Infected with Rootkit that creates svchost.exe in temp folder


  • This topic is locked
2 replies to this topic

#1 hanzue

  • Members
  • 5 posts

Posted 08 April 2010 - 09:15 PM

Need help bad. I got infected with this rootkit (I think) that creates svchost.exe copies in the temp folder, runs them, then deletes the copies before they can be healed. And I'm pretty sure my PC has more malware I'm unaware of. Here are my logs.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ronald at 8:26:36.89 on Fri 04/09/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2943.2336 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\D-Link Wireless G DWA-110\AirGCFG.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Soundcrank\SoundcrankLoader.exe
C:\Documents and Settings\Ronald\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Ronald\Desktop\dds.scr
C:\Program Files\Opera\Opera.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ronald\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Wireless G DWA-110] c:\program files\d-link\d-link wireless g dwa-110\AirGCFG.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mspaint] "c:\windows\system32\Paint.exe" -autocheck
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\soundc~1.lnk - c:\program files\soundcrank\SoundcrankLoader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: GootkitSSO - {146B4E70-EFFA-45B2-8F98-1E1C0C1E9EE0} - c:\windows\system32\msxsltsso.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-6 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-6 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-6 297752]
S3 GarenaPEngine;GarenaPEngine;c:\docume~1\ronald\locals~1\temp\XMJ37E.tmp [2010-4-9 25616]

=============== Created Last 30 ================

2020-09-05 02:01:34 0 d-----w- c:\windows\ERUNT
2010-04-09 15:00:19 2438 ----a-w- c:\windows\system32\.crusader
2010-04-09 14:52:24 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-09 14:52:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-09 14:51:57 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 01:46:11 0 d-----w- c:\docume~1\ronald\applic~1\Malwarebytes
2010-04-08 01:46:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-08 01:46:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-08 01:45:59 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 01:45:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 20:41:24 0 d-----w- C:\spoolerlogs
2010-04-07 20:28:32 0 d-----w- C:\_OTM
2010-04-07 20:19:53 0 d-----w- c:\windows\pss
2010-04-07 17:08:08 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2010-04-07 16:44:44 0 d-----w- c:\program files\Rosetta Stone
2010-04-07 16:44:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2010-04-07 08:39:41 0 d-----w- c:\docume~1\alluse~1\applic~1\WildTangent
2010-04-07 08:35:34 0 d-----w- c:\program files\WildGames
2010-04-04 03:06:58 0 d-----w- c:\documents and settings\ronald\Bloom
2010-04-04 03:06:27 0 d-----w- c:\program files\Bloom
2010-03-24 18:09:01 0 d-----w- c:\program files\directx
2010-03-24 18:05:49 0 d-----w- c:\program files\CAPCOM
2010-03-23 18:56:32 0 d-----w- c:\program files\Mobius
2010-03-19 17:19:58 0 d-----w- c:\docume~1\ronald\applic~1\FOG Downloader
2010-03-19 17:16:27 0 d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
2010-03-19 17:14:51 0 d-----w- c:\program files\Pando Networks
2010-03-14 17:55:40 0 d-----w- c:\docume~1\ronald\applic~1\Xfire
2010-03-13 15:54:28 0 d-----w- c:\program files\Constantine
2010-03-13 02:20:30 0 d-----w- c:\program files\Atari

==================== Find3M ====================

2010-04-09 05:54:25 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-04-08 18:21:56 7120536 ----a-w- c:\program files\DotA Allstars v6.67c.w3x
2010-04-07 17:06:52 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-03-06 21:07:32 61696 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-25 04:07:42 25 ----a-w- c:\program files\popcinfot.dat
2009-02-01 10:07:44 962144094 ----a-w- c:\program files\Left.4.Dead.Full-Rip.Skullptura.rar
2004-10-01 23:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 8:27:15.03 ===============
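The symptom hanzue describes (svchost.exe copies spawned from the temp folder and deleted again) is the kind of thing a responder looks for in the DDS sections above: a process, autorun entry or service whose image lives under a temp directory, a well-known system binary name reported outside System32, or an entry with no directory at all, so the path cannot be confirmed. The script below is an added triage example; it is not part of the original post and not DDS's own logic. It parses a constructed excerpt modelled on the posted log: the bare `svchost.exe` process line and the `GarenaPEngine` service running from `locals~1\temp\XMJ37E.tmp` are copied from the log, while the temp-folder `svchost.exe` process line is invented to show what the rule would catch. The section-header format, the path heuristics and the `MASQUERADE_TARGETS` list are assumptions, not DDS semantics.

```python
"""Triage a DDS-style log for executables started from unexpected locations.

Added example, not part of the original post or of DDS itself. The section
names, path heuristics and MASQUERADE_TARGETS list are assumptions.
"""
import ntpath
import re

# Constructed excerpt modelled on the posted log. The temp-folder svchost.exe
# process line is invented to show what the rules catch; the bare "svchost.exe"
# entry and the GarenaPEngine service are copied from the log above.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Ronald\Local Settings\Temp\svchost.exe

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [mspaint] "c:\windows\system32\Paint.exe" -autocheck

============= SERVICES / DRIVERS ===============

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-6 297752]
S3 GarenaPEngine;GarenaPEngine;c:\docume~1\ronald\locals~1\temp\XMJ37E.tmp [2010-4-9 25616]

=============== Created Last 30 ================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_KEY_RE = re.compile(r"^[um]Run: \[[^\]]*\]\s*(.+)$")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
SYSTEM32_DIRS = {"c:\\windows\\system32", "c:\\winnt\\system32"}
# Names malware commonly borrows; the legitimate copies live in System32 (assumption).
MASQUERADE_TARGETS = {"svchost", "lsass", "services", "csrss", "winlogon", "smss", "spoolsv"}


def split_sections(text):
    """Group log lines under their '==== Name ====' header (lower-cased key)."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def executable_path(cmdline):
    """Extract the image path from a command line as DDS prints it."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    # Unquoted: the path runs up to the first " -" or " /" switch.
    return re.split(r"\s+[-/]", cmdline, maxsplit=1)[0]


def classify_path(path):
    """Return the reasons an image path deserves a closer look (empty if none)."""
    low = path.lower()
    directory = ntpath.dirname(low)
    stem, ext = ntpath.splitext(ntpath.basename(low))
    reasons = []
    if not directory:
        reasons.append("no directory reported; full path could not be confirmed")
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("executes from a temp directory")
    if directory and stem in MASQUERADE_TARGETS and directory not in SYSTEM32_DIRS:
        reasons.append("system binary name outside System32")
    if ext == ".tmp":
        reasons.append(".tmp file used as an executable")
    return reasons


def triage(log_text):
    """Return (kind, path, reasons) for every suspicious process, run key or service."""
    sections = split_sections(log_text)
    candidates = []
    for line in sections.get("running processes", []):
        candidates.append(("process", executable_path(line)))
    for line in sections.get("pseudo hjt report", []):
        m = RUN_KEY_RE.match(line)
        if m:
            candidates.append(("runkey", executable_path(m.group(1))))
    for line in sections.get("services / drivers", []):
        fields = line.split(";")
        if len(fields) >= 3:
            # Third field is "path [date size]"; drop the bracketed suffix.
            candidates.append(("service", fields[2].split(" [")[0].strip()))
    findings = []
    for kind, path in candidates:
        reasons = classify_path(path)
        if reasons:
            findings.append((kind, path, reasons))
    return findings


if __name__ == "__main__":
    for kind, path, reasons in triage(SAMPLE_LOG):
        print(f"[{kind}] {path}\n    - " + "\n    - ".join(reasons))
```

Run against the excerpt it reports three hits: the bare `svchost.exe` process (no path to verify), the constructed temp-folder `svchost.exe` (temp directory plus a system binary name outside System32), and the `GarenaPEngine` service whose image is a `.tmp` file under the user's temp directory. Every entry that DDS shows resolving to `C:\WINDOWS\system32` passes, which is the point: the heuristics key on where an image runs from, not on its name alone, because the name is exactly what this kind of malware copies.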

#2 hanzue

  • Topic Starter
  • Members
  • 5 posts

Posted 09 April 2010 - 10:19 PM

MRT, please close this topic. I got a BSoD and I had to repair my Windows installation. Thankfully, the malware and the rootkit are now gone. Perhaps they were infecting system files and now that I have a fresh install, so to speak, I believe they are gone. More power to you! Thanks for putting up such a great forum. I will probably post back should the infection have survived. Thanks guys!

#3 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,090 posts
  • Gender:Female
  • Location:Romania

Posted 11 April 2010 - 07:25 AM

Sorry to hear that you had to reinstall.

This topic will now be closed.

regards, Elise