Solved c:\Windows\SysWOW64\svchost.exe Issue

Status
Not open for further replies.

Adplusone

New Member
Thread author
Verified
Aug 13, 2014
48
Two questions as I monitor the fix today...1) You said "Some of these files are in FRST quarantine"...do we just leave them there or can we eliminate them...and 2) I use McAfee Virus Protection....shouldn't it have protected me...if not...is there a better protection method. Thanks in advance and for sure will buy you a couple of beers via Paypal once I get thru this morning with no recurrence....mucho thanks!
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
1) We will delete them in the last step.
2) There is no 100% protection. The best protection is you. I will give you some reading and tools so you can harden your defenses and stop this from happening again.


Let me know if everything is ok, so we can finish.
 

Adplusone

New Member
Thread author
Verified
Aug 13, 2014
48
So far so good...two questions 1) If these files are in FRST quarantine...do we just leave them there or is there a way to delete them? 2) If I am using McAfee how did this malware get thru...is there a better option for viruses and malware....

If all remains good this morning I will be buying you some beers via Paypal...so very grateful for your expertise!
 

Adplusone

New Member
Thread author
Verified
Aug 13, 2014
48
Approx three hours later...it's back (see attached)

Have pretty much been on the web for last three hours...secure websites and email only

Ugh
 

Attachments

  • Adplusone Wed Aug 20th 843am CST Screen Shot.jpeg
    940.2 KB · Views: 128

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Let's run more checks:



Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm the "End User Licence Agreement" and "KSN Statement" dialog boxes by clicking on the Accept button.
  • Press Start Scan
  • If Suspicious object is detected, the default action will be Skip, click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.



Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!


Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
 

Adplusone

New Member
Thread author
Verified
Aug 13, 2014
48
TDSSKiller.exe log attached
 

Attachments

  • TDSSKiller.3.0.0.40_20.08.2014_08.56.58_log.txt
    214.5 KB · Views: 82

Adplusone

New Member
Thread author
Verified
Aug 13, 2014
48
COMBOFIX comments...no issues...rebooted as part of scan......no issues to get back on internet after reboot...

NO ISSUES in the first 20 minutes or so...will continue to monitor
 

Adplusone

New Member
Thread author
Verified
Aug 13, 2014
48
After nearly four hours of no outbound detections...boom...four in a very rapid sequence...all OUTBOUND from c:\windows\sysWOW64\svchost.exe.

IP on three of the four is 88.214.193.211...the other was 37.1.220.204 (which was the same IP as the last detection from this morning).
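The observation above is worth unpacking for anyone triaging a similar alert. C:\Windows\SysWOW64\svchost.exe is the legitimate 32-bit service host, so the path by itself proves nothing; what an analyst actually wants from a run of alerts like this is (a) whether the process path is one of the two expected svchost.exe locations, and (b) which public destinations the process keeps contacting, so they can be looked up. The script below is an added example written for this thread; it is not code from the thread, from McAfee, or from any tool mentioned here. The alert line format is constructed (it is not McAfee's real log format), the two addresses are the ones reported in the post, and the third, non-Windows svchost.exe path is a constructed sample added to show the path check firing.

```python
"""Triage outbound-connection alerts attributed to svchost.exe.

Added example for a defender reading the thread above; the alert format and
the third process path are constructed, not taken from any real product.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample alert lines. Two destinations are the addresses reported
# in the thread; the C:\Users\Public path is a made-up sample to exercise the
# location check (svchost.exe never legitimately lives there).
SAMPLE_ALERTS = """\
2014-08-20 08:43:12 OUTBOUND C:\\Windows\\SysWOW64\\svchost.exe -> 37.1.220.204:80
2014-08-20 12:31:05 OUTBOUND C:\\Windows\\SysWOW64\\svchost.exe -> 88.214.193.211:443
2014-08-20 12:31:06 OUTBOUND C:\\Windows\\SysWOW64\\svchost.exe -> 88.214.193.211:443
2014-08-20 12:31:07 OUTBOUND C:\\Windows\\SysWOW64\\svchost.exe -> 88.214.193.211:443
2014-08-20 12:31:08 OUTBOUND C:\\Windows\\SysWOW64\\svchost.exe -> 37.1.220.204:80
2014-08-20 12:32:00 OUTBOUND C:\\Windows\\System32\\svchost.exe -> 10.0.0.5:53
2014-08-20 12:33:00 OUTBOUND C:\\Users\\Public\\svchost.exe -> 88.214.193.211:443
"""

# The only two places Windows installs svchost.exe (64-bit and 32-bit copies).
LEGIT_SVCHOST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}

# Regex for the constructed line format: "<date> <time> OUTBOUND <path> -> <ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUTBOUND (?P<path>.+?) -> (?P<ip>[\d.]+):(?P<port>\d+)$"
)


def parse_alerts(text):
    """Turn alert lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "path": m["path"],
                           "ip": m["ip"], "port": int(m["port"])})
    return events


def triage(events, repeat_threshold=3):
    """Return findings worth an analyst's attention.

    Two checks: an svchost.exe running from anywhere but the two Windows
    directories, and a process that repeatedly contacts the same public
    address (private, loopback and link-local destinations are ignored).
    """
    findings = []
    public_hits = Counter()
    for e in events:
        path = e["path"].lower()
        if path.endswith("\\svchost.exe") and path not in LEGIT_SVCHOST:
            findings.append({"kind": "svchost_outside_windows_dir",
                             "path": e["path"], "ip": e["ip"], "count": 1})
        ip = ip_address(e["ip"])
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            continue
        public_hits[(e["path"], e["ip"])] += 1
    for (path, ip), n in public_hits.items():
        if n >= repeat_threshold:
            findings.append({"kind": "repeated_public_destination",
                             "path": path, "ip": ip, "count": n})
    return findings


def destinations_by_process(events):
    """Map each process path to the sorted list of public addresses it contacted."""
    dests = defaultdict(set)
    for e in events:
        if not ip_address(e["ip"]).is_private:
            dests[e["path"]].add(e["ip"])
    return {p: sorted(ips) for p, ips in dests.items()}


if __name__ == "__main__":
    evts = parse_alerts(SAMPLE_ALERTS)
    for f in triage(evts):
        print(f"{f['kind']:28} {f['path']} -> {f['ip']} (x{f['count']})")
    for proc, ips in destinations_by_process(evts).items():
        print(f"{proc}: {', '.join(ips)}")
```

Run against the constructed lines it reports one repeated destination for the SysWOW64 svchost.exe and one out-of-place svchost.exe, and lists the public addresses each process reached; the legitimate path itself raises nothing, which is the point. Feeding it real alerts means only adjusting LINE_RE to the product's actual export format.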
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Let's make one final scan, maybe it reveals something:



Scan with Gmer

This type of scan often produces false positives. At any point do not take any action for any suspicious entries you may see there. Instead post the log to be analyzed.

Please download GMER by Gmer and save the file to your desktop.
It will come as a randomly named file (like a6ge38b4.exe) - that's absolutely normal.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol), also disable it for the cleaning process - instructions here.

  • Right-click on the randomly named GMER icon and select Run as Administrator to start the tool.
  • It is very important that you do not use your computer while Gmer is running!
  • Gmer will open to the Rootkit/Malware tab and perform an automatic quick scan.
  • If you receive a warning about rootkit activity and are asked to fully scan your system click NO!
When the pre-scan is completed, please do the following:
  • Please check in the Quick scan box.
  • Please uncheck the IAT/EAT and Show All.
  • Click Scan.
  • If you see a rootkit warning window click OK.
  • When the scan is finished, Save the results to your desktop as gmer.log.
Please include the content of this file in your next reply.
Don't forget to re-enable previously switched-off protection software!

If you encounter any problems, try running GMER in Safe Mode.
If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning.
 

Adplusone

New Member
Thread author
Verified
Aug 13, 2014
48
Ran GMER and log attached.

QUESTION - On each of the scans I have run I disabled my McAfee...but I just realized that Malwarebytes Anti-Malware was still running. Would that have interfered with any of the scan results?
 

Attachments

  • adplusone gmer.log
    13.1 KB · Views: 134

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
No, MalwareBytes won't interfere with these tools.

And again, I do not see any sign of malware that could cause this. Go to Control Panel and remove software you do not need or do not know.

Remove Java and Adobe Reader and install the latest versions.

SpyBot S&D Warning

MVPS.org is no longer recommending SpyBot S&D due to very poor testing results (scroll down and read under Freeware Antispyware Products).
My advice is to get rid of this program. To do so:
  • Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for SpyBot, right-click the entry and click Uninstall.

This is optional, but please consider it.



Also, open MalwareBytes and export Protection logs from 3-4 days ago.
 

Adplusone

New Member
Thread author
Verified
Aug 13, 2014
48
Looking back this issue started about the time I downloaded Microsoft Silverlight. I uninstalled and while doing so got an error message (attached). Not sure if related but thought you should see it.

So I uninstalled Silverlight and the following programs:

Adobe Air
Adobe Flash
Adobe Reader X
Free RIP
I-Tunes
Java (7-25)
Java (7-25 32 bit)
Misc Dell Service Agreement
Total Recorder
TVScan

I ran a Java cleanup program, rebooted, reinstalled the latest version of Java 7 (ver 67).

Rebooted and am here.

Will next go back and resend requested protection logs
 

Attachments

  • ADPLUSONE Silverlight Uninstall Error Message.pdf
    98.1 KB · Views: 92

Adplusone

New Member
Thread author
Verified
Aug 13, 2014
48
Attached are the 16th and 17th...I was out of the office on the 18th and 19th, so I guess that is why there are no logs for those days?
 

Attachments

  • ADPLUSONE Protection Log 8-16-14.txt
    165.9 KB · Views: 147
  • ADPLUSONE Protection Log 8-17-14.txt
    224.5 KB · Views: 105

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Very nice, we're doing something :)


Do you know anything about this folder and file? I suspect they could be the problem:


C:\Users\Jeffrey Schmatz\AppData\LocalLow\MonitorMemory\MigrationCpu\browser.exe
 