System File infected with TR/BProtector.Gen

Mual

Hello everyone. I was wondering if I should move all these files to quarantine as suggested by Avira?

This is the list of the files that are infected:
svchost.exe
nvvsvc.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
spoolsv.exe
taskeng.exe
nvxdsync.exe
nvvsvc.exe
svchost.exe
taskhost.exe
taskeng.exe
Dwm.exe
GooglePinyinDaemon.exe
EXPLORER.exe
GooglePinyinService.exe
mDNSResponder.exe
nvstreamsvc.exe
oodag.exe
conhost.exe
svchost.exe
RAVCpl64.exe
WILDSVC.exe
unsecapp.exe
wmiprvse.exe
wininit.exe
winlogon.exe
services.exe
Isass.exe

I don't know why there are multiple svchost.exe listed. They are all from C:\Windows\system32\svchost.exe.
So what is happening? Any suggestion on what I should do?
 

My Computer My Computer

Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional 64 bit SP 1
CPU
Intel(R) Core(TM) i5-2500 CPU 3.30GHz
Motherboard
Asus P8H61-MLE
Memory
4.00 GB DDR3 SDRAM
Graphics Card(s)
NVIDIA GeForce 9500 GT
Sound Card
High Definition Audio Codec:
Monitor(s) Displays
SyncMaster (1280x1024@60Hz)
Screen Resolution
1280x1024
Hard Drives
1465GB Western Digital WDC WD15EARS-00Z5B1 ATA Device (SATA)
977GB Western Digital WDC WD10EADS-00L5B1 ATA Device (SATA)
1863GB Western Digital WDC WD20EARX-00PASB0 ATA Device (SATA)
156GB Seagate ST3160813AS ATA Device (SATA)
PSU
Cooler Master eXtreme Power Plus 650W
Case
Cooler Master Elite 431 Plus
Keyboard
Razer Tarantula
Mouse
Razer Mamba
Other Info
Creative SBS A200 speaker
Bump.
 

Hi there,

I've had many viruses etc before and I could help you. Please send a link of a screenshot of the task manager window to [Email address removed for your safety] and I'll let you know if I can see anything out of place. Also, how do you know you have this virus? Has your antivirus not got rid of it yet? If so, run a full scan and it'll pick up infected files.

-Rixterz
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Packard Bell
OS
Windows 7 Ultimate x86
CPU
Genuine Intel CPU T1600 @ 1.66GHz 1.66GHz
Motherboard
(Unknown)
Memory
RAM 3.00 GB
Graphics Card(s)
(Unknown)
Hard Drives
Hitachi ATA Device
Antivirus
Microsoft Security Essentials
Browser
Google Chrome
   Note
Please note - all help should be given within the thread, to help others who may have the same or similar issues
 

My Computers My Computers

System One System Two

  • Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    ChillBlast - Custom to my design
    OS
    Windows 11 Pro x64 [Latest Release and Release Preview]
    CPU
    Ryzen 9 5950X, 3.8 - 5.2 MHz
    Motherboard
    Asus Prime X570-Pro
    Memory
    64GB [2 x 32GB] DDR4 3200MHz
    Graphics Card(s)
    4GB NVIDIA GEFORCE GTX 1650 Ti
    Sound Card
    On-board SPDIF to 5.1 System + HDMI [5.1 system]
    Monitor(s) Displays
    32" UHD 32 Bit HDR Monitor + 43" UHD 4K 32Bit HDR TV
    Screen Resolution
    2 x 3840 x 2160 @60Hz
    Hard Drives
    1TB M2 SSD OS, 500GB Fast Access SSD, 2 x 8TB Data + Various Externals from 1TB to 4TB, 10TB NAS
    PSU
    NZXT C750 80 PLUS Gold 750W Modular PSU
    Case
    Workstation Case [Matt Black]
    Cooling
    NZXT Kraken X63 280mm CPU Cooler +2x Quiet Case fans
    Keyboard
    Logitech Wireless MX Keys & K400 + others
    Mouse
    Logitech Wireless MX Master 3S
    Internet Speed
    920 MB Down 50 MB Up
    Antivirus
    BitDefender Total Security Pro
    Browser
    Chrome (always run latest Non-Beta)
    Other Info
    Also run ...
    Laptop - Quad 8GB - Windows 10 Pro x64
    Nexus 7 Android tablet x2
    Samsung 10.2" tablet
    Blackview TAB 8 4G Android Tablet c/w Keyboard
    Wacom Intuos Pro Medium Pen Pad
    Wacom Intuos Pro Small Pen Pad
    Wacom Expresskeys Remote
    Loopdeck+ Graphics Controller
    Shuttle Pro v2 Control
  • Computer type
    Laptop
    System Manufacturer/Model Number
    Dell XPS 17 10750H
    OS
    Windows 11 Pro x64 Latest RP
    CPU
    Intel I7 10750H 5.0GHz
    Motherboard
    Dell XPS
    Memory
    32GB [2x16GB] DDR4 2933 MHz
    Graphics Card(s)
    nVidia GTX1650Ti 4 GB GDDR6
    Sound Card
    Stock [Realtek] 4 Speaker
    Monitor(s) Displays
    17" IPS UHD+ Infinity Edge Touchscreen
    Screen Resolution
    3840 x 2400
    Hard Drives
    2TB M2 NVMe, 4TB External + various 500GB & 1TB External NVMe (also have access to spinner HDD from
    PSU
    Stock
    Case
    Stock XPS Aluminium & Carbon Fibre
    Cooling
    Stock - Active Fan Control
    Keyboard
    Backlit + Various Logitech
    Mouse
    Stock Track Pad + Logitech MX Trackball
    Internet Speed
    72 MB Down 18MB Up
    Browser
    Chrome
    Other Info
    Also run ...
    Laptop - Quad 8GB - Windows 10 Pro x64
    Nexus 7 Android tablet x2
    10.2" tablet
    Sony Z3 Android Smartphone
    Wacom Intuos Pro Medium Pen Pad
    Wacom Intuos Pro Small Pen Pad
    Wacom Expresskeys Remote
    Loopdeck+ Graphics Controller
    Shuttle Pro v2 Control Pad
    10TB NAS
Hi there,

I've had many viruses etc before and I could help you. Please send a link of a screenshot of the task manager window to [Email address removed for your safety] and I'll let you know if I can see anything out of place. Also, how do you know you have this virus? Has your antivirus not got rid of it yet? If so, run a full scan and it'll pick up infected files.

-Rixterz
Welcome to the Seven Forums, Rixterz.

The preferred method for instructing members to post screenshots can be found here:
http://www.sevenforums.com/tutorials/9733-screenshots-files-upload-post-seven-forums.html

:-)
 

My Computer My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Employer provided Dell Latitude
OS
W7 Pro SP1 64bit
CPU
i7
Memory
8GB
Graphics Card(s)
Intel HD Graphics
Hard Drives
crappy SSD
Antivirus
Employer mandated Symantec Endpoint Protection
Browser
Pale Moon 64bit, IE11 64bit & Chrome 64bit

Mual,

Please use the following diagnostic tool. It has a powerful detection mechanism, and may help us get to the root of your issues:

Please use the Farbar Recovery Scan Tool.
Download: Farbar Recovery Scan Tool Download
Select the version that applies to your system.
Save it to your Desktop.
Double-click the downloaded file to run it.

When the tool opens click Yes to the disclaimer.
At the program's console, press the Scan button.

When done, the tool produces a log, FRST.txt, in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply.

The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply.


Next, please use the tool Zoek.exe:
Download > Download zoek.exe version 5.0.0.0

When the Zoek.exe download appears, save to the Desktop.
On the Desktop, right-click Zoek.exe and select: Run as Administrator
Give it a few seconds to appear.
Please disable your AntiVirus and AntiSpyware programs, so they don't interfere with the running of Zoek.exe.
You can find instructions on how to disable your security applications here:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

At the program console, click the Options button and place a checkmark only on the following options:

Do a Deep Scan

Now...
Close any open programs.
Click the Run script button, and wait.
It takes a few minutes to run.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please post the zoek-results.log in your reply.
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
Mual, could you post the screenshot on http://www.sevenforums.com/tutorials/9733-screenshots-files-upload-post-seven-forums.html and give me the link please? Also please make sure to fully show the "Image Name" and "Description" columns in task manager.

Hello Rixterz! Do you mean that I need to take a screenshot of the image name that I saved? (The name of the screenshot itself?)

Description? Which one?

Mual,

Please use the following diagnostic tool. It has a powerful detection mechanism, and may help us get to the root of your issues:

Please use the Farbar Recovery Scan Tool.
Download: Farbar Recovery Scan Tool Download
Select the version that applies to your system.
Save it to your Desktop.
Double-click the downloaded file to run it.

When the tool opens click Yes to the disclaimer.
At the program's console, press the Scan button.

When done, the tool produces a log, FRST.txt, in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply.

The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply.


Next, please use the tool Zoek.exe:
Download > Download zoek.exe version 5.0.0.0

When the Zoek.exe download appears, save to the Desktop.
On the Desktop, right-click Zoek.exe and select: Run as Administrator
Give it a few seconds to appear.
Please disable your AntiVirus and AntiSpyware programs, so they don't interfere with the running of Zoek.exe.
You can find instructions on how to disable your security applications here:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

At the program console, click the Options button and place a checkmark only on the following options:

Do a Deep Scan

Now...
Close any open programs.
Click the Run script button, and wait.
It takes a few minutes to run.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please post the zoek-results.log in your reply.


Okay, these are the 2 files for the first scan using Farbar.
View attachment FRST.txt

View attachment Addition.txt

Another problem is that I don't dare to run Zoek.exe for now. The first time I ran it, the moment I ran it, I got a pop-up window and the computer just shut itself off and restarted.
So what should I do? I have done exactly what you said, to disable the anti-virus before running it.
 

I meant to post (using the link) a screenshot of your task manager window where you got those process names from
 

I meant to post (using the link) a screenshot of your task manager window where you got those process names from

No, it's not from Task Manager, it's from the anti-virus scanning report. I'll post it when it appears again.
 

Oh, I'm sorry! I completely misunderstood your original question :)

I thought you were showing a list of running processes so someone can see if there is malware running or such.

A really good tool that I use quite often is Norton Power Eraser. When you run it, accept the license agreement, click "Advanced", and then click "Scan Now" beside "System Scan". It'll pick up basically anything and it recently got rid of Win32\Shellcode.A for me - enjoy :)
 

Oh, I'm sorry! I completely misunderstood your original question :)

I thought you were showing a list of running processes so someone can see if there is malware running or such.

A really good tool that I use quite often is Norton Power Eraser. When you run it, accept the license agreement, click "Advanced", and then click "Scan Now" beside "System Scan". It'll pick up basically anything and it recently got rid of Win32\Shellcode.A for me - enjoy :)

Is it safe to do so, or should I back up all the files I need before doing this?
 

Oh, I'm sorry! I completely misunderstood your original question :)

I thought you were showing a list of running processes so someone can see if there is malware running or such.

A really good tool that I use quite often is Norton Power Eraser. When you run it, accept the license agreement, click "Advanced", and then click "Scan Now" beside "System Scan". It'll pick up basically anything and it recently got rid of Win32\Shellcode.A for me - enjoy :)

Is it safe to do so, or should I back up all the files I need before doing this?
Since you ran the tools mentioned in cottonball's post, it would be best if you leave things alone until you hear back from cottonball on what to do next. Running an automated tool (like Norton Power Eraser) might change/negate the files that you attached to post #8.

In threads like this, it is best to pick one person to follow during the infection cleanup process. The exception being, cottonball and Jacee have a good feel for how the tools that they suggest interact. If both of them enter an infection cleanup thread, then you can safely follow both.

After you complete the cleanup process, we can work on uninstalling some old flawed software that you probably should not have installed.
 

As there are important system files infected rather than just extra malicious files being put there, it's best to dump all of your needed files elsewhere and then just let NPE sort the infected ones out.

-Rixterz
 

As there are important system files infected rather than just extra malicious files being put there, it's best to dump all of your needed files elsewhere and then just let NPE sort the infected ones out.

-Rixterz

https://security.symantec.com/nbrt/npe.aspx

Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. If you accidentally remove a legitimate program, you can run Norton Power Eraser to review past repair sessions and undo them.

I think sticking to the advice and guidance of cottonball would be best.
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self Built
OS
Win 10 Pro x64
CPU
Intel I5-2500K @3.3GHz
Motherboard
Asrock P67 Extreme4
Memory
16GB G.Skill Ripjaws X (4x4GB)
Graphics Card(s)
EVGA GeForce 750 Ti SC 2GB
Sound Card
ASUS Xonar DG 5.1 Channels 24-bit 96KHz PCI Interface Sound
Monitor(s) Displays
auria eq2367
Screen Resolution
1920 x 1080
Hard Drives
250GB Samsung 850 EVO SSD
1TB WD Blue
1TB Hitachi
PSU
SeaSonic X 650W 80 Plus Gold
Case
Corsair Obsidian 750D
Cooling
Corsair H60, Three 140mm case fans
Keyboard
Logitech Wireless Keyboard K520
Mouse
Logitech Wireless Mouse M310
Internet Speed
Wave Broadband ~ 100 dn 5 up
Antivirus
Windows Defender, Malwarebytes Premium
Browser
Edge, IE11, Chrome
Other Info
Laptop specs: HP g7-1365dx /
CPU: AMD A6-3420M APU with Radeon(tm) HD Graphics /
RAM: Crucial 8Gb (2x4Gb) /
SSD: Crucial M4-CT128M4SSD2 ATA Device/ FW 000F /
GFX: AMD Radeon HD 6520G /
OS: Windows 10 Pro x64
As there are important system files infected rather than just extra malicious files being put there, it's best to dump all of your needed files elsewhere and then just let NPE sort the infected ones out.

-Rixterz

https://security.symantec.com/nbrt/npe.aspx

Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. If you accidentally remove a legitimate program, you can run Norton Power Eraser to review past repair sessions and undo them.
I think sticking to the advice and guidance of cottonball would be best.
Assumes that the OS will boot ;-(

I agree, wait for cottonball.

@Rixterz,
Our comments are not meant to discourage you from helping in threads... but the infection of system files (if that is indeed what the OP has) is best handled slowly, by less automated tools.
 

OK, it was just a suggestion. At least it's best for me.
 

Mual,

As far as Zoek goes, try running it from Safe Mode:

Restart the computer.
Tap the F8 key to open the Windows Advanced Options Menu
Select: Safe Mode
Press: Enter

On the files showing in the Avira AV scan, they look like legit files, but, let's not take that for granted.

Please submit the following files for analysis to VirusTotal:
http://www.virustotal.com/
Use the 'Choose File' button to navigate to the location of one of the files:

taskeng.exe
nvxdsync.exe
oodag.exe

In the Choose file to upload prompt, select the file, then, click the 'Open' button.
The file is now displayed in the blank box of VirusTotal
Click: Scan It, and wait for the results.
If you get a message saying: 'File has already been analyzed', click: Reanalyze file now

Once scanned, please provide the link to the results page in your reply.

Next, run the other two files through VT and post the results.
 

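An added example, not part of this thread and not cottonball's procedure: a PowerShell triage script that takes the file names from the Avira report, finds the running processes behind them, checks that each image lives under System32, verifies its Authenticode signature locally, and writes the SHA-256 hashes so they can be looked up on VirusTotal without uploading anything. It assumes PowerShell 3.0 or later on Windows 7 SP1, an elevated prompt, and that the report's "Isass.exe" is lsass.exe (capital I and lowercase l look alike in the listing).

```powershell
# Added example (not from the thread): triage the executables Avira flagged.
# Assumes PowerShell 3.0+ on Windows 7 SP1 and an elevated prompt, so the
# image paths of SYSTEM-owned processes (services.exe, winlogon.exe, ...) are
# readable. Nothing is uploaded; the hashes can be searched on VirusTotal.

# File names as listed in the Avira report posted in this thread.
# 'Isass.exe' in the report is assumed to be lsass.exe (I vs l).
$flagged = @(
    'svchost.exe', 'nvvsvc.exe', 'spoolsv.exe', 'taskeng.exe', 'nvxdsync.exe',
    'taskhost.exe', 'dwm.exe', 'GooglePinyinDaemon.exe', 'explorer.exe',
    'GooglePinyinService.exe', 'mDNSResponder.exe', 'nvstreamsvc.exe',
    'oodag.exe', 'conhost.exe', 'RAVCpl64.exe', 'WILDSVC.exe', 'unsecapp.exe',
    'wmiprvse.exe', 'wininit.exe', 'winlogon.exe', 'services.exe', 'lsass.exe'
)

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash only exists from PowerShell 4.0; fall back to .NET below it.
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        return (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose() }
}

function New-Row($Name, $ProcId, $Path, $InSystem32, $Signature, $Sha) {
    [pscustomobject]@{ Name = $Name; PID = $ProcId; Path = $Path
                       InSystem32 = $InSystem32; Signature = $Signature; SHA256 = $Sha }
}

$system32 = Join-Path $env:SystemRoot 'System32'
$report = foreach ($name in $flagged) {
    $base = [System.IO.Path]::GetFileNameWithoutExtension($name)
    # One name can map to many PIDs: svchost.exe is started once per service
    # group (compare `tasklist /svc`), which is why the report lists it so often.
    $procs = Get-Process -Name $base -ErrorAction SilentlyContinue
    if (-not $procs) { New-Row $name $null '(not running)' $null $null $null; continue }
    foreach ($p in $procs) {
        # .Path reads MainModule, which is denied for protected processes when not elevated.
        $path = try { $p.Path } catch { $null }
        if (-not $path) { New-Row $name $p.Id '(access denied - run elevated)' $null $null $null; continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        # A Windows binary running from outside System32 deserves a closer look;
        # 'Valid' means a trusted signer, anything else is worth checking on VirusTotal.
        New-Row $name $p.Id $path `
            $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase) `
            "$($sig.Status) $($sig.SignerCertificate.Subject)" `
            (Get-Sha256Hex -Path $path)
    }
}

# Unsigned or out-of-place images sort to the top so they stand out.
$report | Sort-Object @{ Expression = { $_.Signature -like 'Valid*' } }, Name |
    Format-Table Name, PID, InSystem32, Signature, Path -AutoSize
# Keep the hashes for the VirusTotal search box (no upload needed).
$report | Where-Object { $_.SHA256 } | Select-Object Name, Path, SHA256 |
    Export-Csv -Path "$env:USERPROFILE\Desktop\flagged-hashes.csv" -NoTypeInformation
```

Third-party entries such as the NVIDIA, Google Pinyin and Realtek executables are expected to live outside System32, so for those the signature status matters more than the path column.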
Oh, I'm sorry! I completely misunderstood your original question :)

I thought you were showing a list of running processes so someone can see if there is malware running or such.

A really good tool that I use quite often is Norton Power Eraser. When you run it, accept the license agreement, click "Advanced", and then click "Scan Now" beside "System Scan". It'll pick up basically anything and it recently got rid of Win32\Shellcode.A for me - enjoy :)

Is it safe to do so, or should I back up all the files I need before doing this?
Since you ran the tools mentioned in cottonball's post, it would be best if you leave things alone until you hear back from cottonball on what to do next. Running an automated tool (like Norton Power Eraser) might change/negate the files that you attached to post #8.

In threads like this, it is best to pick one person to follow during the infection cleanup process. The exception being, cottonball and Jacee have a good feel for how the tools that they suggest interact. If both of them enter an infection cleanup thread, then you can safely follow both.

After you complete the cleanup process, we can work on uninstalling some old flawed software that you probably should not have installed.

Yes indeed. Since cottonball has replied, I should follow his method for now.

As there are important system files infected rather than just extra malicious files being put there, it's best to dump all of your needed files elsewhere and then just let NPE sort the infected ones out.

-Rixterz

https://security.symantec.com/nbrt/npe.aspx

Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. If you accidentally remove a legitimate program, you can run Norton Power Eraser to review past repair sessions and undo them.

I think sticking to the advice and guidance of cottonball would be best.

Mual,

As far as Zoek goes, try running it from Safe Mode:

Restart the computer.
Tap the F8 key to open the Windows Advanced Options Menu
Select: Safe Mode
Press: Enter

On the files showing in the Avira AV scan, they look like legit files, but, let's not take that for granted.

Please submit the following files for analysis to VirusTotal:
http://www.virustotal.com/
Use the 'Choose File' button to navigate to the location of one of the files:

taskeng.exe
nvxdsync.exe
oodag.exe

In the Choose file to upload prompt, select the file, then, click the 'Open' button.
The file is now displayed in the blank box of VirusTotal
Click: Scan It, and wait for the results.
If you get a message saying: 'File has already been analyzed', click: Reanalyze file now

Once scanned, please provide the link to the results page in your reply.

Next, run the other two files through VT and post the results.

After I get the result I'll post here. Thanks in advance :D
 
