My Malwarebytes keeps notifying me that svchost is infected. Need help analyzing and cleaning.
Follow the guide and attach the logs… do not copy and paste. http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR
What is it saying the infection is?
If this is a detection on an on-demand scan by MBAM, you can copy and paste the contents of the MBAM scan into your next reply.
Hi All,
Thanks for the quick reply.
As of now Malwarebytes keeps locking up.
I ran a scan (but took no action) with TDSSKiller and got: Rootkit.Boot.Pihar.c
Attached is the OTL log. Scanning with MBR now
Attached is the MBR log
ADW log
Updated MBR log (FULL)
Can someone be of assistance here?
Malware removers have been notified. It may take hours before one arrives, so be patient.
Since most of them are on European time and it is midnight here, I guess you won't see any until tomorrow.
Quote: I ran a scan (but took no action) with TDSSKiller and got: Rootkit.Boot.Pihar.c
Re-run TDSSKiller and select Cure for this, whilst I look at your logs.
Then attach the TDSSKiller log.
Download the latest version of TDSSKiller from here and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application.
https://dl.dropbox.com/u/73555776/tdss%20start.JPG
- Then click on Change parameters.
https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip; click on Continue.
https://dl.dropbox.com/u/73555776/tdss%20threat.JPG
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports.
https://dl.dropbox.com/u/73555776/tdss%20report.JPG
- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
Please copy and paste its contents in your next reply.
After you have completed the TDSSKiller run, we will then remove the other infections.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{901D0DE9-F56D-11E1-8270-B8AC6F996F26}: D:\Users\neal.weese\AppData\Local\{901D0DE9-F56D-11E1-8270-B8AC6F996F26}\ [2012/09/02 22:18:27 | 000,000,000 | ---D | M]
[2012/09/02 22:18:27 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- D:\USERS\NEAL.WEESE\APPDATA\LOCAL\{901D0DE9-F56D-11E1-8270-B8AC6F996F26}
O4:64bit: - HKLM..\Run: [isrex] D:\Users\neal.weese\AppData\Roaming\isrex.dll (EFD Software)
O4 - Startup: D:\Users\neal.weese\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NexDef Plug-in.lnk = D:\Users\neal.weese\AppData\Local\Autobahn\nexdef.exe ()
[2012/10/15 11:15:53 | 000,000,000 | ---- | M] () -- D:\Users\neal.weese\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
:Files
C:\$Recycle.Bin\S-1-5-18\$511ae60b612c84159238ae11937ad18a
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered; reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and install ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double-click on ComboFix.exe and follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
Thank you for your assistance. I am currently running TDSSKiller, but it is spending a lot of time on 'Cure'. Is this normal?
It is still showing time, but nothing is happening. Here is the log so far, from when it stopped:
18:42:07.0199 5848 Wanarpv6 - ok
18:42:07.0253 5848 [ 3CEC96DE223E49EAAE3651FCF8FAEA6C ] WatAdminSvc C:\Windows\system32\Wat\WatAdminSvc.exe
18:42:07.0344 5848 WatAdminSvc - ok
18:42:07.0382 5848 [ 5AB1BB85BD8B5089CC5D64200DEDAE68 ] wbengine C:\Windows\system32\wbengine.exe
18:42:07.0511 5848 wbengine - ok
18:42:07.0526 5848 [ 3AA101E8EDAB2DB4131333F4325C76A3 ] WbioSrvc C:\Windows\System32\wbiosrvc.dll
18:42:07.0563 5848 WbioSrvc - ok
18:42:07.0604 5848 [ DD1BAE8EBFC653824D29CCF8C9054D68 ] wcncsvc C:\Windows\System32\wcncsvc.dll
18:42:07.0668 5848 wcncsvc - ok
18:42:07.0681 5848 [ 20F7441334B18CEE52027661DF4A6129 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
18:42:07.0743 5848 WcsPlugInService - ok
18:42:07.0772 5848 [ 72889E16FF12BA0F235467D6091B17DC ] Wd C:\Windows\system32\DRIVERS\wd.sys
18:42:07.0804 5848 Wd - ok
18:42:07.0841 5848 [ 441BD2D7B4F98134C3A4F9FA570FD250 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
18:42:07.0959 5848 Wdf01000 - ok
18:42:07.0974 5848 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiServiceHost C:\Windows\system32\wdi.dll
18:42:08.0010 5848 WdiServiceHost - ok
18:42:08.0014 5848 [ BF1FC3F79B863C914687A737C2F3D681 ] WdiSystemHost C:\Windows\system32\wdi.dll
18:42:08.0034 5848 WdiSystemHost - ok
18:42:08.0077 5848 [ 733006127F235BE7C35354EBEE7B9A7B ] WebClient C:\Windows\System32\webclnt.dll
18:42:08.0136 5848 WebClient - ok
18:42:08.0163 5848 [ C749025A679C5103E575E3B48E092C43 ] Wecsvc C:\Windows\system32\wecsvc.dll
18:42:08.0231 5848 Wecsvc - ok
18:42:08.0247 5848 [ 7E591867422DC788B9E5BD337A669A08 ] wercplsupport C:\Windows\System32\wercplsupport.dll
18:42:08.0293 5848 wercplsupport - ok
18:42:08.0308 5848 [ 6D137963730144698CBD10F202E9F251 ] WerSvc C:\Windows\System32\WerSvc.dll
18:42:08.0352 5848 WerSvc - ok
18:42:08.0364 5848 [ 611B23304BF067451A9FDEE01FBDD725 ] WfpLwf C:\Windows\system32\DRIVERS\wfplwf.sys
18:42:08.0411 5848 WfpLwf - ok
18:42:08.0433 5848 [ 05ECAEC3E4529A7153B3136CEB49F0EC ] WIMMount C:\Windows\system32\drivers\wimmount.sys
18:42:08.0452 5848 WIMMount - ok
18:42:08.0459 5848 WinHttpAutoProxySvc - ok
18:42:08.0510 5848 [ 19B07E7E8915D701225DA41CB3877306 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
18:42:08.0583 5848 Winmgmt - ok
18:42:08.0638 5848 [ 41FBB751936B387F9179E7F03A74FE29 ] WinRM C:\Windows\system32\WsmSvc.dll
18:42:08.0805 5848 WinRM - ok
18:42:08.0829 5848 [ 817EAFF5D38674EDD7713B9DFB8E9791 ] WinUsb C:\Windows\system32\DRIVERS\WinUSB.sys
18:42:08.0865 5848 WinUsb - ok
18:42:08.0911 5848 [ 4FADA86E62F18A1B2F42BA18AE24E6AA ] Wlansvc C:\Windows\System32\wlansvc.dll
18:42:08.0983 5848 Wlansvc - ok
18:42:09.0033 5848 [ DE816A0624D54D68E1FB8A9028DCF81A ] wltrysvc C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
18:42:09.0050 5848 wltrysvc ( UnsignedFile.Multi.Generic ) - warning
18:42:09.0050 5848 wltrysvc - detected UnsignedFile.Multi.Generic (1)
18:42:09.0075 5848 [ F6FF8944478594D0E414D3F048F0D778 ] WmiAcpi C:\Windows\system32\DRIVERS\wmiacpi.sys
18:42:09.0090 5848 WmiAcpi - ok
18:42:09.0114 5848 [ 38B84C94C5A8AF291ADFEA478AE54F93 ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
18:42:09.0169 5848 wmiApSrv - ok
18:42:09.0182 5848 WMPNetworkSvc - ok
18:42:09.0198 5848 [ 96C6E7100D724C69FCF9E7BF590D1DCA ] WPCSvc C:\Windows\System32\wpcsvc.dll
18:42:09.0265 5848 WPCSvc - ok
18:42:09.0280 5848 [ 2E57DDF2880A7E52E76F41C7E96D327B ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
18:42:09.0357 5848 WPDBusEnum - ok
18:42:09.0383 5848 [ 6BCC1D7D2FD2453957C5479A32364E52 ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
18:42:09.0439 5848 ws2ifsl - ok
18:42:09.0462 5848 [ 8D918B1DB190A4D9B1753A66FA8C96E8 ] WSDPrintDevice C:\Windows\system32\DRIVERS\WSDPrint.sys
18:42:09.0505 5848 WSDPrintDevice - ok
18:42:09.0510 5848 WSearch - ok
18:42:09.0581 5848 [ D9EF901DCA379CFE914E9FA13B73B4C4 ] wuauserv C:\Windows\system32\wuaueng.dll
18:42:09.0681 5848 wuauserv - ok
18:42:09.0693 5848 [ 7CADC74271DD6461C452C271B30BD378 ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
18:42:09.0759 5848 WudfPf - ok
18:42:09.0778 5848 [ 3B197AF0FFF08AA66B6B2241CA538D64 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
18:42:09.0838 5848 WUDFRd - ok
18:42:09.0888 5848 [ B551D6637AA0E132C18AC6E504F7B79B ] wudfsvc C:\Windows\System32\WUDFSvc.dll
18:42:09.0940 5848 wudfsvc - ok
18:42:09.0965 5848 [ 9A3452B3C2A46C073166C5CF49FAD1AE ] WwanSvc C:\Windows\System32\wwansvc.dll
18:42:10.0001 5848 WwanSvc - ok
18:42:10.0014 5848 ================ Scan global ===============================
18:42:10.0055 5848 [ BA0CD8C393E8C9F83354106093832C7B ] C:\Windows\system32\basesrv.dll
18:42:10.0087 5848 [ 79CDA06F75AD5373DD447F57575C4400 ] C:\Windows\system32\winsrv.dll
18:42:10.0098 5848 [ 79CDA06F75AD5373DD447F57575C4400 ] C:\Windows\system32\winsrv.dll
18:42:10.0112 5848 [ D6160F9D869BA3AF0B787F971DB56368 ] C:\Windows\system32\sxssrv.dll
18:42:10.0132 5848 [ 24ACB7E5BE595468E3B9AA488B9B4FCB ] C:\Windows\system32\services.exe
18:42:10.0139 5848 [Global] - ok
18:42:10.0140 5848 ================ Scan MBR ==================================
18:42:10.0153 5848 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
18:42:10.0153 5848 Suspicious mbr (Forged): \Device\Harddisk0\DR0
18:42:10.0188 5848 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
18:42:10.0188 5848 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
18:42:10.0276 5848 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
18:42:10.0276 5848 \Device\Harddisk0\DR0 - detected TDSS File System (1)
18:42:10.0277 5848 ================ Scan VBR ==================================
18:42:10.0281 5848 [ 73D3D5E6C510775AE2E0673BEC2763B6 ] \Device\Harddisk0\DR0\Partition1
18:42:10.0282 5848 \Device\Harddisk0\DR0\Partition1 - ok
18:42:10.0315 5848 [ A13B0772CE4920DFFEA80D1BBC89C99D ] \Device\Harddisk0\DR0\Partition2
18:42:10.0318 5848 \Device\Harddisk0\DR0\Partition2 - ok
18:42:10.0336 5848 [ 0B4FC92CB78C1D1468CC2B8362A85C5F ] \Device\Harddisk0\DR0\Partition3
18:42:10.0337 5848 \Device\Harddisk0\DR0\Partition3 - ok
18:42:10.0364 5848 [ 49EC5D3500B669DD86FB2D573412706E ] \Device\Harddisk0\DR0\Partition4
18:42:10.0367 5848 \Device\Harddisk0\DR0\Partition4 - ok
18:42:10.0368 5848 ============================================================
18:42:10.0368 5848 Scan finished
18:42:10.0368 5848 ============================================================
18:42:10.0381 8208 Detected object count: 7
18:42:10.0381 8208 Actual detected object count: 7
18:42:53.0840 8208 InstallFilterService ( UnsignedFile.Multi.Generic ) - skipped by user
18:42:53.0840 8208 InstallFilterService ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:42:53.0840 8208 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
18:42:53.0840 8208 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:42:53.0842 8208 OpenVPNService ( UnsignedFile.Multi.Generic ) - skipped by user
18:42:53.0843 8208 OpenVPNService ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:42:53.0845 8208 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
18:42:53.0845 8208 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:42:53.0847 8208 wltrysvc ( UnsignedFile.Multi.Generic ) - skipped by user
18:42:53.0847 8208 wltrysvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:42:54.0743 8208 \Device\Harddisk0\DR0# - copied to quarantine
18:46:54.0753 8208 \Device\Harddisk0\DR0 - copied to quarantine
18:50:56.0456 8208 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
18:50:56.0600 8208 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
18:50:57.0630 8208 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
18:50:57.0790 8208 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
18:50:57.0947 8208 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
18:51:00.0619 8208 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
19:07:00.0704 8208 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
19:07:00.0713 8208 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
19:07:00.0720 8208 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
19:07:00.0944 8208 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
It finally finished… here is the report after reboot
OTL report
For ComboFix, I can't disable my security as it is locked by my admin.
Voila and there it is gone… ;D
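As an added example (not part of the thread and not Kaspersky's code), the following Python script pulls the detections, file hashes, user actions and quarantine events out of a TDSSKiller report in the format posted above and maps each detection to the action the helper asked for: Cure for an object reported as infected, Skip for UnsignedFile.Multi.Generic (that verdict only says the service binary is unsigned, which is why the OpenVPN, HP and Dell services were skipped), and Skip for the TDSS File System warning unless a helper says to delete it. The log lines embedded below are constructed to match the posted report's format; the function names and the recommendation mapping are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample in TDSSKiller's report format, modelled on the log posted
# in the thread. Timestamps and PIDs are illustrative, not copied from a real run.
SAMPLE_LOG = r"""
18:42:09.0033 5848 [ DE816A0624D54D68E1FB8A9028DCF81A ] wltrysvc C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
18:42:09.0050 5848 wltrysvc ( UnsignedFile.Multi.Generic ) - warning
18:42:09.0050 5848 wltrysvc - detected UnsignedFile.Multi.Generic (1)
18:42:09.0075 5848 [ F6FF8944478594D0E414D3F048F0D778 ] WmiAcpi C:\Windows\system32\DRIVERS\wmiacpi.sys
18:42:09.0090 5848 WmiAcpi - ok
18:42:10.0153 5848 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
18:42:10.0153 5848 Suspicious mbr (Forged): \Device\Harddisk0\DR0
18:42:10.0188 5848 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
18:42:10.0188 5848 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
18:42:10.0276 5848 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
18:42:10.0276 5848 \Device\Harddisk0\DR0 - detected TDSS File System (1)
18:42:53.0842 8208 OpenVPNService ( UnsignedFile.Multi.Generic ) - skipped by user
18:42:53.0843 8208 OpenVPNService ( UnsignedFile.Multi.Generic ) - User select action: Skip
18:42:54.0743 8208 \Device\Harddisk0\DR0# - copied to quarantine
18:46:54.0753 8208 \Device\Harddisk0\DR0 - copied to quarantine
18:50:56.0456 8208 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
"""

# Every report line is "<time> <pid> <message>"; the message shapes we care about:
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) (?P<msg>.+)$")
HASHED = re.compile(r"^\[ (?P<md5>[0-9A-F]{32}) \] (?P<obj>\S+)(?: (?P<path>.+))?$")
VERDICT = re.compile(r"^(?P<obj>.+?) \( (?P<name>.+?) \) - (?P<verdict>infected|warning)$")
ACTION = re.compile(r"^(?P<obj>.+?) \( (?P<name>.+?) \) - User select action: (?P<action>\w+)$")
QUARANTINE = re.compile(r"^(?P<obj>.+?) - copied to quarantine$")
FORGED_MBR = re.compile(r"^Suspicious mbr \(Forged\): (?P<obj>.+)$")


def parse_tdsskiller(text: str) -> Dict[str, object]:
    """Collect hashes, verdicts, user choices, quarantine and forged-MBR events."""
    report = {"objects": {}, "detections": [], "actions": {}, "quarantined": [], "forged_mbr": []}
    for raw in text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # banners, separators, blank lines
        msg = line.group("msg")
        m = HASHED.match(msg)
        if m:
            report["objects"][m.group("obj")] = {"md5": m.group("md5"), "path": m.group("path")}
            continue
        m = VERDICT.match(msg)
        if m:
            report["detections"].append(
                {"object": m.group("obj"), "name": m.group("name"), "verdict": m.group("verdict")})
            continue
        m = ACTION.match(msg)
        if m:
            report["actions"][(m.group("obj"), m.group("name"))] = m.group("action")
            continue
        m = QUARANTINE.match(msg)
        if m:
            report["quarantined"].append(m.group("obj"))
            continue
        m = FORGED_MBR.match(msg)
        if m:
            report["forged_mbr"].append(m.group("obj"))
    return report


def recommend(name: str, verdict: str) -> str:
    """Action to pick in the results dialog, encoding the thread's guidance:
    Cure what is infected, Skip unsigned-file heuristics, and only Delete the
    TDLFS volume when a helper says so (assumed policy, not TDSSKiller's own)."""
    if verdict == "infected":
        return "Cure"
    if name == "TDSS File System":
        return "Skip (Delete only when instructed)"
    if name.startswith("UnsignedFile."):
        return "Skip (heuristic; verify publisher and path by hand)"
    return "Skip"


def triage(text: str) -> List[dict]:
    """One row per detection, joined with the object's hash/path and outcome."""
    report = parse_tdsskiller(text)
    rows = []
    for d in report["detections"]:
        obj, name = d["object"], d["name"]
        meta = report["objects"].get(obj, {})
        rows.append({
            "object": obj, "name": name, "verdict": d["verdict"],
            "md5": meta.get("md5"), "path": meta.get("path"),
            "forged_mbr": obj in report["forged_mbr"],
            "user_action": report["actions"].get((obj, name)),
            "recommended": recommend(name, d["verdict"]),
            "quarantined": obj in report["quarantined"],
        })
    return rows


def unresolved(rows: List[dict]) -> List[str]:
    """Infected objects that were neither quarantined nor explicitly actioned;
    a non-empty result means the scan must be re-run with Cure selected."""
    return [r["object"] for r in rows
            if r["verdict"] == "infected" and not r["quarantined"] and r["user_action"] is None]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        flags = (" [MBR forged]" if r["forged_mbr"] else "") + (" [quarantined]" if r["quarantined"] else "")
        print(f'{r["verdict"]:8} {r["name"]:28} {r["object"]} -> {r["recommended"]}{flags}')
    print("unresolved:", unresolved(triage(SAMPLE_LOG)))
```

Feed it the saved report text instead of SAMPLE_LOG to get the same summary for a real run; the unresolved() check is the quick way to tell, before posting, whether the MBR detection actually got cured or whether TDSSKiller needs to be re-run.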
Re-run TDSSKiller with the same parameters.
When this bit appears, select Delete:
\Device\Harddisk0\DR0 ( TDSS File System )
Then run ComboFix and accept the warnings about Norton running.
That will finish off the ZeroAccess.