Trouble removing SysWow64 trojan

[shappyrohman]

Recently, my computer has been crashing with either a blue screen or a bizarre pixelation of the screen. I am traveling so I assumed it may have just been the euro-electricity, but that was a bad assumption. I haven't downloaded any new programs, but I did download an album from a rap group (don't worry, they were giving it out for free) and it came in a zip file.

 

My laptop runs fine in safe mode but crashes if I Start Normally. I tried to open Malwarebytes, but it refuses to open, probably because of the virus. I also  tried using Malwarebytes Chameleon to open up Malwarebytes, but all 13 tests failed to get it to start, so I couldn't perform a scan. However, I did notice that the quick scans performed by Chameleon kept pausing on files labeled SysWow64.

 

I came to the forums here and saw that Syswow64 is a known trojan. Also, many people recommended RogueKiller, so I downloaded the program and ran the scan. Below is the report from Rkiller. Can anybody help me with this virus? I would really appreciate it!

 

Rkiller report :

(Note: when the file hh.exe was terminated, the window for Malwarebyte Chameleon closed, so I think that was the program terminated.)

 

RogueKiller V9.3.0.0 [Oct  6 2014] by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : https://www.surlatoile.org/RogueKiller/

Blog : http://www.adlice.com

 

Operating System : Windows 7 (6.1.7600 ) 64 bits version

Started in : Safe mode with network support

User : Jared [Admin rights]

Mode : Scan -- Date : 10/06/2014  17:07:49

 

¤¤¤ Bad processes : 1 ¤¤¤

[suspicious.Path] hh.exe -- C:\Windows\hh.exe[7] -> KILLED [TermProc]

 

¤¤¤ Registry Entries : 14 ¤¤¤

[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> FOUND

[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> FOUND

[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-260108978-2359899843-1326174590-1001\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> FOUND

[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-260108978-2359899843-1326174590-1001\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com  -> FOUND

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{348DC075-403B-4FFA-B4D8-C5C80EF1AC50} | DhcpNameServer : 66.112.235.200 66.112.235.250 10.0.12.3  -> FOUND

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{81AF372D-6727-4BEC-9DE1-50CAF5031093} | DhcpNameServer : 209.222.18.222 209.222.18.218  -> FOUND

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{348DC075-403B-4FFA-B4D8-C5C80EF1AC50} | DhcpNameServer : 66.112.235.200 66.112.235.250 10.0.12.3  -> FOUND

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{81AF372D-6727-4BEC-9DE1-50CAF5031093} | DhcpNameServer : 209.222.18.222 209.222.18.218  -> FOUND

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{348DC075-403B-4FFA-B4D8-C5C80EF1AC50} | DhcpNameServer : 66.112.235.200 66.112.235.250 10.0.12.3  -> FOUND

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{81AF372D-6727-4BEC-9DE1-50CAF5031093} | DhcpNameServer : 209.222.18.222 209.222.18.218  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

 

¤¤¤ Scheduled tasks : 2 ¤¤¤

[suspicious.Path] AVG-Secure-Search-Update_JUNE2013_HP_rmv.job -- C:\Windows\TEMP\{4E2872C7-DB4E-40B4-B69C-14612131BD99}.exe (--uninstall=1) -> FOUND

[suspicious.Path] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job -- C:\Windows\TEMP\{13266B46-6284-426C-8DF0-12B55E6C19B7}.exe (--uninstall=1) -> FOUND

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ HOSTS File : 0 ¤¤¤

 

¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000035f]) ¤¤¤

 

¤¤¤ Web browsers : 1 ¤¤¤

[PUM.HomePage][FIREFX:Config] 3u47xkko.default : user_pref("browser.startup.homepage", "http://speedial.com/?f=1&a=spd_wnzp_14_21_ch&cd=2XzuyEtN2Y1L1QzuyCtD0E0ByCzyyB0C0A0DzztBtAzzzyyBtN0D0Tzu0SzzyByEtN1L2XzutBtFtBtDtFtCyDtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StD0A0EyB0B0DtBtAtGyB0AyD0AtGyBtB0C0EtG0E0B0DtAtGyEzzzzyEtAtCtAtCyD0BtDyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtCyDyC0D0F0EyEtGzytBzyzztGzztA0AzytGzyyC0E0BtGyB0E0DyD0D0AyCtByDtA0CtD2Q&cr=49106506&ir="); -> FOUND

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BEVT-22A0RT0 +++++

--- User ---

[MBR] 245af315d665ce2a0bab0396f1b8b0f1

[bSP] 35c77ff41e9fa70318e806537ccb5a24 : Windows Vista/7/8 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 14336 MB

1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 29362176 | Size: 100 MB

2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 29566976 | Size: 462502 MB

User = LL1 ... OK

User = LL2 ... OK

 

 

Please let me know if I should supply any more information or have a chance to save my laptop!

 

Thank you,

Jared

[TwinHeadedEagle]

Hello,
    
 
They call me TwinHeadedEagle around here, and I'll be working with you.
 
     
    
Before we start please read and note the following:

• Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
• Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
• Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
• Do not paste the logs in your posts, attachments make my work easier. There is a Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
• Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
• Note that we may live in totally different time zones, what may cause some delays between answers.
• Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
  Rules and policies
 
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.
 
 
 
 

Please download Farbar Recovery Scan Tool and save it to your desktop.
 
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

[shappyrohman]

Thank you,

 

I downloaded Farbar and performed a scan. I have attached the 2 txt logs below.

 

Addition.txt

FRST.txt

[TwinHeadedEagle]

I would first perform some maintenance. When you finish, try to enter Normal Mode. Tell me exactly what is going on.
 
 
 
Fix with Farbar Recovery Scan Tool
 

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

[shappyrohman]

The problem lately has been that my laptop crashes without warning or reason. Sometimes it is the "blue screen of death" and other times the screen is covered with pixelated squares (hard to describe). If I try to restart my computer in Normal mode it crashes without getting past the Starting Windows screen. If I start it in Safe Mode w Networking it works perfectly. My laptop has never crashed in Safe Mode, only in Normal Mode. Also, I cannot open Malwarebytes, even when I Run as Administrator, which led me to believe there was a virus in my computer. 

 

The other thing worth mentioning is that I am using an American laptop while I study in France. It may be that the different voltage is causing these problems, but my laptop works fine in Safe Mode so I don't believe that is the issue.

After performing the fix you recommended, I booted up my laptop in Normal Mode and it is currently working. However, I tried to open Malwarebytes and it still does not open.

 

 

Below I have attached the fixlog.txt. Let me know what you think

Fixlog.txt

[TwinHeadedEagle]

Very good. It is a progress
 
 
Now let's wipe and reinstall Malwarebytes:
 
 
 
Uninstall outdated Malwarebytes' Anti-Malware
 
Please download MBAM-clean and save it to your desktop.

• Right-click on mbam-clean.exe icon and select Run as Administrator to start the tool.
• It will ask you to reboot the machine - please do so.

After that follow my next instructions to download & install the newset MBAM version.
 
 
 
Scan with Malwarebytes' Anti-Malware
 
Please download Malwarebytes Anti-Malware and save it to your desktop.

• Install the progam and select update.
• Once updated, click the Settings tab, in the left panel choose Detctions & protection and tick Scan for rootkits.
• Click the Scan tab, choose Threat Scan is checked and click Scan Now.
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.
• At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

[shappyrohman]

I was in the middle of doing a Threat Scan with Malwarebytes when my computer crashed again. It was scanning through the file system objects. I didn't see which file it reached, but I recall seeing that it had just scanned system32 files.

 

I am now in Safe Mode and am running the Threat Scan. I will post again when I have a result.

[shappyrohman]

Update: This time I did the Threat Scan in Safe Mode and my computer completely shut off near the end. Not sure what it means

[TwinHeadedEagle]

Can you enter Normal mode?

[shappyrohman]

I am now in Normal mode. I finished the Threat Scan and nothing showed up. However, upon reboot I was prompted to do a Disk Check. 34% into the check, the ChkDsk froze. 

[shappyrohman]

At this point I am starting to think the problem is not a virus, but perhaps a graphics core or hard drive problem. It is a fairly old laptop (almost 5 years)

[TwinHeadedEagle]

I think this problem points to malfunctioned hard drive. When MalwareBytes scans some file that is probably corrupted due to bad sectors on hard drive, system crashed. Failing to complete check disk is another indicator. I think you should think about changing your hard drive. You should visit repair shop, so they can diagnose source of problem.

[shappyrohman]

Ok, I will look into doing that. Thank you very much for your help 

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!