Can't remove svchost 32 winrscmde process that eats CPU



#1 Doitjnk

Doitjnk

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:17 AM

Posted 31 July 2012 - 03:23 PM

My computer is off the network since I discovered this process and nothing seems to kill it. Please help! I'm missing a deadline due to this...



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:11:17 AM

Posted 31 July 2012 - 04:58 PM

Download TDSSkiller

Launch it. Click on Change parameters - select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)

Do not change the default options on scan results

Download aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes, click on Save log

Post the log results here

Download ESET online scanner

Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

#3 Doitjnk


Posted 01 August 2012 - 12:50 AM

Oh my God, it's gotten way, way worse. I never even got a chance to download TDSSkiller. I was on an older laptop trying to see if I could at least use it for email when it slowed down severely. I started a superantispyware scan on it, then went over to a third old laptop to use THAT one for email, but that one was slow too, so I started a scan on it. Then I walked back to the one that was already being scanned and the scan screen was all gray and flashing. Things were unresponsive so I got worried and forced a reboot into safe mode. However, the safe mode screen was weird looking... Said safe mode in all four corners and a bunch of stuff across the top about the windows xp version. I thought maybe this is how it looks in XP since I haven't booted these old computers into safe mode in a long time, and the new one I first wrote you about is windows 7.

Now here's the awful part.... I tried to log in, and it did not recognize my password!!!! So I shut it down. Then I went to the second one I had started a scan on, and that one had completed the scan. I did a removal of the threats it found and it asked to reboot, so I did. But into safe mode because I was worried at this point. However, this one also didn't let me log in! It also had a weird look in safe mode.... Same as the other.

Then some people came over so I didn't get back to it till now. I had left the two old laptops shut down. So then I decided since they are both down and my newer laptop had only that svchost thing plus had been off the network for at least a day or two, I would check it. And much to my dismay, it had the SAME weird safe mode screen, even saying windows XP instead of windows 7, and did not let me log in!!!

I am totally devastated and have no idea what to do. I am writing from my iPad at this point. My husband's Mac seems to be ok. What do I do? I can't even log into my own three computers! Am I going to lose everything? How did this happen? Have you heard of it? And also, does this mean whoever wrote this program now has my password?

Please help! :-(

#4 Doitjnk


Posted 01 August 2012 - 09:36 AM

Ok I have an update... I woke up this morning and realized I was NOT on my windows 7 machine last night. Somehow in my tiredness, that last login was still on one of the xp machines. So today I tried the windows 7 machine and it let me in and is same as when I originally wrote this. So I am going to run the things you asked for and post the results here.

However, this means I have TWO separate problems. The two XP machines that don't let me log in, and the windows 7 machine that has the fake svchost process. I will send logs from win 7 machine and await instructions on what to do with the windows xp machines.

Thanks!

#5 Doitjnk


Posted 03 August 2012 - 05:30 PM

Hello. I am still hoping for instructions on the computers that I can't log into in safe mode. I notice I can log in normal mode, just safe mode locks me out so I can't run scanners in safe mode.

#6 jillskill

jillskill

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 07 August 2012 - 08:10 PM

I am having the very same problem. To resolve the issues I downloaded Malwarebytes Anti-Malware tool, which found the malware culprits and removed them - had to reboot right away.

THE PROBLEM: Both Malware and Sys Center 2012 Endpoint FIND the files, remove them, however the trojan files still show back up again.

I also noticed that 'winrscmde.exe' is popping up in my task manager causing high CPU, which also will not go away. I stop the service temporarily, low pri, etc, but of course it restarts. It will not allow me to adjust it even as an admin. With every scan, clean and reboot, it all starts up again.

There is nothing that seems to be 'keeping' these virus/trojan files deleted entirely. I will also be following this. Thanks - Any thoughts are most appreciated.

Here are some of the items found between these above mentioned tools:

Trojan.Agent File c:\\Windows\svchost.exe

Trojan.Agent Memory Process c:\\Windows\svchost.exe 4684
Trojan.Agent Memory Process c:\\Windows\svchost.exe 2924
Trojan.Agent Memory Process c:\\Windows\svchost.exe 2720

Heuristics.res... File c:\\Windows\svchost(44).exe

or:
Trojan:DOS/Alureon.A

NOTE: I'm on an HP Pav dv6 3236 nr / Win 7 / 64 Ultimate / Clear wireless

Thanks - J.

Edited by jillskill, 07 August 2012 - 08:18 PM.
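A triage check for the detections listed in the post above, added here as an example and not part of the original thread: it flags any svchost-named image that runs from outside System32/SysWOW64 or carries a lookalike file name. The `(pid, path)` record format, the `C:\Windows` system root, and PIDs 812, 1460 and 3020 are constructed assumptions; the other paths and PIDs are the ones quoted in the post.

```python
import ntpath  # Windows path rules, usable on any OS

SYSTEM_ROOT = r"C:\Windows"  # assumption: default install location
# Directories where the genuine svchost.exe is expected to live.
EXPECTED_DIRS = {
    ntpath.join(SYSTEM_ROOT, d).lower() for d in ("System32", "SysWOW64")
}


def classify(path):
    """Return a reason string if `path` looks like a fake svchost, else None."""
    # normpath collapses the doubled backslash seen in the scanner output.
    norm = ntpath.normpath(path).lower()
    directory, name = ntpath.split(norm)
    if not name.startswith("svchost"):
        return None
    if name != "svchost.exe":
        return "lookalike file name"
    if directory not in EXPECTED_DIRS:
        return "svchost.exe outside System32/SysWOW64"
    # A clean path is necessary, not sufficient: the file itself may still
    # have been replaced, so signature or hash checks remain a separate step.
    return None


def flag_masquerading(records):
    """records: iterable of (pid or None, image path). Returns findings."""
    findings = []
    for pid, path in records:
        reason = classify(path)
        if reason:
            findings.append((pid, ntpath.normpath(path), reason))
    return findings


# Constructed sample: first three paths as quoted in the post, rest made up.
SAMPLE = [
    (4684, r"c:\\Windows\svchost.exe"),
    (2924, r"c:\\Windows\svchost.exe"),
    (None, r"c:\\Windows\svchost(44).exe"),  # file on disk, no PID
    (812, r"C:\Windows\System32\svchost.exe"),
    (1460, r"C:\Windows\SysWOW64\svchost.exe"),
    (3020, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, path, reason in flag_masquerading(SAMPLE):
        print(pid, path, reason)
```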


#7 narenxp


Posted 07 August 2012 - 08:45 PM

jillskill

Create a new topic

Thanks

#8 Doitjnk


Posted 08 August 2012 - 08:24 PM

> jillskill
>
> Create a new topic
>
> Thanks

I don't get it, why start a new topic? I've been waiting for a response for many days, and even posted a link to this saying it was not responded to, and I still get no response.

#9 narenxp


Posted 09 August 2012 - 12:31 AM

> I don't get it, why start a new topic? I've been waiting for a response for many days, and even posted a link to this saying it was not responded to, and I still get no response.

Did I tell you to start a new topic?

> and the windows 7 machine that has the fake svchost process. I will send logs from win 7 machine and await instructions on what to do with the windows xp machines.

You never posted the logs for windows 7 machine? Do you need help?

Edited by narenxp, 09 August 2012 - 12:32 AM.


#10 Doitjnk


Posted 10 August 2012 - 10:15 PM

Yes, I need help first with the two xp machines. They are the ones who became unusable. I can't log into safe mode because it says it doesn't know my password. But I discovered I can log in regular mode. I tried downloading some antivirus stuff from your website and run it while I wait for a response but sometimes it seems the programs are getting blocked and it seems the CPU gets all taken up so it slows down to an unusable pace. Plus both xp machines have this so I want to resolve before risking putting my windows 7 machine on the Internet.
Can you tell me what to do with the xp machines?

Edited by Doitjnk, 10 August 2012 - 10:16 PM.


#11 narenxp


Posted 10 August 2012 - 10:20 PM

> But I discovered I can log in regular mode. I tried downloading some antivirus stuff from your website and run it while I wait for a response but sometimes it seems the programs are getting blocked and it seems the CPU gets all taken up so it slows down to an unusable pace.

If you're not able to download them, copy the tools and scan

#12 Doitjnk


Posted 10 August 2012 - 10:52 PM

>> But I discovered I can log in regular mode. I tried downloading some antivirus stuff from your website and run it while I wait for a response but sometimes it seems the programs are getting blocked and it seems the CPU gets all taken up so it slows down to an unusable pace.
>
> If you're not able to download them, copy the tools and scan


I was able to download all the various tools from your website. But you still have not told me which ones to run for the xp machines. Only for the windows 7 machine. But I want to fix the xp machines first, that is more important because my sons use them for treatment.

Thanks,
Cathryn

#13 narenxp


Posted 11 August 2012 - 08:51 AM

Download TDSSkiller

Launch it. Click on Change parameters - select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)

Do not change the default options on scan results

Download aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes, click on Save log

Post the log results here

Download ESET online scanner

Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply


These instructions are valid for XP, Vista and Windows 7 systems

#14 Doitjnk


Posted 14 August 2012 - 10:15 PM

Should I send logs for one system at a time and resolve one before going on to the next so it doesn't get confusing?

#15 narenxp


Posted 14 August 2012 - 10:18 PM

Yes, one at a time



