
svchost.exe errors and Infection of win32/patched.dx and more

7 replies to this topic

#1 sportsfroma2


Posted 18 October 2010 - 01:58 PM

Alright, so I am writing about my uncle's computer today...

The initial problem was that there would be a svchost.exe error message that was popping up quite often. Unfortunately I did not write the error message down, but it always mentioned a memory location and the options were to press OK to close or Cancel to debug. Pressing either one didn't do anything else.

Other symptoms are: unable to load SuperAntiSpyware, Malwarebytes, Spybot Search and Destroy. Microsoft Security Essentials was installed also, but it's unable to update and seems to freeze up when running a scan.

Also, it does not allow me to connect to the Windows Update server, and there are infrequent/random Google search redirects.

My first course of action was to install Super + Malwarebytes (and their definition updates) from Windows Safe Mode. While the programs were able to install fine, I am unable to start the programs or run any scans; when I double-click on their icons nothing happens.

After that, I made an AVG boot disc and ran the scan directly from there.

It identified 5 infections: 4 instances of "Trojan Horse Generic19.agyh" (3 of which were in the System Restore files), and 1 infection of "win32/patched.dx" which was in pci.sys. I deleted all the instances of Trojan Horse Generic19.agyh, but AVG warned me that pci.sys was a required system file and should not be deleted, and the only options from their boot disc were to delete or rename the file.

Not knowing what to do, I skipped that and didn't do anything. I figured I should stop guessing and should follow the advice of the experts here at BleepingComputer :thumbsup:

Right now I'm back into windows, and it seems as though the svchost.exe popups/error messages are gone (for now?).

Still unable to use any of those previously mentioned malware removal programs.

Also, it should be noted that this computer is running Windows XP SP2, so it certainly seems as though my uncle hasn't been running the Windows updates like he should be doing, and there are other instances of old programs and stuff. There also seem to be remains (shortcuts and things like that) of various other anti-malware programs like Norton/Symantec and other things.

I appreciate any assistance you can provide. Thanks!

#2 boopme


Posted 18 October 2010 - 03:29 PM

Hello, we need to stop the malware from loading.

Reboot into Safe Mode with Networking.
How to enter Safe Mode (XP) using the F8 method:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on RKill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
Do not reboot your computer after running RKill, as the malware programs will start again. If rebooting is required, run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SuperAntiSpyware (SAS):

Next run MBAM (MalwareBytes):
Post back the logs and tell me how we are doing.

#3 sportsfroma2


Posted 18 October 2010 - 07:03 PM

Hi Boopme!

First, thank you so much for your response.

OK, so I was able to boot into Safe Mode with Networking without a problem (in fact I'm still in there right now).

I ran RKill, and it went through the prompts and left me with this log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Administrator on 10/18/2010 at 19:50:37.


Services Stopped:


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Administrator\Desktop\rkill.scr


Rkill completed on 10/18/2010 at 19:50:48.


I was able to run fixexe.reg without incident.

At first I tried to use the MBAM that I installed/updated yesterday via my flash drive, which didn't work (when I double-clicked on it nothing happens).
Same thing with the Super I installed yesterday.

I then tried to go to malwarebytes.org to download the newest file/reinstall, but I am unable to connect to that URL. Instead, I searched malwarebytes.org on Google and I was able to get to the CNET downloads page for MBAM and was able to access the download that way.

I did that, went through the install (again) without any problems; yet I am still unable to "run" the program. When I double-click on the icon nothing happens.

Same thing with Super, and I tried to go to SAS's site to re-download the install files and try to reinstall. While I am able to get to their site, when I click on "download free edition" it tries to auto download but then quickly goes to "page load error- Address Not Found Firefox can't find the server at downloads.superantispyware.com. "

So it seems as though I'm unable to utilize either of those tools right now.

Please let me know what's the best way to proceed.

Thanks!

(edited to fix a few typos)

UPDATE:

I just read through the stickied thread for "For those having trouble running Malwarebytes Anti-Malware"
http://www.bleepingcomputer.com/forums/topic267354.html

and followed the advice to rename it to explorer.exe.

That worked, and I have started a full scan!

Once that is completed, I will do the same with the SAS exe file and see if that also does the trick.

I will reply with the results of those scans once they're finished.

Edited by sportsfroma2, 18 October 2010 - 08:17 PM.


#4 boopme


Posted 18 October 2010 - 09:15 PM

Good work thanks...

#5 sportsfroma2


Posted 18 October 2010 - 10:41 PM

OK, so I completed both the Malwarebytes and SuperAntiSpyware full scans in Safe Mode after renaming the files.

The results of the Malwarebytes scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4798

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18702

10/18/2010 9:45:02 PM
mbam-log-2010-10-18 (21-45-02).txt

Scan type: Full scan (C:\|)
Objects scanned: 195463
Time elapsed: 31 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000162-9980-0010-8000-00aa00389b71} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.84,93.188.161.224 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a41043f2-4f92-4390-9813-b17dcf663fcd}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.84,93.188.161.224 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e5d181cb-acab-4141-a294-abb6722f5bfc}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.84,93.188.161.224 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{56709E39-C1EF-4358-B671-B630B0D8ED4E}\RP1393\A0086779.exe (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56709E39-C1EF-4358-B671-B630B0D8ED4E}\RP1393\A0086808.exe (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{56709E39-C1EF-4358-B671-B630B0D8ED4E}\RP1393\A0086809.exe (Rogue.BulletProofSoftware) -> Quarantined and deleted successfully.

It prompted me to restart to complete the removal, I did.

After it restarted I went back into Safe Mode with Networking, ran RKill (same results as before) and then did a full SAS scan.
The results of the SuperAntiSpyware scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/18/2010 at 11:04 PM

Application Version : 4.44.1000

Core Rules Database Version : 5708
Trace Rules Database Version: 3520

Scan type : Complete Scan
Total Scan Time : 01:08:50

Memory items scanned : 275
Memory threats detected : 0
Registry items scanned : 6855
Registry threats detected : 3
File items scanned : 66377
File threats detected : 0

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{A41043F2-4F92-4390-9813-B17DCF663FCD}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{E5D181CB-ACAB-4141-A294-ABB6722F5BFC}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS#NAMESERVER


After removal I again restarted, and it went straight into chkdsk.

I was not able to write down everything that was shown on the screen during chkdsk, but one "abnormal" looking thing (to me, at least) was:
deleted index entry Boabcb~1.jso in index $I30 of file 24911
deleted index entry bookmarks-2010-10-05.json in index $I30 of file 24911

and there were around 4 more like that, but I wasn't able to write them down.

Not sure if that was abnormal or not.

After that completed, the computer did start up into Windows XP. Upon startup I did get the following error message:
Posted Image

Besides that, some things seem better: SuperAntiSpyware DID start up in the system tray (it was not before), and I was able to go to malwarebytes.org, which I was not able to visit previously.

There is also another odd thing: it's like there's an empty "box" with a red X in it on my desktop above the system tray. Here's a screenshot of that:
Posted Image

I don't know if that means anything to you, but I figured I'd inform you of it anyway.

Please let me know what you think.

Thanks!
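The Malwarebytes log in this post shows what a DNS hijack looks like from the registry side: every NameServer value under Tcpip\Parameters (the global one and each interface) pointed at resolvers the machine's owner never configured, which is what produced the random Google redirects. The Python script below is an added example, not code from the thread or from Malwarebytes. It parses "Registry Data Items" lines in the log format quoted above and reports each NameServer key whose resolvers are not on an expected list. The sample lines are constructed from that format (the two resolver IPs are the ones in the log), and the expected resolver 192.168.1.1 is an assumption standing in for whatever the router or ISP actually hands out. The `unexpected_resolvers` helper works on any raw NameServer string, so it generalizes to values pulled from `reg query` output as well.

```python
"""Triage Malwarebytes 'Registry Data Items' lines for hijacked DNS resolvers.

Added example, not part of the forum thread. Log format modelled on the
Malwarebytes 1.46 log quoted above; sample lines and the expected-resolver
list are constructed/assumed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.84,93.188.161.224 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a41043f2-4f92-4390-9813-b17dcf663fcd}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.84,93.188.161.224 -> Quarantined and deleted successfully.
"""

# Resolvers this machine is expected to use. Assumption: a home router address;
# replace with the real ISP/corporate resolvers when triaging an actual host.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# key (detection) -> rest ; the key may contain spaces, so match lazily up to " (".
LINE_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+?) \((?P<detection>[A-Za-z0-9.\-]+)\) -> (?P<rest>.+)$"
)


@dataclass
class Finding:
    key: str
    detection: str
    data: Optional[str]  # value data when the log reports one ("Data: ..."), else None


def parse_registry_items(text):
    """Turn each 'Registry Data Items' log line into a Finding; other lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        data = None
        if rest.startswith("Data: "):
            # "Data: <value> -> Quarantined ..." : keep only the value part
            data = rest[len("Data: "):].split(" ->", 1)[0].strip()
        findings.append(Finding(m.group("key"), m.group("detection"), data))
    return findings


def unexpected_resolvers(nameserver_value, expected=EXPECTED_RESOLVERS):
    """Return the resolvers in a NameServer value that are not on the expected list.

    Windows stores NameServer as a comma- or space-separated list, so both are
    accepted. Tokens that are not valid IPs are reported too rather than dropped,
    because a malformed entry is itself worth a look.
    """
    bad = []
    for token in re.split(r"[,\s]+", nameserver_value.strip()):
        if not token:
            continue
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            bad.append(token)
            continue
        if ip not in expected:
            bad.append(ip)
    return bad


def dns_hijack_report(text, expected=EXPECTED_RESOLVERS):
    """Map each NameServer registry key in the log to the resolvers it should not have."""
    report = {}
    for f in parse_registry_items(text):
        if f.key.upper().endswith("\\NAMESERVER") and f.data:
            bad = unexpected_resolvers(f.data, expected)
            if bad:
                report[f.key] = bad
    return report


if __name__ == "__main__":
    for key, ips in dns_hijack_report(SAMPLE_LOG).items():
        print(f"{key}\n    -> unexpected resolvers: {', '.join(ips)}")
```

Run against the real mbam-log file (`python script.py < mbam-log.txt` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the report lists the same three keys the log above shows. The per-interface keys matter as much as the global one: Malwarebytes cleaned all three here, and SAS still found the copies under ControlSet003, so a check like this is worth repeating after a reboot.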

#6 boopme


Posted 20 October 2010 - 07:26 PM

Hello, sorry for the delay. The board update was taking up my time. I am asking about this image.

#7 sportsfroma2


Posted 23 October 2010 - 05:50 PM

Hi Boopme, I totally understand about the board update, no problems.

In the meantime, Malwarebytes & Super scan results continued to be clean, but I was continuing to have issues.

Since Microsoft Security Essentials was running, it ran its autoscan and the Alureon.H rootkit (same as TDS?) was being detected repeatedly even after it was "cleaned" by MSE. I searched on the site and it seemed as though the best course of action was to just reformat/reinstall, so that is what I am doing right now.

Again, thank you for looking into this and I appreciate all the help.

I do have one question, however.
I backed up some files (mostly pictures, PDF, and .doc Word files) that my uncle might/might not need onto a spare external hard drive.

Given that this malware seemed to be fairly malicious/invasive, what's the best way to determine that the files are "clean" and rootkit-free before copying them back onto the computer?

Thanks

#8 boopme


Posted 24 October 2010 - 12:15 PM

OK, we will try one more tool here to kill this.
Please run the tool here: How to remove Google Redirects

When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.


2 guidelines/rules when backing up:

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files, as they may contain traces of malware. Also, .html or .htm files that are web pages should also be avoided.
The tools we ran here should also be run on the external drive.
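The two backup rules above can be applied mechanically instead of by eye, which matters when a drive has thousands of files and malware likes to hide an .exe behind a picture name. The Python script below is an added example, not code from the thread or from BleepingComputer. It classifies every file by its final extension, blocks the types the post lists, skips Windows system directories wholesale, and copies only files whose extension is on a data allow-list; anything else is left for a human to look at rather than copied. The allow-list beyond the post's examples, the system directory names, and the intended usage (source tree of the infected drive, destination on the external drive) are assumptions.

```python
"""Apply the thread's two backup rules as a file filter.

Added example, not from the forum thread. Extension lists follow the post;
the extra data types and the system-directory names are assumptions.
"""
import shutil
from pathlib import Path, PureWindowsPath

# Rule 1 (post): ordinary data files get backed up. The post names .doc, .txt,
# .mp3, .jpg; the rest of this allow-list is an assumption.
DATA_EXTENSIONS = {".doc", ".docx", ".txt", ".pdf", ".mp3", ".jpg", ".jpeg", ".png"}
# Rule 2 (post): never copy these, they may carry traces of malware.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Rule 2 also excludes Windows files: skip these top-level folders entirely (assumption).
SYSTEM_DIRS = {"windows", "winnt", "program files"}


def classify(name):
    """Return 'keep', 'blocked' or 'unknown' from the file's final extension only.

    Only the last suffix counts, so 'holiday.jpg.exe' is blocked: the final
    extension is what Windows uses to decide how to open the file, whatever
    the rest of the name suggests. Case is ignored ('SETUP.EXE' is blocked).
    """
    ext = PureWindowsPath(name).suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        return "blocked"
    if ext in DATA_EXTENSIONS:
        return "keep"
    return "unknown"  # not a known data type: never copied automatically


def plan_from_paths(rel_paths):
    """Sort relative paths (backslash or slash style) into keep / blocked / unknown."""
    plan = {"keep": [], "blocked": [], "unknown": []}
    for rel in rel_paths:
        parts = PureWindowsPath(rel).parts
        if parts and parts[0].lower() in SYSTEM_DIRS:
            plan["blocked"].append(rel)  # whole system tree excluded, whatever the type
            continue
        plan[classify(rel)].append(rel)
    return plan


def plan_backup(src_root):
    """Walk a source tree (e.g. the suspect drive mounted read-only) and plan the copy."""
    src_root = Path(src_root)
    rels = sorted(str(p.relative_to(src_root)) for p in src_root.rglob("*") if p.is_file())
    return plan_from_paths(rels)


def run_backup(src_root, dst_root):
    """Copy only the 'keep' files, preserving their relative layout; return the plan."""
    plan = plan_backup(src_root)
    for rel in plan["keep"]:
        dst = Path(dst_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(src_root) / rel, dst)
    return plan


if __name__ == "__main__":
    import sys

    src, dst = sys.argv[1], sys.argv[2]  # e.g. /mnt/suspect_drive  /mnt/external/backup
    result = run_backup(src, dst)
    for bucket in ("keep", "blocked", "unknown"):
        print(f"{bucket}: {len(result[bucket])} file(s)")
    for rel in result["unknown"]:
        print("  review manually:", rel)
```

An extension filter only enforces the post's rules; it cannot tell a macro-laden .doc or a malformed .jpg from a clean one, which is why the post's last line, running the same scanners over the external drive, still applies after the copy.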
