Inactive Persisent virus after reformatting...

J

JohnP77

Hello guys/gals,

Virus that can survive reformatting is tormenting me. "Svchost trojan", it seems untouchable.
Followed your preposting instructions and here are my logs:

Mbamlog -
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183609
Time elapsed: 48 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
Gmer - No log

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by JohnPaul77 at 15:20:05 on 2012-07-28
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6143.4690 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe,
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{34B35C84-38BD-4232-AF96-7631CD945E69} : DhcpNameServer = 209.18.47.61 209.18.47.62
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce-x64: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
.
============= SERVICES / DRIVERS ===============
.
R1 MpKsld9647831;MpKsld9647831;C:\Windows\Temp\MpKsld9647831.sys [2012-7-28 35664]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-28 655944]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
.
=============== Created Last 30 ================
.
2012-07-28 22:30:59 -------- d-----w- C:\Windows\Panther
2012-07-28 22:18:50 -------- d-----w- C:\Users\JohnPaul77\AppData\Local\Diagnostics
2012-07-28 22:12:46 20480 ----a-w- C:\Windows\svchost.exe
2012-07-28 21:53:31 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{778862B8-D343-4A27-9E5A-B5723D21CB49}\mpengine.dll
2012-07-28 21:53:31 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-07-28 21:41:38 -------- d-----w- C:\Users\JohnPaul77\AppData\Roaming\Malwarebytes
2012-07-28 21:41:33 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-28 21:41:33 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-28 21:41:31 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-28 21:40:46 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-07-28 21:40:46 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-07-28 21:40:46 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-07-28 21:40:46 139264 ----a-w- C:\Windows\System32\cabview.dll
2012-07-28 21:40:46 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2012-07-28 21:40:46 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-07-28 21:38:20 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-07-28 21:38:15 99840 ----a-w- C:\Windows\System32\wudriver.dll
.
==================== Find3M ====================
.
2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
.
============= FINISH: 15:20:22.14 ===============

Your help is immensely appreciated,

J.P.
 
My apologies in advance, apparently Gmer leave a log on the second try , here is the log:

Gmer -
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-28 15:38:54
Windows 6.1.7600
Running: lkbutf5q.exe

---- Files - GMER 1.0.15 ----
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\beacon[1].txt 676 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\afr[5].php 2678 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\01[1].htm 8184 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\diet-new-nicotine-patch[2].txt 51603 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\14[3].txt 1600 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\14[4].txt 1600 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\pixel[2].htm 349 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\data_sync[2].htm 572 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\fpi[2].htm 11527 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\ddc[2].htm 12826 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\desserts[1].txt 78156 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\beacon[1].txt 794 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\fpi[2].htm 11769 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\fpi[3].htm 11527 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\afr[1].php 1806 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\37_220_36_14[1].htm 1726 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\oauth[3].txt 259 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\ddc[2].htm 12826 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\ddc[3].htm 12826 bytes
---- EOF - GMER 1.0.15 ----
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

======================================

I still need Attach.txt part of DDS.

Next...

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
Hello Broni!

Thanks for your reply , but I had everything backed up anyhow so I reformatted and deleted the partitions this time, which was key to wiping out the svchost virus since its embedded in there good. Simply formatting either drive (Under advanced options on install) manually doesn't cut it.
Thanks again and take care.

-J.P.
 
You must log in or register to reply here.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
783
uber_beetle
uber_beetle
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A

Latest posts

Back