Solved

McAfee & Generic.dx - svchost.exe.

Posted on 2008-10-13
3,903 Views
Last Modified: 2013-12-06
Hello guys.

I came in this morning and one of my users has a virus alert from McAfee Enterprise Edition.

This is the log from McAfee
[code]
13/10/2008    08:12:14    Deleted     NT AUTHORITY\SYSTEM    C:\WINDOWS\svchost.exe    Generic.dx
"
"
"
13/10/2008      08:12:54      Deleted       NT AUTHORITY\SYSTEM      C:\WINDOWS\svchost.exe      Generic.dx
[/code]
Now, the log indicates that it does indeed keep deleting the file; however, the message box keeps reappearing and therefore it keeps trying to remove the virus in a loop.

Here is the Hijack-This log.
[code]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:41:14, on 13/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Mouse Driver\KMWDSrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mouse Driver\StartAutorun.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Trust\Trust R-series Mouse And Keyboard\MouseDrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mouse Driver\KMConfig.exe
C:\Program Files\Mouse Driver\KMProcess.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
\Srvsbs01\Tharstern\TharsternSQL\Thars.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SRVSBS01:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - https://fastsend.com/products/Fsplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prometheus.local
O17 - HKLM\Software\..\Telephony: DomainName = prometheus.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prometheus.local
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6305 bytes
[/code]
Can't see anything here, can you? Thanks.

Now I understand, after searching, that some people have had this trojan and have gotten rid of it with mixed results. Some people have had to reinstall Windows, IE. I cannot therefore take the risk of stopping this particular user (a company Director!) from working, or take the risk of losing any data - it's more than my job is worth, lol. So using Kaspersky online is a no-no; I would have to disable the whole network's virus scanner, which could invite more infections.

Have you any idea what to do? This is a new job, and I'm relatively new to sorting out viruses in a networked setup - of course I have fixed my PCs at home, but I have to think of possible problems now...

Thank you very much.

PS: The user in question does seem to be able to work as normal at present, it's just the alert that will not go.
Question by: SpencerKarnovski

14 Comments
Expert Comment

by:rpggamergirl
ID: 22701127
Run either SDFix or Malwarebytes, then ComboFix if the problem persists (when using ComboFix, antivirus needs to be disabled though).

1. Download SDFix and save it to your desktop (either one below):
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).
Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the fixtool will complete the removal and display "Finished"; then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and attach the "Report.txt" back.

OR: Download Malwarebytes' Anti-Malware to your desktop. Check for updates before scanning.
http://www.malwarebytes.org/mbam.php

2. Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (antivirus/antispyware, guards and shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 

Author Comment

by:SpencerKarnovski
ID: 22701148
Hello rpggamergirl.

Thanks for the suggestions. I will try them, and get back to you when I can. I will not be able to do them today, as the user is very busy - and he seems to be able to function correctly, even with the alert there.

But will try soon, and report back here with my findings.

Thanks

Expert Comment

by:Didgens
ID: 22703958
I had to download and run SDFix and then ComboFix to get this off, but it's gone now... thanks guys

Author Comment

by:SpencerKarnovski
ID: 22709386
Hi

Ok, so I tried running Malwarebytes - it did not find anything, i.e. McAfee is still showing the Alert. Furthermore, McAfee even noted that application as a virus.

I am going to try steps 1 and 2 later on. However, can we be assured that this will not cause system instability? This is a company director's PC and I cannot afford anything going wrong.

Thanks again, great help.

Spencer
Expert Comment

by:rpggamergirl
ID: 22711143
Hi Spencer,

>>> Furthermore McAfee even noted that application as a virus.<<<
It's normal for McAfee to flag SDFix, Combofix or other anti-spyware tools as a risk tool or a virus.

C:\WINDOWS\svchost.exe
The above file that McAfee flags is a variant of SDBot, so maybe try SDFix first.

>>>However, can we be assured that this will not cause system instability?<<<
Combofix is a safe tool and has more safety nets than any other tool, but I cannot guarantee that nothing can go wrong. There are rare cases where the presence of new malware that Combofix doesn't have updates for yet can interfere with the scan and things can go wrong; it happens.

If it helps to know, Combofix does create 2 ERUNT backups when you run it: one taken after the user has agreed to the disclaimer, and another one taken just before Combofix reboots the PC.

You need to follow the directions for running Combofix exactly, e.g. disabling antivirus/security shields as they can interfere with the scan, not mouse-clicking while it's running as that can cause CF to stall, etc.

Author Comment

by:SpencerKarnovski
ID: 22711398
Hello rpggamergirl (what game? :) )

Ok, have followed all the listed steps (see attached reports) and... nope, as soon as the user boots up the Alert message is still there. This is the worst virus I have ever come across; it just will not be removed.

The only thing I can do now is get in touch with McAfee and ask them.  I mean, the actual software is located on the Server, would I have to go in there and do anything?  Even though I have searched for svchost.exe and found only the one in windows/system32.

Anyway, have a look at the files for me, thank you very much indeed for your help.
[code]
SDFix: Version 1.235

Run by Administrator on 14/10/2008 at 14:35
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files:

Trojan Files Found:

C:\svchost.exe - Deleted
C:\WINDOWS\svchost.exe - Deleted

Removing Temp Files

ADS Check:

Final Check:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 14:41:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

Remaining Files:

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon  7 Jul 2008     1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon  7 Jul 2008     4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon  7 Jul 2008     2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 20 Mar 1998         1,048 A.SH. --- "C:\WINDOWS\system32\fnmode.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Assets\My Asset Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Bank\My Bank Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Customer\My Customer Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Finance\My Finance Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Invoice\My Invoice Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Nominal\My Nominal Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\POP\My POP Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Products\My Products Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\SOP\My SOP Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Supplier\My Supplier Reports\rpt.sys"

Finished!
[/code]

[code]
ComboFix 08-10-11.04 - rogerl 2008-10-14 14:50:40.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2102 [GMT 1:00]
Running from: C:\Documents and Settings\rogerl\Desktop\Virus_apps\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\IE4 Error Log.txt

.
(((((((((((((((((((((((((   Files Created from 2008-09-14 to 2008-10-14  )))))))))))))))))))))))))))))))
.

2008-10-14 14:33 . 2008-10-14 14:33	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-10-14 14:03 . 2008-10-14 14:43	<DIR>	d--------	C:\SDFix
2008-10-14 13:43 . 2008-10-14 13:43	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-10-14 13:43 . 2008-10-14 13:43	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-14 13:40 . 2008-10-14 13:42	<DIR>	d--------	C:\WINDOWS\system32\NtmsData
2008-10-14 08:20 . 2008-10-14 14:52	<DIR>	d--------	C:\quarantine
2008-10-14 08:19 . 2008-10-14 08:19	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-10-14 08:19 . 2008-10-14 08:19	<DIR>	d--------	C:\Documents and Settings\rogerl\Application Data\Malwarebytes
2008-10-14 08:19 . 2008-10-14 08:19	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-14 08:19 . 2008-09-10 00:04	38,528	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-14 08:19 . 2008-09-10 00:03	17,200	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-10-13 08:41 . 2008-10-13 08:41	<DIR>	d--------	C:\Program Files\Trend Micro
2008-10-13 07:12 . 2008-10-13 07:26	<DIR>	d--------	C:\WINDOWS\system32\CatRoot_bak
2008-10-10 07:09 . 2008-10-10 07:09	102,400	--a------	C:\WINDOWS\system32\atlcom763_530.dll
2008-10-10 07:09 . 2008-10-10 07:09	20	--a------	C:\WINDOWS\syscheck
2008-10-03 14:12 . 2008-10-03 14:14	<DIR>	d--------	C:\Program Files\RegScrubXP
2008-10-01 14:44 . 2008-10-01 14:44	<DIR>	d--------	C:\Program Files\Mouse Driver

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 21:10	94,920	----a-w	C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 21:10	94,920	----a-w	C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10	53,448	----a-w	C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10	53,448	----a-w	C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 21:10	45,768	----a-w	C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10	36,552	----a-w	C:\WINDOWS\system32\wups.dll
2008-07-18 21:10	36,552	----a-w	C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 21:09	563,912	----a-w	C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09	563,912	----a-w	C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 21:09	325,832	----a-w	C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09	325,832	----a-w	C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 21:09	205,000	----a-w	C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09	205,000	----a-w	C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 21:09	1,811,656	----a-w	C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:09	1,811,656	----a-w	C:\WINDOWS\system32\dllcache\wuaueng.dll
2006-05-05 07:39	21,344	------w	C:\Documents and Settings\rogerl\Application Data\GDIPFONTCACHEV1.DAT
1998-03-20 00:00	1,048	-csha-w	C:\WINDOWS\system32\fnmode.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WireLessMouse"="C:\Program Files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe" [2007-03-06 212992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-15 180269]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 286720]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"KMCONFIG"="C:\Program Files\Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 118784]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 19:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
--a------ 2003-09-29 08:10 81990 C:\Program Files\Network Associates\VirusScan\shstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-11 13:53 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 KMWDSERVICE;Keyboard And Mouse Communication Service;C:\Program Files\Mouse Driver\KMWDSrv.exe [2008-03-28 208896]
R2 wowsystem;Remote TCP/IPv6;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
wowsystem

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.co.uk/
R0 -: HKLM-Main,Start Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
R0 -: HKLM-Main,Search Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 -: HKCU-Internet Settings,ProxyServer = hxxp://SRVSBS01:8080
R1 -: HKCU-Internet Settings,ProxyOverride = ;<local>
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} - hxxps://fastsend.com/products/Fsplugin.cab
C:\WINDOWS\Downloaded Program Files\FsPlugin.inf
C:\WINDOWS\Downloaded Program Files\dwnlgui.dll
C:\WINDOWS\Downloaded Program Files\opndlg32.dll
C:\WINDOWS\Downloaded Program Files\trxsc.dll
C:\WINDOWS\Downloaded Program Files\fsplugin.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 14:53:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-14 14:53:55
ComboFix-quarantined-files.txt  2008-10-14 13:53:53

Pre-Run: 64,134,406,144 bytes free
Post-Run: 64,584,749,056 bytes free

124	--- E O F ---	2008-09-10 18:21:52
[/code]

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 22711740
SDFix deleted 2 bad svchost.exe there.
Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\atlcom763_530.dll
C:\WINDOWS\system32\fnmode.sys

Folder::
C:\WINDOWS\syscheck
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


Author Comment

by:SpencerKarnovski
ID: 22711883
Hi,

Yeh - I did notice that it removed both the files. I did copy the svchost.exe file to the C:\ drive, just to see if it would make any difference.

But I will try what you have suggested, many many thanks.

I do have a question though. The svchost.exe is a critical Windows file, yes? When Windows loads it checks the list of available processes or something like that using this app. So, does it mean that the actual Windows svchost.exe file is corrupted with a trojan? Or is this Trojan masking as a copy of this file?

Thanks for helping, your experience is most welcome and needed :)
Expert Comment

by:rpggamergirl
ID: 22718933
>>>The svchost.exe is a critical Windows file yes, <<<

Yes, the legit svchost.exe which is located in the system32 folder.


>>>Or is this Trojan masking as a copy of this file.<<<
 
C:\WINDOWS\svchost.exe <-- this one is a trojan and it is just using the legit system filename for camouflage.

>>>So, does it mean that the actual Windows svchost.exe file is corrupted with a trojan? <<<

No, that doesn't mean the legit svchost.exe is infected. A file infector can infect svchost.exe or other system files, but you would've noticed the symptoms, e.g. services or programs not working, etc.

>>>I did copy then svchost.exe file to the C:\ drive, just to see if it would make any difference.<<<

That wouldn't make any difference. When scanners see svchost.exe in the wrong location it will just be deleted, and that's exactly what SDFix did: it deleted the svchost.exe trojan from the Windows folder and also deleted the svchost.exe that you put in C:\.
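Two defensive checks suggested by this thread, written up as an added example (not code from the original posts): spotting the "deleted, then detected again" loop in the McAfee on-access log that the question describes, and flagging a protected image name such as svchost.exe running from the wrong folder, which is the camouflage rpggamergirl explains above. It assumes Windows is installed at C:\WINDOWS (as the HijackThis log shows) and tab-separated log fields; the McAfee lines and the HijackThis excerpt are constructed samples modelled on the logs quoted in the thread.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Windows lives at C:\WINDOWS, as in the thread's HijackThis log.
SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "system32")

# Image names that belong in exactly one directory on an XP box. The same
# name anywhere else is the "legit filename for camouflage" case from the
# thread: C:\WINDOWS\svchost.exe beside the real system32\svchost.exe.
PROTECTED_BINARIES = {
    "svchost.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "explorer.exe": SYSTEM_ROOT,
}


def check_process_path(image_path):
    """None if the name is not protected or sits in its legitimate directory;
    otherwise a reason string describing the mismatch."""
    directory, name = ntpath.split(image_path)
    expected = PROTECTED_BINARIES.get(name.lower())
    if expected is None or ntpath.normcase(directory) == ntpath.normcase(expected):
        return None
    return f"{name} running from {directory}, expected {expected}"


def audit_running_processes(hijackthis_log):
    """Return [(path, reason)] for every wrong-folder protected binary in the
    'Running processes:' section of a HijackThis log."""
    flagged, in_section = [], False
    for line in hijackthis_log.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_section = True
            continue
        if in_section:
            if not line:              # the section ends at the first blank line
                break
            reason = check_process_path(line)
            if reason:
                flagged.append((line, reason))
    return flagged


def parse_mcafee_log(log_text):
    """Parse tab-separated VirusScan on-access lines (date, time, action,
    user, path, detection); lines without exactly six fields are skipped."""
    events = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        date, time, action, user, path, detection = fields
        when = datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S")
        events.append((when, action, user, path, detection))
    return events


def find_redetection_loops(log_text, min_hits=3, window=timedelta(minutes=5)):
    """[(path, detection, hits)] for each path detected >= min_hits times in
    one window. Deleting the same file over and over means something still
    resident keeps recreating it: the dropper, not the dropped file, remains."""
    times_by_key = defaultdict(list)
    for when, _action, _user, path, detection in parse_mcafee_log(log_text):
        times_by_key[(path, detection)].append(when)
    loops = []
    for (path, detection), times in sorted(times_by_key.items()):
        times.sort()
        best = start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            loops.append((path, detection, best))
    return loops


# Constructed samples modelled on the logs quoted in the thread.
MCAFEE_LOG = "\n".join("\t".join(f) for f in [
    ("13/10/2008", "08:12:14", "Deleted", r"NT AUTHORITY\SYSTEM", r"C:\WINDOWS\svchost.exe", "Generic.dx"),
    ("13/10/2008", "08:12:34", "Deleted", r"NT AUTHORITY\SYSTEM", r"C:\WINDOWS\svchost.exe", "Generic.dx"),
    ("13/10/2008", "08:12:54", "Deleted", r"NT AUTHORITY\SYSTEM", r"C:\WINDOWS\svchost.exe", "Generic.dx"),
    ("13/10/2008", "09:30:00", "Deleted", r"PROMETHEUS\rogerl", r"C:\temp\eicar.com", "EICAR test file"),
])

HJT_SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2 (constructed excerpt)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
"""

if __name__ == "__main__":
    for path, detection, hits in find_redetection_loops(MCAFEE_LOG):
        print(f"re-detection loop: {path} ({detection}) hit {hits} times")
    for _path, reason in audit_running_processes(HJT_SAMPLE):
        print(f"masquerade: {reason}")
```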

Author Comment

by:SpencerKarnovski
ID: 22720632
Thank you so much for explaining that rpggirl.  I am currently waiting for my director to give me access to his PC.

Will let you know how things go.

Your information and help has been great, lets hope this gets rid of the virus once and for all.

Author Comment

by:SpencerKarnovski
ID: 22739464
Problem solved.  That script worked wonders, thank you very much rpggirl.

May I ask, what it did?  Your answer could be as brief as you want.

Thank you again.
Expert Comment

by:rpggamergirl
ID: 22740160
>>>May I ask, what it did?  Your answer could be as brief as you want.<<<

The script deleted the 2 files below:
C:\WINDOWS\system32\atlcom763_530.dll
C:\WINDOWS\system32\fnmode.sys


C:\WINDOWS\syscheck <-- and the script also deleted this folder.
 
Now that you're done with Combofix, you can then uninstall it.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u


The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.
 

One more thing: the version of Java on that PC is vulnerable to infections (especially Vundo infection). I suggest updating to the later or latest version.

Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment...).
Select and click Remove.

Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp


Thanks!

Author Comment

by:SpencerKarnovski
ID: 22740292
Hey there!

Well, you have really, really, helped me out here.  I cannot thank you enough.  One day maybe I'll be able to replicate the help that you have given here to someone else.

Thanks rpggirl - may you get triple the amount of XP on your next 100 kills.

Spencer
Expert Comment

by:rpggamergirl
ID: 22740633
Hi Spencer,

No problem, glad it's resolved.

>>>may you get triple the amount of XP on your next 100 kills.<<<

I haven't played in a long time because once I started a game I couldn't stop, lol.


Thanks for the points and the excellent grade!

