Need some help with a trojan

Started yesterday. Was surfing the web, when all of the sudden my computer restarts, and immediately after the malware popups start to go off. The responsible process is always \.\globalroot\systemroot\svchost.exe and the active process in the task manager related to it is Svchost.exe *32 with the description winscmde. Even after it is neutralized by MWB, it simply recreates itself, with whatever is responsible for this evading detection.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.05.07

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Jackson :: TERMINAL [administrator]

6/5/2012 4:50:19 PM
mbam-log-2012-06-05 (16-50-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211833
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → 3916 → Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → Delete on reboot.

(end)
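The tell in the log above is the path: the genuine svchost.exe lives in C:\Windows\System32 (or SysWOW64 for the 32-bit copy), is Microsoft-signed, and is started by services.exe, while the detected copy sits directly in C:\Windows. The following PowerShell script is an added example for readers who want to check this themselves; it is not from the thread or from any of the tools mentioned. It lists every running svchost.exe whose executable is outside the system directories, has an invalid or missing Authenticode signature, or was not started by services.exe. It assumes Windows PowerShell run from an elevated prompt.

```powershell
# Added example (not part of the original thread): flag svchost.exe instances that
# do not look like the genuine service host. Run as administrator so that
# ExecutablePath is readable for every process.

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Test-InSystemDir {
    param([string]$Path)
    # True when the executable's directory is System32 or SysWOW64 (case-insensitive).
    $dir = Split-Path -Parent $Path
    foreach ($d in $systemDirs) {
        if ($dir -ieq $d) { return $true }
    }
    return $false
}

function Get-SuspiciousSvchost {
    # Win32_Process exposes ExecutablePath and ParentProcessId on every supported
    # Windows version, including the Windows 7 era this thread comes from.
    Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) { return }   # could not read the path (protected process); skip it

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
        $parentName = if ($parent) { $parent.Name } else { '(exited)' }

        New-Object PSObject -Property @{
            PID         = $_.ProcessId
            Path        = $path
            InSystemDir = Test-InSystemDir $path
            Signature   = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Parent      = $parentName
        }
    } | Where-Object {
        # Any one of these is enough to warrant a closer look.
        (-not $_.InSystemDir) -or
        ($_.Signature -ne 'Valid') -or
        ($_.Parent -ne 'services')
    }
}

# An empty table means every svchost.exe passed all three checks.
Get-SuspiciousSvchost | Format-Table PID, Parent, InSystemDir, Signature, Path -AutoSize
```

A hit from this script is a starting point, not a verdict: a legitimate but unsigned third-party file will also show up, so confirm with the path and the signer before acting, and bear in mind that a kernel-mode rootkit of the kind TDSSKiller later found in this thread can hide processes from user-mode enumeration entirely, which is why the helper insisted on a rootkit scanner rather than relying on Task Manager.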

Here are the extras from the OTL scan; couldn’t fit both in one post.

Also attaching the aswMBR log.

Sorry for the wait.

Not happy with the MBR, so we will check that out first.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

  • Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

THEN

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Okay, here is the file from TDSSKiller. About to run ComboFix; will get back to you when that is done.

Also, I know there are probably gonna be a lot more steps before this thing is no longer an issue, but thanks for the help, y’all are lifesavers.

Once ComboFix has completed, re-run TDSSKiller and delete the following:

\Device\Harddisk0\DR0 ( TDSS File System )

Okay, did that, but right as I clicked Delete I got a few pop-ups from Avast: 10 .dat files, all starting with tsk000 and then either another 0, 1, or 4 following it. They were all in the TDSSKiller quarantine and were moved to the Avast virus chest.

Anyway, other than that everything seems to be running fine; haven’t gotten any more of the pop-ups from the network shield, so that is good. The system was also a bit quicker on the reboot this time.

I’m on my phone at the moment, but it looks good.
How is the computer behaving?

As good as before it was infected. I do have a few questions though. I noticed that Minecraft was deleted by ComboFix and I am wondering if it could have possibly been the culprit for the infection. I was on my buddy’s server before all this happened; is it possible that an infection could be on the server and that it is being spread to those that log on?

And lastly, is there somewhere online I can go to learn how to read the logs produced and what to look for? I greatly appreciate what you have done for me here, but I would like to be able to rely on myself more to fix issues like this in the future, whether they be on my computer or a friend’s. Once again, thanks for everything.

One more thing. Noticing a few files like Desktop.ini and Thumbs.db in various locations, such as my Pictures folder. Also there are copies of the following folders, and I get a pop-up of access denied when I try to open them. I am an administrator on the computer and there are no other user accounts. Folders: My Music, My Pictures, My Videos, My Documents (under user). Should I be alarmed?

I’m also getting the access denied pop-up on folders such as AppData and Documents and Settings in the C drive. Some folders also now have locks on them, or are faded. Those are the ones I am having the pop-up occur on.

I do not have access to my main instructions at the moment, so I will cobble one together and do the proper one when I get home tomorrow.

Go Start > Run

Type in:

Combofix /uninstall

Then run OTL and select Cleanup.

Once done, let me know what problems remain, please.

That seems to have cleared everything up. I’ll be sure to let you know if I encounter any more issues. Thanks again.

My pleasure. I will now give the rest of the cleanup.

SPRING CLEAN

To manually create a new Restore Point:

  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select the System Protection tab
  • Select Create at the bottom
  • Type in a name, i.e. Clean
  • Select Create

Now we can purge the infected ones:

  • Go Start > All Programs > Accessories > System Tools
  • Right click Disk Cleanup and select Run as administrator
  • Select your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups section select Clean up
  • Select Delete on the pop-up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run it weekly to keep your system clean.

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date, visit:

  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place?

Keep safe :wave:

Awesome. Thanks again.

My pleasure ;D

What firewall would you recommend? I’m looking at the guide you posted, but I noticed the post is quite old, so I want to make sure I’m getting one that is still among the best.

Although the published date is quite old, it is updated regularly by modifying the post… The same as my malware logs sticky here: the date for that is Jan 2010, yet I updated it today ;D

Okay, thanks. Didn’t see the update, only the post date.