svchost.exe spawns iexplore.exe



uimagine
2006-12-28, 22:18
Hi All, First, thanks for the assistance on this issue. I'm all out of options, and the last and final step would be to reformat the drive.

I have a problem where the system would call svchost.exe and it would kick off an iexplore.exe. This would start happening the minute I log into Windows XP Home. The iexplore.exe would just grind at 99%, and cause me not to be able to use the system. It would keep starting iexplore.exe processes. I had to disable iexplore.exe by renaming the entire folder.

I had some other trojans that I recently removed, but apparently not clean enough. I removed windhcp.ocx, Lineage.

When I go to msconfig I would see an entry on there that is 'checked' in startup. The startup item and command are both 'junk characters'. The location is
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:Load

When I go to that location using regedit, the values look blank. But when I display binary data, there's actually something in there. I can overwrite that value. If I reboot in safe mode, my value sticks in there. But if I reboot in normal mode, something is re-populating that registry entry. I can see it in msconfig every time. I put an entry to load c:\hjt\hijackthis.exe in there, but if I load in normal mode, it will call my entry, then overwrite it with the trojan.

My guess is that something is starting in normal mode that is not started in safe mode. But I can't figure out what that 'something' is.

On top of all that, I removed my Norton Antivirus but can't install it again, so I can't re-scan. (Although the first scan came up empty.)
Here are the programs that I've used to scan, and none reported anything:

Spybot
Norton Antivirus
CA eTrust Antivirus Online
F-Secure Online scanner.
AVG Anti-Spyware
Ad-Aware SE

all of them using the latest definitions.

I think I'm 99% of the way there, but that last 1% is what's killing the system.

Here's my hijacklog:

Logfile of HijackThis v1.99.1
Scan saved at 12:14:52 PM, on 12/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer2\iexplore.exe
C:\WINDOWS\regedit.exe
C:\HJT\scanner.exe

F3 - REG:win.ini: load=c:\hjt\hijackthis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aol.com/ap/Resources/2.0.3.64/cab/aolpPlugins.10.4.0.3.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://magicsoftware.webex.com/client/v_mywebex-t20-localized/webex/ieatgpc.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


*************************
Here's the startup list:

StartupList report, 12/28/2006, 12:16:50 PM
StartupList version: 1.52.2
Started from : C:\HJT\scanner.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer2\iexplore.exe
C:\DOCUME~1\Jim\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\Jim\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\WINDOWS\regedit.exe
C:\HJT\scanner.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=c:\hjt\hijackthis.exe
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1-Click Maintenance.job
E2F079C3ABBBF193.job
FRU Task #Hewlett-Packard#hp psc 2170 series#1083718745.job
ISP signup reminder 1.job
Symantec NetDetect.job
{3CF9F8D9-420F-4C21-96C8-B13BBA9E7A11}_DELL_4550_Jim.job
{E1E55917-E2F4-49B5-A0DD-5D2B74416E71}_DELL_4550_Jim.job
{F5114CCB-18A9-42C9-A470-B84F791188FE}_DELL_4550_Jim.job

--------------------------------------------------

Enumerating Download Program Files:

[AOL Pictures Uploader Class]
InProcServer32 = C:\Program Files\AOL Pictures\10_4_0_3a\aolpUploader.dll
CODEBASE = http://pictures.aol.com/ap/Resources/2.0.3.64/cab/aolpPlugins.10.4.0.3.cab

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

[F-Secure Online Scanner 3.0]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-secure.com/ols/fscax.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[GpcContainer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ieatgpc.dll
CODEBASE = https://magicsoftware.webex.com/client/v_mywebex-t20-localized/webex/ieatgpc.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\VundoFix.exe||C:\DOCUME~1\Jim\LOCALS~1\Temp\GLB1A2B.EXE||C:\DOCUME~1\Jim\LOCALS~1\Temp\aol5A.tmp


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,615 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

*****************************************
Thanks so much for the assistance!

LonnyRJones
2007-01-02, 16:40
Hi uimagine, Welcome.

Remove HijackThis from that load value.
You're not connecting to the internet while in Safe Mode with Networking, are you?

Do you have any items on the HijackThis ignore list? If so, remove them; we need to see all of it.

Did windhcp.ocx stay deleted?
Do you have this service?
http://vil.nai.com/vil/content/v_141038.htm
WinDHCPsvc

Since you have removed Norton Antivirus I suggest you install a different AV and clean up after Norton.
Install, update and do a full scan with (only one) of the free AVs mentioned here
http://forums.spybot.info/showthread.php?t=279
After that
Symantec Removal: http://basconotw.mvps.org/SymRem.htm

Post a new HijackThis log, taken not while in safe mode and with no items in its ignore list (if there were any).

uimagine
2007-01-03, 02:43
Hi Lonny,
I was actually able to find the problem and fix it. But in response to your comments:

I actually removed windhcp.ocx successfully previously. I DID have a winDHCP service which I removed.

I used all the virus scanners and was not able to find my problem.
Trend Micro, F-Secure, I even used AVG after your reply, and still no luck.

Eventually, I looked up all the locations that windows would possibly start applications, and found a registry entry at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

It had the value:
"twin"="C:\windows\system32\twunk32.exe"

I deleted the registry value, and also deleted the twunk32.exe file.
Rebooted, and problem solved.

Just wanted to share with everybody on this board because this virus was NOT located with any of the anti-virus software, nor any of the adware/malware programs. My HijackThis log that was posted did not have anything in the ignore list and it STILL did not find the culprit. The problem is that it puts entries in the startup list and then just uses svchost.exe programs and iexplore.exe so it is almost impossible to detect.

I was able to clean things up without reformatting, and I hope this helps somebody solve their issues in the future.
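As an added defender-side example (not part of this thread or of any tool mentioned in it), the following PowerShell enumerates the autostart locations named in these posts, including the Policies\Explorer\Run key where the "twin" entry was found and the Windows NT\CurrentVersion\Windows Load value that regedit showed as blank, and flags values that hold binary or non-printable data. It assumes PowerShell 5.1 or later on Windows and only reads the registry; running it once in Safe Mode and once in normal mode and comparing the output shows which values are being re-populated.

```powershell
# Added example: read-only enumeration of the autostart keys discussed in the thread.
# Assumes Windows PowerShell 5.1+ and permission to read HKLM/HKCU (no admin needed to read).
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',  # key that held "twin"
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # Load / Run / AppInit_DLLs
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # the re-populated Load value
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'             # Userinit / Shell
)

function Get-AutostartEntries {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }   # key absent on this machine; StartupList prints "not found" here
        foreach ($name in $key.GetValueNames()) {   # '' is the (Default) value
            $kind = $key.GetValueKind($name)
            # Do not expand %VARS%, so we see exactly what is stored, not what it resolves to.
            $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $text = if ($raw -is [byte[]]) { '' } else { [string]$raw }
            # Regedit renders a REG_SZ made of control/non-printable characters as an empty string,
            # which is the "looks blank but has binary data" symptom described in the first post.
            $suspicious = ($kind -eq 'Binary') -or ($text -match '[^\x20-\x7E]')
            $bytes = if ($raw -is [byte[]]) { $raw } else { [Text.Encoding]::Unicode.GetBytes($text) }
            [pscustomobject]@{
                Key        = $path
                Name       = $name
                Kind       = $kind
                Value      = $text
                HexPreview = ($bytes | Select-Object -First 32 | ForEach-Object { $_.ToString('x2') }) -join ' '
                Suspicious = $suspicious
            }
        }
    }
}

# Suspicious entries first; save the output from Safe Mode and normal mode and diff the two files.
Get-AutostartEntries -Paths $autostartKeys |
    Sort-Object Suspicious -Descending |
    Format-Table Key, Name, Kind, Value, Suspicious -AutoSize
```

Pipe the result to `Export-Csv` in each boot mode and compare the files to see which values reappear only in normal mode.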

LonnyRJones
2007-01-03, 03:15
Do you still have the file? Perhaps in the recycle bin?

One of our experts is curious what these Task Scheduler jobs are
{3CF9F8D9-420F-4C21-96C8-B13BBA9E7A11}_DELL_4550_Jim.job
{E1E55917-E2F4-49B5-A0DD-5D2B74416E71}_DELL_4550_Jim.job
{F5114CCB-18A9-42C9-A470-B84F791188FE}_DELL_4550_Jim.job

Check please.
Are you on XP Pro or Home?

uimagine
2007-01-03, 04:13
Sorry, but I no longer have the file. I deleted it from my recycle bin.

Those 3 jobs you mentioned are probably pcAnywhere related. After I removed Norton Anti-Virus, the only other Symantec product I have is pcAnywhere.

I'm actually on XP Home.

LonnyRJones
2007-01-03, 04:31
Hi
Next time try sending it to your AV vendor first.
Are they visible in Scheduled Tasks? If so, see what they point to.
You could delete the Norton job if it is still there.

What AV did you decide on?

uimagine
2007-01-03, 05:12
Lonny, good idea on sending it to the AV vendor. I was just so frustrated that I was just happy to be rid of it. Next time I'll copy it off somewhere.

The 3 jobs you mentioned do not appear anywhere in scheduled tasks. I actually uninstalled PCAnywhere and it is no longer there.

I ended up with AVG Free just because it is less intrusive. I may end up with Norton 2006 again, but have been quite disappointed that no virus scanner was able to pick up anything. Trend Micro was the only one that reported the winDHCP AFTER I had a clean Norton run.

I'm sure that they all have good and bad points, so I'll stick to AVG for now.
thanks for your attention!

LonnyRJones
2007-01-05, 04:19
So no current problems?

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

LonnyRJones
2007-01-05, 09:43
I neglected to ask you if you have renamed the Internet Explorer folder back?
If you haven't yet, do rename it back to normal.

Go Start > Run, copy/paste in
"C:\WINDOWS\Offline Web Pages"
press Enter, and tell us what you see there.
Any offline web page present that you did not set up?
Another Start > Run command:
attrib -h "c:\windows\tasks\*.job"
Start > Run, type in
c:\windows\tasks
press Enter. What do you see there?

LonnyRJones
2007-01-12, 04:56
Hi

Do you have these two files in c:\ or the root of other drives