
Firewall disabled on startup, suspicious svchost.exe process


  • Please log in to reply
3 replies to this topic

#1 Village Baka

Village Baka

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Location:Arizona
  • Local time:05:52 PM

Posted 22 February 2013 - 05:30 PM

My computer is running Windows 7 Home Premium 64-bit, and I'm pretty sure I ended up with a virus somehow. The three main symptoms I've noticed:

 

  • On system startup, the Windows Firewall service is disabled. Running services.msc and setting it to automatic does start it up normally, but any time I shut down and restart, it's disabled again.
  • My CPU "idles" hellaciously hot. Before the problem manifested, my CPU would idle after startup around 30-35C and my GPU at 40-45C, with the fans running at 50% (I use Speedfan for heat/noise management). After the apparent infection, the CPU is more like 65C with the GPU often breaking 70C with all fans cranked up to 100% speed. Task manager also shows between 30-50% CPU usage with absolutely no other programs open, so obviously something very intensive is running that wasn't previously.
  • There's a suspicious svchost.exe process running in task manager. If at any point during this assessment my reasoning is wrong, please point it out because I'm sort of guessing my way through it: the svchost in question ends with a *32, which I think indicates it's a 32-bit program instead of 64-bit. Since I'm running 64-bit Windows 7, there shouldn't be any 32-bit svchosts. Second, the description for every other svchost is "Host Process for Windows Services"; the suspicious one's description is just "svchost.exe". When I kill this process, Windows keeps running normally and nothing seems to break. Additionally, it seems that process is what's pushing my computer's CPU so hard; as soon as I kill it, temps and usage % drop back into the normal range.

I think it's pretty obvious that my system is infected with some sort of malware, but I have no idea what to do about it. I downloaded Microsoft Security Essentials but multiple full system scans have found nothing. A friend suggested it might be a bitcoin miner; I did some research and that kind of software does match my problems, being something heavily CPU-intensive that would need unrestricted access to the internet, but I've absolutely no clue how to confirm that, how to find it, or what to do about it if I could.

 

All I can do for now is make sure to re-enable my firewall service and kill the false svchost after every startup. Any advice on how to get rid of this thing permanently would be greatly appreciated!


Edited by Village Baka, 22 February 2013 - 06:06 PM.
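The poster's three manual checks (a *32 svchost, a file description that isn't "Host Process for Windows Services", and a process that can be killed without breaking anything) plus the firewall service start type can be turned into one read-only triage pass. The script below is an added example, not something posted in this thread; it assumes a legitimate svchost.exe is the 64-bit image in System32, started by services.exe with a "-k <group>" argument, and uses Get-WmiObject so it runs on the Windows 7 era PowerShell 2.0.

```powershell
# Added example (not from the thread): triage checks mirroring the symptoms
# described above. Run in an elevated PowerShell on Windows 7 or later.
# Assumptions: legitimate svchost.exe lives in System32, is a 64-bit image on
# 64-bit Windows, is parented by services.exe and carries a "-k <group>" argument.

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
$wow64Path    = Join-Path $env:SystemRoot 'SysWOW64\svchost.exe'   # *32 in Task Manager

# Win32_Process gives image path, command line and parent PID; the file version
# resource gives the "description" column Task Manager shows.
$all   = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($w in $all) { $byPid[$w.ProcessId] = $w }

foreach ($p in ($all | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $flags = @()
    $path  = $p.ExecutablePath
    $desc  = $null
    try {
        $desc = (Get-Process -Id $p.ProcessId -ErrorAction Stop).MainModule.FileVersionInfo.FileDescription
    } catch { $flags += 'image/description not readable (run elevated)' }

    if ($path -and $path -ne $expectedPath) { $flags += "unexpected path: $path" }
    if ($path -eq $wow64Path) { $flags += '32-bit image on 64-bit Windows' }
    if ($desc -and $desc -ne 'Host Process for Windows Services') {
        $flags += "odd description: '$desc'"
    }
    if ($p.CommandLine -and $p.CommandLine -notmatch '\s-k\s') { $flags += 'no -k service group' }
    $parent = $byPid[$p.ParentProcessId]
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $flags += "parent is '$($parent.Name)' (expected services.exe)"
    }
    if ($flags.Count -gt 0) {
        Write-Output ("PID {0}: {1}" -f $p.ProcessId, ($flags -join '; '))
    }
}

# Windows Firewall service (MpsSvc) should be Auto and Running; finding it
# Disabled after every boot is the symptom described in the post.
$fw = Get-WmiObject Win32_Service -Filter "Name = 'MpsSvc'"
Write-Output ("MpsSvc start mode: {0}, state: {1}" -f $fw.StartMode, $fw.State)
```

Anything flagged is a lead for the log-based tools the helper asks for below, not a verdict on its own: a legitimate svchost can also be unreadable from a non-elevated shell.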



#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:52 PM

Posted 22 February 2013 - 08:05 PM

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt


NOTE. Make sure all logs are pasted not attached.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 Village Baka

Village Baka
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Location:Arizona
  • Local time:05:52 PM

Posted 24 February 2013 - 01:03 AM

EDIT: I found out positively where the virus came from, and the tools posted didn't tell anything I didn't already know, nor did MBAM/MBAR succeed in removing it (though at least they found out where it was hiding). I had posted the logs but it occurred to me that it was probably going to take longer to get help trying to finagle the thing off my computer than to just start over, and I've already formatted my hard drive and reinstalled Windows. So, problem solved. Thanks for the help either way.


Edited by Village Baka, 24 February 2013 - 02:52 AM.


#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:52 PM

Posted 24 February 2013 - 12:24 PM

Thanks for letting me know :)
