TechSpot

Svchost.exe virus which I just can't get rid of

Inactive
By prof_LJG
Dec 10, 2012
  1. Hi,

    Thank you in advance for any help given! The problem is that I have a virus which shows up as svchost.exe*32 in my task manager, when I see its properties, it originates from my appdata/temp folder. This definitely cant be right. I also had the same thing but with a 'win32*32' on my C:/. Malwarebytes got rid of that one and hasnt come back. Malwarebytes also detects the svchost.exe and deletes on reboot. But when I reboot, it's still there. Even when I browse to the file, find the offending svchost file, delete it. once rebooted it returns...

    ComboFix 12-12-07.01 - Jonathan 10/12/2012 10:58:22.2.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.32715.30302 [GMT 0:00]
    Running from: c:\users\Jonathan\Downloads\ComboFix.exe
    AV: Kaspersky Anti-Virus *Disabled/Outdated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
    FW: Kaspersky Anti-Virus *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
    SP: Kaspersky Anti-Virus *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-10 to 2012-12-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-10 11:03 . 2012-12-10 11:03--------d-----w-c:\users\UpdatusUser\AppData\Local\temp
    2012-12-10 11:03 . 2012-12-10 11:03--------d-----w-c:\users\Default\AppData\Local\temp
    2012-12-10 02:07 . 2012-12-10 02:07--------d-----w-c:\users\Jonathan\AppData\Roaming\Malwarebytes
    2012-12-10 02:07 . 2012-12-10 02:07--------d-----w-c:\programdata\Malwarebytes
    2012-12-10 02:07 . 2012-12-10 02:07--------d-----w-c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-12-10 02:07 . 2012-09-29 19:5425928----a-w-c:\windows\system32\drivers\mbam.sys
    2012-12-10 00:04 . 2012-12-10 02:01--------d-----w-c:\program files (x86)\stinger
    2012-12-09 22:30 . 2012-12-10 10:57--------d-----w-c:\programdata\Kaspersky Lab
    2012-12-09 22:30 . 2012-12-09 22:30--------d-----w-c:\program files (x86)\Kaspersky Lab
    2012-12-09 22:30 . 2012-12-09 22:30556120----a-w-c:\windows\system32\drivers\klif.sys
    2012-12-09 22:25 . 2012-11-08 17:249125352----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{7B1A16B6-D7FD-45E1-95D8-250D2A46F7CE}\mpengine.dll
    2012-12-09 22:25 . 2012-12-09 22:25--------d-----w-c:\users\Jonathan\AppData\Local\Avg2013
    2012-12-09 22:20 . 2012-12-09 22:20--------d-----w-c:\windows\system32\SPReview
    2012-12-09 22:20 . 2012-12-09 22:20--------d-----w-c:\windows\system32\EventProviders
    2012-12-09 22:19 . 2012-10-29 21:0466395536----a-w-c:\windows\system32\MRT.exe
    2012-12-09 22:18 . 2012-10-18 18:253149824----a-w-c:\windows\system32\win32k.sys
    2012-12-09 22:18 . 2012-09-25 22:4778336----a-w-c:\windows\SysWow64\synceng.dll
    2012-12-09 22:18 . 2012-09-25 22:4695744----a-w-c:\windows\system32\synceng.dll
    2012-12-09 20:39 . 2012-12-09 20:39--------d-----w-c:\users\Jonathan\AppData\Roaming\TuneUp Software
    2012-12-09 20:32 . 2012-12-09 22:25--------d-----w-c:\programdata\MFAData
    2012-12-09 20:32 . 2012-12-09 20:32--------d--h--w-c:\programdata\Common Files
    2012-12-09 20:32 . 2012-12-09 20:32--------d-----w-c:\users\Jonathan\AppData\Local\MFAData
    2012-12-07 23:23 . 2012-12-07 23:23--------d-----w-C:\Games
    2012-12-07 23:23 . 2012-12-07 23:23--------d-----w-c:\users\Jonathan\AppData\Local\Black_Tree_Gaming
    2012-12-07 23:23 . 2012-12-07 23:23--------d-----w-c:\program files\Nexus Mod Manager
    2012-12-07 14:29 . 2012-12-07 14:29--------d-----w-c:\users\Jonathan\AppData\Local\Chromium
    2012-12-07 13:48 . 2012-12-09 23:10--------d-----w-c:\program files (x86)\SEGA
    2012-12-06 15:05 . 2012-12-06 15:05--------d-----r-C:\Kernels
    2012-12-05 12:45 . 2012-12-07 14:25--------d-----w-c:\users\Jonathan\AppData\Roaming\Sports Interactive
    2012-12-05 12:45 . 2012-12-05 12:45--------d-----w-c:\users\Jonathan\AppData\Local\Sports Interactive
    2012-12-05 12:42 . 2012-12-06 15:04--------d-----w-C:\Temp
    2012-12-04 22:27 . 2012-12-06 15:35281688----a-w-c:\windows\SysWow64\PnkBstrB.xtr
    2012-12-04 22:27 . 2012-12-04 22:27--------d-----w-c:\users\Jonathan\AppData\Local\PunkBuster
    2012-11-28 00:22 . 2012-12-04 22:27--------d-----w-c:\programdata\Orbit
    2012-11-27 16:48 . 2012-11-27 16:50--------d-----w-c:\windows\SysWow64\_CIConfig
    2012-11-27 16:48 . 2012-11-27 16:48--------d-----w-c:\users\Jonathan\AppData\Local\SCRiN
    2012-11-26 18:12 . 2012-11-26 20:01--------d-----w-c:\program files (x86)\StarCraft II
    2012-11-26 16:40 . 2012-11-27 13:02--------d-----w-c:\program files (x86)\Common Files\Blizzard Entertainment
    2012-11-26 16:40 . 2012-11-26 18:20--------d-----w-c:\programdata\Blizzard Entertainment
    2012-11-26 16:40 . 2012-11-26 16:40--------d-----w-c:\programdata\Battle.net
    2012-11-25 11:36 . 2012-11-25 21:37--------d-----w-c:\program files (x86)\Dragon Age 2
    2012-11-25 11:36 . 2012-11-25 11:39--------d-----w-c:\program files (x86)\Common Files\BioWare
    2012-11-24 15:30 . 2012-11-24 15:30--------d-----w-c:\program files (x86)\SQUARE ENIX
    2012-11-24 01:03 . 2012-11-24 01:03--------d-----w-c:\programdata\REVOLT
    2012-11-21 13:10 . 2012-11-21 13:103123272----a-r-c:\windows\SysWow64\pbsvc.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-12-09 22:24 . 2009-07-14 02:36175616----a-w-c:\windows\system32\msclmd.dll
    2012-12-09 22:24 . 2009-07-14 02:36152576----a-w-c:\windows\SysWow64\msclmd.dll
    2012-12-06 15:35 . 2012-11-09 16:02281688----a-w-c:\windows\SysWow64\PnkBstrB.exe
    2012-12-05 13:25 . 2012-11-09 16:02281688----a-w-c:\windows\SysWow64\PnkBstrB.ex0
    2012-12-03 22:30 . 2012-11-09 16:0276888----a-w-c:\windows\SysWow64\PnkBstrA.exe
    2012-11-04 19:25 . 2012-11-04 19:2595208----a-w-c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-11-04 19:25 . 2012-11-04 19:25821736----a-w-c:\windows\SysWow64\npDeployJava1.dll
    2012-11-04 19:25 . 2012-11-04 19:25746984----a-w-c:\windows\SysWow64\deployJava1.dll
    2012-10-31 12:47 . 2012-10-31 12:4791648----a-w-c:\windows\system32\SetIEInstalledDate.exe
    2012-10-31 12:47 . 2012-10-31 12:4789088----a-w-c:\windows\system32\RegisterIEPKEYs.exe
    2012-10-31 12:47 . 2012-10-31 12:4789088----a-w-c:\windows\system32\ie4uinit.exe
    2012-10-31 12:47 . 2012-10-31 12:4786528----a-w-c:\windows\SysWow64\iesysprep.dll
    2012-10-31 12:47 . 2012-10-31 12:4785504----a-w-c:\windows\system32\iesetup.dll
    2012-10-31 12:47 . 2012-10-31 12:4782432----a-w-c:\windows\system32\icardie.dll
    2012-10-31 12:47 . 2012-10-31 12:4776800----a-w-c:\windows\SysWow64\SetIEInstalledDate.exe
    2012-10-31 12:47 . 2012-10-31 12:4776800----a-w-c:\windows\system32\tdc.ocx
    2012-10-31 12:47 . 2012-10-31 12:4774752----a-w-c:\windows\SysWow64\RegisterIEPKEYs.exe
    2012-10-31 12:47 . 2012-10-31 12:4774752----a-w-c:\windows\SysWow64\iesetup.dll
    2012-10-31 12:47 . 2012-10-31 12:4765024----a-w-c:\windows\system32\pngfilt.dll
    2012-10-31 12:47 . 2012-10-31 12:4763488----a-w-c:\windows\SysWow64\tdc.ocx
    2012-10-31 12:47 . 2012-10-31 12:4755296----a-w-c:\windows\system32\msfeedsbs.dll
    2012-10-31 12:47 . 2012-10-31 12:47534528----a-w-c:\windows\system32\ieapfltr.dll
    2012-10-31 12:47 . 2012-10-31 12:4749664----a-w-c:\windows\system32\imgutil.dll
    2012-10-31 12:47 . 2012-10-31 12:4748640----a-w-c:\windows\SysWow64\mshtmler.dll
    2012-10-31 12:47 . 2012-10-31 12:4748640----a-w-c:\windows\system32\mshtmler.dll
    2012-10-31 12:47 . 2012-10-31 12:47452608----a-w-c:\windows\system32\dxtmsft.dll
    2012-10-31 12:47 . 2012-10-31 12:47448512----a-w-c:\windows\system32\html.iec
    2012-10-31 12:47 . 2012-10-31 12:47403248----a-w-c:\windows\system32\iedkcs32.dll
    2012-10-31 12:47 . 2012-10-31 12:4739936----a-w-c:\windows\system32\iernonce.dll
    2012-10-31 12:47 . 2012-10-31 12:473695416----a-w-c:\windows\system32\ieapfltr.dat
    2012-10-31 12:47 . 2012-10-31 12:47367104----a-w-c:\windows\SysWow64\html.iec
    2012-10-31 12:47 . 2012-10-31 12:4735840----a-w-c:\windows\SysWow64\imgutil.dll
    2012-10-31 12:47 . 2012-10-31 12:4730720----a-w-c:\windows\system32\licmgr10.dll
    2012-10-31 12:47 . 2012-10-31 12:47282112----a-w-c:\windows\system32\dxtrans.dll
    2012-10-31 12:47 . 2012-10-31 12:47267776----a-w-c:\windows\system32\ieaksie.dll
    2012-10-31 12:47 . 2012-10-31 12:47249344----a-w-c:\windows\system32\webcheck.dll
    2012-10-31 12:47 . 2012-10-31 12:4723552----a-w-c:\windows\SysWow64\licmgr10.dll
    2012-10-31 12:47 . 2012-10-31 12:47222208----a-w-c:\windows\system32\msls31.dll
    2012-10-31 12:47 . 2012-10-31 12:47197120----a-w-c:\windows\system32\msrating.dll
    2012-10-31 12:47 . 2012-10-31 12:47165888----a-w-c:\windows\system32\iexpress.exe
    2012-10-31 12:47 . 2012-10-31 12:47163840----a-w-c:\windows\system32\ieakui.dll
    2012-10-31 12:47 . 2012-10-31 12:47161792----a-w-c:\windows\SysWow64\msls31.dll
    2012-10-31 12:47 . 2012-10-31 12:47160256----a-w-c:\windows\system32\wextract.exe
    2012-10-31 12:47 . 2012-10-31 12:47160256----a-w-c:\windows\system32\ieakeng.dll
    2012-10-31 12:47 . 2012-10-31 12:47152064----a-w-c:\windows\SysWow64\wextract.exe
    2012-10-31 12:47 . 2012-10-31 12:47150528----a-w-c:\windows\SysWow64\iexpress.exe
    2012-10-31 12:47 . 2012-10-31 12:47149504----a-w-c:\windows\system32\occache.dll
    2012-10-31 12:47 . 2012-10-31 12:47145920----a-w-c:\windows\system32\iepeers.dll
    2012-10-31 12:47 . 2012-10-31 12:47135168----a-w-c:\windows\system32\IEAdvpack.dll
    2012-10-31 12:47 . 2012-10-31 12:4712288----a-w-c:\windows\system32\mshta.exe
    2012-10-31 12:47 . 2012-10-31 12:4711776----a-w-c:\windows\SysWow64\mshta.exe
    2012-10-31 12:47 . 2012-10-31 12:47114176----a-w-c:\windows\system32\admparse.dll
    2012-10-31 12:47 . 2012-10-31 12:47111616----a-w-c:\windows\system32\iesysprep.dll
    2012-10-31 12:47 . 2012-10-31 12:47110592----a-w-c:\windows\SysWow64\IEAdvpack.dll
    2012-10-31 12:47 . 2012-10-31 12:4710752----a-w-c:\windows\system32\msfeedssync.exe
    2012-10-31 12:47 . 2012-10-31 12:47103936----a-w-c:\windows\system32\inseng.dll
    2012-10-31 12:47 . 2012-10-31 12:47101888----a-w-c:\windows\SysWow64\admparse.dll
    2012-10-30 15:38 . 2012-10-30 15:38254528----a-w-c:\windows\system32\drivers\dtsoftbus01.sys
    2012-10-30 14:53 . 2012-10-30 14:5316896----a-w-c:\windows\AsTaskSched.dll
    2012-10-29 09:05 . 2012-10-30 14:5753248----a-w-c:\windows\SysWow64\CSVer.dll
    2012-10-02 22:21 . 2012-10-30 15:1860776----a-w-c:\windows\system32\OpenCL.dll
    2012-10-02 22:21 . 2012-10-30 15:1852584----a-w-c:\windows\SysWow64\OpenCL.dll
    2012-10-02 22:21 . 2012-10-30 15:18973672----a-w-c:\windows\system32\nvumdshimx.dll
    2012-10-02 22:21 . 2012-10-30 15:189146728----a-w-c:\windows\system32\nvcuda.dll
    2012-10-02 22:21 . 2012-10-30 15:18831848----a-w-c:\windows\SysWow64\nvumdshim.dll
    2012-10-02 22:21 . 2012-10-30 15:187697768----a-w-c:\windows\SysWow64\nvcuda.dll
    2012-10-02 22:21 . 2012-10-30 15:187414632----a-w-c:\windows\system32\nvopencl.dll
    2012-10-02 22:21 . 2012-10-30 15:186127464----a-w-c:\windows\SysWow64\nvopencl.dll
    2012-10-02 22:21 . 2012-10-30 15:18364904----a-w-c:\windows\system32\nvEncodeAPI64.dll
    2012-10-02 22:21 . 2012-10-30 15:18313704----a-w-c:\windows\SysWow64\nvEncodeAPI.dll
    2012-10-02 22:21 . 2012-10-30 15:182747240----a-w-c:\windows\system32\nvcuvid.dll
    2012-10-02 22:21 . 2012-10-30 15:182731880----a-w-c:\windows\system32\nvapi64.dll
    2012-10-02 22:21 . 2012-10-30 15:1826331496----a-w-c:\windows\system32\nvoglv64.dll
    2012-10-02 22:21 . 2012-10-30 15:182574696----a-w-c:\windows\SysWow64\nvcuvid.dll
    2012-10-02 22:21 . 2012-10-30 15:1825256296----a-w-c:\windows\system32\nvcompiler.dll
    2012-10-02 22:21 . 2012-10-30 15:18247144----a-w-c:\windows\system32\nvinitx.dll
    2012-10-02 22:21 . 2012-10-30 15:182428776----a-w-c:\windows\SysWow64\nvapi.dll
    2012-10-02 22:21 . 2012-10-30 15:182218344----a-w-c:\windows\system32\nvcuvenc.dll
    2012-10-02 22:21 . 2012-10-30 15:18202600----a-w-c:\windows\SysWow64\nvinit.dll
    2012-10-02 22:21 . 2012-10-30 15:1819906920----a-w-c:\windows\SysWow64\nvoglv32.dll
    2012-10-02 22:21 . 2012-10-30 15:181867112----a-w-c:\windows\SysWow64\nvcuvenc.dll
    2012-10-02 22:21 . 2012-10-30 15:1818252136----a-w-c:\windows\system32\nvd3dumx.dll
    2012-10-02 22:21 . 2012-10-30 15:181760104----a-w-c:\windows\system32\nvdispco64.dll
    2012-10-02 22:21 . 2012-10-30 15:1817559912----a-w-c:\windows\SysWow64\nvcompiler.dll
    2012-10-02 22:21 . 2012-10-30 15:1815309160----a-w-c:\windows\SysWow64\nvd3dum.dll
    2012-10-02 22:21 . 2012-10-30 15:1814922600----a-w-c:\windows\system32\nvwgf2umx.dll
    2012-10-02 22:21 . 2012-10-30 15:181482600----a-w-c:\windows\system32\nvdispgenco64.dll
    2012-10-02 22:21 . 2012-10-30 15:1813443944----a-w-c:\windows\system32\drivers\nvlddmkm.sys
    2012-10-02 22:21 . 2012-10-30 15:1812501352----a-w-c:\windows\SysWow64\nvwgf2um.dll
    2012-10-02 19:51 . 2012-10-31 15:283536817----a-w-c:\windows\system32\nvcoproc.bin
    2012-10-02 19:51 . 2012-10-31 15:283293544----a-w-c:\windows\system32\nvsvc64.dll
    2012-10-02 19:51 . 2012-10-31 15:286200680----a-w-c:\windows\system32\nvcpl.dll
    2012-10-02 19:50 . 2012-10-31 15:28891240----a-w-c:\windows\system32\nvvsvc.exe
    2012-10-02 19:50 . 2012-10-31 15:2863336----a-w-c:\windows\system32\nvshext.dll
    2012-10-02 19:50 . 2012-10-31 15:282557800----a-w-c:\windows\system32\nvsvcr.dll
    2012-10-02 19:50 . 2012-10-31 15:28118120----a-w-c:\windows\system32\nvmctray.dll
    2012-10-02 13:15 . 2012-10-02 13:15430952----a-w-c:\windows\SysWow64\nvStreaming.exe
    2012-09-14 19:19 . 2012-10-31 11:202048----a-w-c:\windows\system32\tzres.dll
    2012-09-14 18:28 . 2012-10-31 11:202048----a-w-c:\windows\SysWow64\tzres.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Pro Agent"="c:\program files (x86)\DAEMON Tools Pro\DTAgent.exe" [2011-03-18 839488]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-03-26 291608]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-07-27 35768]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    "Adobe"="c:\programdata\Adobe\56CF60.vbe" [2012-10-02 7147]
    "AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2012-12-10 365336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-31 1255736]
    S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-03-26 19224]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-10-30 254528]
    S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11864]
    S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2010-04-22 27736]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2012-03-09 23816]
    S2 DTSAudioSvc;DTSAudioSvc;c:\program files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [2012-01-23 233328]
    S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-11-09 189608]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]
    S3 ALSysIO;ALSysIO;c:\users\Jonathan\AppData\Local\Temp\ALSysIO64.sys [x]
    S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-03-26 356632]
    S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-03-26 789272]
    S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 22544]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-30 15:01]
    .
    2012-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-30 15:01]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-05-15 6470760]
    "RtHDVBg_DTS"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2012-05-11 1175656]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-12-10 11:03:53
    ComboFix-quarantined-files.txt 2012-12-10 11:03
    ComboFix2.txt 2012-12-10 10:53
    .
    Pre-Run: 227,437,318,144 bytes free
    Post-Run: 227,354,509,312 bytes free
    .
    - - End Of File - - 023B152F55C8A6264C094CB2FF461C3B
    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.12.10.01
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Jonathan :: JONATHAN-PC [administrator]
    10/12/2012 02:08:13
    mbam-log-2012-12-10 (02-08-13).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 221663
    Time elapsed: 1 minute(s), 15 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|win32 (Trojan.StartPage) -> Data: "C:\kernels\drivers.vbs" -> Quarantined and deleted successfully.
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 3
    C:\win32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Jonathan\AppData\Local\Temp\svchost.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    C:\Kernels\drivers.vbs (Trojan.StartPage) -> Quarantined and deleted successfully.
    (end)
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    [​IMG] Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


    TDSSKiller Scan

    Please download and run TDSSKiller to your desktop as outlined below:

    Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

    [​IMG]

    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    [​IMG]

    ------------------------

    Click the Start Scan button.

    [​IMG]

    -----------------------

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue


    [​IMG]

    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


    [​IMG]


    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip, click on Continue
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
     
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Still around. I'd appreciate update at least...is the computer working okay?
     
  4. prof_LJG

    prof_LJG TS Rookie Topic Starter

    Sorry for the late reply, been busy with work.

    Ok computer wise. I ran TDSSKiller, but it didnt detect anything. I still have the 'svchost*32.exe' running everytime I start up my pc. I have to end process it everytime.
     

    Attached Files:

  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let's work with the following instead:

    Farbar Recovery Scan Tool x64

    Download Farbar Recovery Scan Tool and save it to a flash drive.


    Please make sure to get the 64-bit version

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.
    On the System Recovery Options menu you will get the following options:
      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:
      [​IMG]
      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
     
  6. prof_LJG

    prof_LJG TS Rookie Topic Starter

    Ok I've done what you've asked. I assume that this tool was only to scan my system for your reference and not actual repairs or whatnot.

    Thank you
     

    Attached Files:

  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix scan

    Please download ComboFix[​IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
     
  8. prof_LJG

    prof_LJG TS Rookie Topic Starter

    Here's the combofix log
     

    Attached Files:

  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Malwarebytes' Anti-Rootkit

    Please download Malwarebytes' Anti-Rootkit and save it to your desktop.
    • Be sure to print out and follow the instructions provided on that same page for performing a scan.
    • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
    • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
    • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
    • Copy and paste the contents of these two log files in your next reply.
     
  10. prof_LJG

    prof_LJG TS Rookie Topic Starter

    The initial scan came back with nothing detected.
     

    Attached Files:

  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.


    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death

    Note: Absence of issues does not mean that you're protected in the future.
     
     
  12. prof_LJG

    prof_LJG TS Rookie Topic Starter

    There isnt a major issue, the fact is that whenever I turn on my PC when I check the taskmanager, there is a process 'svchost.exe*32' with description 'svchost' which is using a little bit of memory. I dont think my pc has slowed down or anything. But I dont like having unknown programs running. Privacy and security might be at risk. Im running the ESET scan now. I'll post the result when it's finished
     
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay, I'll see those results then.

    It is a common thing to see that in Task Manager. It just means that svchost.exe is running under a 32 bit process, instead of 64 bit.

    It's pretty typical. Take a quick shot at my system:

    quickshot.PNG
     
  14. prof_LJG

    prof_LJG TS Rookie Topic Starter

    Yea I thought that was the case, but the file svchost.exe is found in C:\Users\Jonathan\AppData\Local\Temp. That definitely caused alarms to start ringing.

    The results of the eset scan is attached
     

    Attached Files:

  15. prof_LJG

    prof_LJG TS Rookie Topic Starter

    Restarted my pc. Good news! svchost.exe is no longer there. But as I enter the desktop from loading I get a pop up message as shown in the picture attachment. Could you enlighten me on this?

    Thanks
     

    Attached Files:

  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Try this and see how it goes to get rid of that...

    CCleaner Temporary Files Cleaning

    NOTE: If you already have this installed, you don't have to reinstall it.

    Please download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    • Double-click the CCleaner shortcut on the desktop to start the program.
    • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
    • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
    • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.
     
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Did it work?
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.