TechSpot

Can't remove svchost.exe trojan with Malwarebytes

Solved
By Camethyste
Oct 28, 2012
  1. Camethyste

    Camethyste TS Rookie Topic Starter Posts: 27

    Farbar Service Scanner Version: 27-10-2012
    Ran by Matt (administrator) on 29-10-2012 at 19:29:35
    Running from "C:\Users\Matt\Desktop"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============

    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
     
  2. Camethyste

    Camethyste TS Rookie Topic Starter Posts: 27

    # AdwCleaner v2.005 - Logfile created 10/29/2012 at 19:33:32
    # Updated 14/10/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Matt - MATT-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Matt\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Deleted : C:\ProgramData\Ask
    Folder Deleted : C:\Users\Matt\AppData\LocalLow\AskToolbar
    Folder Deleted : C:\Users\Matt\AppData\Roaming\iWin
    Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

    ***** [Registry] *****

    Key Deleted : HKCU\Software\APN
    Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
    Key Deleted : HKCU\Software\Ask.com
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    Key Deleted : HKLM\Software\APN
    Key Deleted : HKLM\Software\AskToolbar
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
    Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
    Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
    Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [OK] Registry is clean.

    -\\ Mozilla Firefox v13.0.1 (en-US)

    Profile name : default
    File : C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\gknen91d.default\prefs.js

    Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
    Deleted : user_pref("keyword.URL", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=ORJ&o=100000031&loca[...]

    -\\ Google Chrome v22.0.1229.94

    File : C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Deleted [l.48] : keyword = "safesearch.ask.com",
    Deleted [l.51] : search_url = "hxxp://safesearch.ask.com/web?q={searchTerms}&o=15527&l=dis&prt=&chn=KWD&geo=US&ver=",

    *************************

    AdwCleaner[S1].txt - [4056 octets] - [29/10/2012 19:33:32]

    ########## EOF - C:\AdwCleaner[S1].txt - [4116 octets] ##########
     
  3. Camethyste

    Camethyste TS Rookie Topic Starter Posts: 27

    After running TFC I got a windows message stating that windows had encountered a critical error and needed to reboot. The computer rebooted by itself shortly after. Running ESET next, will post when I'm done. I'm also getting a notice for Java to update. Should I go ahead and update it?
     
  4. Camethyste

    Camethyste TS Rookie Topic Starter Posts: 27

    ESET online scanner is stopped at 4% of initialization and gives the message "Can not get update. Is proxy configured?"
    What should I do?
     
  5. Broni

    Broni Malware Annihilator Posts: 47,078   +257

    Stop the scan and use different browser.
     
  6. Camethyste

    Camethyste TS Rookie Topic Starter Posts: 27

    I've tried it with Chrome, Internet Explorer and Firefox. Same problem with each one.
     
  7. Broni

    Broni Malware Annihilator Posts: 47,078   +257

    Please, run F-Secure Online Scanner

    • Disable your Antivirus program.
    • Checkmark I have read and accepted the license terms.
    • Click on Run Check button.
    • Quick scan (recommended) option will come pre-checked. Don't change it.
    • Click on Start button.
    • When scan is done, in Step 3: Clean the files, leave all settings as they're.
    • Click Next button.
    • Click Full report... button.
    • Copy report's content and paste it into your next reply.
     
  8. Camethyste

    Camethyste TS Rookie Topic Starter Posts: 27

    F-secure online scanner
    There were no files to clean .
    Full Report:


    Scanning Report


    Monday, October 29, 2012 21:03:56 - 21:06:51


    Computer name: MATT-PC
    Scanning type: Quick scan
    Target: System


    No malware found



    Statistics

    Scanned:
    • Files: 5546
    • System: 5546
    • Not scanned: 0
    Actions:
    • Disinfected: 0
    • Renamed: 0
    • Deleted: 0
    • Not cleaned: 0
    • Submitted: 0


    Options

    Scanning engines:
     
  9. Broni

    Broni Malware Annihilator Posts: 47,078   +257

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please, let me know, how your computer is doing.
     
  10. Camethyste

    Camethyste TS Rookie Topic Starter Posts: 27

    Regarding JavaRa...
    When I ran it, it said it was finished searching for old versions and was creating a log file. But then when it went to display the log file it said it could not find it. Since the log file wasn't created/doesn't exist... did this do what it was supposed to?
     
  11. Camethyste

    Camethyste TS Rookie Topic Starter Posts: 27

    OTL result:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Matt
    ->Temp folder emptied: 504912674 bytes
    ->Temporary Internet Files folder emptied: 31010963 bytes
    ->Java cache emptied: 3751 bytes
    ->FireFox cache emptied: 5938024 bytes
    ->Google Chrome cache emptied: 10456005 bytes
    ->Flash cache emptied: 700 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 16673056 bytes

    Total Files Cleaned = 543.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Matt
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Matt
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.69.0 log created on 10292012_215912
    Files\Folders moved on Reboot...
    C:\Users\Matt\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\Matt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
    C:\Users\Matt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XM94JLJC\aclk[1].htm moved successfully.
    File\Folder C:\Users\Matt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNH812E0\aclk[1].htm not found!
    C:\Users\Matt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNH812E0\page-2[1].htm moved successfully.
    File\Folder C:\Users\Matt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1M1R9OM\aclk[1].htm not found!
    File\Folder C:\Users\Matt\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MECZBU20\aclk[1].htm not found!
    PendingFileRenameOperations files...
    Registry entries deleted on Reboot...
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,078   +257

    I don't need JavaRa log.

     
  13. Camethyste

    Camethyste TS Rookie Topic Starter Posts: 27

    I still had old Java stuff so I uninstalled it as it said to do on the Java site. Everything seems to be running great, thanks soooooo much! You have no idea how much I appreciate it!

    Can I delete from the desktop: MBR.dat, Security Check, and JavaRa?
     
  14. Broni

    Broni Malware Annihilator Posts: 47,078   +257

    Yes, you can delete those.

    Way to go!! [​IMG]
    Good luck and stay safe :)
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.