
Windows 7 svchost.exe removal


7 replies to this topic

#1 BryanLikesPC's


Posted 07 November 2012 - 11:16 PM

I have been having issues with my computer for a couple of weeks where it will run really, really slow, and it would constantly give the BSOD almost every time I opened the internet. I reinstalled Windows 7 on the computer a couple of months ago because of a virus infection that damaged the system files, and it was fine for a while, until this. When I had Windows installed, I kept Malwarebytes, Windows Security Essentials, Windows Defender, and Advanced System Care all on the computer, and yet this virus still got in. It runs as a 32-bit instance from the Windows folder, not from the system32 or the syswow64. I end the process and delete the svchost.exe from the Windows folder, and they both come back literally seconds later. I cannot get rid of it no matter what I do. I discovered this file today, and I have been all over this forum for the last 6 hours trying to find something that will get rid of it. Please start me at the beginning. I have a flash drive, and I have DVDs if it is necessary to burn one. I also have a Windows 7 and a Windows 8 disc.

CURRENT OS:

WINDOWS 7 ULTIMATE x64 BUILD 7600
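The symptom described in post #1, an svchost.exe image running from the Windows folder rather than System32 or SysWOW64, can be checked by comparing each process's image path with the expected directories. This is an added example, not part of the original posts; the process records are constructed sample data, the function names are hypothetical, and Windows is assumed to be installed in C:\Windows as the log later in the thread shows.

```python
import ntpath

# Folders a genuine svchost.exe runs from: native 64-bit and 32-bit (WOW64).
# Assumption: Windows directory is C:\Windows.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_NAME = "svchost.exe"

# Constructed sample records: (pid, process name, image path).
SAMPLE = [
    (612, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (1840, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    (2976, "svchost.exe", r"C:\Windows\svchost.exe"),
    (3100, "svchost.exe", r"C:\Windows\System32\..\svchost.exe"),
    (4, "System", ""),
    (3344, "svchost.exe", ""),
]


def classify(name, image_path):
    """Return 'ignored', 'unknown', 'ok' or 'suspicious' for one process."""
    if name.lower() != WATCHED_NAME:
        return "ignored"
    if not image_path:
        # Path not readable (for example, listing taken without elevation).
        return "unknown"
    # normpath collapses '..' and forward slashes, so a path that only
    # looks like it is under System32 is resolved before the comparison.
    path = ntpath.normpath(image_path.strip().strip('"')).lower()
    directory, base = ntpath.split(path)
    if directory in TRUSTED_DIRS and base == WATCHED_NAME:
        return "ok"
    return "suspicious"


def triage(processes):
    """Return (pid, image_path, verdict) for svchost.exe entries needing review."""
    findings = []
    for pid, name, image_path in processes:
        verdict = classify(name, image_path)
        if verdict in ("suspicious", "unknown"):
            findings.append((pid, image_path, verdict))
    return findings


if __name__ == "__main__":
    for pid, image_path, verdict in triage(SAMPLE):
        print(f"PID {pid}: {verdict}: {image_path or '<no path>'}")
```

A path mismatch is a triage signal for which file to examine, not a removal step; as the thread shows, the file reappears if whatever launches it is left in place.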



#2 narenxp


Posted 07 November 2012 - 11:28 PM

Download

TDSSKiller

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C drive).

Do not change the default options on the scan results.

Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here. If you get crashes in normal mode, run it in safe mode with networking.

Download

ESET online scanner

Install it.

Click on START; it should download the virus definitions.
When the scan is completed, click on "List of found threats".

Export the list to the desktop and copy the contents of the text file into your reply.

#3 BryanLikesPC's


Posted 07 November 2012 - 11:47 PM

I ran TDSSKiller in the earlier stages. Here are the results:

18:57:02.0526 3032 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
18:57:04.0539 3032 ============================================================
18:57:04.0539 3032 Current date / time: 2012/11/07 18:57:04.0539
18:57:04.0539 3032 SystemInfo:
18:57:04.0539 3032
18:57:04.0539 3032 OS Version: 6.1.7600 ServicePack: 0.0
18:57:04.0539 3032 Product type: Workstation
18:57:04.0539 3032 ComputerName: ENDRES-PC
18:57:04.0539 3032 UserName: Endres
18:57:04.0539 3032 Windows directory: C:\Windows
18:57:04.0539 3032 System windows directory: C:\Windows
18:57:04.0539 3032 Running under WOW64
18:57:04.0539 3032 Processor architecture: Intel x64
18:57:04.0539 3032 Number of processors: 2
18:57:04.0539 3032 Page size: 0x1000
18:57:04.0539 3032 Boot type: Normal boot
18:57:04.0539 3032 ============================================================
18:57:07.0300 3032 BG loaded
18:57:08.0657 3032 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
18:57:08.0657 3032 Drive \Device\Harddisk1\DR1 - Size: 0xF0300000 (3.75 Gb), SectorSize: 0x200, Cylinders: 0x1E9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:57:08.0688 3032 ============================================================
18:57:08.0688 3032 \Device\Harddisk0\DR0:
18:57:08.0704 3032 MBR partitions:
18:57:08.0704 3032 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x13C3000
18:57:08.0704 3032 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x13D7000, BlocksNum 0x38FAE800
18:57:08.0704 3032 \Device\Harddisk1\DR1:
18:57:08.0704 3032 MBR partitions:
18:57:08.0704 3032 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x80, BlocksNum 0x781780
18:57:08.0704 3032 ============================================================
18:57:08.0766 3032 C: <-> \Device\Harddisk0\DR0\Partition2
18:57:08.0766 3032 ============================================================
18:57:08.0766 3032 Initialize success
18:57:08.0766 3032 ============================================================
18:57:15.0583 1228 Deinitialize success


I am running Malwarebytes on it right now, so I will see if, after running the other programs, Malwarebytes can get rid of it. Crossing fingers.

#4 narenxp


Posted 07 November 2012 - 11:49 PM

The TDSSKiller log is incomplete. I never told you to run Malwarebytes. Please follow my instructions :)

#5 BryanLikesPC's


Posted 07 November 2012 - 11:51 PM

Sorry, I had started Malwarebytes long before I even posted the topic. I was just getting it started in case it didn't work. I'm at like 105 infections, so it's doing way more now than it was.

#6 BryanLikesPC's


Posted 08 November 2012 - 10:51 PM

I think that it is OK now. Malwarebytes removed a bunch of tracking cookies and potential malware, and the problem seems to be gone. Thanks!

NOTE:
I ran TDSSKiller first, then aswMBR, and then Malwarebytes to finish the removal process for my machine.

#7 narenxp


Posted 09 November 2012 - 05:39 AM

You may still be infected. Post the logs as instructed.

#8 virgildelgado


Posted 13 June 2013 - 05:56 PM

I am experiencing almost the same problem as well; mine's only worse, I think. I'm following your instructions as of now.





