TechSpot

Persisent virus after reformatting...

Inactive
By JohnP77
Jul 28, 2012
  1. Hello guys/gals,

    Virus that can survive reformatting is tormenting me. "Svchost trojan", it seems untouchable.
    Followed your preposting instructions and here are my logs:

    Mbamlog -
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 183609
    Time elapsed: 48 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 1
    C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    (end)
    Gmer - No log

    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385
    Run by JohnPaul77 at 15:20:05 on 2012-07-28
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6143.4690 [GMT -7:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    -netsvcs
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    mWinlogon: Userinit=userinit.exe,
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{34B35C84-38BD-4232-AF96-7631CD945E69} : DhcpNameServer = 209.18.47.61 209.18.47.62
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRunOnce-x64: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpKsld9647831;MpKsld9647831;C:\Windows\Temp\MpKsld9647831.sys [2012-7-28 35664]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-28 655944]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-07-28 22:30:59 -------- d-----w- C:\Windows\Panther
    2012-07-28 22:18:50 -------- d-----w- C:\Users\JohnPaul77\AppData\Local\Diagnostics
    2012-07-28 22:12:46 20480 ----a-w- C:\Windows\svchost.exe
    2012-07-28 21:53:31 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{778862B8-D343-4A27-9E5A-B5723D21CB49}\mpengine.dll
    2012-07-28 21:53:31 279656 ------w- C:\Windows\System32\MpSigStub.exe
    2012-07-28 21:41:38 -------- d-----w- C:\Users\JohnPaul77\AppData\Roaming\Malwarebytes
    2012-07-28 21:41:33 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-07-28 21:41:33 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-07-28 21:41:31 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-07-28 21:40:46 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2012-07-28 21:40:46 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2012-07-28 21:40:46 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-07-28 21:40:46 139264 ----a-w- C:\Windows\System32\cabview.dll
    2012-07-28 21:40:46 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
    2012-07-28 21:40:46 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    2012-07-28 21:38:20 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2012-07-28 21:38:15 99840 ----a-w- C:\Windows\System32\wudriver.dll
    .
    ==================== Find3M ====================
    .
    2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
    .
    ============= FINISH: 15:20:22.14 ===============

    Your help is immensely appreciated,

    J.P.
     
  2. JohnP77

    JohnP77 TS Rookie Topic Starter

    My apologies in advance, apparently Gmer leave a log on the second try , here is the log:

    Gmer -
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-07-28 15:38:54
    Windows 6.1.7600
    Running: lkbutf5q.exe

    ---- Files - GMER 1.0.15 ----
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\beacon[1].txt 676 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\afr[5].php 2678 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\01[1].htm 8184 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\diet-new-nicotine-patch[2].txt 51603 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\14[3].txt 1600 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\14[4].txt 1600 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\pixel[2].htm 349 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\data_sync[2].htm 572 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\fpi[2].htm 11527 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\ddc[2].htm 12826 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\desserts[1].txt 78156 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\beacon[1].txt 794 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\fpi[2].htm 11769 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\fpi[3].htm 11527 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\afr[1].php 1806 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\37_220_36_14[1].htm 1726 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\oauth[3].txt 259 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\ddc[2].htm 12826 bytes
    File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\ddc[3].htm 12826 bytes
    ---- EOF - GMER 1.0.15 ----
     
  3. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================

    I still need Attach.txt part of DDS.

    Next...

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  4. JohnP77

    JohnP77 TS Rookie Topic Starter

    Hello Broni!

    Thanks for your reply , but I had everything backed up anyhow so I reformatted and deleted the partitions this time, which was key to wiping out the svchost virus since its embedded in there good. Simply formatting either drive (Under advanced options on install) manually doesn't cut it.
    Thanks again and take care.

    -J.P.
     
  5. Broni

    Broni Malware Annihilator Posts: 46,860   +254

    Thanks for letting me know :)
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.