Yet another svchost.exe issue...

Hi,

Looks like a lot of people are getting this ATM… Started about a month ago for me and then last night spam was sent from one of my email accounts (obviously changed the password on that one pretty quick!) which prompted me to immediately do an mbam scan. That found some dodgy files and PUPs (no malware though) which I removed. When I did a rescan mbam found nothing, and a very thorough avast scan found nothing either, and yet I’m still getting these damn svchost.exe popups where avast is blocking a URL request as malware. Windows 8.1. Have attached FRST logs.

Regards,
Jack

Let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-07-12 13:29 - 2015-07-12 13:29 - 00000000 __SHD C:\Users\Jack\AppData\Local\EmieBrowserModeList
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Thanks for this Essexboy, log attached. As others have said, these popups weren’t continuous so I will report back tomorrow to confirm I am still popup free (often would get some on initial boot and, as I’ve just restarted as part of that scan, I didn’t get any this time, so hopefully all ok now…). Seeing as there have been a lot of people posting on here with this virus (?), do you/the malware team know what it is? Is the sending of spam to be associated with it or do I have another potential problem there?

-J

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

{524B8049-8D7E-4CE1-A9EA-166C834309B2} canceled.
{E75AB3AE-BF10-4939-A4F4-3702D6F2711D} canceled.
2 out of 2 jobs canceled.


This was the bad boy, it utilises a Windows Update stream

Right, so bitsadmin was compromised and by resetting we fixed it/removed the virus, or that was the virus and we removed it completely? Regardless, am I able to trust updates that appear in the Windows Update dialogue as available to download/install, then? I.e. this virus was just acting in the background masking its internet connectivity under Windows Update and Windows Update itself is fine?

Aye it was just using that as a vehicle to get the browser hijacker downloaded

Each job within BITS is specific, so there would be no danger to Windows Update

All we did was reset it, this purges all non-MS jobs
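The fixlist above cancels the whole BITS queue blind, and the explanation in this reply is that each BITS job is its own download. A practitioner usually wants to look at the jobs before purging them, because the job's remote URL and owner account are what tell you which download was the hijacker's and which one belonged to Windows Update. The following is an added example that is not part of the original thread or of FRST; it uses the BitsTransfer PowerShell module that ships with Windows (the cmdlets bitsadmin's deprecation notice points at) and must run from an elevated prompt, since `-AllUsers` needs administrative rights. The allow-list of expected hosts is an assumption for illustration, not a list from the thread.

```powershell
# Added example, not from the forum thread or from FRST: triage BITS jobs before resetting the queue.
# Run in an elevated PowerShell; Get-BitsTransfer -AllUsers fails without administrative rights.
Import-Module BitsTransfer

# Hosts normally seen in BITS jobs created by Windows Update. ASSUMPTION for illustration only;
# extend it for your environment (WSUS server, ConfigMgr distribution points, vendor updaters, ...).
$expectedHosts = @(
    'windowsupdate.com',
    'update.microsoft.com',
    'microsoft.com'
)

function Test-ExpectedHost {
    # Returns $true when the URL's host is one of the expected hosts or a subdomain of one.
    param([string]$Url)
    try { $uriHost = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($h in $expectedHosts) {
        if ($uriHost -eq $h -or $uriHost.EndsWith(".$h")) { return $true }
    }
    return $false
}

# Enumerate every job in the queue for all users, the equivalent of 'bitsadmin /list /allusers /verbose'.
# The DisplayName is attacker-controlled and can be made to look like Windows Update;
# the RemoteName (source URL) and LocalName (drop path) are what to judge the job by.
$jobs = Get-BitsTransfer -AllUsers

foreach ($job in $jobs) {
    Write-Host ("Job {0} '{1}' owner={2} state={3} created={4}" -f `
        $job.JobId, $job.DisplayName, $job.OwnerAccount, $job.JobState, $job.CreationTime)
    foreach ($f in $job.FileList) {
        $flag = if (Test-ExpectedHost $f.RemoteName) { '' } else { '  <-- unexpected host' }
        Write-Host ("    {0} -> {1}{2}" -f $f.RemoteName, $f.LocalName, $flag)
    }
}

# Select only the jobs that pull from a host outside the allow-list, and cancel those.
# Remove-BitsTransfer cancels the job and deletes any partially downloaded files.
# -WhatIf shows what would be cancelled; drop it once the list looks right.
$suspects = $jobs | Where-Object {
    @($_.FileList | Where-Object { -not (Test-ExpectedHost $_.RemoteName) }).Count -gt 0
}
$suspects | Remove-BitsTransfer -WhatIf
```

Two things worth keeping in mind when reading the output. A job whose owner is a normal user account and whose files land somewhere under that user's profile (as in the EmieBrowserModeList folder removed by the fixlist) is the typical shape of a persistence download, while Windows Update's jobs run as SYSTEM and write under the Windows directory. And `bitsadmin /reset /allusers`, as used in the fix, cancels every job in the queue regardless of owner; Windows Update recreates its own downloads the next time it checks, so the blanket reset is safe, but the per-job view above is what lets you keep the hijacker's source URL for blocking at the proxy or firewall before you purge it.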

Ok cheers for the clarification. No more popups so far IRL but I had a dream that they were back last night (that’s how irritating they were!!)

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Yeah I’ve been clean since but ofc will let you know if that changes! That unchecky is a good idea for a piece of software too, thanks for the link!

:slight_smile: