03-24-2012 01:16 PM
I think my son's computer has a virus. I just updated Norton & ran a full system scan - nothing was found/detected. I just a ran a full scan using Malwarebytes. It says it found 2 Trojan.Agent viruses - Category: one in "File", one in "Memory Process"; Item: C/Windows\svchost.exe; Other - 4276 (with Memory Process). I clicked on Remove Selected; Malware said it wouldn't properly remove them until the computer re-booted. Whe I clicked on "Reboot/Restart Now", the computer restarted, but the screen w/ the HP logo came on and stayed on for about 1/2 hour before I turned it off manually. I went through the same process again (found the same viruses again), but re-booted the computer manually. Ran Malwarebytes again - same problem (Trojan.Agent viruses still showing up). Also, we weregetting pop-up messages saying "Malwarebytes has successfully blocked access to a potentiallymalicious website: 184.108.40.206 - Type: outgoing; Port 49235; Process: svchost.exe. Is this s Norton problem or a Malwarebytes problem? Which forum should I be turning to? How do I get rid of these? Is there a way to block these malicious websites?
03-24-2012 03:26 PM
Seems like you might have the svchost.exe virus. A couple of things please
1. Please confirm that when you installed Malwarebytes you declined the trial of the professional version?
2. Can you post here the output from the MAlwarebytes log that it produces when the scan completes?
03-24-2012 04:48 PM
It's not a "Seems like you might have the svchost.exe virus"
I will get to you I promise, usually people with malware only come on the forums with "HELP!!" so to speak with the tougher ones.
Don't do anything.
03-24-2012 09:37 PM - edited 03-24-2012 09:38 PM
Please read carefully and follow these steps.
Download TDSSKiller hxxp://support.kaspersky.com/downloads/utils/tdsskill
doubleclick on TDSSKiller.exe to run the application,
Find the Change Parameters on the Main IU screen, then Select the Detect TDLFS filesystem.
then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach the log in the post back
Please download aswMBR hxxp://public.avast.com/~gmerek/aswMBR.exe to your desktop. (replace the hxxp with http)
Double click the aswMBR.exe icon to run it
it will ask to download extra definitions - ALLOW IT, YES
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and Please attach the log in the post back
03-26-2012 09:35 AM
OK,...I'll try this tonight. Quick question - will running other ant-virus software conflict with Norton? For some reason, I remember trying running multiple aV-software on an older computer and it would tell me that I had to e.g., remove Norton, or turn it off, etc.
Thanks for your quick response.
03-26-2012 11:13 AM
I have always been advised not to run Malwarebytes paid version (real time protection) alongside Norton anti virus products due to conflicts. Although Malwarebytes is an excellent product I still use the free version without real time protection.
I read in a thread on here to be sure that you check the recommendations of both products to see if they are compatible. In other words it is not enough if only one of the two products says it is compatible with other software but the other product says opposite.
I wish I could credit the author of that advice because I hang onto it as a sound principle.
Here is a thread on the Malwarebytes forum that might interest you. The topic is unrelated but there are several posts related your question beginning at about post number 13. http://forums.malwarebytes.org/index.php?showtopic
03-26-2012 02:19 PM - edited 03-26-2012 03:00 PM
There is no point doing anything about Malwarebytes etc. So leave it for now.
I know what the infection looks like and that should be delt with first then trying to remove Programs like Malwarebytes etc. You can open malwarebytes and in the realtime tab just make sure the Realtime is turned off / disabled only.
03-27-2012 08:09 PM
OK,...we ran TDSSKiller. Two Threats were detected as follows:
Physical drive: \Device\Harddisk0\DR0
Malware object, high risk.
2. TDSS File System
Physical drive: \Device\Harddisk0\DR0
Suspicious object, medium risk.
It was necessary to reboot. Screen info was as follows [NOTE: While we were writing this down, a pop-up cam up - NORTON HAS BLOCKED THREATS.]
Processed 466 Objects, details
Found: 2 threats
Neutralized: 1 threat
Quarantined: 14 objects.
When we clicked on "reboot", the hp logo came on and disappeared (the way it's supposed to).
The log that was generated from TDSSKiller is pretty big - not having done this before, can I just attach the log's text document? JUST FYI - We were going to copy & paste it, but when we were copying it, a Malwarebytes pop-up appeared w/ the following message: "MALWAREBYTES HAS DETECTED A MALICIOUS PROCESS ATTEMPTING TO START AND HAS BLOCKED THE EXECUTION ATTEMPT. PLEASE SELECT AN OPTION BELOW (DISABLE PROTECTION; IGNORE; OR QUARANTINE). The thing it blocked was C:\WINDOWS\SVCHOST.EXE TROJAN.AGENT. Do we have to run TDSSKiller again,...then aswMBR again? Not knowing what to do and not being able to go any further w/o selecting one of the actions, we just picked QUARANTINE.
We then ran aswMBR as instructed. It looks like it detected/found 4 files that were infected. Here's the log:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-27 22:22:57
22:22:57.915 OS Version: Windows x64 6.1.7601 Service Pack 1
22:22:57.915 Number of processors: 4 586 0x2505
22:22:57.915 ComputerName: LEGITIMENT UserName:
22:23:00.364 Initialize success
22:24:07.111 AVAST engine defs: 12032702
22:24:43.350 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:24:43.350 Disk 0 Vendor: ST950042 0006 Size: 476940MB BusType: 3
22:24:43.365 Disk 0 MBR read successfully
22:24:43.365 Disk 0 MBR scan
22:24:43.365 Disk 0 unknown MBR code
22:24:43.381 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
22:24:43.397 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 452408 MB offset 409600
22:24:43.428 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 24228 MB offset 926941184
22:24:43.459 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
22:24:43.506 Disk 0 scanning C:\Windows\system32\drivers
22:24:55.955 Service scanning
22:25:24.066 Modules scanning
22:25:24.066 Disk 0 trace - called modules:
22:25:24.596 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
22:25:24.612 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800528d790]
22:25:24.612 3 CLASSPNP.SYS[fffff88001a5143f] -> nt!IofCallDriver -> [0xfffffa800512cb10]
22:25:24.627 5 hpdskflt.sys[fffff88001dc7289] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004f8e050]
22:25:26.453 AVAST engine scan C:\Windows
22:25:29.183 AVAST engine scan C:\Windows\system32
22:29:09.393 AVAST engine scan C:\Windows\system32\drivers
22:29:31.981 AVAST engine scan C:\Users\Sascomander
22:31:36.282 File: C:\Users\Sascomander\AppData\Local\Temp\_av4_\data
22:31:36.782 File: C:\Users\Sascomander\AppData\Local\Temp\_av4_\data
22:34:35.480 AVAST engine scan C:\ProgramData
22:36:08.456 File: C:\ProgramData\Microsoft\Windows\DRM\EDF9.tmp **INFECTED** Win32:Malware-gen
22:36:08.503 File: C:\ProgramData\Microsoft\Windows\DRM\EDFA.tmp **INFECTED** Win32:Malware-gen
22:38:46.968 Scan finished successfully
22:41:17.087 Disk 0 MBR has been saved successfully to "C:\Users\Sascomander\Desktop\MBR.dat"
22:41:17.103 The log file has been saved successfully to "C:\Users\Sascomander\Desktop\aswMBR.txt"
Thanks again for all your help.