SVCHOST.EXE (Trojan Agent) Removal Help

[LDTate]

OTL Fix

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  

  :OTL
  O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
  O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
  O15 - HKCU\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
  O15 - HKCU\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
  O15 - HKCU\..Trusted Domains: rhapsody.com ([rhap-app-4-0] https in Trusted sites)
  O15 - HKCU\..Trusted Domains: rhapsody.com ([rhapreg] https in Trusted sites)
  O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
  O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
  :Commands
  [EmptyFlash]
  [EmptyTemp]
  [RESETHOSTS]
  [purity]
  [start explorer]
  [Reboot]

  
  

• Then click the Run Fix button at the top
  
• Let the program run unhindered, it will reboot when it is done and produce a log
  

[PaulPec]

Output from OTL Fix

All processes killed

========== OTL ==========

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\real.com\rhap-app-4-0\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\real.com\rhapreg\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rhapsody.com\rhap-app-4-0\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rhapsody.com\rhapreg\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.

========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Default

->Flash cache emptied: 41620 bytes

User: Default User

->Flash cache emptied: 0 bytes

User: Paul

->Flash cache emptied: 43966 bytes

User: Public

User: TEMP

->Flash cache emptied: 41620 bytes

User: UpdatusUser

->Flash cache emptied: 41620 bytes

Total Flash Files Cleaned = 0.00 mb

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Paul

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 3752472 bytes

->Java cache emptied: 2148621 bytes

->FireFox cache emptied: 201060982 bytes

->Google Chrome cache emptied: 19980108 bytes

->Opera cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Public

->Temp folder emptied: 0 bytes

User: TEMP

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 0 bytes

User: UpdatusUser

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 557056 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 49972 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 86096 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 217.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

OTL by OldTimer - Version 3.2.31.0 log created on 01132012_085519

Files\Folders moved on Reboot...

C:\Users\Paul\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

MBAM is still blocking access to potentially malicious websites. Multiple ports, etc..FYI seems the site is 178.238.233.153 for the most part.

[LDTate]

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

C:\Windows\is-M9UTO.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virustotal is too busy you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html

You know anyone in Germany?

IP Information for 178.238.233.153

IP Location: Germany Giga-hosting Gmbh

178.0.0.0 - 178.255.255.255

[PaulPec]

This is embarassing but I did a search of my computer and it doesn't find is-M9UTO.exe anywhere. I don't know anyone in Germany

[LDTate]

Post a new DDS log scan

[PaulPec]

DDS Scan Log

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24

Run by Paul at 10:42:46 on 2012-01-13

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6135.3639 [GMT -6:00]

.

AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\Explorer.EXE

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe

C:\Program Files\Citrix\Secure Access Client\nsverctl.exe

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Windows\SysWOW64\PnkBstrB.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\Citrix\Secure Access Client\nsload.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Stardock\Impulse\Now\ImpulseNow.exe

C:\Windows\SysWOW64\Ctxfihlp.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Windows\SysWOW64\CTXFISPI.EXE

C:\Program Files\Logitech\SetPointG\SetPointII.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

-netsvcs

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\DllHost.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Steam\Steam.exe

C:\Users\Paul\AppData\Local\Mozilla Firefox\firefox.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\rundll32.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: DownloadHelper Class: {ff2573ae-e1ed-40e1-83ba-f544cb2ee135} - C:\Program Files (x86)\Common Files\Download Helper\DownloadHelper.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll

uRun: [steam] "c:\program files (x86)\steam\steam.exe" -silent

uRun: [sansaDispatch] C:\Users\Paul\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\Users\Paul\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\IMPULS~1.LNK - C:\Program Files (x86)\Stardock\Impulse\Now\ImpulseNow.exe

StartupFolder: C:\Users\Paul\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CITRIX~1.LNK - C:\Program Files (x86)\Citrix\Secure Access Client\nsload.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{9774EFE1-8B36-498D-B0A7-1F6FAA9C7C16} : DhcpNameServer = 192.168.1.1

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll

BHO-X64: Symantec NCO BHO - No File

BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL

BHO-X64: Symantec Intrusion Prevention - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: DownloadHelper Class: {FF2573AE-E1ED-40e1-83BA-F544CB2EE135} - C:\Program Files (x86)\Common Files\Download Helper\DownloadHelper.dll

TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll

mRun-x64: [CTxfiHlp] CTXFIHLP.EXE

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\uwwqep5x.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll

FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll

FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll

FF - plugin: C:\Program Files\Citrix\Secure Access Client\npagee.dll

FF - plugin: C:\Program Files\Citrix\Secure Access Client\npagee64.dll

FF - plugin: C:\Users\Paul\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Users\Paul\AppData\Roaming\Mozilla\plugins\npagee.dll

FF - plugin: C:\Users\Paul\AppData\Roaming\Mozilla\plugins\npagee64.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20111223.001\BHDrvx64.sys [2011-11-30 1157240]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120112.002\IDSviA64.sys [2012-1-13 488568]

R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [?]

R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0501000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0501000.01D\SYMNETS.SYS [?]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 cag;Citrix cag plugin for Access Gateway;C:\Program Files\Common Files\Deterministic Networks\Common Files\cag.sys [2010-8-4 96384]

R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-1-8 652872]

R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [2011-5-18 130008]

R2 nsverctl;Citrix Secure Access Client Service;C:\Program Files\Citrix\Secure Access Client\nsverctl.exe [2011-5-18 154776]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-11-7 381248]

R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-5-5 583360]

R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]

R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]

R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]

R3 ctxva51;Citrix Virtual Adapter;C:\Windows\system32\DRIVERS\ctxva51.sys --> C:\Windows\system32\DRIVERS\ctxva51.sys [?]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-1-12 138360]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-5-18 2253120]

S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]

S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-12-30 79360]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-30 79360]

S3 CT20XUT;CT20XUT;C:\Windows\system32\drivers\CT20XUT.SYS --> C:\Windows\system32\drivers\CT20XUT.SYS [?]

S3 CTEXFIFX;CTEXFIFX;C:\Windows\system32\drivers\CTEXFIFX.SYS --> C:\Windows\system32\drivers\CTEXFIFX.SYS [?]

S3 CTHWIUT;CTHWIUT;C:\Windows\system32\drivers\CTHWIUT.SYS --> C:\Windows\system32\drivers\CTHWIUT.SYS [?]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe --> c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]

S3 NWUSBCDFIL64;Novatel Wireless Installation CD;C:\Windows\system32\DRIVERS\NwUsbCdFil64.sys --> C:\Windows\system32\DRIVERS\NwUsbCdFil64.sys [?]

S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\Windows\system32\DRIVERS\nwusbser2.sys --> C:\Windows\system32\DRIVERS\nwusbser2.sys [?]

S3 SMSIVZAM5X64;SMSIVZAM5X64 NDIS Protocol Driver;C:\PROGRA~2\VERIZO~1\VZACCE~1\SMSIVZAM5X64.SYS [2009-3-20 43032]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== Created Last 30 ================

.

2012-01-13 14:55:19 -------- d-----w- C:\_OTL

2012-01-12 19:11:25 -------- d-----w- C:\Users\Paul\DoctorWeb

2012-01-12 16:40:05 -------- d-sh--w- C:\$RECYCLE.BIN

2012-01-12 14:38:57 -------- d-----w- C:\ComboFix

2012-01-12 00:27:43 98816 ----a-w- C:\Windows\sed.exe

2012-01-12 00:27:43 518144 ----a-w- C:\Windows\SWREG.exe

2012-01-12 00:27:43 256000 ----a-w- C:\Windows\PEV.exe

2012-01-12 00:27:43 208896 ----a-w- C:\Windows\MBR.exe

2012-01-11 03:00:51 306688 ----a-w- C:\Windows\IsUninst.exe

2012-01-11 03:00:24 -------- d-----w- C:\Program Files (x86)\Real Deal UpGrade

2012-01-10 20:12:09 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll

2012-01-10 20:12:09 366592 ----a-w- C:\Windows\System32\qdvd.dll

2012-01-10 20:12:09 1572864 ----a-w- C:\Windows\System32\quartz.dll

2012-01-10 20:12:09 1328128 ----a-w- C:\Windows\SysWow64\quartz.dll

2012-01-10 20:12:05 1731920 ----a-w- C:\Windows\System32\ntdll.dll

2012-01-10 20:12:05 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll

2012-01-10 20:12:04 77312 ----a-w- C:\Windows\System32\packager.dll

2012-01-10 20:12:04 67072 ----a-w- C:\Windows\SysWow64\packager.dll

2012-01-10 00:33:01 -------- d-----w- C:\Users\Paul\tmp

2012-01-09 22:05:19 21992 ----a-w- C:\Windows\System32\drivers\cpuz135_x64.sys

2012-01-09 22:05:19 -------- d-----w- C:\Program Files\CPUID

2012-01-04 13:35:36 20480 ----a-w- C:\Windows\svchost.exe

2011-12-19 15:37:28 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2011-12-19 15:37:22 3145216 ----a-w- C:\Windows\System32\win32k.sys

2011-12-19 15:37:18 723456 ----a-w- C:\Windows\System32\EncDec.dll

2011-12-19 15:37:18 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll

2011-12-19 15:37:03 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2011-12-19 15:37:03 2048 ----a-w- C:\Windows\System32\tzres.dll

.

==================== Find3M ====================

.

2012-01-12 17:06:35 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys

2011-12-10 21:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-11-19 21:17:31 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-11-08 00:53:44 321856 ----a-w- C:\Windows\SysWow64\nvStreaming.exe

2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll

2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll

2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl

2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll

2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-10-24 20:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx

2011-10-24 20:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

.

============= FINISH: 10:43:52.21 ===============

[LDTate]

There are a lot of Google hits concerning that IP but I haven't found anyone that's fixed it.

[PaulPec]

Well, do you want to keep trying, and become even more famous. "the man who beat the unbeatable IP/Trojan" or are you telling me to reformat/reinstall? The only thing i worry about as far as the reformat/reinstall is how will I prevent the restore of my backup data from reintroducing the virus? Anyway, appreciate any feedback/ comments re next steps. Thx.

[LDTate]

I'm not so sure it's an actual virus, but something is "calling home".

What firewall are you using?

Can you block those IP's from within the firewall?

[PaulPec]

I'm running norton internet security. I tried creating a rule to block traffic, but probably don't know what I'm doing as I'm not sure what to put in the subnet mask. In essence I created a rule called Malware Find. and in traffic rules told it to block connections to and from other computers. I specified only the computers listed below:

178.238.233.153

Mask 178.255.255.255

78.140.152.71

Mask 78.255.255.255

I moved that rule to the top of the list and rebooted the machine. However, MBAM is stil detecting and blocking. ANy thoughts appreciated.

[PaulPec]

another interessting tidbit. Created a program specific rule for svchost.exe blocking IPs 178.0.0.0 - 178.255.255.25. MBAM still detecting and blocking. Started to wonder if firewall worked at all so blocked all for scvchost. At that point, I could no longer connect to the internet via any browser. (firefox, opera, chrome). BUT MBAM was still reporting blocking of sites. Went back to firewall and turned on custom rule to block only specific addresses above. MBAM still reporting blocking. Ran another MBAM scan:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.13.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Paul :: PAUL-PC [limited]

Protection: Enabled

1/13/2012 2:35:24 PM

mbam-log-2012-01-13 (14-35-24).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 216883

Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> 3880 -> Delete on reboot.

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

rebooted..mbam still blocking..maybe try another firewall?

[LDTate]

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  :filefind
  svchost.exe

  
  

• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

[PaulPec]

SystemLook Results:

SystemLook 30.07.11 by jpshortstuff

Log created at 15:27 on 13/01/2012 by Paul

Administrator - Elevation successful

WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "svchost.exe"

C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 182856 bytes [13:34 08/01/2012] [23:50 24/12/2011] B382935AB01B27D0E14F267DBF288896

C:\Windows\svchost.exe ------- 20480 bytes [13:35 04/01/2012] [01:14 14/07/2009] 2CEFF13ACE25A40BD8D97654944297CD

C:\Windows\ERDNT\cache64\svchost.exe --a---- 27136 bytes [01:48 12/01/2012] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D

C:\Windows\ERDNT\cache86\svchost.exe --a---- 20992 bytes [01:48 12/01/2012] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866

C:\Windows\System32\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866

C:\Windows\SysWOW64\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866

C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe --a---- 27136 bytes [23:31 13/07/2009] [01:39 14/07/2009] C78655BC80301D76ED4FEF1C1EA40A7D

C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe --a---- 20992 bytes [23:19 13/07/2009] [01:14 14/07/2009] 54A47F6B5E09A77E61649109C6A08866

-= EOF =-

[LDTate]

See if you can copy svchost.exe form here C:\Windows\System32\svchost.exe

To C:\Windows\

See if we can overwrite that one

[PaulPec]

Tried in regular mode, safe mode with command line and safe mode. Also tried to kill processes with task manager in safe mode but then I couldn't to command line or explorer. Fail on my part. Next?

[LDTate]

Open Malwarebytes > click on More Tools > run File ASSASSIN by clicking Run Tool

Select the Files you want to delete .C:\Windows\svchost.exe

Note it will not remove Folders.

[PaulPec]

MBAM performed delete. Reboot, MBAM still reporting blocking. Latest scan result:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.13.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Paul :: PAUL-PC [limited]

Protection: Enabled

1/13/2012 6:15:45 PM

mbam-log-2012-01-13 (18-15-45).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 216845

Time elapsed: 3 minute(s), 26 second(s)

Memory Processes Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> 4516 -> Delete on reboot.

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

[PaulPec]

MBAM sill reporting blocking. You've got the paience of a saint, but unless you've got a few more tricks to pull out, I'm going to start backup process tonite. Since we have the 3 day weekend, I'll probably start format/ reinstall tomorrow. Will keep checking back here tonite though. Appreciate all the efforts. Like I said, any comments re reinstall, or any other tricks you've got, I'm game. Take care.

[LDTate]

I'll give you something else to try.

Check back tomorrow

[LDTate]

Print this out.

Reboot your computer and as Windows starts

Tap F8 and select Repair your computer. Then select Command Prompt.

Next type in the following

Del C:\Windows\svchost.exe

You should see a message '1 file deleted'. If you did not see that message, try again and ensure there is a space after the word Del

[PaulPec]

Access is denied..

[LDTate]

After you load windows,

C:\Windows\svchost.exe

Right Click on it and make sure Read Only is unchecked

Edited January 14, 2012 by LDTate
Read Onl

[LDTate]

We need to try this

Next:

Download TDSSKiller from here and save it to your Desktop.

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

1. Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
   
   
2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
   
   
3. Click the Start Scan button.
   
   
4. If a suspicious object is detected, the default action will be Skip, click on Continue.
   
   
5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
   
6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
   
   

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

[PaulPec]

Hey Larry

Really appreciate your dilligence with this. You're a super guy and a real credit to MB. They're lucky to have you. I know given time, you'd have come up with a solution too, However for speed's sake, and since I wanted to go back to trading a few stocks, I reformatted and repartioned my HD, did a reinstall of windows, installed Norton and as a direct result of you r efforts and the quality of MBAM, purchased a copy. Then I completed reinstall of my other programs. Latest MBAM scan (not the Pro part!!). Oh yeah, and I told my 16 yr old to lay off the inapproprite sites . Thanks again. Take care.

Malwarebytes Anti-Malware (PRO) 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.13.05

Windows 7 x64 NTFS

Internet Explorer 8.0.7600.16385

Paul :: PAUL-PC [administrator]

Protection: Enabled

1/14/2012 10:48:04 AM

mbam-log-2012-01-14 (10-48-04).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 188935

Time elapsed: 1 minute(s), 24 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

[LDTate]

I would say you're good to go.

Great job

You're more than welcome.

Glad we were able to help

Peace be with you