Scvhost.exe Trojan.Host issue that is killing me!!!

Discussion in 'Virus and Malware Removal' started by alan123, Dec 16, 2012.

  1. Broni Malware Annihilator Posts: 40,051   +187

    Looks good.

    How is computer doing?

    ==============================

    Uninstall McAfee Security Scan, typical foistware.

    ============================

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    ================================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  2. alan123 Newcomer, in training Posts: 47

    Thanks again for your help Broni!! Computer crashed yesterday but looking good now. 2 symptoms that I am noticing that I didn't have before all these problems. 1- computer takes a long time to load from off position (security software?). 2- for some reason when I plug in my charger into my laptop I get a message saying that the charger is not a Dell approved charger and it will not charge the battery but it will run off the power source. The charger is the same that I have been using and it is the one that came with the laptop.

    I will start the next set of protocols now.
  3. alan123 Newcomer, in training Posts: 47

    So I ran the first protocol with the log below. The only problem that seems to have occurred is that I am unable to connect to the internet (via wireless). I reset the modem but it keeps saying that it is trying to identify the network. Any ideas?


    # AdwCleaner v2.101 - Logfile created 12/18/2012 at 21:44:02
    # Updated 16/12/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : Alan - ALAN-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Alan\Desktop\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****
    Folder Deleted : C:\Program Files (x86)\Free Offers from Freeze.com
    ***** [Registry] *****
    Key Deleted : HKLM\Software\Freeze.com
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16457
    [OK] Registry is clean.
    -\\ Mozilla Firefox v4.0.1 (en-US)
    Profile name : default
    File : C:\Users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\6t8pgoq2.default\prefs.js
    [OK] File is clean.
    *************************
    AdwCleaner[S1].txt - [798 octets] - [18/12/2012 21:44:02]
    ########## EOF - C:\AdwCleaner[S1].txt - [857 octets] ##########
  4. alan123 Newcomer, in training Posts: 47

    FYI, the above message was sent from a different system. Once I get the internet running I will complete the protocol.

    Thanks again!!
  5. Broni Malware Annihilator Posts: 40,051   +187

    Let me know...
  6. alan123 Newcomer, in training Posts: 47

    So, this is my problem now... When I allow my wireless to <log on> it appears to connect to the network but cannot identify the network. It does the same thing when I plug the computer into the network using the ethernet cable. I ran the troubleshooter while it was plugged in and the message was: "windows could not automatically detect network proxy settings". At the same time Malwarebytes blocked the trojan agent from file: c:\TDSSkiller_quarantine\17.12.2012\mbr000\tdlfs\tsk002.dfa Trojan.Agent.

    Any ideas what is going on?
  7. Broni Malware Annihilator Posts: 40,051   +187

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center/Action Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  8. alan123 Newcomer, in training Posts: 47

    OK. I don't have my flash drive with me to transfer the files. Will do it within the next hour or so. I will assume at this point not to complete the previous task of downloading and running OTL and to do this instead.

    Thanks again!
  9. Broni Malware Annihilator Posts: 40,051   +187

  10. alan123 Newcomer, in training Posts: 47

    Farbar Service Scanner Version: 10-12-2012
    Ran by Alan (administrator) on 19-12-2012 at 23:15:58
    Running from "C:\Users\Alan\Desktop"
    Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.
    afd Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.
    Checking LEGACY_afd: ATTENTION!=====> Unable to open LEGACY_afd\0000 registry key. The key does not exist.

    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Attempt to access Google IP returned error.
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error.
    Attempt to access Yahoo.com returned error: Other errors

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.
    BITS Service is not running. Checking service configuration:
    The start type of BITS service is set to Demand. The default start type is Auto.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.

    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    Other Services:
    ==============

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys
    [2012-02-15 21:52] - [2012-12-18 21:30] - 0022368 ____A (AVG Technologies CZ, s.r.o. ) 42B7E1AA0C7EC54652A50585793F1885
    ATTENTION!=====> C:\Windows\System32\drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit

    **** End of log ****
  11. Broni Malware Annihilator Posts: 40,051   +187

    Very well...

    Let's start with the missing system file.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      afd.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  12. alan123 Newcomer, in training Posts: 47

    SystemLook 30.07.11 by jpshortstuff
    Log created at 17:12 on 20/12/2012 by Alan
    Administrator - Elevation successful
    ========== filefind ==========
    Searching for "afd.sys"
    C:\Windows\System32\drivers\AFD.SYS --a---- 22368 bytes [05:52 16/02/2012] [05:30 19/12/2012] 42B7E1AA0C7EC54652A50585793F1885
    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_33dd3439781e25f7\afd.sys --a---- 500224 bytes [23:21 13/07/2009] [23:21 13/07/2009] B9384E03479D2506BC924C16A3DB87BC
    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_3430bc3977dfec2d\afd.sys --a---- 499712 bytes [20:13 16/06/2011] [02:44 25/04/2011] 6EF20DDF3172E97D69F596FB90602F29
    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16937_none_34154fcd77f3bbda\afd.sys --a---- 499200 bytes [05:52 16/02/2012] [03:59 28/12/2011] DB9D6C6B2CD95A9CA414D045B627422E
    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_3483491e9126fe55\afd.sys --a---- 499712 bytes [20:13 16/06/2011] [02:44 25/04/2011] FBFF8B7C9D116229E9208A0D1CAEB49B
    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.21115_none_34b263fe91032456\afd.sys --a---- 499200 bytes [05:52 16/02/2012] [04:01 28/12/2011] CCA39961E76B491DDF44B1E90FC8971D
    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys --a---- 499712 bytes [18:07 26/05/2011] [09:23 20/11/2010] D31DC7A16DEA4A9BAF179F3D6FBDB38C
    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_3618198975057170\afd.sys --a---- 499200 bytes [20:13 16/06/2011] [02:34 25/04/2011] D5B031C308A409A0A576BFF4CF083D30
    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys --a---- 498688 bytes [05:52 16/02/2012] [03:59 28/12/2011] 1C7857B62DE5994A75B054A9FD4C3825
    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_3695e61e8e2c13d4\afd.sys --a---- 499200 bytes [20:13 16/06/2011] [03:09 25/04/2011] F4AD06143EAC303F55D0E86C40802976
    C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys --a---- 498176 bytes [05:52 16/02/2012] [04:01 28/12/2011] 36A14FD1A23F57046361733B792CA8DB
    -= EOF =-
  13. Broni Malware Annihilator Posts: 40,051   +187

    Download the following fix: http://www.bleepstatic.com/fhost/uploads/1/fix.bat to your Desktop.

    Restart computer in Safe Mode.
    Double click on downloaded fix.bat file to run the fix.
    Command prompt window will open.
    You should see the following message:
    "1 file(s) copied"
    In that case press any key to close command prompt window.
    If you see any error message let me know.

    Restart computer in normal mode and post new FSS log.
  14. alan123 Newcomer, in training Posts: 47

    Farbar Service Scanner Version: 10-12-2012
    Ran by Alan (administrator) on 20-12-2012 at 17:47:54
    Running from "C:\Users\Alan\Desktop"
    Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.
    afd Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.
    Checking LEGACY_afd: ATTENTION!=====> Unable to open LEGACY_afd\0000 registry key. The key does not exist.

    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Attempt to access Google IP returned error.
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error.
    Attempt to access Yahoo.com returned error: Other errors

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.
    BITS Service is not running. Checking service configuration:
    The start type of BITS service is set to Demand. The default start type is Auto.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.

    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    Other Services:
    ==============

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys
    [2012-02-15 21:52] - [2011-12-27 20:01] - 0498176 ____A (Microsoft Corporation) 36A14FD1A23F57046361733B792CA8DB
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit

    **** End of log ****
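    Reading the FSS "File Check" block and the SystemLook listing together is what shows which winsxs copy of afd.sys the fix restored. As an added example (not part of the thread, and not code from either tool), this Python script parses constructed excerpts modelled on the logs posted above and checks whether the live afd.sys hash matches any serviced winsxs copy; the field layouts it assumes are taken from the logs as posted.

```python
import re

# Constructed excerpts modelled on the FSS and SystemLook logs posted in this thread.
FSS_BEFORE = r"""
afd Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.
WinDefend Service is not running. Checking service configuration:
"DisableAntiSpyware"=DWORD:1
C:\Windows\System32\drivers\afd.sys
[2012-02-15 21:52] - [2012-12-18 21:30] - 0022368 ____A (AVG Technologies CZ, s.r.o. ) 42B7E1AA0C7EC54652A50585793F1885
ATTENTION!=====> C:\Windows\System32\drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.
"""
FSS_AFTER = r"""
C:\Windows\System32\drivers\afd.sys
[2012-02-15 21:52] - [2011-12-27 20:01] - 0498176 ____A (Microsoft Corporation) 36A14FD1A23F57046361733B792CA8DB
"""
SYSTEMLOOK = r"""
C:\Windows\System32\drivers\AFD.SYS --a---- 22368 bytes [05:52 16/02/2012] [05:30 19/12/2012] 42B7E1AA0C7EC54652A50585793F1885
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_33dd3439781e25f7\afd.sys --a---- 500224 bytes [23:21 13/07/2009] [23:21 13/07/2009] B9384E03479D2506BC924C16A3DB87BC
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys --a---- 498176 bytes [05:52 16/02/2012] [04:01 28/12/2011] 36A14FD1A23F57046361733B792CA8DB
"""

# FSS: a bare path line is followed by "[created] - [modified] - size attrs (signer) MD5"
FSS_DETAIL = re.compile(r"^\[.*?\] - \[.*?\] - (\d+) \S+ \((.*?)\) ([0-9A-F]{32})$")
# SystemLook :filefind: "path attrs size bytes [modified] [created] MD5"
SL_LINE = re.compile(r"^(\S+) -\S+ (\d+) bytes \[.*?\] \[.*?\] ([0-9A-F]{32})$")


def parse_fss(text):
    """ATTENTION lines, stopped services, the Defender kill-switch policy, and per-file hashes."""
    out = {"attention": [], "not_running": [], "defender_policy_disabled": False, "files": {}}
    pending = None
    for line in (l.strip() for l in text.splitlines()):
        if "ATTENTION!" in line:
            out["attention"].append(line)
        svc = re.match(r"^(\S+) Service is not running", line)
        if svc:
            out["not_running"].append(svc.group(1))
        if line == '"DisableAntiSpyware"=DWORD:1':
            out["defender_policy_disabled"] = True
        if re.match(r"^[A-Z]:\\\S+$", line):  # bare path: the detail line follows
            pending = line
            continue
        d = FSS_DETAIL.match(line)
        if d and pending:
            out["files"][pending] = {"size": int(d.group(1)), "signer": d.group(2).strip(), "md5": d.group(3)}
            pending = None
    return out


def parse_systemlook(text):
    """Map every afd.sys copy SystemLook found to its size, MD5 and winsxs component version."""
    copies = {}
    for line in text.splitlines():
        m = SL_LINE.match(line.strip())
        if m:
            ver = re.search(r"_(\d+\.\d+\.\d+\.\d+)_", m.group(1))  # only winsxs paths carry one
            copies[m.group(1)] = {"size": int(m.group(2)), "md5": m.group(3),
                                  "version": ver.group(1) if ver else None}
    return copies


def check_afd(fss, systemlook, live=r"C:\Windows\System32\drivers\afd.sys"):
    """Does the live afd.sys hash match any serviced (winsxs) copy of the driver?"""
    f = fss["files"].get(live)
    if f is None:
        return {"status": "no hash for live file in FSS log"}
    known = {c["md5"]: c["version"] for c in systemlook.values() if c["version"]}
    if f["md5"] in known:
        return {"status": "matches winsxs copy", "version": known[f["md5"]], **f}
    return {"status": "no winsxs copy with this hash", **f,
            "winsxs_sizes": sorted({c["size"] for c in systemlook.values() if c["version"]})}
```

The pre-fix hash matches no serviced copy and the file is a fraction of the expected size, while the post-fix hash is exactly the 6.1.7601.21887 winsxs copy, which is what the two FSS logs in this thread show.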
  15. alan123 Newcomer, in training Posts: 47

    There were no errors
  16. Broni Malware Annihilator Posts: 40,051   +187

    That looks better.
    We still have one registry key missing though...

    The following steps involve registry editing. Please create a new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

    Download PsExec.exe to your desktop (IMPORTANT!)
    Go Start and in "Start search" type in:
    cmd
    Hold CTRL and SHIFT keys, press Enter.
    Command prompt window will open.
    Copy and paste following command:

    "%userprofile%\desktop\psexec" -I -d -s c:\windows\regedit.exe

    Press Enter.
    Registry Editor will open.
    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    Right-Click Root and select Permissions...
    Click Advanced.
    Under the Owner tab select the entry starting with your user name, example: Farbar(Farbar-PC\Farbar)
    Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
    Under Security type, while Everyone is selected, put a check mark in the box under Allow next to Full Control.
    Click Apply and OK.
    Download Vista.zip Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip downloaded file.
    You'll find several files inside.
    Double-click afd.reg and confirm the prompt.
    Double-click LEGACY_AFD.reg and confirm the prompt.
    Please go back to the Root key again and, while Everyone is selected, remove the check mark in the box under Allow next to Full Control, then close the registry.
    Restart computer.
    Post new FSS log.
  17. alan123 Newcomer, in training Posts: 47

    At this point:

    Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
    Should I leave <read> checked under <allow>, or uncheck it? It was already checked.
  18. Broni Malware Annihilator Posts: 40,051   +187

    Leave it as it is.
  19. alan123 Newcomer, in training Posts: 47

    Farbar Service Scanner Version: 10-12-2012
    Ran by Alan (administrator) on 20-12-2012 at 19:18:35
    Running from "C:\Users\Alan\Desktop"
    Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Action Center:
    ============
    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.
    BITS Service is not running. Checking service configuration:
    The start type of BITS service is set to Demand. The default start type is Auto.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.

    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.

    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    Other Services:
    ==============

    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys
    [2012-02-15 21:52] - [2011-12-27 20:01] - 0498176 ____A (Microsoft Corporation) 36A14FD1A23F57046361733B792CA8DB
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit

    **** End of log ****
  20. Broni Malware Annihilator Posts: 40,051   +187

    Is your connection back?