Malware/svchost errors

Status
Not open for further replies.

logicallad

Hi,

First my system specs:

OS: Windows XP (SP3)
RAM: 4GB
Processor: Intel Quad Core Q6600
I use:
1. AVG v8.0 Free (I update definitions daily twice)
2. Comodo Internet Security v3.5 (I update definitions daily)
3. S&D Spybot v1.6
4. Windows Defender
5. Advanced System Care v3.0 Pro

Yesterday I was surfing the net trying to find a piece of software when I stumbled upon a link for a file which was renamed into the file I wanted (later I understood that it was a divxaccess.exe file). And I do not know whether my stars were bad or I was going through a phase of having my brain numbed, but I installed the exe file (however, before installing I scanned it using AVG v8.0 Free with the latest definitions and with Comodo Internet Security v3.5, again with the latest definitions, and neither found any problem in the exe file). Also, Spybot did not throw a registry modification approval window.

After installing, the first thing I noticed was that I lost my network (I use a WPA2-TKP or TPK security enabled wireless). I could not access the internet, and then, being fully aware that restarting the computer would cause problems, I restarted the computer (I think I was brain dead at this time). Anyway, as soon as Windows was loaded I got multiple svchost application errors with memory problems (I think there were around 15 or so, all for the programs that load on start up).

I pressed OK for most (another mistake) and then my system hung. So, I restarted and got into Windows again, but this time I did not acknowledge the svchost application errors and tried to open Spybot but could not. AVG was scanning but nothing got registered as a threat in the scan. Comodo was able to pick up 3 potential Virus/Spyware/Malware but it hung.

I also tried System Restore but it gave me an error and asked me to restart the system and then try (I could not even access System Restore). Also, I am not able to use F8 on startup of the computer. I read about malware attacking the boot.ini file so that I cannot boot into safe mode by the System Configuration Utility (or whatever it's called). I will be trying to access the System Configuration Utility (or whatever it's called) and select the SAFEMODE option from boot.ini, but I am not optimistic about it working out.

I also read somewhere about the malware modifying all svchost processes into scvhost processes, which I am yet to confirm.

I really DO NOT want to Repair or do a fresh installation (God forbid). Can anyone suggest a solution please?

Many thanks in advance,
Logicallad
P.S. I will be loading the HJT file as soon as I can reach home from work.
 
Yes I did

Yes, All these steps were done in normal mode.

However, over the last night, I was able to get complete hold of the computer functions.

I used MBAM and ran it about 4 times (3 quick and 1 deep) and the 5th time it's running as we speak. (Attached)

Also I ran a HijackThis scan and the result is attached.

I also ran GMER scan and it found some hidden content and some problems in the rootkit, but I do not know how to fix them.

Comodo Internet Security v3.5, SpyBot v1.6 and AVG v8.0 Free were also successful in finding multiple malware which I removed from system. (Sorry I cannot attach the log file from my office)

I also installed SpywareBuster onto my computer and it's running normally.

I have gained access to my System Restore, Spybot and other programs. I am also not getting any svchost error messages. But, one thing for sure, I AM NOT GOING TO USE GOOGLE CHROME. I am a happy man with Mozilla Firefox.

I am aware that these things never go away fully but I do not hold any sensitive information on my computer thankfully. I changed all the passwords as well.

Do you suggest something?

Regards,
Logicallad
 
It wasn't Chrome that was the fault.

It was (and still is):

BitComet
AVG8

Both of these will not help (Yes including AVG8)

By the way where's SuperAntispyware log?

Do this:
Uninstall BitComet (your choice of course!)
Uninstall your AVG Antivirus
Then run the removal tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

Restart

Run Startup Control Panel and remove any not required startups: (should be most!)

Install Avira free AntiVirus

Disable (or ideally uninstall) Spybot S&D

Startup Malwarebytes
Update it again
Run a full scan (you may be shocked at what Avira will find from Malwarebytes being scanned)
Download and run SuperAntiSpyware

Provide the 3 logs

By the way, you have Combofix already installed, you may as well do a final scan with this too, and provide the log too
 
I will do this as soon as I can

I am in my office right now and it's my home computer that's infected.

I will be following the procedure as explained by you and post the required logs this evening.

Many thanks
logicallad
 
Thanks Logicallad, it is Logicallad isn't it, because I noticed that Logicallad was posted after every post as: Logicallad, and your Member name is Logicallad, so I'm pretty sure that you (Logicallad) probably don't need sign off with your name Logicallad anymore.

What do you think Logicallad?
 
Here are the log files as you told me:
1. SUPERAntiSpyware
2. MBAM
3. Avira
4. HijackThis log again

What do you think Kim?
 
Please startup HJT Scan only
Place a tick next to all the following entries
Select Fix to all of them
Then close HJT Window
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

This entry:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
Tells me that you are on some type of home business network (more than 1 computer connected)
If this is correct this entry can be left in HJT scan

----------

Download Combofix
Lots of info on its use here
Direct download here

Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
ComboFix will also restart your computer (eventually) and then (eventually) create a log

Save this log file to be attached to a new reply
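The fix list above is picked out by eye from the HijackThis log. As an added example (not from this thread or from the HijackThis project), here is a small Python triage script that parses lines in the HJT format quoted above and separates the safe-to-fix leftovers (entries ending in "(no file)", "(file missing)" or "= ?") from the R1 ProxyServer entry, which needs a human decision because it can be a home gateway or a browser hijack. The sample log is constructed from a subset of the lines in the reply.

```python
import re

# Constructed sample in the HijackThis log format quoted in this thread
# (a subset of the lines the reply above asks to tick and Fix).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: APC UPS Status.lnk = ?
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
"""

# Every HJT line is "<section> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Parse HJT scan lines into dicts carrying a list of observations."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body, flags = m.group("section"), m.group("body"), []
        # Registry still references a BHO/toolbar/protocol/notify DLL that is
        # gone: the usual leftover after malware or an AV product was removed.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            flags.append("orphaned")
        if body.endswith("= ?"):      # startup shortcut HJT could not resolve
            flags.append("unresolved")
        if section == "R1" and "ProxyServer" in body:
            flags.append("proxy")     # home gateway or browser hijack: human decides
        entries.append({"section": section, "body": body, "flags": flags})
    return entries


def review_hjt(text):
    """Return {'fix': leftovers safe to tick, 'review': entries needing a decision,
    'proxy': the configured ProxyServer value or None}."""
    entries = parse_hjt(text)
    fix = [e for e in entries if {"orphaned", "unresolved"} & set(e["flags"])]
    review = [e for e in entries if "proxy" in e["flags"]]
    proxy = review[0]["body"].split("=", 1)[1].strip() if review else None
    return {"fix": fix, "review": review, "proxy": proxy}
```

Run `review_hjt(SAMPLE_HJT_LOG)` (or pass the text of a real HJT log) and tick only the entries in `fix`; the `proxy` value is what to compare against your router address before deciding whether the R1 line stays.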
 
Thanks a TON kim :)

I did the HJT bit that you told me and I think it removed the entries that you told me to highlight (I hope that's not a problem).

Also, yes, I run a home network but only to keep my PS3 in the loop. :)

I am attaching the Combofix log file. One question regarding the log file, it mentions BitComet in the TCP/UDP section, but I have uninstalled it. Why is it then showing this?

I accessed the Comodo options and disabled all options of AntiVirus and Firewall, but I was still getting the warning from ComboFix, so I shut down Comodo after the second warning using Task Manager (was that done right? It was a cmdagent.exe process).

Thank you once again for all the help Kim! :)
 
I think you must be joking or something :confused:

Do you know what file sharing programs do? They share your files! You cannot stop your files being shared if you install this type of program, as by installing them you are agreeing that they can bypass your firewall.

Your drive is shared to the hilt. Actually, strictly speaking if you were really concerned (as I would be) you would format immediately. Maybe I'll just show you all the file sharing programs running (I confirm running, as when installed they will start sharing your files straight away)

Azureus
BitComet
FileZilla
FrostWire
Gbridge
GlobalSCAPE
InternetCalls
LimeWire
Pando
TVersity
Veoh
Vuze
Winamp Remote

I have never seen more sharing programs installed on one computer, ever!
And to try to safeguard yourself (an impossibility, by the way) you have Avira, but you still have AVG8 in the background. If you don't mind me saying - it's a mess :rolleyes:

As I don't usually support users with 1 (yes, just 1) file sharing program installed, since they will just be re-infected within a couple of days, I must stop here. Good luck to anyone who wants to continue malware removal support with your computer. Anyone out there - go for it.

I will say this though (already said) Backup and format. And do not for the life of you do any banking or any private anything on your present computer system, the way it is horribly set up now.

Solved :) :grinthumb
 