svchost.exe virus Windows 7
There are two rootkits that are the root cause of c:\windows\svchost.exe: ZeroAccess and TDL4/MAXSS (mostly Pihar). As you say that you have a winrscmde pop-up, it should be Rootkit.Boot.Pihar. TDSSKiller should cure it: http://support.kaspersky.com/downloads/utils/tdsskiller.exe Restart the PC. If MBAM still detects svchost.exe, remove it and rescan; it should come clean. Do not mess with C:\windows\system32\svchost.exe, this is a valid file. Good luck.
August 14th, 2012 11:52pm

My apologies for a long post here; I'm just trying to give as much info as I can on what I have done. Also please let me know if I have this on the correct forum.

Just recently I noticed the svchost.exe virus on my Windows 7 system. I have tried MalwareBytes, Ad-Aware, Spybot, SpyHunter, MS Security Essentials, etc. They catch the process and remove it and the file, but it gets regenerated again. I am stuck now and not sure what else to do. I'm trying to find out what file is generating the rogue svchost.exe, but I'm hitting brick walls at every turn. I have run HijackThis and removed some other malware, but after that HijackThis doesn't reveal anything that could be generating this file. I have checked msconfig and the usual registry keys (Run, RunOnce, etc.).

Here is how I know it is a virus. svchost.exe appears in the C:\windows\system32 directory (the normal directory). It also appears in the C:\windows directory. This is the virus. The size is 20,480 bytes; it shows up in Task Manager as ddsvchost.exe*32 and its owner is winrscmde. Definitely not normal. winrscmde does not show up in the registry, nor does windows\svchost.exe. According to MalwareBytes, it attempts to connect to 78.41.203.120 (and other similar IPs), which according to an IP lookup are in Romania. It does change over time, also hitting Virginia and other places. MalwareBytes is currently blocking any outgoing traffic to it.

Right-clicking on that svchost.exe*32 and selecting "Go to Services" shows no highlighted services. Oddly enough, its parent PID is another svchost.exe (a 64-bit one residing in C:\windows\system32). Checking "Go to Services" on that one reveals the following list: AeLookupSvc, BITS, Browser, CertPropSvc, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProvSvc, RasMan, Schedule, seclogon, SENS, SessionEnv, ShellHWDetection, Themes, Winmgmt, wuauserv, all of which are in the netsvcs group. None of these look suspicious.

One suspicious registry entry that keeps getting regenerated at reboot is HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION, which gets a DWORD named svchost.exe with a value of 0.

The printable strings in c:\windows\svchost.exe are below:

!This program cannot be run in DOS mode.
.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
KERNEL32.dll
ole32.dll
Uru*Ur
TraceMessageVa
TraceMessage
winrshost.pdb
XPVj
PostMessageW
DefWindowProcW
DeleteMenu
GetSystemMenu
UpdateWindow
ShowWindow
CreateWindowExW
RegisterClassW
LoadCursorW
LoadIconW
UnregisterClassW
DestroyWindow
DispatchMessageW
TranslateMessage
GetMessageW
USER32.dll
memcpy
memset
__CxxFrameHandler3
_wcsicmp
mbtowc
__getmainargs
_cexit
_exit
_XcptFilter
_ismbblead
exit
_acmdln
_initterm
_amsg_exit
__setusermatherr
__p__commode
__p__fmode
__set_app_type
msvcrt.dll
_unlock
__dllonexit
_lock
_onexit
?terminate@@YAXXZ
_except_handler4_common
_controlfp
EtwLogTraceEvent
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
ntdll.dll
GetProcessHeap
InterlockedIncrement
GetLastError
HeapCreate
HeapDestroy
HeapAlloc
HeapFree
LocalFree
LocalAlloc
FreeLibrary
GetProcAddress
LoadLibraryW
GetVersionExW
GetConsoleWindow
SetConsoleCtrlHandler
DeleteCriticalSection
AllocConsole
InitializeCriticalSection
HeapSetInformation
InterlockedDecrement
CloseHandle
SetThreadPreferredUILanguages
SetConsoleCP
SetConsoleOutputCP
CreateProcessW
GenerateConsoleCtrlEvent
WriteConsoleInputW
SetConsoleMode
GetConsoleMode
GetStdHandle
OpenProcess
GetCurrentProcessId
InterlockedExchange
Sleep
InterlockedCompareExchange
GetStartupInfoA
SetUnhandledExceptionFilter
GetModuleHandleA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
KERNEL32.dll
CoRevokeClassObject
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
CoRegisterClassObject
ole32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="Microsoft.Windows.WinRM.WinRSHost" type="win32"
<description>Windows Remote Shell Host file</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>

Running a diff on the strings for c:\windows\svchost.exe and c:\windows\system32\svchost.exe shows the following (note: anything pointing to the left belongs to c:\windows\svchost.exe and anything pointing to the right belongs to c:\windows\system32\svchost.exe):

6d5
< USER32.dll
8c7
< ntdll.dll
---
> API-MS-Win-Core-ProcessThreads-L1-1-0.dll
9a9,32
> NTDLL.DLL
> API-MS-Win-Security-Base-L1-1-0.dll
> API-MS-WIN-Service-Core-L1-1-0.dll
> API-MS-WIN-Service-winsvc-L1-1-0.dll
> RPCRT4.dll
> 95TP
> ;5TP
> SvchostPushServiceGlobals
> ServiceMain
> @PRPRh
> 95TP
> ;5TP
> VWhu:
> @Ho=
> @Lr;
> Phh+
> Ph@+
> Ph`*
> Ph@*
> Ph4.
> WVh$.
> 9=TP
> ;5TP
> uh\=
11,38c34,46
< Uru*Ur
< TraceMessageVa
< TraceMessage
< winrshost.pdb
< XPVj
< PostMessageW
< DefWindowProcW
< DeleteMenu
< GetSystemMenu
< UpdateWindow
< ShowWindow
< CreateWindowExW
< RegisterClassW
< LoadCursorW
< LoadIconW
< UnregisterClassW
< DestroyWindow
< DispatchMessageW
< TranslateMessage
< GetMessageW
< USER32.dll
< memcpy
< memset
< __CxxFrameHandler3
< _wcsicmp
< mbtowc
< __getmainargs
< _cexit
---
> CoInitializeEx
> CoCreateInstance
> CoInitializeSecurity
> CLSIDFromString
> RPCRT4.dll
> API-MS-WIN-Service-winsvc-L1-1-0.dll
> API-MS-WIN-Service-Core-L1-1-0.dll
> API-MS-Win-Security-Base-L1-1-0.dll
> ntdll.dll
> KERNEL32.dll
> API-MS-Win-Core-ProcessThreads-L1-1-0.dll
> msvcrt.dll
> __wgetmainargs
41d48
< _ismbblead
43d49
< _acmdln
47,56c53
< __p__commode
< __p__fmode
< __set_app_type
< msvcrt.dll
< _unlock
< __dllonexit
< _lock
< _onexit
< ?terminate@@YAXXZ
< _except_handler4_common
---
> memcpy
58,72c55,65
< EtwLogTraceEvent
< EtwGetTraceEnableFlags
< EtwGetTraceEnableLevel
< EtwGetTraceLoggerHandle
< EtwRegisterTraceGuidsW
< EtwUnregisterTraceGuids
< ntdll.dll
< GetProcessHeap
< InterlockedIncrement
< GetLastError
< HeapCreate
< HeapDestroy
< HeapAlloc
< HeapFree
< LocalFree
---
> _except_handler4_common
> ?terminate@@YAXXZ
> __set_app_type
> __p__fmode
> __p__commode
> _cexit
> TerminateProcess
> GetCurrentProcess
> OpenProcessToken
> GetCurrentProcessId
> GetCurrentThreadId
74,84d66
< FreeLibrary
< GetProcAddress
< LoadLibraryW
< GetVersionExW
< GetConsoleWindow
< SetConsoleCtrlHandler
< DeleteCriticalSection
< AllocConsole
< InitializeCriticalSection
< HeapSetInformation
< InterlockedDecrement
86,96c68,73
< SetThreadPreferredUILanguages
< SetConsoleCP
< SetConsoleOutputCP
< CreateProcessW
< GenerateConsoleCtrlEvent
< WriteConsoleInputW
< SetConsoleMode
< GetConsoleMode
< GetStdHandle
< OpenProcess
< GetCurrentProcessId
---
> DelayLoadFailureHook
> GetProcAddress
> GetLastError
> FreeLibrary
> InterlockedCompareExchange
> LoadLibraryExA
99,100d75
< InterlockedCompareExchange
< GetStartupInfoA
105d79
< GetCurrentThreadId
107,108d80
< TerminateProcess
< GetCurrentProcess
110,117c82,144
< KERNEL32.dll
< CoRevokeClassObject
< CoUninitialize
< CoCreateInstance
< CoInitializeSecurity
< CoInitializeEx
< CoRegisterClassObject
< ole32.dll
---
> DeactivateActCtx
> LoadLibraryExW
> ActivateActCtx
> LeaveCriticalSection
> lstrcmpW
> EnterCriticalSection
> RegCloseKey
> RegOpenKeyExW
> HeapSetInformation
> lstrcmpiW
> lstrlenW
> LCMapStringW
> RegQueryValueExW
> ReleaseActCtx
> CreateActCtxW
> ExpandEnvironmentStringsW
> GetCommandLineW
> ExitProcess
> SetProcessAffinityUpdateMode
> RegDisablePredefinedCacheEx
> InitializeCriticalSection
> GetProcessHeap
> SetErrorMode
> RegisterWaitForSingleObjectEx
> LocalFree
> HeapFree
> WideCharToMultiByte
> HeapAlloc
> RtlAllocateHeap
> RtlLengthRequiredSid
> RtlSubAuthoritySid
> RtlInitializeSid
> RtlCopySid
> RtlSubAuthorityCountSid
> RtlInitializeCriticalSection
> RtlSetProcessIsCritical
> RtlImageNtHeader
> RtlUnhandledExceptionFilter
> EtwEventWrite
> EtwEventEnabled
> EtwEventRegister
> RtlFreeHeap
> SetSecurityDescriptorDacl
> AddAccessAllowedAce
> SetSecurityDescriptorOwner
> SetSecurityDescriptorGroup
> GetTokenInformation
> InitializeSecurityDescriptor
> GetLengthSid
> InitializeAcl
> StartServiceCtrlDispatcherW
> SetServiceStatus
> RegisterServiceCtrlHandlerW
> RpcMgmtSetServerStackSize
> I_RpcMapWin32Status
> RpcServerUnregisterIf
> RpcMgmtWaitServerListen
> RpcMgmtStopServerListening
> RpcServerUnregisterIfEx
> RpcServerRegisterIf
> RpcServerUseProtseqEpW
> RpcServerListen
> svchost.pdb
124c151
< name="Microsoft.Windows.WinRM.WinRSHost"
---
> name="Microsoft.Windows.Services.SvcHost"
126c153
< <description>Windows Remote Shell Host file</description>
---
> <description>Host Process for Windows Services</description>
August 15th, 2012 9:25pm
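For anyone who lands on this thread with the same symptoms: the checks the original poster worked through by hand (where the image lives, what its parent process is, whether it hosts any service, and what the manifest and .pdb strings inside the file say it really is) can be scripted. The block below is an added example, not code posted in the thread or shipped with any tool named in it. It assumes Windows 7 or later with only the built-in cmdlets and WMI, and an elevated prompt so that WMI reports every process's image path; it adds one check the poster did not mention (the OriginalFilename field of the file's version resource), and the function names are mine.

```powershell
# Added example, not code from this thread. Scripts the checks the poster did by
# hand for every process named svchost.exe: image path, parent process, hosted
# services, the manifest assembly name and .pdb string inside the file, plus the
# FEATURE_BROWSER_EMULATION key under HKU\.DEFAULT he saw reappear. Assumes
# Windows 7 or later, built-in cmdlets and WMI only, run from an elevated prompt.

$sys32 = Join-Path $env:SystemRoot 'System32'
$wow64 = Join-Path $env:SystemRoot 'SysWOW64'

# Pull the manifest's assemblyIdentity name and the linker's .pdb name out of the
# raw file bytes: the same two strings the poster's diff turned up. Both are
# plain ASCII inside the PE, so a regex over the bytes is enough.
function Get-EmbeddedIdentity([string]$Path) {
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $asm  = [regex]::Match($text, '<assemblyIdentity[^>]*?name="([^"]+)"')
    $pdb  = [regex]::Match($text, '[A-Za-z0-9_.-]+\.pdb')
    New-Object PSObject -Property @{
        Assembly = $(if ($asm.Success) { $asm.Groups[1].Value } else { '' })
        Pdb      = $(if ($pdb.Success) { $pdb.Value } else { '' })
    }
}

function Get-SvchostTriage {
    # Index every process once so parents resolve without a WMI query per row.
    $byPid = @{}
    foreach ($proc in Get-WmiObject Win32_Process) { $byPid[[int]$proc.ProcessId] = $proc }

    foreach ($p in @(Get-WmiObject Win32_Process -Filter "Name='svchost.exe'")) {
        $path  = $p.ExecutablePath
        $svcs  = @(Get-WmiObject Win32_Service -Filter "ProcessId=$($p.ProcessId)" | ForEach-Object { $_.Name })
        $par   = $byPid[[int]$p.ParentProcessId]
        $flags = @()
        $asm = ''; $pdb = ''

        if (-not $path) {
            $flags += 'no image path visible (not elevated?)'
        } else {
            # A genuine svchost.exe lives in System32 (or SysWOW64 on x64).
            if (($path -notlike "$sys32\*") -and ($path -notlike "$wow64\*")) {
                $flags += 'image outside System32/SysWOW64'
            }
            # Version resource check (an addition; the poster did not look at this).
            $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
            if ($orig -and $orig -ne 'svchost.exe') { $flags += "OriginalFilename is $orig" }
            # Manifest / pdb check, exactly the tell the poster's strings diff showed.
            $id = Get-EmbeddedIdentity $path
            $asm = $id.Assembly; $pdb = $id.Pdb
            if ($asm -ne 'Microsoft.Windows.Services.SvcHost') { $flags += "manifest identity '$asm', pdb '$pdb'" }
        }
        # Real service hosts host at least one service and are started by services.exe.
        if ($svcs.Count -eq 0) { $flags += 'hosts no service' }
        if ($par -and $par.Name -ne 'services.exe') {
            $flags += "parent is $($par.Name) (PID $($par.ProcessId)), not services.exe"
        }
        New-Object PSObject -Property @{
            PID      = $p.ProcessId
            Path     = $path
            Parent   = $(if ($par) { "$($par.Name) ($($par.ProcessId))" } else { "$($p.ParentProcessId)" })
            Services = ($svcs -join ',')
            Manifest = $asm
            Pdb      = $pdb
            Flags    = ($flags -join '; ')
        }
    }
}

# The registry key the poster saw regenerated after every reboot: list whatever
# value names it holds under the .DEFAULT hive, if the key exists at all.
function Get-DefaultBrowserEmulationValues {
    $key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
    if (Test-Path -LiteralPath $key) { (Get-Item -LiteralPath $key).GetValueNames() }
}

Get-SvchostTriage | Sort-Object { $_.Flags.Length } -Descending |
    Format-List PID, Path, Parent, Services, Manifest, Pdb, Flags
'FEATURE_BROWSER_EMULATION value names under HKU\.DEFAULT:'
Get-DefaultBrowserEmulationValues
```

On the poster's machine this would have reported the rogue copy with four flags: image in C:\Windows rather than System32, parent a second svchost.exe rather than services.exe, no hosted service, and a manifest identity of Microsoft.Windows.WinRM.WinRSHost with winrshost.pdb instead of Microsoft.Windows.Services.SvcHost and svchost.pdb. Two caveats. Get-AuthenticodeSignature is deliberately left out: on Windows 7 it does not consult the security catalogs that system files such as svchost.exe are signed through, so the genuine file reports NotSigned; use Sysinternals sigcheck for that check. And everything above is a user-mode view of a box that, as the thread's resolution shows, had a boot-sector rootkit (Pihar/TDL4) on it; such a rootkit can hide files and processes from exactly these APIs, so a clean-looking report is not proof of a clean machine, and removal is still TDSSKiller's job, not this script's.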

There are two rootkits that are the root cause of c:\windows\svchost.exe: ZeroAccess and TDL4/MAXSS (mostly Pihar). As you say that you have a winrscmde pop-up, it should be Rootkit.Boot.Pihar. TDSSKiller should cure it: http://support.kaspersky.com/downloads/utils/tdsskiller.exe Restart the PC. If MBAM still detects svchost.exe, remove it and rescan; it should come clean. Do not mess with C:\windows\system32\svchost.exe, this is a valid file. Good luck.

I followed your instructions and it worked. It turned out to be rootkit.pihar.c. TDSSKiller did catch it and cured it, and after a reboot MalwareBytes caught it again. I then had MalwareBytes remove it and rebooted again, and now it is completely gone. I did another reboot just to make sure. Thank you for your help. This was really driving me nuts.
August 16th, 2012 11:22am
