Posts posted by Dave76

  1. Hi MC,

    Here are the logs requested:-

    # AdwCleaner v2.105 - Logfile created 01/13/2013 at 16:10:55

    # Updated 08/01/2013 by Xplode

    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

    # User : David - DAVID-VAIO

    # Boot Mode : Normal

    # Running from : C:\Users\David\Desktop\adwcleaner.exe

    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****

    Folder Deleted : C:\Program Files (x86)\Conduit

    Folder Deleted : C:\ProgramData\boost_interprocess

    Folder Deleted : C:\ProgramData\Partner

    Folder Deleted : C:\Users\David\AppData\Local\Conduit

    Folder Deleted : C:\Users\David\AppData\LocalLow\Conduit

    Folder Deleted : C:\Users\David\AppData\LocalLow\PriceGong

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

    Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes

    Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong

    Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar

    Key Deleted : HKCU\Software\Ask&Record

    Key Deleted : HKCU\Software\Conduit

    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3201318

    Key Deleted : HKLM\Software\Conduit

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{7D86A08B-0A8F-4BE0-B693-F05E6947E780}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{17BF1E05-C0E8-413C-BD1F-A481EEA3B8E9}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{21BA420E-161C-413A-B21E-4E42AE1F4226}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{453DB0C5-F41C-4D97-8DD6-CC72ECD5F699}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4AFC07D0-59BB-46B8-B097-1A46E88EEF71}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6511CE4C-4722-40D0-AD3D-4AFA2F50978A}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{65A16874-2ED0-460E-A547-5FE2EC3A13A7}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{71E02280-5212-45C3-B174-4D5A35DA254F}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{83B2FE06-BA20-4F7D-96C6-6FC3A4E877D3}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8AD9AD05-36BE-4E40-BA62-5422EB0D02FB}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BEC9B38-BF39-4899-806E-A1C5DFEB60A2}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AEBF09E2-0C15-43C8-99BF-928C645D98A0}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B32966A2-F7C2-4362-A6CF-399EC8B44110}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B86D82BF-D39F-439A-A07C-43EDDC6F6EA6}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8560AC2-21B5-4C1A-BDD4-BD12BC83B082}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DA6305B9-0869-4235-8C1D-533A65E639E5}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E25DA6D6-C365-46CF-ABAF-DC5893135D7A}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E6961C59-CFCE-4CCD-B794-BC78DB98413A}

    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F8B4EC8A-2407-4BE0-AEE2-0F430D65A90D}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16457

    [OK] Registry is clean.

    -\\ Mozilla Firefox v8.0.1 (en-GB)

    File : C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\zu7akxmu.default\prefs.js

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [3438 octets] - [13/01/2013 09:21:44]

    AdwCleaner[S1].txt - [3533 octets] - [13/01/2013 16:10:55]

    ########## EOF - C:\AdwCleaner[S1].txt - [3593 octets] ##########

    Security Check

    Results of screen317's Security Check version 0.99.56

    Windows 7 Service Pack 1 x64 (UAC is enabled)

    Internet Explorer 9

    ``````````````Antivirus/Firewall Check:``````````````

    Windows Firewall Enabled!

    Microsoft Security Essentials

    Antivirus up to date!

    `````````Anti-malware/Other Utilities Check:`````````

    Malwarebytes Anti-Malware version 1.70.0.1100

    Java 6 Update 29

    Java version out of Date!

    Adobe Reader 10.1.5 Adobe Reader out of Date!

    Mozilla Firefox (8.0.1)

    ````````Process Check: objlist.exe by Laurent````````

    Microsoft Security Essentials MSMpEng.exe

    Microsoft Security Essentials msseces.exe

    Acronis TrueImageHome OnlineBackupStandalone TrueImageMonitor.exe

    `````````````````System Health check`````````````````

    Total Fragmentation on Drive C: 2%

    ````````````````````End of Log``````````````````````

    Thanks

    Dave

  2. Hi MC,

    Thanks for that.

    I could not find the file you referred to in the Drivers folder; I have 'show hidden files' selected on my system at present.

    Here's the log. I can't see anything in the log which I would want to keep apart from the browsers, but I presume they won't be deleted if I select clean.

    # AdwCleaner v2.105 - Logfile created 01/13/2013 at 09:21:44

    # Updated 08/01/2013 by Xplode

    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

    # User : David - DAVID-VAIO

    # Boot Mode : Normal

    # Running from : C:\Users\David\Desktop\adwcleaner.exe

    # Option [Search]

    ***** [Services] *****

    ***** [Files / Folders] *****

    Folder Found : C:\Program Files (x86)\Conduit

    Folder Found : C:\ProgramData\boost_interprocess

    Folder Found : C:\ProgramData\Partner

    Folder Found : C:\Users\David\AppData\Local\Conduit

    Folder Found : C:\Users\David\AppData\LocalLow\Conduit

    Folder Found : C:\Users\David\AppData\LocalLow\PriceGong

    ***** [Registry] *****

    Key Found : HKCU\Software\AppDataLow\Software\Conduit

    Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes

    Key Found : HKCU\Software\AppDataLow\Software\PriceGong

    Key Found : HKCU\Software\AppDataLow\Software\SmartBar

    Key Found : HKCU\Software\Ask&Record

    Key Found : HKCU\Software\Conduit

    Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3201318

    Key Found : HKLM\Software\Conduit

    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{7D86A08B-0A8F-4BE0-B693-F05E6947E780}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{17BF1E05-C0E8-413C-BD1F-A481EEA3B8E9}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{21BA420E-161C-413A-B21E-4E42AE1F4226}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{453DB0C5-F41C-4D97-8DD6-CC72ECD5F699}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{4AFC07D0-59BB-46B8-B097-1A46E88EEF71}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{6511CE4C-4722-40D0-AD3D-4AFA2F50978A}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{65A16874-2ED0-460E-A547-5FE2EC3A13A7}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{71E02280-5212-45C3-B174-4D5A35DA254F}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{83B2FE06-BA20-4F7D-96C6-6FC3A4E877D3}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{8AD9AD05-36BE-4E40-BA62-5422EB0D02FB}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{9BEC9B38-BF39-4899-806E-A1C5DFEB60A2}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{AEBF09E2-0C15-43C8-99BF-928C645D98A0}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{B32966A2-F7C2-4362-A6CF-399EC8B44110}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{B86D82BF-D39F-439A-A07C-43EDDC6F6EA6}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{D8560AC2-21B5-4C1A-BDD4-BD12BC83B082}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{DA6305B9-0869-4235-8C1D-533A65E639E5}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{E25DA6D6-C365-46CF-ABAF-DC5893135D7A}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{E6961C59-CFCE-4CCD-B794-BC78DB98413A}

    Key Found : HKLM\SOFTWARE\Classes\Interface\{F8B4EC8A-2407-4BE0-AEE2-0F430D65A90D}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16457

    [OK] Registry is clean.

    -\\ Mozilla Firefox v8.0.1 (en-GB)

    File : C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\zu7akxmu.default\prefs.js

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [3351 octets] - [13/01/2013 08:46:46]

    ########## EOF - C:\AdwCleaner[R1].txt - [3405 octets] ##########

    Thanks

    Dave

  3. Hi MC,

    Thanks for the help so far.

    I have downloaded & run the AntiRootKit, which has deleted the SVChost file.

    I ran it again to confirm that no Malware was present.

    However, when I start up my laptop again I get a Windows dialogue box which states that Windows cannot find the SVCHost file, so presume there's still a call coming from somewhere?

    I also get asked if I want to run mbar before windows loads.

    I have attached the log as requested.

    Thanks

    Dave

    system-log.txt

  4. Thanks Mr C,

    Here are the contents of the reports:-

    RogueKiller V8.4.3 [Jan 10 2013] by Tigzy

    mail : tigzyRK<at>gmail<dot>com

    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

    Website : http://tigzy.geekstogo.com/roguekiller.php

    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

    Started in : Normal mode

    User : David [Admin rights]

    Mode : Scan -- Date : 01/11/2013 16:53:54

    ¤¤¤ Bad processes : 1 ¤¤¤

    [SVCHOST] svchost.exe -- C:\Users\David\AppData\Roaming\Adobe32\svchost.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 6 ¤¤¤

    [RUN][SUSP PATH] HKCU\[...]\Run : AdobeUpdate (wscript "C:\Users\David\AppData\Roaming\Adobe32\invis.vbs" "C:\Users\David\AppData\Roaming\Adobe32\bat.bat") -> FOUND

    [RUN][SUSP PATH] HKUS\S-1-5-21-765753904-2071999791-625039582-1001[...]\Run : AdobeUpdate (wscript "C:\Users\David\AppData\Roaming\Adobe32\invis.vbs" "C:\Users\David\AppData\Roaming\Adobe32\bat.bat") -> FOUND

    [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

    [HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND

    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤

    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: Hitachi HTS725050A9A360 +++++

    --- User ---

    [MBR] cf82ebbd3b7f2acb9798ceed112aeab6

    [BSP] 29c49e32841e68435f2e32c67b546010 : Windows 7/8 MBR Code

    Partition table:

    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10423 Mo

    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21348352 | Size: 100 Mo

    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 21553152 | Size: 466415 Mo

    User = LL1 ... OK!

    User = LL2 ... OK!

    +++++ PhysicalDrive1: Ricoh SD/MMC Disk Device +++++

    --- User ---

    [MBR] b16545aceb0b1945caa97238ada759bd

    [BSP] 1454de1c7893cd36ec036b5994b60f6c : MBR Code unknown

    Partition table:

    0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 247 | Size: 1945 Mo

    Error reading LL1 MBR!

    Error reading LL2 MBR!

    Finished : << RKreport[1]_S_01112013_02d1653.txt >>

    RKreport[1]_S_01112013_02d1653.txt

    Quarantine Reprt.txt

    Time : 11/01/2013 16:41:25

    --------------------------

    [invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs

    [invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs

    Time : 11/01/2013 16:48:30

    --------------------------

    [invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs

    [invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs

    Time : 11/01/2013 16:53:54

    --------------------------

    [invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs

    [invis.vbs.vir] -> C:\Users\David\AppData\Roaming\Adobe32\invis.vbs

    Thanks

    Dave
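The RogueKiller report above records both halves of the problem described in the later posts: the persistence (an HKCU Run value named AdobeUpdate that launches wscript with invis.vbs and bat.bat from AppData\Roaming\Adobe32) and the payload (an svchost.exe in that same folder, which the poster says is running bfgminer). Deleting the binary alone leaves the Run value pointing at files that no longer exist, which is exactly why a "cannot find" dialog appears at the next logon. The script below is an added example, not RogueKiller's or Malwarebytes' own code: it parses lines in that report's layout and applies three defender heuristics (script host launched at logon, paths under user-writable directories, a core Windows binary name running outside System32/SysWOW64). The two benign input lines are constructed for contrast and are not from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed input in the layout of the RogueKiller report above. The first two
# lines are the real findings from that report; the last two are made-up benign
# entries so the heuristics can be seen not firing.
SAMPLE_REPORT = r"""
[SVCHOST] svchost.exe -- C:\Users\David\AppData\Roaming\Adobe32\svchost.exe -> KILLED [TermProc]
[RUN][SUSP PATH] HKCU\[...]\Run : AdobeUpdate (wscript "C:\Users\David\AppData\Roaming\Adobe32\invis.vbs" "C:\Users\David\AppData\Roaming\Adobe32\bat.bat") -> FOUND
[RUN] HKLM\[...]\Run : MSC (c:\Program Files\Microsoft Security Client\msseces.exe -hide -runkey) -> FOUND
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> OK
"""

# Directories where the genuine copies of core Windows binaries live.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Core binary names that malware commonly borrows, as with the svchost.exe above.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
# Interpreters that turn a Run value into "run whatever script I point at".
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe", "mshta", "mshta.exe"}
# Locations any user process can write to, so a logon entry there needs no admin rights.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")

# [RUN][tags...] <key> : <value name> (<command line>) -> <status>
RUN_RE = re.compile(r"^\[RUN\](?:\[[^\]]*\])*\s+(?P<key>\S+)\s*:\s*(?P<name>[^(]+?)\s*\((?P<cmd>.*)\)\s*->\s*(?P<status>\w+)$")
# [TAG] <image name> -- <full path> -> <status>
PROC_RE = re.compile(r"^\[(?P<tag>[A-Z]+)\]\s+(?P<image>\S+)\s+--\s+(?P<path>.+?)\s*->\s*(?P<status>.+)$")
# A double-quoted argument, or a bare run of non-space characters.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_command(cmd: str) -> list[str]:
    """Split a Run-value command line, keeping double-quoted arguments intact."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def assess_run_entry(cmd: str) -> list[str]:
    """Return the reasons a logon command line looks suspicious (empty = nothing seen)."""
    reasons = []
    low = cmd.lower()
    tokens = split_command(cmd)
    exe = PureWindowsPath(tokens[0]).name.lower() if tokens else ""
    if exe in SCRIPT_HOSTS:
        reasons.append(f"launches a script host ({exe}) at logon")
    for location in USER_WRITABLE:
        if location in low:
            pretty = location.strip("\\")
            reasons.append(f"references user-writable location {pretty}")
    if re.search(r"\.(vbs|vbe|js|jse|bat|cmd|ps1|hta)\b", low):
        reasons.append("runs a script file rather than a signed executable")
    return reasons


def assess_process(image: str, path: str) -> list[str]:
    """Return the reasons a running process looks suspicious (empty = nothing seen)."""
    reasons = []
    parent = str(PureWindowsPath(path).parent).lower()
    if image.lower() in CORE_BINARIES and parent not in SYSTEM_DIRS:
        reasons.append(f"{image} running from {parent} instead of a Windows system directory")
    for location in USER_WRITABLE:
        if location in path.lower():
            pretty = location.strip("\\")
            reasons.append(f"executable lives under user-writable location {pretty}")
    return reasons


def analyze_report(text: str) -> list[dict]:
    """Parse RUN and process lines in RogueKiller's layout and score each one."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            findings.append({"kind": "run", "subject": m["name"].strip(),
                             "detail": m["cmd"], "reasons": assess_run_entry(m["cmd"])})
            continue
        m = PROC_RE.match(line)
        if m:
            findings.append({"kind": "process", "subject": m["image"],
                             "detail": m["path"], "reasons": assess_process(m["image"], m["path"])})
    return findings


def flagged(findings: list[dict]) -> list[str]:
    """Subjects (value names or image names) that triggered at least one heuristic."""
    return [f["subject"] for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in analyze_report(SAMPLE_REPORT):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} {f['kind']:7} {f['subject']}: {f['detail']}")
        for r in f["reasons"]:
            print("            -", r)
```

Run as-is it flags the AppData\Roaming svchost.exe and the AdobeUpdate Run value (three reasons: wscript as launcher, a user-writable path, a .vbs/.bat payload) and passes the two constructed benign lines. The practical lesson for the thread is the pairing: a clean-up has to remove the Run value and the files it names together, otherwise the leftover value produces the startup error the poster keeps seeing.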

  5. Hi Malwarebytes,

    I have the above reported in users\AppData\roaming\Adobe32.

    If I remove it I get a dialogue box on startup of my laptop stating the file cannot be found; presumably the registry or some other Windows 7 file is looking for it.

    The file seems to be running 'bfgminer 2.5.0' & is the top user of my memory & is running 100% of the time.

    Could you please advise on how to proceed & your recommendation for its removal.

    Thanks in anticipation.

    Dave

    dds.txt

    attach.txt

  6. Hi Malwarebytes,

    I have a Trojan Agent reported by Malwarebytes in \Users\AppData\Roaming\Adobe32\svchost.exe

    The file in 'processes' is running at the top slot 100% of the time.

    If I remove it I get a dialogue box to say the file cannot be found when I restart my laptop; presumably the registry or some other startup file is looking for it?

    The svchost seems to be running bfgminer 2.5.0, a bitcoin system?

    I would appreciate some advice & your recommendations to what to do to remove the problem.

    Files attached as requested.

    Thanks in anticipation.

    Dave

    attach.txt

    dds.txt
