possible svchost.exe hijack

  • Root Admin

Please download Malwarebytes Anti-Rootkit from HERE
If needed there is a self help tutorial here: MBAR tutorial

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt


I already downloaded MBAR (current version) and the scan runs fine until it reaches a certain file and then the scan locks up. I listed the file in my original post. I think it may be a bug in MBAR, but don't know for sure.

I went to the phone company yesterday to exchange modems, because the one we had was not performing as it should have, and now not only is our internet as fast as it should be, but I have not received any blocked inbound or outbound svchost.exe messages from MBAM yet. We have been the victim of frequent DDoS attacks against our IP address, and I am wondering: if someone did manage to successfully infiltrate the modem, could they have planted something malicious that was causing problems?


Consolidated Communications (formerly SureWest, Roseville) controls the settings and passwords for their modem, so I have no way of knowing what they chose to use. I do know, however, that it was set up to allow them remote access to the settings for diagnostics and other purposes. The router I chose for our home network has a secure password. I was sure to change it before I even plugged in the internet cable from the modem. So the only way I would know if the modem was compromised in some way was if they outright told us, which I doubt they would admit even if it did happen. The modem does have a router function, but I do not know how it was set.

I am currently in a holding pattern, waiting to see if those blocked svchost.exe messages are gone for good. If they are, should I report to my ISP that their modem may have been compromised?


  • Root Admin

The previous logs look okay and now that the IP blocks have also vanished I don't think you are infected at this time.

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily, so if you went to use them again in the future they would be outdated anyway.

The following procedures will implement some cleanup procedures to remove these tools.

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining you can manually delete (right click... Delete).
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc. AdwCleaner: just run the program and click Uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

If there are any other left over folders, files or logs then you can delete them on your own.

Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis, I advise not using Java if possible, but at least disable Java in your web browsers:
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product, which can also help greatly reduce the risk of a future infection.


I already ran the Delfix tool once. I took my unit into the local Tech2U PC Repair shop so they could get the part number to order a new keyboard, but when they ran their "free diagnostic", they called me the next day (Saturday) and said they found a malware infection. I told them about my work here, and they said I should be using something other than MBAM. That aside, they couldn't or wouldn't give any details on what was found. I did not tell them to remove the infection, so it is presumably still there. I don't know what they found, whether it was a false positive or what. Are there any more powerful tools or scans that I can use to make sure I am indeed in the clear?


Roger that. In the meantime, I found a reference to a similar situation here: bit.ly/1vqULpQ (Bleeping Computer link). I checked my SysWOW64 directory and there is a svchost.exe there and in the System32 directory. Should there be a svchost.exe in the SysWOW64 directory? In the link I found the same tools we have been using; also I did not find anything


Yeah, sorry about that, I accidentally sent the post before it was ready. What I meant to say was: is there any way to tell if any of the system DLLs have been patched or something, to hide the problem like in the post in the link? That person let his case expire, and details on that case were a bit scarce. But I do not believe that svchost should be having this kind of activity, especially aimed at IPs that MBAM considers malicious.

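The two questions in the posts above (is a second svchost.exe in SysWOW64 expected, and have the system DLLs been tampered with) can be answered from the machine itself. The following is an added example, not code from this thread, from Malwarebytes or from the linked Bleeping Computer topic. It assumes 64-bit Windows 7 or later, a 64-bit PowerShell window started with "Run as administrator", and that the hashes it prints will be compared against a known-clean machine on the same Windows build and patch level (the expected-path list and the helper function name are the example's own):

```powershell
# Added example (not from the thread). On 64-bit Windows BOTH copies of
# svchost.exe are legitimate: the native one in System32 and the 32-bit one
# in SysWOW64. Anything else named svchost.exe deserves a closer look.
$expected = @(
    (Join-Path $env:windir 'System32\svchost.exe'),
    (Join-Path $env:windir 'SysWOW64\svchost.exe')
)

# SHA-256 via .NET so this also works on the PowerShell 2.0 that ships with
# Windows 7 (Get-FileHash only exists from PowerShell 4.0 on).
function Get-Sha256Hex([string]$FilePath) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# 1. Where is every running svchost.exe actually loaded from?
#    (-contains is case-insensitive, so path casing differences do not matter.)
$running = Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Path -Unique
foreach ($path in $running) {
    if ($expected -contains $path) {
        "OK       $path"
    } else {
        "SUSPECT  $path  (svchost.exe outside System32/SysWOW64)"
    }
}

# 2. Hash the two expected copies for comparison with a clean machine.
foreach ($path in $expected) {
    if (Test-Path $path) {
        "{0}  {1}" -f (Get-Sha256Hex $path), $path
    } else {
        "MISSING  $path"
    }
}

# 3. System File Checker compares every protected file (svchost.exe and the
#    system DLLs included) against the component store and reports, without
#    repairing, any that were modified. Details go to %windir%\Logs\CBS\CBS.log.
#    Run from a 64-bit PowerShell, otherwise WOW64 redirects System32 to SysWOW64.
& "$env:windir\System32\sfc.exe" /verifyonly
```

A svchost.exe that sfc reports as modified, or that runs from a path other than the two above, is the finding to bring back to the thread; a matching hash and a clean sfc run support the "not infected" reading of the earlier logs.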

I don't seem to have any extra copies of svchost running, which is what is making it so hard for me to track down the source of the problem. I downloaded a program called svchost analyzer, and there are two entries for svchost that have 0 services attached to them. There is another at the bottom of the list, but it is listed as inactive but also has services attached to it. Those appear to be all the inactive Windows services I don't use. If these two copies of svchost with no services attached to them are the source of the problem, it looks like I may have to perform a similar operation.

Is the ESET you used the online scanner, danieldow?

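The mapping the post above got from a third-party "svchost analyzer" can be built directly from the Service Control Manager's own data, which also shows the two things that tool does not: who started each svchost.exe and where its image lives. This is an added example, not code from the thread or from Malwarebytes; it assumes an elevated PowerShell on Windows 7 or later and uses only the standard Win32_Service and Win32_Process WMI classes. The flags it prints are the example's own choices:

```powershell
# Added example (not from the thread): for every running svchost.exe, list the
# services the SCM says it hosts, its parent process, and its image path.

# Build ProcessId -> [service names] from the SCM's view. Stopped services
# report ProcessId 0 and are skipped.
$byPid = @{}
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    if ($svc.ProcessId -ne 0) {
        if (-not $byPid.ContainsKey($svc.ProcessId)) { $byPid[$svc.ProcessId] = @() }
        $byPid[$svc.ProcessId] += $svc.Name
    }
}

# Snapshot of all processes, indexed by PID so parents can be looked up.
$procs = Get-WmiObject -Class Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[$p.ProcessId] = $p }

foreach ($p in ($procs | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $services   = $byPid[$p.ProcessId]
    $parent     = $byId[$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    $flags = @()
    # Legitimate svchost.exe instances are started by services.exe.
    if ($parentName -ne 'services.exe') { $flags += 'parent is not services.exe' }
    # An instance with no registered service can be a host that is shutting
    # down, or a process merely using the name; either way it merits a look.
    if (-not $services) { $flags += 'no services registered for this PID' }
    # On 64-bit Windows only System32 and SysWOW64 hold a real svchost.exe.
    if ($p.ExecutablePath -and
        $p.ExecutablePath -notmatch '\\Windows\\(System32|SysWOW64)\\svchost\.exe$') {
        $flags += "unexpected image path $($p.ExecutablePath)"
    }

    $svcText = if ($services) { $services -join ', ' } else { '(none)' }
    $line = "PID {0,-6} parent {1,-14} services: {2}" -f $p.ProcessId, $parentName, $svcText
    if ($flags) { $line += "   <-- " + ($flags -join '; ') }
    $line
}
```

Running this twice a minute apart separates a transient zero-service host (it disappears) from one that persists; a persistent entry with no services, a non-services.exe parent, or an odd image path is what to post for the helper to review, together with the MBAM block log for the same time window.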

I don't know if MSSE will run in safe mode, but I will try. I also have a copy of Win8 on an external drive; I could try booting to that and running a scan from there if you think that would work. I seem to remember hearing about a version of MSSE that would run at boot time. I will see if I can find that too.


  • Root Admin

Well, one could easily reinfect the computer by accidentally clicking or installing something they should not.

In further review I do see that you're running quite a few games, and many of the games nowadays use peer-to-peer technology to spread the network bandwidth out to users' machines instead of all of the traffic coming directly from them. So it works similar to Skype in that it can at times potentially use an untrusted network. Thus when MBAM sees that IP it blocks it and gives the alert. So generally speaking, in reviewing your logs I only see minor blocking going on, not a huge ongoing block that would be typical of an on-board infection.

Ubisoft Game Launcher
Steam
etc. may be the cause of an occasional block and nothing to worry about, as the software is doing its job.

You're also using a very limited version of antivirus that is not known to be very well suited for malware and virus protection these days. I would highly suggest you consider uninstalling Microsoft Security Essentials and look at getting a different antivirus program.

List of well known antivirus products

However I would also highly suggest removing Java once again, as per previous instructions, to ensure nothing old is left over, using Control Panel, Add/Remove, and then run the JavaRa removal tool again.

Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

Next:

Run the TFC tool again.

Please run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

NEXT:

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt


I am actually looking into another AV program right now, considering ESET... I already installed the trial, and one thing I am noticing, even in safe mode, is that for every file it tries to scan it gives an "error opening file" message. Is this normal?

I don't think Steam uses P2P type software in its client. IDK about the Ubisoft one though.

Fixlog.txt


  • Root Admin

Please try the TFC link again. It should be working again now.

Please download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!



My home router logs are now showing that whoever has been responsible for the almost constant DDoS attacks on our IP address is now performing teardrop attacks as well... No one in my house runs anything below Vista; Vista/7/8 aren't vulnerable to teardrop attacks, right?? I am going to get really pissed off if they start crashing our PCs whenever they feel like it.
