
I did a scan and my svhost, I think, was detected, but then I ignored it and deleted the other known trojans. I restarted and found this one only (which I also ignored before).

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/25/17
Scan Time: 2:01 AM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.2016
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-H98G8QR\Moe Tee

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 154731
Time Elapsed: 9 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
Trojan.Agent.CK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\OInstall, No Action By User, [2142], [400550],1.0.2016

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)


Hello @moetee:

The Malwarebytes' developers/staffers/helpers must have good log data for a quality fault analysis to commence.

1) From the locked/pinned topics at the beginning of this sub-forum, please follow the steps within the topic "Having problems using Malwarebytes? Please follow these steps".

2) In the next reply to your topic, please only attach the three (3) separate files that are developed above: mb-check-results.zip, FRST.txt, and Addition.txt.

Thank you.


If svchost.exe was detected then it wasn't the real Microsoft Windows svchost.exe. We whitelist legitimate Microsoft Windows components so they cannot be detected, so it very well may have been an actual Trojan. As for this other detection, my best guess, based on the vendor name/classification used, is that it may be a crack of some sort (denoted by the .CK at the end of the vendor name string), which means it may or may not be malicious; you really can never tell with cracks. Some are free of malware while others are actually malicious and trick users into installing them to crack software while at the same time loading malware onto their systems and/or performing malicious actions in addition to their intended purpose, which is the primary reason that we frequently detect them (because they often do turn out to be Trojanized/malware).

Edited by exile360

That's fine. I saw you mentioned that you ignored it, so I figured you added it to exclusions as well. If not, then it should show up in your next scan. If it doesn't, then you should be able to track down the log from the scan where it was detected and post that for them to take a look at.


Ah, I see what's happening.  It isn't detecting svchost.exe, it's detecting your HOSTS file.  Apparently there are some entries in your HOSTS file which are blocking some of our servers which Malwarebytes contacts when updating.  It's possible that these entries were added by one of the other Trojans you removed as it's a common tactic for infections to try to block access to our update servers to prevent Malwarebytes from being able to download/update (since newer databases increase the likelihood that Malwarebytes would be able to detect and remove the infections).  It should be safe to have Malwarebytes fix the detection.


3 minutes ago, moetee said:

How do I view the svhost file? So we can see which servers are removed. Also, why didn't it scan the other detection file?

You should be able to view your HOSTS file using a text editor like Notepad. What other file are you referring to? Is it one of the other detections from one of your previous logs?


7 minutes ago, exile360 said:

You should be able to view your HOSTS file using a text editor like Notepad. What other file are you referring to? Is it one of the other detections from one of your previous logs?


Yeah the Registry Key: 1
Trojan.Agent.CK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\OInstall,


OK, I see the issue.  While your HOSTS file is mostly made up of legitimate entries put there by Spybot Search & Destroy (to block malware/ads/trackers etc.), the second entry from the top, 127.0.0.1    keystone.mwbsys.com is one of the servers that Malwarebytes contacts.  You can either have Malwarebytes fix it or you can do so manually with notepad (you'll have to save the file in a different folder more than likely because of permissions, then you'll have to move the edited file to the original location, replacing the original one).

As for the CMD flash, that's likely the result of that scheduled task that was detected by Malwarebytes previously. I'm not sure why it isn't being detected now, but I can help you check for it and remove it if you wish. Do the following and we'll take a look at your scheduled tasks:

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
      1. Right-click on Autoruns.exe and select Properties
      2. Click on the Compatibility tab
      3. Under Privilege Level check the box next to Run this program as an administrator
      4. Click on Apply then click OK
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked; if they are unchecked, check them:
      • Hide empty locations
      • Hide Windows entries
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:
      • Verify code signatures
      • Check VirusTotal.com
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again; this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save, save the file to your desktop, and close Autoruns.
  • Right-click on the file on your desktop that you just saved, hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply
Edited by exile360
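Added example, not from the thread and not Malwarebytes' own tooling: a PowerShell audit of the HOSTS file for the kind of sinkhole entry described above (127.0.0.1 keystone.mwbsys.com). The watch list contains only the server name mentioned in the thread; any other vendor hostnames you add are your own assumption. The demo runs against a constructed temporary file so it never touches the real HOSTS file; to repair the real one, run from an elevated prompt and point -Path at it. Rewriting the file in place keeps its existing ACL, which avoids the save-elsewhere-and-move step mentioned in the post.

```powershell
# Audit a HOSTS file for entries that null-route a security vendor's servers.
# WatchList default: the one hostname named in the thread. Everything else is
# an assumption you should replace with the names you actually care about.

function Find-SinkholedHosts {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string[]]$WatchList = @('keystone.mwbsys.com')
    )
    # Addresses commonly used (by malware and by ad-blockers alike) to black-hole a name.
    $sinkholes = @('127.0.0.1', '0.0.0.0', '::1', '0:0:0:0:0:0:0:1')
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path -Encoding Ascii) {
        $lineNo++
        $body = ($line -split '#', 2)[0].Trim()        # drop trailing comments
        if (-not $body) { continue }
        $fields = $body -split '\s+'
        if ($fields.Count -lt 2) { continue }           # malformed line, ignore
        $ip = $fields[0]
        # A single line may map one IP to several hostnames.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($sinkholes -contains $ip -and $WatchList -contains $name.ToLowerInvariant()) {
                [pscustomobject]@{ Line = $lineNo; Address = $ip; Host = $name; Text = $line }
            }
        }
    }
}

function Remove-SinkholedHosts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string[]]$WatchList = @('keystone.mwbsys.com')
    )
    $bad = @(Find-SinkholedHosts -Path $Path -WatchList $WatchList)
    if ($bad.Count -eq 0) { Write-Verbose "No sinkholed entries in $Path"; return }
    $badLines = $bad | ForEach-Object Line
    $backup = "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    if ($PSCmdlet.ShouldProcess($Path, "remove $($bad.Count) entries (backup: $backup)")) {
        Copy-Item -Path $Path -Destination $backup
        $kept = @(); $n = 0
        foreach ($line in Get-Content -Path $Path -Encoding Ascii) {
            $n++
            if ($badLines -notcontains $n) { $kept += $line }
        }
        # Rewrite in place: the file keeps its ACL, so no copy-and-replace is needed.
        Set-Content -Path $Path -Value $kept -Encoding Ascii
        ipconfig /flushdns | Out-Null                   # discard cached answers
    }
}

# Demo against a constructed file (not a real capture) so the script is safe to run as-is.
$sample = @"
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       keystone.mwbsys.com
0.0.0.0         ads.example-tracker.invalid   # blocklist-style entry, left alone
"@
$tmp = Join-Path $env:TEMP 'hosts-demo.txt'
Set-Content -Path $tmp -Value $sample -Encoding Ascii
Find-SinkholedHosts -Path $tmp | Format-Table Line, Address, Host
Remove-SinkholedHosts -Path $tmp -WhatIf                 # dry run; drop -WhatIf to apply
```

Only lines that map a watched name to a sinkhole address are removed; the blocklist entries Spybot adds for ad and tracker domains are left in place, which is the distinction the post draws.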

I don't see any odd scheduled tasks there, so that explains why Malwarebytes is no longer detecting that one, because it's gone.

As for the CMD flash onscreen, I'm not sure which item is causing it, but the next time it happens you can check Task Scheduler, look through the tasks there, and see which one last ran around the same time you recall seeing the CMD window. Instructions on opening Task Scheduler can be found here.
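Added example, not from the thread: the check the last two posts describe, done with PowerShell instead of Autoruns and Task Scheduler's GUI. It reads the TaskCache\Tree location where Malwarebytes flagged the OInstall key, compares it with what the Task Scheduler API reports (an entry present in the registry but not returned by the API, or without a matching blob under TaskCache\Tasks, is worth a look), and then lists tasks whose last run falls near a given time, flagging those whose action launches cmd.exe. The registry paths and cmdlets are real; the timestamp in the usage lines is an assumption. Run from an elevated session, since TaskCache is not readable by standard users and Get-ScheduledTask hides other users' tasks otherwise.

```powershell
# Cross-check the Task Scheduler registry cache against the scheduler API, and
# find the task that ran when a cmd.exe window flashed. Built-in cmdlets only.

$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-TaskCacheEntries {
    # Tree mirrors the task library; each task key has an Id GUID that should
    # resolve to a key under Tasks holding the task's definition blob.
    Get-ChildItem -Path "$TaskCache\Tree" -Recurse | ForEach-Object {
        $id = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Id
        if ($null -eq $id) { return }                    # folder node, not a task
        # "...\Tree\Microsoft\Windows\Foo" -> "\Microsoft\Windows\Foo"
        $rel = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)
        [pscustomobject]@{
            Path        = $rel
            Id          = $id
            HasTaskBlob = Test-Path -Path (Join-Path "$TaskCache\Tasks" $id)
        }
    }
}

function Find-OrphanedTaskCache {
    # Tasks the API knows about, keyed as "\Folder\Name" to match the registry layout.
    $api = @{}
    foreach ($t in Get-ScheduledTask) { $api[$t.TaskPath + $t.TaskName] = $t }
    foreach ($e in Get-TaskCacheEntries) {
        $visible = $api.ContainsKey($e.Path)
        if (-not $visible -or -not $e.HasTaskBlob) {
            [pscustomobject]@{
                Path         = $e.Path
                Id           = $e.Id
                VisibleToApi = $visible
                HasTaskBlob  = $e.HasTaskBlob
            }
        }
    }
}

function Find-TasksRunNear {
    param(
        [Parameter(Mandatory)][datetime]$When,
        [int]$WindowMinutes = 5
    )
    $from = $When.AddMinutes(-$WindowMinutes)
    $to   = $When.AddMinutes($WindowMinutes)
    foreach ($t in Get-ScheduledTask) {
        $info = $t | Get-ScheduledTaskInfo
        if ($info.LastRunTime -lt $from -or $info.LastRunTime -gt $to) { continue }
        foreach ($a in $t.Actions) {                     # Exec actions carry Execute/Arguments
            [pscustomobject]@{
                Task        = $t.TaskPath + $t.TaskName
                LastRunTime = $info.LastRunTime
                Hidden      = $t.Settings.Hidden
                Execute     = $a.Execute
                Arguments   = $a.Arguments
                RunsCmd     = [bool]($a.Execute -match '(?i)(^|\\)cmd(\.exe)?$')
            }
        }
    }
}

# Usage (the time below is an assumption; substitute when you saw the window):
Find-OrphanedTaskCache | Format-Table -AutoSize
Find-TasksRunNear -When (Get-Date).AddMinutes(-10) | Where-Object RunsCmd | Format-List
```

An entry that shows up in Find-OrphanedTaskCache with VisibleToApi false is exactly the case in the thread: a key left under Tree after the task itself was removed, which is also why a later scan can come back clean. Registry-only leftovers can be deleted with Remove-Item on the Tree key once you have confirmed nothing references them.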

