Several issues resulting from 123.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by clv, Dec 16, 2008.

  1. clv

    clv Private E-2

    I need assistance with several issues that I have as a result of 123.exe

    While browsing a website, a window opened directing me to restart so new settings could take effect; the app was 123. I immediately closed the browser and the window prompting a restart. I opened Task Manager and could see 123.exe and downer.exe running in the Processes tab. I ended those two processes and then launched a full scan with Symantec. The scan showed nothing. My company tech directed me to run HouseCall. HouseCall failed on three attempts, stopping completely in the middle of the scan. After the 3rd failure and reboot, I received a zerocfgsvc error, my taskbar and desktop were completely gone, and so were all my network services. My tech recommended that I try to save my most recent files with ERDCommand2k5.iso and reformat the entire drive. I cannot get the tool to boot.

    I have attempted to run the steps outlined by this site's Windows cleaning procedure. I cannot install the software tools, as I receive another error message that my Windows Installer cannot be accessed. When I attempt to turn on the installer in the Services tab, I receive a 1068 error: "The dependency service or group failed to start".

    I am not sure what to fix first at this point, and I don't believe that the problem is completely unrecoverable to the point of reformatting, but more a progression of fixes.

    Thank you in advance for your help. I missed several work deadlines yesterday as a result of this and want to resolve it as soon as possible.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Please try following along with the below instructions.

    Begin by clicking Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
    • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
    • Then search for TDSSserv.sys
    • Let me know if you find this or not.
    • If you do find it, right click on it, and select Disable. Do not try to uninstall it.
    • Also if TDSSserv.sys is found and you disable it, then reboot.
    • After reboot continue on with the below cleaning instructions.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. clv

    clv Private E-2

    Chaslang-
    Prior to receiving your post, I attempted to run through the removal guide process. I did try to install the tools using a CD, but found that the Windows Installer failed on every attempt. I followed the instructions detailed by Microsoft in the following article: http://support.microsoft.com/kb/315346. This too did not fix the installer issue, so I resorted to a dynamic install to repair it. Once that was completed I worked through the removal guide steps; after all was fixed, I still received, on start-up and at random, a message that states 'cannot find hguest.exe'.

    Following your post's directions, I did not find TDSSserv.sys, and I have re-run the tools again and attached the logs.
     


  4. clv

    clv Private E-2

    4 of 4 log files
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You seem to have a bunch of unknown items that showed up on Dec 15th. They seem to possibly relate to Chinese websites and may be related to something with OCR. Do you know what the below files and folder are:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [hgcheck] C:\WINDOWS\system32\hgcheck.exe
    O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
    O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)

    After clicking Fix, exit HJT.



    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 21, 2008
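Added example, not from the thread or from HijackThis/MajorGeeks: a small Python parser for the O2/O4/O23 HijackThis lines quoted in the post above. It pulls out the CLSID, image path and service owner from each line and flags the two markers chaslang's fix list relies on, "(file missing)" and "Unknown owner". The sample input is the five lines from the post; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the five HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hgcheck] C:\WINDOWS\system32\hgcheck.exe
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
""".strip()

# One pattern per section type handled: O2 (BHO), O4 (Run key), O23 (service).
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?: \((?P<note>file missing)\))?$")
_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<svc>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*?)(?: \((?P<note>file missing)\))?$")

@dataclass
class HjtEntry:
    kind: str        # O2 / O4 / O23
    name: str        # BHO name, Run value name or service display name
    path: str        # image path with quotes and arguments stripped
    clsid: str = ""  # O2 only
    owner: str = ""  # O23 only
    flags: list = field(default_factory=list)  # triage reasons

def _exe_from_cmd(cmd: str) -> str:
    # A quoted command keeps its path intact; otherwise take the first token.
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def parse_hjt(text: str) -> list:
    """Parse O2/O4/O23 lines into HjtEntry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := _O2.match(line):
            e = HjtEntry("O2", m["name"], m["path"], clsid=m["clsid"])
        elif m := _O4.match(line):
            e = HjtEntry("O4", m["name"], _exe_from_cmd(m["cmd"]))
        elif m := _O23.match(line):
            e = HjtEntry("O23", m["name"], m["path"], owner=m["owner"])
        else:
            continue
        if e.owner == "Unknown owner":
            e.flags.append("unknown owner")
        if m.groupdict().get("note") == "file missing":
            e.flags.append("file missing")
        entries.append(e)
    return entries
```

Entries whose `flags` list is non-empty are the ones that would be worth a second look in a log like this; an empty list only means neither marker was present, not that the entry is clean.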
  6. clv

    clv Private E-2

    Chaslang-
    I am not sure what those files are. The problem did begin on Dec 15; I was processing data files from a website hosted out of Geneva, as I do every week.

    I followed your instructions and have attached the logs. I have not had the 'hguest' notice pop up in the last 48 hours. The only unusual thing that did occur was that yesterday my corporate Symantec product, which runs in real time, identified three threats in c:\QooBox and two others. I have attached the history report for reference.

    I am not sure at this point if the situation is resolved.

    CLV
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then we should investigate them in some more detail. Do you do anything related to Chinese websites or with the Chinese language? Is it possible these are related to something you do for work? The LanqiEngine folder showed up on Dec 15th and some of those other files are probably related to it. See the below report too and see if anything looks familiar:

    http://www.siteadvisor.com/sites/9iwg.com/downloads/17533558/

    QooBox is just the Quarantine folder for ComboFix. Too bad Symantec did not do its job and detect those files while they were getting put on your PC in the first place. Now it wastes your time reporting them when they are no longer a problem. The mstask.sys one was a problem and I just missed it while reading your first logs. It was also from Dec 15th.


    Now let's try to collect some additional info on those files and the folder.

    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Then attach the below log:
    • C:\ComboFix.txt
    Make sure you tell me how things are working now!
     
