
Problems with Redirection and SVCHOST.EXE

Discussion in 'Virus & Other Malware Removal' started by Altec103, May 3, 2010.

Thread Status:
Not open for further replies.
  1. Altec103

    Altec103 Thread Starter

    Joined:
    Nov 4, 2008
    Messages:
    21
    Hello. I am new to these forums, but everyone seems nice and helpful so I've decided to post. After I stupidly downloaded a virus that posed as an anti-virus I have been having some trouble. I think I removed the virus, but I have problems with redirection. When I click on Google links I get redirected to random advertising websites. And I've also had some AVG pop-ups about SCVHOST.EXE, but none of the virus scans I've tried so far have picked up anything.

    Here is a HijackThis log.

    Thank you for the help in advance. I have serious security concerns about this.
     
  2. Altec103

    Altec103 Thread Starter

    Joined:
    Nov 4, 2008
    Messages:
    21
    I have some new alerts that I have received from AVG.

    Exploit Rogue Scanner 871
    Exploit Phoenix Exploit Kit

    Yet I cannot remove them from my system and I still get redirected from links in my browsers.
     
  3. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Welcome.

    Download the GMER Rootkit Scanner. Unzip it to your Desktop.

    Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double click GMER.exe.
    • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
    • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
    • Save the log where you can easily find it, such as your desktop.
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    Please copy and paste the report into your Post.

    Download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • OTL should now start. Change the following settings
      • Change Drivers to All
      • Change Standard Registry to All
      • Under File Scans, change File age to 30
    • Under the Custom Scan box paste this in

      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      %SYSTEMDRIVE%\*.*
      /md5start
      SVCHOST.EXE
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles

    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
      • Please post the contents of these files in your next reply.
     
  4. Altec103

    Altec103 Thread Starter

    Joined:
    Nov 4, 2008
    Messages:
    21
  5. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    You can attach those reports here.

    The following file is infected:

    C:\Windows\System32\drivers\mountmgr.sys

    Do not remove it by yourself.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. Install the Recovery Console if prompted.
    6. When finished, it will produce a report for you.
    7. Please post the "C:\ComboFix.txt" .
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
     
  6. Altec103

    Altec103 Thread Starter

    Joined:
    Nov 4, 2008
    Messages:
    21
    I attempted to run Combo Fix following your instructions and I am prompted with an error message upon double clicking that states, "Windows cannot access specified path. May not have permission." I ran as administrator too.
     
  7. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Tap on F8 during Startup to reach the Advanced Menu. Is there an option to "Repair your computer"? If not, do you have the VISTA DVD?

    • Run OTL. Make sure all other windows are closed and to let it run uninterrupted.
    • OTL should now start. Change the following settings
      • Change Drivers to All
      • Change Standard Registry to All
      • Under File Scans, change File age to 30
    • Under the Custom Scan box paste this in


      /md5start
      SVCHOST.EXE
      mountmgr.sys
      /md5stop

    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
      • Please post the contents of these files in your next reply.
     
  8. Altec103

    Altec103 Thread Starter

    Joined:
    Nov 4, 2008
    Messages:
    21
    I was thinking along the lines of a reformat too. But I have a stock PC and it didn't come with a disk for the operating system. I will call support and see if I can get my hands on one.

    And here are the scan results.
     

    Attached Files:

  9. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Open Notepad. Select Format from the menu. Make sure WordWrap is not selected.

    • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :files
      C:\Windows\System32\drivers\mountmgr.sys|C:\Windows\winsxs\x86_microsoft-windows-mountpointmanager_31bf3856ad364e35_6.0.6001.18000_none_f29824c60705c394\mountmgr.sys /replace
      C:\SZKGFS.dat
      C:\Users\Andrew\AppData\Local\dY4QD
      C:\ProgramData\dY4QD
    • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
    • Click the red Run Fix button.
    • The computer will restart
    • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.

    Download Win32kDiag.exe from any of the following links to your desktop:

    http://ad13.geekstogo.com/Win32kDiag.exe
    http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe
    http://rootrepeal.psikotick.com/Win32kDiag.exe

    Run it, it will create a file "Win32kDiag.txt" on the desktop. Post its report in a reply.
     
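The OTL `/md5start ... /md5stop` list in post 3 and the `...|C:\Windows\winsxs\...\mountmgr.sys /replace` fix in post 9 rest on one check: a system file that has been patched in place no longer hashes like the pristine copy Windows keeps in the WinSxS component store, and that store copy is the natural replacement. The script below is an added example written for this thread; it is not code from OTL, GMER or the moderator. It hashes each named file as loaded by the running system (System32\drivers, then System32), compares it with every WinSxS copy of the same name, and reports the outcome. The Windows root path, the watch list and the fixture tree it builds when run without arguments are all assumptions; the component directory names in the fixture are constructed, not real Vista component identities.

```python
"""Check live system files against their WinSxS component-store copies.

Added example for the OTL /md5start list and the winsxs /replace fix above.
Run with the real Windows root (e.g. C:\\Windows, or a mounted offline image)
as the first argument; with no argument it builds a constructed fixture.
"""
import glob
import hashlib
import os
import sys
import tempfile


def file_hash(path, algo="md5"):
    """Hash a file in chunks. OTL's list used MD5; pass algo="sha256" for a stronger digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def winsxs_copies(windir, name):
    """Every copy of `name` in the component store, one per installed version."""
    return sorted(glob.glob(os.path.join(windir, "winsxs", "*", name)))


def live_copy(windir, name):
    """The copy the running system uses: System32\\drivers first, then System32."""
    for parts in (("System32", "drivers", name), ("System32", name)):
        cand = os.path.join(windir, *parts)
        if os.path.isfile(cand):
            return cand
    return None


def check_file(windir, name, algo="md5"):
    """Classify one file as ok, MISMATCH, missing, or no-reference."""
    live = live_copy(windir, name)
    refs = winsxs_copies(windir, name)
    result = {"name": name, "live": live, "references": refs, "matches": []}
    if live is None:
        result["status"] = "missing"          # nothing on disk under that name
        return result
    result["hash"] = file_hash(live, algo)
    if not refs:
        result["status"] = "no-reference"     # OEM/third-party file, nothing to compare with
        return result
    result["matches"] = [r for r in refs if file_hash(r, algo) == result["hash"]]
    result["status"] = "ok" if result["matches"] else "MISMATCH"
    return result


def check_many(windir, names, algo="md5"):
    return [check_file(windir, n, algo) for n in names]


def build_sample_tree():
    """Constructed fixture (assumption, not a real Windows install) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    good_driver = b"MZ-good-mountmgr"
    good_svchost = b"MZ-good-svchost"
    files = {
        # pristine component-store copies (directory names are made up for the fixture)
        ("winsxs", "x86_constructed-mountpointmanager_6.0.6001.18000", "mountmgr.sys"): good_driver,
        ("winsxs", "x86_constructed-svchost_6.0.6001.18000", "svchost.exe"): good_svchost,
        # live copies: mountmgr.sys intact, svchost.exe patched in place
        ("System32", "drivers", "mountmgr.sys"): good_driver,
        ("System32", "svchost.exe"): good_svchost + b"<injected>",
        # an OEM driver with no component-store copy at all
        ("System32", "drivers", "vendorraid.sys"): b"MZ-oem",
    }
    for parts, data in files.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


# Hypothetical watch list; the thread's full OTL list can be substituted here.
WATCHLIST = ["svchost.exe", "mountmgr.sys", "atapi.sys", "vendorraid.sys"]

if __name__ == "__main__":
    windir = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for r in check_many(windir, WATCHLIST):
        print(f"{r['status']:<12} {r['name']:<16} {r.get('hash', '')}")
        if r["status"] == "MISMATCH":
            for ref in r["references"]:
                print(f"{'':12} candidate known-good copy: {ref}")
```

Two caveats a practitioner should keep in mind. First, a kernel-mode rootkit that hooks the disk stack can return clean file contents to any user-mode reader, so a hash taken from inside the infected system can be spoofed; that is why the thread leans on GMER and why Win32kDiag's "Cannot access" entries matter. Run the check from the recovery environment or against the disk mounted offline, which is exactly where the "Repair your computer" / Vista DVD question in post 7 leads. Second, a MISMATCH is a lead, not a verdict: a file that matches none of its WinSxS copies should be cross-checked against its Authenticode signature before it is replaced, and the replacement should be done at boot, as The Avenger does later in the thread, because the file is in use while Windows is running.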
  10. Altec103

    Altec103 Thread Starter

    Joined:
    Nov 4, 2008
    Messages:
    21
    Do you have MSN? Maybe we can do real time and it would be faster.

    Here is the OTL fix report. Doing the other thing now.

    ========== FILES ==========
    Unable to replace file: C:\Windows\System32\drivers\mountmgr.sys with C:\Windows\winsxs\x86_microsoft-windows-mountpointmanager_31bf3856ad364e35_6.0.6001.18000_none_f29824c60705c394\mountmgr.sys without a reboot.
    C:\SZKGFS.dat moved successfully.
    C:\Users\Andrew\AppData\Local\dY4QD moved successfully.
    C:\ProgramData\dY4QD moved successfully.

    OTL by OldTimer - Version 3.2.4.1 log created on 05082010_121402

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  11. Altec103

    Altec103 Thread Starter

    Joined:
    Nov 4, 2008
    Messages:
    21
    And the other report which does not look very promising.

    Running from: C:\Users\Andrew\Desktop\Win32kDiag.exe

    Log file at : C:\Users\Andrew\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\Windows'...



    Cannot access: C:\Windows\bthservsdp.dat

    [1] 2010-05-08 12:14:18 12 C:\Windows\bthservsdp.dat ()
     
  12. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    I don't use messengers.

    Download the enclosed folder. Save and extract its contents to the desktop. Once extracted open the folder, right click on the Trans.bat file and select Run as an Administrator. Post the resulting report.
     

    Attached Files:

  13. Altec103

    Altec103 Thread Starter

    Joined:
    Nov 4, 2008
    Messages:
    21
    Volume in drive C is ACER
    Volume Serial Number is B0A7-029A

    Directory of c:\Backup

    05/08/2010 12:32 PM <DIR> .
    05/08/2010 12:32 PM <DIR> ..
    01/20/2008 10:23 PM 57,400 mountmgr.sys
    1 File(s) 57,400 bytes
    2 Dir(s) 157,556,674,560 bytes free
     
  14. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Begin copying here:
    Files to move:
    C:\Backup\mountmgr.sys|C:\Windows\System32\drivers\mountmgr.sys

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.
     
  15. Altec103

    Altec103 Thread Starter

    Joined:
    Nov 4, 2008
    Messages:
    21
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File move operation "C:\Backup\mountmgr.sys|C:\Windows\System32\drivers\mountmgr.sys" completed successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
Short URL to this thread: https://techguy.org/920865