
Some sort of Trojan...svchost.exe



#1 tiko8019


Posted 06 May 2013 - 09:37 PM

 

Hello, the other day Avast blocked several attempts to connect to a malicious URL. Using Process Explorer I traced the problem to svchost.exe (exact spelling). On the TCP/IP tab under properties for this instance of svchost.exe I found that it was trying to connect to some site in the Netherlands.
This instance of svchost.exe was spawned by explorer.exe which I thought was odd. 

Information under the Image tab 
Path: C:\WINDOWS\system32\svchost.exe
Command Line: C:\WINDOWS\system32\svchost.exe -k netsvcs 
Current Directory: C:\WINDOWS\Documents and Settings\ACCOUNT NAME 
 
I tried several tools like Avast boot time virus scan (found nothing), Spybot (found nothing), TDSSKiller (found nothing), RogueKiller (just scans while using 50% CPU...10 hours later never finished) and OTL (some info comes up under ZERO ACCESS but I do not know how to use the program to clean).
 
I finally switched to the administrator account, browsed to C:\WINDOWS\Documents and Settings\ACCOUNT NAME\Local Settings and deleted everything. One folder was protected (C:\WINDOWS\Documents and Settings\ACCOUNT NAME\Local Settings\Temp\Sufnnee); this folder contained a folder named SXUSPIK, which contained a file wow.dll. I gained the proper permissions and deleted the Sufnnee folder and its contents.
 
The instance of svchost.exe that was giving me problems was gone. 
 
It's back! Avast blocked more malicious URLs.
 
winlogin.exe has spawned svchost.exe which in turn has spawned another svchost.exe that is trying to connect to malicious URLs. 
 
Under image tab
Path: C:\WINDOWS\system32\svchost.exe
Command Line: C:\WINDOWS\system32\svchost.exe -k netsvcs
Current Directory: C:\WINDOWS\system32\
 
Please help. I would post the OTL log but I will follow your troubleshooting steps once you give them so everything is current. 
 
Thank You in advance! 
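
The parent-process check the poster did by eye in Process Explorer, written out as an added example that is not part of the original post. It assumes legitimate svchost.exe instances are started by services.exe from C:\WINDOWS\system32 with a `-k` group argument; the `Proc` record, the `audit_svchost` name and the sample PIDs are hypothetical.

```python
from dataclasses import dataclass
import ntpath

# Assumption: a legitimate svchost.exe is a child of services.exe, runs from
# System32 and carries a "-k <group>" argument. SystemRoot is taken to be
# C:\WINDOWS, as in the post.
EXPECTED_PARENT = "services.exe"
EXPECTED_PATH = r"c:\windows\system32\svchost.exe"

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str    # full image path
    cmdline: str

def audit_svchost(procs):
    """Return {pid: [reasons]} for svchost.exe instances that look wrong."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        if ntpath.basename(p.image).lower() != "svchost.exe":
            continue
        reasons = []
        if ntpath.normpath(p.image).lower() != EXPECTED_PATH:
            reasons.append("unexpected image path")
        if " -k " not in f" {p.cmdline.lower()} ":
            reasons.append("no -k service group")
        parent = by_pid.get(p.ppid)
        parent_name = ntpath.basename(parent.image).lower() if parent else "<exited>"
        if parent_name != EXPECTED_PARENT:
            reasons.append(f"parent is {parent_name}")
        if reasons:
            findings[p.pid] = reasons
    return findings

# Constructed snapshot modelled on the post; all PIDs are made up.
SVC = r"C:\WINDOWS\system32\svchost.exe"
SAMPLE = [
    Proc(620, 0, r"C:\WINDOWS\system32\services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(1032, 620, SVC, SVC + " -k netsvcs"),   # normal: child of services.exe
    Proc(1500, 1400, r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    Proc(2212, 1500, SVC, SVC + " -k netsvcs"),  # first case: child of explorer.exe
    Proc(2300, 1032, SVC, SVC + " -k netsvcs"),  # second case: svchost under svchost
]

if __name__ == "__main__":
    for pid, reasons in audit_svchost(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

In both flagged cases the image path and command line match a genuine instance, so only the ancestry check separates them from the normal one.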

 

 

 

 

 




 


#2 tiko8019


Posted 06 May 2013 - 10:03 PM

Sorry...I reposted under proper forum topic

http://www.bleepingcomputer.com/forums/t/493752/trojan-svchostexepossibly-zeroaccess/



#3 Queen-Evie


Posted 06 May 2013 - 10:07 PM

Since you posted in MRL, this one is closed.



