
Suspected Infection, Multiple Svchost.exe and iexplorers


  • This topic is locked
64 replies to this topic

#16 BuckEyeJog
  • Topic Starter
  • Members
  • 54 posts

Posted 19 July 2016 - 01:15 AM

That must have been when editing the last reply.

aswMBR:

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2016-07-18 01:15:01
-----------------------------
01:15:01.244 OS Version: Windows x64 6.1.7601 Service Pack 1
01:15:01.244 Number of processors: 4 586 0x2505
01:15:01.244 ComputerName: BLUEBEAST UserName:
01:15:04.535 Initialize success
01:15:04.551 VM: initialized successfully
01:15:04.551 VM: Intel CPU supported virtualized
01:15:12.208 VM: supported disk I/O iaStor.sys
01:15:14.127 AVAST engine defs: 16071700
01:15:22.254 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:15:22.254 Disk 0 Vendor: ST950042 D005 Size: 476940MB BusType: 3
01:15:22.379 VM: Disk 0 MBR read successfully
01:15:22.379 Disk 0 MBR scan
01:15:22.395 Disk 0 Windows VISTA default MBR code
01:15:22.410 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
01:15:22.426 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 80325
01:15:22.426 Disk 0 Boot: NTFS code=1
01:15:22.457 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461899 MB offset 30800325
01:15:22.488 Disk 0 scanning C:\Windows\system32\drivers
01:15:35.733 Service scanning
01:15:58.399 Modules scanning
01:15:58.399 Disk 0 trace - called modules:
01:15:58.415 ntoskrnl.exe CLASSPNP.SYS disk.sys stdflt.sys iaStor.sys hal.dll
01:15:58.415 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80051aa060]
01:15:58.415 3 CLASSPNP.SYS[fffff88001b9c43f] -> nt!IofCallDriver -> [0xfffffa800508fa90]
01:15:58.415 5 stdflt.sys[fffff88001ae7a4a] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004f1c050]
01:15:59.398 AVAST engine scan C:\Windows
01:16:02.331 AVAST engine scan C:\Windows\system32
01:19:17.331 AVAST engine scan C:\Windows\system32\drivers
01:19:34.225 AVAST engine scan C:\Users\Bendlebender
01:56:01.668 File: C:\Users\Bendlebender\Downloads\zoek.exe **INFECTED** Win32:Malware-gen
01:58:14.582 AVAST engine scan C:\ProgramData
02:22:38.453 Disk 0 statistics 6166223/0/22 @ 0.86 MB/s
02:22:38.781 Scan finished successfully
02:23:41.181 Disk 0 MBR has been saved successfully to "C:\Users\Bendlebender\Documents\MBR.dat"
02:23:41.181 The log file has been saved successfully to "C:\Users\Bendlebender\Documents\aswMBR.txt"

And Zip File. Attached File: MBR.zip (568 bytes)
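As an added example (not part of this post, and not code from aswMBR or AVAST), a small Python parser for the aswMBR log format shown above: it pulls out the MBR code description, the partition table and any **INFECTED** hits, then produces triage notes, labelling known cleanup utilities such as zoek.exe as probable false positives to be verified rather than acted on. The field layout, the KNOWN_TOOLS set and the "default MBR code" heuristic are assumptions inferred from this log.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the aswMBR log lines from the post above.
SAMPLE_LOG = """\
01:15:22.395 Disk 0 Windows VISTA default MBR code
01:15:22.410 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
01:15:22.426 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 80325
01:15:22.457 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461899 MB offset 30800325
01:56:01.668 File: C:\\Users\\Bendlebender\\Downloads\\zoek.exe **INFECTED** Win32:Malware-gen
02:22:38.781 Scan finished successfully
"""
# Field layout inferred from the log (assumption):
#   <time> Disk <n> Partition <i> <boot flag> [(A)] <type id> <label> <size> MB offset <offset>
PART_RE = re.compile(r"^\S+ Disk (\d+) Partition (\d+) ([0-9A-F]{2}) (?:\(A\) )?"
                     r"([0-9A-F]{2}) (.+?) (\d+) MB offset (\d+)$")
FILE_RE = re.compile(r"^\S+ File: (.+?) \*\*INFECTED\*\* (\S+)$")
MBR_RE = re.compile(r"^\S+ Disk (\d+) (.*MBR code)$")
# Assumption: cleanup utilities that heuristic AV signatures often flag; a hit is only
# labelled for manual verification, never suppressed.
KNOWN_TOOLS = {"zoek.exe"}
# active = boot flag 0x80; type_id = partition type byte (07 = NTFS); offset as printed
Partition = namedtuple("Partition", "disk index active type_id label size_mb offset")

def parse_aswmbr(text):
    """Return (MBR code per disk, partitions, infected hits) from an aswMBR log."""
    mbr, parts, hits = {}, [], []
    for line in text.splitlines():
        if m := MBR_RE.match(line):
            mbr[int(m[1])] = m[2]
        elif m := PART_RE.match(line):
            parts.append(Partition(int(m[1]), int(m[2]), m[3] == "80",
                                   m[4], m[5], int(m[6]), int(m[7])))
        elif m := FILE_RE.match(line):
            hits.append((m[1], m[2]))
    return mbr, parts, hits

def triage(mbr, parts, hits):
    """Notes a responder should act on: unknown MBR code, odd active-partition count, hits."""
    notes = []
    for disk, desc in mbr.items():
        if "default MBR code" not in desc:  # heuristic: aswMBR calls known boot code "default"
            notes.append(f"disk {disk}: unrecognised MBR code ({desc}), inspect the saved MBR.dat")
    if sum(p.active for p in parts) != 1:
        notes.append("unexpected number of active partitions")
    for path, sig in hits:
        name = path.rsplit("\\", 1)[-1].lower()
        tag = "probable false positive, verify with publisher" if name in KNOWN_TOOLS else "investigate"
        notes.append(f"{path}: {sig} ({tag})")
    return notes
```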

 

 




#17 nasdaq
  • Malware Response Team
  • 40,759 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 July 2016 - 08:37 AM


This is a false positive.
C:\Users\Bendlebender\Downloads\zoek.exe **INFECTED** Win32:Malware-gen

We no longer need this tool. You can delete it and all its folders and files.
===

Try this.

To perform a clean boot in Windows Vista, W7, W8:
http://support.microsoft.com/kb/929135

Read and follow the instructions on the page before proceeding.

Did you find any conflicting issues?

#18 BuckEyeJog
  • Topic Starter
  • Members
  • 54 posts

Posted 20 July 2016 - 01:49 AM

In the Clean Boot Environment, no message conflicts appeared, and the computer ran smoother with much less physical memory used. Internet Explorer wasn't as much of a resource hog either, though there were still multiple Svchost.exe. Rebooting brought back the same problem and symptoms, however.



#19 nasdaq
  • Malware Response Team
  • 40,759 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 July 2016 - 08:27 AM



How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector (PSI)
Follow the instructions on this page.

http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/

Update all that is identified.

#20 BuckEyeJog
  • Topic Starter
  • Members
  • 54 posts

Posted 21 July 2016 - 02:05 AM

On installing Windows Update, the computer got stuck searching for updates. Couldn't get around to finishing with Secunia. Now more physical memory is being used, with more processes.



#21 nasdaq
  • Malware Response Team
  • 40,759 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 July 2016 - 07:26 AM


Close all Windows and processes.

Restart the computer normally.

Then go to this Microsoft page.

How do I reset Windows Update components?
https://support.microsoft.com/en-ca/kb/971058

Run the fix for Windows 7.

===

Can you now complete the Windows updates?

#22 BuckEyeJog
  • Topic Starter
  • Members
  • 54 posts

Posted 22 July 2016 - 02:53 AM

Working on it. Will give the results next reply.



#23 BuckEyeJog
  • Topic Starter
  • Members
  • 54 posts

Posted 24 July 2016 - 01:33 AM

Not sure about the instructions on how much of the Windows Registry to back up. Just specifically the Windows Update Fix-related keys? Is there a way to safely and efficiently back up the Registry through Cobian or something else? It would be better to know before poking around under the hood of the registry.



#24 nasdaq
  • Malware Response Team
  • 40,759 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 July 2016 - 07:39 AM

No, you cannot back up the registry.

The System restore is there for that.

#25 BuckEyeJog
  • Topic Starter
  • Members
  • 54 posts

Posted 25 July 2016 - 01:16 AM

Whew, that is a relief. Saved some time. Followed the instructions and reset the Windows Update components. When re-registering the files, not every directory of some .dlls could be found, and some could not be loaded. While Windows Update did install, as before, Windows updates couldn't be completed through Secunia.



#26 nasdaq
  • Malware Response Team
  • 40,759 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 July 2016 - 07:33 AM

If this is the message you get then follow the instructions on the page.

http://www.thewindowsclub.com/we-couldnt-complete-the-updates-undoing-changes

#27 BuckEyeJog
  • Topic Starter
  • Members
  • 54 posts

Posted 26 July 2016 - 02:15 AM

That message does not come up. But Secunia doesn't recognize Windows Update has installed, and then Windows Update stays checking for updates.



#28 nasdaq
  • Malware Response Team
  • 40,759 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 July 2016 - 07:19 AM


Did you try the suggested fix on this page?
http://www.thewindowsclub.com/we-couldnt-complete-the-updates-undoing-changes

Is the problem persisting?

#29 BuckEyeJog
  • Topic Starter
  • Members
  • 54 posts

Posted 27 July 2016 - 01:44 AM

Thankfully, the computer does not get into an endless boot loop. The fix before the above has been applied. However, when using Secunia, Secunia prompts to open up Internet Explorer and install Windows Update through the Start menu. From there, in the Control Panel where Windows Update is located, Windows Update becomes stuck on checking for updates. The same problems with slowness and gobbling physical memory are still there. Is the fix you are talking about Fix Windows Update through remooptimizer?



#30 nasdaq
  • Malware Response Team
  • 40,759 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 July 2016 - 08:35 AM

Run the Fix for Windows 7 on this page:
https://support.microsoft.com/en-gb/kb/2714434

Restart the computer normally.

How is it now?
