BleepingComputer.com: Help got a weird scvhost.exe virus


Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.


If you have not received help after three days, please post a link to your topic HERE.
Help got a weird scvhost.exe virus svchost.exe virus

#1 ckeses

  • New Member
  • Group: Members
  • Posts: 8
  • Joined: 01-February 12

Posted 01 February 2012 - 05:54 PM

Basically it's using my bandwidth and not letting me use Google.

This post has been edited by Budapest: 01 February 2012 - 06:06 PM
Reason for edit: Moved from Win7


#2 narenxp

  • Forum Addict
  • Group: BC Advisor
  • Posts: 2,735
  • Joined: 24-October 11
  • Gender: Male
  • Location: India

Posted 01 February 2012 - 08:35 PM

Download TDSSKiller.

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report.


Please download GMER from here (does not work on 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here.

#3 ckeses

  • New Member
  • Group: Members
  • Posts: 8
  • Joined: 01-February 12

Posted 01 February 2012 - 10:16 PM

I could only get the aswMBR working.

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-01 21:44:49
-----------------------------
21:44:49.284 OS Version: Windows x64 6.1.7600
21:44:49.284 Number of processors: 4 586 0xF0B
21:44:49.285 ComputerName: GLADOS UserName: brian
21:44:50.383 Initialize success
21:44:55.857 AVAST engine defs: 12020101
21:45:06.742 The log file has been saved successfully to "C:\Users\brian\Documents\Tunngle\aswMBR.txt"
21:45:26.760 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
21:45:26.762 Disk 0 Vendor: WDC_WD5000AAKS-00A7B0 01.03B01 Size: 476940MB BusType: 3
21:45:26.775 Device \Driver\atapi -> MajorFunction fffffa8004f835c4
21:45:26.782 Disk 0 MBR read successfully
21:45:26.785 Disk 0 MBR scan
21:45:26.791 Disk 0 MBR:Pihar-C [Rtk]
21:45:26.795 Disk 0 TDL4@MBR code has been found
21:45:26.798 Disk 0 Windows 7 default MBR code found via API
21:45:26.802 Disk 0 MBR hidden
21:45:26.826 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:45:26.852 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
21:45:26.858 Disk 0 MBR [TDL4] **ROOTKIT**
21:45:26.864 Disk 0 trace - called modules:
21:45:26.886 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004f835c4]<<
21:45:26.891 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a38060]
21:45:26.896 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa800478b520]
21:45:26.900 5 ACPI.sys[fffff8800103a781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8004789680]
21:45:26.905 \Driver\atapi[0xfffffa8004902c70] -> IRP_MJ_CREATE -> 0xfffffa8004f835c4
21:45:27.850 AVAST engine scan C:\Windows
21:46:23.758 AVAST engine scan C:\Windows\system32
21:51:10.116 AVAST engine scan C:\Windows\system32\drivers
21:51:53.980 AVAST engine scan C:\Users\brian
21:57:37.139 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
21:57:37.322 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\ewv.dll **INFECTED** Win32:MalOb-IG [Cryp]
22:04:45.352 AVAST engine scan C:\ProgramData
22:13:21.502 Scan finished successfully

#4 boopme

  • To Insanity and Beyond
  • Group: Global Moderator
  • Posts: 48,784
  • Joined: 10-September 04
  • Gender: Male
  • Location: NJ USA

Posted 01 February 2012 - 11:54 PM

Hello, will this run?


Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 ckeses

  • New Member
  • Group: Members
  • Posts: 8
  • Joined: 01-February 12

Posted 02 February 2012 - 12:09 AM

It says no infections found, thanks! But... I still can't connect to Google?? It says "unable to establish connection".

#6 narenxp

  • Forum Addict
  • Group: BC Advisor
  • Posts: 2,735
  • Joined: 24-October 11
  • Gender: Male
  • Location: India

Posted 02 February 2012 - 12:23 AM

Can you run TDSSKiller? If yes, post the log.

Run aswMBR again and post the log.

This post has been edited by narenxp: 02 February 2012 - 12:24 AM


#7 ckeses

  • New Member
  • Group: Members
  • Posts: 8
  • Joined: 01-February 12

Posted 02 February 2012 - 01:13 AM

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-01 21:44:49
-----------------------------
21:44:49.284 OS Version: Windows x64 6.1.7600
21:44:49.284 Number of processors: 4 586 0xF0B
21:44:49.285 ComputerName: GLADOS UserName: brian
21:44:50.383 Initialize success
21:44:55.857 AVAST engine defs: 12020101
21:45:06.742 The log file has been saved successfully to "C:\Users\brian\Documents\Tunngle\aswMBR.txt"
21:45:26.760 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
21:45:26.762 Disk 0 Vendor: WDC_WD5000AAKS-00A7B0 01.03B01 Size: 476940MB BusType: 3
21:45:26.775 Device \Driver\atapi -> MajorFunction fffffa8004f835c4
21:45:26.782 Disk 0 MBR read successfully
21:45:26.785 Disk 0 MBR scan
21:45:26.791 Disk 0 MBR:Pihar-C [Rtk]
21:45:26.795 Disk 0 TDL4@MBR code has been found
21:45:26.798 Disk 0 Windows 7 default MBR code found via API
21:45:26.802 Disk 0 MBR hidden
21:45:26.826 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:45:26.852 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
21:45:26.858 Disk 0 MBR [TDL4] **ROOTKIT**
21:45:26.864 Disk 0 trace - called modules:
21:45:26.886 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004f835c4]<<
21:45:26.891 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a38060]
21:45:26.896 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa800478b520]
21:45:26.900 5 ACPI.sys[fffff8800103a781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8004789680]
21:45:26.905 \Driver\atapi[0xfffffa8004902c70] -> IRP_MJ_CREATE -> 0xfffffa8004f835c4
21:45:27.850 AVAST engine scan C:\Windows
21:46:23.758 AVAST engine scan C:\Windows\system32
21:51:10.116 AVAST engine scan C:\Windows\system32\drivers
21:51:53.980 AVAST engine scan C:\Users\brian
21:57:37.139 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
21:57:37.322 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\ewv.dll **INFECTED** Win32:MalOb-IG [Cryp]
22:04:45.352 AVAST engine scan C:\ProgramData
22:13:21.502 Scan finished successfully
22:15:35.917 Disk 0 MBR has been saved successfully to "C:\Users\brian\Documents\Tunngle\MBR.dat"
22:15:36.108 The log file has been saved successfully to "C:\Users\brian\Documents\Tunngle\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-02 00:50:18
-----------------------------
00:50:18.739 OS Version: Windows x64 6.1.7600
00:50:18.739 Number of processors: 4 586 0xF0B
00:50:18.740 ComputerName: GLADOS UserName: brian
00:50:20.308 Initialize success
00:50:25.753 AVAST engine defs: 12020101
00:50:30.358 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
00:50:30.360 Disk 0 Vendor: WDC_WD5000AAKS-00A7B0 01.03B01 Size: 476940MB BusType: 3
00:50:30.364 Disk 0 MBR read successfully
00:50:30.366 Disk 0 MBR scan
00:50:30.377 Disk 0 Windows 7 default MBR code
00:50:30.390 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
00:50:30.400 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
00:50:30.407 Service scanning
00:50:34.634 Modules scanning
00:50:34.638 Disk 0 trace - called modules:
00:50:34.655 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
00:50:34.659 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a22060]
00:50:34.663 3 CLASSPNP.SYS[fffff880013ca43f] -> nt!IofCallDriver -> [0xfffffa8004784580]
00:50:34.667 5 ACPI.sys[fffff88001043781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa800478c060]
00:50:35.640 AVAST engine scan C:\Windows
00:50:37.781 AVAST engine scan C:\Windows\system32
00:53:01.332 AVAST engine scan C:\Windows\system32\drivers
00:53:10.902 AVAST engine scan C:\Users\brian
00:58:46.787 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
00:58:47.260 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\ewv.dll **INFECTED** Win32:MalOb-IG [Cryp]
01:05:09.233 AVAST engine scan C:\ProgramData
01:09:06.812 Scan finished successfully

#8 narenxp

  • Forum Addict
  • Group: BC Advisor
  • Posts: 2,735
  • Joined: 24-October 11
  • Gender: Male
  • Location: India

Posted 02 February 2012 - 07:26 AM

I did not get your TDSSKiller log; it seems FixTDSS has cured your infected MBR.

From the aswMBR log, I could see that you are infected with the 64-bit ZeroAccess rootkit, which has been quarantined by Avast. We require advanced tools to completely remove it.

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck
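As an added example (not code from this thread, from BleepingComputer, or from AVAST), here is a small Python triage script that reads aswMBR logs the way the reply above does: it extracts the MBR status, any MBR rootkit hit, files flagged as infected, and any unnamed (hooked) module in the disk call trace, then diffs two runs so the change from the infected scan to the post-FixTDSS scan is explicit. The line patterns are inferred from the logs pasted in this thread and are assumptions about aswMBR's output format; the two sample logs are abridged from those posts.

```python
"""Triage helper for aswMBR logs.

Added example, not code from this thread, BleepingComputer or AVAST.
The regexes below are assumptions about aswMBR's line format, inferred
from the logs pasted in the thread; the sample logs are abridged copies
of the infected run and of the run after FixTDSS repaired the MBR.
"""
import re
from dataclasses import dataclass, field

# Sample logs, abridged from the two runs pasted in this thread.
LOG_BEFORE = """\
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-01 21:44:49
-----------------------------
21:45:26.782 Disk 0 MBR read successfully
21:45:26.791 Disk 0 MBR:Pihar-C [Rtk]
21:45:26.795 Disk 0 TDL4@MBR code has been found
21:45:26.798 Disk 0 Windows 7 default MBR code found via API
21:45:26.802 Disk 0 MBR hidden
21:45:26.858 Disk 0 MBR [TDL4] **ROOTKIT**
21:45:26.886 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004f835c4]<<
21:57:37.139 File: C:\\Users\\brian\\AppData\\Local\\Temp\\~Quarantine.aswMBR\\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
22:13:21.502 Scan finished successfully
"""

LOG_AFTER = """\
00:50:30.364 Disk 0 MBR read successfully
00:50:30.377 Disk 0 Windows 7 default MBR code
00:50:34.655 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
00:58:46.787 File: C:\\Users\\brian\\AppData\\Local\\Temp\\~Quarantine.aswMBR\\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
01:09:06.812 Scan finished successfully
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<msg>.*)$")
ROOTKIT_RE = re.compile(r"^Disk \d+ MBR \[(?P<name>[^\]]+)\] \*\*ROOTKIT\*\*")
INFECTED_RE = re.compile(r"^File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")


@dataclass
class Summary:
    mbr_status: str = "unknown"                        # "clean", "hidden" or "infected"
    rootkit_hits: list = field(default_factory=list)
    infected_files: list = field(default_factory=list)  # (path, detection name)
    unknown_hooks: list = field(default_factory=list)   # addresses from >>UNKNOWN [...]<<
    scan_finished: bool = False


def parse_aswmbr(text: str) -> Summary:
    """Reduce an aswMBR log to the few facts a helper actually reads."""
    s = Summary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # banner, ruler or blank line: no timestamp
        msg = m.group("msg")
        if msg.endswith("default MBR code") and s.mbr_status == "unknown":
            # Raw read shows stock boot code. The "found via API" variant is NOT
            # evidence of a clean disk: a bootkit hands the stock MBR back through
            # the API while hiding its own code, which is what the infected run shows.
            s.mbr_status = "clean"
        elif msg.endswith("MBR hidden"):
            s.mbr_status = "hidden"
        elif (r := ROOTKIT_RE.match(msg)):
            s.rootkit_hits.append(r.group("name"))
            s.mbr_status = "infected"
        elif (i := INFECTED_RE.match(msg)):
            s.infected_files.append((i.group("path"), i.group("name")))
        elif (u := UNKNOWN_RE.search(msg)):
            # Disk I/O path ends in a module aswMBR cannot name: a hooked dispatch routine.
            s.unknown_hooks.append(u.group("addr"))
        elif msg == "Scan finished successfully":
            s.scan_finished = True
    return s


def in_quarantine(path: str) -> bool:
    """aswMBR's own quarantine folder; hits there are already-contained copies."""
    return "~Quarantine.aswMBR" in path


def triage(s: Summary) -> list:
    """Plain-language findings, in the order a helper would state them."""
    notes = []
    if s.rootkit_hits:
        notes.append(f"MBR rootkit: {', '.join(s.rootkit_hits)} (MBR {s.mbr_status})")
    elif s.mbr_status == "clean":
        notes.append("MBR: stock boot code on raw read")
    if s.unknown_hooks:
        notes.append(f"disk I/O hooked at {', '.join(s.unknown_hooks)}")
    active = [n for p, n in s.infected_files if not in_quarantine(p)]
    held = [n for p, n in s.infected_files if in_quarantine(p)]
    if active:
        notes.append("active infected files: " + ", ".join(active))
    if held:
        notes.append("already quarantined: " + ", ".join(held))
    if not s.scan_finished:
        notes.append("scan did not finish: log is incomplete")
    return notes


def diff_runs(before: Summary, after: Summary) -> dict:
    """What changed between two runs on the same machine."""
    return {
        "mbr": (before.mbr_status, after.mbr_status),
        "rootkits_cleared": sorted(set(before.rootkit_hits) - set(after.rootkit_hits)),
        "hooks_cleared": sorted(set(before.unknown_hooks) - set(after.unknown_hooks)),
        "files_still_flagged": sorted(n for _, n in after.infected_files),
    }


if __name__ == "__main__":
    b, a = parse_aswmbr(LOG_BEFORE), parse_aswmbr(LOG_AFTER)
    print("before:", *triage(b), sep="\n  ")
    print("after:", *triage(a), sep="\n  ")
    print("diff:", diff_runs(b, a))
```

Two points the script encodes that are easy to misread in a raw log: "default MBR code found via API" in the first run is not a clean result, because the raw read on the same disk reports the MBR as hidden with TDL4 code in it; and the consrv.dll hit sits under aswMBR's own ~Quarantine.aswMBR folder, so its reappearance in the second run is a contained copy rather than a live infection, which is the reading narenxp gives above.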

#9 boopme

  • To Insanity and Beyond
  • Group: Global Moderator
  • Posts: 48,784
  • Joined: 10-September 04
  • Gender: Male
  • Location: NJ USA

Posted 02 February 2012 - 02:08 PM

You did not post the proper logs in the new topic.

Please go here: Preparation Guide, and do steps 6-9.

Create a DDS log and post it in the new topic you started in Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run skip it and move on.

Let me know if that went well.
