BleepingComputer.com: URL/Browser redirecting virus and pre-existing svchost.exe error

Hi. My browser keeps redirecting me when I click on a link from google and this happens to both Firefox and Iexplorer. It redirects me to websites such as juggle.com, mortgage websites, and half of the time fake anti-virus sites. When I click on the link, it's loading and you would probably think it's a bit slow but at the same time, my CPU Usage for Firefox becomes 99-100% or whichever browser I'm using. Then, the CPU usage goes back to normal and that's when it redirects me to said websites. When I type a website in the URL address bar like youtube.com, it works but when it comes to websites with an extension (e.x. www.bleepingcomputer.com/forums/topic359607.html), the CPU usage becomes 99-100% for Firefox and it redirects me.

I've also come across the svchost.exe problem. One of the svchost.exe is running at 99-100% making the computer really slow. It is a SYSTEM svchost.exe and further details, is DCOM Server Process Launcher and TermService (Terminal Services). I've had it for a while and just recently, it went away by itself and it's still gone and I don't want it to come back. I'm afraid if I leave this any longer, it might damage my computer in the future.

Thanks, Blastx

This post has been edited by Budapest: 15 November 2010 - 04:35 PM
Reason for edit: Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP

Hello and welcome. What is your operating System?

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• If TDSSKiller does not run, try renaming it.
  
• To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  
• Click the Start Scan button.
  
• Do not use the computer during the scan
  
• If the scan completes with nothing found, click Close to exit.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  
• Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
• A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  
• Copy and paste the contents of that file in your next reply.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.

Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Hi.

The TDSSKiller.exe scan found no results.
My operating system is Windows XP.

Here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5124

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

11/16/2010 1:20:25 AM
mbam-log-2010-11-16 (01-20-25).txt

Scan type: Quick scan
Objects scanned: 142481
Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{e569e011-7d31-82f5-15f4-4099e20c31da} (Spyware.Passwords.XGen) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\watermark.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Kevin\Application Data\Qefyop\epcoa.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\WINDOWS\ExplorerSrv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kevin\Local Settings\Temp\tmpb7e7b182\r_KillEXE.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\watermark.exe (Trojan.Agent) -> Delete on reboot.

The redirecting virus went away after reboot but after you close the browser (Firefox) and then open it again, the redirecting virus is back. I get one odd youtube pop-up and it's always the same.

Thanks, Blastx

This post has been edited by Blastx: 16 November 2010 - 03:06 PM

I'm afraid I have very bad news.

Your log shows this entry: c:\windows\system32\userinit.exe,c:\program files\microsoft\watermark.exe

Watermark.exe is an indication of a serious viral infection known as Ramnit.

Win32/Ramnit.A / Win32/Ramnit.B is a dangerous file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

• Understanding virus names
  
• VirusTotal Threat aliases for W32/Ramnit <- Win32.Ramnit!IK, W32.Ramnit!inf, Win32.Rmnet
  
• VirScan Threat aliases for W32/Ramnit <- Win32/Zbot, PWS.Panda.387, PE_RAMNIT, Trojan/Generic.arhm
  
• McAfee Threat aliases for W32/Ramnit - link 1 <- Trojan.Generic.KD, Win32/Zbot, W32/Cosmu
  
• McAfee Threat aliases for W32/Ramnit - link 2 <- SHeur3.AQRA, W32/Patched-I, Win32.Nimnul, W32/Pedalac

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could loose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• When should I re-format? How should I reinstall?
  
• Where to draw the line? When to recommend a format and reinstall?

Quote

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

Quote