svchost.exe virus Windows 7
There are two rootkits that are the root cause of c:\windows\svchost.exe:
ZeroAccess & TDL4/MAXSS (mostly Pihar).
As you say that you have winrscmde popping up, it should be rootkit boot.pihar. TDSSKiller should cure it:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
Restart the PC. If MBAM still detects svchost.exe, remove it and rescan; it should come clean.
Do not mess up C:\windows\system32\svchost.exe, this is a valid file.
Good luck.
August 14th, 2012 11:52pm
My apologies for the long post here, I'm just trying to include as much info as possible on what I have done. Also please let me know if I have this on the correct forum.
Just recently I noticed the svchost.exe virus on my Windows 7 system. I have tried Malwarebytes, Ad-Aware, Spybot, SpyHunter, MS Security Essentials, etc. They catch the process and remove it and the file, but it gets regenerated again.
I am stuck now and not sure what else to do. I'm trying to find out what file is generating the rogue svchost.exe but I'm hitting brick walls at every turn.
I have run HijackThis and removed some other malware but after that, HijackThis doesn't reveal anything that could be generating this file.
I have checked msconfig and the usual registry keys (Run, RunOnce, etc.).
Here is how I know it is a virus.
svchost.exe appears in the C:\windows\system32 directory (the normal directory). It also appears in the C:\windows directory. This is the virus. The size is 20,480 bytes, it shows up in Task Manager as svchost.exe*32, and its owner is winrscmde.
Definitely not normal. winrscmde does not show up in the registry, nor does windows\svchost.exe.
According to Malwarebytes, it attempts to connect to 78.41.203.120 (and other similar IPs) which, according to IP lookup, are in Romania. It does change over time, also hitting Virginia and other places. Malwarebytes is currently blocking any outgoing traffic to it.
Right-clicking on that svchost.exe*32 and selecting "Go to Service(s)" shows no highlighted services. Oddly enough, its parent PID is another svchost.exe (a 64-bit one residing in C:\windows\system32). Checking "Go to Service(s)" on that one reveals the following list: AeLookupSvc, BITS, Browser, CertPropSvc, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProvSvc, RasMan, Schedule, seclogon, SENS, SessionEnv, ShellHWDetection, Themes, Winmgmt, wuauserv, all of which are in the netsvcs group.
None of these look suspicious.
One suspicious registry entry that keeps getting regenerated at reboot is HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION and generates a DWORD svchost.exe with a value of 0.
The printable strings of c:\windows\svchost.exe are below.
!This program cannot be run in DOS mode.
.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
KERNEL32.dll
ole32.dll
Uru*Ur
TraceMessageVa
TraceMessage
winrshost.pdb
XPVj
PostMessageW
DefWindowProcW
DeleteMenu
GetSystemMenu
UpdateWindow
ShowWindow
CreateWindowExW
RegisterClassW
LoadCursorW
LoadIconW
UnregisterClassW
DestroyWindow
DispatchMessageW
TranslateMessage
GetMessageW
USER32.dll
memcpy
memset
__CxxFrameHandler3
_wcsicmp
mbtowc
__getmainargs
_cexit
_exit
_XcptFilter
_ismbblead
exit
_acmdln
_initterm
_amsg_exit
__setusermatherr
__p__commode
__p__fmode
__set_app_type
msvcrt.dll
_unlock
__dllonexit
_lock
_onexit
?terminate@@YAXXZ
_except_handler4_common
_controlfp
EtwLogTraceEvent
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
ntdll.dll
GetProcessHeap
InterlockedIncrement
GetLastError
HeapCreate
HeapDestroy
HeapAlloc
HeapFree
LocalFree
LocalAlloc
FreeLibrary
GetProcAddress
LoadLibraryW
GetVersionExW
GetConsoleWindow
SetConsoleCtrlHandler
DeleteCriticalSection
AllocConsole
InitializeCriticalSection
HeapSetInformation
InterlockedDecrement
CloseHandle
SetThreadPreferredUILanguages
SetConsoleCP
SetConsoleOutputCP
CreateProcessW
GenerateConsoleCtrlEvent
WriteConsoleInputW
SetConsoleMode
GetConsoleMode
GetStdHandle
OpenProcess
GetCurrentProcessId
InterlockedExchange
Sleep
InterlockedCompareExchange
GetStartupInfoA
SetUnhandledExceptionFilter
GetModuleHandleA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
KERNEL32.dll
CoRevokeClassObject
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
CoRegisterClassObject
ole32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="5.1.0.0"
processorArchitecture="x86"
name="Microsoft.Windows.WinRM.WinRSHost"
type="win32"
<description>Windows Remote Shell Host file</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="asInvoker"
uiAccess="false"
/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
Running a diff on the strings of c:\windows\svchost.exe and c:\windows\system32\svchost.exe shows the following (note that anything pointing to the left, "<", belongs to c:\windows\svchost.exe and anything pointing to the right, ">", belongs to c:\windows\system32\svchost.exe):
6d5
< USER32.dll
8c7
< ntdll.dll
---
> API-MS-Win-Core-ProcessThreads-L1-1-0.dll
9a9,32
> NTDLL.DLL
> API-MS-Win-Security-Base-L1-1-0.dll
> API-MS-WIN-Service-Core-L1-1-0.dll
> API-MS-WIN-Service-winsvc-L1-1-0.dll
> RPCRT4.dll
> 95TP
> ;5TP
> SvchostPushServiceGlobals
> ServiceMain
> @PRPRh
> 95TP
> ;5TP
> VWhu:
> @Ho=
> @Lr;
> Phh+
> Ph@+
> Ph`*
> Ph@*
> Ph4.
> WVh$.
> 9=TP
> ;5TP
> uh\=
11,38c34,46
< Uru*Ur
< TraceMessageVa
< TraceMessage
< winrshost.pdb
< XPVj
< PostMessageW
< DefWindowProcW
< DeleteMenu
< GetSystemMenu
< UpdateWindow
< ShowWindow
< CreateWindowExW
< RegisterClassW
< LoadCursorW
< LoadIconW
< UnregisterClassW
< DestroyWindow
< DispatchMessageW
< TranslateMessage
< GetMessageW
< USER32.dll
< memcpy
< memset
< __CxxFrameHandler3
< _wcsicmp
< mbtowc
< __getmainargs
< _cexit
---
> CoInitializeEx
> CoCreateInstance
> CoInitializeSecurity
> CLSIDFromString
> RPCRT4.dll
> API-MS-WIN-Service-winsvc-L1-1-0.dll
> API-MS-WIN-Service-Core-L1-1-0.dll
> API-MS-Win-Security-Base-L1-1-0.dll
> ntdll.dll
> KERNEL32.dll
> API-MS-Win-Core-ProcessThreads-L1-1-0.dll
> msvcrt.dll
> __wgetmainargs
41d48
< _ismbblead
43d49
< _acmdln
47,56c53
< __p__commode
< __p__fmode
< __set_app_type
< msvcrt.dll
< _unlock
< __dllonexit
< _lock
< _onexit
< ?terminate@@YAXXZ
< _except_handler4_common
---
> memcpy
58,72c55,65
< EtwLogTraceEvent
< EtwGetTraceEnableFlags
< EtwGetTraceEnableLevel
< EtwGetTraceLoggerHandle
< EtwRegisterTraceGuidsW
< EtwUnregisterTraceGuids
< ntdll.dll
< GetProcessHeap
< InterlockedIncrement
< GetLastError
< HeapCreate
< HeapDestroy
< HeapAlloc
< HeapFree
< LocalFree
---
> _except_handler4_common
> ?terminate@@YAXXZ
> __set_app_type
> __p__fmode
> __p__commode
> _cexit
> TerminateProcess
> GetCurrentProcess
> OpenProcessToken
> GetCurrentProcessId
> GetCurrentThreadId
74,84d66
< FreeLibrary
< GetProcAddress
< LoadLibraryW
< GetVersionExW
< GetConsoleWindow
< SetConsoleCtrlHandler
< DeleteCriticalSection
< AllocConsole
< InitializeCriticalSection
< HeapSetInformation
< InterlockedDecrement
86,96c68,73
< SetThreadPreferredUILanguages
< SetConsoleCP
< SetConsoleOutputCP
< CreateProcessW
< GenerateConsoleCtrlEvent
< WriteConsoleInputW
< SetConsoleMode
< GetConsoleMode
< GetStdHandle
< OpenProcess
< GetCurrentProcessId
---
> DelayLoadFailureHook
> GetProcAddress
> GetLastError
> FreeLibrary
> InterlockedCompareExchange
> LoadLibraryExA
99,100d75
< InterlockedCompareExchange
< GetStartupInfoA
105d79
< GetCurrentThreadId
107,108d80
< TerminateProcess
< GetCurrentProcess
110,117c82,144
< KERNEL32.dll
< CoRevokeClassObject
< CoUninitialize
< CoCreateInstance
< CoInitializeSecurity
< CoInitializeEx
< CoRegisterClassObject
< ole32.dll
---
> DeactivateActCtx
> LoadLibraryExW
> ActivateActCtx
> LeaveCriticalSection
> lstrcmpW
> EnterCriticalSection
> RegCloseKey
> RegOpenKeyExW
> HeapSetInformation
> lstrcmpiW
> lstrlenW
> LCMapStringW
> RegQueryValueExW
> ReleaseActCtx
> CreateActCtxW
> ExpandEnvironmentStringsW
> GetCommandLineW
> ExitProcess
> SetProcessAffinityUpdateMode
> RegDisablePredefinedCacheEx
> InitializeCriticalSection
> GetProcessHeap
> SetErrorMode
> RegisterWaitForSingleObjectEx
> LocalFree
> HeapFree
> WideCharToMultiByte
> HeapAlloc
> RtlAllocateHeap
> RtlLengthRequiredSid
> RtlSubAuthoritySid
> RtlInitializeSid
> RtlCopySid
> RtlSubAuthorityCountSid
> RtlInitializeCriticalSection
> RtlSetProcessIsCritical
> RtlImageNtHeader
> RtlUnhandledExceptionFilter
> EtwEventWrite
> EtwEventEnabled
> EtwEventRegister
> RtlFreeHeap
> SetSecurityDescriptorDacl
> AddAccessAllowedAce
> SetSecurityDescriptorOwner
> SetSecurityDescriptorGroup
> GetTokenInformation
> InitializeSecurityDescriptor
> GetLengthSid
> InitializeAcl
> StartServiceCtrlDispatcherW
> SetServiceStatus
> RegisterServiceCtrlHandlerW
> RpcMgmtSetServerStackSize
> I_RpcMapWin32Status
> RpcServerUnregisterIf
> RpcMgmtWaitServerListen
> RpcMgmtStopServerListening
> RpcServerUnregisterIfEx
> RpcServerRegisterIf
> RpcServerUseProtseqEpW
> RpcServerListen
> svchost.pdb
124c151
< name="Microsoft.Windows.WinRM.WinRSHost"
---
> name="Microsoft.Windows.Services.SvcHost"
126c153
< <description>Windows Remote Shell Host file</description>
---
> <description>Host Process for Windows Services</description>
August 15th, 2012 9:25pm
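The strings dumped above already say what the C:\windows file is: it carries a winrshost.pdb debug path and a manifest naming Microsoft.Windows.WinRM.WinRSHost ("Windows Remote Shell Host file"), it imports CreateProcessW and the console APIs, and it lacks the service-control imports (StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerW) and the ServiceMain / SvchostPushServiceGlobals lookups that appear on the ">" side of the diff for the real C:\windows\system32\svchost.exe. The Python script below is an added example, not code from this thread, that turns those observations into a repeatable check: a small strings extractor, a manifest identity parser, a rule set for what a genuine Windows 7 svchost.exe image must contain, and a process-level sanity check (image directory, parent process, hosted services) for the symptoms the poster describes. The marker list, the expectation that a real service host is started by services.exe, the ProcessRecord shape and the sample byte blobs are assumptions and constructions of this example; to apply it to a real file, pass the file's bytes to triage_svchost_image.

```python
# Added example, not code from the forum thread. Triage a file that calls
# itself svchost.exe from its printable strings and embedded manifest, and
# sanity-check a running svchost.exe process. Marker sets and sample inputs
# are assumptions/constructions of this example, derived from the strings
# quoted in the post.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Strings a genuine Windows 7 svchost.exe image contains (they appear on the
# '>' side of the poster's diff): the service-control APIs it imports, the
# names it resolves in service DLLs, and its own PDB name.
GENUINE_SVCHOST_MARKERS = {
    "StartServiceCtrlDispatcherW",
    "RegisterServiceCtrlHandlerW",
    "ServiceMain",
    "SvchostPushServiceGlobals",
    "svchost.pdb",
}
GENUINE_SVCHOST_ASSEMBLY = "Microsoft.Windows.Services.SvcHost"
# Directories the real binary is installed in (lower-case comparison).
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def manifest_identity(data: bytes) -> tuple[str | None, str | None]:
    """(assembly name, description) from the embedded side-by-side manifest."""
    name = re.search(rb'<assemblyIdentity[^>]*?name="([^"]+)"', data)
    desc = re.search(rb"<description>([^<]*)</description>", data)
    return (name.group(1).decode() if name else None,
            desc.group(1).decode() if desc else None)


@dataclass
class Verdict:
    genuine: bool
    reasons: list[str] = field(default_factory=list)


def triage_svchost_image(data: bytes) -> Verdict:
    """Does this image look like the real service host? Reasons explain a 'no'."""
    strings = extract_strings(data)
    reasons: list[str] = []

    def present(marker: str) -> bool:  # substring match: PDB names are paths
        return any(marker in s for s in strings)

    missing = sorted(m for m in GENUINE_SVCHOST_MARKERS if not present(m))
    if missing:
        reasons.append("missing service-host markers: " + ", ".join(missing))
    name, desc = manifest_identity(data)
    if name != GENUINE_SVCHOST_ASSEMBLY:
        reasons.append(f"manifest identifies {name!r} ({desc!r}), "
                       f"not {GENUINE_SVCHOST_ASSEMBLY}")
    foreign_pdb = [s for s in strings if s.lower().endswith(".pdb")
                   and not s.lower().endswith("svchost.pdb")]
    if foreign_pdb:
        reasons.append("built from another project's PDB: " + ", ".join(foreign_pdb))
    return Verdict(genuine=not reasons, reasons=reasons)


@dataclass
class ProcessRecord:
    """What Task Manager / tasklist /svc show for one process (constructed shape)."""
    pid: int
    image_path: str
    parent_image: str
    services: tuple[str, ...] = ()


def check_svchost_process(proc: ProcessRecord) -> list[str]:
    """Heuristics for a process named svchost.exe; an empty list means nothing odd."""
    findings: list[str] = []
    directory = proc.image_path.lower().rpartition("\\")[0]
    if directory not in EXPECTED_DIRS:
        findings.append(f"image runs from {directory!r}, not a system directory")
    if proc.parent_image.lower() != "services.exe":
        findings.append(f"parent is {proc.parent_image}; real service hosts "
                        "are started by services.exe")
    if not proc.services:
        findings.append("hosts no services (tasklist /svc shows none)")
    return findings


# Constructed stand-ins for the two files, built from strings quoted in the post.
ROGUE_STRINGS = [
    "!This program cannot be run in DOS mode.", "USER32.dll", "ntdll.dll",
    "KERNEL32.dll", "ole32.dll", "winrshost.pdb", "CreateProcessW", "AllocConsole",
    '<assemblyIdentity version="5.1.0.0" processorArchitecture="x86" '
    'name="Microsoft.Windows.WinRM.WinRSHost" type="win32"/>',
    "<description>Windows Remote Shell Host file</description>",
]
GENUINE_STRINGS = [
    "!This program cannot be run in DOS mode.", "ntdll.dll", "KERNEL32.dll",
    "RPCRT4.dll", "SvchostPushServiceGlobals", "ServiceMain",
    "StartServiceCtrlDispatcherW", "RegisterServiceCtrlHandlerW", "svchost.pdb",
    '<assemblyIdentity version="5.1.0.0" processorArchitecture="x86" '
    'name="Microsoft.Windows.Services.SvcHost" type="win32"/>',
    "<description>Host Process for Windows Services</description>",
]


def fake_image(strings: list[str]) -> bytes:
    """Constructed file body: the strings separated by NUL bytes, as in a real PE."""
    return b"\x00\x00".join(s.encode("ascii") for s in strings) + b"\x00"


if __name__ == "__main__":
    for path, strings in ((r"C:\windows\svchost.exe", ROGUE_STRINGS),
                          (r"C:\windows\system32\svchost.exe", GENUINE_STRINGS)):
        verdict = triage_svchost_image(fake_image(strings))
        print(path, "genuine" if verdict.genuine else "SUSPICIOUS", verdict.reasons)
    # The process the poster described: in C:\windows, parent is another
    # svchost.exe, no services attached.
    suspect = ProcessRecord(4242, r"C:\windows\svchost.exe", "svchost.exe")
    print(check_svchost_process(suspect))
```

The image check and the process check are deliberately independent: a copy of a legitimately signed Microsoft binary dropped under a system file's name passes a signature check but fails the manifest and marker rules, while a process that is the real svchost.exe image but was launched from the wrong directory or by the wrong parent fails only the process check. Either result alone is enough to justify the kind of follow-up the thread describes (rootkit scan, then confirming the file stays gone after a reboot).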
There are two rootkits that are the root cause of c:\windows\svchost.exe:
ZeroAccess & TDL4/MAXSS (mostly Pihar).
As you say that you have winrscmde popping up, it should be rootkit boot.pihar. TDSSKiller should cure it:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
Restart the PC. If MBAM still detects svchost.exe, remove it and rescan; it should come clean.
Do not mess up C:\windows\system32\svchost.exe, this is a valid file.
Good luck.
I followed your instructions and it worked. It turned out to be rootkit.pihar.c. TDSSKiller did catch it and cured it, and after a reboot Malwarebytes caught it again. I then had Malwarebytes remove it and rebooted again, and now it is completely gone. I did another reboot just to make sure. Thank you for your help. This was really driving me nuts.
August 16th, 2012 11:22am