TechSpot

SVChost.exe

By kemp_Drumsalot
Nov 12, 2007
  1. Hello again, it seems as if I might have run into something once again. I was browsing the net yesterday and all of a sudden, I looked at my firewall and a bunch of firefox were up, so I blocked everything. Then I checked my logs after about 12 hours and noticed that svchost.exe is popping up like crazy trying to do something with my info. What exactly do I need to do, do for you?

    I also would like to add, I just went over to my other computer, to re-download hijackthis, but I could not get an internet connection, and once I turned the firewall back to custom, a ton of SVChost.exe's appeared in the activity window, and I still couldn't get a connection after checking behind the computer and unplugging and replugging in the modem, so I turned it back to block all.

    Alrighty, so I took Hijackthis install from this computer and put it on a flashdrive, then did a scan. I attached the results. Also, after reading some different things on the forum, I checked my task manager and processes; there were around 5-6 svchost.exe's. Just thought I would throw that in there.

    Haha, I keep remembering things after I post, I also ran a scan with AVG, AVG Spyware, Ad-Aware, Spybot Search & Destroy and didn't get anything on any of them.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    The svchost.exe is probably trying to update some component of your system.

    For instance, Windows Automatic updates uses svchost.exe.

    Regards Howard :)
     
  3. sensaschess

    sensaschess TS Rookie

    Seems to be infected??

    Try using Task Manager to end task SVChost.exe; if it appears again automatically after some time, then it could possibly be a virus. Use Panda antivirus + spyware to check your system. Using more than one scanner is advisable.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Svchost.exe is only a virus if it's running from anywhere else other than the system32 folder.

    Ending svchost.exe in the task manager may well result in a system crash.

    Far more likely, kemp_Drumsalot's instances of svchost.exe are perfectly legit.

    Regards Howard :)
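
The check from the post above (whether each svchost.exe runs from the system32 folder), written as a PowerShell sketch. This is an added example, not part of the original thread; it assumes Windows PowerShell 3.0 or later, and the SysWOW64 entry and the services.exe parent check are additions beyond what the post states.

```powershell
# Added example (not from the thread): audit every running svchost.exe.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')  # 32-bit copy on 64-bit Windows
)

# Snapshot all processes once so parent PIDs can be resolved to names.
$all = Get-CimInstance -ClassName Win32_Process
$nameByPid = @{}
foreach ($p in $all) { $nameByPid[[int]$p.ProcessId] = $p.Name }

$report = foreach ($p in ($all | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    # May be empty if the parent has already exited.
    $parent = $nameByPid[[int]$p.ParentProcessId]

    $verdict = if (-not $p.ExecutablePath) {
        'UNKNOWN: path unreadable, rerun elevated'
    } elseif ($expected -notcontains $p.ExecutablePath) {
        'SUSPICIOUS: image is outside the system folder'
    } elseif ($parent -ne 'services.exe') {
        'REVIEW: not started by services.exe'
    } else {
        'ok'
    }

    [pscustomobject]@{
        PID     = $p.ProcessId
        Parent  = $parent
        Path    = $p.ExecutablePath
        Verdict = $verdict
    }
}

$report | Sort-Object Verdict, PID | Format-Table -AutoSize
```

Several svchost.exe rows are normal, since each instance hosts a group of services; the Path and Parent columns are what distinguish a genuine service host from a look-alike.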
     
  5. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    Ok, what should I do about the multiple firefoxes showing up and the connection not working since this started? Also, I keep looking at my logs, and Comodo is denying access for an application process to some IP, and it continues to show this in the log from a couple minutes to seconds of each other. I'm posting this outside of the house, but I will be able to reply occasionally for about 5 hours.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, for a more in depth look at your system, please do the following.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Combofix will automatically save the log file to C:\combofix.txt

    Post the Combofix log.

    Regards Howard :)
     
  7. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    Alrighty, I'll download it on my other computer then bring it over like I did the HJT, also, I was wondering if the fact that I had my Comodo firewall to block all right now might have affected our results? I'm planning on turning it to allow all during the two scans to see if it helps.

    By the way, I will not be able to do this for another 4-5 hours, will you be able to help/respond during that time?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hopefully, I'll still be around in 4 or 5 hours.

    Regards Howard :)
     
  9. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    Alrighty, here's the combofix log and the new HJT log. What next?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is riddled with adware.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:

    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of kemp_Drumsalot only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    Cancel this post, I fixed the problem finally.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Try this and see if it helps at all.

    1.) Download WinsockFix.exe. (by: Option^Explicit)
    2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
    3.) Run WinsockFix.exe.
    4.) Click the Fix button.

    Regards Howard :)

     
  13. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    What is that supposed to help with the adware? I fixed the connection problem.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The Winsockfix was to try and help with your connection problem lol. Glad you've got it fixed, now go and follow the instructions mate.

    Regards Howard :)

     
  15. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    Running the online scanner right now, went ahead and updated all my programs before I started it so I'm just waiting for the scan to finish so I can start.

    --------------------
    *Update*
    I'm leaving within the next few mins, the scan still has to finish up so I will just leave that and finish when I get back. I will be back in approx 3 hours from now to finish the job, if you're not still up, I can hopefully catch you sometime in the morning or during the day tomorrow. Thank you for your help again Howard.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, no problems.

    Regards Howard :)

     
  17. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    Updated Above Posts
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem, we can pick this up again later on.

    Regards Howard :)

     
  19. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    Ok, I'm still doing the cleaning but I just wanted to give you a heads-up and ask a question on my logs.
    Ok, so I found a trojan downloader during my combofix scan, so I put that in my vault and deleted it in safe mode, but I didn't find anything during my actual AVG scan, I'm still finishing my scans now so I'll post back here when those are done.

    For the logs, do I need to rerun combofix AFTER I finish doing all the stuff I'm doing now or do I do it after I finish all the steps?
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Just follow the steps in order.

    So that means I want the Combofix log from step 12, the AVG Antispyware log from step 14 and the HJT log from step 15.

    Regards Howard :)

     
  21. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    Alrighty, the AVG Spyware is running right now. I'll keep trucking.

    Ok, I just finished all that, um I can hear my computer making noises (like when something is scanning or a big file is being downloaded) but I don't have any scanners...oops there it is, Windows automatic updates just came up, that's what it was. Anyways, logs are attached, what would you like me to do now? Oh, and the vundo didn't come up with anything. Neither did Panda.
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Well done, all clean.

    At least we managed to get rid of a lot of adware from your system.

    We now know what has been causing your problems and this seems to be a fairly common occurrence and at least it shows that the svchost.exe processes you have running are legit.

    Delete the following folder.

    C:\qoobox

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  23. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    Well thanks again for all your help Howard, I just reset my restore points so that's good to go.

    Now which firewall would you suggest?

    Also, is it OK if I post the combofix and HJT logs from my other computer here as well? I would like to check this computer just in case.
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Any of these, whichever you prefer.

    Zonealarm, Kerio or Comodo free firewall programmes.

    Regards Howard :)

     
  25. kemp_Drumsalot

    kemp_Drumsalot TS Rookie Topic Starter Posts: 66

    Alrighty, I don't know whether to pick Zonealarm or comodo, if you had to choose which would you pick? (or if you don't want to say for some reason, is there a difference between the two?)

    Also, I attached the combofix and HJT logs for my OTHER computer, I just wanted to check to make sure this one was alright too, I already did the online virus scan and it didn't come up with anything.
     
Topic Status:
Not open for further replies.
