Malware / Virus removal problem please help....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by iPromo, Feb 29, 2012.

  1. iPromo

    iPromo Private E-2

    Hi guys,

    I have a big problem which has really been bugging me for 2 weeks now.
    I have searched all over the web but found no solution.
    As you may see I am new to this forum, so please don't be harsh / strict.

    Just before I describe my problem I will list my laptop specs:
    Acer Aspire 5820T
    Intel(R) Core(TM) i5 CPU M 430 @ 2.27GHz
    4GB Ram (3.80GB usable)
    64Bit Operating system

    + My OS (Operating System): Windows 7 Home Premium

    Ok so here's my problem:

    Two weeks ago my computer was fine, but one day I got a problem which caused me to get BSODs and heavily decreased my speed. It also heavily decreased my startup and shutdown speed. My startup time was usually 15 secs and shutdown about 25, but now my startup time is 4 mins+ and shutdown the same.

    So what I did was restore my computer to default factory settings with Acer eRecovery Management. Once I booted up again I still recognised the slow speeds like before; I also recognised that eRecovery only deleted all the files on my "C" drive, so I went on my "D" drive and deleted everything and started eRecovery Management again.

    Again I recognised the same problem, so now I downloaded Malwarebytes and it blocks many IPs using the process svchost.exe. I have only seen 2 IPs which it has blocked: "88.214.193.251" and "206.161.121.3". The first one is using port 53075 but I didn't see the second one's port.

    So this virus must be infected in my Windows folders.

    So I am asking this forum + you guys :) to help me. I hope someone can help me because I have lots of work to do and I have too many exams to waste my time too much.

    Also there is another thread on this forum which is like mine

    http://forums.majorgeeks.com/showthread.php?t=238867




    Thank you to people who actually help :), please no timewasters!
     
  2. iPromo

    iPromo Private E-2

  3. iPromo

    iPromo Private E-2

    I have found more blocked IPs:

    2012/02/29 18:52:34 GMT Milad-PC Milad MESSAGE Starting protection
    2012/02/29 18:52:36 GMT Milad-PC Milad MESSAGE Protection started successfully
    2012/02/29 18:52:39 GMT Milad-PC Milad MESSAGE Starting IP protection
    2012/02/29 18:52:40 GMT Milad-PC Milad MESSAGE IP Protection started successfully
    2012/02/29 18:57:15 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 52794, Process: svchost.exe)
    2012/02/29 18:57:15 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 52795, Process: svchost.exe)
    2012/02/29 19:02:05 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53075, Process: svchost.exe)
    2012/02/29 19:04:22 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53375, Process: svchost.exe)
    2012/02/29 19:07:38 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53736, Process: svchost.exe)
    2012/02/29 19:07:38 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53737, Process: svchost.exe)
    2012/02/29 19:07:55 GMT Milad-PC Milad IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 53756, Process: svchost.exe)
    2012/02/29 19:08:43 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53767, Process: svchost.exe)
    2012/02/29 19:08:43 GMT Milad-PC Milad IP-BLOCK 173.236.35.99 (Type: outgoing, Port: 53768, Process: svchost.exe)
    2012/02/29 19:11:01 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53802, Process: svchost.exe)
    2012/02/29 19:11:01 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53803, Process: svchost.exe)
    2012/02/29 19:15:44 GMT Milad-PC Milad IP-BLOCK 173.236.56.93 (Type: outgoing, Port: 53892, Process: svchost.exe)
    2012/02/29 19:15:44 GMT Milad-PC Milad IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53888, Process: svchost.exe)
    2012/02/29 19:15:44 GMT Milad-PC Milad IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53890, Process: svchost.exe)
    2012/02/29 19:15:44 GMT Milad-PC Milad IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53894, Process: svchost.exe)
    2012/02/29 19:15:44 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53895, Process: svchost.exe)
    2012/02/29 19:15:53 GMT Milad-PC Milad IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 53927, Process: svchost.exe)
    2012/02/29 19:15:53 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53928, Process: svchost.exe)
    2012/02/29 19:15:53 GMT Milad-PC Milad IP-BLOCK 206.161.121.2 (Type: outgoing, Port: 53934, Process: svchost.exe)
    2012/02/29 19:17:06 GMT Milad-PC Milad IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53985, Process: svchost.exe)
    2012/02/29 19:18:10 GMT Milad-PC Milad IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 54037, Process: svchost.exe)
    2012/02/29 19:21:00 GMT Milad-PC Milad IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 54154, Process: svchost.exe)
    2012/02/29 19:21:00 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 54155, Process: svchost.exe)
    2012/02/29 19:22:21 GMT Milad-PC Milad IP-BLOCK 173.236.35.99 (Type: outgoing, Port: 54205, Process: svchost.exe)
    2012/02/29 19:26:58 GMT Milad-PC Milad IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 54282, Process: svchost.exe)
    2012/02/29 19:27:06 GMT Milad-PC Milad IP-BLOCK 173.236.56.93 (Type: outgoing, Port: 54285, Process: svchost.exe)
    2012/02/29 19:27:06 GMT Milad-PC Milad IP-BLOCK 173.236.56.93 (Type: outgoing, Port: 54286, Process: svchost.exe)
    2012/02/29 19:27:06 GMT Milad-PC Milad IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 54287, Process: svchost.exe)
    2012/02/29 19:27:57 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 54326, Process: svchost.exe)
    2012/02/29 19:29:58 GMT Milad-PC Milad IP-BLOCK 173.236.56.93 (Type: outgoing, Port: 54397, Process: svchost.exe)
    2012/02/29 19:31:44 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 54466, Process: svchost.exe)
    2012/02/29 19:38:23 GMT Milad-PC Milad IP-BLOCK 178.162.172.39 (Type: outgoing, Port: 54757, Process: svchost.exe)
    2012/02/29 19:50:18 GMT MILAD-PC Milad MESSAGE Starting protection
    2012/02/29 19:50:21 GMT MILAD-PC Milad MESSAGE Protection started successfully
    2012/02/29 19:50:24 GMT MILAD-PC Milad MESSAGE Starting IP protection
    2012/02/29 19:50:26 GMT MILAD-PC Milad MESSAGE IP Protection started successfully
    2012/02/29 19:50:40 GMT MILAD-PC Milad IP-BLOCK 141.136.16.150 (Type: outgoing, Port: 49174, Process: svchost.exe)
    2012/02/29 19:53:07 GMT MILAD-PC Milad IP-BLOCK 178.162.172.39 (Type: outgoing, Port: 49243, Process: svchost.exe)
    2012/02/29 19:53:40 GMT MILAD-PC Milad IP-BLOCK 173.236.35.99 (Type: outgoing, Port: 49278, Process: svchost.exe)
    2012/02/29 19:54:04 GMT MILAD-PC Milad IP-BLOCK 178.162.172.39 (Type: outgoing, Port: 49323, Process: svchost.exe)
    2012/02/29 19:57:02 GMT MILAD-PC Milad IP-BLOCK 173.236.56.93 (Type: outgoing, Port: 49414, Process: svchost.exe)


    From Malwarebytes.....
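The blocked-connection lines above, summarised by an added script that is not from the thread or from Malwarebytes: it parses this Malwarebytes IP-BLOCK line format, groups the outbound blocks by process and destination, and flags destinations a process keeps reconnecting to at short intervals, which is the pattern a command-and-control beacon leaves in such a log. The sample lines are a constructed excerpt in the same format as the log above, and the thresholds (at least 3 blocks, median gap of 15 minutes or less) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Malwarebytes 1.x protection-log line, in the shape posted above, e.g.
# 2012/02/29 18:57:15 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 52794, Process: svchost.exe)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) GMT "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<dir>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

# Constructed sample: a short excerpt in the same format as the log above,
# with the MESSAGE lines left in so the parser has to skip them.
SAMPLE_LOG = """\
2012/02/29 18:52:34 GMT Milad-PC Milad MESSAGE Starting protection
2012/02/29 18:52:40 GMT Milad-PC Milad MESSAGE IP Protection started successfully
2012/02/29 18:57:15 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 52794, Process: svchost.exe)
2012/02/29 18:57:15 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 52795, Process: svchost.exe)
2012/02/29 19:02:05 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53075, Process: svchost.exe)
2012/02/29 19:04:22 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53375, Process: svchost.exe)
2012/02/29 19:07:38 GMT Milad-PC Milad IP-BLOCK 88.214.193.251 (Type: outgoing, Port: 53736, Process: svchost.exe)
2012/02/29 19:07:55 GMT Milad-PC Milad IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 53756, Process: svchost.exe)
2012/02/29 19:15:44 GMT Milad-PC Milad IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53888, Process: svchost.exe)
2012/02/29 19:15:44 GMT Milad-PC Milad IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53890, Process: svchost.exe)
2012/02/29 19:17:06 GMT Milad-PC Milad IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53985, Process: svchost.exe)
2012/02/29 19:26:58 GMT Milad-PC Milad IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 54282, Process: svchost.exe)
"""


def parse_ip_blocks(text):
    """Return one dict per IP-BLOCK line; MESSAGE and unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "ip": m["ip"],
            "direction": m["dir"],
            "port": int(m["port"]),
            "process": m["proc"].strip().lower(),
        })
    return events


def summarize(events):
    """Group outgoing blocks by (process, destination IP).

    For each pair returns the number of blocked connections, the time span
    covered, and the (upper) median gap in seconds between *distinct*
    timestamps: two blocks in the same second, like ports 52794/52795 above,
    are one attempt that opened two sockets and must not count as a zero gap.
    """
    stamps = defaultdict(list)
    for e in events:
        if e["direction"] == "outgoing":
            stamps[(e["process"], e["ip"])].append(e["ts"])
    summary = {}
    for key, ts_list in stamps.items():
        distinct = sorted(set(ts_list))
        gaps = sorted((b - a).total_seconds() for a, b in zip(distinct, distinct[1:]))
        summary[key] = {
            "count": len(ts_list),
            "span_s": (distinct[-1] - distinct[0]).total_seconds(),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return summary


def flag_beacons(summary, min_count=3, max_gap_s=900):
    """Return the sorted (process, ip) pairs that look beacon-like: contacted
    at least min_count times with a median gap of at most max_gap_s seconds.
    A process that keeps reconnecting to the same address every few minutes,
    as svchost.exe does in the log above, is what this isolates."""
    flagged = []
    for key, s in summary.items():
        gap = s["median_gap_s"]
        if s["count"] >= min_count and gap is not None and gap <= max_gap_s:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(parse_ip_blocks(SAMPLE_LOG))
    for (proc, ip), s in sorted(summary.items()):
        print(f"{proc:12} -> {ip:16} blocks={s['count']:2} "
              f"span={s['span_s']:6.0f}s median_gap={s['median_gap_s']}")
    print("beacon-like:", flag_beacons(summary))
```

Run it against a real protection log by replacing SAMPLE_LOG with the file contents; a single-hit destination such as 206.161.121.3 is reported but not flagged.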
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything. Note: if you cannot save things in C:\ then just save them to your Desktop. Make sure that you have disabled UAC and rebooted first if you are running Windows Vista or Windows 7.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.



    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:


    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  5. iPromo

    iPromo Private E-2

    Hi Admin,

    Thanks for your quick reply :)

    I have attached the logs below as requested ;)


    Thank you again mate :)
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I also need the logs ( attached ) from running:
    SAS
    ComboFix
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run the C:\MGTools.exe and then attach the C:\MGLogs.zip.
     
  8. iPromo

    iPromo Private E-2

    I did; it was scanning files and then asked me to install hijacker and I had to accept twice. Anyway I'll do it again once I am home :).


    + I really appreciate your help, you do this all for me and you do it for free! I really can't thank you enough; the world is missing people like you...
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem. :)
     
  10. iPromo

    iPromo Private E-2

    Hi again Tim,

    So I recognised that I uploaded the wrong thing before, so here is the MGlogs.zip file.


    Thanks again mate :)
     

    Attached Files:

  11. iPromo

    iPromo Private E-2

    Hi Tim,

    I have also uploaded the SAS (SUPERAntiSpyware) log.



    Thank you :)
     

    Attached Files:

  12. iPromo

    iPromo Private E-2

    Hi Tim,

    I have recognised that I get BSODs even when I'm idle now. I hope it hasn't affected my memory. I also think the virus has spread in my Windows folders because even when I restore my laptop to factory settings it still appears... (But I haven't restored my laptop since this thread started.)

    Also I have only had the laptop for 1 year now.




    Thanks iPromo.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now use windows explorer to find and delete:
    C:\ProgramData\Partner
    Though you may have to first delete the .dll.

    I am not finding any malware in your logs. I suggest you post in the software forum for further assistance with your BSOD issue.

    Since you are not having any malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  14. iPromo

    iPromo Private E-2

    Hi Tim,


    OK so I did a full system scan and as my laptop is nearly empty (of software) it only took 40 mins to complete. I saw 2 viruses which were named svchost.exe and they were identified as trojans. I also mentioned that I always get blocked IP messages from my computer under the process name svchost.exe and it is outgoing. So Malwarebytes said I have to restart my PC to delete the files. I restarted my PC and this time only scanned my Windows folder and the 2 files were there again! So this means the virus reproduces itself even when I delete it.... So I am searching the web for anything that resolves the problem..

    So if you have any past experience with this virus or know anything about it please state it :) ... Also I am very sorry to bug you so much Tim -.-" but you're the guy with answers :-D



    Thanks mate.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the log from MBAM.
     
  16. iPromo

    iPromo Private E-2

    Hi Tim,

    I have attached it for you mate.


    Thanks iPromo
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download ComboFix to your desktop and run it. Attach the resultant log.
     
  18. iPromo

    iPromo Private E-2

    Hi Tim,

    As requested i ran combofix and attached the logs which it produced at the end.



    Thanks mate :)
     

    Attached Files:

    • log.txt (23.7 KB, 3 views)
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Strange, it didn't recognize that file as infected.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    
    File::
    C:\Windows\svchost.exe
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  20. iPromo

    iPromo Private E-2

    Hi Tim,

    I forgot to state that when I was running ComboFix it said it deleted C:\Windows\svchost.exe (I didn't get a message box or anything, I read it in the batch file), and since then I have scanned my Windows folder and Malwarebytes has found nothing, but I still get random messages from Malwarebytes saying that it blocked the IP "xxxxxxxx" because it was malicious, and it also states that it is running under the process name svchost.exe.

    So should I do what you told me to do? (Dragging the Notepad file onto ComboFix on the desktop.)

    (By "xxxxxx" I mean random IPs every time, because I get a message every 5+ minutes.)


    Thanks Mate
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, go ahead and run the fix. ;)
     
  22. iPromo

    iPromo Private E-2

    Hi Tim,

    Ok so i did what you said but these things happened:

    1) When I did the thing on ComboFix everything went smoothly and then it rebooted itself and automatically opened the batch file again. At the end it said "Creating logs" and then a line below it said "Please wait for ComboFix to create logs and don't turn on any programs" (it was something similar). I left it for 30 mins but it still had the same message, so I eventually turned it off, but it had produced a log which I have attached.


    2) When I did the thing on MGlogs I got a message from hijacker stating that it cannot access a specific system type... This might be because I had enabled UAC before, so should I do everything again with UAC off?




    Sorry, I know my questions seem stupid to you but I'm not really into resolving virus type problems, I'm more into programming and designing .... (btw I'm only 14 so there you go :p)


    Anyway thanks mate. :)
     

    Attached Files:

  23. iPromo

    iPromo Private E-2

    Hi Tim,

    I scanned my Windows folder again with Malwarebytes and I got the 2 viruses again. This time I have attached the log + a screenshot. By the way, I took no action to delete them.


    Thanks mate.
     

    Attached Files:

  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you should have done everything with UAC disabled!! Please disable it now and re-run MBAM and have it fix what it finds.
     
  25. iPromo

    iPromo Private E-2

    Hi Tim,

    I am very sorry that I haven't been active for these few days. I have had over 5 exams! And I went to the library every day to revise -.-" I will quickly get back to work on my laptop asap.

    Sorry for all my time wasting but my grades matter to me :)

    Anyway thanks mate.
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem. We will be here when you are ready.
     
  27. iPromo

    iPromo Private E-2

    Hi Tim,

    I am very sorry for my late reply but I managed to use a bit of time on my laptop. OK so I recognised that every time I turn on my laptop a small window quickly opens and closes; it is only visible for 1/2 second so I can't read the title. So I go on Task Manager -> all processes and see "svchost.exe *32" running. I knew this one was the virus because all the other svchost processes were only named "svchost.exe". So to verify it was the virus I clicked Open File Location and it went into C -> Windows -> svchost.exe. I scanned the file and it was infected (Trojan Agent). So I played a bit with the process options and set it to only read & execute, because the system was allowing it to do everything! And when I turn my laptop on now I see the window for 1/2 second but the process is not running. I still get a BSOD sometimes (e.g. when I turn on my computer and quickly press Mozilla Firefox). However I think my Windows files are still infected, although Malwarebytes only detects 2 viruses (svchost.exe and the process svchost.exe *32). In addition, when I am running in safe mode I never get a BSOD.

    I think my only solution is to get a new windows cd and install it onto my laptop:(


    Anyway Tim thanks for helping me, can you please tell me what to do now? (do i still need to run combofix?).

    Thanks again mate :)
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Be sure you disable UAC and then run both MBAM and ComboFix. Attach the two logs. ;)
     
  29. iPromo

    iPromo Private E-2

    Hi Tim,

    I finally got a chance to continue repairing my laptop, so I have attached the MGlogs.zip file, but ComboFix said that it is expired, so it shut itself down and deleted the shortcut from my desktop. I don't know what to do about the ComboFix issue; redownload?

    Additional details: The virus file is C:\Windows\svchost.exe. This runs a process called "svchost.exe *32"; the user name in Task Manager is identified as "SYSTEM" and the details are "winrscmde".

    Anyway i really appreciate your help Tim ;) you are really talented.
     

    Attached Files:

  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It "expired" due to age.

    Download a fresh copy of ComboFix to your desktop and try to run it. Attach the log once it is finished.
     
  31. iPromo

    iPromo Private E-2

    Hi Tim,

    Long time no see ;), sorry again, I have minimal time.
    So I ran ComboFix 3 times but my computer got a BSOD 3 times while having ComboFix on for about 10 mins. However, when I do work on my computer I don't get a BSOD, but my startup time is still affected and Malwarebytes still identifies it as a virus. I can close the process with the steps below:
    1) Computer turns on
    2) I see the virus window open straight away but I wait for Malwarebytes to open in the tray menu
    3) When Malwarebytes is active, I go on Task Manager -> show all processes -> and find "svchost.exe*32" -> I click on it once and press End Process.
    4) (When you end the process of the virus it automatically restarts but the window is not visible like it is on startup) so the virus tries to start up again but Malwarebytes opens a window saying to "quarantine" the virus or "ignore" it.
    5) I always press quarantine but on the next startup it is the same story

    I still think the virus is affecting my BSOD problems too, well I hope so...
    So do you have any other suggestions? Or should I try ComboFix again?

    (I don't get the BSOD at a specific time when I run ComboFix, it just happens at a random time.) I also don't have any other programs open while I run ComboFix, I just sit next to my laptop waiting for it.

    Thank you again Tim :)
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing Combo in your logs. Did you download it to your desktop as instructed?

    You need to remove all that you can in this folder:
    C:\Users\Milad\AppData\Local\Temp\

    I am not seeing the svchost file in your logs.

    Download OTL to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.


    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  33. iPromo

    iPromo Private E-2

    Hi Tim,

    I attached the 2 logs, thanks for your quick reply :)
     

    Attached Files:

    Last edited by a moderator: Apr 4, 2012
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :otl
    :files
    C:\Windows\svchost.exe
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  35. iPromo

    iPromo Private E-2


    Hi Tim!,

    I finally managed to remove the virus, and for everyone else having the same problem I have posted how I have resolved it:

    1) Download tdsskiller.

    2) Extract the zip file and then right click the .exe file and select "run as administrator" (in win7/vista).

    3) It will open up a small gui, just press start scan and it will only take about 2 mins.

    4) When it finishes scanning it will ask you what to do with the infected file(s). Just cure them all.

    5) It will ask you to reboot your computer, reboot it!

    6) When your computer is on again, open Task Manager and select "view processes from all users". You should now see that there is no svchost.exe*32 running anymore ;)

    7) But you're nearly finished; there is only one last thing to do. Download Malwarebytes and then go to My Computer -> C -> and right click the "Windows" folder. Select "Scan with Malwarebytes" and wait for the scan to finish. At the end of the scan it will ask you to reboot; reboot your computer.

    8) Just to be sure everything went correctly, check Task Manager for the svchost*32.exe process and check for svchost.exe in the Windows folder. If they are not there then the virus is gone.


    That's It! :)


    Again I would like to thank everyone on this forum who has tried to help me, and especially Tim because he has worked his socks off to help me :-D

    Thanks again to everyone!

    ______
    iPromo
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know, as TDSSKiller was our next process to try.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
