Can't recover from svchost virus


About a week ago my kid got a virus through Facebook, some kind of rogue anti-virus virus. The computer had numerous infections. I have run rkill and ComboFix. Scans from Malwarebytes and AVG initially came back with Trojans, but are now coming back clean. However, there are two system processes under the heading of "svchost.exe" that keep randomly running and tying up system resources. Occasionally, AVG will pop up with a trojan warning that it contained. But virus scans are coming back clean. System is very slow.

Additionally, Windows tools, including System Restore and Windows Firewall, will not run.

At wit's end... kid is avoiding me.

Any suggestions, or is it time to take the computer in and have them wipe the hard drive?

Combofix log below:

ComboFix 12-03-01.02 - Michael Sonntag 03/01/2012 22:09:54.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.328 [GMT -5:00]

Running from: c:\documents and settings\Michael Sonntag\Desktop\ComboFix.exe

AV: AVG Anti-Virus 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Michael Sonntag\Desktop\Scanner.lnk

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\regobj.dll

c:\windows\system32\SET1B8.tmp

c:\windows\system32\SET3F0.tmp

c:\windows\system32\SET51D.tmp

c:\windows\system32\SET649.tmp

c:\windows\system32\SET672.tmp

c:\windows\system32\SET673.tmp

c:\windows\system32\SET674.tmp

c:\windows\system32\SET695.tmp

c:\windows\system32\SET873.tmp

c:\windows\system32\SETCD.tmp

c:\windows\system32\SETDD.tmp

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

.

c:\windows\system32\drivers\i8042prt.sys . . . is missing!!

.

.

((((((((((((((((((((((((( Files Created from 2012-02-02 to 2012-03-02 )))))))))))))))))))))))))))))))

.

.

2012-02-28 23:23 . 2012-02-28 23:23 -------- d-----w- C:\found.000

2012-02-25 21:38 . 2012-02-26 19:28 -------- d-----w- c:\documents and settings\Michael Sonntag\Local Settings\Application Data\Google

2012-02-25 21:38 . 2012-02-26 19:28 -------- d-----w- c:\documents and settings\Michael Sonntag\Local Settings\Application Data\Deployment

2012-02-25 00:52 . 2012-02-25 00:52 -------- d-----w- c:\documents and settings\Michael Sonntag\Application Data\Malwarebytes

2012-02-25 00:48 . 2012-02-25 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-02-25 00:48 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-25 00:47 . 2012-02-25 21:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-02-22 22:48 . 2012-02-22 22:48 -------- d-----w- C:\$AVG

2012-02-22 22:03 . 2012-02-22 22:03 -------- d-----w- c:\documents and settings\Michael Sonntag\Application Data\AVG2012

2012-02-22 22:01 . 2012-02-22 22:01 -------- d-----w- c:\documents and settings\Michael Sonntag\Application Data\AVG Secure Search

2012-02-22 22:01 . 2012-02-22 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search

2012-02-22 22:01 . 2012-02-22 22:01 -------- d-----w- c:\program files\Common Files\AVG Secure Search

2012-02-22 22:01 . 2012-02-22 22:01 -------- d-----w- c:\program files\AVG Secure Search

2012-02-22 22:00 . 2012-03-02 01:44 -------- d-----w- c:\windows\system32\drivers\AVG

2012-02-22 22:00 . 2012-02-22 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012

2012-02-22 21:59 . 2012-02-22 21:59 -------- d-----w- c:\program files\AVG

2012-02-22 21:51 . 2012-02-16 14:40 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2012-02-22 21:51 . 2012-02-16 14:40 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll

2012-02-22 21:51 . 2012-02-16 10:42 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll

2012-02-22 21:51 . 2012-02-16 10:42 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll

2012-02-22 21:51 . 2012-02-16 10:42 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll

2012-02-22 21:38 . 2012-02-22 21:38 -------- d-----w- c:\windows\system32\wbem\Repository

2012-02-22 21:28 . 2012-02-22 21:28 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2012-02-22 21:20 . 2012-02-22 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Files

2012-02-22 21:16 . 2012-03-02 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2012-02-22 03:57 . 2012-02-22 03:57 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2012-02-22 03:56 . 2012-02-22 03:56 -------- d-----w- C:\spoolerlogs

2012-02-08 04:13 . 2012-02-08 04:13 -------- d-----w- c:\windows\system32\LogFiles

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-02-16 14:40 . 2012-02-22 21:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]

2012-02-22 22:01 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-02-22 1811296]

.

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Michael Sonntag\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Michael Sonntag\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Michael Sonntag\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Michael Sonntag\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-13 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-13 118784]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-13 1122304]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-08-12 114688]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]

"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-02-22 939872]

.

c:\documents and settings\Michael Sonntag\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Michael Sonntag\Application Data\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Wireless Connection Manager.lnk - c:\program files\D-Link\DWA-131 revA\wirelesscm.exe [2011-6-30 517440]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Documents and Settings\\Michael Sonntag\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]

R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe [2/22/2012 5:01 PM 909152]

R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [6/30/2011 9:02 AM 20480]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]

R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [6/30/2011 9:02 AM 588032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 3:16 PM 130384]

S2 WLSVC;WLSVC;c:\program files\D-Link\DWA-131 revA\WLSVC.exe [6/30/2011 9:02 AM 167936]

S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [4/25/2011 9:11 AM 829152]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/12/2010 4:04 PM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 3:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3119098509-2480340896-3674687875-1006Core.job

- c:\documents and settings\Michael Sonntag\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-26 19:28]

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll

FF - ProfilePath - c:\documents and settings\Michael Sonntag\Application Data\Mozilla\Firefox\Profiles\yozai96l.default\

FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B6311cabd-9365-447d-a925-593f2aab5b89%7D&mid=46f4ea4253a947d19c69c59f0bf471c0-7bcf169da0f355c0efc74a25fd10a54d8945f374&ds=AVG&v=10.0.0.7&lang=en&pr=pr&d=2012-02-22%2017%3A01%3A39&sap=ku&q=

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-01 22:51

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3402111AS rev.3.ADH -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

.

device: opened successfully

user: MBR read successfully

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x822D02C6

user & kernel MBR OK

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1028)

c:\windows\system32\WININET.dll

c:\windows\system32\igfxdev.dll

.

- - - - - - - > 'lsass.exe'(1108)

c:\windows\system32\WININET.dll

.

Completion time: 2012-03-03 11:44:27

ComboFix-quarantined-files.txt 2012-03-03 16:44

.

Pre-Run: 18,396,798,976 bytes free

Post-Run: 19,057,270,784 bytes free

.

- - End Of File - - AB0F3C03B09687E3385B59F2FC1AE79F


Welcome to the forum.

Please do not run any other tools unless I say to!

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

Click Scan to scan the system (don't run any other options).

Post back the report.

---------------------

Then... please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs.

MrC


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
