Malware Services with Svchost.exe
Hi, we have seen that nowadays most Viruses/Trojans/Malware are creating their own services with svchost -k netsvc parameters. In this situation we are not able to stop this service, as well as unable to delete it with Autoruns, and even sometimes unable to stop it. Even in some cases, if we change it from Automatic to Disabled, it will automatically be set back to Automatic once we click Apply. Kindly help with how to stop/delete it and how to check which exe/process uses it. Due to this it's sending high broadcast. Regards, Dhiraj
December 16th, 2009 3:49pm

1. To see which tasks are running, open a Run window (Windows key+R), type cmd /k tasklist /svc (note the three spaces) and press Enter. Make a note of them and close the cmd prompt. To get a better description of the associated Service(s), go to Task Manager (Ctrl+Shift+Esc) > Processes Tab and on a specific Svchost, right-click it > Go to Service(s) to see all the Services, which are highlighted. Alternatively, use Process Explorer to see what services are running. To see the svchost processes, let the mouse pointer hover over each svchost.exe in the left pane. Download it from here: http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

2. If you have identified the rogue service, CREATE A SYSTEM RESTORE POINT, then click the Windows Orb (Start), type regedit, press Enter and in the left pane navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Look for the service there, then right-click and delete it. The DisplayName key in the right pane should help you to identify bogus services. NOTE: Before deleting the main key in the left pane, make a note of any sub keys to determine which files the service was using, and note the ImagePath location(s) in the right pane and delete those files using Windows Explorer. DO NOT DELETE SVCHOST which may be listed.

3. Now check these 5 registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute, which should contain just "autocheck autochk *" (not the quotes).
These 4 registry keys (which are not always present): delete anything in the right pane that is suspicious (match the name with anything you have identified above, or Google the name if you're unsure):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

4. There are other keys to look at, but try the above first.

5. Remember to create a system restore point before making any registry changes, so that any registry mistakes can be rectified and, perhaps, it's better to rename any ImagePath files rather than delete them. Lastly, document exactly what you've changed and deleted. Good luck.

EDIT: You probably know this, but I forgot to say that you can identify/stop services from starting by using msconfig > Services Tab > tick Hide MS services and examine the remaining items.
December 16th, 2009 5:13pm
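The enumeration in step 1 above (tasklist /svc plus a look at the Services key) can be done in one pass from PowerShell. The script below is an added example, not part of the thread or of any Microsoft tool: it walks HKLM\SYSTEM\CurrentControlSet\Services, keeps the services whose ImagePath runs under svchost.exe, resolves the DLL each one actually loads (the ServiceDll value, normally under the service's Parameters subkey), and flags any DLL that lives outside %SystemRoot%\System32, which is exactly where the rogue DLL in this thread was hiding. The "Suspicious" column name and the System32 check are the example's own assumptions; a legitimate service can load a DLL from elsewhere, so the flag is a prompt to look, not a verdict. Nothing here changes the system.

```powershell
# Added example: list svchost-hosted services, their -k group, start type and ServiceDll.
# Read-only; run from an elevated PowerShell so every service key is readable.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemDir    = Join-Path $env:SystemRoot 'System32'

$results = foreach ($svc in Get-ChildItem $servicesRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { continue }
    if ($props.ImagePath -notmatch 'svchost\.exe') { continue }

    # The "-k <group>" argument tells you which svchost instance hosts this service
    $group = if ($props.ImagePath -match '-k\s+(\S+)') { $Matches[1] } else { '' }

    # ServiceDll normally sits under Parameters; a few services keep it on the service key itself
    $params = Get-ItemProperty -Path "$servicesRoot\$($svc.PSChildName)\Parameters" -ErrorAction SilentlyContinue
    $dll = if ($params -and $params.ServiceDll) { $params.ServiceDll } else { $props.ServiceDll }
    $dll = [Environment]::ExpandEnvironmentVariables("$dll")

    [PSCustomObject]@{
        Name        = $svc.PSChildName
        DisplayName = $props.DisplayName      # may be an "@dll,-id" resource string for built-in services
        Group       = $group
        Start       = $props.Start            # 2 = Automatic, 3 = Manual, 4 = Disabled
        ServiceDll  = $dll
        # Assumption of this example: a hosted DLL outside System32 deserves a closer look
        Suspicious  = [bool]($dll -and -not $dll.StartsWith($systemDir, [StringComparison]::OrdinalIgnoreCase))
    }
}

# Flagged entries first, then everything else
$results | Sort-Object Suspicious -Descending, Name | Format-Table -AutoSize

# The running instances with their PIDs, equivalent to the thread's "tasklist /svc" step
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'svchost\.exe' -and $_.State -eq 'Running' } |
    Select-Object ProcessId, Name, PathName |
    Sort-Object ProcessId | Format-Table -AutoSize
```

Comparing the two tables is what matters: a service name that appears under svchost in the registry with a ServiceDll in a profile or temp directory, and whose PID is one of the svchost instances generating the traffic, is the one to take to the steps that follow. Keep the output (or pipe it to Out-File) before making any change, so the documentation step in point 5 above has a "before" snapshot.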

Thanks for your reply, Burr. As per step 1, I got the culprit file which is associated with svchost: "C:\Windows\System32\config\systemprofile\Application Data\gclhk\itqnu.dll". I have closed this handle with Procexp and deleted this DLL, but within the next 1 sec it's recreated. Now as per step 4, are you sure I need to look at the above keys, or need to check the below reg keys? Kindly clarify.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastuserswitchingcompatibility
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fastuserswitchingcompatibility
Dhiraj
December 17th, 2009 8:35am

Well done to you for identifying the culprit. The 4 keys I listed are the rarely used keys that may have been used to start the rogue. It only takes a few minutes to look at them (if they are indeed present). Here are the possible trigger keys, but create a system restore point first just in case you have finger problems:

1. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and in the right pane look for Shell, which should contain just one entry, Explorer.exe. Delete any others.
2. Also in the right pane look for UserInit, which should contain C:\WINDOWS\system32\userinit.exe followed by a comma. Any other program name(s) following the comma can be removed.
3. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: right-click and Delete anything in the right pane that you don't recognise.
4. HKCU\Software\Microsoft\Windows\CurrentVersion\Run: right-click and Delete anything in the right pane that you don't recognise.
5. HKEY_CLASSES_ROOT\exefile\shell\open\command. If the right pane has a single entry (default) with a value of "%1" %* or c:\docs & settings\all users\start menu\programs\startup\msupdate.exe "%1" %* then it is OK. Remove everything else beyond the "%1" %*.
6. In the x64 (64-bit) versions, there is an additional branch, Wow6432Node, at HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run where the entries for x86 (32-bit) software are stored.
7. Search the registry (F3) for the culprit itqnu.dll and remove any references to it (if any).

Look in \Windows\System32 for .exe and .dll files that have a Date Modified coinciding with the date of the infection. Also, look for any strange sounding names, e.g. a.exe or g6dt4j7.dll. Don't delete but rename any that you are unsure about. When you have more control of the machine, download the free Malwarebytes' Anti-Malware from http://www.malwarebytes.org/ to clean up any remaining unwanted files. Once you are clean, create a system restore point with a meaningful name, e.g. After removing malware.
December 17th, 2009 11:03am
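The autostart locations listed in this reply and in the earlier one (Winlogon Shell and Userinit, BootExecute, the exefile handler, the Run and RunServices keys, and a registry search for the culprit DLL name) can be checked in one read-only pass rather than one regedit visit at a time. The script below is an added example, not from the thread or from Microsoft: it compares each location against the default that the reply describes, lists every Run-type entry (those have no fixed default, so they are all shown for review), and searches the Services tree for a DLL name. The DLL name itqnu.dll is taken from this thread as a constructed sample value; the expected defaults (explorer.exe, userinit.exe with a trailing comma, "%1" %*, autocheck autochk *) are those stated in the replies above. Nothing is modified, so the output can be reviewed and recorded before any rename or delete.

```powershell
# Added example: audit the autostart locations discussed in the thread. Read-only.
$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Location, [string]$Value) { $findings.Add("$Location => $Value") }

# Winlogon: Shell should be exactly explorer.exe; Userinit should be userinit.exe followed by a comma
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.Shell -ne 'explorer.exe') { Add-Finding 'Winlogon\Shell' $winlogon.Shell }
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($winlogon.Userinit -ne $expectedUserinit) { Add-Finding 'Winlogon\Userinit' $winlogon.Userinit }

# exefile handler: anything beyond "%1" %* means every .exe launch is being intercepted
$exeCmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
if ($exeCmd -ne '"%1" %*') { Add-Finding 'exefile\shell\open\command' $exeCmd }

# BootExecute (REG_MULTI_SZ) should contain only "autocheck autochk *"
$boot = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').BootExecute
foreach ($line in @($boot)) { if ($line -ne 'autocheck autochk *') { Add-Finding 'BootExecute' $line } }

# Run / RunServices keys: no fixed default, so every value is listed for review
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }     # several of these keys are rarely present
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) { Add-Finding "$key\$name" ($item.GetValue($name)) }
}

# Registry search (the reply's step 7) for a DLL name across the Services tree.
# Constructed sample value taken from this thread; replace with the name you identified.
$needle = 'itqnu.dll'
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -Recurse -ErrorAction SilentlyContinue) {
    foreach ($name in $svc.GetValueNames()) {
        $val = "$($svc.GetValue($name))"
        if ($val -match [regex]::Escape($needle)) { Add-Finding "$($svc.Name)\$name" $val }
    }
}

if ($findings.Count -eq 0) { 'No deviations from the expected defaults found.' } else { $findings }
```

Run it elevated so the HKLM keys are readable, and run it again after cleanup: a clean second pass, with only entries you recognise under the Run keys, is the point at which the "After removing malware" restore point suggested above is worth creating. If an entry comes back after you remove it, as the DLL in this thread did, that is the signal that something still running is rewriting it, and the hosting service or process has to be stopped first.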

In this case the Anti-Virus will take it and try to remove it, take some log, and after doing some removal it will ask to restart your PC. When you restart, it will remove it during system startup, before it runs. If you have a problem then contact your Anti-Virus/Malware support team.
January 7th, 2010 8:33am

An Svchost infected by a virus or malware attack usually runs like a Svchost.exe service. In this case it is recommended that you upgrade your virus protection to combat this problem. In addition to this you must also visit the Microsoft Windows Update page, which gives you essential support for Windows updates. However, if no virus or malware is detected by the antivirus program on your computer, then this implies that the Svchost.exe file is not infected. Further, if you receive the 0xe03c3a68 Svchost.exe error, then it essentially means that the computer memory is corrupted by the Blaster virus.
October 5th, 2010 4:07am
