Infection: FileRepMalware

Hello!

My Avast pop-up is consistently reporting multiple Windows key files as malware, most notably Rundll32.exe/scvhost.exe, WWAhost.exe and Agent.exe (not a Windows file, but a Battle.net installer).

On opening Task Manager, no suspicious programs appear to be open; however, the System task (ntoskrnl.exe) uses 100% disk most of the time. Running an MBAM scan revealed no viruses, and Avast scans also yielded no results.

http://clip2net.com/clip/m0/382ee-clip-13kb.png?nocache=1

I've used VirusTotal to scan these files and no threat was reported; are these false positives?

Thank you.

https://forum.avast.com/index.php?topic=53253.0

http://pastebin.com/BdzMsyvb Addition.txt
http://pastebin.com/AvnBesPX FRST.txt
http://pastebin.com/6MT8Sk7j aswMBR.txt

---MBAM: no results---

Now it's reporting svchost.exe at every cmd.exe command.

Isisariey, the instructions clearly say to attach the log files here.

It's not letting me attach them, or else I would; I cannot see any problem with using a pastebin.

Just click on "Attachments and other options".

Attached.

Hi, I'm having this same problem.
My system is a Gateway NV59C laptop running Windows 10 Preview build 9860.

  1. Start your own thread.
  2. Why did you install Windows 10 Tech Preview as your main OS? I found the beta to be extremely unstable, and they even tell you NOT to install it as a main OS. I tried a dual boot. Mind you, it failed, but Windows 10 belongs in a virtual machine until it is formally released to the public as finished and not beta.

Could you let me know if this stops the alerts?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKLM-x32\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Joey\AppData\Local\Temp\IXP000.TMP\"
HKLM-x32\...\RunOnce: [wextract_cleanup1] => rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Joey\AppData\Local\Temp\IXP001.TMP\"
HKLM-x32\...\RunOnce: [wextract_cleanup2] => rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Joey\AppData\Local\Temp\IXP002.TMP\"
C:\Users\Joey\jagex_cl_runescape_LIVE.dat
C:\Users\Joey\random.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

Attached.

Are you still getting the alerts?

If so:

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT - Disable your antivirus and antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

The alerts have stopped. Should I repost here if they happen again, or create a new thread?

No, just let me know when you are happy and I will tidy up.

OK, so I'll message back in 2 hours and say if an alert has come.

Sure :)

May I ask why exactly you scheduled those files for deletion?

They were RunOnce entries that pointed to a temp folder using a system programme. RunOnce entries are just that: they should not be there after a reboot. Plus they use rundll32, which operates under svchost.
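The triage the helper describes above, as an added example that is not part of the original thread or of FRST: a small Python script that reads FRST-style RunOnce lines (the three lines from the fixlist above, plus two constructed lines labelled as such) and flags the pattern the helper removed, namely rundll32.exe calling advpack.dll,DelNodeRunDLL32 against a folder under AppData\Local\Temp. That pattern is the cleanup stub a self-extracting installer leaves behind to delete its IXP###.TMP extraction folder; Windows deletes a RunOnce value once it has run at the next logon, so one still present in a log taken after several reboots has either failed to run or is being re-created. The script also returns the flagged log lines verbatim, which is the form FRST expects in fixlist.txt. It works on log text only, not against a live registry; the regexes and verdict strings are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Shape of a RunOnce line as FRST prints it in FRST.txt / Addition.txt, e.g.
#   HKLM-x32\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\...\Temp\IXP000.TMP\"
# The hive may carry a WOW6432Node marker (-x32) or, for HKU, a SID (assumption about FRST's layout).
RUNONCE_RE = re.compile(
    r"^(?P<hive>HK[A-Za-z0-9-]+(?:\\S-[0-9-]+)?)\\\.\.\.\\RunOnce:\s*\[(?P<name>[^\]]+)\]\s*=>\s*(?P<cmd>.+)$"
)

# Locations a finished installer should no longer need a RunOnce entry for.
TEMP_PATH_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    raw: str      # the log line exactly as FRST printed it (usable as a fixlist.txt line)
    hive: str
    name: str
    cmd: str
    verdict: str


def classify(cmd: str) -> str:
    """Verdict strings are this example's own labels, not FRST or Avast terminology."""
    cmd_l = cmd.lower()
    in_temp = TEMP_PATH_RE.search(cmd) is not None
    if "advpack.dll,delnoderundll32" in cmd_l and in_temp:
        # wextract's cleanup stub: deletes the IXP###.TMP extraction folder, then the value itself is removed.
        return "installer cleanup: DelNodeRunDLL32 on a Temp folder; should vanish after one reboot, remove if it persists"
    if "delnoderundll32" in cmd_l:
        return "DelNodeRunDLL32 on a non-Temp path: confirm the target directory before letting it run"
    if in_temp:
        return "RunOnce launching something from Temp: inspect the file before the next reboot"
    return "RunOnce outside Temp: verify path and publisher"


def triage(lines):
    """Parse RunOnce lines from an FRST log; lines of other kinds (Run:, services, ...) are skipped."""
    findings = []
    for line in lines:
        m = RUNONCE_RE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.group("hive", "name", "cmd")
        findings.append(Finding(line.strip(), hive, name, cmd, classify(cmd)))
    return findings


def fixlist_for(findings):
    """FRST deletes a registry value whose log line is copied verbatim into fixlist.txt; emit those for cleanup leftovers."""
    return [f.raw for f in findings if f.verdict.startswith("installer cleanup")]


# Sample log: the first three lines are the ones from the fixlist in this thread; the last three are constructed.
SAMPLE_LOG = [
    r'HKLM-x32\...\RunOnce: [wextract_cleanup0] => rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Joey\AppData\Local\Temp\IXP000.TMP\"',
    r'HKLM-x32\...\RunOnce: [wextract_cleanup1] => rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Joey\AppData\Local\Temp\IXP001.TMP\"',
    r'HKLM-x32\...\RunOnce: [wextract_cleanup2] => rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Joey\AppData\Local\Temp\IXP002.TMP\"',
    r'HKLM\...\RunOnce: [update] => C:\Users\Joey\AppData\Local\Temp\upd.exe',                      # constructed
    r'HKLM\...\RunOnce: [VendorUpdate] => "C:\Program Files\Example\update.exe" /silent',           # constructed
    r'HKLM-x32\...\Run: [ExampleTray] => C:\Program Files (x86)\Example\tray.exe',                  # constructed, not RunOnce
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive:10} {f.name:20} {f.verdict}")
    print("fixlist.txt lines:")
    print("\n".join(fixlist_for(triage(SAMPLE_LOG))))
```

On the page's own three lines this yields the same three fixlist entries the helper used; the constructed "update" line shows the case that deserves a look before any reboot, a RunOnce that would execute a file out of Temp rather than delete a folder there.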

Ah, there's a program in my Task Manager named Setupafterrebootservice.exe, which is coming under Realtek audio.