Did Malwarebytes Detect Trojan virus that Norton missed?

I think my son's computer has a virus.  I just updated Norton & ran a full system scan - nothing was found/detected.  I just ran a full scan using Malwarebytes.  It says it found 2 Trojan.Agent viruses - Category: one in "File", one in "Memory Process"; Item: C/Windows\svchost.exe; Other - 4276 (with Memory Process).  I clicked on Remove Selected; Malwarebytes said it wouldn't properly remove them until the computer re-booted.  When I clicked on "Reboot/Restart Now", the computer restarted, but the screen w/ the HP logo came on and stayed on for about 1/2 hour before I turned it off manually.  I went through the same process again (found the same viruses again), but re-booted the computer manually.  Ran Malwarebytes again - same problem (Trojan.Agent viruses still showing up). Also, we were getting pop-up messages saying "Malwarebytes has successfully blocked access to a potentially malicious website: 141.136.16.151 - Type: outgoing; Port 49235; Process: svchost.exe."  Is this a Norton problem or a Malwarebytes problem?  Which forum should I be turning to?  How do I get rid of these?  Is there a way to block these malicious websites?

Don't do anything, I see the file location and realise what that can belong to.

 

I will be back later

 

Quads


To TheBlackKnight

 

Seems like you might have the svchost.exe virus. A couple of things please

 

1. Please confirm that when you installed Malwarebytes you declined the trial of the professional version?

2. Can you post here the output from the Malwarebytes log that it produces when the scan completes?

 


 

It's not a "Seems like you might have the svchost.exe virus"

 

TheBlackKnight,

 

I will get to you I promise, usually people with malware only come on the forums with "HELP!!" so to speak with the tougher ones.

 

Don't do anything.

 

Quads

Please read carefully and follow these steps.
Download TDSSKiller hxxp://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop. (replace the hxxp with http)
Double-click on TDSSKiller.exe to run the application.

Find the Change Parameters on the Main UI screen, then select Detect TDLFS filesystem.

Then click on Start Scan.

If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach the log in the post back.


Please download aswMBR hxxp://public.avast.com/~gmerek/aswMBR.exe to your desktop. (replace the hxxp with http)
Double-click the aswMBR.exe icon to run it.
It will ask to download extra definitions - ALLOW IT, YES.
Click the Scan button to start the scan.
On completion of the scan, click the Save Log button, save it to your desktop and please attach the log in the post back.

 

Quads

 

OK,...I'll try this tonight.  Quick question - will running other anti-virus software conflict with Norton?  For some reason, I remember trying to run multiple AV software on an older computer and it would tell me that I had to, e.g., remove Norton, or turn it off, etc.

 

Thanks for your quick response.

It might very well, yes. You should only have one real-time anti-virus installed and running.

I have always been advised not to run Malwarebytes paid version (real time protection) alongside Norton anti virus products due to conflicts.  Although Malwarebytes is an excellent product I still use the free version without real time protection. 

 I read in a thread on here to be sure that you check the recommendations of both products to see if they are compatible. In other words it is not enough if only one of the two products says it is compatible with other software but the other product says opposite.

I wish I could credit the author of that advice because I hang onto it as a sound principle.

Here is a thread on the Malwarebytes forum that might interest you.  The topic is unrelated but there are several posts related to your question beginning at about post number 13.  http://forums.malwarebytes.org/index.php?showtopic=106111&hl=does malwarebytes replace anti virus software?&st=0

 

There is no point doing anything about Malwarebytes etc. So leave it for now.

 

I know what the infection looks like and that should be dealt with first, then trying to remove programs like Malwarebytes etc.  You can open Malwarebytes and in the realtime tab just make sure the Realtime is turned off / disabled only.

 

Quads

OK,...we ran TDSSKiller. Two Threats were detected as follows:

 

1.  Rootkit.Boot.Pihar.b

Physical drive: \Device\Harddisk0\DR0

Malware object, high risk.

 

2. TDSS File System

Physical drive: \Device\Harddisk0\DR0

Suspicious object, medium risk.

 

It was necessary to reboot. Screen info was as follows [NOTE:  While we were writing this down, a pop-up came up - NORTON HAS BLOCKED THREATS.]

Processed 466 Objects, details

Found: 2 threats

Neutralized: 1 threat

Quarantined: 14 objects.

 

When we clicked on "reboot", the hp logo came on and disappeared (the way it's supposed to).

 

The log that was generated from TDSSKiller is pretty big - not having done this before, can I just attach the log's text document?  JUST FYI - We were going to copy & paste it, but when we were copying it, a Malwarebytes pop-up appeared w/ the following message: "MALWAREBYTES HAS DETECTED A MALICIOUS PROCESS ATTEMPTING TO START AND HAS BLOCKED THE EXECUTION ATTEMPT. PLEASE SELECT AN OPTION BELOW (DISABLE PROTECTION; IGNORE; OR QUARANTINE).  The thing it blocked was C:\WINDOWS\SVCHOST.EXE TROJAN.AGENT.  Do we have to run TDSSKiller again,...then aswMBR again?  Not knowing what to do and not being able to go any further w/o selecting one of the actions, we just picked QUARANTINE.

 

We then ran aswMBR as instructed.  It looks like it detected/found 4 files that were infected.  Here's the log:

 

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-27 22:22:57
-----------------------------
22:22:57.915    OS Version: Windows x64 6.1.7601 Service Pack 1
22:22:57.915    Number of processors: 4 586 0x2505
22:22:57.915    ComputerName: LEGITIMENT  UserName:
22:23:00.364    Initialize success
22:24:07.111    AVAST engine defs: 12032702
22:24:43.350    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:24:43.350    Disk 0 Vendor: ST950042 0006 Size: 476940MB BusType: 3
22:24:43.365    Disk 0 MBR read successfully
22:24:43.365    Disk 0 MBR scan
22:24:43.365    Disk 0 unknown MBR code
22:24:43.381    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
22:24:43.397    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       452408 MB offset 409600
22:24:43.428    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        24228 MB offset 926941184
22:24:43.459    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0      103 MB offset 976560128
22:24:43.506    Disk 0 scanning C:\Windows\system32\drivers
22:24:55.955    Service scanning
22:25:24.066    Modules scanning
22:25:24.066    Disk 0 trace - called modules:
22:25:24.596    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
22:25:24.612    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800528d790]
22:25:24.612    3 CLASSPNP.SYS[fffff88001a5143f] -> nt!IofCallDriver -> [0xfffffa800512cb10]
22:25:24.627    5 hpdskflt.sys[fffff88001dc7289] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004f8e050]
22:25:26.453    AVAST engine scan C:\Windows
22:25:29.183    AVAST engine scan C:\Windows\system32
22:29:09.393    AVAST engine scan C:\Windows\system32\drivers
22:29:31.981    AVAST engine scan C:\Users\Sascomander
22:31:36.282    File: C:\Users\Sascomander\AppData\Local\Temp\_av4_\data\aswar0.dll  **INFECTED** Win32:Malware-gen
22:31:36.782    File: C:\Users\Sascomander\AppData\Local\Temp\_av4_\data\updldr0.bin  **INFECTED** Win32:Malware-gen
22:34:35.480    AVAST engine scan C:\ProgramData
22:36:08.456    File: C:\ProgramData\Microsoft\Windows\DRM\EDF9.tmp  **INFECTED** Win32:Malware-gen
22:36:08.503    File: C:\ProgramData\Microsoft\Windows\DRM\EDFA.tmp  **INFECTED** Win32:Malware-gen
22:38:46.968    Scan finished successfully
22:41:17.087    Disk 0 MBR has been saved successfully to "C:\Users\Sascomander\Desktop\MBR.dat"
22:41:17.103    The log file has been saved successfully to "C:\Users\Sascomander\Desktop\aswMBR.txt"


Thanks again for all your help. 

 

Don't worry, it's better that people who don't know what they are doing do nothing.

 

My thoughts were correct, Boot.Pihar, that is why way back I said to do nothing with Malwarebytes and C:\WINDOWS\SVCHOST.EXE.

 

This can be a multi step process to make sure your system is clean OK??  I will tell you when you are free to go, system clean.

 

Now

 

Yes please attach the TDSSkiller log to the next post and please look at what the 2 threats Norton detected are:

 

Found: 2 threats

Neutralized: 1 threat

Quarantined: 14 objects.

 

Also Disable the realtime component of Malwarebytes  by opening Malwarebytes and going to the realtime tab and turning it off.

 

Quads


We have the free version of Malwarebytes.  I don't see the Realtime tab that you reference.

 

Here is the portion of the TDSSKiller log that references the detected virus.  If you need more, let me know.

 

22:00:26.0963 7716 MBR (0x1B8)     (35a4fa451025305a24e864aaa8e364c9) \Device\Harddisk0\DR0
22:00:26.0990 7716 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
22:00:26.0990 7716 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
22:00:27.0066 7716 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
22:00:27.0066 7716 \Device\Harddisk0\DR0 - detected TDSS File System (1)
22:00:27.0096 7716 Boot (0x1200)   (b8ff3f1c922092962d5b12b9666f4afe) \Device\Harddisk0\DR0\Partition0
22:00:27.0099 7716 \Device\Harddisk0\DR0\Partition0 - ok
22:00:27.0107 7716 Boot (0x1200)   (b5151692fde71203cf1d54b58395e35f) \Device\Harddisk0\DR0\Partition1
22:00:27.0109 7716 \Device\Harddisk0\DR0\Partition1 - ok
22:00:27.0147 7716 Boot (0x1200)   (a1c63a4b199e133ab408f70f32d7b7d2) \Device\Harddisk0\DR0\Partition2
22:00:27.0149 7716 \Device\Harddisk0\DR0\Partition2 - ok
22:00:27.0165 7716 Boot (0x1200)   (bb4479bcb5868d0d5a1c9afcd0fcc0ef) \Device\Harddisk0\DR0\Partition3
22:00:27.0167 7716 \Device\Harddisk0\DR0\Partition3 - ok
22:00:27.0171 7716 ============================================================
22:00:27.0171 7716 Scan finished
22:00:27.0171 7716 ============================================================
22:00:27.0188 7172 Detected object count: 2
22:00:27.0188 7172 Actual detected object count: 2
22:05:18.0929 7172 \Device\Harddisk0\DR0\# - copied to quarantine
22:05:18.0930 7172 \Device\Harddisk0\DR0 - copied to quarantine
22:05:19.0039 7172 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
22:05:19.0044 7172 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
22:05:19.0066 7172 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
22:05:19.0079 7172 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
22:05:19.0104 7172 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
22:05:19.0124 7172 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
22:05:19.0127 7172 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
22:05:19.0130 7172 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
22:05:19.0133 7172 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
22:05:19.0138 7172 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
22:05:19.0144 7172 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
22:05:19.0147 7172 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
22:05:19.0185 7172 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
22:05:19.0188 7172 \Device\Harddisk0\DR0 - ok
22:05:19.0912 7172 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
22:05:19.0916 7172 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
22:05:19.0916 7172 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
22:08:19.0523 7260 Deinitialize success


TheBlackKnight wrote:

OK,...we ran TDSSKiller. Two Threats were detected as follows:

...We were going to copy & paste it, but when we were copying it, a Malwarebytes pop-up appeared w/ the following message: "MALWAREBYTES HAS DETECTED A MALICIOUS PROCESS ATTEMPTING TO START AND HAS BLOCKED THE EXECUTION ATTEMPT..."


 

Pity. See my original msg. Malwarebytes free edition is not resident. So Malwarebytes can't pop up all of a sudden unless you accepted the trial of the consumer version when you installed the free Malwarebytes. If you have accepted the trial of the full version then you have two resident AV programs and they will work against each other.

 

If I have the trial of the full version, then should I be able to see the Realtime tab referenced in the other post?

When you open malwarebytes, the first tab is Scanner. The second tab could be "protection".

If you have "protection", open this tab

Do you have a button that says "Start trial"?

If you do, then I believe you have not installed a trial of the full version. That is how it should be.

If you have no start trial button, then I think you have installed a trial of the full version as opposed to the free version.

 

After disabling Malwarebytes run TDSSKiller, you may want to get an updated version, and when it detects this

 

22:05:19.0916 7172 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
22:05:19.0916 7172 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

 

Change the action to Delete.  So it will delete / remove the file system

 

Quads

START TRIAL button is there.  Looks like I have the free version so I don't need to do anything w/ Malwarebytes, correct?

You are correct

 

Quads

OK,...I updated TDSSKiller.  Ran it.  No threats found.  Here is the bottom part of the log.  Am I good to go?  Or are there more steps I need to take?

 

18:10:19.0995 1008 MBR (0x1B8)     (2318ffa5192f35d7d0fc0400e6bae547) \Device\Harddisk0\DR0
18:10:20.0027 1008 \Device\Harddisk0\DR0 - ok
18:10:20.0058 1008 Boot (0x1200)   (b8ff3f1c922092962d5b12b9666f4afe) \Device\Harddisk0\DR0\Partition0
18:10:20.0058 1008 \Device\Harddisk0\DR0\Partition0 - ok
18:10:20.0073 1008 Boot (0x1200)   (b5151692fde71203cf1d54b58395e35f) \Device\Harddisk0\DR0\Partition1
18:10:20.0073 1008 \Device\Harddisk0\DR0\Partition1 - ok
18:10:20.0105 1008 Boot (0x1200)   (a1c63a4b199e133ab408f70f32d7b7d2) \Device\Harddisk0\DR0\Partition2
18:10:20.0105 1008 \Device\Harddisk0\DR0\Partition2 - ok
18:10:20.0120 1008 Boot (0x1200)   (bb4479bcb5868d0d5a1c9afcd0fcc0ef) \Device\Harddisk0\DR0\Partition3
18:10:20.0120 1008 \Device\Harddisk0\DR0\Partition3 - ok
18:10:20.0120 1008 ============================================================
18:10:20.0120 1008 Scan finished
18:10:20.0120 1008 ============================================================
18:10:20.0136 5932 Detected object count: 0
18:10:20.0136 5932 Actual detected object count: 0
18:12:33.0532 2816 Deinitialize success
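The two TDSSKiller excerpts in this thread show the one check worth doing by hand after a cure: the MBR hash changed between the infected run (35a4fa...) and the clean run (2318ff...), while the four partition boot-sector hashes stayed identical, which is what a repaired MBR bootkit infection should look like. The script below is an added example, not part of this thread and not code from Kaspersky, AVAST, Norton or Malwarebytes; it parses excerpts of the TDSSKiller and aswMBR logs posted above and performs that comparison automatically. The regular expressions are written only against the line layouts visible in this thread, so they are an assumption about those tools' log formats, not a documented interface.

```python
import re
from dataclasses import dataclass, field

# Inputs: excerpts copied from the TDSSKiller and aswMBR logs posted in this thread.
# The parser below is added example code; it belongs to neither tool.
TDSS_BEFORE = r"""
22:00:26.0963 7716 MBR (0x1B8)     (35a4fa451025305a24e864aaa8e364c9) \Device\Harddisk0\DR0
22:00:26.0990 7716 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
22:00:27.0066 7716 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
22:00:27.0096 7716 Boot (0x1200)   (b8ff3f1c922092962d5b12b9666f4afe) \Device\Harddisk0\DR0\Partition0
22:00:27.0107 7716 Boot (0x1200)   (b5151692fde71203cf1d54b58395e35f) \Device\Harddisk0\DR0\Partition1
22:00:27.0188 7172 Detected object count: 2
"""
TDSS_AFTER = r"""
18:10:19.0995 1008 MBR (0x1B8)     (2318ffa5192f35d7d0fc0400e6bae547) \Device\Harddisk0\DR0
18:10:20.0027 1008 \Device\Harddisk0\DR0 - ok
18:10:20.0058 1008 Boot (0x1200)   (b8ff3f1c922092962d5b12b9666f4afe) \Device\Harddisk0\DR0\Partition0
18:10:20.0073 1008 Boot (0x1200)   (b5151692fde71203cf1d54b58395e35f) \Device\Harddisk0\DR0\Partition1
18:10:20.0136 5932 Detected object count: 0
"""
ASWMBR_LOG = r"""
22:24:43.365    Disk 0 unknown MBR code
22:31:36.282    File: C:\Users\Sascomander\AppData\Local\Temp\_av4_\data\aswar0.dll  **INFECTED** Win32:Malware-gen
22:36:08.456    File: C:\ProgramData\Microsoft\Windows\DRM\EDF9.tmp  **INFECTED** Win32:Malware-gen
22:38:46.968    Scan finished successfully
"""

# TDSSKiller: "<time> <pid> MBR (0x1B8)  (<md5>) <object>" or "<time> <pid> Boot (0x1200)  (<md5>) <object>"
SECTOR_RE = re.compile(r"^\S+ \d+ (?:MBR|Boot) \(0x[0-9A-Fa-f]+\)\s+\(([0-9a-f]{32})\) (\S+)$")
# TDSSKiller: "<time> <pid> <object> ( <detection name> ) - infected|warning|suspicious"
VERDICT_RE = re.compile(r"^\S+ \d+ (\S+) \( (.+?) \) - (infected|warning|suspicious)$")
# aswMBR: "<time>    File: <path>  **INFECTED** <detection name>"
ASWMBR_FILE_RE = re.compile(r"^\S+\s+File: (.+?)\s+\*\*INFECTED\*\*\s+(\S+)$")
# aswMBR: "<time>    Disk <n> unknown MBR code" (boot code it does not recognise)
ASWMBR_MBR_RE = re.compile(r"^\S+\s+Disk (\d+) unknown MBR code$")


@dataclass
class TdssScan:
    sector_hashes: dict = field(default_factory=dict)  # object path -> MD5 reported by TDSSKiller
    findings: list = field(default_factory=list)       # (object path, detection name, verdict)


def parse_tdsskiller(text: str) -> TdssScan:
    """Collect the per-sector hashes and the verdict lines from a TDSSKiller log."""
    scan = TdssScan()
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTOR_RE.match(line)
        if m:
            scan.sector_hashes[m.group(2)] = m.group(1)
            continue
        m = VERDICT_RE.match(line)
        if m:
            scan.findings.append((m.group(1), m.group(2), m.group(3)))
    return scan


def parse_aswmbr(text: str) -> dict:
    """Return infected files and the disks whose MBR code aswMBR did not recognise."""
    result = {"infected_files": [], "unknown_mbr_disks": []}
    for line in text.splitlines():
        line = line.rstrip()
        m = ASWMBR_FILE_RE.match(line)
        if m:
            result["infected_files"].append((m.group(1), m.group(2)))
            continue
        m = ASWMBR_MBR_RE.match(line)
        if m:
            result["unknown_mbr_disks"].append(int(m.group(1)))
    return result


def changed_sectors(before: TdssScan, after: TdssScan) -> list:
    """Objects (MBR, partition boot sectors) whose hash differs between two runs."""
    return [obj for obj, h in before.sector_hashes.items()
            if obj in after.sector_hashes and after.sector_hashes[obj] != h]


def cure_looks_consistent(before: TdssScan, after: TdssScan) -> bool:
    """A cured MBR bootkit should leave the MBR rewritten, every partition boot
    sector untouched, and no infected/warning verdicts in the follow-up run."""
    changed = changed_sectors(before, after)
    return (len(changed) > 0
            and all("Partition" not in obj for obj in changed)
            and not after.findings)


if __name__ == "__main__":
    before, after = parse_tdsskiller(TDSS_BEFORE), parse_tdsskiller(TDSS_AFTER)
    for obj, name, verdict in before.findings:
        print(f"before cure: {verdict:8} {name} on {obj}")
    print("sectors rewritten by the cure:", changed_sectors(before, after))
    print("cure consistent:", cure_looks_consistent(before, after))
    asw = parse_aswmbr(ASWMBR_LOG)
    print("aswMBR: unrecognised MBR code on disks", asw["unknown_mbr_disks"])
    for path, name in asw["infected_files"]:
        print(f"aswMBR: {name} in {path}")
```

Run against the full logs rather than these excerpts, the same functions give a quick second opinion on a "clean" follow-up scan: if anything other than the MBR had changed between runs, or if the partition boot sectors had been rewritten, that would be a reason to keep investigating rather than declare the system clean.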

There were other files detected, would you like to make sure all of your system is clean??

 

At least Pihar has been broken.

 

Quads