Download http://diamondcs.com.au/index.php?page=asviewer and run it.
Search for:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [System Process=C:\WINDOWS\svchost.exe
If found, right-click it and select Delete…
You can delete autostarts using TDS's tools too; press Ctrl+A for instance…
I cannot assist you further with this as I haven't got TDS on my comp.
Right-click the link and select Save As…
Save it into the directory where you installed TDS, replacing the existing file if asked,
and scan again…
If an updated TDS reports an unknown trojan you need to submit that file C:\WINDOWS\svchost.exe. Send it (zipped) as an attachment to submit@diamondcs.com.au
C:\Windows\Temp\qftp.tmp\svchost.exe - the temp file always changes to a different file.
The qftp.tmp isn't actually a file but a folder, which then contains the highly suspect version of svchost.exe.
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
1. MalwareBytes Anti-Malware, On-Demand only in free version, http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right-click on the link and select Save As or Save File (As, depending on your browser), and save it to a location where you can find it easily later.
2. SUPERantispyware, On-Demand only in free version.
Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie.
Yes, looks like you have a shed load of those random-named .tmp folders like the qftp.tmp one, which I guess will all have an svchost file inside?
Thankfully Outpost should block any unauthorised outbound connections and is smart enough to notice any attempts to use a regular outbound connection by svchost.exe (like for Windows Update). So a small blessing.
It will continue to pick it up as these qftp.tmp style folders are created with a svchost.exe file inside, until we find what is generating them and put the boot in to kill it.
What is the malware name that avast is calling this svchost.exe in these .tmp folders?
You can help yourself by deleting all but these .tmp folders, but I suspect they may have protection.
You could also check one of the offending svchost.exe files at VirusTotal (multi-engine on-line virus scanner) and report the findings here, i.e. the URL in the address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
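An added triage script (not from this thread or any of the tools it mentions) that checks for the two symptoms discussed above from the defender's side: Run-key autostarts that launch an svchost.exe from outside System32, and <random>.tmp folders under C:\Windows\Temp containing an svchost.exe. It also prints each file's MD5 alongside that of the genuine System32 copy so the hash can be looked up on VirusTotal. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; $env:SystemRoot and the helper name Get-Md5 are the script's own choices.

```powershell
# Added example: locate the svchost.exe symptoms described in the thread.
# Assumes Windows PowerShell 2.0+ and an elevated (administrator) session.
$legit = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Helper (our own, not a built-in): MD5 of a file as an uppercase hex string.
function Get-Md5 {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([BitConverter]::ToString($md5.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$legitHash = Get-Md5 $legit
"Genuine System32 svchost.exe MD5: $legitHash"

# 1. Autostart check: any Run value that launches an svchost.exe from a path
#    other than System32 (the thread's example was C:\WINDOWS\svchost.exe).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$system32 = [regex]::Escape((Join-Path $env:SystemRoot 'System32'))
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($p.Value -match 'svchost\.exe' -and $p.Value -notmatch $system32) {
            "SUSPECT autostart: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. Temp-folder check: the <random>.tmp\svchost.exe pattern from the thread.
$temp = Join-Path $env:SystemRoot 'Temp'
Get-ChildItem -Path $temp -Filter '*.tmp' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $candidate = Join-Path $_.FullName 'svchost.exe'
        if (Test-Path $candidate) {
            $h = Get-Md5 $candidate
            $status = if ($h -eq $legitHash) { 'same hash as System32 copy' }
                      else                  { 'DIFFERS from System32 copy' }
            "$candidate  MD5=$h  ($status)"
        }
    }
```

Any hash that differs from the System32 copy can be searched on VirusTotal directly, without first uploading the file.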
Sorry, that URL doesn't work as it can't pick up the re-analysed file. When you have completed the scan there should be an address in the address bar of your browser, like the one when browsing this topic, see image. Is that where you copied the URL from?
If so there is something wrong with the VT database, as the page can't be found.
If that doesn't work, you could try copying and pasting the scan results data.
What did SAS turn up in your scan? You didn't report.
MD5: 3162d3ae9859a985a3d8fb84bf4acf07
First received: 2009.11.28 10:57:12 UTC
Date: 2009.12.03 12:10:41 UTC [>5D]
Results: 18/41
Permalink: analisis/e53048b9a683e11f284dfb8bbcc3b39216b46b335a061ad37c3f16687ebfbbaf-1259842241
What SAS ???
edit: Yes I did report. I said that it removed 20 threats.
anyway…
another problem with this is…
When I search for something on Google and then click on one of the results, it takes me to a totally different page filled with viruses.
Sorry, that link won't work either; it has to be copied and pasted from the address bar of the browser, as my image shows.
However, that is a bit of a moot point: with 18/41 detections it is looking like a good detection, but the information I'm trying to get is which other scanners detected it and what malware name it was given. That information could help us find information and a means of attacking the problem.
Saying SAS removed 20 threats again doesn't help, as there is no information on what it removed; for the same reasons as above it may help us find information and see if that might be related to the problem.
Google search hijacks could be just something else in the issue but try this tool:
– GOOGLE.GOORED - Firefox popping up ads and/or Google search redirects.
- Please download GooredFix and save it to your Desktop.
- Double-click Goored.exe to run it.
- Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
- A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
- Note: Do not run Option #2 yet.
I don't see anything obvious in the Goored report; it is usually able to identify the redirection points, but the extensions without names make it hard.
I only see one relatively new extension:
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:23 02/12/2008]
So if you can recall what that was, but that is probably clutching at straws.
I don't know what is going on with the VT link; when I try to use it it doesn't show the results, but gives two other buttons, Reanalysis or Show Last Results, both of which result in file not found.
I don't know if all of this might be being masked by a rootkit - see anti-rootkit detection, removal & protection, http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools:
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight.
Yes, it will possibly take a bit of time before some of the tools will work with Win7. I don't know if that might also have been a factor in the GooredFix not being able to check some things in Win7.
Though having said that, all we did was run an analysis and log. Unfortunately I'm not too familiar with this tool; if you feel it worth the risk you could run GooredFix on option two, which is to apply what it considers needs fixing.
Uhm! I'm having this exact same problem as TS: random files C:/windows/temp/(some random 4 letters).tmp/scvhost.exe are constantly being created, and even after I used CCleaner to clean it off, it is created again a while later. Something I noticed is that when I'm not on the internet, nothing happens, as in my anti-virus doesn't pop up warning me of the scvhost.exe thing, but when I'm on the internet it pops up. I used Spybot Search & Destroy and AVG Anti-Virus but they detect nothing.
Thanks, looks like GooredFix has been updated from what it was the last time I used it (see image), so that it is a one-shot deal: find and fix if required.