
Svchost.exe problems and Constant detection of viruses by Nod32

8 replies to this topic

#1 dmndmn
  • Members
  • 42 posts

Posted 05 April 2009 - 09:59 AM

Hey there,
Seems like my PC has been infected for a third time. This place was very helpful to me in correcting my previous problems; you cleaned my PC twice without my having to do a thorough format and reinstall. Anyhow, let me get started on my problem. My problems started on April 1st. At first I thought it could probably be the Conficker strain of viruses. The problems that began were:


1) Nod32 [completely updated] began detecting multiple attacks. Since I have it on 'Strict Cleaning' mode, it quarantines the item itself. I want to point out that from my last clean reinstall (February 2009) up till April 1st, I had a mere 4-5 attack attempts, which were successfully blocked, but since April 1st the number has gone up to at least 60. Here's a pic:
[screenshot]

I know the details mention that it's a Trojan downloader, but I wasn't completely convinced that it wasn't Conficker, because April 1st = sudden attacks. Coincidence? Maybe. And yes, I'm not exactly a professional at this stuff.


2) At first they were all svchost.exe-related virus attacks. I also noticed that in the Task Manager a particular 'xp.exe' had a strange behavioral pattern. It seemed like there were attempts to completely halt the process, but the process would show up instantly again. And every time Nod32 quarantined the svchost.exe-related attack, a new svchost.exe would start up, with the older one still clearly running in the Task Manager. This would take the number of svchost.exe processes from 3 to 10 or even more in a matter of hours, bringing the total number of active processes from ~30 to >50. This has never happened before. In the Task Manager, the Commit Charge used to be a mild 250-400 MB/3237 MB for days on end. But now, possibly since the increase in the number of svchost.exes running, the commit charge shoots up to approximately 1000 MB/3237 MB within a matter of hours.
Here's a pic:
[screenshot]


3) Also, similar to Conficker's behavior, my internet would end up clogging, with download speeds (even direct downloads) being just approx. 30% of the actual speed. This would often result in the download being terminated or abruptly stopped.


After all this I ran a couple of Conficker detection tools, and also used the Conficker Working Group's image verification, but haven't detected any possible Conficker-related infections, so I'm thinking it could be another problem, but I'm not totally convinced.


Thanks in advance. Any help would be great.
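The symptom described in this post (svchost.exe instances multiplying, with a process in a Temp directory apparently starting them) can be checked mechanically rather than by eyeballing Task Manager. The Python below is an added example, not something the poster or a replier ran; it reads a simple pid,ppid,name,path CSV (a constructed sample is embedded; on a real XP box one would build it from a wmic process listing or Process Explorer) and applies two rules that hold on Windows XP: every legitimate svchost.exe is launched by services.exe from %SystemRoot%\system32, and nothing should be running out of Local Settings\Temp or Temporary Internet Files. The C:\WINDOWS root and the sample process tree are assumptions.

```python
"""Triage a Windows XP process list for svchost.exe abuse (added example)."""
import csv
import io
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    path: str


# Assumptions: %SystemRoot% is C:\WINDOWS and a genuine svchost.exe is always
# started by services.exe from that directory. Adjust SYSTEM32 if the root differs.
SYSTEM32 = "c:\\windows\\system32"
LEGIT_SVCHOST = SYSTEM32 + "\\svchost.exe"
SCRATCH_DIRS = ("\\local settings\\temp\\", "\\temporary internet files\\")

# Constructed sample (parent chain simplified); not output from the poster's machine.
SAMPLE_CSV = """\
pid,ppid,name,path
4,0,System,
608,4,smss.exe,C:\\WINDOWS\\system32\\smss.exe
660,608,winlogon.exe,C:\\WINDOWS\\system32\\winlogon.exe
708,660,services.exe,C:\\WINDOWS\\system32\\services.exe
900,708,svchost.exe,C:\\WINDOWS\\system32\\svchost.exe
980,708,svchost.exe,C:\\WINDOWS\\system32\\svchost.exe
1080,708,svchost.exe,C:\\WINDOWS\\system32\\svchost.exe
1500,660,explorer.exe,C:\\WINDOWS\\explorer.exe
1644,1500,xp.exe,C:\\Documents and Settings\\xp\\Local Settings\\Temp\\xp.exe
1700,1644,svchost.exe,C:\\WINDOWS\\system32\\svchost.exe
1760,1644,svchost.exe,C:\\Documents and Settings\\xp\\Local Settings\\Temp\\svchost.exe
"""


def parse_process_list(text: str) -> List[Proc]:
    rows = csv.DictReader(io.StringIO(text))
    return [Proc(int(r["pid"]), int(r["ppid"]), r["name"], r["path"]) for r in rows]


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for processes that break the expected rules."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        path = p.path.lower()
        if p.name.lower() == "svchost.exe":
            parent = by_pid.get(p.ppid)
            pname = parent.name if parent else "<unknown>"
            if pname.lower() != "services.exe":
                findings.append((p.pid, f"svchost.exe started by {pname} (pid {p.ppid}), not services.exe"))
            if path != LEGIT_SVCHOST:
                findings.append((p.pid, f"svchost.exe image is {p.path!r}, not {LEGIT_SVCHOST}"))
        # Anything executing from a scratch/cache directory is suspect regardless of name.
        if any(d in path for d in SCRATCH_DIRS):
            findings.append((p.pid, f"{p.name} runs from a temp/cache directory: {p.path}"))
    return findings


def svchost_count(procs: List[Proc]) -> int:
    return sum(1 for p in procs if p.name.lower() == "svchost.exe")


if __name__ == "__main__":
    procs = parse_process_list(SAMPLE_CSV)
    print(f"{svchost_count(procs)} svchost.exe instances")
    for pid, reason in triage(procs):
        print(f"pid {pid}: {reason}")
```

On the sample the three svchost.exe instances under services.exe pass, while the two spawned by xp.exe are flagged (one of them twice more, for its image path). The rule set is deliberately about parentage and image path, not process count: the count rising from 3 to 10 is the symptom, the wrong parent is the evidence.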


#2 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 05 April 2009 - 08:42 PM

Hello.

Let's run MBAM first.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image link].

#3 dmndmn (Topic Starter)
  • Members
  • 42 posts

Posted 05 April 2009 - 10:14 PM

Hey Extremeboy,
First of all, thanks for the quick response; I know things here can get hectic at times. Anyhow, I followed the instructions; here's the log:

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 2

4/6/2009 8:28:06 AM
mbam-log-2009-04-06 (08-28-06).txt

Scan type: Quick Scan
Objects scanned: 72028
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemntmi (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ws2_32sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nicsk32 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksi32sk (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\xp\Local Settings\Temp\~TMA2D.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\xp\Local Settings\Temporary Internet Files\Content.IE5\SHGRMNEB\load[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

One more thing I want to mention is that when MBAM was running, as soon as it detected the 1st infected item, I was overwhelmed by Nod32 prompts that several attacks were being attempted, so I turned off my net, but still the prompts persisted; thankfully Nod32 did its job too. MBAM successfully deleted the detected items, but I'm sorry to say that the problem still persists; I got another prompt right now. I have got to monitor the situation, though, but as of now, no svchost.exe errors. And there are a few suspicious files I'd like to mention; they all have similar names and are of .tmp format, for example BN66.tmp and such. Typical virus behavior: when removal was attempted it would replicate itself to another file with a similar name, like BN78.tmp. These files were located here: C:\Documents and Settings\xp\Local Settings\Temp. As of now no such files exist, but the attack made just now was by BN69.tmp.

Will post back if the same issue still exists. Once again, thanks in advance.
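The log in this post is the MBAM format the thread keeps coming back to, and the useful facts in it (which service names the rootkit registered, whether every item was actually removed, whether the summary counts match the itemised lines) are worth pulling out with code rather than by reading. The Python below is an added example, not from the poster or the forum: a parser for that log format plus three checks. The embedded log is abridged from the one in this post, with one line altered to a constructed "Delete on reboot." action and one summary count left deliberately inconsistent so the checks have something to report.

```python
"""Parse a Malwarebytes' Anti-Malware log and sanity-check the removal (added example)."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    section: str
    obj: str
    detection: str
    action: str


# "Registry Keys Infected: 8" is a summary line; "Registry Keys Infected:" opens a section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?\s*$")
# "<object> (<Detection.Name>) -> [Bad: (1) Good: (0) -> ]<action>."
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[A-Za-z0-9._-]+)\) -> (?P<rest>.+?)\.?$")
SERVICE_RE = re.compile(r"\\CurrentControlSet\\Services\\([^\\]+)$", re.IGNORECASE)

# Abridged from the log in this post; the fips32cup action and the Files count are constructed.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 72028

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Data Items Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ws2_32sik (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\xp\Local Settings\Temp\~TMA2D.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Finding]]:
    summary: Dict[str, int] = {}
    items: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("name")] = int(m.group("count"))
            else:
                section = m.group("name")
            continue
        if section is None or line.startswith("("):
            continue  # header lines, or "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if m:
            # The last "-> " segment is the action; "Bad:/Good:" data precedes it.
            action = m.group("rest").split("-> ")[-1]
            items.append(Finding(section, m.group("obj"), m.group("det"), action))
    return summary, items


def check_counts(summary: Dict[str, int], items: List[Finding]) -> List[Tuple[str, int, int]]:
    """Summary counts that disagree with the itemised entries (a truncated or edited log)."""
    mismatches = []
    for section, declared in summary.items():
        found = sum(1 for f in items if f.section == section)
        if found != declared:
            mismatches.append((section, declared, found))
    return mismatches


def service_names(items: List[Finding]) -> List[str]:
    """Service/driver names the malware registered under the Services key."""
    names = []
    for f in items:
        m = SERVICE_RE.search(f.obj)
        if f.section == "Registry Keys Infected" and m:
            names.append(m.group(1))
    return names


def pending(items: List[Finding]) -> List[Finding]:
    """Findings MBAM did not report as removed; they need the reboot it asks for, or a rescan."""
    return [f for f in items if "successfully" not in f.action.lower()]


if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_LOG)
    print("services registered by the rootkit:", service_names(items))
    print("not yet removed:", [f.obj for f in pending(items)])
    print("count mismatches:", check_counts(summary, items))
```

The service names are the part worth keeping: they are what to look for after the reboot (sc query <name>, or the key itself) to see whether the driver re-registered, which is exactly what the poster's next message reports happening.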

#4 dmndmn (Topic Starter)
  • Members
  • 42 posts

Posted 06 April 2009 - 01:31 PM

I monitored the system for some time, and it seems that the problem hasn't been eradicated. Still having the same problems, but the intensity has decreased: net slightly faster, and Commit Charge and the number of svchost.exe processes increasing at a slower rate; overall better performance, but the same problem, constant Nod32 messages and new svchost.exe processes starting up.

Any insight into this would be really helpful.

Thanks in advance.

#5 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 06 April 2009 - 03:29 PM

Hello.

You have a serious and nasty infection. One of them includes a rootkit backdoor.

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: [link]

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Extremeboy
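extremeboy's point that a rootkit patches kernel APIs to hide its registry keys is why a scan from inside the running system cannot be trusted to show everything, and it suggests the standard counter-check: compare what the live system reports with what the same hive contains when it is read from outside the running OS (a reg export taken after booting from clean media, or from the hive file copied off the disk). The Python below is an added example, not from the forum: it parses two regedit-style .reg exports of the Services key, reports services present only in the offline view, and also flags the Security Center notification switches the MBAM log showed set to 1. Both exports are constructed samples, and the assumption that the offline copy is exported under the same CurrentControlSet prefix is mine.

```python
"""Cross-view check of the Services key from two .reg exports (added example)."""
from typing import Dict, List, Optional

SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SECURITY_CENTER_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center"
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def decode_value(v: str):
    """Decode the value syntaxes regedit writes: "string", dword:, hex(2): (REG_EXPAND_SZ)."""
    if v.startswith('"') and v.endswith('"'):
        return v[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    if v.startswith("hex"):
        kind, _, data = v.partition(":")
        raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
        if kind == "hex(2)":  # REG_EXPAND_SZ: UTF-16LE with a terminating NUL
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return v


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    carry = ""  # hex values wrap onto continuation lines that end in a backslash
    for raw in text.splitlines():
        line = carry + raw.strip()
        carry = ""
        if line.endswith("\\") and not line.startswith("["):
            carry = line[:-1]
            continue
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip('"')] = decode_value(value)
    return keys


def services(keys: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Map service name -> ImagePath for the direct children of the Services key."""
    out = {}
    for key, values in keys.items():
        if key.lower().startswith(SERVICES_KEY.lower()):
            child = key[len(SERVICES_KEY):]
            if "\\" not in child:  # skip Parameters/Enum subkeys
                out[child] = values.get("ImagePath")
    return out


def hidden_services(live_export: str, offline_export: str) -> List[str]:
    """Services the offline hive holds but the live (possibly hooked) view does not list."""
    live = {n.lower() for n in services(parse_reg_export(live_export))}
    return sorted(n for n in services(parse_reg_export(offline_export)) if n.lower() not in live)


def security_center_disabled(keys: Dict[str, Dict[str, object]]) -> List[str]:
    for key, values in keys.items():
        if key.lower() == SECURITY_CENTER_KEY.lower():
            return [n for n in NOTIFY_VALUES if values.get(n) == 1]
    return []


# Constructed exports, not from the poster's machine. OFFLINE_REG stands for the hive read
# outside the running OS; LIVE_REG for `reg export` on the live system with two keys filtered.
OFFLINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,63,00,70,00,69,00,70,00,2e,00,\
  73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\acpi32.sys"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\i386si.sys"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000001
"""

LIVE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,63,00,70,00,69,00,70,00,2e,00,\
  73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

if __name__ == "__main__":
    print("hidden from the live view:", hidden_services(LIVE_REG, OFFLINE_REG))
    print("notifications disabled:", security_center_disabled(parse_reg_export(OFFLINE_REG)))
```

A name that appears only in the offline export is exactly the kind of key a hooked RegEnumKeyEx would filter; an empty difference is not proof of cleanliness, only the absence of this one symptom, which is the caveat extremeboy's reply makes in prose.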

#6 dmndmn (Topic Starter)
  • Members
  • 42 posts

Posted 08 April 2009 - 02:26 AM

Hey extremeboy,
Sorry for the late reply; I was caught up with some work. I think I will format and reinstall my OS. Now I have a question. I have a single hard drive with three partitions, one housing the OS and the other two for backing up my files. Now, is it enough if I just format the OS partition, or would it be better if I just do a thorough format of the whole system? Also, I have backed up some files to an external hard drive. What are the chances of the malware piggybacking onto the external drive?

And before I forget, I did a "Full scan" using MBAM; it detected a few more potential hazards and cleaned them. Since then, the system is actually back to normal functioning. I haven't had a single Nod32 virus alert, no more files quarantined, and the net's back to normal functionality, no hiccups or anything. That particularly suspicious xp.exe has been removed by Nod32 itself. Anyway, here's the log for the MBAM scan in which it removed the remaining malware.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.36
Database version: 1946
Windows 5.1.2600 Service Pack 2

4/7/2009 8:56:35 AM
mbam-log-2009-04-07 (08-56-35).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 130091
Time elapsed: 29 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386si (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks in advance. Regards.

#7 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 08 April 2009 - 04:15 PM

Hello.

Even if it's better, your computer was compromised and that's the only important thing here. If you don't wish to format, that's your decision.

I will answer your questions.

1) It would be better if ALL 3 drives were formatted, since the rootkit can be anywhere.
2) When you back up your data, make sure the following 2 steps are followed:

2a) Back up all your important data files (pictures, music, work, etc.) and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg, etc.
2b) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif, etc., as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.

3) If you are wondering whether your data files are infected or not, to make sure you should scan those files using an anti-virus scanner and an anti-malware/anti-spyware scanner, making sure they are free from malware before transferring them to your newly formatted computer. From what I have seen the results were always CLEAN, meaning they were not infected at all. The guidelines in steps 2a and 2b need to be followed. Executables and .html/.htm may have traces of the infection.

With Regards,
Extremeboy
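The backup rules in this reply (copy data files; leave out .exe, .scr, .com, .pif and .htm/.html) can be enforced with a script before the external drive is ever plugged into the reinstalled machine. The Python below is an added example, not from extremeboy or the forum: it walks a backup folder, flags the extensions named in the post plus a few more code-carrying types I add as an assumption, and also reads the first two bytes of every file so that an executable renamed to .jpg or .doc (still starting with the DOS "MZ" stub) is caught even though its extension looks like data. The demo tree it builds is constructed; the file bodies are just header bytes.

```python
"""Audit a backup folder for files that should not follow you to a clean install (added example)."""
import shutil
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions the reply says to leave out of the backup.
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".html", ".htm"}
# Added here as an assumption: other types that carry code and are worth excluding too.
EXTRA_EXT = {".dll", ".sys", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}


def classify(path: Path) -> Optional[str]:
    """Reason to exclude the file, or None if it looks like plain data."""
    if path.suffix.lower() in BLOCKED_EXT | EXTRA_EXT:
        return "blocked extension"
    with open(path, "rb") as fh:
        head = fh.read(2)
    # An executable renamed to .jpg/.doc still starts with the "MZ" DOS stub;
    # the extension list alone would wave it through.
    if head == b"MZ":
        return "PE header (MZ) under a non-executable name"
    return None


def audit_backup(root) -> List[Tuple[str, str]]:
    """Return sorted (relative path, reason) pairs for every file that should be excluded."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if p.is_file():
            reason = classify(p)
            if reason:
                findings.append((p.relative_to(root).as_posix(), reason))
    return sorted(findings)


# Constructed sample tree; contents are only format headers, not real documents.
DEMO_FILES = {
    "docs/report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "music/song.mp3": b"ID3\x03\x00" + b"\x00" * 8,
    "pics/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    "docs/page.htm": b"<html><body>saved page</body></html>",
    "setup/installer.exe": b"MZ\x90\x00" + b"\x00" * 8,
    "pics/vacation.jpg": b"MZ\x90\x00" + b"\x00" * 8,  # renamed executable
}


def run_demo() -> List[Tuple[str, str]]:
    """Build the sample tree in a temp dir, audit it, and clean up."""
    root = Path(tempfile.mkdtemp(prefix="backup-audit-"))
    try:
        for rel, content in DEMO_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return audit_backup(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"exclude {rel}: {reason}")
```

This does not replace the scan with an anti-virus and an anti-malware product that the reply asks for; it only removes the files those scanners are most likely to need to argue about, and it catches the renamed-executable case that an extension rule alone misses.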

#8 dmndmn (Topic Starter)
  • Members
  • 42 posts

Posted 10 April 2009 - 11:19 PM

Hello,
Sorry for the late reply. This has been a rather hectic week for me; I had some deadlines. Anyway, as you suggest, I shall perform a thorough clean format. Thanks for all your help and time, extremeboy. Regards.

#9 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 11 April 2009 - 10:18 AM

No Problem.

Always a pleasure to help out.

With Regards,
Extremeboy