
Suspicious malware in scvhost.exe


Solved by Maurice Naggar


Hi. Malwarebytes for Windows found 3 items and flagged them; however, the log remarked "No action by user". On this next run, you have to tick all lines for removal.

 

In Malwarebytes for Windows program, we want to do a special scan.

 

Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the Settings window.

 

Then click the Security tab.

Scroll down and let's be sure the line in Scan Options for "Scan for rootkits" is ON. 👈

 

Click it to turn it ON if it does not show a blue color.

Next, click the small x on the Settings line to go to the main Malwarebytes Window.

 

Next click the blue button marked Scan.

 

When the scan phase is done, be very sure you review and have all detected line items check-marked on the left. That too is very critical.


You can actually click ( tick ) the topmost left check-box on the very top line to get ALL lines ticked ( all selected). 👈


Then click on Quarantine selected.


Then locate the scan run report, export a copy, and attach it to your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

We will do more, later. 

Edited by Maurice Naggar
Add screen examples for Malwarebytes

The real-time web protection is keeping your system safe from:

Domain: fbk.xiaomishop.me

IP Address: 104.18.9.171

.

The result of scan by Malwarebytes for Windows is excellent.

Before we do other things: since the PC has McAfee VirusScan, please use that app to do a scan.

After completion, let me know the result.  Thanks.  :D

 


Thanks. When you get a chance, look at the McAfee scan log and let me know the filename of the item found and removed.

.

Let me suggest you do one scan with AdwCleaner to check for adware.

First download & save it 

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then do a scan with Adwcleaner 

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

 

Attach the clean log.


Thanks.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look at the Scan Options and select "Full scan". Have lots of patience; the run may take several hours.

  

Let me know the result of this.

The log is named MSERT.log and will be at

C:\Windows\debug\msert.log

Please attach that log with your reply.


It took about 5 hours. Unfortunately, my Malwarebytes trial ended, so nothing is blocking the data being sent. I disconnected my computer from the internet, so I can't send the file right now. However, the scan found 6 files. One of them was removed, that being a file called Win32/DefenderTamperingRestore. The return code is 6.

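An added example, not part of either post above: a PowerShell function that reads the Microsoft Safety Scanner log and reports the return code and detections of the most recent run, so the "6 files found, one removed, return code 6" kind of result can be read off without scrolling the whole file. The log path and the "Return code" line follow Microsoft's documentation; the detection-line wording in the sample is constructed for this example, so adjust the regex if your own msert.log phrases it differently.

```powershell
# Added example (not from the thread): summarise the latest run in a Microsoft Safety
# Scanner log. Only the two return-code meanings the thread touches are listed; look any
# other value up in Microsoft's return-code table rather than guessing.
$MsertReturnCodes = @{
    0 = 'No infection found'
    6 = 'At least one infection found and removed'
}

function Get-MsertSummary {
    param([string]$LogPath = (Join-Path $env:SystemRoot 'debug\msert.log'))

    $lines = @(Get-Content -LiteralPath $LogPath)

    # msert.log is appended to on every run, so isolate the block after the previous run's
    # "Return code" line (or from the top of the file if this is the first run).
    $codeIdx = @(0..($lines.Count - 1) | Where-Object { $lines[$_] -match 'Return code:\s*(\d+)' })
    if ($codeIdx.Count -eq 0) { throw "No 'Return code' line in $LogPath; the scan may not have finished." }
    $last  = $codeIdx[-1]
    $first = if ($codeIdx.Count -ge 2) { $codeIdx[-2] + 1 } else { 0 }
    $run   = $lines[$first..$last]

    $code = [int]([regex]::Match($lines[$last], 'Return code:\s*(\d+)').Groups[1].Value)

    # Constructed detection format: "Found <threat> and <action>!"
    $detections = foreach ($l in $run) {
        if ($l -match '^Found\s+(?<name>\S+)\s+and\s+(?<action>[^!]+)!?') {
            [pscustomobject]@{ Threat = $Matches.name; Action = $Matches.action.Trim() }
        }
    }

    $meaning = if ($MsertReturnCodes.ContainsKey($code)) { $MsertReturnCodes[$code] } else { 'see Microsoft return-code table' }
    [pscustomobject]@{
        LogPath    = $LogPath
        ReturnCode = $code
        Meaning    = $meaning
        Detections = @($detections)
    }
}

# Constructed sample log with two runs: a clean one, then a run like the one in the thread.
$sample = @'
Microsoft Safety Scanner v1.0, (build 1.0.0.0)
Started On Sat Jul 24 09:02:11 2021
Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Sat Jul 24 11:15:40 2021
Return code: 0 (0x0)
Microsoft Safety Scanner v1.0, (build 1.0.0.0)
Started On Sun Jul 25 09:02:11 2021
Results Summary:
----------------
Found Win32/DefenderTamperingRestore and Removed!
Microsoft Safety Scanner Finished On Sun Jul 25 14:10:43 2021
Return code: 6 (0x6)
'@
$samplePath = Join-Path $env:TEMP 'msert-sample.log'
Set-Content -LiteralPath $samplePath -Value $sample

$summary = Get-MsertSummary -LogPath $samplePath
$summary | Format-List
$summary.Detections | Format-Table

# On the scanned machine, run it against the real log:
# Get-MsertSummary | Format-List
```

Because the function slices the file at the previous "Return code" line, an older clean run in the same log does not mask a later detection, and a missing "Return code" line (scan aborted or still running) is reported as an error rather than as a clean result.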

You will need to connect to the internet, at least so that you can download the tools I guide you to and make replies here.

.

It would be useful to get from you the MSERT.log file so I can review.

Do know that Win32/DefenderTamperingRestore is not a big thing. It refers to Defender's antispyware having been off. Anyhow, MSERT has fixed that, and that feature is ON now.

.

We have already run the Malwarebytes with the rootkit option, plus Adwcleaner, plus the MS SAFETY Scanner.

Plus You had scanned with your MCAFEE antivirus.

.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

Go to the saved file, and double click it to get it started.

 

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications", then click the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus program (i.e. their standard product). You do not need to buy, get, or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".

Edited by Maurice Naggar

When you get to a stopping point, after doing the last ESET scan, I have a custom cleanup script, which will be run through FRST64.

It is intended to run the Windows System File Checker and Windows DISM to check Windows, plus to remove a .tmp file, 66VU01574V.tmp.

 

The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe; you have yours saved on the Desktop.

 

The custom script on this post is ONLY for this machine and NO other.   This custom script is for  Beluga666   only / for this machine only.

 

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

 

The system will be rebooted after the script has run.

 

Please save the attached file named FIXLIST.txt to the Desktop folder.

Start Windows Explorer and go to the Desktop.

 

RIGHT click on  FRST64.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

If you get a block message from Windows about this tool, click the "More info" line on that screen and click the "Run anyway" button on the next screen.

 

on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply, at your next opportunity.

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Fixlist.txt

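An added example, not the Fixlist.txt from the post above (its contents are not on the page): the same two repair passes, System File Checker and DISM, run natively from an elevated PowerShell, with the SFC result pulled from CBS.log instead of from sfc's console text, and the named .tmp file hashed before it is deleted. The location of the .tmp file is an assumption here; substitute the path FRST reported.

```powershell
#Requires -RunAsAdministrator
# Added example (not the thread's FRST script): SFC + DISM + one file removal, with results
# returned as objects. $TempFileToRemove defaults to %TEMP%, which is an assumption.
param(
    [string]$TempFileToRemove = (Join-Path $env:TEMP '66VU01574V.tmp')
)

function Invoke-SfcScan {
    $started = Get-Date
    # sfc.exe emits UTF-16 text; capturing it in PowerShell yields null-separated characters,
    # so discard the console output and read the [SR] entries that sfc writes to CBS.log.
    & (Join-Path $env:SystemRoot 'System32\sfc.exe') /scannow | Out-Null
    $exit = $LASTEXITCODE

    $cbs = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'
    $entries = @(Get-Content -LiteralPath $cbs -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\[SR\]' -and $_.Length -ge 19 } |
        Where-Object {
            # CBS.log lines begin "yyyy-MM-dd HH:mm:ss, "; keep only this run's entries.
            $ts = [datetime]::MinValue
            [datetime]::TryParseExact($_.Substring(0, 19), 'yyyy-MM-dd HH:mm:ss', $null,
                [System.Globalization.DateTimeStyles]::None, [ref]$ts) -and $ts -ge $started
        })

    [pscustomobject]@{
        Tool         = 'sfc /scannow'
        ExitCode     = $exit
        Repaired     = @($entries | Where-Object { $_ -match 'Repairing' }).Count
        Unrepairable = @($entries | Where-Object { $_ -match 'Cannot repair' }).Count
        Verified     = [bool]@($entries | Where-Object { $_ -match 'Verify complete' }).Count
        Log          = $cbs
    }
}

function Invoke-DismRepair {
    # /RestoreHealth pulls replacement files from Windows Update unless /Source is given;
    # exit code 0 means success, anything else is explained in dism.log.
    & (Join-Path $env:SystemRoot 'System32\Dism.exe') /Online /Cleanup-Image /RestoreHealth | Out-Null
    [pscustomobject]@{
        Tool     = 'DISM /Online /Cleanup-Image /RestoreHealth'
        ExitCode = $LASTEXITCODE
        Log      = Join-Path $env:SystemRoot 'Logs\DISM\dism.log'
    }
}

function Remove-NamedTempFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Tool = 'remove'; Path = $Path; Result = 'not present' }
    }
    # Record the hash before deleting so the sample can still be identified later.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Remove-Item -LiteralPath $Path -Force
    [pscustomobject]@{ Tool = 'remove'; Path = $Path; Result = "deleted (SHA256 $hash)" }
}

$results = @()
$results += Invoke-SfcScan
$results += Invoke-DismRepair
$results += Remove-NamedTempFile -Path $TempFileToRemove
$results | Format-List

Write-Host 'Restart Windows afterwards so any pending component repairs complete.'
```

Reading CBS.log rather than the console is the check a practitioner wants: "Cannot repair member file" entries after the run's start time are the files SFC could not fix, which is exactly when the DISM pass matters, and the exit codes of both tools are captured from `$LASTEXITCODE` instead of being inferred from screen text.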

Thank you for the reports.

The MS SAFETY Scanner did not find any infection.

ESET found and removed 1 file, which seems to have been some sort of game:

prun.exe, a variant of Generik.NLMIMJW trojan; cleaned by deleting.

.

The result of the custom script run is very encouraging.

The Windows System File Checker result is all very good.

.

One new scan with Malwarebytes for Windows, please.

Do the same scan as listed before at https://forums.malwarebytes.com/topic/274060-suspicious-malware-in-scvhostexe/?do=findComment&comment=1456234

 

Attach the scan report after that.

Also, let me know if you need more assistance.


Uhhm, sorry to learn of any 'abort or crash issue'.  Let's get fresh readouts so I can review.

Please download MBST Support tool.

https://downloads.malwarebytes.com/file/mbst

Go to the Downloads folder. Right-click on the mb-support.1.8.4.xxx.exe file, choose "Run as Administrator", reply Yes, and allow it to proceed.

Once it starts, click Advanced > Gather Logs.

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.


Hello. Thank you for the ZIP report. I am going through it. There is more yet to digest, but a couple of things stand out.

The file Lwjg132.dll is certainly not a part of Windows. It does not belong to Windows operating system.

I also notice that Malwarebytes is out of date on the latest Component. So you need to do a Check for Updates in Malwarebytes app.  Use the guide here https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

 

Next, do a Windows RESTART.

Next be sure you do not open any games or such.

Next, do one new Scan with Malwarebytes.

If it tags anything, TICK the line item so that it is Quarantined.

When all done, copy the Scan report & attach with Reply.

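An added example, not part of the post above: the built-in checks behind a remark like "Lwjg132.dll is not part of Windows", and behind the scvhost.exe/svchost.exe lookalike in the topic title. It goes a step beyond the thread by also scanning running processes for near-miss names or system binaries loaded from outside the Windows directory. The list of imitated names is an assumption for this example, and the path of the thread's DLL is not on the page, so pass whatever path FRST reported.

```powershell
# Added example (not from the thread): file and process triage with built-in cmdlets.
# Get-AuthenticodeSignature consults the Windows catalog on Windows 8 and later, so
# catalog-signed OS files (most of System32) report Valid without an embedded signature.

# Windows binaries that malware commonly imitates by name (assumed list; extend as needed).
$KnownSystemBinaries = @('svchost.exe', 'csrss.exe', 'lsass.exe', 'winlogon.exe', 'services.exe',
                         'smss.exe', 'explorer.exe', 'conhost.exe', 'rundll32.exe', 'dllhost.exe')

function Get-EditDistance {
    # Levenshtein distance; scvhost/svchost is a transposition, i.e. two single-char edits.
    param([string]$First, [string]$Second)
    $a = $First.ToLowerInvariant(); $b = $Second.ToLowerInvariant()
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-NameLookalike {
    # Known names within two edits of $Name. A name that IS a known binary gets no hits,
    # otherwise lsass.exe would be reported as resembling csrss.exe.
    param([string]$Name)
    $n = $Name.ToLowerInvariant()
    if ($KnownSystemBinaries -contains $n) { return @() }
    @($KnownSystemBinaries | Where-Object { (Get-EditDistance $n $_) -le 2 })
}

function Test-SuspiciousFile {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    $inWindows = $item.FullName.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    if ($inWindows -and -not ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')) {
        $reasons += "under $env:SystemRoot but not Microsoft-signed"
    }
    $like = Get-NameLookalike $item.Name
    if ($like) { $reasons += "name resembles $($like -join ', ')" }

    [pscustomobject]@{
        Path = $item.FullName; SHA256 = $hash; Signer = $signer; SignatureStatus = $sig.Status
        Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ')
    }
}

function Get-LookalikeProcess {
    # Processes whose image name is a near-miss of a system binary, or an exact match that
    # runs from outside $env:SystemRoot (a svchost.exe in %TEMP%, for example).
    foreach ($p in Get-Process) {
        $name = $p.ProcessName + '.exe'
        $path = $p.Path   # $null for protected processes we cannot open
        $like = Get-NameLookalike $name
        $outside = $false
        if ($path -and ($KnownSystemBinaries -contains $name.ToLowerInvariant())) {
            $outside = -not $path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if ($like -or $outside) {
            $reason = if ($like) { "resembles $($like -join ', ')" } else { 'outside Windows directory' }
            $status = if ($path) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'unknown' }
            [pscustomobject]@{ PID = $p.Id; Name = $name; Path = $path; SignatureStatus = $status; Reason = $reason }
        }
    }
}

Test-SuspiciousFile -Path (Join-Path $env:SystemRoot 'System32\svchost.exe') | Format-List
Get-LookalikeProcess | Format-Table -AutoSize
# For the DLL from the thread, pass the path FRST listed (placeholder path):
# Test-SuspiciousFile -Path 'C:\path\reported\by\FRST\Lwjg132.dll' | Format-List
```

The two-edit threshold will surface a few benign near-misses (sihost.exe is within two edits of svchost.exe), which is why each hit carries its path and signature status: a valid Microsoft signature on a file under the Windows directory settles it, while an unsigned or oddly placed file is what to quarantine and hash for the next report. The `*Microsoft*` subject check is deliberately loose; a stricter version would validate the chain to a Microsoft root.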

Hi. After you are all caught up, please do this too.

First, let's make sure Windows is set to SHOW all files & folders.

Use option One or Two on this guide article 

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Then

I need a new, very current report from FRSTENGLISH tool.

Using File Explorer, go to Downloads folder.

Right-click on FRSTENGLISH.exe and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.

 

Windows 10 users will be prompted about Windows SmartScreen protection: click the "More info" line on that screen and click the "Run anyway" button on the next screen.

Click Yes when prompted by the Windows UAC prompt (Continue or Yes on Windows Vista and newer) to allow it to run.

 

Click Yes when the *disclaimer* appears in FRST.

The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

 

Make sure that the Addition option is checked; the configuration should look exactly like the screen below (do not mark additional things unless asked).

Press Scan button and wait.

 

[Screenshot: FRST scan options with Addition.txt checked]

 

The tool will produce 2 logfiles on your desktop: FRST.txt , Addition.txt 

Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

 

Please attach these 2 files to your next reply.

Thank you.


Hi. Thanks for the Malwarebytes scan report. You have the latest version of it. The scan result is all perfect.

Please be sure you do the 2 tasks listed on my post 

https://forums.malwarebytes.com/topic/274060-suspicious-malware-in-scvhostexe/?do=findComment&comment=1457255


This topic is now closed to further replies.