Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Strange svchost.exe

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Strange svchost.exe

Unread postby andy10614 » February 28th, 2009, 5:05 pm

Hiya guys,
I currently have a Windows XP desktop computer which is quite often slow, however i recently brought some more RAM for it, which did help in speeding it up alot.

However sometimes it becomes very slow for a short period of time, the process svchost.exe was taking more or less 90-100% of the cpu. (it is the network service of svchost.exe)

Here is the HJT report (Updated file names as requested,therefore a new log.) :


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:38:45, on 04/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\SwiftKit\SwiftKit.exe
C:\Program Files\Trend Micro\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BN-WD54G Wireless Client Utility.lnk = C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsup ... gctlsr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6683 bytes



Thanks in advance. :compress:
andy10614
Active Member
 
Posts: 11
Joined: February 28th, 2009, 4:54 pm
Advertisement
Register to Remove

Re: Strange svchost.exe

Unread postby John B. » March 5th, 2009, 11:47 am

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me how long it will take so the topic will not be closed.

These rules are to make my voluntary work more comfortable:
  • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • Please reply to this thread. Do not start a new topic.
  • Also, don't post logs as attachments. Other helpers like to view the logs as well and opening a lot of attachments is irritating. It can also contain malware.

Finally, please make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Open The Misc Tool Section button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic.

Regards,
John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Strange svchost.exe

Unread postby andy10614 » March 5th, 2009, 6:40 pm

Hiya John, thanks for your response, here is the Uninstall list you requested:

Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
BN-WD54G Wireless Client Utility
Bonjour
Canon PIXMA iP1500
COMODO Internet Security
COMODO SafeSurf
DivX Web Player
Fraps (remove only)
Free Video to iPod Converter version 3.1
Free YouTube to iPod Converter version 3.1
Free YouTube to Mp3 Converter version 3.1
GIMP 2.4.6
Hamachi 1.0.3.0
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HyperCam 2
Intel(R) Extreme Graphics Driver
iTunes
Java(TM) 6 Update 12
K-Lite Mega Codec Pack 4.0.0
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIRC
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Network Play System (Patching)
Opera 9.63
QuickTime
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Shockwave
Skype™ 4.0
Sony Vegas Pro 8.0
Spybot - Search & Destroy
SwiftKit
The Sims Unleashed
Uninstall 1.0.0.1
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Imaging Component
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver


P.S. i have tried to remove "The Sims Unleashed" several times, all of which it has failed, not that I think this is what is causing the problem as i cannot find any of the files from the program on the computer.

Thanks, Andy.
andy10614
Active Member
 
Posts: 11
Joined: February 28th, 2009, 4:54 pm

Re: Strange svchost.exe

Unread postby John B. » March 6th, 2009, 5:17 pm

Hi Andy,

P.S. i have tried to remove "The Sims Unleashed" several times, all of which it has failed, not that I think this is what is causing the problem as i cannot find any of the files from the program on the computer.

We will work on this stuff after you are finishing the cleaning procedure.

There is nothing in your log that looks bad, so we will run two scans, but I think you are clean.

Step 1: Disable Ad-Aware Ad-Watch
Please disable Ad-Aware Ad-Watch as it may interfere with the fix.
  • Right click on the Ad-Watch icon in the system tray.
  • At the bottom of the screen there will be two checkable items called Active and Automatic.
    • Active: This will turn Ad-Watch On\Off without closing it.
    • Automatic: Suspicious activity will be blocked automatically.
  • Uncheck both of those boxes.
  • If you did not have those options there could be an option called Disable AdWatch-Live, so check that one.
Once your log is clean you can re-enable those settings in Ad-Aware.

Step 2: Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.

Step 3: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 4: Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Close the Notepad file.
  • The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 5: Reboot
To make sure MalwareBytes' Anti-Malware has finished completely and we can go on.

Step 6: Download and Run ComboFix
Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti virus program please see this:
http://www.bleepingcomputer.com/forums/topic114351.html

If your have Avast as anti virus an additional thing has to be changed to make ComboFix work properly:
Image

Go on with the ComboFix guide when it opens its log please close it.

Remember that the ComboFix log is saved here: C:\ComboFix.txt

Step 7: Post logs
Please post the following logs in a reply to this topic (use multiple posts if the logs are cut off):
  • New HijackThis log
  • MalwareBytes' Anti-Malware log
  • ComboFix log

Regards,
John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Strange svchost.exe

Unread postby andy10614 » March 6th, 2009, 7:39 pm

Hiya John,
Here are the three logs:

ComboFix:

ComboFix 09-03-04.01 - single user 2009-03-06 23:11:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.884 [GMT 0:00]
Running from: c:\documents and settings\single user\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090306-0] *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mdm.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-06 22:10 . 2009-03-06 22:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-06 22:10 . 2009-03-06 22:10 <DIR> d-------- c:\documents and settings\single user\Application Data\Malwarebytes
2009-03-06 22:10 . 2009-03-06 22:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-06 22:10 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-06 22:10 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-26 17:13 . 2009-03-04 17:34 <DIR> d-------- c:\program files\Trend Micro
2009-02-23 21:56 . 2009-02-23 21:24 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-23 21:27 . 2009-02-23 21:24 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-23 21:18 . 2009-02-23 21:18 <DIR> d-------- c:\program files\Lavasoft
2009-02-23 21:18 . 2009-02-23 21:18 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-18 21:11 . 2009-02-18 21:12 <DIR> d-------- c:\program files\HyCam2
2009-02-18 18:25 . 2009-02-28 20:49 <DIR> d-------- c:\documents and settings\single user\Application Data\Skype
2009-02-18 18:24 . 2009-02-18 18:24 <DIR> dr------- c:\program files\Skype
2009-02-18 18:24 . 2009-02-18 18:24 <DIR> d-------- c:\program files\Common Files\Skype
2009-02-16 01:48 . 2009-02-16 01:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-16 00:01 . 2009-02-23 00:23 <DIR> d-------- c:\program files\DivX
2009-02-14 16:34 . 2009-02-14 23:50 <DIR> d-------- c:\documents and settings\single user\Application Data\Hamachi
2009-02-14 16:32 . 2009-02-14 16:32 25,280 --a------ c:\windows\system32\drivers\hamachi.sys
2009-02-14 16:31 . 2009-02-14 16:34 <DIR> d-------- c:\program files\Hamachi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 22:06 --------- d-----w c:\documents and settings\single user\Application Data\mIRC
2009-03-06 22:01 --------- d-----w c:\program files\mIRC
2009-03-06 18:58 34 ----a-w c:\documents and settings\single user\jagex_runescape_preferences.dat
2009-03-05 22:32 --------- d-----w c:\program files\SwiftKit
2009-03-03 22:12 --------- d-----w c:\documents and settings\single user\Application Data\LimeWire
2009-02-28 20:32 --------- d-----w c:\documents and settings\single user\Application Data\skypePM
2009-02-26 23:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 21:51 110,992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-26 18:21 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-23 21:38 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-23 21:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-23 21:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-23 21:18 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-20 14:57 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2009-02-20 09:24 24,336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-02-18 18:24 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-16 11:13 --------- d-----w c:\program files\ShortKeys2
2009-02-16 01:07 57,344 ----a-w c:\windows\ALCXMNTR.EXE
2009-01-30 17:46 --------- d-----w c:\documents and settings\single user\Application Data\gtk-2.0
2009-01-18 20:33 --------- d-----w c:\program files\Common Files\Adobe
2009-01-18 20:21 --------- d-----w c:\program files\Kontiki
2009-01-18 20:15 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-09 17:38 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-04-07 10:03 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
1998-12-09 09:53 99,840 -c--a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 09:53 70,144 -c--a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 09:53 48,640 -c--a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 09:53 31,744 -c--a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 09:53 186,368 -c--a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 09:53 17,920 -c--a-w c:\program files\Common Files\IRASRIAL.DLL
2008-09-25 15:13 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092520080926\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-12-17 278264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-02-26 1851128]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-23 509784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BN-WD54G Wireless Client Utility.lnk - c:\program files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe [2008-02-22 593920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cssdll32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:Gnutella port

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-04 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-17 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-17 24336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-04 20560]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 naecd;naecd;\??\c:\docume~1\SINGLE~1\LOCALS~1\Temp\naecd.sys --> c:\docume~1\SINGLE~1\LOCALS~1\Temp\naecd.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-23 21:24]

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
Trusted Zone: youtube.com\www
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 23:17:45
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(1748)
c:\windows\system32\guard32.dll
c:\progra~1\WINDOW~2\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-06 23:24:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-06 23:24:02

Pre-Run: 3,690,356,736 bytes free
Post-Run: 3,641,905,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

183 --- E O F --- 2009-02-25 17:06:01





HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:26:40, on 06/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BN-WD54G Wireless Client Utility.lnk = C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsup ... gctlsr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6037 bytes





Malwarebytes' Anti Malware:

Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 3

06/03/2009 22:54:55
mbam-log-2009-03-06 (22-54-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 114861
Time elapsed: 42 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Thanks alot, Andy.
andy10614
Active Member
 
Posts: 11
Joined: February 28th, 2009, 4:54 pm

Re: Strange svchost.exe

Unread postby John B. » March 7th, 2009, 6:32 am

Hi Andy,

Well done! Seems like you did everything perfectly.

Can you please post the contents of this file:
C:\Qoobox\ComboFix-quarantined-files.txt

Regards,
John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Strange svchost.exe

Unread postby andy10614 » March 7th, 2009, 8:11 am

Hiya, here is the combofix-quarantined-files:


1998-09-03 23:09:08 AC------ 119,400 C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir
2009-03-06 23:07:28 A------- 108 C:\Qoobox\Quarantine\catchme.log
2009-03-06 23:14:12 A------- 8,137 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-03-06 23:14:27 A------- 276 C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2009-03-06 23:22:04 A------- 171 C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}.reg.dat


Thanks, Andy.
andy10614
Active Member
 
Posts: 11
Joined: February 28th, 2009, 4:54 pm

Re: Strange svchost.exe

Unread postby John B. » March 7th, 2009, 2:23 pm

Hi Andy,

There is one file that we need to research a little more.
C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir

  • Copy/Paste the file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.

Post the complete results into a reply to this topic.

Regards,
John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Strange svchost.exe

Unread postby andy10614 » March 7th, 2009, 7:26 pm

Hello John,
I used both sites because the first one didnt seem very clear to read, here is the VirusTotal log (I think i copied everything that you will need):

File MDM.EXE.vir received on 03.08.2009 00:18:42 (CET)
Current status: finished
Result: 0/39 (0%)
Compact
Print results Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.07 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.105 2009.03.07 -
Authentium 5.1.0.4 2009.03.07 -
Avast 4.8.1335.0 2009.03.06 -
AVG 8.0.0.237 2009.03.07 -
BitDefender 7.2 2009.03.07 -
CAT-QuickHeal 10.00 2009.03.07 -
ClamAV 0.94.1 2009.03.06 -
Comodo 1035 2009.03.07 -
DrWeb 4.44.0.09170 2009.03.07 -
eSafe 7.0.17.0 2009.03.05 -
eTrust-Vet 31.6.6386 2009.03.06 -
F-Prot 4.4.4.56 2009.03.07 -
F-Secure 8.0.14470.0 2009.03.07 -
Fortinet 3.117.0.0 2009.03.07 -
GData 19 2009.03.07 -
Ikarus T3.1.1.45.0 2009.03.07 -
K7AntiVirus 7.10.663 2009.03.07 -
Kaspersky 7.0.0.125 2009.03.07 -
McAfee 5546 2009.03.07 -
McAfee+Artemis 5546 2009.03.07 -
Microsoft 1.4405 2009.03.07 -
NOD32 3917 2009.03.07 -
Norman 6.00.06 2009.03.06 -
nProtect 2009.1.8.0 2009.03.07 -
Panda 10.0.0.10 2009.03.07 -
PCTools 4.4.2.0 2009.03.07 -
Prevx1 V2 2009.03.08 -
Rising 21.19.42.00 2009.03.06 -
SecureWeb-Gateway 6.7.6 2009.03.07 -
Sophos 4.39.0 2009.03.07 -
Sunbelt 3.2.1858.2 2009.03.08 -
Symantec 1.4.4.12 2009.03.07 -
TheHacker 6.3.2.7.275 2009.03.07 -
TrendMicro 8.700.0.1004 2009.03.06 -
VBA32 3.12.10.1 2009.03.07 -
ViRobot 2009.3.7.1639 2009.03.07 -
VirusBuster 4.5.11.0 2009.03.07 -
Additional information
File size: 119400 bytes
MD5...: 95d85d69ffc099c516d99cb9581e3fe2
SHA1..: 138b3b95b6a22ebc9c56d9025a68f64862fc2e4f
SHA256: d1cb7a385a1b238d2910687863c36328c4371edd11a9ef783a3853049d531720
SHA512: 924d4cd6e6bce6015e3046ed82661f3a8c5b51f556a2e887d0bb6959df29886f
48837e3469d3decad3671c3d2a10383847d06148402cc0295476fd88fa36916d
ssdeep: 3072:qCYLZ2tYATfsmATfc38DnA0fLLpGKowi3wsxYloP6aQF0DFW/iSF:6mhOhf
LY9Yhl86aI0DFW/F
PEiD..: InstallShield 2000
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14ac0
timedatestamp.....: 0x356ef682 (Fri May 29 17:55:14 1998)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x14b72 0x14c00 6.33 2255a2c27c5b47c332e742177659d44b
.rdata 0x16000 0x493a 0x4a00 5.43 72f2880f65838f879deb97763b781372
.data 0x1b000 0x2bc 0x200 1.08 a38cb0a1bdb640841928bb65e5402379
.rsrc 0x1c000 0x1088 0x1200 4.85 fa393ec2b54445b48bbb2aabf4a15a4e

( 6 imports )
> USER32.dll: PostThreadMessageA, KillTimer, DispatchMessageA, GetMessageA, SetTimer, LoadStringA, MessageBoxA, MsgWaitForMultipleObjects, PeekMessageA, EnumWindows, GetWindowTextA, IsWindowVisible, GetWindowThreadProcessId, wsprintfA, CharNextA, TranslateMessage, wvsprintfA, wvsprintfW
> KERNEL32.dll: lstrcpynA, MultiByteToWideChar, FindResourceA, LoadLibraryExA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, lstrcatA, WritePrivateProfileStringA, LeaveCriticalSection, EnterCriticalSection, DebugBreak, GetCurrentProcess, GetCurrentThread, HeapDestroy, OutputDebugStringA, OutputDebugStringW, lstrcatW, GetPrivateProfileSectionNamesA, GetVersion, GetPrivateProfileStringA, lstrcpyA, SetEvent, ResumeThread, OpenEventA, CreateThread, OpenProcess, CreateEventA, GetCurrentProcessId, WaitForSingleObject, GetModuleHandleA, CreateProcessA, CloseHandle, WideCharToMultiByte, InitializeCriticalSection, TerminateProcess, GetComputerNameA, GetModuleFileNameA, InterlockedIncrement, DeleteCriticalSection, LocalAlloc, GetCommandLineA, lstrcmpiA, GetThreadLocale, GetLastError, LocalFree, GetProcAddress, lstrlenA, LoadLibraryA, InterlockedDecrement, GetCurrentThreadId, lstrlenW, GetFileSize, FreeLibrary, CreateFileA, SizeofResource, LoadResource, GetStartupInfoA
> ole32.dll: CoImpersonateClient, CoDisconnectObject, CoRevertToSelf, CoCreateInstance, CoCreateGuid, CoInitialize, CoInitializeSecurity, CoUninitialize, StringFromIID, IIDFromString, CoTaskMemAlloc, CoTaskMemRealloc, WriteClassStm, OleSaveToStream, OleLoadFromStream, CoReleaseMarshalData, CoMarshalInterface, CreateStreamOnHGlobal, CoUnmarshalInterface, ProgIDFromCLSID, CoRegisterClassObject, CoRevokeClassObject, StringFromGUID2, CoTaskMemFree, StringFromCLSID
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> ADVAPI32.dll: GetTokenInformation, OpenThreadToken, IsValidAcl, CopySid, RegEnumKeyExA, RegQueryInfoKeyA, RegOpenKeyA, RegEnumValueA, RegDeleteValueA, OpenSCManagerA, OpenServiceA, ControlService, DeleteService, CloseServiceHandle, CreateServiceA, StartServiceCtrlDispatcherA, RegCreateKeyA, LookupAccountNameA, GetLengthSid, GetSecurityDescriptorOwner, GetKernelObjectSecurity, GetSecurityDescriptorDacl, GetAclInformation, DeleteAce, AddAce, AdjustTokenPrivileges, LookupPrivilegeValueA, EqualSid, GetSecurityDescriptorGroup, RegSetValueA, RegCreateKeyExA, RegOpenKeyExA, IsValidSecurityDescriptor, RegCloseKey, RegEnumKeyA, RegDeleteKeyA, ReportEventA, RegisterEventSourceA, DeregisterEventSource, SetServiceStatus, GetSecurityDescriptorLength, RegisterServiceCtrlHandlerA, RegQueryValueExA, GetUserNameA, RegSetValueExA, SetSecurityDescriptorSacl, SetSecurityDescriptorDacl, MakeSelfRelativeSD, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, SetSecurityDescriptorGroup, AddAccessDeniedAce, AddAccessAllowedAce, OpenProcessToken, GetSecurityDescriptorSacl, GetAce, InitializeAcl
> MSVCRT.dll: wcscpy, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _purecall, free, _mbsicmp, _wcsicmp, _makepath, _splitpath, atol, isdigit, _mbsninc, _mbscmp, puts, _mbschr, _mbsdec, _ultoa, strtoul, realloc, malloc, vsprintf, _controlfp, towlower, vswprintf, wcstombs, __dllonexit, _onexit, _except_handler3, _terminate@@YAXXZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, wcslen, wcscat, _mbsinc

( 0 exports )
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=95d85d69ffc099c516d99cb9581e3fe2' target='_blank'>http://www.threatexpert.com/report.aspx?md5=95d85d69ffc099c516d99cb9581e3fe2</a>




Here is the Jotti's log too:

Scan taken on 07 Mar 2009 23:23:27 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Quick Heal Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Thanks, Andy.
andy10614
Active Member
 
Posts: 11
Joined: February 28th, 2009, 4:54 pm

Re: Strange svchost.exe

Unread postby John B. » March 8th, 2009, 9:15 am

Hi Andy,

There is one more file which we need to know a little more about:
Please download SystemLook from one of the links below and save it to your desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :file
    C:\docume~1\SINGLE~1\LOCALS~1\Temp\naecd.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post that log. It can also be found on your desktop.

Regards,
John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Strange svchost.exe

Unread postby andy10614 » March 8th, 2009, 3:14 pm

Hiya John, I downloaded SystemLook, however it didn't seem to be able to find the file you requested, also upon searching for the file throught the computer it wasn't found either.
Here is the log anyway:


SystemLook v1.0 by jpshortstuff (02.03.09)
Log created at 18:56 on 08/03/2009 by single user (Administrator - Elevation successful)

========== file ==========

C:\docume~1\SINGLE~1\LOCALS~1\Temp\naecd.sys - Unable to find/read file.

-=End Of File=-


Thanks, Andy.
andy10614
Active Member
 
Posts: 11
Joined: February 28th, 2009, 4:54 pm

Re: Strange svchost.exe

Unread postby John B. » March 8th, 2009, 3:58 pm

Hi Andy,

Thanks for doing that. Does not matter if the file is not there.

Please open Notepad and copy/paste the text in the box into the window:

Code: Select all
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=40363

Suspect::
C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti virus program please see this:
http://www.bleepingcomputer.com/forums/topic114351.html

If your have Avast as anti virus an additional thing has to be changed to make ComboFix work properly:
Image

After doing that close any open browsers.

Image

Refering to the picture above, drag CFScript into ComboFix.exe

ComboFix will start scannning and when it opens its log please post that log.

Also let me know about any problems you still have with your computer. Tell me in as much detail as possible so that I have a clear view about what is happening.

Regards,
John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Strange svchost.exe

Unread postby andy10614 » March 9th, 2009, 11:53 am

Hiya John, Here is the log:

ComboFix 09-03-06.02 - single user 2009-03-09 15:42:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.861 [GMT 0:00]
Running from: c:\documents and settings\single user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\single user\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090308-0] *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-09 to 2009-03-09 )))))))))))))))))))))))))))))))
.

2009-03-06 22:10 . 2009-03-06 22:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-06 22:10 . 2009-03-06 22:10 <DIR> d-------- c:\documents and settings\single user\Application Data\Malwarebytes
2009-03-06 22:10 . 2009-03-06 22:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-06 22:10 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-06 22:10 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-26 17:13 . 2009-03-04 17:34 <DIR> d-------- c:\program files\Trend Micro
2009-02-23 21:56 . 2009-02-23 21:24 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-23 21:27 . 2009-02-23 21:24 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-23 21:18 . 2009-02-23 21:18 <DIR> d-------- c:\program files\Lavasoft
2009-02-23 21:18 . 2009-02-23 21:18 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-18 21:11 . 2009-02-18 21:12 <DIR> d-------- c:\program files\HyCam2
2009-02-18 18:25 . 2009-02-28 20:49 <DIR> d-------- c:\documents and settings\single user\Application Data\Skype
2009-02-18 18:24 . 2009-02-18 18:24 <DIR> dr------- c:\program files\Skype
2009-02-18 18:24 . 2009-02-18 18:24 <DIR> d-------- c:\program files\Common Files\Skype
2009-02-16 01:48 . 2009-02-16 01:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-16 00:01 . 2009-02-23 00:23 <DIR> d-------- c:\program files\DivX
2009-02-14 16:34 . 2009-02-14 23:50 <DIR> d-------- c:\documents and settings\single user\Application Data\Hamachi
2009-02-14 16:32 . 2009-02-14 16:32 25,280 --a------ c:\windows\system32\drivers\hamachi.sys
2009-02-14 16:31 . 2009-02-14 16:34 <DIR> d-------- c:\program files\Hamachi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-08 23:28 --------- d-----w c:\program files\SwiftKit
2009-03-08 19:23 34 ----a-w c:\documents and settings\single user\jagex_runescape_preferences.dat
2009-03-08 19:00 --------- d-----w c:\documents and settings\single user\Application Data\mIRC
2009-03-08 18:59 --------- d-----w c:\program files\mIRC
2009-03-03 22:12 --------- d-----w c:\documents and settings\single user\Application Data\LimeWire
2009-02-28 20:32 --------- d-----w c:\documents and settings\single user\Application Data\skypePM
2009-02-26 23:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 21:51 155,384 ----a-w c:\windows\system32\guard32.dll
2009-02-26 21:51 110,992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-26 18:21 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-23 21:38 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-23 21:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-23 21:18 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-23 21:18 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-20 14:57 --------- d-----w c:\documents and settings\All Users\Application Data\comodo
2009-02-20 09:24 24,336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-02-18 18:24 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-16 11:13 --------- d-----w c:\program files\ShortKeys2
2009-02-16 01:47 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-16 01:07 57,344 ----a-w c:\windows\ALCXMNTR.EXE
2009-01-30 17:46 --------- d-----w c:\documents and settings\single user\Application Data\gtk-2.0
2009-01-18 20:33 --------- d-----w c:\program files\Common Files\Adobe
2009-01-18 20:21 --------- d-----w c:\program files\Kontiki
2009-01-18 20:15 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-09 17:38 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-17 21:43 249,592 ----a-w c:\windows\system32\cssdll32.dll
2008-12-12 11:18 87,336 -c--a-w c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-04-07 10:03 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
1998-12-09 09:53 99,840 -c--a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 09:53 70,144 -c--a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 09:53 48,640 -c--a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 09:53 31,744 -c--a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 09:53 186,368 -c--a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 09:53 17,920 -c--a-w c:\program files\Common Files\IRASRIAL.DLL
2008-09-25 15:13 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092520080926\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-06_23.21.59.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-06 18:58:26 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
+ 2009-03-08 19:23:18 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
- 2009-03-06 18:58:26 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
+ 2009-03-08 19:23:18 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
+ 2009-03-09 15:26:51 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_558.dat
+ 2009-03-09 15:26:14 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-12-17 278264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-16 148888]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-02-26 1851128]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-23 509784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BN-WD54G Wireless Client Utility.lnk - c:\program files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe [2008-02-22 593920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\cssdll32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:Gnutella port

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-04 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-17 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-17 24336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-04 20560]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 naecd;naecd;\??\c:\docume~1\SINGLE~1\LOCALS~1\Temp\naecd.sys --> c:\docume~1\SINGLE~1\LOCALS~1\Temp\naecd.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-23 21:24]

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
Trusted Zone: youtube.com\www
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 15:46:28
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\cssdll32.dll
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\cssdll32.dll
c:\windows\system32\guard32.dll
.
Completion time: 2009-03-09 15:49:55
ComboFix-quarantined-files.txt 2009-03-09 15:49:41
ComboFix2.txt 2009-03-06 23:24:12

Pre-Run: 3,417,788,416 bytes free
Post-Run: 3,453,165,568 bytes free

171 --- E O F --- 2009-02-25 17:06:01



Just to tell you, the problems seem to have stopped for a while, I will try to look out if it keeps happening again.

Thanks, Andy.
andy10614
Active Member
 
Posts: 11
Joined: February 28th, 2009, 4:54 pm

Re: Strange svchost.exe

Unread postby John B. » March 9th, 2009, 4:49 pm

Hi Andy,

We will need to run a CFScript one more time, but this time I will not let it do the whole scan.

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir

Quit::


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti virus program please see this:
http://www.bleepingcomputer.com/forums/topic114351.html

If your have Avast as anti virus an additional thing has to be changed to make ComboFix work properly:
Image

After doing that close any open browsers.

Image

Refering to the picture above, drag CFScript into ComboFix.exe

ComboFix will start doing its thing. After it has finished a log called DeQuarantine_log.txt will be opened. Please post that together with a new HijackThis log and also tell me about any problems/questions you have. If you have no problems/questions, would you consider this case done?

Regards,
John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Strange svchost.exe

Unread postby andy10614 » March 9th, 2009, 7:22 pm

Hiya John,
Here is the DeQuarantine log:

C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir -> C:\WINDOWS\system32\MDM.EXE ( 119400 bytes )


And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:18:35, on 09/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BN-WD54G Wireless Client Utility.lnk = C:\Program Files\BLUENEXT\BN-WD54G\Installer\WINXP\BCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.youtube.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsup ... gctlsr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6299 bytes



If this log seems okay, then i would say that the problem would probably be solved, however should i remove the programs, like combofix, hijackthis ect. or just leave them on the computer?

Thanks for all your help, Andy.
andy10614
Active Member
 
Posts: 11
Joined: February 28th, 2009, 4:54 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 484 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware