
Svchost.exe Virus - not sure which one! Help!


12 replies to this topic

#1 Queaker


Posted 15 April 2010 - 12:16 PM

Hi,

I have a virus or malware / spyware. I have something. Just not sure what.

Last night, I was looking for spoilers on the TV show lost and (stupidly) clicked on a link I didn't recognize through my Google search. Immediately, my browser began refreshing rapidly through several websites. And a window popped up from AVG saying, "Threat Blocked." (see image)

Posted Image

I ran AVG and the scan came back as no infections.
I ran Malware bytes. Same thing. No infections.
I also ran Hijackthis - no infections.

Meanwhile, during my scans, every minute or two, I would suddenly have an IE browser pop up with a commercial website. I didn't have IE open, so I know this was part of the infection that my scanners weren't picking up!

Then my PC froze. I rebooted (unfortunately).

I've run the scanners a couple times, still no infection found. But I keep getting a "Just-In-Time Debugging" window pop up on me, and I've never seen it before last night. I always close it out and never answer it.

What do I do? Where do I start?

I am running WinXP

Here are some other things I've done since the infection (besides run the scanners):
1. Used System restore - picking a date from 3 days ago.
2. Uploaded all my photos that had not been recently backed up to photobucket.com
3. Backed all my music up on my MP3 player.
4. Burned 3 rewritable discs with my non-backed up business files.
5. Currently backing up my home videos (*.mov) to a non-public domain I own.

I think that's it.

Edited by Queaker, 15 April 2010 - 12:59 PM.




#2 Queaker


Posted 15 April 2010 - 01:14 PM

Let me know if there is any other information you need! I am refreshing every 5 minutes or so for a reply.

Thank you so very much ahead of time!!
Queaker

#3 Queaker


Posted 15 April 2010 - 03:42 PM

Anyone?

#4 Queaker


Posted 15 April 2010 - 05:55 PM

More information:

I had Automatic Updates turned off but turned it on today. Now, I am being prompted by Auto Update to install the following:

* Cumulative Security Update for IE7 KB980182
* Security Update KB975561
* Security Update KB966323
* Security Update KB977816
* Security Update KB978338
* Security Update KB979683
* Security Update KB980232
* Security Update KB981349
* Update KB979306
* Windows malicious software removal tool - April 2010 KB890830


Is any of this from the virus? Should I go ahead and install these updates?

Thank you to whoever helps me,
Queaker

#5 trollocks


Posted 15 April 2010 - 06:44 PM

Looking at your screenshot, your Malwarebytes database is about a year old. Update and rescan. Then post the log.

#6 Queaker


Posted 15 April 2010 - 10:41 PM

Thank you very much! I can't believe I didn't update Malwarebytes. In my panic, I overlooked a pretty simple action.

I just updated and scanned again. MBAM results were Backdoor.bot

I'm including both the quick scan and full scan log files.


Quick Scan

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

4/15/2010 9:54:53 PM
mbam-log-2010-04-15 (21-54-53).txt

Scan type: Quick scan
Objects scanned: 2813
Time elapsed: 2 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#7 Queaker


Posted 15 April 2010 - 10:42 PM

And Full Scan:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

4/15/2010 10:52:26 PM
mbam-log-2010-04-15 (22-52-26).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 308990
Time elapsed: 56 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054807.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054810.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054811.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054813.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054814.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054823.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054826.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054829.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054830.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054831.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054835.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054836.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054837.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054838.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054840.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054841.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054842.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054843.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054844.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054845.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP266\A0054854.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP268\A0055781.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP268\A0055782.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP268\A0055784.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP268\A0055785.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{087737AA-F1A4-4C22-A041-AC6878F63265}\RP268\A0055818.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.


Edited by Queaker, 15 April 2010 - 10:53 PM.


#8 Queaker


Posted 15 April 2010 - 11:11 PM

I guess my question now is, how bad is Trojan.Zbot and how easy will it be to eradicate completely? Should I be worried about sensitive / personal information that was / is on my PC?

I know it isn't completely gone yet as I'm still having symptoms - another IE window with some random url just popped up while I was typing this post.

BUT, I need to head to bed, I haven't slept in about 36 hours. I'll check back on here first thing in the morning. Thanks again for any and all help!!!

(thank you!!)

#9 trollocks


Posted 16 April 2010 - 02:47 AM

This is a standard canned speech about backdoor trojans.

You have a backdoor infection.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


Your Malwarebytes database is still outdated. Yours shows 3930, mine is 3994. Update and run a full scan in normal mode.

#10 Queaker


Posted 16 April 2010 - 07:45 AM

Okay, will format PC.

I'm worried about the files I backed up yesterday (after the infection).

1. Uploaded all my photos to photobucket.com
2. Backed all my music up on my MP3 player.
3. Burned 3 rewritable discs with business files.
4. Uploaded home videos (*.mov) to a domain I own.

How can I access these files after I format the PC?
I mean, should I access them? Is there a way to ensure they are not infected?
Can I trust MBAM to detect any infections if I scan the discs?

I really appreciate all your help, I've been beside myself since Wednesday night.
:thumbsup:

#11 trollocks


Posted 16 April 2010 - 09:21 AM

The safest practice is not to back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.
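As an added example (not code from the thread or from any tool named in it), a small Python script that walks a backup folder and reports any file carrying one of the extensions trollocks lists, so they can be left out before the backup is restored onto the rebuilt PC. It checks every dot-separated suffix rather than only the last, so a double extension such as photo.jpg.exe is also caught; the sample backup tree is constructed inline and is hypothetical.

```python
import os
import tempfile

# Extensions trollocks advises against restoring from a post-infection backup
# (the post's bare "exe" is normalised to ".exe" here).
RISKY_EXTENSIONS = {".exe", ".scr", ".ini", ".htm", ".html", ".php",
                    ".asp", ".xml", ".zip", ".rar", ".cab"}

def risky_suffixes(filename):
    """Return every suffix of the name that is on the risky list.

    Every dot-separated suffix is checked, not only the last one, so
    'photo.jpg.exe' (an executable hiding behind an image name) is flagged.
    """
    parts = filename.lower().split(".")
    return [f".{p}" for p in parts[1:] if f".{p}" in RISKY_EXTENSIONS]

def find_risky_files(root):
    """Walk a backup tree; return sorted (relative path, matched suffixes) pairs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            matched = risky_suffixes(name)
            if matched:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), matched))
    return sorted(hits)

def build_sample_backup():
    """Create a constructed (hypothetical) backup tree mirroring the thread's categories."""
    root = tempfile.mkdtemp(prefix="backup_")
    sample = [
        "photos/beach.jpg",        # plain data, safe to restore
        "photos/family.jpg.exe",   # executable masquerading as an image
        "business/invoice.xml",    # on the list
        "business/archive.zip",    # on the list
        "videos/holiday.mov",
        "videos/desktop.ini",      # on the list
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
    return root

if __name__ == "__main__":
    for rel_path, suffixes in find_risky_files(build_sample_backup()):
        print(f"{rel_path}: {', '.join(suffixes)}")
```

Point it at the real backup root instead of build_sample_backup() to get the list of files to exclude; a clean result does not prove the rest of the backup is safe, it only removes the file types the post singles out.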

#12 Queaker


Posted 16 April 2010 - 09:43 AM

Wonderful! Thank you for letting me know about the file extensions. You've been a wonderful help.

Wish they had a "bow-down-gratefully" smiley here :thumbsup:

#13 trollocks


Posted 16 April 2010 - 09:47 AM

No problem, good luck.



