
Help got a weird scvhost.exe virus


8 replies to this topic

#1 ckeses

ckeses

  • Members
  • 8 posts

Posted 01 February 2012 - 05:54 PM

Basically it's using my bandwidth and not letting me use Google.

Edited by Budapest, 01 February 2012 - 06:06 PM.
Moved from Win7



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 01 February 2012 - 08:35 PM

Download

TDSSkiller

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report.


Please download GMER from here (does not work on 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here

#3 ckeses

ckeses
  • Topic Starter

  • Members
  • 8 posts

Posted 01 February 2012 - 10:16 PM

I could only get aswMBR working.

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-01 21:44:49
-----------------------------
21:44:49.284 OS Version: Windows x64 6.1.7600
21:44:49.284 Number of processors: 4 586 0xF0B
21:44:49.285 ComputerName: GLADOS UserName: brian
21:44:50.383 Initialize success
21:44:55.857 AVAST engine defs: 12020101
21:45:06.742 The log file has been saved successfully to "C:\Users\brian\Documents\Tunngle\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-01 21:44:49
-----------------------------
21:44:49.284 OS Version: Windows x64 6.1.7600
21:44:49.284 Number of processors: 4 586 0xF0B
21:44:49.285 ComputerName: GLADOS UserName: brian
21:44:50.383 Initialize success
21:44:55.857 AVAST engine defs: 12020101
21:45:06.742 The log file has been saved successfully to "C:\Users\brian\Documents\Tunngle\aswMBR.txt"
21:45:26.760 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
21:45:26.762 Disk 0 Vendor: WDC_WD5000AAKS-00A7B0 01.03B01 Size: 476940MB BusType: 3
21:45:26.775 Device \Driver\atapi -> MajorFunction fffffa8004f835c4
21:45:26.782 Disk 0 MBR read successfully
21:45:26.785 Disk 0 MBR scan
21:45:26.791 Disk 0 MBR:Pihar-C [Rtk]
21:45:26.795 Disk 0 TDL4@MBR code has been found
21:45:26.798 Disk 0 Windows 7 default MBR code found via API
21:45:26.802 Disk 0 MBR hidden
21:45:26.826 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:45:26.852 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
21:45:26.858 Disk 0 MBR [TDL4] **ROOTKIT**
21:45:26.864 Disk 0 trace - called modules:
21:45:26.886 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004f835c4]<<
21:45:26.891 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a38060]
21:45:26.896 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa800478b520]
21:45:26.900 5 ACPI.sys[fffff8800103a781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8004789680]
21:45:26.905 \Driver\atapi[0xfffffa8004902c70] -> IRP_MJ_CREATE -> 0xfffffa8004f835c4
21:45:27.850 AVAST engine scan C:\Windows
21:46:23.758 AVAST engine scan C:\Windows\system32
21:51:10.116 AVAST engine scan C:\Windows\system32\drivers
21:51:53.980 AVAST engine scan C:\Users\brian
21:57:37.139 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
21:57:37.322 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\ewv.dll **INFECTED** Win32:MalOb-IG [Cryp]
22:04:45.352 AVAST engine scan C:\ProgramData
22:13:21.502 Scan finished successfully

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,082 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 February 2012 - 11:54 PM

Hello, will this run?


Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore (see: How to turn off or turn on Windows XP System Restore).
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.

#5 ckeses

ckeses
  • Topic Starter

  • Members
  • 8 posts

Posted 02 February 2012 - 12:09 AM

It says no infections found, thanks! But... I still can't connect to Google? It says "unable to establish connection".

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 02 February 2012 - 12:23 AM

Can you run TDSSKiller? If yes, post the log.

Run aswMBR again and post the log.

Edited by narenxp, 02 February 2012 - 12:24 AM.


#7 ckeses

ckeses
  • Topic Starter

  • Members
  • 8 posts

Posted 02 February 2012 - 01:13 AM

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-01 21:44:49
-----------------------------
21:44:49.284 OS Version: Windows x64 6.1.7600
21:44:49.284 Number of processors: 4 586 0xF0B
21:44:49.285 ComputerName: GLADOS UserName: brian
21:44:50.383 Initialize success
21:44:55.857 AVAST engine defs: 12020101
21:45:06.742 The log file has been saved successfully to "C:\Users\brian\Documents\Tunngle\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-01 21:44:49
-----------------------------
21:44:49.284 OS Version: Windows x64 6.1.7600
21:44:49.284 Number of processors: 4 586 0xF0B
21:44:49.285 ComputerName: GLADOS UserName: brian
21:44:50.383 Initialize success
21:44:55.857 AVAST engine defs: 12020101
21:45:06.742 The log file has been saved successfully to "C:\Users\brian\Documents\Tunngle\aswMBR.txt"
21:45:26.760 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
21:45:26.762 Disk 0 Vendor: WDC_WD5000AAKS-00A7B0 01.03B01 Size: 476940MB BusType: 3
21:45:26.775 Device \Driver\atapi -> MajorFunction fffffa8004f835c4
21:45:26.782 Disk 0 MBR read successfully
21:45:26.785 Disk 0 MBR scan
21:45:26.791 Disk 0 MBR:Pihar-C [Rtk]
21:45:26.795 Disk 0 TDL4@MBR code has been found
21:45:26.798 Disk 0 Windows 7 default MBR code found via API
21:45:26.802 Disk 0 MBR hidden
21:45:26.826 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:45:26.852 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
21:45:26.858 Disk 0 MBR [TDL4] **ROOTKIT**
21:45:26.864 Disk 0 trace - called modules:
21:45:26.886 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004f835c4]<<
21:45:26.891 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a38060]
21:45:26.896 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa800478b520]
21:45:26.900 5 ACPI.sys[fffff8800103a781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8004789680]
21:45:26.905 \Driver\atapi[0xfffffa8004902c70] -> IRP_MJ_CREATE -> 0xfffffa8004f835c4
21:45:27.850 AVAST engine scan C:\Windows
21:46:23.758 AVAST engine scan C:\Windows\system32
21:51:10.116 AVAST engine scan C:\Windows\system32\drivers
21:51:53.980 AVAST engine scan C:\Users\brian
21:57:37.139 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
21:57:37.322 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\ewv.dll **INFECTED** Win32:MalOb-IG [Cryp]
22:04:45.352 AVAST engine scan C:\ProgramData
22:13:21.502 Scan finished successfully
22:15:35.917 Disk 0 MBR has been saved successfully to "C:\Users\brian\Documents\Tunngle\MBR.dat"
22:15:36.108 The log file has been saved successfully to "C:\Users\brian\Documents\Tunngle\aswMBR.txt"


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-02 00:50:18
-----------------------------
00:50:18.739 OS Version: Windows x64 6.1.7600
00:50:18.739 Number of processors: 4 586 0xF0B
00:50:18.740 ComputerName: GLADOS UserName: brian
00:50:20.308 Initialize success
00:50:25.753 AVAST engine defs: 12020101
00:50:30.358 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
00:50:30.360 Disk 0 Vendor: WDC_WD5000AAKS-00A7B0 01.03B01 Size: 476940MB BusType: 3
00:50:30.364 Disk 0 MBR read successfully
00:50:30.366 Disk 0 MBR scan
00:50:30.377 Disk 0 Windows 7 default MBR code
00:50:30.390 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
00:50:30.400 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
00:50:30.407 Service scanning
00:50:34.634 Modules scanning
00:50:34.638 Disk 0 trace - called modules:
00:50:34.655 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
00:50:34.659 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a22060]
00:50:34.663 3 CLASSPNP.SYS[fffff880013ca43f] -> nt!IofCallDriver -> [0xfffffa8004784580]
00:50:34.667 5 ACPI.sys[fffff88001043781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa800478c060]
00:50:35.640 AVAST engine scan C:\Windows
00:50:37.781 AVAST engine scan C:\Windows\system32
00:53:01.332 AVAST engine scan C:\Windows\system32\drivers
00:53:10.902 AVAST engine scan C:\Users\brian
00:58:46.787 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
00:58:47.260 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\ewv.dll **INFECTED** Win32:MalOb-IG [Cryp]
01:05:09.233 AVAST engine scan C:\ProgramData
01:09:06.812 Scan finished successfully

#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 02 February 2012 - 07:26 AM

I did not get your TDSSKiller log; it seems FixTDSS has cured your infected MBR.

From the aswMBR log, I could see that you are infected with the 64-bit ZeroAccess rootkit, which has been quarantined by Avast. We require advanced tools to completely remove it.

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck
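Added example (not from this thread, and not code from the aswMBR or FixTDSS authors): a small Python triage script that reads aswMBR output like the logs posted above and pulls out the markers narenxp read by eye: the `**ROOTKIT**` MBR verdict, the `MBR:` detection name, the "MBR hidden" flag, the API-versus-raw-sector disagreement, the `>>UNKNOWN [...]<<` module in the disk I/O trace, and the `**INFECTED**` file lines. Because aswMBR appends each run to the same log file, it also splits the file into runs and diffs a before/after pair, so the effect of a fix tool is visible at a glance. The line formats are assumed from the version 0.9.9.1532 output in this thread, and the embedded sample is constructed from those lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line shapes assumed from the aswMBR 0.9.9.1532 output posted in this thread;
# other versions of the tool may format lines differently.
TS = r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+"
MBR_ROOTKIT_RE = re.compile(TS + r"Disk \d+ MBR \[(?P<family>[^\]]+)\] \*\*ROOTKIT\*\*")
MBR_DETECT_RE = re.compile(TS + r"Disk \d+ MBR:(?P<name>\S+) \[[^\]]+\]")
MBR_HIDDEN_RE = re.compile(TS + r"Disk \d+ MBR hidden")
MBR_DEFAULT_RE = re.compile(TS + r"Disk \d+ Windows \d+ default MBR code$")
MBR_API_RE = re.compile(TS + r"Disk \d+ Windows \d+ default MBR code found via API")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
INFECTED_RE = re.compile(TS + r"File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+) \[[^\]]+\]")
FINISHED_RE = re.compile(TS + r"Scan finished successfully")


@dataclass
class ScanVerdict:
    mbr_rootkit_family: Optional[str] = None  # "TDL4" from the **ROOTKIT** line
    mbr_detection: Optional[str] = None       # "Pihar-C" from the "MBR:" line
    mbr_hidden: bool = False                  # tool reports the real MBR is hidden
    mbr_default_code: bool = False            # raw sector read shows stock Windows code
    api_view_default: bool = False            # the Windows API view shows stock code
    unknown_hooks: List[str] = field(default_factory=list)  # >>UNKNOWN [addr]<< in I/O trace
    infected_files: List[Tuple[str, str]] = field(default_factory=list)  # (path, detection)
    finished: bool = False

    @property
    def mbr_clean(self) -> bool:
        """Clean only when the raw MBR is stock code and nothing hints at a hook."""
        return (self.mbr_default_code and self.mbr_rootkit_family is None
                and not self.mbr_hidden and not self.unknown_hooks)

    @property
    def io_path_tampered(self) -> bool:
        """API says stock MBR while the raw read does not, or an unknown module sits in
        the disk I/O call chain: either way something is filtering disk reads."""
        return (self.api_view_default and not self.mbr_default_code) or bool(self.unknown_hooks)


def split_runs(text: str) -> List[str]:
    """aswMBR appends every run to the same file, so split on each version banner."""
    runs: List[List[str]] = []
    for line in text.strip().splitlines():
        if line.startswith("aswMBR version") or not runs:
            runs.append([])
        runs[-1].append(line)
    return ["\n".join(r) for r in runs]


def parse_run(run: str) -> ScanVerdict:
    """Reduce one run to the handful of facts a helper looks at first."""
    v = ScanVerdict()
    for line in run.splitlines():
        if m := MBR_ROOTKIT_RE.match(line):
            v.mbr_rootkit_family = m.group("family")
        elif m := MBR_DETECT_RE.match(line):
            v.mbr_detection = m.group("name")
        elif MBR_HIDDEN_RE.match(line):
            v.mbr_hidden = True
        elif MBR_DEFAULT_RE.match(line):
            v.mbr_default_code = True
        elif MBR_API_RE.match(line):
            v.api_view_default = True
        elif m := UNKNOWN_RE.search(line):
            v.unknown_hooks.append(m.group("addr"))
        elif m := INFECTED_RE.match(line):
            v.infected_files.append((m.group("path"), m.group("name")))
        elif FINISHED_RE.match(line):
            v.finished = True
    return v


def compare_runs(before: ScanVerdict, after: ScanVerdict) -> dict:
    """What changed between two runs, e.g. before and after a fix tool such as FixTDSS."""
    b_files = {p for p, _ in before.infected_files}
    a_files = {p for p, _ in after.infected_files}
    return {
        "mbr_remediated": not before.mbr_clean and after.mbr_clean,
        "hooks_removed": sorted(set(before.unknown_hooks) - set(after.unknown_hooks)),
        "files_still_flagged": sorted(b_files & a_files),
        "new_files_flagged": sorted(a_files - b_files),
    }


# Constructed sample: two runs modelled on the log lines posted in this thread.
SAMPLE_LOG = r"""
aswMBR version 0.9.9.1532 Copyright 2011 AVAST Software
Run date: 2012-02-01 21:44:49
21:45:26.791 Disk 0 MBR:Pihar-C [Rtk]
21:45:26.798 Disk 0 Windows 7 default MBR code found via API
21:45:26.802 Disk 0 MBR hidden
21:45:26.858 Disk 0 MBR [TDL4] **ROOTKIT**
21:45:26.886 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004f835c4]<<
21:57:37.139 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
22:13:21.502 Scan finished successfully

aswMBR version 0.9.9.1532 Copyright 2011 AVAST Software
Run date: 2012-02-02 00:50:18
00:50:30.377 Disk 0 Windows 7 default MBR code
00:50:34.655 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
00:58:46.787 File: C:\Users\brian\AppData\Local\Temp\~Quarantine.aswMBR\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
01:09:06.812 Scan finished successfully
"""

if __name__ == "__main__":
    before, after = [parse_run(r) for r in split_runs(SAMPLE_LOG)]
    print("before:", before, "\nafter:", after, "\ndiff:", compare_runs(before, after))
```

The diff output for the sample mirrors what narenxp concluded from the real logs: the MBR goes from a TDL4 verdict with a hooked I/O path to stock code with a clean call chain, while the same `consrv.dll` still shows up in the quarantine folder in both runs, which is why the thread moves on to dedicated removal help rather than calling the machine clean.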

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,082 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 February 2012 - 02:08 PM

You did not post the proper logs in the new topic.

Please go here: Preparation Guide, and do steps 6-9.

Create a DDS log and post it in the new topic you started in Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run skip it and move on.

Let me know if that went well.



