
svchost.exe *32 winrscmde virus

12 replies to this topic

#1 AndrewR2012
Posted 08 October 2012 - 06:59 PM

I recently came home from vacation and had this virus on my computer. I tried booting to safe mode to run TDSSKiller, however I can't run any applications as this svchost.exe process continues to run randomly and I can't get rid of it.

The file loads into: C:\Windows\svchost.exe
I found the winrscmde.dll file in the system32 folder on my computer.

I have Windows 7.

I'm not sure where to go from here.

I was going to try an ultimate boot cd and try to run tdsskiller from a usb drive. Any help here would be appreciated!

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal


#2 narenxp
Posted 08 October 2012 - 07:01 PM

Boot into safemode with networking

Download

TDSSkiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Do not change the default options on scan results

Download

aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here. If you get crashes in normal mode, run it in safe mode with networking.

Download

ESET online scanner

Install it

Click on START; it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to the desktop and copy the contents of the text file in your reply.

Edited by narenxp, 08 October 2012 - 07:02 PM.


#3 AndrewR2012

Posted 08 October 2012 - 07:03 PM

When I boot into safemode with networking, and click on tdsskiller.exe, nothing happens.

#4 narenxp

Posted 08 October 2012 - 07:06 PM

You may have issues with ASWMBR too. Run ESET online scanner and post the log along with the ListParts log.

Download Listparts from here

For 32 bit

List parts 32

For 64 bit

List parts 64

Launch it, click on SCAN, and post the log.

#5 AndrewR2012

Posted 08 October 2012 - 07:08 PM

I can't load internet explorer either. I'm not sure where to go from here.

FYI: I'm typing to you from my laptop. My desktop is the infected machine.

#6 narenxp

Posted 08 October 2012 - 07:10 PM

Copy the tools to the infected PC and run them.

#7 narenxp

Posted 08 October 2012 - 07:10 PM

Copy the tools to the infected PC and run them.

#8 AndrewR2012

Posted 08 October 2012 - 07:16 PM

List parts 64 Log File:


ListParts by Farbar Version: 02-10-2012
Ran by Drew (administrator) on 08-10-2012 at 19:14:09
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 8191.18 MB
Available physical RAM: 7401.59 MB
Total Pagefile: 16380.55 MB
Available Pagefile: 15602.74 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (Data) (Fixed) (Total:149.05 GB) (Free:47.67 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: () (Fixed) (Total:465.76 GB) (Free:256.82 GB) NTFS
5 Drive g: (PATRIOT) (Removable) (Total:14.89 GB) (Free:14.88 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 1024 KB
Disk 1 Online 149 GB 0 B
Disk 2 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 31 KB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D NTFS Partition 465 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 149 GB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C Data NTFS Partition 149 GB Healthy System (partition with boot components)

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 4032 KB

======================================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G PATRIOT FAT32 Removable 14 GB Healthy

======================================================================================================

****** End Of Log ******

#9 narenxp

Posted 08 October 2012 - 07:19 PM

Can you run ASWMBR?

Download

FIXTDSS

Launch it. It may ask for a restart; reboot the PC.

On reboot click on REPAIR

Let me know if you're able to run any of these tools

Download

Malwarebytes

Install,update and run a full scan

Click on Show results. Right-click on the list, select all, and remove them.

Post the generated log here

#10 AndrewR2012

Posted 08 October 2012 - 07:21 PM

Can't run MBAM or any of the other tools. The FixTDSS link is not working. Wants me to buy software?

I do also notice a dllhost.exe process running when I try to run any of the other tools as well. It goes away when the other processes go away as well. Not sure if this helps at all.
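The indicators described in this thread (an svchost.exe loading from C:\Windows instead of System32, a winrscmde.dll in System32, and a dllhost.exe that appears whenever a tool is launched) can be triaged from an elevated PowerShell prompt before any removal tool is run. The script below is an added example and is not from this thread, from narenxp, or from any of the tools named here; it assumes Windows 7 with PowerShell 2.0 or later, so it uses Get-WmiObject rather than Get-CimInstance, and it treats both System32 and SysWOW64 (the legitimate home of the "*32" svchost.exe on 64-bit Windows) as expected locations.

```powershell
# Added triage script (not from the thread). Lists svchost.exe / dllhost.exe
# instances, flags any whose image is outside System32 / SysWOW64, shows the
# parent PID and Authenticode status, and checks for the DLL path from post #1.
# Assumes an elevated PowerShell 2.0+ prompt on the affected Windows 7 machine.

$sys32  = Join-Path $env:SystemRoot 'System32'
$sysWow = Join-Path $env:SystemRoot 'SysWOW64'      # legit 32-bit copies on x64
$watch  = @('svchost.exe', 'dllhost.exe')
$suspectDll = Join-Path $sys32 'winrscmde.dll'      # path named by the poster

function Get-SuspectProcess {
    Get-WmiObject Win32_Process |
      Where-Object { $watch -contains $_.Name } |      # -contains is case-insensitive
      ForEach-Object {
        $path = $_.ExecutablePath                     # null for protected processes
        $dir  = if ($path) { Split-Path $path -Parent } else { '' }
        $expected = ($dir -ieq $sys32) -or ($dir -ieq $sysWow)
        $sig = 'n/a'
        if ($path -and (Test-Path $path)) {
            $sig = (Get-AuthenticodeSignature $path).Status   # read-only check
        }
        New-Object PSObject -Property @{
            PID         = $_.ProcessId
            ParentPID   = $_.ParentProcessId
            Name        = $_.Name
            Path        = $path
            Expected    = $expected                   # $false => review first
            Signature   = $sig
            CommandLine = $_.CommandLine
        }
      }
}

$procs = Get-SuspectProcess
"=== svchost.exe / dllhost.exe instances ==="
$procs | Sort-Object Expected | Format-Table PID, ParentPID, Name, Expected, Signature, Path -AutoSize

"=== Instances outside System32 / SysWOW64 (review these first) ==="
$procs | Where-Object { -not $_.Expected } | Format-List Name, Path, CommandLine, ParentPID

"=== DLL named in the thread ==="
if (Test-Path $suspectDll) {
    Get-Item $suspectDll | Select-Object FullName, Length, CreationTime, LastWriteTime
    "Authenticode: " + (Get-AuthenticodeSignature $suspectDll).Status
} else {
    "$suspectDll not present"
}
```

Run it from a clean removable drive (as the poster did with ListParts) and keep the output with the other logs; an unexpected path or a NotSigned status on a Windows-named image is what a helper will want to see, and the ParentPID column shows which process is launching the dllhost.exe the poster noticed.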

#11 narenxp

Posted 08 October 2012 - 07:22 PM

Let's take a deeper look.

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here with logs

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

Edited by narenxp, 08 October 2012 - 07:22 PM.


#12 AndrewR2012

Posted 08 October 2012 - 07:26 PM

I am unable to run DDS.com.

Any other help?

#13 narenxp

Posted 09 October 2012 - 07:13 AM

I guess you are able to run the tools now. Post the logs as instructed in the preparation guide.
