View Full Version : Mal/Spyware hijacked SVChost, help!



Thoughtbot360
2011-05-14, 06:07 PM
Okay...for the past few days, avast antivirus has been finding the same virus infecting the "Physical drive" and it keeps asking me to do boot scans, but those don't work. It literally asked for a boot scan right after a boot scan!

IP address of the perpetrators might be 95.143.193.171 (no, that is not mine...at least I don't think that it is. Different sources keep changing the number. Somebody ran a scan on my network and told me that "all my browsing data was going to India, and I should just get another modem." ...I'll get right on that) if that helps. Avast blocks websites constantly whenever I dare to switch on my DSL modem....and sometimes I still get interrupted and sent to a tab with a website trying to sell me a car or something.

The malicious process is apparently "SVChost". ...I think a screenshot can sum up my problem here better than words can (well, that and the fact that I can't erase all instances of "svchost" in my computer without destroying it)

http://img641.imageshack.us/img641/5624/welcometomyhell.png
SVChost is a vital (and redundant) process. Finding out whether any of these is the infected file or not is probably going to be beyond my mere capabilities.


Malwarebytes hasn't picked up anything, but I've just updated it and I'm running a full system check now.

Still, if anybody has any idea what to do about this Malware, I would be greatly appreciative of your help.

TheOasysMaster
2011-05-14, 06:14 PM
Have you tried doing a System Restore back to before the virus started making its presence known?

Manga Shoggoth
2011-05-14, 06:42 PM
Getting a new modem isn't going to change anything - it's the computer that is infected, not the modem (although the virus may have changed modem settings, so you will need to check them).

Once you have a virus on your PC, the only safe thing to do is boot from a known clean Operating System CD and do a complete reinstall of the operating system, add the antivirus software, patch everything up and then do a full scan of the disk.

Only after the full scan should you start using anything else.

Ideally you should start by formatting the disk (thus removing everything, infected or not) and afterwards restore all the non-operating system files (documents, and so on) from backups but I suspect that (like most people) you haven't done many backups.

Thoughtbot360
2011-05-14, 07:06 PM
Getting a new modem isn't going to change anything - it's the computer that is infected, not the modem (although the virus may have changed modem settings, so you will need to check them).

Once you have a virus on your PC, the only safe thing to do is boot from a known clean Operating System CD and do a complete reinstall of the operating system, add the antivirus software, patch everything up and then do a full scan of the disk.

Only after the full scan should you start using anything else.

Ideally you should start by formatting the disk (thus removing everything, infected or not) and afterwards restore all the non-operating system files (documents, and so on) from backups but I suspect that (like most people) you haven't done many backups.

Yeah....backups. Here's the deal. I got a floppy drive I lost the installation disk for, a cd burner that doesn't seem to want to work, and no handy flash drives. So yeah. I've backed up nothing.

SDF
2011-05-14, 07:16 PM
Try using fixexe (http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBYQFjAA&url=http%3A%2F%2Fdownload.bleepingcomputer.com%2Freg%2Fantivirus-vista-2010%2FFixExe.reg&rct=j&q=fixexe&ei=1hrPTZqCMILEsAP__NzDCw&usg=AFQjCNERQxfVAhq_ClbVI8t6n-KKLLAU3A&cad=rja) then running Malwarebytes in safe mode.

factotum
2011-05-15, 12:53 AM
SVCHOST.EXE is a generic host process for Win32 services. If the actual EXE itself is infected, you're hosed. If it's something that is running and just CALLING itself SVCHOST.EXE, you have a chance--run Task Manager, click View->Select Columns and add "Image Path Name" to the selection, then see if any of those SVCHOST instances are running from a different location to the others. (The "real" one should be C:\Windows\System32).
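
The check factotum describes (is every SVCHOST instance really running from C:\Windows\System32?) can be done without Task Manager, which is useful when the "Image Path Name" column is unavailable. The script below is an added example, not code from the thread or from any of the posters; it uses the Win32_Process class to list each svchost-like process, its image path and its parent, and flags an instance when its path is not the genuine one, its name is only a look-alike, or its parent is not services.exe (the Service Control Manager, which is what starts legitimate svchost instances). The name pattern and the function name are my own choices.

```powershell
# Added example (not from the thread): find svchost instances that do not look genuine.
# Run from an elevated prompt so ExecutablePath is populated for system processes.
function Get-SuspiciousSvchost {
    $genuine = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $procs   = Get-CimInstance Win32_Process

    # Loose pattern so look-alike names (svch0st.exe, scvhost.exe, svchosts.exe) are caught too.
    $procs | Where-Object { $_.Name -match '^s[cv]{1,2}h[o0]st[s]?\.exe$' } | ForEach-Object {
        $me     = $_
        $parent = $procs | Where-Object { $_.ProcessId -eq $me.ParentProcessId }
        $reasons = @()

        # Real svchost lives only at %SystemRoot%\System32\svchost.exe (-ne is case-insensitive).
        if ($me.ExecutablePath -and ($me.ExecutablePath -ne $genuine)) {
            $reasons += "image path is $($me.ExecutablePath)"
        }
        if ($me.Name -ne 'svchost.exe') {
            $reasons += 'look-alike name'
        }
        # Legitimate instances are children of services.exe; anything else is worth a look.
        if ($parent -and $parent.Name -ne 'services.exe') {
            $reasons += "parent is $($parent.Name) (PID $($parent.ProcessId))"
        }

        [pscustomobject]@{
            PID     = $me.ProcessId
            Name    = $me.Name
            Path    = $me.ExecutablePath
            Parent  = if ($parent) { $parent.Name } else { '<exited>' }
            Suspect = $reasons.Count -gt 0
            Why     = $reasons -join '; '
        }
    }
}

# Show every instance; the Suspect column is what to read first.
Get-SuspiciousSvchost | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Two caveats when reading the output: a parent PID can be reused after the original parent exits, so a surprising parent on a long-running process is a lead rather than proof, and a clean result here says nothing about a rootkit that hides processes from the API, which is the case GrlumpTheElder raises later in the thread.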

Thoughtbot360
2011-05-15, 04:27 AM
Try using fixexe (http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBYQFjAA&url=http%3A%2F%2Fdownload.bleepingcomputer.com%2Freg%2Fantivirus-vista-2010%2FFixExe.reg&rct=j&q=fixexe&ei=1hrPTZqCMILEsAP__NzDCw&usg=AFQjCNERQxfVAhq_ClbVI8t6n-KKLLAU3A&cad=rja) then running Malwarebytes in safe mode.

Fixexe? Never heard of it. What exactly does it do?

In other news, I can't get Image Path to work in Task Manager; the option is grayed out but checked. However, as the screenshot shows, it is from System32.

Also, about System Restore: a while ago I had another virus, and the guy who fixed it said not to use a System Restore after the system has been infected. I don't know if that has been

ZombyWoof
2011-05-15, 04:33 AM
SVCHOST.EXE is a generic host process for Win32 services. If the actual EXE itself is infected, you're hosed. If it's something that is running and just CALLING itself SVCHOST.EXE, you have a chance--run Task Manager, click View->Select Columns and add "Image Path Name" to the selection, then see if any of those SVCHOST instances are running from a different location to the others. (The "real" one should be C:\Windows\System32).

It *is* from C:\windows\system32. Check the screenshot.

Thoughtbot360
2011-05-15, 05:01 AM
It *is* from C:\windows\system32. Check the screenshot.

Yes. Alternatively, a different blocked address seems to have hijacked firefox.exe.

Avast is still picking them up, however....

Thoughtbot360
2011-05-15, 06:37 AM
Okay. A new facet of the virus has been discovered: clicking on ANY link that crops up in a search engine immediately redirects to a different website.

GrlumpTheElder
2011-05-15, 07:25 AM
SVCHOST.EXE is a generic host process for Win32 services. If the actual EXE itself is infected, you're hosed.

Not necessarily. If the actual EXE appears infected, it is most likely a rootkit. I had a problem similar to this. AVG could detect 2 infections, but could only deal with one; the other was inside svchost.exe. I downloaded and ran TDSSKiller (support.kaspersky.com/faq/?qid=208283363) and that sorted that out. This may solve your problem.

Manga Shoggoth
2011-05-15, 03:03 PM
Yeah....backups. Here's the deal. I got a floppy drive I lost the installation disk for, a cd burner that doesn't seem to want to work, and no handy flash drives. So yeah. I've backed up nothing.

That's why I suggested rebuilding without formatting the disk - at least that way you can scan your current files and then back them up if they are still clean. Memory sticks are fairly cheap, and you might be surprised how little you need to back up (unless you have lots of music and videos, that is...)

...Must do a backup - I'm overdue as well...

ZombyWoof
2011-05-15, 08:17 PM
I don't think SVCHost is hijacked. I think Avast! might be hijacked.

Of course, I inherently don't trust any antivirus software especially the ones that have such obtrusive warning banners as Avast apparently does.

But it's like that old joke goes, "Hey doctor, when I touch my head, it hurts. It hurts when I touch my stomach and knee too. What's wrong?" "Your finger's broken."

SDF
2011-05-15, 09:14 PM
Fixexe.reg is a registry file that fixes the .exe file association when it has been broken, which is usually caused by malware. When .exe file associations are broken, any associated .exe applications cannot be executed, and you will get one of those warnings/errors saying "What do you want to use to open this file?" since Windows cannot recognize the file.
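
What a fix like FixExe.reg restores is the registry mapping from the .exe extension to the "exefile" class and from that class to the command that launches the file. The script below is an added example, not the content of FixExe.reg and not code from the thread; it only reads the current values and reports whether they match the Windows defaults, so you can tell the broken-association symptom SDF describes from other causes before applying a repair from a trusted source. The function name is mine; the registry paths and the default values ("exefile" and the open command "%1" %*) are the standard Windows ones.

```powershell
# Added example (not from the thread): report the state of the .exe file association.
function Test-ExeAssociation {
    # HKCR merges HKLM\Software\Classes with the per-user HKCU\Software\Classes,
    # and the per-user branch is where a hijack usually lands, so read both.
    $paths = @{
        MergedProgId = 'Registry::HKEY_CLASSES_ROOT\.exe'
        MergedOpen   = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
        UserProgId   = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
        UserOpen     = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
    }

    # Read the (default) value of a key, or $null if the key does not exist.
    function Read-Default([string]$key) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item) { $item.'(default)' } else { $null }
    }

    $progId  = Read-Default $paths.MergedProgId
    $openCmd = Read-Default $paths.MergedOpen
    $userProgId = Read-Default $paths.UserProgId
    $userOpen   = Read-Default $paths.UserOpen

    $expectedOpen = '"%1" %*'
    $problems = @()
    if ($progId -ne 'exefile')        { $problems += "HKCR\.exe maps to '$progId', expected 'exefile'" }
    if ($openCmd -ne $expectedOpen)   { $problems += "exefile open command is '$openCmd', expected '$expectedOpen'" }
    # Any per-user override of .exe is unusual on a default install and worth reporting on its own.
    if ($userProgId -or $userOpen)    { $problems += 'per-user override present under HKCU\Software\Classes' }

    [pscustomobject]@{
        ProgId        = $progId
        OpenCommand   = $openCmd
        UserProgId    = $userProgId
        UserOpenCmd   = $userOpen
        Healthy       = $problems.Count -eq 0
        Problems      = $problems -join '; '
    }
}

Test-ExeAssociation | Format-List
```

If Healthy is false, the Problems line shows exactly which key deviates; a .reg file from a trusted source, such as the one SDF links, writes those keys back to the defaults shown here. Note that an open command pointing at some other executable before "%1" means every program launch is being routed through that executable, which is the symptom to look for.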

Ashtar
2011-05-16, 04:02 AM
If possible, try to boot first to Windows Safe Mode (hold F5 on start-up, select SAFE MODE). This hopefully allows A/V software to work in an *uncorrupted* environment. Download all A/V software you need from another computer onto a USB key, and work from there.

It's always tough to go from an infected computer back to a safe one, since you're never really sure that all the infection is gone.

Good luck!

Starshade
2011-05-16, 05:09 AM
You could try removing from your browser all services you do not recognize, then starting up a Windows program called msconfig, removing services from startup, and rebooting the machine to see if it's gone.
It used to be that viruses DID infect files, but nowadays it's become more common to see malware and viruses that just add themselves to the startup of either the PC or a browser, so you could be able to remove it manually, if you spot it.

Thoughtbot360
2011-05-16, 07:38 AM
Not necessarily. If the actual EXE appears infected, it is most likely a rootkit. I had a problem similar to this. AVG could detect 2 infections, but could only deal with one; the other was inside svchost.exe. I downloaded and ran TDSSKiller (support.kaspersky.com/faq/?qid=208283363) and that sorted that out. This may solve your problem.

I might be counting my eggs before they hatch, but I just ran TDSSKiller, and I am going to call it:

You sir, win this thread. I would like to thank everyone....ah! It's another alert! I spoke too soon!

No wait....it's just an update. (Also, it seriously did this JUST as I was writing this post. But ImageShack is being uncooperative over image sizes (http://img35.imageshack.us/img35/6628/goddammitavast.th.png) all of a sudden. Green pop-ups mean that it's an update.)

Um, yeah. Thanks everyone for all your time posting on this thread. I'm still going to have to run another boot-time scan and Malwarebytes scan in safe mode...and other stuff, but by the looks of things, that cured it.

Thoughtbot360
2011-05-26, 09:59 PM
Annnnd....I spoke too soon. Sigh. Things were great for a couple of days, and in fact, still are. It's just that I have to empty all temporary files and scan for malware every couple of days.

But I just now got a freaking barrage of suspicious program alerts...all of them were blocked, but they seem dangerously similar to what I just had.