I think my son's computer has a virus. I just updated Norton & ran a full system scan - nothing was found/detected. I just ran a full scan using Malwarebytes. It says it found 2 Trojan.Agent viruses - Category: one in "File", one in "Memory Process"; Item: C:\Windows\svchost.exe; Other - 4276 (with Memory Process). I clicked on Remove Selected; Malwarebytes said it wouldn't properly remove them until the computer re-booted. When I clicked on "Reboot/Restart Now", the computer restarted, but the screen w/ the HP logo came on and stayed on for about 1/2 hour before I turned it off manually. I went through the same process again (found the same viruses again), but re-booted the computer manually. Ran Malwarebytes again - same problem (Trojan.Agent viruses still showing up). Also, we were getting pop-up messages saying "Malwarebytes has successfully blocked access to a potentially malicious website: 141.136.16.151 - Type: outgoing; Port 49235; Process: svchost.exe." Is this a Norton problem or a Malwarebytes problem? Which forum should I be turning to? How do I get rid of these? Is there a way to block these malicious websites?
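The item Malwarebytes flagged in the post above is C:\Windows\svchost.exe. The genuine Windows service host lives in C:\Windows\System32 (and C:\Windows\SysWOW64 on 64-bit Windows), so a file of that name sitting directly under C:\Windows is worth flagging on the path alone, before any signature says anything. The following Python triage helper is an added example, not code from this thread or from Norton, Malwarebytes or Kaspersky: it applies that path check to the reported scan items and parses the website-block alert the post quotes. The system root (C:\Windows), the regex shape of the alert and the sample inputs are assumptions built from the post's text.

```python
import ntpath
import re

# Where the genuine Windows service host lives. Assumption: default %SystemRoot% of
# C:\Windows, as on the HP machine in the thread; adjust if the system drive differs.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Shape of the Malwarebytes website-block alert quoted in the post (assumed field order
# as shown there; the regex is this example's, not a Malwarebytes log format spec).
ALERT_RE = re.compile(
    r"blocked access to a potentially malicious website:\s*(?P<ip>[\d.]+)\s*-\s*"
    r"Type:\s*(?P<direction>\w+);\s*Port\s*(?P<port>\d+);\s*Process:\s*(?P<process>[^\s;]+?\.exe)\b",
    re.IGNORECASE,
)


def is_suspicious_svchost(image_path: str) -> bool:
    """True when a file called svchost.exe sits anywhere other than System32 / SysWOW64."""
    directory, name = ntpath.split(image_path.strip())
    if name.lower() != "svchost.exe":
        return False
    return ntpath.normpath(directory).lower() not in LEGIT_SVCHOST_DIRS


def parse_block_alert(line: str):
    """Pull ip / direction / port / process out of one alert line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "direction": m["direction"].lower(),
        "port": int(m["port"]),
        "process": m["process"],
    }


def triage(detected_items, alert_lines):
    """Combine scan detections and block alerts into a short list of finding strings."""
    findings = []
    for item in detected_items:
        if is_suspicious_svchost(item):
            findings.append(f"svchost.exe outside the system directories: {item}")
    for line in alert_lines:
        alert = parse_block_alert(line)
        if alert is None:
            continue
        note = (f"{alert['direction']} connection involving {alert['ip']} port {alert['port']} "
                f"from {alert['process']} was blocked")
        # Tie the network alert back to the file finding when the process name matches.
        if alert["process"].lower() == "svchost.exe" and any(is_suspicious_svchost(i) for i in detected_items):
            note += " (same process name as the suspicious file above)"
        findings.append(note)
    return findings


# Constructed sample input, transcribed from what the post reports.
SAMPLE_ITEMS = [r"C:\Windows\svchost.exe", r"C:\Windows\System32\svchost.exe"]
SAMPLE_ALERTS = [
    "Malwarebytes has successfully blocked access to a potentially malicious website: "
    "141.136.16.151 - Type: outgoing; Port 49235; Process: svchost.exe.",
    "Scan complete, no action taken.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ITEMS, SAMPLE_ALERTS):
        print(finding)
```

The path check is deliberately case-insensitive and normalises the directory, because the same file is reported here once as C:\Windows\svchost.exe and once as C:\WINDOWS\SVCHOST.EXE; the second, legitimate path in the sample is there to show the check does not fire on the real service host.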
Don't do anything, I see the file location and realise what that can belong to.
I will be back later
Quads
To TheBlackKnight
Seems like you might have the svchost.exe virus. A couple of things, please:
1. Please confirm that when you installed Malwarebytes you declined the trial of the professional version?
2. Can you post here the output from the Malwarebytes log that it produces when the scan completes?
It's not a "Seems like you might have the svchost.exe virus"
TheBlackKnight,
I will get to you, I promise; usually people with malware only come on the forums with "HELP!!", so to speak, with the tougher ones.
Don't do anything.
Quads
Please read carefully and follow these steps.
Download TDSSKiller hxxp://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop. (replace the hxxp with http)
Double-click on TDSSKiller.exe to run the application.
Find the Change Parameters button on the main UI screen, then select Detect TDLFS file system.
Then click on Start Scan.
If an infected file is detected, the default action will be Cure; click on Continue.
If a suspicious file is detected, the default action will be Skip; click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach the log in the post back.
Please download aswMBR hxxp://public.avast.com/~gmerek/aswMBR.exe to your desktop. (replace the hxxp with http)
Double-click the aswMBR.exe icon to run it.
It will ask to download extra definitions - ALLOW IT, YES.
Click the Scan button to start the scan.
On completion of the scan, click the Save Log button, save it to your desktop and please attach the log in the post back.
Quads
OK,...I'll try this tonight. Quick question - will running other anti-virus software conflict with Norton? For some reason, I remember trying to run multiple AV programs on an older computer and it would tell me that I had to, e.g., remove Norton, or turn it off, etc.
Thanks for your quick response.
It might very well, yes. You should only have one real-time anti-virus installed and running.
I have always been advised not to run Malwarebytes paid version (real time protection) alongside Norton anti virus products due to conflicts. Although Malwarebytes is an excellent product I still use the free version without real time protection.
I read in a thread on here to be sure that you check the recommendations of both products to see if they are compatible. In other words it is not enough if only one of the two products says it is compatible with other software but the other product says opposite.
I wish I could credit the author of that advice because I hang onto it as a sound principle.
Here is a thread on the Malwarebytes forum that might interest you. The topic is unrelated but there are several posts related to your question, beginning at about post number 13. http://forums.malwarebytes.org/index.php?showtopic=106111&hl=does malwarebytes replace anti virus software?&st=0
There is no point doing anything about Malwarebytes etc. So leave it for now.
I know what the infection looks like and that should be dealt with first, then trying to remove programs like Malwarebytes etc. You can open Malwarebytes and in the realtime tab just make sure the Realtime is turned off / disabled only.
Quads
OK,...we ran TDSSKiller. Two Threats were detected as follows:
1. Rootkit.Boot.Pihar.b
Physical drive: \Device\Harddisk0\DR0
Malware object, high risk.
2. TDSS File System
Physical drive: \Device\Harddisk0\DR0
Suspicious object, medium risk.
It was necessary to reboot. Screen info was as follows [NOTE: While we were writing this down, a pop-up came up - NORTON HAS BLOCKED THREATS.]
Processed 466 Objects, details
Found: 2 threats
Neutralized: 1 threat
Quarantined: 14 objects.
When we clicked on "reboot", the hp logo came on and disappeared (the way it's supposed to).
The log that was generated from TDSSKiller is pretty big - not having done this before, can I just attach the log's text document? JUST FYI - We were going to copy & paste it, but when we were copying it, a Malwarebytes pop-up appeared w/ the following message: "MALWAREBYTES HAS DETECTED A MALICIOUS PROCESS ATTEMPTING TO START AND HAS BLOCKED THE EXECUTION ATTEMPT. PLEASE SELECT AN OPTION BELOW (DISABLE PROTECTION; IGNORE; OR QUARANTINE). The thing it blocked was C:\WINDOWS\SVCHOST.EXE TROJAN.AGENT. Do we have to run TDSSKiller again,...then aswMBR again? Not knowing what to do and not being able to go any further w/o selecting one of the actions, we just picked QUARANTINE.
We then ran aswMBR as instructed. It looks like it detected/found 4 files that were infected. Here's the log:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-27 22:22:57
-----------------------------
22:22:57.915 OS Version: Windows x64 6.1.7601 Service Pack 1
22:22:57.915 Number of processors: 4 586 0x2505
22:22:57.915 ComputerName: LEGITIMENT UserName:
22:23:00.364 Initialize success
22:24:07.111 AVAST engine defs: 12032702
22:24:43.350 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:24:43.350 Disk 0 Vendor: ST950042 0006 Size: 476940MB BusType: 3
22:24:43.365 Disk 0 MBR read successfully
22:24:43.365 Disk 0 MBR scan
22:24:43.365 Disk 0 unknown MBR code
22:24:43.381 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
22:24:43.397 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 452408 MB offset 409600
22:24:43.428 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 24228 MB offset 926941184
22:24:43.459 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
22:24:43.506 Disk 0 scanning C:\Windows\system32\drivers
22:24:55.955 Service scanning
22:25:24.066 Modules scanning
22:25:24.066 Disk 0 trace - called modules:
22:25:24.596 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
22:25:24.612 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800528d790]
22:25:24.612 3 CLASSPNP.SYS[fffff88001a5143f] -> nt!IofCallDriver -> [0xfffffa800512cb10]
22:25:24.627 5 hpdskflt.sys[fffff88001dc7289] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004f8e050]
22:25:26.453 AVAST engine scan C:\Windows
22:25:29.183 AVAST engine scan C:\Windows\system32
22:29:09.393 AVAST engine scan C:\Windows\system32\drivers
22:29:31.981 AVAST engine scan C:\Users\Sascomander
22:31:36.282 File: C:\Users\Sascomander\AppData\Local\Temp\_av4_\data\aswar0.dll **INFECTED** Win32:Malware-gen
22:31:36.782 File: C:\Users\Sascomander\AppData\Local\Temp\_av4_\data\updldr0.bin **INFECTED** Win32:Malware-gen
22:34:35.480 AVAST engine scan C:\ProgramData
22:36:08.456 File: C:\ProgramData\Microsoft\Windows\DRM\EDF9.tmp **INFECTED** Win32:Malware-gen
22:36:08.503 File: C:\ProgramData\Microsoft\Windows\DRM\EDFA.tmp **INFECTED** Win32:Malware-gen
22:38:46.968 Scan finished successfully
22:41:17.087 Disk 0 MBR has been saved successfully to "C:\Users\Sascomander\Desktop\MBR.dat"
22:41:17.103 The log file has been saved successfully to "C:\Users\Sascomander\Desktop\aswMBR.txt"
Thanks again for all your help.
Don't worry; it's better that people who don't know what they are doing do nothing.
My thoughts were correct: Boot.Pihar. That is why, way back, I said to do nothing with Malwarebytes and C:\WINDOWS\SVCHOST.EXE.
This can be a multi-step process to make sure your system is clean, OK? I will tell you when you are free to go, system clean.
Now
Yes please attach the TDSSkiller log to the next post and please look at what the 2 threats Norton detected are:
Found: 2 threats
Neutralized: 1 threat
Quarantined: 14 objects.
Also Disable the realtime component of Malwarebytes by opening Malwarebytes and going to the realtime tab and turning it off.
Quads
We have the free version of Malwarebytes. I don't see the Realtime tab that you reference.
Here is the portion of the TDSSKiller log that references the detected virus. If you need more, let me know.
22:00:26.0963 7716 MBR (0x1B8) (35a4fa451025305a24e864aaa8e364c9) \Device\Harddisk0\DR0
22:00:26.0990 7716 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
22:00:26.0990 7716 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
22:00:27.0066 7716 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
22:00:27.0066 7716 \Device\Harddisk0\DR0 - detected TDSS File System (1)
22:00:27.0096 7716 Boot (0x1200) (b8ff3f1c922092962d5b12b9666f4afe) \Device\Harddisk0\DR0\Partition0
22:00:27.0099 7716 \Device\Harddisk0\DR0\Partition0 - ok
22:00:27.0107 7716 Boot (0x1200) (b5151692fde71203cf1d54b58395e35f) \Device\Harddisk0\DR0\Partition1
22:00:27.0109 7716 \Device\Harddisk0\DR0\Partition1 - ok
22:00:27.0147 7716 Boot (0x1200) (a1c63a4b199e133ab408f70f32d7b7d2) \Device\Harddisk0\DR0\Partition2
22:00:27.0149 7716 \Device\Harddisk0\DR0\Partition2 - ok
22:00:27.0165 7716 Boot (0x1200) (bb4479bcb5868d0d5a1c9afcd0fcc0ef) \Device\Harddisk0\DR0\Partition3
22:00:27.0167 7716 \Device\Harddisk0\DR0\Partition3 - ok
22:00:27.0171 7716 ============================================================
22:00:27.0171 7716 Scan finished
22:00:27.0171 7716 ============================================================
22:00:27.0188 7172 Detected object count: 2
22:00:27.0188 7172 Actual detected object count: 2
22:05:18.0929 7172 \Device\Harddisk0\DR0\# - copied to quarantine
22:05:18.0930 7172 \Device\Harddisk0\DR0 - copied to quarantine
22:05:19.0039 7172 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
22:05:19.0044 7172 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
22:05:19.0066 7172 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
22:05:19.0079 7172 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
22:05:19.0104 7172 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
22:05:19.0124 7172 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
22:05:19.0127 7172 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
22:05:19.0130 7172 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
22:05:19.0133 7172 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
22:05:19.0138 7172 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
22:05:19.0144 7172 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
22:05:19.0147 7172 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
22:05:19.0185 7172 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
22:05:19.0188 7172 \Device\Harddisk0\DR0 - ok
22:05:19.0912 7172 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
22:05:19.0916 7172 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
22:05:19.0916 7172 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
22:08:19.0523 7260 Deinitialize success
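Two lines in the logs above come from inspecting the first sector of the disk: aswMBR's "Disk 0 unknown MBR code" and partition table listing, and TDSSKiller's "MBR (0x1B8) (35a4fa...)" line, followed by separate hashes for each partition's boot sector. Bootkits of the TDSS/Pihar family persist by replacing the boot code in that sector, so the useful check is to hash the code region on its own and keep the partition table as separate, comparable facts. The Python below is an added example, not code from this thread, from TDSSKiller or from aswMBR: it parses a 512-byte MBR image (the kind aswMBR saved to MBR.dat above), lists the partitions the way aswMBR did, hashes the boot code and flags the things a post-cure verification should look at. Assumptions: that the 32-hex-digit value next to TDSSKiller's "MBR (0x1B8)" is an MD5 of the first 0x1B8 bytes (the page does not document that), and a constructed sample MBR whose partition table is modelled on the offsets and sizes in the aswMBR log but whose boot code is zeroed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8        # bytes 0..0x1B7 are boot code; disk signature, partition table, 0x55AA follow
PART_TABLE_OFFSET = 0x1BE    # four 16-byte partition entries
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(mbr: bytes) -> list:
    """Return the four primary partition entries of a 512-byte MBR as dicts (empty slots included)."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR_SIZE // (1024 * 1024),
        })
    return entries


def mbr_code_hash(mbr: bytes) -> str:
    """MD5 of the boot-code region only. Assumption: this is what TDSSKiller's 'MBR (0x1B8)' value is."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good_code_hash: str) -> list:
    """Compare against a baseline taken from a clean machine; return a list of finding strings."""
    findings = []
    if mbr_code_hash(mbr) != known_good_code_hash.lower():
        findings.append("boot code hash differs from known-good baseline (MBR code replaced?)")
    entries = [e for e in parse_mbr(mbr) if e["type"] != 0]
    if sum(e["active"] for e in entries) != 1:
        findings.append("expected exactly one active partition")
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: zeroed boot code plus a partition table modelled on the aswMBR log above."""
    table = [
        # (status, type, lba_start, sectors)  -> 199 MB, 452408 MB, 24228 MB, 103 MB
        (0x80, 0x07, 2048, 199 * 2048),
        (0x00, 0x07, 409600, 452408 * 2048),
        (0x00, 0x07, 926941184, 24228 * 2048),
        (0x00, 0x0C, 976560128, 103 * 2048),
    ]
    mbr = bytearray(SECTOR_SIZE)
    for i, entry in enumerate(table):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i, *entry)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    sample = build_sample_mbr()
    for e in parse_mbr(sample):
        flag = "(A)" if e["active"] else "   "
        print(f"Partition {e['index']} {flag} type 0x{e['type']:02X} {e['size_mb']} MB offset {e['lba_start']}")
    print("boot code md5:", mbr_code_hash(sample))
    print("findings against own baseline:", check_mbr(sample, mbr_code_hash(sample)))
```

To use it on a real image, read the 512 bytes that aswMBR wrote to MBR.dat and pass them to `parse_mbr` and `check_mbr` with a baseline hash recorded from a known-clean machine of the same make; a changed code hash with an unchanged partition table is exactly the pattern a cured bootkit leaves behind, since the cleaner rewrites the loader and leaves the partitions alone.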
TheBlackKnight wrote:
OK,...we ran TDSSKiller. Two Threats were detected as follows:
... We were going to copy & paste it, but when we were copying it, a Malwarebytes pop-up appeared w/ the following message: "MALWAREBYTES HAS DETECTED A MALICIOUS PROCESS ATTEMPTING TO START AND HAS BLOCKED THE EXECUTION ATTEMPT..."
Pity. See my original msg. Malwarebytes free edition is not resident, so Malwarebytes can't pop up all of a sudden unless you accepted the trial of the consumer version when you installed the free Malwarebytes. If you have accepted the trial of the full version then you have two resident AV programs and they will work against each other.
If I have the trial of the full version, then should I be able to see the Realtime tab referenced in the other post?
When you open malwarebytes, the first tab is Scanner. The second tab could be "protection".
If you have "protection", open this tab
Do you have a button that says "Start trial"?
If you do, then I believe you have not installed a trial of the full version. That is how it should be.
If you have no Start Trial button, then I think you have installed a trial of the full version as opposed to the free version.
After disabling Malwarebytes, run TDSSKiller (you may want to get an updated version), and when it detects this:
22:05:19.0916 7172 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
22:05:19.0916 7172 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
change the action to Delete, so it will delete / remove the file system.
Quads
START TRIAL button is there. Looks like I have the free version, so I don't need to do anything w/ Malwarebytes, correct?
You are correct
Quads
OK,...I updated TDSSKiller. Ran it. No threats found. Here is the bottom part of the log. Am I good to go? Or are there more steps I need to take?
18:10:19.0995 1008 MBR (0x1B8) (2318ffa5192f35d7d0fc0400e6bae547) \Device\Harddisk0\DR0
18:10:20.0027 1008 \Device\Harddisk0\DR0 - ok
18:10:20.0058 1008 Boot (0x1200) (b8ff3f1c922092962d5b12b9666f4afe) \Device\Harddisk0\DR0\Partition0
18:10:20.0058 1008 \Device\Harddisk0\DR0\Partition0 - ok
18:10:20.0073 1008 Boot (0x1200) (b5151692fde71203cf1d54b58395e35f) \Device\Harddisk0\DR0\Partition1
18:10:20.0073 1008 \Device\Harddisk0\DR0\Partition1 - ok
18:10:20.0105 1008 Boot (0x1200) (a1c63a4b199e133ab408f70f32d7b7d2) \Device\Harddisk0\DR0\Partition2
18:10:20.0105 1008 \Device\Harddisk0\DR0\Partition2 - ok
18:10:20.0120 1008 Boot (0x1200) (bb4479bcb5868d0d5a1c9afcd0fcc0ef) \Device\Harddisk0\DR0\Partition3
18:10:20.0120 1008 \Device\Harddisk0\DR0\Partition3 - ok
18:10:20.0120 1008 ============================================================
18:10:20.0120 1008 Scan finished
18:10:20.0120 1008 ============================================================
18:10:20.0136 5932 Detected object count: 0
18:10:20.0136 5932 Actual detected object count: 0
18:12:33.0532 2816 Deinitialize success
There were other files detected; would you like to make sure all of your system is clean?
At least Pihar has been broken.
Quads