Windows system Mal notification

As I’m writing this, Avast! continually warns me (I have received about 15 of them now, each containing 2-4 different infected files, and it does not stop) that it has blocked the following:

http://211.136.8.20/files60600000009EF758/files1.majorgeeks.com/89a00d1f45ff0e3d4647dcf08a
URL: Mal
C:\Windows\System32\svchost.exe

Any idea what this might be? And any suggestions as to make it go away?

Thanks

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

OK. I’ve attached the logs.

Thanks

OK, now you have to wait a bit…

Intriguing, as Major Geeks is a good site. Let me know if this stops it.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

    CreateRestorePoint:
    BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20121002165454.dll No File
    BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20121005190435.dll No File
    Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
    Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
    Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
    2015-03-07 10:38 - 2015-03-07 10:38 - 00000000 ____D () C:\Users\Ralph\AppData\Local\{A053B3A2-E369-4AA8-B1C0-FA0471193037}
    2015-03-07 10:37 - 2015-03-07 10:37 - 00000000 ____D () C:\Users\Ralph\AppData\Local\{B0E506F1-5869-46CD-A3D9-011262335DAD}
    2015-03-03 08:51 - 2015-03-03 08:52 - 00000000 ____D () C:\Users\Ralph\AppData\Local\{C0331966-E4EB-48C5-8DBD-A06AD597FAE5}
    2015-02-26 09:42 - 2015-02-26 09:42 - 00000000 ____D () C:\Users\Ralph\AppData\Local\{99BD93E6-E0AB-46F8-87BB-1F18B4CD088A}
    2015-02-26 09:42 - 2015-02-26 09:42 - 00000000 ____D () C:\Users\Ralph\AppData\Local\{38D1C6A8-473C-416B-98AA-34E6EBFF6B25}
    RemoveProxy:
    EmptyTemp:
    CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

It appears that it worked. After restart there was no alarm from Avast!.

I have attached the fixlog. It is all Greek to me, of course. But was there malware in the computer, or a false alarm?

But then no, it is not fixed. As I logged out from this site the alarm sounded again. A window appeared with the same notification as before, with 6 files blocked this time.

As I started the computer just now another notification popped up. It reads:

http://120.198.244.30:9999/download.windowsupdate.com/c/msdownload/update/others/2015/0
URL: Mal
C:\Windows\System32\svchost.exe

I don’t know if I should have posted a new thread, but will try here first since the “process” is the same as previously.

Stay in this thread, Essexboy will be back later.

The DNS relates to a mainland China ISP

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

When I clicked on the link to the Combofix, it didn’t offer me any possibility to choose a location to save it at. It went straight to the small window asking me whether I wanted to “save file”, so it was saved in Downloads.

I could run Combofix though, but just wanted you to know in case it significantly changes anything.

I’ve attached the Combofix log. When I restarted the computer there were no warnings from Avast! But as I spoke a little too early yesterday, I think I have to wait a couple of days before I can say whether they’re gone.

Yes, I’m in mainland China at the mo

Hold on! Just now I got a warning from Avast! Same as the one I got initially. There you go. Tricky it seems.

That IP refers to China Mobile communications corporation

This will reset all the internet connection data, although I am not sure it will clear it.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

    CreateRestorePoint:
    CMD: netsh advfirewall reset
    CMD: netsh advfirewall set allprofiles state ON
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset catalog
    CMD: netsh int ip reset c:\resetlog.txt
    CMD: ipconfig /release
    CMD: ipconfig /renew
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    RemoveProxy:
    EmptyTemp:
    CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

“That IP refers to China Mobile communications corporation”

Does that mean that the problems come from being connected to China Mobile? And that this will go away once I’m back in Europe again using a different internet provider?

After restart the warnings came back again a few times; each had blocked about 6-8 files, it said.

Anyway, I’ve attached the log

Unfortunately if that is the ISP you are using then yes

OK. I assume, since you didn’t post any more instructions, that there is nothing to be done about it.

Thanks for your help, anyway. I will be back in Europe in a week, and if it hasn’t stopped then, I’ll pick this thread up once more.

Cheers

If you could please, it appears that all connections in China are routed through that server
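Both blocked URLs in this thread have the same shape: a bare IP (or IP:port) in front, with the real download host (files1.majorgeeks.com, download.windowsupdate.com) pushed down into the path. That is what an ISP transparent cache produces when it rewrites fetches, and it is why the reporting process is svchost.exe, the service host that BITS and Windows Update run under. The Python script below is an added example, not code from this thread, from Avast or from FRST. It parses notifications in the shape shown above, splits the fronting IP:port from the origin hostname embedded in the path, and groups hits by fronting IP so the "everything goes through that server" conclusion can be checked against the whole set of alerts rather than one or two. The sample alert text is constructed here; the third entry (evil.example.invalid) is made up to show a URL that is not a cache rewrite. The verdict only says a URL has the cache-rewrite shape, not that the cached content is clean: that still needs the downloaded file's hash compared with what the origin host serves directly.

```python
"""Triage helper for Avast "URL: Mal" notifications (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of the thread's notifications. The first two
# URLs are the ones quoted in the thread; the third is made up for contrast.
SAMPLE_ALERTS = r"""
http://211.136.8.20/files60600000009EF758/files1.majorgeeks.com/89a00d1f45ff0e3d4647dcf08a
URL: Mal
C:\Windows\System32\svchost.exe

http://120.198.244.30:9999/download.windowsupdate.com/c/msdownload/update/others/2015/0
URL: Mal
C:\Windows\System32\svchost.exe

http://evil.example.invalid/payload.exe
URL: Mal
C:\Users\Ralph\Downloads\setup.exe
"""

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_alerts(text):
    """Return (url, process) pairs: a URL line followed later by a Windows path line."""
    pairs, url = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("http://", "https://")):
            url = line
        elif url is not None and WIN_PATH_RE.match(line):
            pairs.append((url, line))
            url = None
    return pairs


def embedded_origin(path):
    """First directory segment of the path that looks like a DNS hostname, else None.

    Only directory segments are considered: a trailing file name such as
    payload.exe would otherwise match the hostname pattern.
    """
    for seg in path.split("/")[1:-1]:
        if HOST_RE.match(seg):
            return seg.lower()
    return None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url, process):
    """Split the fronting host from the embedded origin and label the shape."""
    parts = urlsplit(url)
    front = parts.hostname or ""
    origin = embedded_origin(parts.path)
    # An IP literal in front plus a hostname in the path is the transparent-cache
    # rewrite shape; anything else is treated as a direct URL.
    verdict = "cache-rewrite" if is_ip(front) and origin is not None else "direct"
    return {
        "front": front,
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "origin": origin,
        "process": process,
        # svchost.exe is the service host for BITS / Windows Update, so a hit
        # reported under it is a background download, not a user click.
        "system_process": process.lower().endswith("\\svchost.exe"),
        "verdict": verdict,
    }


def triage(text):
    return [classify(u, p) for u, p in parse_alerts(text)]


def by_front(results):
    """Map each fronting cache IP to the origin hosts seen behind it."""
    groups = defaultdict(list)
    for r in results:
        if r["verdict"] == "cache-rewrite":
            groups[r["front"]].append(r["origin"])
    return dict(groups)


if __name__ == "__main__":
    results = triage(SAMPLE_ALERTS)
    for r in results:
        print(f"{r['verdict']:13} front={r['front']}:{r['port']} "
              f"origin={r['origin']} via={r['process']}")
    for front, origins in by_front(results).items():
        print(f"cache {front} fronted: {', '.join(origins)}")
```

Run it over the text of every notification collected during the stay; if every "cache-rewrite" entry groups under a handful of fronting IPs in the same ISP range while nothing is reported as "direct", the alerts are consistent with the ISP cache rather than with something resident on the machine, which is the point of comparison the thread leaves open.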