Can't get rid of svchost.exe virus

Page 2 of 2

  1. Posts : 39
    Windows 7 Ultimate x32
    Thread Starter
       #11

    Jacee said:
    "Total Files Cleaned = 6,782.00 mb" <--- wow that's a lot of 'garbage' cleaned out of your temporary files!

    Please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator.
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Copy and paste the contents of that logfile in your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.




    Log File :

    # AdwCleaner v3.015 - Report created 18/12/2013 at 15:54:46
    # Updated 10/12/2013 by Xplode
    # Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
    # Username : Victor - VICTOR-PC
    # Running from : C:\Users\Victor\Desktop\adwcleaner.exe
    # Option : Scan

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Found : C:\Users\Victor\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpdioedihjhncjafcpgbbjdpbbkikmi
    Folder Found C:\ProgramData\boost_interprocess

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.16428


    -\\ Mozilla Firefox v25.0.1 (he)

    [ File : C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\72dm27ti.default\prefs.js ]

    Line Found : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:25.0.1");

    -\\ Google Chrome v31.0.1650.63

    [ File : C:\Users\Victor\AppData\Local\Google\Chrome\User Data\Default\preferences ]


    *************************

    AdwCleaner[R0].txt - [64625 octets] - [16/12/2013 19:48:29]
    AdwCleaner[R1].txt - [1261 octets] - [18/12/2013 15:54:46]
    AdwCleaner[S0].txt - [64505 octets] - [16/12/2013 19:49:29]

    ########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [1382 octets] ##########
    I didn't click the Clean button yet. I don't understand why it found my preferences as something bad, and I don't know what that weird extension it found is.


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #12

    Do you have a program called "Cloudfogger"?

    Please run AdwCleaner and click "Clean". Copy and paste the .txt log.

    Next,




    Download DDS from one of these links:
    DDS.com
    DDS.pif
    • Disable any script blocking protection
    • Double click the dds icon to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt <--- will be minimized in the task tray
    • Save both reports to your desktop.

    Include the contents of both logs in your next post.
    The scan will instruct you to post Attach.txt as an attachment.


  3. Posts : 39
    Windows 7 Ultimate x32
    Thread Starter
       #13

    Jacee said:
    Do you have a program called "Cloudfogger"?

    Please run AdwCleaner and click "Clean". Copy and paste the .txt log.

    Next,




    Download DDS from one of these links:
    DDS.com
    DDS.pif
    • Disable any script blocking protection
    • Double click the dds icon to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt <--- will be minimized in the task tray
    • Save both reports to your desktop.

    Include the contents of both logs in your next post.
    The scan will instruct you to post Attach.txt as an attachment.



    No, I don't have a program called Cloudfogger


    Log file from AdwCleaner :

    # AdwCleaner v3.015 - Report created 18/12/2013 at 22:28:34
    # Updated 10/12/2013 by Xplode
    # Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
    # Username : Victor - VICTOR-PC
    # Running from : C:\Users\Victor\Desktop\adwcleaner.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\boost_interprocess
    Folder Deleted : C:\Users\Victor\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpdioedihjhncjafcpgbbjdpbbkikmi

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.16428


    -\\ Mozilla Firefox v25.0.1 (he)

    [ File : C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\72dm27ti.default\prefs.js ]

    Line Deleted : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:25.0.1");

    -\\ Google Chrome v31.0.1650.63

    [ File : C:\Users\Victor\AppData\Local\Google\Chrome\User Data\Default\preferences ]


    *************************

    AdwCleaner[R0].txt - [64625 octets] - [16/12/2013 19:48:29]
    AdwCleaner[R1].txt - [1462 octets] - [18/12/2013 15:54:46]
    AdwCleaner[S0].txt - [64505 octets] - [16/12/2013 19:49:29]
    AdwCleaner[S1].txt - [1393 octets] - [18/12/2013 22:28:34]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1453 octets] ##########

    DDS Log file :

    # AdwCleaner v3.015 - Report created 18/12/2013 at 22:28:34
    # Updated 10/12/2013 by Xplode
    # Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
    # Username : Victor - VICTOR-PC
    # Running from : C:\Users\Victor\Desktop\adwcleaner.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\boost_interprocess
    Folder Deleted : C:\Users\Victor\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpdioedihjhncjafcpgbbjdpbbkikmi

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.16428


    -\\ Mozilla Firefox v25.0.1 (he)

    [ File : C:\Users\Victor\AppData\Roaming\Mozilla\Firefox\Profiles\72dm27ti.default\prefs.js ]

    Line Deleted : user_pref("extensions.enabledAddons", "DivXWebPlayer%40divx.com:2.0.2.039,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:25.0.1");

    -\\ Google Chrome v31.0.1650.63

    [ File : C:\Users\Victor\AppData\Local\Google\Chrome\User Data\Default\preferences ]


    *************************

    AdwCleaner[R0].txt - [64625 octets] - [16/12/2013 19:48:29]
    AdwCleaner[R1].txt - [1462 octets] - [18/12/2013 15:54:46]
    AdwCleaner[S0].txt - [64505 octets] - [16/12/2013 19:49:29]
    AdwCleaner[S1].txt - [1393 octets] - [18/12/2013 22:28:34]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1453 octets] ##########
    DDS Attachment :
    Attached Files


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #14

    The DDS Log file you posted is the AdwCleaner log.
    Copy and paste the DDS.txt log that you saved on your desktop.

    Also,
    Download CKScanner by askey127 from HERE
    Important - Save it to your desktop.
    Double-click CKScanner.exe and click Search For Files.
    After a very short time, when the cursor hourglass disappears, click Save List To File.
    A message box will verify the file saved.
    Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


  5. Posts : 39
    Windows 7 Ultimate x32
    Thread Starter
       #15

    Jacee said:
    The DDS Log file you posted is the AdwCleaner log.
    Copy and paste the DDS.txt log that you saved on your desktop.

    Also,
    Download CKScanner by askey127 from HERE
    Important - Save it to your desktop.
    Double-click CKScanner.exe and click Search For Files.
    After a very short time, when the cursor hourglass disappears, click Save List To File.
    A message box will verify the file saved.
    Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.




    Ok, I attached the DDS Log File because both logs are too long for one message



    CKScanner Log File :


    CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
    c:\program files\kmspico\autopico.exe
    c:\program files\kmspico\autopico.log
    c:\program files\kmspico\check_activation_all.cmd
    c:\program files\kmspico\install_service.cmd
    c:\program files\kmspico\install_task.cmd
    c:\program files\kmspico\kmseldi.exe
    c:\program files\kmspico\kmspico.log
    c:\program files\kmspico\kmswrapper32.dll
    c:\program files\kmspico\kmswrapper64.dll
    c:\program files\kmspico\log.cmd
    c:\program files\kmspico\service_kms.exe
    c:\program files\kmspico\service_kms.log
    c:\program files\kmspico\silent.cmd
    c:\program files\kmspico\triggerkms.exe
    c:\program files\kmspico\unins000.dat
    c:\program files\kmspico\unins000.exe
    c:\program files\kmspico\uninstall_service.cmd
    c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_bridge_office.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_root.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_root_bridge_test.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_stil.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_ul.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.issuance.client_ul_oob.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licenses.sl.pkeyconfig.signed.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._4a5d124a_e620_44ba_b6ff_658961b33b9a.oob.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._4a5d124a_e620_44ba_b6ff_658961b33b9a.pl.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._4a5d124a_e620_44ba_b6ff_658961b33b9a.ppdlic.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.oob.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.phn.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.pl.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\licensesetdata._ed34dc89_1c27_4ecd_8b2f_63d0f4cedc32.ppdlic.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\project\project.reg
    c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_bridge_office.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_root.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_root_bridge_test.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_stil.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_ul.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.issuance.client_ul_oob.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licenses.sl.pkeyconfig.signed.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.oob.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.phn.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.pl.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._2b88c4f2_ea8f_43cd_805e_4d41346e18a7.ppdlic.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._b322da9c_a2e2_4058_9e4e_f59a6970bd69.oob.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._b322da9c_a2e2_4058_9e4e_f59a6970bd69.pl.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\licensesetdata._b322da9c_a2e2_4058_9e4e_f59a6970bd69.ppdlic.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\proplus\proplus.reg
    c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_bridge_office.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_root.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_root_bridge_test.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_stil.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_ul.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.issuance.client_ul_oob.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licenses.sl.pkeyconfig.signed.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.oob.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.phn.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.pl.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._3e4294dd_a765_49bc_8dbd_cf8b62a4bd3d.ppdlic.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._e13ac10e_75d0_4aff_a0cd_764982cf541c.oob.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._e13ac10e_75d0_4aff_a0cd_764982cf541c.pl.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\licensesetdata._e13ac10e_75d0_4aff_a0cd_764982cf541c.ppdlic.xrm-ms
    c:\program files\kmspico\cert\kmscert2013\visio\visio.reg
    c:\program files\kmspico\cert\office2010vl\office14reginfo.reg
    c:\program files\kmspico\cert\office2010vl\tokens.dat
    c:\program files\kmspico\sounds\affirmative.mp3
    c:\program files\kmspico\sounds\begin.mp3
    c:\program files\kmspico\sounds\complete.mp3
    c:\program files\kmspico\sounds\diagnostic.mp3
    c:\program files\kmspico\sounds\transfer.mp3
    c:\program files\kmspico\sounds\verified.mp3
    c:\program files\kmspico\sounds\warning.mp3
    c:\program files\kmspico\tokensbackup\tokens.dat
    c:\program files\kmspico\tokensbackup\cache\cache.dat
    c:\program files\plex\plex media server\resources\plug-ins\siteconfigurations.bundle\contents\resources\crackle.xml
    c:\users\victor\desktop\programs\kms\kmspico.exe
    c:\users\victor\desktop\programs\kms\microsoft toolkit.exe
    c:\users\victor\downloads\kmspico 6.1.rar
    c:\windows\autokms\autokms.exe
    c:\windows\prefetch\autokms.exe-7cc2d49e.pf
    scanner sequence 3.ZZ.11.GOAPNZ
    ----- EOF -----
    Attached Files


  6. Posts : 1,413
    Windows 7 Home Premium 64Bit
       #16

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    Another useful one to use.


  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #17

    Please remove all the programs (that are cracks/keygens) that you downloaded.

    You are infected with Trojan Artemis.

    Let me know when you've done this, so that we can continue to clean up this infection.


 