TechSpot

After removing FBI Moneypak Ransomware, svchost.exe Trojan on Windows 7 keeps returning

Solved
By TruelightE525
Nov 14, 2012
  1. TruelightE525

    TruelightE525 TS Rookie Topic Starter Posts: 44

    Hi Broni,

    Thanks for the info about deleting the MBR.dat file.

    Regarding the programs that I am concerned about, they are actually programs that were installed on the PC TODAY and YESTERDAY that I don't recall installing. (I originally thought there were only programs installed today.) Please advise me regarding the legitimacy/necessity of these programs being on the PC. I don't want to leave any viruses on the PC. At the same time, I don't want to delete any legitimate/necessary programs that are normally automatically installed on this PC without any user intervention. BTW, the PC we've been cleaning is an HP Pavilion Entertainment PC. Here is the program list you requested below:

    Installed On: 11/17/2012
    Microsoft Live Search Toolbar
    WildTangent Games App (HP Games)
    JMicron Flash Media Controller Driver
    Google Toolbar for Internet Explorer
    SelectionLinks
    iLinc11 Client
    Yahoo! Software Update
    Yahoo! Toolbar
    Windows Media Encoder 9 Series
    Windows Live Essentials 2011
    HP Games
    Sendori
    SMPlayer 0.6.9
    Microsoft Office Professional 2007 Trial
    Mozilla Firefox 4.0.1 (x86 en-US)
    Homepage Protection
    Microsoft Office Home and Student 2007
    ESET Online Scanner v3
    Microsoft Office Enterprise 2007
    Dell PC Suite
    Citrix Receiver
    BucksBee Loyalty Plugin - 100884.rs
    Akamai NetSession Interface Service
    Adobe Shockwave Player 11.5
    Adobe Flash Player 11 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe AIR

    Installed On: 11/16/2012
    Microsoft Office PowerPoint Viewer 2007 (English)
    Compatibility Pack for the 2007 Office system
     
  2. TruelightE525

    TruelightE525 TS Rookie Topic Starter Posts: 44

    Hi Broni,

    I keep forgetting to mention in the process of cleaning the PC that Internet Explorer is still not working correctly and Firefox is still missing from the Task Bar (so I haven't tested it out yet). Previously (when the PC was totally infected and crashing all the time), both IE and Firefox were taking me to sites that were different from the web addresses that I entered, and at some point, one of the viruses removed the Firefox icon from the Task Bar. How it did it, I don't know. Now, when I go to Internet Explorer, it cannot connect with any websites. So, I've been using Safari for the last two days on this PC. Any help you can give me regarding repairing these web browsers would be helpful and appreciated.
     
  3. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    The only program installed by us is ESET Online Scanner.
    You can keep it for future use.

    As for IE.
    Open it, go Tools>Internet options>Advanced tab and click on "Reset" button.
    Restart IE and see how it goes.

    As for Firefox...
    Go Start>All programs, find Firefox, right click on it, then Send to>Quick Launch
     
  4. TruelightE525

    TruelightE525 TS Rookie Topic Starter Posts: 44

    Hi Broni,

    OK...I will keep ESET Online Scanner.

    I was going to Reset IE per your instructions, but I decided not to Reset IE after all. Here's what happened:

    After opening IE, it took a long time before I could even go to Tools>Internet options. When I finally was able to go to the Advanced tab, I read about all the things that were going to be reset to default and/or deleted upon Resetting. I had a bad feeling about Resetting everything, so I Canceled instead. After the Cancel, I was able to use IE again to surf the web. It's slower than I think it should be, but not unresponsive.

    As for Firefox, there was no Quick Launch option. So, what I did to make it show up on the Taskbar again was...
    Go Start>All programs, find Firefox, right click on it, then Pin to Taskbar.

    I'm going to continue now with the long list of previous instructions from 1:04 pm today, starting with:

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    I'll let you know if I have any problems or send you my next post of log contents, whichever comes first.

    Thanks again for all your help. Hope you're having a Happy Saturday. :)
     
  5. Broni

    Broni Malware Annihilator Posts: 47,078   +258

  6. TruelightE525

    TruelightE525 TS Rookie Topic Starter Posts: 44

    Hi Broni,

    Sorry for all the questions/problems today, but I was in the process of deleting tools and logs leftover on the PC, and I noticed a folder on the C: drive called, TDSSKiller_Quarantine. Should that folder and its contents be deleted? While I await your reply, I will continue working on the rest of your instructions.
     
  7. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    You can delete that folder.
    I don't mind you asking questions at all :)
     
  8. TruelightE525

    TruelightE525 TS Rookie Topic Starter Posts: 44

    Hi Broni,

    For Firefox, I could not update:
    Silverlight Plug-In, Google Earth Plugin, and Citrix ICA Client.

    There were other plug-ins that simply said "? Research" next to the plug-in name:
    Facebook Plugin, iTunes Application Detector, Windows Live™ Photo Gallery, iLinc Communications Netscape/Mozilla Install Plugin v 11.2, and Google Update.

    What do I do about them?

    I'm going to continue working on updating the other browsers' plug-ins while I await your reply. Thanks again for all your help!
     
  9. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    Don't worry about those.
     
  10. TruelightE525

    TruelightE525 TS Rookie Topic Starter Posts: 44

    Hi Broni,

    For Safari, I could not update:

    Apple Safari (Installed Version: 5.1.5, Latest Version: 5.1.7) or Adobe Shockwave Player (Installed File Version: 10.4.1, Latest File Version: 11.6.8.638).

    But I don't think the Qualys BrowserCheck is giving me accurate info about Adobe Shockwave Player. I looked at the programs that were installed under Start>Control Panel>Programs and Features, and it showed that I had installed the latest version of Adobe Shockwave Player (11.6.8.638). As a matter of fact, I think I installed it when I updated the plug-ins for Firefox, before I started updating the plug-ins for Safari. And I did restart Firefox after installing all of the plug-ins so that they would be accessible to Firefox, so I'm not sure what the problem is. So, please let me know if this is a real issue that I need to resolve or if I can ignore it and keep going.

    I'm going to start updating the plug-ins for Internet Explorer now. Thanks!

     
  11. TruelightE525

    TruelightE525 TS Rookie Topic Starter Posts: 44

    Hi Broni,

    I may have to Reset Internet Explorer after all. It's too slow to do anything useful. However, I was able to run the Qualys BrowserCheck using IE. But it gave me some more (I think) inaccurate info about the version of one of the programs (Adobe Flash Player) that it says is a Security Risk. It says the PC has Adobe Flash Player 11.4.402.287 installed, rather than 11.5.502.110. But there are two Adobe Flash Players that were installed yesterday. One was Adobe Flash Player 11 Plugin (11.5.502.110), while the other was Adobe Flash Player 11 ActiveX (11.4.402.287). Should I ignore this or is this an issue I need to resolve?

    Thanks!
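The program list in post 1 (and Broni's reply that only ESET Online Scanner was installed by the helpers) and the two-Flash-entries question in post 11 both come down to the same data: what Windows has registered under its Uninstall keys, which is what "Programs and Features" displays. The script below is an added example and is not code from the thread or from TechSpot. It enumerates those keys on a Windows 7 x64 machine (the three registry paths are the standard ones; the watch-list substrings and the `Adobe Flash Player*` name patterns are assumptions based on the names that appear in the thread), filters by the InstallDate value, flags watch-list hits, and compares the Flash ActiveX (IE) and Plugin (Firefox) builds, which Flash registers as two separate entries.

```powershell
# Added example, not part of the TechSpot thread: enumerate the programs Windows
# has registered under its Uninstall keys (the data behind "Programs and
# Features"), filter them by InstallDate, flag names on an assumed bundleware
# watch list, and compare the Flash Player ActiveX (IE) and Plugin (Firefox)
# versions. Run in an elevated PowerShell on the affected PC (PS 2.0 or later).

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

# Assumed watch list: substrings typical of toolbars/adware among the posted program names.
$WatchList = @('Toolbar', 'SelectionLinks', 'Sendori', 'BucksBee', 'Homepage Protection', 'WildTangent')

function Test-WatchList {
    param([string]$Name)
    foreach ($w in $WatchList) {
        if ($Name -like "*$w*") { return $true }
    }
    return $false
}

function Get-InstalledSoftware {
    # $InstalledOn is yyyyMMdd as stored in the InstallDate value, e.g. '20121117'; empty = all.
    param([string]$InstalledOn = '')
    $results = @()
    foreach ($path in $UninstallKeys) {
        $entries = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($e in $entries) {
            if (-not $e.DisplayName) { continue }                      # hotfixes/components without a name
            if ($InstalledOn -and ($e.InstallDate -ne $InstalledOn)) { continue }
            $results += New-Object PSObject -Property @{
                Name        = $e.DisplayName
                Version     = $e.DisplayVersion
                InstallDate = $e.InstallDate                            # absent on many entries
                Publisher   = $e.Publisher
                Uninstall   = $e.UninstallString
                Suspicious  = (Test-WatchList $e.DisplayName)
            }
        }
    }
    $results | Sort-Object InstallDate, Name
}

function Compare-FlashVersions {
    # Flash registers the IE (ActiveX) and NPAPI (Plugin) builds as separate Uninstall
    # entries, so a scanner that reads one can report a different version than the other.
    $flash   = Get-InstalledSoftware | Where-Object { $_.Name -like 'Adobe Flash Player*' }
    $activex = $flash | Where-Object { $_.Name -like '*ActiveX*' } | Select-Object -First 1
    $plugin  = $flash | Where-Object { $_.Name -like '*Plugin*'  } | Select-Object -First 1
    if (-not ($activex -and $plugin)) { return 'Fewer than two Flash Player entries registered' }
    $va = [version]$activex.Version
    $vp = [version]$plugin.Version
    if     ($va -lt $vp) { "ActiveX (IE) build $va is older than Plugin build $vp; run the ActiveX installer separately" }
    elseif ($vp -lt $va) { "Plugin (Firefox) build $vp is older than ActiveX build $va; run the Plugin installer separately" }
    else                 { "Both Flash Player builds are at $va" }
}

# Usage: everything registered with an InstallDate of 17 Nov 2012, watch-list hits first.
Get-InstalledSoftware -InstalledOn '20121117' |
    Sort-Object @{Expression='Suspicious'; Descending=$true}, Name |
    Format-Table Name, Version, Publisher, Suspicious -AutoSize
Compare-FlashVersions
```

Two caveats worth knowing when reading a list like the one in post 1. First, the "Installed On" column is only as good as the InstallDate value: when an entry lacks it, Programs and Features falls back to the registry key's last-write time, so a whole batch of OEM items, drivers and toolbars sharing one recent date usually means something rewrote those keys (an update, a cleanup tool, a repair) rather than a fresh install of all of them, which is why the filter above keys on the stored value and why the date is weak evidence on its own. Second, the Flash discrepancy in post 11 is a real finding, not a scanner error: the IE (ActiveX) and Firefox (Plugin) builds are updated by separate installers, and whichever of the two entries carries the lower version number is the one still exposed.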
     
     
  12. TruelightE525

    TruelightE525 TS Rookie Topic Starter Posts: 44

    Hi Broni,

    I did the Reset on IE, but it's not any faster. Any other suggestions on how to speed it up?
     
  13. TruelightE525

    TruelightE525 TS Rookie Topic Starter Posts: 44

    Here are my latest Malwarebytes log contents:

    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.11.17.06

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    kc :: KC-PC [administrator]

    11/18/2012 2:01:58 AM
    mbam-log-2012-11-18 (02-01-58).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 212741
    Time elapsed: 4 minute(s), 14 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    This is the first time I've seen Malwarebytes show all 0's. Does this mean the PC is really clean or do I need to perform the Full Scan just to make sure? I've been seeing the infection for so long, it's hard to really believe that the PC is clean!
     
  14. Broni

    Broni Malware Annihilator Posts: 47,078   +258

    You're good to go :)
     