Win32 errors

Status
Not open for further replies.
Hello all, looking for some help with some Win32 errors. My AVG is detecting multiple threats, usually trojans, from svchost.exe, winlogon.exe and heur.exe. I have included a HijackThis log. Thanks in advance.
 
Welcome to TechSpot, 91BlKSi. I will help you with the malware, but first, please follow the steps in the Virus and Malware Removal HERE.

When finished, attach the logs from Malwarebytes and Superantispyware.

Rescan with HijackThis and paste that log, all in your next reply.

I will review all of the logs for malware. Please be sure to check the lines in Malwarebytes and Superantispyware to remove what they find. Don't do any removals in HijackThis; I'll find those and have you remove bad entries.

I do see malware; it looks like a possible Vundo infection in addition to Heur.

I notice that you have uTorrent, which is a P2P program. P2P (person to person) programs are also called 'file sharing' programs. In earlier computer days, these programs did not have much threat. But as they progressed, so did the dangers of using them. For that reason, we do not permit discussion of this type of program, nor do we support it. The exception is to suggest you uninstall any P2P programs for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read this information on P2P Warning to help you better understand these dangers.

If you decide not to remove uTorrent, please do not use it while we are cleaning.
 
Ok, scans are finished. Here are my results. Thank you for your help.
 

Attachments:
  • mbam-log-2009-10-25 (01-50-26).txt
  • SUPERAntiSpyware Scan Log - 10-25-2009 - 02-36-44.log
This is one of the malware infections:

Windows Police Pro is a rogue anti-spyware program which is being spread using illicit Search Engine Optimization practices. Users may be redirected to its scam website directly from search engine results. Windows Police Pro may sneak into computers when users visit malicious websites that carry a script to download and install it on computers without users' consent.

It also appears that you are visiting porn sites. As long as you are doing that, you are going to get malware. You are infected with a Backdoor.Bot; change all of your passwords and monitor any online financial transactions.

You are loading the uTorrent program. If you want my support to continue, please either uninstall it or take it off of startup:
C:\Program Files\uTorrent\uTorrent.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

If you decide to remove the torrent:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attach the Combofix report.

Rescan with HijackThis and PASTE new log in next reply.
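The helper above singles out one HijackThis O4 (auto-start) line. The following is an added example, not code from the thread or from HijackThis, showing how to parse such lines from a log and sort entries that launch from user-writable locations to the top for review. The regular expression, the list of "user-writable" directory fragments and all sample lines except the uTorrent one are assumptions made for this example.

```python
import re

# Registry form of a HijackThis O4 line, e.g.
#   O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
# (format assumed from the line quoted in the thread; not HijackThis's own code)
O4_REGISTRY_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>[^:]+): '
    r'\[(?P<name>[^\]]*)\] (?P<command>.*)$'
)

# Directory fragments a legitimate auto-start entry rarely points into.
# Constructed list for this example (XP-era names and their 8.3 short forms).
USER_WRITABLE_HINTS = (
    "\\temp\\",
    "\\local settings\\",
    "\\locals~1\\",
    "\\application data\\",
    "\\recycler\\",
)


def executable_path(command):
    """Extract the program path from a Run-key command string.

    Handles the quoted form ("C:\\Program Files\\x.exe" /flag) and the
    unquoted form (C:\\WINDOWS\\x.exe /flag).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def parse_o4(line):
    """Parse one registry-style O4 line into a dict; None for other O4 forms."""
    m = O4_REGISTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = executable_path(entry["command"])
    lowered = entry["path"].lower()
    entry["suspicious"] = any(hint in lowered for hint in USER_WRITABLE_HINTS)
    return entry


def triage(log_text):
    """Return all registry O4 entries from a log, flagged entries first."""
    entries = [e for e in (parse_o4(ln) for ln in log_text.splitlines()) if e]
    # False sorts before True, so suspicious entries (key False) come first
    return sorted(entries, key=lambda e: not e["suspicious"])


# Constructed sample log: the first line is the uTorrent entry quoted in the
# thread; the remaining lines are made up for this example.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe /s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        flag = "REVIEW" if e["suspicious"] else "ok    "
        print(f'{flag} {e["hive"]}\\..\\{e["key"]} [{e["name"]}] -> {e["path"]}')
```

The flag is only a prioritisation hint: a program in Program Files (like uTorrent here) is not cleared by this check, and an entry in Temp named after a system binary is the kind of line a helper would ask about first.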
 
Ok, firstly I have uninstalled uTorrent. I am getting an error message when I try to install Combo-Fix. I changed the file name, shut everything down, and it tells me it's unsafe to continue, the contents of the package have been compromised and I may have a file patching virus "virut". I did a re-download twice from the bleepingcomputer server and once from the forospyware server with the same result each time.
 
I have a suspicion the error dialogue you are getting comes from the malware. Which program is giving that error? Perhaps you could post a screenshot?
 
It actually comes from ComboFix; it will not run if there is a file infector on board. You need to scan some system files such as explorer, svchost, userinit etc. to see if they are infected. If so, it's a reformat.
 
It will not run if it is compromised! No sense in doing that, get the files scanned first to check them.
 
Really?
I thought after having this fault for two days now, it may be worth a 5-minute go.
I'd try it just in case, it can't hurt ;)
 
Thanks for the replies everyone. It is Combo-Fix giving me that error code. I did a quick Google search and somebody suggested downloading the program with a non-infected computer and using a flash drive to transfer it to the infected computer. Any thoughts on that? I do have access to a clean computer if that sounds possible. The files that are still giving me problems are svchost and winlogon; the heur error hasn't seemed to come back yet.
 
I did a quick Google search and somebody suggested downloading the program with a non-infected computer and using a flash drive to transfer it to the infected computer. Any thoughts on that?

This will be at your own risk. The reason that ComboFix will not run is that if there are files patched by a file infector, they may be deleted by it, and this could make the computer unbootable. This is why sUBs put that routine in, so that ComboFix would not trash your computer. It has already warned you twice: ComboFix is NO GOOD with a file infector, it was not designed to be used against them!

The files that are still giving me problems are svchost and winlogon; the heur error hasn't seemed to come back yet.

This suggests virut, scan the files rather than potentially messing up your computer.

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\System32\svchost.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
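The advice above is to scan the system files rather than run a tool that may delete them. One defender-side check that complements an online scan, added here as an example and not part of the thread or any tool it names, is to hash the files a file infector typically patches and compare them against the same files from a known-clean install of the same Windows version and patch level (for instance the clean computer the poster mentions, if it matches). Any file whose hash differs is the one worth uploading for a scan. The directory layout, the file list and the byte contents in the demo are assumptions constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Files named in the thread as typical targets of a file infector such as Virut.
SYSTEM_FILES = ("svchost.exe", "winlogon.exe", "explorer.exe", "userinit.exe")


def sha256_of(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_with_baseline(suspect_dir, baseline_dir, names=SYSTEM_FILES):
    """Compare each named file under suspect_dir with its counterpart under baseline_dir.

    Returns {name: "match" | "MISMATCH" | "missing-suspect" | "missing-baseline"}.
    Caveat: the baseline must come from the same Windows version and patch level;
    a different service pack or hotfix legitimately changes these files and would
    also show up as MISMATCH.
    """
    results = {}
    for name in names:
        suspect = Path(suspect_dir) / name
        baseline = Path(baseline_dir) / name
        if not suspect.is_file():
            results[name] = "missing-suspect"
        elif not baseline.is_file():
            results[name] = "missing-baseline"
        elif sha256_of(suspect) == sha256_of(baseline):
            results[name] = "match"
        else:
            results[name] = "MISMATCH"
    return results


def mismatches(results):
    """Names whose hash differs from the baseline: the files to submit for scanning."""
    return sorted(name for name, state in results.items() if state == "MISMATCH")


def demo():
    """Build a constructed baseline/suspect tree in a temp dir and compare it.

    The file contents are made-up byte strings, not real Windows binaries.
    """
    root = Path(tempfile.mkdtemp(prefix="infector-check-"))
    baseline, suspect = root / "baseline", root / "suspect"
    baseline.mkdir()
    suspect.mkdir()
    clean = {name: b"MZ clean " + name.encode() for name in SYSTEM_FILES}
    for name, data in clean.items():
        (baseline / name).write_bytes(data)
    # Suspect copy: svchost.exe has bytes appended (as a patched file would),
    # winlogon.exe and explorer.exe are untouched, userinit.exe is absent.
    (suspect / "svchost.exe").write_bytes(clean["svchost.exe"] + b" [appended code]")
    (suspect / "winlogon.exe").write_bytes(clean["winlogon.exe"])
    (suspect / "explorer.exe").write_bytes(clean["explorer.exe"])
    return compare_with_baseline(suspect, baseline)


if __name__ == "__main__":
    import sys
    # Real use: python check.py <suspect System32 dir> <clean System32 dir>
    results = compare_with_baseline(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for name, state in results.items():
        print(f"{name:14s} {state}")
    print("submit for scanning:", ", ".join(mismatches(results)) or "none")
```

Run it from the clean machine against a copy of the suspect System32 directory (for example one taken via a flash drive), never from the suspect machine itself, since an active infector could patch the interpreter or the copied files before they are hashed.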
 
Please follow the suggestion from kritius. I was going to give you the same one. The message you got when attempting to use Combofix is classic for a Virut infection.

If that is confirmed, it is a waste of time and a continued danger to you to try and clean it. Most of us recommend a reformat/reinstall instead.
 
Timely input by Kritius, thanks. Thought I might put in more layman terms for the OP.

@91BlKSi: we strongly recommend against attempting to run Combofix. This is because the type of infection you have typically tries to infect your other legitimate files. More often than not, your Windows system files get targeted in the process.

Combofix is a powerful program that can remove bad files, but in your case, it will detect your system files as "bad" and attempt to remove them. Because of that, it can potentially cause disastrous damage to your system.

Please follow kritius's suggestions. You are in good hands.
 
All scanners did not find malware!

Have you tried Combofix as yet?
Either in Safe Mode with Networking,
or via the USB flash drive (excellent idea).
 
Try scanning explorer.exe and userinit.exe. You can't trust just one file to be scanned.

Kimsland, you seem very eager to run ComboFix when you don't actually know what to do with it.
 
91BlKSi, once you finally run Combofix, please attach the Combofix log to a new reply, so I can view and advise on it.
Note: I've done about 10,000 of these things now; pretty sure I know what to advise.
 