svchost.exe virus


7 replies to this topic

#1 wtea44

wtea44

  • Members
  • 5 posts

Posted 03 January 2012 - 02:44 PM

My computer is infected with this pesky svchost.exe virus; the file itself is located in C:/windows, not in the system32 computer. I don't like having to post my own topic, and I have tried various other solutions to get rid of the virus. Sooo I'm hoping someone here may be able to help me.

Malwarebytes detects it, and it attempts to delete it on reboot, but no success. I've tried running rkill beforehand, doing it in safe mode, etc.

SUPERAntiSpyware doesn't detect it.

Trying to delete it manually doesn't seem to work. Tried on reboot, tried going to the folder and clicking delete, tried doing it from the command prompt.

Malwarebytes is usually my go-to program as it's an excellent program, but it's only containing the threat due to it being in trial mode and running active protection.

I'll attach a log of a flash scan before I leave.

Thanks in advance for any insight anyone might have.
---------------------------------------------------------------------------------------------
Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.31.06

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
nameunimportant :: nameunimportant-PC [administrator]

Protection: Enabled

1/3/2012 1:31:40 PM
mbam-log-2012-01-03 (13-34-07).txt

Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 155656
Time elapsed: 49 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 3468 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

(end)

Edited by wtea44, 03 January 2012 - 03:45 PM.


#2 Zaxan

Zaxan

  • Members
  • 3 posts

Posted 03 January 2012 - 03:00 PM

I have a ton of those active when I open the task manager. I don't know if it is a virus or not, but if it is that would make sense.

You could try to do: Run>Regedit and search for the svchost.exe files and delete them manually. That might do the trick. The only reason why I haven't tried this yet is because I don't know if it is in fact a virus. If it isn't you could be deleting important parts of the registry.

So we'll just have to wait and see if someone can reply.

#3 wtea44

wtea44
  • Topic Starter

  • Members
  • 5 posts

Posted 03 January 2012 - 03:48 PM


MBAM tells me it is a virus. That, combined with, as I said, it not being in the system32 folder, causes me to be quite sure, in my case at least, that it is a virus.

I wish I woulda changed the title of the thread to 'mbam won't delete virus on reboot' but it can't be helped at this point.

I appreciate the attempt to help, Zaxan.

Edited by wtea44, 03 January 2012 - 03:49 PM.


#4 wtea44

wtea44
  • Topic Starter

  • Members
  • 5 posts

Posted 04 January 2012 - 03:03 PM

I have managed to correct this problem by myself. The way I've accomplished this I will post so people who have the same problem can possibly do what needs to be done. The virus I had was classified in Spybot as smitfraud.c generic. It was an svchost.exe*32 with the description of winrscmde, and would not be removed on reboot by MBAM. Spybot also was not able to terminate it.

First I went to Task Manager and viewed processes by all users. Located the svchost with the description of winrscmde and ended the process.

Next, downloaded TDSSKiller

http://support.kaspersky.com/viruses/solutions?qid=208280684

Extracted it to the desktop. Right-clicked and picked Run as administrator.

It asked me to reboot after it finished scanning; allowed it to reboot.

Afterwards ran the latest version of MBAM (right click, Run as administrator) and ran a quick scan. Instead of a memory process and a file there was only the file in C:/windows; I clicked Remove Selected. Rebooted and the virus no longer exists on my computer.

Hope this helps random people, and a mod can close this topic if he/she wishes.

#5 MrSynnerster

MrSynnerster

  • Members
  • 1 posts

Posted 05 January 2012 - 05:13 PM

I joined this site to personally thank Wtea44. I had fought my computer for a week with this problem, and was about to spend 150 to get it fixed at the shop around the corner. Thanks so much, this worked PERFECTLY!!!!



#6 Aninda

Aninda

  • Members
  • 2 posts

Posted 13 January 2012 - 08:31 AM

Used the exact same process last night to fix my laptop. Unfortunately, I don't think this completely fixes the issue. I realized that if I click on certain shortcuts (let's say, Program Files/Accessories/Command Prompt) it will say that the target for the shortcut is missing. Happened with other shortcuts on my desktop too, though not all of them. I checked the target and I realized that when I clicked on the shortcut, it automatically changes the target to C:Users/Aninda/AppData/Roaming/Local/Temp. I have not gotten around to fixing that yet, still trying to figure out what it might be. I notice the dllhost.exe process in the Task Manager, but it disappears when I try clicking on it.



#7 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 13 January 2012 - 11:07 AM

C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

This is a symptom of maxss rootkits. Using tdsskiller was a good idea.

Searching for svchost.exe in the registry and deleting the entries is not recommended and is not going to work. You may need to reinstall your OS if you mess with the registry.

Good luck

Edited by narenxp, 13 January 2012 - 11:09 AM.
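
Added example (not part of any post in this thread): a small Python triage script for the situation discussed above. It parses detection lines of the shape shown in the MBAM log in post #1 and flags a system binary name such as svchost.exe whose image path is outside System32 or SysWOW64. The function names, the watched-name list, the C:\Windows system root and the line pattern (inferred only from the two log lines in post #1) are assumptions made for illustration.

```python
import ntpath
import re

# Directories under %SystemRoot% where Windows ships these binaries; SysWOW64
# holds the 32-bit copies that Task Manager labels "*32" on 64-bit Windows.
EXPECTED_DIRS = ("System32", "SysWOW64")
WATCHED_NAMES = {"svchost.exe", "dllhost.exe"}  # names mentioned in the thread

# Assumed shape of a detection line, taken from the log in post #1:
#   <path> (<detection>) -> [<pid> -> ]<action>.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^)]+)\) -> "
    r"(?:(?P<pid>\d+) -> )?(?P<action>.+?)\.?$"
)

def normalize(path):
    """Lower-case and use backslashes so C:/windows and C:\\Windows compare equal."""
    return ntpath.normcase(ntpath.normpath(path))

def is_masquerading(image_path, system_root=r"C:\Windows"):
    """True when a watched system binary name sits in an unexpected directory."""
    path = normalize(image_path)
    if ntpath.basename(path) not in WATCHED_NAMES:
        return False
    allowed = {normalize(ntpath.join(system_root, d)) for d in EXPECTED_DIRS}
    return ntpath.dirname(path) not in allowed

def triage(log_text):
    """Parse detection lines and mark the ones that still need attention."""
    findings = []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # section headers and "(No malicious items detected)"
        findings.append({
            "path": m["path"],
            "threat": m["threat"],
            "pid": int(m["pid"]) if m["pid"] else None,
            "masquerading": is_masquerading(m["path"]),
            "unresolved": m["action"] == "No action taken",
        })
    return findings

# The two detection lines from the log in post #1, with their section headers.
SAMPLE_LOG = r"""Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 3468 -> No action taken.
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.
"""
```

Calling triage(SAMPLE_LOG) returns two findings, both marked masquerading and unresolved; the first carries PID 3468, which is the process to look for in Task Manager.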


#8 Aninda

Aninda

  • Members
  • 2 posts

Posted 13 January 2012 - 03:53 PM

This was frustrating, to say the least. It kept overloading my laptop, and my laptop kept shutting down due to overheating.



