system
March 10, 2015, 4:23am
1
As I’m writing this, Avast! continually warns me (I have received about 15 of them now, each containing 2-4 different infected files, and it does not stop) that it has blocked the following:
http://211.136.8.20/files60600000009EF758/files1.majorgeeks.com/89a00d1f45ff0e3d4647dcf08a …
URL: Mal
C:\Windows\System32\svchost.exe
Any idea what this might be? And any suggestions as to make it go away?
Thanks
Asyn
March 10, 2015, 5:34am
2
Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
system
March 10, 2015, 9:34am
3
OK. I’ve attached the logs.
Thanks
Asyn
March 10, 2015, 9:36am
4
OK, now you have to wait a bit…
Intriguing, as Major Geeks is a good site. Let me know if this stops it.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20121002165454.dll No File
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20121005190435.dll No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
2015-03-07 10:38 - 2015-03-07 10:38 - 00000000 ____D () C:\Users\Ralph\AppData\Local\{A053B3A2-E369-4AA8-B1C0-FA0471193037}
2015-03-07 10:37 - 2015-03-07 10:37 - 00000000 ____D () C:\Users\Ralph\AppData\Local\{B0E506F1-5869-46CD-A3D9-011262335DAD}
2015-03-03 08:51 - 2015-03-03 08:52 - 00000000 ____D () C:\Users\Ralph\AppData\Local\{C0331966-E4EB-48C5-8DBD-A06AD597FAE5}
2015-02-26 09:42 - 2015-02-26 09:42 - 00000000 ____D () C:\Users\Ralph\AppData\Local\{99BD93E6-E0AB-46F8-87BB-1F18B4CD088A}
2015-02-26 09:42 - 2015-02-26 09:42 - 00000000 ____D () C:\Users\Ralph\AppData\Local\{38D1C6A8-473C-416B-98AA-34E6EBFF6B25}
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
system
March 11, 2015, 1:12am
6
It appears that it worked.
After restart there was no
alarm from Avast!.
I have attached the fixlog.
It is all Greek to me, of course.
But was there a malware in
the computer or false alarm?
system
March 11, 2015, 1:17am
7
But then no, it is not fixed.
As I logged out from this site
the alarm sounded again.
A window appeared with
the same notification as
before - with 6 files blocked
this time.
system
March 11, 2015, 3:26am
8
As I started the computer just now
another notification popped up. It reads:
http://120.198.244.30:9999/download.windowsupdate.com/c/msdownload/update/others/2015/0 …
URL: Mal
C:\Windows\System32\svchost.exe
I don’t know if I should have posted a
new thread, but will try here first since
the “process” is the same as previously.
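Both alerts quoted so far have the same shape: the HTTP host is a bare IP address, and the hostname the machine actually asked for (files1.majorgeeks.com, download.windowsupdate.com) has been folded into the URL path. That is the pattern a transparent caching proxy leaves when it rewrites a fetch, and it also explains why the reporting process is svchost.exe rather than a browser: svchost.exe hosts Windows services, including Windows Update and BITS, so the process name by itself does not point at a browser download or a specific malware binary. The helper below is an added example, not part of the thread and not Avast or FRST code; it pulls those fields out of a URL:Mal target so the two alerts can be compared side by side. The two sample URLs are the ones quoted in the posts above, kept truncated exactly as the forum shows them, since the host and the leading path segments are all the check needs; the hostname regex and the "proxied" label are this example's own assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed heuristic for "this path segment is really a DNS name": two or more
# dot-separated labels ending in an alphabetic TLD, e.g. "files1.majorgeeks.com".
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# The two URL:Mal targets quoted in this thread. Both are truncated ("…") in
# the forum posts and are deliberately left truncated here.
ALERTS = [
    "http://211.136.8.20/files60600000009EF758/files1.majorgeeks.com/89a00d1f45ff0e3d4647dcf08a",
    "http://120.198.244.30:9999/download.windowsupdate.com/c/msdownload/update/others/2015/0",
]


def triage_url_mal(url):
    """Split an Avast URL:Mal target into the fields worth looking at.

    Returns a dict with:
      host            - the literal host in the URL
      host_is_ip      - True when that host is a bare IP address, not a DNS name
      port            - the explicit port, or None when the scheme default is used
      embedded_origin - the first non-final path segment that itself looks like a
                        DNS name (the origin the client originally asked for), or None
      proxied         - True when an IP-literal host carries an embedded origin,
                        the tell-tale shape of a transparent-cache rewrite
    Only non-final segments are considered for the embedded origin so that a
    trailing filename such as "setup.exe" is not mistaken for a hostname.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False

    segments = [s for s in parts.path.split("/") if s]
    embedded = next((s for s in segments[:-1] if HOSTNAME_RE.match(s)), None)

    return {
        "host": host,
        "host_is_ip": host_is_ip,
        "port": parts.port,
        "embedded_origin": embedded,
        "proxied": host_is_ip and embedded is not None,
    }


def summarize(urls=ALERTS):
    """Triage a list of alert URLs; returns one result dict per URL, in order."""
    return [triage_url_mal(u) for u in urls]


if __name__ == "__main__":
    for r in summarize():
        origin = r["embedded_origin"] or "-"
        port = r["port"] if r["port"] is not None else "default"
        flag = "PROXIED" if r["proxied"] else "direct"
        print(f"{flag:8} host={r['host']:16} port={port!s:8} origin={origin}")
```

Run on the two alerts, both rows come out as PROXIED with different IP hosts and different embedded origins; a genuine direct fetch such as https://download.windowsupdate.com/... comes out as "direct" with no embedded origin. A "PROXIED" row says the request was rewritten somewhere between the machine and the origin; it does not say whether the file that came back was tampered with, so the downloaded file, not the URL, is what would need to be examined next.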
Asyn
March 11, 2015, 5:37am
9
Stay in this thread, Essexboy will be back later.
The DNS relates to a mainland China ISP
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
system
March 12, 2015, 3:05am
11
When I clicked on the link to
the Combofix, it didn’t offer
me any possibility to choose
location to save it at. It went
straight to the small window,
asking me whether I wanted
to “save file”, so it was saved
in downloads.
I could run Combofix though,
but just wanted you to know
in case it significantly changes
anything.
I’ve attached the Combofix log.
When I restarted the computer
there were no warnings from
Avast! But as I spoke a little
too early yesterday, I think I have
to wait a couple of days before
I can say whether they’re gone.
Yes, I’m in mainland China at the mo
Hold on! just now I got a warning
from Avast! Same as the one I got
initially. There you go. Tricky it seems.
That IP refers to China Mobile communications corporation
This will reset all the internet connection data, although I am not sure it will clear it.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
system
March 12, 2015, 3:34pm
13
“That IP refers to China Mobile communications corporation”
Does that mean that the problems come from being connected
to China Mobile? And that this will go away once I’m back in
Europe again using a different internet provider??
After restart the warnings came back again a few times, each had
blocked about 6-8 files it said.
Anyway, I’ve attached the log
Unfortunately if that is the ISP you are using then yes
system
March 13, 2015, 1:14am
15
OK. I assume since you didn’t
post any more instructions that
there is nothing to be done about it.
Thanks for your help, anyway.
I will be back in Europe in a week,
and if it hasn’t stopped then, I’ll
pick this thread up once more.
Cheers
If you could please, it appears that all connections in China are routed through that server