
svchost virus plus zlob downloader


This topic is locked
4 replies to this topic

#1 DanMac

DanMac

  • Members
  • 7 posts

Posted 21 October 2008 - 10:50 AM

I think my problem with this was caught quickly, but I'm unsure how to go about cleaning. The first thing that happened was a Windows Firewall alert came up asking about some permission for svchost. This I thought strange, seeing as I don't have Windows Firewall activated. I clicked the close-window cross in the top right-hand corner and about 5 mins later my machine froze.

I immediately rebooted to safe mode and took off the network. I ran AVG command line scan and it found and healed svchost32 virus, Zlob.AFFW downloader, TDSSxfum.dll trojan.

I rebooted again and updated my Spybot, then ran a scan and it found coolwwwsearch.svchost32. Also a windowsfirewallbypass where the identified file was in windows\system32\usmt\migwiz.exe

BUT before the scan finished my computer shut down. This made me very sad :thumbsup:

So I rebooted to safe again and ran another AVG scan and more stuff came up. This time it said downloader.zlob.affk with associated files named brastk in c:\windows and c:\windows\system32, and a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\brastk

My problem is that I fear putting this machine back online to do the HJT logs and online scans you usually need. If I boot to safe mode with networking, would this be enough to ensure other machines on my network aren't exposed, or should I just shut them down?

How should i best proceed to clean my system?



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 October 2008 - 11:14 AM

You can always download the programs you need from another computer, save to a flash (usb, pen, thumb, jump) drive or CD, transfer to the infected machine, then install and run the program.

I recommend you download and perform a Quick Scan in normal mode with Malwarebytes Anti-Malware following the instructions provided in that link. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.


If you're using Windows 2000/XP, also do this:

Print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY!
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
Note: If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, you will need to fix the policy restrictions created by this infection. Open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 DanMac

DanMac
  • Topic Starter

  • Members
  • 7 posts

Posted 22 October 2008 - 04:37 AM

Thanks for the fast response. Things look a lot better now. The infection only disabled spybot, so malwarebytes scan and fix seems to have worked. Logs as follows:

Initial Malwarebytes scan log:

Malwarebytes' Anti-Malware 1.29
Database version: 1276
Windows 5.1.2600 Service Pack 3

22/10/2008 09:56:53
mbam-log-2008-10-22 (09-56-53).txt

Scan type: Quick Scan
Objects scanned: 57888
Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSS60c0.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSS6237.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSc16e.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSSc650.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSShrsr.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkpje.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnmxh.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoiqh.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSorvd.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSrhym.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSrhyp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdu.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSvvbj.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


-----

After reboot, ran another scan which came back clean:

Malwarebytes' Anti-Malware 1.29
Database version: 1276
Windows 5.1.2600 Service Pack 3

22/10/2008 10:07:43
mbam-log-2008-10-22 (10-07-43).txt

Scan type: Quick Scan
Objects scanned: 57803
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-----

Still ran SDfix just in case:


SDFix: Version 1.237
Run by Administrator on 22/10/2008 at 10:16

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 10:21:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\SMINST\\Scheduler.exe"="C:\\WINDOWS\\SMINST\\Scheduler.exe:*:Enabled:Scheduler "
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Crystal Decisions\\Crystal Reports 10\\crw32.exe"="C:\\Program Files\\Crystal Decisions\\Crystal Reports 10\\crw32.exe:*:Enabled:Crystal Reports"
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Disabled:SAgent4"
"C:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"="C:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe:*:Disabled:Update Service"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\WINDOWS\\system32\\mstsc.exe"="C:\\WINDOWS\\system32\\mstsc.exe:*:Enabled:Remote Desktop Connection"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 8 Feb 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 22 Oct 2008 0 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\PDFC\BIT1.tmp"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Assets\My Asset Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Bank\My Bank Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Customer\My Customer Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Finance\My Finance Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Invoice\My Invoice Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Nominal\My Nominal Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\POP\My POP Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Products\My Products Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Project\My Project Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\SOP\My SOP Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Supplier\My Supplier Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Assets\My Asset Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Bank\My Bank Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Customer\My Customer Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Finance\My Finance Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Invoice\My Invoice Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Nominal\My Nominal Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\POP\My POP Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Products\My Products Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Project\My Project Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\SOP\My SOP Reports\rpt.sys"
Fri 9 Aug 2002 0 A..H. --- "C:\Program Files\Sage\Accounts\DemoData\REPORTS\Supplier\My Supplier Reports\rpt.sys"
Sun 23 Apr 2000 22,016 A..H. --- "C:\Documents and Settings\All Users\Documents\davesdump\my docs stuff\DWG AIDS\COLLEGE\IBT2\Citizen Publishing\~WRL0001.tmp"
Thu 20 Feb 2003 203,264 A..H. --- "C:\Documents and Settings\All Users\Documents\davesdump\my docs stuff\DWG AIDS\Misc files\Project Kendal\COPY FROM JEFFS LAPTOP\~WRL2043.tmp"

Finished!
------

Looks like I'm clean again. Thanks for the help :thumbsup:
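The MBAM and SDFix logs above are the raw artefacts a helper reads. As an added example, not code from the thread, from Malwarebytes or from BleepingComputer, here is a small Python triage script that parses lines in the format of the MBAM log posted above (a constructed excerpt of that log is embedded) and pulls out the points quietman7's replies turn on: whether a "Delete on reboot" entry means cleanup is still pending, whether any file borrows a system binary's name outside its home directory (the svchost.exe sitting in system32\drivers), whether a Run key value was used for persistence, and whether rootkit-class components were present. The expected-directory table and the section/entry regular expressions are assumptions about the log layout, not a Malwarebytes specification.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: an excerpt modelled on the MBAM 1.29 quick-scan log
# posted in the thread, trimmed to a few representative lines.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.29
Database version: 1276
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Assumed layout: a section header is "<Something> Infected:" with nothing
# after the colon; the summary block at the top uses the same words followed
# by a count, which this pattern deliberately does not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*$")
# Assumed layout: every detection line is "<item> (<detection name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumption for XP: where the genuine copies of a few frequently imitated
# Windows binaries live. A same-named file anywhere else deserves a close look.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # path, registry key or registry value
    name: str      # MBAM detection name, e.g. "Rootkit.Agent"
    action: str    # what MBAM did, e.g. "Delete on reboot"


def parse_mbam_log(text):
    """Return the detection entries of an MBAM log, each tagged with its section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append(Detection(section, m["item"], m["detection"], m["action"]))
    return entries


def is_masquerading(path):
    """True if a file carries a well-known system binary's name outside its home directory."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    return expected is not None and str(p.parent).lower() not in expected


def triage(text):
    """Summarize an MBAM log the way a responder reads one: what was found per
    section, whether a reboot is still pending, which files imitate system
    binaries, which Run-key values gave persistence, and whether rootkit
    components (which change the trust decision) were present."""
    entries = parse_mbam_log(text)
    file_like = ("Files Infected", "Memory Processes Infected")
    return {
        "per_section": dict(Counter(e.section for e in entries)),
        "reboot_pending": any("reboot" in e.action.lower() for e in entries),
        "masquerading": sorted({e.item for e in entries
                                if e.section in file_like and is_masquerading(e.item)}),
        "run_key_persistence": [e.item for e in entries
                                if e.section.startswith("Registry")
                                and "\\currentversion\\run\\" in e.item.lower()],
        "rootkit_components": sorted(e.item for e in entries
                                     if e.name.startswith("Rootkit.") or "TDSS" in e.name),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, `triage` reports a pending reboot (the first scan's `Delete on reboot` is why MBAM insists on restarting normally before a re-scan), flags `C:\WINDOWS\system32\drivers\svchost.exe` as a look-alike of the real `svchost.exe`, lists the `Run\svchost.exe` value as the autostart entry, and returns the two `Rootkit.Agent` items that prompted the moderator's reformat advice. The directory table is deliberately small; extend it for the Windows version you are actually triaging.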

#4 DanMac

DanMac
  • Topic Starter

  • Members
  • 7 posts

Posted 22 October 2008 - 08:38 AM

I've been plodding through the various online self-help stuff to do with HijackThis and have found various rubbish I don't need. When I got down to O20, I found karna.dat, which I Googled and found was an undesirable. So I am going to follow your killbox instructions now to try to get rid.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 October 2008 - 08:50 AM

I have moved your HijackThis log to the HijackThis Logs and Malware Removal forum as they are not permitted in this forum. Please go here, click on the Options button in the upper right corner of that thread and choose Track this topic. Subscribe to that topic to ensure you are notified when a helper replies.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.

IMPORTANT NOTE: One or more of the identified infections (TDSS****.sys) was related to a nasty variant of a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, continue in the thread where your HijackThis log has been moved. Should you decide to reformat, please let me know via PM so I can close that thread as well.



