
Infected svchost, spoolsv & atapi.sys


This topic is locked. 3 replies to this topic.

#1 sdmike1 (Members, 10 posts)

Posted 22 April 2011 - 11:15 AM

A lot of the background information can be found here

http://www.bleepingcomputer.com/forums/topic392781.html/page__gopid__2216510#entry2216510

My son's laptop was infected with an entire petri dish of viruses, trojans, rootkits, and other malware that got past my AV and firewall. I went to my arsenal of Malwarebytes, Kaspersky, ESET, Ad-Aware, HijackThis and others, and even replaced an ATAPI.SYS that was giving me a BSOD (using the Recovery Console). At one point MS Security Essentials (now replaced with Avast again) found Wimpixo.E and Alureon.EQ, but "allowed" them for some unknown reason. I've not had any scanner show them since. I'm still plagued and need assistance. Here's what is still going on.

Avast pops up blocked URLs, mostly on two items. One is

Malicious URL blocked
object: 199.80.55.80
URL:Mal
C:\windows\system32\svchost.exe

The second is similar but involves 915.143.193.138 and spoolsv.exe. I don't even have to open the browser for these to pop up. In fact, sometimes I'll find the Firefox process running by itself.

I also get a shutdown of either of these at random times with a popup that seems to neuter some things, like add/remove programs.

Links for both Firefox and IE are redirected, often to a heinous page with a fake malware remover that's almost impossible to get out of (which is what I'm sure happened to my teenager).

The problem also shuts down my firewall and MS security center, but I can get those back with some work.

Here are the files, with DDS pasted and the others attached.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by mritchie at 21:25:46.82 on Thu 04/21/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1456 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\mritchie\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.signonsandiego.com/
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=userinit.exe
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PlayNC Launcher]
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli fuwoduke.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\mritchie\applic~1\mozilla\firefox\profiles\bhdfp6f8.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-21 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-4-21 307288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-4-21 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-4-21 42184]
R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2010-11-12 6607744]
S1 MpKsld5b59917;MpKsld5b59917;\??\c:\windows\system32\mpenginestore\mpksld5b59917.sys --> c:\windows\system32\mpenginestore\MpKsld5b59917.sys [?]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-4 14336]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2008-1-30 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2008-1-30 44928]
.
=============== Created Last 30 ================
.
2011-04-22 04:12:34 -------- d-----w- C:\MGtools
2011-04-22 00:59:48 -------- d-----w- c:\docume~1\mritchie\applic~1\SUPERAntiSpyware.com
2011-04-22 00:59:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-22 00:59:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-21 23:41:54 -------- d-s---w- C:\Combo-Fix
2011-04-21 22:58:46 -------- d-----w- c:\program files\ESET
2011-04-21 18:55:02 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-21 18:54:39 40112 ----a-w- c:\windows\avastSS.scr
2011-04-21 18:54:25 -------- d-----w- c:\program files\AVAST Software
2011-04-21 18:54:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software
2011-04-21 02:46:05 -------- d-sh--w- c:\documents and settings\mritchie\IECompatCache
2011-04-21 00:54:57 -------- d-sha-r- C:\cmdcons
2011-04-21 00:43:06 98816 ----a-w- c:\windows\sed.exe
2011-04-21 00:43:06 89088 ----a-w- c:\windows\MBR.exe
2011-04-21 00:43:06 256512 ----a-w- c:\windows\PEV.exe
2011-04-21 00:43:06 161792 ----a-w- c:\windows\SWREG.exe
2011-04-20 23:35:29 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-20 23:34:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-20 23:18:59 86656 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-04-20 16:03:43 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-19 21:00:36 -------- d-----w- c:\docume~1\mritchie\applic~1\ElevatedDiagnostics
2011-04-19 20:21:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-19 20:08:15 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-18 03:03:54 0 ----a-w- c:\windows\Wjobovis.bin
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS721080G9SA00 rev.MC4OC10H -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A32F4F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a3357d0]; MOV EAX, [0x8a33584c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A38D030]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007d[0x8A3B9F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A3C2D98]
\Driver\atapi[0x8A341910] -> IRP_MJ_CREATE -> 0x8A32F4F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A32F33B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:28:05.40 ===============


Attached File: DDSAttach.txt (28.48KB)


I just realized that my ark.txt was blank. So I'll try running this again. I'm having great difficulty getting this to run correctly. It appears to run, but then doesn't save any logs (plus all the text on my screen turns white for some reason).

Thanks in advance for your assistance. I also have SUPERAntiSpyware logs and other things if that would help.

Edited by sdmike1, 22 April 2011 - 11:48 AM.
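The DDS log in the post above carries three indicators that a responder would pull out before anything else: an LSA Notification Packages value that lists a second DLL beside the XP default (scecli), a service that launches svchost.exe with a -k group name that is not one of the stock XP groups, and a disk-stack trace in which the atapi DriverStartIo pointer resolves to an address the detector could not map to any loaded module. The script below is an added example, not part of the original post or of DDS/GMER; it runs the same three checks over a constructed excerpt of the log (only the lines the checks look at, copied from the post). The list of known svchost groups is an assumption for illustration; on a real system compare against the names under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.

```python
import re
from typing import List

# Constructed excerpt of the DDS log posted above, embedded so the script runs
# offline. Only the lines the checks below look at are included.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
mWinlogon: Userinit=userinit.exe
LSA: Notification Packages = scecli fuwoduke.dll
============= SERVICES / DRIVERS ===============
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-21 441176]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-4 14336]
=================== ROOTKIT ====================
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A32F4F0]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A32F33B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Stock value of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages on XP.
DEFAULT_LSA_PACKAGES = {"scecli"}

# Assumption: a short list of stock svchost groups on XP, for illustration only.
# A real triage compares against HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "httpfilter", "termsvcs",
}

LSA_RE = re.compile(r"^LSA: Notification Packages = (.+)$", re.I)
# DDS service line: "<R|S><n> <name>;<display>;<image> [date size]"
SVC_RE = re.compile(
    r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?svchost\.exe)\s+-k\s+(?P<group>\S+)",
    re.I,
)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-F]+)\]<<", re.I)
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-F]+)$", re.I)


def triage(log: str) -> List[str]:
    """Return human-readable findings for the indicators described above."""
    findings = []
    in_hooks = False
    for raw in log.splitlines():
        line = raw.strip()

        m = LSA_RE.match(line)
        if m:
            # Anything beside scecli is loaded into lsass.exe at boot: worth a look.
            for pkg in m.group(1).split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(f"LSA notification package not in XP default set: {pkg}")
            continue

        m = SVC_RE.match(line)
        if m and m.group("group").lower() not in KNOWN_SVCHOST_GROUPS:
            findings.append(
                f"service {m.group('name')} runs svchost with unrecognised group -k {m.group('group')}"
            )
            continue

        m = UNKNOWN_RE.search(line)
        if m:
            findings.append(f"disk I/O path passes through code outside any loaded module at {m.group(1)}")
            continue

        if line.lower() == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                findings.append(f"{m.group(1)} {m.group(2)} hooked -> {m.group(3)}")
                continue
            in_hooks = False  # first non-hook line closes the section

        if line.lower().startswith("warning:"):
            findings.append(line)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" -", finding)
```

The checks are deliberately narrow: they report what the log says and do not name the malware. A second DLL in Notification Packages and a svchost group that does not exist in the Svchost registry key are both persistence mechanisms that survive file-based cleanup, and a DriverStartIo pointer outside every loaded module means the disk reads the scanners depend on are being filtered, which is why the poster's tools kept coming up clean.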


#2 sdmike1 (Topic Starter, Members, 10 posts)

Posted 22 April 2011 - 11:41 AM

Here is a screenshot of when the svchost.exe fails. By the way, I've cleaned out all the temp file locations shown in the logs about a million times. Still working on the other log.

Attached File: svchost.jpg (157.88KB)

Edited by sdmike1, 22 April 2011 - 11:44 AM.


#3 sdmike1 (Topic Starter, Members, 10 posts)

Posted 22 April 2011 - 06:18 PM

Please delete this topic/thread. After being unable to run the last logging program, having new infections crop up, etc., I have decided to reformat the computer and start over with a fresh version of XP. Thanks for your time and effort. The folks here are a great asset.

#4 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 22 April 2011 - 06:46 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

The power of accurate observation is commonly called cynicism by those who haven't got it.
—George Bernard Shaw
