Another request to help remove svchost.eve trojan.agent

I am having a problem similar to a post in October: Malwarebytes detected the two svchost.exe files on my laptop but cannot remove them (Norton 360 and Norton Power Eraser did not detect these). I read through the earlier post and have attached the files initially requested in that posting, dds.txt and attach.txt, as well as a RogueKiller log. One thing with the RogueKiller scan: it appeared to complete its scan (very quickly), but when it tried to launch the internet to open a webpage the computer kept freezing and wouldn't load the page. As an additional note, presently the computer seems rather hit and miss on what websites it will allow/launch; for example, I could not open the dds.scr or dds.com links to download, either to run or save. I had to download/save the files on another computer to a flash drive and then run them on the laptop with the issues.

Back to the issue at hand: not knowing what is being looked for in them, please let me know if in fact the RogueKiller process did not complete correctly. I also downloaded TDSSKiller but have not run it yet, awaiting instructions.

Thanks,

Mark

attach.txt

dds.txt

RKreport2_S_11062012_02d2006.txt



Welcome to the forum.

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please read the directions carefully so you don't end up deleting something that is good!!

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


MrC


Thanks for such promptness. I am not opposed to a reinstall. Oddly enough, I had just done a reinstall of Windows about 3 months ago. My question is, if I do this versus trying to clean the computer, can I still run the usual backups and system images to allow reconfiguring of the laptop once done with the install, or is there a chance of the backups/system image becoming infected?

Thanks again,

Mark


My question is, if I do this versus trying to clean the computer, can I still run the usual backups and system images to allow reconfiguring of the laptop once done with the install, or is there a chance of the backups/system image becoming infected?

The back-ups should be OK, I suggest we clean the computer first.

MrC


OK, ran TDSSKiller, and I'm attaching the files. When the scan finished and the report log opened, it didn't look like it had completed in the notes, so I ran it a second time. The first time had Pihar listed as malicious and 4 suspicious files; the second time the scan only showed the 4 suspicious ones. Sorry about the extra step, although as Skip was chosen for the 4, nothing really changed on the second one, correct?

TDSSKiller.2.8.15.0_07.11.2012_11.02.21_log.txt

TDSSKiller.2.8.15.0_07.11.2012_11.08.05_log.txt

TDSSKiller.2.8.15.0_07.11.2012_11.16.01_log.txt


You did it correctly.

Run TDSSKiller again and choose Delete for this one only (no need to check the "Loaded Modules" box or post the log):

11:13:36.0598 4988 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

11:13:36.0598 4988 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~~~~~~~

Then............

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

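The two log lines quoted above follow TDSSKiller's "object ( verdict ) - status" layout, and the helper's instruction hinges on which action was finally chosen for the "TDSS File System" entry. The following is an added example, not code from the thread or from TDSSKiller: a small parser that reads a log in that layout, pairs each detected object with its final user action, and lists the TDSS File System entries that were skipped and therefore still need a decision. The sample log is constructed to mimic the lines in the thread; the Pihar and UnsignedFile lines are assumed to share the same layout.

```python
import re
from collections import OrderedDict

# Line shape taken from the log lines quoted in the thread:
#   <time> <pid> <object> ( <verdict> ) - <status>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<obj>.+?) \( (?P<verdict>[^)]+) \) - (?P<status>.+)$"
)
# The second line for an object records what the user chose (Skip/Cure/Delete).
ACTION_RE = re.compile(r"User select action:\s*(\w+)")

# Constructed sample log (not a real TDSSKiller log); it mimics the thread's lines.
SAMPLE_LOG = """\
11:13:35.0100 4988 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.b ) - infected
11:13:35.0100 4988 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
11:13:36.0598 4988 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - skipped by user
11:13:36.0598 4988 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - User select action: Skip
11:13:36.0700 4988 C:\\Windows\\System32\\drivers\\example.sys ( UnsignedFile.Multi.Generic ) - warning
11:13:36.0700 4988 C:\\Windows\\System32\\drivers\\example.sys ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""


def parse_findings(text):
    """Map (object, verdict) -> {'status': scanner verdict line, 'action': user choice}."""
    findings = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # progress/header lines are not findings
        key = (m["obj"], m["verdict"])
        entry = findings.setdefault(key, {"status": None, "action": None})
        act = ACTION_RE.search(m["status"])
        if act:
            entry["action"] = act.group(1)
        else:
            entry["status"] = m["status"]
    return findings


def needs_followup(findings):
    """Hidden 'TDSS File System' objects that were skipped: still present, still need a decision."""
    return [obj for (obj, verdict), e in findings.items()
            if verdict == "TDSS File System" and e["action"] == "Skip"]


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    for (obj, verdict), e in found.items():
        print(f"{obj} [{verdict}] status={e['status']} action={e['action']}")
    print("needs follow-up:", needs_followup(found))
```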

Trouble running ComboFix. I disabled Norton 360 and Malwarebytes and confirmed them to be off, but ComboFix continues to say Norton 360 is still active. Tried contacting the bleeper website to ask but not sure my post made it. Will check again in a little while unless you have any suggestion.


OK, re-enabled Norton 360 and Malwarebytes. Norton went into immediate auto-protect and detected/removed two trojans; turned out to be the two files TDSSKiller had put into quarantine. I included that detection log and a quick scan from Norton, as well as the most recent log from TDSSKiller. I realize the Norton scan may not be much use to you, but.......

next?

mbam-log-2012-11-07 (19-05-57).txt

norton scan post combofix.txt

Resolved Norton Security Risks Upon enable.txt


That all looks OK.

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it should be something like R1.

MrC


Lots of adware found....lets clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

~~~~~~~~~~~~~~~~~~~~~

Then..........

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.

MrC


Results of screen317's Security Check version 0.99.54

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 8 Out of date!

``````````````Antivirus/Firewall Check:``````````````

Norton 360

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 6 Update 20

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

Symantec Norton Online Backup NOBuAgent.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````


Lots of adware found....lets clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Java™ 6 Update 20 <----please uninstall from add/remove programs

Java version out of Date! <-------Download and install the latest version from Here

Adobe Reader 9 Adobe Reader out of Date! <-----please check for an update

You have outdated programs on the system which are vulnerable to malware.

Please update or uninstall them

MrC


Overall seems good, responsive, haven't had an internet glitch yet. However, since we did the AdwCleaner run-through (and technically the checkup run), the one glitch that has happened several times is when the laptop is shut off and restarted, both automatically or even if off for a while: the laptop starts up OK, gets through the login window, but when it reaches the main screen it freezes with the circle loading system running and won't do anything, even with Ctrl+Alt+Del hit repeatedly. Once I kill it with the power button and restart, it loads all the way and is fine. This has happened 3 times now ..... ?? Thoughts?


No, but let's take a look.....

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassoci...T-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC
