Inactive Laptop has a nasty virus

devinwzrd

Posts: 11   +0
This laptop that has come into my possession has a pretty wicked infection. It claims the svchost.exe is infected, but I can't do anything about it. Here's the log:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.29.11

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Trevor Serdoner :: TEKIETEE [administrator]

Protection: Disabled

1/29/2013 7:44:50 PM
MBAM-log-2013-01-29 (19-50-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235188
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 1604 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\ProgramData\TheBflix\bhoclass.dll (PUP.DownloadnSave) -> No action taken.
C:\Windows\System32\mrvcl32.exe (Trojan.Clicker.CT) -> No action taken.
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

(end)
 
Hello, and welcome to TechSpot.


rulesx.png
Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


TDSSKiller Scan

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg


------------------------

Click the Start Scan button.

tdss_3.jpg


-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue


tdss_4.jpg


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


tdss_5.jpg



--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.



ComboFix scan

Please download ComboFix
combofix.gif
by sUBs
From TechSpot

Direct Link (alternative)

Please save the file to your Desktop.

Important information about ComboFix


After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on ComboFix.exe & follow the prompts.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
ComboFix isn't avalible to download for some reason. But here's my log for TDSSKiller
 

Attachments

  • TDSSKiller.2.8.15.0_29.01.2013_20.34.16_log.txt
    169.6 KB · Views: 2
Please be patient. We're very busy security professionals. Sometimes it takes a while getting around to other users. Thanks for your patience.

Please run TDSSKiller again and delete the TDSS File System. Post a new log.


RogueKiller Scan

  • Download RogueKiller from the following link and save it on your desktop:
    TechSpot
    Official Site (alternative
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
RGKRScan.png


  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
RGKRDelete.png


  • The report has been created on the desktop.
  • Next click on the ShortcutsFix

    RGKRShortcutsFix.png
  • The report has been created on the desktop.
Please post:

All RKreport.txt text files located on your desktop.


ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.


Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death

Note: Absence of issues does not mean that you're protected in the future.
 
My cursor seems to not be able to move if I'm not in Safe Mode. In Safe Mode my trac pad works fine, but in a regular startup it will not work at all...
Also RogueKiller stops working in Safe Mode.
 
I'm not too sure. I've been doing this in safe mode. Should I still do the ESET scan? and I'll post the new TDSS log in a sec.
 
Good!

OTL Quick Scan

Please download OTL by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • Click Quick Scan button and let the program run uninterrupted.
  • It will produce a log for you called OTL.txt, please post it in your next reply.
  • You may need to use two posts to get it all.
 
I'm waiting on the ESET scan to finish. Would you like me to cancel it, or just wait and do the OTL after?
 
Here's the ESET scan log. I'm starting the OTL right now.

C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll Win32/Adware.Yontoo.B application
C:\Users\All Users\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
C:\Program Files (x86)\IObit Toolbar\IE\6.6\iobitToolbarIE.dll a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\ProgramData\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ProgramData\TheBflix\bhoclass.dll.vir Win32/Adware.MultiPlug.A application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\29.01.2013_20.34.17\mbr0000\tdlfs0000\tsk0002.dta a variant of Win32/Rootkit.Kryptik.RG trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.01.2013_11.14.46\tdlfs0000\tsk0000.dta Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.01.2013_11.14.46\tdlfs0000\tsk0001.dta Win64/Olmarik.AM trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.01.2013_11.14.46\tdlfs0000\tsk0002.dta a variant of Win32/Rootkit.Kryptik.RG trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.01.2013_11.14.46\tdlfs0000\tsk0003.dta Win64/Olmarik.AN trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.01.2013_11.14.46\tdlfs0000\tsk0007.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\30.01.2013_11.14.46\tdlfs0000\tsk0008.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\Users\Trevor Serdoner\AppData\Local\Google\Chrome\User Data\Default\Default\aadcdhgcgbdggfgddadidegddedagcgf\background.js Win32/TrojanDownloader.Tracur.V trojan cleaned by deleting - quarantined
C:\Users\Trevor Serdoner\AppData\Roaming\Mozilla\Firefox\Profiles\g0bn0bsg.default\extensions\plugin@yontoo.com\content\overlay.js Win32/Adware.Yontoo application cleaned by deleting - quarantined
 
Here's the OTL log and some extras log that came too.
 

Attachments

  • OTL.Txt
    86.5 KB · Views: 3
  • Extras.Txt
    88.1 KB · Views: 2
Fixing Google Chrome

In order to remove infectious webpages from Google Chrome homepage and search settings, you have to do so manually.

Here is the way to do it.

1. Start Google Chrome.
2. Hit the wrench or triple line icon and choose "Settings":

chrome10.png


3. In the On Startup section, hit "Set pages":

chrome11.png


4. Find hxxp://simplespeedy.info and hit the X all the way to the right on it and hit OK:

chrome12.png


5. Then, find the "Search" section and hit "Manage search engines...":

chrome13.png


6. In both "Default search settings" and "Other search engines" sections, find the following and delete them using the X at the far right:

WebSearch - simplespeedy.info

chrome14.png



7. DONE!



OTL Fix

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :OTL
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
    IE - HKCU\..\URLSearchHook: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - No CLSID value found
    IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
    FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&ilc=12&type=382950"
    [1635/10/11 00:34:38 | 000,004,815 | ---- | M] () (No name found) -- C:\Users\Trevor Serdoner\AppData\Roaming\mozilla\firefox\profiles\g0bn0bsg.default\extensions\jiyfxjkxey@jiyfxjkxey.org.xpi
    [2013/01/28 20:23:55 | 000,000,559 | ---- | M] () -- C:\Users\Trevor Serdoner\AppData\Roaming\mozilla\firefox\profiles\g0bn0bsg.default\searchplugins\WebSearch.xml
    [2011/09/01 09:48:14 | 000,000,000 | ---D | M] (uTorrentBar Community Toolbar) -- C:\Users\Trevor Serdoner\AppData\Roaming\mozilla\Firefox\Profiles\g0bn0bsg.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
    [2013/01/29 22:22:00 | 000,000,000 | ---D | M] (continuetosave) -- C:\Users\Trevor Serdoner\AppData\Roaming\mozilla\Firefox\Profiles\g0bn0bsg.default\extensions\51072a5d0c0c8@51072a5d0c101.com
    CHR - Extension: continuetosave = C:\Users\Trevor Serdoner\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbbichdnoaipegibimgjbiobjbjpbilm\1\
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    [2013/01/28 20:23:47 | 000,000,000 | ---D | C] -- C:\ProgramData\BetterSoft
    [2013/01/28 20:23:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\continuetosave
    [2013/01/28 20:23:43 | 000,000,000 | ---D | C] -- C:\ProgramData\continuetosave

    :files
    ipconfig /flushdns /c

    :commands
    [emptytemp]
    [reboot]
  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)



Kaspersky Virus Removal Tool

The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

  • Double-click the Setup file to install it on your computer.
  • Once it has installed, review and accept the agreement and press the Start button.
  • You will presented with the main interface, but don't scan yet, click the options tab (gear icon):
    image1nz.png
  • On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive:
    image2pmb.png
  • On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High":
    image3vd.png
  • Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
  • Once done scanning, choose the Report tab (page icon), select Detected Threats tab on left, and choose Disinfect All:
    image5mf.png
  • Then, choose Save. Also, in the Automatic Report tab, select Save:
    image4vy.png
  • Please post the reports in your next reply.
  • Once you exit, the tool should uninstall automatically.
 
Hello, are you still with us? Please update us with the state of your situation, so we know how to continue from here.

We'd still like to help. Topic marked inactive, until your return.
 
Back