Author Topic: c:\windows\system32\svchost.exe Virus  (Read 19000 times)


Skenda02

  • Guest
c:\windows\system32\svchost.exe Virus
« on: February 15, 2014, 02:44:11 AM »
My dad was online when this window popped up on the computer saying C:\Windows\System32\svchost.exe
I know this is a virus; I have had it before on a different computer about 2 or 3 years ago and someone helped me get rid of it. I think it has come from a Yahoo pop up window in IE.  I am pretty computer savvy and need some help please.
This virus has attacked everything that would want to get out to the net, has disabled command prompt and will not let me boot the computer in safe mode.  I have ComboFix downloaded onto a flashdrive and started to run it, but with all the new viruses out there lately, I didn't want to run it if there is something else.  When I used it last time I think I used MiniToolbox, but that was so long ago I don't remember how I fixed it.
This is a Windows 7 Home OS.  I finally got the computer to do a diagnostics check and the Memory and Hard Drive passed the test.  I backed up all of their important documents, pictures and music ONLY to a removable hard drive.
Can someone help me out?
« Last Edit: February 16, 2014, 06:36:28 AM by Skenda02 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89708
  • No support PMs thanks
Re: c:\windows\system32\svchost.exe Virus
« Reply #1 on: February 15, 2014, 03:04:29 AM »
Yes, this is usually an indication of an underlying hidden/undetected infection that is trying to access malicious sites.

- This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

- There may be some delay due to differing time zones and availability of the volunteer malware removal specialists. It's 2am here in the UK, so it may be later today before one of them can take a look at the logs, but that gives you plenty of time to get the logs attached to this thread.

I wouldn't suggest running specialist tools such as combofix unless asked to do so.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.875) UI 1.0.820/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Skenda02

  • Guest
Re: c:\windows\system32\svchost.exe Virus
« Reply #2 on: February 15, 2014, 03:34:13 AM »
I went to 53253 and downloaded mbam and OTL; so far it is blocking each one when I try to open it.  The virus window pops up again.
It won't even let me open a Word document.
Just now, a Torrent window popped up telling me I was illegally downloading movies; just like the other pop up window, it tells me to click to pay for cleaning my computer.
It's pretty smart, anything I pull from the flash drive to the desktop it kills.
Any other thoughts?
« Last Edit: February 15, 2014, 04:53:45 AM by Skenda02 »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: c:\windows\system32\svchost.exe Virus
« Reply #3 on: February 15, 2014, 12:28:41 PM »
Hi,
I do not run every tool you've heard of, because you do not know what each does.

Tell me the version of OS you are using. Vista...7, 8 ..? 32bit or 64bit?

Follow the guide and try running RogueKiller and post here all RK logs...
http://forum.avast.com/index.php?topic=53253.0

Then ...

    Please download Farbar Recovery Scan Tool () by Farbar and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
    Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Skenda02

  • Guest
Re: c:\windows\system32\svchost.exe Virus
« Reply #4 on: February 16, 2014, 06:25:54 AM »
Thank you for your reply!
The OS is Windows 7 Pro
I tried RogueKiller but it will not let it begin.  It blocks it and pops up an alert window.  The alert window says it is Windows Paramount Protection and says this is a Trial Version and I have to pay for the full version to clean the PC of the threat.  I cannot connect to the internet; I cannot even open a Word document or a PDF file.  Outside of a picture or a wav or mov file, it doesn't matter what I click on to open, it pops up the Firewall window.  There is a Windows icon in the bottom right of the screen that looks like the Windows Updates icon, but when you click on it to open it, I get the Paramount Protection screen.  The PC randomly pops up the Firewall window saying random files are blocked, IP addresses are trying to access the PC and were blocked, IE sites are blocked, etc.  I don't even have it connected to the internet; I have unplugged it and it does not have wireless access.  Whatever I have to put on this PC to fix it has to come from a flashdrive and has to fly under the radar of this virus.
I have attached photos of what the Firewall window looks like and when you click on the Protection button what the Paramount window looks like.

Skenda02

  • Guest
Re: c:\windows\system32\svchost.exe Virus
« Reply #5 on: February 16, 2014, 06:38:50 AM »
second picture

Skenda02

  • Guest
Re: c:\windows\system32\svchost.exe Virus
« Reply #6 on: February 16, 2014, 08:21:40 AM »
After about 10 attempts, I was finally able to get to safe mode and run the Rogue Killer and Farbar, reports attached

Skenda02

  • Guest
Re: c:\windows\system32\svchost.exe Virus
« Reply #7 on: February 16, 2014, 08:22:57 AM »
Farbar reports

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: c:\windows\system32\svchost.exe Virus
« Reply #8 on: February 16, 2014, 06:46:39 PM »
Cool.  ;)


RogueKiller has done the best it can. Now we shall use FRST and its script power to target the leftovers, and later ComboFix, as I want to see what CF shall tell me at the end.
Before we go to FRST, you need to uninstall the following bad software from Control Panel > Programs and Features.

- Coupon Printer for Windows
- MyFreeCodec

---     ---
FRST's FixList
---     ---

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Quote

Start
Folder: C:\Windows\System32\Tasks\{4856247E-DE83-4F58-B00F-607499D83E2B}
Folder: C:\Windows\System32\Tasks\{179AD9B3-38F9-49AD-BC00-0009FB0DEEEA}
Folder: C:\Windows\System32\Tasks\{E3626ACB-D49A-47CC-93EC-5CE49A588E91}
Folder: C:\Windows\SysWOW64\locale.nls
Folder: C:\Windows\system32\locale.nls
C:\Users\vince\Desktop\RK_Quarantine
C:\Users\vince\AppData\Roaming\data.sec
C:\Users\vince\AppData\Roaming\svc-mvwl.exe
C:\Users\Administrator\settings.dat
C:\Users\Loretta\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\vince\AppData\Local\Temp\file.exe
C:\Users\vince\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\vince\AppData\Local\Temp\FreemakeVideoDownloader_3.0.1.10.exe
C:\Users\vince\AppData\Local\Temp\FreemakeYoutubeMp3Converter_3.0.1.10.exe
C:\Users\vince\AppData\Local\Temp\i4jdel0.exe
C:\Users\vince\AppData\Local\Temp\K-Lite_Codec_Pack_Basic.exe
C:\Users\vince\AppData\Local\Temp\ntdll_dump.dll
C:\Users\vince\AppData\Local\Temp\ose00000.exe
C:\Users\vince\AppData\Local\Temp\Resource.exe
C:\Users\vince\AppData\Local\Temp\SamsungAPInstaller_1382626857642.exe
C:\Users\vince\AppData\Local\Temp\SamsungAPInstaller_1384216404771.exe
C:\Users\vince\AppData\Local\Temp\SamsungAPInstaller_1389968932882.exe
C:\Users\vince\AppData\Local\Temp\SHSetup.exe
C:\Users\vince\AppData\Local\Temp\sp44614.exe
C:\Users\vince\AppData\Local\Temp\sp46257.exe
C:\Users\vince\AppData\Local\Temp\sp49905.exe.exe
C:\Users\vince\AppData\Local\Temp\sp52594.exe.exe
C:\Users\vince\AppData\Local\Temp\sp53904.exe
C:\Users\vince\AppData\Local\Temp\sp54931.exe
C:\Users\vince\AppData\Local\Temp\tbFree.dll
C:\Users\vince\AppData\Local\Temp\tbProd.dll
C:\Users\vince\AppData\Local\Temp\tmpB2FA.exe
C:\Users\vince\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\vince\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\vince\AppData\Local\Temp\vcredist_x64.exe
C:\Users\vince\AppData\Local\Temp\_is99FF.exe
HKLM-x32\...\Run: [] - [X]
HKU\S-1-5-21-3047364901-3158520248-2405442867-1001\...\MountPoints2: {51f373e6-4342-11df-bd11-d8d385744bc0} - J:\StormF1.exe
HKU\S-1-5-21-3047364901-3158520248-2405442867-1001\...\MountPoints2: {c46de609-5fd9-11e1-a4bd-d8d385744bc0} - J:\autorunner.exe "John Deere New Products 2012.exe"
HKU\S-1-5-21-3047364901-3158520248-2405442867-1001\...\MountPoints2: {df83d7cd-3b80-11df-b410-d8d385744bc0} - J:\StormF1.exe
URLSearchHook: HKCU - (No Name) - {b2bf7b3f-bf0b-4c48-aec6-f92c51be63e1} - No File
URLSearchHook: HKCU - (No Name) - {adca5064-9e30-43fe-9856-58b07a3149fe} - No File
SearchScopes: HKLM - {4D3BF12C-9654-4A8E-8305-43AC46DC2424} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {4D3BF12C-9654-4A8E-8305-43AC46DC2424} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {4D3BF12C-9654-4A8E-8305-43AC46DC2424} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {638517E6-DBA1-4546-A839-56DA82E42F8C} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3214568
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKCU - No Name - {B2BF7B3F-BF0B-4C48-AEC6-F92C51BE63E1} -  No File
Toolbar: HKCU - No Name - {ADCA5064-9E30-43FE-9856-58B07A3149FE} -  No File
Task: {A9D7C2A0-89A7-4B5E-85C9-FD446E2AAEE5} - System32\Tasks\Go to RoboForm Install page => Rundll32.exe url.dll,FileProtocolHandler "http://www.roboform.com/test-pass.html?aaa=KICMMMLMNJJJNJKJJMMJCNKMLJKMMJCNLMLJMJNMCNGMOJGMLMCNKJOJKMMMHMKMJMOJIMNMOMJMJNJICMJMCNOMPMCNOMFMHMCNPMCNIMJMPMPMFMJMCNOMCNIMJMPMPMCNNMJNPICMOMFMMJBJKJLIMJFMOMGMNMJMJNHICMEJEJMIBJDJJNBJCMJIGJBJMJKJPNIIIIKJNIEJAJIIGJLIMJHJJNKJCMJIIIKJNIEJAJPLGIOJHJAJAJBNMJAJCJJNNICMJNDJCMKJBJ"
Task: {EB162691-097C-452A-9210-73115374A229} - System32\Tasks\Open URL by RoboForm => Rundll32.exe url.dll,FileProtocolHandler "http://www.roboform.com/test-pass.html?aaa=KICMMMLMNJJJNJKJJMMJCNKMLJKMMJCNLMLJMJNMCNGMOJGMLMCNKJOJKMMMHMKMJMOJIMNMOMJMJNJICMIMCNGMCNNMFMGMCNOMPMCNGMNMPMPMFMJMCNOMCNIMJMPMOMCNNMJNPICMOMFMMJBJKJLIMJFMLMIMMMJNHICMEJEJMIBJDJJNBJCMJIGJBJMJKJPNIIIIKJNIEJAJIIGJLIMJHJJNKJCMJIIIKJNIEJAJPLGIOJHJAJAJBNMJAJCJJNNICMJNDJCMKJBJ"
AlternateDataStreams: C:\Users\Administrator\Documents\Fwd_ Contract Changes.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Fwd_ Werkowitch_Cope Contract.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_ Werkowitch_Cope Contract 2.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_ Werkowitch_Cope Contract.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_missing addendum 2.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_missing addendum 3.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_missing addendum 4.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_missing addendum.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Summary Report for Joel singer.eml:OECustomProperty
AlternateDataStreams: C:\Users\vince\Documents\FW_ Damn economy.eml:OECustomProperty
AlternateDataStreams: C:\Users\vince\Documents\Fw_ Fw_ OOOOOH NO !!!!.eml:OECustomProperty
AlternateDataStreams: C:\Users\vince\Documents\What a split second looks like!.eml:OECustomProperty
CMD: ipconfig /flushdns
End


2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

---     ---
ComboFix
---     ---

1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:
  • Right click on the avast! system tray icon () in the lower right corner of the screen and scroll up to avast! shield controls;
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) to this topic.

Skenda02

  • Guest
Re: c:\windows\system32\svchost.exe Virus
« Reply #9 on: February 16, 2014, 08:13:35 PM »
reports attached
so far no pop up windows!  ;)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: c:\windows\system32\svchost.exe Virus
« Reply #10 on: February 16, 2014, 09:39:23 PM »
Open notepad and copy/paste the text present inside the code box below:

Code:
@ECHO OFF
REM Start a fresh log for this run
IF EXIST log.txt DEL log.txt
ECHO Deleting Folders>>log.txt
REM Loop over each listed path; %%i keeps the surrounding quotes
FOR %%i in (
"C:\Windows\System32\Tasks\{4856247E-DE83-4F58-B00F-607499D83E2B}"
"C:\Windows\System32\Tasks\{179AD9B3-38F9-49AD-BC00-0009FB0DEEEA}"
"C:\Windows\System32\Tasks\{E3626ACB-D49A-47CC-93EC-5CE49A588E91}"
"C:\Windows\SysWOW64\locale.nls"
"C:\Windows\system32\locale.nls") DO (
IF EXIST %%i (
REM RD only removes directories; whatever is still present afterwards is logged as not deleted
RD /S /Q %%i
IF EXIST %%i (
ECHO %%i not deleted>>log.txt
) ELSE (
ECHO %%i deleted successfully>>log.txt)
) ELSE (
ECHO %%i not found>>log.txt))

REM Show the log, then delete this batch file itself
START NOTEPAD.EXE log.txt
DEL %0


Save this as fix.bat

Choose to Save type as - All Files to your desktop then close the Notepad file.

Double-click on fix.bat to run it.

> Did you get any message after running this bat?
> How is the computer running now?
Skenda02

  • Guest
Re: c:\windows\system32\svchost.exe Virus
« Reply #11 on: February 17, 2014, 01:15:27 AM »
this is the message in the text, looks like it deleted it all.  I am able to connect to windows now and have re-loaded anti-virus and scanned everything.  You were a huge help thank you!!

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: c:\windows\system32\svchost.exe Virus
« Reply #12 on: February 17, 2014, 02:25:34 PM »
Folders are not deleted, but it does not matter. They are not malware-related. Let's leave them ...

Tell me, how is the computer running now? If any problem remains, post me a fresh FRST.txt log report.
If not...then it's time to remove used tools.  ;)

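An added example, not part of magna86's posts: a variant of the fix.bat above that handles each listed path whether it is a directory or a file (RD only removes directories, so a file on the list is always logged as "not deleted"), clears read-only/hidden/system attributes first, and still writes every outcome to log.txt. It assumes it is saved the same way as fix.bat and run from an elevated command prompt on that machine; the paths are the ones from the thread.

```batch
@ECHO OFF
REM Added example (not the thread's own script): remove each listed path,
REM directory or file, and record what happened in log.txt.
REM Assumes it is run elevated (right-click > Run as administrator).
IF EXIST log.txt DEL log.txt
ECHO Removing listed paths>>log.txt
FOR %%i IN (
"C:\Windows\System32\Tasks\{4856247E-DE83-4F58-B00F-607499D83E2B}"
"C:\Windows\System32\Tasks\{179AD9B3-38F9-49AD-BC00-0009FB0DEEEA}"
"C:\Windows\System32\Tasks\{E3626ACB-D49A-47CC-93EC-5CE49A588E91}"
"C:\Windows\SysWOW64\locale.nls"
"C:\Windows\system32\locale.nls") DO CALL :remove "%%~i"
START NOTEPAD.EXE log.txt
GOTO :EOF

:remove
REM %~1 is the path with its surrounding quotes stripped
IF NOT EXIST "%~1" (
    ECHO %~1 not found>>log.txt
    GOTO :EOF
)
REM "path\*" only matches when the path is a directory, so this tells folders from files
IF EXIST "%~1\*" (
    REM Clear attributes on the folder and everything inside, then remove the tree
    ATTRIB -R -S -H "%~1" /S /D >NUL 2>&1
    RD /S /Q "%~1"
) ELSE (
    REM A plain file: clear attributes and delete it
    ATTRIB -R -S -H "%~1" >NUL 2>&1
    DEL /F /Q "%~1"
)
IF EXIST "%~1" (
    ECHO %~1 not deleted - still present, possibly in use or protected>>log.txt
) ELSE (
    ECHO %~1 deleted successfully>>log.txt
)
GOTO :EOF
```

A path that survives is reported with the reason to check rather than silently, so a line like "not deleted" in the log tells the helper whether to revisit it with another tool.
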
Skenda02

  • Guest
Re: c:\windows\system32\svchost.exe Virus
« Reply #13 on: February 18, 2014, 03:10:21 AM »
Seems to be running fine so far.  I have removed all tools and loaded Avast for them on it.  I ran MalwareBytes and it found a few things and I had it delete them before I connected to the internet again.
I told them to stop using IE and to use Chrome.  Will let you know if anything changes.
Thanks for all your help!!

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: c:\windows\system32\svchost.exe Virus
« Reply #14 on: February 18, 2014, 01:23:20 PM »
That should be Ok now. DelFix shall remove used tools.
=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.