SvcHost.exe auto launches, downloads data, and play audio


This topic is locked. 24 replies to this topic.

#1 UnredBenzer (Members, 18 posts)

Posted 13 April 2014 - 03:50 PM

Have this issue with SvcHost.exe running, downloading tons from the internet, and then playing audio on the speakers. I found many similar postings, about the audio, but not any related to SvcHost being rogue.

Windows 7 SP1 64-bit

Here are the symptoms:

  • SvcHost.exe will launch by itself.
  • In Task Manager, the command line shows no path or parameters, just the word svchost.exe.
  • If I end the task, it will relaunch exactly 11 minutes from the time it was killed.
  • When launched, if I have my network patch cable disconnected, the memory it takes is about 2 to 3 MB and does not grow.
  • If I am attached to the network/internet, the memory it takes grows and grows. I have seen it grow to over a gig of RAM.
  • I used Wireshark to watch all the places it talks to. Many looked evil.
  • If I kill svchost.exe, the talking stops. It resumes when it relaunches 11 minutes later.
  • All that data it puts into memory will cause audio to play, sometimes multiple things, that sound like ads or someone reading the news.
  • It seems to have disabled the ability to do Windows Updates; they error out.
  • My restore points only go back to last Thursday. Thursday is when the audio stuff happened.
  • The only thing that I can tell happened that day was an auto update to Google Chrome. It ran even though no one was on the computer.

Items I have tried:

  • Scanned with McAfee Security Center (Cox Communications Suite) and found nothing, though it has claimed to have stopped many attempts in the past week.
  • Scanned with RogueKiller.
    • It will see the rogue svchost.exe running and kill it, but cannot tell me why it ran.
    • It did other cleaning the first time, but nothing else has returned.
  • Scanned with Malwarebytes Anti-Malware too. Nothing found.
  • Scanned with the Malwarebytes MBAR (root killer?) tool. Still nothing found.
  • Tried ComboFix and nothing automatically found. I can post the logs from it if needed.
  • Tried AdwCleaner and it found nothing.
  • ESET Online Scan: Nothing found either.

I am sure I am infected by something, but what tools can I use next?

Thanks

-Dennis





#2 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 13 April 2014 - 04:07 PM

Before anyone mentions it, oops, I forgot the DDS log the helpful hints area talks about. I will do that as soon as my PC is ready again. It is being scanned by McAfee again, though I have no hope for them. :)



#3 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Location: Bulgaria)

Posted 13 April 2014 - 04:53 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again, I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

  • Next, please re-run FRST and type the following in the edit box after Search: rpcss.dll
  • Click the Search button.
  • It will make a log (Search.txt). Please post the log in your reply to me (you can use pastebin as well).

Also zip and attach all logs from the tools you ran on your own!

Regards,

Georgi




#4 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 13 April 2014 - 05:02 PM

Thanks. I saw the other thread with similar symptoms and similar instructions. Could this be a recent virus then? I hope the data will help. Do you even want a copy of the rpcss.dll, before replacement, if it comes down to that?

I will run the utility in a while. Hope to post the results within three hours.



#5 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Location: Bulgaria)

Posted 13 April 2014 - 05:30 PM

Hi,

> Thanks. I saw the other thread with similar symptoms and similar instructions. Could this be a recent virus then?

It's a new version of Pigeon (Zekos). Check this out:

https://blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/

https://blog.avast.com/2014/01/22/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-2/

> Do you even want a copy of the rpcss.dll, before replacement, if it comes down to that?

No... please post the logs I asked for and don't try to fix it on your own. Doing so will leave me out of the loop.

> I will run the utility in a while. Hope to post the results within three hours.

No worries, and take your time. However, since we are in different time zones (here it's 01:30 a.m.), I'll get some sleep and will catch you tomorrow (after 8-9 hours). :)

Regards,

Georgi
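An added triage script, not part of this thread and not code from FRST, RogueKiller or the Avast write-ups, that checks the two things discussed so far from the defender's side: svchost.exe instances showing the anomalies Dennis listed in the first post (no path or parameters on the command line, not started by services.exe, working set growing past a gigabyte), and the integrity of rpcss.dll, the file Georgi's FRST search targets. It assumes an elevated Windows PowerShell 3.0 or later session on the 64-bit host, and the known-good hash is a placeholder to be taken from a clean machine with the same Windows build.

```powershell
# Added triage script; not from the thread, FRST or RogueKiller. Assumes an elevated
# Windows PowerShell 3.0+ session on the 64-bit Windows 7 host described above.

# Part 1: svchost.exe instances that do not look like a normal service host.
# services.exe is the only legitimate parent of svchost.exe.
$servicesPid = (Get-CimInstance Win32_Process -Filter "Name = 'services.exe'").ProcessId
$pathPattern = '^' + [regex]::Escape($env:SystemRoot) + '\\(System32|SysWOW64)\\svchost\.exe$'
$suspects = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $reasons = @()
    # A null path (access denied) or a path outside System32/SysWOW64 both need a look.
    if ($_.ExecutablePath -notmatch $pathPattern) { $reasons += "path '$($_.ExecutablePath)'" }
    # Real instances are started by services.exe with a '-k <group>' argument; the thread's
    # rogue instance showed a bare 'svchost.exe' command line with no path or parameters.
    if ($_.CommandLine -notmatch '-k\s+\S+') { $reasons += 'no -k service group on command line' }
    if ($_.ParentProcessId -ne $servicesPid) { $reasons += "parent PID $($_.ParentProcessId) is not services.exe" }
    # Working set growing past 1 GB while online was another reported symptom.
    if ($_.WorkingSetSize -gt 512MB) { $reasons += "working set $([math]::Round($_.WorkingSetSize / 1MB)) MB" }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ PID = $_.ProcessId; CommandLine = $_.CommandLine; Reasons = ($reasons -join '; ') }
    }
}
$suspects | Format-Table -AutoSize

# Part 2: hash and timestamp of rpcss.dll (the file Georgi has FRST search for).
# KNOWN_GOOD is a placeholder: take the real value from a clean machine with the same build.
$knownGood = 'KNOWN_GOOD_SHA256_PLACEHOLDER'
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($dir in 'System32', 'SysWOW64') {
    $dll = Join-Path $env:SystemRoot "$dir\rpcss.dll"
    if (-not (Test-Path $dll)) { continue }
    $stream = [System.IO.File]::OpenRead($dll)
    try     { $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    $item = Get-Item $dll
    # System DLLs are usually catalog-signed, so 'NotSigned' here is not proof of tampering
    # by itself; the hash comparison and a LastWriteTime near the infection date are the tell.
    [pscustomobject]@{
        File          = $dll
        SHA256        = $hash
        MatchesClean  = ($hash -eq $knownGood)
        LastWriteTime = $item.LastWriteTime
        Signature     = (Get-AuthenticodeSignature $dll).Status
    }
}
```

Part 1 lists only instances with at least one anomaly, so an empty table means every svchost.exe on the box is a services.exe child running from the expected path with a service group; Part 2 prints one row per rpcss.dll copy for comparison against the clean machine.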




#6 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 13 April 2014 - 06:14 PM

Hello, and good morning... Here in Arizona, I will be up till 9pm my time... no idea what it will be there.

I think you will recognize the attached files.

In the zip, I included the DDS files, once before and once after when that extra svchost.exe was running.

Let me know what to do.

PS. I downloaded all tools to a thumb drive on my laptop and then put them on the main PC (which is the infected one). I also transferred all log files back the same way. Hope that helps keep me cleaner. But I will go look at the info on that virus/trojan to make sure my thumb drive is safe. Thanks!!!

Attached files: Addition.txt (31.03KB, 3 downloads), FRST.txt (26.87KB, 7 downloads), LogFiles.zip (70.98KB, 2 downloads), Search.txt (637 bytes, 2 downloads)



#7 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Location: Bulgaria)

Posted 14 April 2014 - 02:53 AM

Hi,

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,
Georgi




#8 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 14 April 2014 - 08:04 AM

Thanks. I have to leave for work right now. I can run this when I get home, in about 12 hours. The PC will remain off the network until then.

-Dennis



#9 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 14 April 2014 - 09:29 AM

Additional info: After looking at files on the PC by date, it appears I was infected when I turned on the PC Saturday, April 5th. I suspect something the day before dropped a payload, and the next boot-up was the next day, and that is when the troubles started. I just did not know it then.

So, where did I hit on Friday the 4th? Still trying to narrow it down. But it looks very possible something on Facebook is what did it. Will give an update if I learn anything further.

-Dennis



#10 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 14 April 2014 - 08:09 PM

OK, here is the TXT file.

Attached file: Fixlog.txt (3.82KB, 3 downloads)



#11 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 14 April 2014 - 08:14 PM

The rogue svchost.exe did not launch after the fix/reboot. That is good!!

Running Windows Updates now... they seem to be working. Will write back after all that is done and I see no more issues.

-Dennis



#12 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 14 April 2014 - 08:30 PM

OK, new problem. Makes no sense, but I think I saw others post this.

From IE11, I cannot get to Google or Yahoo. I can surf just about everywhere else. Something left behind to keep me from those sites?

Let me know what to run and what to send... thanks!!!

-Dennis



#13 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 14 April 2014 - 08:44 PM

PS. It seems to be only my account that cannot get to Google and Yahoo. My wife's account works fine.



#14 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 14 April 2014 - 08:55 PM

PPS. I can use Chrome and get there. In IE11, I can put in the IP for Google or Yahoo and get there. So... something is blocking the name.



#15 UnredBenzer (Topic Starter, Members, 18 posts)

Posted 14 April 2014 - 09:18 PM

Update: I reset my Internet Options on the Advanced tab, and all seems OK.

As to the original problem: I suspect it got infected at 9:43 AM on April 4th. Attached is a screenshot of the files sorted together from that time. Note that one of them is one the FRST app moved/renamed.

Attached file: Source.JPG (45.73KB, 1 download)


Edited by UnredBenzer, 14 April 2014 - 11:36 PM.
