
Author Topic: evil Trojan attack...  (Read 6847 times)


Altezza

    evil Trojan attack...
    « on: December 18, 2008, 01:51:38 PM »
    hello there,

    I've got a nasty little bug in my computer, and it's driving me crazy! I've had a similar thing happen before, asked for help here at CH, and tried all the things that worked before. And for a few minutes, things work just fine. But whatever this new problem is...it's just evil and wicked and I hate it!!

    Ok, calming down, I'll try and briefly explain the situation.

    No matter what browser I use, after minutes of being online the CPU usage goes up to 100%. I check Task Manager, and it's always something disguised (or at least I believe it to be so) as svchost.exe, which takes up 95-100% of the CPU. Over the past two days I have run at least two or three each of Malwarebytes scans, SuperAntiSpyware scans and Avira AntiVirus scans, as well as ScanDisk, Defrag, and several RegCures.

    *sigh* ...hours and hours of downtime running these scans, and all for naught.

    Avira and Malwarebytes both find a Trojan, saying it's a svchost fake, I quarantine it (as well as a few spyware things they catch), and then have even gone so far as to delete the file from the quarantine.

    I thought that would do it.

    But it's a freakin' ZOMBIE!!! I think it's dead and gone...but it keeps coming back!!! grrrrr.....

    I first noticed the problem when all the little icons on my Explorer quicklinks bar changed from the logos for whatever page I had listed there...to naked women! Bare bottoms and exposed mammaries were NOT what I expected to see there, and immediately clued me into the fact that something was REALLY amiss here. Then, the prob with CPU at 100% nearly all the time....again, I say: grrr....

    After having run the RegCure, the naked female forms have disappeared, but I still have the CPU prob, as well as constantly getting kicked offline.

    I don't know what other info you might need to try and help this floundering damsel in distress...my computer is a Compaq Presario 2500, the firewall seems to be functioning, Avira Free Edition is my AntiVirus program....and I am at the limits of my sanity.

    Thank you for reading all this blather....can you help?  ???

    -tezz

    Altezza

      Re: evil Trojan attack...
      « Reply #1 on: December 18, 2008, 02:01:24 PM »
      ah yes, one last thing...

      the problem that Malwarebytes says is the fake svchost.exe is listed as follows:

      HKLM\SOFTWARE\MicrosoftWindowsNT\CurrentVersion\ImageFileExecution\
      options\explorer.exe#Debugger["c:Windows\System32\uiakbacq.old"]

      ...or maybe it's  viakbacq.old  ....I can't read my own handwriting....

      grrr....

      DaveLembke



      Re: evil Trojan attack...
      « Reply #2 on: December 18, 2008, 02:02:10 PM »
      When removing, are you verifying that the Windows System Restore state is checked as turned off?

      Right-Click on My Computer
      Select System Restore Tab ( Is there a green check mark for Turn OFF System Restore on ALL DRIVES? ) * If not checked.. check it.
      Then select OK
      Then go through the removal process again
      Then reboot the system and verify, upon boot-up, that the System Restore state is still checked to be OFF
      Then try your browser and see what happens.

      You can also restore your browser if it is a corrupt browser, but let's start with the System Restore state.

      Good Luck!

      Dave

      Altezza

        Re: evil Trojan attack...
        « Reply #3 on: December 18, 2008, 02:08:50 PM »
        I'll give it a try....

        as it takes over three hours to run a scan...it may be a little while before I get back to you...

        thank you for your help and your good luck wishes! I'm gonna need it! :)

        -t

        Altezza

          Re: evil Trojan attack...
          « Reply #4 on: December 19, 2008, 12:04:05 AM »
          ok...well, that's done.

          I ran all three scans, Avira, Malwarebytes, and SuperAntiSpyware. Both Avira and Malwarebytes came up clean, but SuperAntiSpyware caught the "Trojan SVCHost/Fake" once again. It was quarantined, and then I deleted it from the quarantine after reboot.

          After reboot, I checked System Restore, and it is still checked as Off.

          I've been back online now for about 5 minutes....everything seems fine. At least for now....

          As for System Restore, do I need to uncheck it at anytime now? Is there anything else I need to do? Do I DARE hope that the evil Trojan monster is gone, this time for good?

          Thanks much.....t  :)

          mroilfield



          Re: evil Trojan attack...
          « Reply #5 on: December 19, 2008, 01:01:33 AM »
          Can you post the logs requested in the below link?

          http://www.computerhope.com/forum/index.php/topic,46313.0.html
          You can't fix Stupid!!!

          Altezza

            Re: evil Trojan attack...
            « Reply #6 on: December 19, 2008, 01:19:39 AM »
            Here they are:

            SuperAntiSpyware Log:

            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 12/19/2008 at 07:24 AM

            Application Version : 4.0.1154

            Core Rules Database Version : 3677
            Trace Rules Database Version: 1656

            Scan type       : Complete Scan
            Total Scan Time : 04:28:59

            Memory items scanned      : 350
            Memory threats detected   : 0
            Registry items scanned    : 5678
            Registry threats detected : 1
            File items scanned        : 45877
            File threats detected     : 0

            Trojan.SVCHost/Fake
               HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe#Debugger [ "c:\windows\system32\uiakbacq.old" ]



            Malwarebytes Log:

            Malwarebytes' Anti-Malware 1.31
            Database version: 1456
            Windows 5.1.2600 Service Pack 2

            19/12/2008 1.29.40
            mbam-log-2008-12-19 (01-29-40).txt

            Scan type: Full Scan (C:\|)
            Objects scanned: 91249
            Time elapsed: 3 hour(s), 5 minute(s), 32 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 1
            Registry Values Infected: 0
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 0

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe (Security.Hijack) -> Quarantined and deleted successfully.

            Registry Values Infected:
            (No malicious items detected)

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            (No malicious items detected)



            HijackThis Log:

            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 9.19.03, on 19/12/2008
            Platform: Windows XP SP2 (WinNT 5.01.2600)
            MSIE: Internet Explorer v7.00 (7.00.6000.16608)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\csrss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
            C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
            C:\WINDOWS\system32\HPZipm12.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\alg.exe
            C:\WINDOWS\system32\WgaTray.exe
            C:\WINDOWS\system32\wscntfy.exe
            C:\WINDOWS\Explorer.EXE
            C:\Program Files\Hamlet\Adsl\dslstat.exe
            C:\Program Files\Hamlet\Adsl\dslagent.exe
            C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
            C:\WINDOWS\system32\ctfmon.exe
            C:\WINDOWS\system32\taskmgr.exe
            C:\Programmi\Opera\opera.exe
            C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
            C:\WINDOWS\system32\wbem\wmiprvse.exe

            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltheweb.com/
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
            R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
            R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
            O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
            O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
            O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programmi\Real\RealPlayer\rpbrowserrecordplugin.dll
            O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
            O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
            O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
            O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
            O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
            O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Hamlet\Adsl\dslstat.exe icon
            O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Hamlet\Adsl\dslagent.exe
            O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
            O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
            O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
            O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
            O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
            O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
            O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
            O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
            O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
            O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
            O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
            O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
            O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
            O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
            O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
            O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
            O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
            O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186956585460
            O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
            O17 - HKLM\System\CCS\Services\Tcpip\..\{BEB33077-5045-48DC-8C59-70C51A9B45E4}: NameServer = 192.168.0.1
            O17 - HKLM\System\CCS\Services\Tcpip\..\{CA31DB1B-3817-48DA-BC08-757DE9E7BEB2}: NameServer = 212.216.112.112 212.216.172.62
            O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
            O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
            O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
            O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
            O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

            --
            End of file - 7237 bytes




            thanks!
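Both scanner logs in the post above point at the same place: a `Debugger` value under `Image File Execution Options\explorer.exe`. Windows honours that value whenever a process with that image name is created: the named program is started instead, with the original command line appended, so every launch of Explorer first runs `c:\windows\system32\uiakbacq.old`. A file that is quarantined or deleted while this value stays in the registry is not gone, and any component that is still running can write the value back, which is one reason a detection can return after every reboot. The PowerShell below is an added example for auditing that key on any Windows machine; it is not code from this thread or from any of the tools mentioned in it. It assumes PowerShell 3.0 or later and an elevated prompt, and the allow-list of known-benign debugger images is an assumption to tune for your own environment.

```powershell
# Added example (not from the thread): audit Image File Execution Options (IFEO)
# "Debugger" values, the persistence mechanism named in the SAS log above.
# Assumes PowerShell 3.0+ and an elevated prompt. The allow-list is an assumption.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Debugger images that are expected in some environments (assumed; tune for yours).
# Process Explorer's "Replace Task Manager" option, for instance, sets taskmgr.exe's
# Debugger to procexp.exe.
$knownGood = @('procexp.exe', 'procexp64.exe', 'vsjitdebugger.exe')

function Get-IfeoDebugger {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }

            # The value is a command line: a quoted path, or an unquoted path followed by arguments.
            if ($dbg -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($dbg -split ' ')[0] }
            $exists = Test-Path -LiteralPath $exe
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'missing' }

            [pscustomobject]@{
                Image     = $key.PSChildName
                Debugger  = $dbg
                Exists    = $exists
                Signature = $sig
                Verdict   = if ($knownGood -contains (Split-Path -Leaf $exe)) { 'known' } else { 'REVIEW' }
            }
        }
    }
}

Get-IfeoDebugger | Format-Table -AutoSize

# Removal, once you are sure: drop -WhatIf to actually delete the value.
# Remove-ItemProperty -LiteralPath "$($ifeoRoots[0])\explorer.exe" -Name Debugger -WhatIf
```

Anything listed as REVIEW deserves a look, and a Debugger value on `explorer.exe` in particular has no legitimate reason to exist on a home PC. The same key is what the well-known `sethc.exe` / `utilman.exe` login-screen backdoor abuses, so the audit is worth running beyond this one image. Note that a target file that is `missing` is not reassuring: the value still fires on every Explorer start, and the file may simply have been dropped again under a new name since the last scan, so remove the value, not just the file.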

            Altezza

              Re: evil Trojan attack...
              « Reply #7 on: December 19, 2008, 05:50:11 AM »
              hi again.

              as I may have guessed....I just ran another SuperAntiSpyware scan of the registry....and the fake svchost.exe file is still there.

              can anyone pleeeeease tell me if there is some way to rid myself of this thing?

              I downloaded Opera, to use in place of IE, and though it ran perfectly (frighteningly wonderful, actually), after about 10 minutes it slowed to a snail's pace, watching video is choppy, and so on.

               :'(

              Altezza

                Re: evil Trojan attack...
                « Reply #8 on: December 20, 2008, 05:34:26 AM »
                well, after doing much reading here and on the SAS forums, I decided to run a SAS scan in Safe Mode. It came up clean, said there was no threat found.

                So, I rebooted in Normal Mode, ran the scan again (as suggested in the SAS forum, before unchecking the Restore)....and in Normal Mode it says that the bug is still there!

                anyone? suggestions? please?  :-\

                BC_Programmer


                Re: evil Trojan attack...
                « Reply #9 on: December 20, 2008, 12:00:59 PM »
                Start->Run "Services.msc"

                please list all items listed as "Started"




                What this sounds like is a malicious service, or possibly a Winlogon/Notify hook. I think the item causing your high CPU usage would be a process. SVCHOST is the "service host" process that runs all services.

                While we wait for an appointed malware expert, we may as well see if there is an easy way to remove the bug.
                I was trying to dereference Null Pointers before it was cool.
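`tasklist /svc` answers the question in the post above directly (which services each svchost.exe instance is hosting). The PowerShell below is an added example, not from the thread or any of its participants, that goes one step further and applies the checks behind the opener's suspicion of a "disguised" svchost.exe: a genuine instance is `%SystemRoot%\System32\svchost.exe`, its parent is `services.exe`, and it hosts at least one running service. It also reports CPU time consumed so far, so an instance pinned at 100% stands out. It assumes PowerShell 3.0 or later and an elevated prompt (otherwise the image paths of SYSTEM processes come back empty and are flagged for that reason); the column names are my own.

```powershell
# Added example (not from the thread): map each svchost.exe instance to the services
# it hosts and flag instances that do not look like the real service host.
# Assumes PowerShell 3.0+ and an elevated prompt; property/column names are my own.

function Get-SvchostReport {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $allProcs = @(Get-WmiObject -Class Win32_Process)
    $byPid    = @{}
    foreach ($p in $allProcs) { $byPid[[int]$p.ProcessId] = $p }

    # Running services keyed by the PID that hosts them.
    $svcByPid = @{}
    foreach ($s in Get-WmiObject -Class Win32_Service -Filter "State='Running'") {
        $hostPid = [int]$s.ProcessId
        if (-not $svcByPid.ContainsKey($hostPid)) { $svcByPid[$hostPid] = @() }
        $svcByPid[$hostPid] += $s.Name
    }

    foreach ($p in $allProcs | Where-Object { $_.Name -ieq 'svchost.exe' }) {
        $procPid  = [int]$p.ProcessId
        $parent   = $byPid[[int]$p.ParentProcessId]
        $path     = $p.ExecutablePath
        $services = @(if ($svcByPid.ContainsKey($procPid)) { $svcByPid[$procPid] })

        # Three properties a genuine instance has: the System32 binary, services.exe
        # as its parent, and at least one running service hosted inside it.
        $reasons = @()
        if (-not $path) { $reasons += 'no path (run elevated?)' }
        elseif ($path -ine (Join-Path $system32 'svchost.exe')) { $reasons += "path $path" }
        if (-not $parent) { $reasons += 'parent exited' }
        elseif ($parent.Name -ine 'services.exe') { $reasons += "parent $($parent.Name)" }
        if ($services.Count -eq 0) { $reasons += 'hosts no service' }

        [pscustomobject]@{
            PID        = $procPid
            # Kernel/user times are in 100 ns units; convert to seconds.
            CPUSeconds = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)
            Parent     = if ($parent) { $parent.Name } else { '<gone>' }
            Services   = $services -join ','
            Suspicious = ($reasons -join '; ')
        }
    }
}

Get-SvchostReport | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize
```

Two caveats. A program launched through an `Image File Execution Options` Debugger value or a `Run` key will typically show `explorer.exe` or `userinit.exe` as its parent rather than `services.exe`, which is exactly what this report flags, so an impostor named svchost.exe stands out on the parent column even when it copies the real binary's name. Conversely, a genuine svchost.exe can be made to burn CPU by a malicious service DLL loaded inside it, and that case passes all three checks; the `Services` column then tells you which service names to look up under `HKLM\SYSTEM\CurrentControlSet\Services` and check the `ServiceDll` path of.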

                evilfantasy

                • Malware Removal Specialist
                • Moderator


                Re: evil Trojan attack...
                « Reply #10 on: December 20, 2008, 01:08:37 PM »
                Download Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.

                Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

                Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

                Exit out of MessengerDisable then delete the two files that were put on the Desktop.

                ----------

                Open HijackThis and select Do a system scan only.

                Place a check mark next to the following entries: (if there)

                - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
                - R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


                Important: Close all windows except for HijackThis and then click Fix checked.

                Exit HijackThis.

                ----------

                Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

                Download SDFix by AndyManchesta and save it to your desktop.

                When using this tool, you must use the Administrator's account or an account with Administrative rights

                • Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
                • A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
                • DO NOT use it just yet.
                Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

                When your computer has started in Safe Mode and you see the desktop, close all open windows.
                • Click on the Start button, click on the Run menu option, and type the following text into the Open: field, then click the OK button.
                • C:\SDFix\RunThis.bat
                • The SDFix window will open containing some brief info and a disclaimer on the use of the tool.
                • Type Y on your keyboard and then press Enter to begin the cleanup process.
                • It will remove any Trojan services or registry entries found, then prompt you to press any key to reboot.
                • Press any key and it will restart the PC.
                • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
                • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
                • Copy and paste the contents of the results file Report.txt in your next reply.

                BC_Programmer


                Re: evil Trojan attack...
                « Reply #11 on: December 20, 2008, 08:10:58 PM »
                Disregard my advice above in its entirety; follow that which Evilfantasy has provided.
                I was trying to dereference Null Pointers before it was cool.

                Altezza

                  Re: evil Trojan attack...
                  « Reply #12 on: December 22, 2008, 05:09:09 PM »
                  Thanks for the tips, both of you.

                  Evilfantasy, I'll give your instructions a try, and get back to you asap.

                  Thanks again. :)