
svchost.exe (Trojan.Gen.2) on every startup [Solved]

Trojan

  • This topic is locked

#16 BrianDrab
Trusted Helper, Malware Removal, 3,591 posts

Perfect, thanks. Please do the following.

 

Step#1 - File Identification
1. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
2. Type or Copy the value SVCHOST.exe and paste it into the Search box of the FRST window.
3. Click the Search Files button.
4. When the search is done it will open a notepad window with the results. Can you copy/paste the contents of this window into your next post?


  • 0


#17 infernopg
Topic Starter, Member, 18 posts

Farbar Recovery Scan Tool (x64) Version: 24-01-2015 01
Ran by Inferno at 2015-01-28 10:29:42
Running from C:\Users\Inferno\Desktop
Boot Mode: Normal
 
================== Search Files: "svchost.exe" =============
 
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009-07-14 00:19][2009-07-14 02:14] 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866 [File is signed]
 
C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
[2009-07-14 00:31][2009-07-14 02:39] 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D [File is signed]
 
C:\Windows\SysWOW64\svchost.exe
[2009-07-14 00:19][2009-07-14 02:14] 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866 [File is signed]
 
C:\Windows\System32\svchost.exe
[2009-07-14 00:31][2009-07-14 02:39] 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D [File is signed]
 
C:\Windows\erdnt\cache86\svchost.exe
[2015-01-27 19:37][2009-07-14 02:14] 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866 [File is signed]
 
C:\Windows\erdnt\cache64\svchost.exe
[2015-01-27 19:37][2009-07-14 02:39] 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D [File is signed]
 
====== End Of Search ======

  • 0
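The FRST output above shows what genuine svchost.exe copies look like on this build: they sit only under System32, SysWOW64, winsxs and the repair-tool backup folders, they are Microsoft-signed, and there are only two distinct MD5 values (the 32-bit and the 64-bit build). The PowerShell script below is an added example, not part of this thread and not code from FRST; it automates that eyeball check by enumerating every svchost.exe on the system drive, recording hash and Authenticode status, flagging any copy outside the expected folders, and listing the image path of each running svchost.exe process, since the alert names a process rather than a file. Assumptions: PowerShell 4 or later (for Get-FileHash), an elevated prompt, and the two MD5 values copied from the FRST log above, which apply only to this Windows 7 build and serve as an illustrative allow-list.

```powershell
# Added example, not from the thread or from FRST: enumerate every svchost.exe on the
# system drive and check it the way one reads the FRST "Search Files" output by eye.
# Requires PowerShell 4+ (Get-FileHash); run from an elevated prompt so all folders are readable.

# MD5 values copied from the FRST log in this thread (Windows 7 build 6.1.7600.16385).
# They are build-specific: on any other build treat this list as an illustrative placeholder.
$KnownGoodMd5 = @(
    '54A47F6B5E09A77E61649109C6A08866',  # 32-bit copy (SysWOW64 and x86 winsxs entry)
    'C78655BC80301D76ED4FEF1C1EA40A7D'   # 64-bit copy (System32 and amd64 winsxs entry)
)

# Folders where a legitimate copy can live. The erdnt cache folders appear in the log above
# because a repair tool backed the files up there; they are included for that reason only.
$ExpectedDirs = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\winsxs",
    "$env:SystemRoot\erdnt"
)

function Test-SvchostCopies {
    param([string]$Root = $env:SystemDrive)

    Get-ChildItem -Path $Root -Filter 'svchost.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file   = $_
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $md5    = (Get-FileHash -Path $file.FullName -Algorithm MD5).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $inExpectedDir = $false
        foreach ($dir in $ExpectedDirs) {
            if ($file.DirectoryName -like "$dir*") { $inExpectedDir = $true }
        }

        # Windows system binaries are usually catalog-signed; PowerShell versions that do not
        # consult the catalog report them as NotSigned. Such a result means "verify with FRST
        # or sigcheck", not "tampered". A Valid status with a non-Microsoft signer, or any
        # copy outside the expected folders, is what deserves attention.
        $signedByMs = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')

        [pscustomobject]@{
            Path        = $file.FullName
            SizeBytes   = $file.Length
            MD5         = $md5
            KnownHash   = ($KnownGoodMd5 -contains $md5)
            SigStatus   = $sig.Status
            Signer      = $signer
            ExpectedDir = $inExpectedDir
            ReviewMe    = (-not $inExpectedDir) -or (($sig.Status -eq 'Valid') -and -not $signedByMs)
        }
    }
}

# The alert names a process; list where each running svchost.exe was actually loaded from.
function Get-SvchostProcessPaths {
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Select-Object Id, Path,
            @{ Name = 'ExpectedPath'; Expression = { $_.Path -eq "$env:SystemRoot\System32\svchost.exe" } }
}

Test-SvchostCopies | Sort-Object ReviewMe -Descending | Format-Table -AutoSize
Get-SvchostProcessPaths | Format-Table -AutoSize
```

ReviewMe is deliberately conservative: a copy inside System32 that an older PowerShell reports as NotSigned is not flagged, because that is the normal catalog-signing result; compare its MD5 against the FRST output instead. A copy anywhere else, or one whose valid signature belongs to someone other than Microsoft, is what to look at next.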

#18 BrianDrab
Trusted Helper, Malware Removal, 3,591 posts

Perfect, thanks. Can you confirm that you are still having the svchost.exe alerts?

 

Also please do the following (even if you have done this in the past, as I need to see a fresh scan with the logs).

 

 

Step#1 - Malwarebytes Scan

  • Open Malwarebytes.
  • If an update is found you will be prompted to download and install. Go ahead.
  • Click the Settings button and then the Detection and Protection tab. Then check the box to Scan for rootkits, as shown below.
  • RootKitCheckBox.JPG
  • Click the Scan button at the top of the form and then click Scan Now.
    2.JPG
  • If anything is detected, there will be an Apply Actions button. Please click this.
  • Once the scan completes click the View detailed log link.
    3.JPG
  • Then click the Copy to clipboard button and paste into your next post.
    4.JPG

 


  • 0

#19 infernopg
Topic Starter, Member, 18 posts

I haven't gotten one today, so I hope it's gone. MBAM couldn't find anything again :) Thanks for your help!

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 28.01.2015
Scan Time: 18:14:40
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.01.28.07
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Inferno
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 349178
Time Elapsed: 3 min, 24 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

  • 0

#20 BrianDrab
Trusted Helper, Malware Removal, 3,591 posts

Excellent. Let's make sure nothing else is hiding about. Please do the following.

 

Before running these scans, please temporarily disable your antivirus software to avoid conflicts. You can re-enable once it's done. Instructions for doing this on many AVs are here.

 

Step#1 - AdWCleaner
1. Please download AdwCleaner by Xplode onto your desktop.
2. Close all open programs and internet browsers.
3. Right-click on AdwCleaner.exe and select Run as administrator to run the tool.
4. Click on Scan.
5. After the scan is complete click on "Clean".
6. Confirm each time with Ok.
7. Your computer will be rebooted automatically. A text file will open after the restart.
8. Please post the content of that logfile with your next answer.
9. If need be, you can also find the logfile at C:\AdwCleaner\AdwCleaner[S0].txt as well.

 

Step#2 - JRT
1. Download Junkware Removal Tool to your desktop.
2. Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
3. The tool will open and start scanning your system.
4. Please be patient as this can take a while to complete depending on your system's specifications.
5. On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
6. Close the text file and reboot your machine.
7. After your machine is rebooted, please re-enable your antivirus.
8. Post the contents of JRT.txt into your next message.

 

 

Step#3 - ESET Online Scanner and Post Results
This one may take a while to run but is necessary. Thanks for your patience.

 

  • Please go here and click on 1.JPG
  • Note: This site is optimized for Internet Explorer. Please use it for this scan. If you wish to use Firefox or Chrome you will be asked to download the ESET Smart Installer first (esetsmartinstaller_enu.exe). Go ahead and download and run this file.
  • Please accept the ESET Online Scanner EULA and click Start.
  • If prompted, allow the Add-On/Active X to install. If you have problems with this step please see this link.
  • Make sure Enable detection of potentially unwanted applications is selected.
  • Click the Advanced Settings link.
  • Make sure Remove found threats is NOT checked.
  • Make sure Scan archives IS checked.
  • Make sure Scan for potentially unsafe applications IS checked.
  • Make sure Enable Anti-Stealth technology IS checked.
  • 2.JPG
     
  • Click on Start
  • The virus signature database will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, if anything was detected please click the List of found threats link.
  • ThreatsFound.JPG
     
  • Then click the Copy to Clipboard link and paste this information into your next reply.
  • CopyToClipboard.JPG

  • Then you may click the Back button.
  • Check Uninstall Application on Close before clicking finish.

 
Items for your next post

 

1. AdwCleaner Log
2. Junkware Log
3. Contents of the ESET log file

 


  • 0

#21 infernopg
Topic Starter, Member, 18 posts

# AdwCleaner v4.109 - Report created 29/01/2015 at 10:29:07
# Updated 24/01/2015 by Xplode
# Database : 2015-01-26.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Inferno - [bleep]
# Running from : E:\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Deleted : C:\Users\Inferno\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorage
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Google Chrome v40.0.2214.93
 
 
*************************
 
AdwCleaner[R0].txt - [861 octets] - [29/01/2015 10:28:10]
AdwCleaner[S0].txt - [785 octets] - [29/01/2015 10:29:07]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [844 octets] ##########

  • 0

#22 infernopg
Topic Starter, Member, 18 posts

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Professional x64
Ran by Inferno on 29.01.2015 at 10:32:24,28
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Chrome
 
Successfully deleted: [Folder] C:\Users\Inferno\appdata\local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 29.01.2015 at 10:34:08,95
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • 0

#23 infernopg
Topic Starter, Member, 18 posts

I will let ESET run during the night. I tried running it during the day, but since I need my computer for my work it stalled a lot (like you said it would).


  • 0

#24 BrianDrab
Trusted Helper, Malware Removal, 3,591 posts

:thumbsup:


  • 0

#25 infernopg
Topic Starter, Member, 18 posts

ESET didn't detect anything :)


  • 0


#26 BrianDrab
Trusted Helper, Malware Removal, 3,591 posts

Excellent. Please do the following.

 

Step#1 - Security Check
1. Download Security Check from here or here or here.
2. Save it to your Desktop.
3. Right-click SecurityCheck.exe and select Run as administrator. Follow the onscreen instructions inside of the black box.
4. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: Don't be alarmed if the process runs for 10 to 15 minutes before completing. If it runs for over 30 minutes, just close the program and try running it again.

NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.


  • 0

#27 infernopg
Topic Starter, Member, 18 posts

 Results of screen317's Security Check version 0.99.95  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Norton 360    
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Call of Duty Ghosts  
 Java 7 Update 67  
 Java version 32-bit out of Date! 
  Java 64-bit 8 Update 31  
 Adobe Reader XI  
 Google Chrome (40.0.2214.91) 
 Google Chrome (40.0.2214.93) 
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 

Drive C is an SSD.

  • 0

#28 BrianDrab
Trusted Helper, Malware Removal, 3,591 posts

Thanks. I assume you intentionally disabled UAC. If not, let me know and we'll enable it. If you don't use Java, please uninstall it from Add/Remove Programs. If you do use it, please follow the instructions below to get updated. Let me know when it's updated.

 

 

1. Keeping Java Updated
WARNING: Java is one of the most exploited programs at this time. The Department of Homeland Security recommends that computer users disable Java. You can read more about this here.
I would recommend that you completely uninstall Java unless you need it to run important software. If you need it, or are unsure or uncomfortable with removing it, then I would recommend that you disable Java in your browsers until you need it and then enable it at that time. (See How to disable Java in your web browser and How to unplug Java from the browser.) If you don't uninstall it, it's also important that you follow the directions below to update to the latest version of Java.
 
1. Go to this page to download the latest version of Java SE Runtime Environment JRE 8 Update 31.
2. When you click this link you will need to click the "Accept License Agreement" radio button and then click on the "Windows x86 Offline" installer link. You will notice that there is also a Windows x64 link option, however even if you are using a 64-bit operating system, it's very likely you aren't running a 64-bit browser and should only download the "Windows x86 Offline" installer. To determine if you are using a 64-bit browser you can follow these instructions. If you find that you ARE using a 64-bit browser then you can download the "Windows x64" one.
8u31.JPG

3. Once you click on the appropriate link, please download this to your Desktop like we have with all of our tools.
4. Close any programs you may have running - especially your web browser.
5. Now we need to uninstall all versions of Java that are currently on your machine before we install the newest version. Go to Add/Remove programs (instructions are here) and uninstall any item that appears in the list that has the following as part of the name: Java 7 Update 67
6. Reboot your computer once all Java components are removed.
7. Then from your desktop, right-click on the file that was downloaded (jre-8u31-windows-i586.exe or jre-8u31-windows-x64.exe) and select Run as Administrator to install the latest version. Accept all the defaults and you're good to go.
Note: Java has been notorious for installing foistware (software downloaded without the user's knowledge). If you follow the instructions I provided no foistware will be installed, but that doesn't mean it won't be in the future. While performing the install of this software, or any software for that matter, pay attention to each screen and ensure you uncheck any extra software that you don't want installed (i.e. Ask Toolbar, Chrome Browser, etc.).


  • 0

#29 infernopg
Topic Starter, Member, 18 posts

Hey, yeah, UAC was disabled by me.

I uninstalled Java. I needed it for a statistics program, but I don't use that one anymore, so I probably won't be needing it anymore. Otherwise I'll install it from the link you gave me :)


  • 0

#30 BrianDrab
Trusted Helper, Malware Removal, 3,591 posts

OK! Well done, your computer is clean again! :thumbsup: Part of our job here at G2G is to help you clean your computer. But beyond that, and just as important, is to provide you with some information to keep you safe and secure on the net, as well as to share knowledge. Following is that information.
 
 
1. Clean Up!
We need to remove all the tools that we used so that should you ever be re-infected, you will download updated versions which may have updated detection logic.
1. Download Delfix from here.
2. Ensure everything is checked.
3. Click Run.
Note: The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.
Note: Delete any other .bat, .log, .reg, .txt, and any other files created during this process and left on the desktop, and empty the Recycle Bin.
 
2. Windows Updates
Another essential task is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically. Follow the instructions below to ensure your settings are optimal.
1. Click the Start Orb in the lower left corner of the screen.
2. Type Windows Update in the search box that appears.
3. Click on the Windows Update program that appears in the search results.
Windows Update.JPG
4. Click on Change Settings.
CheckForUpdates.JPG
5. Select "Install updates automatically (recommended)" from the Important updates drop-down.
WUChangeSettings.JPG
6. Choose a day and a time when you know the computer will be on and connected to the internet. The default is 3:00AM every day.
7. Ensure that all of the other check boxes are checked.
8. Click OK.
 
3. Keeping Programs Updated
You need to ensure that any programs installed on your machine are kept current. The bad guys exploit vulnerabilities that are found in older versions of software. A very good piece of software that keeps your programs up-to-date is Secunia Personal Software Inspector (PSI). You can download and install it from here. You can read more information about this free software as well as a video walkthrough from here.
 
  
4. Keep Adobe Reader Updated
Check to see what the latest major version of Adobe Reader is here. The full version is something like 11.0.06 for example but the major version is just the first number before the period so 11 in this case or XI.
Verify what version you have by doing the following.
1. Open Adobe Reader
2. Click Help on the menu at the top
3. Select About Adobe Reader
If your major version matches the major version from Adobe then perform the following steps.
1. Open Adobe Reader
2. Click Help on the menu at the top
3. Click Check for Updates
4. Allow any Updates to be downloaded and installed
5. If asked to reboot, please do.
6. Repeat these steps until you are told that no updates are available.
If your major version is lower than the major version from Adobe then perform the following steps.
1. Uninstall Adobe Reader. Click here for instructions on how to uninstall a program.
2. Install the newest version from this website.
Note: Make sure to uncheck the Optional Offer (i.e. Google Chrome, Google Toolbar) unless you really want it.
NOTE: You should disable JavaScript in the program as this is a highly exploitable method for the bad guys to get in your machine. Follow these instructions to disable it in Adobe Reader.
1. Open Adobe Reader
2. Select Edit from the menu and select Preferences
3. Click on JavaScript in the left column and uncheck Enable Acrobat JavaScript.
4. Click OK and close the program.
NOTE: Many installers, including Adobe Reader, offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.
 
5. Antimalware - Preventative

Note: Let's keep Malwarebytes installed as it's a fantastic piece of software. Malwarebytes is an anti-malware software and not an antivirus software so it won't conflict with the Antivirus that you are running. I would recommend that you open up this program, allow it to update and scan your machine at least quarterly...monthly if you can.
 
6. Crypto Warning!!!! - Complete Data Loss can occur!
There are particularly nasty infections out there at the moment that encrypt your data and hold it for ransom. You may read more about this here.
New strains of this are coming out all the time. In fact a very new strain called VirRansom (which is a hybrid of CryptoLocker and CryptoWall) has recently been identified, and it's a true self-replicating parasitic virus.

 

  • Download CryptoPrevent free for home use here following the instructions below.
  • Save the file to your desktop from the link above and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • Accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This is good and will launch the program once you click Finish.
  • You will get a prompt asking if you purchased a Product Key for Automatic Updates. You can answer No.
  • You will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to.
  • You will then be prompted to apply all default protections. Answer Yes.
  • You may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.
  • That's it. The protection is in place.

Note: The free version doesn't provide automatic updates. Periodically, you should open up the program (there is a shortcut on your desktop now), select the Updates! menu and select Check for Updates to see if there are any, as this infection has serious consequences.
 
UpdatesV7.4.11.JPG
 
 
7. Adobe Flash Player
There's a very nasty piece of malware going around right now called CryptoWall. It's very destructive, and most recently the newest variant is exploiting unpatched versions of Adobe Flash. Let's make sure you get current.

 

1. Determine if you have the most current version by going to this website. If your version represented by the top box matches the version in the bottom box you are current.
VerifyVersion.JPG
 
2. If your version is older than the current then click on the Player Download Center link (shown in the screen shot above).
3. You will be brought to the install/update page. Ensure you uncheck any optional offers (unless you want them of course) and then click on Install Now.
Install.JPG
 
4. You may be prompted to run the installer. Go ahead and do this.
5. When it's complete, click Finish. You now have the latest version. You can verify by going back to this website if you feel the need.
 
 
For more information about computer security and how to protect yourself when on the internet, please read this guide: Best Practices for Safe Computing.
 
OK, all the best, and stay safe!
 
Items for your next post
1. Contents of the delfix log


  • 0
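The Security Check output in post #27 (UAC disabled, out-of-date Java) and the hygiene advice in the post above (automatic Windows Update, remove or update Java, disable JavaScript in Adobe Reader) can all be read from the registry and the Windows Update Agent COM API instead of by clicking through dialogs. The PowerShell script below is an added example, not something from this thread or from any of the tools it mentions. Assumptions: it reads the EnableLUA policy value, the Microsoft.Update.AutoUpdate NotificationLevel, the Add/Remove Programs uninstall keys for Java entries, and Adobe Reader's per-version JSPrefs\bEnableJS value; these locations are the documented ones for Windows 7 and Reader XI, and the script only reports, it changes nothing.

```powershell
# Added example, not from the thread: report the posture items the thread checks by hand.
# Read-only; nothing here changes a setting.

function Get-UacEnabled {
    # EnableLUA = 1 means User Account Control is on (Security Check reported it disabled).
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $p -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $v) -and ($v.EnableLUA -eq 1)
}

function Get-WindowsUpdateMode {
    # Windows Update Agent COM API. NotificationLevel: 0 = not configured, 1 = disabled,
    # 2 = notify before download, 3 = notify before install, 4 = scheduled install
    # (the "Install updates automatically (recommended)" setting from the post above).
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return [int]$au.Settings.NotificationLevel
}

function Get-InstalledJava {
    # Any leftover "Java 7 Update 67"-style entry in Add/Remove Programs, 64- and 32-bit views.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion
}

function Get-AdobeReaderJavaScript {
    # Reader stores "Enable Acrobat JavaScript" per major version as JSPrefs\bEnableJS (DWORD).
    # A missing value means the default, which is enabled.
    $base = 'HKCU:\Software\Adobe\Acrobat Reader'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $ver = $_.PSChildName
        $js  = Get-ItemProperty -Path "$base\$ver\JSPrefs" -Name bEnableJS -ErrorAction SilentlyContinue
        $enabled = if ($null -eq $js) { $true } else { [bool]$js.bEnableJS }
        [pscustomobject]@{ ReaderVersion = $ver; JavaScriptEnabled = $enabled }
    }
}

function Get-SecurityPosture {
    $java   = @(Get-InstalledJava)
    $reader = @(Get-AdobeReaderJavaScript)
    $javaNames   = ($java   | ForEach-Object { $_.DisplayName }) -join '; '
    $readerState = ($reader | ForEach-Object { "$($_.ReaderVersion)=$($_.JavaScriptEnabled)" }) -join '; '
    [pscustomobject]@{
        UacEnabled         = Get-UacEnabled
        WindowsUpdateLevel = Get-WindowsUpdateMode   # 4 is the recommended value
        JavaEntries        = $javaNames              # empty string once Java is uninstalled
        ReaderJavaScript   = $readerState            # want "<version>=False"
    }
}

Get-SecurityPosture | Format-List
```

Run it once before and once after working through the checklist above: on the machine in this thread the first run would show UacEnabled False and a "Java 7 Update 67" entry, and the second run (after the poster re-enabled UAC and removed Java) should show UacEnabled True, WindowsUpdateLevel 4, an empty JavaEntries field, and ReaderJavaScript reporting False.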
