Svchost Trojan - Hijack Trojan - can't remove -


  • This topic is locked
84 replies to this topic

#1 jrhig

jrhig

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 25 November 2017 - 02:24 PM

Farbar files attached

11-23-2017

Attached Files




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,188 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:56 PM

Posted 25 November 2017 - 05:53 PM

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)

Let's begin... :)
 

  • Highlight the entire content of the quote box below.

Start::  
HKU\S-1-5-21-1215526866-1910251183-2460892951-1000\...\Run: [ASRock A-Tuning] => [X]
R3 AsrAutoChkUpdDrv; \??\C:\Windows\SysWOW64\Drivers\AsrAutoChkUpdDrv.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
FirewallRules: [{AEC84DF8-5818-40D0-94F8-6BDB6571FA20}] => (Allow) LPort=2869
FirewallRules: [{FE729A27-2037-40FD-B383-3B89B2E8E8DF}] => (Allow) LPort=1900
HKLM\...\exefile\shell\open\command: C:\Windows\svchost.com "%1" %* <==== ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
2017-11-23 10:39 - 2017-11-23 10:39 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign0926e67398898b12
2017-11-23 10:36 - 2017-11-23 10:36 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsignd28e559afadd5471
2017-11-23 10:36 - 2017-11-23 10:36 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign452132c5821fec6f
2017-11-21 15:58 - 2017-11-21 15:58 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign6beb03e467a18483
2017-11-21 15:58 - 2017-11-21 15:58 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign67f8313016becd3c
2017-11-18 14:41 - 2017-11-18 14:41 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsignfa07fc054dea95a8
2017-11-18 14:41 - 2017-11-18 14:41 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign720121d724bd7ab4
2017-11-18 14:41 - 2017-11-18 14:41 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign470e87f5d0c0624e
2017-11-18 14:27 - 2017-11-18 14:27 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign31799267b82b2457
2017-11-18 14:25 - 2017-11-18 14:25 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsigna15eb78b39cd14d6
2017-11-18 14:25 - 2017-11-18 14:25 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign1ffefdbc91674e7c
2017-11-18 14:21 - 2017-11-18 14:21 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign9e77b9237ec11075
2017-11-18 14:18 - 2017-11-18 14:18 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsigna3caa1e4856dec5b
2017-11-18 14:18 - 2017-11-18 14:18 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign45b8fcfdd630c592
2017-11-16 08:41 - 2017-11-16 08:41 - 000000000 ____D C:\Temp
2017-11-14 17:15 - 2017-11-14 17:15 - 000000000 ____D C:\ProgramData\Temp
2017-11-13 17:36 - 2017-11-13 17:36 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign74f95f693069d981
2017-11-13 17:36 - 2017-11-13 17:36 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign3c203ad56dc02bbf
2017-11-13 17:36 - 2017-11-13 17:36 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign188c8f4a5b0bc25a
2017-11-13 17:35 - 2017-11-13 17:35 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsignec42a5d65792b677
2017-11-13 17:35 - 2017-11-13 17:35 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsignb1987a66121bd049
2017-11-13 17:35 - 2017-11-13 17:35 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign6900cda6c2f05d94
2017-11-13 17:33 - 2017-11-13 17:33 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsignedad51994bb727a6
2017-11-13 17:33 - 2017-11-13 17:33 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsignc0c7702eecae6506
2017-11-13 16:27 - 2017-11-13 16:27 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign8974b84fc936c545
2017-11-13 16:27 - 2017-11-13 16:27 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign3db220a523da8b72
2017-11-13 16:27 - 2017-11-13 16:27 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign09fa94e404e738e2
2017-11-13 16:21 - 2017-11-13 16:21 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign5313c11b4766a7cf
2017-11-13 16:21 - 2017-11-13 16:21 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign2a6df1dbfc5d0e9f
2017-11-13 16:20 - 2017-11-13 16:20 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsigna05ebe1b933d5c36
2017-11-13 16:20 - 2017-11-13 16:20 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign1d1d3d4e86e2c40e
2017-11-13 15:51 - 2017-11-13 15:51 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsignf6499db76820cfa5
2017-11-13 15:51 - 2017-11-13 15:51 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign3e51c3ed387d1962
2017-11-13 15:48 - 2017-11-13 15:48 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsignee2dbe4126b47da3
2017-11-13 15:48 - 2017-11-13 15:48 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign5acc9529a0ceeb6b
2017-11-13 15:47 - 2017-11-13 15:47 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign5ae2c00ccf1c9d0a
2017-11-13 15:47 - 2017-11-13 15:47 - 000000000 ____D C:\Users\PC\AppData\Local\Tempzxpsign1ec14c34663e876e
2017-11-13 16:46 - 2017-11-13 16:46 - 000000000 ____D C:\Program Files (x86)\GUM601A.tmp
2017-11-14 12:21 - 2014-08-28 16:44 - 000615128 ____N (FinePrint Software, LLC) C:\Windows\system32\fppmon5.dll
2017-11-14 12:21 - 2014-08-28 16:44 - 000432856 ____N (FinePrint Software, LLC) C:\Windows\system32\fppr5-x64.dll
C:\Windows\svchost.com
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

[screenshot: AdwCleaner console]


  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.

[screenshot: AdwCleaner restart prompt]


  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#3 jrhig

jrhig
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 25 November 2017 - 06:32 PM

here is Fixlog



#4 jrhig

jrhig
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 25 November 2017 - 06:39 PM

Here .... is Fixlog ...........attached

Attached Files



#5 jrhig

jrhig
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 25 November 2017 - 06:41 PM

Here is Adware log

Attached Files



#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,188 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:56 PM

Posted 25 November 2017 - 06:45 PM

Duplicate


Edited by JSntgRvr, 25 November 2017 - 06:46 PM.



#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,188 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:56 PM

Posted 25 November 2017 - 06:46 PM

Looks clear. How is the computer doing?




#8 jrhig

jrhig
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 25 November 2017 - 06:54 PM

Computer is terrible

Whenever I click on any program .exe file it automatically tries to run the svchost.com virus. I can right-click > Run as administrator and that will open/run most apps.

Most of the time I have to run Rkill to temporarily terminate the virus in order to open an app.

I'll attach a screenshot from the Malwarebytes scan.

Attached Files



#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,188 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:56 PM

Posted 25 November 2017 - 07:00 PM

Those were just removed:

 

C:\Windows\svchost.com => moved successfully
HKLM\Software\Classes\exefile\shell\open\command\\Default => value restored successfully

 

Clear the quarantined items and perform a scan with Malwarebytes Antimalware. Let me know if redetected.


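The FRST line flagged with "ATTENTION" in post #2 and the two Fixlog lines quoted just above show the actual mechanism: the `exefile\shell\open\command` handler, which Windows runs for every double-clicked .exe, was pointed at `C:\Windows\svchost.com "%1" %*`, so the malware launches first and then passes the real program through. The following PowerShell script is an added example, not part of the thread and not code from FRST, Malwarebytes or any other tool named here. It audits those handler keys in both the machine and user hives, optionally restores the stock value the same way the Fixlog reports FRST did, and checks for the file at the path the thread names. It assumes (not stated on the page) that the stock value for these handlers is `"%1" %*`, that the `runas` verb is a separate key (which is why the poster's right-click "Run as administrator" workaround still worked), and that a file called `svchost.com` directly under `C:\Windows` has no legitimate reason to exist, since the genuine service host is `C:\Windows\System32\svchost.exe`. The class list is generalised beyond the single `exefile` line on the page.

```powershell
# Added example (not from the thread or any tool it uses). Run elevated.
# Audits the shell\open\command handlers the FRST fix flagged and, with
# -Repair, restores the stock Windows value.
#
# Assumptions not stated on the page:
#  - stock value for these handlers is  "%1" %*  (the thread shows only
#    exefile\shell\open; comfile/batfile/cmdfile and the exefile 'runas'
#    verb are a generalisation);
#  - C:\Windows\svchost.com is not a Windows component (the real service
#    host is C:\Windows\System32\svchost.exe).
[CmdletBinding()]
param(
    [switch]$Repair   # report only unless this switch is given
)

$Expected   = '"%1" %*'
$Classes    = 'exefile', 'comfile', 'batfile', 'cmdfile'
$Hives      = 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes'
$SuspectExe = Join-Path $env:SystemRoot 'svchost.com'   # path named in the thread

function Get-HandlerState {
    # One object per handler key that exists. A missing HKCU key is normal
    # and is skipped; only a *present* user-hive key can shadow HKLM.
    foreach ($hive in $Hives) {
        foreach ($class in $Classes) {
            # 'runas' backs right-click > Run as administrator; it is a
            # separate key, which is why that workaround kept working.
            $verbs = if ($class -eq 'exefile') { 'open', 'runas' } else { 'open' }
            foreach ($verb in $verbs) {
                $key = "$hive\$class\shell\$verb\command"
                if (-not (Test-Path -LiteralPath $key)) { continue }
                $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
                [pscustomobject]@{
                    Key      = $key
                    Command  = $cmd
                    # A key with no default value is also broken, so it is flagged too.
                    Hijacked = (([string]$cmd).Trim() -ne $Expected)
                }
            }
        }
    }
}

function Repair-Handler {
    param([Parameter(Mandatory)][string]$Key)
    # Same outcome as the Fixlog line "value restored successfully".
    Set-ItemProperty -LiteralPath $Key -Name '(default)' -Value $Expected
}

$state = @(Get-HandlerState)
$bad   = @($state | Where-Object { $_.Hijacked })

if ($bad.Count -eq 0) {
    Write-Host "All $($state.Count) shell handlers match $Expected"
} else {
    Write-Warning "$($bad.Count) hijacked handler(s):"
    $bad | Format-Table Key, Command -AutoSize | Out-String | Write-Host
    if ($Repair) {
        $bad | ForEach-Object { Repair-Handler -Key $_.Key }
        Write-Host 'Restored. Re-run after a reboot: if the value comes back, something else is re-applying it.'
    }
}

if (Test-Path -LiteralPath $SuspectExe) {
    $h = Get-FileHash -LiteralPath $SuspectExe -Algorithm SHA256
    Write-Warning "$SuspectExe is present (SHA256 $($h.Hash)); quarantine it rather than deleting so the sample can be analysed."
}
```

Treat a clean result as a snapshot only: the poster reports later in this thread that the file and the registry value come back after every reboot, and a script like this confirms or restores the association but does not find whatever re-creates it. That is the reason the helper keeps asking for full scanner logs rather than declaring the machine clean on the strength of one restored value.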


#10 jrhig

jrhig
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 25 November 2017 - 07:03 PM

Every time I reboot they reappear. It's been doing this for about a week now and has infected 3 of my computers so far.

I deleted those from quarantine and just did another MB scan.


Edited by jrhig, 25 November 2017 - 07:07 PM.


#11 jrhig

jrhig
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 25 November 2017 - 07:15 PM

Here are a couple of instances of total removal; after a reboot the virus reappears.

 

I also attached a previous scan of the registry problems  

Attached Files



#12 jrhig

jrhig
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 25 November 2017 - 07:27 PM

Here is the "Malwarebytes Anti-Rootkit" scan log from a few minutes ago. I removed them about a dozen times with this program also; they return.

Attached Files



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,188 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:56 PM

Posted 25 November 2017 - 07:38 PM

Download the right version of RogueKiller for your Windows version (32 or 64-bit)

  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)

This will open the report in Notepad. Copy/paste its content in your next reply
 
Please download Zemana AntiMalware and save it to your Desktop.

  • Right-click on the icon and select Run as administrator to install the program.
  • Click Yes to accept the security warning.
  • Once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If a restart is required to finish the cleaning process, you should click Reboot. If a reboot isn't required, please reboot your computer manually.
  • Click on the Back button.
  • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
  • Now click File > Save As, then choose your Desktop and click the Save button.
  • Please attach the saved report in your next reply.



#14 jrhig

jrhig
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 25 November 2017 - 08:05 PM

Rogue killer log

Attached Files



#15 jrhig

jrhig
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 25 November 2017 - 08:15 PM

Zemana Antimalware log attached

Attached Files





