Okay, before I do that I found the following...
igfxCuiService.exe
igfxEM.exe
igfxHK.exe
igfxTray.exe
These aren't on my system.
Win7 notebook hit by "Microsoft Support" scam, possible Rootki
Started by
HALlives
, Feb 12 2017 08:08 PM
#32
Posted 14 February 2017 - 08:59 PM
HALlives
- Topic Starter
-
- Member
-
- 59 posts
Member
Also, they don't show up in Safe Mode.
#33
Posted 14 February 2017 - 09:03 PM
HALlives
- Topic Starter
-
- Member
-
- 59 posts
Member
ECHO is on.
Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
System Idle Process 0 Services 0 24 K Unknown NT AUTHORITY\SYSTEM 0:07:14 N/A
System 4 Services 0 908 K Unknown N/A 0:00:07 N/A
smss.exe 316 Services 0 1,240 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
csrss.exe 532 Services 0 5,164 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
wininit.exe 592 Services 0 5,244 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
csrss.exe 600 Console 1 19,368 K Running NT AUTHORITY\SYSTEM 0:00:01 N/A
winlogon.exe 656 Console 1 7,820 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
services.exe 696 Services 0 9,504 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
lsass.exe 704 Services 0 12,580 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
lsm.exe 712 Services 0 4,512 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 812 Services 0 9,792 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
ekrn.exe 872 Services 0 172,876 K Unknown NT AUTHORITY\SYSTEM 0:00:07 N/A
svchost.exe 908 Services 0 8,504 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
svchost.exe 1004 Services 0 20,652 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
svchost.exe 292 Services 0 26,180 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 356 Services 0 18,656 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
svchost.exe 588 Services 0 33,180 K Unknown NT AUTHORITY\SYSTEM 0:00:01 N/A
audiodg.exe 1036 Services 0 20,396 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
igfxCUIService.exe 1160 Services 0 7,708 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
WUDFHost.exe 1252 Services 0 6,464 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
WUDFHost.exe 1452 Services 0 14,188 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
WUDFHost.exe 1532 Services 0 5,468 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
svchost.exe 1596 Services 0 15,720 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:01 N/A
wlanext.exe 1684 Services 0 15,396 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
conhost.exe 1692 Services 0 2,936 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
spoolsv.exe 1784 Services 0 14,192 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 1812 Services 0 13,796 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
svchost.exe 1848 Services 0 6,712 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 1884 Services 0 14,524 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
armsvc.exe 1968 Services 0 4,192 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
officeclicktorun.exe 1996 Services 0 14,744 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
CxUtilSvc.exe 684 Services 0 4,660 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 1316 Services 0 7,472 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
EvtEng.exe 1616 Services 0 14,712 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
ibtsiva.exe 344 Services 0 4,424 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
mbae-svc.exe 2076 Services 0 12,140 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
RegSrvc.exe 2248 Services 0 6,548 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
mbae64.exe 2256 Services 0 4,364 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
conhost.exe 2280 Services 0 3,076 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
ss_conn_service.exe 2336 Services 0 4,720 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 2448 Services 0 9,968 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
SynTPEnhService.exe 2468 Services 0 4,652 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
UsbClientService.exe 2556 Services 0 4,568 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
valWBFPolicyService.exe 2588 Services 0 4,816 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
ZeroConfigService.exe 2612 Services 0 14,672 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
unsecapp.exe 2788 Services 0 5,424 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
WmiPrvSE.exe 2912 Services 0 9,688 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
svchost.exe 1156 Services 0 5,064 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
svchost.exe 3100 Services 0 5,716 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
taskeng.exe 3888 Console 1 6,912 K Running Barb-PC\Barb 0:00:00 TaskEng - Task Scheduler Engine Process
SynTPEnh.exe 3900 Console 1 17,424 K Running Barb-PC\Barb 0:00:00 N/A
dwm.exe 3908 Console 1 26,224 K Running Barb-PC\Barb 0:00:00 DWM Notification Window
PresentationFontCache.exe 3940 Services 0 17,968 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
egui.exe 3952 Console 1 31,880 K Running Barb-PC\Barb 0:00:00 ESET Smart Security
explorer.exe 4004 Console 1 58,116 K Running Barb-PC\Barb 0:00:01 N/A
taskeng.exe 4076 Services 0 5,660 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
SynTPHelper.exe 3140 Console 1 3,684 K Running Barb-PC\Barb 0:00:00 N/A
MicTray64.exe 3184 Console 1 8,220 K Running Barb-PC\Barb 0:00:00 MicTray
taskhost.exe 3424 Console 1 10,296 K Running Barb-PC\Barb 0:00:00 MCI command handling window
igfxEM.exe 3596 Console 1 10,356 K Running Barb-PC\Barb 0:00:00 The Event Manager - Status
igfxHK.exe 1400 Console 1 8,240 K Running Barb-PC\Barb 0:00:00 HotKey Listener
igfxTray.exe 3720 Console 1 9,156 K Running Barb-PC\Barb 0:00:00 igfxtrayWindow
SearchIndexer.exe 4408 Services 0 14,684 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
SearchProtocolHost.exe 4484 Services 0 8,136 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
SearchFilterHost.exe 4504 Services 0 5,656 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
chrome.exe 4552 Console 1 101,760 K Running Barb-PC\Barb 0:00:03 Win7 notebook hit by "Microsoft Support" scam, possible Rootki - Page 2
chrome.exe 4572 Console 1 7,180 K Unknown Barb-PC\Barb 0:00:00 N/A
chrome.exe 4612 Console 1 8,724 K Running Barb-PC\Barb 0:00:00 N/A
chrome.exe 4732 Console 1 40,200 K Unknown Barb-PC\Barb 0:00:01 N/A
chrome.exe 4792 Console 1 110,264 K Unknown Barb-PC\Barb 0:00:07 N/A
wmpnetwk.exe 1308 Services 0 28,400 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
svchost.exe 4324 Services 0 12,564 K Unknown NT AUTHORITY\LOCAL SERVICE 0:00:00 N/A
devmonsrv.exe 5608 Services 0 8,748 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A
cmd.exe 6056 Console 1 3,784 K Running Barb-PC\Barb 0:00:00 tasklist /v
conhost.exe 6064 Console 1 5,412 K Running Barb-PC\Barb 0:00:00 OleMainThreadWndName
tasklist.exe 6132 Console 1 6,400 K Unknown Barb-PC\Barb 0:00:00 N/A
WmiPrvSE.exe 1312 Services 0 6,628 K Unknown NT AUTHORITY\NETWORK SERVICE 0:00:00 N/A
These Windows services are started:
Adobe Acrobat Update Service
Application Experience
Base Filtering Engine
Bluetooth Device Monitor
Bluetooth Support Service
Certificate Propagation
CNG Key Isolation
COM+ Event System
Computer Browser
Credential Manager
Cryptographic Services
CxUtilSvc
DCOM Server Process Launcher
Desktop Window Manager Session Manager
DHCP Client
Diagnostic Policy Service
Diagnostic Service Host
Diagnostic System Host
Diagnostics Tracking Service
Distributed Link Tracking Client
DNS Client
Encrypting File System (EFS)
ESET Service
Extensible Authentication Protocol
Function Discovery Provider Host
Function Discovery Resource Publication
Group Policy Client
HomeGroup Listener
HomeGroup Provider
Human Interface Device Access
IKE and AuthIP IPsec Keying Modules
Intel Bluetooth Service
Intel® HD Graphics Control Panel Service
Intel® PROSet/Wireless Event Log
Intel® PROSet/Wireless Registry Service
Intel® PROSet/Wireless Zero Configuration Service
IP Helper
IPsec Policy Agent
Malwarebytes Anti-Exploit Service
Microsoft Office ClickToRun Service
Multimedia Class Scheduler
Network Connections
Network List Service
Network Location Awareness
Network Store Interface Service
Offline Files
Peer Name Resolution Protocol
Peer Networking Grouping
Peer Networking Identity Manager
Plug and Play
Portable Device Enumerator Service
Power
Print Spooler
Program Compatibility Assistant Service
Remote Procedure Call (RPC)
RPC Endpoint Mapper
SAMSUNG Mobile Connectivity Service
Security Accounts Manager
Server
Shell Hardware Detection
Smart Card
SSDP Discovery
Synaptics FP WBF Policy Service
SynTPEnh Caller Service
System Event Notification Service
Task Scheduler
TCP/IP NetBIOS Helper
Themes
UPnP Device Host
UsbClientService
User Profile Service
Windows Audio
Windows Audio Endpoint Builder
Windows Biometric Service
Windows Driver Foundation - User-mode Driver Framework
Windows Event Log
Windows Firewall
Windows Font Cache Service
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Media Player Network Sharing Service
Windows Presentation Foundation Font Cache 3.0.0.0
Windows Search
WinHTTP Web Proxy Auto-Discovery Service
WLAN AutoConfig
Workstation
The command completed successfully.
#34
Posted 14 February 2017 - 09:03 PM
zep516
-
- Malware Removal
-
- 8,097 posts
Trusted Helper
igfxCuiService.exe
igfxEM.exe
igfxHK.exe
igfxTray.exe
That looks like Intel Graphics card files. And they don't load in safe mode that's why the screen looks funny in safe mode.
igfxEM.exe
igfxHK.exe
igfxTray.exe
That looks like Intel Graphics card files. And they don't load in safe mode that's why the screen looks funny in safe mode.
#35
Posted 14 February 2017 - 09:08 PM
zep516
-
- Malware Removal
-
- 8,097 posts
Trusted Helper
Let me look it over, at first glance don't see much except
Startup items in "Barb" & "All Users" startup folders:
------------------------------------------------------
C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup {++}
<<!>> Funny.exe [null data]
Do you know what that is ?
Startup items in "Barb" & "All Users" startup folders:
------------------------------------------------------
C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup {++}
<<!>> Funny.exe [null data]
Do you know what that is ?
#36
Posted 14 February 2017 - 09:11 PM
HALlives
- Topic Starter
-
- Member
-
- 59 posts
Member
No idea Joe, although I think it might have shown up on one of the other scans?
#37
Posted 14 February 2017 - 09:16 PM
HALlives
- Topic Starter
-
- Member
-
- 59 posts
Member
It doesn't show up in the list of programs available to Uninstall.
#38
Posted 14 February 2017 - 09:17 PM
zep516
-
- Malware Removal
-
- 8,097 posts
Trusted Helper
delete files
- Copy all text in the quote box (below)...to Notepad.
@echo off rd /s /q "C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Funny.exe " del %0
- Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
It should look like this:
<--XP
<--vista - Double click on delfile.bat to execute it.
A black CMD window will flash, then disappear...this is normal. - The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.
#39
Posted 14 February 2017 - 09:24 PM
HALlives
- Topic Starter
-
- Member
-
- 59 posts
Member
Okay, I did that, everything seemed to go as it should... I rebooted the machine and the Scammer window came right back, and that crap's stil on the taskbar.
#40
Posted 14 February 2017 - 09:29 PM
zep516
-
- Malware Removal
-
- 8,097 posts
Trusted Helper
Can you run this, ESET online scan, might have to do it in safe mode because of your computer shutting down, this scan can take a while. Give it a shot and I'll talk Tomorrow.
Please run a free online scan with the ESET Online Scanner
Please run a free online scan with the ESET Online Scanner
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- Click Start
- Make sure that the options Remove found threats and the option Scan unwanted applications is checked
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- or C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt).
- Copy and paste that log as a reply to this topic
#41
Posted 14 February 2017 - 09:39 PM
zep516
-
- Malware Removal
-
- 8,097 posts
Trusted Helper
RegSrvc.exe
Let me look into that too, but I need to step out for a while.
EDIT Looks like part of Intel too.
Let me look into that too, but I need to step out for a while.
EDIT Looks like part of Intel too.
#42
Posted 14 February 2017 - 09:45 PM
HALlives
- Topic Starter
-
- Member
-
- 59 posts
Member
Thanks Joe, the Online Scanner is running.
The funny thing is that Eset is installed on the machine, but wouldn't run in Safe Mode.
#43
Posted 14 February 2017 - 09:51 PM
zep516
-
- Malware Removal
-
- 8,097 posts
Trusted Helper
Great. Hope it finds something.
Anti Virus programs do not run in Safe mode or safe mode with networking, never surf the internet in that mode.
If ESET does not find anything, tomorrow we try a system restore to a point before this occurred, and see if that does it. That's my idea so far.
It's 11:50 here, time for twilight zone.....
Anti Virus programs do not run in Safe mode or safe mode with networking, never surf the internet in that mode.
If ESET does not find anything, tomorrow we try a system restore to a point before this occurred, and see if that does it. That's my idea so far.
It's 11:50 here, time for twilight zone.....
#44
Posted 14 February 2017 - 10:30 PM
HALlives
- Topic Starter
-
- Member
-
- 59 posts
Member
19:38:13 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.14.0
# EOSSerial=ae34801878b7c7468e8aeebb9eb77b8b
# end=init
# utc_time=2017-02-15 03:38:13
# local_time=2017-02-14 19:38:13 (-0800, Pacific Standard Time)
# country="United States"
# osver=6.1.7601 NT Service Pack 1
19:39:22 Updating
19:39:22 Update Init
19:39:23 Update Download
19:40:15 esets_scanner_reload returned 0
19:40:15 g_uiModuleBuild: 32410
19:40:15 Update Finalize
19:40:15 Call m_esets_charon_send
19:40:15 Call m_esets_charon_destroy
19:40:15 Updated modules version: 32410
19:40:24 Call m_esets_charon_setup_create
19:40:24 Call m_esets_charon_create
19:40:24 m_esets_charon_create OK
19:40:24 Call m_esets_charon_start_send_thread
19:40:24 Call m_esets_charon_setup_set
19:40:24 m_esets_charon_setup_set OK
19:40:24 Scanner engine: 32410
20:05:02 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.14.0
# EOSSerial=ae34801878b7c7468e8aeebb9eb77b8b
# engine=32410
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# sfx_checked=true
# utc_time=2017-02-15 04:05:01
# local_time=2017-02-14 20:05:01 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 0 238674951 0 0
# compatibility_mode_1='ESET Smart Security 9.0'
# compatibility_mode=8232 16777214 100 100 0 18936343 0 0
# scanned=2
# found=0
# cleaned=0
# scan_time=1485
20:09:35 Call m_esets_charon_send
20:09:35 Call m_esets_charon_destroy
20:09:36 RecursiveRemoveDirectoryAndAllFiles: C:\Users\Barb\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
#45
Posted 15 February 2017 - 08:36 PM
HALlives
- Topic Starter
-
- Member
-
- 59 posts
Member
Okay, I rolled the machine back to a Restore Point before the attack... the machine rebooted and I'm looking at a black screen and a white cursor, nothing else, it's been like this for about 5 minutes now.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
