Staredit Network > Forums > Technology & Computers > Topic: Skilled Trojan
Skilled Trojan
Sep 4 2009, 1:31 am
By: Falkoner  

Sep 4 2009, 1:31 am Falkoner Post #1

My first real interest in computers came from trying to remove malware from an old computer, however, I've recently learned that malware has gotten a lot smarter in the past few years.

I love freeware, it's extremely fun to me to get some new program that is really cool, however, there's a few meanies out there who like to give a little bit more than they say. So I got a program recently, that when I went to run it gave me an error, and "wasn't able to run", of course, I immediately recognized this as a lame cover up for a malware drop, so I went after it as fast as possible, and smacked myself for not trying it out in a sandbox like I usually do.

Initially there were two new programs in my startup, one was a.exe, and I don't remember the other, I got rid of these very quickly, ran a scan, and assumed that my computer was fine. Little did I know.

About a day later, I start noticing that the first link in every Google search I made would link me to some advertising site, rather than what the link truly was. When hovering over the link, it points to the correct place, but as soon as you click on it, the link changes to the new advertising page, when I saw this I knew that I hadn't gotten rid of the malware yet.

So, I went to scan with Malwarebytes, but found that about 3 seconds into the scan, the program would shut down, not crash, simply shut down. I also tried scanning with AVG, and found that I couldn't even open up a scan window. I scanned with SUPER Antispyware, and that worked, but it only found one trojan, and the problem still persisted after this was removed. I've tried starting up under BartPE, and doing scans from there, but for some reason I can't get Malwarebytes to scan, and any other scanners I've used don't pick up the problem.

So I've given up on scanners, I think manual removal is my best bet at this point, so I checked out my startup list, it had already been cleaned from before, and I knew every entry on there. So I went to check my services with an external program, in this case, WinPatrol, and found that whenever I would access the Services tab the program would immediately shut down. I tried using Autoruns, and that also crashed, finally I found a program called Starter, which was able to view my service list without crashing.

Now, there are a lot of services, and it's obnoxious trying to find the right one. I know most of them are clean, and the others that I'm not certain of, I'm pretty sure I've seen before. So, I decided to try another route, so I opened up Process Explorer and checked out the situation. The only program I saw out of place was mscorsvw.exe, which from a search proved to be an actual program, the .NET Runtime Optimization Service; however, I don't think I've seen it before, and when I ended it, it would restart. There were also a few Media Center services that I didn't usually have on, which also would restart, so I found each of these in Services and removed them, all except the .NET Runtime Optimization Service.

However, I must have been wrong or something, because even with those services disabled, I still had the same problem. So I started ending random processes, and found that a few of my svchost processes wouldn't start the Shutdown.exe protocol if they were ended, like they usually do, of course, some did, so I had to use shutdown -a to stop that, and found the true culprit of my search engine problems, because when I ended a few of them, my searches no longer took me to the wrong pages. However, I still cannot run scans, even with the fake ones ended, and I don't know where the false svchost is, so does anyone have any ideas what I can do from here?

I just noticed that I have 41 entries in my Services that all execute:
C:\WINDOWS\system32\svchost.exe -k netsvcs

Now, I KNOW some of these are normal ones, but can anyone tell me what makes them do anything different?

Post has been edited 1 time(s), last time on Sep 4 2009, 1:42 am by Falkoner.

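On the question of what tells the 41 "svchost.exe -k netsvcs" entries apart: svchost.exe is only a host, and each service it runs is defined by the DLL named in that service's registry key (HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll). The script below is an added example, not something posted in the thread; it lists every netsvcs service, resolves its ServiceDll, and checks the DLL's Authenticode signature so that an unsigned or missing DLL stands out. It assumes an elevated PowerShell prompt on a Windows box with the standard Services registry layout.

```powershell
# Added example (not from the thread): list every service that shares the
# "svchost.exe -k netsvcs" host and show which DLL actually does its work.
# svchost-hosted services differ only by the DLL named in
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll
# (a few services store ServiceDll directly under the service key instead).

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$results = foreach ($key in Get-ChildItem $base) {
    $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $svc.ImagePath) { continue }
    # Match any svchost command line that uses the netsvcs group, whatever the path or case
    if ($svc.ImagePath -notmatch 'svchost\.exe\s+-k\s+netsvcs') { continue }

    $paramsPath = Join-Path $key.PSPath 'Parameters'
    $dll = $null
    if (Test-Path $paramsPath) {
        $dll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
    }
    if (-not $dll) { $dll = $svc.ServiceDll }   # fallback: value stored on the service key itself

    $status = 'NoServiceDll'
    $signer = ''
    if ($dll) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)   # expand %SystemRoot% etc.
        if (Test-Path $dll) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } else {
            $status = 'FileMissing'          # ServiceDll points at a file that no longer exists
        }
    }

    New-Object PSObject -Property @{
        Service    = $key.PSChildName
        Start      = $svc.Start              # 2 = Automatic, 3 = Manual, 4 = Disabled
        ServiceDll = $dll
        Signature  = $status
        Signer     = $signer
    }
}

# Anything whose signature is not Valid (or whose DLL is missing) deserves a closer look,
# and a DLL that is in the list but not part of a known Windows install is the first thing to compare
# against a clean machine.
$results | Sort-Object Signature, Service | Format-Table Service, Start, Signature, ServiceDll -AutoSize
```

Many Windows system DLLs are signed through catalog files rather than an embedded signature, and older PowerShell versions report those as NotSigned, so treat NotSigned as a prompt to compare the file's hash against a known-clean copy (or run sfc /verifyonly) rather than as proof of infection by itself.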

Sep 4 2009, 2:45 am Falkoner Post #2

Update:
So I guess getting rid of the .NET service fixed the Google first result... Nevermind, it's back, that or something else I did, but I still can't scan :( It looks to me like it's a permanent thing it did; my guess is there's some corrupt entry in my Services list that crashes most programs that try to look over it now.

Post has been edited 1 time(s), last time on Sep 4 2009, 10:02 pm by Falkoner.


Sep 4 2009, 5:49 am omginbd Post #3

Reinstall?


Sep 4 2009, 6:55 am CaptainWill Post #4

I would have said HOSTS file when I first started reading but now I'm not so sure. Have you tried Combofix? Be careful where you get it from.


Sep 4 2009, 10:12 pm Falkoner Post #5

Quote
I would have said HOSTS file when I first started reading but now I'm not so sure. Have you tried Combofix? Be careful where you get it from.

Checked HOSTS file, hasn't been changed at all. I'm gonna try Combofix now. I've tried ZoneAlarm, Avast, A-squared, Spybot S&D, Ad-Aware SE, SUPER Anti-spyware, IObit Security 360, IObit Advanced SystemCare(crashed when checking for security holes, I'm guessing from checking Service list), Windows Live OneCare, HiJackThis(crashed), A-Squared HiJackFree(crashed), Avast, Avira, 1-2-3 Spyware Free, Malwarebytes Antimalware(crashed), AVG Free(won't run), and a couple others I can't remember.

Quote
Reinstall

Yeah, that's definitely an option, I have my system set up so that should take under an hour, however, I kinda wanna fix this manually, just for the practice.

EDIT:
YES! I believe ComboFix did the trick, which is very ironic because it was a tool I had the entire time, but had decided to ignore, the ugly interface kinda threw me off I guess. Other scanners also picked up QUAD Registry Cleaner as a problem, but I figured it may have been a false alarm, as I had a few of those, however, ComboFix removed it, and it also found an infected eventlog.dll, which I bet was the main problem. Thanks guys :)

Post has been edited 1 time(s), last time on Sep 4 2009, 10:31 pm by Falkoner.


Sep 5 2009, 11:48 am Clokr_ Post #6

So many programs used and you have not even mentioned HijackThis...

Quote
I just noticed that I have 41 entries in my Services that all execute:
C:\WINDOWS\system32\svchost.exe -k netsvcs

Now, I KNOW some of these are normal ones, but can anyone tell me what makes them do anything different?

The virus is probably a .exe which runs at startup and randomly injects DLLs into the svchost processes which continue the dirty work or something like that. Start in failsafe mode and see if the virus is gone or not. If it is gone then you can probably remove it using hijackthis.


Sep 5 2009, 5:12 pm Falkoner Post #7

Quote
So many programs used and you have not even mentioned HijackThis...

Actually, I did in that list of programs, it crashed ;)

I don't believe it was an executable anymore, from what I saw when ComboFix fixed it, I think that the spyware had infected eventlog.dll, so it was using that to block it, and I assume that one of the svchost's was loading something from it. My startup was clean, it had just left behind its effect.


Sep 5 2009, 6:53 pm Clokr_ Post #8

Quote from Falkoner
Quote
So many programs used and you have not even mentioned HijackThis...

Actually, I did in that list of programs, it crashed ;)

I don't believe it was an executable anymore, from what I saw when ComboFix fixed it, I think that the spyware had infected eventlog.dll, so it was using that to block it, and I assume that one of the svchost's was loading something from it. My startup was clean, it had just left behind its effect.

Oh, well. I'd have suggested failsafe mode + hijackthis, but looks like it truly was a quite bad trojan :P
When you get infected by something like that the best you can do is format the hard drive anyway.


Sep 5 2009, 7:05 pm Falkoner Post #9

I think people overestimate what safe mode does. All it does is turn off unnecessary drivers for your computer's operation; it's only good when your computer is basically not working, not if it's working but has malware on it. The startup remains the same; the drivers loaded are the only thing that really changes.


Sep 5 2009, 7:54 pm darksnow Post #10

Probably not related to this topic, but what antivirus are you using?


Sep 5 2009, 8:06 pm Falkoner Post #11

AVG Free, I usually don't get stuff like this, and as you saw, when I do it gets fixed pretty fast.


Sep 7 2009, 12:28 pm Clokr_ Post #12

Quote from Falkoner
I think people overestimate what safe mode does, all it does is turn off unnecessary drivers for your computer's operation, it's only good when your computer is basically not working, not if it's working but has malware on it, the startup remains the same, the drivers loaded is the only thing that really changes.

No. It also disables all the custom startup stuff, so it'll prevent most viruses from starting. Only the ones that have installed themselves into system files will get executed.


Sep 7 2009, 8:24 pm fire1337 Post #13

Hey, I had malware before.
If you want a pretty dandy detection system, try IceSword. It works amazingly.
