Solved Virus Help

[Breakyorself]

Okay, so recently I've been reinstalling a lot of stuff after my computer reset and it seems I've gotten a really, really, really, really, really, horrible virus.

It doesn't do much other than play annoying ads in the background which if I mute just restarts a minute later.

But it somehow found it's way into the legitimate windows/system32/svchost.exe

I know this, because Avast says so and it's able to play these annoying ads before the computer is logged on/is still booting up. Avast isn't able to do anything except warn me of it considering it's in the real svchost.

Is there any possible way of fixing this considering it's in such a crucial file that I can't just end or delete it?

 

[VistaKing]

Hi Breakyorself

Download AdwCleaner


Download



:ar: Save to the Desktop

:ar: Right-click on adwcleaner.exe and choose Run as administrator

:ar: Click the Search button

:ar: Upload the AdwCleaner[Sn].txt in your reply.

   Note

The log file is at C:\AdwCleaner[Sn].txt

 

[Breakyorself]

Here

 

[VistaKing]

Breakyorself


Run the Delete

:ar: Close all open programs.
:ar: To run the program, right-click AdwCleaner.exe and select "Run as Administrator
:ar: Click on Delete and confirm the prompt.
:ar: After it finishes, the computer is restarted.

Upload the log saved at C:\AdwCleaner[S1].txt

 

[Breakyorself]

Sadly, this also recreated another BSOD error for me :|.

 

[VistaKing]

Open up the AdwCleaner application . Right click choose Run as administrator click on Delete . The report says you pressed search

 

[Breakyorself]

Sorry, I did hit delete I just uploaded the wrong one.

 

[VistaKing]

Restart the PC and run Malwarebytes

Run Malwarebytes

   Note

Click on Malwarebytes to download

When the installation is done uncheck Enable free trial of Malwarebytes (see image below )

Update the definitions and do a full scan

:ADDED: Another tool we could run


Download Farbar Recovery Scan Tool from below on a non infected PC
For 32-bit (x86) systems
Download


Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems
Download


Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

:ar: To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

:ar: To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

:ar: On the System Recovery Options menu you will get the following options:
Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

Select Command Prompt

In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

   Note

Replace letter e with the drive letter of your flash drive.

   Tip

Type the commands below to see what your letter is for the USB drive and press ENTER after each command

Diskpart
List volume

The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
services.exe
Now press the Search button
When the search is complete, search.txt will also be written to your USB
Type exit and reboot the computer normally
Please copy and paste both logs in your reply.(FRST.txt and Search.txt)

 

[cottonball]

Breakyorself,

We need to check for possible Zero Byte Partition/Master Boot Record infection.

Is it possible for you to provide the latest avast! Scan Log?

Also, let's see what your system shows with the following short scan...
You can do this scan before doing the Farbar Recovery Scan Tool scan above, if you wish.

Please download RogueKiller:
Tlcharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement:

Select the x64 version for your 64-bit system.
Click the dark-blue button to download.
Save to the Desktop.

Close all windows and browsers.
Right-click and select: Run as Administrator

At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.

 

[Jacee]

Sounds like a "Bootkit" whistler infection ... TDSSKiller may help, but I'll leave you in the hands of Cottonball because I don't recommend just 'cleaning' this type of infection.

Bootkits
A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems, for example as in the "Evil Maid Attack", in which a bootkit replaces the legitimate boot loader with one controlled by an attacker; typically the malware loader persists through the transition to protected mode when the kernel has loaded.[35][36][37][38] For example, the "Stoned Bootkit" subverts the system by using a compromised boot loader to intercept encryption keys and passwords.[39] More recently, the Alureon rootkit has successfully subverted the requirement for 64-bit kernel-mode driver signing in Windows 7 by modifying the master boot record.[40]
The only known defenses against bootkit attacks are the prevention of unauthorized physical access to the system—a problem for portable computers—or the use of a Trusted Platform Module configured to protect the boot path.[41]

Source: http://en.wikipedia.org/wiki/Rootkit

 

[VistaKing]

Breakyorself

After you've done a clean install of Windows what software were you installing ? Before you got the virus

 

[Breakyorself]

Sorry for the wait, I had to fix a boot problem that led to a BSOD, and it's taking awhile to do the scan.

I was installing an ethernet driver, the AMD driver, a few other simple drivers, but I think the problem was one thing I downloaded for the USB host controller(When I searched for it on my own) which ended up not working but it didn't start causing problems until awhile later.

 

[VistaKing]

What is the model of the motherboard ?

 

[Breakyorself]

Motherboard: Gigabyte GA-Z77-D3H Intel Z77 Chipset DDR3 ATX Mainboard w/ IRST, Lucid Virtu MVP, Ultra Durable4 Classic, 7.1 HD Audio, GbLAN, 2x Gen3 PCIe x16, 3x PCIe x1 & 2 PCI

The RK file is also attached

This is the website that seems to be assiociated with it according to avast: http://108.59.13.103/check.php?tim

edit: Going to eat and do the other scan might not post for a bit

 

[VistaKing]

Breakyorself

I posted the USB 3.0 driver on your other thread here

Other drivers for your board . Here

 

[Breakyorself]

Breakyorself

I posted the USB 3.0 driver on your other thread here

Other drivers for your board . Here

I meant that BEFORE I came to ask for help here I searched for the driver and that's probably when I dled the virus. I do have the right driver now though.

Anyway here are the farbar results:

 

[cottonball]

On the malware, please provide the latest avast! Scan Log.

Will take a look at the above reports.

Thanks!

 

[VistaKing]

Breakyorself

When you installed Windows did you do the Upgrade ? I see a Windows.old folder inside C:\Windows

 

[Breakyorself]

It wasn't an upgrade. My old windows was messed up and giving me constant BSODS, so I downloaded windows 7 home premium(what I had before) from a place in safe mode on my old windows install. Then, I ran the setup and it reinstalled windows and put everything else in a windows.old. I then used my windows key and proceeded to install around 150 windows updates, so it was back to the same version as my messed up windows was.

 

[VistaKing]

You did an in place install which is reinstalls windows onto itself creating the .old folder . If your old OS had a virus you carried it over to your new install . That is why if your OS has any issues you back up important data wipe the drive and start from scratch