#1
Registered User
Join Date: Nov 2009
Posts: 3
OS: Windows 2003 Server
SVCHOST.EXE "call home" problem (Win2K3 Server)
Running Win2K3 as a workstation, Kaspersky v7 Antivirus with ZoneAlarm v3.5 (v4.5 driver).
This machine was configured over 2 years ago and seemingly has remained clean with the exception of a few bad items in the last few months that MalwareBytes was able to fix. MBAM & CCleaner are used regularly. On Oct 23 a problem started when I simply clicked on a link to [...9down...] when trying to get some info and was hit immediately. I do not want to post the actual link here in this post. This same site [...9down...] tried to install 2 more bad guys via html, but Zone Alarm blocked them so the complete payload was not delivered and installed. I saved the HTML from that attempt.

Many utilities such as AdAware, SuperAntiSpyware, GMER, Catchme, Spyware Doctor (removed afterwards) and a few others were installed for on-demand scanning to try to fix this problem. There is still at least one parasite left that I cannot identify.

Present symptoms are:
1. General slowdown (much improved since AdAware found and removed a few malware entries)
2. Dnsrslvr is accessing svchost.exe and then tries to call home (UDP) via port 443 (HTTPS) to 212.117.174.171. This happens at about 4 to 5 minutes after every boot up. Zone Alarm blocks it. DNS Client Service is set to Automatic.
3. Cannot boot into Safemode (I suspect this is only due to missing or wrong registry entries). I don't know exactly when this happened, since I have not had any reason to try for several months.

Malware Bytes cannot detect anything unusual. AdAware did find 3 nasties (all fixed at reboot) but shows clean now. After that reboot, things are running MUCH faster! Now AdAware says all is OK, but that is not the case.

*************************************************************************************

Can only check the following boxes in GMER (probably since this is Win2k3?):
[x] Services
[x] Registry
[x] Files
[x] ADS

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x93 0x9A 0x87 0x1B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{675C636A-C4BF-5DA0-8B14-23B18A138CF4}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{675C636A-C4BF-5DA0-8B14-23B18A138CF4}@bbaealbalkoapfjdonahdghjchiglpjanipe 0x62 0x62 0x70 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{675C636A-C4BF-5DA0-8B14-23B18A138CF4}@abaealbalkoapfjdondhgkbgagicflcfhk 0x62 0x62 0x63 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{98C6C4AB-E8AB-6536-D947-92707DDB9FAD}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{98C6C4AB-E8AB-6536-D947-92707DDB9FAD}@abkeccgholmbgfccdgieopmpjbilglllhe 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{98C6C4AB-E8AB-6536-D947-92707DDB9FAD}@bbkeccgholmbgfccdghepfcnhehnfjpccodd 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F8E1536F-0D0B-13BC-DFED-7B62D0443A8B}

---- EOF - GMER 1.0.15 ----

***************************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 14:54:58
Windows 5.2.3790 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{675C636A-C4BF-5DA0-8B14-23B18A138CF4}]
"bbaealbalkoapfjdonahdghjchiglpjanipe"=hex:62,62,70,61,62,70,64,6a,6d,62,63,61,65,6c,6d,6c,6e,63,65,6d,65,..
"abaealbalkoapfjdondhgkbgagicflcfhk"=hex:62,62,63,62,6a,70,65,6a,6a,62,6b,67,6a,64,67,68,63,64,62,6b,64,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{98C6C4AB-E8AB-6536-D947-92707DDB9FAD}]
"abkeccgholmbgfccdgieopmpjbilglllhe"=hex:61,61,00,00
"bbkeccgholmbgfccdghepfcnhehnfjpccodd"=hex:61,61,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F8E1536F-0D0B-13BC-DFED-7B62D0443A8B}]

scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

***************************************************************************************

Did a scan with Registry Clean Expert, removed the following:

Key: HKCR\CLSID\{101193C0-0BFE-11D0-AF91-00AA00B67A42}\InprocServer32
ValueName: (Default)
Value: C:\WINDOWS\system32\t5rdv.dll
The file referenced (C:\WINDOWS\system32\t5rdv.dll) doesn't exist.

Key: HKCR\CLSID\{129D7E40-C10D-11D0-AFB9-00AA00B67A42}\InprocServer32
ValueName: (Default)
Value: C:\WINDOWS\system32\t5rdv.dll
The file referenced (C:\WINDOWS\system32\t5rdv.dll) doesn't exist.

Key: HKCR\CLSID\{13AA3650-BB6F-11D0-AFB9-00AA00B67A42}\InprocServer32
ValueName: (Default)
Value: C:\WINDOWS\system32\t5rdv.dll
The file referenced (C:\WINDOWS\system32\t5rdv.dll) doesn't exist.

Key: HKCR\CLSID\{4150F050-BB6F-11D0-AFB9-00AA00B67A42}\InprocServer32
ValueName: (Default)
Value: C:\WINDOWS\system32\t5rdv.dll
The file referenced (C:\WINDOWS\system32\t5rdv.dll) doesn't exist.

Key: HKCR\CLSID\{4EB31670-9FC6-11CF-AF6E-00AA00B67A42}\InprocServer32
ValueName: (Default)
Value: C:\WINDOWS\system32\t5rdv.dll
The file referenced (C:\WINDOWS\system32\t5rdv.dll) doesn't exist.

Key: HKCR\CLSID\{8B498502-1218-11CF-ADC4-00A0D100041B}\InprocServer32
ValueName: (Default)
Value: C:\WINDOWS\system32\ecesq.dll
The file referenced (C:\WINDOWS\system32\ecesq.dll) doesn't exist.

Key: HKCR\CLSID\{B1B77C00-C3E4-11CF-AF79-00AA00B67A42}\InprocServer32
ValueName: (Default)
Value: C:\WINDOWS\system32\t5rdv.dll
The file referenced (C:\WINDOWS\system32\t5rdv.dll) doesn't exist.

Key: HKCR\CLSID\{D877B48A-8972-4653-91E2-445CD4E12FC2}\InprocServer32
ValueName: (Default)
Value: C:\WINDOWS\system32\ecesq.dll
The file referenced (C:\WINDOWS\system32\ecesq.dll) doesn't exist.

Key: HKCR\CLSID\{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
ValueName: AppID
Value: {C615554D-7B87-4275-84FF-8E0BA2AD071B}
The AppID {C615554D-7B87-4275-84FF-8E0BA2AD071B} referenced in this entry doesn't exist.

**************************************************************************************

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:36:07 PM, on 10/31/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\MemInfo\meminfo.exe
C:\Program Files\Echo Digital Audio\Console3\launch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Portable Program Files\Hijack_This\HiJackThis_v2.exe

O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DF84560-D194-463D-8626-719BF193CEF0}: NameServer = 192.168.1.200
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 2268 bytes

****************************************************************************************

Again, the only symptoms showing right now are:
1. Safemode not working
2. Call Home problem (5 minutes after boot).

I have done a ProcessMonitor PML boot log which I can send. Recovery Console is installed and working.

I would be most appreciative to get help with this problem. I really do not want to do a full reinstall at this time; it is not convenient, since I have some important work to do in these next few weeks.

Last edited by Acco; 11-02-2009 at 07:03 PM.
#3
Registered User
Join Date: Nov 2009
Posts: 3
OS: Windows 2003 Server
Re: SVCHOST.EXE "call home" problem (Win2K3 Server) Solution Found - Problem Fixed!
I really do not understand why this post was ignored here but it can now be closed.
Problem is now Fixed! Perhaps someone else will be helped by this.

After many false starts, I booted with Bart's PE CD and ran a FULL scan with Dr.Web. Lo and behold, there was one infected file: C:\windows\system32\drivers\(HDD_drivername).sys. Dr.Web identified the infection as backdoor.Tdss.565. That was unexpected. I have seen no forum discussion of that particular infection technique. Not only could it not be detected while the OS was running, it was part of every action being performed, since it was the very driver that controls the hard drives - it made itself invisible!

I replaced the bad driver with a clean copy while still booted under Bart's PE and shut down the machine. Next a normal startup into Windows. Next an MBAM scan - nothing found - and a Kaspersky scan - nothing found except for the copy of the bad file I saved under a changed name, which I then deleted. Kaspersky identified the infection as rootkit.win32.Tdss.u.

All is now ok. No more calling home 5 minutes after bootup, Safe mode works fine. So, another place is found to search for infections.

Happy Hunting

Last edited by Acco; 11-12-2009 at 12:41 PM.
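The fix above only worked once the disk driver was examined from outside the running OS, because the rootkit hid the modified file from anything that ran on top of it. The script below is an added example, not part of this thread or of any tool mentioned in it: it performs that offline check as a defender's integrity audit, hashing every .sys file in a drivers directory mounted from rescue media and comparing the results against a baseline of known-good hashes. The directory, file names and baseline hashes are all constructed for the demo; a real baseline would come from clean install media or an uninfected host of the same patch level.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_drivers(drivers_dir, baseline):
    """Compare every *.sys under an offline-mounted drivers directory with a
    baseline {filename: sha256}. Returns sorted lists of drivers whose bytes
    differ from the baseline, drivers absent from the baseline, and baseline
    drivers that are absent from disk. Names are compared case-insensitively
    because NTFS is case-insensitive."""
    found = {p.name.lower(): sha256_file(p) for p in Path(drivers_dir).glob("*.sys")}
    baseline = {k.lower(): v for k, v in baseline.items()}
    return {
        "modified": sorted(n for n, h in found.items() if n in baseline and baseline[n] != h),
        "unknown": sorted(n for n in found if n not in baseline),
        "missing": sorted(n for n in baseline if n not in found),
    }


def demo():
    """Constructed sample (hypothetical file names): one untouched driver, one
    whose bytes were altered in place (stand-in for the patched disk driver in
    the thread), one file the baseline does not know, and one baseline entry
    that is not on disk."""
    clean_a = b"constructed clean driver A"
    clean_b = b"constructed clean driver B"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "clean_driver.sys").write_bytes(clean_a)
        (d / "HDD_driver.sys").write_bytes(clean_b + b"\x90 patched tail")  # altered
        (d / "extra.sys").write_bytes(b"constructed unknown file")
        baseline = {
            "clean_driver.sys": hashlib.sha256(clean_a).hexdigest(),
            "hdd_driver.sys": hashlib.sha256(clean_b).hexdigest(),
            "absent.sys": hashlib.sha256(b"never written to disk").hexdigest(),
        }
        return audit_drivers(d, baseline)


if __name__ == "__main__":
    print(demo())
```

A modified entry is the strong signal here: an in-place patch of a legitimate driver leaves the name and location intact, so a name-based scan from the live system sees nothing unusual.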