Hello guys/gals,
A virus that can survive reformatting is tormenting me: an "svchost trojan", and it seems untouchable.
Followed your preposting instructions and here are my logs:
MBAM log -
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183609
Time elapsed: 48 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
Gmer - No log
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by JohnPaul77 at 15:20:05 on 2012-07-28
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6143.4690 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe,
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{34B35C84-38BD-4232-AF96-7631CD945E69} : DhcpNameServer = 209.18.47.61 209.18.47.62
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce-x64: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
.
============= SERVICES / DRIVERS ===============
.
R1 MpKsld9647831;MpKsld9647831;C:\Windows\Temp\MpKsld9647831.sys [2012-7-28 35664]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-28 655944]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
.
=============== Created Last 30 ================
.
2012-07-28 22:30:59 -------- d-----w- C:\Windows\Panther
2012-07-28 22:18:50 -------- d-----w- C:\Users\JohnPaul77\AppData\Local\Diagnostics
2012-07-28 22:12:46 20480 ----a-w- C:\Windows\svchost.exe
2012-07-28 21:53:31 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{778862B8-D343-4A27-9E5A-B5723D21CB49}\mpengine.dll
2012-07-28 21:53:31 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-07-28 21:41:38 -------- d-----w- C:\Users\JohnPaul77\AppData\Roaming\Malwarebytes
2012-07-28 21:41:33 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-28 21:41:33 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-28 21:41:31 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-28 21:40:46 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-07-28 21:40:46 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-07-28 21:40:46 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-07-28 21:40:46 139264 ----a-w- C:\Windows\System32\cabview.dll
2012-07-28 21:40:46 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2012-07-28 21:40:46 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-07-28 21:38:20 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-07-28 21:38:15 99840 ----a-w- C:\Windows\System32\wudriver.dll
.
==================== Find3M ====================
.
2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
.
============= FINISH: 15:20:22.14 ===============
Your help is immensely appreciated,
J.P.
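As an added example (not part of J.P.'s post, and not code from DDS or Malwarebytes): the detail in the logs above that marks the file as suspect is its path, not its name. A legitimate svchost.exe runs from C:\Windows\System32 (or C:\Windows\SysWOW64 for the 32-bit copy); the file MBAM quarantined and the 20480-byte entry in the "Created Last 30" section both sit directly in C:\Windows. The Python below parses a DDS-style log and flags well-known system binary names that appear outside their expected directory. The sample log text is constructed from the post (the running-process line for C:\Windows\svchost.exe is added for illustration; in the real log it only appears under "Created Last 30" because MBAM had already quarantined it), and the section-parsing rules and the directory allow-list are assumptions for this example. The allow-list goes beyond the svchost.exe case in the text to a few other commonly impersonated binaries.

```python
"""Flag system-binary names running from, or created in, the wrong directory
in a DDS-style log. Example code; the parsing rules and allow-list are
assumptions, not part of DDS or MBAM."""
import re
from pathlib import PureWindowsPath

# Where each commonly impersonated Windows binary legitimately lives.
# Assumption: stock 64-bit install with %SystemRoot% = C:\Windows.
# svchost.exe also has a 32-bit copy in SysWOW64; explorer.exe lives in
# the Windows root itself.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
}

# Constructed sample modelled on the post's DDS output.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\svchost.exe
.
=============== Created Last 30 ================
.
2012-07-28 22:30:59 -------- d-----w- C:\Windows\Panther
2012-07-28 22:12:46 20480 ----a-w- C:\Windows\svchost.exe
2012-07-28 21:41:33 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 15:20:22.14 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A process line is "<drive>:\...\name.exe" optionally followed by arguments.
PROCESS_RE = re.compile(r"^([A-Za-z]:\\.+?\.exe)(?:\s|$)", re.IGNORECASE)
# A "Created Last 30" line is "<date> <time> <size|--------> <attrs> <path>".
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$"
)


def parse_sections(text):
    """Split a DDS-style log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def wrong_directory(path):
    """Return the expected directories if `path` carries a known system
    binary name but sits outside them; None if it is fine or unknown."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected is None or str(p.parent).lower() in expected:
        return None
    return expected


def find_masquerading(text):
    """Scan running processes and recently created files for misplaced
    system binaries; returns one dict per finding, in log order."""
    findings = []
    sections = parse_sections(text)
    for line in sections.get("Running Processes", []):
        m = PROCESS_RE.match(line)
        if not m:
            continue  # wrapped argument fragments such as "-netsvcs"
        exp = wrong_directory(m.group(1))
        if exp:
            findings.append({"section": "Running Processes",
                             "path": m.group(1), "expected": sorted(exp)})
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        exp = wrong_directory(m.group(4))
        if exp:
            findings.append({"section": "Created Last 30", "path": m.group(4),
                             "created": m.group(1), "size": m.group(2),
                             "expected": sorted(exp)})
    return findings


if __name__ == "__main__":
    for f in find_masquerading(SAMPLE_LOG):
        print(f"[{f['section']}] {f['path']} (expected in {f['expected']})")
```

A path check like this catches a copy dropped in the wrong folder, but not a replaced or patched binary in the right one; on a live host, pair it with an Authenticode signature check (for example Get-AuthenticodeSignature in PowerShell) on every svchost.exe image.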