I've got no network, and can't copy/paste


Hi. A while ago, the wonderful folks here were helping me with a nasty virus. I followed the instructions, and eventually downloaded and installed a free firewall (Outpost) along with Avast! antivirus. Things started to run ok... until recently. Something seems to have either disabled the firewall or the antivirus, or both, and gotten a hold of my machine.

The original thread is here: http://forums.malwarebytes.org/index.php?s...st&p=113563

A quick summary of the current issue - I cannot connect the machine to the internet at all. I get no pop-ups, or redirects, I just have zero internet connectivity with the machine (browsers I've tried are both IE8 & FireFox). The virus seems to have disabled Outpost, and Avast! antivirus. I have tried installing and running the current Malwarebytes, but it doesn't find anything. I have uninstalled that and tried SuperAntivirus. That seemed to have found a few things, but I still cannot connect to the internet or copy/paste. I have since uninstalled SuperAntivirus. I would like to get to a point where I can back up my files and wipe and rebuild the machine with Windows 7. It is currently running XP Pro, but the biggest issue is that it won't allow me to cut and/or paste at all (or drag & drop) so I cannot even back up my files on an external drive to scan elsewhere and save.

I appreciate any and all help you could give me. Thanks!


  • Staff

Hi,

This looks like an issue with your svchost.exe. Most probably this file got deleted, locked/blocked or damaged. Can you open Task Manager and look if svchost.exe is present and active there? There should be at least 5 instances of svchost.exe running.

Also, any possibility that you have set your Outpost Firewall to block svchost.exe? Also, have you tried safe mode already? Do you have the same issues in Windows safe mode? (This in case your firewall may have indeed blocked your svchost.exe).

Can you verify if the file svchost.exe still exists in your C:\Windows\system32 folder?

On another note, if your main interest is to back up your files, see here: http://www.raymond.cc/blog/archives/2007/1...windows-to-ftp/

Or you can use BartPe: http://www.nu2.nu/pebuilder/ which is a similar application


Hi, and thanks in advance for helping me!

Task manager shows only one instance of svchost.exe running. I checked Outpost to see if it was being blocked and I don't believe that I saw it listed, or rules blocking it. Do you think that if I removed Outpost that it would continue to be blocked, or that the rules would disappear with Outpost?

Also, I checked in the sys32 directory and svchost.exe still resides there. There is another file svchost.~xe that is there as well though. The modification dates match on both files.

I do have the same issues running in normal or safe mode. No ability to cut or paste.

And, along the lines of backing up files, I have run into a problem trying to use various boot CDs - I'm running a raid 5 configuration and don't know how to load the raid drivers so that I can boot from anything except the OS and still manage to see the files and not have everything be recognized as individual, unformatted disks.


  • Staff

Hi,

So Outpost is indeed blocking it?

However, on the other side, it doesn't make sense, because *if* Outpost is blocking it, then it shouldn't block it in safe mode (normally).

Anyway, what I suggest is, please uninstall Outpost+Avast and reboot. Then, check your drive for other instances of svchost.exe. There should be one in your C:\Windows\system32\dllcache folder as well.

The fact that there's another svchost.~xe present there makes me believe that the original one in your system32 is infected. Not sure about the svchost.~xe one, it could be the legit one renamed, or it could be a malicious one as well.

The best action here is to replace it with another copy, so if you find another instance of svchost.exe on your disk, please rename the one in the system32 folder to svchost.bak (or so) and COPY another one to there, then reboot.


Hi - it did not appear like Outpost was blocking it, but something else.

Do you think that if Outpost was blocking it, that the block would remain after I uninstalled Outpost?

I tried to uninstall Avast last night, and received a message that the machine was unable to load/start the Wininstaller. Any ideas?

As of right now, I cannot copy/paste, but if I could replace the svchost.exe file, where should I get a fresh copy from? An uninfected machine? Or from another location on the infected machine?


  • Staff

Hi,

Have you already looked into your C:\Windows\system32\dllcache? This is a hidden folder by default, so please set your system to show all files.

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

For Avast, please skip this for now and leave it there. It makes sense that it won't uninstall now since it uses the Windows installer service which won't work now as long as svchost.exe is corrupted.


Hi again - I'm at work right now, so I'll do as you recommend as soon as I'm sitting in front of the infected machine when I return home.

But, while I was here I did a search on another machine for the svchost.exe file and did not find it in the dllcache but found it in C:\WINDOWS\ServicePackFiles\i386.

I suppose that I could try to copy the svchost.exe to the sys32 directory and/or the dllcache directory using a command prompt.

If I find the svchost.exe file in both the dllcache directory and the C:\WINDOWS\ServicePackFiles\i386 directory, which one should I try to copy to the sys32 directory?


  • Staff

Hi,

Yes, it can be done from the command prompt. But before you copy, you should rename the svchost.exe in the system32 folder first; rename it to svchost.bak or so.

It could be possible, after you have renamed it, that Windows already replaces it with a new version (if present in dllcache) anyway. So, after you have renamed it, first verify if a new svchost.exe got created automatically in the system32 folder. If so, reboot and see if that solved your problem.

If not, then copy the one from the C:\WINDOWS\ServicePackFiles\i386 to your system32 folder. Verify afterwards it is there.

Then reboot.

If still the same and no progress, the best action to take here is a Windows repair install (as more could be damaged here).

A Windows repair install doesn't erase your data.

http://www.michaelstevenstech.com/XPrepairinstall.htm

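The replies above turn on comparing the live svchost.exe in system32 with the reference copies in dllcache and ServicePackFiles\i386, and on spotting look-alike names such as svchost.~xe next to it. The following audit script is an added example and not code from the thread; it hashes each copy named in the thread, lists svchost.* look-alikes in system32, reports which reference copies differ from the live one, and names the preferred source (dllcache first, then ServicePackFiles\i386). The directory layout and the file contents in demo() are constructed.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Places where XP keeps a copy of svchost.exe (all named in the thread):
# "live" is the copy that runs; the other two are reference copies.
COPY_LOCATIONS = {
    "live": ("system32",),
    "dllcache": ("system32", "dllcache"),
    "spfiles": ("ServicePackFiles", "i386"),
}

# svchost.<anything but exe> inside system32: svchost.~xe, svchost.ex~, ...
LOOKALIKE = re.compile(r"^svchost\.(?!exe$)", re.IGNORECASE)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_svchost(windows_dir):
    """Hash every svchost.exe copy, list look-alike names, flag mismatches."""
    windows_dir = Path(windows_dir)
    report = {"hashes": {}, "lookalikes": [], "mismatched": [], "source": None}
    for label, parts in COPY_LOCATIONS.items():
        p = windows_dir.joinpath(*parts, "svchost.exe")
        if p.is_file():
            report["hashes"][label] = sha256_of(p)
    sys32 = windows_dir / "system32"
    if sys32.is_dir():
        report["lookalikes"] = sorted(
            e.name for e in sys32.iterdir() if e.is_file() and LOOKALIKE.match(e.name))
    live = report["hashes"].get("live")  # None if the live copy is missing
    report["mismatched"] = sorted(
        label for label, d in report["hashes"].items() if label != "live" and d != live)
    # Order of preference from the thread: dllcache first, then ServicePackFiles\i386.
    for label in ("dllcache", "spfiles"):
        if label in report["hashes"]:
            report["source"] = label
            break
    return report


def demo():
    """Constructed tree: tampered live copy, two matching reference copies, one decoy."""
    base = Path(tempfile.mkdtemp())
    try:
        for label, parts in COPY_LOCATIONS.items():
            d = base.joinpath(*parts)
            d.mkdir(parents=True, exist_ok=True)
            (d / "svchost.exe").write_bytes(b"TAMPERED" if label == "live" else b"ORIGINAL")
        (base / "system32" / "svchost.~xe").write_bytes(b"DECOY")
        return audit_svchost(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

Matching hashes across the copies do not prove the file is clean: a file infector can hit every copy, and a hotfix can legitimately leave dllcache newer than ServicePackFiles\i386, so compare against a hash taken from an uninfected machine at the same service pack level where possible.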

Hi...

Ok, after a few tries, I finally got my copy and paste ability back. Thank you! (Phew!)

Now I can back up my files - but I'm concerned that I have a virus still and don't want to transfer that along with anything else that's bad to any of my other machines.

Suggestions for a next step?


  • Staff

Hi,

Now since you can copy and paste etc.. we can do better analysis/research as well.

I suggest that you backup any data first which are not exe files/rar files etc.. Just backup files like pictures, documents etc.

Reason is, in case you are dealing with a file infector (like Virut/Sality) which is common nowadays, it also infects other legitimate executable files and we don't want you to back these up.

Anyway, doing some extra research now will show us soon with what you are dealing. I really hope it's no Fileinfector though, because this means a format and reinstall unfortunately.

Anyway...

First of all...

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Hiya,

I still have no network connectivity, so is it possible to install MalwareBytes on a flash drive and update it there, or is there a manual update file that I can grab from someplace?

The scan will take some time to finish as the space it's going to be scrubbing is not small. :)


  • Staff

Put the installer for malwarebytes on a flashdrive.

Also, install Malwarebytes on your computer with Internet connection (the one you are using now), and update it. The database file is located in your C:\Documents and settings\All Users\application data\Malwarebytes' anti-malware with the name rules.ref

Copy that rules.ref to your flashdrive as well.

Then, install Malwarebytes on the infected computer. Reboot after install

Then, copy the rules.ref from the flashdrive and let it overwrite the one present on the infected computer.


Hi,

Ok, I ran both a MalwareBytes and HijackThis scan.

Logs are below. Since the reboot after installing MalwareBytes I am receiving a false Windows Security Alert.

What next? :)

Log files:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4317

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/15/2010 7:35:44 PM

mbam-log-2010-07-15 (19-35-44).txt

Scan type: Quick scan

Objects scanned: 143239

Time elapsed: 9 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\svchost.ex~ (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:43:43 PM, on 7/15/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\nvraidservice.exe

C:\WINDOWS\System32\wbem\unsecapp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O4 - HKLM\..\Run: [soundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176694849405

O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB

O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://E:\CDVIEWER\CdViewer.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 4152 bytes

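The staff reply earlier in the thread gives a rule of thumb (at least 5 svchost.exe instances on a healthy XP machine), and the HijackThis log above lists every running process with its path. The script below is an added example, not part of the thread or of HijackThis: it pulls the "Running processes" section out of a log, counts svchost.exe entries, and flags any whose directory is not %SystemRoot%\system32, which is the only place a legitimate svchost.exe runs from. SAMPLE_HJT is a constructed excerpt in the same layout as the log above, with one invented decoy path added so the check has something to flag.

```python
import ntpath
import re

# Constructed sample of a HijackThis "Running processes" section. The first
# entries mirror the layout of the log in the thread; C:\WINDOWS\svchost.exe
# is an invented decoy placed outside system32 for the check to flag.
SAMPLE_HJT = """Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\svchost.exe
C:\\WINDOWS\\Explorer.EXE

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
"""

MIN_EXPECTED = 5  # rule of thumb from the thread for a healthy XP box

# An HJT entry line such as "R0 - ...", "O4 - ...", or the closing "--"
ENTRY_LINE = re.compile(r"^([A-Z]\d+ - |--)")


def running_processes(log_text):
    """Return the process paths listed under 'Running processes:'."""
    lines = iter(log_text.splitlines())
    for line in lines:
        if line.strip().lower() == "running processes:":
            break
    paths = []
    for line in lines:
        line = line.strip()
        if not line:
            continue  # extracted logs often carry blank lines between entries
        if ENTRY_LINE.match(line):
            break  # first R/F/O entry marks the end of the process list
        paths.append(line)
    return paths


def audit_svchost_processes(log_text, windir="C:\\WINDOWS"):
    """Count svchost.exe processes and list those not running from system32."""
    legit_dir = ntpath.join(windir, "system32").lower()
    count, outside = 0, []
    for p in running_processes(log_text):
        head, tail = ntpath.split(p)
        if tail.lower() != "svchost.exe":
            continue
        count += 1
        if head.lower() != legit_dir:  # path comparison is case-insensitive on Windows
            outside.append(p)
    return {"count": count, "outside_system32": outside,
            "below_minimum": count < MIN_EXPECTED}
```

A low count on its own only says that services are not starting (as in this thread, where a single instance was running); a copy outside system32 is the stronger signal and is worth hashing and submitting to a scanner.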

  • Staff

Hi,

Since the reboot after installing MalwareBytes I am receiving a false Windows Security Alert.
Not sure what you mean... Are you sure it's a false alert?

Your HijackThis log doesn't show any strange entries though..

By the way, I see you have the Nvidia firewall (Nvidia NetworkAccessManager). This one is known to cause a lot of problems with Internet Connection and Windows in general, so I suggest you uninstall it.

We will reinstall another 3rd party firewall again afterwards.

Reboot after uninstalling.

Then, since I have also asked to transfer Combofix to the "bad Computer", please run it.

Read here for instructions how to use it:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.


  • Staff
I'm fairly sure it's a false security alarm because it's reporting applications that have been removed.
Can you make a screenshot of that? Because still unsure here if this is a false alert or not.

Your Combofix log doesn't look too bad at all though...

* Open notepad - don't use any other texteditor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Dirlook::

C:\Movie

c:\windows\XSxS

c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

Filelook::

c:\windows\system32\svchost.exe

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Also, have you uninstalled the Nvidia networkaccess manager?


Hi again,

I took some screenshots and attached them for you to check out.

Ran the scan you wanted - attached that as well.

Sent you a PM. :)

And I did uninstall the Nvidia Network Access Manager.

Let me know what you think should be done next.

And thanks again for all your time and intelligence!


Hi,

I thought the alerts were unusual because that application has been removed.

I can turn on the Windows Firewall, but not the automatic updates for some reason.

Not that it's going to matter in the long run, but I thought I would let you know.

And I did regain network connectivity with the last reboot - but I have two network cards in this machine and you're seeing the one that's not currently in use.

So you think my machine is fairly virus free at the moment?


  • Staff

Not sure what application was removed. Windows Security center cannot be removed. The reason why you got these alerts afterwards is because Combofix restored default behavior of the Windows Security Center.

Also, since you have uninstalled your Firewall and Antivirus in between (improper uninstall however), it's supposed to be that Windows Security Center alerts you about this.

In either way, I suggest you reinstall Avast Antivirus again now.

For the automatic updates, can you give more info here? Do you get an error when you enable it?

Also, is this a legal version of XP? Because that would also explain a lot.

Yes, I believe your machine is malware free now. It's always a good idea to have a final scan with Malwarebytes and Avast to get rid of some leftovers if still present.


I removed Avast! and Outpost Firewall before running MalwareBytes and ComboFix.

But it seems as though Windows Security Center still 'sees' them.

That's what led me to believe that the alert was a fake.

How was it an improper uninstall? What did I do wrong?

So, when I try to turn on the automatic updates through WSC I get the error in the screenshot I've attached.

Yes, I believe my version of XP is legal.

Unless the company I work for has been buying pirated software. :)


  • Staff

Hi,

The reason why you get this is because you have disabled the Automatic Updates via msconfig, as I can see in a previous Combofix log:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

So, go to start > run, type msconfig

Click the services tab

In the list, scroll to "Automatic Updates" and check that service again, because in your case, it's unchecked.

Click apply & OK, then reboot.

After reboot, you'll get the message that something was changed in your system configuration. Just check the box there to not display this message anymore.
