Need help with a customer's computer

linkin

I got a call today asking me to come fix a computer that wouldn't connect to the internet. Long story short, the computer is infected with MyWebSearch and some virus that uses a fake svchost.exe (AdWare.something).

It keeps trying to use a proxy in IE, FF and Chrome to connect to 127.0.0.1.

So far everything I've done has been unsuccessful. I've tried:

Rkill
Malwarebytes
Super Anti Spyware
HijackThis

Rkill seems to work, but does not. It stops the fake svchost process but it starts right back up again. Malwarebytes is able to install and update, but while scanning it immediately closes and won't run again.

Same goes for all the other programs, except super anti spyware. It will run, says it removes the infection, and requires a reboot. Only it doesn't or can't remove the virus.

I've told the guy to bring his computer over tomorrow so I can slave the drive to my computer and clean it up.

Is this the best course of action? I could not get any HijackThis or Malwarebytes logs.
 
I think Process Explorer can do it. Just start the computer in safe mode and run it; it will show the problem in red.
 
I have tried all the above programs in safe mode as well, the infections are still present.

I'll give process explorer a go in safe mode when he brings his computer over tomorrow.
 
Well, there may not be any restore points...
I suppose quarantine the drive and clone all the files, wipe and restore.
That's what I would do at least.
 
Hey linkin, have you tried any of the anti-virus boot discs like the AVG Rescue CD etc.? All the big anti-virus companies have one; it runs from disc before Windows starts.
 
Thanks everyone. The computer does have a recovery partition, but I want to be less destructive - hopefully slaving the drive and running combofix and the above programs will do the trick.
 
Just remember that ComboFix must be run while the drive is installed in the original machine. And the only reason I said to run the drive maker's diagnostic utility is that you said Malwarebytes shut down in the middle of running. I've come across this twice, and each time found out that there was an error on the drive that had to be fixed before Malwarebytes could finish.
 
I'm on the infected computer as we speak, downloading combofix.

Machine was set up so that it couldn't connect to the internet (tried to connect to 10.1.1.3), with fake DNS servers as well.

Definitely the work of a trojan here.

Every single anti-virus scanning program so far closes immediately or shortly after beginning to scan. Mbam, super anti spyware & spybot s&d.

Let's hope combofix can do this. Rkill has not been able to stop the infection, not even temporarily since yesterday.
 
To end the malware process, have you tried iExplore.exe, the offshoot of RKill? Johnb35 sent it to me as being more effective at times than "RKill", as many malware don't recognize it.

And if it were me, I'd do as much as possible to work it out. I really hate reinstalling an OS.
 
It seems to work, and it terminates the process (fake svchost.exe) but it starts right up again. Rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 20/02/2011 at 15:49:31.
Operating System: Windows Vista (TM) Home Premium


Processes terminated by Rkill or while it was running:

\\.\globalroot\Device\svchost.exe\svchost.exe


Rkill completed on 20/02/2011 at 15:49:34.
 
God, it started again! What a pain!!!

I don't normally suggest it, but maybe you're down to trying this in safe mode, and I'd do it without networking.

Though, I had a time when I couldn't even run RKill, the computer wouldn't turn off (if I did it would just turn back on!) and I finally got the infection off by restarting the computer (it would restart at least) and running Malwarebytes as soon as I saw the desktop in safe mode. It wasn't easy, and I had to try it 4 or 5 times before I got it. But once Malwarebytes ran, it removed enough of the infection that I was finally able to run ComboFix. Of course you could just do the same, trying to start ComboFix the second the desktop appears. It is frustrating doing this, and it may take multiple tries... but maybe worth a shot, eh?!
 
I ran dds.scr to find out what's going on, like here: http://forums.malwarebytes.org/index.php?showtopic=67147

The log is below

DDS (Ver_10-12-12.02) - NTFSx86
Run by test at 16:12:34.49 on Sun 20/02/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2045.793 [GMT 11:00]

AV: Norton Internet Security *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\Explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conime.exe
C:\Users\test\AppData\Local\Temp\SAS_SelfExtract\program.com
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
J:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=91&bd=Pavilion&pf=cndt
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=91&bd=Pavilion&pf=cndt
mStart Page = hxxp://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d
mDefault_Page_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mDefault_Search_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mSearch Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mURLSearchHooks: TV Bar 1.1 Toolbar: {a386d4b0-fddb-4e1c-ae61-4f014013cd9b} -
BHO: {0974BA1E-64EC-11DE-B2A5-E43756D89593} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - No File
BHO: {a386d4b0-fddb-4e1c-ae61-4f014013cd9b} - TV Bar 1.1 Toolbar
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: TV Bar 1.1 Toolbar: {a386d4b0-fddb-4e1c-ae61-4f014013cd9b} -
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {0974BA1E-64EC-11DE-B2A5-E43756D89593} - No File
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-5/SmileyCreatorInitialSetup1.0.1.4.exe
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 69.10.57.34 www.google.com
Hosts: 69.10.57.34 google.com
Hosts: 69.10.57.34 google.com.au
Hosts: 69.10.57.34 www.google.com.au
Hosts: 69.10.57.34 google.be

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-18 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-18 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-18 107272]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\users\test\appdata\local\temp\sas_selfextract\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\users\test\appdata\local\temp\sas_selfextract\saskutil.sys [2010-5-11 67656]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2011-2-20 142592]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2008-11-11 493568]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2008-2-13 618112]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2009-6-8 167808]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-18 298264]
S4 gupdate1c9ed8e667e1a0;Google Update Service (gupdate1c9ed8e667e1a0);c:\program files\google\update\GoogleUpdate.exe [2009-6-15 133104]
S4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-11-6 583648]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-20 1153368]

=============== Created Last 30 ================

2011-02-20 04:54:33 -------- d--h--w- c:\windows\PIF
2011-02-20 04:40:21 -------- d-----w- c:\windows\Recent
2011-02-20 04:40:21 -------- d-----w- c:\windows\Cookies
2011-02-20 04:37:47 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2011-02-20 04:37:45 -------- d-----w- c:\users\test\appdata\roaming\Spyware Terminator
2011-02-20 04:37:28 -------- d-----w- c:\progra~2\Spyware Terminator
2011-02-20 04:37:27 -------- d-----w- c:\program files\Spyware Terminator
2011-02-20 04:33:52 -------- d-----w- c:\program files\SpywareBlaster
2011-02-20 04:17:34 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-02-20 04:17:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-20 01:19:02 173056 ----a-w- c:\windows\system32\sshnas21.dll
2011-02-19 03:42:03 -------- d-----w- c:\program files\CCleaner
2011-02-19 03:39:42 -------- d-----w- c:\users\test\appdata\roaming\SUPERAntiSpyware.com
2011-02-19 03:39:42 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-02-19 03:33:01 388096 ----a-r- c:\users\test\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-02-19 03:33:01 -------- d-----w- c:\program files\Trend Micro
2011-02-19 03:12:47 -------- d-----w- c:\users\test\appdata\local\Hewlett-Packard
2011-02-19 03:11:40 -------- d-----w- c:\users\test\appdata\local\Google
2011-02-19 03:08:29 -------- d-----w- c:\users\test\appdata\roaming\Malwarebytes
2011-02-19 02:56:06 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-19 02:55:54 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-02-19 02:52:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-19 02:52:40 -------- d-----w- c:\progra~2\Malwarebytes
2011-02-19 02:52:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-19 02:52:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-18 06:59:30 -------- d-sh--w- c:\progra~2\ISKQDJEE
2011-02-18 06:58:42 -------- d-sh--w- c:\progra~2\7fe975
2011-02-14 02:45:32 134144 ----a-w- c:\windows\Nsitaa.exe
2011-02-14 02:45:28 59904 --sha-r- c:\windows\system32\ieakengd.dll
2011-02-12 04:10:04 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{263f4fba-38ff-4173-b381-09b4b49d308a}\mpengine.dll
2011-02-09 03:42:17 2039808 ----a-w- c:\windows\system32\win32k.sys
2011-02-09 03:42:08 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-02-09 03:42:07 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 03:42:06 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-04 01:43:17 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2011-02-04 01:37:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-02-04 01:37:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-02-04 01:37:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-02-04 01:37:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-02-04 01:37:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-02-04 01:37:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-02-04 01:37:38 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-02-04 00:30:06 -------- d-----w- c:\windows\pss
2011-02-01 02:34:36 -------- d-----w- c:\progra~2\iMdJkHg01803

==================== Find3M ====================

2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-14 14:49:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-11-29 06:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 06:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 16:12:47.18 ===============
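Three things in that DDS log are worth reading as indicators rather than noise: a process image loaded from a `\\.\globalroot\Device\...` path instead of System32, IFEO entries whose debugger target is `svchost.exe` (an Image File Execution Options Debugger value makes Windows start the named program in place of the listed image, which is why the scanners die as soon as they start), and hosts-file entries that point Google domains at a single outside address. The script below is an added example written for this thread; it is not part of DDS, ComboFix or any tool mentioned above. It scans an excerpt of the posted log for exactly those patterns. The trusted svchost directory, the empty debugger allowlist, the sinkhole-address list and the final `Hosts: 127.0.0.1 localhost` control line are constructed assumptions, not things the log shows.

```python
import re

# Sample input: an excerpt of the DDS log posted above (lines copied verbatim),
# plus one constructed benign line ("Hosts: 127.0.0.1 localhost") as a control.
SAMPLE_LOG = r"""============== Running Processes ===============

C:\Windows\system32\wininit.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files\Google\Chrome\Application\chrome.exe

============== Pseudo HJT Report ===============

mPolicies-system: EnableLUA = 0 (0x0)
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
Hosts: 69.10.57.34 www.google.com
Hosts: 69.10.57.34 google.com
Hosts: 127.0.0.1 localhost

============= SERVICES / DRIVERS ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
IFEO_RE = re.compile(r"^IFEO:\s*(.+?)\s*-\s*(\S+)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
POLICY_RE = re.compile(r"^mPolicies-system:\s*EnableLUA\s*=\s*(\d+)")

# Assumption: directory a genuine svchost.exe runs from on this 32-bit Vista box.
TRUSTED_SVCHOST_DIRS = {r"c:\windows\system32"}
# Assumption: debugger targets the analyst accepts under IFEO; empty, so every entry is reported.
ALLOWED_DEBUGGERS = set()
# Assumption: hosts entries pointing here block a name rather than redirect it.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def _image_path(line):
    """Strip surrounding quotes and a trailing '-k group' argument from a process line."""
    return line.strip().strip('"').split(" -k ")[0].strip()


def find_indicators(log_text):
    """Return (category, subject, reason) tuples for suspicious lines in a DDS log."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()  # track which DDS section we are in
            continue
        if section == "running processes":
            path = _image_path(line)
            directory, _, name = path.lower().rpartition("\\")
            reasons = []
            if path.lower().startswith(r"\\.\globalroot"):
                reasons.append("image loaded via \\\\.\\globalroot device path")
            if name == "svchost.exe" and directory not in TRUSTED_SVCHOST_DIRS:
                reasons.append("svchost.exe outside System32")
            if reasons:
                findings.append(("process", path, "; ".join(reasons)))
        elif section == "pseudo hjt report":
            if (m := IFEO_RE.match(line)):
                image, debugger = m.groups()
                if debugger.lower() not in ALLOWED_DEBUGGERS:
                    findings.append(("ifeo", image, f"launch redirected to {debugger}"))
            elif (m := HOSTS_RE.match(line)):
                ip, host = m.groups()
                if ip not in SINKHOLE_IPS:
                    findings.append(("hosts", host, f"resolves to {ip} via hosts file"))
            elif (m := POLICY_RE.match(line)) and m.group(1) == "0":
                findings.append(("policy", "EnableLUA", "UAC disabled"))
    return findings


def count_by_category(findings):
    """Summarise findings as {category: count} for a quick triage view."""
    counts = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, subject, reason in find_indicators(SAMPLE_LOG):
        print(f"[{category}] {subject}: {reason}")
```

Run against the full log rather than the excerpt and the IFEO rule is the one to watch: every tool listed in the thread (rkill, mbam, the SAS self-extract) is launched by name, so if its image name has a Debugger value it never gets to run. Clearing those keys, restoring the hosts file and removing the device-path image are the remediation steps the findings point at, which is consistent with the advice earlier in the thread to get Malwarebytes running first.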
 
Have you run a diagnostic on the drive as Johnb35 recommended? You seem to have a major infection based on the DDS (big surprise huh).

And also, will ComboFix run at all? If not in normal boot, have you tried safe mode?
 