Malware Infection - svchost.exe

I received a Toshiba Satellite C655D-S5300 laptop from a friend for virus removal. The only virus protection loaded on the laptop was an inactive version of AVG (along with obvious bloatware products), so I promptly installed Avast Antivirus and Spybot Search and Destroy to determine the severity of infection.

Spybot reported many infections and was able to remove all but one of them, the remaining one being the svchost.exe infection.

I’ve read through the Avast forums post regarding logs to collect for malware advice. Between Avast and Spybot the malware is contained; however, as I am an avid PC/networking student, I would like some advice from the Avast community about proper removal of this malware.

Tools used prior to discovering this forum: Avast Antivirus (smart scan and boot-time scan), Spybot Search and Destroy, and the sfc /scannow command from CMD. I have also created a custom firewall setting with Spybot that blocks inbound and outbound traffic to the target IP addresses of the malware (deepspacer and spacesoftpro .coms).

I have attached log files from Malwarebytes Anti-Malware, Farbar Recovery Scan Tool, and aswMBR.
Any help is greatly appreciated.

PLEASE NOTE: Upon my first activation of Malwarebytes I ran the update as directed, made sure to check scan for rootkits, and executed the scan. The scan ran as normal and reported that 202(ish) infections were found, along with some rootkits. I proceeded to apply the fixes MBAM had suggested and executed the reboot when I was prompted. I exported the scan log as a .txt to my desktop; however, the log file that was created was blank. I executed a 2nd scan, which reported no problems found. The uploaded MBAM log is from the 2nd scan.
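Spybot's "svchost.exe infection" label can refer to a file, a registry entry or a running process, and the running-process case is the one worth ruling out first, because a malicious binary named svchost.exe is a classic way to hide in the process list. The following is an added example, not part of the original post and not from any tool mentioned in the thread: it lists every running svchost.exe and flags the ones that do not match the genuine Windows service host on path, Authenticode signature, parent process or hosted services. It assumes an elevated Windows PowerShell 3 or later session on the suspect machine.

```powershell
# Added example, not from the thread or from any tool mentioned in it.
# Lists every running svchost.exe and flags the ones that do not look like the
# genuine Windows service host. Run from an elevated Windows PowerShell 3+ prompt.

# The genuine binary lives in System32. A copy also exists in SysWOW64 on 64-bit
# Windows, but services.exe does not normally launch it, so it is flagged too.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Test-Svchost {
    param($Proc)   # a Win32_Process instance
    $flags = @()
    $path  = $Proc.ExecutablePath

    if (-not $path) {
        $flags += 'no path (not elevated?)'
    } else {
        # -ne is case-insensitive, so C:\windows\... and C:\Windows\... compare equal
        if ($path -ne $expected) { $flags += "unexpected path: $path" }

        # Windows system files are often catalog-signed. Newer PowerShell versions
        # resolve those; on Windows 7 this may report NotSigned for a genuine file,
        # so treat it as one signal and confirm with sfc /verifyonly or sigcheck.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $flags += "signature: $($sig.Status)"
        }
    }

    # Real service hosts are children of services.exe ...
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($Proc.ParentProcessId)"
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $flags += "parent: $(if ($parent) { $parent.Name } else { 'gone' })"
    }

    # ... and host at least one registered service. A look-alike usually hosts none.
    $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $($Proc.ProcessId)" |
              Select-Object -ExpandProperty Name
    if (-not $hosted) { $flags += 'hosts no services' }

    [pscustomobject]@{
        PID      = $Proc.ProcessId
        Path     = $path
        Services = ($hosted -join ',')
        Flags    = ($flags -join '; ')
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object { Test-Svchost $_ } |
    Format-Table -AutoSize
```

A clean system prints one row per service host with an empty Flags column. Any row with a non-System32 path, a parent other than services.exe, or no hosted services is the process to pull the file from (and hash, and submit) before letting a scanner delete it, because once the file is gone you have lost the sample.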

Hi there, could you let me know what problems remain after this?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKLM-x32\...\Run: [AVG9_TRAY] => C:\PROGRA~2\AVG\AVG9\avgtray.exe
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
URLSearchHook: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 - (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} URL =
SearchScopes: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={AE95FA13-ED32-4D23-A557-465F72F82F6F}&mid=fb66373a3d2e47d19819d16f2a3d8dd6-abb12ca542a25b815111bb91afc12966f2ea41af&lang=us&ds=AVG&pr=fr&d=2011-12-24 22:30:18&v=10.0.0.7&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> {99AD52C4-8E2C-424C-A525-1E2D1B0A3014} URL = http://search.iminent.com/?appId=84D783AB-66F6-4D61-BF0A-4806D6CA34EE&ref=toolbox&q={searchTerms}
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
BHO-x32: No Name -> {154d932f-dc51-4a4f-9d52-b78b1419d3b4} -> No File
BHO-x32: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
Toolbar: HKLM-x32 - No Name - {154d932f-dc51-4a4f-9d52-b78b1419d3b4} - No File
Toolbar: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKU\S-1-5-21-1560733108-1017999453-2932809850-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll No File
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\14.0.1\ViProtocol.dll ()
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\14.0.1\\npsitesafety.dll (AVG Technologies)
FF SearchPlugin: C:\Users\ALI JADRON\AppData\Roaming\Mozilla\Firefox\Profiles\1x3ka088.default\searchplugins\SearchTheWeb.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\SearchTheWeb.xml
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\14.0.2.14
FF Extension: No Name - C:\ProgramData\AVG Secure Search\FireFoxExt\14.0.2.14 [2013-01-22]
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG Secure Search\ChromeExt\14.0.2.14\avg.crx [2014-11-24]
S4 vToolbarUpdater14.0.1; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe [945328 2013-01-22] ()
R1 AvgLdx64; C:\Windows\System32\Drivers\avgldx64.sys [282976 2013-01-23] (AVG Technologies CZ, s.r.o.)
R1 AvgMfx64; C:\Windows\System32\Drivers\avgmfx64.sys [35664 2011-11-09] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiA; C:\Windows\System32\Drivers\avgtdia.sys [317520 2011-11-09] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\windows\system32\drivers\avgtpx64.sys [37720 2013-01-22] (AVG Technologies)
C:\Program Files (x86)\AVG
C:\Program Files (x86)\Common Files\AVG Secure Search

EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete, click on “Clean”.
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.
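The fixlist above is mostly leftovers of the AVG Secure Search and Iminent toolbars: BHO, Toolbar and URLSearchHook registrations whose CLSID no longer resolves to a file (FRST prints these as "No File"), and SearchScopes whose URL points at a third-party search redirector. The following is an added example, not part of the helper's post and not part of FRST or AdwCleaner: a read-only audit of those same Internet Explorer persistence points that resolves each CLSID to its registered DLL, marks orphans, and lists search scopes whose host is not in a small allowlist. The allowlist in $knownSearchHosts is an assumption of this example; it changes nothing on the machine and is meant for checking what a fix left behind. It assumes an elevated Windows PowerShell 3 or later session.

```powershell
# Added example, not from the thread and not part of FRST or AdwCleaner.
# Read-only audit of IE BHOs, toolbars, URLSearchHooks and SearchScopes.
# Run from an elevated Windows PowerShell 3+ prompt.

$knownSearchHosts = @('www.bing.com', 'www.google.com')   # assumption: adjust for your environment
$findings = New-Object System.Collections.Generic.List[object]

function Resolve-Clsid {
    # Returns the DLL registered for a CLSID, or $null if the CLSID is not registered at all.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
                      'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

function Add-ClsidFinding {
    param([string]$Source, [string]$Clsid)
    $dll = Resolve-Clsid $Clsid
    $status = if (-not $dll) { 'Unregistered CLSID' }
              elseif (-not (Test-Path -LiteralPath $dll)) { 'No File' }   # what FRST reports as "No File"
              else { 'OK' }
    $findings.Add([pscustomobject]@{ Source = $Source; Id = $Clsid; Target = $dll; Status = $status })
}

# Browser Helper Objects: one subkey per CLSID (64-bit and WOW64 views)
foreach ($bhoRoot in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    if (Test-Path -LiteralPath $bhoRoot) {
        Get-ChildItem -LiteralPath $bhoRoot | ForEach-Object { Add-ClsidFinding 'BHO' $_.PSChildName }
    }
}

# Toolbars and URLSearchHooks: one registry *value* named by CLSID
foreach ($valueKey in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
                      'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser',
                      'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks') {
    if (Test-Path -LiteralPath $valueKey) {
        (Get-Item -LiteralPath $valueKey).GetValueNames() |
            Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' } |
            ForEach-Object { Add-ClsidFinding $valueKey $_ }
    }
}

# SearchScopes: flag any search provider whose host is not on the allowlist
foreach ($scopeRoot in 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
                       'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
                       'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes') {
    if (-not (Test-Path -LiteralPath $scopeRoot)) { continue }
    Get-ChildItem -LiteralPath $scopeRoot | ForEach-Object {
        $url = (Get-ItemProperty -LiteralPath $_.PSPath).URL
        $uri = $null
        if ($url -and [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            $status = if ($knownSearchHosts -contains $uri.Host) { 'OK' } else { 'Unknown search host' }
        } else {
            $status = 'Empty or malformed URL'    # the fixlist's "URL =" entries land here
        }
        $findings.Add([pscustomobject]@{ Source = 'SearchScope'; Id = $_.PSChildName; Target = $url; Status = $status })
    }
}

$findings | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Run it before the fix to see the same orphans FRST listed, and again after the FRST and AdwCleaner passes: an empty result for the BHO and toolbar sources is the confirmation that nothing in those hives still points at the removed toolbars, which is a more direct check than waiting for Avast to stop showing blocked connections.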

Thank you for your quick reply and for clarification:

Do I need to disable my virus protection by closing the program or just turning the shields off?

Right click the Avast tray icon and pause the shields if Avast causes problems.

But you should not need to.

Just for good measure, I did disable Avast shields and Spybot Search and Destroy before running AdwCleaner. I have attached logs from both FRST and AdwCleaner after running the fixes.

One thing to note: a Windows update ran and installed after running FRST and before running AdwCleaner. I will test the success of the fix by removing my custom firewall settings after uploading this post.

Forgot to include the logs in my last post: here you go.

The fix appears to be working, however Avast’s firewall service still has traces of the Iminent toolbar (it retained default rules associated with Iminent applications). Avast warnings no longer pop up, but those had stopped once I implemented the firewall settings.

Are the traces from the old attempts to access the net, or are they new?

Upon deactivation of the firewall there were no new messages generated through any of the installed virus protection. I’m going to run a Spybot scan as this was the first program to detect the malware.

I am unfamiliar with the Iminent product and am unsure if it is legitimate software or not. Removal failed the first time (most likely due to the malware being present) and I am reluctant to make any system changes until given the clear to do so.

Iminent is termed a PUP, but it is not something you want on your system.

It should be gone now.

I have still found traces of Iminent software located in multiple directories, including the MBAM quarantine folder as well as the SysWOW64 folder of the Windows directory. Iminent no longer appears in the program list, but can still be found with a little digging. The files and directories appear to be empty but were not completely removed. I have attached a screenshot of the locations.

The malware no longer appears to be active (no new blocked attempts at connection by any virus protection) however as this laptop is not mine, I will not be able to check on it frequently after returning it to the user. I am presently running a Spybot scan and am waiting for it to finish. Will these directories left behind by Iminent be an issue?

No, but you can manually delete them.

The problem seems to be fixed then. I cannot explore further until I get home later but if any problems persist, I will return with more questions.

Thank you for all your help essexboy.

Once you are happy I will remove the tools and tidy up

Spybot still reports signs of infection, just not the svchost.exe file. Avast is no longer showing signs of blocking malware attempts to contact a web server either.

This infection appears to be fixed but I could have another I previously missed. Is it possible the tools I downloaded could be deemed malicious by Spybot?

The svchost.exe infection was successfully removed, no more Avast warnings and scans are showing clear. Can begin the uninstallation process whenever you are ready essex.

Spybot still reports signs of infection, just not the svchost.exe file.
What does it detect?
Is it possible the tools I downloaded could be deemed malicious by Spybot?
If you mean the tools used by the removal team here? ...... Yes, they are detected all the time, especially after an update.

You don't need Spybot when you have Malwarebytes.

I would be interested to see what spybot finds

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right click on Unchecky_setup and choose Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

I would be interested to see what spybot finds

Spybot reported a single threat of minimal level. It was a default cookie file within Mozilla. It has since vanished from any scans and the laptop is clean.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

I am definitely taking this advice and holding onto this system a little longer to familiarize myself with Malwarebytes. I have been using Spybot for around 6 years now and had just grown accustomed to it.

If you do need to keep Java then download JavaRa

Thank you for this, I know there are plenty of holes in Java and intend to use this on my own system.

Downloading DelFix and will be monitoring the laptop all day. 8)

edit: DelFix just blew my mind. Amazing piece of software.