cemaswr
Level 7
Message 1 of 16

Continuous messages: New malware.j - svchost.exe deleted

I have the following Antivirus installed on my laptop:

McAfee Total Protection Service

Product Version 5.0.0 Patch 003

DAT version 5839.0000

Scan engine version 5400.1158

Recently I have been getting pop-up messages every 5-10 minutes from McAfee. They are similar to what I have listed below, however, the file name changes (but it always begins with C:\WINDOWS\TEMP and always ends with \svchost.exe)

File deleted - svchost.exe

New malware.j

or

File deleted - svchost.exe

Artemis! 25AE1D740FCC

C:\WINDOWS\TEMP\halm.tmp\svchost.exe

Can anyone tell me what is causing the problem, and how can I fix it?

I appreciate the help.

Regards,

cemaswr

Moved to Corporate as this is Total Protection Service - Moderator

Message was edited by: Ex_Brit on 24/12/09 2:51:53 EST PM
15 Replies

Re: Continuous messages: New malware.j - svchost.exe deleted

I suggest removing your laptop from the network (LAN / WLAN / etc.) and performing a full system scan in safe mode using the latest SDAT.

cemaswr
Level 7
Message 3 of 16

Re: Continuous messages: New malware.j - svchost.exe deleted

Thanks darkshyre, I tried restarting in safe mode but it was not booting up. I get the following message:

STOP: 0x0000007E (0XC0000005, 0X80537009, 0XF78AA508, 0XF78AA204)

I did disconnect from the network and performed a scan that showed two potential threats. McAfee deleted these (I think they were cookies).

However, I have noticed that the messages only occur when I am connected to my network at work. When I am connected to other networks (eg at home) the messages do not pop up. Any ideas?

Thanks,

cemaswr.

nchattop
Level 12
Message 4 of 16

Re: Continuous messages: New malware.j - svchost.exe deleted

Hi

The best way to submit potential false positives is as follows:

If you believe a false detection or misclassification has occurred with a particular file, use the steps below to submit the sample in question to McAfee Labs for review. 

When analysis of the sample is complete, one of the following will occur:

* The sample is considered clean, detection is suppressed and will be updated in the earliest DAT release.

* The sample is misclassified, reclassification will occur and detection will be updated in the earliest DAT release.

* Analysis of the file determines that the sample is properly detected. The customer will be notified of the results.

*False Positive Submission Procedure:*

1. When submitting a sample, send it to the McAfee Labs Virus Research mailbox: virus_research@avertlabs.com

2. All false positive samples should have the word *FALSE* in the subject line. Example subject line:

*FALSE: In-house file being detected by McAfee*

3. Ensure that you include the On Access / On Demand Scan log files of the McAfee product along with the DAT and engine versions in use at the time. Also, include any other relevant information regarding why you believe the file has been incorrectly detected. This information will be helpful during our analysis of the sample. Example email message:

*NOTE:* Failure to supply all of the information requested above may result in delays in the analysis process.

Hope this helps!

Regards

Neha

cemaswr
Level 7
Message 5 of 16

Re: Continuous messages: New malware.j - svchost.exe deleted

Hello Neha,

Thanks for your suggestion. I'll try that and see what happens.

Regards,

cemaswr.

nchattop
Level 12
Message 6 of 16

Re: Continuous messages: New malware.j - svchost.exe deleted

Hi

Did the issue get fixed?

-Neha

cemaswr
Level 7
Message 7 of 16

Re: Continuous messages: New malware.j - svchost.exe deleted

Hello Neha,

Thanks for asking, but the problem is not fixed. In fact, after I updated McAfee about two days ago, it keeps saying "on access scan currently disabled" and the icon in the tray has a red exclamation mark. I opened the console and clicked Fix, but it immediately goes back to saying "on access scan currently disabled". Today the Fix button is grayed out and cannot be clicked. I really am not sure what the problem is.

I do think I have some sort of virus or malware though. I downloaded Avira AntiVir since McAfee stopped, and that program also gives me pop-up messages every few minutes saying:

"A virus or unwanted program was found

C:\WINDOWS\TEMP\etpw.tmp\svchost.exe
Is the TR/Agent.defg Trojan"

and these are the same files that McAfee was detecting and deleting.

Is there any way to fix this? I hope you can help.

Thanks,

cemaswr.

McAfee Employee dmeier
McAfee Employee
Message 8 of 16

Re: Continuous messages: New malware.j - svchost.exe deleted

The New Malware.j detection is a heuristic detection and indicates that we need a copy of that file. If you could submit that .tmp file to www.webimmune.net, we could get it added to the DAT files with a proper detection/cleaning driver, and it would help. I'm sure there are other files on the system as well, but let's take it one step at a time.

In order to get that file, you'll need to be careful not to spread the infection to other systems. The best way is to boot from a boot CD, then zip up that file with a password, and then you can place it on another system for submission to webimmune. Otherwise, a somewhat riskier option is to connect to the infected system from a clean system and copy the file to the clean system. Of course, it would likely get detected by the clean system, which would prevent you from copying the file. You could disable the AV on the clean system, but it might get infected at that point. So, perhaps using a thumb drive would be an option.

You get the idea, it's risky, but you need to find the safest way to get that file submitted to webimmune.net.

I like the boot CD option, but one of the best boot CD images out there is a bit dodgy, in that the licensing for the applications it includes requires that you have your own separate license for many of the programs. I'm sure a lawyer somewhere will let me know if I'm crossing the line, but as long as you only boot into the Mini Windows XP option and don't use any of the applications you do not have a license for, you should be in the clear. It's otherwise a great boot CD, and will allow you to gather the sample and remove any suspect files manually.

http://www.hirensbootcd.net/

Let us know if you get stuck

cemaswr
Level 7
Message 9 of 16

Re: Continuous messages: New malware.j - svchost.exe deleted

Hello David,

The New Malware.j message was the one I got initially, but that stopped after one day. The message still kept popping up; however, it now says:

"File deleted - svchost.exe
Generic.dx!jfw
C:\WINDOWS\TEMP\pucr.tmp\svchost.exe"

or something similar (the text in bold changes).

Should I follow the same steps you suggested? And if so, can you please be a little more specific, because I don't quite understand what I need to do.

Thanks,

cemaswr.
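A small triage script for the pop-up text quoted in this thread (the first post and Message 9), added here as an example; it is not part of the thread or of any McAfee tool. The sample alert lines are constructed from the quoted pop-ups, and the two path rules (svchost.exe belongs only in %SystemRoot%\system32; a random "<name>.tmp" folder under C:\WINDOWS\TEMP is the dropper pattern seen here) are assumptions.

```python
import re
from collections import Counter

# Constructed sample of the pop-ups quoted in this thread (action, detection, path).
SAMPLE_ALERTS = """\
File deleted - svchost.exe
New malware.j

File deleted - svchost.exe
Artemis! 25AE1D740FCC
C:\\WINDOWS\\TEMP\\halm.tmp\\svchost.exe

File deleted - svchost.exe
Generic.dx!jfw
C:\\WINDOWS\\TEMP\\pucr.tmp\\svchost.exe
"""

# Assumed path patterns: the only legitimate svchost.exe on Windows XP lives in
# %SystemRoot%\system32; the thread's copies sit in a random "<name>.tmp" folder.
LEGIT_SVCHOST = re.compile(r"^[a-z]:\\windows\\system32\\svchost\.exe$", re.I)
TEMP_DROPPER = re.compile(r"^[a-z]:\\windows\\temp\\[a-z0-9]{3,8}\.tmp\\svchost\.exe$", re.I)

def parse_alerts(text):
    """Split pop-up text into dicts: action, file, detection, path (None if absent)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        m = re.match(r"^(File \w+) - (.+)$", lines[0]) if lines else None
        if not m:
            continue  # not an on-access scanner alert
        alerts.append({"action": m.group(1), "file": m.group(2),
                       "detection": lines[1] if len(lines) > 1 else None,
                       "path": lines[2] if len(lines) > 2 else None})
    return alerts

def classify_path(path):
    """'legit', 'temp-dropper', 'unexpected', or None when the alert had no path."""
    if path is None:
        return None
    if LEGIT_SVCHOST.match(path):
        return "legit"
    return "temp-dropper" if TEMP_DROPPER.match(path) else "unexpected"

def summarize(text):
    """Tally names and path classes; many distinct drop dirs = active dropper, not a FP."""
    alerts = parse_alerts(text)
    return {"detections": Counter(a["detection"] for a in alerts),
            "classes": Counter(classify_path(a["path"]) for a in alerts),
            "drop_dirs": sorted({a["path"].split("\\")[-2] for a in alerts
                                 if classify_path(a["path"]) == "temp-dropper"})}
```

Run summarize(SAMPLE_ALERTS): three different detection names on the same file name in freshly named temp folders is the signature of a dropper being re-executed on the machine, which is why the later replies move from the FALSE submission route to sample collection and removal.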

Grif
Level 10
Message 10 of 16

Re: Continuous messages: New malware.j - svchost.exe deleted

Since the detection is a trojan and it appears that McAfee is having a tough time cleaning it out, please try the steps below to remove it:

Download ALL of the tools below on a friend's or family member's CLEAN computer and copy them to a CD or flash drive, then transfer them to the problem machine.

First, please download and run the following tool to help allow the removal programs below to run. (courtesy of Grinler at BleepingComputer.com)
There are 4 different versions. If one of them won't run then try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

Rkill.exe http://download.bleepingcomputer.com/grinler/rkill.exe
Rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
Rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
Rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif
_____________________

IMMEDIATELY after running the "Rkill" tool above, run/install the Malwarebytes and SuperAntispyware installer and update files from the links below, which you've also copied to a CD or flash drive and transferred to the problem machine. Do NOT restart the computer after running Rkill.

Once downloaded, and before transferring Malwarebytes and SuperAntispyware to the problem machine, rename the program installer "mbam-setup.exe" file to something else like "Gogetum.exe", then copy the installer file and the update file to a CD or flash drive. Transfer the file to the problem machine, then install the "Gogetum.exe" file, then run the update to get the program current. After that, run a full system scan and delete anything it finds.

Malwarebytes Installer Download Link (Clicking on the links below will immediately start the download dialogue window.)
http://www.besttechie.net/tools/mbam-setup.exe

Malwarebytes Manual Updater link
http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Next, install and run a full system scan with the SuperAntispyware program and the manual updater from the links below. As before, you may need to rename the installer file to get the program to install:

SuperAntispyware
http://www.superantispyware.com/

SuperAntispyware Manual Updater
http://www.superantispyware.com/definitions.html
____________

In a few situations, in order for the program to run, it was also necessary to rename the main "mbam.exe" file after installing it. It resides in the C:\Programs Files\Malwarebytes Antimalware folder.
_____________________

Hope this helps.

Grif