possible svchost.exe hijack

[cybot]

I purchased malwarebytes a couple of months ago after chrome on my mom's laptop had a minor malware issue (which I successfully resolved). however, now that I am  using malwarebytes pro on my laptop, I am seeing semi frequent messages from malwarebytes saying that outbound traffic from svchost.exe has been blocked. (Malicious Website Protection, IP, 93.115.84.195, 56083, Outbound, C:\Windows\System32\svchost.exe) there have been multiple IP's that are associated with this message I am seeing. I have run some of the utilities that are suggeste in these forums, ComboFix, ADWcleaner, Roguekiller, TDSKiller, and MBAR as well as running my AV and malwarebytes full scan. All except MBAR comeback with no results found. Mbar runs fine until the scan tries to scan "c:\users\username\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db" it will just sit there and I am unable to cancel the scan. the file is only 25.6 Kb, so I doubt it is infected with anything. I think it is probably a bug in MBAR that I am encountering. that aside, all the negatives on all the other scans woul seem to indicate that I do not have any malware. but then why am I seeing this outbound activity from svchost? am I missing something here?

malwarebytes protect log.txt

malwarebytes scan log.txt

TDSSKiller.3.0.0.39_15.06.2014_02.44.46_log.txt

[cybot]

here is the hijackthis log for my system.

hijackthis.log

[cybot]

here is the log from tdsskiller

TDSSKiller.3.0.0.39_15.06.2014_02.44.46_log.txt

[cybot]

oops already added that log.... ignore last post.... sorry

[cybot]

I have been putting off posting my combofix log because combofix kept wanting to del 500Mb worth of file starting with the name tmp. they were residing in my C:\users\[username]\appdata\local\microsoft\windows\temporary internet files\ directory. I had to drop to command prompt and manually delete the files using del tmp.* /s /q command. it was much faster than combofix doing it. but with those files gone. I was able to run combofix all the way through. combofix found what looks like something called winpcap installed on my system. it appears to be some sort of "windows packet capture" software. I know I never installed such software, but it is possible that it may be part of something legitimate that is installed. I sincerely doubt that is the case however.

 

UPDATE: 

 

This software MAY have been installed as part of NetGear Genie software, this is the router management software for my Netgear WNDR-4500 router. after deleting npf.sys as well as having combofix remove the other winpcap files, the software no longer works properly. I will reinstall the software and see if combofix finds it again. Is it possible that hackers are hijack the winpcap for their own purposes? if so, it looks like Netgear needs to be notified of this.

ComboFix.txt

[cybot]

wpcap was indeed  installed with netgear genie. I unistalled genie, and then went into the registry, and into explorer, an manully removed packet.dll and nfp.sys from system32 and subdirectories.... there are no other signs of anything wrong, all the files removed by combofix were related to diskkeeper 12 setup files, I have no idea what they were doing in the syswow64 directory tho. since removing genie, I am no longer getting alerts from malwarebytes (see original post for the alert given). I will contact Netgear to see what they have to say. Is it even possible for someone to have foun a way to subvert the winpcap portocols (or whatever) to try and capture packets from my pc with out my permission?

[cybot]

ok NOW I REALLLY need some help!  since running combofix an removing the winpcap components (along with netgear genie), I am now receiving random BSOD's BAD_POOL_HEADER was one of the most recent. This system uptil recently, has been 100% stable, meaning no BSOD's. the occasional program would crash, but 99% of the time that was solved by patches to what ever program was crashing. but now..... I am not sure where to procee next. Toshiba only gave me a way to restore to factory defaults, So, no OS install disc.  while I do have backups including system images (made using Rebit 6), I am hesitant to pull the trigger unless absolutely necessary. so if some one can please help me out, I would much appreciate it

[AdvancedSetup]

Sorry for the delay but the site has been very busy lately.

 

Hello and

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:
 
 

 

If you're using

Peer 2 Peer

software such as

uTorrent, BitTorrent

or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have

illegal/cracked software, cracks, keygens etc

. on the system, please remove or uninstall them now and read the policy on

Piracy

.

 
Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

• Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
• If the log is too large then you can use attachments by clicking on the More Reply Options button.
• Please enable your system to show hidden files: How to see hidden files in Windows
• Make sure you're subscribed to this topic:
  
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
    

  [*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]You can check here if you're not sure if your computer is 32-bit or 64-bit [*]Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder)
  

 
STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.
 

Link 1

Link 2

• On Windows XP double-click on the Rkill desktop icon to run the tool.
• On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• If the tool does not run from any of the links provided, please let me know.
• Do not reboot the computer, you will need to run the application again.
  

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download ERUNT from one of the following links: Link1 | Link2 | Link3
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
• NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup.
  
  • Note: the default location is C:\Windows\ERDNT which is acceptable.
    

  [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe
  

STEP 02
Please run a Threat Scan with MBAM.  If you're unable to run or complete the scan as shown below please see the following:  MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.
 
 
STEP 03
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

• RogueKiller 32-bit | RogueKiller 64-bit
• Quit all running programs.
• For Windows XP, double-click to start.
• For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
• Read and accept the EULA (End User Licene Agreement)
• Click Scan to scan the system.
• When the scan completes Close the program > Don't Fix anything!
• Don't run any other options, they're not all bad!!
• Post back the report which should be located on your desktop.
  

Thank you
 

[cybot]

I was beginning to think I was on my own....

 

I don't use torrent or other file sharing services. I do not believe I have any illegal software or cracks installed on my system. I am currently also having issues with my 'D' key, so, there might be words missing the letter 'D'. I will correct the spelling of those words when I catch them, but I don't always catch them. So please bear with me. there is a process running calle P2PHost.exe, but it is a Microsoft windows process for the people near me program which I believe Is part of windows homegroup.

 

I have followe your irections, and the each scan came back clean. rkill did not find anything to kill. I attached the log for review. MBAM threat scan similairly foun nothing, log attached.

rougekiller. results found stuff like before, but nothing that I woul consider harmuful or bad, I have attaché the log from the scan, however it oes not seem to show every result of the scan. missing is the chrome web browser apps, all of which are green, which I assume is a good sign. I doubt my chromebook would allow the apps to run if they weren't safe. (all the chrome apps come from my chromebook sessions, which are synced up with my windows chrome sessions). the rest of the results appear in attached log.

 

My system seems to have settled down as far das BSOD's are concerned none have occurred in almost 48 hours, so that's good.

Since removal of Netgear Genie, I am also no longer seeing blocked outbound traffic from SVCHOST.EXE alerts. I am assuming that for some reason the winpcap component of Genie was operating in a fashion quite similar to malware. I have also read that some malware has actually incorporated winpcap as part of the malware. I will see if I can contact someone at netgear to see what they have to say about this issue. epending on if you spot something I missed,I wilI recommend that my dad (who co-manages our home network) also uninstall netgear genie. I tracked one of the IP's that's was blocked by MBAM, and it was an IP for a place in central china. another was on in another asian country. very disturbing if what I think is happening here turns out to be true.

Rkill.txt

RKreport_SCN_06182014_151623.log

malwarebytes scan log 2.txt

[AdvancedSetup]

Please go ahead and run through the following steps and post back the logs when ready.
 
STEP 04
Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus
  

STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8 users right-click and select Run As Administrator
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Please uncheck elements you don't want removed.
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program you want to save.
• If there's a program you may want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
• If you're ready to clean it all up.....click the Clean button.
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted:
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
  

STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


STEP 07


Please go here to run the online antivirus scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
    

  
  [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.
  

STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
  

[cybot]

jrt said it foun a bad module, but did not give an details, the log also did not record this event. I don't know whether this is a false positive or not. ADWcleaner gave no results either since I had already removed netgear genie (winpcap components) an I had not restored the Diskkeeper 12 setup files from quarantine yet. still don't know why they were in the syswow64 directory. currently running MBAM custom scan, which will take quite a while. will post those logs when they become available one threat scan already came back clean, so I chose the custom so I could explicitly tell mbam to scan with those settings. adttempting to update MBAM, gave me a no updates available message. the settings that you said to set, are what I already had them on, so no changes needed there. will post remaining logs when I can

AdwCleanerR7.txt

AdwCleanerS4.txt

JRT.txt

[cybot]

was just sitting here waiting for mbam scan to finish, and another alert occurred out of the blue. genie may not be the culprit after all

malwarebytes protect log 2.txt

[AdvancedSetup]

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.
 

[cybot]

I have already run tdsskiller and posted the logs for it. see first post for the log. I will run the scan again if you want however. MBAM scan just finished, and came back clean. the alert happene again this morning, this time the ip tracked back to Cairo, Egypt..I was playing plants vs. zombies at the time, so no internet browsers were active. ESET scan currently running, preliminary results found win32.opencandy, but this I consider a false positive, as it is detected in the jelly bean key finder setup  file. reading up on the detected threat confirms that it can be considered a false positive. I no longer need the jelly bean software, so I will delete the file anyway once the eset scan completes

malwarebytes scan log 3.txt

[cybot]

the tdsskiller you wanted me to use is a different copy than what I used, so I will d/l the version you wanted an post it's logs as soon as eset finishes

[cybot]

eset just finished it's scan (finally!) only thing found was the w32/opencandy. I went ahead and ran farbar like you asked, logs attached.

 

I also ran kapersky version of tdsskiller, log attached.

 

everything is giving the all clear, but svchost is still trying to contact malicious sites. the only thing that might have cause this is back a couple of months ago, a site I frequent got really badly hacked, and when I went on it (not knowing the site ha been hacked) , the site attempted to install a Trojan. UAC and MSSE had stopped it in its tracks, or so I thought. is it possible that some damage was done before UAC an MSSE put the kybosh on the activity? when it occured UAC brought up a prompt asking me if I wanted to run 'xxxxx' program that resided in the temporary internet files directory. I of course clicked no, and MSSE immediatly gave an alert that a number of files in the internet browsers file cache suddenly had a Trojan there. MSSE cleaned out the problem without issue, and a subsequent quick and full scan revealed no further issues. I I did of course run disk cleanup after MSSE to make sure the problem wouldn't come back.

TDSSKiller.3.0.0.39_19.06.2014_17.45.05_log.txt

FRST.txt

Addition.txt

[cybot]

I don't remember what Trojan it was, but I remember it was classified as a backdoor type Trojan. ont know if that helps any though

[AdvancedSetup]

Well at this time I'm not finding any infections on the system. It may simply be due to Skype that is running or another Internet enabled application.

 

Please see the following.

 

https://helpdesk.malwarebytes.org/forums/21637537-Software-Blocked

 

 

Please download Security Check by screen317 from HERE or HERE.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• If you get Unsupported operating system. Aborting now, just reboot and try again.
• A Notepad document should open automatically called checkup.txt.
• Please Post the contents of that document.
• Do Not Attach It!!!
  

 

[cybot]

I do have Skype installed, it was forced on me by micro$oft when they got rid of the windows live messenger. I have been unimpressed with Skype so far, and since I now have another way of communicating with those on my old messenger list (email an Steam's built in messenger), I will uninstall Skype to see if the alerts stop.

[cybot]

umm.... something (maybe the website?) is not allowing me to paste things from the clipboard into the post. I can do it elsewhere, but not here. as a result I am unable to post the log results in the post. I have attached the log instead.

 

for what ever reason when I try and paste into the reply area nothing happens, same when I click the ifferent paste buttons. I cant even paste from elsewhere in the same document..

 

checkup.txt

[AdvancedSetup]

Yes, there appears to be some type of issues for some users posting to the forum with copy/paste.

 

The log looks okay.

 

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
 
Download Delfix from here and save it to your desktop. (you may already have this)

• Ensure Remove disinfection tools is checked.
• Click the Run button.
• Reboot
  

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.
 
 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

• How Malware Spreads - How did I get infected
• Best Practices for Safe Computing - Prevention of Malware Infection
• Avoiding those unwanted free applications
• A close look at how Oracle installs deceptive software with Java updates
• IAC / Ask.com toolbars
• Malwarebytes Unpacked Blog
  

If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.
 

[cybot]

I'm still getting the alerts, is there a program that you know of (free is best) that is able to monitor outgoing traffic and the processes that are requesting the access? I was thinking something that gave me the same data as if I ran 'netstat -a -o -n -b' but in realtime and be running continuously in the back ground, so I could go back an look at what was going on with my system the next time I get the alert goes off.

[cybot]

now I'm starting to see blocked inbound traffic to svchost as well

[AdvancedSetup]

Inbound there is nothing we can do but block as we see them. You're firewall is really the main component that should be blocking unwanted access from a remote site.

 

Let's to ahead and run some scans again and see what we can find.

 

Please visit this webpage and read the ComboFix User's Guide:

• Once you've read the article and are ready to use the program you can download it directly from the link below.
• Important! - Please make sure you save combofix to your desktop and do not run it from your browser
• Direct download link for: ComboFix.exe
• Please make sure you disable your security applications before running ComboFix.
• Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
• Please attach that log file to your next reply.
• If needed the file can be located here:  C:\combofix.txt
• NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.
  

 

[cybot]

in addition to running combofix like you asked, I told windows to return the firewall to defaults just to be sure nothing was amiss.

ComboFix.txt