Adlice forum
Software feedback => RogueKiller => Topic started by: kaoskitteh on August 23, 2014, 11:43:14 PM
-
Evening! Or morning! Or afternoon!
I'll try to make this quick: I believe that my Svchost.exe program is infected with... something. I want to fix that, naturally. That's why I've gathered you here today.
I need help in one, possibly two things:
1. I need to confirm that Svchost is indeed infected
2. If it is, I need to fix it.
To start my report, I noticed that Svchost was showing up in my Volume Mixer (sometimes multiple times. I counted 8 once). I looked it up, got RogueKiller, and it was just as suspicious about them as I was. Problem is, RogueKiller is the only thing that seems to agree with me. Both MalwareBytes and Search&Destroy find nothing wrong with the process. I'm convinced that there is something seriously wrong with the process (By the way, the duplicate processes always come from my SysWOW64 folder instead of System32.). RogueKiller doesn't seem to have an option to repair the process directly, and I don't know which programs that might fix it are trustworthy. I've included the log from RogueKiller below, and await a response from the people who know what they're doing ;3
-------------------------------Report Start-----------------------------------
RogueKiller V9.2.8.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Chance [Admin rights]
Mode : Scan -- Date : 08/23/2014 15:06:07
¤¤¤ Bad processes : 8 ¤¤¤
[Proc.Svchost] svchost.exe -- C:\Windows\SysWOW64\svchost.exe
[Proc.Svchost] svchost.exe -- C:\Windows\SysWOW64\svchost.exe
[Proc.Svchost] svchost.exe -- C:\Windows\SysWOW64\svchost.exe
[Proc.Svchost] svchost.exe -- C:\Windows\System32\svchost.exe
[Proc.Svchost] svchost.exe -- C:\Windows\SysWOW64\svchost.exe
[Proc.Svchost] svchost.exe -- C:\Windows\SysWOW64\svchost.exe
[Proc.Svchost] svchost.exe -- C:\Windows\SysWOW64\svchost.exe
[Proc.Svchost] svchost.exe -- C:\Windows\SysWOW64\svchost.exe
¤¤¤ Registry Entries : 14 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3144317477-4014965747-2316806996-1000\Software\Microsoft\Windows\CurrentVersion\Run | {a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a} : "C:\Users\Chance\AppData\Local\Microsoft\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}.exe" -> FOUND
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3144317477-4014965747-2316806996-1000\Software\Microsoft\Windows\CurrentVersion\Run | {a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a} : "C:\Users\Chance\AppData\Local\Microsoft\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}.exe" -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BRDriver64 -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BRSptSvc -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BRDriver64 -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BRSptSvc -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BRDriver64 -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BRSptSvc -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3144317477-4014965747-2316806996-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:blank -> FOUND
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3144317477-4014965747-2316806996-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:blank -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤
¤¤¤ Web browsers : 2 ¤¤¤
[PUP][FIREFX:Addon] s8byd29d.default : AVG SafeGuard toolbar [avg@toolbar] -> FOUND
[PUM.HomePage][FIREFX:Config] s8byd29d.default : user_pref("browser.startup.homepage", "https://www.facebook.com/"); -> FOUND
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 51b7d81bad15e8869e96d8007a24f089
[BSP] b0ea3820aba664f00220477c1b486de8 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 114471 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: +++++
--- User ---
[MBR] cacfbcf88b90eda8895c15004f3d0bdb
[BSP] d3bcfa80b85a2d6fdd1f130f549fd199 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK
============================================
RKreport_SCN_08232014_141446.log - RKreport_DEL_08232014_141554.log
----------------------------------------Report End---------------------------------------
Sincerely,
Cat
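As an added triage example (not from this thread, and not RogueKiller's own code), the following Python script parses lines in the report format above and applies the checks the discussion turns on: on 64-bit Windows svchost.exe legitimately runs from both System32 and SysWOW64 (the latter hosts 32-bit services), so only copies elsewhere are flagged, a process launched from the TEMP folder is flagged, and a Run entry launching a {GUID}\{GUID}.exe from a user-writable AppData folder is flagged as likely persistence. The sample lines, the placeholder SID, the regexes and the verdict labels are constructed for this example.

```python
import re

# Constructed sample in the RogueKiller report format seen in this thread.
# The SID is a placeholder; the Run entry mirrors the layout from the report.
SAMPLE = r"""
[Proc.Svchost] svchost.exe -- C:\Windows\SysWOW64\svchost.exe
[Proc.Svchost] svchost.exe -- C:\Windows\System32\svchost.exe
[Proc.Svchost] svchost.exe -- C:\Users\Chance\AppData\Roaming\svchost.exe
[Suspicious.Path] {3F7FA92E-0B5C-41DC-A3A2-835D8C943312}.exe -- C:\Windows\TEMP\{3F7FA92E-0B5C-41DC-A3A2-835D8C943312}.exe[7] -> KILLED [TermProc]
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run | {a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a} : "C:\Users\Chance\AppData\Local\Microsoft\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}.exe" -> FOUND
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:blank -> FOUND
"""

PROC_RE = re.compile(r"^\[[\w.]+\] (?P<name>\S+) -- (?P<path>.+?)(?:\[\d+\])?(?: -> .*)?$")
RUN_RE = re.compile(r'^\[Suspicious\.Path\] \((?P<view>X64|X86)\) (?P<key>\S+) \| (?P<value>.+?) : "(?P<target>[^"]+)"')
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
# Both directories host a legitimate svchost.exe on 64-bit Windows (SysWOW64 = 32-bit services).
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def triage_process(line):
    """Verdict for a '[Proc.*] name -- path' line, or None if the line is not one."""
    m = PROC_RE.match(line)
    if not m:
        return None
    name, path = m["name"].lower(), m["path"].strip()
    folder = path.lower().rsplit("\\", 1)[0]
    if name == "svchost.exe":
        return "expected-location" if folder in SVCHOST_DIRS else "svchost-outside-system-dirs"
    if "\\temp\\" in path.lower():
        return "process-from-temp-dir"   # executables running out of TEMP need review
    return "other-process"

def triage_run_entry(line):
    """Flags for a Run-key autostart line, or None if the line is not one."""
    m = RUN_RE.match(line)
    if not m:
        return None
    target = m["target"]
    folder, exe = target.split("\\")[-2:]
    flags = []
    if "\\appdata\\" in target.lower():
        flags.append("user-writable-path")      # autostart from the user profile
    if GUID_RE.match(m["value"]):
        flags.append("guid-value-name")         # random GUID as the Run value name
    if GUID_RE.match(folder) and exe.lower() == folder.lower() + ".exe":
        flags.append("guid-folder-and-exe")     # {GUID}\{GUID}.exe layout as in the report
    return {"view": m["view"], "target": target, "flags": flags}

def triage_report(text):
    """Return (tag, verdict) for every line the two matchers recognise; others are skipped."""
    out = []
    for line in text.strip().splitlines():
        verdict = triage_process(line) or triage_run_entry(line)
        if verdict:
            out.append((line.split(" ", 1)[0], verdict))
    return out
```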
-
Hello
Remove those entries:
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3144317477-4014965747-2316806996-1000\Software\Microsoft\Windows\CurrentVersion\Run | {a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a} : "C:\Users\Chance\AppData\Local\Microsoft\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}.exe" -> FOUND
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3144317477-4014965747-2316806996-1000\Software\Microsoft\Windows\CurrentVersion\Run | {a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a} : "C:\Users\Chance\AppData\Local\Microsoft\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}.exe" -> FOUND
Then reboot and redo a scan. Does it show up again (svchost)?
-
I don't have the log on me right now (away from the computer in question at the moment), but I recall that the two paths in question could not be removed. I received an error for both of them. I can get specifics on the error in question tomorrow. Any other things to keep in mind?
-
That's the only thing to do.
I'd suggest retrying and giving the results.
-
I won't be able to get that report until late tonight, maybe tomorrow. Bear with me until then please :3 Thanks for the assistance thus far
-
I sincerely apologize for the delay. I'm away from the computer for the time being, so I'm guiding someone else through the processes needed. Here's the log entry for the two suspicious paths that were specified:
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3144317477-4014965747-2316806996-1000\Software\Microsoft\Windows\CurrentVersion\Run | {a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a} : "C:\Users\Chance\AppData\Local\Microsoft\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}.exe"
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3144317477-4014965747-2316806996-1000\Software\Microsoft\Windows\CurrentVersion\Run | {a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a} : "C:\Users\Chance\AppData\Local\Microsoft\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}\{a7eb9183-ccb7-45b8-0b88-e2dea5f0b23a}.exe" -> ERROR [2]
Progress was made with the first path (It originally gave an error), but the second path is still being persistent.
-
This is a normal error. The 2 registry keys are mirrored, so removing the first one removes the second one. This is a minor bug we will eventually fix one day.
After a reboot, does it appear again in a RogueKiller scan?
-
He finally got back to me: here's the scan now:
¤¤¤ Bad processes : 2 ¤¤¤
[Suspicious.Path] {3F7FA92E-0B5C-41DC-A3A2-835D8C943312}.exe -- C:\Windows\TEMP\{3F7FA92E-0B5C-41DC-A3A2-835D8C943312}.exe[7] -> KILLED [TermProc]
[Proc.Svchost] svchost.exe -- C:\Windows\System32\svchost.exe
¤¤¤ Registry Entries : 12 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BRDriver64 -> DELETED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BRSptSvc -> DELETED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BRDriver64 -> DELETED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BRSptSvc -> DELETED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BRDriver64 -> DELETED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BRSptSvc -> DELETED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> REPLACED (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> REPLACED (0)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3144317477-4014965747-2316806996-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:blank -> REPLACED (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3144317477-4014965747-2316806996-1000\Software\Microsoft\Internet Explorer\Main | Start Page : about:blank -> REPLACED (http://go.microsoft.com/fwlink/p/?LinkId=255141)
-
The registry paths are all cleaned up now, but svchost is still popping up as a bad process. I'm sure that cleaning out the registries fixed something, but not the initial problem :/
-
There's still something....
Could you do a full scan with Malwarebytes?
EDIT: Please post the report.
-
Scan Date: 9/11/2014
Scan Time: 3:26:01 AM
Logfile: MWBReport.txt
Administrator: Yes
Version: 2.00.2.1012
Malware Database: v2014.09.11.01
Rootkit Database: v2014.09.10.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 7
CPU: x64
File System: NTFS
User: Chance
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 401326
Time Elapsed: 4 min, 46 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)
-
So yeah, Malwarebytes didn't find anything. :-\
-
Then I'd go Gmer: http://www.gmer.net/