svchost.exe in various /temp folders. Malware?


10 replies to this topic

#1 GiakMind

Posted 07 May 2015 - 06:45 AM

Every time I reboot my PC, Avira antivirus finds this "svchost.exe" as a virus in some folders. According to Avira's quarantine, the folders are:

 

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LB99BW13\svchost[4].exe

 

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XV32ESI\svchost[1].exe

 

C:\Windows\temp\svchost.exe

 

Every boot 1 or 2 of these are found; every time Avira fixes them, and every boot the messages come back again, as a sort of loop. This started 2 days ago. My system seems OK (not slowed down or anything) but I'm pretty concerned. I tried using ComboFix but it didn't resolve this problem. Could anyone help me? :)

 

Sorry for any language imperfection, it's not my native one :)



Edited by GiakMind, 07 May 2015 - 01:49 PM.



 


#2 shelf life

Posted 10 May 2015 - 12:20 PM

hi,

 

I am shelf life and will try to help you. I am only online once or twice per day during the week, more on the weekends. Don't expect a flurry of quick replies from me.

 

We will get two downloads to use. The first is AdwCleaner and the second is Malwarebytes, which you can keep and use as an antimalware app.

 

Please download AdwCleaner and save it to your desktop.
 
    Right-click on adwcleaner.exe and select Run as Administrator to launch the application.
    Now click on the Scan tab >> once the scan is complete click on the Clean tab and follow the prompts.
    Allow the system to reboot. You will then be presented with the report at restart. Copy & Paste this report on your next reply.
 
    http://www.bleepingcomputer.com/download/adwcleaner/
 
    Note: The log can also be located in your root drive, C:\AdwCleaner\AdwCleaner[S0].txt

 

Malwarebytes: These directions are kind of old but should work:

Please download Malwarebytes Anti-Malware 2.0.3.1025 Final to your desktop.
 
http://data-cdn.mbamupdates.com/v2/mbam/consumer/data/mbam-setup-2.0.3.1025.exe
 
 
    Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
    At the end, be sure a checkmark is placed next to the following:
        Launch Malwarebytes Anti-Malware
        A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    Click Finish.
    On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
    Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
    A Threat Scan will begin.
    With some infections, you may see this message box.
        'Could not load DDA driver'
    Click 'Yes' to this message, to allow the driver to load after a restart.
    Allow the computer to restart. Continue with the rest of these instructions.
    When the scan is complete, click Apply Actions.
    Wait for the prompt to restart the computer to appear, then click on Yes.
    After the restart once you are back at your desktop, open MBAM once more.
    Click on the History tab > Application Logs.
    Double click on the scan log which shows the Date and time of the scan just performed.
    Click 'Copy to Clipboard'
    Paste the contents of the clipboard into your reply.

 

Let's see what those look like and we will go from there.

 


How Can I Reduce My Risk to Malware?


#3 GiakMind

Posted 10 May 2015 - 02:59 PM

I did everything but I still have that Avira alert about the svchost.exe files. I attach the results of both scans.

 

The AdwCleaner log is in the attached files.

 

Malwarebytes didn't ask me to reboot after its scan and action. The only thing I have in the History application log is this, named "protection log"; I paste it while I'm performing a second scan. I will edit my message if there is something different :)

www.malwarebytes.org
 
 
Update, 10/05/2015 21:28:48, SYSTEM, GIANLUCA-PC, Manual, Remediation Database, 2013.10.16.1, 2015.5.9.1, 
Update, 10/05/2015 21:28:48, SYSTEM, GIANLUCA-PC, Manual, Rootkit Database, 2014.9.18.1, 2015.4.21.1, 
Update, 10/05/2015 21:30:04, SYSTEM, GIANLUCA-PC, Manual, Malware Database, 2014.9.19.5, 2015.5.10.5, 
Update, 10/05/2015 21:30:40, SYSTEM, GIANLUCA-PC, Manual, program, 2.0.3.1025, 2.0.4.1028, 
Update, 10/05/2015 21:31:04, SYSTEM, GIANLUCA-PC, Manual, program, 2.0.3.1025, 2.0.4.1028, 
Update, 10/05/2015 21:31:27, SYSTEM, GIANLUCA-PC, Manual, Remediation Database, 2013.10.16.1, 2015.5.9.1, 
Update, 10/05/2015 21:31:28, SYSTEM, GIANLUCA-PC, Manual, Rootkit Database, 2014.11.18.1, 2015.4.21.1, 
Update, 10/05/2015 21:32:14, SYSTEM, GIANLUCA-PC, Manual, Malware Database, 2014.11.20.6, 2015.5.10.5, 
 
EDIT: second scan found svchost.exe as malware, but again it appeared at the reboot :(
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 10/05/2015
Scan Time: 21:57:29
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.05.10.05
Rootkit Database: v2015.04.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Gianluca
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 377259
Time Elapsed: 15 min, 19 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
Trojan.BitcoinMiner, C:\Windows\temp\svchost.exe, Quarantined, [0733d19e90fadf57ecbe74039570f50b], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)



Edited by GiakMind, 10 May 2015 - 03:46 PM.


#4 shelf life

Posted 10 May 2015 - 06:49 PM

Ok. We will use FRST to remove some items:

 

Open notepad.

 

Please copy the contents of the code box below into notepad:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1973368479-3414220156-1287075655-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Task: {2FB549F2-BB12-4B5E-9843-71FD683C3927} - System32\Tasks\Origin => C:\ProgramData\Origin\update.vbe [2015-05-06] () <==== ATTENTION
C:\ProgramData\Origin\update.vbe
EmptyTemp:

Save it as fixlist.txt in the same location that you have FRST.exe

Run FRST.exe like you did before, except this time press the Fix button just once and wait.
The tool will make a log on the desktop (Fixlog.txt); please post it in your reply.

 

Update and rerun your antivirus




#5 GiakMind

Posted 11 May 2015 - 11:34 AM

Done, and no more svchost.exe alerts!! :)

 

Thanks a lot! Is there anything else to do?



Edited by GiakMind, 11 May 2015 - 11:35 AM.


#6 shelf life

Posted 11 May 2015 - 05:05 PM

OK. Great. You can delete the FRST icon and its associated folder in your C: drive. If you open up AdwCleaner I think there is an uninstall button. If not, post back. Keep Malwarebytes and note the free version must be updated manually and a scan started manually. It doesn't run in the background.

 

Other than that I think we can end it. Happy Safe Surfing




#7 GiakMind

Posted 11 May 2015 - 05:20 PM

Perfect! Thanks, I really appreciate your work here in this forum! And also, you were really helpful and kind :)

 

Just to know: was "svchost" really malware? Or maybe something like a false positive?



#8 shelf life

Posted 11 May 2015 - 05:46 PM

OK. You're welcome, and thanks.

 

No, it was malware. A svchost process should never be running out of a temp directory. Your AV could remove it, but it was back at reboot. This Visual Basic script was the source of it showing back up at reboot:

update.vbe

 

If you follow my link below I have an example of a svchost process that's a keylogger.


Edited by shelf life, 11 May 2015 - 05:54 PM.

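The two indicators shelf life points to in this thread, a svchost-named image running outside the Windows system directories and a scheduled task that launches a script from ProgramData, written up as a small triage script. This is an added example, not code from the thread or from FRST, Malwarebytes or AdwCleaner; the drop-folder list, script-extension list and the C: system drive are my assumptions, and the sample process and task lists are constructed around the paths posted above.

```python
# Added example (not from the thread or its tools): flag svchost-named images
# outside System32/SysWOW64 and scheduled tasks running scripts from drop folders.
# Assumptions: system drive is C:, drop folders and script extensions are mine.
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1"}
DROP_DIRS = (r"c:\programdata", r"c:\windows\temp", r"\appdata\local\temp",
             r"\temporary internet files")
# Matches svchost.exe and browser-cache copies such as svchost[4].exe.
SVCHOST_NAME = re.compile(r"svchost(\[\d+\])?\.exe")


def suspicious_svchost(processes):
    """processes: iterable of (name, image_path).
    Returns image paths of svchost-named processes whose parent directory is
    not System32 or SysWOW64; a legitimate svchost.exe never runs from temp."""
    hits = []
    for name, image in processes:
        if not SVCHOST_NAME.fullmatch(name.lower()):
            continue
        parent = str(PureWindowsPath(image).parent).lower()
        if parent not in SYSTEM_DIRS:
            hits.append(image)
    return hits


def suspicious_tasks(tasks):
    """tasks: iterable of (task_name, action_path).
    Returns tasks whose action is a script file in a user-writable drop folder,
    the persistence pattern that re-created svchost.exe at every boot here."""
    hits = []
    for task, action in tasks:
        low = action.lower()
        if PureWindowsPath(low).suffix in SCRIPT_EXTS and any(d in low for d in DROP_DIRS):
            hits.append((task, action))
    return hits


# Constructed sample data; the flagged entries are the paths posted in the thread.
PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Windows\temp\svchost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]
TASKS = [
    ("Origin", r"C:\ProgramData\Origin\update.vbe"),
    ("ExampleVendorUpdate", r"C:\Program Files\ExampleVendor\update.exe"),
]
```

On a live system the process list can be fed from `Get-CimInstance Win32_Process | Select-Object Name, ExecutablePath` and the task list from `schtasks /query /fo CSV /v` (its "Task To Run" column); both functions return plain lists, so an empty result means nothing matched.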


#9 GiakMind

Posted 12 May 2015 - 02:25 AM

Oh I see. Well, luckily you were here to help me :)

 

Thanks again! Ciao!



#10 shelf life

Posted 12 May 2015 - 04:35 PM

OK, you're welcome. Happy Safe Surfing "out there"

 

Ciao




#11 shelf life

Posted 28 June 2015 - 05:54 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





