mode already described in my post #42. And I have already mentioned in my post #42 that the issues in normal boot mode are entirely a result of implementing the first part of your instructions posted in your post #41 above.

I want to inform you that prior to implementing your above instructions my system never had any such issues in normal boot mode in the entire three years of its use since purchase in October 2007.

If you want, I can use system restore in 'safe mode with networking' mode to go back to the point in time before your instructions in post #41 were implemented. You will find that my system will again resume working normally in normal boot mode, except of course for the presence of the bot, because earlier it always worked fine notwithstanding the presence of the surfeit of programs on my system.

The con of such a system restore venture in safe mode is that I won't be able to come back again to the present restore point because of the restrictions imposed by using system restore in safe mode with networking. The process would have been reversible if I could use system restore now in normal boot mode, as in this mode the system restore can be undone entirely.

I have observed while surfing threads in a number of forums that after use of rkill and especially combofix, the problem solver issues instructions to a victim for removing these troubleshooting utilities from the system. When will such instructions be issued?

Okay, the MBAM (fully updated) full scan in 'safe mode with networking' just got over. As I have mentioned earlier too, the bot doesn't get detected in safe mode at all, but it always does get detected in normal boot mode. The same thing happened this time too. It didn't get detected. So please help resolve the issues that I 'now' have in normal boot mode first, and then conduct the MBAM scan in that mode to find the presence still or absence of the bot.

Here are the contents of the just finished MBAM full scan in safe mode with networking, for the sake of academic information.

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 5129

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18975

11/17/2010 06:42:46
mbam-log-2010-11-17 (06-42-46).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 422140
Time elapsed: 1 hour(s), 43 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This is information on ezlog
EZLOG: file extension ezlog - Open .ezlog files
Do you use Skype?

I downloaded and installed Skype on my system somewhere in the second quarter of 2009, I believe, but solely because an employment firm in a foreign country requested to conduct an interview with my wife using it, as she had applied for a post there. I opened up an account in her name on Skype on my system and enabled all the settings so that she was online for all 24 hours then, since the interview could have been conducted anytime within a span of a week at that time. But the communication and interview actually never took place, for my wife dropped the idea altogether.

I have since not used Skype, but at that time, when I started receiving messages in my wife's Skype account inbox on my system, I remember having opened some of the messages just to see what was in them. There were also some invites to her from people on the Net at that time. Fed up with this, I changed the settings within a week or ten days after that so that my wife was shown as offline in the Skype account. I have never used Skype since then. Later I even changed the settings so that Skype would not be invoked at system startup.

The link you have specified clearly mentions that there is no program with which .ezlog files can be opened. Further, it also mentions that these .ezlog files were hitherto a part of Skype Extras Manager, but that Skype Extras Manager was no longer part of Skype w.e.f. somewhere in September 2009. So the link really does not help open the ezlog file now found on my system. Another point is that my wife's user name on the Skype account on my system was not at all 'epmikani', the till now hidden user now coming to light under the Users folder on my system.

Also, then, please help logically explain why the 'epmikani' user was hidden hitherto on my system till just before the time I used combofix on my system, and why it is now coming to light?

You have a ton of programs running, it's no wonder your system hangs.

On what 'logical' basis Jacee you can say no wonder that my system is now hanging solely because i have a ton of programs running. I have already informed you that till i used the first part of your instructions in your post #41 above, my system worked absolutely fine in normal boot mode (except for the presence of the bot) with no issues with it and since at that time and even before that the number of programs running on my system was the same, your premise that the surfeit number of programs running is the reason for the system hanging should mean that even before invoking your instructions my system should have had all the issues that it now has after invoking your instructions, but that is not true at all. My system never had such issues ever in the past in normal boot mode before invoking your instructions. So?

And every premise about errors must satisfy the criteria of logic. The fact is that the number of programs now running on my system remains the same, as I have not changed the settings now either in WinPatrol or in Autoruns on my system as compared to the state before invoking the first part of your instructions in your post #41, so that logically cannot be a reason for the issues 'now' faced in normal boot mode after invoking your above instructions. I think therefore that the reason for the issues now faced in normal boot mode has to be something else, and we should look for that.

Please also go through the symptoms that my system has as mentioned in my post #42 and try to help re-enable the Task Manager and the Security Dialog invoked through CTRL + ALT + DEL, both of which are currently not enabled. Hitherto before invoking your instructions they always worked.

At my end I will now use WinPatrol as per your instructions and see what programs I can untick in Startup so as to reduce the startup load on the system, but that I believe may not help in resolving the issues on my system. But I will follow all your instructions just to discount the possibilities which you believe are the cause of the issues.

You have some programs running that I haven't seen before, such as [CognizanceTS] "rundll32.exe" C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
and
Conceptworld\PikySuite
Do you need them?

Actually, Jacee, the CognizanceTS and the rest of that sentence in your quote is a part of the Bioscrypt VeriSoft Access Manager program, which uses a fingerprint scan to log a user into Windows Vista on my system and also to log a user into any program on my system that uses a user name and password. The best thing about it is that once I register my fingerprint on the software, it enables me to log into any of the above respective programs or into the Windows user login without using the keyboard to type in the password every time. So better protection against keyloggers!!!

So it is basically an alternative to typing in user names and passwords. And yes, I have the relevant fingerprint scan hardware installed on my system.

But yes, the VeriSoft Access Manager software can only be used when logging a user into 'normal boot mode' or while using an application that requires username/password authorization in normal boot mode.

Unfortunately, VeriSoft Access Manager software cannot be used in Safe Mode variants. Since the HijackThis scan I posted earlier was done in Safe Mode with Networking, you could not have seen this program in its scan. I use VeriSoft Access Manager to log into Windows.

I find, however, that with all versions of Firefox after version 3, I think, and with IE, it currently takes about 8 minutes for VeriSoft Access Manager to authorize a login into an application in any of these browsers. So doing this becomes a headache. This probably has to do with the fact that the VeriSoft software drivers have not been updated by its developer for a long time now. I think it also has to do with the original developer company, Bioscrypt, having been acquired by another company some time back and the old company's software being relegated to the dustbin while the new one promotes its own line of similar software. That happens all the time with company acquisitions and I think is a global phenomenon.

With earlier versions of the internet browsers, VeriSoft Access Manager worked very efficiently, so hitherto I used it for applications too in normal boot mode.

So I basically currently use the software to log into Windows Vista. And yes, I do use the Piky Suite Piky Basket software for copying and pasting in normal boot mode. It is integrated into Windows Explorer as a right-clickable option.

Is Symantec up to date? I don't see a firewall running, so if you're using Symantec, it's not fully covering you. I would suggest you uninstall it totally by using the uninstall tool:
Download and run the Norton Removal Tool to uninstall your Norton product | Norton Support

Allow Microsoft Security Essentials to be your Anti-Virus. Make sure Windows Firewall is turned on (Automatic) in Services.

Please refer to the relevant portion of my earlier post #11 reproduced below that will serve to inform you of the facts required to be known by you.

FAO: niemiro - Reply to your post #6 and after my post #10 above.

Sir, actually when you mentioned in your last reply that 'only Windows Defender is booting up additionally in safe mode', that signaled to me the exact 'cue' to pick up. It is always really up to the 'User' facing a specific issue to ask the right questions of a 'technical expert', is what I believe, and, based on the response of the expert, to use that response in resolving the issue.

So I started thinking that probably, due to some reason or the other (which, although I still don't understand exactly which one of these specifically, may be due to malware, maybe specifically an intelligent and network-aware rootkit or virus 'by stealth' attack, or 'remote code execution', or just simple plain 'corruption'), Windows Defender maybe is not behaving as it should.

So, I searched in Google along these lines with appropriately phrased 'expressions' and 'keywords'. And that led me to 'Microsoft Security Essentials'. Now, as you already know, when 'Microsoft Security Essentials' is installed on a Win Vista system, what it does is to 'disable' the default Windows Defender in Vista and replace it with its own 'version'.

So I did the obvious by first completely uninstalling the 'bloatware' (but, I feel, effective) 'Norton Internet Security' and associated Symantec products, rebooted, then used the Norton Removal Tool for good measure, then again rebooted, and then downloaded and installed Microsoft Security Essentials and again rebooted. After that I updated its definitions and scanned the system 'using the full scan', and even later used rkill, RkUnhooker, Prevx and Sophos Anti-Rootkit sequentially, one by one, purely on 'grounds of suspicion' of a rootkit. I still do not know whether there was a rootkit on my system or not!!!

Thereafter I went into 'Safe Mode', and there I found that on right-clicking 'My Computer' I could get all of the right-click menu options to be displayed, and then on clicking the 'explore' option it opened Windows Explorer as it should. I then right-clicked on a file in Windows Explorer, and that displayed all the required right-click options. I clicked on the 'File' menu option on top, and that action displayed all the required drop-down options as it should.

So, although I still don't know whether or not the 'default' Windows Defender in my Vista system is behaving as it should (which I can only find out on uninstalling MSSE), at least now everything is normal and the specific issues 'stand' resolved as far as already described by me above in my original post #1 in this thread. And that is that.

If you can suggest some further course of action if any or just provide me some related advice or precautions to take for the future to preempt such issues, you are most welcome to.

So actually earlier I was using Norton Internet Security 2007 version 10.2.0.30 with a long subscription, but switched over to MSSE because of the right-click issues earlier faced by me in Windows Explorer 'only' in 'safe mode'. This was actually the starting point of this thread. So the only firewall currently on my system is Windows Firewall, and it was fully enabled when I last checked in normal boot mode, when it was still working fine.

Now, while the original issues faced on my system earlier 'only' in 'safe mode' stand resolved, the same issues 'are now cropping up instead' 'only' in normal boot mode, solely because of the implementation by me of the first portion of your instructions in your post #41, and now the workarounds also do not work. Further, neither Task Manager nor the Security Dialog works now in normal boot mode, while all this works fine in 'Safe Mode with Networking'. Add to this the 'system hang' issues now faced in normal boot mode, and it means I cannot use normal boot mode at all.

Please therefore help resolve all these, because I never faced them earlier in normal boot mode at all.

There's a file we need to remove ....

Please download OTM by OldTimer and save to your Desktop.
  • Double-click on OTM.exe to launch the program. Vista/Windows 7 users right-click and select Run As Administrator.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the code box and press CTRL+C or right-click and choose Copy.
:Processes
explorer.exe

:Files
c:\windows\winstart.bat

:Commands
[reboot]


  • Return to OTM, right-click in the open text box labeled "Paste Instructions for Items to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTM\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
--Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. After the reboot, open Notepad, click File > Open, in the File Name box type *.log and press the Enter key. Navigate to the C:\_OTM\MovedFiles folder, open the newest .log file and copy/paste the contents in your next reply. If not asked, reboot anyway.

I will now do this as this was a separate post #44 from you, but please look into my above reply to your previous post #43 and reply accordingly to that.

Thanks for posting replies quite fast, and I feel grateful to you, Jacee, in advance for all your similar continued help to me in future too.

Prashant

Okay, Jacee, do not bother about the issues that I 'had' (see, I am referring to the issues already in the past tense :) ) in normal boot mode, for I have resolved them by searching in Google and finding that some of the different anti-malware programs are incompatible with each other, and that due to that conflicts can arise. That was a new one on me, because to the best of my knowledge till now a user could have all the different anti-spyware programs on a system.

So first of all I opened up appwiz.cpl in 'elevated mode' in Safe Mode with Networking, uninstalled one anti-malware program on my system, and then I had a choice of either disabling the Emsisoft Anti-Malware service or disabling the Microsoft Antimalware service. I chose to disable the former by opening services.msc in elevated mode in Safe Mode with Networking.

Then I rebooted the system in normal mode and found that that was just the problem, and now everything works fine in normal boot mode again. Absolutely no issues. And definitely the issues were therefore not because of the surfeit of programs on my system. :)

Currently I am doing the MBAM full scan in normal boot mode. I shall inform you of the results as soon as it gets over. Do you still want me to download OTM and follow your instructions in your post #44 in the light of the above good news? I guess not, but please confirm and I will act accordingly.

Hope the bot will have been banished from my system through your esteemed help. Am crossing my hands and waiting till the MBAM full scan in normal boot mode gets over.

Prashant

FAO: Jacee

1. The MBAM full scan in normal boot mode got over a while ago. The same bot is unfortunately still there. It was again detected at the fag end of the scan, while MBAM was 'scanning additional items on your system'. I selected it and pressed the 'Remove Selected' button. A window came up stating some items could not be removed. A log was saved and the reboot window came up. I pressed 'yes' and the system rebooted.

The contents of the MBAM full scan log in normal boot mode are pasted below:

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 5129

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

11/17/2010 17:26:26
mbam-log-2010-11-17 (17-26-26).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 426049
Time elapsed: 4 hour(s), 23 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Prashant Mujumdar\AppData\Local\Temp\IXP000.TMP\bot.exe (Worm.P2P) -> Delete on reboot.
-----------------------------------------------------------------------------------------------------

2. Here are the fresh HijackThis scan log contents:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:36:17, on 11/17/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\CyberLink\Shared files\brs.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Conceptworld\PikySuite\PikyAgent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\KC Softwares\SUMo\SUMo.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Aerofoil\Aerofoil.exe
C:\Windows\system32\svchost.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\System32\NOTEPAD.EXE
C:\Program Files\Mythicsoft\Agent Ransack\AgentRansack.exe
C:\Program Files\Trend Micro\HiJackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\UnHackMe\UnHackMe.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Home Page Reset - Symantec Corp.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Home Page Reset - Symantec Corp.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Home Page Reset - Symantec Corp.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Home Page Reset - Symantec Corp.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] "rundll32.exe" C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ThreatFire] "C:\Program Files\ThreatFire\TFTray.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [RtHDVCpl] "C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe"
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [SynTPEnh] "%ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NoAutorun] "C:\Users\Prashant Mujumdar\Downloads\NoAutorun-win32-bin-1.1.1.21\NoAutorun.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared files\brs.exe
O4 - HKLM\..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe /CHECKNOW
O4 - HKLM\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe
O4 - HKLM\..\Run: [PikyAgent] C:\Program Files\Conceptworld\PikySuite\PikyAgent.exe /Startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [RemoteControl9] C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [VistaBatterySaver] "C:\Program Files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SUMo] "C:\Program Files\KC Softwares\SUMo\SUMo.exe" /minimized
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Skype] C:\Program Files\Skype\\Phone\Skype.exe /nosplash /minimized
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: Aerofoil.lnk = C:\Program Files\Aerofoil\Aerofoil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: Windows Live OneCare
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - Help and Support
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A0756D7-96FB-4353-970F-57DCA7FF8C33}: NameServer = 218.248.255.194
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 15004 bytes

-------------------------------------------------------------------------------------------------

3. Implemented your instructions in post #44:

After pressing MoveIt, the results were displayed in the right pane in the OTM window and the reboot window came up. I pressed 'yes' and the system rebooted.

On system reboot in normal mode I opened the requisite log file in Notepad as per your instructions. Its contents are pasted below:

Error: Unable to interpret <:> in the current context!
Error: Unable to interpret <Processes> in the current context!
Error: Unable to interpret <explorer.exe> in the current context!
========== FILES ==========
c:\windows\winstart.bat moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.1.17.2 log created on 11172010_190539
------------------------------------------------------------------------------------------------

Please advise. If you want, I am willing to uninstall whatever programs you want to be uninstalled in our endeavor to remove the bot from my system. I can easily uninstall absolutely any program, including Piky Suite and Cognizance and even others. Please confirm to me the ones you want uninstalled and I shall straightaway uninstall them.

Prashant

c:\windows\winstart.bat moved successfully.

This is good! The 'batch' file was meant to protect a rootkit. This is a legit file in Windows 95 and 98, but that's not your OS.

Follow the path in the registry and see if you have this ... or something similar
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
wextract_cleanup0 = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%Temp%\IXP000.TMP\""
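As an added, defender-side check (not part of Jacee's instructions or any tool named in the thread), the PowerShell script below gathers the three artefacts this post and the logs above refer to in one pass: the winstart.bat file, any RunOnce value of the wextract_cleanup form, and whatever sits in %Temp%\IXP*.TMP, together with any delete-on-reboot operation still queued for those folders. It assumes PowerShell 3 or later (Get-FileHash needs 4 or later), so the Vista machine in this thread would need an updated Windows Management Framework, and an elevated prompt so the machine hive and hidden files are readable.

```powershell
# Added triage script (not from the thread). Read-only: it reports, it does not remove.
# Run from an elevated PowerShell prompt; requires PowerShell 3+ (Get-FileHash: 4+).

$report = [ordered]@{}

# 1. winstart.bat in the Windows directory: legitimate only on Windows 95/98, as noted above.
$winstart = Join-Path $env:SystemRoot 'winstart.bat'
$report['winstart.bat present'] = Test-Path $winstart
if (Test-Path $winstart) {
    $report['winstart.bat size (bytes)'] = (Get-Item $winstart -Force).Length
}

# 2. RunOnce values of the wextract_cleanup* form. IExpress/wextract self-extractors write
#    one of these so that advpack.dll,DelNodeRunDLL32 removes their own IXP###.TMP folder;
#    the entry itself is normal, what matters is what the package extracted there.
#    The post names the machine hive; the user hive is checked here as well (assumption).
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$cleanupEntries = foreach ($key in $runOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc. added by the provider
        if ($p.Name -like 'wextract_cleanup*' -or "$($p.Value)" -match 'DelNodeRunDLL32') {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}
$report['RunOnce cleanup entries'] = @($cleanupEntries).Count

# 3. IXP*.TMP extraction folders under %Temp% (the MBAM log above flagged
#    %Temp%\IXP000.TMP\bot.exe). -Force includes hidden/system entries.
$ixpDirs = Get-ChildItem -Path $env:TEMP -Directory -Force -Filter 'IXP*.TMP' -ErrorAction SilentlyContinue
$ixpFiles = foreach ($d in $ixpDirs) {
    Get-ChildItem -Path $d.FullName -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Bytes   = $_.Length
            Written = $_.LastWriteTime
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}
$report['IXP*.TMP files'] = @($ixpFiles).Count

# 4. Deletes/moves queued for the next reboot (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT
#    records them here). A file that is still present after several reboots while it is
#    listed here matches the "Delete on reboot" keeps-failing symptom described in the thread.
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pfro = (Get-ItemProperty -Path $sessionMgr -ErrorAction SilentlyContinue).PendingFileRenameOperations
$queuedIxp = @($pfro | Where-Object { $_ -match 'IXP\d{3}\.TMP' })
$report['Pending reboot ops touching IXP*.TMP'] = $queuedIxp.Count

# Summary first, then the details worth pasting into a reply.
$report.GetEnumerator() | Format-Table -AutoSize
$cleanupEntries | Format-List
$ixpFiles | Format-Table -AutoSize
$queuedIxp
```

The hashes in section 3 are what you would submit to a multi-engine scanner (as was done with VirScan.org later in this thread) instead of uploading the files themselves.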
FAO: Jacee - Reply to your posts #48 & #49.

In regedit, in the path you specified, [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce], the right pane displays the following:

Name: Default; Type: Reg_SZ; Data: (value not set)

There is a subkey ApprovedBYRegRun2 under RunOnce in the above path.

In the right pane against ApprovedByRegRun2 is displayed the following:

Name: Default; Type: Reg_SZ; Data: (value not set)

So definitely not what we are searching for, but I clearly remember having seen this wextract_cleanup0 thing in the past on my system but unfortunately do not remember exactly where and on which date. Okay, I just remembered Agent Ransack on my system and used it to search the system for files whose contents have the string 'wextract_cleanup0'. It found the relevant portion in the Windows Defender MPLog file (attached in and as one 'Combined Log.zip' with other attached files with this post). The ThreatFire log file also has such entries in its log.db3 file (attached in the one 'Combined Log.zip' with the other attached files with this post).

But I opened up the so-moved winstart.bat (1 KB) file in edit mode and found it completely empty.

But see here is something very relevant on a hidden rootkit on my system!!!

In 'kernel callbacks' a hidden driver loads up from the address location 0x8523AF78. The callback type is LoadImage and the module is empty. This is shown in red in the Kernel Callbacks tab when I conduct a system scan using the NoVirusThanks Anti-Rootkit software on my system. I see a right-click option of removing that kernel callback LoadImage, and so I removed the LoadImage and then did an MBAM full scan, but by first unticking 'scan file system objects' to shorten the time for the scan, for as it is the bot never got detected during the scanning of file system objects. So I did the MBAM scan and, as usual, the bot again got detected while scanning additional objects against Shuriken heuristics.

I tested by rebooting thereafter whether the rootkit protector while windows boots up is there or not because you mentioned that winstart.bat was the rootkit protector and as it has been moved the bot can be deleted while the OS boots up during the system restart.

I have both Quick reports from the above Anti-Rootkit scan one before and one after the LoadImage hidden driver was removed from Kernel Callbacks. But as these reports are both 1 MB each, i am currently attaching them with this post in the abovementioned 'Combined Log.zip' file.

But i find that there must possibly be another rootkit protector that protects the rootkit during the windows restart and booting up process because in the next scan that i did with the NoVirusThanks Anti-Rootkit software, the hidden driver LoadImage from the address location 0x8523AF78 again is found in Kernel Callbacks and the bot again gets detected during the next full scan with MBAM but performed by again shortening the time for it by unticking scan file system objects and it again fails to get deleted from the system on the next reboot. So?

Are we progressing any further in our endeavor, Jacee?

I have also just used another NoVirusThanks program, HijackHunter, on my system, and I am attaching its log report in the above-mentioned 'Combined Log.zip' with all the other attached files, as it provides much more info than the HijackThis scan. Please help and see if you can find something therein that can be investigated further.

Virscan.org results for the four files that you specified in your post #49:

Scanners did not find malware in any of these files.

I have saved the results for each individual file as HTML on my desktop.

Prashant
 


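The registry check in the post above (the RunOnce key, and the HJT "O4 ... (no file)" entries earlier in the thread) can be done for every hive at once instead of clicking through regedit. The following PowerShell script is an added example and is not code from anyone in this thread: it walks the Run, RunOnce and Policies\Explorer\Run keys under HKLM, HKCU and every hive loaded under HKEY_USERS (which is where the SYSTEM and Default User RunOnce entries live), resolves the executable each value points to, and flags values whose target no longer exists (HijackThis's "(no file)"), values that are empty, and values whose name or command line matches a hunt string such as wextract_cleanup. The HKU drive mapping, the path-extraction regex and the hunt string are assumptions of this example. For context, an entry named wextract_cleanup0 is commonly the RunOnce entry that Windows' own IExpress self-extractor (wextract.exe) writes to delete its temporary IXP*.TMP folder, so seeing that name in a log is not by itself evidence of infection; what matters is what the command line runs.

```powershell
# Added example (not from the thread): audit Run/RunOnce autostart entries
# across all loaded hives. Run from an elevated PowerShell 2.0+ prompt.
param(
    [string]$Pattern = 'wextract_cleanup'   # assumed hunt string
)

# Map HKEY_USERS so per-user hives (S-1-5-18, .DEFAULT, logged-on SIDs) can be read
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# HKLM, the current user, and every hive currently loaded under HKU
$roots = @('HKLM:', 'HKCU:') +
         (Get-ChildItem HKU: | ForEach-Object { 'HKU:\' + $_.PSChildName })

# Extract the program from a command line: a quoted path or the first token
function Get-TargetPath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

# True if the target exists on disk or (for a bare name like rundll32.exe) on PATH
function Test-Target([string]$target) {
    if (-not $target) { return $false }
    $t = [Environment]::ExpandEnvironmentVariables($target)
    if (Test-Path -LiteralPath $t) { return $true }
    if ($t -notmatch '[\\/]') { return [bool](Get-Command $t -ErrorAction SilentlyContinue) }
    return $false
}

foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # provider metadata, not values
            $cmd   = [string]$p.Value
            $flags = @()
            if ($cmd.Trim() -eq '') {
                $flags += 'EMPTY'                          # the "[]" entries HJT showed
            } elseif (-not (Test-Target (Get-TargetPath $cmd))) {
                $flags += 'NO FILE'                        # HJT's "(no file)"
            }
            if ($p.Name -match $Pattern -or $cmd -match $Pattern) { $flags += 'PATTERN' }
            if ($flags.Count -gt 0) {
                New-Object PSObject -Property @{
                    Key   = $key
                    Name  = $p.Name
                    Value = $cmd
                    Flags = ($flags -join ',')
                }
            }
        }
    }
}
```

Run it as `.\Audit-Autostart.ps1 | Format-Table -AutoSize` from an elevated prompt (an unelevated shell cannot read the SYSTEM hive). A kernel-mode rootkit that hooks registry access can hide its own values from this listing just as it hides them from regedit, which is the reason Jacee gives later in the thread for not trusting any scan run on the infected system itself.
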
Prashant, I must tell you that I, personally, will not deal with a Rootkit!

Some of our utmost "valued" Security Advisors will...but I won't! Please read this
Rootkit - Wikipedia, the free encyclopedia
Given the stealth nature of rootkits, there are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media.[62][63] This is because antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits. Booting an alternate operating system from trusted media can allow an infected system volume to be mounted and potentially safely cleaned, critical data to be copied off, or alternatively, a forensic examination performed.[64] Lightweight operating systems such as Windows PE, Windows Recovery Console, Windows Recovery Environment, BartPE or Live Distros can be used for this purpose, allowing the system to be cleaned.
Even if the type and nature of a rootkit is known, manual repair may be impractical, while re-installing the operating system and applications is safer, simpler and quicker.[65] Re-installation time can be greatly reduced by modern drive imaging software, especially when the source image includes necessary hardware drivers and software applications.

My best advice would be to wipe and do a "Clean Install" Vista: reformat and reinstall - Cyberwalker.com

I'm sorry, but I can't guarantee that your computer will ever be stable again without doing the above instructions. I would not even try to clean my own computers, if I had a Rootkit ...
 

Okay, Jacee, this probably means that the so-called 'most secure' Windows Vista and Windows 7 operating systems have no 'defense' against rootkits which hide in the core of the OS known as the kernel.

If that is true, I therefore urge Microsoft, through your good offices, to build Windows 9 or 10, whichever is still entirely on the drawing board in its 'initial stages', to incorporate a 'complete security layer' around the Windows kernel so that no rootkit will dare to enter and hide in it. I am sure there must be a way to build such a complete security layer for kernel security, and you, as a security expert who is a very experienced MVP, can surely help in such a venture.

Secondly, I request Microsoft, through your good offices, to include a complete Internet Security System within the standard edition of such a future Windows OS that is not only able to protect the user from viruses, trojan horses, worms, bots and the like, but also from malware and spyware. It must include an intrusion detection and trapping system, and, as already mentioned, its security layer must be able to throw off even the most persistent efforts of the most intelligent and network-aware rootkits to enter the kernel and hide there.

Any Windows OS with such a built-in security layer having all the above features will always be much better, because everything will be tightly integrated within the OS itself, and computer buyers will not then need to search for, compare, and separately buy third-party security products.

Further, I for one will not mind paying more for such a Windows OS. It will establish Microsoft like never before, and users will also be comparatively secure while using the Internet for their needs, especially lay users having little awareness of the many threats on the Internet highway.

I hope to receive a reply from you, Jacee, to the above that appreciates my view and suggestion, as I don't think it is in any way to the detriment of Microsoft.

At least you can apprise me of what you have to say regarding the above. I would very much like to know your views as a security expert.

I thank you, Jacee, for devoting your valued time to attempt to help eradicate the security issues on my system, and I feel grateful to you. But I really would also like to know, once I have done a clean reinstall of Vista with Richard's (niemiro's) help on my system, how best I can avoid such intrusions of a bot or rootkit or other malware on my system in future, or whether it is true that my system will still be equally vulnerable to drive-by intrusions of rootkits and the like. Further, when I back up my critical personal data from the hard disk before the clean reinstall, I fear the rootkit or bot may hide inside that data. Is this fear justified?

I have already learnt not to install and use uTorrent or other P2P clients on my system. Free software from dubious websites is not to be downloaded and installed. Further, network security must be tight, and a good Internet security suite (such as MSSE) must be installed together with the Windows Firewall, which must be enabled at all times, with DEP protection for all programs. This is what I already know, so, as a security expert, please inform me what other things I and other victim users must take care of. Or if you already have everything ready, just provide the link and I will read up.

Awaiting your reply to the above, and many thanks again to you, Jacee.

Prashant
 


FAO: niemiro - I require your help specifically, Richard, to do a clean install of Windows Vista on my system.

Jacee, in her previous post #51, has just emphasized that the rootkit on my system is too far inside the kernel for practicable removal. Therefore she has recommended that I do a clean install of Windows Vista on my system. I value her experience as a security expert and want to do what she has recommended.

Will you help me do that?

My HP Pavilion DV6516TX notebook has 32-bit Windows Vista Home Premium with Service Pack 2 installed.

I have the 'Windows Vista recovery disc' specific to my system from HP, from when I purchased the notebook in October 2007, but that will restore the system only to factory settings, without Service Pack 1 and 2. There is also an equivalent recovery partition on my system's hard disk.

I do not have any complete Vista OS DVD. What I have is only a recovery version.

Could you please help me do a clean install of Windows Vista on my system? What will be the step-by-step sequence, starting from the personal data backup onwards? Will the bot or rootkit get transferred into the backed-up personal data? The problem of slipstreaming SP1 and SP2, or downloading them and then installing them, etc. So many thoughts are in my mind now, but I do not have any solutions for them. I have never faced such a situation before. Please help me, as I look up to you.

Thanks in advance

Prashant
 


FAO: Lorien

Sir, I have found you to be of tremendous help to me in the past, by keeping a general track of this thread, offering your inputs, and also helping by conveying to Jacee that I require her esteemed services. Many thanks to you.

As you can see, Jacee has now recommended a wipe and clean install of Windows Vista because of the rootkit in the OS kernel of my system, which in her expert opinion is practically not removable (refer to post #51).

Consequently, heeding her valuable advice, wide experience, and recommendation, I have (through my post #53 above) requested Richard (niemiro) to help me out with this clean install, as I am at a complete loss as to how to go about this. I have requested him because in my two active threads he helped resolve the issues, and following his precise instructions I think I developed a good understanding with him, and it really helped me.

But I realize now that he could be very busy on other topics. Further, I also now realize this may possibly require closure of this thread and the opening of a new thread by me to ask for help with a wipe and clean install, with the details I have mentioned in my post #53 above.

Please provide your valuable inputs and suggestions for this. I do not know other seniors on this forum yet, as I am a newbie here, but I find you are not only good but also very nice and always offering a helpful hand to users facing issues. Thanks.

Prashant
 


Hi Prashant,

Since you will be using the Recovery Disks from the manufacturer, it will restore your computer to just like it was when first purchased - no programs you've installed, no updates or Service Packs, no data or other files - NOTHING but what came with the system to begin with (and it will most likely ask if you want to do a full or quick format of the drive first - or it may just do it depending on how the recovery programs are configured).

First, we need to remove and save your important data. I believe this is safe and will not transfer the infection to the new installation. We need a place to store this data - an external HDD, a set of DVDs or CDs (assuming you can burn to them), a flash drive (depending on how much data needs to be saved), or a networked computer with enough free disk space if that exists. You want to do a full backup of the data but include no system files - given your version of Vista that's the only option you should have (but make sure it is a full backup and not an incremental or differential backup - it will probably present you with the option of a full backup first anyway). Here's the procedure: http://www.vistax64.com/tutorials/100133-backup-files.html.

If you have data stored elsewhere that isn't included in the normal full backup (I don't know what that might be as I don't know everything you have installed or where you keep all your data), and you know where it is located, you can include that as a separate "backup" (you can't add it to the full backup but you can still save that data and probably to the same destination). Make certain it is only data and not any other type of program or other file. Here's that procedure (though I doubt you will really need it unless you're trying to save things like the Word custom dictionary or have multiple e-mail programs where the data is not stored in your user profile but in the program itself or something like that). Be VERY careful here as this could transfer the infection if you choose to backup the wrong file or files - if in any doubt, post and ask before doing it. http://www.vistax64.com/tutorials/218344-backup-specific-files-vista-like-nt-backup-xp.html.

Next, copy any configuration information you will need to setup the computer again (like the ISP network information and the e-mail account (or accounts) setup settings and things like that). That way you won't have to call around later to get those details.

OK, now the data is backed up and you have your configuration information and we can proceed with the restore to factory conditions. You will need to boot to the Manufacturer's Recovery Disk. To boot to the CD or DVD, you may need to change the BIOS to make the CD-drive first in the boot sequence. To do that, wait for the screen that tells you the F key to push to access the boot menu or boot setup. Push it quickly. Make the changes, save your work, and exit. Put the CD in the drive and reboot. When prompted, push any key to boot from the CD.

The rest should be fairly simple - just follow the prompts to do a complete restore to factory conditions. Every recovery process is different so I can't provide you with specific instructions on how it will work, but just follow the steps as they come up. The convenient thing here is that if you somehow mess up (as unlikely as that is), all you really need to do is start over again because you've already backed up your data so you have nothing to lose. Be sure you select the same drive partition as you used before (be sure you don't install on top of your Recovery Partition or something like that). If you really get stuck, contact the computer manufacturer's technical support department for guidance on how to perform the process (as we don't have that information) - procedures may even be in an online article and you may not need to speak to anyone.


To do an ordinary clean install you would proceed as follows: http://www.winsupersite.com/showcase/winvista_install_03.asp (but you need to adapt as necessary by the procedures of your computer manufacturer and how the recovery disk operates so most of that will probably not apply in your situation but I include it in case it helps).

Then you will need to re-install all your programs, reset all your preferences, reconfigure your network and email settings, restore your backed up data, run Windows Update with possibly nearly 150 updates and the Service Packs pending,... This is more time-consuming than difficult.

That's pretty much it.

I hope this helps.

Good luck!

P.S. Don't bother with another thread - we'll just keep using this one if you run into any troubles along the way or have any questions.
 


System One

  • Manufacturer/Model
    Dell Inc. MP061 Inspiron E1705
    CPU
    2.00 gigahertz Intel Core 2 Duo 64 kilobyte primary memory
    Motherboard
    Board: Dell Inc. 0YD479 Bus Clock: 166 megahertz
    Memory
    2046 Megabytes Usable Installed Memory
    Graphics Card(s)
    ATI Mobility Radeon X1400 (Microsoft Corporation - WDDM) [Di
    Sound Card
    SigmaTel High Definition Audio CODEC
    Monitor(s) Displays
    Generic PnP Monitor (17.2"vis)
    Screen Resolution
    1920 x 1200 pixels
    Hard Drives
    Hitachi HTS541616J9SA00 [Hard drive] (160.04 GB) -- drive 0, s/n SB2411SJGLLRMB, rev SB4OC74P, SMART Status: Healthy
    Case
    Chassis Serial Number: 5YK95C1
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Logitech HID-compliant Cordless Mouse
    Internet Speed
    1958 Kbps download ; 754.8 Kbps upload
    Other Info
    Optiarc DVD+-RW AD-5540A ATA Device [CD-ROM drive]

    Dell AIO Printer A940

    Conexant HDA D110 MDC V.92 Modem

    6TO4 Adapter
    Broadcom 440x 10/100 Integrated Controller
    Broadcom 802.11n Network Adapter
    Microsoft ISATAP Adapter
    Teredo Tunneling Pseudo-Interface

    Router Linksys / WRT54G -01
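Lorien's backup step above comes with the warning to copy only data and never a program or other file that could carry the infection across. The following PowerShell script is an added example, not code from Lorien or anyone else in the thread: it uses robocopy (shipped with Vista) to copy the usual profile data folders to an external drive while skipping executable and script types, hidden/system files and junction points, and then audits the destination for anything that slipped through. The destination drive letter, the folder list and the extension list are assumptions of this example; adjust them to where your data actually lives.

```powershell
# Added example (not from the thread): data-only profile backup with robocopy,
# followed by an audit of the destination. Assumes E: is the external drive.
$Dest    = Join-Path 'E:\Backup' $env:USERNAME     # assumed destination
$Folders = 'Documents','Pictures','Music','Videos','Desktop','Favorites'

# Types that have no business in a personal-data backup (executables, scripts,
# shortcuts, temp files, autorun.inf); extend to taste
$ExcludeTypes = '*.exe','*.dll','*.sys','*.scr','*.com','*.bat','*.cmd',
                '*.vbs','*.js','*.jse','*.wsf','*.pif','*.lnk','*.tmp','autorun.inf'

function Test-Excluded([string]$name) {
    foreach ($pat in $ExcludeTypes) { if ($name -like $pat) { return $true } }
    return $false
}

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

foreach ($f in $Folders) {
    $src = Join-Path $env:USERPROFILE $f
    if (-not (Test-Path -LiteralPath $src)) { continue }
    # /E  copy subfolders        /XA:SH skip hidden and system files
    # /XJ skip junctions (Vista's "Application Data" loops)
    # /XF skip the listed types  /R:1 /W:1 don't hang on locked files
    & robocopy $src (Join-Path $Dest $f) /E /XA:SH /XJ /R:1 /W:1 `
        /XF $ExcludeTypes /LOG+:"$Dest\robocopy.log" /NP | Out-Null
    # robocopy exit codes 8 and above mean something failed to copy; 1-7 are informational
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures for $src (exit $LASTEXITCODE)" }
}

# Audit: nothing hidden/system and nothing of an excluded type should be on the
# destination. Anything listed here needs a look before the backup is trusted.
$suspect = Get-ChildItem -LiteralPath $Dest -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and (
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -or
            (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) -or
            (Test-Excluded $_.Name)
        )
    }

if ($suspect) {
    Write-Warning "Files on the backup that should not be there:"
    $suspect | Select-Object FullName, Length, Attributes | Format-Table -AutoSize
} else {
    Write-Host "Audit clean: no hidden/system or excluded-type files under $Dest"
}
```

Office documents, PDFs and archives are still data and are copied; they can carry macros or embedded executables, so the new installation's antivirus should scan the backup drive before anything is opened from it. The audit is only as honest as the filesystem view of the machine running it, which is why the later posts in this thread check the removable drive from a different angle.
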
FAO: Lorien and, if possible, also Jacee and other security experts on this forum.

Thanks, Lorien, for your inputs on the wipe and clean install of Windows Vista on my system in your post #55 above. They will be very helpful to me.

Since the suggested (and required) first step is the backup of personal data, and since we do not want the rootkit in my system to transfer its signature payload file along with the personal data to a pen drive or other media such as an external hard disk, CD or DVD, I first did a little test (notwithstanding your view in your post that the infection will not get transferred along with the backup of the personal data to external media) just to recheck.

What I did was attach a pen drive to my system and format it completely. Next, when the dialog box informing me that the format was complete came up, I removed the pen drive from the system. I then closed the 'Format complete' dialog box and reattached the same pen drive to the system. Within moments I could observe in the right pane of Windows Explorer (with the pen drive selected in the left pane) that the rootkit immediately and automatically copied its payload file of the form emd*.tmp to the pen drive, and within moments it became hidden from view and from then on was not visible at all.

I formatted the pen drive again and repeated the same experiment. The conclusion is that the rootkit in my system always copies its payload onto the pen drive, and its signature is always of the form emd*.tmp.

Unfortunately, that means either we have to take steps so that the rootkit somehow cannot copy its payload to the pen drive (I think maybe Jacee as a security expert, or even other security experts on this forum, could give a view on this specific aspect: whether this can be done and, if yes, what has to be done to achieve it), or, if she says no, it surely means that I will have to forgo all the personal data on my system, which would be a pity. The more I think of it, the more I somehow feel that the latter option is what will sadly have to be the conclusion.

What do you, or other security experts on this forum who may have good experience with rootkits, suggest? Thanks in advance.

And yes, in my earlier posts (I realize) while replying to Jacee, the length of each such post could have been much shorter (Lorien, you probably think so too, and even Richard (niemiro) might echo my thoughts), and the language and the arguments used could have been much nicer and more tactful. Sorry to Jacee, and I hope to improve, because I don't want this forum to lose a security expert of her standing.

Prashant
 

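The pen-drive experiment above was done by eye in Explorer, which is exactly the view a rootkit controls. The following PowerShell script is an added example, not code from anyone in the thread, and it makes the same test repeatable: it takes a snapshot of every file on the removable volume (hidden and system files included, with size, attributes and a SHA-256 hash), waits for the drive to be pulled and re-inserted, takes a second snapshot, reports what was added or changed, and explicitly looks for the emd*.tmp name Prashant saw. It finishes by setting the NoDriveTypeAutoRun policy to 0xFF so that a dropped autorun.inf cannot execute when the drive is plugged into the next machine. The drive letter is an assumption of this example.

```powershell
# Added example (not from the thread): snapshot a removable volume before and
# after re-insertion, report dropped or modified files, and disable AutoRun.
# Assumes the pen drive is F:. Run elevated so the policy write succeeds.
$Drive = 'F:\'

# Hash every file on the volume, including hidden/system ones, keyed by path
function Get-VolumeSnapshot([string]$root) {
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $snap = @{}
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $hash = 'UNREADABLE'
            try {
                # FileShare ReadWrite so a file held open by the dropper still hashes
                $fs = [IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
                try   { $hash = ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
                finally { $fs.Close() }
            } catch { }
            $snap[$_.FullName] = New-Object PSObject -Property @{
                Size = $_.Length
                Attr = $_.Attributes.ToString()
                Hash = $hash
            }
        }
    return $snap
}

# Emit one record per file that appeared or changed between the two snapshots
function Compare-Snapshots($before, $after) {
    foreach ($path in $after.Keys) {
        $a = $after[$path]
        $change = $null
        if (-not $before.ContainsKey($path))          { $change = 'ADDED' }
        elseif ($before[$path].Hash -ne $a.Hash)      { $change = 'MODIFIED' }
        if ($change) {
            New-Object PSObject -Property @{
                Change = $change; Path = $path; Attr = $a.Attr; Size = $a.Size; Hash = $a.Hash
            }
        }
    }
}

$before = Get-VolumeSnapshot $Drive
Read-Host "Snapshot taken. Remove and re-insert $Drive, then press Enter"
$after  = Get-VolumeSnapshot $Drive

$diff = @(Compare-Snapshots $before $after)
if ($diff.Count -eq 0) {
    Write-Host "No files added or modified on $Drive (as far as this system lets us see)"
} else {
    $diff | Select-Object Change, Path, Attr, Size, Hash | Format-Table -AutoSize
}

# Call out the specific name pattern observed in the thread
Get-ChildItem -Path $Drive -Force -Filter 'emd*.tmp' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning ("Dropped file: {0} [{1}]" -f $_.FullName, $_.Attributes) }

# 0xFF disables AutoRun for every drive type, so autorun.inf on the stick is inert
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
Set-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
```

The caveat is the one Jacee's Wikipedia quote makes: a kernel-mode rootkit that filters directory listings hides the dropped file from Get-ChildItem just as it hid it from Explorer, so an empty diff from the infected machine proves nothing. Running the same snapshot function against the stick from a clean machine, or from a boot CD, is the version of this check that can be believed, and it is also the right place to delete whatever it finds before the stick touches the freshly installed system.
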

@pm2397, this forum won't lose me because of the 'extended length' of your replies.

Please follow Lorien's instructions in post #55.
 

Hi Prashant,

From Jacee's reply, it seems that she is not concerned about the results of your experiment as she recommended you proceed as I suggested despite what you disclosed. I don't know if that's because she wants to test if it works anyway or if that experiment is not actually transferring the rootkit but doing something else or simply trying and being unsuccessful - this is beyond my scope of expertise and I don't know her plans - but as she has read your reply and still suggested you follow #55, then I suggest that's how we should proceed. You have the instructions. The ball is now in your court.

Incidentally, I've posted replies at least as long as yours and even longer - so I have no trouble with a long post. I generally prefer to have too much information to not having enough. Not everyone agrees with that, but it certainly hasn't bothered me in the slightest. And you read Jacee's reply on that topic.

Post if you have any questions or problems and someone will try to respond (perhaps whoever is best qualified given the inquiry).

Good luck!
 

FAO: Jacee, Lorien, and niemiro. Please do read this complete post (I know, and you already know, it will be a long read). You may not forget it for at least a day or two, because now, belatedly, when it is of no consequence, I have won one last-ditch battle fighting virtually alone against the bot/rootkit in my system!!!

My finding: it is curious how, mostly, when we fear and try to avoid losing everything, we consistently fail, but on some rare occasions, when we have nothing to lose and still fight on regardless, the outcome surprises us, because we find we may have won a battle or two against something that is virtually and seemingly unfightable.

Although I have been clearly understanding, preparing, and planning everything and bringing my knowledge up to date in the last two days regarding the only recourse now left, which is the wipe and clean install of Windows Vista on my system (I had a chat session with HP technical support and they provided me the applicable HP web links for my specific notebook, the DV6516TX, detailing the procedure for the clean install of Windows Vista Home Premium using the HP Recovery Disk that I already have; they also clarified all the points that I asked them, and now I am finally going to do the wipe and clean install within the next two days), on the other hand, in parallel, something within me has very firmly shrunk from giving up the fight against the bot/rootkit (and its creator and remote controller) on my system. So, before I ultimately surrendered to the bot/rootkit, I thought of fighting one last battle against it, 'all alone', despite everyone else's thinking.

And in this regard, at last I have some very good news for you all (a pity that it is so belated, because Jacee has already recommended this case for a clean install, and be sure that I will be doing that only and nothing else, because I have great respect for her technical knowledge, expertise, and wide experience), but I want to tell the bot/rootkit creator/remote controller that though he/she may have won the war, I have won at least a 'battle', and if we all unite together 'simultaneously' some day in the future, rootkits and bots will surely be consigned to the dustbin. And I think that day will not be far away. But we need to be positive, have confidence, and be willing to fight and think of some logical steps. One is to start 'redesigning' the BIOS (not much research or rethinking has been done in this regard for a long time, I believe) and to put 'enough code' into it that will fight and 'contain' rootkits, because it loads before the OS does, and the rootkits surely cannot enter the BIOS to subvert the code.

Okay, enough of mere talk, so what is this good news, and what did I do to achieve it? First, Jacee, see the contents of this fresh MBAM full scan log of the C: drive, with all default scanner settings, done in normal boot mode today. The bot's gone. And how. That is the good news.

MBAM FULL SCAN LOG Contents:

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 5160

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

11/21/2010 13:07:58
mbam-log-2010-11-21 (13-07-58).txt

Scan type: Full scan (C:\|)
Objects scanned: 389231
Time elapsed: 3 hour(s), 24 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------------------------------------------------------------------

Jacee, the first thing you will notice about this log is that the number of items scanned is much less than in the earlier logs that I posted. So if Jacee now thinks that what Prashant must have done (Jacee, thinking: he argues and fights with me about my expert opinions openly on the forum, but in practice does what I recommend to him) is that, belatedly heeding her advice that he has a surfeit of programs on his system (and needs to reduce the load on his system by uninstalling some of them), he has uninstalled Piky Suite, Skype, Nero, and a host of other programs, she would be entirely right. That is what I did as the first step, because now I had nothing to lose due to the impending clean install, although when Jacee had rightly suggested it I argued with her, because I didn't want to lose programs to that disgusting bot.

The next step I took was to open Windows Firewall and drastically reduce the number of allowed exceptions for programs, services, and other relevant Windows components over the Internet.

Next I did a really intensive search on Google for anti-rootkit applications, and found Wilderssecurity.com and Antirootkit.com. On these I found references to many anti-rootkit applications. Two that one user found amazing were Usec Radix and Sysinternals' (now Microsoft TechNet) RootkitRevealer by the great Mark Russinovich. So I thought, what is the harm if I test these on my system, as I have nothing to lose because my system will soon be undergoing a format. And so I downloaded these and then ran both on my system (first RootkitRevealer and then Usec Radix). Of course, I went through many troubles, such as BSODs and resultant system crashes, but still kept on with the job after the forced system shutdown and reboot, and even did some seemingly crazy things like disabling some 'suspicious' services in services.msc as reported by Radix. I lost the sdthelper driver of Usec Radix (to the rootkit, probably, but I really don't know) but still ran it, and then also copied the Radix installer folder to another folder under my user directory and ran the Usec Radix application from there. Although it complained with a warning that the sdthelper driver could not load because of a path issue, it completed its scan successfully, patched some items, and provided a log.

Then I fully updated MBAM and ran a full scan of the C: drive with default scanner settings in normal boot mode. Although I never expected that MBAM would report no infected objects or files, that's what happened, and to tell you frankly, I was stunned to find this result.

Thanks to Jacee for everything, because although I may have questioned her recommendations, I have followed each and every one of them in the end, and full credit goes to her, because by following her guidelines the bot has ultimately been banished from my system, which was our endeavor. Maybe the rootkit is still on my system in some hidden form, evading detection using polymorphism, but who cares? I am satisfied by this crusade against it. So what if my system still surely goes under critical surgery through a format and clean install?

Thanks to all of you, and not forgetting RootkitRevealer, Usec Radix, and some really crazy things that I did on my system. All's well that ends well.

Prashant
 


Hi Prashant,

See Jacee's response #51. Expert opinion varies on the success of removing rootkits. Just because Jacee won't do so herself (for good reason), doesn't mean it can't be attempted or that there aren't tools that claim to be able to do so and may even be partially successful or other experts willing to try (though I'd tend to agree with her that even if it seems to have been successful, the system can never again be trusted).

Also, just because MBAM no longer shows it does not mean it is gone though it may appear to be the case and does make it seem like progress has been made (that's why many experts including Jacee believe a clean install is the only appropriate response). As you said, it may have simply buried itself deeper into the system and while that bot.exe file seems to be gone according to MBAM, the infection and/or the result of the infection (mainly in terms of altered or damaged or missing or moved or renamed or added files) is very likely if not certainly still present.

I applaud your success in getting it to no longer show up in MBAM (I'm not sure I would have made the effort, but you did and obtained a sense of satisfaction so perhaps it was worth it) - but I am more gratified to hear that you recognize this has not solved the real problem and that a clean install is still required and that you still plan to do so.

As far as fighting rootkits (and all other types of infections), as quickly as people design defenses, there are others (and typically quite a few more of them - everyone out there with a computer and the skills to create these things and the willingness to do so for whatever reason) who are working just as hard to defeat those defenses and they are generally successful in time (and when discovered, the "hole" is patched and the hackers just then begin again looking for another vulnerability and the battle goes on). I'm not sure this is a war that can be won as much as one where everyone needs to be vigilant, protect themselves as much as possible or reasonable, use common sense to avoid situations where becoming infected is too risky, and trust those defending us (the original designers, the makers of supplemental security products, and the removal experts with their own set of specialized tools) to find solutions and repair problems quickly. Rootkits present a uniquely deadly problem as many consider them not to be treatable once infected and perhaps BIOS designers and others can do something more to defend against them (and I'm sure they already do as much as they can given their resources and budgets) - but these infections are somewhat rare (when compared to other types) and defenses are already fairly strong (we see them, but they are not nearly as common or generally widespread as other varieties). I hope you are right, but I suspect it will remain a constant war where the "bad guys" will sometimes win a battle or two.

Thanks for the update and good luck.