
WinXP Rootkit with Win32 Services access request & Google redirect


3 replies to this topic

#1 XPuser

XPuser

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:05 AM

Posted 06 July 2012 - 10:30 PM

Hello,

My XP-Pro laptop seems to have picked up a rootkit infection. It started when I booted from a cold start and the Zone Alarm firewall produced a message saying that the "Generic Host Process for Win32 Services is trying to access the Internet". The associated application is svchost.exe. I recognized this as a possible infection, so I denied access. Then I discovered that I could not gain internet access with the IE-8 browser. I investigated the running processes on the system using the Process Explorer application. There were several svchost processes listed. One of them didn't look familiar, so I killed it along with its process tree. I got a couple more requests for Win32 services access to the internet, which I again denied. IE-8 was now able to connect to the internet and the Google homepage. It seems to be a successful workaround for the problem until I can remove the infection. However, I've also discovered that I have a Google search redirect which sometimes takes the browser to random URLs. So far I'm not getting any fake virus scanners, popups or BSODs, probably because I keep denying access to the Win32 services svchost request. I've tried several antivirus applications, including AVG, Malwarebytes, Superantispyware and TDSSkiller, but none of them have been able to identify any malware on the system. I also tried the scans in safe mode with no results. I suspect that a hidden partition may have been created on the HD. The infection also deleted all the restore points on the system, so I can't use that method to recover to an earlier date. I continue to use Process Explorer to kill the same svchost process each time I reboot the computer in order to access the internet. This is the first infection I've had that doesn't respond to the usual methods of detection and cleaning. I don't want to try any more utilities until I know more about what's going on. I would appreciate some advice on this.

Thanks
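The triage the poster did by hand in Process Explorer (spotting the svchost.exe instance that "didn't look familiar") comes down to a few checks that can be written out. The script below is an added example, not code from this thread or from any of the tools mentioned in it: it walks a constructed process snapshot (all PIDs, paths and the one "suspicious" entry are made up for the example) and flags any svchost.exe that is not a child of services.exe, does not run from %SystemRoot%\system32, or lacks the "-k <group>" argument that the Service Control Manager passes to every legitimate instance on XP. Matching all three is no proof a process is clean, but failing any of them is a strong reason to look closer before killing it.

```python
"""Flag svchost.exe instances that do not look like SCM-started service hosts.

Added example (not from the forum thread). On Windows XP every legitimate
svchost.exe is started by services.exe, lives in %SystemRoot%\\system32 and is
launched with "-k <service group>". The snapshot below is constructed to
resemble a Process Explorer listing; the entry with pid 2312 is a hypothetical
suspicious process invented for the example.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed system root for the example machine.
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str      # full image path as Process Explorer shows it
    cmdline: str   # command line the process was started with


# Constructed snapshot; PIDs and paths are illustrative only.
SNAPSHOT: List[Proc] = [
    Proc(4, 0, "System", "", ""),
    Proc(560, 4, "smss.exe", r"C:\WINDOWS\system32\smss.exe", r"\SystemRoot\System32\smss.exe"),
    Proc(680, 560, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe", "winlogon.exe"),
    Proc(724, 680, "services.exe", r"C:\WINDOWS\system32\services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(896, 724, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\svchost.exe -k rpcss"),
    Proc(1040, 724, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\System32\svchost.exe -k netsvcs"),
    Proc(1500, 680, "explorer.exe", r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    # Hypothetical suspicious instance: started by explorer.exe rather than
    # services.exe, running from a user-writable temp folder, no "-k" group.
    Proc(2312, 1500, "svchost.exe",
         r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
         r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"),
]


def find_suspicious_svchost(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every svchost.exe failing at least one check."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Tuple[int, List[str]]] = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons: List[str] = []

        # Check 1: the parent must be services.exe (the Service Control Manager).
        parent = by_pid.get(p.ppid)
        parent_name = parent.name if parent else "unknown"
        if parent is None or parent.name.lower() != "services.exe":
            reasons.append(f"parent is {parent_name} (expected services.exe)")

        # Check 2: the image must live in %SystemRoot%\system32.
        # ntpath handles backslash paths even when this runs on a non-Windows host.
        if ntpath.dirname(p.path).lower() != SYSTEM32:
            reasons.append(f"image path outside system32: {p.path}")

        # Check 3: SCM always passes "-k <group>"; a bare svchost.exe is abnormal.
        if " -k " not in p.cmdline.lower():
            reasons.append("no -k service group on command line")

        if reasons:
            findings.append((p.pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspicious_svchost(SNAPSHOT):
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

The same checks apply to other well-known service images (the parent relationship is the hardest one for malware to fake without also tampering with services.exe), and on a live system the snapshot would come from a tool such as Process Explorer or `tasklist /svc`; the script deliberately reads a fixed list so it can be run and checked offline.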

#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:02:05 AM

Posted 06 July 2012 - 10:39 PM

Download

TDSSkiller

Launch it. Click on change parameters - Select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)



Download

aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes, click on Save log

Post the log results here

Download

ESET online scanner


Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

#3 XPuser

XPuser
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:05 AM

Posted 11 July 2012 - 02:06 AM

Everything was going all right until I downloaded ESET and ran it. The program tried to remove the threats it found instead of just reporting them. I rebooted and got a Windows pop-up message saying there was a memory error with the application svchost.exe. When I clicked on the OK button, the message kept coming back. There was nothing I could do to keep it from popping up, even in safe mode. I finally had to give up and reinstall Win-XP. I didn't know that ESET was going to try to remove the threats after the scan. I didn't see any option for just a scan report. I had copies of all my files on an external hard drive, so I was able to reinstall them after the XP installation. The computer is working normally again, but I would like to be able to clean the malware without reinstalling XP. I'm going to make a bootable CD for XP so I can work with a command line if this kind of problem happens again. I might have been able to restore a good copy of the svchost file that way. Thanks for trying to help.


#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:02:05 AM

Posted 11 July 2012 - 08:24 AM

Thanks for letting us know :thumbup2:
