
Started with svcHost.exe now Win32:Malware-gen infected


5 replies to this topic

#1 bigbronco

bigbronco

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 14 March 2013 - 03:32 PM

Hello first post ever here.

 

Win 7 with Internet Explorer

 

Norton IS started showing high disk usage by: Winrscmde svchost.exe. I also was getting high CPU usage. The fan would even kick on high. I ran RKILL, TDSSKILLER, aswMBR, and then MalwareBytes. I tried to run ESET Online Scanner but when I check agree and click start it opens another small window and just hangs there.

The computer now does not give the high disk or CPU warning, but when I restart it hangs at my desktop screen with the thinking circle spinning over my Wi-Fi connection. I have to hard reboot into safe mode, then the internet works. I reboot and it boots fine. But when I try to watch a video it says I need Adobe Flash to play, but I have it. Also when I reboot I have to do the whole safe mode thing again. When it does restart it takes about 6 or 7 minutes to fully start. I disabled all unnecessary startup software. It is running very slow.

 

So I ran TDSSKILLER, aswMBR and MalwareBytes again. I have no idea what to do.

 



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:59 PM

Posted 14 March 2013 - 04:25 PM

  • Please download TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.


    tds2.jpg

  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example).
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.


    2012081514h0118.png

  • Click Start Scan and allow the scan process to run.
  • If threats are detected, select Skip for all of them unless I instruct you otherwise.
  • Click Continue.


    tds6.jpg

  • Click Reboot computer.
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically C:\), in your reply.


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please temporarily disable the real-time protection of any Antivirus, Antispyware or Antimalware programs. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs, see here.
  • Double-click the aswMBR.exe file to run it. Please allow it when you are asked to download the AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.


    aswMBR1.png
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.


    aswMBR2.png
  • Please post the contents of the log in your next reply.

NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

    esetsmartinstaller_enu.png

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient, as this can take some time.
  • When the scan completes, click List Threats.
  • Copy and paste the information in your next reply. Note: if no malware was found, you will not get a log.
  • Click the Back button.
  • Click the Finish button.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log
  • aswMBR log
  • ESET results


 



#3 bigbronco

bigbronco
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 14 March 2013 - 05:50 PM

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-03-14 13:39:57
-----------------------------
13:39:57.850    OS Version: Windows x64 6.1.7601 Service Pack 1
13:39:57.850    Number of processors: 4 586 0x503
13:39:57.850    ComputerName: SEABRIDL-HP  UserName: Seabridl
13:39:59.425    Initialize success
13:41:17.925    AVAST engine defs: 13031401
13:41:40.088    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006b
13:41:40.104    Disk 0 Vendor: Hitachi_ JE3O Size: 476940MB BusType: 11
13:41:40.119    Disk 0 MBR read successfully
13:41:40.119    Disk 0 MBR scan
13:41:40.135    Disk 0 Windows 7 default MBR code
13:41:40.135    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
13:41:40.150    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       462797 MB offset 409600
13:41:40.182    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        13839 MB offset 948217856
13:41:40.213    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0      103 MB offset 976560128
13:41:40.260    Disk 0 scanning C:\Windows\system32\drivers
13:41:52.225    Service scanning
13:42:28.745    Modules scanning
13:42:28.760    Disk 0 trace - called modules:
13:42:28.823    ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
13:42:28.838    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004414060]
13:42:28.854    3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> [0xfffffa80042ebac0]
13:42:28.869    5 amd_xata.sys[fffff88001160900] -> nt!IofCallDriver -> \Device\0000006b[0xfffffa80042e6930]
13:42:30.570    AVAST engine scan C:\Windows
13:42:33.908    AVAST engine scan C:\Windows\system32
13:46:58.656    AVAST engine scan C:\Windows\system32\drivers
13:47:32.680    AVAST engine scan C:\Users\Seabridl
13:50:07.916    AVAST engine scan C:\ProgramData
13:51:17.929    File: C:\ProgramData\Microsoft\Windows\DRM\A42A.tmp  **INFECTED** Win32:Malware-gen
13:51:18.007    File: C:\ProgramData\Microsoft\Windows\DRM\A42B.tmp  **INFECTED** Win32:Malware-gen
13:51:18.116    File: C:\ProgramData\Microsoft\Windows\DRM\F410.tmp  **INFECTED** Win32:Malware-gen
13:51:18.163    File: C:\ProgramData\Microsoft\Windows\DRM\F421.tmp  **INFECTED** Win32:Malware-gen
13:52:09.362    Scan finished successfully
13:54:03.564    Disk 0 MBR has been saved successfully to "C:\Users\Seabridl\Documents\MBR.dat"
13:54:03.579    The log file has been saved successfully to "C:\Users\Seabridl\Documents\aswMBR.txt"

 

 

 

13:34:23.0753 4676  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
13:34:24.0346 4676  ============================================================
13:34:24.0346 4676  Current date / time: 2013/03/14 13:34:24.0346
13:34:24.0346 4676  SystemInfo:
13:34:24.0346 4676 
13:34:24.0346 4676  OS Version: 6.1.7601 ServicePack: 1.0
13:34:24.0346 4676  Product type: Workstation
13:34:24.0346 4676  ComputerName: SEABRIDL-HP
13:34:24.0346 4676  UserName: Seabridl
13:34:24.0346 4676  Windows directory: C:\Windows
13:34:24.0346 4676  System windows directory: C:\Windows
13:34:24.0346 4676  Running under WOW64
13:34:24.0346 4676  Processor architecture: Intel x64
13:34:24.0346 4676  Number of processors: 4
13:34:24.0346 4676  Page size: 0x1000
13:34:24.0346 4676  Boot type: Normal boot
13:34:24.0346 4676  ============================================================
13:34:25.0064 4676  BG loaded
13:34:25.0610 4676  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
13:34:25.0625 4676  ============================================================
13:34:25.0625 4676  \Device\Harddisk0\DR0:
13:34:25.0625 4676  MBR partitions:
13:34:25.0625 4676  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x63800
13:34:25.0625 4676  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x64000, BlocksNum 0x387E6800
13:34:25.0625 4676  \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x3884A800, BlocksNum 0x1B07800
13:34:25.0625 4676  \Device\Harddisk0\DR0\Partition4: MBR, Type 0xC, StartLBA 0x3A352000, BlocksNum 0x33830
13:34:25.0625 4676  ============================================================
13:34:25.0641 4676  C: <-> \Device\Harddisk0\DR0\Partition2
13:34:25.0766 4676  D: <-> \Device\Harddisk0\DR0\Partition3
13:34:25.0766 4676  ============================================================
13:34:25.0766 4676  Initialize success
13:34:25.0766 4676  ============================================================
13:36:44.0856 1428  ============================================================
13:36:44.0856 1428  Scan started
13:36:44.0856 1428  Mode: Manual;
13:36:44.0856 1428  ============================================================
13:36:46.0416 1428  ================ Scan system memory ========================
13:36:46.0416 1428  System memory - ok
13:36:46.0416 1428  ================ Scan services =============================
13:36:46.0821 1428  [ A87D604AEA360176311474C87A63BB88 ] 1394ohci        C:\Windows\system32\drivers\1394ohci.sys
13:36:46.0868 1428  1394ohci - ok
 

13:37:20.0392 1428  Scan finished
13:37:20.0392 1428  ============================================================
13:37:20.0408 4304  Detected object count: 0
13:37:20.0408 4304  Actual detected object count: 0
13:38:11.0795 3388  Deinitialize success
 

 

I could not get ESET to run.
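The two logs above have a fixed line layout, which makes them easy to triage by script rather than by eye. The following is an added example, not code from this thread or from the aswMBR or TDSSKiller authors: it parses the partition table, MBR status and **INFECTED** hits out of aswMBR output, and the module list and detected-object counts out of TDSSKiller output, then groups the hits by folder. The sample input is copied from the logs posted above; the regular expressions are an assumption written against those visible lines, not against any documented log format.

```python
import re
import ntpath
from collections import Counter

# Constructed sample input: lines copied from the aswMBR log posted in this thread.
ASWMBR_LOG = r"""13:41:40.135    Disk 0 Windows 7 default MBR code
13:41:40.135    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
13:41:40.150    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       462797 MB offset 409600
13:41:40.182    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        13839 MB offset 948217856
13:41:40.213    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0      103 MB offset 976560128
13:51:17.929    File: C:\ProgramData\Microsoft\Windows\DRM\A42A.tmp  **INFECTED** Win32:Malware-gen
13:51:18.007    File: C:\ProgramData\Microsoft\Windows\DRM\A42B.tmp  **INFECTED** Win32:Malware-gen
13:51:18.116    File: C:\ProgramData\Microsoft\Windows\DRM\F410.tmp  **INFECTED** Win32:Malware-gen
13:51:18.163    File: C:\ProgramData\Microsoft\Windows\DRM\F421.tmp  **INFECTED** Win32:Malware-gen
13:52:09.362    Scan finished successfully
"""

# Constructed sample input: lines copied from the TDSSKiller log posted in this thread.
TDSS_LOG = r"""13:36:46.0821 1428  [ A87D604AEA360176311474C87A63BB88 ] 1394ohci        C:\Windows\system32\drivers\1394ohci.sys
13:36:46.0868 1428  1394ohci - ok
13:37:20.0392 1428  Scan finished
13:37:20.0408 4304  Detected object count: 0
13:37:20.0408 4304  Actual detected object count: 0
"""

# Assumed line formats, derived from the lines above rather than from a published spec.
INFECTED_RE = re.compile(r"File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<detection>\S+)")
PARTITION_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<index>\d+) (?P<boot>[0-9A-Fa-f]{2})(?: \(A\))?\s+"
    r"(?P<type>[0-9A-Fa-f]{2})\s+(?P<fs>.+?)\s+(?P<size_mb>\d+) MB offset (?P<offset>\d+)")
MBR_RE = re.compile(r"Disk (?P<disk>\d+) (?P<status>.+MBR code)$")
MODULE_RE = re.compile(r"\[\s*(?P<md5>[0-9A-Fa-f]{32})\s*\]\s+(?P<name>\S+)\s+(?P<path>\S.*?)\s*$")
COUNT_RE = re.compile(r"(?P<kind>Actual detected|Detected) object count:\s+(?P<count>\d+)")


def parse_aswmbr(text):
    """Extract MBR status, partition table rows and INFECTED file hits from aswMBR output."""
    result = {"mbr_status": None, "partitions": [], "infected": []}
    for line in text.splitlines():
        if m := MBR_RE.search(line):
            result["mbr_status"] = m["status"]
        elif m := PARTITION_RE.search(line):
            result["partitions"].append({
                "index": int(m["index"]),
                "active": m["boot"].upper() == "80",  # 0x80 is the bootable flag in an MBR entry
                "type": m["type"].upper(),
                "fs": m["fs"],
                "size_mb": int(m["size_mb"]),
                "offset": int(m["offset"]),
            })
        elif m := INFECTED_RE.search(line):
            result["infected"].append({"path": m["path"], "detection": m["detection"]})
    return result


def parse_tdsskiller(text):
    """Extract the scanned module list (name, MD5, path) and the detection counts."""
    result = {"modules": [], "detected": None, "actual_detected": None}
    for line in text.splitlines():
        if m := MODULE_RE.search(line):
            result["modules"].append({"name": m["name"], "md5": m["md5"].upper(), "path": m["path"]})
        elif m := COUNT_RE.search(line):
            key = "actual_detected" if m["kind"].startswith("Actual") else "detected"
            result[key] = int(m["count"])
    return result


def detections_by_directory(infected):
    """Group INFECTED hits by parent folder; ntpath splits Windows paths on any host OS."""
    return Counter(ntpath.dirname(hit["path"]) for hit in infected)


def triage(asw, tds):
    """Produce a short list of human-readable notes from both parsed logs."""
    notes = [f"MBR: {asw['mbr_status'] or 'status not reported'}"]
    for p in asw["partitions"]:
        if p["active"]:
            notes.append(f"Active partition: #{p['index']} ({p['fs']}, {p['size_mb']} MB)")
    for folder, count in sorted(detections_by_directory(asw["infected"]).items()):
        names = sorted({h["detection"] for h in asw["infected"] if ntpath.dirname(h["path"]) == folder})
        notes.append(f"{count} file(s) flagged in {folder}: {', '.join(names)}")
    notes.append(f"TDSSKiller: {len(tds['modules'])} module(s) listed, {tds['detected']} detected")
    return notes


if __name__ == "__main__":
    for note in triage(parse_aswmbr(ASWMBR_LOG), parse_tdsskiller(TDSS_LOG)):
        print(note)
```

Run against the full logs, the grouping step is the useful part: four hits in one folder with the same generic detection name is a different picture from four hits scattered across system directories, and the MBR status line and active-partition flag are what the helper is checking for when asking for these two logs in particular.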



#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:59 PM

Posted 14 March 2013 - 06:11 PM

I could not get ESET to run.

 

Explain



#5 bigbronco

bigbronco
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 14 March 2013 - 08:55 PM

I tried to run ESET Online Scanner but when I check agree and click start it opens another small window and just hangs there.



#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:09:59 PM

Posted 14 March 2013 - 09:30 PM

Can you please try to run it in Safe Mode with Networking?





