Jump to content
Comrade_Smartass

Need Help Removing SvcHost Virus

Recommended Posts

Hey guys, I need help removing what I think is an SvcHost virus.

I recently started having adware tabs pop up on my PC and then after searching for solutions found that whenever I opened a Malwarebytes (or similar website) page, my browser would immediately crash.  This happens in Chrome, IE, and Tor.  I found this thread which seems to be a very similar virus and after reading a few others, I downloaded MalwareBytes, Rkill, adwcleaner, FRST64, tdsskiller, and aswMBR.  (I'm typing this on my other PC btw.  Downloaded the files on it and emailed them in a .RAR to my desktop.)
This lead to me finding a few things:
-I restarted my PC and immediately opened the Task manager to find an unnamed task using 50+% of my CPU.  If I look at its properties, it says it's Svchost and is located in SysWOW64 where it takes up 44kb.
-I can kill this process, but it doesn't stop the virus from opening apps or closing browsers.
-I do not have permission to delete the application from SysWOW64.  I need "TrustedInstaller" permission, which I know can be a legit Windows thing.
-The MB3-setup exe will not run.  
-If I run Rkill then attempt to run the MB3 exe, it logs the following:

Quote

Performing miscellaneous checks:
* Reparse Point/Junctions Found (Most likely legitimate)! *
C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir]

-I deleted the INetCache folder which appeared to be empty.  Nothing changed.
-adwcleaner and FRST64 won't run.
-tdsskiller doesn't find anything
-I ran aswMBR and my PC blue-screened with the following support info

Quote

Stop code: PAGE _FAULT_IN_NONPAGED_AREA
What failed: aswVmm.sys

 This is where I am currently and I would appreciate any help anyone can give me.

Share this post


Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Wait for further instructions

p.s.
If unable to run this program in normal mode, try in Safe Mode with Networking.

Share this post


Link to post
Share on other sites

Hi Nasdaq.  I took your suggestion and ran it in safe mode and got an error:
 

Quote

Error saving file
C:\FRST\HIVES\DRIVERS !

Continue with the next file?

[ RegCreateKeyEx: 87 - The parameter is incorrect ]

I selected yes and then ran the Scan.  I've attached the generated files below.

P.s: Windows Safe Mode doesn't play nice with extra-wide monitors. lol

Addition.txt

FRST.txt

Share this post


Link to post
Share on other sites

Hello,

I will continue working with you.

 

51a46ae42d560-malwarebytes_anti_malware.Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the progam.
  • Click the Scan tab, choose Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Quarantine Selected button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the Reports tab.
  • Double-click the Scan Log.
  • At the bottom click Export and choose Text file.


Save the file to your desktop and include its content in your next reply.

Share this post


Link to post
Share on other sites

Sure thing.  I'm assuming you want me to do this in safe mode with networking?  As I'm sure you read in my post, I can't visit your website or run Malwarebytes on my desktop while running in normal mode.  Anyways, I installed the program and ran a scan, then quarantined the selected threats.  I was not prompted to reboot but did anyways, into normal mode.
While I was able to boot and reopen Malwarebytes, in closed and refused to reopen several seconds later.  The fake SvcHost process is still there as well.  The log is posted below.

Also, may I ask how this relates to what I was told to do with FRST?
 

Quote

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/11/18
Scan Time: 9:45 AM
Log File: e66d4bac-b5c8-11e8-96aa-309c239d99d8.json

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.441
Update Package Version: 1.0.6771
License: Trial

-System Information-
OS: Windows 10 (Build 17134.228)
CPU: x64
File System: NTFS
User: DESKTOP-B18Q53N\Comrade

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 289255
Threats Detected: 11
Threats Quarantined: 11
Time Elapsed: 1 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 7
PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\NAHHMPBCKPGDIDFNMFKFGIFLPJIJILCE, Quarantined, [250], [440037],1.0.6771
PUP.Optional.SearchManager, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\NAHHMPBCKPGDIDFNMFKFGIFLPJIJILCE, Quarantined, [250], [440037],1.0.6771
PUP.Optional.SearchManager, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\nahhmpbckpgdidfnmfkfgiflpjijilce, Quarantined, [250], [440037],1.0.6771
PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\PILPLLOABDEDFMIALNFCHJOMJMPJCOEJ, Quarantined, [250], [183362],1.0.6771
PUP.Optional.SearchManager, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\PILPLLOABDEDFMIALNFCHJOMJMPJCOEJ, Quarantined, [250], [183362],1.0.6771
PUP.Optional.SearchManager, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [250], [183362],1.0.6771
PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{518b33ae-375d-712d-6742-d1fe0400268d}, Quarantined, [230], [413444],1.0.6771

Registry Value: 1
PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{518b33ae-375d-712d-6742-d1fe0400268d}|URL, Quarantined, [230], [413444],1.0.6771

Registry Data: 1
PUP.Optional.WinYahoo, HKU\S-1-5-21-3317883210-2360311007-2641292243-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [230], [413442],1.0.6771

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
PUP.Optional.SearchManager, C:\USERS\COMRADE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [250], [440037],1.0.6771
PUP.Optional.SearchManager, C:\USERS\COMRADE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [250], [183362],1.0.6771

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


 

Share this post


Link to post
Share on other sites

FRST.gif Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition.txt option is checked. option is checked.

    2873ryc.png

  • Press Scan button and wait.

  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.


Please attach report into your next reply.

Share this post


Link to post
Share on other sites

FRST.gif Fix with Farbar Recovery Scan Tool

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif


icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finishes FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

Share this post


Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.