Possible rootkit infection. [Solved]



#16
FSB75
    Member
  • Topic Starter
  • 17 posts
Slight problem.

Success.
Posted Image

But not really.

Services
Posted Image

Extended apologies for the "extra space" at the end of the image file. Thought my MS Paint skills were highly tuned.

After I entered the Services, I sorted by name, and as you can see, "Background Intelligent Transfer Service" is not listed. I have stopped at this step until advised on how to proceed.
  • 0


#17
CompCav
    Member 5k
  • Expert
  • 12,454 posts
We will do it with a fix using OTL or a Windows repair tool.

Please run the Farbar Services scan and post the FSS.txt and I will prepare the automated fix!
  • 0

#18
FSB75
    Member
  • Topic Starter
  • 17 posts
Farbar Service Scanner Version: 06-08-2012
Ran by F S B (administrator) on 11-08-2012 at 13:24:06
Running from "C:\Documents and Settings\F S B\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****

As requested, and thank you.
  • 0

#19
CompCav
    Member 5k
  • Expert
  • 12,454 posts
OK, we will do an OTL fix and get BITS running right.



  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :OTL
    
    
    :files
    ipconfig /flushdns /c
    sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= auto /c
    
    
    
    :reg
    
    
    :Commands
    [createrestorepoint]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.


Then rerun Farbar again and post the FSS.txt
  • 0

#20
FSB75
    Member
  • Topic Starter
  • 17 posts
No reboot was required.

========== OTL ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\F S B\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\F S B\Desktop\cmd.txt deleted successfully.
< sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= auto /c >
[SC] CreateService SUCCESS
C:\Documents and Settings\F S B\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\F S B\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
========== COMMANDS ==========
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.56.0 log created on 08112012_132959
  • 0
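After a fix like the one above, a defender would want to re-check the same BITS registration details FSS reports on (Start type, ImagePath, ServiceDll, running state). The script below is an added example, not from the thread, FSS or OTL; it assumes a current Windows with PowerShell, and its expected values are the stock BITS defaults rather than anything read from the machine in this thread.

```powershell
# Added example (not from the thread, FSS or OTL): re-check the BITS service
# registration the way FSS's "Windows Update" section does: Start type,
# ImagePath, ServiceDll, and whether the service is running. Expected values
# are the stock Windows defaults for BITS (assumed, not read from the machine
# in the thread). Run from an elevated PowerShell prompt.
$svcKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
$expectedStart = 2                                                # 2 = Automatic
$expectedExe   = Join-Path $env:SystemRoot 'system32\svchost.exe'
$expectedDll   = Join-Path $env:SystemRoot 'system32\qmgr.dll'    # BITS lives in qmgr.dll

function Test-BitsServiceConfig {
    $findings = @()

    if (-not (Test-Path $svcKey)) {
        # No service key at all; this is what "sc create BITS ..." repaired above.
        return @("ATTENTION: $svcKey does not exist; the service is not registered.")
    }
    $props = Get-ItemProperty -Path $svcKey

    # FSS's "Unable to retrieve start type of BITS. The value does not exist."
    # corresponds to a missing Start value under the service key.
    if ($null -eq $props.Start) {
        $findings += 'ATTENTION: Start value is missing; the SCM cannot start the service.'
    } elseif ($props.Start -ne $expectedStart) {
        $findings += "ATTENTION: Start type is $($props.Start), expected $expectedStart (Automatic)."
    }

    # ImagePath is REG_EXPAND_SZ: expand it, then require the real svchost.exe in
    # System32 hosting the netsvcs group. A hijacked service points elsewhere.
    $image = [Environment]::ExpandEnvironmentVariables([string]$props.ImagePath)
    if ($image -notmatch '^"?(?<exe>[^"]+?)"?\s+-k\s+netsvcs\b' -or
        $Matches['exe'] -ne $expectedExe) {
        $findings += "ATTENTION: ImagePath is '$image', expected '$expectedExe -k netsvcs'."
    }

    # The DLL svchost loads for this service is under Parameters\ServiceDll.
    $dllRaw = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $dll    = [Environment]::ExpandEnvironmentVariables([string]$dllRaw)
    if ($dll -ne $expectedDll) {
        $findings += "ATTENTION: ServiceDll is '$dll', expected '$expectedDll'."
    }

    # Live state, as in FSS's "BITS Service is not running" line.
    $svc = Get-Service -Name BITS -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += 'BITS Service is not installed.'
    } elseif ($svc.Status -ne 'Running') {
        $findings += "BITS Service is not running (status: $($svc.Status))."
    }

    if ($findings.Count -eq 0) { return 'BITS service configuration is OK.' }
    return $findings
}

Test-BitsServiceConfig
```

On newer Windows the stock ImagePath may carry extra svchost switches after `-k netsvcs`; the check only requires that prefix, so those still pass.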

#21
CompCav
    Member 5k
  • Expert
  • 12,454 posts
How is the computer performing and what issues remain??
  • 0

#22
FSB75
    Member
  • Topic Starter
  • 17 posts
Success.

Posted Image

I have yet to apply the previously requested changes to the service, though. NOT gonna do it until I'm told to. ;)
  • 0

#23
CompCav
    Member 5k
  • Expert
  • 12,454 posts
Just run Farbar Services Scan again with all checked and post the FSS.txt
  • 0

#24
FSB75
    Member
  • Topic Starter
  • 17 posts
Farbar Service Scanner Version: 06-08-2012
Ran by F S B (administrator) on 11-08-2012 at 13:39:36
Running from "C:\Documents and Settings\F S B\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****


No real issues to the best of my knowledge. However, I would appreciate an educated guideline. As already noted, the item in question that brought all of this to my attention was a suspicious level of "Mem Usage" of one of the currently running svchost.exe (total of 7) listed in my Task Manager. What amount of "usage" is cause for concern?

Example: if a GPU has a "slowdown threshold" of 70°C, then I'm not going to be concerned until it reaches 60° - 65°C. Same thing applies here. Currently the highest running svchost.exe is at 19,652K. Now while it's understood that this particular program is running up to 25+ services, AND the 19,652K isn't a large amount of memory, is it possible to pinpoint a "suspicious" threshold? If the svchost.exe jumps to 60,000K, is that suspicious? How about 100,000K? 300,000K? If this is an impossible question based on an infinite number of existing and/or possible conditions, then, so be it. Just looking for a guideline.

Lastly, as this issue appears to be concluded, I would like to take this time for a sincere "Thank You". This marks a new beginning for my PC experience. I shall now run the Avast! AV software in the background, and am actually considering a full purchase. In the past I've hated these programs. Invasive, intrusive, aggressive, resource consuming, imperialistic, background running piece of...never mind. I'll run it. For my very last query: what, if anything, should I do with the items located in the Avast! "virus chest"? Leave them be? Delete them?

Thank you once again. Record time for a fix, huh?
  • 0

#25
CompCav
    Member 5k
  • Expert
  • 12,454 posts

What amount of "usage" is cause for concern?

It depends on what is normal for you, especially if you are running games or other high-use programs. So look at it in a few scenarios, and when it is "double" normal for those situations it could be an issue.

For my very last query. What, if anything should I do with the items located in the Avast! "virus chest"?

Leave them be until we are finished. :)

Thank you once again.

You are welcome and we will now do the finishing steps.


Record time for a fix, huh?

It is for this specific infection (so far)!


Step 1.

  • Launch Malwarebytes' Anti-Malware, then click Update.
  • Check for updates and then click OK
  • Once the program has updated, select Scanner, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Step 2.

Run ESET Online Scan

Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Vista / 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Please go here then click on: Posted Image

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
All of the following instructions work with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow Add-On/Active X to install.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close; make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Step 3.

Security Check
Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Step 4.

Please post:

  • mbam log
  • eset log
  • security check log


Please give me an update on how your computer is doing!
  • 0


#26
FSB75
    Member
  • Topic Starter
  • 17 posts
Malwarebytes' Anti-Malware

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.11.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
F S B :: HAL3000 [administrator]

8/11/2012 2:11:23 PM
mbam-log-2012-08-11 (14-11-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195227
Time elapsed: 2 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


ESET Online Scan :angry: :angry: :angry:

C:\System Volume Information\_restore{CAE1D3B0-2415-4635-9EBE-1B482E199B6C}\RP263\A0045673.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\10.08.2012_22.56.40\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\11.08.2012_12.05.25\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined


Security Check


Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Free Antivirus
`````````Anti-malware/Other Utilities Check:`````````
Windows Defender
Malwarebytes Anti-Malware version 1.62.0.1300
Wise Registry Cleaner 7.41
Java™ 6 Update 31
Java version out of Date!
Adobe Flash Player 11.3.300.268
Adobe Reader X (10.1.3)
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````
  • 0

#27
CompCav
    Member 5k
  • Expert
  • 12,454 posts

ESET Online Scan

This is good; all of these are in a restore point or quarantine!!!! :) :) :)

Your Java needs to be updated.

  • Download the latest version of Java SE Runtime Environment (JRE) JRE 7 Update 5.
  • Under the JAVA Platform Standard Edition, click the "Download JRE" button to the right.
  • Accept License Agreement.
  • Click on the link to download Windows Offline Installation 32 bit (jre-7u5-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista or Win 7 users, right click on the jre-7u5-windows-i586.exe and select "Run as an Administrator.")

  • 0

#28
FSB75
    Member
  • Topic Starter
  • 17 posts

ESET Online Scan

This is good; all of these are in a restore point or quarantine!!!! :) :) :)


Yes it IS good news...but I was very surprised anything was STILL there.

Posted Image
  • 0

#29
CompCav
    Member 5k
  • Expert
  • 12,454 posts
Now the big question....


How is it running, any issues????
  • 0

#30
FSB75
    Member
  • Topic Starter
  • 17 posts
Honestly...I haven't been "using" it yet.

The svchost.exe that started it all is now up to 22,644K with almost nothing open. That IS up from the 16,000K that it was idling at earlier this morning. But, as you stated earlier, the "what's normal" needs to be defined first. If that doesn't seem excessive to you, and since the Avast! isn't yelling at me anymore, I'll update for the next 2 - 3 days if anything should arise, with a final, final, final update after work on Monday.

I truly appreciate all your efforts, and it is refreshing to feel with 99.99 (repeating, of course) % confidence that my PC is as clean as it would have been had I simply reformatted. I'm pretty sure this took less than a day, all of course, thanks to your constant presence. May we never meet again, and if I may say so, you are a great asset to this very helpful community.
  • 0





