svchost.exe virus

[swedishfish44]

I use Windows Task Manager frequently to "end process" of frozen programs.  Recently my computer has been really slow and I noticed when I was in Task Manager that there was a svchost.exe using almost 100% CPU and over 1,000,000K.  This is NOT the case when I work offline.  I believe it may have a virus embedded in it.  I have run multiple scans with Malwarebytes and Norton and nothing has been found to be infected.  While I work on the computer Norton continuously notifies me that they blocked an attack and when I boot up my computer without opening up Internet Explorer my computer starts playing advertisements and music.  Yet no applications have been opened.

 

Thanks

[AdvancedSetup]

Hello and

Please run the following and post back all the logs as ATTACHMENTS by clicking on the More Reply Options button.


STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download ERUNT from one of the following links: Link1 | Link2 | Link3
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup.
  • Note: the default location is C:\Windows\ERDNT which is acceptable.
• Make sure that at least the first two check boxes are selected.
• Click on OK
• Then click on YES to create the folder.
• Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe
  
  
  STEP 02
  
  Please download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt
  STEP 03
  
  Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus
  STEP 04
  
  Please download AdwCleaner by Xplode to your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.
  STEP 05
  
  
  
  Please go here to run the online antivirus scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

[swedishfish44]

Step 1 log attached

README.TXT

[swedishfish44]

The logs for Steps 2, 3, and 4 are attached.

 

When running the Anti-Rootkit utility at startup it says it identified AppInit_Dlls and may be caused by rootkit activity.  It said if there were problems with the scan then rerun it and remove that at start up.  I did not have any problems.  When I ran the 2nd recommended scan the same message appeared at startup.  I did not remove it again.  The 2nd scan was clean.  Do you know if that should be removed?

 

Currently on Step 5

mbar-log-2013-07-09 (22-42-01).txt

system-log.txt

JRT.txt

AdwCleanerS1.txt

[swedishfish44]

Step 5 log attached

ESET.txt

[AdvancedSetup]

Lets run some other scanners that can double check on those entries for us.

 

We'll do this one first.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  

 

[swedishfish44]

See logs attached.

 

Thanks for the help.

FRST.txt

Addition.txt

[AdvancedSetup]

I'm sorry, I lost track of your post.  I don't see anything obvious in that log except some old software that needs to be removed as it has exploited code in it.

 

Please fully uninstall ALL versions of Java.

 

J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Java™ 6 Update 11 (Version: 6.0.110)
Java™ 6 Update 5 (Version: 1.6.0.50)
Java™ 6 Update 7 (Version: 1.6.0.70)

 

Are you still experiencing infection type issues?

[swedishfish44]

Thanks for the help.  No more signs of it.

[AdvancedSetup]

Great, probably best to run the following and reboot even if it does not ask you to.

Then run a new set of DDS scan logs and post those back please.

 

 

Please Run TFC by OldTimer to clear temporary files:

• Download TFC from here and save it to your desktop.
• http://oldtimer.geekstogo.com/TFC.exe
• Close any open programs and Internet browsers.
• Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
• Please be patient as clearing out temp files may take a while.
• Once it completes you may be prompted to restart your computer, please do so.
• Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.
  

 

 

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop
dds.scr
dds.com


Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment. 

When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt
   

• Save both reports to your desktop
• Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
  You can ignore the note about zipping the Attach.txt file

 

 

Thanks

[swedishfish44]

See attached

dds.txt

attach.txt

[AdvancedSetup]

You're still having some software issues it looks like but the computer appears to be clean at this time.

 

==== Event Viewer Messages From Past Week ========.7/19/2013 8:48:53 AM, error: Service Control Manager [7024]  - The SQL Server (TOCTTARGPPC05) service terminated with service-specific error 1814 (0x716).7/19/2013 8:39:12 AM, error: Service Control Manager [7034]  - The SQL Server VSS Writer service terminated unexpectedly.  It has done this 1 time(s).7/19/2013 8:39:12 AM, error: Service Control Manager [7034]  - The SigmaTel Audio Service service terminated unexpectedly.  It has done this 1 time(s).7/19/2013 8:39:12 AM, error: Service Control Manager [7034]  - The NICCONFIGSVC service terminated unexpectedly.  It has done this 1 time(s).7/19/2013 8:39:12 AM, error: Service Control Manager [7034]  - The Dell Wireless WLAN Tray Service service terminated unexpectedly.  It has done this 1 time(s).7/19/2013 8:39:12 AM, error: Service Control Manager [7034]  - The Broadcom ASF IP and SMBIOS Mailbox Monitor service terminated unexpectedly.  It has done this 1 time(s).==== End Of File ===========================

 

 

 

I'm going to be on the road with limited access to the board until Tuesday but I will try to check back in if possible.

We'll run some other tests then and see if we can correct these other errors or not then.

Thanks
 

[AdvancedSetup]

Just checking back to see if you're ready to look at this more or if you still need/want help or not.

Thanks

[swedishfish44]

Thanks.  I do have a question.  Would any of the scans that I have run affect the computer recognizing a profile on the computer?  On Monday morning I went to log into the computer and it could not find my profile.  It was still there.  From a web search I made a new profile and attempted to copy the other profile to the newly setup one.  But it gave a security error when I went to copy.

[AdvancedSetup]

Well it sounds like you probably have some permission issues or possibly still some infection on the computer.

 

Please run the MBAR scanner again and check for updates.  Then post back the logs.

 

Then run this one

 

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

• Flush DNS
• Report IE Proxy Settings
• Reset IE Proxy Settings
• Report FF Proxy Settings
• Reset FF Proxy Settings
• List content of Hosts
• List IP configuration
• List Winsock Entries
• List last 10 Event Viewer log
• List Installed Programs
• List Devices
• List Users, Partitions and Memory size.
• List Minidump Files
  

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.
 

[AdvancedSetup]

Are you still with us?

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!