Multiple threats - infected svchost exe - and more


  • This topic is locked
11 replies to this topic

#1 supacowboy
  • Members
  • 6 posts

Posted 03 June 2010 - 05:53 PM


Browser redirections - recurring infections - attempted hijack



Hi guys,
I would greatly appreciate some help with this.

Malwarebytes has shown multiple threats (23) one week after I had used MalwareBytes to remove threats of 'HijackWindowsUpdate', 'Stolen.data', 'Spyware.Zbot', 'Backdoor.Bot', 'Adware.MyWebSearch' and others.

I followed your Preparation Guide steps before posting, and got to step 7 Run DDS, but can't turn off and didn't even know I had this script blocker. I get a pop-up saying 'Symantec Script blocking has prevented a script that could be harmful to you.' The strange thing is I don't have Norton or Symantec software installed. I run AVG antivirus software. So that's the first issue.

The main symptoms I can see are that my browser often redirects me to a random site on a new tab when clicking on a link. Also my PC runs slow sometimes for about 5 minutes. I have Motherboard Monitor 5 running in my system tray and it tells me the percentage use of my CPU. When I said my PC runs slow sometimes for about 5 minutes, I can see the CPU is on 100%. I don't think this is due to multiple programs running or high-demand CPU processing programs because it can happen on a Google home page when nothing else is running.

The other thing I noticed this morning - when I logged in to Windows XP, I saw my desktop image come up but nothing else. No icons or task bar. Just a mouse cursor which was alternating between busy and idle. I Ctrl-Alt-Delete'd to shut down and a popup said something like 'Remote Desktop is about to shut down. Etc etc'. That's why I think it was an attempted or successful hijack.

Although I couldn't run DDS, I did run gmer though, so I have attached the ark file and the malwarebytes scan report.

If there is anything else you need please let me know.

Many thanks for your help.


#2 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 05 June 2010 - 09:42 PM

Hi and welcome.

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a GMER log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 supacowboy
  • Topic Starter
  • Members
  • 6 posts

Posted 07 June 2010 - 03:40 PM

Hi EB,
Thanks for your time.
As I mentioned in my previous post, I can't run DDS, as something is blocking it but I don't know what.
Attached is the latest GMER log.
I await your reply.

Many thanks.
Supacowboy

Attached Files

  • Attached File  ark.txt   4.01KB   2 downloads


#4 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 08 June 2010 - 09:34 PM

Hello.

From the Malwarebytes screenshot you posted earlier, I see evidence of potential password stealing information.


What I recommend you do is...
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Then let's begin with the removal process and remove some infections I see on your computer. The main one here is the TDL3 that is active.

Let's begin with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


#5 supacowboy
  • Topic Starter
  • Members
  • 6 posts

Posted 10 June 2010 - 05:55 AM

Hi EB,
I ran ComboFix. The log is attached.
I thought I should inform you, that while running ComboFix, the same popup that prevented me from running DDS came up a few times, then disappeared after 10 seconds or so. The popup said something like "Symantec Script Blocking has prevented a script that may be harmful to you. ..."
I think this has something to do with the infections I have, because I don't have any Symantec software installed, and the antivirus I run is AVG, but this was turned off while I ran ComboFix.
Cheers for your help. I await further instructions.
SC

#6 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 10 June 2010 - 04:46 PM

Hello.

Thanks for letting me know about that.

Let's continue here.

Could you update Malwarebytes once more and run a quick scan and post the log for my review.

Thanks.

#7 supacowboy
  • Topic Starter
  • Members
  • 6 posts

Posted 10 June 2010 - 05:50 PM

Hi EB,
Here it is.
MBAM log attached. Two infections found.

Since the ComboFix, my computer automatically performs a restart after I log in. It then stays on after the second restart.
Also, a couple of programs close unexpectedly, like Adobe Reader when I try to print, and MS Word did it too.

Cheers


#8 supacowboy
  • Topic Starter
  • Members
  • 6 posts

Posted 11 June 2010 - 02:16 AM

Oops. After my last post I went back to MBAM & 'Removed' those 2 infections. Now the OS won't boot fully, saying themed32.dll needs to be reinstalled. I do have Recovery Console installed. Shall we use that?
Sorry for my haste.
Regards

#9 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 14 June 2010 - 07:15 PM

Hello.

I apologize for the delay, and to others I am helping with; I was sick recently and had some other personal work that had to be done. Sorry.

Let's continue here...

So your computer doesn't boot properly into Normal Mode? What exactly happens?

Try Safe Mode...

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.



If that still doesn't work, let us create a boot CD to do further diagnosing/fixing:

Please do this:

First read here and install ImgBurn.
  • Download OTLPE Network from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPENet.exe
    http://ottools.noahdfear.net/OTLPENet.exe

  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPENet Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first

    Note : For information click here

  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Push
  • When finished, the file will be saved as C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.

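The OTL script above hashes a fixed list of system executables, DLLs and storage drivers between /md5start and /md5stop so that a helper can compare the values against known-clean copies; rootkits of the TDL3 family the helper mentions are known to overwrite a disk driver in place, which is exactly what such a hash comparison catches. The following Python is an added example written for this page, not part of the original post or of OTL: it builds a hash baseline of the same file list from a known-clean directory, then re-checks a directory against it and reports files that are modified or missing. The directory layout, the sample file contents and the "tampering" in demo() are all constructed for the demonstration; MD5 is used to match the tool's output, with the algorithm left as a parameter so a defender can use SHA-256 instead.

```python
import hashlib
import tempfile
from pathlib import Path

# Names from the OTL script's /md5start ... /md5stop block (taken from the post above).
WATCHED_FILES = [
    "userinit.exe", "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll",
    "sceclt.dll", "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys",
    "atapi.sys", "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys",
    "nvatabus.sys", "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys",
    "ViPrt.sys", "eNetHook.dll", "ahcix86.sys", "KR10N.sys", "nvstor32.sys",
    "ahcix86s.sys",
]


def hash_file(path, algorithm="md5"):
    """Hash a file in chunks so large drivers do not need to be read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names, algorithm="md5"):
    """Record hashes of the watched files that exist under root (taken from a known-clean system)."""
    baseline = {}
    for name in names:
        p = Path(root) / name
        if p.is_file():
            baseline[name] = hash_file(p, algorithm)
    return baseline


def check_against_baseline(root, baseline, algorithm="md5"):
    """Return {name: status}, where status is "ok", "modified" or "missing"."""
    results = {}
    for name, expected in baseline.items():
        p = Path(root) / name
        if not p.is_file():
            results[name] = "missing"
        elif hash_file(p, algorithm) != expected:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed demo: fake a system32 directory, baseline it, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for three of the watched files.
        for name in ("userinit.exe", "atapi.sys", "netlogon.dll"):
            (root / name).write_bytes(b"clean contents of " + name.encode())
        baseline = build_baseline(root, WATCHED_FILES)
        # Simulate an in-place driver overwrite and a deleted DLL (constructed, not real malware).
        (root / "atapi.sys").write_bytes(b"patched contents")
        (root / "netlogon.dll").unlink()
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:16} {status}")
```

In practice the baseline would be built once from a clean install (or from a vendor file catalogue) and stored off the machine, since a rootkit that can patch atapi.sys can also rewrite a baseline kept on the same disk; a user-mode hash check also cannot see through a driver that filters disk reads, which is why helpers here run OTL from the boot CD rather than from inside the infected Windows.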

#10 supacowboy
  • Topic Starter
  • Members
  • 6 posts

Posted 15 June 2010 - 04:28 AM

Hi EB,
It would let me log in in both normal mode and safe mode, but the popup saying themed32.dll was not found continued to pop up with these files in the popup's title bar numerous times - services.exe, lsass.exe, userinit.exe, explorer.exe, rundll32.exe.
After 'ok'-ing all these windows away the computer was left with only desktop wallpaper in normal mode and a black screen in safe mode, without any task bar or desktop icons of any kind. It would not even respond to right mouse clicks. So.... I tried Windows recovery and various other recovery methods to no avail. In the end I re-installed/repaired Windows from the Windows CD. This did a kind of fresh Windows install over my old one on C drive, but kept all user settings i.e. desktop, bookmarks, Outlook pst files etc. My drive is partitioned in a way that my data is stored on D drive, programs on E drive and other stuff on F drive, with the Windows OS being on C. Apart from a few drivers, most things seem to be working ok. So where to from here? I still have Defogger running. Maybe I can now even run DDS without getting that nasty Symantec Script Blocking message. Should I try that?

Sorry to hear you weren't well. I hope you're better again very soon EB.

SC

#11 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 17 June 2010 - 07:32 PM

Hello.

If you did a re-install of Windows, then it should be fine now. If you want to make sure, we can check for malware: you can run it again and post it for me to take a final look.

Other than that, here are some prevention tips over here. Is your system a bit slow? If so, try some of the points and things suggested here.

Hope that helps.

~Extremeboy

#12 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 27 June 2010 - 03:02 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy