svchost detected by Sonar

Discussion in 'Malware Help (A Specialist Will Reply)' started by Terryv, Jan 26, 2010.

  1. Terryv

    Terryv Private E-2

    Please help! Win 7 / NIS 2010 / IE latest version
    For the last 4 days when online, every 5 minutes NAV gives "svchost.exe detected by Sonar - Quarantined". At the same time a 4-random-character file (e.g. moed.exe) is created in temp.
    NAV is also picking up "svchost.exe (suspicious.dloader) detected by Auto-protect - blocked"
    On the 5th day NAV changed the message to "svchost.exe (Infostealer) Autoprotect blocked this virus"

    Many full system scans both normal and safe mode found nothing. Changed NAV Sonar to "Aggressive" found nothing.

    Malwarebytes and Superantispyware found nothing
    Combofix gave bluescreen with IRQL_not_less_or_equal
    RootkitRevealer: "Unable to install - the service did not respond to the start or control request in a timely fashion"
    MGTools ran successfully
    System cleaned regularly with Ccleaner and Glary Utilities
    Registry scanned for "random character" gave no entries
    I have endeavoured to walk through all the instructions on Major Geeks - any mistakes are entirely my own

    I am now at the end of my capabilities and humbly request help - thanks very much.

  2. Terryv

    Terryv Private E-2

    Additional Norton Internet Security logs

    Thanks

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What is this:
    C:\Users\Us\Desktop\20472.exe

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * Then click on the All Files button (or on the Folders option).
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Temp\FPVG.TMP
    C:\Temp\FXOT.TMP
    C:\Temp\IFGR.TMP
    C:\Temp\lvcomsx.log
    C:\Temp\OERN.TMP
    C:\Temp\PNNR.TMP
    C:\Temp\PVCH.TMP
    C:\Temp\scan0.sca
    C:\Temp\THGU.TMP
    C:\Temp\tidjk.exe
    C:\Temp\VVSX.TMP
    C:\Temp\WAID.TMP
    C:\Temp\BKCT.TMP
    C:\Temp\callingapps.xml
    C:\Temp\CDTE.TMP
    C:\Temp\CNQX.TMP
    C:\Temp\CVTI.TMP
    C:\Temp\EKUV.TMP
    C:\Temp\FNSACAHQUJBJ.exe
    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now go to start / run / and type:
    services.msc

    Scroll down to these two:
    TIDJK
    FNSACAHQUJBJ

    Right click, choose properties and set them to disabled.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. Terryv

    Terryv Private E-2

    Thanks Tim,

    1. I hate to have to admit it but 20472 is the sequential game number of Freecell that I am up to - I just change the shortcut name to remind me where I am up to.

    2. Pocket Killbox ran OK
    3. Selecting the files you mentioned could not be done, as CCleaner has been run since the last post and deleted them. I tried to copy other new ones into Pocket Killbox, but could not - although they have *.tmp names, they are zero-byte folders? No PendingFileRenameOperations prompt
    4. Services does not have any services by those names
    5. Closed all programs except Norton, ran CCleaner, checked C:\Temp - empty, rebooted, checked C:\Temp - a couple of files that are normal, sat and watched - did not touch anything

    Couple of minutes later

    tbve.tmp filefolder 6:04
    cptq.tmp filefolder 6:05
    nivf.tmp filefolder 6:10
    xcvq.tmp filefolder 6:11
    Next two at 6:16
    next two at 6:22
    next two at 6:27 ... and so on and on

    It looks like Norton is stopping these from going anywhere / progressing?

    6. Ran GetLogs.bat and have attached the file

    Thank you very very much
    Terry

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    All of these temp files need removing:

    C:\Temp\callingapps.xml
    C:\Temp\CPFQ.TMP
    C:\Temp\CQMM.TMP
    C:\Temp\ERDL.TMP
    C:\Temp\GYLI.TMP
    C:\Temp\HCBW.TMP
    C:\Temp\IQKH.TMP
    C:\Temp\NVVF.TMP
    C:\Temp\OBST.TMP
    C:\Temp\PCMQ.TMP
    C:\Temp\PUMQ.TMP
    C:\Temp\QIIQ.TMP
    C:\Temp\SMCN.TMP
    C:\Temp\SOUB.TMP
    C:\Temp\TBVE.TMP
    C:\Temp\WYYE.TMP
    C:\Temp\XCWQ.TMP

    Questions:
    What is this --> C:\Users\Us\AppData\Roaming\Tific
    C:\Users\Us\AppData\Local\Tific

    If you don't know, delete them.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  6. Terryv

    Terryv Private E-2

    Thanks again,
    Tific seems to be part of Norton

    tific.ocx is located in C:\Program Files\Norton Internet Security\Engine\17.5.0.127

    It has a valid certificate from Symantec

    Anyway, I deleted the Tific directories you mentioned, but could not delete the ActiveX control above as Norton is running - it made no difference to Norton running OK

    The file folders (?) in the temp directory, xxxx.tmp, are being created every 5 minutes - the ones you listed have been deleted and are constantly being replaced with new ones.

    Attached new MGlogs

    Thanks very much
    terry

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Some more were created, but I am not seeing anything as the cause. Let's have you go here:

    Jotti Scanner

    And paste in each of these files. ( Tell me the results please).
    C:\Temp\BMSV.TMP
    C:\Temp\JSUR.TMP
    C:\Temp\TBWI.TMP
    C:\Temp\YQCD.TMP
     
  8. Terryv

    Terryv Private E-2

    Thanks again,

    It will not copy the "files" into Jotti Scanner as they are zero-byte folders with nothing in them.

    Is there any logging tool that will let us know who, or what, creates these folders? It is happening every 5 minutes so we only need a small sample. Norton thinks it is a svchost, and from what I understand svchosts run DLLs - how do we track back to find which DLL, and then verify what it is?

    Thanks
    Terryv
     
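    One way to get the logging asked for above, as an added example that is not part of the thread: a PowerShell script that watches C:\Temp for the four-letter xxxx.tmp folders and, the moment one appears, records the most recently started processes and the service groups hosted by each svchost.exe instance, so the creator can be correlated by time. The log path C:\TempWatch.log and an elevated session are assumptions.

```powershell
# Added example, not from the thread: log what is running when a four-letter
# xxxx.tmp folder appears in C:\Temp, so its creator can be found by timing.
# Assumptions (constructed): folders appear in C:\Temp, the log goes to
# C:\TempWatch.log, and this runs in an elevated PowerShell session.
$WatchPath = 'C:\Temp'
$LogFile   = 'C:\TempWatch.log'

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $WatchPath
$watcher.Filter = '*.tmp'
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]::DirectoryName -bor
                        [System.IO.NotifyFilters]::FileName
$watcher.EnableRaisingEvents = $true

$onCreated = {
    $name = $Event.SourceEventArgs.Name
    # Only the pattern described in the thread: four letters, then .tmp
    if ($name -notmatch '^[A-Za-z]{4}\.tmp$') { return }
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $out = @("=== $stamp : created $($Event.SourceEventArgs.FullPath) ===")
    # The process started closest to this moment is the first suspect, so list
    # the newest processes with their parent PID and command line.
    $out += Get-CimInstance Win32_Process |
        Sort-Object CreationDate -Descending |
        Select-Object -First 15 ProcessId, ParentProcessId, Name, CreationDate, CommandLine |
        Format-Table -AutoSize | Out-String -Width 200
    # svchost.exe only hosts services (implemented as DLLs); /svc shows which
    # services each instance holds, which narrows "svchost" to a specific service.
    $out += 'Service groups per svchost.exe instance:'
    $out += tasklist /svc /fi 'IMAGENAME eq svchost.exe'
    # MessageData carries the log path into the event handler's runspace.
    Add-Content -Path $Event.MessageData -Value $out
}

Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier TempWatch -MessageData $LogFile -Action $onCreated | Out-Null

Write-Host "Watching $WatchPath for xxxx.tmp folders; logging to $LogFile (Ctrl+C to stop)"
try {
    while ($true) { Wait-Event -Timeout 60 | Out-Null }
}
finally {
    Unregister-Event -SourceIdentifier TempWatch
    $watcher.Dispose()
}
```

    Each entry in the log pairs a folder creation time with the processes alive at that moment; a service that repeatedly appears in the svchost list across several five-minute samples is the one to look up and verify.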
  9. Terryv

    Terryv Private E-2

    More info - although no more leads ...
    Created a Norton Bootable Recovery Disk and ran - it found nothing.
    I have checked a number of other Win 7 PCs and not found any files (folders) that look anything like what I am getting in Temp ... a zero-byte file folder called "four random characters.tmp", e.g. eqpp.tmp

    One very interesting development - Norton has stopped logging the creation of these folders as a threat - I checked Norton's exclusions and have nothing listed except \system volume information\ ... ???

    Thanks
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would say some program is creating them ( and since they are empty, then not a threat), but you would need to post in the software forum to try to run down which program is doing it. You may have to do a diagnostic startup in msconfig to track it down.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  11. Terryv

    Terryv Private E-2

    Thanks very much for your help

    regards
    terryv
     
  12. Terryv

    Terryv Private E-2

    Hi,

    Finally gave up and reloaded Windows after reformat - all clear so far

    Thanks again for all your help
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

