Ironman13

2 Trojan.Agent SVChost.exe unable to get deleted upon reboot

18 posts in this topic

Hello, I believe you have addressed this before. But, I want to make sure that I follow the correct steps with whatever this is.

I have run AVG as well as housecall and neither scans even see this. Malwarebytes sees it but does not delete it upon reboot.

I am unclear as to if this is a real threat or not.

Please let me know your thoughts.

Thanks,

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.10.15.10

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Administrator :: SMARTBOX [administrator]

10/15/2012 9:00:46 PM

mbam-log-2012-10-16 (06-31-20).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 450920

Time elapsed: 2 hour(s), 4 minute(s), 55 second(s)

Memory Processes Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> 3696 -> No action taken.

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

(end)

dds.txt

attach.txt


Welcome to the forum.

Please remove any USB or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------


Thank You-Here is the report

RogueKiller V8.1.1 [10/01/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Administrator [Admin rights]

Mode : Scan -- Date : 10/17/2012 10:50:32

¤¤¤ Bad processes : 1 ¤¤¤

[SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤

[TASK][SUSP PATH] iMeshNAG.job : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe -> FOUND

[TASK][BLPATH] HPCustParticipation HP Officejet 6700 : "C:\Program Files\HP\HP Officejet 6700\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000 -> FOUND

[TASK][SUSP PATH] iMeshNAG : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe NAGMETHOD=Schedule -> FOUND

[TASK][SUSP PATH] {4D6D8932-EDCF-4420-8B1D-F8126BB12376} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\348DFNKM\ANTAgent_2217.exe" -d C:\Users\Administrator\Desktop -> FOUND

[TASK][SUSP PATH] {66C6677E-2A3A-4A04-9FD6-C984579FDE2E} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2IWM6OY\mp600win111ej[1].exe" -d C:\Users\Administrator\Desktop -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤


You're missing part of the log, can you copy and paste the complete log. Thanks.....MrC


Sorry about that. Here is the complete log.

RogueKiller V8.1.1 [10/01/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website: http://tigzy.geekstogo.com/roguekiller.php

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Administrator [Admin rights]

Mode : Scan -- Date : 10/17/2012 10:50:32

¤¤¤ Bad processes : 1 ¤¤¤

[SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤

[TASK][SUSP PATH] iMeshNAG.job : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe -> FOUND

[TASK][BLPATH] HPCustParticipation HP Officejet 6700 : "C:\Program Files\HP\HP Officejet 6700\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000 -> FOUND

[TASK][SUSP PATH] iMeshNAG : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe NAGMETHOD=Schedule -> FOUND

[TASK][SUSP PATH] {4D6D8932-EDCF-4420-8B1D-F8126BB12376} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\348DFNKM\ANTAgent_2217.exe" -d C:\Users\Administrator\Desktop -> FOUND

[TASK][SUSP PATH] {66C6677E-2A3A-4A04-9FD6-C984579FDE2E} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2IWM6OY\mp600win111ej[1].exe" -d C:\Users\Administrator\Desktop -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD25 00AAJS-65M0A SCSI Disk Device +++++

--- User ---

[MBR] c83437cae76a22bfe69c84ccb7a7b974

[BSP] c1b72764b614ea9c87e84284e8df15c3 : Windows Vista/7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 227208 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465528832 | Size: 11165 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[1].txt >>

RKreport[1].txt

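Both logs above point to the same tell: a genuine svchost.exe lives only in System32 (and SysWOW64 on 64-bit Windows), so the copy Malwarebytes found directly in C:\Windows, which RogueKiller reports through the \\.\globalroot\systemroot alias, is a look-alike rather than the system binary. The script below is an added example, not part of this thread or of either tool; it parses the two log formats (sample lines constructed from the output quoted above) and gives each finding a verdict, including the scheduled tasks that launch from a Temp directory or through pcalua.exe.

```python
"""Triage of Malwarebytes / RogueKiller detection lines (added example)."""
import re

# The only legitimate on-disk homes of svchost.exe on 64-bit Windows.
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}
# Launch locations that deserve a second look when seen in a scheduled task.
SUSPECT_CMD = re.compile(r"\\temp\\|pcalua\.exe|temporary internet files", re.I)
# Malwarebytes:  C:\Windows\svchost.exe (Trojan.Agent) -> 3696 -> No action taken.
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^()]+?) \((?P<threat>[^)]+)\) -> (?P<rest>.+)$")
# RogueKiller process:  [SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]
RK_PROC_RE = re.compile(r"^\[(?P<tag>[^\]]+)\] (?P<name>\S+) -- (?P<path>\S+) -> (?P<result>.+)$")
# RogueKiller task:  [TASK][SUSP PATH] iMeshNAG.job : C:\...\Temp\iMesh_setup.exe -> FOUND
RK_TASK_RE = re.compile(r"^\[TASK\]\[(?P<flag>[^\]]+)\] (?P<name>.+?) : (?P<cmd>.+) -> (?P<result>\w+)$")

def normalize(path, system_root=r"C:\Windows"):
    """Map the globalroot/systemroot alias RogueKiller prints onto a plain, lower-cased path."""
    p = path.lower()
    alias = r"\\.\globalroot\systemroot"
    return system_root.lower() + p[len(alias):] if p.startswith(alias) else p

def classify(path):
    """A svchost.exe anywhere but its two legitimate directories is a masquerade."""
    p = normalize(path)
    if p.rsplit("\\", 1)[-1] == "svchost.exe":
        return "legit-location" if p in LEGIT_SVCHOST else "masquerade"
    return "unknown"

def triage(lines):
    """Turn raw log lines into findings with a verdict; unrecognised lines are skipped."""
    findings = []
    for line in (raw.strip() for raw in lines):
        m = MBAM_RE.match(line)
        if m:
            findings.append({"source": "mbam", "item": m["path"], "verdict": classify(m["path"]), "note": m["rest"]})
            continue
        m = RK_TASK_RE.match(line)
        if m:
            verdict = "suspect-launch-path" if SUSPECT_CMD.search(m["cmd"]) else "review"
            findings.append({"source": "roguekiller", "item": m["name"], "verdict": verdict, "note": m["cmd"]})
            continue
        m = RK_PROC_RE.match(line)
        if m:
            findings.append({"source": "roguekiller", "item": m["path"], "verdict": classify(m["path"]), "note": m["result"]})
    return findings

# Constructed sample, copied from the scanner output quoted in this thread.
SAMPLE = [
    r"C:\Windows\svchost.exe (Trojan.Agent) -> 3696 -> No action taken.",
    r"[sVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]",
    r"[TASK][sUSP PATH] iMeshNAG.job : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe -> FOUND",
    r'[TASK][bLPATH] HPCustParticipation HP Officejet 6700 : "C:\Program Files\HP\HP Officejet 6700\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000 -> FOUND',
]
```

Running `triage(SAMPLE)` marks both svchost entries as a masquerade and the iMesh task as a suspect launch path, while the HP printer task is only queued for review.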

Please download Listparts64

Run the tool, click Scan and post the log (Result.txt) it makes

Next............

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Here is the log from Listparts64. I will begin with TDSSKiller download and instructions as listed.

ListParts by Farbar Version: 16-10-2012

Ran by Administrator (administrator) on 17-10-2012 at 11:56:30

Windows 7 (X64)

Running From: C:\Users\Administrator\Desktop

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 64%

Total physical RAM: 1918.49 MB

Available physical RAM: 685.59 MB

Total Pagefile: 3836.98 MB

Available Pagefile: 1576.6 MB

Total Virtual: 8192 MB

Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: (COMPAQ) (Fixed) (Total:221.88 GB) (Free:102.95 GB) NTFS

2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:10.9 GB) (Free:2.03 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 232 GB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 221 GB 101 MB

Partition 3 Primary 10 GB 221 GB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 SYSTEM NTFS Partition 100 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C COMPAQ NTFS Partition 221 GB Healthy Boot

======================================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 D FACTORY_IMA NTFS Partition 10 GB Healthy

======================================================================================================

==========================================================

TDL4: custom:26000022

****** End Of Log ******


It looks like this worked. :D

Attached are the before and after MBAM logs after having run the TDSSKiller.

Is there anything further that I need to do?

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.10.17.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Administrator :: SMARTBOX [administrator]

10/17/2012 12:42:37 PM

mbam-log-2012-10-17 (12-42-37).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 221618

Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.10.17.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Administrator :: SMARTBOX [administrator]

10/17/2012 12:59:34 PM

mbam-log-2012-10-17 (12-59-34).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 221687

Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


I need to see the logs from TDSSKiller > you can attach them. MrC



Hopefully this is what you are looking for. I have not deleted any reports but don't seem to have a file that I can attach. This is from the reports function when launching TDSSKiller.

13:15:42.0712 3224 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47

13:15:43.0118 3224 ============================================================

13:15:43.0118 3224 Current date / time: 2012/10/17 13:15:43.0118

13:15:43.0118 3224 SystemInfo:

13:15:43.0118 3224

13:15:43.0118 3224 OS Version: 6.1.7601 ServicePack: 1.0

13:15:43.0118 3224 Product type: Workstation

13:15:43.0118 3224 ComputerName: SMARTBOX

13:15:43.0118 3224 UserName: Administrator

13:15:43.0118 3224 Windows directory: C:\Windows

13:15:43.0118 3224 System windows directory: C:\Windows

13:15:43.0118 3224 Running under WOW64

13:15:43.0118 3224 Processor architecture: Intel x64

13:15:43.0118 3224 Number of processors: 1

13:15:43.0118 3224 Page size: 0x1000

13:15:43.0118 3224 Boot type: Normal boot

13:15:43.0118 3224 ============================================================

13:15:46.0488 3224 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x7E2D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040

13:15:46.0503 3224 ============================================================

13:15:46.0503 3224 \Device\Harddisk0\DR0:

13:15:46.0503 3224 MBR partitions:

13:15:46.0503 3224 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000

13:15:46.0503 3224 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1BBC4000

13:15:46.0503 3224 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x1BBF6800, BlocksNum 0x15CE800

13:15:46.0503 3224 ============================================================

13:15:46.0519 3224 C: <-> \Device\Harddisk0\DR0\Partition2

13:15:46.0566 3224 D: <-> \Device\Harddisk0\DR0\Partition3

13:15:46.0566 3224 ============================================================

13:15:46.0566 3224 Initialize success

13:15:46.0566 3224 ============================================================


That's better...........

Run TDSSKiller again and choose Delete for this one only: (no need to check the "Loaded Modules" box or post the log)

12:28:36.0063 5280 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

12:28:36.0063 5280 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~~~~~~

Then............

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

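The ListParts line "TDL4: custom:26000022", RogueKiller's MBR check and the "TDSS File System" entry MrC asks to delete all concern the same place on the disk: the master boot record and the unpartitioned sectors past the last partition, where a TDL4-class bootkit keeps its hidden file system. The reader below is an added example, not code from this thread or from any of the tools used in it; it parses a 512-byte MBR and reports the unallocated tail. The sector it parses is constructed from the partition values TDSSKiller printed above (disk size, StartLBA and BlocksNum come from that log; the machine's real MBR is not on the page).

```python
"""MBR partition-table reader with unallocated-tail check (added example)."""
import struct

SECTOR = 512
DISK_BYTES = 0x3A38B2E000  # \Device\Harddisk0\DR0 size from the TDSSKiller log above
# (active, type, StartLBA, BlocksNum) for the three partitions TDSSKiller listed.
TDSSKILLER_PARTS = [
    (True, 0x07, 0x800, 0x32000),
    (False, 0x07, 0x32800, 0x1BBC4000),
    (False, 0x07, 0x1BBF6800, 0x15CE800),
]

def build_mbr(entries):
    """Construct a test sector: zeroed boot code, up to 4 table entries, 0x55AA signature.
    Test data only: a real MBR carries boot code in the first 446 bytes."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
        for active, ptype, start, count in entries
    )
    return b"\0" * 446 + table.ljust(64, b"\0") + b"\x55\xAA"

def parse_mbr(sector):
    """Return the used partition entries of a 512-byte MBR as dicts."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xAA":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        flag, ptype, start, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        parts.append({"index": i + 1, "active": flag == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count})
    return parts

def unallocated_tail(parts, disk_bytes=DISK_BYTES):
    """Sectors between the end of the last partition and the end of the disk.
    Bootkits of the TDL4 family store their hidden file system in these trailing
    sectors, so this number says where a sector-level inspection should start."""
    total = disk_bytes // SECTOR
    end = max((p["start_lba"] + p["sectors"] for p in parts), default=0)
    return total - end

def report(sector, disk_bytes=DISK_BYTES):
    """Human-readable summary in the same units TDSSKiller uses."""
    parts = parse_mbr(sector)
    lines = [f"Partition{p['index']}: type 0x{p['type']:X} {'active' if p['active'] else 'inactive'} "
             f"StartLBA 0x{p['start_lba']:X} BlocksNum 0x{p['sectors']:X}" for p in parts]
    lines.append(f"unallocated tail: {unallocated_tail(parts, disk_bytes)} sectors")
    return lines

SAMPLE_MBR = build_mbr(TDSSKILLER_PARTS)  # constructed from the log values above
```

For the values in this thread the three partitions end 2416 sectors (about 1.2 MB) short of the disk's end, which is ordinary alignment slack; on a live disk the same code can be fed the first 512 bytes read from the physical drive with administrator rights.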

I ran TDSSKiller again but it does not find anything. No threats found, neutralized or quarantined.

Should I move on with ComboFix or am I missing something here?


MrC,

Unfortunately, I won't get this completed before I need to go out of town in the morning. Work got in the way this afternoon.

I will start a new thread referencing ComboFix when I return in a week and maybe we can finish it all up then.

I do appreciate your help and will most certainly be making a contribution.

Thank You


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
