System 32 Virus anyone?

[round man]

we've been fighting this virus at school(ECPI institute of technology) for about a month now and in alot of cases once you get rid of the virus with combo fix or tdsskiller or unhackme,or whatever malware remover you use,.... the code for redirects remain in firefox and other browsers,..the only fix we,ve found for this is to go to the advanced tool options for firefox and set the warn me when browser redirects and it will give you the option to allow a redirect (like when you make a post here and save it) and or just x out of it if you want to stay on the page you are looking at,..this in effect stops the malicious code in an ad or infected site(yes this bugger infects websites) to redirect to some oddball page, or open a new window for some chinese tv site. Every time I log on a local newspaper site the lil bastard acts up again,..seem there are ads out there that are afflicted with this critter and it just don't wanna die,..the disabling redirects in firefox is the only true fix we have found. just finding and removing the infected file may very well not solve your problems,...

 

[S'N'S]

Here's a good explanation of it http://ask-leo.com/where_is_it_alright_for_svchostexe_to_be.html

 

[round man]

Kapersky found it and deleted it,..avast found it again and did the same,...then I ran combofix and it found the same damned virus only a variant,..tdsskiller found it again two days later and supposedly eradicated it,..then we ran highjackthis and it fiound it and we removed it manually,it slipped right by avg and macafee...this is just the short list,we tried at least`ten other really high tech solutions..even after disabling windows restore points and deleteing all the restore points tha lil bastard popped back up,..I have had two computer proffessors and the system administrator try to git rid of it and it persists and keep coming back,.finally I reformatted the drive and it popped back up,...then we put a brand new drive and the lil bastard poked its head out of whatever hole its hiding in again,we scanned all my drives and flashdrives and anything hooked up to or situated nearby on the desk to this machine and nuthin,..notta,..and the browsers still redirected to unwanted sites, I'd like to get the person who wrote this damned code into a room alone for about ten minutes with a ball peen hammer,...you figure the rest out

 

[S'N'S]

Try reading the link I posted,
There are four locations that are all valid places to find a file called "svchost.exe". Note that only one of them, C:\Windows\System32\svchost.exe, should actually be running. The rest are various forms of backup associated with installing and upgrading Windows.
So what if you find a svchost.exe somewhere else? It could be the result of a virus. Your very first step should always be to run an up-to-date anti-virus scan. Most will take care of the problem safely.
If they do not, things are less clear. You can try renaming or removing the file (make a backup copy on floppy or somewhere else first, just in case). But ultimately, I would probably consider scanning again with an additional, different anti-virus product. Once again I'd emphasize that the virus database should be up to date, as new viruses appear every day.

 

[Techman]

Jill you and anyone else is more than welcome to call me at first trouble I will get you up within minutes.. I get calls like this all the time..

Had same problem, nothing short of reformatting will get it.

I really wish those who believe this would not post this. This is never the fix to resort to. I have never had to reformat a hard drive for a maggot ware infection.

Combofix from the right place is free. Malware bytes is good too.

AVG is running a distant last now right down there with nortons and mcafee. Losing AVG is a good idea now. They lost seem to have lost their secret coder ..

Avast FREE is up with the top contenders now.

different anti-virus product

Not the greatest of solutions. Antivirus

Getting the proper cleaner is the best solution. Many anti virus deflectors will not clean a newer class of infections.

disabling redirects in firefox is the only true fix we have found.

As for the redirects to other sites.. This is caused by an infected host file. The best fix is to delete every thing in the host file except the very first line. No need for a cleaner for this one.

.I have had two computer proffessors and the system administrator try to git rid of it and it persists and keep coming back,

They should hire me to teach the courses in computer cleaning then.. There are dozens of paths a computer tech can take. Some are great at networks, some are great at servers.. None are good at it all.

 

[d fleming]

Let me reiterate. Nothing short of reformatting is what my good friend who helps me quite a lot with pc problems came up with after many hours and days of trying to fix my infected drive. Combofix seems to have gotten this drive up and running again but I'm sure I'm not quite through, but still, this program got this machine to stop crashing and freezing and all sorts of other nasty little things right quick. Reg doc, malware, noroton, hijack this and many other fixes weren't quite getting it, but now I'm on the right track. Thanks to everyone for keeping this thread going. I have learned a lot! Glad to hear you are up and going Jill. I have a new machine coming Monday for main production so my poor little 5 year old, 4 gig racecar will get demoted to home use so the teenager can finish killing it. Thanks again everyone, signs 101 rules!

 

[Jillbeans]

Curt, Can you please call 724-586-6923? Thanks!
~at your convenience of course~
Can't find a way to contact you and I'll call you back if you call me.
This thing:
Changes your desktop appearance
gives Windows installer pop ups
PC is now starting in "safe" mode
Pop up saying you've won $1000 from Walmart
hard to access control panel
I no longer have sound for some reason
and the combofix only works for about 5 mins then it's back on the rollercoaster.

 

[dj_elite]

Hit F8 when restarting your computer, run in safe mode and run your virus removal in safe mode

 

[Jillbeans]

Well this has been three days of sheer f*ckery.
When you can say that the two tasks you had in a weekend were trying to fix your PC and peeling off old wallpaper, and the wallpaper part was more rewarding, you know you're screwed.
Thanks for the call Techman and I am sure it's user error on my part, but I did do everything you said in the order you said and this thing still keeps reinstalling itself.
The combofix is pretty slick but the virus is slicker I think.

 

[round man]

Jill if you are using firefox go to tools/options and then on the advanced settings tab check the third box down on the general tab,.then close firefox and restart it. This will make a toolbar show up at the top of your page each time any page wants to redirect your browser and give you the option to redirect to the page you want to go to and or x out if you want to stay where you are at,....It's the only thing I have found that remotely fights this problem.Hope this helps ya,...

 

[signcrafters london]

I ran combofix an hour or so ago and it seems to have fixed my problems. Thanks everyone for that advice. I was feeling good until I read the last few posts of this thread a few minutes ago; now -- DAMN -- I'm worried the thing will come back.

Another bandaid you can try if you are running Firefox is an add-on called Redirect Cleaner. It has been great. I downloaded it about a month ago and it stopped the redirects until tonight when it somehow got disabled. All I had to do was right click to enable it again and all was well. But I decided to come back to this thread and then dl combofix to hopefully solve the problem once and for all.

 

[gnatt66]

Jill if you are using firefox go to tools/options and then on the advanced settings tab check the third box down on the general tab,.then close firefox and restart it. This will make a toolbar show up at the top of your page each time any page wants to redirect your browser and give you the option to redirect to the page you want to go to and or x out if you want to stay where you are at,....It's the only thing I have found that remotely fights this problem.Hope this helps ya,...

great advice!

 

[Techman]

rootkits must be removed only with a special remover.

Any gyration other than that will not work. Turning of redirect in firefox fixes the symptom. It will not fix the cause.

Rootkits take over the system restore and operate within the OS system. They will never be stoped with a antivirus.

usually the bad software will be hidden in the system32 folder.

This junk has to be removed with the latest remover. They change quickly.

 

[phototec]

rootkits must be removed only with a special remover

rootkits must be removed only with a special remover.

Any gyration other than that will not work. Turning of redirect in firefox fixes the symptom. It will not fix the cause.

Rootkits take over the system restore and operate within the OS system. They will never be stoped with a antivirus.

usually the bad software will be hidden in the system32 folder.

Hi Jill,

Techman is CORRECT!

I had the System 32 virus last year, the best help I got was from a website called "WindowsBBS.COM", (link below). You join for FREE and list your symptoms, then one of their analyst contacts you and takes you step by step through various procedures to get the virus off of your computer, it worked for me.

During my experience, I was working with "Broni", a Malware Analyst, his avatar looks like a winnie the poo bear, he did and outstanding job working with me for hours and hours trying to get rid of the virus. He gave me links to download different FREE removal applications and explained step by step what to do. I believe the last step was to use TDSSKILLER to clean the registry where the System 32 virus was hiding.

I would give "WindowsBBS.COM" a try!

http://www.windowsbbs.com/malware-virus-removal/88428-active-system-32-trojans-11-gasfkyfyakffwq-sys.html

Jon

 

[Jillbeans]

Virus day 4....5? Stuck in a hell of sorts.
No matter what I do (safe mode, turn off system restore, etc etc etc)
This MF'in TS'in two-ballSOB keeps reinstalling itself.
Thinking of taking it to Staples.
Thinking of calling Geek Squad.
Thinking of getting out the .44 and killing it.
The SSDD (meaning TDSS but same sh!t different day feels better) did find two files and I followed all instructions but bam there it was again (like a rogue Windows Installer thing popping up)
I switched to Google Chrome from IE.
I have probably screwed things up more on my own than any virus could have.
I have all the discs for all my programs, and can save all my files onto CD.
Should I just reinstall Windows?
Please stop me before I do anything bad.
Thanks.

 

[Locals Find!]

Jill, the reason it keeps reinstalling it self is that its in your registry files. You need to use a root killer app to hunt it down then delete it from your registry.

If you have never messed with your registry before you really should pay someone to do this for you. Since, if you delete the wrong registry key you will have just created a huge expensive paperweight.

A local computer shop / unemployed IT guy should be able to handle this for you reasonably.

 

[randya]

We have a system here with the same issue.
Perhaps this is a new variant, no corrupt host file, and nothing that shows up in the registry (at least that we can find).

TDDSkiller finds a rootkit and the system speeds back up immediately, but the google redirect is still an issue, after a few hours system has slowed.
Eventially the rootkit reappears.

Combofix identifies explorer.exe and login.exe as corrupt.

Various other tools have been used by our IT guy, to no avail.
The system locks up running gmer and has to be shut down hard.

He is going to put a new drive in and start from scratch, but I am still interested if anyone has any further input.

 

[sfr table hockey]

I have not re read through all the posts and not sure if this is of any help.

I had this I think 5 or 6 months ago and the guy who fixed it did not use software but went in and removed things to get rid of it. It took two trys as it did show up again after the first try.

One thing he said is that it was installing itself in the CD rom or somthing like that so that everytime you re-booted the computer it re installed itself.

Not sure if this is of any help.

 

[Jillbeans]

Well mine is still reinstalling itself too.
I think I am going to have to start from scratch.
Will wiping my PC wipe this SOB out?
I can't access Corel and am terrified of screwing up my cutting software.

 

[round man]

Jill I have the same problem. I turned the system restore off on my old drive and tried finding it with all the programs curtis suggested in safe mode and the lil bastard can't be found by any virus/rootkit remover/malware/spyware software,but I still get redirects in my browser,..even after putting in anew drive the problem represented itself so formatting and starting over hasn't helped any. neither did using a totally new drive,..I've scanned everything that is sitting anywhere remotely close to my system much less actually hooked up to it here and it keeps reinventing itself,...the redirect disable for my browser is the only thing that remotely affects the symptoms and still I get the occasional redirect or blank window popping up in the background,..me thinks the ppl that wrote the virus that infected the Iranian nuclear reactors have a hobby,...So far the only thing we can find it is messing with is the browser.