Jump to content

Infected: Multiple Conhost.exe, CMD.exe and REG.exe processes spawning.


Recommended Posts

This computer has proven to be very difficult to clean.  Now after throwing a bunch of tools at it, it seems to scan clean. However, there are processes being spawned that make me nervous.  As it is running, there are multiple conhost.exe, cmd.exe and reg.exe processes spawned.  if I let it run long enough, they take 100% processor and the system becomes unuseable.  I wrote a looping batch file to taskkill the reg.exe task and that makes it possible to do some diagnostics. Please help! 

 

I have run the following tools:

rkill

adwcleaner

Malwarebytes Rootkit Scanner

Malwarebytes

Norton Power Eraser

Hitman Pro

Microsoft Security Essentials.

 

Please find attached the FRST and Addition Logs

 

Thank you in advance for all of your help.

 

BA

Addition.txt

FRST.txt

Link to post
Share on other sites

nothing found:

 

 

wait.gif Analysis completed.
SHA256: 43703a6c9bfc49ee6e8a5ba25cabc7eed598cb245745c56f52e23f6093eebecf File name: winevent.exe Detection ratio: 0 / 55 Analysis date: 2015-11-22 23:24:11 UTC ( 1 minute ago )
 
0
 
0
 
Antivirus Result Update ALYac   20151122 AVG   20151122 AVware   20151122 Ad-Aware   20151122 AegisLab   20151122 Agnitum   20151122 AhnLab-V3   20151122 Alibaba   20151120 Antiy-AVL   20151122 Arcabit   20151122 Avast   20151122 Avira   20151122 Baidu-International   20151122 BitDefender   20151123 Bkav   20151121 ByteHero   20151123 CAT-QuickHeal   20151121 CMC   20151118 ClamAV   20151123 Comodo   20151122 Cyren   20151122 DrWeb   20151122 ESET-NOD32   20151122 Emsisoft   20151122 F-Prot   20151122 F-Secure   20151120 Fortinet   20151122 GData   20151122 Ikarus   20151122 Jiangmin   20151122 K7AntiVirus   20151122 K7GW   20151122 Kaspersky   20151122 Malwarebytes   20151122 McAfee   20151122 McAfee-GW-Edition   20151122 MicroWorld-eScan   20151122 Microsoft   20151122 NANO-Antivirus   20151122 Panda   20151122 Qihoo-360   20151123 Rising   20151122 SUPERAntiSpyware   20151122 Sophos   20151122 Symantec   20151122 Tencent   20151123 TheHacker   20151121 TrendMicro   20151122 TrendMicro-HouseCall   20151122 VBA32   20151120 VIPRE   20151122 ViRobot   20151122 Zillya   20151122 Zoner   20151122 nProtect   20151120
Link to post
Share on other sites

Thanks for the logs... Continue please:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…




If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....

 
Next,
 
Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


 

Next,

 

thisisujrt.gif Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 
Next,
 
dr_web_cureit_zpse80d87bf.jpg
Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop. (Scroll to bottom of page)

  • The file will be randomly named
  • Reboot to safe mode <<<<<------------ http://support.eset.com/kb2268/
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning

    drwebselect.JPG
  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats

    drwebfolders.JPG
  • Press start scan
  • The scan will now commence

    drwebscan.JPG
  • Once the scan has finished click open report <<<--- Do not miss this step

    drwebscancomplete.JPG
  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop



This log will be excessive,  Please attach it to your next reply…
 

Let me see those logs, also give an update on any remaining issues or concerns...

 

Thank you,

 

Kevin.....

 

 

 

Fixlist.txt

Link to post
Share on other sites

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User Licene Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report",in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference. log will open.
  • Close the program > Don't Fix anything!

 

Let me see that log please...

 

Kevin.

Link to post
Share on other sites

I see nothing in the logs to explain what you tell me is happening, ok run the following:

 

Please download Gmer from Here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...

            Sections
            IAT/EAT
            Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.



Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

**If GMER crashes** Follow the instructions here and disable your security temporarily…
 

Next,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt  "Optional scan" Select scan, when done post the new logs....

 

Post those logs,

 

Thank you,

 

Kevin
 

Link to post
Share on other sites

Thanks for the logs, continue as follows:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop. (If you still have AdwCleaner no need to d/l again)

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...

 

Post those logs, also let me know if any remaining issues or concerns...

 

Thank you,

 

Kevin
 

Fixlist.txt

Link to post
Share on other sites

The idea of clean boot is to check if any 3rd party service(s) (none microsoft) is/are the cause of the problem, in your case this seems to be true. What we need to do now is find the problem service(s) that cause the issue.

 

So with the system in clean boot (all none ms services disabled) follow the instructions again to open MSCONFIG, keep microsoft services hidden. Now manually enable the top half of the "none ms services" close out MSCONFIG and reboot your system.

 

Does the spawning return, if so we then know the problem services is among the top half. If not we know it is amongst the bottom half. From there we continue the chase...

If the  top half (enabled) spawns disable in turn until the problem service is found...

 

If the top half  (enabled) does not spawn enable each of the bottom half in turn until the service is found... You will need to re-boot after each step, I realize it may be  laborious but is well worth the effort..

 

Thank you,

 

Kevin

Link to post
Share on other sites

I have the Culprit!  It is called Windows Event Log Viewer.  Located in C:\Windows\Win Services.  Running a file called winevent.exe

 

I have left the service disabled and created a .zip of the Win Services folder which I will upload if you like.  i will await further instructions.

Link to post
Share on other sites

Thnk you for the confirmation on the culprit, i`m not 100% sure why this problem occurs, we did upload winevent.exe to VirusTotal early in the thread, if you recall it came back clean. I`ve posted to our private forum seeking advice.

Just leave tools etc as is for now, I`ll post back to you when I have more information.

 

Thank you,

 

Kevin...

Link to post
Share on other sites

Hello BAsystems,

 

Unfortunately I got no help/advice in our private forum, probably no one has encountered this specific issue previously... The problem service "Windows Event Log" default setting is automatic, It is needed to log issues as they happen. Problems can happen if the issue to log is too large and it outlasts the log timer...

 

Info on the service can be found at the following sites:

 

http://www.blackviper.com/windows-services/windows-event-log/

 

https://support.microsoft.com/en-us/kb/2701799

 

Also the Microsoft Community is a great site to ask specific questions regarding system problems/issues. Select the "Participate" option to ask a question at the following link:

 

http://answers.microsoft.com/en-us?auth=1

 

Looking through event logs contained in FRST logs the following seem to repeat:

 

BlueStacks
catchme
- related to Combofix..

 

Before you contact MS community do the following,

 

Uninstall the following apps:

 

Best Buy pc app
Best Buy pc app

BlueStacks
iTunes

Bonjour

 

Use the following Uninstaller program if needed,

 

Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information)

Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required.

Run the tool, the main GUI will populate with installed programs list,

Left click on Program name to highlight that entry.

Select Action from the Menu bar, then Uninstall from there follow the prompts.

If Uninstall fails open the "Action" menu one more time and use "Force Removal" option

 

Also download and run this:


 

http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE


 

That will remove Combofix remnants and associated folders etc...

 

Let me know if those changes make any difference, you will need to  enable "Windows Event log" service to see if any changes happen....

 

If the proposed changes do not help iTunes/Bonjour canbe re-installed, do not re-install Best Buy PC is not recommended....

 

Let me know what happens,

 

Thank you,

 

Kevin....

Link to post
Share on other sites

Before I do the suggested course of action, I need to correct one thing.  You stated that the "Windows Event Log" is a default setting.  This is true, and that service is running currently.  The service in question is called "Windows Event Log Viewer".  It seems to be running from a rogue directory under Windows called "Win Services".  I have it disabled through MSConfig and the system is symptom free.

 

I'd like to upload the zipped file I made of the directory "Win Services" so that it can be studied and a legitimate fix put into place for future infections.  I have no idea of what it is doing or attempting to do.

 

I will remove combofix and the Best Buy garbage as instructed.  I'll hold off on Bonjour and Itunes until I hear back from you about my minor correction on the service name.

 

Thank you for your help!

Link to post
Share on other sites

Thanks for the update and the correction. Yes remove Combofix and Best buy PC, leave the others alone. At the begining of this thread I did note the following entry in the FRST.txt log

 

R2 Windows Event Log Viewer; C:\windows\Win Services\winevent.exe [16896 2015-10-15] (winevent) [File not signed]

 

I requested winevent.exe be uploaded to VirusTotal to be checked, if you recall the analysis result was clean, hence I just ignored it in the initial FRST fix.... Probably a bit lax on my behalf, at least you were a lot more suspicious than I was, even with the aid of the clean boot I did not see what was staring me in the face....

 

Can you zip up and attach this file "C:\windows\Win Services\winevent.exei`ll get it to the malware hunter section.....

 

Also run FRST again as follows:

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the two new logs....

 

Thank you,

 

Kevin.....
 

Link to post
Share on other sites

I've removed the Best Buy PC, uninstalled Combofix, ran FRST and have attached the Log Files as requested.  I also have included the zipped copy of C:\Windows\Win Services directory that includes the Winevent.exe and support structure.  When I went to upload it again to Virustotal, it is no longer there.  I'm assuming one of the last few fixes has removed it?  

 

I manually deleted the Service that it had created and deleted the Win Services directory from c:\Windows after this last FRST scan.

 

Thanks again!

 

 

FRST.txt

Addition.txt

Win Services.zip

Link to post
Share on other sites

Thanks for the logs and the update, I will PM one of the Moderators to d/l the attached zip folder for analysis....

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…



Let me see those logs, also give an update on any remaining issues or concerns...

 

Thank you,

 

Kevin..
 

Fixlist.txt

Link to post
Share on other sites

Thanks for the update, if you run Malwarebytes again does it find the same malicious files?

 

Regarding winevent.exe, that file is legitimate. Unfortunately as you were aware it runs from a none default folder, inside that folder was also a batch file to d/l unwanted extras, a sneaky rogue setup for sure....

 

If Malwarebytes is stalling maybe worthwhile doing a clean install...

 

Please download MBAM-clean and save it to your desktop.

  •    Right-click on mbam-clean.exe icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  •    It will ask you to reboot the machine - please do so.
  •    Run the cleaner tool again, re-boot when complete.



Download & install the newset MBAM version.

Please download 51a46ae42d560-malwarebytes_anti_malware.Malwarebytes Anti-Malware

  •    Install the progam and select update.
  •    Once updated, click the Settings tab, in the left panel choose Detctions & protection and tick Scan for rootkits.
  •    In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
  •    Click the Scan tab, choose Threat Scan is checked[/b and click Scan Now.
  •    If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  •    Upon completion of the scan (or after the reboot), click the History tab.
  •    Click Application Logs and double-click the Scan Log.
  •    At the bottom click Export and choose Text file.



Save the file to your desktop and post its content in your next reply.

 

Thanks,

 

Kevin..
 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.