
Malwarebytes constantly blocks svchost.exe


5 replies to this topic

#1 mmayo01


Posted 03 June 2013 - 08:10 AM

I have Malwarebytes Pro running in the background, as well as Microsoft Security Essentials.

 

I believe I have an infection for 2 reasons.

 

1 - Malwarebytes balloon popup tells me svchost.exe is trying to access a malicious IP and it was blocked.

 

The IP address is: 95.211.194.79

 

 

2. At the following location:

 

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

 

That Content.IE5 folder is constantly filling up with junk files of between 1kb-14kb apiece. Millions of files. Over the last few days it has accrued up to 13 GB of data on my SSD. I keep manually deleting the folder, but every few days it fills back up again, so I know there is an underlying problem.

 

PLEASE HELP! This is my main Desktop in the household and I'm sick of getting Xfinity Constant Guard notifications on every device in my network when I cannot disable that notification!

 




 


#2 midnite630


Posted 03 June 2013 - 11:36 PM

I have the exact same issue here. Norton 360, Malwarebytes and Microsoft Malicious Software Removal Tool from May 2013 all report the system is clean after running full scans.



#3 mmayo01


Posted 04 June 2013 - 04:33 PM

nothing?



#4 sephira775


Posted 09 June 2013 - 03:59 PM

I am having the exact same issue to the exact same IP Address.



#5 mmayo01


Posted 18 June 2013 - 12:59 PM

I've been able to stop the folder from gaining data, but I'm not sure if I have completely fixed the issue. I also don't see the Malwarebytes popup anymore.

 

Here's what I did.

 

Open Task Manager

View Processes

At the bottom, click "Show processes from all users"

Find svchost.exe *32

Right click and click Open File Location

If this folder is the SysWOW64 folder, then this is the culprit.

 

All I did was rename the svchost to svchost.bak

 

I did have to mess around with permissions because it told me I needed to get permission from "TrustedInstaller"

 

If this happens, just right click the file

Go to Properties

Click Security Tab

Click Advanced at Bottom

Now click Owner tab

Change owner to you

Click ok out of menus

Right click svchost again

Go to Properties

Click Security tab

Now click Edit

You should be able to give yourself full control of this file now, then you will be able to rename the svchost to svchost.bak

 

 

Hope this helps!

 

 

 

This way if it causes other issues on my computer I could rename it back. The process hasn't restarted and I can still access the internet and the Content.IE5 folder is no longer growing.
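
A read-only way to gather what the Task Manager steps in the post above look for (which svchost.exe instances are running, from which folder, started by which parent, hosting which services), as an added example that is not part of the original post. It assumes PowerShell 3.0 or later in an elevated session; the variable names and flag wording are this example's own.

```powershell
# Added example: read-only inventory of running svchost.exe instances.
# Assumes PowerShell 3.0+ in an elevated session; nothing is renamed or stopped.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # 32-bit copy on 64-bit Windows
)

# Process ID -> names of the services hosted in that process.
$servicesByPid = @{}
foreach ($s in Get-CimInstance Win32_Service) {
    if ($s.ProcessId) { $servicesByPid[[int]$s.ProcessId] += @($s.Name) }
}

# Process ID -> process name, used to resolve each parent.
$processes = Get-CimInstance Win32_Process
$nameByPid = @{}
foreach ($p in $processes) { $nameByPid[[int]$p.ProcessId] = $p.Name }

$svchosts = $processes | Where-Object { $_.Name -eq 'svchost.exe' }
$report = foreach ($p in $svchosts) {
    $parent = $nameByPid[[int]$p.ParentProcessId]
    $hosted = $servicesByPid[[int]$p.ProcessId]
    $flags  = @()

    if (-not $p.ExecutablePath) {
        $flags += 'path unavailable (session not elevated?)'
    } elseif ($expected -notcontains $p.ExecutablePath) {
        $flags += 'runs from an unexpected folder'
    }
    if ($parent -ne 'services.exe') { $flags += "parent is '$parent', not services.exe" }
    if (-not $hosted)               { $flags += 'hosts no registered service' }
    if ($p.CommandLine -and $p.CommandLine -notmatch '\s-k\s') {
        $flags += 'command line has no -k service group'
    }

    [pscustomobject]@{
        Id       = $p.ProcessId
        Path     = $p.ExecutablePath
        Parent   = $parent
        Services = $hosted -join ', '
        Flags    = $flags -join '; '
    }
}

# Flagged instances first; a flag is a prompt for closer inspection, not a verdict.
$report | Sort-Object { -not $_.Flags } | Format-List
```

An instance running from SysWOW64 is not flagged on path alone, since that folder holds the 32-bit copy of svchost.exe on 64-bit Windows; the parent, hosted-service and command-line columns are what separate one instance from another.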



#6 nickpeq


Posted 25 June 2013 - 09:35 PM

I'm working on a computer for someone who clearly has some sort of virus.

I installed Malwarebytes, and it is blocking traffic through svchost to the same IP address.

I need some expert help on what is going on there.

 

However, do NOT ever do what mmayo01 is suggesting.





