Suspected virus on PC

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shadowsofbodom, Feb 5, 2012.

  1. shadowsofbodom

    shadowsofbodom Private E-2

    Around a week ago I felt like my PC performance was really slowing down and after a couple scans with AVG trial, it found viruses but I was not sure if they were removing them completely and/or if my computer was still infected. I read through the readme and followed the steps and still believe my computer to be infected, but of course, I have no real way of knowing myself. So I will post the logs from the programs you asked me to run. Hopefully the logs show what you guys need to know. Thank you for your time.

    -Jordan
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    File::
    C:\Users\Jordan\AppData\Roaming\Microsoft\Windows\Templates\2fo34m1oy8
    C:\ProgramData\2fo34m1oy8
    c:\users\Jordan\AppData\Local\Temp\005C600.tmp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. shadowsofbodom

    shadowsofbodom Private E-2

    -Combofix was downloaded and installed on my desktop upon reading the README
    -When I ran Combofix, it stated that I still have my anti-virus open even though I had shut down Vipre (my anti-virus) and disabled the active protection from it before I shut it down. I could not find Vipre in applications or processes under task manager after control+alt+deleting. I uninstalled other anti-viruses before running ComboFix.
    -I dragged the text file you posted into my combofix exe file and got the following logs and zip files that you requested.

    P.S. things are working ok, but I still suspect a virus/trojan being on my machine.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding any malware in your log. What malware issues are you still having?
     
  5. shadowsofbodom

    shadowsofbodom Private E-2

    When I have Malwarebytes Anti-Malware with protection, it will periodically say it successfully stops access to a website that looks like an ip address.

    http://i61.photobucket.com/albums/h57/shadowsofbodom/svchost.jpg

    This worries me because I believe svchost.exe was one of the trojans that was removed but it seems it is still trying to get access.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true. See the below in newfiles.txt
    Code:
    "C:\Windows\svchost.exe" 20480 07/13/2009 08:14 PM 
    It also shows in winfiles.txt

    Also in procdll.txt the below appears
    Code:
    svchost (\\.\globalroot\systemroot\svchost.exe)
     
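    The point chaslang is making is that the file name alone proves nothing: the genuine svchost.exe lives in C:\Windows\System32 (and SysWOW64 on 64-bit), so a copy sitting directly in C:\Windows, or one reported through the \\.\globalroot\systemroot\ device path, is a process name being borrowed, not the real service host. The script below is an added example, not one of the MajorGeeks tools and not code from the thread: it parses log lines shaped like the newfiles.txt and procdll.txt entries quoted above (the sample lines are constructed, and it assumes a default Windows install on C:) and flags well-known system process names found outside their expected directory.

```python
"""
Flag executables that borrow the name of a Windows system process but sit
outside the directory that process is expected to run from.
Added example, not a MajorGeeks tool. The sample log lines are constructed
to resemble the newfiles.txt / procdll.txt entries quoted in the thread.
"""
import re
from pathlib import PureWindowsPath

# Where the genuine binaries live (assumption: default Windows install on C:).
EXPECTED_DIRS = {
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "lsass.exe": {r"C:\Windows\System32"},
    "csrss.exe": {r"C:\Windows\System32"},
    "explorer.exe": {r"C:\Windows"},
}

# Device-path prefixes that tools may print instead of a drive letter;
# \\.\globalroot\systemroot\ resolves to the Windows directory.
ALIASES = {
    r"\\.\globalroot\systemroot": r"C:\Windows",
    r"\systemroot": r"C:\Windows",
}


def normalize(path: str) -> str:
    """Strip quotes and rewrite known device-path aliases to a drive path."""
    p = path.strip().strip('"')
    low = p.lower()
    for prefix, repl in ALIASES.items():
        if low.startswith(prefix.lower()):
            return repl + p[len(prefix):]
    return p


def classify(path: str):
    """Return (file name, verdict); verdict is 'expected', 'suspicious' or 'unknown'."""
    p = PureWindowsPath(normalize(path))
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name not in EXPECTED_DIRS:
        return name, "unknown"          # not a name we have a rule for
    ok = any(parent == d.lower() for d in EXPECTED_DIRS[name])
    return name, "expected" if ok else "suspicious"


# newfiles.txt style:  "path" size date time
NEWFILES_RE = re.compile(
    r'^"(?P<path>[^"]+)"\s+(?P<size>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)')
# procdll.txt style:   name (path)
PROCDLL_RE = re.compile(r'^\S+\s+\((?P<path>[^)]+)\)')


def extract_paths(lines):
    """Yield the executable path from each line that matches a known log shape."""
    for line in lines:
        line = line.strip()
        m = NEWFILES_RE.match(line) or PROCDLL_RE.match(line)
        if m:
            yield m.group("path")


def suspicious_entries(lines):
    """Return (name, normalized path) for every system-process name found off-path."""
    found = []
    for path in extract_paths(lines):
        name, verdict = classify(path)
        if verdict == "suspicious":
            found.append((name, normalize(path)))
    return found


# Constructed sample input mirroring the two log formats quoted in the thread.
SAMPLE_LOG = [
    '"C:\\Windows\\svchost.exe" 20480 07/13/2009 08:14 PM',
    '"C:\\Windows\\System32\\svchost.exe" 27136 07/13/2009 08:14 PM',
    'svchost (\\\\.\\globalroot\\systemroot\\svchost.exe)',
    'svchost (C:\\Windows\\System32\\svchost.exe)',
    'explorer (C:\\Windows\\explorer.exe)',
]

if __name__ == "__main__":
    for name, path in suspicious_entries(SAMPLE_LOG):
        print(f"SUSPICIOUS: {name} found at {path}")
```

    Run against the constructed sample it reports the C:\Windows\svchost.exe entry twice (once from each log format) and stays quiet about the System32 copy and explorer.exe, which is exactly the distinction the two log excerpts above draw. Matching on the parent directory rather than on a substring is deliberate: a path such as C:\Windows\System32x\svchost.exe should not pass as legitimate.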
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then let's get rid of that bad boy.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    File::
    C:\Windows\svchost.exe
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think there will be more to do than this to get this removed. I recommend running both TDSSkiller and MBRcheck too.
     
  9. shadowsofbodom

    shadowsofbodom Private E-2

    TimW, I followed your instruction and the virus seems to still be there as this pop-up keeps coming back up every minute or so. http://i61.photobucket.com/albums/h57/shadowsofbodom/svchost.jpg

    Here are the logs you requested though.

    And chaslang, are the TDSSkiller and MBRcheck programs downloadable through your site? And if they are, I assume there are full instructions on how to use them properly? Should I await further instruction before using them?
     

    Attached Files:

  10. shadowsofbodom

    shadowsofbodom Private E-2

    I went ahead and ran TDSSkiller and MBRcheck. After running them and rebooting, it seems the virus is no longer there because I am no longer getting the malwarebyte's pop-up saying that it was trying to access the ip. The logs from TDSSkiller and MBRcheck are attached.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks like TDSSKiller did the trick. Let me know if you are having any issues.
     
  12. shadowsofbodom

    shadowsofbodom Private E-2

    Thank you Tim and chaslang for your volunteer work, you guys are awesome.

    After a couple days go by and I think the computer is safe, is it recommended to uninstall the programs downloaded from README page?
     
  13. shadowsofbodom

    shadowsofbodom Private E-2

    I got another message from malwarebytes anti-malware saying svhost.exe was another trojan and I told it to quarantine it. Not sure where that came from, I barely did any surfing so I don't know what to do next after all those steps.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please re-run ComboFix and then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    • C:\MGlogs.zip
    • Combo Log
     
