svchost.exe randomly playing audio/music

[Noodlestein]

Ended up waking up this morning to some god awful music playing from my PC, assumed it was some SC2 Stream I had left open only to realize that in the volume mixer it was showing multiple instances of "Host Process for Windows Services"

After this happened I ran mbam to find out what it was and after the scan, came up with a few trojans so I had them deleted(restart required) and after the restart I am still seeing Host processes inside volume mixer so I can only assume that it's still not quite taken care of.

Screen of the VM. (Over time more and more host processes will show up)

DDS.txt

Attach.txt

[MrCharlie]

Welcome to the forum.

Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against our policy:

http://forums.malwar...showtopic=97700

----------------------------------------

Then........

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

[Noodlestein]

Thank you for the quick response.

As for uTorrent, not all P2P is used for pirating. Last I used it for was to download DayZ updates (Arma II Mod)

I personally have a decent enough income to purchase any games I want to play (Whether you want to believe it or not).

In anycase to not cause any issues with this site I'll uninstall it. no skin off my back etc.

I'll use get Roguekiller

In the meantime MBAM just finished its scan again and these roots still are there after restarting/telling it to delete em.

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.02.04

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Yuki Onna :: YUKIONNA-PC [administrator]

Protection: Enabled

8/2/2012 4:03:25 AM

mbam-log-2012-08-02 (05-21-18).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 472506

Time elapsed: 1 hour(s), 15 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Windows\System32\drivers\str.sys (Rootkit.Agent) -> No action taken.

C:\Windows\SysWOW64\drivers\str.sys (Rootkit.Agent) -> No action taken.

(end)

[Noodlestein]

Rogue Killer log:

RogueKiller V7.6.4 [07/17/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Yuki Onna [Admin rights]

Mode: Scan -- Date: 08/02/2012 05:29:08

¤¤¤ Bad processes: 1 ¤¤¤

[sUSP PATH] DAT9D5C.tmp.exe -- C:\Users\YUKION~1\AppData\Local\Temp\DAT9D5C.tmp.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 5 ¤¤¤

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Yuki Onna\AppData\Local\{bbef532c-91fd-9765-4494-451f599585da}\n.) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{bbef532c-91fd-9765-4494-451f599585da}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{bbef532c-91fd-9765-4494-451f599585da}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{bbef532c-91fd-9765-4494-451f599585da}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\yuki onna\appdata\local\{bbef532c-91fd-9765-4494-451f599585da}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\yuki onna\appdata\local\{bbef532c-91fd-9765-4494-451f599585da}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\yuki onna\appdata\local\{bbef532c-91fd-9765-4494-451f599585da}\L --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com

127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com

127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com

127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com

127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com

127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600JS-75NCB1 ATA Device +++++

--- User ---

[MBR] ead600fe48778e0a1597305584b1e8d9

[bSP] 3e7564a16314eedcfdb13b7a54325ed2 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152485 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST3300622AS ATA Device +++++

--- User ---

[MBR] 07892dcc05f6682b15f7e22933ca05b4

[bSP] e24cb1d96bb0435339ae2e20363bf06b : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 286157 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

[MrCharlie]

As for uTorrent, not all P2P is used for pirating. Last I used it for was to download DayZ updates (Arma II Mod)

I personally have a decent enough income to purchase any games I want to play (Whether you want to believe it or not).

In anycase to not cause any issues with this site I'll uninstall it. no skin off my back etc.

I volunteer my free time to help you

I'm not part of the staff here

It's the forums policy not mine > I'm just following the rules.

MrC

[MrCharlie]

Here you go................

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.
  

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
  
• Restart your computer.
  
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.
  

On the System Recovery Options menu you will get the following options:

• 
  
  • 
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
    

  [*]Select Command Prompt

  [*]In the command window type in notepad and press Enter.

  [*]The notepad opens. Under File menu select Open.

  [*]Select "Computer" and find your flash drive letter and close the notepad.

  [*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

  Note: Replace letter e with the drive letter of your flash drive.

  [*]The tool will start to run.

  [*]When the tool opens click Yes to disclaimer.

  [*]Press Scan button.

  [*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:

  services.exe

  [*]Now press the Search button

  [*]When the search is complete, search.txt will also be written to your USB

  [*]Type exit and reboot the computer normally

  [*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

MrC

[Noodlestein]

I volunteer my free time to help you

I'm not part of the staff here

It's the forums policy not mine > I'm just following the rules.

MrC

Sorry if it came off as if I was upset, or if I upset you as well as that was not my intent. and I do appriciate you taking your time to help myself with my issue.

I truely am appriciative.

In anycase, I have also removed utorrent so it shouldn't cause any further issues.

[MrCharlie]

Did you see my post above yours?? MrC

[Noodlestein]

Did you see my post above yours?? MrC

Yes, I just got done following it. I had issues with my bios as I couldn't find a repair, so I had to locate my windows cd which took much longer than I had hoped.

In anycase here are the files.

FRST.txt

Search.txt

[MrCharlie]

OK, here you go......Please carefully carry out this procedure!!!!!!

Open notepad. Make sure "word wrap" under Format is unchecked! Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

2 dlxsxfnugpnq; "C:\Users\YUKION~1\AppData\Local\Temp\DAT9D5C.tmp.exe" --SERVICE [45568 2012-08-01]
C:\Users\YUKION~1\AppData\Local\Temp\DAT9D5C.tmp.exe
C:\Windows\Installer\{bbef532c-91fd-9765-4494-451f599585da}
C:\Users\Yuki Onna\AppData\Local\{bbef532c-91fd-9765-4494-451f599585da}
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 or FRST (which ever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC

[Noodlestein]

Done. Hopefully it worked out.

Fixlog.txt

[MrCharlie]

Well Done, lets run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

[Noodlestein]

Done, and the log file.

Hopefully everything went well.

ComboFix.txt

[MrCharlie]

Looks Good.....

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

[Noodlestein]

And the log from MBAM

I assume they're not bad since it's in quarentine files?

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.02.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Yuki Onna :: YUKIONNA-PC [administrator]

Protection: Enabled

8/2/2012 7:38:54 AM

mbam-log-2012-08-02 (08-40-12).txt

Scan type: Full scan (C:\|D:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 467676

Time elapsed: 55 minute(s), 57 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\FRST\Quarantine\DAT9D5C.tmp.exe (Trojan.Phex.THAGen6) -> No action taken.

C:\Users\Yuki Onna\Desktop\RK_Quarantine\DAT9D5C.tmp.exe.vir (Trojan.Phex.THAGen6) -> No action taken.

(end)

[MrCharlie]

That's correct, how is it running?? MrC

[Noodlestein]

Awesome, it's running fine, I don't see the host process popping up anymore in the volume control so I imagine thats fixed

So in MBAM, should I have it delete those two quarenteened files?

[MrCharlie]

Awesome, it's running fine, I don't see the host process popping up anymore in the volume control so I imagine thats fixed

So in MBAM, should I have it delete those two quarenteened files?

No, we'll be deleting that folder.

-----------------------------

Great

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

[Noodlestein]

Awesome, Thanks a bunch for the help.

I really do appreciate it

[Maurice Naggar]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.