Fake svchost.exe trojan created in windows temp folder


This topic is locked
9 replies to this topic

#1 Andy Bennett

  • Members
  • 11 posts

Posted 30 December 2009 - 12:37 PM

In my Windows\temp folder, folders are being created with seemingly random names, each holding an svchost.exe file. At the moment I have 12 svchost.exe files running, which I know is not normal on my PC (normally about 6). Every time a new one is created Avira AntiVir picks it up and allows me to deny it access, but this comes up every 5 minutes so is incredibly annoying, especially while gaming.
I have tried putting the computer into safe mode and running a full scan on both Avira and MBAM (this did find some malware but removal has not affected this problem), and nothing in my HijackThis log is out of the normal.
I am running Windows Ultimate 32-bit (still on a single-core CPU, but upgrading soon).
Please help. Thanks in advance,
Andy

It appears on Avira as TR/Crypt.XPACK.Gen

I will not post a HJT log as I have watched my HJT log closely and checked it myself several times and there is nothing wrong in it.

#2 Andy Bennett

  • Topic Starter
  • Members
  • 11 posts

Posted 31 December 2009 - 02:24 PM

Um, little help?

#3 Andy Bennett

  • Topic Starter
  • Members
  • 11 posts

Posted 04 January 2010 - 04:52 AM

It's alright, managed to fix it myself.

#4 red_death614

  • Members
  • 1 posts

Posted 04 January 2010 - 01:31 PM

Hi! My computer just started to have exactly the same problem... so, how did you solve it for yourself? I'm curious...

thx in advance

#5 mantissa

  • Members
  • 1 posts

Posted 09 January 2010 - 02:04 AM

Also wondering about your solution. I am experiencing the same issues - any insight will be helpful.

Thanks~!

#6 homersimpson

  • Members
  • 5 posts

Posted 10 January 2010 - 10:33 AM

Yes, please share your solution with us. I'm having the same problem and no antivirus/spyware program so far (ran 8+ different ones) has managed to fix this.

#7 homersimpson

  • Members
  • 5 posts

Posted 11 January 2010 - 03:37 PM

FIXED!!

In my case ATAPI.SYS was infected with a rootkit.

Solution (for me):

I ran HijackThis and removed 2 O9 entries mentioning XPNETDIAG.

There was a 'winlogon notify' entry mentioning an AVG dll -> deleted this also.

Then I downloaded and ran HitmanPro. It identified the atapi.sys rootkit in about 10 seconds. It tried to fix it but couldn't (I can't for some reason boot into safe mode), so I booted into the other OS on this machine and copied a clean atapi.sys to the affected drive. Make sure to overwrite BOTH!! There's one in windows\system32 AND one in windows\system32\dllcache.

If you can't do this, copy a clean version of atapi.sys under another name to your drive and see if you can replace the infected ones via the recovery console.

Good luck. It worked for me. No more fake svchost.exe files and no more browser redirects!!

#8 homersimpson

  • Members
  • 5 posts

Posted 11 January 2010 - 04:06 PM

A word of warning:

The fake svchost.exe was making connections to a number of IP addresses, all registered to RIPE Network Coordination Centre.

The malware this rootkit was throwing around included keyloggers and password checkers. If your virus/spyware software did not pick up on these intrusions, you may want to change passwords on important accounts.


What's really scary about all this is that some of the biggest names in the industry didn't catch this rootkit. AVG Pro and Trend Micro didn't see it. Online scanners like Panda, F-Secure and Kaspersky didn't see it. Reanimator, RootkitRevealer, Malwarebytes, SUPERAntiSpyware, and Webroot Spy Sweeper didn't see it.

???

Is this a new trick?

#9 pete_C

  • Members
  • 2 posts

Posted 14 February 2010 - 08:45 AM

Using Microsoft's free download tool TCPView I was able to watch this virus as it repeatedly started up an xxx.tmp/svchost.exe, connected to the Russian URL 91.212.226.182 (or a few others) and then deleted itself. It's fast enough to be gone by the time antivirus tools like Windows Security Essentials can quarantine it or remove it. They may detect it and report it, BUT it self-deletes before the antivirus tools can do anything. That's why nobody sees an svchost.exe file, with or without antivirus tools doing anything about it.

It looks like it just may be waiting for a signal from the Russian URL or the other control locations before activating. Thus the sneaky netbot quick connect and remove.
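The behaviour homersimpson and pete_C describe above (a process called svchost.exe running from a folder under Windows\temp, holding outbound connections, and gone again before the antivirus reacts) is something a short PowerShell triage script can surface on the spot. The following is an added example, not code posted by anyone in this thread. It assumes an elevated PowerShell 3.0 or later session on Windows 8 / Server 2012 or later (Get-NetTCPConnection is not available on older releases), and that every genuine svchost.exe instance is %SystemRoot%\System32\svchost.exe started by services.exe.

```powershell
# Added example (not from the thread). Triage aid for the symptoms described above:
# enumerate every process named svchost.exe, flag any whose image is not the genuine
# %SystemRoot%\System32\svchost.exe, whose parent is not services.exe, or whose file
# does not carry a valid signature, and list the established TCP connections each one
# owns (the same view pete_C got from TCPView, but tied to the image path).
# Assumption: run elevated so ExecutablePath is readable for every process.

$genuine = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Snapshot processes and connections once so both lists describe the same instant;
# the thread notes that the rogue copy runs only briefly before deleting itself.
$procs = Get-CimInstance Win32_Process
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue

$report = foreach ($p in $procs | Where-Object { $_.Name -ieq 'svchost.exe' }) {
    $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1

    # 'NoFile' covers both an unreadable path and a file that has already removed itself.
    $sig = if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
               (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
           } else { 'NoFile' }

    $remote = $conns |
              Where-Object { $_.OwningProcess -eq $p.ProcessId -and $_.State -eq 'Established' } |
              ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

    [PSCustomObject]@{
        PID        = $p.ProcessId
        Path       = $p.ExecutablePath
        Parent     = $parent.Name
        Signature  = $sig
        Remote     = ($remote -join ', ')
        # $null path or $null parent compare as not-equal and are therefore flagged.
        Suspicious = ($p.ExecutablePath -ine $genuine) -or
                     ($parent.Name -ine 'services.exe') -or
                     ($sig -ne 'Valid')
    }
}

# Flagged rows first; anything with a temp-folder path, a non-services.exe parent or a
# non-Valid signature is what to preserve (copy the file, note the PID and remotes) before
# it disappears, and is the evidence to attach when opening a malware-removal topic.
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The image path and parent process are the primary signals; the signature column is a secondary one, because on older Windows releases Get-AuthenticodeSignature may report catalog-signed system binaries as NotSigned rather than Valid, and a process whose file has already deleted itself (as pete_C observed) will show NoFile. Running the snapshot in a loop for a few minutes catches a short-lived process that a single run would miss.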

#10 Orange Blossom

  • OBleepin Investigator
  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 12 April 2010 - 08:50 PM

Hello everyone,

It is very important to realize that every infection is different and must be approached differently. Each one of you that is still experiencing problems should post his or her own separate topic. Following the removal instructions for another computer can wreak serious havoc on your machine.

Also, rootkits are very serious business and require specialized tools to remove. If your security program tells you that you have a rootkit, please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==.

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then please create a new topic in the Am I Infected forum if you don't already have one, and state what your issues are and that you are trying to follow the preparation guide and cannot produce the logs. You will then receive further instruction on what to do.

To avoid further confusion for all concerned, this topic is now closed.

Orange Blossom ~ forum moderator