Fiskarfred

CLOSED Detected worm - need help


When I tried to install a program, the computer said that svchost was created by an unknown publisher that wanted to make changes to my computer. The same applies anytime I try to open any program as an administrator.

I scanned C:\windows\svchost.exe and it had a worm.

Figured I'd ask you experts for help.

Thank you in advance.

Addition_06-03-2018 21.33.33.txt

FRST_06-03-2018 21.33.33.txt

scan_180306-212820.txt


The version of EAM on this computer is out of date. 2017.12 is installed and 2018.2 is current. Update EAM and run a fresh scan.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

2018-03-06 21:20 - 2018-03-06 21:20 - 000003188 _____ C:\Windows\System32\Tasks\{C75FA01A-881E-41EB-A4D7-935F3D8A2096}
2018-03-06 21:17 - 2018-03-06 21:06 - 000041472 _____ C:\Windows\svchost.com
2018-03-06 21:13 - 2018-03-06 21:13 - 000000040 ____H C:\CF255BB1A184
2018-03-06 21:11 - 2018-03-06 21:11 - 000003476 _____ C:\Windows\System32\Tasks\{7A2D2F34-0C8E-45C4-9E21-E545E3E8BD8C}
Task: {99A69628-A2A1-4359-9B3E-8B2A6A6A7545} - System32\Tasks\{7A2D2F34-0C8E-45C4-9E21-E545E3E8BD8C} => C:\Windows\system32\pcalua.exe -a C:\Windows\svchost.com -d "C:\Users\Fredrik T\Desktop\masterkreatif.com-4pex8f9\Adobe Premiere Pro CC 2018 v12.0\Crack\amtemu.v0.9.1.win-painter" -c "C:\Users\FREDRI~1\Desktop\MASTER~1.COM\ADOBEP~1.0\Crack\AMTEMU~1.WIN\AMTEMU~1.EXE"
HKLM\...\exefile\shell\open\command: C:\Windows\svchost.com "%1" %* <==== ATTENTION

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

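As an added example (not from this thread, and not Emsisoft's or FRST's own code), a small Python checker that walks FRST log lines and flags the three kinds of entry the fixlist above targets: the exefile shell\open\command handler pointing at C:\Windows\svchost.com, a GUID-named scheduled task that starts a file through pcalua.exe, and a .com executable sitting directly in C:\Windows. The sample log is constructed from lines in this thread (task arguments shortened) plus one benign task for contrast, and the regexes assume the FRST line formats shown here.

```python
import re

# Constructed sample: FRST log lines copied from this thread (task -d/-c
# arguments shortened) plus one benign scheduled-task line for contrast.
SAMPLE_LOG = r'''
2018-03-06 21:17 - 2018-03-06 21:06 - 000041472 _____ C:\Windows\svchost.com
Task: {99A69628-A2A1-4359-9B3E-8B2A6A6A7545} - System32\Tasks\{7A2D2F34-0C8E-45C4-9E21-E545E3E8BD8C} => C:\Windows\system32\pcalua.exe -a C:\Windows\svchost.com -d "C:\Users\Fredrik T\Desktop"
Task: {5AB9CDE1-0865-469C-87AD-0EEB50A15AD6} - System32\Tasks\{A2C34CF1-21D8-46D5-945E-50F6664AA99F} => C:\Windows\system32\pcalua.exe -a "C:\Users\Fredrik T\Desktop\New folder\FRST64.exe" -d "C:\Users\Fredrik T\Desktop\New folder"
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\ExampleUpdater => C:\Program Files\Example\Updater.exe
HKLM\...\exefile\shell\open\command: C:\Windows\svchost.com "%1" %* <==== ATTENTION
'''

# A clean .exe handler is exactly this; anything placed in front of it runs every
# time any .exe starts, which is why each program launch produced a UAC prompt.
DEFAULT_EXE_HANDLER = '"%1" %*'

EXEFILE_RE = re.compile(r'\\exefile\\shell\\open\\command:\s*(?P<cmd>.*?)\s*(<====\s*ATTENTION)?\s*$')
TASK_RE = re.compile(r'^Task:\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<task>\S+)\s*=>\s*(?P<cmd>.+)$')
PCALUA_RE = re.compile(r'pcalua\.exe\s+-a\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - '
                     r'(?P<size>\d+) (?P<attr>\S+) (?P<path>.+)$')


def check_line(line):
    """Return a finding for one FRST log line, or None when nothing is suspicious."""
    m = EXEFILE_RE.search(line)
    if m:
        cmd = m.group('cmd').strip()
        if cmd == DEFAULT_EXE_HANDLER:
            return None
        launcher = cmd[:-len(DEFAULT_EXE_HANDLER)].strip() if cmd.endswith(DEFAULT_EXE_HANDLER) else cmd
        return f'exefile handler hijacked: every .exe launch goes through {launcher}'
    m = TASK_RE.match(line)
    if m:
        # pcalua.exe (Program Compatibility Assistant) is a legitimate system binary
        # that starts whatever -a names; a GUID-named task wrapping it is the pattern here.
        p = PCALUA_RE.search(m.group('cmd'))
        if p:
            return f'task {m.group("task")} starts {p.group("q") or p.group("u")} via pcalua.exe'
        return None
    m = FILE_RE.match(line)
    if m and re.fullmatch(r'C:\\Windows\\[^\\]+\.com', m.group('path'), re.I):
        # The real svchost.exe lives in System32; a .com dropped into C:\Windows itself is the hijack target.
        return f'.com executable in Windows root: {m.group("path")} ({int(m.group("size"))} bytes)'
    return None


def scan(log_text):
    """Run every line of an FRST log through check_line and collect the findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` returns four findings, one per planted entry, and nothing for the benign updater task.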

When I opened Windows Explorer to see your reply, I had to allow Svchost to make changes to my computer to open the browser, so I did. While following your instructions I shut down the browser. When opening the browser to attach the log I did not need to give Svchost any permissions to open the browser. I tried to open some other programs and no Svchost prompt came up. I even tried opening a program with administrator rights and the program's name came up instead of Svchost (I didn't run the program just in case, though).

Should my computer be cured now?

If so, is there anything I should look out for (and if I notice it, return here)?

Fixlog.txt


Looks like the main issue has been fixed.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.


Weird, now it seems to be back. EEK said that even FRST is affected.

I still get the prompt to use admin privileges on some programs, it seems. It is almost as if the worm has "revived" itself? Now it asked for admin privileges to open FRST. Also, when I try to open other programs (that actually do need admin privileges), it says that the modules cannot be found (loadlibrarypythondll not found, then it opens a new "Error" window showing the way to a Local\Temp file called python27.dll).

FRST.txt

Addition.txt

scan_180308-224935.txt


Also, I now apparently have 3 important and 14 optional Windows updates to install. Could this be the worm in disguise, or should I install these updates? It says the important updates are Security updates for Microsoft Visual C++ 2005 Service Pack 1 and were published in 2012... I will wait to install them until I hear what you think.


If Windows Update is telling you that you have updates, then you have updates and should install them.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

S3 MSICDSetup; \??\E:\CDriver64.sys [X]
Task: {340252DA-AE22-434E-86E0-7A2D8486CD0A} - \{C75FA01A-881E-41EB-A4D7-935F3D8A2096} -> No File <==== ATTENTION
C:\$Recycle.Bin\S-1-5-21-110846612-3622351050-2426096884-1000\$RBAFBOX.com
C:\$Recycle.Bin\S-1-5-21-110846612-3622351050-2426096884-1000\$R4Y6ILM\Set-up.exe
C:\Users\Fredrik T\AppData\Local\Temp\D047444E-0EFA-4810-95C8-29FDA54978FD

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


When I opened Windows Explorer, I got the prompt for an unknown publisher to make changes to the computer again under the name Internet Explorer.

Note that I had to accept this prompt to open the programs, so I did.


When I tried to fix with FRST, it didn't work at first as it said that there was no fixlist.txt even though there clearly was. I tried several times and even put them in a separate folder with nothing else and made a new fixlist.txt, but it didn't work. In the process, I had to allow "FRST" to make changes to my computer; after this, the prompts changed from saying "FRST" to "Svchost" again. The Svchost prompt to make changes is back. I downloaded a new FRST version and it worked. I have attached the result.

Finally, after the fix, I took the liberty of running a new EEK and FRST scan and now I got even more alerts than before on EEK. I have attached these logs too.

Note that every time I have to open a new program, I have to give "Svchost" permission to make changes to the computer. I have a feeling that every time I have to do this, the worm spreads?

Fixlog.txt

scan_180309-183454.txt

Addition.txt

FRST.txt


If this doesn't work, then we'll try another tool.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-110846612-3622351050-2426096884-1000\...\MountPoints2: {58dd725e-5835-11e1-9131-806e6f6e6963} - E:\autoplay.exe
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
2018-03-09 18:30 - 2018-03-09 18:30 - 000041472 _____ C:\Windows\svchost.com
2018-03-09 18:30 - 2018-03-09 18:30 - 000003198 _____ C:\Windows\System32\Tasks\{A2C34CF1-21D8-46D5-945E-50F6664AA99F}
Task: {5AB9CDE1-0865-469C-87AD-0EEB50A15AD6} - System32\Tasks\{A2C34CF1-21D8-46D5-945E-50F6664AA99F} => C:\Windows\system32\pcalua.exe -a "C:\Users\Fredrik T\Desktop\New folder\FRST64.exe" -d "C:\Users\Fredrik T\Desktop\New folder"
HKLM\...\exefile\shell\open\command: C:\Windows\svchost.com "%1" %* <==== ATTENTION
C:\$Recycle.Bin\S-1-5-21-110846612-3622351050-2426096884-1000\$ROFABMX.exe
C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
C:\ProgramData\Package Cache\{2e085fd2-a3e4-4b39-8e10-6b8d35f55244}\VC_redist.x86.exe
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
C:\ProgramData\Package Cache\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}\VC_redist.x64.exe
C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
C:\Users\Fredrik T\AppData\Local\Temp\{3F1B1776-2FB5-4B95-BC3E-33E1CD0C0A97}\CreativeCloudSet-Up.exe
C:\Windows\svchost.com

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
