Need help with this one. I installed CIS 8 after the machine got infected (by email).
It doesn’t detect any viruses, but MBAM did catch a few.
The problem is that although I cleaned a few exe files, the problem is coming from svchost, which is trusted. I can see it connecting to a number of different malicious IP addresses (botnet).
How can I clean this? Deleting svchost will obviously cause some major problems.
It found one of the files, but I did another scan using this tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
It found these entries on the system:
HKLM-x32.…\Run: [aaaaaaaa] => C:\Windows\SysWOW64\aaaaaaaa.exe [69120 2015-01-14] ()
HKU\S-1-5-21-1336365477-2799001624-700887431-6974.…\Run: [aaaaaaaa] => C:\Users\28130000002\aaaaaaaa.exe [69120 2015-01-14] ()
HKU\S-1-5-21-1336365477-2799001624-700887431-6974.…\Run: [dotrudtegibd] => C:\Users\28130000002\dotrudtegibd.exe [154880 2015-01-15] ()
2015-01-15 14:24 - 2015-01-15 14:24 - 00154880 ___SH () C:\Users\28130000002\dotrudtegibd.exe
2015-01-14 11:52 - 2015-01-14 11:52 - 00069120 _____ () C:\Windows\SysWOW64\aaaaaaaa.exe
2015-01-14 11:52 - 2015-01-14 11:52 - 00069120 _____ () C:\Users\28130000002\aaaaaaaa.exe
2015-01-14 11:43 - 2015-01-14 11:43 - 00400384 _____ () C:\Windows\OPgtWMrFHoqhtJW.exe
We cleaned those and blocked the known IPs it seemed to be connecting to. I have not seen any activity yet, so it might be okay. I am still worried that it may have replaced legitimate processes.
*Note - I have uploaded the listed executables to Comodo so hopefully they are added to the database as they currently go undetected.
You can always run sfc /scannow in a cmd prompt. This will check the integrity of the Windows files.
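A triage script for the two things this thread revolves around (unsigned autorun entries under HKLM and the user hives, and svchost instances talking outbound), added here as an example and not posted by anyone in the thread. It assumes an elevated PowerShell on Windows 8 or later (Get-NetTCPConnection needs the NetTCPIP module) and only reports, it deletes nothing.

```powershell
# Added triage helper (not from the thread). Lists Run-key entries whose target
# binary is unsigned or missing, then every svchost.exe with its path, signature
# and non-private outbound connections, so a fake or injected svchost stands out.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # the HKLM-x32 entry from FRST
)
# Add the Run key of every loaded user hive (HKU\S-1-5-21-... as in the FRST log)
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { $runKeys += "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $raw = $props.$name
        # Strip surrounding quotes and arguments to get just the executable path
        $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
        $status = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
        if ($status -ne 'Valid') {
            [pscustomobject]@{ Key = $key; Name = $name; Target = $exe; Signature = $status }
        }
    }
}

# A genuine svchost.exe runs only from System32 (or SysWOW64) and carries a valid signature
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    $path = $p.Path   # null if the process could not be opened; run elevated
    $sig = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'Unknown' }
    $remote = Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1|fe80)' } |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
    [pscustomobject]@{
        PID        = $p.Id
        Path       = $path
        Signature  = $sig
        Suspicious = ($path -notmatch '\\Windows\\(System32|SysWOW64)\\svchost\.exe$') -or ($sig -ne 'Valid')
        Remote     = ($remote -join ', ')
    }
} | Format-Table -AutoSize
```

A correctly located and signed svchost that still shows established connections to unexpected public addresses points at an injected or hosted service rather than a replaced binary, which is why sfc /scannow alone may come back clean.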