SVC Host virus won't go away

Discussion in 'Malware Help (A Specialist Will Reply)' started by MortisFK, Oct 6, 2012.

  1. MortisFK

    MortisFK Private E-2

    Hello,

    I have Windows 7 64-bit version on my desktop computer. A few days ago, all my programs shut down and the computer rebooted; I had not noticed any suspicious activity before this. Yesterday, I got a blue screen error and the computer shut down. When I started it back up, I was getting IE randomly opening on its own, and Firefox was redirecting the links that I clicked on. In Task Manager, I see the process SVCHost.exe *32 described as WINRSCMDE; it keeps opening itself, and the physical memory used will keep growing if I do not end the process.

    In Safe Mode with Networking, I ran Malwarebytes, Spybot Search & Destroy, and Trend Micro HouseCall. All 3 found trojans and fixed them, and I ran them multiple times. I am still getting the redirected links, and the WINRSCMDE is still in my processes.

    I know the first thing I need to do is download and run TDSSKiller. My questions are: Should I be working under Safe Mode, or normal boot up? Is it OK to let the WINRSCMDE keep using up physical memory, or should I keep ending the process? It opens every 40 seconds or so, but I do not want to damage anything.

    Thank you all very much for your help.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  3. MortisFK

    MortisFK Private E-2

    Hello, thanks for your help. Here are my logs. Also, IE kept randomly opening on its own during all the scans.
     

    Attached Files:

  4. MortisFK

    MortisFK Private E-2

    Also, here is the MGTools log.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Rerun Hitman Pro and have it delete everything it finds EXCEPT:

    • C:\Windows\system32\services.exe

    With this entry I want you to use the option REPLACE.

    Now rescan again, just a scan, no fix and attach that log.



    http://img805.imageshack.us/img805/9659/rktigzy.gif Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : Skype Update (Rundll32.exe C:\Users\Carl\AppData\Local\Skype\vglxekoi.dll,IZDSP_Process) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-2441295050-1105691804-215257311-1000[...]\Run : Skype Update (Rundll32.exe C:\Users\Carl\AppData\Local\Skype\vglxekoi.dll,IZDSP_Process) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2441295050-1105691804-215257311-1000\$01a4c8cc11a9a5a5f264bede045b1dda\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$01a4c8cc11a9a5a5f264bede045b1dda\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$01a4c8cc11a9a5a5f264bede045b1dda\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-2441295050-1105691804-215257311-1000\$01a4c8cc11a9a5a5f264bede045b1dda\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$01a4c8cc11a9a5a5f264bede045b1dda\n.) -> FOUND
    • [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$01a4c8cc11a9a5a5f264bede045b1dda\n.) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    and the same for the items on the Files/Folder tab please....

    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{01a4c8cc-11a9-a5a5-f264-bede045b1dda}\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Windows\Installer\{01a4c8cc-11a9-a5a5-f264-bede045b1dda}\L --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$01a4c8cc11a9a5a5f264bede045b1dda\@ --> FOUND
    • [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-2441295050-1105691804-215257311-1000\$01a4c8cc11a9a5a5f264bede045b1dda\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$01a4c8cc11a9a5a5f264bede045b1dda\U --> FOUND
    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2441295050-1105691804-215257311-1000\$01a4c8cc11a9a5a5f264bede045b1dda\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$01a4c8cc11a9a5a5f264bede045b1dda\L --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2441295050-1105691804-215257311-1000\$01a4c8cc11a9a5a5f264bede045b1dda\L --> FOUND
    • [Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.



    Now rerun MalwareBytes and attach the new log if it finds anything.



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Windows\svchost.exe
    C:\Users\Carl\AppData\Local\Skype\vglxekoi.dll
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Skype Update"=-
    [HKEY_USERS\S-1-5-21-2441295050-1105691804-215257311-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "Skype Update"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2843657F-3B59-413D-B559-D3DDAF00953A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2843657F-3B59-413D-B559-D3DDAF00953A}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    • Reboot the machine.
    • Rerun RogueKiller (no fix just a scan) attach log.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
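    As an added example, not part of this thread and not output or code from RogueKiller, Hitman Pro or OTM: a read-only PowerShell script that looks for the same classes of ZeroAccess indicator Kestrel13! lists above (the hijacked InprocServer32 CLSIDs pointing into $Recycle.Bin, the rundll32 Run-key entry loading a DLL from AppData\Local, the GAC_32/GAC_64 Desktop.ini files, the U and L folders under a GUID-named C:\Windows\Installer directory and under a $-hash folder in $Recycle.Bin, and a tampered services.exe). The patterns are generalised from the specific paths in the post (any SID, any 32-hex-character hash, any GUID), which is an assumption; it reports and deletes nothing, so it is a check you can run before and after the cleanup, not a replacement for the tools the thread uses.

```powershell
# Added example, not from the thread or its tools: read-only hunt for the ZeroAccess
# indicators reported above. Run in an elevated PowerShell. Nothing is modified.
# Assumption: indicator shapes are generalised from the thread's exact paths.

$findings = New-Object System.Collections.Generic.List[string]
$win = $env:windir

# 1. COM hijack: an InprocServer32 default value that resolves into $Recycle.Bin
#    (the thread's entries pointed at ...\$Recycle.Bin\<SID>\$<hash>\n.).
foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
    if (-not (Test-Path -LiteralPath $hive)) { continue }
    Get-ChildItem -LiteralPath $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = "$hive\$($_.PSChildName)\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $target = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($target -and $target -match '\\\$Recycle\.Bin\\') {
                $findings.Add("[HJ INPROC] $inproc -> $target")
            }
        }
    }
}

# 2. Persistence: Run-key values that launch rundll32 against a DLL under a user
#    profile (the thread's "Skype Update" -> rundll32 ...\AppData\Local\Skype\*.dll).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PowerShell's own PSPath etc.
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)rundll32' -and $cmd -match '(?i)\\AppData\\(Local|Roaming)\\') {
            $findings.Add("[RUN][SUSP PATH] $key : $($p.Name) = $cmd")
        }
    }
}

# 3. File-system droppings named in the thread: Desktop.ini in the GAC folders,
#    and U / L folders under a GUID-named directory in C:\Windows\Installer.
foreach ($f in "$win\Assembly\GAC_32\Desktop.ini", "$win\Assembly\GAC_64\Desktop.ini") {
    if (Test-Path -LiteralPath $f) { $findings.Add("[FILE] $f") }
}
Get-ChildItem -LiteralPath "$win\Installer" -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
    ForEach-Object {
        foreach ($sub in 'U', 'L') {
            $d = Join-Path $_.FullName $sub
            if (Test-Path -LiteralPath $d) { $findings.Add("[FOLDER] $d") }
        }
    }

# 4. $Recycle.Bin: per-SID folder containing a '$' + 32-hex-character directory that
#    holds '@', 'U', 'L' or the 'n' module the hijacked CLSIDs load.
$bin = Join-Path $env:SystemDrive '$Recycle.Bin'
Get-ChildItem -LiteralPath $bin -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem -LiteralPath $_.FullName -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\$[0-9a-f]{32}$' } |
        ForEach-Object {
            foreach ($item in '@', 'U', 'L', 'n') {
                $p = Join-Path $_.FullName $item
                if (Test-Path -LiteralPath $p) { $findings.Add("[ZeroAccess] $p") }
            }
        }
}

# 5. services.exe: the thread had it replaced because ZeroAccess patches it in place.
#    Caveat: on Windows 7, Get-AuthenticodeSignature does not consult catalog
#    signatures, so a 'NotSigned' result there is a prompt to verify with
#    sfc /verifyfile=... or sigcheck, not proof of tampering.
$svc = "$win\System32\services.exe"
$sig = Get-AuthenticodeSignature -FilePath $svc
if ($sig.Status -ne 'Valid') { $findings.Add("[Susp] $svc signature status: $($sig.Status)") }

if ($findings.Count -eq 0) {
    Write-Output 'No ZeroAccess indicators of the kinds listed in the thread were found.'
} else {
    Write-Output 'Indicators found (nothing was changed):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

    Scanning every CLSID under HKLM takes a few seconds; the $Recycle.Bin and Installer checks need the -Force flag because the folders are hidden and system. A clean result from this script only means these particular artifacts are absent, which is why the thread still asks for a fresh RogueKiller scan and Malwarebytes run afterwards.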
     
  6. MortisFK

    MortisFK Private E-2

    Hi, here are the logs. The first time I ran RogueKiller, it wanted me to reboot as soon as I hit the "delete" button. You said not to reboot yet, so I didn't. It said it cannot delete without reboot. So I moved on to the next step.

    After Malwarebytes scan it found 1, and I had to reboot.

    MGTools asked me to install Trend Micro HijackThis, but I did not agree to the terms, and it went away.

    I did not receive any pop-ups during all these processes. Things seem to be running OK at the moment.

    Again, thank you very much for your help with my issue.
     

    Attached Files:

  7. MortisFK

    MortisFK Private E-2

    Also, here is the MGTools log. Thanks again.

    P.S., during the first RogueKiller scan, most of the files you told me to delete were not showing in the list. I was only able to find 3 that matched the description you gave.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please rerun RogueKiller and let it fix the entries I outlined to you if they still show. Reboot if it tells you to and then rescan and attach the new log.
     
  9. MortisFK

    MortisFK Private E-2

    Most of the files you listed still did not show. Here is the log. Thank you.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Malware Bytes no longer finds anything I presume? How is everything running?
     
  11. MortisFK

    MortisFK Private E-2

    Malwarebytes scan is clear with nothing found. It has been running wonderfully. No pop ups or redirecting links, and nothing strange running in my task manager processes.

    Please let me know if there are any other final touches that need done. Again, I can't thank you enough for your help.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  13. MortisFK

    MortisFK Private E-2

    Thanks. One other thing: when going through "How to protect yourself..." I found that my Windows Update is not running. It says "The service is not running, you may need to restart." But after restarting, it still does not run. Did I turn this off somehow during the cleanup?
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, check to see if your firewall is working. Then run MGTools.exe again and attach the MGlogs.zip it produces. This is damage the malware caused. It does not mean the malware is still there though :)
     
  15. MortisFK

    MortisFK Private E-2

    Attached are the logs from MGTools and also from Windows Repair. I checked after they ran, and Windows Updates is working now. Thanks.
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Excellent. No other issues?
     
  17. MortisFK

    MortisFK Private E-2

    Everything is running perfectly. Again, I can't thank you enough. And I would recommend using MajorGeeks to anyone who reads this thread in the future. It is incredible what you folks do, you are a true service to humanity.
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thank you. :) I am glad everything is running nicely again.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  19. MortisFK

    MortisFK Private E-2

    I've run through the final steps. Everything is working wonderfully. :)
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good, good. ;) That's what we like to hear!
     
  21. MortisFK

    MortisFK Private E-2

    Hello, I've found another function that seems to not be working due to left overs from the virus/cleanup process.

    I run a render farm off this computer, and the other networked computers cannot see/access my computer any longer. I see that certain files are no longer shared as they were. When I try to share them, nothing happens.

    Under the Network, I get a message that says "Network discovery and file sharing are turned off. Network computers and devices are not visible. Click to change..."

    When I click to change, and choose "Turn on network discovery and file sharing", it gives me the same message again.
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can ask about this in the software forum. :)
     
