malware program and web page redirect

My dad has spent days using different antivirus programs to try to clean his computer, but it is still no good. I believe his svchost.exe file is infected with malware hidden within. I wish someone here could help him, thank you very much. The attached files are the logs from Malwarebytes and OTL.

Hi, let's try this for starters; MBAM could not delete the offending file.

Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
IE - HKU\S-1-5-21-526146932-1143213520-2917878697-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:62566
FF - prefs.js..browser.search.selectedEngine: "WhiteSmoke Bar Customized Web Search"
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 62566
[2011/09/18 18:22:15 | 000,000,000 | ---D | M] (WhiteSmoke Bar Community Toolbar) -- C:\Users\aaa\AppData\Roaming\Mozilla\Firefox\Profiles\biw6aqcw.default\extensions\{167d9323-f7cc-48f5-948a-6f012831a69f}
[2011/08/17 00:01:31 | 000,000,000 | ---D | M] (ShopToWin9) -- C:\Users\aaa\AppData\Roaming\Mozilla\Firefox\Profiles\biw6aqcw.default\extensions\{46d606b0-a645-11df-981c-0800200c9a66}
[2011/08/17 00:01:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\aaa\AppData\Roaming\Mozilla\Firefox\Profiles\biw6aqcw.default\extensions\{46d606b0-a645-11df-981c-0800200c9a66}\chrome\content\dca\core\extensionManager
[2011/09/21 11:10:06 | 000,002,223 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\websearch.xml
O3 - HKU\S-1-5-21-526146932-1143213520-2917878697-1000\..\Toolbar\WebBrowser: (no name) - {167D9323-F7CC-48F5-948A-6F012831A69F} - No CLSID value found.
O3 - HKU\S-1-5-21-526146932-1143213520-2917878697-1000\..\Toolbar\WebBrowser: (no name) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No CLSID value found.
O33 - MountPoints2\{6dcd44e4-0e73-11df-99d0-000325487b49}\Shell\AutoRun\command - "" = j.cmd
O33 - MountPoints2\{6dcd44e4-0e73-11df-99d0-000325487b49}\Shell\open\Command - "" = j.cmd
O33 - MountPoints2\{a8f6fbb5-18ee-11df-82f7-000325487b49}\Shell\Autoplay\Command - "" = xmss.exe
O33 - MountPoints2\{a8f6fbb5-18ee-11df-82f7-000325487b49}\Shell\AutoRun\command - "" = xmss.exe
O33 - MountPoints2\{a8f6fbb5-18ee-11df-82f7-000325487b49}\Shell\Explore\Command - "" = xmss.exe
O33 - MountPoints2\{a8f6fbb5-18ee-11df-82f7-000325487b49}\Shell\Open\Command - "" = xmss.exe
[2011/09/18 18:22:20 | 000,000,000 | ---D | C] -- C:\Program Files\WhiteSmokeTranslator
[2011/09/23 23:04:29 | 000,007,680 | ---- | M] () -- C:\Windows\System\svchost.exe
[2011/09/15 23:26:11 | 000,001,080 | -HS- | M] () -- C:\Users\aaa\AppData\Local\5b5s8f0nhi1
[2011/09/15 23:26:11 | 000,001,080 | -HS- | M] () -- C:\ProgramData\5b5s8f0nhi1
[2011/09/21 23:50:32 | 000,000,000 | ---- | C] () -- C:\Windows\750334238
[2011/09/15 23:26:11 | 000,001,080 | -HS- | C] () -- C:\Users\aaa\AppData\Local\5b5s8f0nhi1
[2011/09/15 23:26:11 | 000,001,080 | -HS- | C] () -- C:\ProgramData\5b5s8f0nhi1
[2011/06/25 08:27:23 | 000,010,000 | -HS- | C] () -- C:\Users\aaa\AppData\Local\13gpr2hj11f04eu87q3qw51t4w67sao78p15gh8lk6e
[2011/06/25 08:27:23 | 000,010,000 | -HS- | C] () -- C:\ProgramData\13gpr2hj11f04eu87q3qw51t4w67sao78p15gh8lk6e
[2011/09/23 23:04:29 | 000,007,680 | ---- | M] () MD5=51DD43C1097407AA8437509BD4EF6D37 -- C:\WINDOWS\system\svchost.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered; reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe and follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it will produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
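The three things the OTL fix above goes after can be pulled out of an OTL log automatically: a browser proxy pointed at 127.0.0.1 (the "web page redirect" in the title), MountPoints2 autorun commands that launch j.cmd or xmss.exe when a removable drive is opened, and a file called svchost.exe sitting in C:\Windows\System instead of System32. The script below is an added example, not code from this thread, OTL or Malwarebytes: it scans OTL-style lines for those three indicator classes. The sample lines are constructed from the entries quoted in the fix plus one made-up benign control line for the real System32 svchost.exe; the regexes, the trusted-directory list and the function names are this example's own assumptions.

```python
"""Triage OTL log lines for the indicator classes targeted in the fix above.

Added example for illustration; not code from OTL, Malwarebytes or this thread.
Regexes, the trusted-directory list and all names are this example's own.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str    # 'loopback-proxy' | 'mountpoints-autorun' | 'rogue-svchost'
    detail: str  # evidence for the report


# Constructed sample input: the first six lines are copied from the OTL fix
# quoted in the thread; the last is a made-up benign control line for the real
# svchost.exe in System32, which must NOT be flagged.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-526146932-1143213520-2917878697-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:62566
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 62566
O33 - MountPoints2\{a8f6fbb5-18ee-11df-82f7-000325487b49}\Shell\AutoRun\command - "" = xmss.exe
O33 - MountPoints2\{6dcd44e4-0e73-11df-99d0-000325487b49}\Shell\open\Command - "" = j.cmd
[2011/09/23 23:04:29 | 000,007,680 | ---- | M] () MD5=51DD43C1097407AA8437509BD4EF6D37 -- C:\WINDOWS\system\svchost.exe
[2011/09/23 23:04:29 | 000,027,136 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\svchost.exe
"""

# WinINet proxy as OTL prints it: "ProxyServer" = http=127.0.0.1:62566
# (the value may also be a plain host:port or a ;-separated per-scheme list;
# only the first entry is inspected here)
IE_PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)')
# Firefox prefs.js proxy host (the _port line is deliberately not matched)
FF_PROXY_RE = re.compile(r'prefs\.js\.\.network\.proxy\.http:\s*"(?P<host>[^"]+)"')
# O33 MountPoints2 shell verbs: what Explorer runs when the volume is opened
MOUNT_RE = re.compile(
    r'MountPoints2\\(?P<guid>\{[0-9a-f-]+\})\\Shell\\(?P<verb>\w+)\\command'
    r'\s*-\s*""\s*=\s*(?P<cmd>.+?)\s*$', re.IGNORECASE)
# OTL file entry: [stamp | size | attrs | C/M] (vendor) [MD5=...] -- path
FILE_RE = re.compile(
    r'^\[(?P<stamp>[^\]]+)\]\s*(?:\((?P<vendor>[^)]*)\)\s*)?'
    r'(?:MD5=(?P<md5>[0-9A-Fa-f]{32})\s*)?--\s*(?P<path>.+?)\s*$')

# Directories where a file named svchost.exe is expected (assumed list)
TRUSTED_SVCHOST_DIRS = ('\\windows\\system32\\', '\\windows\\syswow64\\',
                        '\\windows\\winsxs\\')


def is_loopback(host: str) -> bool:
    """True for hosts that resolve to the local machine (127/8, localhost, ::1)."""
    h = host.strip('[]').lower()
    return h in ('localhost', '::1') or h.startswith('127.')


def svchost_out_of_place(path: str) -> bool:
    """True when the file is named svchost.exe but sits outside a trusted directory."""
    p = path.replace('/', '\\').lower()
    if p.rsplit('\\', 1)[-1] != 'svchost.exe':
        return False
    return not any(d in p for d in TRUSTED_SVCHOST_DIRS)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches an indicator class."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IE_PROXY_RE.search(line) or FF_PROXY_RE.search(line)
        if m and is_loopback(m.group('host')):
            findings.append(Finding('loopback-proxy', line))
            continue
        m = MOUNT_RE.search(line)
        if m:
            findings.append(Finding('mountpoints-autorun',
                                    f"{m.group('guid')} {m.group('verb')} -> {m.group('cmd')}"))
            continue
        m = FILE_RE.match(line)
        if m and svchost_out_of_place(m.group('path')):
            findings.append(Finding('rogue-svchost',
                                    f"{m.group('path')} md5={m.group('md5') or '?'} "
                                    f"vendor={m.group('vendor') or '(none)'}"))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Two caveats when reading the output. A proxy on 127.0.0.1 is not malicious by itself (local filtering and parental-control products use the same trick), so before deleting the setting confirm which process is listening on that port, for instance with netstat -ano on the affected machine; in this thread the port belongs to an unsigned 7,680-byte svchost.exe in the wrong directory, which settles it. And the svchost check is only a path heuristic: a file in System32 with the right name still needs its signature or hash verified, since a rogue file can be dropped there too.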

I successfully finished the custom fix, but when I ran ComboFix, the computer restarted unexpectedly while I was away, and the log is nowhere to be found. What should I do next?

Could you please re-run ComboFix, and if it does the same again I will go to plan B ;D

It happened again. I think I need to try another plan.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan.

Click the cog in the upper right.

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif

Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif

Allow AVP to delete all infections found.
Once it has finished, select the Report tab (last tab).
Select Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.

Now the Analysis

Rerun AVP, select the Manual Disinfection tab and press Start Gathering System Information.

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif

On completion, click the link to locate the zip file, then upload it and attach it to your next post.

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif

Megaupload

While I am scanning, it says it needs 4 days to finish the scan ???

Skip directly to the analysis portion, please.

The report from the scan is not completely finished, I believe, but the log still ended up as a huge file, around 57 MB. I can only attach the analysis log. I have to use a MediaFire link because I cannot upload the log here. I will upload the 57 MB one too if you are okay with it. Thanks.

http://www.mediafire.com/?2jqmr7vqpi2j61s

I will be unavailable after this afternoon, I am afraid.

[*]Re-run AVPTool
[*]Select the Manual Disinfection tab and press Script execution

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpmanual.gif

[*]Where it states Insert text script, copy the script below into that box and press Run script.
Copy from begin until end.

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpscript.gif

begin
SetAVZPMStatus(True);
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteService('cfjccajr');
SetServiceStart('cfjccajr', 4);
StopService('cfjccajr');
BC_DeleteSvc('cfjccajr');
DeleteFile('C:\Windows\system32\drivers\cfjccajr.sys');
BC_DeleteFile('C:\Windows\system32\drivers\cfjccajr.sys');
DeleteFile('C:\Windows\TEMP\9BEB.tmp');
BC_DeleteFile('C:\Windows\TEMP\9BEB.tmp');
BC_DeleteFile('C:\Windows\system\svchost.exe');
DeleteFile('C:\Windows\system\svchost.exe');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
ExecuteWizard('TSW',2,3,true);
BC_Activate;
RebootWindows(true);
end.

[*]Your system will reboot on completion; if it does not, please do so yourself
[*]On completion, please run another analysis scan and attach the zip file