Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

SVCHOST atapi cdrom

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

SVCHOST atapi cdrom

Unread postby ultutt00 » February 4th, 2010, 9:43 am

From time to time my AVG resident shield reports an infection with the notice "Virus identified Packed Protector.C." I am not permited to remove this because it claims that "Object is white-listed (critical/systemfile that should not be removed)". I should mention that my system restore function has been off for a month or so because something malicious was in there.
Below is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:40:35, on 04/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\av_md.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Guitar Pro 5\GP5.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: עוזר הכניסה של Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Nokia FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [av_md] C:\WINDOWS\system32\av_md.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [av_md] C:\Documents and Settings\user\av_md.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4897 bytes


Here is the uninstall list:

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Free 8.5
BitLord 1.1
Choice Guard
DAEMON Tools Toolbar
DivX Codec
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
EarMaster Pro 5
eMule
Guild Wars
Guitar Pro 5.0
Hero Editor V0.96
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB942288-v3)
Java(TM) 6 Update 17
Junk Mail filter update
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.7)
MSVC80_x86
MSVCRT
MSXML 6.0 Parser (KB933579)
Nero 6 Ultra Edition
Nokia Connectivity Cable Driver
Nokia Ovi Application Installer
Nokia Ovi Application Installer 6.85.3011
Nokia Ovi Content Copier
Nokia Ovi Content Copier 6.85.3011
Nokia Ovi Suite
Nokia Ovi System Utilities
Nokia Ovi System Utilities 6.85.3016
Nokia PC Suite
Nokia PC Suite
Nokia Software Updater
NVIDIA Drivers
PC Connectivity Solution
Realtek AC'97 Audio
Segoe UI
Spybot - Search & Destroy
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
WinRAR archiver
World of Warcraft
חבילת התקני Windows. - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
חבילת התקני Windows. - Nokia Modem (06/01/2009 4.1)
חבילת התקני Windows. - Nokia Modem (06/01/2009 7.01.0.3)
מסייע הכניסה של Windows Live

Thank you
ultutt00
Active Member
 
Posts: 4
Joined: February 4th, 2010, 9:12 am
Advertisement
Register to Remove

Re: SVCHOST atapi cdrom

Unread postby MWR 3 day Mod » February 7th, 2010, 9:00 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: SVCHOST atapi cdrom

Unread postby deltalima » February 12th, 2010, 6:30 am

Hi ultutt00,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: SVCHOST atapi cdrom

Unread postby deltalima » February 12th, 2010, 9:40 am

Hi ultutt00,

BACKDOOR TROJAN

I'm afraid I have some bad news for you. Your computer is infected with BACKDOOR TROJAN. Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victims machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, Backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer, change settings on the computer and more. Please read this article by Roger A. Grimes on Remote Access Trojans it will give you an Idea of the severity of the type of infection you have.

What are Remote Access Trojans and why are they dangerous


You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.


How do I respond to a possible identity theft and how do I prevent it


Because of the severity and the capabilities of this type of virus, (it cannot be known what changes to your system it has made or if it opened up other ways into your system) The only responsible course of action I can advise is to reformat your computer and reinstall windows.

Further reading:

When should do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Should you have any questions please feel free to ask.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: SVCHOST atapi cdrom

Unread postby ultutt00 » February 12th, 2010, 10:17 am

deltalima,

From what you've written me, I see that I have no recourse but to reformat the affected computer and reinstall its operating system. Based on this advice I have contacted my trusted computer technician to have him pay this computer a visit and carry out these instructions. I had hoped to solve this problem myself and save myself the expense, but this is far too serious a matter now for me to rely on my layman's level of understanding. I thank you for warning me of the seriousness of this threat. I only wonder now how this got into that computer (do you see any program that could have been the conduit?) and what I should do (or not do) to reduce the chances of this happening again? Any words of wisdom you can share would be appreciated.
ultutt00
Active Member
 
Posts: 4
Joined: February 4th, 2010, 9:12 am

Re: SVCHOST atapi cdrom

Unread postby deltalima » February 12th, 2010, 2:20 pm

Hi ultutt00,

From what you've written me, I see that I have no recourse but to reformat the affected computer and reinstall its operating system


That is a very wise decision.

I only wonder now how this got into that computer (do you see any program that could have been the conduit?) and what I should do (or not do) to reduce the chances of this happening again? Any words of wisdom you can share would be appreciated.


There are many ways that infections can get onto a computer. You are running and antivirus program and that is crucial, once you machine has been reformatted then ensure that the first job is to reinstall the antivirus software and keep it updated

You have no firewall installed, I recommend that you install one as the next job after the antivirus.

Another area of concern is that you are running outdated versions of critical software, Windows XP, Internet Explorer and Adobe Reader are all badly out of date so on the reformatted machine make sure that these (and Java) are all kept updated.

From the logs you posted, the biggest security risk and most likely reason for the infection is the use of Peer to Peer filesharing programs, namely eMule and BitLord 1.1. Please see the warning here

Please let me know when you have read this so that the thread can be archived.

Good luck with the newly formatted computer. Happy surfing and stay clean!
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: SVCHOST atapi cdrom

Unread postby ultutt00 » February 12th, 2010, 3:03 pm

Thank you deltalima for taking the time to help me. I will take all your advice to heart and discuss it all with my technician when he gets here and see how we can make sure the updating you mentioned is regularly carried out from now on. The fact that my firewall was down was a disturbing bit of information. It was always up as far as I knew, or at least I assumed it was up because I remember making a point to erect it; now I suspect that the backdoor trojan took it down without me noticing.

You can archive this thread now. I have read it.
ultutt00
Active Member
 
Posts: 4
Joined: February 4th, 2010, 9:12 am

Re: SVCHOST atapi cdrom

Unread postby deltalima » February 12th, 2010, 3:41 pm

Hi ultutt00,

The fact that my firewall was down was a disturbing bit of information. It was always up as far as I knew


If I may add a little further explanation, the logs did not show that the Windows firewall was down, I was referring to the fact that you were not using a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world.Firewalls protect against hackers and malicious intruders. There are several free firewalls available, one I would highly recommend is

Online-Armor by Tall Emu

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: SVCHOST atapi cdrom

Unread postby Dakeyras » February 14th, 2010, 6:52 am

Since we have done all we can, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 71 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware