Beluga666 Posted May 10, 2021 ID:1456007
Every so often, Malwarebytes flags an outbound connection towards a suspicious website. When I look closer, the file is the scvhost.exe in the System32 folder. I checked and this is the real scvhost.exe. Malwarebytes has not flagged any malware.

Beluga666 Posted May 10, 2021 Author ID:1456008
Sorry if there's confusion, the file is named svchost.exe

Maurice Naggar Posted May 10, 2021 ID:1456057 (edited)
Hi. My name is Maurice. I will guide you.
Please do all steps on this top pinned topic: https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/
Edited May 16, 2021 by Maurice Naggar

Beluga666 Posted May 11, 2021 Author ID:1456178
Hi, I did this. I will attach the additions.txt and the other text files here. Malwarebytes is currently scanning. I'll post the log of that too when it's finished.
Addition.txt FRST.txt

Beluga666 Posted May 11, 2021 Author ID:1456179
Here's the Malwarebytes log
malwarebytes_log.txt

Maurice Naggar Posted May 11, 2021 ID:1456234 (edited)
Hi.
The Malwarebytes for Windows found 3 items & flagged them, however the log remarked "NO Action by user". You gotta, on this next run, TICK all lines for removal.
In Malwarebytes for Windows program, we want to do a special scan.
Click Settings (gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON 👈
Click it to get it ON if it does not show a blue color.
Next, click the small x on the Settings line to go to the main Malwarebytes Window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
You can actually click (tick) the topmost left check-box on the very top line to get ALL lines ticked (all selected). 👈 🔻
Then click on Quarantine selected.
Then, locate the Scan run report; export out a copy; & then attach in with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
We will do more, later.
Edited May 11, 2021 by Maurice Naggar: Add screen examples for Malwarebytes

Beluga666 Posted May 11, 2021 Author ID:1456260
The scan did not find anything. Here's the log. I also attached the message I'm getting every so often.
malwarebytes_log(2).txt error.txt

Maurice Naggar Posted May 11, 2021 ID:1456267
The real-time web protection is keeping your system safe from
Domain: fbk.xiaomishop.me
IP Address: 104.18.9.171
The result of scan by Malwarebytes for Windows is excellent.
Before we do other things, and since the PC has McAfee Virusscan, please use that app to do a Scan. After completion, let me know the result. Thanks.

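Added example, not part of the original thread and not a Malwarebytes tool: one way to see which process, and which Windows service hosted inside it, owns a connection to the blocked address quoted in the post above, and whether that process is the signed svchost.exe in System32. It assumes an elevated PowerShell session on Windows 10; the helper name Get-ConnectionOwner and the 2-second polling interval are illustrative choices.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# $RemoteIp is the address quoted in the post above; adjust if yours differs.
$RemoteIp = '104.18.9.171'
$Expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-ConnectionOwner {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$RemoteAddress)
    $conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        # Sockets in TimeWait report owning PID 0; skip them, otherwise the
        # service query below would match every stopped service (PID 0 too).
        if ($c.OwningProcess -eq 0) { continue }
        $owner = $c.OwningProcess
        $proc  = Get-CimInstance Win32_Process -Filter "ProcessId=$owner"
        if (-not $proc) { continue }   # process exited between the two calls
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)"
        # Services running inside this process instance (empty if it hosts none).
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId=$owner"
        $sig  = $null
        if ($proc.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath
        }
        [pscustomobject]@{
            RemotePort     = $c.RemotePort
            State          = $c.State
            ProcessId      = $owner
            Image          = $proc.ExecutablePath
            IsExpectedPath = ($proc.ExecutablePath -eq $Expected)   # case-insensitive
            Signature      = $sig.Status
            Signer         = $sig.SignerCertificate.Subject
            ParentName     = $parent.Name
            CommandLine    = $proc.CommandLine
            Services       = ($svcs.Name -join ', ')
        }
    }
}

# The alert shows up only "every so often", so poll until the connection
# is visible (Ctrl+C to stop).
while ($true) {
    $hits = @(Get-ConnectionOwner -RemoteAddress $RemoteIp)
    if ($hits.Count -gt 0) { $hits | Format-List; break }
    Start-Sleep -Seconds 2
}
```

A service-hosting svchost.exe is normally started by services.exe, so a different parent name, an image path outside System32, or a signature status other than Valid deserves a closer look. The Services column narrows a generic "svchost.exe" alert down to the specific service group making the connection.
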
Beluga666 Posted May 12, 2021 Author ID:1456457
Hi, I did a full scan and McAfee found 1 virus in the System32 folder. By the time of posting this, I have not gotten a notification of a riskware website, but we'll see if it's fixed.

Beluga666 Posted May 12, 2021 Author ID:1456468
I still got the message of the malware trying to send data to an unknown website.

Maurice Naggar Posted May 12, 2021 ID:1456478
Thanks. When you get a chance, look at McAfee scan log & let me know the filename of the item found & removed.

Let me suggest you do one scan with Adwcleaner to check for adwares.
First download & save it: https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner
Then do a scan with Adwcleaner: https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean
Attach the clean log.

Beluga666 Posted May 12, 2021 Author ID:1456506
Here is the clean log, and the scan log. I can't find the McAfee logs.
AdwCleaner[C00].txt AdwCleaner[S00].txt

Maurice Naggar Posted May 12, 2021 ID:1456513
Thanks.
The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to-run-the-tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Look on the Scan Options & select "FULL scan". Have lots of patience. The run may take several hours.
Let me know the result of this. The log is named MSERT.log. The log will be at C:\Windows\debug\msert.log
Please attach that log with your reply.

Beluga666 Posted May 13, 2021 Author ID:1456736
It took about 5 hours. Unfortunately, my Malwarebytes trial ended, so nothing is blocking the data being sent. I disconnected my computer from the internet, so I can't send the file right now. However, the scan found 6 files. One of them was removed, that being a file called Win32/DefenderTamperingRestore. The return code is 6.

Maurice Naggar Posted May 13, 2021 ID:1456748 (edited)
You will be needing to connect to the internet, at least so that you can download tools I guide you to & for you to make replies here.

It would be useful to get from you the MSERT.log file so I can review. Do know that Win32/DefenderTamperingRestore is not a big thing. It refers to Defender's antispyware having been off. Anyhow, this MSERT has fixed that & that feature is ON now.

We have already run the Malwarebytes with the rootkit option, plus Adwcleaner, plus the MS SAFETY Scanner. Plus you had scanned with your MCAFEE antivirus.

I would suggest a free scan with the ESET Online Scanner.
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
Click the blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
Press Continue when all done.
You should click to off the offer for “periodic scanning”.
Edited May 13, 2021 by Maurice Naggar

Maurice Naggar Posted May 13, 2021 ID:1456787
When you get to a stopping point, after doing the last ESET scan, I have a Custom cleanup script, which will be used thru the FRST64. It is intended to run the Windows System File Checker & the Windows DISM to check Windows, plus to remove a .tmp file.
66VU01574V.tmp
The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe / you have yours saved on Desktop.
The custom script on this post is ONLY for this machine and NO other. This custom script is for Beluga666 only / for this machine only.
Please be sure to Close any open work files, documents, any apps you started yourself before starting this.
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
The system will be rebooted after the script has run.
Please save the (attached file named) FIXLIST.txt to the Desktop folder.
Start the Windows Explorer and then go to the Desktop.
RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run the tool.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click line More info information on that screen and click button Run anyway on next screen.
On the FRST window: Click the Fix button just once, and wait.
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
Please know this will do a Windows Restart. Just let it do its thing.
Do let me know how things are overall, after all this.
Fixlist.txt

Beluga666 Posted May 14, 2021 Author ID:1456910
Here are the logs
msert.log log.txt Fixlog.txt

Maurice Naggar Posted May 14, 2021 ID:1456915
Thank you for the reports. The MS SAFETY Scanner did not find any infection.
The ESET found & removed 1 file, which seems to have been some sort of game.
prun.exe: a variant of Generik.NLMIMJW trojan; cleaned by deleting.

The result of the custom script run is very encouraging. The Windows System File Checker result is all very good.

One new scan with Malwarebytes for Windows, please. Do the same Scan as listed before at https://forums.malwarebytes.com/topic/274060-suspicious-malware-in-scvhostexe/?do=findComment&comment=1456234
Attach the scan report after that. Also, let me know if you need more assistance.

Beluga666 Posted May 14, 2021 Author ID:1456922
Hi, I did a Malwarebytes scan, and it found 4 detections in my Minecraft folder. When I quarantined, it needed a restart, but when I did, it crashed my computer. So, I decided to restore them. They were .dll, if that helps.

Maurice Naggar Posted May 14, 2021 ID:1456943
Uhhm, sorry to learn of any 'abort or crash issue'. Let's get fresh readouts so I can review.
Please download MBST Support tool: https://downloads.malwarebytes.com/file/mbst
Go to the Downloads folder.
With your mouse pointer, do a Right-click on the mb-support.1.8.4.xxx.exe file & choose "Run as Administrator" & reply Yes & allow it to proceed.
Once you start it click Advanced > Gather Logs
Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

Beluga666 Posted May 15, 2021 Author ID:1457053
Here's the file
mbst-grab-results.zip

Maurice Naggar Posted May 15, 2021 ID:1457095
Hello. Thank you for the ZIP report. I am going thru it. More yet to digest. But a couple of things stand out.
The file Lwjg132.dll is certainly not a part of Windows. It does not belong to Windows operating system.
I also notice that Malwarebytes is out of date on the latest Component. So you need to do a Check for Updates in Malwarebytes app.
Use the guide here: https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows
Next, do a Windows RESTART.
Next be sure you do not open any games or such.
Next, do one new Scan with Malwarebytes. If it tags anything, TICK the line item so that it is Quarantined.
When all done, copy the Scan report & attach with Reply.

Maurice Naggar Posted May 16, 2021 ID:1457255
Hi. For after you are all caught up, please do this too.
First, let's make sure Windows is set to SHOW all files & folders. Use option One or Two on this guide article: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
Then I need a new, very current report from FRSTENGLISH tool.
Using File Explorer, go to Downloads folder.
Right-click on FRSTENGLISH.exe and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.
Windows 10 users will be prompted about Windows SmartScreen protection - click line More info information on that screen and click button Run anyway on next screen.
Click YES when prompted by Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.
Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.
Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.
Make sure that Addition options is checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.
The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.
Please attach these 2 files to your next reply. Thank you.

Beluga666 Posted May 16, 2021 Author ID:1457276
Hi, the scan did not find anything.
new_log.txt

Maurice Naggar Posted May 17, 2021 ID:1457281
Hi. Thanks for the Malwarebytes scan report. You have the latest version of it. The scan result is all perfect.
Please be sure you do the 2 tasks listed on my post https://forums.malwarebytes.com/topic/274060-suspicious-malware-in-scvhostexe/?do=findComment&comment=1457255