featherless, posted February 21, 2014 (edited):

I generally keep my computer on sleep and restart it once a week or so. I noticed odd behavior where explorer.exe would crash on me whenever I would try to open an exe or video unless I ran it as administrator. I decided to reboot, and as soon as I did I saw at the bottom left corner a very minimized window, and I found in my processes something named "uninst000.exe". I promptly ended the process tree. After that I figured it'd be a good idea to grab ESET and Spybot and give it a run.

______________________________________

Spybot yields:

Win32.Downloader.gen: [SBI $E6AD2227] Program directory (Directory, nothing done)
C:\Users\(user)\AppData\Local\Conduit\

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2014-02-20 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2014-01-08 Includes\Adware-000.sbi (*)
2014-01-08 Includes\Adware-001.sbi (*)
2014-02-19 Includes\Adware-C.sbi (*)
2014-01-08 Includes\Adware.sbi (*)
2014-01-13 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2014-01-08 Includes\Dialer-000.sbi (*)
2014-01-08 Includes\Dialer-001.sbi (*)
2014-01-08 Includes\Dialer-C.sbi (*)
2014-01-08 Includes\Dialer.sbi (*)
2014-01-13 Includes\DialerC.sbi (*)
2013-04-11 Includes\HeavyDuty.sbi (*)
2014-01-08 Includes\Hijackers-000.sbi (*)
2014-01-08 Includes\Hijackers-001.sbi (*)
2014-01-08 Includes\Hijackers-C.sbi (*)
2014-01-08 Includes\Hijackers.sbi (*)
2014-01-13 Includes\HijackersC.sbi (*)
2014-01-08 Includes\iPhone-000.sbi (*)
2014-01-08 Includes\iPhone.sbi (*)
2014-01-08 Includes\Keyloggers-000.sbi (*)
2014-01-08 Includes\Keyloggers-C.sbi (*)
2014-01-08 Includes\Keyloggers.sbi (*)
2014-01-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2014-01-09 Includes\Malware-000.sbi (*)
2014-01-09 Includes\Malware-001.sbi (*)
2014-01-09 Includes\Malware-002.sbi (*)
2014-02-05 Includes\Malware-003.sbi (*)
2014-01-28 Includes\Malware-004.sbi (*)
2014-01-09 Includes\Malware-005.sbi (*)
2014-01-09 Includes\Malware-006.sbi (*)
2014-01-09 Includes\Malware-007.sbi (*)
2014-02-19 Includes\Malware-C.sbi (*)
2014-01-13 Includes\Malware.sbi (*)
2014-01-13 Includes\MalwareC.sbi (*)
2014-01-15 Includes\PUPS-000.sbi (*)
2014-01-15 Includes\PUPS-001.sbi (*)
2014-01-15 Includes\PUPS-002.sbi (*)
2014-02-19 Includes\PUPS-C.sbi (*)
2014-01-13 Includes\PUPS.sbi (*)
2014-01-13 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2014-01-08 Includes\Security-000.sbi (*)
2014-01-08 Includes\Security-C.sbi (*)
2014-01-08 Includes\Security.sbi (*)
2014-01-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2014-01-08 Includes\Spyware-000.sbi (*)
2014-01-08 Includes\Spyware-001.sbi (*)
2014-01-08 Includes\Spyware-C.sbi (*)
2014-01-08 Includes\Spyware.sbi (*)
2014-01-08 Includes\SpywareC.sbi (*)
2012-11-19 Includes\Tracks.uti
2014-01-15 Includes\Trojans-000.sbi (*)
2014-01-15 Includes\Trojans-001.sbi (*)
2014-01-15 Includes\Trojans-002.sbi (*)
2014-01-15 Includes\Trojans-003.sbi (*)
2014-01-15 Includes\Trojans-004.sbi (*)
2014-01-15 Includes\Trojans-005.sbi (*)
2014-01-15 Includes\Trojans-006.sbi (*)
2014-01-15 Includes\Trojans-007.sbi (*)
2014-01-15 Includes\Trojans-008.sbi (*)
2014-01-15 Includes\Trojans-009.sbi (*)
2014-02-19 Includes\Trojans-C.sbi (*)
2014-01-15 Includes\Trojans-OG-000.sbi (*)
2014-01-15 Includes\Trojans-TD-000.sbi (*)
2014-01-15 Includes\Trojans-VM-000.sbi (*)
2014-01-15 Includes\Trojans-VM-001.sbi (*)
2014-01-15 Includes\Trojans-VM-002.sbi (*)
2014-01-15 Includes\Trojans-VM-003.sbi (*)
2014-01-15 Includes\Trojans-VM-004.sbi (*)
2014-01-15 Includes\Trojans-VM-005.sbi (*)
2014-01-15 Includes\Trojans-VM-006.sbi (*)
2014-01-15 Includes\Trojans-VM-007.sbi (*)
2014-01-15 Includes\Trojans-VM-008.sbi (*)
2014-01-15 Includes\Trojans-VM-009.sbi (*)
2014-01-15 Includes\Trojans-VM-010.sbi (*)
2014-01-15 Includes\Trojans-VM-011.sbi (*)
2014-01-15 Includes\Trojans-VM-012.sbi (*)
2014-01-15 Includes\Trojans-VM-013.sbi (*)
2014-01-15 Includes\Trojans-VM-014.sbi (*)
2014-01-15 Includes\Trojans-VM-015.sbi (*)
2014-01-15 Includes\Trojans-VM-016.sbi (*)
2014-01-15 Includes\Trojans-VM-017.sbi (*)
2014-01-15 Includes\Trojans-VM-018.sbi (*)
2014-01-15 Includes\Trojans-VM-019.sbi (*)
2014-01-15 Includes\Trojans-VM-020.sbi (*)
2014-01-15 Includes\Trojans-VM-021.sbi (*)
2014-01-15 Includes\Trojans-VM-022.sbi (*)
2014-01-15 Includes\Trojans-VM-023.sbi (*)
2014-01-15 Includes\Trojans-VM-024.sbi (*)
2014-01-15 Includes\Trojans-ZB-000.sbi (*)
2014-01-15 Includes\Trojans-ZL-000.sbi (*)
2014-01-09 Includes\Trojans.sbi (*)
2014-01-09 Includes\TrojansC-02.sbi (*)
2014-01-09 Includes\TrojansC-03.sbi (*)
2014-01-16 Includes\TrojansC-04.sbi (*)
2014-01-09 Includes\TrojansC-05.sbi (*)
2014-01-09 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

______________________________________

Keep in mind that I live in a place with several others and that has frequent guests, so I have my own keylogger on my system for when I am away, so anything with a keylogger may be a false positive. I have had this logger for half a year now and have not had issues. These issues I have been having only manifested within the last several days. Spybot originally could not remove Win32.Downloader.gen, so it tried to remove it during boot and it still could not.
ESET also found it and could neither clean nor delete it. However, when ESET ran a reboot, it refused to run, giving an error message saying "error communicating with kernel". I ran through the ESET knowledgebase. The ESET Service entry in services.msc was on Automatic but was not started. When I tried to start it, it displayed an error message:

"Windows could not start the ESET Service service on Local Computer. Error 1053: The service did not respond to the start or control request in a timely fashion"

I ran both the Sirefef cleaner and the IRCBot cleaner provided in the knowledgebase and both had no effect. What should be my next step? Run ESET or Spybot in safe mode?

Attachment: dxdiag.txt

Edited February 24, 2014 by Marcos: DxDiag log moved to a file
Arakasi, posted February 21, 2014:

Hello Featherless, I noticed your username in your posted logs. Requesting you or ESET staff remove this for your own personal security.

uninst000.exe is not necessarily a malicious running process, but a common name used for uninstallers for a wide, HUGE range of applications. It's almost a standard etiquette in development.

Let's start with: what version of ESET are you running? Have you tried Hitman Pro, TDSS Killer from Kaspersky for rootkits, and Emsisoft Emergency Kit?

My first recommendation would be safe mode with networking running HitmanPro, then immediately after, reset all your browsers. "RESET"

Do you know how to create a SysRescue utility? (Create SysRescue) I would advise creating one and scanning your machine using SysRescue with the latest up-to-date definitions; ESET now detects most variants of Conduit. Although a browser reset is also needed after the fact.

Good luck
Arakasi, posted February 21, 2014:

If you have an active subscription with ESET, you have free US support by phone. Contact them during normal business hours, and the techs at level 3 will provide assistance as well.
featherless, posted February 21, 2014 (edited):

Thanks for the reply, Arakasi. I edited the post. I just ran ESET and Spybot in safe mode. ESET was able to function in safe mode. I returned back to normal Windows and ESET kind of worked for a little. The program was open but the control panel was blank white. After about a minute the error window reappeared saying it had an error communicating with the kernel. So whatever it got rid of in safe mode just re-executed itself. I will try what you said, Arakasi.

EDIT: Also, I have only tried ESET and Spybot. The version of ESET I am using is a 30-day trial version. I just downloaded it a couple hours ago off the website.

EDIT2: I just ran rkill and it found two processes:
* C:\Windows\SysWOW64\ExMgr.exe (PID: 4300) [WD-HEUR]
* C:\Windows\system\ATLOISAService.exe (PID: 4556) [WD-HEUR]

EDIT3: Also, pretty sure it is not a Conduit issue. I accidentally installed a Conduit search bar extension while installing a legitimate program. I believe it was mumble or something similar, I am not remembering at the moment. I know exactly how I got this issue and I am pretty sure it is not Conduit (then again you never know. I don't want to rule anything out).

***EDIT 4: Possible solution? Thank you Arakasi for all the suggestions. I grabbed everything just in case I need to use them. I decided to try out Hitman Pro first. I booted into safe mode with networking. I ran rkill first and let that run. Then I ran Hitman Pro. It detected a number of Conduit and rocketfuel entries, both of which were on ignore at first, but I deleted all of them. There were also a number of cookies. I am not sure if it is fixed yet or not, but I can now at least run ESET on normal Windows, which is a good sign. Not sure how to make sure everything is cleared.

***EDIT 5: NOT SOLVED. Things seemed to have been functioning much better and how they should. While making up for lost time for a couple hours and while Malwarebytes was running a full scan, everything was fine. After the full Malwarebytes scan and some more Conduit registry entries found, I restarted my computer. Once the computer was booted back up again, ESET once again had the kernel issue described above. So far everything else seems to be running fine; however, I feel like the malware still exists. Going to sleep.

Edited February 21, 2014 by featherless
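The two paths rkill reported above (C:\Windows\SysWOW64\ExMgr.exe and C:\Windows\system\ATLOISAService.exe) are the kind of thing a first-pass process triage should surface on its own, without relying on a particular tool's heuristics. The script below is an added example, not code from the thread or from any of the tools named in it: it walks the running processes, flags any whose image lives outside the usual Windows and Program Files roots (C:\Windows\system, without the "32", is not one of them) or whose Authenticode check does not come back Valid, and prints the signer so a legitimate vendor is easy to recognise. It assumes Windows PowerShell 3 or later and an elevated prompt; the list of expected roots is an assumption you may want to extend.

```powershell
# Added example, not from the thread. Lists running processes whose image sits
# outside the usual Windows/Program Files roots or whose Authenticode check does
# not come back Valid. Run from an elevated Windows PowerShell prompt; image
# paths of processes owned by other users are hidden otherwise.

function Get-SuspiciousProcess {
    # Directories where a signed, legitimately installed executable is expected to live
    # (assumption: extend for your own software installs)
    $expectedRoots = @(
        "$env:SystemRoot\System32\",
        "$env:SystemRoot\SysWOW64\",
        "$env:ProgramFiles\",
        "${env:ProgramFiles(x86)}\"
    ) | Where-Object { $_ -and $_ -ne '\' }       # drop the x86 entry on 32-bit Windows

    Get-Process | ForEach-Object {
        $p = $_
        $path = $null
        try { $path = $p.MainModule.FileName } catch { }   # protected or cross-bitness process
        if (-not $path) { return }

        $inExpectedRoot = $false
        foreach ($root in $expectedRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inExpectedRoot = $true }
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            PID        = $p.Id
            Name       = $p.ProcessName
            Path       = $path
            Signature  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Suspicious = (-not $inExpectedRoot) -or ($sig.Status -ne 'Valid')
        }
    } | Where-Object { $_.Suspicious } | Sort-Object Path
}

Get-SuspiciousProcess | Format-Table PID, Name, Signature, Signer, Path -AutoSize
```

Read the output with one caveat in mind: on older Windows versions Get-AuthenticodeSignature reports NotSigned for Microsoft binaries that are signed through catalog files rather than an embedded signature, so a NotSigned entry under System32 needs a second look (Sysinternals sigcheck with -c, or a hash comparison against a known-clean machine) before it counts as evidence. An unsigned executable in a non-standard directory such as C:\Windows\system is the stronger signal, and is exactly the combination this script is meant to bring to the top.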
Arakasi, posted February 21, 2014:

It really does sound like a rootkit, if it's truly malware breaking the tie between ESET and the kernel.

Try ERA Remover from safe mode: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2372
and TDSS Killer: hxxp://usa.kaspersky.com/downloads/TDSSKiller

I would run ATF Cleaner or CCleaner on your temp directories. If you haven't run EEK, I would run that also. SysRescue would probably trump all the above, because it would be similar to running ESET in safe mode.

If at the very end the malware still exists, create a SysInspector log that ESET staff or myself can look at to provide better assistance.
featherless, posted February 23, 2014:

I have tried EEK and TDSS Killer. I will try ERA, CCleaner, and SysRescue now.
Marcos (Administrator), posted February 23, 2014:

What's the output of running "sc query ekrn" as an administrator?
featherless, posted February 24, 2014:

SERVICE_NAME: ekrn
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Also, I tried EEK again, TDSS, and ERA, and nothing. I ran CCleaner as well, but I am not sure if that does anything. ESET still has problems talking to the kernel. Also, ever since I ran Hitman Pro the first time, when I boot up into regular Windows there is a run error for a Conduit thing. I will write it down when I boot up again.
Arakasi, posted February 24, 2014:

To remove that Conduit error, do the following:

Control Panel > Administrative Tools > Task Scheduler

Under Task Scheduler Library, remove the line item corresponding to your error.
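The manual walk through Task Scheduler Library works when the offending task is easy to spot by name. The script below is an added example, not code from the thread, that does the same hunt programmatically: it lists every task whose action points at a file that no longer exists (what is left behind when a cleaner deletes the payload but not the task, and the usual source of a "run error" at every logon) or whose name or command line matches a pattern such as "conduit". It assumes Windows 8 / Server 2012 or later for the ScheduledTasks module (on Windows 7 the same data comes from schtasks /query /fo CSV /v), an elevated prompt so tasks of all users are visible, and the pattern list is an assumption to extend.

```powershell
# Added example, not from the thread. Finds scheduled tasks whose target is
# missing or whose name/command line matches an unwanted product. Assumes the
# ScheduledTasks module (Windows 8 / Server 2012 or later); run elevated.

function Get-OrphanedOrMatchingTask {
    param([string[]]$Pattern = @('conduit'))   # patterns are an assumption; extend as needed

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # COM-handler or e-mail actions have no Execute

            # Normalise the executable: strip quotes, expand %SystemRoot%-style variables,
            # and resolve bare names such as "cmd" through PATH so they are not flagged as missing
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if ($exe -notmatch '[\\/]') {
                $resolved = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
                if ($resolved) { $exe = $resolved.Path }
            }
            $missing = -not (Test-Path -LiteralPath $exe -PathType Leaf)

            $text    = "$($task.TaskPath)$($task.TaskName) $exe $($action.Arguments)"
            $matched = $Pattern | Where-Object { $text -match $_ } | Select-Object -First 1

            if ($missing -or $matched) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Reason    = if ($missing) { 'target missing' } else { "matches '$matched'" }
                }
            }
        }
    }
}

$hits = Get-OrphanedOrMatchingTask
$hits | Format-Table TaskPath, TaskName, State, Reason, Execute -AutoSize -Wrap

# Disable first (reversible); delete once you are sure the entry is the one producing the error:
# $hits | ForEach-Object { Disable-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName }
# $hits | ForEach-Object { Unregister-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName -Confirm:$false }
```

Review the list before removing anything: legitimate software also leaves orphaned tasks behind after an uninstall, and tasks under \Microsoft\Windows\ with a missing target on an unusual build are worth a look rather than a reflexive delete. Disabling the task reproduces the fix Arakasi describes (the error stops at the next logon) while leaving a way back if the wrong entry was picked.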
Arakasi, posted February 24, 2014:

CCleaner is used to delete all the files in your Temp directories. Temporary directories are a common place for malware to reside.
featherless, posted February 24, 2014:

"CCleaner is used to delete all the files in your Temp directories. Temporary directories are a common place for malware to reside."

Rather, I meant I wasn't sure if it did anything. I wasn't doubting its capabilities. Maybe ESET just needs a reinstall? Perhaps I truly did get rid of it? I am using my computer right now to do things and all the oddities are gone.
Arakasi, posted February 24, 2014:

Good. Uninstall from safe mode using the uninstaller, boot to normal, and reinstall ESET. Did you get the Conduit error removed from startup in the Task Scheduler? If you are having trouble finding it, post a screenshot of your tasks.

Good luck!
Arakasi, posted February 24, 2014:

For future readers and onlookers: the thing with antivirus protection is active self-defense. If you are already compromised, it is on occasion a tribulation to fix, repair, and clean everything all out after the fact. Sometimes it even requires a reload of the operating system. ESET will protect and keep harmful files and intrusions out of your computer, better than most; but installing antivirus protection in general after you have already been infected is trivial, to say the least. You must get yourself clean and the threats removed, plus patch up your system with all the security patches, then reinitialize your AV protection for self-defense.

_________________________

I know that you installed the ESET trial; however, I encourage you to purchase a subscription to stay protected past the 30 days.
Marcos (Administrator), posted February 24, 2014:

Does running "net start ekrn" actually start the ekrn service?
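Marcos's two questions ("sc query ekrn", "net start ekrn") are the right starting point; the "error communicating with kernel" message and error 1053 tell you only that the user-mode service did not come up in time, not why. The script below is an added example, not code from ESET or from the thread, that collects in one pass the facts a support engineer would ask for next: the service state and configuration (the same data sc query ekrn and sc qc ekrn print), whether the registered image exists and is validly signed, the state of every service and driver ekrn declares a dependency on, the state of every kernel driver whose file is signed by ESET (found by signer, so no driver names are hard-coded), the latest Service Control Manager errors naming the service, and the exact exception from a start attempt. It assumes Windows PowerShell 3 or later, an elevated prompt, and that 'ekrn' is the service name, as it is in this thread.

```powershell
# Added example, not from the thread. Diagnoses why the ESET kernel service stays
# STOPPED. Assumes Windows PowerShell 3 or later, run elevated; the service name
# 'ekrn' is the one used in the thread, everything else is discovered at run time.

function Get-EkrnDiagnostics {
    param([string]$ServiceName = 'ekrn')

    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { return [pscustomobject]@{ Service = $ServiceName; Installed = $false } }

    # Image path as registered with the SCM, minus quotes and arguments
    $image = $svc.PathName
    if ($image.StartsWith('"')) { $image = $image.Substring(1, $image.IndexOf('"', 1) - 1) }
    else { $image = ($image -split ' ')[0] }
    $imageExists = Test-Path -LiteralPath $image -PathType Leaf
    $imageSig = if ($imageExists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }

    # Services/drivers ekrn declares a dependency on; one of these Stopped is a direct cause of 1053
    $deps = (Get-Service $ServiceName).ServicesDependedOn |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Status = $_.Status } }

    # Kernel drivers signed by ESET: a driver that is Stopped, or whose file is missing or
    # tampered, is what "cannot communicate with the kernel" usually means in practice
    $drivers = Get-WmiObject Win32_SystemDriver | ForEach-Object {
        $file = $_.PathName
        if (-not $file) { return }
        $file = $file -replace '^\\\?\?\\', ''                        # \??\C:\...       -> C:\...
        $file = $file -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\...  -> C:\Windows\...
        if ($file -notmatch '^[A-Za-z]:\\') { $file = Join-Path $env:SystemRoot $file }
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { return }
        $s = Get-AuthenticodeSignature -FilePath $file
        if ($s.SignerCertificate -and $s.SignerCertificate.Subject -match 'ESET') {
            [pscustomobject]@{ Name = $_.Name; State = $_.State; StartMode = $_.StartMode; Signature = $s.Status; File = $file }
        }
    }

    # Recent SCM errors naming the service (7000/7009/7011 are the start-timeout family);
    # SCM messages use the display name ("ESET Service"), so match on both names
    $scm = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Level = 2 } -MaxEvents 100 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($svc.DisplayName) -or $_.Message -match $ServiceName } |
        Select-Object TimeCreated, Id, Message

    # Try the start ourselves and keep the real exception text instead of the generic 1053 dialog
    try   { Start-Service -Name $ServiceName -ErrorAction Stop; $startResult = 'started' }
    catch { $startResult = $_.Exception.Message }

    [pscustomobject]@{
        Service = $ServiceName; Installed = $true; State = $svc.State; StartMode = $svc.StartMode
        Image = $image; ImageExists = $imageExists; ImageSignature = $imageSig
        DependsOn = $deps; EsetDrivers = $drivers; ScmErrors = $scm; StartAttempt = $startResult
    }
}

$d = Get-EkrnDiagnostics
$d | Format-List Service, Installed, State, StartMode, Image, ImageExists, ImageSignature, StartAttempt
$d.DependsOn   | Format-Table -AutoSize
$d.EsetDrivers | Format-Table -AutoSize
$d.ScmErrors   | Format-Table -AutoSize -Wrap
```

How to read it against this thread: the output posted above shows STATE 1 STOPPED with both exit codes 0, which is what a service looks like after a start timeout rather than after a crash. If an ESET-signed driver shows State Stopped with StartMode Boot or System, or its file fails the signature check, the user-mode service has nothing to talk to and a clean uninstall from safe mode and reinstall (as Arakasi suggests) is the fix; if every driver is Running and validly signed but the SCM log shows repeated 7009/7011 entries, something in the boot path is delaying the service and the start attempt's exception text is the next clue.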