The Mother Board

Motherboards.org forums. Free tech support, motherboard ID, and more.
All times are UTC - 8 hours

PostPosted: Wed Jan 14, 2015 1:52 pm 
Green Belt

Joined: Tue Apr 15, 2003 12:56 pm
Posts: 217
Location: Dover, NH USA
I tried Kaspersky Rescue Disk:

a FULL SCAN of all three of my internal HDDs
didn't FIND A THING ;#_#; ^_^ @_@........

_________________
(PC Specs)
CPU: AMD FX-9590 4.7GHz 8-core
CPU Instructions: MMX(+), SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4A, x86-64, AMD-V, AES, AVX, XOP, FMA3, FMA4
Motherboard: Asus SABERTOOTH 990FX R2.0
GPU: nVidia GTX 750Ti SC 2GB
GFX Drivers: Nvidia v398.36
OS: Windows 7 Ultimate 64-bit SP1
RAM: 32GB Kingston 1866MHz DDR3


PostPosted: Wed Jan 14, 2015 5:12 pm 
Mobo-fu Master

Joined: Wed Nov 12, 2003 11:57 am
Posts: 20849
Location: 07438
Do a Regedit from the 'Run' prompt. Then search for any notation of that "Vosteran". If any trace is found, delete its key value cell from the "tree" column, but not any further into the "tree" than that individual cell page.
Put in a more basic way, the cell in the "tree" folder, when opened having a (+) sign, would show sub-cells of key values. Taking out the main cell folder may cause more problems if associations refer to other process files.
If you have several hard drives or multiple partitions, run that directory check on all.
The MSCONFIG process will list all programming that is on the system, so if something is causing unwanted operations, uncheck its function box.

_________________
F@H.. to solve mankind's maladies.. in our lifetimes!


PostPosted: Wed Jan 14, 2015 6:17 pm 
Green Belt

Joined: Tue Apr 15, 2003 12:56 pm
Posts: 217
Location: Dover, NH USA
Breaking down the cmdline string.....
Code:
C:\WINDOWS\system32\cmd.exe  /K for  /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\1837308050\*"') do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"


Code:
C:\WINDOWS\system32\cmd.exe  /K for  /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\1837308050\*"')

/K Carries out the command specified by string but remains

/b Start application without creating a new window. The
application has ^C handling ignored. Unless the application
enables ^C processing, ^Break is the only way to interrupt

Code:
regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
/u -   Unregister server
/s -   Silent; display no message boxes
/i -   Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
/n -   do not call DllRegisterServer; this option must be used with /i


Code:
do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"

So it's going to silently install, passing this string to whatever was in that folder... "/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 ", which appears to be base64, but I tried using online decoders to no avail..... and not call DllRegisterServer as well... i.e. being REAL s.n.e.a.k.y. about it


_________________________________________________________________________________________________
I could have sworn I had gotten rid of everything.... must be remnants of my original cleaning....

Code:
VosteranHTML.RK4WSBMGSSQO7S4EMNNWSWUNF4  reg_none  (zero-length binary value)

found at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithProgids


Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\vosteran.exe]
"LocalizedString"="vosteran"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\vosteran.exe\shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\vosteran.exe\shell\open]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\vosteran.exe\shell\open\command]
@="\"C:\\Documents and Settings\\Melchior\\Local Settings\\Application Data\\Vosteran\\Application\\vosteran.exe\""


Well, those reg keys are AXED.... and no trace of its files anywhere, evidenced by the fact that not one tool so far has seen anything left this time around...


A search of my file system (name and inside) and Windows registry for these strings nets nothing.

QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3
RK4WSBMGSSQO7S4EMNNWSWUNF4



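A defender's check of the launch string dissected in the post above, added here as an example and not part of the thread: it flags the regsvr32 /s /n /i: pattern the poster walked through and shows why the quoted argument cannot be base64 (49 characters, and a base64 length is never 1 mod 4); the base32 check on the ProgID suffix RK4WSBMGSSQO7S4EMNNWSWUNF4 from the same post is a length observation only. The command line is copied from the post; the function names are mine.

```python
import base64
import binascii
import re

# The command line quoted in the post above, copied from the thread (not constructed).
POSTED_CMDLINE = (
    'C:\\WINDOWS\\system32\\cmd.exe  /K for  /F %i in (\'dir /b /a:h-d /w '
    '"C:\\Documents and Settings\\All Users\\Application Data\\1837308050\\*"\') '
    'do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " '
    '"C:\\Documents and Settings\\All Users\\Application Data\\1837308050\\%i"'
)

def regsvr32_switches(cmdline):
    """Lower-cased single-letter switches given to regsvr32 (the argument of /i: is ignored)."""
    m = re.search(r'regsvr32(?:\.exe)?\s+(.*)', cmdline, re.IGNORECASE)
    if not m:
        return set()
    return {s.lower() for s in re.findall(r'/([A-Za-z])(?=[:\s]|$)', m.group(1))}

def suspicious_reasons(cmdline):
    """Explain, as a list of strings, why a cmd.exe launch string looks like DllInstall abuse."""
    sw = regsvr32_switches(cmdline)
    reasons = []
    if {'n', 'i'} <= sw:
        reasons.append('/n /i: calls DllInstall only and skips DllRegisterServer')
    if 's' in sw:
        reasons.append('/s hides every dialog regsvr32 would otherwise show')
    if re.search(r'\bfor\s+/F\b.*\bdir\b[^)]*\s/a:h', cmdline, re.IGNORECASE):
        reasons.append('for /F loop enumerates hidden files (dir /a:h) and feeds each to regsvr32')
    if re.search(r'\\Application Data\\\d+\\', cmdline):
        reasons.append('payload lives in a numeric-named folder under Application Data')
    return reasons

def looks_like_base64(text):
    """Standard base64 uses [A-Za-z0-9+/] with optional '=' padding, and len % 4 is never 1."""
    body = text.strip().rstrip('=')
    return bool(re.fullmatch(r'[A-Za-z0-9+/]*', body)) and len(body) % 4 != 1

def base32_decoded_length(text):
    """Decoded byte count if text is unpadded base32 (A-Z, 2-7) of a legal length, else None."""
    if not re.fullmatch(r'[A-Z2-7]+', text) or len(text) % 8 in (1, 3, 6):
        return None
    try:
        return len(base64.b32decode(text + '=' * (-len(text) % 8)))
    except binascii.Error:
        return None

if __name__ == '__main__':
    for r in suspicious_reasons(POSTED_CMDLINE):
        print('-', r)
    print('base64?', looks_like_base64('QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3'))
    print('base32 bytes:', base32_decoded_length('RK4WSBMGSSQO7S4EMNNWSWUNF4'))
```

The same switch check applied to process-creation logs (command line field) is the usual way to catch this pattern at scale.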
PostPosted: Wed Jan 14, 2015 10:34 pm 
Green Belt

Joined: Tue Apr 15, 2003 12:56 pm
Posts: 217
Location: Dover, NH USA
Nope, Malwarebytes Anti-Rootkit scanner didn't find a thing.

AND its detailed scan of each HDD's boot sectors... found nothing. lol


Testing using a tool called Emsisoft Emergency Kit
found two entries... App.win32.InstalledAd, no targeted files...

and on a full scan it only found 8 false positives (programs I had been using for years!!)...

and 4-5 old MS HTML Archives (from old research years ago) that had IE Frame exploits, so I scrapped them,
then again I haven't opened those files in years... so there is no chance they are related to this nonsense


Attachments:
Malwarebytes Anti-Rootkit__ScanLogs.rar [3.52 KiB]

PostPosted: Thu Jan 15, 2015 2:20 am 
Mobo-fu Master

Joined: Sun May 06, 2001 12:01 am
Posts: 37463
Location: Netherlands
A search for that {3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0} key gives this:
http://www.avira.com/en/support-threats ... 9/tlang/en
So check for those files and delete them.

Another piece of evidence your system was hit by something REAL nasty, part of a rootkit I suspect. The problem with rootkits is, you NEVER can tell what the **** they put in where since they can mask everything at whatever point in the boot process of your machine (even pre-OS).

Have you checked your scheduled tasks folder yet?

_________________
We hate rut, but we fear change.
********************************
System error, strike any user to continue...


PostPosted: Thu Jan 15, 2015 3:12 am 
Green Belt

Joined: Tue Apr 15, 2003 12:56 pm
Posts: 217
Location: Dover, NH USA
evasive wrote:
A search for that {3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0} key gives this:
http://www.avira.com/en/support-threats ... 9/tlang/en
So check for those files and delete them.

Another piece of evidence your system was hit by something REAL nasty, part of a rootkit I suspect. The problem with rootkits is, you NEVER can tell what the **** they put in where since they can mask everything at whatever point in the boot process of your machine (even pre-OS).

Have you checked your scheduled tasks folder yet?



lol of course I have, I ain't a newb :wink:

Everything I see says my system is clean with the exception of that one thing,
nope, nothing here matching what was on Avira... ?_?


I scanned with quite a few apps including TDSSKiller, Malwarebytes Anti-Rootkit scanner,
and I even ran the Kaspersky Rescue Disk and it didn't find a thing. I will note its NET drivers worked so I was able to get updated files for it.



PostPosted: Thu Jan 15, 2015 6:28 am 
Mobo-fu Master

Joined: Wed Nov 12, 2003 11:57 am
Posts: 20849
Location: 07438
Check your boot.ini file, in the root of C:\. It should be something similar to this:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect

Or from Settings > System > Advanced > Startup and Recovery, you can edit it if required. Back up the file first, though.

Even though I have Firefox as default browser, IE still gets some useless files, but it is not supposed to. Maybe the OS auto update search?



PostPosted: Thu Jan 15, 2015 5:37 pm 
Green Belt

Joined: Tue Apr 15, 2003 12:56 pm
Posts: 217
Location: Dover, NH USA
lol of course I already checked that... it's clean as a whistle.
Quote:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional x64 Edition" /noexecute=optin /fastdetect


I have CCleaner clean several times a day depending on how many times I close Firefox.... the only file I see for IE is
an index file for its temp files which is automatically recreated when it's deleted by CCleaner... that and when I do Windows Update checks via IE...


Oohh looky here... a Windows update, more specifically the

- Malicious Software Removal Tool x64 - January 2015 (KB890830)
installing... =D done. And it says I am clean too....



PostPosted: Fri Jan 16, 2015 1:18 am 
Green Belt

Joined: Tue Apr 15, 2003 12:56 pm
Posts: 217
Location: Dover, NH USA
I found something I wasn't sure about...
Code:
COM Surrogate
(No signature was present in the subject) Microsoft Corporation
v5.2.3790.3959
Sat Feb 17 00:24:26 2007
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

autostart:
HKLM\System\CurrentControlSet\Services\COMSysApp


It's a Windows service.... seems legit except for the (No signature was present in the subject) part... is it supposed to have


Attachments:
TDSSKiller.3.0.0.42_16.01.2015_07.23.26_log.rar [23.43 KiB]
unknown file plus reg files.rar [3.05 KiB]

PostPosted: Fri Jan 16, 2015 6:07 am 
Mobo-fu Master

Joined: Wed Nov 12, 2003 11:57 am
Posts: 20849
Location: 07438
As to that reference of "C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
autostart: HKLM\System\CurrentControlSet\Services\COMSysApp"..
Supposedly, it is an OS file provided by MS.. and may not require a digital signature, as it is not a critical core or Kernel file.
Found several references.. valid program required by the OS on start up, otherwise certain features may not be available.
http://www.bleepingcomputer.com/startup ... 25641.html
Seems to be a launch-type process for an add-on feature.. Wifi, external drive, network server? NAS?
http://msdn.microsoft.com/en-us/library ... .5%29.aspx

That Malicious Software Removal Tool is still issued monthly by MS.. a quick antivirus and malware cleaner. (KB890830) It will be issued for several more months, until all the POS (point-of-sale) systems have been upgraded. Almost all ATM and similar use a basic form of Win XP as the OS. By default, it scans only the C:\ drive.. but can scan all drives and files.


