help with c:\\windows\system32\svchost.exe Virus

[REDACTED]

here we go

[essexboy]

OK a new programme has been released that makes investigating what is using svchost easy

Download the Technical toolbox (portable)   to your desktop
Run the programme and on the left select Svchost.exe lookup

Right click any where on the right and select Copy list
Open notepad and select paste
Save that as svchost
And attach to your next post

[REDACTED]

wow, that's awesome! thanx for the tip, I'm running it right now

[REDACTED]

here's the list

[essexboy]

OK ta, it will take me a while to run a compare on this

[REDACTED]

okay. well thank you very much for all the help already. and if there's anything I can / should do, let me know...

[essexboy]

OK I have run a compare and for the life of me cannot see where it is coming from

This programme will generate a zip file, if you could upload it to a file sharing site for me to collect

 Download AVZ tool from here to your desktop
Unzip all files to a folder on your desktop
Open the folder and double click the AVZ icon
When the tool opens select "File" > "Standards scripts"


Place a tick in :

 
5. Update signature database

Then press "Execute selected scripts"


Once that has execute then
select "File" > "Standards scripts"
Place a tick in :

3.   Advanced  System Analysis with malware removal mode enabled


When finished look in the folder AVZ4 on your desktop
Open the LOG folder
Attach KL_syscure.zip to your next post

[REDACTED]

okay. what a crafty little virus... grrrr...

I ran the scan three times because for some reason, it never created the zip-folder you asked me to share with you. maybe I have a different version? or maybe I made a mistake?

whenever I run the scans, it creates two zip-folders in the LOG folder: one is called virusinfo_autoquarantine (this one is empty). the other one is called virusinfo_syscure. I uploaded the second one to dropbox so you can have a look:

https://www.dropbox.com/s/x1zqncmhc8qw1p8/virusinfo_syscure.zip?dl=0

I also attached three pictures of the different avz-tabs, in case I made a mistake and have to run a different scan.

thanx again. let me know what to do next!

[essexboy]

That's the one, I need to change my instructions

C:\Program Files (x86)\Tinn-R did you install this programme ?

Also could you temporarily disable Spotify and Skype from running at start

[REDACTED]

okay, great!

Tinn-R is a code editor that I installed to work with the open source statistical software R (http://www.r-project.org).
I installed it maybe one or two years ago and it seems unlikely that it would cause problems now all of a sudden, no?

I deactivated spotify autorun. skype wasn't in my autorun list and it actually never does run when I start my computer. I always have to start it manually. so if your list says otherwise, that's weird.

[essexboy]

Checking through the active and waiting connection shows nothing that should not be running.  I will ask some network gurus for assistance 

[REDACTED]

thank you lots.

[essexboy]

OK I have a few options, one is a programme which I have never used before so I am testing that out

The other is sysinternals

Download to your desktop process explorer from here http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
Open process explorer and from the menu bar select View > Lower Pane
A Lower window will open
Select svchost.exe
 As soon as an Alert appears do the following :
Then on the menu bar go to File > Save as..
Then select the desktop and click save
On the desktop will then be a text file called svchost please attach that
You may need to edit the file name from svchost.exe.txt  to svchost.txt  to allow it to be attached

[REDACTED]

oookeydokey.

so, I did what you asked. I'm not sure I did it right but well...

cuz svchost.exe shows up in the process list eleven times. sometimes it has a tree of sub-processes, sometimes it doesn't.

however, I "selected" the first one in the list and right when the alarm popped up, I saved a report.

the svchost.exe.txt and a screenshot are attached.

[REDACTED]

hmmm... why didn't it attach the file... I'll try again