Solved Svchost.exe trojan... I hope

SWAZI2005 · Oct 15, 2012

All processes killed
========== OTL ==========
Error: No service named SANDRA was found to stop!
Service\Driver key SANDRA not found.
File C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\WNt500x64\Sandra.sys not found.
Registry value HKEY_USERS\S-1-5-21-3383956490-2787091852-199161663-1005\Software\Microsoft\Internet Explorer\URLSearchHooks\\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{9D425283-D487-4337-BAB6-AB8354A81457} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
File C:\Windows\assembly\Desktop.ini not found.
File EY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
File EY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 not found.
File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] not found.
File EY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
File EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64\ not found.
Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]\ not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64\ not found.
Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Viracola
->Temp folder emptied: 4149228 bytes
->Temporary Internet Files folder emptied: 10266956 bytes
->Java cache emptied: 518756 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 3028 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 24816441 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 97742 bytes
RecycleBin emptied: 881724 bytes

Total Files Cleaned = 39.00 mb

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: Viracola
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: Viracola
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 10142012_182714
Files\Folders moved on Reboot...
C:\Users\Viracola\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF01489EAFAA056ECE.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF0A6DB45C9394C94A.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF0E97587B25BBC25F.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF1E1DC8238B0E5A08.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF22F30E2257D6FB79.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF3C92E747A1D1049A.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF5C13D6BE3DA4F198.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF6FD5C8C67CC97D29.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF73CF391AADB9A8A0.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF7E7E3A1ECCB5BA0A.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFB20DAAAC3F491696.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFCD7A7729B95E64DE.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFEC8523DA44E4E0FD.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFEDD4071B754B505F.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFEE1F85F155A72440.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFF4803F70AB57F57F.TMP not found!
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QVI1JWQV\billboard[2].htm moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4PBK3DEP\xd_arbiter[1].htm moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1GJ96M89\xd_arbiter[3].htm moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
File\Folder C:\Windows\temp\etilqs_fBwSlrwpElhb1hgRPI3c not found!
File\Folder C:\Windows\temp\etilqs_ihqcEOIOoYaT4dzxrXbZ not found!
File\Folder C:\Windows\temp\etilqs_o0rbH9Wjn7OuRPvetxQH not found!
File\Folder C:\Windows\temp\etilqs_QAf4FF3UdEiu1rH2EOee not found!
PendingFileRenameOperations files...
Registry entries deleted on Reboot...

SWAZI2005 · Oct 15, 2012

Results of screen317's Security Check version 0.99.51
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Norton Security Suite
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.0.1400
Java(TM) 6 Update 20
Java(TM) 6 Update 31
Java version out of Date!
Adobe Flash Player 11.4.402.287
Adobe Reader 9 Adobe Reader out of Date!
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

SWAZI2005 · Oct 15, 2012

Farbar Service Scanner Version: 07-10-2012
Ran by Viracola (administrator) on 15-10-2012 at 00:27:17
Running from "C:\Users\Viracola\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Action Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2012-10-09 23:56] - [2012-06-02 01:41] - 0184320 ____A (Microsoft Corporation) 9C01375BE382E834CC26D1B7EAF2C4FE
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

SWAZI2005 · Oct 15, 2012

All processes killed
========== OTL ==========
Error: No service named SANDRA was found to stop!
Service\Driver key SANDRA not found.
File C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010.SP2\WNt500x64\Sandra.sys not found.
Registry value HKEY_USERS\S-1-5-21-3383956490-2787091852-199161663-1005\Software\Microsoft\Internet Explorer\URLSearchHooks\\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{9D425283-D487-4337-BAB6-AB8354A81457} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
File C:\Windows\assembly\Desktop.ini not found.
File EY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
File EY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 not found.
File EY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] not found.
File EY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 not found.
File EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64\ not found.
Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]\ not found.
Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64\ not found.
Folder EY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Viracola
->Temp folder emptied: 4149228 bytes
->Temporary Internet Files folder emptied: 10266956 bytes
->Java cache emptied: 518756 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 3028 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 24816441 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 97742 bytes
RecycleBin emptied: 881724 bytes

Total Files Cleaned = 39.00 mb

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: Viracola
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: Viracola
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 10142012_182714
Files\Folders moved on Reboot...
C:\Users\Viracola\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF01489EAFAA056ECE.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF0A6DB45C9394C94A.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF0E97587B25BBC25F.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF1E1DC8238B0E5A08.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF22F30E2257D6FB79.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF3C92E747A1D1049A.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF5C13D6BE3DA4F198.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF6FD5C8C67CC97D29.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF73CF391AADB9A8A0.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DF7E7E3A1ECCB5BA0A.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFB20DAAAC3F491696.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFCD7A7729B95E64DE.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFEC8523DA44E4E0FD.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFEDD4071B754B505F.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFEE1F85F155A72440.TMP not found!
File\Folder C:\Users\Viracola\AppData\Local\Temp\~DFF4803F70AB57F57F.TMP not found!
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QVI1JWQV\billboard[2].htm moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4PBK3DEP\xd_arbiter[1].htm moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1GJ96M89\xd_arbiter[3].htm moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
File\Folder C:\Windows\temp\etilqs_fBwSlrwpElhb1hgRPI3c not found!
File\Folder C:\Windows\temp\etilqs_ihqcEOIOoYaT4dzxrXbZ not found!
File\Folder C:\Windows\temp\etilqs_o0rbH9Wjn7OuRPvetxQH not found!
File\Folder C:\Windows\temp\etilqs_QAf4FF3UdEiu1rH2EOee not found!
PendingFileRenameOperations files...
Registry entries deleted on Reboot...

SWAZI2005 · Oct 15, 2012

Dupe...

Broni · Oct 15, 2012

Eset?

SWAZI2005 · Oct 15, 2012

C:\Program Files (x86)\Yontoo Layers Runtime (Drop Down Deals)\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbarUpdater.exe.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\10.10.2012_21.19.05\mbr0000\tdlfs0000\tsk0000.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\10.10.2012_21.19.05\mbr0000\tdlfs0000\tsk0001.dta a variant of Win64/Olmarik.AM trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\10.10.2012_21.19.05\mbr0000\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.OX trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\10.10.2012_21.19.05\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AN trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\10.10.2012_21.19.05\mbr0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\10.10.2012_21.19.05\mbr0000\tdlfs0000\tsk0010.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\Users\Viracola\AppData\Local\Google\Chrome\User Data\Default\Default\aadhdbgcdddgdagggfdgdgdjdedigfgd\background.html Win32/BHO.OEI trojan cleaned by deleting - quarantined
C:\Users\Viracola\AppData\Local\Google\Chrome\User Data\Default\Default\aadhdbgcdddgdagggfdgdgdjdedigfgd\ContentScript.js Win32/BHO.OEI trojan cleaned by deleting - quarantined

Broni · Oct 15, 2012

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

===========================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.

Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Do NOT post JavaRa log.

===============================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

Double-click OTL.exe to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

13. Please, let me know, how your computer is doing.

SWAZI2005 · Oct 15, 2012

Files\Folders moved on Reboot...
C:\Users\Viracola\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Viracola\AppData\Local\Temp\~DF2AE3158219534A4A.TMP moved successfully.
C:\Users\Viracola\AppData\Local\Temp\~DF72934AF308D15F6C.TMP moved successfully.
C:\Users\Viracola\AppData\Local\Temp\~DF928F0F28299A711D.TMP moved successfully.
C:\Users\Viracola\AppData\Local\Temp\~DF97A9986A7120E3FF.TMP moved successfully.
C:\Users\Viracola\AppData\Local\Temp\~DFD3404954B444F97E.TMP moved successfully.
C:\Users\Viracola\AppData\Local\Temp\~DFE7291589C0BB3989.TMP moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MZ3J5ZAD\partner[3].htm moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6W6E3JAQ\billboard[2].htm moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6W6E3JAQ\bizo_multi[1].htm moved successfully.
C:\Users\Viracola\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6W6E3JAQ\online-scanner[1].htm moved successfully.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...

SWAZI2005 · Oct 16, 2012

Thank you again so very very much! Your patience, understanding, knowledge and wonderful instructions (seriously!!!!!) were beyond compare!!

Broni · Oct 16, 2012

Way to go!!
Good luck and stay safe

Solved Svchost.exe trojan... I hope

SWAZI2005

Posts: 25 +0

SWAZI2005

Posts: 25 +0

SWAZI2005

Posts: 25 +0

SWAZI2005

Posts: 25 +0

SWAZI2005

Posts: 25 +0

Broni

Posts: 56,041 +516

SWAZI2005

Posts: 25 +0

Broni

Posts: 56,041 +516

SWAZI2005

Posts: 25 +0

SWAZI2005

Posts: 25 +0

Broni

Posts: 56,041 +516

Similar threads

Latest posts