Help pls! Antivirus unable to update,svchost.exe crash and Funny noises from mu pc


This topic is locked
13 replies to this topic

#1 urusai (Members, 10 posts)

Posted 27 April 2009 - 02:54 PM

I've got a new PC and it's been doing weird things for the last week. Perhaps I'm even too late already!!!
I don't know what to do and I'm not that good with computers.
Also my PC is in Dutch (I'm from the Netherlands) so it's pretty unhandy to post some messages, but I'll try to translate them.
I have a list of problems:

- My antivirus can't update anymore (since one week)
- My PC is running 10 times as slow as it did before
- There are 14 svchost.exe programs running in Task Manager
- Funny noises as if from a video or animal barn are coming from my PC at random times (when I have only this site open and an Adobe Reader file, for example)
- I've had two warnings when starting up my PC: sopidkc.exe doesn't work; msncache doesn't work.
- Also a lot of random pictures and programs have been copied/shortcutted and those shortcuts are in my recycle bin without me having deleted those.
- And I've looked through my Task Manager and found afisicx.exe running, which is identified at this site as a worm of some kind?

So I'm a bit confused but also happy I found this site. Could anyone help with this? I would be really grateful ^^ :thumbsup:


#2 urusai (Topic Starter, Members, 10 posts)

Posted 29 April 2009 - 04:39 AM

Hi,

OK, this morning I started up my laptop (this one which I'm working on) to see if I have had any replies yet. But while starting it said there was a system crash of some kind and that I could recover my system and return to an older backup which had been made so that my laptop would start up normally.
Well, that was what I did and now it seems the files which were infecting my laptop are gone. So of course the first thing I tried was updating COMODO Internet Security and Windows Defender, which both were unable to update before. It didn't work.
So I started looking around in the forums and a lot of people usually get a reply saying download Malwarebytes and update it and do a system scan. I thought if Malwarebytes is also unable to update, there must still be something wrong. So I downloaded it from one of the links in a reply. Two links didn't work, the last one did; after I'd downloaded it, MBAM wouldn't start installing when I clicked on the .exe, so I renamed it and it started. BUT it was still unable to update....

So I'm pretty much clueless what to do right now. :thumbsup:
Windows Defender, COMODO and MBAM are all still unable to update, my DAEMON Tools program still gets a weird warning at startup, and COMODO has around 180 pending files waiting for my review which I don't think are infected and don't know what to do with.

Could anyone help with this problem? Thanks,

(PS. My laptop is pretty new so I thought it was strange things like this happened so soon. Are there any tips on improving security or preventing malware other than the things I've got installed on my laptop?)

#3 xblindx (Banned, 1,923 posts)

Posted 29 April 2009 - 06:03 PM

I am aware that you are unable to update the definitions. Use the alternate definitions link here. Double click mbam-rules.exe to install them.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Please include the following in your reply:
MBAM log

#4 urusai (Topic Starter, Members, 10 posts)

Posted 04 May 2009 - 06:17 PM

Hi,
Thanks for helping me. I did all of the things you said above, although I wasn't able to download the update because it wouldn't connect to that site. I had a friend of mine download it and rename it on my PC to install the update. After the scanning/starting up of my laptop COMODO still wasn't able to update, though.
This is the log file:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 6.0.6001 Service Pack 1

5-5-2009 1:02:31
mbam-log-2009-05-05 (01-02-31).txt

Scan type: Quick Scan
Objects scanned: 66866
Time elapsed: 5 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\ThunMail (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\Temp\vbnxcvdfhd38.log (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Temp\vbnxcvdfhd40.log (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\Windows\Temp\vbnxcvdfhd48.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\Windows\Temp\t4m0_569058163174.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRT11BC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRTED9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Thanks,

#5 urusai (Topic Starter, Members, 10 posts)

Posted 07 May 2009 - 02:49 PM

Hey there,

So I'm still experiencing some really weird things on my laptop lately... AND I'm STILL unable to update MBAM/COMODO/Windows Defender or go to any malware deletion/tips site other than bleepingcomputer. I really need help with this because my computer is getting slower and gets more stuff each day.

WUDFHOST.EXE and AUTORUN.INF are randomly being put on my USB stick when I put it in, which normally wasn't the case.

COMODO detected some things which might not be normal, since I looked up some of the file names below and according to forums these represent worms, or at least not something good.
These things just tried to change registry files and started making folders/files.

testabd.exe was changing the registry..
axssdfrvwn46.exe from system32/3361/SVCHOST.EXE was trying to create file/directory: sopidkc.exe and creating folder: tpsaxyd.exe

And after I said block to all those things, the messages came 4 or 5 more times, and after those some screen popped up and I saw sopidkc.exe and tpsaxyd.exe and some other stuff installing with a "beam" (how do you call it) running under it. In the buttons was no text but question marks, so I rapidly clicked the right button which I thought might be cancel... well, it did stop right that moment and now I don't see anything ELSE strange anymore.

Still I don't think all those things (and all of the rest I mentioned before in my other replies) were good....
Could anyone help me here or does someone know what this all is? :thumbsup:

Thanks a lot in advance, Sjors

#6 xblindx (Banned, 1,923 posts)

Posted 07 May 2009 - 07:33 PM

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#7 xblindx (Banned, 1,923 posts)

Posted 09 May 2009 - 07:36 AM

Also, I overlooked one thing. You may do this step after the Doctor Web scan.

WUDFHOST.EXE and AUTORUN.INF are randomly being put on my usb stick when i put it in, which normally wasn't the case.


Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Edited by xblindx, 09 May 2009 - 07:37 AM.


#8 urusai (Topic Starter, Members, 10 posts)

Posted 10 May 2009 - 07:33 AM

Hey,

Okay, I've been trying to download it from ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe or any external link I could find via Google.
BUT NO!! Alas.... since my laptop/worm won't let me connect to any antivirus website I'm pretty much unable to download the program.
Any suggestions on a different way to get the file??

Thanks, Sjors

#9 xblindx (Banned, 1,923 posts)

Posted 10 May 2009 - 08:16 AM

Could you get that same friend to get it on a flash drive or other removable media (CD, flash drive, etc.) to transfer over? You may even be able to get it emailed to you from a friend; the file is only around 14 MB.

You could try this other link: http://www.snapfiles.com/php/download.php?...40952&loc=2

or: http://majorgeeks.com/downloadget4783-1-57...feb793a566.html

Edited by xblindx, 10 May 2009 - 08:16 AM.


#10 urusai (Topic Starter, Members, 10 posts)

Posted 10 May 2009 - 04:35 PM

OK, SO A LOT of things happened....

First I asked a housemate to download Dr.Web CureIt, he sent it to me and I've put it on my desktop. It's the launcher.exe file but it says Dr.Web Ltd. and has a black spider. We downloaded it from majorgeeks.com. I tried your two links afterwards, which both didn't work for me.

- So I started the express scan, +- 30 min: 400 files found (almost all .exe and system32\ files) and infected with Win32.Virut.56 virus....... So I guess now I'm screwed??
I also wasn't able to click on the cure button, because it was blank (unclickable), so I didn't do that, but did follow all of the rest of your steps and it still deleted a few files and said Cured to almost all files in the list.
- The complete scan took 4 h 13 min: 950 files found total (I guess this is including the 400) but I couldn't move anything; although I clicked on select all and move it didn't seem to move the files, and under "moved" you didn't see 950 files, it said 0.
- After having clicked on "save report list" there was noise and a blue screen with a lot on it for 1 sec (WINDOWS CRASH DUMP something), had to start up anew and for safety went back to safe mode again.
- At startup a window said this (and details):

windows is herstelt van een onverwachte afsluiting (Windows has recovered from an unexpected shutdown)

Aanvullende informatie over dit probleem: (extra info about this problem:)
BCCode: 19
BCP1: 00000021
BCP2: B3A00000
BCP3: 00049C10
BCP4: 006F0064
OS Version: 6_0_6001
Service Pack: 1_0
Product: 768_1

Bestanden die helpen bij het beschrijven van het probleem: (files that help with describing the problem:)
C:\Windows\Minidump\Mini051009-01.dmp
C:\Users\SHWOO\AppData\Local\Temp\WER-47627-0.sysdata.xml
C:\Users\SHWOO\AppData\Local\Temp\WER510C.tmp.version.txt

- So that's why I don't have a logfile of the 950 or so files that were/are infected.
- I ran another scan after this and now it took 1 min and didn't have any results (yeah right, I didn't believe that), so I scanned again and now it took +- 30 min again and still had 0 results (but I have the logfile and will post it at the end of this post).

(Also every time I scanned with Dr.Web CureIt there was a green Dr.Web screen saying: action 50% discount (for users of another antivirus program) with CureIt![r] on the left. I don't know, perhaps this is normal for this program to sponsor their own Dr.Web antivirus, I just thought I should add this for certainty.)

- So also after startup, my Windows said I've got software piracy something, while I have the original certified Vista installed.... So??
- And I ran FlashDisinfector as well (because I trusted your experience with it), although COMODO said it was some kind of trojan.win32.worm something cmdi or so.. I thought it was a bit weird and am thinking perhaps COMODO is influenced by Virut as well. So I ran it anyhow and it said my USB was clean.

I searched some things up on the net and in these forums, and everywhere people say Virut is a virus almost impossible to get rid of on your PC because it's stuck in so many files... I don't know 100% sure if I really have the virus, but what to do????

AVG made a virus remover for Win32/Virut, which I already got sent by mail from a friend, and I am running it at the moment to see if it works or if I have any infections. (If the result is still 0 I probably won't be certain either, right?)

Thanks for the help btw, I really appreciate it. But now what to do??

#11 urusai (Topic Starter, Members, 10 posts)

Posted 10 May 2009 - 05:01 PM

Oh yeah, and I wanted to give you the CureIt.log file of the 30 min express scan (the second time I ran it after the reboot and total blue screen crash).
But it's way too big to put in here as a whole (around 10 min scrolling down on the right).

Most of those were in the same way as this one:
C:\Windows\system32\DriverStore\FileRepository\prnca001.inf_92fbd03f\I386\CNB6100I.DLL - OK
but there were a few like this one:
C:\Windows\system32\DriverStore\FileRepository\prnca001.inf_92fbd03f\I386\CNB6100I.DLL gepakt door PESTUB (caught by PESTUB)

And most of the files had OK behind them.


-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 839
Infected: 0
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 1379 Kb/s
Scan time: 00:01:34
-----------------------------------------------------------------------------

Scanning interrupted by user! - no viruses found
=============================================================================
Total session statistics
=============================================================================
Scanned: 839
Infected: 0
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 810 Kb/s
Scan time: 00:02:40
=============================================================================

#12 xblindx (Banned, 1,923 posts)

Posted 10 May 2009 - 07:25 PM

This is beginning to get over my head. You will most likely want to prepare to post in our Hijackthis forums.
Read this guide to posting a HJT log into the HJT section: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Edited by xblindx, 10 May 2009 - 07:28 PM.


#13 extremeboy (Malware Response Team, 12,975 posts)

Posted 11 May 2009 - 03:19 PM

Hello.

Before starting a topic as suggested by xBlindx, there were indications of a backdoor and also the virut file infector in the Malwarebytes Anti-Malware log.

Warning on backdoors:

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Regarding VIRUT:

Virut is a file infector. From your previous posts you said that you have run the AVG w32/virut removal tool? Correct? Nevertheless this infection is very nasty, but it doesn't appear to be active at the moment, either because it was leftovers or simply because it wasn't installed completely.

I would still recommend you format the computer and back up any data information as needed. No executables, since this computer was compromised.

NOTE: If you do wish to continue, then feel free to start another topic in the Malware Removal forum; please note you will need to wait for a while before getting a response.

Good luck.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

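To make the triage in the reply above concrete: the script below is an added example, not code from this thread, from Malwarebytes or from BleepingComputer. It parses the MBAM log format posted in #4 (the sample embedded here is a constructed, trimmed copy of that log) and pulls out what a helper checks first: which detection families appeared, whether any of them is a Backdoor.* family (the reason extremeboy advises treating the machine as compromised), and whether the header counts agree with the itemised lines, which is a quick sanity check for a truncated or hand-edited log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the MBAM 1.36 log from post #4, trimmed to the blocks that matter for triage.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Scan type: Quick Scan

Memory Processes Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\ThunMail (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\Temp\vbnxcvdfhd38.log (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Temp\vbnxcvdfhd40.log (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\Windows\Temp\vbnxcvdfhd48.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\Windows\Temp\t4m0_569058163174.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRT11BC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRTED9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

@dataclass
class Detection:
    section: str  # which "... Infected:" block the line came from
    item: str     # file path, folder, or registry value
    family: str   # MBAM detection name, e.g. Backdoor.Bot
    action: str   # what MBAM reports it did with the item

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) [-> Bad: (x) Good: (y)] -> <action>"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\)(?: -> .*?)? -> (?P<action>[^>]+)$")

def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Split an MBAM log into its header counts and the itemised detection lines."""
    summary: Dict[str, int] = {}
    detections: List[Detection] = []
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            section = None  # a blank line closes the current block
        elif m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := DETECTION_RE.match(line)):
            detections.append(Detection(section, m["item"], m["family"], m["action"].strip()))
    return summary, detections

# A Backdoor.* hit means remote control was possible, which is why the Malware Response
# Team reply above treats the host as compromised rather than merely "cleaned".
REMOTE_ACCESS_PREFIXES = ("Backdoor.",)

def assess(summary: Dict[str, int], detections: List[Detection]) -> dict:
    """Reduce a parsed log to the triage facts a helper checks first."""
    seen = Counter(d.section for d in detections)
    backdoors = [d.item for d in detections if d.family.startswith(REMOTE_ACCESS_PREFIXES)]
    return {
        "families": sorted({d.family for d in detections}),
        "backdoors": backdoors,
        # header counts that disagree with the itemised lines suggest a truncated or edited log
        "count_mismatch": [s for s, n in summary.items() if n != seen.get(s, 0)],
        "verdict": "reimage_recommended" if backdoors else ("cleaned" if detections else "clean"),
    }
```

Running `assess(*parse_mbam_log(SAMPLE_LOG))` on the sample reports the Backdoor.Bot item and a `reimage_recommended` verdict even though every line says "Quarantined and deleted successfully", which is exactly the distinction the reply above draws.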

#14 Orange Blossom (Moderator, 36,962 posts, Bloomington, IN)

Posted 11 May 2009 - 09:24 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/226186/infection-with-win32virut56-virus/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
