
svchost.exe Trojan Agent unable to quarantine - need help


Bo620


It happens when Windows shows a blue screen with error IRQL_NOT_LESS_OR_EQUAL. I've run Malwarebytes and it shows there's a Trojan Agent in my c:\windows\svchost.exe (shows up twice). Selected them all to remove but they did not get quarantined. Ran ComboFix and it fixed 1 and still one remaining; tried to run it again but it still crashes to blue screen again. Ran Malwarebytes again and 2 Trojan Agent show up again.

I am able to run Windows in safe mode with networking; it crashes too fast if I start Windows normally. Not sure if I did anything wrong during the process. Is there any recommendation?

Reinstalling Windows and formatting my hard drive will be the very last step I want to do.

Thank you and I appreciate your help.

Bo

mbam log:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.24.03

Windows Vista Service Pack 2 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

Maybo :: MAYBO-PC [administrator]

Protection: Disabled

11/23/2012 7:53:08 PM

mbam-log-2012-11-23 (19-53-08).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 249182

Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> 1116 -> Delete on reboot.

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download RogueKiller to your desktop and run it.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)


Please create a new system restore point before running Malwarebytes Anti-Rootkit.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


MrC


Well done, let's run ComboFix to clear up any leftovers.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Advanced System Protector <---did you install this program??

~~~~~~~~~~~~~~~~~~~~~~~~~

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it should be something like R1.

MrC


Yes, I have Advanced System Protector installed. What should I do with it? Please advise. Thanks!

Did YOU install it?? If so you can keep it :::: if not we can uninstall it.

~~~~~~~~~~~~~~~

Some adware found....let's clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

~~~~~~~~~~~~~~~~~~~~~~~~

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC


Hmmm, I don't recall downloading and installing ASP <_< but it shows up after installing a clean-up program....I will take care of it....

Oh seems like some programs are out of date...should I update them and run security check again?

Here are the 2 reports:

# AdwCleaner v2.009 - Logfile created 11/24/2012 at 13:42:46

# Updated 24/11/2012 by Xplode

# Operating system : Windows ™ Vista Home Premium Service Pack 2 (64 bits)

# User : Maybo - MAYBO-PC

# Boot Mode : Normal

# Running from : C:\Users\Maybo\Downloads\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\Conduit

Deleted on reboot : C:\Program Files (x86)\GamesBar

Deleted on reboot : C:\Program Files (x86)\Windows iLivid Toolbar

Deleted on reboot : C:\Program Files (x86)\WiseConvert

Deleted on reboot : C:\Program Files (x86)\Zynga

Deleted on reboot : C:\Program Files (x86)\Zynga

Deleted on reboot : C:\ProgramData\iWin

Deleted on reboot : C:\Users\Maybo\AppData\Local\Conduit

Deleted on reboot : C:\Users\Maybo\AppData\Local\Ilivid Player

Deleted on reboot : C:\Users\Maybo\AppData\LocalLow\Conduit

Deleted on reboot : C:\Users\Maybo\AppData\LocalLow\searchquband

Deleted on reboot : C:\Users\Maybo\AppData\LocalLow\Searchqutoolbar

Deleted on reboot : C:\Users\Maybo\AppData\LocalLow\WiseConvert

Deleted on reboot : C:\Users\Maybo\AppData\LocalLow\Zynga

Deleted on reboot : C:\Users\Maybo\AppData\LocalLow\Zynga

Deleted on reboot : C:\Users\Maybo\AppData\Roaming\iWin

***** [Registry] *****

Data Deleted : HKLM\..\Windows [AppInit_DLLs] = c:\PROGRA~2\WI371A~1\Datamngr\datamngr.dll

Data Deleted : HKLM\..\Windows [AppInit_DLLs] = c:\PROGRA~2\WI371A~1\Datamngr\IEBHO.dll

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes

Key Deleted : HKCU\Software\AppDataLow\Software\searchqutoolbar

Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar

Key Deleted : HKCU\Software\AppDataLow\Software\WiseConvert

Key Deleted : HKCU\Software\AppDataLow\Software\Zynga

Key Deleted : HKCU\Software\AppDataLow\Toolbar

Key Deleted : HKCU\Software\DataMngr

Key Deleted : HKCU\Software\DataMngr_Toolbar

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Searchqu 406 MediaBar

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\WiseConvert Toolbar

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Zynga Toolbar

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7B13EC3E-999A-4B70-B9CB-2617B8323822}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B13EC3E-999A-4B70-B9CB-2617B8323822}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}

Key Deleted : HKLM\Software\Bandoo

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1301A8A5-3DFB-4731-A162-B357D00C9644}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\BandooCore.EXE

Key Deleted : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard

Key Deleted : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2438727

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3196716

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\Software\DataMngr

Key Deleted : HKLM\Software\Freeze.com

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{71B1DF81-18D9-4E5B-9493-CAB02B6E9D8F}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B325E840-2B54-4325-B1EF-8A73DE56FABD}

Key Deleted : HKLM\Software\SearchquMediabarTb

Key Deleted : HKLM\Software\WiseConvert

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{71B1DF81-18D9-4E5B-9493-CAB02B6E9D8F}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7B13EC3E-999A-4B70-B9CB-2617B8323822}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B325E840-2B54-4325-B1EF-8A73DE56FABD}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4F5C8E0C-ED91-43ED-8DFD-F8E852B747E5}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{88A67CD7-C14A-4D62-B062-C4E42D348E92}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Searchqu 406 MediaBar

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WiseConvert Toolbar

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Zynga Toolbar

Key Deleted : HKLM\Software\Zynga

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06DE5702-44CF-4B79-B4EF-3DDF653358F5}

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7B13EC3E-999A-4B70-B9CB-2617B8323822}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{7B13EC3E-999A-4B70-B9CB-2617B8323822}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]

Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{7B13EC3E-999A-4B70-B9CB-2617B8323822}]

Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default

File : C:\Users\Maybo\AppData\Roaming\Mozilla\Firefox\Profiles\j1nepcvo.default\prefs.js

Deleted : user_pref("browser.startup.homepage", "hxxp://www.searchqu.com/406");

Deleted : user_pref("keyword.URL", "hxxp://dts.search-results.com/sr?src=ffb&appid=100&systemid=406&q=");

-\\ Google Chrome v [unable to get version]

File : C:\Users\Maybo\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [5996 octets] - [24/11/2012 10:48:00]

AdwCleaner[R2].txt - [6092 octets] - [24/11/2012 13:40:59]

AdwCleaner[s1].txt - [6111 octets] - [24/11/2012 13:42:46]

########## EOF - C:\AdwCleaner[s1].txt - [6171 octets] ##########

Results of screen317's Security Check version 0.99.55

Windows Vista Service Pack 2 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Disabled!

Norton 360

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

I SPY Mystery

Malwarebytes Anti-Malware version 1.65.1.1000

FixCleaner

Java™ 6 Update 33

Java 7 Update 7

Java™ 6 Update 5

Java™ 6 Update 7

Java version out of Date!

Adobe Flash Player 11.5.502.110

Adobe Reader 8 Adobe Reader out of Date!

Adobe Reader X KB403742.. Adobe Reader out of Date!

Mozilla Firefox 16.0.2 Firefox out of Date!

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 4 % Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````
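Added example, not from the thread or from any of the tools it uses: a PowerShell script that checks from the command line for the two things the logs above flagged, an svchost.exe living outside System32/SysWOW64 (the Trojan.Agent hit) and DLLs registered under AppInit_DLLs (the Datamngr entries AdwCleaner removed). The function names and the folders searched are my choices; it assumes PowerShell 2.0 or later on Vista and an elevated prompt.

```powershell
# Added example, not part of the thread: defender-side checks for what the logs above
# flagged, an svchost.exe outside System32/SysWOW64 (the Trojan.Agent hit) and DLLs
# injected through AppInit_DLLs (the Datamngr entries AdwCleaner removed).
# Targets PowerShell 2.0+ (Vista); run elevated so process image paths are readable.
$LegitSvchost = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

function Test-SvchostProcesses {
    # One record per running svchost.exe. Location decides: on older Windows the real
    # file is catalog-signed, so its embedded-signature status can read NotSigned;
    # the signature is reported for context only.
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path
        $inPlace = $false; $sigStatus = 'unknown'
        if ($path) {
            $inPlace = ($LegitSvchost -contains $path)
            $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }
        New-Object PSObject -Property @{
            PID = $_.Id; Path = $path; Suspicious = (-not $inPlace); Signature = $sigStatus
        }
    }
}

function Get-StraySvchostFiles {
    # The copy in this thread sat directly in C:\Windows. Look there and in the temp
    # folder without recursing: WinSxS legitimately holds further copies.
    foreach ($d in @($env:SystemRoot, $env:TEMP)) {
        Get-ChildItem -Path $d -Filter 'svchost.exe' -Force -ErrorAction SilentlyContinue |
            Where-Object { $LegitSvchost -notcontains $_.FullName } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-AppInitDlls {
    # AppInit_DLLs is loaded into every process that uses user32.dll; on a clean home
    # system it is normally empty. Both the 64-bit and the WOW64 views are read.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Key = $k; AppInit_DLLs = $p.AppInit_DLLs; LoadAppInit_DLLs = $p.LoadAppInit_DLLs
            }
        }
    }
}

Test-SvchostProcesses | Format-Table PID, Suspicious, Path, Signature -AutoSize
Get-StraySvchostFiles | Format-Table -AutoSize
Get-AppInitDlls | Format-List
```

A row with Suspicious set to True, or any non-empty AppInit_DLLs value, is what to compare against the paths the scanners reported; a stray file that is not running will only appear in the second table.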


Advanced System Protector <---it's listed in your control panel's add/remove programs.

But if you're going to uninstall it, do it like this:

Download and install the free version of revo-uninstaller > run and see if revo finds it > now uninstall it.

http://www.revounins...e_download.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Java™ 6 Update 33 <---uninstall all of these from add/remove programs and install the latest version from Here

Java 7 Update 7 <------

Java™ 6 Update 5 <--------

Java™ 6 Update 7 <-------------

Java version out of Date!

Adobe Flash Player 11.5.502.110

Adobe Reader 8 Adobe Reader out of Date! <----please uninstall

Adobe Reader X KB403742.. Adobe Reader out of Date! <----please uninstall

http://get.adobe.com.../otherversions/ <---download and install the latest version:

Mozilla Firefox 16.0.2 Firefox out of Date! <----please check for an update

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You have outdated programs on the system which are vulnerable to malware.

Please update or uninstall them.

Info on doing that can be found in my Preventive Maintenance

~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Removed Advanced System Protector, uninstalled and reinstalled the latest version of Java and Adobe. Uninstalled ComboFix and RogueKiller and deleted logs as instructed.

Should I keep or uninstall the following programs: mbar, Revo Uninstaller, AdwCleaner (I also have CCleaner) and Security Check?

Also, from the last Security Check log, at the end it said Fragmentation on Drive C: 4%, so should I defrag the C drive? What is SSD?

I really appreciate your effort, time and knowledge in helping me through this problem! As I said, formatting my hard drive and hoping to get rid of the virus is not something I look forward to doing. Thanks a lot! :D


Should I keep or uninstall the following programs: mbar, Revo Uninstaller, AdwCleaner (I also have CCleaner) and Security Check?

You can delete them. CCleaner is OK, but stay away from the registry cleaner.

Also, from the last Security Check log, at the end it said Fragmentation on Drive C: 4%, so should I defrag the C drive? What is SSD?

It won't hurt to defrag.

SSD:

http://en.wikipedia....lid-state_drive

MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
