virus C:\mswvc.exe everyday

[chad82]

Hello,
Im on avast business pro and we got a virus alert in C:\mswvc.exe that is being alerted on one of the machines almost EVERYDAY (also gets quarantined or deleted). Is there a way to see how this virus is being constantly created?

[Pondus]

attach requested logs  >>  https://forum.avast.com/index.php?topic=194892.0



also upload   C:\mswvc.exe  and scan it here  www.virustotal.com
post link to scan result here

[chad82]

it is a windows 2003 server. Mbytes is not compatible is there any alternative?

[Pondus]

it is a windows 2003 server. Mbytes is not compatible is there any alternative?

and step #2 FRST ?   those two diagnostic logs are the important ones

[chad82]

here are the 2 logs from the FRST.
Is the mbytes log mandatory? Would a legacy version of mbytes be enough?

[Pondus]

I will notify the malware expert @Sass Drake and he will give further instructions

It may take hours before he is online

[chad82]

thank you for your prompt reply, i will be waiting

[Sass Drake]

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

Task: C:\WINDOWS\Tasks\sysnetsf.job => C:\Documents and Settings\Default User\Application Data\WINYS\mtwvc.exe
HKLM\...\batfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <==== ATTENTION
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <==== ATTENTION

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

Bear in mind that Microsoft doesn't support no longer Windows Server 2003 and it didn't received  any security update during last 4 years.

[chad82]

thanks for the reply, here is the attached log

[Sass Drake]

What is system status now?

[chad82]

sorry i should have been more descriptive. the machine shuts off on its own. After running a full avast scan, i'm not able to find any viruses but the next day i will see that virus was detected and deleted. I will also see the "unexpected shutdown window" servers see when they shutdown. When it is on, it acts normally but when it shuts off  unexpectedly it causes issues for others.

[chad82]

since i've been seeing the same virus everyday wanted to see if avast is able to trace where the file is being created and delete the program or report the application that is calling that process. I have multiple computers that are seeing this mswvc.exe almost everyday.

[Sass Drake]

Report tomorrow what happened with Avast.

[chad82]

will do thank you

[REDACTED]

I have been having the same problem for about a month.  I have about 5 users who are having the same symptoms shutdowns that seem to happen at about the same time.   There is nothing in task scheduler. Avast detects it and remove it and it starts up again Sophos does the same.