Author Topic: Boclean  (Read 4641 times)
Solar max
« on: February 04, 2009, 08:38:49 AM »

On startup BOClean warns of a trojan in svchost.exe and asks if it should delete it. Is the trojan reinstalling itself on startup, or is this spurious, and is there a way of removing it? Using Windows XP, Service Pack 2, 32 bit.

 
Japo
« Reply #1 on: February 04, 2009, 04:26:22 PM »

It does sound like it may be a nastie, since I don't think BOClean would flag the legit svchost.exe, certainly it doesn't over here in my XP.

svchost.exe is a Windows system file, but there are viruses that use the same name, placing themselves in another folder. First of all, check whether the svchost.exe that triggers the alert is in C:\WINDOWS\system32\. If it's not, it's a virus.
Rednose
« Reply #2 on: February 04, 2009, 06:47:03 PM »

Hi Solar max, welcome to the forum.

Japo is right. Please open BOClean's menu by right-clicking its taskbar icon, and then left-click "Examine report". Copy and paste the contents here.

Greetz, Red.
« Last Edit: February 04, 2009, 06:50:33 PM by Rednose »
Solar max
« Reply #3 on: February 07, 2009, 10:45:32 AM »


------------------------------
02/03/2009 16:48:07: RSK-RENOS.CB VARIANT STOPPED BY BOCLEAN!   
Trojan horse was found in memory.
C:\DOCUME~1\TAM\LOCALS~1\TEMP\1_DROPPER_286962.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Tam

------------------------------
02/03/2009 19:29:12: BKDR-IRCBOT.GS VARIANT STOPPED BY BOCLEAN!   
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\SVCHOST.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Tam

------------------------------
02/03/2009 20:41:17: BKDR-IRCBOT.GS VARIANT STOPPED BY BOCLEAN!   
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\SVCHOST.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Tam

------------------------------
02/03/2009 22:18:13: BKDR-IRCBOT.GS VARIANT STOPPED BY BOCLEAN!   
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\SVCHOST.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Tam

------------------------------
02/04/2009 07:57:35: BKDR-IRCBOT.GS VARIANT STOPPED BY BOCLEAN!   
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\SVCHOST.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Tam

------------------------------
02/05/2009 11:25:04: BKDR-IRCBOT.GS VARIANT STOPPED BY BOCLEAN!   
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\SVCHOST.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Tam

------------------------------
02/06/2009 09:11:55:
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\SVCHOST.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Tam

------------------------------
02/06/2009 22:33:55:
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\SVCHOST.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Tam

------------------------------
02/07/2009 09:39:09:
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\SVCHOST.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Tam



Hope this helps Solar Maximum
Japo
« Reply #4 on: February 07, 2009, 12:07:53 PM »

Weird. The file flagged seems to be in the right location. However, as I understand from this link, svchost.exe is designed to run code from other files, possibly third-party.

Press Ctrl+Alt+Del to bring up the Task Manager, go to the Processes tab, and see if there is any instance of svchost.exe running. There should be--I don't think Windows can run with none of them--and if there are, that means BOClean is detecting something bad in one instance but not in others. My uneducated theory would be that the virus is another file, not directly executable, that uses one instance of svchost.exe to run (code injection), but not svchost.exe itself. It's a shame that BOClean can't tell what code is being run through svchost.exe; CIS Defense+ on the other hand would be able to, I think.
Solar max
« Reply #5 on: February 08, 2009, 09:30:19 AM »

OK, 6 instances of SVCHOST.EXE running, according to Task Manager.


Regards Solar Max
Japo
« Reply #6 on: February 08, 2009, 10:44:32 AM »

If I'm right and the nastie is another file that injects its code into svchost.exe--which is what svchost.exe is for on the other hand--, BOClean will stop it every time, but it won't be able to tell you which file is the virus, it will flag svchost.exe, but that wouldn't be the virus.

So in short you would be safe because BOClean doesn't let the malicious code run, but you wouldn't get rid of the alert because BOClean doesn't know which file to delete, and the virus tries back again and again. Interesting case.

You could run a scan with one or more programs and see if they find and remove the virus and the alerts stop. Or run HijackThis and post the log. Moreover, you could give CIS a try; I think Defense+ would be able to catch the nastie in the act of injecting itself into svchost.exe (again, if my hypothesis is right).
« Last Edit: February 08, 2009, 10:48:45 AM by Japo »

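As an added example (not code from the thread or from BOClean), here is a small Python triage script for the report format pasted in Reply #3. It groups the alerts by the file BOClean named and applies Japo's reasoning from the two replies above: repeated hits on a Windows host process such as svchost.exe point at a separate injector that survives each block and whose startup entry still has to be found. The report text, the list of host processes and the verdict strings are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, abbreviated to the lines the parser uses,
# in the layout of a BOClean "Examine report" dump.
SAMPLE_REPORT = r"""
------------------------------
02/03/2009 16:48:07: RSK-RENOS.CB VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\DOCUME~1\TAM\LOCALS~1\TEMP\1_DROPPER_286962.EXE contained the trojan.
------------------------------
02/03/2009 19:29:12: BKDR-IRCBOT.GS VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\SVCHOST.EXE contained the trojan.
------------------------------
02/06/2009 09:11:55:
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\SVCHOST.EXE contained the trojan.
"""

HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}):\s*(.*)$")
FILE_LINE = re.compile(r"^(.*) contained the trojan\.$")
# Windows processes that malware usually abuses by injecting code rather
# than by replacing the file on disk (assumed list for this example).
INJECTION_HOSTS = {"svchost.exe", "explorer.exe", "winlogon.exe"}

def parse_report(text):
    """Return (timestamp, signature_name, path) for every alert block."""
    records, stamp, name = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            # Some blocks carry no signature name after the timestamp.
            name = m.group(2).replace(" VARIANT STOPPED BY BOCLEAN!", "") or "UNNAMED"
            continue
        m = FILE_LINE.match(line)
        if m and stamp is not None:
            records.append((stamp, name, m.group(1)))
            stamp = name = None
    return records

def triage(records):
    """Group alerts by file: repeated hits on a host process mean the injector survived."""
    by_path = defaultdict(list)
    for stamp, name, path in records:
        by_path[path].append((stamp, name))
    verdicts = {}
    for path, hits in by_path.items():
        exe = path.rsplit("\\", 1)[-1].lower()
        if exe in INJECTION_HOSTS and len(hits) > 1:
            verdict = "injection host hit repeatedly: find the injector and its startup entry"
        elif len(hits) > 1:
            verdict = "same file re-dropped: persistence still in place"
        else:
            verdict = "single detection"
        verdicts[path] = (len(hits), len({s.date() for s, _ in hits}), verdict)
    return verdicts
```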
eXPerience
« Reply #7 on: February 08, 2009, 11:20:11 AM »

99% we have a winner here: virus.

Please follow these steps:
1) Back up all your files and folders using a back-up program, for example Comodo Back-up

2) Download the following programs and install them
- SUPERAntispyware
- Malwarebytes' Anti-Malware
- Bitdefender Free

3) Check for definition updates (Important!).

4) Allow each program to scan. Scan one at a time.

5) Let the programs clean the infections.

6) Reboot into normal mode and see if you find any remains of the virus

7) Download and install Hijackthis. Afterwards, do a system scan and save a log file. A text file will open in Notepad; save this one and later upload it together with your post.
DO NOT FIX ANYTHING YET !!!

8) Please post back in this topic:
- if you think your computer is still infected
- the HijackThis log
- the name of the malware the programs reported

For now, I will leave the topic here; if it's indeed a virus, we should move this to the Malware removal assistance board

Xan
Rednose
« Reply #8 on: February 08, 2009, 02:04:33 PM »

I would clean the temporary files as well before starting the above procedure.

Greetz, Red.
eXPerience
« Reply #9 on: February 08, 2009, 02:07:11 PM »

@Rednose: Yeah, that might be a good idea for the future. Thanks Rednose, I'll add it later.
@Solar max: Also download and run CCleaner.

Xan
Solar max
« Reply #10 on: February 08, 2009, 02:28:33 PM »

Thanks again. One other thing I should have mentioned is that the warning box is headed BKDR-IRCBOT GS.variant; is this any further help?

Regards Solar Max
Japo
« Reply #11 on: February 08, 2009, 02:54:23 PM »

That's the name BOClean gives to what it found, according to the matching signature.

Just try to remove it with the procedure posted above. There must be a startup or service entry in the registry. And of course the file should be deleted eventually as well (not svchost.exe but the yet unknown one).
Solar max
« Reply #12 on: February 16, 2009, 08:34:13 AM »

OK, all signs of virus activity on startup gone. Post from HijackThis as follows:


Scan saved at 13:09:11, on 16/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Comodo\CBOClean\BOC4UPD.EXE
C:\Program Files\Comodo\COMODO Internet Security\cfpupdat.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.demon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.demon.net
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\system32\acluiv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\system32\acluiv.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.demon.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1D6CC2F-D53C-463B-9F08-10F2A89B88CE}: NameServer = 158.152.1.58 158.152.1.43
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe

--
End of file - 4882 bytes


Malware names removed were Trojan dropper, Task Manager Virus, Fake trojan; last log from Malwarebytes Anti-Malware below.


Database version: 1764
Windows 5.1.2600 Service Pack 2

15/02/2009 21:35:37
mbam-log-2009-02-15 (21-35-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 118978
Time elapsed: 59 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Tam\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tam\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tam\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{EBB8D012-E8F0-421B-8E23-D6FFBE2EE699}\RP534\A0028425.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EBB8D012-E8F0-421B-8E23-D6FFBE2EE699}\RP539\A0028897.rbf (Rogue.SpyCleaner) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EBB8D012-E8F0-421B-8E23-D6FFBE2EE699}\RP543\A0029339.rbf (Rogue.SpyCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tam\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tam\Application Data\MalwareRemovalBot\Log\2009 Feb 14 - 11_13_09 AM_327.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tam\Application Data\MalwareRemovalBot\Log\2009 Feb 15 - 09_51_55 AM_845.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tam\Application Data\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\acluiv.exe (Backdoor.Bot) -> Delete on reboot.

Regards Solar Max
kail
« Reply #13 on: February 16, 2009, 11:01:55 AM »

Hi Solar max

I cannot help much (I'm not an AV expert & I currently have the flu). However..
O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\system32\acluiv.exe
.. this one looks a little suspect (unless you know what it is). I recommend running this EXE through some of the on-line AV scanners.
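As an added example (not part of the thread), here is a Python snippet that parses the O4 lines of a HijackThis log and reports the kind of entry kail's post singles out: a value name registered under both HKLM and HKCU, and an executable launched straight out of system32 rather than from a vendor directory. The sample lines are constructed to mirror the log above, and the two heuristics are assumptions for this example, not HijackThis features.

```python
import re
from collections import defaultdict

# Constructed O4 lines in the HijackThis log format shown above; the paths
# mirror the thread's entries but this is not the poster's real log.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\system32\acluiv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\system32\acluiv.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
# Vendor software installs under Program Files; a Run value that starts an
# .exe sitting directly in system32 is the pattern kail's post points at.
SYSTEM32_EXE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.exe$")

def parse_o4(text):
    """Split each registry O4 line into hive, key, value name, exe and args."""
    entries = []
    for line in text.splitlines():
        m = O4_RUN.match(line)
        if not m:
            continue  # Global Startup (.lnk) lines are out of scope here
        hive, key, name, cmd = m.groups()
        if cmd.startswith('"'):
            exe, _, args = cmd[1:].partition('"')
        else:
            exe, _, args = cmd.partition(" ")
        entries.append({"hive": hive, "key": key, "name": name,
                        "exe": exe, "args": args.strip()})
    return entries

def suspicious(entries):
    """Return {value name: [reasons]} for entries matching the assumed heuristics."""
    hives = defaultdict(set)
    for e in entries:
        hives[(e["name"], e["exe"].lower())].add(e["hive"])
    findings = {}
    for e in entries:
        reasons = []
        if {"HKLM", "HKCU"} <= hives[(e["name"], e["exe"].lower())]:
            reasons.append("same value name and file registered under both HKLM and HKCU")
        if SYSTEM32_EXE.match(e["exe"].lower()):
            reasons.append("executable launched directly from system32, not a vendor directory")
        if reasons:
            findings[e["name"]] = reasons
    return findings
```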
FFKefka77
« Reply #14 on: February 16, 2009, 12:20:42 PM »

According to Malwarebytes, C:\WINDOWS\system32\acluiv.exe (Backdoor.Bot) -> Delete on reboot. So let's just hope that fixes his problem. I would also say update your Ad-Aware 2007 to the Anniversary Edition, which seems to be a lot better and a ton faster.