
mscvhost.exe


19 replies to this topic

#1 crimlair


Posted 10 January 2009 - 06:15 AM

Is it new? It's part of huelar and all, but I think the mscvhost.exe I was infected with has a persistent rootkit backing it up that I failed to identify before my laptop crashed.

It's a virus that replicates onto a device (e.g. USB) once it is plugged into an infected system. It then disguises itself as a hidden folder with an ".exe" attached to it. Once opened, the virus program is initiated and replicates onto the computer it was plugged into at a rapid rate.

Based on the information I gathered, this virus originates from emails that appear to come from Windows/Microsoft and ask for a critical update. It is an email attachment. But in my case I haven't opened anything of that kind. However, I have encountered a computer in a public cafe that had redtube.com as its homepage, with the folders behaving badly (they had an ".exe" attached). I think that's where this came from.

From then on, the antivirus currently at work on that laptop may malfunction in several areas (e.g. fails to open, fails to scan, etc.), registry access may be blocked, and several other commands previously accessible to the user may also be blocked. Safe mode doesn't always work for taking out the virus. If an attempt to remove it is made, there may be serious consequences imposed on the system (like what happened to my laptop; my guess is that it had attached itself to "winlogon" to cause that crash). However, anti-virus software such as HijackThis and autoruns had worked in my case and identified the very elusive mscvhost.exe.


#2 quietman7


Posted 10 January 2009 - 08:54 AM

msvchost.exe
Virus Detail: Win32/Rahlue.A

anti-virus software such as HijackThis and autoruns had worked in my case and identified the very elusive mscvhost.exe

HijackThis and autoruns are not anti-virus software but investigative tools. How exactly did you remove this malware? How is your computer running now? Any more reports/signs of infection?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 crimlair


Posted 11 January 2009 - 01:27 AM

Hi quietman7!

Yes, I've been wondering what to call HijackThis and autoruns. Investigative tools. Thanks for that!
About the huelar.exe virus, as it was collectively known... I consider them as a group because they're 3 viruses working together to protect each other and keep from being removed from the system, meanwhile making the user's computer life miserable and always attached to the huelar virus (as its motto goes, "I will always be with you -huelar" are the exact words I found in the registry). In my case, HijackThis had found the 3 of them in various places, and of course I deleted them, but mscvhost.exe can't be removed because it says it's currently running in the active processes. But when I checked taskman, Process Explorer and TCPView, there's no sign of mscvhost.exe. According to HJT (HijackThis), it's in "Documents and Settings". But since that area is infected by the virus, I can't access it without the virus initiating itself again. So I got the idea mscvhost was obviously being obscured by another virus/malware/rootkit protecting it. I still don't know what it is. I also found out the virus disables all search processes related to finding it and its associates in all areas of the system.

Now I looked into the registry and also in safe mode to check, and I found some traces of huelar infection but not the elusive mscvhost.exe. There are also some files/subfiles in the registry that can't be accessed. When I ran cmd, it failed to find/erase the virus too. So, all hope gone and evaporated, I decided to consult my second-to-last option: find a good AV: Norton AV 2009. So it scanned and found the huelars. I rebooted the laptop again to refresh its state, only to find out the system had crashed completely because Winlogon had been tampered with. From this, my guess is that mscvhost attached itself to winlogon. My final option (armageddon option [LOL]) then was to reformat the systems affected: Drive C and others. This, I left to the expertise of the computer technician.

Now I have a laptop with a dying hard drive but still equipped with its vital functions (and a new short life span), a Drive D remainder of the aftermath, and a fresh new experience to digest. I'm still grieving over the loss of my vital wares and files in drive C, but I know now I won't put them there again.

I will still run a series of AV scans on the system later to be sure it's free of the virus.

#4 crimlair


Posted 11 January 2009 - 01:37 AM

Thanks for the source, quietman! :thumbsup:

#5 quietman7


Posted 11 January 2009 - 08:46 AM

My final option (armageddon option [LOL]) then was to reformat the systems affected: Drive C and others. This, I left to the expertise of the computer technician.

Sorry to hear about having to reformat, but sometimes that is the best solution. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Starting over by wiping your drive, reformatting, and performing a clean install of the OS removes everything and is the safest action.

Tips to protect yourself against malware and reduce the potential for re-infection: Avoid gaming sites, underground web pages, pirated software, crack sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. When is AUTORUN.INF really an AUTORUN.INF?. For more information on this risk, please read USB-Based Malware Attacks and Please disable Autorun asap!.

#6 crimlair


Posted 12 January 2009 - 12:16 AM

That was really informative. :flowers: Thanks a lot quietman7! :thumbsup: I'll remember to be more careful next time.

#7 quietman7


Posted 12 January 2009 - 09:08 AM

:thumbsup:

#8 lindaga35


Posted 27 January 2009 - 12:14 PM




#9 lindaga35


Posted 27 January 2009 - 12:23 PM

I'm sorry, I didn't mean to quote all of your post. I'm still learning how to do all this forum stuff. I have seen this mscvhost in my computer; how do I find it for sure?

I have OneCare and it finds stuff all the time. I have scanned in safe mode and with Malwarebytes Anti-Malware, and both found trojans.

Lindaga

Edited by lindaga35, 27 January 2009 - 12:25 PM.


#10 quietman7


Posted 27 January 2009 - 01:26 PM

Hello lindaga35

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff

#11 lindaga35


Posted 27 January 2009 - 01:33 PM

I will, thank you so much.

Linda

#12 crimlair


Posted 29 January 2009 - 05:48 AM

Okay, sorry for the belated post.
I've done several, various scans on the system and the registry and it's free from huelar. However, in Drive D, which wasn't formatted because I didn't want to lose its contents, it appears the folders are still hidden. When I checked its properties, the number under "size" just keeps popping out random numbers. But since the boss virus was in Drive C and it's gone now, I don't think huelar is still alive, although there are remnants of its effects. I'm still paranoid about it, so I'm not opening any folders in drive D until I can find a good-sized USB and back up the files there.

#13 DaChew


Posted 29 January 2009 - 06:45 AM

Method of Distribution
Via Drives and Network Shares
Win32/Rahlue.A propagates by traversing all folders in all drives, including accessible network shares. If a folder is found, the worm creates a copy of itself, using the name and path of the folder as the executable's filename. For example, if the worm finds a folder at C:\Program Files, it drops a copy of itself in that folder as "C:\Program Files.EXE" and hides the original folder.


Be very careful with that infected drive
Chewy

No. Try not. Do... or do not. There is no try.
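A read-only check for the pattern in that quote, added here as an example and not code from the thread or from any vendor tool: it walks a directory tree and flags every X.exe that sits beside a folder named X, reporting whether the twin folder carries the hidden attribute. The sample tree it builds is constructed test data, and the function names are my own.

```python
"""Flag the "<folder>.EXE beside a hidden folder" pattern of Win32/Rahlue.A.
Added example, not from the thread or any tool: the worm drops a copy named after each
folder it finds and hides the original, so an .exe whose stem matches a sibling directory
is a strong indicator. Metadata only: nothing is opened or executed. Names are my own."""
import os
import stat
import tempfile

# stat.FILE_ATTRIBUTE_HIDDEN exists on all platforms; 0x2 is its documented value.
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)

def is_hidden(path):
    """True if the Windows 'hidden' attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & HIDDEN)

def find_folder_exe_pairs(root):
    """Sorted (exe_path, twin_dir, twin_hidden) for every X.exe beside a dir X (case-insensitive)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_by_lower = {d.lower(): d for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            twin = dirs_by_lower.get(stem.lower()) if ext.lower() == ".exe" else None
            if twin is None:
                continue  # an .exe with no same-named sibling folder is not this pattern
            twin_path = os.path.join(dirpath, twin)
            hits.append((os.path.join(dirpath, name), twin_path, is_hidden(twin_path)))
    return sorted(hits)

def build_sample_tree(base):
    """Constructed test data resembling an infected removable drive; returns base."""
    for rel in (("Photos", "2008"), ("Docs",), ("Clean",)):
        os.makedirs(os.path.join(base, *rel))
    # Three worm-style droppers plus one ordinary installer that must not be flagged.
    for rel in ("Photos.EXE", os.path.join("Photos", "2008.exe"), "Docs.exe", "setup.exe"):
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(b"MZ constructed sample, not a real executable")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # point at the suspect drive instead, e.g. r"D:\"
        for exe, twin, hidden in find_folder_exe_pairs(build_sample_tree(tmp)):
            print(f"suspect: {exe}  twin folder {twin} is {'hidden' if hidden else 'visible'}")
```

On a real drive, treat every hit as evidence to preserve rather than something to open, and note that a worm copy cannot hide itself from this check: the twin directory is enumerated by os.walk whether or not it is marked hidden.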

#14 crimlair


Posted 29 January 2009 - 07:49 AM

:thumbsup: Yes, I'm so careful I only looked at it once, and during that time I placed Avast! on maximum alert. Then after the check I scanned the system twice, ran Malwarebytes twice to do a full system scan, and had McAfee Rootkit Detective scan too. It turned out drive D is just another remainder of the onslaught... But I know well enough not to open any of its folders.

#15 ccyne


Posted 29 January 2009 - 10:09 AM

Just read through this thread. So what you are saying is you basically lost everything due to the infection, including the backups on removable media, because there is no way to clean it up? I have a thread running myself with a problem; I was just checking back and the mscvhost.exe tag on this thread caught my attention. I've seen many processes running in task manager with the svchost.exe and it got me worried. I just wanted to clarify for myself and anyone else browsing the threads whether these are or are not the same thing.



