
syshost.exe trojan infection


This topic is locked
3 replies to this topic

#1 BrokenSword47
Posted 27 March 2013 - 03:27 PM

Hey guys, I'm not really sure of what to say. If you have anything specific to ask me, then go ahead. I didn't have a firewall, so I downloaded the Comodo one, but it doesn't start. It told me I can save a report, so I did. Hopefully it will help you, so I'm going to upload it as well.


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.9.2
Run by Paul at 22:16:21 on 2013-03-27
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3519.2214 [GMT 2:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Multimedia Keyboard Driver\M-KbdDrv.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
C:\Program Files\COMODO\COMODO Internet Security\cis.exe
C:\Program Files\COMODO\COMODO Internet Security\cis.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Webteh\BSPlayer\bsplayer.exe
C:\Program Files\Opera\opera.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - d:\programe\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [MutlimediaKbdDriver] c:\program files\multimedia keyboard driver\M-KbdDrv.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [COMODO Internet Security] c:\program files\comodo\comodo internet security\cistray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{6CB6DBB0-49B1-4563-AC15-5CA29C247895} : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R1 AsrAppCharger;AsrAppCharger;c:\windows\system32\drivers\AsrAppCharger.sys [2012-12-7 13832]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-12-9 242240]
R1 xlkfs;xlkfs;c:\windows\system32\drivers\xlkfs.sys [2012-5-5 18432]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-7-4 217088]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-12-14 1436160]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-3-27 398184]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-2-23 86544]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2012-12-7 68208]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2012-12-20 27136]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2012-12-7 1108480]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2013-1-16 20072]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2013-1-16 576768]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2013-1-16 43728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-3-27 682344]
S2 mnoqrfxapykx;mnoqrfxapykx;"c:\users\paul\appdata\local\temp\dat41.tmp.exe" --service --> c:\users\paul\appdata\local\temp\DAT41.tmp.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\comodo\comodo internet security\cmdvirth.exe [2013-1-24 127184]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2012-12-31 14920]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2012-12-31 9160]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-3-27 21104]
S3 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2012-12-20 745368]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-12-8 1343400]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\razer\razer game booster\driver\WinRing0.sys [2012-11-13 14416]
.
=============== Created Last 30 ================
.
2013-03-27 19:57:56 -------- d-s---w- c:\programdata\Shared Space
2013-03-27 19:56:38 -------- d-----w- c:\program files\COMODO
2013-03-27 19:56:33 -------- d-----w- c:\programdata\Comodo
2013-03-27 19:56:31 -------- d-----w- c:\programdata\Comodo Downloader
2013-03-27 19:41:12 -------- d-----w- c:\users\paul\appdata\roaming\Malwarebytes
2013-03-27 19:39:40 -------- d-----w- c:\programdata\Malwarebytes
2013-03-27 19:39:39 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-27 19:39:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-03-26 18:20:32 -------- d-----w- c:\users\paul\appdata\local\Mozilla
2013-03-26 18:19:54 -------- d-----w- c:\program files\Tor Browser
2013-03-25 23:14:52 -------- d-----w- c:\program files\Winamp Detect
2013-03-25 23:14:46 -------- d-----w- c:\program files\common files\PX Storage Engine
2013-03-23 12:38:52 -------- d-----w- c:\program files\OpenOffice.org 3
2013-03-23 12:37:34 -------- d-----w- c:\program files\OpenOffice
2013-03-11 22:27:59 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2013-03-11 19:26:00 805400 ----a-r- c:\windows\system32\tmpC79C.tmp
2013-03-11 19:25:09 805400 ----a-r- c:\windows\system32\tmpC73E.tmp
2013-03-10 20:16:15 -------- d-----w- c:\users\paul\appdata\roaming\Disney Interactive Studios
2013-03-09 23:28:02 -------- d-----w- c:\users\paul\appdata\local\NBGI
2013-03-09 22:36:21 -------- d-sh--w- c:\programdata\DSS
2013-03-09 22:36:20 -------- d-----w- c:\programdata\Codemasters
2013-03-09 22:32:57 19087360 ----a-w- c:\windows\system32\mkl_blueripple.dll
2013-03-09 22:32:56 1417216 ----a-w- c:\windows\system32\rapture3d_oal.dll
2013-03-09 22:32:55 -------- d-----w- c:\program files\BRS
2013-03-09 22:32:54 809496 ----a-r- c:\windows\system32\tmpB579.tmp
2013-03-09 22:32:54 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2013-03-09 22:32:54 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2013-03-09 22:32:54 -------- d-----w- c:\program files\OpenAL
2013-03-08 19:19:24 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2013-03-08 19:17:57 -------- d-----w- c:\program files\iPod
2013-03-08 19:17:56 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-03-08 19:17:56 -------- d-----w- c:\program files\iTunes
2013-03-08 19:16:43 -------- d-----w- c:\program files\Bonjour
2013-03-07 00:04:16 -------- d-----w- c:\users\paul\appdata\local\Sniper Elite Nazi Zombie Army
2013-03-06 21:07:34 -------- d-----w- c:\users\paul\appdata\local\EA Games
2013-03-06 21:07:13 -------- d-----w- c:\programdata\Origin
2013-03-06 20:52:48 -------- d--h--w- c:\program files\common files\EAInstaller
2013-03-01 21:49:54 -------- d-----w- c:\users\paul\appdata\local\LogMeIn Hamachi
2013-03-01 21:49:18 -------- d-----w- c:\program files\LogMeIn Hamachi
.
==================== Find3M ====================
.
2013-03-12 20:58:20 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-12 20:58:20 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-05 13:30:14 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2013-01-24 20:43:02 35488 ----a-w- c:\windows\system32\cmdcsr.dll
2013-01-24 20:43:02 354752 ----a-w- c:\windows\system32\guard32.dll
2013-01-24 20:42:50 40656 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-01-24 20:42:50 263888 ----a-w- c:\windows\system32\cmdvrt32.dll
2013-01-24 18:15:02 114203 ----a-w- c:\windows\system32\drivers\qstr.sys
2013-01-16 17:51:44 43728 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-01-16 17:51:42 576768 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2013-01-16 17:51:42 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-01-08 13:26:36 23552 ----a-w- c:\windows\xlkfs.dll
2012-12-29 18:34:13 140360 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2012-12-29 18:34:04 283032 ----a-w- c:\windows\system32\PnkBstrB.xtr
2012-12-29 18:34:04 283032 ----a-w- c:\windows\system32\PnkBstrB.exe
2012-12-29 18:23:11 283032 ----a-w- c:\windows\system32\PnkBstrB.ex0
2012-12-29 17:21:24 138056 ----a-w- c:\users\paul\appdata\roaming\PnkBstrK.sys
2012-12-29 17:07:34 3130440 ----a-w- c:\windows\system32\pbsvc_blr.exe
.
============= FINISH: 22:17:03.14 ===============

Thanks a lot! Hopefully you'll be able to work your magic.

Edit: I forgot to add that I used Glary Utilities to block the syshost.exe process and the problem wasn't happening anymore, even though I still can't delete the trojans. That's when I posted the info. At first I tried playing a YouTube video and it just stopped, showing a static picture as if autoplay was disabled. Then I found out that after about 10-15 seconds of seeing a webpage I wasn't able to click anything on it, only refresh. I checked Task Manager and found the syshost.exe process running.

Attached File  attach.txt   8.7KB   1 downloads

Attached File  CisReport_v6.0.264710.2708_20130327-220713.zip   12.82KB   0 downloads


Edited by BrokenSword47, 27 March 2013 - 04:47 PM.


#2 CStew23
Posted 27 March 2013 - 06:05 PM

Hello and Welcome to BleepingComputer Forums!

My name is Chris and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only! If you are not the original poster of this thread DO NOT run the fixes provided here.
  • Please do not run any tools until requested by myself or another member of Staff! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • If you stay with me, follow my instructions and ask questions when confused you'll be back up and running in no time.

With that out of the way, is the only issue at this point the fact that Comodo will not start? Do you get any error related to Comodo when you attempt to start it?

Please don't send help requests via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#3 CStew23

Posted 30 March 2013 - 04:02 PM

Bump. Are you still with us? Since it has been 2 days without a reply, I assume the issue is resolved.


#4 etavares (Malware Response Team)

Posted 03 April 2013 - 05:50 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.
