Solved Svchost.exe trojan - not removed by Malwarebytes

Farbar Service Scanner Version: 04-08-2012 01
Ran by Craig Lick (administrator) on 05-08-2012 at 01:04:55
Running from "C:\Users\Craig Lick\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Action Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
Other Services:
==============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
 
TFC has been run. One thing to note is that on the security check it shows TrendMicro realtime scanning as disabled. This is correct because I needed to disable the software to access the download page. Another item is the NX software is now working again without re-install. One of the scans must have fixed the issue because it's flawless.

ESET online scanner is running now. I'm off to bed and will follow up in the morning. Thanks again for the support.
 
So I woke up this morning to check out the computer. During the night I received another URL violations email. I've pasted the log below. The ESET online scanner has now run for 06:28:55 and is at 99% and working. It does show 18 infected files found, but I can't see the entire list yet. I will report the log once it's available.

1. a variant of Win32/Packed.BoxedApp.A application
2. Win64/Olmarik.AK trojan
3. Win32/Olmarik.AFK trojan
4. Win64/Olmarik.AK trojan
5. a variant of Win32/Rootkit.Kryptik.NH trojan
6. Win64/Olmarik.AL trojan
 
Because the blocked URL list is so long I've decided to post only the first few logs. If you need the entire list please let me know.

RL URL Category Date/Time
http://redirect.xmladfeed.com/presu...m/?q=health+insurance+for+travellers+into+usa Made for AdSense 8/3/2012 3:02
http://redirect.xmladfeed.com/presu...zolyatrafficworld.com/?q=pedicures+on+groupon Made for AdSense 8/3/2012 3:52
http://redirect.xmladfeed.com/presu...user.com/?q=car+insurance+broker+costa+blanca Made for AdSense 8/3/2012 3:52
http://redirect.xmladfeed.com/presu...antec%3A+which+anti-virus+solution+is+best%3F Made for AdSense 8/3/2012 3:52
http://redirect.xmladfeed.com/presu...fference+invhi+health+insurance+plans+ireland Made for AdSense 8/3/2012 3:02
http://redirect.xmladfeed.com/presu...badmin.com/?q=custom+car+auto+cheap+insurance Made for AdSense 8/3/2012 3:52
http://redirect.xmladfeed.com/presu...n.com/?q=auxiliary+power+home+security+system Made for AdSense 8/3/2012 3:02
http://redirect.xmladfeed.com/presu...uba-mega-admin.com/?q=stimulus+debt+reduction Made for AdSense 8/3/2012 3:52
http://redirect.xmladfeed.com/presu...ability+of+health+insurance+for+its+employees Made for AdSense 8/3/2012 3:02
http://redirect.xmladfeed.com/presu...yamegadev.com/?q=tanzania+domain+registration Made for AdSense 8/3/2012 3:02
http://redirect.xmladfeed.com/presu...percentage+of+egyptians+hold+a+college+degree Made for AdSense 8/3/2012 3:52
http://redirect.xmladfeed.com/presu...icworld.com/?q=tips+for+buying+life+insurance Made for AdSense 8/3/2012 3:02
http://redirect.xmladfeed.com/presu...min.com/?q=mbna+oakland+athletics+credit+card Made for AdSense 8/3/2012 3:52
http://redirect.xmladfeed.com/presu...traf.com/?q=credit+card+debt+settlement+facts Made for AdSense 8/3/2012 3:02
http://redirect.xmladfeed.com/presu...baworldadmin.com/?q=aarp+car+insurance+qoutes Made for AdSense 8/3/2012 3:52
http://redirect.xmladfeed.com/presu...m/?q=filling+taxes+with+a+home+based+business Made for AdSense 8/3/2012 3:52
http://redirect.xmladfeed.com/presu...to+insurance+quote+rate+banner+insurance+life Made for AdSense 8/3/2012 3:52
http://redirect.xmladfeed.com/presu...fic.com/?q=physical+exam+for+health+insurance Made for AdSense 8/3/2012 3:52
 
Here are the ESET Scan results...

C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_17.05.16\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_17.05.16\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_17.05.16\mbr0000\tdlfs0000\tsk0002.dta Win32/Olmarik.AYH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_17.05.16\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AL trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_17.05.16\mbr0000\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.NH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_17.05.16\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_17.05.16\mbr0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_17.05.16\mbr0000\tdlfs0000\tsk0010.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_20.27.24\tdlfs0000\tsk0000.dta Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_20.27.24\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_20.27.24\tdlfs0000\tsk0002.dta Win32/Olmarik.AYH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_20.27.24\tdlfs0000\tsk0003.dta Win64/Olmarik.AL trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_20.27.24\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.NH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_20.27.24\tdlfs0000\tsk0005.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_20.27.24\tdlfs0000\tsk0009.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\04.08.2012_20.27.24\tdlfs0000\tsk0010.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\Users\Craig Lick\Downloads\SW2012_SP0.0_SSQ\SW2012_SP0.0_Win32_Full_Multilanguage_SSQ.iso a variant of Win32/Packed.BoxedApp.A application deleted - quarantined
C:\Users\Craig Lick\Downloads\SW2012_SP0.0_SSQ\SW2012_SP0.0_Win64_Full_Multilanguage_SSQ.iso a variant of Win32/Packed.BoxedApp.A application deleted - quarantined
I:\Downloads\SW2012_SP0.0_SSQ\SW2012_SP0.0_Win32_Full_Multilanguage_SSQ.iso a variant of Win32/Packed.BoxedApp.A application deleted - quarantined
I:\Downloads\SW2012_SP0.0_SSQ\SW2012_SP0.0_Win64_Full_Multilanguage_SSQ.iso a variant of Win32/Packed.BoxedApp.A application deleted - quarantined
 
> During the night I received another URL violations email

I'm not sure what "violation email" means. Can you explain?

ESET findings are mostly from items already quarantined and a couple of illegal downloads.
 
TrendMicro sends me an email if it detects anything wrong with the computer. The email I received is below. After that I can sign in and view the URLs that were blocked. I'm not sure what is causing this, but it just started a few days ago.

Trend Micro Worry-Free Business Security Services Notification
* URL Violation Incidents: 226
* Report time: August 4, 2012 11:05:25 PM PDT
Refer to Live Status/ Web Reputation for further details on https://wfbs-svc-dell-nabu.trendmicro.com/dell
 
These are some examples....
 
To be honest, I don't know. All browsers are closed during the night and I'm still getting the "excessive URL violations" notification. It's running in the background and I'm not able to see it happening.
 
OK, I'm just considering doing a clean re-install. IE is having problems and Trend keeps on blocking websites that typically work fine. It seems like I will input a URL and it will try to forward me to a different one, which Trend blocks. I don't think it's a Trend problem.
 
Open IE, go to Tools > Internet Options > Advanced tab and click on the "Reset" button.
Restart IE and see how it goes.
 
Alright, I did that. We will see how it goes over the next few days. Not that it's much, but I just sent $20 your way for the help.