
a nasty bug - please help


ranon


Ok, the memory usage is still high. CPU is constantly being used (about 10-40%).

I use Dropbox to keep files on various PCs the same. In post #20, rkill detected Dropbox as having a virus and stopped it. Do I now start it again?

I have also not restarted since the rkill. At some point I am going to have to restart. Please tell me when I can restart.

When I use Windows Task Manager, I start it by right-clicking on the taskbar. On the image it shows as command line "taskeng.exe {98336E83-2C8E-4A6E-9318-DDE2FFB11188}". There are two processes with the same name and slightly different parameters.

There are 13 different svchost.exe processes, all starting from c:\windows\system32.

Rishi


I use Dropbox to keep files on various PCs the same. In post #20, rkill detected Dropbox as having a virus and stopped it. Do I now start it again?

Rkill didn't detect it as a virus, it just terminated it while it did its job, so it's OK.

You can restart it.

I have also not restarted since the rkill. At some point I am going to have to restart. Please tell me when I can restart.

Yes, restart the computer.

When I use Windows Task Manager, I start it by right-clicking on the taskbar. On the image it shows as command line "taskeng.exe {98336E83-2C8E-4A6E-9318-DDE2FFB11188}". There are two processes with the same name and slightly different parameters.

This may help: (can you locate the files in question?)

http://www.neuber.co...askeng.exe.html

There are 13 different svchost.exe processes, all starting from c:\windows\system32.

This is not unusual; check the link below:

http://www.howtogeek...-is-it-running/

Let me know, there's another scan we could run that will take about 3 hours to do.


I ran the viprerescue scan.

About 75% through the scan (6hrs) the system made a hard reboot.

I am posting the last 10 lines of the log so you can see where it stopped. The quarantine directory of viprerescue is empty, so it does not seem to have found anything.

Also during the scan, a few processes popped up in the task manager: dllhost, csrss and one more that I cannot remember. All three were running from standard directories, but with a command line that has a parameter that looks like a registry key. Is this normal?

I also noticed a directory c:\63e8929133247ad70dee9a5b, created on 24-02-12, 12:15 pm. When I click it in Explorer, it says that I do not have permission to access the directory. I can change the permissions, but I await instructions on the matter.

Log of viprerescue follows.

TRA 2840 4812 2012-02-28 09:46:14 473532916337 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1R.GPD

VER 2840 4812 2012-02-28 09:46:15 473533561147 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.022087]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:15 473534001065 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.052831]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:15 473534439831 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.083453]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:15 473535058643 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.126455]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

TRA 2840 4812 2012-02-28 09:46:18 473581204260 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1S.GPD

VER 2840 4812 2012-02-28 09:46:18 473582108613 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.412678]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:18 473582733605 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.456321]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:18 473583531084 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.511953]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:18 473584266049 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.563222]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

TRA 2840 4812 2012-02-28 09:46:21 473623831121 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1T.GPD

VER 2840 4812 2012-02-28 09:46:21 473624596111 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.379949]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:21 473625140572 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.417976]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:21 473625734027 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.459203]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:21 473626417980 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.507195]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

TRA 2840 4812 2012-02-28 09:46:26 473691229035 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1U.GPD

VER 2840 4812 2012-02-28 09:46:26 473692113463 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.095489]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:26 473692743688 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.139401]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:26 473693377286 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.183824]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:26 473694140085 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.237024]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

TRA 2840 4812 2012-02-28 09:46:29 473746557019 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1V.GPD

VER 2840 4812 2012-02-28 09:46:29 473747460043 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:30.960966]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:29 473748069181 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:31.003572]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:30 473748921177 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:31.063074]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1

VER 2840 4812 2012-02-28 09:46:30 473749645945 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:31.113685]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1


I also noticed a directory c:\63e8929133247ad70dee9a5b

Go ahead and have a look, I believe it's OK though.

Also during the scan, a few processes popped up in the task manager: dllhost, csrss and one more that I cannot remember. All three were running from standard directories, but with a command line that has a parameter that looks like a registry key. Is this normal?

I'm not sure on that.

TRA 2840 4812 2012-02-28 09:46:14 473532916337 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1R.GPD

That's a good Vista file???

MrC

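The two questions above (thirteen svchost.exe instances, and dllhost/csrss/taskeng.exe appearing with GUID-like or registry-key-like arguments) come down to the same triage step: confirm where each image actually lives and what it is hosting, instead of judging by the name alone. The script below is an added example written for this thread, not something posted by either participant or shipped with any of the tools mentioned. It lists those process names with their image path, command line, Authenticode signature status and (for svchost.exe) the services they host, and flags any image that is not under %SystemRoot%\System32. It assumes PowerShell 3 or later (Get-CimInstance) and an elevated prompt; protected processes such as csrss.exe return no path to a user-mode query, which is normal and is reported as "unknown" rather than as a finding.

```powershell
# Added example (not from the thread): locate the image and hosted services for
# process names that are commonly questioned in Task Manager, and flag any copy
# that does not run from %SystemRoot%\System32. Run from an elevated prompt.

$expectedDir = (Join-Path $env:SystemRoot 'System32').ToLower()
$watchNames  = 'svchost.exe', 'taskeng.exe', 'dllhost.exe', 'csrss.exe'

# Win32_Service lets us map each svchost.exe PID to the services it hosts,
# which is what makes a dozen svchost instances explainable.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object ProcessId -AsHashTable -AsString

$procs = Get-CimInstance Win32_Process |
    Where-Object { $watchNames -contains $_.Name.ToLower() }

$report = foreach ($p in $procs) {
    $path = $p.ExecutablePath            # $null for protected processes (e.g. csrss.exe)

    if ($path) {
        $dir        = [System.IO.Path]::GetDirectoryName($path).ToLower()
        $inSystem32 = ($dir -eq $expectedDir)
        $sig        = Get-AuthenticodeSignature -FilePath $path
        $sigStatus  = $sig.Status.ToString()
    } else {
        $inSystem32 = 'unknown (protected process; verify path in Task Manager)'
        $sigStatus  = 'n/a'
    }

    $hosted = if ($servicesByPid.ContainsKey([string]$p.ProcessId)) {
        ($servicesByPid[[string]$p.ProcessId] | ForEach-Object Name) -join ', '
    } else { '' }

    [pscustomobject]@{
        PID          = $p.ProcessId
        Name         = $p.Name
        Path         = $path
        InSystem32   = $inSystem32
        Signature    = $sigStatus
        Services     = $hosted
        CommandLine  = $p.CommandLine
    }
}

# Anything that resolves to a path outside System32, or whose signature is not
# Valid, is the instance worth uploading or scanning; the rest is expected noise.
$report | Sort-Object InSystem32, Name | Format-Table -AutoSize -Wrap

$suspect = $report | Where-Object { $_.InSystem32 -eq $false -or
                                    ($_.Signature -ne 'Valid' -and $_.Signature -ne 'n/a') }
if ($suspect) {
    "Instances needing a closer look:"
    $suspect | Format-List PID, Name, Path, Signature, CommandLine
} else {
    "All listed processes run from System32 with valid signatures (protected processes excluded)."
}
```

A GUID argument on taskeng.exe identifies the scheduled-task session it was started for, and a CLSID-style argument on dllhost.exe names the COM surrogate it is hosting; both are expected as long as the image path and signature check out. On PowerShell 2 (stock Vista) replace Get-CimInstance with Get-WmiObject, which returns the same ExecutablePath and CommandLine properties.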

I checked the directory on c:

it contains about 20 folders and 10 files.

What is interesting about it is that the permissions are set such that I cannot read any of the files in Notepad or open any of the directories.

Directories are named 1025, 1028, 1029 etc. And the files have a setup.exe along with some xml files, but you cannot read any of them in Notepad. I have not tried clicking on the exe.

About the general health of my computer, the virus is still around. It keeps CPU usage high, and other processes are painfully slow. So much so that I cannot even watch a video on YouTube without CPU at 100% and some frame loss.

Rishi


c:\63e8929133247ad70dee9a5b

I don't have Vista, but from what I remember it's related to the operating system or validation.

Can't you right click on it and scan it with your AV or MB??

-------------------------------------

Download aswMBR to your desktop.

http://public.avast....erek/aswMBR.exe

Double click the aswMBR.exe to run it.

If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".

Click the "Scan" button to start scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Please zip it up and attach it in your post.

MrC

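MrC suggests right-clicking the unexpected c:\63e8929133247ad70dee9a5b folder and scanning it. The snippet below is an added example for this thread (not MrC's or Rishi's, and not part of any of the tools mentioned) showing how to inspect such a folder without executing anything in it: who owns it, what the ACL grants, and for each file its size, timestamps, SHA-256 and Authenticode signer. The hash is what you would look up on VirusTotal instead of uploading a file, and the signer tells you whether setup.exe is a Microsoft-signed installer payload or something unsigned. The path is the one from the thread; it assumes PowerShell 4 or later for Get-FileHash and an elevated prompt (the ACL Rishi describes denies ordinary read access).

```powershell
# Added example (not from the thread): inspect an unexpected top-level folder
# read-only. Run from an elevated prompt so the ACL can be read.

$dir = 'C:\63e8929133247ad70dee9a5b'   # folder named in the thread

if (-not (Test-Path -LiteralPath $dir)) {
    throw "Folder not found: $dir"
}

# 1. Who owns it and what the ACL grants. Locked-down folders created by an
#    installer are typically owned by SYSTEM/TrustedInstaller; a folder owned
#    by the interactive user with Everyone:Deny would be unusual.
$acl = Get-Acl -LiteralPath $dir
"Owner : $($acl.Owner)"
"Created: $((Get-Item -LiteralPath $dir).CreationTime)"
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 2. Per-file evidence: hash for a VirusTotal lookup, and signature status.
$files = Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue

$inventory = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File     = $f.FullName.Substring($dir.Length + 1)
        Bytes    = $f.Length
        Modified = $f.LastWriteTime
        SHA256   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        SigState = $sig.Status.ToString()
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$inventory | Format-Table -AutoSize -Wrap

# 3. Summarise what needs attention: executables that are unsigned or whose
#    signature does not verify. Everything else can be judged by hash lookup.
$exe = $inventory | Where-Object { $_.File -match '\.(exe|dll|msi|sys)$' }
$unsigned = $exe | Where-Object { $_.SigState -ne 'Valid' }
if ($unsigned) {
    "Executables without a valid signature (look these hashes up before touching them):"
    $unsigned | Format-Table File, SigState, SHA256 -AutoSize
} else {
    "All $($exe.Count) executable(s) carry a valid Authenticode signature."
}
```

The numeric subfolder names Rishi lists (1025, 1028, 1029, ...) are the Windows locale identifiers a self-extracting installer uses for its language packs, which is consistent with MrC's recollection that the folder belongs to the operating system; the hash and signer output is what confirms or refutes that for the specific files present.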

I ran the scans with Norton and MAB on the folder. Both are clean. Still I renamed the folder just as a precaution.

I also ran the scan with aswMBR and results follow.

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.27.02

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Arvind Raje :: LAPTOPPC [administrator]

29-02-2012 00:13:54

mbam-log-2012-02-29 (00-13-54).txt

Scan type: Custom scan

Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM

Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P

Objects scanned: 105

Time elapsed: 38 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

aswMBR Log -------------------------------

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software

Run date: 2012-02-29 00:20:24

-----------------------------

00:20:24.376 OS Version: Windows 6.0.6002 Service Pack 2

00:20:24.376 Number of processors: 2 586 0xF0D

00:20:24.381 ComputerName: LAPTOPPC UserName:

00:20:27.803 Initialize success

00:41:40.478 AVAST engine defs: 12022801

01:28:26.053 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

01:28:26.059 Disk 0 Vendor: Hitachi_ SBDO Size: 114473MB BusType: 3

01:28:26.076 Disk 0 MBR read successfully

01:28:26.080 Disk 0 MBR scan

01:28:26.295 Disk 0 unknown MBR code

01:28:26.299 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 106022 MB offset 63

01:28:26.343 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8448 MB offset 217134540

01:28:26.353 Disk 0 scanning sectors +234436545

01:28:26.442 Disk 0 scanning C:\Windows\system32\drivers

01:28:43.895 Service scanning

01:29:28.624 Modules scanning

01:29:42.194 Disk 0 trace - called modules:

01:29:42.213 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys

01:29:42.569 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c9bac8]

01:29:42.577 3 CLASSPNP.SYS[885a78b3] -> nt!IofCallDriver -> [0x83c8a168]

01:29:42.584 5 acpi.sys[87a9b6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x83ce2030]

01:29:43.573 AVAST engine scan C:\Windows

01:29:48.862 AVAST engine scan C:\Windows\system32

01:35:58.516 AVAST engine scan C:\Windows\system32\drivers

01:36:24.972 AVAST engine scan C:\Users\Arvind Raje

02:12:58.067 File: C:\Users\Arvind Raje\Documents\tmp\Visual Studio Enterprise\Visual Studio Enterprise\SETUP.EXE **INFECTED** Win32:Sality

02:30:16.717 AVAST engine scan C:\ProgramData

02:41:05.256 Scan finished successfully

04:27:18.577 Disk 0 MBR has been saved successfully to "C:\Users\Arvind Raje\Documents\virus\MBR.dat"

04:27:18.596 The log file has been saved successfully to "C:\Users\Arvind Raje\Documents\virus\aswMBR.txt"

MBR.rar


The only file in question is this one:

02:12:58.067 File: C:\Users\Arvind Raje\Documents\tmp\Visual Studio Enterprise\Visual Studio Enterprise\SETUP.EXE **INFECTED** Win32:Sality

It's most likely a false positive.

You can upload it to VirusTotal for a free scan...let me know the results.

C:\Users\Arvind Raje\Documents\tmp\Visual Studio Enterprise\Visual Studio Enterprise\SETUP.EXE

http://www.virustotal.com/

MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
