Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

svchast.exe


  • This topic is locked This topic is locked
5 replies to this topic

#1 Dale in GA

Dale in GA

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:24 AM

Posted 17 October 2009 - 12:00 PM

A few weeks ago, a nasty little piece of ransomware calling itself Windows Police Pro showed up on my wife's computer.

In addition to demanding that she buy their poison, WPP disabled Firefox and Windows Explorer, plus whatever onboard virus protection software she had.

She had Netscape installed, though, and was able to access the internet through it.

I visited this site and printed out the removal instructions and followed them. We downloaded fixtm.reg and fixexe.reg, as well as mbam.exe.

i was never able to get mbam to run on her computer, though, but after a number of efforts (i.e., reboot, fixtm.reg, delete the 2 files from processes list, then fixexe.reg, then an abortive attempt to run mbam), we noticed that WPP and svchast.exe had disappeared from the processes list on task manager. The extortion demands stopped and access to all functions seemed to be restored.

Two days ago, though, she told me she can't access the internet - in fact, she can't even open any of her browsers, even Netscape.

I ran Avast, and during the memory and startup check, it hangs up when scanning svchast.exe. However, when I look a the list of processes in task manager, svchast.exe isn't there, and there's nothing that looks like Windows Police Pro, either.

I rebooted and ran fixtm.reg, and then accessed task manager, but svchast still wasn't there.

I tried running mbam but it hung up after 1 or 2 seconds. The most it ever scanned was 2 files. More recently it displays an error message: "An error occurred. Please report the following error code to the Malwarebytes Anti-Malware support team: 703(0,14)." Sometimes the error code is 703(0,13) or 703(0,9).

I've used something called Startup Mechanic to keep track of startup items, and it hangs after a while, but it didn't display anything that looked like svchast.exe.

I'm assuming that the current problem is related to the previous problem. Because we can't access the internet from that computer, whatever tools i download have to be on a flash drive from this computer.

This is getting frustrating, as I'm sure you can imagine, and i sure would appreciate a hand!

Edited by Dale in GA, 17 October 2009 - 12:03 PM.


BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:08:24 AM

Posted 17 October 2009 - 10:07 PM

Welcome to BC


:trumpet:

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

==================================

:flowers:

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


:thumbsup: Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Dale in GA

Dale in GA
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:24 AM

Posted 18 October 2009 - 09:43 PM

Just got in - don't close the topic, but I can't do this until tomorrow. Thanks!

#4 Dale in GA

Dale in GA
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:24 AM

Posted 19 October 2009 - 04:40 PM

I ran the three processes you advised.

RootRepeal returned the following report:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 16:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5D17000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D87000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7DF7000 Size: 1664 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF7D37000 Size: 5248 File Visible: No Signed: -
Status: -

Name: tatertot.scr.sys
Image Path: C:\WINDOWS\system32\drivers\tatertot.scr.sys
Address: 0xF4C19000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Joan\Desktop\CJB420~1.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: D:\Shared D\Otherr\Sort 1006\0605\13\68sr0608-06.jpg
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d376b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d37574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d37a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d3714c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d3764e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d3708c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d370f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d3776e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d3772e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf5d378ae

Hidden Services
-------------------
Service Name: gasfkywjddlkxj
Image Path: C:\WINDOWS\system32\drivers\gasfkynroukupv.sys

==EOF==

************************
Following is the report WIN32Diag.txt:

Running from: C:\Documents and Settings\Joan\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Joan\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!
********************************

I tried many times to exeute the command DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt but was unable to. I kept getting an error message saying tht Windows couldn't open DIR and that I should check my spelling, etc.

The command also wouldn't run on my (hopefully uninfected) computer, by the way.

I certainly hope this helps.

Edited by Dale in GA, 19 October 2009 - 06:02 PM.


#5 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:08:24 AM

Posted 19 October 2009 - 08:31 PM

Using the two logs you created


Now that you were successful in creating those two logs you need to post them in our HJT forum There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,009 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:24 AM

Posted 21 October 2009 - 11:35 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/265960/unknown-nasty-malware/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users