Svchost.exe virus?


3 replies to this topic

#1 Jlev12

Posted 23 July 2013 - 01:39 AM

I've read all the articles I can about svchost.exe and am coming up with no answers.

Here is my problem:

Svchost.exe begins when my computer starts, and ends up taking about 300k if I leave it alone.

Upon termination, it restarts itself within minutes and slowly climbs back up to around 300k.

Clicking "Go to services" shows nothing highlighted, and Svchost Explorer shows it to be using no services.

Using Process Explorer I checked the TCP usage: it sends while climbing, then stops, and burps more sends every 5 minutes or so.

Some of the IPs it's sending to are:

  • 108.161.189.32
  • a23-15-63-139.deploy.static.akamaitetechnologies.com
  • 96.17.202.88
  • 96.17.203.73
  • float.898.bm-impbus.prod.lax1.adnexus.net
  • uk2.unitedalliencenetwork.com
  • thecelebritycafe.net
  • unknown-68-142-253-x.yahoo.com

The list goes on...

 

These IPs are all around the world. Is this spyware? Malware?

 

I've run AVG and Malwarebytes and come up with nothing.

My e-mail was compromised in the last few days or so. Can this be the root?

 

Let me know what you guys think.

 

I've included a dump of svchost.exe at its peak; maybe you guys can extract some information.

 

http://www46.zippyshare.com/v/34386298/file.html
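The check the topic starter describes, correlating each svchost.exe instance with the services it hosts and the connections it owns, written out as an added example; it is not code from the original thread. It parses the output of two built-in Windows commands, tasklist /svc /FO CSV and netstat -ano, and cross-references them by PID, flagging any svchost.exe that hosts no service yet holds connections to remote peers, which is the pattern Process Explorer was showing. The sample output embedded below is constructed, not a capture from the poster's machine: the PIDs and local addresses are invented, and the two remote addresses are taken from the list above.

```python
"""Flag svchost.exe instances that host no service but own network connections.

Added example, not from the thread. It parses the output of the built-in Windows
commands `tasklist /svc /FO CSV` and `netstat -ano` and cross-references them by
PID. The sample output below is constructed; PIDs and local addresses are invented.
"""
import csv
import io
import re
import subprocess
import sys

# Constructed sample of `tasklist /svc /FO CSV` output (not a real capture).
SAMPLE_TASKLIST = '''"Image Name","PID","Services"
"svchost.exe","612","DcomLaunch,PlugPlay,Power"
"svchost.exe","748","RpcEptMapper,RpcSs"
"svchost.exe","1988","N/A"
"explorer.exe","1540","N/A"
'''

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    192.168.1.10:49321     108.161.189.32:80      ESTABLISHED     1988
  TCP    192.168.1.10:49330     96.17.202.88:443       TIME_WAIT       1988
  UDP    0.0.0.0:5355           *:*                                    612
'''

# Wildcard, unspecified and loopback peers are listeners or local traffic, not
# remote hosts; loopback is excluded only to cut noise on a normal desktop.
LOCAL_PREFIXES = ("0.0.0.0:", "*:", "[::]:", "127.0.0.1:")


def parse_tasklist_svc(text):
    """Map PID -> (image name, list of hosted services) from `tasklist /svc /FO CSV`.

    tasklist prints "N/A" both for a process that hosts no service and for one it
    was not allowed to query, so run this from an elevated prompt.
    """
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        services = [] if row["Services"] == "N/A" else row["Services"].split(",")
        result[int(row["PID"])] = (row["Image Name"], services)
    return result


# TCP rows carry a State column; UDP rows do not, hence the optional group.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Map PID -> [(proto, local, remote, state)] from `netstat -ano` output."""
    conns = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        conns.setdefault(int(pid), []).append((proto, local, remote, state or ""))
    return conns


def suspicious_svchosts(services_by_pid, conns_by_pid):
    """svchost.exe PIDs that host no service yet talk to remote peers, with those endpoints.

    A legitimate svchost.exe exists only to host services, so an instance with
    none that is still sending to the Internet deserves a closer look (image
    path, Authenticode signature, parent process).
    """
    flagged = {}
    for pid, (image, services) in services_by_pid.items():
        if image.lower() != "svchost.exe" or services:
            continue
        remote = [c for c in conns_by_pid.get(pid, []) if not c[2].startswith(LOCAL_PREFIXES)]
        if remote:
            flagged[pid] = remote
    return flagged


def collect():
    """On Windows run the two commands; elsewhere fall back to the constructed samples."""
    if sys.platform != "win32":
        return SAMPLE_TASKLIST, SAMPLE_NETSTAT
    tl = subprocess.run(["tasklist", "/svc", "/FO", "CSV"], capture_output=True, text=True, check=True).stdout
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    return tl, ns


if __name__ == "__main__":
    tl, ns = collect()
    for pid, conns in suspicious_svchosts(parse_tasklist_svc(tl), parse_netstat(ns)).items():
        print(f"svchost.exe PID {pid} hosts no service but has {len(conns)} remote endpoint(s):")
        for proto, local, remote, state in conns:
            print(f"  {proto} {local} -> {remote} {state}")
```

Two caveats apply. Service names in tasklist output are only reliable from an elevated prompt, for the reason in the docstring. And both commands ask the running kernel what it sees, so a kernel-mode rootkit can hide its process or sockets from them; a clean result here is not proof of a clean system, which is why an offline-capable rootkit scanner is the right next step.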



#2 GodfatherKing

Posted 23 July 2013 - 04:37 AM

Give this a try:

Running TDSSKiller to obtain log

 

Note: Don't cure or delete a threat; choose Skip for all instead.

  • Please download TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Under Additional options, check Detect TDLFS file system.
  • Click Start Scan and allow the scan process to run.
  • Choose Skip for all threats.
  • Click Continue.
  • Please post the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\).

===================================================

 

ESET Online Scanner
==================

Note: If your AV is blocking Eset online scanner, please temporarily disable your AV.

 

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and » UNCHECK "Remove found threats" <== Important
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. (If no malware was found you will not be presented with a log).
  • Click the Back button.
  • Click the Finish button.

===================================================


If you have received help from me and I haven't responded to you for 3 or more days, send me a Private Message.


#3 Jlev12 (Topic Starter)

Posted 23 July 2013 - 11:29 AM

09:28:24.0026 2676  Scan finished
09:28:24.0026 2676  ============================================================
09:28:24.0048 5456  Detected object count: 2
09:28:24.0048 5456  Actual detected object count: 2
09:28:31.0725 5456  \Device\Harddisk0\DR0\# - copied to quarantine
09:28:31.0727 5456  \Device\Harddisk0\DR0 - copied to quarantine
09:28:31.0788 5456  \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
09:28:31.0806 5456  \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
09:28:31.0812 5456  \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
09:28:31.0819 5456  \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
09:28:31.0827 5456  \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
09:28:31.0843 5456  \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
09:28:31.0855 5456  \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
09:28:31.0857 5456  \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
09:28:31.0860 5456  \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
09:28:31.0862 5456  \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
09:28:31.0866 5456  \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
09:28:31.0870 5456  \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
09:28:31.0872 5456  \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
09:28:31.0874 5456  \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
09:28:31.0893 5456  \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
09:28:31.0921 5456  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
09:28:31.0923 5456  \Device\Harddisk0\DR0 - ok
09:28:32.0496 5456  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
09:28:32.0497 5456  \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
09:28:32.0497 5456  \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip



#4 GodfatherKing

Posted 23 July 2013 - 11:49 AM

It looks like the tool has found your issue: you have/had 2 rootkits.
 
Please change all the passwords on a clean computer. If you do home banking please notify your bank and change all your passwords for safety.
 
====
 
09:28:32.0497 5456  \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
09:28:32.0497 5456  \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

 

 

Repeat the scan with TDSSKiller, following the same instructions as before, and this time delete the TDSS File System.

 

Next, check again; now the scan should not find anything more. If that's the case, proceed with ESET Online Scanner.


Edited by GodfatherKing, 23 July 2013 - 11:53 AM.

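A parser for the TDSSKiller log excerpt posted in reply #3, added here as an example; it is not code from the thread or from the tool's vendor. It reads the posted lines (embedded below as sample input), pairs each detection with the user-selected action recorded for it, counts the objects copied to quarantine, and reports any detection that was skipped rather than cured or deleted, which is the point the reply above makes about the TDSS File System entry. The second column of each log line is treated as a thread id; that is an assumption about the format, not something the log states.

```python
"""Summarize a TDSSKiller log: detections, recorded user actions, quarantined objects.

Added example, not from the thread or from the tool's vendor. The sample input is
the log excerpt posted in the thread. Treating the second column as a thread id
is an assumption about the format.
"""
import re

# Log excerpt as posted in the thread (raw string: the object paths contain backslashes).
TDSSKILLER_LOG = r"""
09:28:24.0026 2676  Scan finished
09:28:24.0026 2676  ============================================================
09:28:24.0048 5456  Detected object count: 2
09:28:24.0048 5456  Actual detected object count: 2
09:28:31.0725 5456  \Device\Harddisk0\DR0\# - copied to quarantine
09:28:31.0727 5456  \Device\Harddisk0\DR0 - copied to quarantine
09:28:31.0788 5456  \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
09:28:31.0806 5456  \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
09:28:31.0812 5456  \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
09:28:31.0819 5456  \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
09:28:31.0827 5456  \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
09:28:31.0843 5456  \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
09:28:31.0855 5456  \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
09:28:31.0857 5456  \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
09:28:31.0860 5456  \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
09:28:31.0862 5456  \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
09:28:31.0866 5456  \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
09:28:31.0870 5456  \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
09:28:31.0872 5456  \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
09:28:31.0874 5456  \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
09:28:31.0893 5456  \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
09:28:31.0921 5456  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
09:28:31.0923 5456  \Device\Harddisk0\DR0 - ok
09:28:32.0496 5456  \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
09:28:32.0497 5456  \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
09:28:32.0497 5456  \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
"""

# "<timestamp> <id>  <rest of line>"
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<rest>.*)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
QUARANTINE_RE = re.compile(r"^(?P<obj>.+?) - copied to quarantine$")
# "<object> ( <detection name> ) - <message>"
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \( (?P<name>[^()]+) \) - (?P<msg>.+)$")
ACTION_RE = re.compile(r"^User select action: (?P<action>\w+)$")

# Actions that actually neutralize a detection; anything else leaves it in place.
RESOLVING_ACTIONS = {"Cure", "Delete"}


def parse_tdsskiller_log(text):
    """Return {"detected_count", "quarantined": [paths], "detections": {(obj, name): record}}.

    Each detection record holds the status messages logged for it and the last
    user-selected action, or None if the log records no action for it.
    """
    report = {"detected_count": None, "quarantined": [], "detections": {}}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        count = COUNT_RE.match(rest)
        quarantine = QUARANTINE_RE.match(rest)
        detection = DETECTION_RE.match(rest)
        if count:
            report["detected_count"] = int(count.group("n"))
        elif quarantine:
            report["quarantined"].append(quarantine.group("obj"))
        elif detection:
            key = (detection.group("obj"), detection.group("name"))
            rec = report["detections"].setdefault(key, {"messages": [], "action": None})
            action = ACTION_RE.match(detection.group("msg"))
            if action:
                rec["action"] = action.group("action")
            else:
                rec["messages"].append(detection.group("msg"))
    return report


def unresolved(report):
    """Detections whose recorded action does not remove them (skipped, or no action logged)."""
    return [key for key, rec in report["detections"].items()
            if rec["action"] not in RESOLVING_ACTIONS]


if __name__ == "__main__":
    report = parse_tdsskiller_log(TDSSKILLER_LOG)
    print(f"detected objects: {report['detected_count']}, quarantined: {len(report['quarantined'])}")
    for (obj, name), rec in report["detections"].items():
        print(f"{name} on {obj}: action={rec['action']} messages={rec['messages']}")
    for obj, name in unresolved(report):
        print(f"STILL PRESENT: {name} on {obj}")
```

On the posted excerpt this reports the boot sector detection as cured and the TDSS File System as still present, because the only action logged for it is Skip. The same check is worth running on the follow-up log after the rescan: the thread's instruction is that nothing should remain unresolved before moving on to the online scanner.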




