Author Topic: Malware Infection - svchost.exe  (Read 6911 times)


REDACTED

  • Guest
Malware Infection - svchost.exe
« on: November 26, 2014, 04:21:51 AM »
I received a Toshiba Satellite C655D-S5300 laptop from a friend for virus removal. The only virus protection loaded on the laptop was an inactive version of AVG (along with obvious bloatware products), so I promptly installed Avast Antivirus and Spybot Search and Destroy to determine the severity of infection.

Spybot reported many infections and was able to remove all but 1 of them, the infected file being the svchost.exe infection.

I've read through the Avast forums post regarding logs to collect for malware advice. Between Avast and Spybot the malware is contained; however, as I am an avid PC/networking student, I would like some advice from the Avast community about proper removal of this malware.

Tools used prior to discovering this forum: Avast Antivirus (smart scan and boot-time scan), Spybot Search and Destroy, CMD sfc /scannow command. I have also created a custom firewall setting with Spybot that blocks inbound and outbound traffic to the target IP addresses of the malware (deepspacer and spacesoftpro .coms).

I have attached log files from Malwarebytes Anti-Malware, Farbar Recovery Scan Tool, and aswMBR.
Any help is greatly appreciated.

PLEASE NOTE: Upon my first activation of Malwarebytes I ran the update as directed, made sure to check scan for rootkits, and executed the scan. The scan ran as normal and reported that 202(ish) infections were found along with some rootkits. I proceeded to apply the fixes MBAM had suggested, and executed the reboot when I was prompted. I exported the scan log as a .txt to my desktop; however, the log file that was created was blank. I executed a 2nd scan which reported no problems found. The uploaded MBAM log is from the 2nd scan.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malware Infection - svchost.exe
« Reply #1 on: November 26, 2014, 04:39:57 PM »
Hi there, could you let me know what problems remain after this?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
Quote
HKLM-x32\...\Run: [AVG9_TRAY] => C:\PROGRA~2\AVG\AVG9\avgtray.exe 
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
URLSearchHook: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 - (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} URL =
SearchScopes: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={AE95FA13-ED32-4D23-A557-465F72F82F6F}&mid=fb66373a3d2e47d19819d16f2a3d8dd6-abb12ca542a25b815111bb91afc12966f2ea41af&lang=us&ds=AVG&pr=fr&d=2011-12-24 22:30:18&v=10.0.0.7&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> {99AD52C4-8E2C-424C-A525-1E2D1B0A3014} URL = http://search.iminent.com/?appId=84D783AB-66F6-4D61-BF0A-4806D6CA34EE&ref=toolbox&q={searchTerms}
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO-x32: No Name -> {154d932f-dc51-4a4f-9d52-b78b1419d3b4} ->  No File
BHO-x32: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} ->  No File
Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKLM-x32 - No Name - {154d932f-dc51-4a4f-9d52-b78b1419d3b4} -  No File
Toolbar: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll No File
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\14.0.1\ViProtocol.dll ()
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\14.0.1\\npsitesafety.dll (AVG Technologies)
FF SearchPlugin: C:\Users\ALI  JADRON\AppData\Roaming\Mozilla\Firefox\Profiles\1x3ka088.default\searchplugins\SearchTheWeb.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\SearchTheWeb.xml
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\14.0.2.14
FF Extension: No Name - C:\ProgramData\AVG Secure Search\FireFoxExt\14.0.2.14 [2013-01-22]
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG Secure Search\ChromeExt\14.0.2.14\avg.crx [2014-11-24]
S4 vToolbarUpdater14.0.1; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe [945328 2013-01-22] ()
R1 AvgLdx64; C:\Windows\System32\Drivers\avgldx64.sys [282976 2013-01-23] (AVG Technologies CZ, s.r.o.)
R1 AvgMfx64; C:\Windows\System32\Drivers\avgmfx64.sys [35664 2011-11-09] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiA; C:\Windows\System32\Drivers\avgtdia.sys [317520 2011-11-09] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\windows\system32\drivers\avgtpx64.sys [37720 2013-01-22] (AVG Technologies)
C:\Program Files (x86)\AVG
C:\Program Files (x86)\Common Files\AVG Secure Search

EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
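The fixlist above removes autostart and browser-hook entries that FRST reports as "No File": registry entries whose target file is gone. As an added example (not code from the thread, from FRST or from AdwCleaner), this PowerShell script reproduces that orphan check read-only for the Run keys and Browser Helper Objects; it assumes an elevated PowerShell on the machine under examination and deletes nothing.

```powershell
# Added example, not part of the thread: a read-only audit of the autostart and browser-hook
# locations the FRST fixlist touches (Run keys, BHOs), flagging entries whose target file is
# missing. FRST reports such orphans as "No File". Assumes an elevated PowerShell on the
# machine under examination; it deletes nothing.

function Get-TargetPath {
    # Extract the file path from value data such as 'C:\PROGRA~2\AVG\AVG9\avgtray.exe'
    # or '"C:\Program Files (x86)\x\y.dll" /arg'; $null if the value is empty.
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    if ($Value -match '^"([^"]+)"') { return $Matches[1] }
    if ($Value -match '^(\S+\.(exe|dll))') { return $Matches[1] }
    return $Value.Trim()
}

function Test-Orphan {
    # $true when the entry points at no file or at a file that no longer exists.
    param([string]$Path)
    if (-not $Path) { return $true }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return -not (Test-Path -LiteralPath $expanded -PathType Leaf)
}

# 64-bit and 32-bit (Wow6432Node, FRST's "HKLM-x32") views of each location.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$clsidRoots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
# Run entries: the value data is the command line to launch.
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $target = Get-TargetPath $p.Value
        if (Test-Orphan $target) { "ORPHAN Run entry: $key\$($p.Name) -> $target" }
    }
}

# BHOs: each subkey is a CLSID; the DLL path is the default value of CLSID\{...}\InprocServer32.
foreach ($key in ($bhoKeys | Where-Object { Test-Path $_ })) {
    foreach ($clsid in (Get-ChildItem -Path $key).PSChildName) {
        $dll = $null
        foreach ($root in $clsidRoots) {
            $ips = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $ips) { $dll = (Get-ItemProperty -Path $ips).'(default)'; break }
        }
        if (Test-Orphan (Get-TargetPath $dll)) { "ORPHAN BHO: $key\$clsid -> $dll" }
    }
}
```

An orphan reported here is a leftover pointer, not a running threat; the fixlist deletes such entries so that browsers and Explorer stop trying to load files that no longer exist.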

REDACTED

  • Guest
Re: Malware Infection - svchost.exe
« Reply #2 on: November 26, 2014, 06:33:08 PM »
Thank you for your quick reply and for clarification:

Do I need to disable my virus protection by closing the program or just turning the shields off?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Malware Infection - svchost.exe
« Reply #3 on: November 26, 2014, 06:43:58 PM »
Right click the avast tray icon and pause shields if avast makes problems.

Offline essexboy

Re: Malware Infection - svchost.exe
« Reply #4 on: November 26, 2014, 06:59:16 PM »
But you should not need to.

REDACTED

  • Guest
Re: Malware Infection - svchost.exe
« Reply #5 on: November 26, 2014, 07:02:00 PM »
Just for good measure, I did disable Avast shields and Spybot Search and Destroy before running AdwCleaner. I have attached logs from both FRST and AdwCleaner after running the fixes.

One thing to note: a Windows update ran and installed after running FRST and before running AdwCleaner. I will test the success of the fix by removing my custom firewall settings after uploading this post.

REDACTED

  • Guest
Re: Malware Infection - svchost.exe
« Reply #6 on: November 26, 2014, 07:06:38 PM »
Forgot to include the logs in my last post: here you go.

REDACTED

  • Guest
Re: Malware Infection - svchost.exe
« Reply #7 on: November 26, 2014, 07:10:00 PM »
The fix appears to be working; however, Avast's firewall service still has traces of the Iminent toolbar (it retained default rules associated with Iminent applications). Avast warnings no longer pop up, but those had stopped once I implemented the firewall settings.

Offline essexboy

Re: Malware Infection - svchost.exe
« Reply #8 on: November 26, 2014, 07:22:25 PM »
Are the traces of the old attempts to access the net, or are they new?

REDACTED

  • Guest
Re: Malware Infection - svchost.exe
« Reply #9 on: November 26, 2014, 07:27:14 PM »
Upon deactivation of the firewall there were no new messages generated through any of the installed virus protection. I'm going to run a Spybot scan as this was the first program to detect the malware.

I am unfamiliar with the Iminent product and am unsure if it is legitimate software or not. Removal failed the first time (most likely due to the malware being present) and I am reluctant to make any system changes until given the clear to do so.

Offline essexboy

Re: Malware Infection - svchost.exe
« Reply #10 on: November 26, 2014, 07:32:34 PM »
Iminent is termed a PUP, but it is not something you want on your system.

It should be gone now.

REDACTED

  • Guest
Re: Malware Infection - svchost.exe
« Reply #11 on: November 26, 2014, 07:41:04 PM »
I have still found traces of Iminent software located in multiple directories, including the MBAM quarantine folder as well as the SysWOW64 folder of the Windows directory. Iminent no longer appears in the program list, but can still be found with a little digging. The files and directories appear to be empty, but were not completely removed. I have attached a screenshot of the locations.

The malware no longer appears to be active (no new blocked attempts at connection by any virus protection); however, as this laptop is not mine, I will not be able to check on it frequently after returning it to the user. I am presently running a Spybot scan and am waiting for it to finish. Will these directories left behind by Iminent be an issue?

Offline essexboy

Re: Malware Infection - svchost.exe
« Reply #12 on: November 26, 2014, 08:15:33 PM »
No, but you can manually delete them.

REDACTED

  • Guest
Re: Malware Infection - svchost.exe
« Reply #13 on: November 26, 2014, 08:23:43 PM »
The problem seems to be fixed then. I cannot explore further until I get home later, but if any problems persist, I will return with more questions.

Thank you for all your help essexboy.

Offline essexboy

Re: Malware Infection - svchost.exe
« Reply #14 on: November 26, 2014, 08:25:01 PM »
Once you are happy I will remove the tools and tidy up.