Malware/svchost errors

By logicallad
Mar 3, 2009
Topic Status:
Not open for further replies.
  1. Hi,

    First my system specs:

    OS: Windows XP (SP3)
    RAM: 4GB
    Processor: Intel Quad Core Q6600
    I use:
    1. AVG v8.0 Free (I update definitions twice daily)
    2. Comodo Internet Security v3.5 (I update definitions daily)
    3. S&D Spybot v1.6
    4. Windows Defender
    5. Advanced System Care v3.0 Pro

    Yesterday I was surfing the net trying to find some software when I stumbled upon a link for a file which was renamed to the file I wanted (later I understood that it was a divxaccess.exe file). I do not know whether my stars were bad or I was going through a phase of having my brain numbed, but I installed the exe file (however, before installing I scanned it using AVG v8.0 Free with the latest definitions and with Comodo Internet Security v3.5, again with the latest definitions, and neither found any problem in the exe file). Also, Spybot did not throw a registry modification approval window.

    After installing, the first thing I noticed was that I lost my network (I use a WPA2-TKP or TPK security enabled wireless). I could not access the internet, and then, being fully aware that restarting the computer would cause problems, I restarted the computer (I think I was brain dead at this time). Anyway, as soon as Windows was loaded I got multiple svchost application errors with memory problems (I think there were around 15 or so, all for the programs that load on start up).

    I pressed OK for most (another mistake) and then my system hung. So, I restarted and got into Windows again, but this time I did not acknowledge the svchost application errors and tried to open Spybot but could not. AVG was scanning but nothing got registered as a threat in the scan. Comodo was able to pick up 3 potential Virus/Spyware/Malware but it hung.

    I also tried System Restore but it gave me an error and asked me to restart the system and then try (I could not even access System Restore). Also, I am not able to use F8 on startup of the computer. I read about malware attacking the boot.ini file so that I cannot boot into safe mode via the System Configuration Utility (or whatever it's called). I will be trying to access the System Configuration Utility (or whatever it's called) and select the SAFEMODE option from boot.ini, but I am not optimistic about it working out.

    I also read somewhere about the Malware modifying all svchost processes into scvhost processes which I am yet to confirm.

    I really DO NOT want to Repair or do a fresh installation (God forbid). Can anyone suggest a solution please?

    Many thanks in advance,
    Logicallad
    P.S. I will be loading the HJT file as soon as I can reach home from work.
  2. cubyong

    cubyong Newcomer, in training Posts: 45

    Have you tried doing the 8 steps in normal Windows mode?
  3. logicallad

    logicallad Newcomer, in training Topic Starter

    Yes I did

    Yes, all these steps were done in normal mode.

    However, over the last night, I was able to get complete hold of the computer functions.

    I used MBAM and ran it about 4 times (3 quick and 1 deep), and the 5th time it's running as we speak. (Attached)

    Also I ran a HijackThis scan and the result is attached.

    I also ran GMER scan and it found some hidden content and some problems in the rootkit, but I do not know how to fix them.

    Comodo Internet Security v3.5, SpyBot v1.6 and AVG v8.0 Free were also successful in finding multiple malware which I removed from system. (Sorry I cannot attach the log file from my office)

    I also installed spywarebuster onto my computer and its running normally.

    I have gained access to my System Restore, Spybot and other programs. I am also not getting any svchost error messages. But, one thing for sure, I AM NOT GOING TO USE GOOGLE CHROME. I am a happy man with Mozilla Firefox.

    I am aware that these things never go away fully but I do not hold any sensitive information on my computer thankfully. I changed all the passwords as well.

    Do you suggest something?

    Regards,
    Logicallad
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    It wasn't Chrome that was the fault.

    It was (and still is):

    BitComet
    AVG8

    Both of these will not help (Yes including AVG8)

    By the way where's SuperAntispyware log?

    Do this:
    Uninstall BitComet (your choice of course!)
    Uninstall your AVG Antivirus
    Then run the removal tool
    Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
    Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

    Restart

    Run Startup Control Panel and remove any not required startups: (should be most!)

    Install Avira free AntiVirus

    Disable (or ideally uninstall) Spybot S&D

    Start up Malwarebytes
    Update it again
    Run a full scan (you may be shocked at what Avira will find from Malwarebytes being scanned)
    Download and run SuperAntiSpyware

    Provide the 3 logs

    By the way, you have Combofix already installed, you may as well do a final scan with this too, and provide the log too
  5. logicallad

    logicallad Newcomer, in training Topic Starter

    I will do this as soon as I can

    I am in my office right now and it's my home computer that's infected.

    I will be following the procedure as explained by you and post the required logs this evening.

    Many thanks
    logicallad
  6. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Thanks Logicallad, it is Logicallad isn't it, because I noticed that Logicallad was posted after every post as: Logicallad, and your Member name is Logicallad, so I'm pretty sure that you (Logicallad) probably don't need sign off with your name Logicallad anymore.

    What do you think Logicallad?
  7. logicallad

    logicallad Newcomer, in training Topic Starter

    oops... :)

    I am used to doing that with my name so I did not notice.

    thanks for pointing it out. ;)
  8. logicallad

    logicallad Newcomer, in training Topic Starter

    Here are the log files as you told me
    1.SUPERAntiSpyware
    2. MBAM
    3. Avira
    4. HijackThis log again

    What do you think Kim?
  9. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Please startup HJT Scan only
    Place a tick next to all the following entries
    Select Fix to all of them
    Then close HJT Window
    This entry:
    Tells me that you are on some type of home business network (more than 1 computer connected)
    If this is correct this entry can be left in HJT scan

    ----------

    Download Combofix
    Lots of info on its use here
    Direct download here

    Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
    Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
    ComboFix will also restart your computer (eventually) and then (eventually) create a log

    Save this log file to be attached to a new reply
  10. logicallad

    logicallad Newcomer, in training Topic Starter

    Thanks a TON kim :)

    I did the HJT bit that you told me and I think it removed the entries that you told me to highlight (I hope that's not a problem).

    Also, yes, I run a home network but only to keep my PS3 in the loop. :)

    I am attaching the Combofix log file. One question regarding the log file, it mentions BitComet in the TCP/UDP section, but I have uninstalled it. Why is it then showing this?

    I accessed the Comodo options and disabled all options of AntiVirus and Firewall, but I was still getting the warning from ComboFix, so I shut down Comodo after the second warning using the task manager (was that done right? It was a cmdagent.exe process).

    Thank you once again for all the help Kim! :)
  11. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I think you must be joking or something :confused:

    Do you know what file sharing programs do? They share your files! You cannot stop your files being shared if you install this type of program, as by installing them you are agreeing that they can bypass your firewall.

    Your drive is shared to the hilt. Actually, strictly speaking if you were really concerned (as I would be) you would format immediately. Maybe I'll just show you all the file sharing programs running (I confirm running, as when installed they will start sharing your files straight away)

    Azureus
    BitComet
    FileZilla
    FrostWire
    Gbridge
    GlobalSCAPE
    InternetCalls
    LimeWire
    Pando
    TVersity
    Veoh
    Vuze
    Winamp Remote

    I have never seen more sharing programs installed on one computer, ever!
    And to try to safeguard yourself (an impossibility, by the way) you have Avira, but you still have AVG8 in the background. If you don't mind me saying, it's a mess :rolleyes:

    As I don't usually support users with 1 (yes, just 1) file sharing program installed, since they will just be re-infected within a couple of days, I must stop here. Good luck to anyone who wants to continue malware removal support with your computer. Anyone out there - go for it.

    I will say this though (already said) Backup and format. And do not for the life of you do any banking or any private anything on your present computer system, the way it is horribly set up now.

    Solved :) :grinthumb