globalroot\systemroot\svchost.exe Trojan issue

xerowun · June 11, 2012

Howdy, Starting last night we started seeing signs of malware on one of our computers. The license for the antivirus had expired shortly before and since I wasn't the one using it at the time no action was taken until today, but by that point the computer was starting to freeze and play odd advertisements in the background. After doing a scan with malwarebytes, as well as downloading Avast! and running a scan with that, all indications are pointing to svchost.exe acting malicious. The DDS scan logs are attached, any help removing this trojan would be greatly appreciated. Any other attempt through Avast! or malwarebytes have proven unsuccessful.

DDS.txt

Attach.txt

MrCharlie · June 11, 2012

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!)

Post back the report.

MrC

------->Logs will be closed if you haven't replied within 3 days!<--------

xerowun · June 11, 2012

Good day Mr C, the report from RK is as follows;

RogueKiller V7.5.4 [06/07/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Carley [Admin rights]

Mode: Scan -- Date: 06/11/2012 16:48:53

¤¤¤ Bad processes: 2 ¤¤¤

[sUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc]

[sVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK3275GSX +++++

--- User ---

[MBR] c14a194e47a70f624d48fac8dd35e444

[bSP] 35cff5c93c53e5a466e70c6c8ff31d64 : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 289747 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 596475904 | Size: 13997 Mo

User != LL1 ... KO!

--- LL1 ---

[MBR] c4914e1e81df3f4ac53ca6366093c6f1

[bSP] 35cff5c93c53e5a466e70c6c8ff31d64 : Windows Vista MBR Code

Partition table:

1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 289747 Mo

3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 596475904 | Size: 13997 Mo

User != LL2 ... KO!

--- LL2 ---

[MBR] c4914e1e81df3f4ac53ca6366093c6f1

[bSP] 35cff5c93c53e5a466e70c6c8ff31d64 : Windows Vista MBR Code

Partition table:

1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 289747 Mo

3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 596475904 | Size: 13997 Mo

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

MrCharlie · June 12, 2012

Lets do a check for rootkits.......

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

xerowun · June 12, 2012

The TDSSKiller log is attached. From what I can tell there are no active issues currently insofar that Avast! isn't blocking any activity, but I will let you be the final say.

TDSSKiller.2.7.36.0_11.06.2012_18.01.39_log.txt

MrCharlie · June 12, 2012

Yes, TDSSKiller cleaned out a bunch of malware.

Please do this............

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

xerowun · June 12, 2012

I have the combofix file included below for your review.

ComboFix.txt

MrCharlie · June 12, 2012

Looks Good......

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

xerowun · June 12, 2012

<div>The system seems to be running as it should, everything checks out.</div>

<div>Malwarebytes Anti-Malware 1.61.0.1400</div>

<div>www.malwarebytes.org</div>

<div>Database version: v2012.06.12.02</div>

<div>Windows 7 Service Pack 1 x64 NTFS</div>

<div>Internet Explorer 9.0.8112.16421</div>

<div>Carley :: CARLEY-PC [administrator]</div>

<div>Scan options disabled: P2P</div>

<div>Objects scanned: 296383</div>

<div>Time elapsed: 29 minute(s), 45 second(s)</div>

<div>Memory Processes Detected: 0</div>