Two questions as I monitor the fix today...1) You said "Some of these files are in FRST quarantine"...do we just leave them there or can we eliminate...and 2) I use McAfee Virus Protection....shouldn't if have protected me...if not...is there a better protection method. Thanks in advance and for sure will buy you a couple of beers via Paypal once I get thru this morning with no reoccurance....mucho thanks!
c:\Windows\SysWOW64\svchost.exe Issue
- Thread starter Adplusone
- Start date
- Status
- Mar 8, 2013
- 22,627
1) We will delete them in last step
2) There are no 100% protection. The best protection is you. I will give you some readings and tools so you can harden your defense and stop this from happening again.
Let me know if everything is ok, so we can finish.
2) There are no 100% protection. The best protection is you. I will give you some readings and tools so you can harden your defense and stop this from happening again.
Let me know if everything is ok, so we can finish.
So far so good...two questions 1) If these files are in FRST quarantine...do we just leave them there or is there a way to delete them. 2) If I am using McAfee how did this malware get thru...is there a better option for virus and malwares....
If all remains good this morning I will be buying you some beers via Paypal...so very grateful for your expertise!
If all remains good this morning I will be buying you some beers via Paypal...so very grateful for your expertise!
- Mar 8, 2013
- 22,627
Let's run more checks:
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
Confirm "End user Licence Agreement" and "KSN Statement" dialog box by clicking on Accept button.
Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
Scan with ComboFix
This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!
Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Include that log in your next reply.
If you'll encounter any issues with internet connection after running ComboFix, please visit this link.
If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
Confirm "End user Licence Agreement" and "KSN Statement" dialog box by clicking on Accept button.
- Press Start Scan
- If Suspicious object is detected, the default action will be Skip, click on Continue.
- If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!
Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
- Right-click on
icon and select
Run as Administrator to start the tool.
- Accept the disclaimer and agree if prompted to install Recovery Console.
- Do not take any actions while ComboFix goes through your System - it may cause it to stall!
- This scan may take some time!
- When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).
Include that log in your next reply.
- Mar 8, 2013
- 22,627
COMBOFIX comments...no issues...rebooted as part of scan......no issues to get back on internet after reboot...
NO ISSUES in the first 20 minutes or so...will continue to monitor
NO ISSUES in the first 20 minutes or so...will continue to monitor
- Mar 8, 2013
- 22,627
After nearly four hours of no outbound detections...boom...four in a very rapid sequence ..all OUTBOUND from c:\windows\sysWOW64\svchost.exe.
IP on three of the four is 88.214.193.211...the other was 37.1.220.204 (which was the same IP as the last detection from this morning).
IP on three of the four is 88.214.193.211...the other was 37.1.220.204 (which was the same IP as the last detection from this morning).
- Mar 8, 2013
- 22,627
Let's make one final scan, maybe it reveals something:
Scan with Gmer
This type of scan often produces false positives. At any point do not take any action for any suspicious entries you may see there. Instead post the log to be analyzed.
Please download GMER by Gmer and save the file to your desktop.
It will come as a randomly named file (like a6ge38b4.exe) - that's absolutely normal.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.
Don't forget to re-enable previously switched-off protection software!
If you encounter any problems, try running GMER in Safe Mode.
If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning.
This type of scan often produces false positives. At any point do not take any action for any suspicious entries you may see there. Instead post the log to be analyzed.
Please download GMER by Gmer and save the file to your desktop.
It will come as a randomly named file (like a6ge38b4.exe) - that's absolutely normal.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.
- Right-click on randomly named
icon and select
Run as Administrator to start the tool.
- It is very important that you do not use your computer while Gmer is running!
- Gmer will open to the Rootkit/Malware tab and perform an automatic quick scan.
- If you receive a warning about rootkit activity and are asked to fully scan your system click NO!
- Please check in the Quick scan box.
- Please uncheck the IAT/EAT and Show All.
- Click Scan.
- If you see a rootkit warning window click OK.
- When the scan is finished, Save the results to your desktop as gmer.log.
Don't forget to re-enable previously switched-off protection software!
Ran GMER and log attached.
QUESTION - On each of the scans I have run I disabled by McAfee...but I just realized that Malwarebytes Anti-Malware was still running. Would that have interfered with any of the scan results?
QUESTION - On each of the scans I have run I disabled by McAfee...but I just realized that Malwarebytes Anti-Malware was still running. Would that have interfered with any of the scan results?
- Mar 8, 2013
- 22,627
No, MalwareBytes won't interfere with these tools.
And again, I do not see any sign of malware that could cause this. Go to Control Panel and remove software you do not need or do not know.
Remove Java and Adobe Reader and install latest version.
SpyBot S&D Warning
MVPS.org is no longer recommending SpyBot S&D due to very poor testing results (scroll down and read under Freeware Antispyware Products).
My advice is to get rid of this program. To do so:
This is optional, but please consider it.
Also, open MalwareBytes and export Protection logs from 3-4 days ago.
And again, I do not see any sign of malware that could cause this. Go to Control Panel and remove software you do not need or do not know.
Remove Java and Adobe Reader and install latest version.
MVPS.org is no longer recommending SpyBot S&D due to very poor testing results (scroll down and read under Freeware Antispyware Products).
My advice is to get rid of this program. To do so:
- Press the
+ R on your keyboard at the same time. Type appwiz.cpl and click OK.
- Search for SpyBot, right-click the entry and click Uninstall.
This is optional, but please consider it.
Also, open MalwareBytes and export Protection logs from 3-4 days ago.
Looking back this issue started about the time I downloaded Microsoft Silverlight. I uninstalled and while doing so got an error message (attached). Not sure if related but thought you should see it.
So I uninstalled Silverlight and the following programs:
Adobe Air
Adobe Flash
Adobe Reader X
Free RIP
I-Tunes
Java (7-25)
Java (7-25 32 bit)
Misc Dell Service Agreement
Total Recorder
TVScan
I ran a Java cleanup program, rebooted, reinstalled the latest version of Java 7 (ver 67).
Rebooted and am here.
Will next go back and resend requested protection logs
So I uninstalled Silverlight and the following programs:
Adobe Air
Adobe Flash
Adobe Reader X
Free RIP
I-Tunes
Java (7-25)
Java (7-25 32 bit)
Misc Dell Service Agreement
Total Recorder
TVScan
I ran a Java cleanup program, rebooted, reinstalled the latest version of Java 7 (ver 67).
Rebooted and am here.
Will next go back and resend requested protection logs
- Mar 8, 2013
- 22,627
Attached are the 16th and 17th...was out of office on the 18th and 19th so I guess that is why no logs those days?
- Mar 8, 2013
- 22,627
Very nice, we're doing something 
Do you know anything about this folder and file? I suspected they could be the problem
C:\Users\Jeffrey Schmatz\AppData\LocalLow\MonitorMemory\MigrationCpu\browser.exe
Do you know anything about this folder and file? I suspected they could be the problem
C:\Users\Jeffrey Schmatz\AppData\LocalLow\MonitorMemory\MigrationCpu\browser.exe
- Status
Similar threads
- Locked
- Locked
