[RESOLVED] SVCHOST.EXE virus

[704_Skate]

My brother encountered this virus in his task manager. We tried to searching for a solution but got no luck. Anyone know how to delete it. We'll run a virus scan to see what that will do. In the mien time does anyone know how to rid of it?

[Broni]

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

STEP 1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Under Configuration and Preferences, click the Preferences button.
* Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* Back on the main screen, under Scan for Harmful Software click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
NOTE: Tracking cookies may be omitted from the log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

STEP 4. Download, install, and run HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.
Do NOT attempt to "fix" anything!


DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

[Welshjim]

704_Skate--Broni was posting while I was typing.
Before doing what Broni suggested, perhaps you do not have a problem.
Having a real "SVCHOST.EXE virus " is rare .
SVCHOST.EXE is almost always a legitimate MS program that helps other applications (primarily Services) run.
Just having SVCHOST.EXE show up in Task Manager as running is not a problem. In fact, if you have an SVCHOST.EXE virus you usually cannot open Task Manager.
Does your brother have problems with the PC?
If your brother is getting error messages, what is the exact error message he is getting? I expect it will name another file.
A scan with an antivirus program never hurts. I hope your brother has an AV program installed, updates it frequently for latest reference definition files and run scans at least once a week as general maintenance.
P.S. I suspect this is overkill, but you or your brother can see the files/services svchost.exe is helping to run by running tasklist /svc from a command prompt.

[704_Skate]

Yeah welsh you were right, that wasn't the virus, the virus was just duplicating that program and creating fake ones,

I think he mentioned something about getting the virus from internet explorer?

[Welshjim]

I think he mentioned something about getting the virus from internet explorer?

First of all, if your brother still has some other virus then he should follow Broni's suggestions.
In response to your question, you can get viruses from any of the ways a PC's hard drive is exposed to the outside. That includes surfing on the internet, downloading and installing corrupt programs/files (so IE is involved as the path but is not the cause), emails, using infected CD's, DVD's or flash drives, etc., etc.,.
These days you need to have antivirus and antispyware programs installed, and frequently updated and used. Plus a firewall. And take advantage of the Security measures offered within IE. You could also consider using a HOSTS file and a program like SpyWareBlaster.

[Broni]

As for SVCHOST.EXE, the only legit location of the mentioned file is C:\Windows\System32.
If found somewhere else, it's most likely some malware, pretending to be a legit file.

[704_Skate]

ok well the problem seems to be solved

he didn't tell me what it was, but what ever it was, nothing got rid of it. So he ended up backing his computer up onto his HDD and completely reinstalled XP,

also the virus some how turned his machine at the time into a spam machine, we got this weird message from road runner today about some spam coming out from a machine.

[Train]

Not weird, I would say he did not have a firewall and probably no AV program installed either. Nor any updates so he did not own the computer any more until he reformatted and reinstalled XP. Someone made a Zombie out of it.

[704_Skate]

no he does has an A/V, AVG free, got threw somehow though,

my brother is actually a web designer, and today he told me the virus went on all his websites and even customer websites. it made an <iframe> and put links everywhere so bascially when ever someone accessed the page, they'll get the virus unless they have an A/V program I think?

also he looked up where it came from, it came from the netherlands, and these people who made it have 4 servers.

ugh I don't understand why people do this stuff? It's not right, and most of these deadly viruses are from other countries outside the US because everyone hates us lol.

[Train]

In that case, unless it was written into the AV program prior to hitting that site, you got infected right quickly.

I hate for folks do that too. And we are NOT lonesome in that feeling either.

[704_Skate]

http://www.cnn.com/2009/TECH/03/31/a...eref=time_tech

Think it was this ^^

[Train]

If it was, he did not have the latest updates installed then.
We have a thread or to warning folks about that worm.
But if someone hacked his server, That could be a mess to clean out.

[704_Skate]

uh-o, I don't have the latest updates installed????!?!?!?!

and idk, I think if someone hacked him we would've seen a lot more, hmm.

[Train]

Vritical updates are important.
So are Service Packs.

No, if they write things right, you see nothing today.
Now in the past, there were a few nasties that would wipe out your BIOS chip. Yep buy a new BIOS chip or motherboard.

[Welshjim]

And some AV programs will let a virus enter the PC and only detect it when a scan is run.