help with c:\\windows\system32\svchost.exe Virus

[REDACTED]

here we go!

[essexboy]

Do you recognise this folder :  C:\Users\Anna\Orgakram
If not then run the fix below

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
2015-02-12 20:18 - 2015-02-12 20:18 - 00000000 ____D () C:\9937829a2006d58763d2
2015-02-08 20:52 - 2013-11-07 10:10 - 00000000 ____D () C:\Users\Anna\Orgakram
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

[REDACTED]

C:\Users\Anna\Orgakram is one of my personal folders that contains all my official bureaucratic correspondence.

I *could* delete it if that meant getting rid of this malware (I have a backup on my external harddrive +/- one or two files).

should I do it? why did you assume it was a good idea to destroy it?

[essexboy]

It was just a name that I could only find as anickname.. I always find those suspicious.  There is no need to delete that folder

At the moment I am ata a loss as to what is causing it.  I know that it is a programme trying to update a list of URL's however, it could be any of the programmes on your system that is using it.   

What programmes had you installed/updated prior to this occurring

[REDACTED]

I really thought about it and tried to figure it out, but I actually haven't installed anything new recently and I only updated boring stuff. like adobe flash player, firefox, the cisco secure mobility client I need to log into my university account... stuff...

I attached a picture of all updated programs from the control panel - maybe that would help.

any other ideas what I could try / do / run? thanx a lot*

[essexboy]

OK lets reset the IPV

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
CMD: ipconfig /flushdns
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

[REDACTED]

thanx, I did that.

the fixlog is attached,

as is the protocoll of the scan I ran afterwards.

I restarted the computer and once I opened chrome, I got another virus alert (the same as ever).

[essexboy]

Is this Chrome only or all browsers ?

[REDACTED]

hm, no. the operating system is windows 8, so it should have internet explorer pre-installed.

and my default browser is actually still firefox, although, I don't know, it's turned into such a cpu hog that I just use chrome most of the time...

[essexboy]

Could you try IE and FF to see if they alert as well

[REDACTED]

yup. just hanging out online with ff and ie and the virus alert popped up again.

[REDACTED]

I made screenshots of two more virus alert instances. one occurred yesterday while I updated java, the other one just now.

so far, most of the alerts stated C:Windows/System32/svchost.exe as the process responsible. however, sometimes it says something else.

since I already mentioned it before (one time it even said avast was the source), this might not be helpful, but since I was able to catch in on a screenshot, I thought I'd post it anyway, just to give you as much information as possible.

thanx again.

[essexboy]

Are you using a proxy as the domain name is the same in all cases

[REDACTED]

I am sorry. I am not sure I understand what you are saying. or asking.

yes, the object / URL / proxy as the domain name the virus is trying to contact is always the same. I haven't recorded all of them, but I've tried to keep track and read them all, it's always the same.

"http://sso.anbtr.com/domain/wpad.WDS01.COM"

no, I am not using a proxy as a domain name.

[essexboy]

It is now a matter of determining which programme could be using that site, initially I will look at the tasks that are unsigned 

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that