Hello,
I'm on Avast Business Pro and we got a virus alert for C:\mswvc.exe that is being alerted on one of the machines almost EVERY DAY (it also gets quarantined or deleted). Is there a way to see how this virus is being constantly created?
Attach the requested logs >> https://forum.avast.com/index.php?topic=194892.0
Also upload C:\[b]mswvc.exe[/b] and scan it here: www.virustotal.com
Post the link to the scan result here.
It is a Windows 2003 server. Mbytes is not compatible; is there any alternative?
And step #2, FRST? Those two diagnostic logs are the important ones.
Here are the 2 logs from FRST.
Is the mbytes log mandatory? Would a legacy version of mbytes be enough?
I will notify the malware expert @Sass Drake and he will give further instructions
It may take hours before he is online
Thank you for your prompt reply, I will be waiting.
- Open Notepad (click Start button → type notepad.exe → press Enter)
- Copy text from code block below and paste it into Notepad
[code]
Task: C:\WINDOWS\Tasks\sysnetsf.job => C:\Documents and Settings\Default User\Application Data\WINYS\mtwvc.exe
HKLM\...\batfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <==== ATTENTION
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <==== ATTENTION
[/code]
- Go to File → Save As
- Make sure that UTF-8 is selected as Encoding (left side of Save button)
- Save it as fixlist.txt on Desktop
- Open FRST again and click on the Fix button
- Wait until FRST finishes
- fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
Bear in mind that Microsoft no longer supports Windows Server 2003 and it hasn't received any security updates during the last 4 years.
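The question in this thread is which task file keeps relaunching the quarantined executable. As an added example (not from the poster, FRST or Avast), here is a Python script that sweeps Task Scheduler 1.0 .job files such as C:\WINDOWS\Tasks\sysnetsf.job for embedded UTF-16LE strings naming mswvc.exe or mtwvc.exe; the sample job files it builds are constructed, and the function names are mine.

```python
import re
import tempfile
from pathlib import Path

# Names taken from the thread: the file Avast keeps quarantining and the
# task target named in the FRST fixlist. Add any other name seen in alerts.
SUSPECT_NAMES = ("mswvc.exe", "mtwvc.exe")

def utf16_strings(data, min_len=6):
    """Yield printable UTF-16LE strings embedded in a binary blob.
    Task Scheduler 1.0 .job files store the application path, parameters
    and working directory as UTF-16LE, so a string sweep shows what a job
    launches without parsing the whole format."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(pattern, data):
        yield m.group().decode("utf-16-le")

def find_jobs_referencing(tasks_dir, names=SUSPECT_NAMES):
    """Map each .job in tasks_dir to the embedded strings that mention one
    of the suspect executable names (case-insensitive); empty if none."""
    hits = {}
    for job in sorted(Path(tasks_dir).glob("*.job")):
        matches = [s for s in utf16_strings(job.read_bytes())
                   if any(n in s.lower() for n in names)]
        if matches:
            hits[job.name] = matches
    return hits

# Path from the thread's fixlist, used as the constructed sample's target.
DEMO_TARGET = r"C:\Documents and Settings\Default User\Application Data\WINYS\mtwvc.exe"

def fake_job(app_path):
    """Constructed stand-in for a .job: a zeroed fixed-length header followed
    by the application path as UTF-16LE. Not a faithful .job, but enough
    for the sweep to find the launched path."""
    return b"\x00" * 0x44 + app_path.encode("utf-16-le") + b"\x00\x00"

def demo():
    """Build a throwaway Tasks folder with one job launching DEMO_TARGET and
    one benign job, then run the sweep over it."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "sysnetsf.job").write_bytes(fake_job(DEMO_TARGET))
    (tmp / "defrag.job").write_bytes(fake_job(r"C:\WINDOWS\system32\defrag.exe"))
    return find_jobs_referencing(tmp)

if __name__ == "__main__":
    for job, strings in demo().items():
        print(job, "->", strings)
    # On the affected server: find_jobs_referencing(r"C:\WINDOWS\Tasks")
```

Run it against a copy of the Tasks folder taken while the machine is disconnected; a hit names the .job to remove, and the same sweep works on any binary file you suspect of holding the launch path.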
Thanks for the reply, here is the attached log.
What is system status now?
Sorry, I should have been more descriptive. The machine shuts off on its own. After running a full Avast scan, I'm not able to find any viruses, but the next day I will see that the virus was detected and deleted. I will also see the “unexpected shutdown” window servers show when they shut down. When it is on, it acts normally, but when it shuts off unexpectedly it causes issues for others.
Since I've been seeing the same virus every day, I wanted to see if Avast is able to trace where the file is being created and delete the program, or report the application that is calling that process. I have multiple computers that are seeing this mswvc.exe almost every day.
Report tomorrow what happened with Avast.
Will do, thank you.
I have been having the same problem for about a month. I have about 5 users who are having the same symptoms: shutdowns that seem to happen at about the same time. There is nothing in Task Scheduler. Avast detects it and removes it, and it starts up again; Sophos does the same.
Please start your own new topic and follow the instructions/link to create your own logs given in Reply #1.
Hi guys, the machine didn't shut down today, but we got the same alert for mswvc.exe, which was moved to quarantine.
Is there a deep scan or log that can show where this mswvc.exe is getting created from?
If you get another Avast alert, take a screenshot of it; also expand the window if it has an option for details/further information, etc., and capture that info as well.
As far as logs go:
Assuming (dangerous I know) it is the file system shield, check the C:\ProgramData\AVAST Software\Avast\report\FileSystemShield.txt, but I doubt that that would give you any more detailed information than the alert. It could be that it is being initiated/recreated by another file/function (as in the C:\WINDOWS\Tasks\sysnetsf.job) that Sass Drake tried to remove in his fixlist.
It will certainly require further input from Sass Drake, when he is available. This may take a little while depending on your respective Time Zones and his available time (as a volunteer Malware removal specialist).
That’s me for the night 1:30am here.
Sure thing, I will take a picture next time I get alerted by Avast.
[s]Download and run TDSSKiller following the instructions here.
After you finish the scan, there should be a report file at a location similar to C:\TDSSKiller_*.txt.
Attach it to your message.[/s]
Can you disconnect that machine from the network and post new FRST.txt and Addition.txt logs?