Resolved HJT Threads

suspicious svchost behavior following trojan attack

#1
Registered User
Join Date: Dec 2007
Posts: 9
OS: winxp sp2
Hi, I'm running Win XP SP2 with the ZoneAlarm antivirus+firewall internet suite. In the single day between when my previous antivirus (Trend Micro) expired and I installed ZA Pro, I got a bad infection of mainly Win32 trojans and a couple of other nasties (which disabled my Task Manager, System Restore, Run command, etc.). ZA seemingly cleared them all; Ad-Aware cleared some spyware, and Spybot found and cleaned SmitFraud and Virtumonde among a host of other spyware/malware.

My problem now is that my svchost.exe keeps trying to communicate with certain IP addresses (10.12.**.** – 10.44.**.** among others). IP tracings on these addresses almost always return a negative; only once did I get a trace to somewhere in China. I have now set ZA to ask me every time the "generic Win32 process" wants to communicate with the internet; I allow it to access the DNS and DHCP addresses of my ISP and Microsoft (because otherwise I can't surf) and deny everything else. Before I put such blocks in place, my net speed had become abysmally slow. Looking at ZA's program logs, I can see that svchost keeps trying to send and receive data to and from the above-mentioned IPs 6–10 times/min. From its properties, I see that the svchost.exe file in c:\windows\system32 was modified around the time my machine got infected; I've had no reason to modify it in any way myself. I've run ComboFix, SDFix, RogueRemover and SmitFraudFix (suggestions from trustworthy forums) after finding suspicious entries in HijackThis and RootkitRevealer; they all removed a variety of viruses and trojans that my ZA couldn't find. I'll attach their logs if required. I don't have any usable System Restore points anymore because I had to turn it off in order to get rid of virus traces. I have 6 svchost processes running at the moment and all of them are either network/system/local service. One of them is much larger than the rest (30,000~40,000 K). I know svchost is supposed to communicate with the net for Windows to function properly; but I know something's wrong here - I'm guessing I still have a trojan that's sending info somehow to these untraceable IPs.

DSS log

```
Deckard's System Scanner v20071014.68
Run by User on 2007-12-28 14:15:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2007-12-28 08:45:49 UTC - RP106 - Deckard's System Scanner Restore Point
1: 2007-12-27 18:52:14 UTC - RP105 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:03 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1194292783343
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BE90DF74-A983-4BBB-A9C1-F2C90807F548} (AssureSignControl Control) - http://www.mca.gov.in/DCAPortalWeb/d...ignControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26B6BDC9-6672-4625-80D5-9081B1A94BD5}: NameServer = 203.115.71.214 203.115.81.38
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8938 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071218-004743-649 F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsass.exe
backup-20071227-154930-199 O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
backup-20071228-003659-523 O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - (no file)
backup-20071228-003659-686 O23 - Service: PCGUPAXJFOC - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\PCGUPAXJFOC.exe (file missing)
backup-20071228-003659-906 O23 - Service: GNQTEZDA - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\GNQTEZDA.exe (file missing)
backup-20071228-010008-645 O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R2 CDRPDACC (Quinnware CDDA Driver (by InfinaDyne)) - c:\program files\quintessential player\cdrpdacc.sys <Not Verified; Arrowkey; CD Device Access>
R3 catchme - c:\docume~1\user\locals~1\temp\catchme.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
R2 STacSV (SigmaTel Audio Service) - c:\windows\system32\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 GNQTEZDA - c:\docume~1\user\locals~1\temp\gnqtezda.exe (file missing)
S4 PCGUPAXJFOC - c:\docume~1\user\locals~1\temp\pcgupaxjfoc.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-15 01:00:00 338 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2007-12-01 01:00:00 330 --a------ C:\WINDOWS\Tasks\McQcTask.job

-- Files created between 2007-11-28 and 2007-12-28 -----------------------------

2007-12-28 14:13:38 0 d-------- C:\ie-spyad_zo <IE-SPY~1>
2007-12-28 13:50:04 0 dr-h----- C:\Documents and Settings\User\Recent
2007-12-28 13:16:22 8576 --a------ C:\WINDOWS\system32\drivers\hamksdqhcdmt.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-12-28 12:49:59 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2007-12-28 12:48:00 8576 --a------ C:\WINDOWS\system32\drivers\cbehhhcgygem.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-12-28 11:16:13 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-28 11:16:10 0 d-------- C:\WINDOWS\LastGood
2007-12-28 10:13:45 0 d-------- C:\WINDOWS\ERUNT
2007-12-28 01:05:45 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-12-28 01:05:43 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-12-28 01:05:43 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-12-27 23:35:32 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-27 23:35:15 0 d-------- C:\Program Files\Spyware Doctor
2007-12-27 23:35:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-12-27 15:53:49 5104446 --a------ C:\WINDOWS\system32\BXZZIMEDPSH
2007-12-27 15:47:48 0 dr------- C:\Documents and Settings\LocalService\My Documents
2007-12-27 15:46:53 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-12-22 15:58:50 0 d-------- C:\SmitfraudFix
2007-12-22 15:53:07 1129580 --a------ C:\SmitfraudFix.exe
2007-12-22 14:45:33 0 d-------- C:\Program Files\RogueRemover FREE
2007-12-22 14:45:20 0 d-------- C:\Documents and Settings\User\Application Data\MailFrontier
2007-12-22 14:36:28 2530 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-22 14:35:22 0 d-------- C:\Documents and Settings\User\SmitfraudFix
2007-12-18 16:33:36 4910112 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-18 16:20:45 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-18 16:20:41 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-12-18 16:20:35 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2007-12-18 16:20:17 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-18 16:19:43 0 d-------- C:\WINDOWS\Internet Logs
2007-12-18 00:09:24 4998005 --a------ C:\WINDOWS\system32\ESJHHGHRS
2007-12-17 23:46:48 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-17 15:04:37 0 d-------- C:\WINDOWS\pss
2007-12-17 13:59:31 0 d-------- C:\Program Files\Alwil Software
2007-12-17 11:17:59 0 d-------- C:\Program Files\SpywareBlaster
2007-12-17 10:26:17 0 d-------- C:\Program Files\Lavasoft
2007-12-13 23:34:11 0 d-------- C:\Program Files\Microsoft
2007-12-13 23:34:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-13 23:11:07 0 d-------- C:\Program Files\MSBuild
2007-12-13 23:03:11 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-12-13 23:02:09 0 d-------- C:\Program Files\Reference Assemblies
2007-12-13 21:29:02 0 d-------- C:\WINDOWS\system32\AGEIA
2007-12-13 21:29:01 0 d-------- C:\Program Files\AGEIA Technologies
2007-12-13 21:28:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-13 21:27:25 0 d-------- C:\Microsoft Robotics Studio (1.5)
2007-12-09 18:51:37 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-12-09 18:51:34 0 d-------- C:\Program Files\West Point Bridge Designer 2007
2007-12-03 12:11:27 0 d-------- C:\Documents and Settings\User\Application Data\Ahead
2007-12-02 15:23:16 0 d-------- C:\WINDOWS\wb
2007-12-02 14:51:31 0 d-------- C:\Documents and Settings\User\Application Data\IGN_DLM
2007-11-29 13:13:40 0 d-------- C:\Documents and Settings\User\Application Data\FrostWire
2007-11-28 22:46:02 0 d-------- C:\WINDOWS\ASTULogTemp
2007-11-28 00:27:09 0 d-------- C:\Program Files\KChess

-- Find3M Report ---------------------------------------------------------------

2007-12-28 13:49:12 0 d-------- C:\Program Files\Opera
2007-12-28 13:46:32 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-28 13:44:10 0 d-------- C:\Program Files\Google
2007-12-28 11:46:32 0 d-------- C:\Documents and Settings\User\Application Data\Google
2007-12-17 10:37:43 0 d-------- C:\Program Files\WordWeb
2007-12-17 10:37:43 0 d-------- C:\Program Files\CCleaner
2007-12-17 10:37:43 0 d-------- C:\Program Files\AusLogics Registry Defrag
2007-12-17 10:37:43 0 d-------- C:\Program Files\Audacity
2007-12-17 10:37:43 0 d-------- C:\Program Files\Apple Software Update
2007-12-17 10:36:57 0 d-------- C:\Program Files\Windows NT
2007-12-17 10:36:57 0 d-------- C:\Program Files\WinBoard
2007-12-17 10:36:57 0 d-------- C:\Program Files\Winamp
2007-12-17 10:36:57 0 d-------- C:\Program Files\Stellarium
2007-12-17 10:36:57 0 d-------- C:\Program Files\SecondLife
2007-12-17 10:36:57 0 d-------- C:\Program Files\Quintessential Player
2007-12-17 10:36:57 0 d-------- C:\Program Files\QuickTime
2007-12-17 10:36:57 0 d-------- C:\Program Files\Pocket Tanks Deluxe
2007-12-17 10:36:57 0 d-------- C:\Program Files\Pawn 2
2007-12-17 10:36:50 0 d-------- C:\Program Files\Movie Maker
2007-12-17 10:36:50 0 d-------- C:\Program Files\Messenger
2007-12-17 10:36:50 0 d-------- C:\Program Files\LimeWire
2007-12-17 10:36:50 0 d-------- C:\Program Files\iTunes
2007-12-17 10:36:50 0 d-------- C:\Program Files\FrostWire
2007-12-17 10:36:50 0 d-------- C:\Program Files\ExpressPCB
2007-12-17 10:26:21 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2007-12-17 10:23:54 0 d-------- C:\Program Files\Trend Micro
2007-12-13 21:28:40 0 d-------- C:\Program Files\Common Files
2007-12-12 10:06:36 0 d-------- C:\Program Files\BOINC
2007-11-27 20:43:44 0 d-------- C:\Program Files\Ubisoft
2007-11-27 20:43:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-27 13:41:55 0 d-------- C:\Documents and Settings\User\Application Data\LimeWire
2007-11-27 12:26:52 0 d-------- C:\Program Files\Java
2007-11-26 00:50:48 0 d-------- C:\Documents and Settings\User\Application Data\Apple Computer
2007-11-17 10:35:54 0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2007-11-16 15:11:26 0 d-------- C:\Documents and Settings\User\Application Data\Mobipocket
2007-11-16 14:40:59 0 d-------- C:\Program Files\Mobipocket.com
2007-11-16 14:21:04 0 d-------- C:\Program Files\Common Files\Mobipocket Shared
2007-11-16 13:54:03 0 d-------- C:\Program Files\Orneta
2007-11-14 23:33:35 2528 --a------ C:\Documents and Settings\User\Application Data\$_hpcst$.hpc
2007-11-13 12:51:11 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-11-13 12:51:11 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-11-13 02:00:56 0 d-------- C:\Documents and Settings\User\Application Data\Sunbelt Software
2007-11-12 21:17:38 0 d-------- C:\Program Files\iPod
2007-11-12 21:15:51 0 d-------- C:\Program Files\Common Files\Apple
2007-11-03 14:45:56 0 d-------- C:\Program Files\Common Files\McAfee
2007-11-02 21:56:45 0 d-------- C:\Documents and Settings\User\Application Data\Sun
2007-10-31 00:06:43 0 d-------- C:\Program Files\SpeedFan
2007-10-29 19:39:26 0 d-------- C:\Documents and Settings\User\Application Data\AdobeUM
2007-10-29 18:55:38 0 d-------- C:\Program Files\GameTop.com
2007-10-29 16:40:10 0 d-------- C:\Documents and Settings\User\Application Data\Macromedia
2007-10-21 12:49:14 5 --a------ C:\WINDOWS\system32\SySMP3CutJoin.dat
2007-10-20 18:59:27 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-20 18:53:41 2301 --a------ C:\WINDOWS\mozver.dat
2007-10-20 02:48:52 62 --ahs---- C:\Documents and Settings\User\Application Data\desktop.ini
2007-10-19 21:28:22 0 -rahs---- C:\MSDOS.SYS
2007-10-19 21:28:22 0 -rahs---- C:\IO.SYS
2007-10-19 21:28:22 0 --a------ C:\CONFIG.SYS
2007-10-19 21:28:22 0 --a------ C:\AUTOEXEC.BAT
2007-10-19 21:25:21 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/26/2007 08:04 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/26/2007 08:04 AM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [02/26/2007 08:03 AM]
"SigmatelSysTrayApp"="sttray.exe" [05/06/2007 02:40 PM C:\WINDOWS\sttray.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [05/15/2007 03:55 PM]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [05/15/2007 03:55 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/23/2006 03:10 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [12/05/2006 10:55 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:26 AM]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [09/28/2007 01:35 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 01:39 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [12/27/2007 11:35 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"srePostpone"=rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aea40a6-9147-11dc-985a-0019213a31ab}]
AutoRun\command- H:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9f14124-a7fb-11dc-9899-0019213a31ab}]
AutoRun\command- wscript.exe VirusRemoval.vbs
open\Command- wscript.exe VirusRemoval.vbs

*Newly Created Service* - CBEHHHCGYGEM
*Newly Created Service* - HAMKSDQHCDMT
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK

-- End of Deckard's System Scanner: finished at 2007-12-28 14:18:33 ------------
```

Panda Online Active Scan log

```
Incident Status Location
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\User\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\User\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\SmitfraudFix\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\SmitfraudFix\Reboot.exe
Virus:W32/Perlovga.A.worm Disinfected E:\website extramural\Website\System Volume Information\_restore{F27C5A40-5953-46BC-8D0E-8774746D113C}\RP117\A0034049.inf
Virus:W32/Perlovga.A.worm Disinfected E:\website extramural\Website\System Volume Information\_restore{F27C5A40-5953-46BC-8D0E-8774746D113C}\RP117\A0035031.inf
Virus:W32/Perlovga.A.worm Disinfected E:\website extramural\Website\System Volume Information\_restore{F27C5A40-5953-46BC-8D0E-8774746D113C}\RP118\A0035046.inf
Virus:W32/Perlovga.A.worm Disinfected E:\website extramural\Website\System Volume Information\_restore{F27C5A40-5953-46BC-8D0E-8774746D113C}\RP119\A0035170.inf
-----End of Panda AS Log-----
```

I have removed the Perlovga virus-infected files manually after the Panda scan. Can you please help in fixing the svchost problem? Thanks in advance!
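The "HijackThis Fixed Entries" in the post above show the patterns a log helper looks for when triaging a log like this one: a service whose binary is gone, a service launched from a Temp folder, an executable hidden in an NTFS alternate data stream (svchost.exe:ext.exe), and an extra program chained into UserInit under a system-binary name (C:\WINDOWS\system\lsass.exe). The script below is an editor's example added to this thread, not code from the original post or from HijackThis; it encodes those checks as heuristics and runs them over a constructed sample made from the fixed entries quoted above plus two benign lines from the same log. The rule names, the SYSTEM_BINARIES list and the path-extraction regexes are my own choices, not part of any tool on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the HijackThis "Fixed Entries" quoted in the post,
# plus two benign lines from the same log so the triage sees both kinds.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsass.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - (no file)
O23 - Service: PCGUPAXJFOC - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\PCGUPAXJFOC.exe (file missing)
O23 - Service: GNQTEZDA - Unknown owner - C:\DOCUME~1\User\LOCALS~1\Temp\GNQTEZDA.exe (file missing)
"""

# Core Windows binary names that malware borrows. The genuine copies of these live in
# \WINDOWS\system32, so the same name anywhere else (e.g. C:\WINDOWS\system\lsass.exe) is suspect.
# This list is an assumption of the example, not something HijackThis ships.
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "O23 - Service: ..."
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)         # user or system temp folder in the path
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
ORPHAN_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def paths_of(section: str, body: str) -> list:
    """Best-effort extraction of the file path(s) an entry points at."""
    if section == "F2":
        # system.ini UserInit is a comma-separated list of programs.
        values = body.split("UserInit=", 1)[1] if "UserInit=" in body else ""
        return [v.strip() for v in values.split(",") if ":\\" in v]
    if section == "O4":
        # Run-key entries: [name] "path" optional-args
        m = re.search(r'\]\s*"?([A-Za-z]:\\.*?)"?(?:\s+/\S+)*\s*$', body)
        return [m.group(1)] if m else []
    # Other sections put the path last, after the final " - " separator.
    tail = ORPHAN_RE.sub("", body.rsplit(" - ", 1)[-1]).strip().strip('"')
    return [tail] if re.match(r"^[A-Za-z]:\\", tail) else []


def triage(log_text: str) -> list:
    """Run the heuristics over every recognised HijackThis entry and return the findings."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()

        # 1. Target no longer exists: a service or handler left registered after a cleanup.
        if ORPHAN_RE.search(body):
            findings.append(Finding(n, "orphan", f"{section} entry points at a file that is no longer present"))

        # 2. Anything chained into UserInit besides userinit.exe runs at every logon.
        if section == "F2" and "UserInit=" in body:
            values = [v.strip() for v in body.split("UserInit=", 1)[1].split(",") if v.strip()]
            extra = [v for v in values if v.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extra:
                findings.append(Finding(n, "userinit", "extra program in UserInit: " + ", ".join(extra)))

        for path in paths_of(section, body):
            # 3. A colon after the drive letter names an NTFS alternate data stream (svchost.exe:ext.exe).
            if ":" in path[2:]:
                findings.append(Finding(n, "ads", f"target is an alternate data stream: {path}"))
            # 4. Services and autoruns do not normally launch from a temp folder.
            if TEMP_RE.search(path):
                findings.append(Finding(n, "temp-dir", f"target launched from a temp folder: {path}"))
            # 5. A core Windows binary name outside system32 is a look-alike.
            base = path.rsplit("\\", 1)[-1].split(":")[0].lower()
            if base in SYSTEM_BINARIES and not SYSTEM32_RE.search(path):
                findings.append(Finding(n, "lookalike", f"{base} outside \\WINDOWS\\system32: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:2d}  {f.rule:<9}  {f.detail}")
```

The heuristics flag lines for a human to look at rather than decide anything on their own: a cleanly uninstalled product also leaves a "(file missing)" service entry behind, so an orphan hit on its own says little, while the ADS, temp-folder and look-alike rules are the ones that separate the five fixed entries above from the benign lines.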
#3
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: suspicious svchost behavior following trojan attack

Hi,

Post the latest ComboFix text, c:\combofix.txt, please.

Open My Computer, right click (after plugging in your USB stick or sticks or other removable drive), choose Explore and look for VirusRemoval.vbs and autorun.inf. Are either present?

Get and post a Kaspersky online report. Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component. (Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)

The program launches and downloads the latest definition files. There is no option to clean/disinfect; however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.
#4
Registered User
Join Date: Dec 2007
Posts: 9
OS: winxp sp2
Re: suspicious svchost behavior following trojan attack

Hi, thank you very much for helping me. Wish you a happy new year!

No VirusRemoval.vbs file was found anywhere. I did find 5 autorun.inf files, but they seemed legit, having been created ages ago. Attaching a screenshot of the search results anyway (I can't seem to copy-paste it here).

Kaspersky Scan Log:

```
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 02, 2008 1:33:44 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/01/2008
Kaspersky Anti-Virus database records: 501117
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 71710
Number of viruses found: 1
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 01:13:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\User\Application Data\MailFrontier\ASD.log Object is locked skipped
C:\Documents and Settings\User\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
C:\Documents and Settings\User\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
C:\Documents and Settings\User\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\~DFBD5D.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{686F3DE7-8EFF-4FB2-ADAA-7C06C90B57F5}\RP105\A0079224.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{686F3DE7-8EFF-4FB2-ADAA-7C06C90B57F5}\RP105\A0079699.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{686F3DE7-8EFF-4FB2-ADAA-7C06C90B57F5}\RP116\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SUHAS.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is
```
locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\ZLT0260d.TMP Object is locked skipped C:\WINDOWS\Temp\ZLT02610.TMP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped D:\System Volume Information\_restore{686F3DE7-8EFF-4FB2-ADAA-7C06C90B57F5}\RP116\change.log Object is locked skipped E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped E:\System Volume Information\_restore{686F3DE7-8EFF-4FB2-ADAA-7C06C90B57F5}\RP116\change.log Object is locked skipped F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped F:\System 
Volume Information\_restore{686F3DE7-8EFF-4FB2-ADAA-7C06C90B57F5}\RP116\change.log Object is locked skipped Scan process completed. |
#5
Registered User
Join Date: Dec 2007
Posts: 9
OS: winxp sp2
Re: suspicious svchost behavior following trojan attack
post cont'd
Latest ComboFix Log:
Code:
ComboFix 07-12-28.1 - User 2008-01-02 1:52:34.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.524 [GMT 5.5:30]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
.
2008-01-01 23:52 . 2008-01-01 23:52 <DIR> d-------- C:\Program Files\KChess
2008-01-01 23:50 . 2008-01-01 23:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-01 23:50 . 2008-01-01 23:50 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-01 23:50 . 2008-01-01 23:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-29 18:46 . 2007-12-29 18:49 <DIR> d-------- C:\Documents and Settings\User\.gimp-2.4
2007-12-29 17:12 . 2007-12-29 17:12 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-12-29 17:11 . 2007-12-29 17:11 <DIR> d-------- C:\Program Files\WinDirStat
2007-12-29 17:07 . 2007-12-29 17:07 <DIR> d-------- C:\Program Files\Paint.NET
2007-12-29 17:05 . 2007-12-29 17:05 <DIR> d-------- C:\Program Files\Foxit Software
2007-12-29 17:04 . 2007-12-29 18:25 <DIR> d-------- C:\Program Files\Celestia
2007-12-29 17:04 . 2007-12-29 17:04 1,092 --a------ C:\WINDOWS\UnitConverter2.INI
2007-12-29 15:10 . 2007-12-29 15:10 <DIR> d-------- C:\getservice
2007-12-29 14:23 . 2007-12-29 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-28 23:49 . 2007-12-28 23:50 <DIR> d-------- C:\RD4B335D2AF9F44185AFC417F8D8D4B473DR
2007-12-28 14:15 . 2007-12-28 14:15 <DIR> d-------- C:\Deckard
2007-12-28 14:13 . 2007-12-28 14:13 <DIR> d-------- C:\ie-spyad_zo
2007-12-28 13:16 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\hamksdqhcdmt.sys
2007-12-28 13:03 . 2007-12-28 13:08 824,168,448 --a------ C:\3B8.tmp
2007-12-28 12:49 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-28 12:48 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\cbehhhcgygem.sys
2007-12-28 11:16 . 2007-12-28 14:00 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-28 11:16 . 2007-12-28 13:11 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-28 11:16 . 2007-12-28 13:11 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-28 11:16 . 2007-12-28 13:11 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-28 10:13 . 2007-12-28 10:14 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-28 01:05 . 2007-12-28 01:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-12-27 23:35 . 2007-12-28 09:43 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-27 23:35 . 2007-12-28 01:07 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-27 15:53 . 2007-12-27 15:55 5,104,446 --a------ C:\WINDOWS\system32\BXZZIMEDPSH
2007-12-22 15:58 . 2007-12-28 13:55 <DIR> d-------- C:\SmitfraudFix
2007-12-22 15:53 . 2007-12-22 15:54 1,129,580 --a------ C:\SmitfraudFix.exe
2007-12-22 14:45 . 2007-12-22 15:06 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-22 14:45 . 2007-12-22 14:45 <DIR> d-------- C:\Documents and Settings\User\Application Data\MailFrontier
2007-12-22 14:36 . 2007-12-28 23:45 2,530 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-22 14:35 . 2007-12-28 13:20 <DIR> d-------- C:\Documents and Settings\User\SmitfraudFix
2007-12-19 00:28 . 2008-01-02 01:07 959 --a------ C:\rollback.ini
2007-12-18 16:33 . 2008-01-02 01:57 6,727,200 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-18 16:33 . 2008-01-01 17:33 89,276 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-18 16:20 . 2007-12-22 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-18 16:19 . 2008-01-02 01:40 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-18 01:21 . 2007-12-18 01:21 138 --a------ C:\WINDOWS\wininit.ini
2007-12-18 00:09 . 2007-12-18 00:10 4,998,005 --a------ C:\WINDOWS\system32\ESJHHGHRS
2007-12-17 23:46 . 2007-12-17 23:46 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-17 15:29 . 2007-12-17 15:29 29 --a------ C:\WINDOWS\system32\fdisiufw.tmp
2007-12-17 13:59 . 2007-12-17 13:59 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-17 11:17 . 2007-12-28 11:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-17 10:26 . 2007-12-29 14:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-17 09:28 . 2007-12-17 09:28 29 --a------ C:\WINDOWS\system32\yfdfhiui.tmp
2007-12-13 23:34 . 2007-12-13 23:34 <DIR> d-------- C:\Program Files\Microsoft
2007-12-13 23:34 . 2007-12-13 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-13 23:11 . 2007-12-13 23:11 <DIR> d-------- C:\Program Files\MSBuild
2007-12-13 23:03 . 2007-12-17 10:30 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-13 23:02 . 2007-12-13 23:02 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-13 23:01 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-12-13 21:29 . 2007-12-13 21:29 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-12-13 21:29 . 2007-12-13 21:29 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-12-13 21:28 . 2007-12-29 14:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-13 21:27 . 2007-12-13 21:28 <DIR> d-------- C:\Microsoft Robotics Studio (1.5)
2007-12-09 18:51 . 2007-12-17 10:36 <DIR> d-------- C:\Program Files\West Point Bridge Designer 2007
2007-12-09 18:51 . 2007-12-09 18:50 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-12-09 18:51 . 2000-05-22 16:58 608,448 --a------ C:\WINDOWS\system32\COMCTL32.OCX.bak
2007-12-09 18:51 . 2000-05-22 16:58 140,488 --a------ C:\WINDOWS\system32\COMDLG32.OCX.bak
2007-12-03 12:11 . 2007-12-03 12:12 <DIR> d-------- C:\Documents and Settings\User\Application Data\Ahead
2007-12-02 15:23 . 2007-12-17 10:38 <DIR> d-------- C:\WINDOWS\wb
2007-12-02 14:51 . 2007-12-02 15:06 <DIR> d-------- C:\Documents and Settings\User\Application Data\IGN_DLM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 12:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-29 11:33 --------- d-----w C:\Program Files\WinASO
2007-12-29 08:54 --------- d-----w C:\Documents and Settings\User\Application Data\Lavasoft
2007-12-29 05:58 15,360 ----a-w C:\WINDOWS\TASKMAN.EXE
2007-12-28 16:29 --------- d-----w C:\Program Files\Java
2007-12-28 14:59 53,643 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_12_28_17_51_22_small.dmp.zip
2007-12-28 08:19 --------- d-----w C:\Program Files\Opera
2007-12-28 08:16 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-28 08:14 --------- d-----w C:\Program Files\Google
2007-12-27 11:08 65,095 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_12_27_16_30_51_small.dmp.zip
2007-12-22 06:07 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-12-17 05:07 --------- d-----w C:\Program Files\WordWeb
2007-12-17 05:07 --------- d-----w C:\Program Files\CCleaner
2007-12-17 05:07 --------- d-----w C:\Program Files\AusLogics Registry Defrag
2007-12-17 05:07 --------- d-----w C:\Program Files\Audacity
2007-12-17 05:07 --------- d-----w C:\Program Files\Apple Software Update
2007-12-17 05:06 --------- d-----w C:\Program Files\WinBoard
2007-12-17 05:06 --------- d-----w C:\Program Files\Winamp
2007-12-17 05:06 --------- d-----w C:\Program Files\Stellarium
2007-12-17 05:06 --------- d-----w C:\Program Files\SecondLife
2007-12-17 05:06 --------- d-----w C:\Program Files\Quintessential Player
2007-12-17 05:06 --------- d-----w C:\Program Files\QuickTime
2007-12-17 05:06 --------- d-----w C:\Program Files\Pocket Tanks Deluxe
2007-12-17 05:06 --------- d-----w C:\Program Files\Pawn 2
2007-12-17 05:06 --------- d-----w C:\Program Files\LimeWire
2007-12-17 05:06 --------- d-----w C:\Program Files\iTunes
2007-12-17 05:06 --------- d-----w C:\Program Files\FrostWire
2007-12-17 05:06 --------- d-----w C:\Program Files\ExpressPCB
2007-12-17 04:53 --------- d-----w C:\Program Files\Trend Micro
2007-12-12 04:36 --------- d-----w C:\Program Files\BOINC
2007-12-04 05:05 --------- d-----w C:\Documents and Settings\User\Application Data\FrostWire
2007-11-27 15:15 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-27 15:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-27 15:13 --------- d-----w C:\Program Files\Ubisoft
2007-11-27 08:11 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2007-11-25 19:20 --------- d-----w C:\Documents and Settings\User\Application Data\Apple Computer
2007-11-16 09:41 --------- d-----w C:\Documents and Settings\User\Application Data\Mobipocket
2007-11-16 09:10 --------- d-----w C:\Program Files\Mobipocket.com
2007-11-16 08:51 --------- d-----w C:\Program Files\Common Files\Mobipocket Shared
2007-11-16 08:24 --------- d-----w C:\Program Files\Orneta
2007-11-14 10:35 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 10:35 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-13 11:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-12 20:30 --------- d-----w C:\Documents and Settings\User\Application Data\Sunbelt Software
2007-11-12 15:47 --------- d-----w C:\Program Files\iPod
2007-11-12 15:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-12 15:45 --------- d-----w C:\Program Files\Common Files\Apple
2007-11-12 15:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-11-03 09:15 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-03 09:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA(2)
2007-11-02 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-21 22:09 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-21 22:07 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 09:44 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 09:44 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-02 04:26 444,776 ----a-w C:\WINDOWS\system32\d3dx10_36.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2007-11-22 21:40]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-27 23:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-02-26 08:04]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-02-26 08:04]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-02-26 08:03]
"SigmatelSysTrayApp"="sttray.exe" [2007-05-06 14:40 C:\WINDOWS\sttray.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 15:55]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 15:55]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aea40a6-9147-11dc-985a-0019213a31ab}]
\Shell\AutoRun\command - H:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9f14124-a7fb-11dc-9899-0019213a31ab}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs
.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 19:30:00 C:\WINDOWS\Tasks\McDefragTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-11-30 19:30:00 C:\WINDOWS\Tasks\McQcTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 01:58:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-02 2:00:55
C:\ComboFix2.txt ... 2007-12-28 17:28
C:\ComboFix3.txt ... 2007-12-27 16:17

Thanks in advance!
#6
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: suspicious svchost behavior following trojan attack
Looks clean to me punkprincess
Those autorun.inf are OK. Let's clean up a leftover registry entry. Launch Notepad (not WordPad or another text editor), and copy and paste the contents of the code box below into a new text file. Save it as file name: "fixme.reg" (not including the word Code). Save as file type: All files (*.*) and save it on your Desktop.
Code:
REGEDIT4
;
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9f14124-a7fb-11dc-9899-0019213a31ab}]
;
Restart your PC. You can delete RootkitRevealer's leftover services. Open a command prompt (Start, Run, type cmd, press Enter), type sc delete "GNQTEZDA" and press Enter, type in sc delete "PCGUPAXJFOC" and press Enter, then type exit and press Enter to exit the command prompt.
#7
Registered User
Join Date: Dec 2007
Posts: 9
OS: winxp sp2
Re: suspicious svchost behavior following trojan attack
I've carried out the steps you asked me to. I'm sure the machine is clean otherwise, but the svchost process still keeps trying to connect to the internet and accept connections from the mentioned addresses; and considering the fact that it's not a file that is modified for any reason by the system itself, its modification history around the time of the infection seems significant. I'll post on the ZA forums too about the issue.
I have a clean copy of the svchost.exe file on a backup CD, but I don't know how to replace it in system32 and/or the dllcache (since killing any svchost process shuts down the computer). If you could perhaps provide instructions on how to do this, replacing it seems to be the best option. If that's not possible, I guess this thread can be closed. Thanks awfully for the help!
#8
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,345
OS: xp
Re: suspicious svchost behavior following trojan attack
An ADS stream was added to svchost; the file itself wasn't actually changed. That ADS was cleaned, but the file itself will still show as modified, not to worry.
Code:
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20071227-154930-199 O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe :ext.exe (file missing)

SmitfraudFix and SDFix should be removed now. You should also remove ComboFix; for it, go Start, Run, type in combofix /u and press OK. Submit these two files at VirusTotal please:
C:\WINDOWS\system32\fdisiufw.tmp
C:\WINDOWS\system32\yfdfhiui.tmp
http://www.virustotal.com/
Last edited by LonnyRJones: 01-01-2008 at 11:57 PM.
#9
Registered User
Join Date: Dec 2007
Posts: 9
OS: winxp sp2
Re: suspicious svchost behavior following trojan attack
Submitted the files at VirusTotal; both files are clean. Also submitted another file from system32, "config.nt", which had the same timestamp; it was clean too.
Should these files be deleted? Uninstalled ComboFix/SDFix/SmitfraudFix. HijackThis does not reveal any hidden ADS stream, but I hadn't checked earlier. Correct me if I'm wrong, but what I read about ADS streams seems to fit what my svchost is doing: sending data packets to an unknown host. Is there another reliable way of revealing ADS streams? RootkitRevealer is still giving 2 suspicious entries with tag "hklm\system\controlset001\group policy\system reserved"; result: hidden from Windows API; size: 8 bytes. I'm not sure what this means. Thanks.
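Added example from the editor, not part of this thread or of any tool named in it: on PowerShell 3.0 or later (so not the XP box above) NTFS stream enumeration is built in, and the script below lists every non-default stream on the executables in a directory and flags anything other than the benign Zone.Identifier download marker. The function name Find-AlternateDataStream is assumed; the stream name ext.exe is the one HijackThis reported earlier in the thread.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams (ADS)
# on executables and flag anything beyond the default unnamed data stream.
# Requires PowerShell 3.0+ (Get-Item/Get-Content/Remove-Item gained -Stream there)
# and an NTFS volume. Function name is assumed, not from any tool on this page.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        # Directory to scan; C:\WINDOWS\system32 is the location discussed above.
        [string]$Path   = 'C:\WINDOWS\system32',
        [string]$Filter = '*.exe'
    )
    Get-ChildItem -LiteralPath $Path -Filter $Filter -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream on the file; the unnamed default
            # stream shows up as ':$DATA' and is the only one a clean binary has.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Bytes      = $_.Length
                        # Zone.Identifier is the "downloaded from the Internet" mark
                        # Explorer and browsers add; any other stream on a system
                        # binary deserves a look.
                        Suspicious = ($_.Stream -ne 'Zone.Identifier')
                    }
                }
        }
}

# Usage: report every extra stream on system32 executables, suspicious ones first.
Find-AlternateDataStream | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# To inspect a flagged stream without executing it, read its first bytes
# (Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream instead):
#   Get-Content -LiteralPath 'C:\WINDOWS\system32\svchost.exe' -Stream 'ext.exe' -Encoding Byte -TotalCount 64
# To remove a confirmed-malicious stream, leaving the host file's own data untouched:
#   Remove-Item -LiteralPath 'C:\WINDOWS\system32\svchost.exe' -Stream 'ext.exe'
```

Removing the stream does not reset the host file's modification timestamp, which matches the moderator's point that svchost.exe still shows as modified after the ADS was cleaned.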