svchost virus came back


11 replies to this topic

#1 Xnitro67

Xnitro67

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:26 AM

Posted 15 November 2017 - 01:39 AM

I don't know how, but it hid in my Nox Android VM player. I tried the fixlist from my last one and I thought it got rid of it, but it came back. And now I can't get FRST64 to run unless I redownload it from IE (admin). So I'm not sure what to do. I'll make sure I'll wait, and also I want to make sure this virus is out of my PC for good and uninstall Nox without triggering it back. I mean, I'll reinstall Windows if it comes down to it, but I'll wait for help this time!

 

Edit: IE isn't letting me copy and paste.

Attached Files


Edited by Xnitro67, 15 November 2017 - 01:47 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 AM

Posted 15 November 2017 - 09:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Cracked/warez versions of programs

Cracked/warez versions of programs sound "good" and "cheap", but they can cause all sorts of headaches for you and damage to your computer. No reputable forum will support any method of cracking, warez, workarounds, providing any methods, tools, or posting of links designed for this express purpose.

There are people who have spent a great deal of money on developing and testing hardware and software, marketing and distributing it, and then on education and support for it. They have spent long, tedious, difficult and brain-numbing days/nights on their endeavor. They are attempting to make an honest living and feed their families.

Let's not support the thieves who rip them off and cheat them out of the fruits of their labor.


Remove this program in bold via the Control Panel > Programs > Programs and Features.
IDM Patch 6.29 build 2 Patch (HKLM-x32\...\IDM Patch 6.29 build 2 Patch) (Version: 6.29 build 2 - Crackingpatching.com Team)
Cracked software is the start of your problems.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2017-09-22] (Internet Download Manager, Tonec Inc.)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2017-09-22] (Internet Download Manager, Tonec Inc.)
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://mail.ru/cnt/10445?gp=811009","hxxps://search.yahoo.com/?type=502468&fr=yo-yhp-ch"
CHR Extension: (ZeveraTor) - C:\Users\david\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajcnoieoaefgfkgnpldkckdoigbhfgbg [2017-11-02]
CHR Extension: (Amazon Assistant for Chrome) - C:\Users\david\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbjikboenpfhbbejgkoklgkhjpfogcam [2017-11-02]
HKLM\...\exefile\shell\open\command: C:\Windows\svchost.com "%1" %* <==== ATTENTION
ShellIconOverlayIdentifiers: [	IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2017-06-23] (Tonec Inc.)
C:\Windows\svchost.com
C:\Program Files (x86)\Internet Download Manager

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
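An added example, not code from the thread or from FRST: a small checker that reads FRST-style log lines (the sample lines are constructed in the format of the fix list above) and flags the two Neshta symptoms the fix targets, a program inserted into the exefile open command and a Windows Defender policy restriction, and lists the Chrome startup URL hosts for review.

```python
"""Added example (not from the thread or FRST): flag Neshta-type symptoms in FRST log lines."""
import re

# Windows' default handler for .exe files: run the file itself with its arguments.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Constructed sample lines in FRST's format (hxxp is FRST's defanged "http").
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\...\exefile\shell\open\command: C:\Windows\svchost.com "%1" %* <==== ATTENTION
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://mail.ru/cnt/10445?gp=811009"
CHR Extension: (Amazon Assistant for Chrome) - C:\Users\david\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbjikboenpfhbbejgkoklgkhjpfogcam [2017-11-02]
"""

def strip_marker(value):
    """Drop FRST's '<==== ATTENTION' flag so the raw registry value can be compared."""
    return value.replace("<==== ATTENTION", "").strip()

def check_exefile_handler(value):
    """Return None if the .exe open command is the Windows default, otherwise the program
    placed in front of it. That program runs every time any .exe is launched, which is
    how the svchost.com in this thread keeps coming back."""
    cmd = strip_marker(value)
    if cmd == DEFAULT_EXE_COMMAND:
        return None
    prefix, _, _ = cmd.partition(DEFAULT_EXE_COMMAND)
    return prefix.strip() or cmd

def analyse_frst(log):
    """Return (category, detail) findings for the lines a responder should act on."""
    findings = []
    for line in log.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key.lower().endswith(r"exefile\shell\open\command"):
            hijack = check_exefile_handler(value)
            if hijack:
                findings.append(("exefile_hijack", hijack))
        elif key.startswith(r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"):
            # A policy restriction here is what keeps Defender switched off.
            findings.append(("defender_policy", strip_marker(value)))
        elif key == "CHR StartupUrls":
            # Report every startup URL host so unexpected ones (mail.ru here) stand out.
            for host in re.findall(r'hxxps?://([^/"]+)', value):
                findings.append(("startup_url", host))
    return findings

if __name__ == "__main__":
    for category, detail in analyse_frst(SAMPLE_LOG):
        print(f"{category:16} {detail}")
```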

#3 Xnitro67

Xnitro67
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:26 AM

Posted 15 November 2017 - 10:55 AM

As far as I know I never had issues with cracked programs. What started this was a keygen, but anyway, once my PC restarted my programs started back up. But there is something else going on here, I think: Windows Defender keeps popping up with the Win32/Neshta.A virus in a lot of EXEs I had. Some it has deleted and some cleaned out. Should I be worried?

Attached Files


Edited by Xnitro67, 15 November 2017 - 10:56 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 AM

Posted 16 November 2017 - 07:34 AM



Hi,

Should I be worried?


Yes. Download and run this program.

https://www.avg.com/en-us/remove-win32-neshta

Let me know if the problem persists.

#5 Xnitro67

Xnitro67
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:26 AM

Posted 16 November 2017 - 01:18 PM

I did happen to find this program. It didn't find anything normally; it did do a pre-boot run though. But since the last time I replied, Windows Defender hasn't popped up. I guess I'll let it stay on, because last time I turned it off while it was removing it. Seems I get the annoying viruses, lol. The last one I had was years ago, called something with voodoo (explorer/desktop), but that one I got rid of myself with Unlocker.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 AM

Posted 16 November 2017 - 02:22 PM

Let me know in a few days if all is well.

#7 Xnitro67

Xnitro67
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:26 AM

Posted 22 November 2017 - 02:51 AM

Everything is good except for a weird thing that keeps popping up in Malwarebytes: some PUP in Google Chrome web data (MailRu). Even though I hit quarantine, it comes back in the next scan. I've looked in the Chrome settings and extensions; nothing mentions MailRu.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 AM

Posted 22 November 2017 - 08:07 AM



Hi,

To remove this you will possibly have to reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

#9 Xnitro67

Xnitro67
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:26 AM

Posted 23 November 2017 - 02:33 AM

As I was looking through that post and was deleting search engines, I did find the MailRu search. Then I did a scan and now it's clean :)



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 AM

Posted 23 November 2017 - 08:21 AM

Hi,

Good catch.

This entry was set in my fix but did not get removed.
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://mail.ru/cnt/10445?gp=811009","hxxps://search.yahoo.com/?type=502468&fr=yo-yhp-ch"

Thanks for the information.

#11 Xnitro67

Xnitro67
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:26 AM

Posted 24 November 2017 - 06:16 AM

Okay, so somehow my laptop is showing the virus but it's not infected. It keeps popping up on a C:/onedrivetemp/ .temp file; even if I delete it, it comes back. Should I do a scan with the program or should I exclude it?



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:26 AM

Posted 24 November 2017 - 08:06 AM


laptop is showing the virus but it's not infected. It keeps popping up on a C:/onedrivetemp/ .temp file; even if I delete it, it comes back. Should I do a scan with the program or should I exclude it?


You should be able to fix this error.
Follow some of the instructions on this page.
https://answers.microsoft.com/en-us/onedrive/forum/odwork-odfiles/windows-defender-keeps-saying-onedrivetemp-folder/ee344d26-968c-49df-a34f-b8233e2cd939?auth=1

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



