1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Strange Processes Slowing Me Down

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Merkava, Nov 10, 2017.

  1. Merkava

    Merkava Private First Class

    At least two times I've run and rebooted, I think, and dtiwo still shows up.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run this and then rerun TDSSKiller:

    RKill

    Do not reboot. Try to run RogueKiller and Hitman. Let me know what happens.
     
  3. Merkava

    Merkava Private First Class

    At least two times I've run TDSSK and rebooted, and dtiwo still shows up.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download and run Autoruns

    You will have to extract the contents from the ZIP file into its a new folder you create for it ( like AutoRuns on your Desktop )
    Keep the Everything tab selected in AutoRuns.
    Then click on the File menu selection and select Save. Save this log file in default format to your Desktop. The default format and filename should be AutoRuns.arn
    Now put the AutoRuns.arn file into a ZIP file and attach this ZIP to your next message. ( NOTE: You cannot attach the AutoRuns.arn file. It must be ZIP'ed ).
     
  5. Merkava

    Merkava Private First Class

    Wow. RK actually ran and found the persistent one "exibrgo.exe". "lscdpnb.exe not found" error is coming up at boot, though. "Procedure entry point could not be located in libcef.dll". Just now during Hitman scan, too. Maybe it's in its death throes now. :)

    HMP was having problems during log save, but I got it this time. Attached, along with RogueKiller and Rkill.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    For some reason I cannot open your autoruns log... it appears to be encrypted and needs a key to decrypt. I downloaded 7zip just in case and the log is gibberish.

    Have RogueKiller remove that process.

    Then reboot and rerun RogueKiller and tell me what issues you still have.
     
    Last edited: Nov 14, 2017 at 7:11 PM
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please right click on the AutoRuns.arn file and scroll to "send to" and choose Compressed (zipped) folder. (not 7zip)
     
  8. Merkava

    Merkava Private First Class

    Great lscdpnb.exe is back in Task manager, and even with Rkill and Run as Admin, RogueKiller won't run now!:( It was also apparently getting hung on some file which I didn't get written down, unfortunately. Happened at least twice. I think it's lsouegisvc.exe.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download GMER and save it to your desktop:
    • Unzip (extract) it to your desktop.
    • Disconnect from Internet and close all running programs.
    • There is a small chance this application may crash your computer so save any work you have open.
    • Double-click gmer.exe to run it.
    • Let the gmer.sys driver to load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
    • Click the Rootkit tab.
    • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Then click the Scan button. Wait for the scan to finish.
    • Once done, click the Copy button.
    • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Attach this log to your next reply.
    NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I did manage to open your Autoruns log and neither of those exe files are in there. Continue on with Gmer.
     
  11. Merkava

    Merkava Private First Class

    In Safe because it wouldn't start, even with Admin and Rkill. Still nothing.

    Here's an item of interest. The "lscdpnb.exe not found...procedure entry point not located in libcef.dll error that comes up? I searched for that dll and there are several results, most related to games/drivers, etc.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's related to steam.

    Now please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktopto run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the [​IMG] text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the [​IMG] button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  13. Merkava

    Merkava Private First Class

    This is how it looks to me. No IMG text field, so I just pasted at the bottom. No IMG button, either. Not sure what to do.[​IMG]
     

    Attached Files:

    Last edited: Nov 16, 2017 at 6:09 PM
  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Tim's boilerplate instructions needs updating.. now click the Run Scan button. *Side note: Please try to run any scans in Normal Startup Mode if possible.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Crap....images are no longer available. Carry on.
     
  16. Merkava

    Merkava Private First Class

    Okay thx. Here we go.
     

    Attached Files:

    • OTL.Txt
      File size:
      346.1 KB
      Views:
      2
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    Code:
    :processes
    :killallprocesses
    :otl
    [2017/11/09 11:02:57 | 000,000,000 | ---D | C] -- C:\Users\OWNER\AppData\Local\zadtgpv
    [2017/11/09 10:58:20 | 000,000,000 | ---D | C] -- C:\Users\OWNER\AppData\Local\exibrgo
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log form OTL to your next message.
     
  18. Merkava

    Merkava Private First Class

    No notepad, but the prompt/window to save fix.txt popped up, I directed it to desktop, clicked save, then an error msg came up saying it couldn't be opened. Scan again?
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    A copy of an OTL fix log is saved in a text file at :\_OTL\Moved Files
     
  20. Merkava

    Merkava Private First Class

    Sry I'm not very comp savvy. I tried to copypaste that into the Run prompt, but no dice. Not sure where that indicates on my drive.
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    C:\_OTL\Moved Files

    Run won't find it. Look through File explorer after right clicking Start.

    If you can't find it, please just rerun OTL as in post #62.
     
  22. Merkava

    Merkava Private First Class

    Okay.
     

    Attached Files:

    • OTL.Txt
      File size:
      339.9 KB
      Views:
      1
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    • Do not include the word Code
    Code:
    :otl
    [2017/11/09 11:02:57 | 000,000,000 | ---D | C] -- C:\Users\OWNER\AppData\Local\zadtgpv
    [2017/11/09 10:58:20 | 000,000,000 | ---D | C] -- C:\Users\OWNER\AppData\Local\exibrgo
    :commands
    REBOOT
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log from OTL to your next message.
    A copy of an OTL fix log is saved in a text file at C:\_OTL\Moved Files
     
  24. Merkava

    Merkava Private First Class

    No problems this time.
     

    Attached Files:

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK....that's weird since the original scan did find them. Let's try this:

    Please download BlitzBlank to your desktop.
    Double-click BlitzBlank.exe to open (If running Vista, Win 7, or Win 8, 10 use right-click and select Run as Administrator)
    Press OK at the warning prompt.
    Click the Script tab
    Copy the text inside the code box below and paste it into the text-field.
    Code:
    [color=red]DeleteFile:[/color]
    C:\Users\OWNER\AppData\Local\zadtgpv
    C:\Users\OWNER\AppData\Local\exibrgo
    
    Now click the Execute Now button.
    The fix will require a reboot in order to complete successfully.
    Upon reboot, locate C:\blitzblank.log and upload this log to your next message.
     
  26. Merkava

    Merkava Private First Class

    This one?
     

    Attached Files:

  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No. That is the old OTL log. You need to find the log located at C:\blitzblank.log
     
  28. Merkava

    Merkava Private First Class

    Sorry, delete that^.

    I get "Syntax error in line 1, Unknown command."
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try it again, please:

    Double-click BlitzBlank.exe to open (If running Vista, Win 7, or Win 8, 10 use right-click and select Run as Administrator)
    Press OK at the warning prompt.
    Click the Script tab
    Copy the text inside the code box below and paste it into the text-field.
    Code:
    DeleteFile:
    C:\Users\OWNER\AppData\Local\zadtgpv
    C:\Users\OWNER\AppData\Local\exibrgo
    
    Now click the Execute Now button.
    The fix will require a reboot in order to complete successfully.
    Upon reboot, locate C:\blitzblank.log and upload this log to your next message.
     
  30. Merkava

    Merkava Private First Class

    Syntax error in line 2. Invalid file path.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please follow these steps:
    1. Copy all text in the quote box (below)...to Notepad.
    2. Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
      delfile.bat <<------------- you should see this on your desktop.
    3. Double click on delfile.bat to execute it.
      A black CMD window will flash, then disappear...this is normal.
    4. The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

    Reboot and rerun OTL.
     
  32. Merkava

    Merkava Private First Class

    Access is denied!
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Is this what you have when you run BlitzBlank:
     

    Attached Files:

  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One more time:

    Double-click BlitzBlank.exe to open (If running Vista, Win 7, or Win 8, 10 use right-click and select Run as Administrator)
    Press OK at the warning prompt.
    Click the Script tab
    Copy the text inside the code box below and paste it into the text-field.
    Code:
    DeleteFile: ReplaceWithDummy
                      C:\Users\OWNER\AppData\Local\zadtgpv
                      C:\Users\OWNER\AppData\Local\exibrgo
    
    Now click the Execute Now button.
    The fix will require a reboot in order to complete successfully.
    Upon reboot, locate C:\blitzblank.log and upload this log to your next message.
     
  35. Merkava

    Merkava Private First Class

    To the pic you posted, I wasn't switching back to the Designer tab, so I'm not sure if that's what you're talking about, but I did this time and the items I pasted in Scripts showed up in Designer. Again, "Syntax error in line 2. Invalid file path"
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please post a screenshot. If the items are showing up in Designer.....can you not hit execute now?
     
    Last edited: Nov 18, 2017 at 6:57 PM
  37. Merkava

    Merkava Private First Class

    Had to reboot. Couldn't even run MSPaint to save a screen. The same error message comes up. I don't suppose I should be running RKill first...?
     

    Attached Files:

  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nothing wrong with what you are doing. Yes, run RKill and then try again with Blitz.
     
  39. Merkava

    Merkava Private First Class

    Still no dice.
     
  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok...... please right click on start/run/ and type in regedit. Once the window opens, click on edit and scroll to find. In the find box, put in zadtgpv. If it finds it, and is listed in the right column or left, right click and delete. Do the same for exibrgo.

    Then rerun RKill and Blitz. Let me know how you get along.
     
  41. Merkava

    Merkava Private First Class

    Still syntax error.
     
  42. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you find the items in the registry?
     
  43. Merkava

    Merkava Private First Class

    Not sure what you're referring to.
     
  44. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you not do this?
     

Share This Page


MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds


<