15 Replies. Latest reply on Jan 19, 2010 3:12 PM by nchattop

    Continuous messages: New malware.j - svchost.exe deleted

      I have the following Antivirus installed on my laptop:

      McAfee Total Protection Service

      Product Version 5.0.0 Patch 003

      DAT version 5839.0000

      Scan engine version 5400.1158

      Recently I have been getting pop-up messages every 5-10 minutes from McAfee. They are similar to what I have listed below; however, the file name changes (but it always begins with C:\WINDOWS\TEMP and always ends with \svchost.exe).

      File deleted - svchost.exe
      New malware.j

      or

      File deleted - svchost.exe
      Artemis! 25AE1D740FCC
      C:\WINDOWS\TEMP\halm.tmp\svchost.exe

      Can anyone tell me what is causing the problem, and how can I fix it?

      I appreciate the help.

      Regards,
      cemaswr

      Moved to Corporate as this is Total Protection Service - Moderator

      Message was edited by: Ex_Brit on 24/12/09 2:51:53 PM EST
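The alerts above identify the dropped copy by path only. On a 32-bit Windows XP machine the one legitimate svchost.exe is %SystemRoot%\system32\svchost.exe, and every genuine instance is started by services.exe, so a copy under C:\WINDOWS\TEMP\<name>.tmp\ breaks both rules. The script below is an added example, not code from this thread or from McAfee: it triages a process listing for svchost.exe instances that fail either check. It parses the CSV that wmic prints (command in the docstring); the process rows embedded in it are constructed to mirror the poster's symptom, and %SystemRoot% is assumed to be C:\WINDOWS as in the poster's paths.

```python
"""Triage every svchost.exe in a Windows process listing.

Added example for this thread, not code from the original posts or from
McAfee. Input is the CSV that

    wmic process get ProcessId,ParentProcessId,Name,ExecutablePath /format:csv

prints on the suspect machine. The sample below is constructed to mirror the
symptom in the thread: two genuine service hosts under system32 started by
services.exe, plus a copy under C:\\WINDOWS\\TEMP\\<name>.tmp\\ started by
explorer.exe. Assumptions: %SystemRoot% is C:\\WINDOWS (as in the poster's
paths) and the machine is 32-bit XP, so there is exactly one legitimate
svchost.exe location.
"""
import csv
import re

LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"
# Drop location seen in the thread: C:\WINDOWS\TEMP\<random>.tmp\svchost.exe
TEMP_DROP_RE = re.compile(r"^c:\\windows\\temp\\[^\\]+\.tmp\\svchost\.exe$",
                          re.IGNORECASE)

# Constructed sample of wmic /format:csv output: a blank first line, a Node
# column, then the requested properties. The parser keys rows by header name,
# so the column order wmic chooses does not matter.
SAMPLE_WMIC_CSV = """
Node,ExecutablePath,Name,ParentProcessId,ProcessId
LAPTOP,C:\\WINDOWS\\system32\\services.exe,services.exe,596,652
LAPTOP,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,652,828
LAPTOP,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,652,904
LAPTOP,C:\\WINDOWS\\explorer.exe,explorer.exe,1412,1480
LAPTOP,C:\\WINDOWS\\TEMP\\halm.tmp\\svchost.exe,svchost.exe,1480,2212
"""


def parse_wmic_csv(text):
    """Rows from wmic CSV output as dicts keyed by column name.

    Blank lines are skipped: wmic starts with one, and its CR CR LF line
    endings leave one between every two rows once the file is decoded.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(lines))


def triage_svchost(rows):
    """Return [(pid, path, [reasons])] for each svchost.exe that is not a
    genuine service host: wrong image path, the TEMP drop pattern, or a
    parent other than services.exe (the only process that should start it)."""
    by_pid = {row["ProcessId"]: row for row in rows}
    findings = []
    for row in rows:
        if row["Name"].lower() != "svchost.exe":
            continue
        path = row["ExecutablePath"] or ""
        reasons = []
        if path.lower() != LEGIT_SVCHOST:
            reasons.append("image path is not " + LEGIT_SVCHOST)
        if TEMP_DROP_RE.match(path):
            reasons.append("matches the TEMP\\<name>.tmp\\svchost.exe drop pattern")
        parent = by_pid.get(row["ParentProcessId"])
        parent_name = parent["Name"].lower() if parent else "<not in listing>"
        if parent_name != "services.exe":
            reasons.append("parent is %s, not services.exe" % parent_name)
        if reasons:
            findings.append((int(row["ProcessId"]), path, reasons))
    return findings


if __name__ == "__main__":
    # On the real machine: wmic ... /format:csv > procs.csv (wmic writes
    # UTF-16 when redirected), then parse open("procs.csv", encoding="utf-16").read().
    for pid, path, reasons in triage_svchost(parse_wmic_csv(SAMPLE_WMIC_CSV)):
        print("PID %d %s" % (pid, path))
        for why in reasons:
            print("    - " + why)
```

On the constructed listing only PID 2212 is reported, with all three reasons. The parent check matters because the dropper can copy itself under any name; a service host that explorer.exe or another svchost.exe started is suspect even when its path looks right. On 64-bit Windows a second legitimate copy exists under SysWOW64, so LEGIT_SVCHOST would become a set there.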
        • 1. Re: Continuous messages: New malware.j - svchost.exe deleted

          I suggest removing your laptop from the network (LAN / WLAN / etc.) and performing a full system scan in safe mode using the latest SDAT.
          • 2. Re: Continuous messages: New malware.j - svchost.exe deleted

            Thanks darkshyre, I tried restarting in safe mode but it was not booting up. I get the following message:

            STOP: 0x0000007E (0XC0000005, 0X80537009, 0XF78AA508, 0XF78AA204)

            I did disconnect from the network and performed a scan that showed two potential threats. McAfee deleted these (I think they were cookies).

            However, I have noticed that the messages only occur when I am connected to my network at work. When I am connected to other networks (e.g. at home) the messages do not pop up. Any ideas?

            Thanks,
            cemaswr.

            • 3. Re: Continuous messages: New malware.j - svchost.exe deleted

              Hi

              The best way to submit potential false positives is as follows:

              If you believe a false detection or misclassification has occurred with a particular file, use the steps below to submit the sample in question to McAfee Labs for review.

              When analysis of the sample is complete, one of the following will occur:

              * The sample is considered clean; detection is suppressed and will be updated in the earliest DAT release.
              * The sample is misclassified; reclassification will occur and detection will be updated in the earliest DAT release.
              * Analysis of the file determines that the sample is properly detected. The customer will be notified of the results.

              False Positive Submission Procedure:

              1. When submitting a sample, send it to the McAfee Labs Virus Research mailbox: virus_research@avertlabs.com
              2. All false positive samples should have the word FALSE in the subject line. Example subject line:
                 FALSE: In-house file being detected by McAfee
              3. Ensure that you include the On Access / On Demand Scan log files of the McAfee product along with the DAT and engine versions in use at the time. Also, include any other relevant information regarding why you believe the file has been incorrectly detected. This information will be helpful during our analysis of the sample. Example email message:

              NOTE: Failure to supply all of the information requested above may result in delays in the analysis process.

              Hope this helps!

              Regards
              Neha
              • 4. Re: Continuous messages: New malware.j - svchost.exe deleted

                Hello Neha,

                Thanks for your suggestion. I'll try that and see what happens.

                Regards,
                cemaswr.

                • 5. Re: Continuous messages: New malware.j - svchost.exe deleted

                  Hi

                  Did the issue get fixed?

                  -Neha

                  • 6. Re: Continuous messages: New malware.j - svchost.exe deleted

                    Hello Neha,

                    Thanks for asking, but the problem is not fixed. In fact, after I updated McAfee about two days ago, it keeps saying "on access scan currently disabled" and the icon in the tray has a red exclamation mark. I opened the console and clicked Fix, but it immediately goes back to saying "on access scan currently disabled". Today the Fix button is grayed out and cannot be clicked. I really am not sure what the problem is.

                    I do think I have some sort of virus or malware though. I downloaded Avira AntiVir since McAfee stopped, and that program also gives me pop-up messages every few minutes saying:

                    "A virus or unwanted program was found
                    C:\WINDOWS\TEMP\etpw.tmp\svchost.exe
                    Is the TR/Agent.defg Trojan"

                    and these are the same files that McAfee was detecting and deleting.

                    Is there any way to fix this? I hope you can help.

                    Thanks,
                    cemaswr.

                    • 7. Re: Continuous messages: New malware.j - svchost.exe deleted
                      dmeier

                      The New Malware.j detection is a heuristic detection, and indicates that we need a copy of that file. If you could submit that .tmp file to www.webimmune.net, we could get it added to the DAT files with a proper detection/cleaning driver, and it would help. I'm sure there are other files on the system as well, but let's take it one step at a time.

                      In order to get that file, you'll need to be careful not to spread the infection to other systems. The best way is to boot into a boot CD, and then zip up that file with a password, and then you can place it on another system for submission to webimmune. Otherwise, a somewhat riskier option is to connect to the infected system from a clean system, and copy the file to the clean system. Of course it would likely get detected by the clean system, which would prevent you from copying the file. You could disable the AV on the clean system, but it might get infected at that point. So, perhaps using a thumb drive would be an option.

                      You get the idea: it's risky, but you need to find the safest way to get that file submitted to webimmune.net.

                      I like the boot CD option, but one of the best boot CD images out there is a bit dodgy, in that the licensing for the applications it includes requires that you have your own separate license for many of the programs. I'm sure a lawyer somewhere will let me know if I'm crossing the line, but as long as you only boot into the Mini Windows XP option, and don't use any of the applications you do not have a license for, you should be in the clear. It's otherwise a great boot CD, and will allow you to gather the sample, and remove any suspect files manually.

                      http://www.hirensbootcd.net/

                      Let us know if you get stuck
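The Artemis! detection quoted in the first post and the sample-submission step described in this reply both turn on the file's MD5: by McAfee's naming convention, the 12 hex characters after Artemis! are the first 12 hex characters of the detected file's MD5. The script below is an added example, not code from this thread, from McAfee or from webimmune. It uses that convention to confirm which of several TEMP\<name>.tmp\svchost.exe copies a given pop-up referred to, and builds the manifest (path, hashes, DAT and engine versions, alert text) that goes alongside a submission. The sample bytes are a constructed placeholder; the DAT and engine versions and the alert string are the ones the poster gave.

```python
"""Tie an Artemis! alert back to a file and build a sample-submission manifest.

Added example for this thread, not code from the posts, McAfee or webimmune.
It relies on McAfee's naming convention for Artemis (GTI) detections: the hex
string after "Artemis!" is the first 12 hex characters of the file's MD5. The
alert text below is the one quoted in the first post; the sample bytes and
path are constructed for the example.
"""
import hashlib
import json
import re

# Tolerates the space the poster's alert shows between "Artemis!" and the hash.
ARTEMIS_RE = re.compile(r"Artemis!\s*([0-9A-Fa-f]{12})")

# Constructed stand-in for the dropped file. A real sample would be read with
# open(path, "rb").read() from a boot CD, never from the infected session.
SAMPLE_BYTES = b"MZ constructed placeholder, not the real dropped svchost.exe\n"
SAMPLE_PATH = r"C:\WINDOWS\TEMP\halm.tmp\svchost.exe"
ALERT_FROM_THREAD = "File deleted - svchost.exe Artemis! 25AE1D740FCC"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def artemis_name(data):
    """Detection name Artemis would report for these bytes."""
    return "Artemis!" + md5_hex(data)[:12].upper()


def alert_matches_file(alert_line, data):
    """True when the Artemis! hash in an alert line was computed over `data`.
    Lines without an Artemis! hash (e.g. the New malware.j alert) never match."""
    m = ARTEMIS_RE.search(alert_line)
    return bool(m) and m.group(1).upper() == md5_hex(data)[:12].upper()


def submission_manifest(path, data, dat_version, engine_version, alert_line):
    """The metadata McAfee Labs asks to see alongside a sample: where it was,
    its hashes, the DAT/engine that fired, and the alert text. Ship this as a
    text file next to the password-protected zip."""
    return {
        "original_path": path,
        "size": len(data),
        "md5": md5_hex(data),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "artemis_name_for_this_file": artemis_name(data),
        "alert_as_seen": alert_line,
        "alert_refers_to_this_file": alert_matches_file(alert_line, data),
        "dat_version": dat_version,
        "engine_version": engine_version,
    }


if __name__ == "__main__":
    # DAT and engine versions are the ones the poster listed.
    manifest = submission_manifest(SAMPLE_PATH, SAMPLE_BYTES, "5839.0000",
                                   "5400.1158", ALERT_FROM_THREAD)
    print(json.dumps(manifest, indent=2))
```

For the placeholder bytes alert_refers_to_this_file comes out False, which is the point: a mismatch means the pop-up was about a different copy (the file name changes every few minutes in this thread), so hash each surviving copy before deciding which to send. Python's zipfile module cannot write password-protected archives, so the zip-with-password step stays with 7-Zip or zip -P on the clean machine (the password AV vendors conventionally ask for is "infected"); only the manifest comes from this script.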

                      • 8. Re: Continuous messages: New malware.j - svchost.exe deleted

                        Hello David,

                        The New Malware.j was the message I got initially, but that stopped after one day. The message still kept popping up; however, it now says:

                        "File deleted - svchost.exe
                        Generic.dx!jfw
                        C:\WINDOWS\TEMP\pucr.tmp\svchost.exe"

                        or something similar (the text in bold changes).

                        Should I follow the same steps you suggested? And if so, can you please be a little more specific, because I don't quite understand what I need to do.

                        Thanks,
                        cemaswr.

                        • 9. Re: Continuous messages: New malware.j - svchost.exe deleted

                          Since the detection is a trojan and it appears that McAfee is having a tough time cleaning it out, please try the steps below to remove it:

                          Download ALL of the tools below on a friend or family member's CLEAN computer and copy them to a CD or flash drive, then transfer them to the problem machine.

                          First, please download and run the following tool to help allow the removal programs below to run (courtesy of Grinler at BleepingComputer.com).
                          There are 4 different versions. If one of them won't run then try to run the other one.
                          Vista and Win7 users need to right click and choose Run as Admin.
                          You only need to get one of them to run, not all of them.

                          Rkill.exe http://download.bleepingcomputer.com/grinler/rkill.exe
                          Rkill.com http://download.bleepingcomputer.com/grinler/rkill.com
                          Rkill.scr http://download.bleepingcomputer.com/grinler/rkill.scr
                          Rkill.pif http://download.bleepingcomputer.com/grinler/rkill.pif
                          _____________________

                          IMMEDIATELY after running the "Rkill" tool above, run/install the Malwarebytes and SuperAntispyware installer and update files from the links below, which you've also copied to a CD or flash drive and transferred to the problem machine. Do NOT restart the computer after running Rkill.

                          Once downloaded and before transferring Malwarebytes and SuperAntispyware to the problem machine, rename the program installer "mbam-setup.exe" file to something else like "Gogetum.exe", then copy the installer file and the update file to a CD or flash drive. Transfer the file to the problem machine, then install the "Gogetum.exe" file, then run the update to get the program current. After that, run a full system scan and delete anything it finds.

                          Malwarebytes Installer Download Link (Clicking on the links below will immediately start the download dialogue window.)
                          http://www.besttechie.net/tools/mbam-setup.exe

                          Malwarebytes Manual Updater link
                          http://www.malwarebytes.org/mbam/database/mbam-rules.exe

                          Next, install and run a full system scan with the SuperAntispyware program and the manual updater from the links below. As before, you may need to rename the installer file to get the program to install:

                          SuperAntispyware
                          http://www.superantispyware.com/

                          SuperAntispyware Manual Updater
                          http://www.superantispyware.com/definitions.html
                          ____________

                          In a few situations, in order for the program to run, it was also necessary to rename the main "mbam.exe" file after installing it. It resides in the C:\Program Files\Malwarebytes Antimalware folder.
                          _____________________

                          Hope this helps.

                          Grif