Svchost.exe trojan

[Kenml]

Would like to know how to remove the Gen:Trojan.Heur GM which is accessed through svchost.exe... from my windows temp folder. I have the IObit Security 360 free installed, which I ran but it doesn't see it.

[markusg]

We need to create an OTL Report

 

1. Please download OTL

http://oldtimer.geekstogo.com/OTL.exe

 

2. Save it to your desktop.

3. Double click on the icon on your desktop.

4. Click the "Scan All Users" checkbox.

5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.

6. Copy and Paste the following into the textbox.

 

 

netsvcs

msconfig

safebootminimal

safebootnetwork

activex

drivers32

%ALLUSERSPROFILE%\Application Data\*.

%ALLUSERSPROFILE%\Application Data\*.exe /s

%APPDATA%\*.

%APPDATA%\*.exe /s

%SYSTEMDRIVE%\*.exe

/md5start

userinit.exe

eventlog.dll

scecli.dll

netlogon.dll

cngaudit.dll

sceclt.dll

ntelogon.dll

logevent.dll

iaStor.sys

nvstor.sys

atapi.sys

IdeChnDr.sys

viasraid.sys

AGP440.sys

vaxscsi.sys

nvatabus.sys

viamraid.sys

nvata.sys

nvgts.sys

iastorv.sys

ViPrt.sys

eNetHook.dll

ahcix86.sys

KR10N.sys

nvstor32.sys

winlogon.exe

ahcix86s.sys

/md5stop

%systemroot%\system32\drivers\*.sys /lockedfiles

%systemroot%\System32\config\*.sav

%systemroot%\*. /mp /s

%systemroot%\system32\*.dll /lockedfiles

CREATERESTOREPOINT

 

7. Push "scan"

8. Two reports will open, copy and paste them in a reply here:

• OTListIt.txt <-- Will be opened

• Extra.txt <-- Will be minimized

use the attachment manager and attach this txt files

[Kenml]

Wow you guys are fast, Thank you :)

Both files are over the 59K limit. Can I zip them to you?

[enoskype]

Yes, please do so.

 

Cheers.

[Kenml]

Yes, please do so.

 

Cheers.

 

Wow, Here you go.

OTL.zip

[markusg]

otl script

• Please double-click OTL.exe to run it. (Note: If you are running on Vista, or win 7, right-click on the file and choose Run As Administrator).

• Copy all the lines

below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose

Copy):

 

:otl

O4 - HKLM..\Run: [CTxfiHlp] File not found

O4 - HKLM..\Run: [CtxfiReg] File not found

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

:commants

[purity]

[EMPTYFLASH]

[emptytemp]

[start explorer]

[Reboot]

• Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.

• Close any browser(s) windows that may be open.

• Using your mouse, click on the red-lettered button Run Fix.

• Once you see a message box "Fix complete! Click OK to open the fix log."

Click the OK button

• The log will open in Notepad (your default text editor).

• Save the log. Post a copy of that log in your next reply.

[Kenml]

Hi marksug, Your instructions are very easy to follow and everything went as listed.

Thanks again for your support.

Here's the text file.

 

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\CTxfiHlp deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\CtxfiReg deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

Error: Unable to interpret <:commants> in the current context!

Error: Unable to interpret <[purity]> in the current context!

Error: Unable to interpret <[EMPTYFLASH]> in the current context!

Error: Unable to interpret <[emptytemp]> in the current context!

Error: Unable to interpret <[start explorer]> in the current context!

Error: Unable to interpret <[Reboot]> in the current context!

 

OTL by OldTimer - Version 3.2.15.0 log created on 10112010_120739

 

Files\Folders moved on Reboot...

 

Registry entries deleted on Reboot...

[markusg]

can you try it again?

 

:otl

O4 - HKLM..\Run: [CTxfiHlp] File not found

O4 - HKLM..\Run: [CtxfiReg] File not found

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

:files

:commants

[purity]

[EMPTYFLASH]

[emptytemp]

[start explorer]

[Reboot]

• Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.

• Close any browser(s) windows that may be open.

• Using your mouse, click on the red-lettered button Run Fix.

• Once you see a message box "Fix complete! Click OK to open the fix log."

Click the OK button

• The log will open in Notepad (your default text editor).

• Save the log. Post a copy of that log in your next reply.

 

Edit/Delete Message

[Kenml]

Hi markusg, Fired off OTL again. Here's what came up.

 

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\CTxfiHlp not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\CtxfiReg not found.

Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Toolbars\ not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

========== FILES ==========

Error: Unable to interpret <:commants> in the current context!

Error: Unable to interpret <[purity]> in the current context!

Error: Unable to interpret <[EMPTYFLASH]> in the current context!

Error: Unable to interpret <[emptytemp]> in the current context!

Error: Unable to interpret <[start explorer]> in the current context!

Error: Unable to interpret <[Reboot]> in the current context!

 

OTL by OldTimer - Version 3.2.15.0 log created on 10122010_095613

 

Files\Folders moved on Reboot...

 

Registry entries deleted on Reboot...

[markusg]

post a combofix logfile:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

[Kenml]

Here you go.

ComboFix.zip

[markusg]

please upgrade to bitdefender 2011, update and scan, tell us the results

[Kenml]

please upgrade to bitdefender 2011, update and scan, tell us the results

 

Well your support and great review of the Bitdefender got me. I bought it and have just completed the install. Doing a deep scan now. Will send you the results when it is finished in another 5:13 minutes.

BTW I just renewed my Security Shield subscription a couple of months ago. It is now uninstalled.

 

Regards

 

Ken Alger

[Kenml]

please upgrade to bitdefender 2011, update and scan, tell us the results

 

OK, here's the results.

 

Scanned items: 1323247

Infected items: 56

Suspect items: 0 (no suspected items have been detected)

Resolved items: 53

Unresolved items: 3

[markusg]

is there a full log you can post?

[Kenml]

is there a full log you can post?

 

Sorry about being so late with this. I see there are several Trojan viruses in the Java cache files..

 

Thanks again for your support.

10_17_10.zip