Author Topic: help with c:\\windows\system32\svchost.exe Virus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #45 on: March 02, 2015, 07:17:55 PM »
Not much use there

Avast works well with the following programme, as I have had it running for 6 hours with no problem.

Please download and install GlassWire.
Once it is installed, leave it running in the system tray.
When an alert is received, open GlassWire.
Select the Alerts tab.
Locate on the right the address sso.anbtr.com.
Hover over the file name under that address and either post a screenshot or let me know what file it is.
To get the full file name and path if it is truncated, cursor over the file name.
In my example it is my Kingsoft updater running.



REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #46 on: March 02, 2015, 10:57:24 PM »
I did all that, but I'm not so sure about this...

So, the first virus alert after I installed GlassWire popped up at 22:37 - same as ever. The URL the avast! alert showed me was sso.anbtr.com/etc. - also same as ever.

However, the only two activities in the GlassWire Alerts tab were Firefox, directly followed by avast!, and neither one of them contacted sso.anbtr.com.

Attached you find a screenshot of all the alerts at that point and one with the details from the Firefox activity. The virus scan GlassWire offers came back clean.

The next avast! virus alert popped up at 22:47 - same as ever. However, this time GlassWire didn't even log anything. There was only a spike in activity. I attached a screenshot of the transmission graph.

I don't understand. But I guess that goes without saying...

Offline essexboy

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #47 on: March 02, 2015, 11:02:17 PM »
Could you temporarily uninstall Firefox? Reboot the computer and let me know if the alert appears again.

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #48 on: March 03, 2015, 04:26:21 PM »
Yup. Uninstalled Firefox. Rebooted. Alert pops up same as ever.

All in all, the alert has appeared maybe a couple of dozen times since I installed GlassWire. But in the Alerts tab, it never registered the activity, and the address sso.anbtr.com doesn't appear even once.

Offline essexboy

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #49 on: March 03, 2015, 04:43:21 PM »
OK, re-install Firefox if you wish.

I will reset the GlassWire alerts for you, as once it has seen the programme it will not report on it again. Shut down GlassWire and run the fix below.
Then restart GlassWire and see if there is any reference to that site at all.

 CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
c:\programdata\glasswire\service\glasswire.db

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #50 on: March 03, 2015, 05:32:40 PM »
I haven't reinstalled Firefox yet, but I reset GlassWire following your instructions.

The first time the virus alert appeared afterwards (at 17:14), GlassWire shows some activities but no reference to sso.anbtr.com/
(I attached screenshots of two of the events around that time, but I assume it's not helpful at all.)

The other times the virus alert appeared after that, GlassWire didn't register anything anymore (which makes sense, if it only responds the first time a program goes online).

Why does GlassWire not detect the virus the way avast! does?
And what now?

Offline essexboy

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #51 on: March 03, 2015, 06:44:02 PM »
GlassWire is a kind of firewall that uses the built-in Windows one, so it does not have a list of bad sites.

I will need to get back to the network guys.

Meanwhile, could you do the following to ensure that a Windows file has not been subverted:

Open an elevated command prompt :

Go Start > All programs > Accessories
Right click Command Prompt
Select "Run as Administrator"
In the black box that opens, copy/paste or type in the following command:

sfc /scannow

Once it has completed reboot
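A way to do the two checks this thread asks for, finding which file is behind the sso.anbtr.com address (Reply #45) and confirming that the Windows svchost.exe has not been subverted (Reply #51), from one elevated PowerShell prompt. This is an added example, not code from the thread or from GlassWire, Avast or FRST; the hostname is the one in the alerts, and everything else (variable names, output layout, the choice of netstat over the newer Get-NetTCPConnection so it also runs on Windows 7) is assumed.

```powershell
# Added example; not from the original thread or from GlassWire/Avast/FRST.
# Run in an elevated PowerShell prompt while the Avast alert is on screen.
# Assumption: the host name is the one in the thread's alerts; the rest is mine.

$SuspectHost = 'sso.anbtr.com'
$SvcHost     = Join-Path $env:SystemRoot 'System32\svchost.exe'

# 1. Is the reported svchost.exe the genuine Microsoft binary?
#    sfc /scannow repairs a tampered copy; this shows whether it needs to.
$sig = Get-AuthenticodeSignature -FilePath $SvcHost
$sha = [System.Security.Cryptography.SHA256]::Create()
$fs  = [System.IO.File]::OpenRead($SvcHost)
try     { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $fs.Close() }
Write-Host "svchost.exe signature: $($sig.Status) by $($sig.SignerCertificate.Subject)"  # expect Valid, a Microsoft subject
Write-Host "svchost.exe SHA256:    $hash"  # compare against a known-good copy of the same Windows build

# 2. Which process has a live connection to the host named in the alert?
#    netstat -ano is parsed instead of Get-NetTCPConnection so this also runs on Windows 7.
$targets = @([System.Net.Dns]::GetHostAddresses($SuspectHost) | ForEach-Object { $_.IPAddressToString })
Write-Host "$SuspectHost resolves to: $($targets -join ', ')"

$hits = netstat -ano | Select-String '^\s*(TCP|UDP)' | ForEach-Object {
    $f = $_.Line.Trim() -split '\s+'
    # TCP rows: Proto Local Foreign State PID ; UDP rows have no State column
    $procId = if ($f[0] -eq 'TCP') { $f[4] } else { $f[3] }
    $remote = $f[2] -replace ':\d+$', '' -replace '^\[|\]$', ''   # strip port and IPv6 brackets
    if ($targets -contains $remote) {
        New-Object PSObject -Property @{ Proto = $f[0]; Remote = $f[2]; ProcessId = [int]$procId }
    }
}

if (-not $hits) {
    Write-Host "No live connection to $SuspectHost. Re-run during an alert; if Avast's Web Shield"
    Write-Host "blocks the request before it leaves the machine, nothing will ever show here."
}
foreach ($h in $hits) {
    $p    = Get-Process -Id $h.ProcessId -ErrorAction SilentlyContinue
    $path = if ($p -and $p.Path) { $p.Path } else { '<exited or access denied>' }
    Write-Host "$($h.Proto) -> $($h.Remote)  PID $($h.ProcessId)  $path"
    if ($p -and $p.ProcessName -eq 'svchost') {
        # One svchost.exe instance hosts several services; the process name in
        # the alert does not say which service made the connection.
        Get-WmiObject Win32_Service -Filter "ProcessId = $($h.ProcessId)" |
            ForEach-Object { Write-Host "    hosts service: $($_.Name)  $($_.PathName)" }
    }
}
```

Run it while an alert is on screen. A Valid signature with a Microsoft subject on svchost.exe means sfc /scannow has nothing to repair there, and the service list printed under a matching svchost PID is the part the alert's process name leaves out. No match at all is consistent with what the thread later concludes: if Avast's Web Shield stops the request before it leaves the machine, neither GlassWire nor netstat will ever see a connection.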

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #52 on: March 03, 2015, 08:41:40 PM »
Okay, cool.

I did all that. The alert appeared like before. However, this time it didn't claim to be a Windows system program, but a Chrome file. I attached a screenshot.

thank you so much, as ever.

Offline essexboy

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #53 on: March 03, 2015, 09:54:31 PM »
OK, progress: the sfc appears to have replaced a suborned file and has now revealed the true location.

Re-install Chrome
1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall Chrome.
Note: When asked about user data or settings, you must remove this also, so please check the box.
5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
6. Import your bookmarks back into Chrome
7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #54 on: March 03, 2015, 10:14:52 PM »
Okay. I will totally do all that, although I'm not entirely convinced.

The virus appears in 90% of all cases as C:\windows\system32\svchost.exe

But sometimes it pops up as something else: Java, Windows Explorer, Chrome... It did it before (I'm pretty sure I posted pictures of it).

And the last virus alerts all stated C:\windows\system32\svchost.exe as the source again.

So... after I uninstall and reinstall Chrome, should I run sfc /scannow again?

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #55 on: March 03, 2015, 10:43:11 PM »
Aaaand - I'm back.

Here's what happened: I de-installed Chrome. Ran the sfc /scannow command once more. Rebooted the computer. Used Internet Explorer to go online to re-install Chrome and Firefox. Immediately, the virus alert popped up. And again once I opened Chrome.

I attached the two screenshots.

I'm really sorry this is so... annoying and time consuming to figure out. Gggrrrrr...

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #56 on: March 03, 2015, 10:53:52 PM »
Whoops*

Something "new" just happened... or not, I don't know how significant this is. But for the first time (that I noticed, at least), the URL was different. creative.wwwpromoter.com or something (wtf? hahaha)

I attached the screenshot.

Offline essexboy

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #57 on: March 03, 2015, 11:27:19 PM »
I thought that was it, as Chrome and FF share files... Back to the drawing board.

So you did not get the alert again until Chrome was installed, or did I misread that?

REDACTED

  • Guest
Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #58 on: March 03, 2015, 11:36:39 PM »
No, that's not how it was. The alert appeared when Chrome was not re-installed yet.

After I de-installed and rebooted the computer, I opened Internet Explorer to download Chrome. While Chrome was in the process of being downloaded, the virus alert popped up. You can see it on screenshot (24); the downloading process is going on in the background. I'm certain that it was before Chrome was even being installed.

And Firefox I re-installed even after that. So the virus alert popped up when I had neither Firefox nor Chrome on the computer.

I also hardly synchronize any of my programs or devices and don't log into Chrome. I don't let my browsers store information. And the only add-ons I have installed are Adblock, Ghostery, Avira, that kind of stuff...

Okay. Most of this is probably not even relevant. But yeah. I don't really know what to do, or even what to tell you that could be helpful... sorry.

Offline essexboy

Re: help with c:\\windows\system32\svchost.exe Virus
« Reply #59 on: March 04, 2015, 02:11:52 PM »
OK, talking with the network guys, it appears that Avast is too good and is stopping it before it even reaches GlassWire.

The next method will entail disabling Web Shield for a period, so I need to know if you are happy with that before I proceed.