7 Replies Latest reply on Jun 25, 2010 4:46 AM by GSP001

    New Malware.j in svchost.exe

      I've had this pop-up from McAfee appearing every 5 minutes, which I confirmed by checking the files that have been quarantined. They have literally been detected every 5 minutes and a scan reveals nothing.

      Not sure what might have caused this. I am assuming it might be coming from the 2nd computer that is also in our network at home.

      What steps should I take in order to either remove or stop this from happening?

      Other information:

      I have not visited any websites that are out of the ordinary. Meaning, same websites that I've visited for years and have been careful to go anywhere that is not known to me.

       

      I've attached a screenshot of what the quarantined files look like. If there aren't more, it's because I went and removed almost 200 of those files already.

       

      Also, while using Firefox, I seem to be getting different tabs coming up from a supposed "Google" Job offering. I also get re-directed to random websites.

       

      My mouse-cursor seems to randomly be moving all over the place too at random times when in use.

        • 1. Re: New Malware.j in svchost.exe

          The Firefox redirects look like JS/Redirector (VIL - http://vil.nai.com/vil/content/v_249453.htm), and I would request you to update DATs and re-run a scan on the machine.

           

          New Malware.j is a heuristic detection, meaning that the scanner has seen suspicious activity on a process, like creating new files and attempting to use elevated privileges, etc. If a sample is detected as New Malware.j then it is likely that the system is currently infected and has virus or Trojan processes running.

           

          The New Malware.j detection intentionally does not contain repair, as files detected under this name could be performing any malicious activity.  Samples detected as "New Malware.j" should be submitted to AVERT so that they can be properly classified and have proper repair added to the DAT files.

           

          Please submit the detected samples to Avert using steps outlined here. This will help us identify the infection and add detection accordingly.

          • 2. Re: New Malware.j in svchost.exe

            I'm trying to add the folder to a zip file but that is not working. Is it due to the quarantine McAfee has placed on it?

             

            I'm already signed up to the AVert Labs and am currently trying to send it in. Now I'm also getting Hiloti.gen and Artemis popups from McAfee.

             

             

            Message was edited by: Knivez on 12/22/09 5:05:11 PM CST
            • 3. Re: New Malware.j in svchost.exe

              Something else to try....

               

              Download ALL of the tools below on a friend or family member's, CLEAN computer and copy them to a CD or flash drive, then transfer them to the problem machine.

               

              First, please download and run the following tool to help allow the removal programs below to run. (courtesy of Grinler at BleepingComputer.com)
              There are 4 different versions. If one of them won't run then try to run the other one.
              Vista and Win7 users need to right click and choose Run as Admin
              You only need to get one of them to run, not all of them.

               

              Rkill.exe http://download.bleepingcomputer.com/grinler/rkill.exe
              Rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
              Rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
              Rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif
              _____________________

               

              IMMEDIATELY after running the "Rkill" tool above, run/install the Malwarebytes and SuperAntispyware installer and update files from the links below which you've also copied to a CD or flash drive, and transferred to the problem machine. Do NOT restart the computer after running Rkill.

               

              Once downloaded and before transferring Malwarebytes and SuperAntispyware to the problem machine, rename the program installer "mbam-setup.exe" file to something else like "Gogetum.exe", then copy the installer file and the update file to a CD or flash drive. Transfer the file to the problem machine, then install the "Gogetum.exe" file, then run the update to get the program current. After that, run a full system scan and delete anything it finds.

               

              Malwarebytes Installer Download Link (Clicking on the links below will immediately start the download dialogue window.)
              http://www.besttechie.net/tools/mbam-setup.exe

               

              Malwarebytes Manual Updater link
              http://www.malwarebytes.org/mbam/database/mbam-rules.exe

               

              Next, install and run a full system scan with the SuperAntispyware program and the manual updater from the links below. As before, you may need to rename the installer file to get the program to install:

               

              SuperAntispyware
              http://www.superantispyware.com/

               

              SuperAntispyware Manual Updater
              http://www.superantispyware.com/definitions.html
              ____________

               

              In a few situations, in order for the program to run, it was also necessary to rename the main "mbam.exe" file after installing it. It resides in the C:\Program Files\Malwarebytes Antimalware folder.
              _____________________

               

              Hope this helps.

               

              Grif

              • 4. Re: New Malware.j in svchost.exe

                Even if I am able to install what you've asked on the infected computer, should I still do this on a clean computer? I actually was attempting to get help from bleeping computer as well.

                 

                Here's a link to the topic that I made on Bleeping Computer

                 

                That's what I've been doing.

                 

                Aside from that, I have added symptoms and added viral issues beyond New Malware.j, which I no longer get a warning for.

                 

                At the moment, I am now getting warnings for Bredolab.gen.l, Hiloti.gen, and Artemis!A6A4EF77DC23 from McAfee.

                • 5. Re: New Malware.j in svchost.exe

                  I have a similar problem with this trojan.  McAfee reports:

                   

                  About this Trojan
                  Detected: New Malware.j (Trojan)
                  Quarantined From: C:\WINDOWS\TEMP\pgex.tmp\svchost.exe

                   

                  A new folder under C:\WINDOWS\TEMP\ (pgex in the example above) is created about every 5 minutes. The folders are empty.

                   

                  I have deleted a couple of hundred or more of these folders.

                   

                  No other effects have been detected to date.

                   

                  I have run rkill, and installed, updated and run both Malwarebytes and SuperAntispyware as suggested.

                   

                  The virus persists.

                   

                  Are there any other solutions?

                  • 6. Re: New Malware.j in svchost.exe

                    I also have a similar problem. I now get pop up messages from McAfee every 5-10 minutes saying:

                     

                    "File deleted - svchost.exe
                    Generic.dx!jfw
                    C:\WINDOWS\TEMP\pucr.tmp\svchost.exe"

                     

                    The file name changes (but it always begins with C:\WINDOWS\TEMP and always ends with \svchost.exe). For the first day or two the second line said:

                    "New malware.j"

                     

                    but then that changed to:

                    "Artemis! 25AE1D740FCC"

                     

                    and now it is as shown in the first quote.

                     

                    I have run a lot of programs (Malwarebytes AM, SUPERAntispyware, and Spybot) and none detect any problems.

                     

                    Hopefully a solution can be found. Thanks.
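
                    Added example (not written by any poster in this thread and not McAfee tooling): a Python triage sketch for the pattern reported in replies 5 and 6, where a file named svchost.exe keeps being detected under a changing C:\WINDOWS\TEMP\*.tmp folder every few minutes. The record layout, the timestamps and the 20% tolerance are assumptions; the genuine svchost.exe lives in System32 (and SysWOW64 on 64-bit Windows), so any other location is flagged.

```python
import re
from datetime import datetime
from ntpath import basename, dirname, normcase
from statistics import median

# Directories where Windows keeps the genuine svchost.exe.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Path shape reported in the thread: C:\WINDOWS\TEMP\<name>.tmp\svchost.exe
DROP_RE = re.compile(r"^c:\\windows\\temp\\[^\\]+\.tmp\\svchost\.exe$")

# Constructed records: (timestamp, detection name, path). The timestamps, the
# "abcd"/"wxyz" folders and the JS/Redirector path are invented for the demo;
# the record layout is an assumption, not McAfee's log format.
SAMPLE = [
    ("2009-12-22 16:00:04", "New Malware.j", r"C:\WINDOWS\TEMP\pgex.tmp\svchost.exe"),
    ("2009-12-22 16:05:06", "New Malware.j", r"C:\WINDOWS\TEMP\abcd.tmp\svchost.exe"),
    ("2009-12-22 16:07:30", "JS/Redirector", r"C:\Temp\cache\page.js"),
    ("2009-12-22 16:10:03", "Generic.dx!jfw", r"C:\WINDOWS\TEMP\pucr.tmp\svchost.exe"),
    ("2009-12-22 16:15:07", "Generic.dx!jfw", r"C:\WINDOWS\TEMP\wxyz.tmp\svchost.exe"),
]

def is_masquerading_svchost(path):
    """True for a file named svchost.exe that sits outside the system dirs."""
    p = normcase(path)
    return basename(p) == "svchost.exe" and dirname(p) not in LEGIT_DIRS

def triage(records, tolerance=0.2):
    """Summarise masquerading-svchost detections and test them for periodicity."""
    hits = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), normcase(path), name)
        for ts, name, path in records if is_masquerading_svchost(path)
    )
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
    mid = median(gaps) if gaps else None
    # Periodic: 3+ hits whose gaps all stay within `tolerance` of the median.
    periodic = len(hits) >= 3 and all(abs(g - mid) <= tolerance * mid for g in gaps)
    return {
        "hits": len(hits),
        "temp_drop_pattern": sum(1 for _, p, _ in hits if DROP_RE.match(p)),
        "distinct_dirs": len({dirname(p) for _, p, _ in hits}),
        "detection_names": sorted({n for _, _, n in hits}),
        "median_gap_s": mid,
        "periodic": periodic,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

                    A periodic result with a different folder on every hit means the scanner is only removing the dropped copy while something still running keeps recreating it, which matches the repeated detections with clean full scans described above.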

                    • 7. Re: New Malware.j in svchost.exe

                      I now have the same error on my Win7 machine.

                      Do you have a solution right now?

                       

                      wbr

                      George