Svchost.exe Rootkit-hidden Items

Here is the log file I created with HijackThis.


Any help would be greatly appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:57 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [btcMaestro] "C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunServices: [Windows TaskManager] tskmngr.exe
O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166136749234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166136742515
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Owner/Local%20Settings/Temp/85311-011206-213125-60.a2k/proof.gif

--
End of file - 5603 bytes


Please respond back as soon as you can, anybody.

Comments

  • rootkit
    rootkit ✭✭✭
    edited May 2008

    Pack this into a zip or rar archive with the password infected and attach it here!


    C:\Windows\System32\tskmngr.exe


    Then reboot in safe mode and delete the file (C:\Windows\System32\tskmngr.exe), NOT taskmgr.exe!!!!!


    Download SUPERAntiSpyware and run a Complete Scan ;)


    After that, post here a new HijackThis log ;)

  • Please help!!! I can't find that file. I even set my computer to view hidden files and I still can't find it; I can only find tskmgr.exe. What should I do?

  • rootkit
    rootkit ✭✭✭

    That's good!

    Did you set it up to show hidden system files?!

    Post here another HijackThis log (a fresh one :D)

  • Yeah, I have my computer set to view hidden system files but I still can't find it, but I'll still post another HijackThis log.

    Here it is:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:38:58 PM, on 5/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe
    C:\Program Files\Verizon\McciTrayApp.exe
    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [btcMaestro] "C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe"
    O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\RunServices: [Windows TaskManager] tskmngr.exe
    O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.line6.net
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
    O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166136749234
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166136742515
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Owner/Local%20Settings/Temp/85311-011206-213125-60.a2k/proof.gif

    --
    End of file - 5557 bytes


    Please give me any help you can.

  • rootkit
    rootkit ✭✭✭
    edited June 2008

    Reboot in safe mode and delete this:


    c:\windows\system32\mssrv32.exe


    After that, check and press Fix checked in Hijackthis for:



    O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)


    O4 - HKLM\..\RunServices: [Windows TaskManager] tskmngr.exe


    O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe


    Unknown


    O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Owner/Local%20Settings/Temp/85311-011206-213125-60.a2k/proof.gif


    Run a system scan with Bitdefender and SUPERAntiSpyware and then, post here another Hijackthis log ;)
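The entries rootkit picks out above are the ones a helper looks at first in any HijackThis log: an O3 toolbar whose file is missing, an O4 autostart under the legacy RunServices key that names a bare file (tskmngr.exe, easily mistaken for the real taskmgr.exe), an O23 service with no identifiable vendor, and an O24 desktop component loaded from a Temp folder. The script below is an added example written for this page; it is not from the thread, from HijackThis or from BitDefender. It parses HijackThis v2 entry lines and applies those four checks. The sample entries are copied from the log posted above; the rule set, the regular expressions and the function names are my own assumptions about how to structure such a triage pass.

```python
import re

# Constructed sample in HijackThis v2.0 entry format. The entries are copied from
# the log posted earlier in this thread so the result can be compared with the
# helper's advice; the text was not produced by HijackThis for this example.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\RunServices: [Windows TaskManager] tskmngr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Owner/Local%20Settings/Temp/85311-011206-213125-60.a2k/proof.gif
"""

# Every entry line starts with a section code (R0, O4, O23, ...), " - ", and the
# entry body; header lines such as "Running processes:" do not match.
ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O4 registry autostarts look like: HKLM\..\Run: [DisplayName] "C:\path\prog.exe" args
O4_BODY = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_log(text):
    """Return the (section, body) pairs of all entry lines in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def review_o4(body):
    """Reasons an O4 autostart needs a second look, or None if nothing stands out."""
    m = O4_BODY.match(body)
    if m is None:            # e.g. "Global Startup: foo.lnk = ..." entries
        return None
    cmd = m.group("cmd").strip().strip('"')
    reasons = []
    if m.group("key").endswith("RunServices"):
        reasons.append("uses the legacy RunServices key, which current software rarely needs")
    if "\\" not in cmd and "/" not in cmd:
        # A bare name is located by PATH search at logon, so the log alone does not
        # say which file on disk actually runs (compare tskmngr.exe vs. taskmgr.exe).
        reasons.append("bare filename %r gives no on-disk path to verify" % cmd)
    return "; ".join(reasons) or None


def review_entry(section, body):
    """Return a short reason if the entry deserves manual review, else None."""
    if section in ("O2", "O3") and body.endswith("(no file)"):
        return "orphaned entry: registered component whose file is missing"
    if section == "O4":
        return review_o4(body)
    if section == "O23":
        # O23 bodies end with "<owner> - <path>"; split from the right so that
        # dashes inside the service display name do not confuse the parser.
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3 and parts[1].strip().lower() == "unknown owner":
            return "service with no identifiable vendor at %s" % parts[2]
    if section == "O24" and "/temp/" in body.lower():
        return "desktop component loaded from a Temp directory"
    return None


def triage(text):
    """List (section, body, reason) for every entry that review_entry flags."""
    return [(s, b, r) for s, b in parse_log(text) if (r := review_entry(s, b))]


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print("%-4s %s\n     -> %s" % (section, body, reason))
```

Run against the sample, the script flags exactly the four lines rootkit asked to have fixed and leaves the BitDefender entries alone. It is a first-pass filter, not a verdict: a flagged O23 entry still has to be confirmed on disk (the service's binary, its signature and its creation time), which is why the helper also asks for the file itself in a password-protected archive.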

  • GuitarManWill87
    edited May 2008

    I can't find that file either. I don't know what to do........ Is there anything that you can recommend? ..... I even tried searching for the file in system32 and it still wouldn't come up with anything.

    I had also installed Kaspersky on my computer a couple of days ago because my BitDefender license expired, and Kaspersky said I had a Riskware hidden object in C:\Windows\System32\smss.exe.

    That file I have found, and I can attach it here if you think it will be of any help.


    crysty2k5's EDIT: posts merged

  • Download GMER Rootkit Scanner here.


    Install/run it. After the procedure is done, save the output of the log and post it here. If it exceeds the word limit, save it in Notepad and attach it here.

  • Here is the log from GMER..... I hope this is the right one.

    When I try to run this program it works fine, and when I scan my computer it works, but when I try to save the log file my computer freezes on the screen....... I can move the mouse but I can't do anything. When I try doing it in safe mode I can't run a scan, but I hope this log I made was enough to let you help me out.


    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-06-03 18:51:03
    Windows 5.1.2600 Service Pack 2

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
    AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
    AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)
    AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender SRL)

    ---- EOF - GMER 1.0.14 ----

  • OK........ So I had installed Kaspersky Anti-Virus and it showed up that I had five trojan horses with the name Trojan.Win32.Monder.gen. Here are the file extensions....... They were all in system32 in Windows:

    friafsms.dll
    tjoyfdlp.dll
    ipksocbe.dll
    crhufenr.dll
    tqbawcox.dll

    I have 2 questions..... First, are these files OK to delete? And second, when I ran Kaspersky it said I had a riskware hidden object in smss.exe, so can I upload that file to see if you can find anything wrong with it?

    Reply back and let me know what I should and can do with the trojan files and the riskware file.

  • rootkit
    rootkit ✭✭✭
    edited June 2008

    First of all, pack these files in a zip or rar archive with the password infected and attach it here!

    c:\windows\system32\friafsms.dll
    c:\windows\system32\tjoyfdlp.dll
    c:\windows\system32\ipksocbe.dll
    c:\windows\system32\crhufenr.dll
    c:\windows\system32\tqbawcox.dll

    Reboot in safe mode and delete:

    c:\windows\system32\friafsms.dll
    c:\windows\system32\tjoyfdlp.dll
    c:\windows\system32\ipksocbe.dll
    c:\windows\system32\crhufenr.dll
    c:\windows\system32\tqbawcox.dll

  • GuitarManWill87
    edited June 2008

    I think Kaspersky deleted the files for me...... I can't find them myself, sorry..... I'm really bad and new at this........ But like I said before..... Kaspersky also showed smss.exe as a riskware file, so should I upload the file here to see if it is infected?

  • rootkit
    rootkit ✭✭✭

    Pack the file in a zip or rar archive with the password infected and attach it here!

  • OK.... I uploaded 3 files...... First is smss.exe, which Kaspersky said had a hidden object...... Second is svchost.exe, which BitDefender said had a rootkit on it, which is why I started this whole thread... And third is a file called svchost.exe.bd.ren, because I didn't know what it was..... Please let me know if any of these files are infected.

    Attachments: smss.zip, svchost.zip, svchost.exe.bd.zip

  • rootkit
    rootkit ✭✭✭
    edited June 2008

    Thank you for the samples!


    The guys from the LAB will take a look ;)