heidikathyrn

Latest victim of the Trojan in svchost.exe!Help


ID: 1   Posted (edited)

Hello there,

I have discovered the trojan in svchost.exe and nothing seems to be touching it. After a lot of time I have been led to this forum; your time and help will be hugely appreciated.

I have now run ComboFix after reading another forum post by someone with the exact same problem, and am including my log here. Your analysis would be great!

ComboFix 12-02-25.02 - Heidi 27/02/2012 12:19:09.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.4061.2999 [GMT 0:00]

Running from: c:\users\Heidi\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\LP

c:\program files (x86)\LP\E133\2CEC.tmp

c:\program files (x86)\LP\E133\3784.tmp

c:\program files (x86)\LP\E133\4421.tmp

c:\program files (x86)\LP\E133\46E0.tmp

c:\program files (x86)\LP\E133\4AD6.tmp

c:\program files (x86)\LP\E133\6B9.exe

c:\program files (x86)\LP\E133\8853.tmp

c:\program files (x86)\LP\E133\9B35.tmp

c:\program files (x86)\LP\E133\BC9A.tmp

c:\program files (x86)\LP\E133\C6E.tmp

c:\program files (x86)\LP\E133\CBD6.tmp

c:\program files (x86)\LP\E133\D577.tmp

c:\program files (x86)\LP\E133\E3B9.tmp

c:\program files (x86)\LP\E133\E964.tmp

c:\users\Heidi\AppData\Roaming\3AA19

c:\users\Heidi\AppData\Roaming\3AA19\180E1.exe

c:\users\Heidi\AppData\Roaming\3AA19\91AE.AA1

c:\windows\assembly\GAC_32\Desktop.ini

c:\windows\assembly\GAC_64\Desktop.ini

c:\windows\assembly\temp\@

c:\windows\assembly\temp\cfg.ini

c:\windows\svchost.exe

c:\windows\system32\consrv.dll

c:\windows\System64

c:\windows\SysWow64\embedded

c:\windows\SysWow64\embedded\WizardImage.bmp

c:\windows\SysWow64\embedded\WizardSmallImage.bmp

c:\windows\SysWow64\pcre3.dll

c:\windows\SysWow64\winbudump.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_Micorsoft Windows Service

.

.

((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))

.

.

2012-02-27 12:24 . 2012-02-27 12:24 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-02-27 11:51 . 2011-12-10 15:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-27 11:10 . 2012-02-27 11:10 -------- d-----w- C:\TDSSKiller_Quarantine

2012-02-27 07:50 . 2012-02-27 07:50 -------- d-----w- c:\users\Heidi\AppData\Roaming\Malwarebytes

2012-02-27 07:50 . 2012-02-27 07:50 -------- d-----w- c:\programdata\Malwarebytes

2012-02-27 07:50 . 2012-02-27 11:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-02-26 21:43 . 2011-12-30 17:02 23896 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-02-26 21:22 . 2012-02-26 21:22 -------- d-----w- c:\programdata\IObit

2012-02-26 21:22 . 2012-02-26 21:22 -------- d-----w- c:\users\Heidi\AppData\Roaming\IObit

2012-02-26 21:22 . 2012-02-26 21:22 -------- d-----w- c:\program files (x86)\IObit

2012-02-24 21:56 . 2012-02-27 12:26 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-02-24 07:31 . 2012-02-26 17:00 -------- d-----w- c:\program files (x86)\191AE

2012-02-22 19:38 . 2012-02-22 19:38 -------- d-----w- C:\$AVG

2012-02-22 19:07 . 2012-02-22 19:07 -------- d--h--w- c:\programdata\Common Files

2012-02-22 19:07 . 2012-02-23 03:21 -------- d-----w- c:\windows\SysWow64\drivers\AVG

2012-02-22 19:06 . 2012-02-23 03:21 -------- d-----w- c:\windows\system32\drivers\AVG

2012-02-22 19:06 . 2012-02-22 19:09 -------- d-----w- c:\programdata\AVG2012

2012-02-22 19:04 . 2012-02-23 03:16 -------- d-----w- c:\program files (x86)\AVG

2012-02-22 18:57 . 2012-02-23 03:16 -------- d-----w- c:\programdata\MFAData

2012-02-21 11:35 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{25B6D572-F21C-4CFF-BECF-CEAC11E16C35}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-29 05:10 . 2011-06-22 06:50 279656 ------w- c:\windows\system32\MpSigStub.exe

2012-01-08 19:55 . 2010-02-10 13:52 2301208 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll

2012-01-08 19:54 . 2012-01-08 19:54 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll

2012-01-08 19:54 . 2010-02-10 13:52 710992 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]

"Advanced SystemCare 5"="c:\program files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-29 620376]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"RocCqarq"="c:\windows\system32\config\systemprofile\AppData\Local\jikmgwiy\roccqarq.exe" [2012-02-23 97772]

"ACFinder"="c:\windows\system32\config\systemprofile\AppData\Local\AppCore\ACFinder\ACFinder.exe" [2012-02-24 47616]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideSCAHealth"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"mixer"=wdmaud.drv

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]

R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]

R3 NLNdisMP;NLNdisMP;c:\windows\system32\DRIVERS\nlndis.sys [x]

R3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\DRIVERS\nlndis.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]

R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-18 136176]

R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-18 136176]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-29 497496]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]

S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]

S3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw5v64.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-18 19:55]

.

2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-18 19:55]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]

"combofix"="c:\combofix\CF31270.3XE" [2009-07-14 344576]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

se59nd5

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyServer = http=127.0.0.1:64182

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000

LSP: mswsock.dll

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe

Wow6432Node-HKLM-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe

Wow6432Node-HKLM-Run-6B9.exe - c:\program files (x86)\LP\E133\6B9.exe

Wow6432Node-HKU-Default-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe

Notify-WgaLogon - (no file)

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-02-27 12:33:01 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-27 12:33

.

Pre-Run: 295,117,758,464 bytes free

Post-Run: 294,851,248,128 bytes free

.

- - End Of File - - F7A6432D85EFB668098EFA1C6E2CEB4A

Attach.txt

DDS.txt

Edited by Maurice Naggar
Combofix log merged into 1st post

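The log above is the useful part of this post: ComboFix removed c:\windows\svchost.exe (the genuine binary lives only in System32 and, on x64, SysWOW64), c:\windows\system32\consrv.dll, and Run entries under the SYSTEM profile (HKU\.DEFAULT). The following PowerShell script is an added example for anyone hitting this thread with the same symptoms; it is not part of the original post and not something ComboFix produced. It assumes PowerShell 3.0 or later run from an elevated prompt, and reports every svchost.exe that is outside its two legitimate locations, every running svchost whose image is not in those locations or does not carry a valid signature, and anything in the HKU\.DEFAULT Run key.

```powershell
# Added example, not from the original thread: audit svchost.exe on a Windows host.
# Assumes PowerShell 3.0+ (uses Get-ChildItem -File) and an elevated prompt so that
# the image paths of SYSTEM-owned processes are readable.

$systemRoot = $env:SystemRoot
# The only two places a genuine svchost.exe should exist.
$legit = @(
    (Join-Path $systemRoot 'System32\svchost.exe'),
    (Join-Path $systemRoot 'SysWOW64\svchost.exe')
) | ForEach-Object { $_.ToLowerInvariant() }

$findings = New-Object System.Collections.Generic.List[string]

# 1. Any file named svchost.exe under %SystemRoot% or Program Files that is not one of
#    the two legitimate paths (the log above shows one sitting in c:\windows directly).
$roots = @($systemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'svchost.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.FullName.ToLowerInvariant()
            if ($legit -notcontains $p) {
                $findings.Add("svchost.exe outside System32/SysWOW64: $($_.FullName)")
            }
        }
}

# 2. Every running svchost process: check where its image comes from and whether it is signed.
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path   # $null when the process is not readable (not elevated)
    if (-not $path) {
        $findings.Add("PID $($_.Id): image path not readable, run elevated")
        return        # inside ForEach-Object, return skips to the next item
    }
    if ($legit -notcontains $path.ToLowerInvariant()) {
        $findings.Add("PID $($_.Id): svchost running from unexpected path $path")
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    # Caveat: on Windows 7 / older PowerShell, catalog-signed Microsoft binaries report
    # NotSigned here. Treat NotSigned from a legitimate path as "verify with sigcheck",
    # not as proof of tampering; any status other than Valid from elsewhere is a finding.
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings.Add("PID $($_.Id): $path signature status $($sig.Status)")
    }
}

# 3. Run entries under HKU\.DEFAULT execute in the SYSTEM profile context and are an
#    unusual place for persistence on a home machine; list whatever is there.
$defaultRun = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $defaultRun) {
    $key = Get-Item $defaultRun
    foreach ($name in $key.GetValueNames()) {
        $findings.Add("HKU\.DEFAULT Run entry '$name' = $($key.GetValue($name))")
    }
}

if ($findings.Count -eq 0) { 'No svchost anomalies found.' } else { $findings }
```

On a clean host the script prints a single line; each finding it does print maps to one of the three indicator classes visible in the ComboFix log. It deliberately does not delete anything, since the helper's instructions in the replies below depend on the artifacts still being present.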

Read this warning about your infection.

-----------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.

http://jpshortstuff....temLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    hkey_local_machine\system\currentcontrolset\services\se59nd5 /s


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC

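The reason MrC asks for the se59nd5 service key is the "Svchost - NetSvcs" line in the ComboFix log: ComboFix lists names in the netsvcs group that are not part of the default set, and se59nd5 is one. A service in that group is loaded as a DLL inside a legitimate svchost.exe, so its ServiceDll value is what matters. The script below is an added example, not part of MrC's instructions or of SystemLook; it enumerates every svchost group, shows where each member's ServiceDll actually points, flags the ones that are missing, outside System32, or unsigned, and then dumps the full key of one named service the way the SystemLook ":reg ... /s" command does. It assumes PowerShell 3.0 or later, an elevated prompt, and that the service name you pass in (defaulting to se59nd5 from this log) is the one your own log flagged.

```powershell
# Added example, not from the thread: audit svchost service groups and dump one service key.
# Usage:  .\Audit-Svchost.ps1            (dumps se59nd5, the name from the log above)
#         .\Audit-Svchost.ps1 -Suspect x (dump a different service key)
param([string]$Suspect = 'se59nd5')   # name taken from the log; assumed to still exist

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()

function Expand-ServiceDll([string]$raw) {
    # ServiceDll is REG_EXPAND_SZ; expand %SystemRoot% and friends before comparing paths.
    if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
}

# Each value under the Svchost key is a group name (netsvcs, LocalService, ...) whose data
# is a REG_MULTI_SZ list of service names hosted together in one svchost.exe instance.
$groups = Get-Item $svchostKey
foreach ($group in $groups.GetValueNames()) {
    foreach ($svc in @($groups.GetValue($group))) {
        if (-not $svc) { continue }
        $key = Join-Path $servicesKey $svc
        if (-not (Test-Path $key)) {
            # A group member with no service key is inert; still worth knowing about.
            "[$group] $svc : no service key"
            continue
        }
        $dll = Expand-ServiceDll (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        $img = (Get-ItemProperty $key -ErrorAction SilentlyContinue).ImagePath
        $flag = ''
        if (-not $dll) {
            $flag = 'NO ServiceDll'
        } elseif (-not $dll.ToLowerInvariant().StartsWith($system32)) {
            $flag = 'ServiceDll outside System32'
        } elseif (-not (Test-Path $dll)) {
            $flag = 'ServiceDll missing on disk'
        } else {
            $sig = Get-AuthenticodeSignature $dll
            # Caveat: Windows 7-era PowerShell reports catalog-signed Microsoft DLLs as
            # NotSigned, so a non-Valid status from a System32 path means "check manually".
            if ($sig.Status -ne 'Valid') { $flag = "signature $($sig.Status)" }
        }
        "[$group] {0,-28} {1} {2}" -f $svc, $(if ($dll) { $dll } else { $img }), $flag
    }
}

# Dump the whole key of the suspect service, recursively, like SystemLook's ":reg <key> /s".
$suspectKey = Join-Path $servicesKey $Suspect
''
if (Test-Path $suspectKey) {
    foreach ($k in @(Get-Item $suspectKey) + @(Get-ChildItem -Recurse $suspectKey)) {
        $k.Name
        foreach ($v in $k.GetValueNames()) { "    $v = $($k.GetValue($v))" }
    }
} else {
    "Service key for '$Suspect' not present."
}
```

The first part of the output is the thing to read line by line: every legitimate netsvcs member resolves to a signed DLL under System32, so a member whose ServiceDll points anywhere else, or whose key has no ServiceDll at all, is the entry to hand to the helper. The key dump at the end is the same information the SystemLook log would contain, produced without downloading anything.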

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
