Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rogue SVCHOST.EXE causing browser redirections?


  • This topic is locked This topic is locked
23 replies to this topic

#1 winxp_sp3_user

winxp_sp3_user

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:08 AM

Posted 06 March 2010 - 07:19 AM

Hi,

I have now completed the instructions in the "Preparation Guide" topic, namely the DDS and GMER logs.

My PC is running Windows XP SP3 and I use both IE7 and Firefox.

I am having serious problems with both IE 7 and Firefox constantly being redirected, and many services - including Windows Firewall - are often stopped without warning or notice.

AVG 9.0 Free, Malwarebytes' Anti-Malware and Windows Defender all give my computer the OK, but clearly there is a problem. Finding important services stopped is obviously a concern, and the constant browser redirection (with strange hex-name BHOs) is also an indicator of malware/spyware.

I have identified a "stand-alone" instance of SVCHOST.EXE which seems suspect, for the 5 reasons outlined below.

==================================================

Point 1.

Process Explorer shows the following details (Image tab) about this particular svchost.exe:

- "C:\WINDOWS\system32\svchost.exe" (no command options!)
- Parent: <Non-existent Process>
- User: MyComputer\MyUserName
- Virtual size 39,272 K

PE verifies this host as "(Verified) Microsoft Windows Component Publisher."

However, with no command line options and no parent and child processes, this host looks very suspect.

(In fact, this svchost.exe is outside the "System Idle Process" tree altogether.)

--------------------

Point 2.

Process Explorer shows the web address (TCP/IP tab) being used by this instance of svchost.exe as:

- Remote Address: srv169.cyberhost.name:http

Is this a bona fide web address for Windows XP to be using as part of its operating system?

--------------------

Point 3.

Process Explorer shows three of the "Files" (lower pane) related to this svchost.exe instance as:

%homepath%\Cookies\index.dat
%homepath%\Local Settings\History\History.IE5\index.dat
%homepath%\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Why is svchost.exe controlling these Internet Explorer files?

--------------------

Point 4.

There are 4 normal instances of svchost.exe, all of which seem valid:

Parent: services.exe
User: NT AUTHORITY\SYSTEM or NT AUTHORITY\NETWORK SERVICE

These 4 instances account for all the 18 services I have running:
15 (netsvcs) + 1 (DcomLaunch) + 1 (rpcss) + 1 (imgsvc).

Therefore, the "stand-alone" instance of svchost.exe looks even more suspect as none of the services that are listed as "Started" in "services.msc" console are missing.

--------------------

Point 5.

I suspended the svchost.exe in Process Explorer, and everything seems to be working ok.

--------------------

So, is this SVCHOST.EXE rogue and controlling internet connections/browsers??

==================================================

Also, any ideas on the following two issues regarding browser redirection/BHOs?

--------------------

Point 6.

Two suspicious "Browser Helper Objects" suddenly appeared in the IE Manage Add-ons, namely:

{7E853D72-626A-48EC-A868-BA8D5E23E045} and {BDC8AC54-D303-4BF5-8C0E-B4A3A0CE7E53}.

They had no names or information about them, and so I deleted them.

However, the AVG 9.0 Free BHO has also been corrupted - HijackThis shows "(no file)" for this entry:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

--------------------

Point 7.

I have a locked temporary file being created each boot-up in the "%homepath%\Local Settings\Temp" directory which I cannot delete - an error message "Access is denied" comes up.

It always has the name "in#.tmp", where # is a number (e.g. "in5.tmp").

It is only 3 KB in size.

Although the characters in the file are non-ascii, each file has the string "http://nafnafqchgoogle.com/vodkaspasetmir/gwefeweterfreferger.php?id=e830cddd" in it, as well as some internet related calls e.g. "InternetOpenA InternetConnectA HttpOpenRequestA HttpSendRequestA".

==================================================
*
* DDS Log
*
==================================================

DDS (Ver_09-12-01.01) - NTFSx86
Run by Alan at 8:08:33.35 on 06/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.238 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\Alan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.ntlworld.com/
uInternet Settings,ProxyOverride = <local>;*.local
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [<NO NAME>]
mRun: [DVDBitSet] c:\program files\hp_dvd\hp dvd\umbrella\DVDBitSet.exe /NOUI
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSMMyPictures = 1 (0x1)
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alan\applic~1\mozilla\firefox\profiles\8r5riosh.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-3 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-3 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-3 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-3 285392]
R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv.sys [2004-10-25 531456]
R3 L6DP;L6DP;c:\windows\system32\drivers\l6dp.sys [2002-7-16 29312]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 L6PODX3LV;POD X3 Live Service;c:\windows\system32\drivers\L6PODX3LV.sys [2009-5-23 531456]
S3 m763001b;M-Audio Quattro Base Driver;c:\windows\system32\drivers\m763001b.sys [2008-11-7 9216]
S3 m763001d;M-Audio Quattro Legacy Driver;c:\windows\system32\drivers\m763001d.sys [2008-11-7 6656]
S3 ma763001;M-Audio Quattro;c:\windows\system32\drivers\MA763001.sys [2008-11-7 41856]
S3 QuattroInstallerService;Quattro Installer;c:\program files\m-audio usb quattro\install\QuatInst.exe [2008-11-7 86016]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S4 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]

============== File Associations ===============

regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-03-05 19:46:26 0 d-----w- c:\program files\Unlocker
2010-03-05 11:37:34 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-05 11:37:34 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-03-05 11:37:33 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-03-05 11:37:33 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-05 11:37:33 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-03-05 11:37:33 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-05 11:37:32 991232 -c----w- c:\windows\system32\dllcache\ieframe.dll.mui
2010-03-05 11:37:32 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-03-05 11:37:29 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-03-04 18:46:43 26112 ----a-w- c:\windows\system32\stu2.exe
2010-03-04 00:05:11 0 d-----w- c:\program files\Windows Defender_bak
2010-03-03 23:36:40 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-03 17:45:29 0 d-----w- c:\docume~1\alan\applic~1\AVG9
2010-03-03 17:01:40 0 d--h--w- C:\$AVG
2010-03-03 17:01:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-03 17:01:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-03 17:01:20 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-03 17:01:02 0 d-----w- c:\windows\system32\drivers\Avg
2010-03-03 17:00:45 0 d-----w- c:\program files\AVG
2010-03-03 17:00:44 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-03 13:44:27 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-03-03 13:42:49 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-03-03 13:42:00 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-03-03 13:41:49 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-03-03 13:20:23 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-03-03 13:20:23 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-03-03 12:50:08 0 d-----w- c:\windows\system32\scripting
2010-03-03 12:49:56 0 d-----w- c:\windows\l2schemas
2010-03-03 12:49:54 0 d-----w- c:\windows\system32\en
2010-03-03 12:40:07 0 d-----w- c:\windows\network diagnostic
2010-03-03 12:19:55 375519 -c----w- c:\windows\system32\dllcache\nuskin.wmv
2010-03-03 12:18:57 1261 ------w- c:\windows\system32\pid.inf
2010-03-02 21:15:34 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2010-03-04 18:46:44 53760 ----a-w- c:\windows\system32\userinit.exe
2010-03-03 12:39:47 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-01 18:25:34 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-02-01 18:25:32 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-02-01 18:25:28 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 8:09:35.46 ===============

==================================================
*
* GMER Log
*
==================================================


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-06 10:06:14
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Alan\LOCALS~1\Temp\axtdypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat F2448D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 83318CA1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Alan\Application Data\Macromedia\Flash Player\#SharedObjects\95GSQCRJ\www.mathtv.com.\com.jeroenwijering.sol 53 bytes
File C:\Documents and Settings\Alan\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.mathtv.com.\settings.sol 85 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

==================================================

Any help would be much appreciated as I have spent too many hours trying to resolve these problems!

Kind regards,
Andy


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 09 March 2010 - 06:53 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 winxp_sp3_user

winxp_sp3_user
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:08 AM

Posted 11 March 2010 - 08:15 AM

Hi myrti,

Thanks for your message.

Since posting my original message, things took a turn for the worse when even more infections occurred. Long story short:

- MBAM would clear problems, but with immediate re-infection: userinit.exe (Trojan.CodecPack)
- AVG was flagging up the same threat every 20 seconds: atapi.sys (Win32/Patched.CG)

With MBAM, AVG and Spybot unable to clear the infections, and concerns about my computer's online security, I ran the TDSSkiller which seemed to cure the atapi.sys problem, and then ComboFix which seemed to clear what was left.

I am hoping that the OTL log you requested and the latest GMER log will show an all clear.

Cheers...

OTL.txt and Extras.txt attached as they are very long!

GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-10 06:21:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Alan\LOCALS~1\Temp\axtdypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files



#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 11 March 2010 - 03:08 PM

Hi,

the logs look pretty ok. Could you please provide the log from ComboFix and do an updated scan with Malwarebytes:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 winxp_sp3_user

winxp_sp3_user
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:08 AM

Posted 11 March 2010 - 06:26 PM

Hi myrti,

Please find the MBAM log below and the TDSSKiller/ComboFix log attached.

Hopefully this is all fixed now?

If so, there are still a couple of points which concern me:

* Although the AVG 9 Free, Spybot and MBAM scans are now showing all clear, the concern is that they were also showing all clear when my computer was infected, and continued to give the all clear despite obvious infection. These anti-virus/anti-spyware programs are running in real-time plus the Windows firewall, with daily updates and scans - so do you have any idea how these rootkit infections are getting through undetected, and what sort of scans should I now be running in addition to protect my computer in the future (e.g. perhaps GMER to look for "suspicious modification")?

* Do you also know what the purpose of this rootkit was with both atapi.sys and userinit.exe infected? The site "www.malwaredomainlist.com" described the domain "nafnafqchgoogle.com" and host "srv169.cyberhost.name" which I found hidden on my computer as "malware calls home". What does that mean?!!

Many thanks...

--------------------------------------------------

Malwarebytes' Anti-Malware 1.44
Database version: 3855
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

11/03/2010 22:14:25
mbam-log-2010-03-11 (22-14-25).txt

Scan type: Quick Scan
Objects scanned: 117947
Time elapsed: 4 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files



#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 12 March 2010 - 08:23 AM

Hi,

the sad truth is no program is able to detect and protect you rom all inections out there. I believe the combination of AVG/MBAM and SASW to be pretty good, although my prefered (personal opinion here wink.gif Others will disagree) anti virus program is Avira.

I can suggest a couple more steps to protect your PC, but you can't make the net tight enough so that absolutely no malware con wiggle through. Incidentially I thought I'd let you know that Firefox 3.0 will reach end of life on March 30th and will no longer be updated after that. So I'd suggest that at that point you update to Firefox 3.5/3.6

You can find a little more info on the infection (or at least one of the infections) here: http://www.prevx.com/blog/139/Tdss-rootkit...ns-the-net.html

It does not infect userinit.exe though, that probably is another infection. I suspect the outgoing connection you noticed, as well as the file you mentioned are connections made by the malware. cyberhost.name seems to be a server parc in Germany, so I don't think it's related to Microsoft.

Do you still get those connections to cyberhost.name?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 winxp_sp3_user

winxp_sp3_user
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:08 AM

Posted 12 March 2010 - 04:11 PM

Hi,

Can I just confirm the latest OTL/GMER log were all clear?

I've certainly not had any more redirections and can find no evidence of suspect cyberhost.name or svchost.exe outside of services.exe in Process Explorer.

I did, however, find that a service called "Cryptographic Services" has now been changed to "CryptSvc" - is this something that ComboFix did?

Thanks for the link on the Tdss rootkit - one thing it didn't mention (nor can I find on internet search) is whether or not these rootkits cause any malicious damage like deleting or corrupting files on the hard disk? Or are there solely to watch for personal information/generate spam etc.?

Cheers...

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 13 March 2010 - 04:28 AM

Hi,

they don't corrupt files as far as I know. They're into money and that means interested in making your PC part of a botnet, getting your financial information and redirecting you to sites.
Your OTL/Gmer logs were clean, just to be safe I would also like you to do a scan with Eset:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Regarding cryptographic services: The "service name" of the service is cryptsvc, while the "display name" of the service is cryptographic services. As far as I'm aware the display name shouldn't be changed though.

Let's see if the displayname was changed:
Open Notepad and copy/paste the code box below into a new text file.
CODE
@echo off
sc query cryptsvc >"%temp%\log.txt"
sc GetDisplayName cryptsvc >> "%temp%\log.txt"
"%temp%\log.txt"
  • Save the file as query.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "query.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
  • It will open a text file, please copy the content in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 winxp_sp3_user

winxp_sp3_user
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:08 AM

Posted 13 March 2010 - 08:47 AM

Hi,

The ESET online scan found only one threat, namely: C:\Program Files\Unlocker\unlocker1.8.8.exe Win32/Adware.ADON application

I used this utility to kill the locked ".tmp" file with the cyberhost.name in the internet temp folder before ComboFix. When I downloaded the file there was an option for an ebay toolbar which I declined (and which has not been installed), which I think is why it is being flagged.

The log from the batch file is as follows:

SERVICE_NAME: cryptsvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
[SC] GetServiceDisplayName SUCCESS Name = CryptSvc

Cheers...


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 13 March 2010 - 11:40 AM

Hi,

the display name has obviously been changed. Are you sure that this is related to combofix? Couldn't it have happened with some other tool? Can you "pinpoint" the time when it happened?

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :reg
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cryptsvc /s
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

The hit on unlocker very likely belongs to the toolbar, the program itself should be safe.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 winxp_sp3_user

winxp_sp3_user
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:08 AM

Posted 13 March 2010 - 01:07 PM

Hi,

I guess it could be any one of the following tools which I have run in the last few days:

DDS
GMER
HijackThis
SecurityCheck
ERUNT
OTL
TDSSkiller
ComboFix

I exported a list of all the services from services.msc just before starting to run these utilities and the display name then was definitely "Cryptographic Services".

I first noted the change after ComboFix, as well as some other service changes, namely setting previously Disabled services to either Automatic or Manual.

As far as I can remember, the following Disabled services had their "Startup Type" changed:

* Clipbook
* Error Reporting Service
* Help and Support
* Indexing Service
* Secondary Logon
* Uninterruptible Power Supply

The log from SystemLook is as follows:

--------------------------------------------------

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:08 on 13/03/2010 by Alan (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cryptsvc]
"DependOnService"="RpcSs"
"Description"="Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
"DisplayName"="CryptSvc"
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Start"= 0x0000000002 (2)
"Type"= 0x0000000020 (32)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cryptsvc\Enum]
"0"="Root\LEGACY_CRYPTSVC\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cryptsvc\Parameters]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"
"ServiceMain"="CryptServiceMain"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cryptsvc\Security]
"Security"=00 00 0e 00 01 (REG_BINARY)

-=End Of File=-

--------------------------------------------------

I have also included a search on the actual file "cryptsvc.dll" below:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:48 on 13/03/2010 by Alan (Administrator - Elevation successful)

========== filefind ==========

Searching for "cryptsvc.dll"
C:\WINDOWS\$NtServicePackUninstall$\cryptsvc.dll -----c 60416 bytes [12:35 03/03/2010] [07:56 04/08/2004] 10654F9DDCEA9C46CFB77554231BE73B
C:\WINDOWS\ERDNT\cache\cryptsvc.dll --a--- 62464 bytes [16:47 09/03/2010] [00:11 14/04/2008] 3D4E199942E29207970E04315D02AD3B
C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll ------ 62464 bytes [07:56 04/08/2004] [00:11 14/04/2008] 3D4E199942E29207970E04315D02AD3B
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\cryptsvc.dll --a--- 62464 bytes [12:18 03/03/2010] [00:11 14/04/2008] 3D4E199942E29207970E04315D02AD3B
C:\WINDOWS\system32\cryptsvc.dll ------ 62464 bytes [21:37 25/06/2002] [00:11 14/04/2008] 3D4E199942E29207970E04315D02AD3B

-=End Of File=-

Hope this is not going to turn out to be another problem!

Cheers...


#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 13 March 2010 - 03:18 PM

Hi,

no I don't think this will be a problem. I only wanted to make sure that nothign else was changed on the service. But the display name is only a cosmetic issue, the service name itself remains unchanged.
  • Please follow steps 1-3 behind this link to backup your registry with ERUNT (use current date while naming the location).
  • Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

    CODE
    REGEDIT4

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cryptsvc]
    "DisplayName"="Cryptographic Services"

  • It should look like this ->
  • Doubleclick fix.reg, when a window pops up and ask if this information should be merged, press Yes and ok.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 winxp_sp3_user

winxp_sp3_user
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:08 AM

Posted 14 March 2010 - 09:09 AM

Hi,

That code has fixed the display name now back to normal!

Also, I note that the SystemLook log for C:\WINDOWS\system32\cryptsvc.dll shows the same MD5 number (3D4E1...AD3B) as C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll, meaning it has not been amended?

Still no idea what utility altered the name - the only log which mentions it by name is a Spybot report where the display name is still "Cryptographic Services". That was just before running TDSSkiller and ComboFix.

If the cryptsvc is ok (just cosmetic change), then dare I assume my PC is now clear?!

Cheers...


#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 15 March 2010 - 05:26 PM

Hi,

Windows is trying to make their system very safe, meaning they keep a copy of clean files they install in C:\WINDOWS\ServicePackFiles and a copy of the outdated file in C:\WINDOWS\$NtServicePackUninstall$.
That is one of the reasons why you can run a system file integrity check without needing the CD to repair broken files. smile.gif

Yes your logs are looking clean and let me add that your software seems up to date too! thumbup.gif smile.gif

If you don't have anymore questions we'll get to the final step and remove the programs we used? I'll keep an eye open for the cryptographic services and if I see this happen again, I'll let the developers know. It is an odd thing to happen and I don't know what would be the benefit of modifying the display name besides checking how much attention the user is paying. wink.gif

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 winxp_sp3_user

winxp_sp3_user
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:08 AM

Posted 16 March 2010 - 06:26 PM

Hi,

And just when things looked so good... I have just had a threat warning from AVG about Win32/Virut. This was from a USB flash drive which had two files in the root, an AUTORUN.INI file and a RUNDLL32.EXE file, with the RUNDLL32.EXE file being infected. AVG "healed" it though I then used CCleaner to erase it securely.

From a quick online search this seems to be a very bad infection.

I am desperately hoping that as Windows Explorer did not automatically open when the USB flash drive was plugged in, then the "autorun" did not execute. In fact, I only got the threat warning from AVG when I saw the two files in the root of the USB drive and was suspicious and manually scanned them. I am hoping this is another sign that the virus didn't run (otherwise, wouldn't the AVG threat warning have appeared immediately the USB drive was plugged in?).

A quick scan by MBAM, AVG and Spybot show all clear, but I am about to run a full system scan with AVG overnight, and then GMER too.

I will post the results as soon as I have them.

Totally fed up at the moment!

Cheers...





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users