Jump to content


  • Content Count

  • Joined

  • Last visited

Posts posted by Comrade_Smartass

  1. Sure thing.  I'm assuming you want me to do this in safe mode with networking?  As I'm sure you read in my post, I can't visit your website or run Malwarebytes on my desktop while running in normal mode.  Anyways, I installed the program and ran a scan, then quarantined the selected threats.  I was not prompted to reboot but did anyways, into normal mode.
    While I was able to boot and reopen Malwarebytes, in closed and refused to reopen several seconds later.  The fake SvcHost process is still there as well.  The log is posted below.

    Also, may I ask how this relates to what I was told to do with FRST?



    -Log Details-
    Scan Date: 9/11/18
    Scan Time: 9:45 AM
    Log File: e66d4bac-b5c8-11e8-96aa-309c239d99d8.json

    -Software Information-
    Components Version: 1.0.441
    Update Package Version: 1.0.6771
    License: Trial

    -System Information-
    OS: Windows 10 (Build 17134.228)
    CPU: x64
    File System: NTFS
    User: DESKTOP-B18Q53N\Comrade

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 289255
    Threats Detected: 11
    Threats Quarantined: 11
    Time Elapsed: 1 min, 3 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 7
    PUP.Optional.SearchManager, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\nahhmpbckpgdidfnmfkfgiflpjijilce, Quarantined, [250], [440037],1.0.6771
    PUP.Optional.SearchManager, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [250], [183362],1.0.6771
    PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{518b33ae-375d-712d-6742-d1fe0400268d}, Quarantined, [230], [413444],1.0.6771

    Registry Value: 1
    PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{518b33ae-375d-712d-6742-d1fe0400268d}|URL, Quarantined, [230], [413444],1.0.6771

    Registry Data: 1
    PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [230], [413442],1.0.6771

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 2
    PUP.Optional.SearchManager, C:\USERS\COMRADE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [250], [440037],1.0.6771
    PUP.Optional.SearchManager, C:\USERS\COMRADE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [250], [183362],1.0.6771

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)



  2. Hey guys, I need help removing what I think is an SvcHost virus.

    I recently started having adware tabs pop up on my PC and then after searching for solutions found that whenever I opened a Malwarebytes (or similar website) page, my browser would immediately crash.  This happens in Chrome, IE, and Tor.  I found this thread which seems to be a very similar virus and after reading a few others, I downloaded MalwareBytes, Rkill, adwcleaner, FRST64, tdsskiller, and aswMBR.  (I'm typing this on my other PC btw.  Downloaded the files on it and emailed them in a .RAR to my desktop.)
    This lead to me finding a few things:
    -I restarted my PC and immediately opened the Task manager to find an unnamed task using 50+% of my CPU.  If I look at its properties, it says it's Svchost and is located in SysWOW64 where it takes up 44kb.
    -I can kill this process, but it doesn't stop the virus from opening apps or closing browsers.
    -I do not have permission to delete the application from SysWOW64.  I need "TrustedInstaller" permission, which I know can be a legit Windows thing.
    -The MB3-setup exe will not run.  
    -If I run Rkill then attempt to run the MB3 exe, it logs the following:


    Performing miscellaneous checks:
    * Reparse Point/Junctions Found (Most likely legitimate)! *
    C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir]

    -I deleted the INetCache folder which appeared to be empty.  Nothing changed.
    -adwcleaner and FRST64 won't run.
    -tdsskiller doesn't find anything
    -I ran aswMBR and my PC blue-screened with the following support info


    What failed: aswVmm.sys

     This is where I am currently and I would appreciate any help anyone can give me.

  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.