TDSS strikes! Believe I have TDL4

Based on what I’ve read from this thread:
http://forum.avast.com/index.php?topic=102682.0
I believe I have managed to catch a TDL4 trojan. Hooray. I have the rogue svchost.exe in c:\windows, which is in my MBR and evades MBAM’s delete on reboot. If I do nothing to quarantine svchost.exe in c:\windows, avast will block attempted connections to the following domains -

URL: hxxp://37.220.36.44/x/
Process: \.\globalroot\systemroot\svchost.exe
Infection: URL:Mal

URL: hxxp://espeak911.com/x/
Process: \.\globalroot\systemroot\svchost.exe
Infection: URL:Mal

URL: hxxp://colexity777.com/x/
Process: \.\globalroot\systemroot\svchost.exe
Infection: URL:Mal

Additionally, avast does not detect the trojan when the rogue application is scanned, though MBAM does. Again though, this trojan is a sneaky devil and will avoid being deleted on reboot. However, if I terminate the trojan svchost in processes, it will immediately attempt to restart. MBAM detects this and allows me to “quarantine”, at which point the rogue app will no longer launch (as far as I can tell). It won’t appear in processes and Avast no longer gives warning messages, so it appears that the trojan is at least unable to connect to its domains, though it is obviously still in my system probably wreaking havoc. I believe my fix will be similar to the one in the link above, but I obviously need individual help. So let the games begin! And thank you.
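The indicator that matters in the post above is an svchost.exe whose image sits in C:\Windows rather than C:\Windows\System32, which Avast reports under the NT device-style path \\.\globalroot\systemroot\svchost.exe. As an added example that is not part of the original thread or of any tool mentioned in it, the Python below normalizes such device paths back to a drive-letter path and flags any svchost.exe running outside the two directories Windows uses for it. The process list is constructed sample data, and normalize_image_path and flag_suspicious_svchost are my hypothetical helpers.

```python
import re

# Constructed sample process list (not taken from the thread): the kind of
# listing "wmic process get ProcessId,Name,ExecutablePath" produces. One entry
# deliberately uses the \\.\globalroot\systemroot form seen in security-product
# alerts, which resolves to C:\Windows, not to System32.
SAMPLE_PROCESSES = [
    {"pid": 612,  "name": "svchost.exe",  "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1340, "name": "svchost.exe",  "image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 4012, "name": "svchost.exe",  "image": r"\\.\globalroot\systemroot\svchost.exe"},
    {"pid": 2200, "name": "explorer.exe", "image": r"C:\Windows\explorer.exe"},
]

# NT object-manager prefixes that appear in place of a drive letter.
# \\.\GLOBALROOT\SystemRoot\... and \SystemRoot\... both resolve to %SystemRoot%;
# \??\ and \\?\ are verbatim-path prefixes in front of an ordinary drive path.
_GLOBALROOT_RE = re.compile(r"^\\+\.\\globalroot\\systemroot(?=\\)", re.IGNORECASE)
_SYSTEMROOT_RE = re.compile(r"^\\systemroot(?=\\)", re.IGNORECASE)
_VERBATIM_RE = re.compile(r"^(\\\?\?\\|\\\\\?\\)")


def normalize_image_path(path, system_root=r"C:\Windows"):
    """Rewrite an NT device-style image path into a plain drive-letter path.

    A single leading backslash is accepted as well as the canonical two, because
    forum software and some log exporters collapse doubled backslashes.
    """
    path = _GLOBALROOT_RE.sub(lambda _: system_root, path, count=1)
    path = _SYSTEMROOT_RE.sub(lambda _: system_root, path, count=1)
    path = _VERBATIM_RE.sub("", path, count=1)
    return path


def flag_suspicious_svchost(processes, system_root=r"C:\Windows"):
    """Return (pid, reported path, normalized path) for every svchost.exe whose
    image is not in System32 or SysWOW64 after normalization.

    Unresolvable device paths are flagged too: a process whose location cannot
    be accounted for deserves a look.
    """
    root = system_root.lower()
    expected_dirs = {root + r"\system32", root + r"\syswow64"}
    findings = []
    for proc in processes:
        if proc["name"].lower() != "svchost.exe":
            continue
        normalized = normalize_image_path(proc["image"], system_root)
        directory = normalized.rsplit("\\", 1)[0].lower()
        if directory not in expected_dirs:
            findings.append((proc["pid"], proc["image"], normalized))
    return findings


if __name__ == "__main__":
    for pid, reported, normalized in flag_suspicious_svchost(SAMPLE_PROCESSES):
        print(f"pid {pid}: svchost.exe outside System32/SysWOW64: {reported} -> {normalized}")
```

On a live host the same check can be fed from `wmic process get ProcessId,Name,ExecutablePath` or from PowerShell's `Get-Process | Select-Object Id,ProcessName,Path`; note that Get-Process reports the name without the .exe suffix, so the name comparison has to allow for that.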

Hi, could you attach the logs please?

Sorry, I’m having a hard time getting to the file path specified for the log in order to attach it, so I hope I’m not breaking any rules by pasting it here.

After quick scan:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.09.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nick :: FUNSLAVE_MK_IV [administrator]

Protection: Enabled

8/9/2012 4:01:56 PM
mbam-log-2012-08-09 (16-01-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219397
Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → 5468 → Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → Delete on reboot.

(end)

The two logs I need to see are OTL and aswMBR, to determine what type it is.

OK, I’m getting those programs now and logs will follow. This stuff is all probably garbage then, but I have it typed up, and maybe it isn’t.

Another MBAM log - I believe this one was after I shut down the trojan process in Task Manager? Once it hits the “DETECTION” part (14:09:39), it gets another detection every few seconds up until 15:09:38, and then it ALLOWs… see below. I’ve cut out the massive middle section, which literally never changes except for the timestamp.

2012/08/08 14:08:27 -0400 FUNSLAVE_MK_IV Nick MESSAGE Starting protection
2012/08/08 14:08:28 -0400 FUNSLAVE_MK_IV Nick MESSAGE Executing scheduled update: Daily
2012/08/08 14:08:28 -0400 FUNSLAVE_MK_IV Nick ERROR Scheduled update failed: No address found failed with error code 0
2012/08/08 14:08:29 -0400 FUNSLAVE_MK_IV Nick MESSAGE Protection started successfully
2012/08/08 14:08:32 -0400 FUNSLAVE_MK_IV Nick MESSAGE Starting IP protection
2012/08/08 14:08:34 -0400 FUNSLAVE_MK_IV Nick MESSAGE IP Protection started successfully
2012/08/08 14:09:39 -0400 FUNSLAVE_MK_IV Nick DETECTION C:\Windows\svchost.exe Trojan.Agent QUARANTINE
2012/08/08 14:09:48 -0400 FUNSLAVE_MK_IV Nick DETECTION c:\windows\svchost.exe Trojan.Agent DENY
2012/08/08 14:09:50 -0400 FUNSLAVE_MK_IV Nick DETECTION C:\Windows\svchost.exe Trojan.Agent DENY

2012/08/08 15:09:38 -0400 FUNSLAVE_MK_IV Nick DETECTION C:\Windows\svchost.exe Trojan.Agent DENY
2012/08/08 15:09:48 -0400 FUNSLAVE_MK_IV Nick DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/08/08 15:09:48 -0400 FUNSLAVE_MK_IV Nick DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW


And today, a second log after MBAM detected and quarantined svchost with a scan, it caught it again automatically:

2012/08/09 15:17:32 -0400 FUNSLAVE_MK_IV Nick MESSAGE Starting protection
2012/08/09 15:17:33 -0400 FUNSLAVE_MK_IV Nick MESSAGE Protection started successfully
2012/08/09 15:17:36 -0400 FUNSLAVE_MK_IV Nick MESSAGE Starting IP protection
2012/08/09 15:17:37 -0400 FUNSLAVE_MK_IV Nick MESSAGE IP Protection started successfully
2012/08/09 15:26:02 -0400 FUNSLAVE_MK_IV Nick MESSAGE Executing scheduled update: Daily
2012/08/09 15:26:26 -0400 FUNSLAVE_MK_IV Nick MESSAGE Starting database refresh
2012/08/09 15:26:26 -0400 FUNSLAVE_MK_IV Nick MESSAGE Scheduled update executed successfully: database updated from version v2012.08.06.11 to version v2012.08.09.10
2012/08/09 15:26:26 -0400 FUNSLAVE_MK_IV Nick MESSAGE Stopping IP protection
2012/08/09 15:27:41 -0400 FUNSLAVE_MK_IV (null) MESSAGE IP Protection stopped
2012/08/09 15:30:46 -0400 FUNSLAVE_MK_IV Nick MESSAGE Starting protection
2012/08/09 15:30:48 -0400 FUNSLAVE_MK_IV Nick MESSAGE Protection started successfully
2012/08/09 15:30:51 -0400 FUNSLAVE_MK_IV Nick MESSAGE Starting IP protection
2012/08/09 15:30:52 -0400 FUNSLAVE_MK_IV Nick MESSAGE IP Protection started successfully
2012/08/09 15:54:51 -0400 FUNSLAVE_MK_IV Nick DETECTION C:\Windows\svchost.exe Trojan.Agent QUARANTINE
2012/08/09 15:54:51 -0400 FUNSLAVE_MK_IV Nick ERROR Quarantine failed: DeleteFile failed with error code 5
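Every line of the two protection logs above has the same shape: date, time, UTC offset, host, user, a level (MESSAGE, ERROR or DETECTION) and free text, where a DETECTION line ends with the file path, the threat name and the verdict. The Python below, added here as an example and not part of the thread or of Malwarebytes, parses that format and pulls out the three things worth noticing in this case: the same file being blocked over and over (it keeps relaunching), a verdict flipping to ALLOW on a file that was previously blocked, and a “Quarantine failed … error code 5” (Win32 ERROR_ACCESS_DENIED) right after a QUARANTINE verdict, meaning the scanner could not remove the file from user mode. The log lines are constructed to match the format shown; host name, user name and the second detection are invented, and parse_line and triage are my hypothetical helpers.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the Malwarebytes protection-log format quoted
# in the thread. Host name, user name and the second detection are invented.
SAMPLE_LOG = r"""
2012/08/08 14:08:27 -0400 WORKSTATION01 alice MESSAGE Starting protection
2012/08/08 14:08:29 -0400 WORKSTATION01 alice MESSAGE Protection started successfully
2012/08/08 14:09:39 -0400 WORKSTATION01 alice DETECTION C:\Windows\svchost.exe Trojan.Agent QUARANTINE
2012/08/08 14:09:48 -0400 WORKSTATION01 alice DETECTION c:\windows\svchost.exe Trojan.Agent DENY
2012/08/08 14:09:50 -0400 WORKSTATION01 alice DETECTION C:\Windows\svchost.exe Trojan.Agent DENY
2012/08/08 14:10:00 -0400 WORKSTATION01 alice DETECTION C:\Windows\svchost.exe Trojan.Agent DENY
2012/08/08 15:09:48 -0400 WORKSTATION01 alice DETECTION C:\Windows\svchost.exe Trojan.Agent ALLOW
2012/08/09 15:54:51 -0400 WORKSTATION01 alice DETECTION C:\Windows\svchost.exe Trojan.Agent QUARANTINE
2012/08/09 15:54:51 -0400 WORKSTATION01 alice ERROR Quarantine failed: DeleteFile failed with error code 5
2012/08/09 16:00:00 -0400 WORKSTATION01 alice DETECTION C:\Users\alice\Downloads\setup tool.exe PUP.Optional ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<level>MESSAGE|ERROR|DETECTION) (?P<body>.*)$"
)
# The path may contain spaces, so the threat name and verdict are matched from the right.
DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<threat>\S+) (?P<action>QUARANTINE|DENY|ALLOW)$")

ACCESS_DENIED = 5  # Win32 ERROR_ACCESS_DENIED


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    if rec["level"] == "DETECTION":
        d = DETECTION_RE.match(rec["body"])
        if d:
            rec.update(d.groupdict())
    return rec


def triage(lines, repeat_threshold=3, failure_window=timedelta(seconds=5)):
    """Summarize verdicts per file and surface persistence and removal-failure indicators."""
    records = [r for r in map(parse_line, lines) if r]
    verdicts = defaultdict(Counter)      # lower-cased path -> Counter of verdicts
    first_seen, last_seen = {}, {}
    blocked, allowed_after_block = set(), set()
    last_quarantine = {}                 # path -> timestamp of the latest QUARANTINE verdict
    failures = []

    for r in records:
        if r["level"] == "DETECTION" and "path" in r:
            key = r["path"].lower()
            verdicts[key][r["action"]] += 1
            first_seen.setdefault(key, r["ts"])
            last_seen[key] = r["ts"]
            if r["action"] in ("DENY", "QUARANTINE"):
                blocked.add(key)
                if r["action"] == "QUARANTINE":
                    last_quarantine[key] = r["ts"]
            elif key in blocked:         # ALLOW on a file that was blocked earlier
                allowed_after_block.add(key)
        elif r["level"] == "ERROR" and r["body"].startswith("Quarantine failed"):
            # Attribute the failure to any QUARANTINE verdict issued just before it.
            related = sorted(k for k, t in last_quarantine.items()
                             if timedelta(0) <= r["ts"] - t <= failure_window)
            code = re.search(r"error code (\d+)", r["body"])
            failures.append({"ts": r["ts"], "paths": related,
                             "code": int(code.group(1)) if code else None})

    indicators = []
    for key, c in verdicts.items():
        blocks = c["DENY"] + c["QUARANTINE"]
        if blocks >= repeat_threshold:
            span = (last_seen[key] - first_seen[key]).total_seconds()
            indicators.append(f"{key}: blocked {blocks} times over {span:.0f}s; "
                              "the file keeps relaunching, so whatever starts it is still in place")
    for key in sorted(allowed_after_block):
        indicators.append(f"{key}: verdict changed to ALLOW after earlier blocks; "
                          "the file was let run and should be re-examined")
    for f in failures:
        if f["code"] == ACCESS_DENIED:
            indicators.append(f"{', '.join(f['paths']) or 'unknown file'}: quarantine failed with "
                              "ERROR_ACCESS_DENIED; the scanner could not delete the file from user mode")

    return {
        "verdicts": {k: dict(c) for k, c in verdicts.items()},
        "allowed_after_block": sorted(allowed_after_block),
        "quarantine_failures": failures,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG.splitlines())["indicators"]:
        print(line)
```

Run against the sample, the three indicators come out in the order the thread experienced them: repeated blocks of the same file, an ALLOW after the blocks, and the access-denied quarantine failure. Feeding it a real protection log is a matter of passing the file's lines instead of SAMPLE_LOG.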

Alright, sorry about the delay, I just moved into my dorm. Here are the logs you requested. I got an error 33 upon completion of the OTL log, something about “out of bounds”. Also included is an OTM log; I ran that as suggested by a site detailing running OTL, I hope it didn’t interfere. Here you are:

Also, until this gets cleaned, do you think me quarantining the rogue svchost with MBAM and then killing the process (after which Avast stops reporting blocked IP) is a decent measure of some protection rather than allowing my computer to be bombarded with bad connection requests every 30 seconds?

OK, let’s try and get it in one.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

  • Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports.

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FINALLY

run farbar service scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Ran TDSSKiller seemingly fine; you can check the log. Ran ComboFix, didn’t touch it at all, turned Avast and MBAM off. It got to stage 50 and then seemed to hang. The yellow cursor was one or two lines below “stage 50” blinking away, but after ten minutes or so nothing had happened and no log was present, so I figured it had stalled. Your instructions say not to rerun, so as of now I have not. I never got a log for ComboFix. I have not seen an alert from Avast as far as blocking connections, although the svchost.exe in c:\windows is still there, and just a second ago MBAM asked to quarantine it. Please advise with ComboFix. Thank you so much. Here is the TDSS log:

FSS log

Stop ComboFix via Task Manager, please.

Re-run TDSSKiller with the same parameters.
When you see the following, select Delete:

\Device\Harddisk0\DR0 ( TDSS File System )

Reboot then re-run Combofix

Voilà! That did the trick. Here’s the ComboFix log:

OK, just FSS now… How is the computer behaving?

I…believe it’s gone. I can’t find the rogue svchost, and from what I’ve seen in the last few minutes, no IP blocks have occurred, no MBAM warnings. I’ll do a quick scan with MBAM and Avast, unless you think a full scan is needed. If this is gone, I’d assume the next step is cleanup of the programs. They don’t take up too much space though - do you advise just hanging on to them in case? THANK YOU so very much. It’s nice to see that there are companies and people willing to help as much as you guys are.
Fss log:

It is best to remove the tools, as they are continually being updated to detect the newer malware types.

Subject to no further problems.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean.

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
  • In the Run box, type in ComboFix /Uninstall (notice the space between the “x” and “/”), then click OK.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

  • Follow the prompts on the screen.
  • A message should appear confirming that ComboFix was uninstalled.

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that.

  • Go to Control Panel.
  • Select Folder Options (Appearance > Folder Options in category view).
  • Select the View tab.
  • Under the Hidden files and folders heading, select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

To manually create a new Restore Point

  • Go to Control Panel and select System.
  • Select System.
  • On the left, select System Protection and accept the warning if you get one.
  • Select the System Protection tab.
  • Select Create at the bottom.
  • Type in a name, i.e. Clean.
  • Select Create.

Now we can purge the infected ones

  • Go to Start > All Programs > Accessories > System Tools.
  • Right-click Disk Cleanup and select Run as administrator.
  • Select your main drive and accept the warning if you get one.
  • For a few moments the system will make some calculations.
  • Select the More Options tab.
  • In the System Restore and Shadow Backups section, select Clean up.
  • Select Delete on the pop-up.
  • Select OK.
  • Select Delete.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install the FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated. To keep your operating system up to date, visit:

  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe

All done, everything successful. I will post back only if I have further issues. THANK YOU.

My pleasure