Jump to content

svchost.exe winrscmde infection


MartinMGA

Recommended Posts

Hello,

I have a system running Windows 7 Home edition that appears to be infected. Symptoms include random audio ads and poor performance caused by a process running svchost.exe with description 'winrscmde'. I've run MBAM repeatedly and it detects a Trojan Agent in svchost.exe, but is unable to clean it. Following the instructions in this forum, I've downloaded dds.scr and run it. The DDS.txt and Attach.txt logs are attached.

Any help removing this will be much appreciated. Thank you in advance.Attach.txtDDS.txt

Link to post
Share on other sites

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Link to post
Share on other sites

Thanks for your response, MrC! Here's the RogueKiller report:

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Jeffrey [Admin rights]

Mode : Scan -- Date : 09/12/2012 21:51:37

¤¤¤ Bad processes : 1 ¤¤¤

[sVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\n.) -> FOUND

[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST375052 8AS SCSI Disk Device +++++

--- User ---

[MBR] ed901f0165c1f4fc827850f7acf7d823

[bSP] ab39d269876e95b2d4c1e038d272bb99 : Acer tatooed MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31459328 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31664128 | Size: 699942 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive2: Generic SD/MMC USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive4: Generic MS/MS-PRO USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Link to post
Share on other sites

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    2012081514h0118.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    2012081517h0349.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

Link to post
Share on other sites

I downloaded and ran TDSSKiller. Here's the initial report:

09:21:06.0799 5808 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48

09:21:07.0189 5808 ============================================================

09:21:07.0189 5808 Current date / time: 2012/09/13 09:21:07.0189

09:21:07.0189 5808 SystemInfo:

09:21:07.0189 5808

09:21:07.0189 5808 OS Version: 6.1.7601 ServicePack: 1.0

09:21:07.0189 5808 Product type: Workstation

09:21:07.0189 5808 ComputerName: JEFFREY-PC

09:21:07.0189 5808 UserName: Jeffrey

09:21:07.0189 5808 Windows directory: C:\Windows

09:21:07.0189 5808 System windows directory: C:\Windows

09:21:07.0189 5808 Running under WOW64

09:21:07.0189 5808 Processor architecture: Intel x64

09:21:07.0189 5808 Number of processors: 2

09:21:07.0189 5808 Page size: 0x1000

09:21:07.0189 5808 Boot type: Normal boot

09:21:07.0189 5808 ============================================================

09:21:08.0449 5808 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

09:21:08.0469 5808 ============================================================

09:21:08.0469 5808 \Device\Harddisk0\DR0:

09:21:08.0469 5808 MBR partitions:

09:21:08.0469 5808 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1E00800, BlocksNum 0x32000

09:21:08.0469 5808 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1E32800, BlocksNum 0x55713000

09:21:08.0469 5808 ============================================================

09:21:08.0499 5808 C: <-> \Device\Harddisk0\DR0\Partition2

09:21:08.0499 5808 ============================================================

09:21:08.0499 5808 Initialize success

09:21:08.0499 5808 ============================================================

09:21:30.0787 5312 Deinitialize success

Followed the instructions and after reboot, ran the scan. It found two objects, one malicious and one suspicious. Clicked continue and it ran 'cure' on the malicious one and rebooted again. After that reboot, TDSSkiller started again so I ran the scan again. This time it found only the suspicious object (sounds promising!) The reports from the two scans are big, so I've zipped and attached them. Thanks!TDSSKiller.2.8.8.0_13.09.2012_09.24.41_log.txt.7zTDSSKiller.2.8.8.0_13.09.2012_09.29.01_log.txt.7z

Link to post
Share on other sites

Run TDSSKiller again and choose Delete for this one only: (no need to post the log)

09:26:25.0692 1364 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

09:26:25.0692 1364 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~~~~

Reboot and........

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Reboot and scan the system with RogueKiller again and post the new log, MrC

Link to post
Share on other sites

Ran the delete in TDSSkiller, then the MBAM quick scan. It found one object (before we started, it would find two). Here are its logs from before and after I told it to Remove Selected Items.

Before:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.13.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Jeffrey :: JEFFREY-PC [administrator]

9/13/2012 11:20:54 AM

mbam-log-2012-09-13 (11-29-15).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 246896

Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

(end)

After:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.13.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Jeffrey :: JEFFREY-PC [administrator]

9/13/2012 11:20:54 AM

mbam-log-2012-09-13 (11-20-54).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 246896

Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

RogueKiller report after reboot:

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Jeffrey [Admin rights]

Mode : Scan -- Date : 09/13/2012 11:34:27

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\n.) -> FOUND

[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST375052 8AS SCSI Disk Device +++++

--- User ---

[MBR] ed901f0165c1f4fc827850f7acf7d823

[bSP] ab39d269876e95b2d4c1e038d272bb99 : Acer tatooed MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31459328 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31664128 | Size: 699942 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive1: Generic Compact Flash USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive2: Generic SD/MMC USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive3: Generic microSD USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

+++++ PhysicalDrive4: Generic MS/MS-PRO USB Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

I did notice when running TDSSkiller to delete, there was a popup from Norton saying that it had blocked a rootkit attack. Is this a problem?

Thanks,

Martin

Link to post
Share on other sites

New infection showing.

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\n.) -> FOUND

[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\n.) -> FOUND

Now click Delete on the right hand column under Options

Next click on the Files tab and put a check next to these and uncheck the rest. (if found)

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND

[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\U --> FOUND

[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$bc189afb16d360fec1695b982c4671cd\L --> FOUND

Now click Delete on the right hand column under Options

~~~~~~~~~~~~~~~~~~~

Reboot and rescan scan with Malwarebytes and RogueKiller > post the logs, MrC

Link to post
Share on other sites

Followed the instructions and now MBAM scan found no objects. Here's the log:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.13.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Jeffrey :: JEFFREY-PC [administrator]

9/13/2012 12:22:14 PM

mbam-log-2012-09-13 (12-22-14).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 246848

Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Here's the RogueKiller log:

RogueKiller V8.0.2 [08/31/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Jeffrey [Admin rights]

Mode : Scan -- Date : 09/13/2012 12:32:53

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST375052 8AS SCSI Disk Device +++++

--- User ---

[MBR] ed901f0165c1f4fc827850f7acf7d823

[bSP] ab39d269876e95b2d4c1e038d272bb99 : Acer tatooed MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31459328 | Size: 100 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31664128 | Size: 699942 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[4].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

Link to post
Share on other sites

Great thumbsup.gif

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC

Link to post
Share on other sites

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.