
Svchost.exe Trojan


5 replies to this topic

#1 refinery

refinery

  • Members
  • 3 posts

Posted 25 September 2008 - 10:12 PM

Hello

I hope that someone can assist me in removing this trojan from my system. I am running Windows XP Pro and the file is located under C:\WINDOWS\system32\drivers and it is continually trying to access the internet. Here are the results of http://virusscan.jotti.org/ analysis:


File: svchost.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 536235a689c5bcf95dcb2e76ad7b8e47
Packers detected: -

Scan taken on 26 Sep 2008 02:59:23 (GMT)
A-Squared Found nothing
AntiVir Found TR/Dldr.Agent.ahcu
ArcaVir Found Trojan.Downloader.Agent.Ahcu
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.Agent.ahcu
Dr.Web Found Trojan.DownLoader.59802
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.ahcu
G DATA Found Win32:Trojan-gen {Other}
Ikarus Found Trojan-Downloader.Win32.Agent.ahcu
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.ahcu
NOD32 Found Win32/Agent.AHCU
Norman Virus Control Found nothing
Panda Antivirus Found Trj/Downloader.MDW
Sophos Antivirus Found Mal/EncPk-CZ
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.Agent.ahcu

Edited by refinery, 25 September 2008 - 10:14 PM.



#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts

Posted 26 September 2008 - 12:27 AM

http://www.bleepingcomputer.com/forums/ind...mp;#entry944365

Would you run MBAM and post the log?

Would you capture a running processes list:

  • start
  • run
  • cmd
  • tasklist
  • rightclick/select all
  • enter
  • paste into a reply
Chewy

No. Try not. Do... or do not. There is no try.

#3 refinery

refinery
  • Topic Starter

  • Members
  • 3 posts

Posted 26 September 2008 - 07:54 AM

Thank you for the response. I ended up downloading different AV software and, after a reboot, it managed to delete the file. Nevertheless some registry keys were left, which MBAM deleted. Does everything look good? Or was the trojan bad enough to warrant a reformat?


Malwarebytes' Anti-Malware 1.28
Database version: 1209
Windows 5.1.2600 Service Pack 2

9/26/2008 6:59:55 AM
mbam-log-2008-09-26 (06-59-55).txt

Scan type: Quick Scan
Objects scanned: 79827
Time elapsed: 23 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 248 K
smss.exe 668 Console 0 412 K
csrss.exe 716 Console 0 4,136 K
winlogon.exe 740 Console 0 3,300 K
services.exe 784 Console 0 3,364 K
lsass.exe 796 Console 0 6,424 K
svchost.exe 976 Console 0 4,772 K
svchost.exe 1048 Console 0 4,720 K
Smc.exe 1172 Console 0 16,428 K
svchost.exe 1208 Console 0 21,636 K
svchost.exe 1240 Console 0 5,900 K
ccSetMgr.exe 1564 Console 0 4,008 K
ccEvtMgr.exe 1640 Console 0 2,176 K
brsvc01a.exe 1900 Console 0 1,248 K
brss01a.exe 1936 Console 0 1,580 K
spoolsv.exe 1944 Console 0 4,600 K
sched.exe 1980 Console 0 556 K
avguard.exe 688 Console 0 8,544 K
Brmfrmps.exe 712 Console 0 1,180 K
DefWatch.exe 720 Console 0 1,764 K
Apache.exe 920 Console 0 6,280 K
LSSrvc.exe 1092 Console 0 2,480 K
Apache.exe 1284 Console 0 6,040 K
nSvcIp.exe 1308 Console 0 6,032 K
nSvcLog.exe 1348 Console 0 4,252 K
nvsvc32.exe 1332 Console 0 3,844 K
PnkBstrA.exe 1420 Console 0 4,016 K
svchost.exe 1452 Console 0 4,188 K
MsPMSPSv.exe 1524 Console 0 1,548 K
nSvcAppFlt.exe 340 Console 0 4,532 K
alg.exe 1360 Console 0 3,840 K
svchost.exe 2184 Console 0 4,052 K
explorer.exe 3712 Console 0 36,308 K
ccApp.exe 3888 Console 0 6,036 K
THGuard.exe 3936 Console 0 8,916 K
smax4pnp.exe 3988 Console 0 3,948 K
SMax4.exe 4044 Console 0 2,352 K
pptd40nt.exe 272 Console 0 2,264 K
rundll32.exe 2588 Console 0 3,304 K
avgnt.exe 2632 Console 0 1,220 K
WeatherEye.exe 1776 Console 0 3,788 K
NMBgMonitor.exe 2832 Console 0 5,996 K
NMIndexStoreSvr.exe 3128 Console 0 10,312 K
TeaTimer.exe 3528 Console 0 36,304 K
sgmain.exe 3788 Console 0 6,272 K
sgbhp.exe 964 Console 0 3,172 K
iexplore.exe 2104 Console 0 60,624 K
notepad.exe 3908 Console 0 2,904 K
cmd.exe 2324 Console 0 2,612 K
tasklist.exe 1500 Console 0 4,144 K
wmiprvse.exe 3872 Console 0 5,632 K
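An added defender's check, written for this page and not taken from the thread or from any tool named in it: the tasklist output above shows seven svchost.exe entries but no paths, so the copy in system32\drivers cannot be told from the genuine ones. The script below parses the CSV layout of `wmic process get ExecutablePath,Name,ProcessId /format:csv` (sample rows, host name and PIDs are constructed) and flags any process named like a system binary that runs from the wrong path, plus any Run value that launches such an image, which is the pattern the MBAM log above reported.

```python
import csv
import io

# Constructed sample of `wmic process get ExecutablePath,Name,ProcessId /format:csv`;
# tasklist (as posted above) shows no paths, which is what tells the copies apart.
SAMPLE_WMIC_CSV = r"""
Node,ExecutablePath,Name,ProcessId
XPBOX,C:\WINDOWS\system32\svchost.exe,svchost.exe,976
XPBOX,C:\WINDOWS\system32\svchost.exe,svchost.exe,1048
XPBOX,C:\WINDOWS\system32\drivers\svchost.exe,svchost.exe,2184
XPBOX,C:\WINDOWS\explorer.exe,explorer.exe,3712
XPBOX,C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe,TeaTimer.exe,3528
"""

# Where the genuine copies live on a default Windows XP install (lower-cased).
EXPECTED_PATHS = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
}

# Constructed HKCU\...\CurrentVersion\Run values (value name -> command).
SAMPLE_RUN_VALUES = {
    "ccApp": r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    "svchost.exe": r"C:\WINDOWS\system32\drivers\svchost.exe",
}

def parse_wmic_csv(text):
    """wmic /format:csv output begins with a blank line; drop blanks, then parse."""
    lines = [line for line in text.splitlines() if line.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))

def flag_masquerading_processes(rows):
    """(pid, path) for processes named like a system binary but running from elsewhere."""
    hits = []
    for row in rows:
        name, path = row["Name"].lower(), row["ExecutablePath"].lower()
        if name in EXPECTED_PATHS and path != EXPECTED_PATHS[name]:
            hits.append((int(row["ProcessId"]), row["ExecutablePath"]))
    return hits

def flag_run_entries(run_values):
    """Run values whose command is an image named like a system binary; Windows
    itself never starts svchost.exe or lsass.exe from a Run entry."""
    return [(name, cmd) for name, cmd in run_values.items()
            if cmd.lower().rsplit("\\", 1)[-1] in EXPECTED_PATHS]

if __name__ == "__main__":
    print(flag_masquerading_processes(parse_wmic_csv(SAMPLE_WMIC_CSV)))
    print(flag_run_entries(SAMPLE_RUN_VALUES))
```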

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts

Posted 26 September 2008 - 08:13 AM

Thank you for the response. I ended up downloading different AV software and, after a reboot, it managed to delete the file.


Which AV?

Make sure you don't run 2 at the same time

Let's unload TeaTimer from the system tray and temporarily disable it from running at bootup.

To disable TeaTimer and remove its startup entry:
Go into Spybot > Mode > Advanced Mode > Tools > Resident
Uncheck (if checked) the following:
Resident "TeaTimer" (Protection of over-all system settings) Active.


This has been a very nasty rootkit/backdoor trojan and many are reloading

After a reboot would you run an updated quick scan with MBAM

http://www.malwareremoval.com/tutorials/safemodeboot.php

Have you run any scans from safe mode?
Chewy

#5 refinery

refinery
  • Topic Starter

  • Members
  • 3 posts

Posted 26 September 2008 - 08:48 PM

Thank you for all your help so far.

I had Symantec Corporate Antivirus which did not detect the file as a trojan but I downloaded Avira Antivir Personal and that picked it up almost instantly. I just unloaded all the Symantec services and disabled auto protect. Do you recommend completely removing it from my system and sticking with Avira?

I did a quick scan with MBAM after a reboot and it did not detect anything. Just to be safe I did a full scan in safe mode and 4 hours later it also did not find anything. I don't think that the trojan got past the firewall but just to be safe I also changed all of my passwords as well. Do you think I got rid of it completely?

Edited by refinery, 26 September 2008 - 08:48 PM.


#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts

Posted 26 September 2008 - 09:02 PM

http://www.bleepingcomputer.com/startups/W...rEye-13408.html

You can use this to check on those entries and try to keep unnecessary startups to a minimum

I would uninstall Norton; Avira is very good.

http://service1.symantec.com/Support/tsgen...005033108162039

Let's wait and get an expert opinion on this thread.

Standard procedure has been to refer to the HJT forum for this infection; you may be an exception.

Edited by DaChew, 26 September 2008 - 09:05 PM.

Chewy



