
Infected by Trojan, Avast says.


15 replies to this topic

#1 DK3Cubed

  • Members
  • 9 posts

Posted 24 March 2009 - 05:14 PM

Hi. My problem has been that, for I don't know how long, Avast (latest version and fully updated) has been popping up saying that c:\windows\system32\svchost.exe is infected with Win32:Patched-II [Trj]. I tried googling it, but with no results. I let Avast "contain" it, just by clicking Ignore, since it can't delete it and it can't move it to the chest. It has been like that for several months now. Then just the other day, all of a sudden IE started popping up from time to time with gambling sites, and sometimes linking to sites that make Avast freak out and block them, so I'm guessing that it's fending off more trojans or something like that.

Also I have Avast popping up saying C:\WINDOWS\System32\drivers\ac71bab7.sys is infected by some sort of trojan. I didn't get the name last time, but I get to delete that one; Avast can't repair it! I'll post the name it reports for that one next time it pops up!

Also I'm using Sygate firewall and using it to block Services.exe, which is trying to connect to 65.60.25.218 using remote port 80. If I let it through it seems to get worse, with IE popping up!

I followed Black Viper's XP Services config for XP SP2 (the safe-mode services config) in order to try and close down as much uncalled-for stuff as I could. I'm not sure if that was the reason, but I just tried updating XP to SP3 and it didn't work, so I followed a link that MS Update gave me and downloaded SP3 as an exe file. That didn't work either: it came up and said that it couldn't copy a file named svchost.exe. I said that it could proceed without copying that file, but even so it did not work in the end, and I'm still on SP2.

Anyway, I'm pretty sure that some sort of trojan and maybe some other stuff is in there somewhere. Five years ago I would just have reinstalled, but as the machine is otherwise running fine I really hope to save my installation...

I'd really appreciate any help!

Thanks Kasper


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,740 posts
  • Location:NJ USA

Posted 24 March 2009 - 07:38 PM

Hello, please post the log from this scan, thanks.

Next run MBAM:
Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 DK3Cubed

  • Topic Starter
  • Members
  • 9 posts

Posted 25 March 2009 - 11:53 AM

Hi Boopme. Thanks so far! :thumbsup:

While rebooting it kind of got stuck in the very beginning of the boot sequence; after waiting for a minute, I hit the restart button! When Windows came back up I still got the same svchost.exe alarm from Avast and just now got the C:\WINDOWS\System32\drivers\ac71bab7.sys alarm again. I guess/know it's just part of the work, but I thought I'd better let you know that MBAM didn't get rid of it all!

Anyway, here is the log:

Database version: 1897
Windows 5.1.2600 Service Pack 2

25-03-2009 17:34:22
mbam-log-2009-03-25 (17-34-22).txt

Scan type: Quick Scan
Objects scanned: 81023
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dvdllphm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vfwcxh.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{acccc29d-a9fc-4aac-a33c-3e636f6d94ad} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{acccc29d-a9fc-4aac-a33c-3e636f6d94ad} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{acccc29d-a9fc-4aac-a33c-3e636f6d94ad} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34862601 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg515-k641-55sf-n55p (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vfwcxh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dvdllphm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mhplldvd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hsipeomo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kyifnpbl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dporri.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\ipux.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Kasper\Local Settings\Temporary Internet Files\Content.IE5\6JRYS0CO\qw[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kasper\Local Settings\Temporary Internet Files\Content.IE5\8OW436QX\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kasper\Local Settings\Temporary Internet Files\Content.IE5\BM6D70UL\aasuper3[1].htm (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Kasper\Local Settings\Temporary Internet Files\Content.IE5\UQKU0GSF\CAY70XAJ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\kkxeqvic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchost.exf (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Thanks Kasper

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,740 posts
  • Location:NJ USA

Posted 25 March 2009 - 01:37 PM

Yeah, we may work right through these... but let me know.

Next run ATF and SAS:
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 DK3Cubed

  • Topic Starter
  • Members
  • 9 posts

Posted 25 March 2009 - 05:30 PM

Hi again... OK, Avast seems to be doing better now, meaning that the only alarm I'm getting is on the c:\windows\system32\svchost.exe file. Avast is still saying that that thing is in memory and that I should schedule a boot-time scan. I didn't.. :-)

Anyway, here is the first log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/25/2009 at 11:09 PM

Application Version : 4.25.1014

Core Rules Database Version : 3814
Trace Rules Database Version: 1768

Scan type : Complete Scan
Total Scan Time : 00:22:22

Memory items scanned : 205
Memory threats detected : 0
Registry items scanned : 7580
Registry threats detected : 6
File items scanned : 19555
File threats detected : 3

Rootkit.Mailer/Gen
HKLM\System\ControlSet001\Services\ac71bab7
C:\WINDOWS\SYSTEM32\DRIVERS\AC71BAB7.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_ac71bab7
HKLM\System\controlset003\Services\ac71bab7
HKLM\System\controlset003\Enum\Root\LEGACY_ac71bab7
HKLM\System\CurrentControlSet\Services\ac71bab7
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ac71bab7

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\DKRVBQ.DLL
C:\WINDOWS\SYSTEM32\HCWAABEU.DLL


And here is the MBAM log:
Malwarebytes' Anti-Malware 1.34
Database version: 1898
Windows 5.1.2600 Service Pack 2

25-03-2009 23:21:10
mbam-log-2009-03-25 (23-21-10).txt

Scan type: Quick Scan
Objects scanned: 74045
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Still a little way to go, but still this is so much appreciated...
Thanks!!

Kasper

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,740 posts
  • Location:NJ USA

Posted 25 March 2009 - 07:53 PM

Hi Kasper, I'm suspecting a false positive here now. Could you submit that file (c:\windows\system32\svchost.exe) to either VirusTotal or Jotti's malware scan for a second opinion and post back their response.

Edited by boopme, 25 March 2009 - 07:54 PM.


#7 DK3Cubed

  • Topic Starter
  • Members
  • 9 posts

Posted 26 March 2009 - 05:16 PM

Well, that would be great if that's the case; however, I find these results kind of funny then.

Here are the results of the two scans:

0 bytes size received / Se ha recibido un archivo vacio

And
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Then I disabled my firewall and Avast antivirus.
Then the scans worked much better; here are the results:

File svchost.exe received on 03.26.2009 23:07:28 (CET)
Result: 23/40 (57.5%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.26 Trojan-Dropper.Agent!IK
AhnLab-V3 5.0.0.2 2009.03.26 -
AntiVir 7.9.0.129 2009.03.26 TR/Dldr.Agent.adrd.13
Antiy-AVL 2.0.3.1 2009.03.26 -
Authentium 5.1.2.4 2009.03.26 W32/DownloaderX.BBCX
Avast 4.8.1335.0 2009.03.26 Win32:Patched-II
AVG 8.5.0.283 2009.03.26 Win32/PEPatch.BV
BitDefender 7.2 2009.03.26 Trojan.Patched.BT
CAT-QuickHeal 10.00 2009.03.26 TrojanDownloader.Agent.adrd
ClamAV 0.94.1 2009.03.26 -
Comodo 1085 2009.03.26 -
DrWeb 4.44.0.09170 2009.03.26 -
eSafe 7.0.17.0 2009.03.26 -
eTrust-Vet 31.6.6418 2009.03.26 -
F-Prot 4.4.4.56 2009.03.26 W32/DownloaderX.BBCX
F-Secure 8.0.14470.0 2009.03.26 Trojan-Downloader.Win32.Agent.adrd
Fortinet 3.117.0.0 2009.03.26 W32/PEPatched.GI
GData 19 2009.03.26 Trojan.Patched.BT
Ikarus T3.1.1.48.0 2009.03.26 Trojan-Dropper.Agent
K7AntiVirus 7.10.682 2009.03.26 Trojan-Downloader.Win32.Agent
Kaspersky 7.0.0.125 2009.03.26 Trojan-Downloader.Win32.Agent.adrd
McAfee 5565 2009.03.26 Generic Downloader.x
McAfee+Artemis 5565 2009.03.26 Generic Downloader.x
McAfee-GW-Edition 6.7.6 2009.03.26 Trojan.Dldr.Agent.adrd.13
Microsoft 1.4502 2009.03.26 Virus:Win32/Proscks.F
NOD32 3966 2009.03.26 -
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.26 -
Panda 10.0.0.10 2009.03.26 Suspicious file
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.26 -
Rising 21.22.32.00 2009.03.26 Trojan.Win32.PePatch.hw
Sophos 4.40.0 2009.03.26 -
Sunbelt 3.2.1858.2 2009.03.26 Trojan-Downloader.Win32.Agent.adrd
Symantec 1.4.4.12 2009.03.26 Backdoor.Graybird
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.26 -
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 Trojan.Win32.Downloader.14336.BX
VirusBuster 4.6.5.0 2009.03.26 -
Additional information
File size: 14336 bytes
MD5...: 8b399460a5f3e6686368484fef2f11d6
SHA1..: 16024e63d72c2a059039ac143f32181de48303eb
SHA256: e8379d1cfae6ada2aa6464fa5f9407bc65161d4c98bd38ce2a82f8b585595aa0
SHA512: be764b848d88ee31e4c1876ab0b285720da30e513f033ccc2ca82f7445997f516a690640b9a10676d3d88eaddc6c3f5342117019e75afda9c85977654aa96ab4
ssdeep: 384:cDiRrTp13SkhnRCwOV5JpeLCdw9rDmiBWCl8CbW:zT/3Ska6LhmiEC
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41ab
timedatestamp.....: 0x41107ed6 (Wed Aug 04 06:14:46 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 6fc4d075dfb37185ffae8eacb467b822
.data 0x4000 0x1f0 0x200 2.78 97056a386e4b2a1a1a154ed911eb0df7
.rsrc 0x5000 0x418 0x600 2.55 c3cb1746e6ddf2f8a9e3fbaaade80e61

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )
RDS...: NSRL Reference Data Set
-




And the other one:

File: svchost.exe
Status:
INFECTED/MALWARE
MD5: 8b399460a5f3e6686368484fef2f11d6
Packers detected:
-
Scanner results
Scan taken on 26 Mar 2009 22:10:08 (GMT)
A-Squared
Found Trojan-Dropper.Agent!IK
AntiVir
Found TR/Dldr.Agent.adrd.13
ArcaVir
Found Downloader.Agent.Adrd
Avast
Found Win32:Agent-ABMP
AVG Antivirus
Found Win32/PEPatch.BV
BitDefender
Found Trojan.Patched.BT
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/DownloaderX.BBCX
F-Secure Anti-Virus
Found Trojan-Downloader.Win32.Agent.adrd
Ikarus
Found Trojan-Dropper.Agent
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Agent.adrd
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found TrojanDownloader.Agent.adrd
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


I suspect that Avast should be disabled during some or one of the scans/clean-outs in order to clean this one out? But I won't do anything until advised by you!

Thanks Kasper
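The two reports above identify the submitted file by its hashes (MD5, SHA-1, SHA-256, SHA-512) and give a per-section entropy figure ("ntrpy"). The following Python script is an added example, not code from the thread, from VirusTotal or from Jotti: it computes the same identifiers for a local file so the copy on disk can be checked against a report before and after cleanup without uploading it again. The hash values embedded as THREAD_REPORT are the MD5/SHA-1/SHA-256 quoted in the post; the entropy thresholds in classify_entropy are a rule of thumb assumed for this example; the default file path is the one the thread discusses.

```python
"""Added example (not code from the thread, VirusTotal or Jotti): compute the
identifiers a multi-engine report lists for a file, offline, and compare them."""
import hashlib
import math
import sys
from typing import Dict

# Hashes quoted in the thread's VirusTotal output for the submitted svchost.exe.
THREAD_REPORT = {
    "md5": "8b399460a5f3e6686368484fef2f11d6",
    "sha1": "16024e63d72c2a059039ac143f32181de48303eb",
    "sha256": "e8379d1cfae6ada2aa6464fa5f9407bc65161d4c98bd38ce2a82f8b585595aa0",
}


def file_hashes(data: bytes) -> Dict[str, str]:
    """Lowercase hex digests in the four algorithms the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes.
    This is the per-section 'ntrpy' figure, computed over the raw bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_entropy(bits: float) -> str:
    """Rule-of-thumb thresholds (an assumption of this example, not a scanner rule)."""
    if bits < 1.0:
        return "padding or constant"
    if bits < 7.0:
        return "code or mixed data"
    return "likely packed or encrypted"


def compare_with_report(data: bytes, report: Dict[str, str]) -> Dict[str, bool]:
    """For each algorithm present in the report, True if the local file matches."""
    local = file_hashes(data)
    return {alg: local[alg] == digest.lower()
            for alg, digest in report.items() if alg in local}


def is_same_sample(data: bytes, report: Dict[str, str]) -> bool:
    """True only if every hash in the report matches the local file."""
    result = compare_with_report(data, report)
    return bool(result) and all(result.values())


def main(path: str) -> None:
    with open(path, "rb") as fh:
        data = fh.read()
    if not data:
        # Matches the "0 bytes" the upload sites reported: something on the
        # machine (firewall, AV or the malware itself) blocks access to the file.
        print(f"{path}: read 0 bytes, check what is blocking access to the file")
        return
    ent = shannon_entropy(data)
    print(f"{path}: {len(data)} bytes, entropy {ent:.2f} ({classify_entropy(ent)})")
    for alg, digest in file_hashes(data).items():
        print(f"  {alg:6} {digest}")
    print("  same sample as the thread's report:", is_same_sample(data, THREAD_REPORT))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\svchost.exe")
```

Run it as `python hashcheck.py C:\WINDOWS\system32\svchost.exe`; a match on all three hashes means the file on disk is exactly the sample the 23 engines flagged, and a mismatch after cleanup means the file has been replaced (for example by a clean copy from the service pack).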

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,740 posts
  • Location:NJ USA

Posted 26 March 2009 - 07:16 PM

OK, yes, it appears there are conflicting apps then. That's why I wanted a second opinion. So connect your internet, download the new version, 1.35, of MBAM, as in the instructions below. Now disconnect from the internet... Keep all those other apps OFF.
Rerun MBAM, not updating now as you have already done that.

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Connect internet again install SDFix then disconnect and run it as instructed below.

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#9 DK3Cubed

  • Topic Starter
  • Members
  • 9 posts

Posted 27 March 2009 - 06:38 AM

Hi again, here are the logs:

Malwarebytes' Anti-Malware 1.35
Database version: 1905
Windows 5.1.2600 Service Pack 2

27-03-2009 11:31:27
mbam-log-2009-03-27 (11-31-27).txt

Scan type: Quick Scan
Objects scanned: 74258
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




And the other one!!

SDFix: Version 1.240
Run by Kasper on 27-03-2009 at 11:51

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\LWOA.EXE - Deleted
C:\MBACKYT.EXE - Deleted
C:\YAXEHI.EXE - Deleted
C:\881206~1 - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 12:17:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:c1d1f6cc
"s2"=dword:faa757ab
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:7f,27,8a,a2,47,d0,47,d9,96,61,de,de,dc,f8,15,bb,3a,5c,23,75,d1,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:7f,27,8a,a2,47,d0,47,d9,96,61,de,de,dc,f8,15,bb,3a,5c,23,75,d1,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Control\Class\{85B5DDD0-E090-4B15-BDF2-A443A3CA0B66}\Properties]
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:7f,27,8a,a2,47,d0,47,d9,96,61,de,de,dc,f8,15,bb,3a,5c,23,75,d1,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001]
"ujdew"=hex:88,db,ed,cd,34,65,a8,e0,8a,2f,a2,c5,1b,ae,32,23,f8,6a,ae,1f,5e,..
"a0"=hex:20,01,00,00,88,85,79,62,70,31,8a,f7,c0,87,fc,ba,ec,50,46,50,4e,..

[HKEY_LOCAL_MACHINE\SYSTEM\controlset003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40]
"ujdew"=hex:b9,bb,92,9a,a7,a0,3f,16,b8,e2,4e,67,c5,5d,7c,ce,80,fb,77,3a,88,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\games\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"="C:\\Program Files\\games\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe:*:Enabled:Supreme Commander"
"C:\\Program Files\\games\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"="C:\\Program Files\\games\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\games\\World in Conflict\\wic.exe"="C:\\Program Files\\games\\World in Conflict\\wic.exe:*:Enabled:World in Conflict"
"C:\\Program Files\\games\\World in Conflict\\wic_online.exe"="C:\\Program Files\\games\\World in Conflict\\wic_online.exe:*:Enabled:World in Conflict - Online Only"
"C:\\Program Files\\games\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\games\\World in Conflict\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"="C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts"
"C:\\Program Files\\games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="C:\\Program Files\\games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\MsSetup.exe"="C:\\WINDOWS\\system32\\MsSetup.exe:*:Enabled:Microsoft Internet Sharing"
"C:\\Program Files\\games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"="C:\\Program Files\\games\\Sid Meier's Civilization IV Colonization\\Colonization.exe:*:Enabled:Sid Meier's Civilization IV Colonization"
"C:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"="C:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe:*:Enabled:Rise of Nations"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 1 Jul 2008 14,243,082 A.SH. --- "C:\Program Files\vixy.net\conv.exe"
Thu 19 Mar 2009 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 5 Sep 2006 427,632 A..H. --- "C:\Program Files\Canon\Canon Setup Utility 2.3\Maint.exe"
Tue 11 May 2004 61,440 A..H. --- "C:\Program Files\Canon\Canon Setup Utility 2.3\uinstrsc.dll"
Tue 16 Dec 2008 0 ...H. --- "C:\Documents and Settings\Kasper\Application Data\Microsoft\Word\~WRL2274.tmp"
Mon 13 Oct 2008 1,332 ...HR --- "C:\Documents and Settings\Kasper\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sun 6 Jul 2008 4,215 A.SH. --- "C:\Documents and Settings\Kasper\Application Data\Roxio\Dragon\3.x\DiscInfoCache\TSSTcorp_CD_DVDW_SH-S183L_SB02_000_DICV018_DRGVA000047.TMP"

Finished!



I still have the c:\windows\system32\svchost.exe Avast alarm though!

About the SDFix run in safe mode, the internet was disconnected, but in safe mode I did not have any option to turn either Avast or the Sygate firewall off!? They didn't seem to be running in safe mode?!

Thanks Kasper.
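The SDFix report above prints two sections that are worth a second look by hand: the Windows Firewall "Authorized Application Key Export" (one `"path"="path:scope:Enabled:name"` value per exception) and the "Files with Hidden Attributes" list (date, size, attribute flags, path). The script below is an added example written for this thread; it is not part of SDFix, MBAM or Avast, and nobody in the thread posted it. It parses both sections and lists entries that deserve a manual check: exceptions whose key path and value path disagree, exceptions for programs under the Windows directory that are not resource-named Windows defaults, and hidden+system executables outside the Windows directory. The report text is constructed from lines shaped like the ones in the post, and the review rules are the example's own heuristics (a "finding" means "look at this", not "this is malware").

```python
"""Triage helpers for two text sections of an SDFix report (added example)."""
import re
from dataclasses import dataclass

# Constructed sample shaped like the report in the thread, not a real export.
SAMPLE_REPORT = r'''
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\MsSetup.exe"="C:\\WINDOWS\\system32\\MsSetup.exe:*:Enabled:Microsoft Internet Sharing"
"C:\\Program Files\\Example\\app.exe"="C:\\Program Files\\Other\\other.exe:*:Enabled:Example"

Remaining Files :

Files with Hidden Attributes :

Tue 1 Jul 2008 14,243,082 A.SH. --- "C:\Program Files\vixy.net\conv.exe"
Thu 19 Mar 2009 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 5 Sep 2006 427,632 A..H. --- "C:\Program Files\Canon\Canon Setup Utility 2.3\Maint.exe"

Finished!
'''

FIREWALL_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')
# value layout: <path>:<scope>:<Enabled|Disabled>:<display name>
FIREWALL_VALUE = re.compile(
    r'^(?P<path>(?:[A-Za-z]:|%[^%]+%)?[^:]*):(?P<scope>[^:]*)'
    r':(?P<state>[Ee]nabled|[Dd]isabled):(?P<name>.*)$')
HIDDEN_LINE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4})\s+(?P<size>[\d,]+)\s+'
    r'(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"$')
PROFILE_KEY = re.compile(r'firewallpolicy\\(\w+)\\', re.IGNORECASE)
EXECUTABLE_EXT = ('.exe', '.dll', '.sys', '.com', '.scr')


@dataclass
class FirewallException:
    profile: str
    key_path: str
    path: str
    scope: str
    state: str
    name: str


@dataclass
class HiddenFile:
    date: str
    size: int
    attrs: set
    path: str


def _unescape(reg_path):
    # .reg exports double every backslash; collapse them back to single ones.
    return reg_path.replace('\\\\', '\\')


def parse_report(text):
    """Return (firewall exceptions, hidden files) found in the report text."""
    firewall, hidden = [], []
    section, profile = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(':'):                 # section header, e.g. "Remaining Files :"
            section = line.rstrip(' :').lower()
            continue
        if line.startswith('['):               # registry key: remember the profile
            m = PROFILE_KEY.search(line)
            profile = m.group(1).lower() if m else None
            continue
        if section == 'authorized application key export':
            m = FIREWALL_LINE.match(line)
            v = FIREWALL_VALUE.match(m.group('value')) if m else None
            if m and v:
                firewall.append(FirewallException(
                    profile or 'unknown', _unescape(m.group('key')),
                    _unescape(v.group('path')), v.group('scope'),
                    v.group('state').lower(), v.group('name')))
        elif section == 'files with hidden attributes':
            m = HIDDEN_LINE.match(line)
            if m:
                hidden.append(HiddenFile(
                    m.group('date'), int(m.group('size').replace(',', '')),
                    set(m.group('attrs')) - {'.'}, m.group('path')))
    return firewall, hidden


def review_report(text):
    """Heuristic review: returns human-readable items to look at by hand."""
    findings = []
    firewall, hidden = parse_report(text)
    for fw in firewall:
        if fw.key_path.lower() != fw.path.lower():
            findings.append(f'[{fw.profile}] key {fw.key_path!r} points at a '
                            f'different program {fw.path!r}; check which is real')
        expanded = fw.path.lower().replace('%windir%', 'c:\\windows')
        if expanded.startswith('c:\\windows\\') and not fw.name.startswith('@'):
            findings.append(f'[{fw.profile}] {fw.path!r} ({fw.name}) lives under the '
                            f'Windows directory but is not a resource-named default; '
                            f'confirm it is a known component')
    for hf in hidden:
        is_exe = hf.path.lower().endswith(EXECUTABLE_EXT)
        in_windows = hf.path.lower().startswith('c:\\windows\\')
        if is_exe and {'S', 'H'} <= hf.attrs and not in_windows:
            findings.append(f'{hf.path!r} is a hidden+system executable outside the '
                            f'Windows directory ({hf.size:,} bytes, {hf.date})')
    return findings


if __name__ == '__main__':
    for finding in review_report(SAMPLE_REPORT):
        print(finding)
```

Run it as-is to see the three findings for the constructed sample, or feed it a saved SDFix `Report.txt` through `review_report(open(path).read())`; the output is a reading list for the helper, not a verdict.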

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:58 AM

Posted 27 March 2009 - 01:37 PM

That's better.. Let me know about svchost. Also MBAM put out a new version yesterday so let's upgrade and run it.

Rerun MBAM

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 DK3Cubed

DK3Cubed
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:58 PM

Posted 27 March 2009 - 07:36 PM

Hi Again.

OK, updated MBAM. I updated before the scan yesterday, but updated it again!
Still clean.
One thing though, if I disable Avast MBAM runs right through the scan and comes up clean. If I leave Avast on (did this by mistake) then Avast comes up, during the MBAM scan, with the alarm on the svchost.exe. It's like Avast reacts when MBAM looks at the file, even though MBAM doesn't seem to recognise it as malware. Just an observation. Anyway, the problem is still there regarding the svchost.exe. I tried to ask Avast to put it in the chest again, still not possible it says. This was all done in the normal XP mode.

Here is the report:

Malwarebytes' Anti-Malware 1.35
Database version: 1909
Windows 5.1.2600 Service Pack 2

28-03-2009 01:26:19
mbam-log-2009-03-28 (01-26-19).txt

Scan type: Quick Scan
Objects scanned: 73895
Time elapsed: 1 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks Kasper.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:58 AM

Posted 28 March 2009 - 11:31 PM

Sorry for the delay. Have you tried uninstalling Avast and reinstalling to see if there are corrupted files?

#13 DK3Cubed

DK3Cubed
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:58 PM

Posted 29 March 2009 - 11:04 AM

About the delay, not a problem it has been like this for months now so a few days more or less is not a big deal. :-)

Back on subject, no I didn't try uninstalling and reinstalling Avast. If I do that should I try installing another Antivirus software or should I run MBAM or something, before reinstalling Avast?

Later Kasper.

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:58 AM

Posted 29 March 2009 - 01:57 PM

Well I guess there is a possibility of some type of conflict with your system and Avast. So one, you can uninstall and then scan. That will eliminate any conflicts. If you want to try another then I suggest AntiVir. See our page.. L@@K

#15 DK3Cubed

DK3Cubed
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:58 PM

Posted 30 March 2009 - 07:01 PM

Hi boopme.

Ok, it seems to be fixed, here is what I did:

1. Uninstalled Avast.
2. Ran MBAM and Super antiSpyware. All came out clean.
3. Installed Antivir, it immediately freaked out about svchost.exe. After restart, it was still there, then it like tried to fix, rename, move to chest, deleting and so on, for like 20 or 30 times, then in the end it actually fixed it, even though I kind of thought that it was stuck in a loop of, I found something - click OK, I found something - click OK, I found something - click OK...
4. Ran a complete scan.
5. Ran MBAM and Super, clean.
6. Uninstalled Antivir, installed Avast again.
7. Uninstalled Sygate firewall and installed the Comodo firewall. I read that it is better!!
8. Ran Mbam and super, clean. Avast is happy now, no more alarms or problems.

Is there anything more for me to do, than to be dancing on the tables, while yelling thank you so much? :thumbsup: Thank You is a humble word, but really, you helped me out big time here, so a big Thanks is in order!! If you were here I would hug you and buy you a large beer at the nearest bar!

Thanks
Kasper.
