Comrade_Smartass Posted September 9, 2018 ID:1268577

Hey guys, I need help removing what I think is an SvcHost virus. I recently started having adware tabs pop up on my PC and then, after searching for solutions, found that whenever I opened a Malwarebytes (or similar website) page, my browser would immediately crash. This happens in Chrome, IE, and Tor. I found this thread which seems to be a very similar virus and, after reading a few others, I downloaded Malwarebytes, Rkill, adwcleaner, FRST64, tdsskiller, and aswMBR. (I'm typing this on my other PC btw. Downloaded the files on it and emailed them in a .RAR to my desktop.)

This led to me finding a few things:

- I restarted my PC and immediately opened the Task Manager to find an unnamed task using 50+% of my CPU. If I look at its properties, it says it's Svchost and is located in SysWOW64, where it takes up 44 KB.
- I can kill this process, but it doesn't stop the virus from opening apps or closing browsers.
- I do not have permission to delete the application from SysWOW64. I need "TrustedInstaller" permission, which I know can be a legit Windows thing.
- The MB3-setup exe will not run.
- If I run Rkill then attempt to run the MB3 exe, it logs the following:

    Quote
    Performing miscellaneous checks:
    * Reparse Point/Junctions Found (Most likely legitimate)!
    * C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir]

- I deleted the INetCache folder, which appeared to be empty. Nothing changed.
- adwcleaner and FRST64 won't run.
- tdsskiller doesn't find anything.
- I ran aswMBR and my PC blue-screened with the following support info:

    Quote
    Stop code: PAGE_FAULT_IN_NONPAGED_AREA
    What failed: aswVmm.sys

This is where I am currently and I would appreciate any help anyone can give me.
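The post above describes the classic symptom set for a process masquerading as svchost.exe: high CPU, an odd location, and a file the user cannot delete. The following script is an added example, not code from the thread or from Malwarebytes, showing how a responder triages every running svchost.exe on a Windows 10 host before trusting any of them. It assumes three things about a genuine Service Host instance: its image is System32\svchost.exe or its 32-bit twin SysWOW64\svchost.exe (the SysWOW64 copy is a legitimate part of 64-bit Windows, so location alone does not decide the question), it is started by services.exe with a "-k <service group>" argument, and the image carries a valid Microsoft catalog signature. Run it from an elevated prompt.

```powershell
# Added example (not from the thread or from Malwarebytes): triage every running
# svchost.exe and flag the instances that do not look like a genuine Service Host.
# Assumptions: the legitimate image lives only at System32\svchost.exe or
# SysWOW64\svchost.exe, every genuine instance is started by services.exe with a
# "-k <group>" argument, and the image carries a valid Microsoft catalog signature.

$expectedImages = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # 32-bit copy; legitimate on x64 Windows
)

# Snapshot the whole process table once so parents can be resolved by PID.
# Caveat: PIDs are reused, so a parent that already exited can map to an unrelated
# process; treat "parent is not services.exe" as a lead, not as proof.
$table = @{}
Get-CimInstance Win32_Process | ForEach-Object { $table[[uint32]$_.ProcessId] = $_ }

function Test-SvchostInstance {
    param([Microsoft.Management.Infrastructure.CimInstance]$Process)
    $flags = @()
    $image = $Process.ExecutablePath

    if (-not $image) {
        $flags += 'image path unavailable (access denied or process hollowed)'
    } elseif ($expectedImages -notcontains $image) {
        $flags += "unexpected image path: $image"
    }

    $parent = $table[[uint32]$Process.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ne 'services.exe') {
        $flags += "parent is $parentName (expected services.exe)"
    }

    if (-not $Process.CommandLine) {
        $flags += 'command line unavailable'
    } elseif ($Process.CommandLine -notmatch '\s-k\s') {
        $flags += 'no -k service group on the command line'
    }

    if ($image -and (Test-Path -LiteralPath $image)) {
        # Windows binaries are catalog-signed; on Windows 10 Get-AuthenticodeSignature
        # resolves catalog signatures (SignatureType = Catalog).
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $flags += "signature: $($sig.Status)"
        }
    }

    # CPU seconds consumed so far; $null (access denied) becomes 0.
    $cpu = (Get-Process -Id $Process.ProcessId -ErrorAction SilentlyContinue).CPU

    [pscustomobject]@{
        PID        = $Process.ProcessId
        Parent     = $parentName
        Image      = $image
        CPUSeconds = [math]::Round([double]$cpu, 1)
        Flags      = $flags -join '; '
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object { Test-SvchostInstance $_ } |
    Sort-Object { $_.Flags.Length }, CPUSeconds -Descending |
    Format-Table -AutoSize
```

Rows with a non-empty Flags column rise to the top. A hit on the signature or parent check is far stronger evidence than the path check, because a malicious loader can launch the genuine SysWOW64 binary and inject into it, in which case the image, signature and size all look normal and only the parent and command line give it away. The name filter only catches processes that actually call themselves svchost.exe; for a task that shows up unnamed in Task Manager, drop the -Filter and flag any process whose ExecutablePath file name is svchost.exe instead.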
nasdaq Posted September 10, 2018 ID:1268659

Hello, Welcome to Malwarebytes.

I'm nasdaq and will be helping you.

If you can please print this topic, it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

Download the version of this tool for your operating system: Farbar Recovery Scan Tool (64 bit) or Farbar Recovery Scan Tool (32 bit), and save it to a folder on your computer's Desktop.

Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
Attach the file: select "Choose a File", navigate to the location of the file, click the file you wish to attach, click "Attach this file", then click the "Add Reply" button.

===

Please post the logs for my review.

Wait for further instructions.

P.S. If unable to run this program in normal mode, try in Safe Mode with Networking.
Comrade_Smartass (Author) Posted September 10, 2018 ID:1268671

Hi Nasdaq. I took your suggestion and ran it in safe mode and got an error:

    Quote
    Error saving file C:\FRST\HIVES\DRIVERS ! Continue with the next file? [ RegCreateKeyEx: 87 - The parameter is incorrect ]

I selected yes and then ran the Scan. I've attached the generated files below.

P.S.: Windows Safe Mode doesn't play nice with extra-wide monitors. lol

Attachments: Addition.txt, FRST.txt
Comrade_Smartass (Author) Posted September 10, 2018 ID:1268708

Not to rush you, but can I expect a solution today? I definitely don't want this virus on my PC longer than necessary.
TwinHeadedEagle Posted September 11, 2018 ID:1268867

Hello, I will continue working with you.

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
Install the program.
Click the Scan tab, make sure Threat Scan is checked, and click Start Scan.
If threats are detected, click the Quarantine Selected button. You will now be prompted to reboot. Click Yes.
Upon completion of the scan (or after the reboot), click the Reports tab.
Double-click the Scan Log. At the bottom, click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.
Comrade_Smartass (Author) Posted September 11, 2018 ID:1268895

Sure thing. I'm assuming you want me to do this in safe mode with networking? As I'm sure you read in my post, I can't visit your website or run Malwarebytes on my desktop while running in normal mode.

Anyways, I installed the program and ran a scan, then quarantined the selected threats. I was not prompted to reboot but did anyways, into normal mode. While I was able to boot and reopen Malwarebytes, it closed and refused to reopen several seconds later. The fake SvcHost process is still there as well. The log is posted below. Also, may I ask how this relates to what I was told to do with FRST?

    Quote
    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 9/11/18
    Scan Time: 9:45 AM
    Log File: e66d4bac-b5c8-11e8-96aa-309c239d99d8.json

    -Software Information-
    Version: 3.5.1.2522
    Components Version: 1.0.441
    Update Package Version: 1.0.6771
    License: Trial

    -System Information-
    OS: Windows 10 (Build 17134.228)
    CPU: x64
    File System: NTFS
    User: DESKTOP-B18Q53N\Comrade

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 289255
    Threats Detected: 11
    Threats Quarantined: 11
    Time Elapsed: 1 min, 3 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 7
    PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\NAHHMPBCKPGDIDFNMFKFGIFLPJIJILCE, Quarantined, [250], [440037],1.0.6771
    PUP.Optional.SearchManager, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\NAHHMPBCKPGDIDFNMFKFGIFLPJIJILCE, Quarantined, [250], [440037],1.0.6771
    PUP.Optional.SearchManager, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\nahhmpbckpgdidfnmfkfgiflpjijilce, Quarantined, [250], [440037],1.0.6771
    PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\PILPLLOABDEDFMIALNFCHJOMJMPJCOEJ, Quarantined, [250], [183362],1.0.6771
    PUP.Optional.SearchManager, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\PILPLLOABDEDFMIALNFCHJOMJMPJCOEJ, Quarantined, [250], [183362],1.0.6771
    PUP.Optional.SearchManager, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [250], [183362],1.0.6771
    PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{518b33ae-375d-712d-6742-d1fe0400268d}, Quarantined, [230], [413444],1.0.6771

    Registry Value: 1
    PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{518b33ae-375d-712d-6742-d1fe0400268d}|URL, Quarantined, [230], [413444],1.0.6771

    Registry Data: 1
    PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [230], [413442],1.0.6771

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 2
    PUP.Optional.SearchManager, C:\USERS\COMRADE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [250], [440037],1.0.6771
    PUP.Optional.SearchManager, C:\USERS\COMRADE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [250], [183362],1.0.6771

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)

    (end)
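Every registry hit in the log above sits in one of two well-known persistence spots for browser PUPs: the per-extension subkeys under Software\Google\Chrome\Extensions (both the native and the WOW6432Node view, plus the user hive), which Chrome reads as "external extensions" to install on next launch, and the Internet Explorer SearchScopes and Start Page values. The script below is an added example, not part of the thread or of Malwarebytes, that enumerates those locations together with the ExtensionInstallForcelist policy key so a responder can see what was sideloaded before, or after, a cleanup. It assumes the current-user hive (HKCU) stands in for the HKU\<SID> path the log shows, and that $WebStoreUpdateUrl is the Chrome Web Store update endpoint, so any other update_url, or a local "path" value, marks an extension that is not being served from the store.

```powershell
# Added example (not from the thread or from Malwarebytes): list the registry
# locations that sideload or force-install Chrome extensions and that define
# Internet Explorer search scopes, the locations reported in the scan log above.
# Assumptions: HKCU stands in for the HKU\<SID> hive in the log; any update_url
# other than the Web Store endpoint, or a local "path" value, means off-store.

$WebStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'

$ExternalExtensionRoots = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)
$ForcelistRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

function Get-RegistryChromeExtensions {
    # External extensions: one subkey per 32-character extension id, holding
    # either update_url (fetched on next launch) or path + version (local .crx).
    foreach ($root in $ExternalExtensionRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $v = Get-ItemProperty -Path $key.PSPath
            [pscustomobject]@{
                Source    = $root
                Id        = $key.PSChildName
                UpdateUrl = $v.update_url
                LocalPath = $v.path
                OffStore  = ([bool]$v.path) -or ($v.update_url -ne $WebStoreUpdateUrl)
            }
        }
    }
    # Force-install policy: numbered values of the form "<id>;<update url>".
    foreach ($root in $ForcelistRoots) {
        if (-not (Test-Path $root)) { continue }
        $v = Get-ItemProperty -Path $root
        foreach ($prop in ($v.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            $id, $url = [string]$prop.Value -split ';', 2
            [pscustomobject]@{
                Source    = $root
                Id        = $id
                UpdateUrl = $url
                LocalPath = $null
                OffStore  = ($url -ne $WebStoreUpdateUrl)
            }
        }
    }
}

function Get-IESearchScopes {
    $root = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $root)) { return }
    $default = (Get-ItemProperty -Path $root).DefaultScope
    foreach ($key in Get-ChildItem -Path $root) {
        $v = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            Scope     = $key.PSChildName
            Name      = $v.DisplayName
            Url       = $v.URL
            IsDefault = ($key.PSChildName -eq $default)
        }
    }
}

'== Chrome extensions installed via the registry =='
Get-RegistryChromeExtensions | Format-Table -AutoSize

'== Internet Explorer search scopes =='
Get-IESearchScopes | Format-Table -AutoSize

'== Internet Explorer start page =='
(Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main').'Start Page'
```

Treat every row as worth a look, not only the OffStore ones: the two extension IDs in the log were installed through exactly these keys, and an installer that plants a Web Store update_url here still gets Chrome to pull the extension without the user visiting the store. Consumer software rarely has a legitimate reason to use this mechanism. To inspect another user's hive, as the log's HKU\S-1-5-21-... path suggests, map HKEY_USERS first with New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS and substitute HKU:\<SID> for HKCU in the paths.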
TwinHeadedEagle Posted September 11, 2018 ID:1268900

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
Right-click on the icon and select Run as Administrator to start the tool. (XP users click Run after receipt of the Windows Security Warning - Open File.)
Make sure that the Addition.txt option is checked.
Press the Scan button and wait.
The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach the reports to your next reply.
Comrade_Smartass (Author) Posted September 11, 2018 ID:1268912

Okay, here are the new log files.

Attachments: FRST.txt, Addition.txt
TwinHeadedEagle Posted September 12, 2018 ID:1269106

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop. Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
Right-click on the icon and select Run as Administrator to start the tool. (XP users click Run after receipt of the Windows Security Warning - Open File.)
Press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When it finishes, FRST will generate a log on the Desktop, called Fixlog.txt. Please attach it to your reply.

Attachment: fixlist.txt
Comrade_Smartass (Author) Posted September 12, 2018 ID:1269125

The tool did not restart or generate a Fixlog after restart. Do I need to run it again?
Comrade_Smartass (Author) Posted September 12, 2018 ID:1269126

It should be noted that I'm not seeing the occasional popup, website closing, or fake process any longer.
TwinHeadedEagle Posted September 12, 2018 ID:1269127

Can you upload fixlog.txt for me?
Comrade_Smartass (Author) Posted September 12, 2018 ID:1269143

Well, someone didn't read my post... ? I did look again though, and fixlog is apparently placed inside the same folder as FRST, not on the desktop. I've attached the file below. Thanks for the help so far!

Attachment: Fixlog.txt
TwinHeadedEagle Posted September 12, 2018 ID:1269144

Is everything okay now?
Comrade_Smartass (Author) Posted September 12, 2018 ID:1269160

Yeah. As far as I can tell, I don't have any more issues. Thanks for the help!
TwinHeadedEagle Posted September 13, 2018 ID:1269286

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks