
svhost.exe files infecting local html files on winxp


  • This topic is locked
2 replies to this topic

#1 jamieuk

jamieuk

  • Members
  • 1 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 01 June 2011 - 07:19 AM

.
DDS (Ver_11-05-19.01) - FAT32x86
Internet Explorer: 6.0.2900.2180
Run by kyle at 12:55:00 on 2011-06-01
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\winsys.exe
C:\Documents and Settings\kyle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\kyle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\kyle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\kyle\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
mLocal Page = c:\windows\system\blank.htm
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\dvcfqmby\iytrbpkp.exe
mRun: [AS00_Gear511] c:\program files\netgear\wg511scu\utility.\Gear511.exe -hide
mRun: [Windows Messanger Control Center] winsys.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso4.cab
DPF: Win32 Classes
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kyle\application data\mozilla\firefox\profiles\yaqh0afg.default\
FF - plugin: c:\documents and settings\kyle\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
.
============= SERVICES / DRIVERS ===============
.
S? AWINDIS5;AWINDIS5 Protocol Driver
S? NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service
S? SPI;Sony Programmable I/O Control Device
.
=============== Created Last 30 ================
.
2011-06-01 11:30:06 -------- d-----w- c:\documents and settings\kyle\application data\DriverCure
2011-06-01 11:30:05 -------- d-----w- c:\documents and settings\kyle\application data\ParetoLogic
2011-06-01 11:29:36 -------- d-----w- c:\documents and settings\all users\application data\ParetoLogic
2011-06-01 10:02:17 -------- d-sh--w- C:\Recycled
2011-06-01 09:49:06 145769 ----a-w- c:\windows\explorermgr.exe
2011-06-01 09:34:11 -------- d-sha-r- C:\cmdcons
2011-06-01 09:30:41 98816 ----a-w- c:\windows\sed.exe
2011-06-01 09:30:41 518144 ----a-w- c:\windows\SWREG.exe
2011-06-01 09:30:41 256512 ----a-w- c:\windows\PEV.exe
2011-06-01 09:30:41 208896 ----a-w- c:\windows\MBR.exe
2011-05-27 20:12:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-23 16:14:40 -------- d-----w- c:\windows\system32\NtmsData
2011-05-23 15:59:39 -------- d-----w- c:\documents and settings\all users\application data\phpDesigner
2011-05-23 15:58:08 -------- d-----w- c:\documents and settings\kyle\application data\phpDesigner
2011-05-23 15:58:03 -------- d-----w- c:\program files\phpDesigner
2011-05-23 14:39:40 -------- d-----w- c:\program files\dvcfqmby
2011-05-23 14:27:44 159744 --sh--r- c:\windows\winsys.exe
2011-05-23 14:21:18 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2011-05-22 22:18:17 -------- d-----w- c:\program files\WS_FTP
2011-05-22 22:17:52 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\ctor.dll
2011-05-22 22:17:52 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\DotNetInstaller.exe
2011-05-22 22:17:52 418140 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iscript.dll
2011-05-22 22:17:52 344482 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iuser.dll
2011-05-22 22:17:52 184852 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2011-05-22 22:17:51 876984 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iKernel.dll
2011-05-22 22:17:43 184452 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\iGdi.dll
2011-05-22 22:17:42 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\00\intel32\Setup.dll
2011-05-22 22:10:44 36864 ------w- c:\windows\system32\kill.dll
2011-05-22 22:10:34 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-05-22 22:10:25 393216 ----a-w- c:\windows\system32\WG511TFCS.exe
2011-05-22 22:10:25 221184 ----a-w- c:\windows\Unin511T.exe
2011-05-22 22:10:25 221184 ----a-w- c:\windows\Inst511T.exe
2011-05-22 22:10:25 17801 ----a-w- c:\windows\system32\AegisP.sys
2011-05-22 22:10:25 155745 ------w- c:\windows\system32\installservice.exe
2011-05-22 22:10:25 102400 ----a-w- c:\windows\system32\ASupplicant.dll
2011-05-22 22:10:24 488992 ----a-w- c:\windows\system32\drivers\wg511nd5.sys
2011-05-22 22:10:22 -------- d-----w- c:\program files\NETGEAR
2011-05-22 22:09:33 377362 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
2011-05-22 22:09:33 328124 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-05-22 22:09:33 229738 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-05-22 22:09:33 184720 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-05-22 22:09:32 614532 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2011-05-22 22:00:14 -------- d--h--w- c:\windows\$hf_mig$
2011-05-22 19:56:59 265984 ----a-w- c:\windows\system32\drivers\WG511v2XP.sys
2011-05-22 19:55:54 -------- d-----w- c:\windows\Downloaded Installations
2011-05-22 15:48:39 -------- d-----w- C:\wamp
2011-05-22 15:38:30 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-22 15:38:26 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-22 15:38:16 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-05-22 15:38:16 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2011-05-22 15:26:24 -------- d-----w- c:\documents and settings\kyle\local settings\application data\Temp
2011-05-22 15:26:19 -------- d-----w- c:\documents and settings\kyle\local settings\application data\Google
2011-05-22 15:24:29 -------- d-s---w- c:\documents and settings\kyle\UserData
2011-05-22 15:20:53 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-05-22 14:39:28 73728 ----a-w- c:\windows\system32\AW32n50.dll
2011-05-22 14:39:28 16194 ----a-w- c:\windows\system32\AWINDIS5.SYS
2011-05-22 14:29:15 15360 ----a-w- c:\windows\system32\dllcache\msgrocm.dll
2011-05-22 14:28:13 17408 ----a-w- c:\windows\system32\dllcache\ocmsn.dll
2011-05-22 14:27:35 51456 ----a-w- c:\windows\system32\dllcache\vga256.dll
2011-05-22 14:27:35 18176 ----a-w- c:\windows\system32\dllcache\vga64k.dll
2011-05-22 14:25:51 2897920 ----a-w- c:\windows\system32\dllcache\xpsp2res.dll
2011-05-22 14:25:32 16896 ----a-w- c:\windows\system32\dllcache\medctroc.dll
2011-05-22 14:25:30 33792 ----a-w- c:\windows\system32\dllcache\tabletoc.dll
2011-05-22 14:24:31 8261 ----a-w- c:\windows\system32\dllcache\zoneoc.dll
2011-05-22 14:24:17 174200 ----a-w- c:\windows\system32\dllcache\xenroll.dll
2011-05-22 14:24:03 18432 ----a-w- c:\windows\system32\dllcache\wtsapi32.dll
2011-05-22 14:24:00 22528 ----a-w- c:\windows\system32\dllcache\wsock32.dll
2011-05-22 14:22:58 118272 ----a-w- c:\windows\system32\dllcache\umpnpmgr.dll
2011-05-22 14:22:55 121856 ----a-w- c:\windows\system32\dllcache\tsoc.dll
2011-05-22 14:22:53 15360 ----a-w- c:\windows\system32\dllcache\tsd32.dll
2011-05-22 14:22:42 246272 ----a-w- c:\windows\system32\dllcache\tapisrv.dll
2011-05-22 14:22:42 181760 ----a-w- c:\windows\system32\dllcache\tapi32.dll
2011-05-22 14:22:40 984576 ----a-w- c:\windows\system32\dllcache\syssetup.dll
2011-05-22 14:22:37 713216 ----a-w- c:\windows\system32\dllcache\sxs.dll
2011-05-22 14:22:36 6144 ----a-w- c:\windows\system32\dllcache\svcpack.dll
2011-05-22 14:22:36 14336 ----a-w- c:\windows\system32\dllcache\svchost.exe
2011-05-22 14:22:33 67584 ----a-w- c:\windows\system32\dllcache\sti.dll
2011-05-22 14:22:00 50688 ----a-w- c:\windows\system32\dllcache\smss.exe
2011-05-22 14:20:59 69120 ----a-w- c:\windows\system32\dllcache\olethk32.dll
2011-05-22 14:19:59 57344 ----a-w- c:\windows\system32\dllcache\msasn1.dll
2011-05-22 14:18:51 278016 ----a-w- c:\windows\system32\dllcache\gdi32.dll
2011-05-22 14:18:50 132608 ----a-w- c:\windows\system32\dllcache\fxsocm.dll
2011-05-22 14:18:48 9344 ----a-w- c:\windows\system32\dllcache\framebuf.dll
2011-05-22 14:18:48 32828 ----a-w- c:\windows\system32\dllcache\fp40ext.dll
2011-05-22 14:18:41 55808 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2011-05-22 14:18:40 1082368 ----a-w- c:\windows\system32\dllcache\esent.dll
2011-05-22 14:17:17 148480 ----a-w- c:\windows\system32\dllcache\dnsapi.dll
2011-05-22 14:17:14 111104 ----a-w- c:\windows\system32\dllcache\dhcpcsvc.dll
2011-05-22 14:15:59 8704 ----a-w- c:\windows\system32\dllcache\snmptrap.exe
2011-05-22 14:14:59 23040 ----a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2011-05-22 14:13:52 40960 ----a-w- c:\windows\system32\dllcache\msiregmv.exe
2011-05-22 14:12:59 6144 ----a-w- c:\windows\system32\dllcache\kbdth3.dll
2011-05-22 14:11:59 59904 ----a-w- c:\windows\system32\dllcache\imkrinst.exe
2011-05-22 14:10:54 61440 ----a-w- c:\windows\system32\dllcache\httpod51.dll
2011-05-22 14:09:59 6144 ----a-w- c:\windows\system32\dllcache\ftpmib.dll
2011-05-22 14:08:58 24064 ----a-w- c:\windows\system32\dllcache\compfilt.dll
2011-05-22 14:06:48 45568 ----a-w- c:\windows\system32\dllcache\browscap.dll
2011-05-22 14:05:59 189440 ----a-w- c:\windows\system32\dllcache\smtpadm.dll
2011-05-22 13:59:46 -------- d-sh--w- c:\documents and settings\all users\DRM
2011-05-22 13:58:37 -------- d--h--w- c:\program files\WindowsUpdate
2011-05-22 13:56:59 46080 ----a-w- c:\windows\system32\dllcache\wab.exe
2011-05-22 13:55:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-22 13:55:40 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2011-05-22 13:55:34 -------- d-----w- c:\windows\system32\wbem\Performance
2011-05-22 13:53:51 44544 ----a-w- c:\windows\system32\hticons.dll
2011-05-22 13:50:46 54272 ----a-w- c:\windows\system32\drivers\swmidi.sys
2011-05-22 13:50:43 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2011-05-22 13:50:39 7552 ----a-w- c:\windows\system32\drivers\MSKSSRV.sys
2011-05-22 13:50:35 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2011-05-22 13:50:31 142464 ----a-w- c:\windows\system32\drivers\aec.sys
2011-05-22 13:50:28 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2011-05-22 13:50:26 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2011-05-22 13:50:23 4992 ----a-w- c:\windows\system32\drivers\MSPQM.sys
2011-05-22 13:50:20 171776 ----a-w- c:\windows\system32\drivers\kmixer.sys
2011-05-22 13:50:16 82944 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2011-05-22 13:50:13 6400 ----a-w- c:\windows\system32\drivers\splitter.sys
2011-05-22 13:50:07 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2011-05-22 13:49:34 10624 ----a-w- c:\windows\system32\drivers\gameenum.sys
2011-05-22 13:49:04 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-05-22 13:48:54 9344 ----a-w- c:\windows\system32\drivers\compbatt.sys
2011-05-22 13:48:52 14080 ----a-w- c:\windows\system32\drivers\battc.sys
2011-05-22 13:48:51 14080 ----a-w- c:\windows\system32\drivers\CmBatt.sys
2011-05-22 13:48:22 20752 ----a-w- c:\windows\system32\drivers\SonyNC.sys
2011-05-22 13:48:20 37040 ----a-w- c:\windows\system32\drivers\SonyPI.sys
2011-05-22 13:48:20 114688 ----a-w- c:\windows\system32\SonyPI.dll
2011-05-22 13:48:08 289664 ----a-w- c:\windows\system32\drivers\atimpab.sys
2011-05-22 13:48:07 382592 ----a-w- c:\windows\system32\atidrab.dll
2011-05-22 13:48:07 37376 ----a-w- c:\windows\system32\atievxx.exe
2011-05-22 13:44:55 -------- d-sh--w- c:\windows\Installer
2011-05-22 13:43:55 1086058 ----a-r- c:\windows\SET4.tmp
2011-05-22 13:43:51 1042903 ----a-r- c:\windows\SET3.tmp
2011-05-22 13:43:40 -------- d-----w- c:\windows\system32\CatRoot2
2011-05-22 13:43:40 -------- d-----w- c:\windows\system32\CatRoot
2011-05-22 13:43:08 -------- d-----w- C:\Documents and Settings
2011-05-22 13:32:06 -------- d-----w- C:\undo
2011-05-22 13:28:59 102400 ----a-w- c:\windows\system32\wmpshell.dll
2011-05-22 13:27:42 40448 ----a-w- c:\windows\system32\osuninst.exe
2011-05-22 13:26:55 15360 ----a-w- c:\windows\system32\pentnt.exe
2011-05-22 13:25:59 446464 ----a-w- c:\windows\system32\dllcache\obrb0C0A.dll
2011-05-22 13:24:20 50176 ----a-w- c:\windows\system32\xmlprovi.dll
2011-05-22 13:23:59 98304 ----a-w- c:\windows\system32\wshom.ocx
2011-05-22 13:22:59 67584 ----a-w- c:\windows\system32\osuninst.dll
2011-05-22 13:21:59 14592 ----a-w- c:\windows\system32\drivers\smclib.sys
2011-05-22 13:20:59 83456 ----a-w- c:\windows\system32\olepro32.dll
2011-05-22 13:19:59 86016 ----a-w- c:\windows\system32\msapsspc.dll
2011-05-22 13:18:58 87552 ----a-w- c:\windows\system32\dllcache\hhctrlui.dll
2011-05-22 13:17:18 83456 ----a-w- c:\windows\system32\dpvsetup.exe
2011-05-22 13:16:59 8192 ----a-w- c:\windows\system32\dllcache\d3d8thk.dll
2011-05-22 13:15:36 -------- d-----w- c:\windows\MDMUPGLG
2011-05-22 13:06:03 -------- d-----w- c:\windows\ESLogs
2011-05-22 13:04:16 -------- d-----w- c:\windows\system\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
2011-05-22 13:04:16 -------- d-----w- c:\windows\system\CatRoot
2011-05-22 13:03:58 -------- d-----w- c:\program files\DirectX
2011-05-22 13:02:57 -------- d-s---w- c:\windows\Downloaded Program Files
2011-05-22 13:02:55 -------- d-----r- c:\windows\Offline Web Pages
2011-05-22 13:01:51 -------- d-----w- c:\windows\All Users
2011-05-22 13:01:07 28672 ----a-w- c:\windows\system32\RAPILIB.DLL
2011-05-22 12:55:22 -------- d--h--w- c:\windows\spool
2011-05-22 12:55:14 -------- d--h--w- c:\windows\SYSBCKUP
2011-05-22 12:55:09 -------- d--h--w- c:\windows\APPLOG
.
==================== Find3M ====================
.
2011-05-22 14:03:54 152576 ----a-w- c:\windows\system32\migicons.exe
2011-05-22 13:05:20 81920 --sh--w- C:\VIDEOROM.BIN
2011-05-22 12:48:36 2490 ----a-w- c:\windows\system\DLCNDI.DLL
2008-06-06 11:17:46 159744 --sh--r- c:\windows\winsys.exe
.
============= FINISH: 12:57:32.16 ===============



#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:01:22 AM

Posted 02 June 2011 - 04:17 PM

Hi!

I have a feeling you are infected with a polymorphic infection, and if my suspicions are correct, the only way of fixing it is to reformat and re-install your computer.

We will upload a file to VirusTotal to confirm.

VirusTotal File Scan
Please go to: VirusTotal
  • Click the Browse button and search for the following file: c:\program files\dvcfqmby\iytrbpkp.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please post the results in your next reply

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
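The file that the reply above sends to VirusTotal is the program appended to the Winlogon Userinit value in the DDS log (c:\program files\dvcfqmby\iytrbpkp.exe). Windows starts every program listed in that comma-separated value at logon, and a clean Windows XP system lists only system32\userinit.exe, so anything extra is a persistence entry worth checking. The script below is an added example, not code from this thread, from the DDS tool or from BleepingComputer: it parses DDS-style "Pseudo HJT Report" lines (the sample input is constructed from the lines in the log above) and flags extra Userinit programs plus Run-key entries that start a bare file name instead of a full path, which is how the winsys.exe entry in this log is launched.

```python
"""Flag Userinit and Run-key persistence in DDS-style 'Pseudo HJT Report' lines.

Added example; not part of the thread, the DDS tool or BleepingComputer.
The Winlogon Userinit value is a comma-separated list of programs that
winlogon.exe launches at logon. On a clean Windows XP system it contains
only the system32 userinit.exe, so every other entry is a persistence hook.
"""
import re

# Constructed sample, copied from the shape of the report lines in the log above.
SAMPLE_REPORT = """\
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,,c:\\program files\\dvcfqmby\\iytrbpkp.exe
mRun: [AS00_Gear511] c:\\program files\\netgear\\wg511scu\\utility.\\Gear511.exe -hide
mRun: [Windows Messanger Control Center] winsys.exe
"""

# DDS prefixes: mWinlogon = machine Winlogon key, mRun/uRun = machine/user Run keys.
USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^[mu]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.IGNORECASE)


def parse_userinit(value):
    """Split the Userinit value into its program entries, dropping empty fields
    (the default value carries a trailing comma, so empties are normal)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def userinit_extras(report):
    """Return every Userinit entry that is not the expected system32\\userinit.exe."""
    extras = []
    for line in report.splitlines():
        m = USERINIT_RE.match(line.strip())
        if not m:
            continue
        for entry in parse_userinit(m.group(1)):
            exe = entry.lower().replace("/", "\\")
            if not exe.endswith("\\system32\\userinit.exe"):
                extras.append(entry)
    return extras


def bare_run_entries(report):
    """Return (name, exe) for Run-key entries whose command has no directory part.

    A bare file name is resolved through the executable search path at logon,
    which includes the Windows directory, so a file dropped into %WINDIR%
    (like winsys.exe in this log) starts without any path in the registry.
    The first whitespace-delimited token is treated as the executable, which
    is a heuristic for unquoted paths containing spaces.
    """
    hits = []
    for line in report.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip().strip('"')
        exe = cmd.split()[0] if cmd else ""
        if exe and "\\" not in exe and "/" not in exe:
            hits.append((m.group("name"), exe))
    return hits


if __name__ == "__main__":
    for entry in userinit_extras(SAMPLE_REPORT):
        print("Userinit extra entry:", entry)
    for name, exe in bare_run_entries(SAMPLE_REPORT):
        print(f"Run entry [{name}] starts a bare file name: {exe}")
```

Run against a saved DDS log, the two checks surface exactly the two entries that the helper in this thread focuses on; the Userinit check is the stronger signal, since legitimate software almost never adds itself there.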


#3 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:01:22 AM

Posted 04 June 2011 - 12:05 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
