svchost virus came back

i dont know how but it hid in my Nox android VM player. i tried the fixlist from my last one and i thought it got rid of it but came back. and now i cant get frst64 to run unless i redownload it from IE(admin). So im not sure on what to do ill make sure ill wait and also i want to make sure this virus is out of my pc for good and uninstall nox without triggering it back.i mean ill reinstall windows if it comes down to it but ill wait for help this time!

 

Edit: IE isn't letting me copy n paste

Edited by Xnitro67, 15 November 2017 - 01:47 AM.

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Cracked/warez versions of programs

Cracked/warez versions of programs sound "good" and "cheap", but they can cause all sorts of headaches for you and damage to your computer. No reputable forum will support any method of cracking, warez, workarounds, providing any methods, tools, or posting of links designed for this express purpose.

There are people who have spent a great deal of money on developing and testing hardware and software, marketing and distributing it, and then on education and support for it. They have spent long, tedious, difficult and brain-numbing days/nights on their endeavor. They are attempting to make an honest living and feed their families.

Let's not support the thieves who rip them off and cheat them out of the fruits of their labor.

Remove this program in bold via the Control Panel > Programs > Programs and Features.
IDM Patch 6.29 build 2 Patch (HKLM-x32\...\IDM Patch 6.29 build 2 Patch) (Version: 6.29 build 2 - Crackingpatching.com Team)
Crack software is the start of you problems.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2017-09-22] (Internet Download Manager, Tonec Inc.)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2017-09-22] (Internet Download Manager, Tonec Inc.)
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://mail.ru/cnt/10445?gp=811009","hxxps://search.yahoo.com/?type=502468&fr=yo-yhp-ch"
CHR Extension: (ZeveraTor) - C:\Users\david\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajcnoieoaefgfkgnpldkckdoigbhfgbg [2017-11-02]
CHR Extension: (Amazon Assistant for Chrome) - C:\Users\david\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbjikboenpfhbbejgkoklgkhjpfogcam [2017-11-02]
HKLM\...\exefile\shell\open\command: C:\Windows\svchost.com "%1" %* <==== ATTENTION
ShellIconOverlayIdentifiers: [	IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2017-06-23] (Tonec Inc.)
C:\Windows\svchost.com
C:\Program Files (x86)\Internet Download Manager

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

As far as i know i never had issues with cracked programs what started this was a keygen but anyways once my pc restarted my programs started back up but there is something else going on here i think windows defender keeps popping up with the win32/netshta.a virus in alot of exes i had. some it has deleted and some cleaned out. should i be worried?

Edited by Xnitro67, 15 November 2017 - 10:56 AM.

Hi,

should i be worried?

Yes, Download and run this program.

https://www.avg.com/en-us/remove-win32-neshta

Let me know if the probem persists.

i did happen to find this program didnt find anything normally it did do a pre boot run though but since the last time i replied windows defender hasnt popped up. i guess ill let it stay on cause last time i turned it off while it was removing it. seems i get the annoying viruses lol the last one i had was years ago called something with voodoo (explorer/desktop) but that one i got rid of myself with unlocker.

Let me know if a few days if all is well.

everything is good except for a weird thing that keeps popping up in malwarebytes some PUP in google chrome web data (MailRu) even though i hit quarantine comes back in the next scan ive looked in the chrome settings and extentions nothing mentions MailRu

Hi,

To remove this you will possibly have to reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

as i was looking through that post and was deleting search engines i did find the MailRu search then i did a scan and now clean

Hi,

Good catch.

This ;entry was set in my fix but did not get remove.
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://mail.ru/cnt/10445?gp=811009","hxxps://search.yahoo.com/?type=502468&fr=yo-yhp-ch"

Thanks for the information.

okay so somehow my laptop is showing the virus but its not infected keeps popping up on C:/onedrivetemp/ .temp file even if i delete it comes back should i do a scan with the programor should i exclude it?

laptop is showing the virus but its not infected keeps popping up on C:/onedrivetemp/ .temp file even if i delete it comes back should i do a scan with the programor should i exclude it?

You should be able to fix this error.
Follow some of the instructions on this page.
https://answers.microsoft.com/en-us/onedrive/forum/odwork-odfiles/windows-defender-keeps-saying-onedrivetemp-folder/ee344d26-968c-49df-a34f-b8233e2cd939?auth=1

===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===