Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

svchost.exe hijack/virus


  • This topic is locked This topic is locked
8 replies to this topic

#1 maureen456

maureen456

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 02 January 2014 - 11:10 PM

Hello and Happy New Years!

 

I believe that my cpu is infectecd with a virus or trojan. In my task manager I have multiple svchost.exe running with a 100% cpu usage and one of them has massive memory usage over 200,000k which I have never seen before.

 

My cpu is also running extremely slow. I tried to remove malicous items using malwarebytes anti-malware in safe mode but during the end of the process my cpu flashed a "Warning shut down message" along the lines of NT authority system.... Dcom server process......launcher service....

 

I am sorry I tried to write it down but that's all I could remember.

 

If you could be so kind as to assit me, I would appreciate it greatly. I read your stickys to await for instructions and allow you to direct the process, so that is what I shall do.

 

Thank you so much.



BC AdBot (Login to Remove)

 


#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:25 PM

Posted 03 January 2014 - 11:23 AM

Hi,

 

Download Malwarebytes Anti-Rootkit from HERE to your Desktop.

  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 maureen456

maureen456
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 03 January 2014 - 10:16 PM

Hello xXToffeeXx,

 

Thank you so much for addressing my request and coming to my aid and offering assistance, I really appreciate you, your skills, knowledge, time, and effort.

 

Here is the mbar text log:

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2014.01.03.01

Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Compaq_Owner :: COMPAQ-PC [administrator]

1/2/2014 11:59:48 PM
mbar-log-2014-01-02 (23-59-48).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 263542
Time elapsed: 45 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

Here is the system log:

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.999000 GHz
Memory total: 737656832, free: 546959360

Downloaded database version: v2014.01.03.01
Downloaded database version: v2013.12.18.01
=======================================
Initializing...
------------ Kernel report ------------
     01/02/2014 23:59:20
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
\WINDOWS\System32\drivers\FLTMGR.SYS
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
sshrmd.sys
ssfs0bbc.sys
ssidrv.sys
\WINDOWS\system32\DRIVERS\NDIS.SYS
\WINDOWS\system32\DRIVERS\TDI.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
viaide.sys
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
fasttx2k.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
KSecDD.sys
Ntfs.sys
uagp35.sys
Mup.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\fetnd5bv.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\HssDrv.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\taphss.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR6
Upper Device Object: 0xffffffff82927030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000078\
Lower Device Object: 0xffffffff8298f030
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR5
Upper Device Object: 0xffffffff82928ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000077\
Lower Device Object: 0xffffffff8292f758
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR4
Upper Device Object: 0xffffffff82923520
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000076\
Lower Device Object: 0xffffffff82928578
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR3
Upper Device Object: 0xffffffff8292eab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000075\
Lower Device Object: 0xffffffff82923a98
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff82b7bab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-12\
Lower Device Object: 0xffffffff82b41d98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff82b7bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff82b10aa0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82b7bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff82b139e8, DeviceName: \Device\00000069\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff82b41d98, DeviceName: \Device\Ide\IdeDeviceP2T0L0-12\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1549F232

Partition information:

    Partition 0 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 55  Numsec = 0

    Partition 1 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 12579777

    Partition 2 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 12579840  Numsec = 143715600
    Partition is not bootable

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 80026361856 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-54-156281488-156301488)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff8292eab8, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff82929480, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8292eab8, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff82923a98, DeviceName: \Device\00000075\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff82923520, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff82ab3e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82923520, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff82928578, DeviceName: \Device\00000076\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xffffffff82928ab8, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff829232f8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82928ab8, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8292f758, DeviceName: \Device\00000077\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xffffffff82927030, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff82928890, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82927030, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8298f030, DeviceName: \Device\00000078\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
=======================================

Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_2_12579840_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished

 

 

 

The svchost.exe seems to be working better, but now the iexplore,exe seems to be the problem with eating up memory and cpu usage. Maybe be the malwarebytes anti-malware helped cure it, so the virus is down but not out.

 

thanks again for your help.

 



#4 maureen456

maureen456
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 03 January 2014 - 10:20 PM

I am sorry the post above has lines in it, here is a repost.

 

Hello xXToffeeXx,

 

Thank you so much for addressing my request and coming to my aid and offering assistance, I really appreciate you, your skills, knowledge, time, and effort.

 

 

mbar log:

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2014.01.03.01

Windows XP Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Compaq_Owner :: COMPAQ-PC [administrator]

1/2/2014 11:59:48 PM
mbar-log-2014-01-02 (23-59-48).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 263542
Time elapsed: 45 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

systems log:

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.999000 GHz
Memory total: 737656832, free: 546959360

Downloaded database version: v2014.01.03.01
Downloaded database version: v2013.12.18.01
=======================================
Initializing...
------------ Kernel report ------------
     01/02/2014 23:59:20
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
\WINDOWS\System32\drivers\FLTMGR.SYS
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
sshrmd.sys
ssfs0bbc.sys
ssidrv.sys
\WINDOWS\system32\DRIVERS\NDIS.SYS
\WINDOWS\system32\DRIVERS\TDI.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
viaide.sys
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
fasttx2k.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
KSecDD.sys
Ntfs.sys
uagp35.sys
Mup.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\fetnd5bv.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\HssDrv.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\taphss.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR6
Upper Device Object: 0xffffffff82927030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000078\
Lower Device Object: 0xffffffff8298f030
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR5
Upper Device Object: 0xffffffff82928ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000077\
Lower Device Object: 0xffffffff8292f758
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR4
Upper Device Object: 0xffffffff82923520
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000076\
Lower Device Object: 0xffffffff82928578
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR3
Upper Device Object: 0xffffffff8292eab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000075\
Lower Device Object: 0xffffffff82923a98
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff82b7bab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-12\
Lower Device Object: 0xffffffff82b41d98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff82b7bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff82b10aa0, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82b7bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff82b139e8, DeviceName: \Device\00000069\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff82b41d98, DeviceName: \Device\Ide\IdeDeviceP2T0L0-12\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1549F232

Partition information:

    Partition 0 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 55  Numsec = 0

    Partition 1 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 12579777

    Partition 2 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 12579840  Numsec = 143715600
    Partition is not bootable

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 80026361856 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-54-156281488-156301488)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff8292eab8, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff82929480, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8292eab8, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff82923a98, DeviceName: \Device\00000075\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff82923520, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff82ab3e08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82923520, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff82928578, DeviceName: \Device\00000076\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xffffffff82928ab8, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff829232f8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82928ab8, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8292f758, DeviceName: \Device\00000077\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xffffffff82927030, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff82928890, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82927030, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8298f030, DeviceName: \Device\00000078\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
=======================================

Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_2_12579840_i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished

 

The svchost.exe seems to be working better, but now the iexplore,exe seems to be the problem with eating up memory and cpu usage. Maybe be the malwarebytes anti-malware helped cure it, so the virus is down but not out.

 

thanks again for your help.



#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:25 PM

Posted 04 January 2014 - 05:24 AM

Hi,

 

On consideration, we need you to repost this issue with a DDS log so we can get it out.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well. 

 

xXToffeeXx~


Edited by xXToffeeXx, 04 January 2014 - 09:24 AM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:25 PM

Posted 04 January 2014 - 09:34 AM

Hi,

 

Make sure to follow the instructions in the post above. I have edited after talking with a colleague about this infection. Thank you.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#7 maureen456

maureen456
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:25 AM

Posted 13 January 2014 - 10:29 AM

Hello xXToffeeXx,

 

Thank you so much for providing guidance and instruction. I have created a new topic and followed the preparation guide as asked. I am sorry for the delayed response, my dad needed the cpu for work, so it was tied up. Not surprisingly, the virus is back, but now I will be able to respond immediately.

 

Thank you for providing your skills and expertise and helping me. :)



#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:04:25 PM

Posted 13 January 2014 - 11:23 AM

Hi,

 

No worries on that, and you are welcome :)

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#9 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:11:25 AM

Posted 13 January 2014 - 11:29 AM

Now that you have posted logs in MRL

Please refrain from asking for further help from other members or staff until the Malware Removal Team has checked your posted log. The Malware Removal Team work very hard to investigate a unique solution to your problem and you will receive individual expert assistance. This takes time and effort so we ask you to please be patient while waiting for assistance and NOT to make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member. Any modifications you make on your own can result in system changes which may not show it the log you already posted. Further, following advice outside of that post may cause confusion for the team member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

The Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean. If you followed any other advice already, please ensure you inform the Malware Removal Team Team Helper when they respond to assist you with your log. This will help them know what has been done and they probably will ask for an updated log.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

This topic is closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users