Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fake svhost.exe trojan in Windows Temp file


  • This topic is locked This topic is locked
10 replies to this topic

#1 ruben969

ruben969

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 14 May 2011 - 12:45 PM

Attached File  Attach.zip   3.37KB   1 downloadsEvery time I run MalwareBytes, I see new svhost.exe files in my Windows\Temp folder. I have read a few forums, but don;t really have a clue how to get rid of it.

The Log on MalwareBytes i something like this:

Heuristics.Reserved.Word.Exploit

Any help would be appreciated,
thanks
Rory

Attached Files

  • Attached File  DDS.zip   7.43KB   3 downloads


BC AdBot (Login to Remove)

 


#2 ruben969

ruben969
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 14 May 2011 - 05:53 PM

Gmer log attachedAttached File  Gmer.zip   864bytes   1 downloads

#3 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:44 PM

Posted 15 May 2011 - 12:08 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
Posted Image P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Posted Image Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#4 ruben969

ruben969
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 16 May 2011 - 05:54 AM

Thanks for the reply, please stick with me, as I was away 2 days. Working on combofix now,
thanks
Rory

#5 ruben969

ruben969
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 16 May 2011 - 11:47 AM

here is the cobmofix log as requested..please find attchedAttached File  Combofix.txt   26.21KB   3 downloads

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:44 PM

Posted 16 May 2011 - 09:28 PM

ruben969:

How is your computer running now? Please do this next:

Posted Image You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Posted Image Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • How is the computer running?
  • MBAM log
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#7 ruben969

ruben969
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 18 May 2011 - 08:17 AM

•How is the computer running? It now seems to be running normally. The MalwareBytes run didnt pick up an extraneous svhost.exe files.

•MBAM log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6598

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

17/05/2011 09:41:12
mbam-log-2011-05-17 (09-41-12).txt

Scan type: Quick scan
Objects scanned: 187110
Time elapsed: 15 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


•ESET log

C:\Qoobox\Quarantine\C\Users\Rubes\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe.vir a variant of MSIL/Injector.FF trojan
C:\Users\Rubes\Pictures\stuff\stuff2\erika\bildspel.exe a variant of MSIL/Injector.FF trojan
C:\Users\Rubes\Pictures\stuff\stuff2\erika\bildspel_poserna_20_st.scr a variant of MSIL/Injector.FF trojan

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:44 PM

Posted 18 May 2011 - 08:55 PM

ruben969:

This will take care of those ESET detections (the other one is already in quarantine):

Posted Image Open notepad and copy/paste the text in the quotebox below into it:

@echo off
del "C:\Users\Rubes\Pictures\stuff\stuff2\erika\bildspel.exe"
del "C:\Users\Rubes\Pictures\stuff\stuff2\erika\bildspel_poserna_20_st.scr"
del /Q %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this: Posted Image
Double click on fix.bat & allow it to run.

Now I have another update and soem very important cleanup for you to take care of:

Posted Image Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Posted Image Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
    Combofix /Uninstall
Posted Image

Posted Image Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
Posted Image Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
Posted Image Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 ruben969

ruben969
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:44 PM

Posted 18 May 2011 - 11:25 PM

Thanks for your help! Good Karma to you...

#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:44 PM

Posted 19 May 2011 - 09:37 PM

You're welcome, ruben969. Take care.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:44 PM

Posted 20 May 2011 - 09:02 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users