
sunkist.notifylcondata


morkie


The best option now is to set up a "Clean Boot" and see if the system responds OK in that mode; if so, we look for the problem service...

 

 

Click Start, click Run, type msconfig, and then click OK.

 

The System Configuration Utility dialog box is displayed.

 

We now need to configure selective startup options:

 

  • In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
  • Click to clear the Process SYSTEM.INI File check box.
  • Click to clear the Process WIN.INI File check box.
  • Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
  • Click the Services tab.
  • Click to select the Hide All Microsoft Services check box.
  • Click Disable All, and then click OK. This will disable non-MS services.
  • When you are prompted, click Restart to restart the computer.

 

When you receive the following message, click to select the Don't show this message or launch the System Configuration Utility when Windows starts check box, and then click OK.

 

If the clean boot fixes the issue do the following:

 

Repeat as above, ensure all MS services are hidden, enable half of the non MS services then re-boot. If the issue does not return do exactly the same again, this time only enable the bottom half of non MS services.

If the issue returns we know the issue is in the bottom half, so you now repeat again but only enable half of the bottom half. Keep doing that until you isolate the rogue service.

 

Let me know how you get on, I know it is a laborious task but it will locate the issue. Obviously if the issue happens with the initial clean boot we'll have to think again....


Kevin,

I was not able to isolate the rogue service. Mainly because the issue does not always happen. I have been able to boot up the last 3 times with normal startup selected including all services and all startup items. The problem just isn't consistent and doesn't happen every time. I do get a windows error msg. on the desktop screen during start that I haven't seen till I started selecting all the startup items in MSCONFIG. It says "runner error: invalid back web application ID137903".

Anyhow, where do we go from here ?

 

richie


Kevin,

It's been running just fine so far. I wonder if the issue is just lurking and waiting to strike again, but right now there are no issues. I'll run the program Startuplite and read the link to bleeping computers later today.

Still have a couple questions if you could answer them.

Is "sunkist.notifyicondata.hwnd" a virus or something else ?

Can it spread to the other 2 computers I have on my home network connected to a router via WIFI ?

 

richie


Kevin,

This is amazing. Just after I posted my previous post above, the issue returned and the computer slowed way down. I tried something out of desperation. I opened windows task manager and in the "processes" window I saw a "svchost.exe" process that was using 100% in the CPU column. I highlighted it and selected end process and voila, the computer came back to running normally. Does that help you any to get rid of this thing ?

 

richie


Hi Kevin,

Here are the reports. When Rogue Killer finished it said "Please look at different tabs and delete items with buttons" , I didn't do that and only did what you told me, when I closed the program it then said "No items have been deleted do you really want to quit", I said yes. The forum would not allow me to upload the file "mbr.dat".

 

aswMBR.txt

 

RKreport0_S_11182013_170240.txt

 

 

 

 

 

 

richie

 

 


When RK lists entries or terminates a process it does not always mean they are malicious.... Do the following:

 

Upload a File to Virustotal

Go to http://www.virustotal.com/

  • Click the Choose file button
  • Navigate to the file C:\WINDOWS\ltmsg.exe or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

 

Next,

 

Run Malwarebytes again, this time use the Full scan option, post that log...
 


Kevin,

After running the MBAM full system scan it found 3 items, which I quarantined and it asked to reboot. I did and when everything was done loading the problem immediately started and the computer was unusable until once again I stopped the process that was showing 100% in windows task manager.

 

 

ltmsg(1).txt

ltmsg(2).txt

ltmsg(3).txt

mbam-log-2013-11-18 (18-18-07).txt

MBAM-log-2013-11-18 (19-33-34).txt

 

richie


Download the latest version of TDSSKiller from here:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan will be quick.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


 

Kevin


Run the following from outside of windows, see if we can make progress...

 

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit

Run the tool, Windows 7 or Vista user right click and select "Run as Administrator"

Read the instructions in the new window and select "Next"

In the new window accept the agreement.

In the new window select your USB Flash Drive, then select "Next"

In the new window ensure your Flash drive is selected, if not click on "Refresh" then select "Next"

In the new window accept the formatting alert by selecting "Next"

Files will be downloaded.

Files will be processed and created.

Flash drive will be formatted and prepared.

Files will be added to the Flash Drive and the tool will be created.

The procedure is finished and the Tool created, click on "Finish" to complete.

Plug the USB into the sick PC and boot up, if it does not boot from the flash drive change the boot options as required. Use F12 as it boots, change options...

As it boots you'll see files being loaded and the windows splash screen, eventually the tool will run a "Quick Scan", follow the prompts and deal with what it finds.

When complete do a full scan, deal with what it finds.

When finished, remove the USB stick then press the Esc key to boot into regular windows.

 

Navigate to the following file:

 

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

 

Open with notepad and copy and paste it into a reply.


Kevin,

Problem with defender offline. The program opens with a msg. defender needs to update virus definitions, I click on updates it runs for several minutes and then I get a msg. "could not update definitions error code Ox80508007". The program won't scan without the updates. What do we do now ? By the problem with the virus or whatever it's called, comes on every time now when I start the computer.

 

Thanks,

richie


Can you post a screen shot of this alert you get for sunkist?

 

Next,

 

Download SystemLook from the following link below and save it to your Desktop.


http://images.malwareremoval.com/jpshortstuff/SystemLook.exe


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :regfind
    sunkist.*
    :filefind
    sunkist.*
    :service
    sunkist
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.



Note: The log can also be found on your Desktop entitled SystemLook.txt


Is the remaining problem related to svchost using 100% in Taskmanager? If so, do the following:

 

Open Taskmanager, make a note of the PID for the svchost entries that are causing issue. Close Taskmanager

 

Next,

 

1. Click Start on the Windows taskbar, and then click Run, or select the Windows key and R key together.

2. In the Open box, type CMD, and then press ENTER.

3. At the command prompt type or copy/paste tasklist /svc and then press ENTER

 

In the list that opens scroll down and look for the PID against svchost entries that match problem ones from Taskmanager. Make a note of the services that are running from those entries....

 

Post those for me...

Link to post
Share on other sites
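
The PID-to-service lookup described in the post above, as an added example that is not part of the original thread: a short Python parser for saved `tasklist /svc` output that joins wrapped service lists and returns the services hosted by a given svchost.exe PID. The sample output, its PIDs and its service names are constructed for illustration.

```python
import re

# Constructed sample of `tasklist /svc` output (PIDs and service names are
# examples, not taken from the thread). Long service lists wrap onto
# indented continuation lines.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    856 DcomLaunch, TermService
svchost.exe                   1024 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   EventSystem, wuauserv
explorer.exe                  1480 N/A
"""

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image name, PID, services


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} from `tasklist /svc` text."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue  # blank line or the ruler under the header
        m = ROW.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = (m.group(1), [])
            svc_text = m.group(3)
        elif line[0].isspace() and current is not None:
            svc_text = line  # wrapped continuation of the previous row
        else:
            continue  # column header line
        procs[current][1].extend(
            s.strip() for s in svc_text.split(",")
            if s.strip() and s.strip() != "N/A")
    return procs


def services_for(text, pids, image="svchost.exe"):
    """Services hosted by the given PIDs, limited to one image name."""
    procs = parse_tasklist_svc(text)
    return {pid: procs[pid][1] for pid in pids
            if pid in procs and procs[pid][0].lower() == image}


if __name__ == "__main__":
    for pid, svcs in services_for(SAMPLE, [1024]).items():
        print(pid, ", ".join(svcs))
```

Because the PID changes on every boot, the Task Manager reading and the `tasklist /svc` capture need to come from the same session.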

OK, I found out that tasklist /svc only comes with winxp pro but I was able to download it. The process svchost PID for the slow one changes every time I boot up. But it does have a lot of programs listed. I will try tomorrow and copy the list from the cmd prompt using the windows dos screen, it has a copy save function that I finally figured out.
