
Thread: SVCHOST trojan

  1. #31
    musicalpulltoy (Senior Member) | Join Date: Mar 2009 | Posts: 104

    hey!
    ok, all must be well.
    thank you for your help, you fellows are great!!
    *<];-D

  2. #32
    musicalpulltoy (Senior Member) | Join Date: Mar 2009 | Posts: 104

    hey
    i don't think it's all gone.
    a svchost opens in and when shut down things pick up.
    ?

  3. #33
    Emeritus - Malware Team | Join Date: Aug 2011 | Posts: 148

    Hi musicalpulltoy,

    Please can you clarify what you mean by:

    Quote: Originally Posted by musicalpulltoy
        a svchost opens in and when shut down things pick up

    Try to describe exactly what happens and provide any error message(s) you receive.

    Did this issue start immediately following the final cleanup instructions or has it started since following further use of the computer?

    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others

  4. #34
    musicalpulltoy (Senior Member) | Join Date: Mar 2009 | Posts: 104

    hey..
    when online page loading goes from good to super slow.
    at a restart (after finding the svchost fake) i wrote down the PID of each svchost running.
    when it slowed i'd shut down the new one and things returned to normal.
    go figure ..

  5. #35
    Emeritus - Malware Team | Join Date: Aug 2011 | Posts: 148

    Hi musicalpulltoy,

    Does the slowdown issue recur each time you restart the computer?
    If so, please complete the instructions below so we can get a handle on what might be causing the slowdown.

    Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
    If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

    Before proceeding please make sure any open programs are closed.

    Step 1:
    Tasklist Utility - XP Home

    Please download the Tasklist Utility for Windows XP Home. Save the file to your Desktop.
    Note: If the utility is not saved to the Desktop the following batch query will not work.

    Step 2:
    Batch - Query

    Please follow the instructions below BEFORE killing off the "fake" new svchost process:

    1. Click on Start > Run.
    2. In the text entry box type:

      notepad
    3. Then click on the OK button.
    4. This will open an empty Notepad file.
    5. Copy and Paste the contents of the box below into the Notepad window:
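      Code:
      @echo off
      rem Work from the Desktop, where the Tasklist Utility was saved.
      cd /d "%userprofile%\desktop"
      rem List every svchost.exe instance with its PID and hosted services.
      tasklist /svc /fi "imagename eq svchost.exe" > "%userprofile%\desktop\svclook.txt"
      rem Open the report, then remove this batch file.
      notepad.exe "%userprofile%\desktop\svclook.txt"
      del "%~f0"
      exit
    6. Click Format and ensure Word Wrap is unchecked.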
    7. Save as svcquery.bat to the Desktop.
    8. Save as file type All Files otherwise it will not work.
    9. Now double-click on svcquery.bat to allow it to run the query.
      (A command prompt window will flash on the screen briefly.)
    10. Please Copy and Paste the contents of the file svclook.txt into your next reply.

    Step 3:
    "Fake" New Svchost Process - Feedback

    When you shut down the "fake" new svchost process this time, please make a note of the PID and post that information into your next reply.

    Step 4:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. Does the slowdown issue recur each time you restart the computer?
    3. svclook.txt.
    4. What was the PID of the "fake" new svchost process you needed to shut down?


    Scolabar

  6. #36
    Emeritus - Malware Team | Join Date: Aug 2011 | Posts: 148

    Hi musicalpulltoy,

    It has been over 48 hours since my last post.

    1. Do you still need help?
    2. Do you need more time?
    3. Are you having problems following my instructions?
    4. In line with Safer-Networking's Forum Guidelines, topics will be closed after 3 days without a response.
    5. If you do not reply within the next 24 hours, this topic will be closed.


    Scolabar

  7. #37
    musicalpulltoy (Senior Member) | Join Date: Mar 2009 | Posts: 104

    hi.,.
    was busy
    when running the query i got "access denied".
    there were 2 pid 672 and 2880.
    after query 2460 appeared.
    no, the new svchost can appear at any time.


    Image Name                   PID Services
    ========================= ====== =============================================
    svchost.exe                 1612 DcomLaunch, TermService
    svchost.exe                 1712 RpcSs
    svchost.exe                 1884 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                     FastUserSwitchingCompatibility,
                                     lanmanworkstation, Netman, Nla, RasMan,
                                     Schedule, SENS, SharedAccess,
                                     ShellHWDetection, srservice, TapiSrv,
                                     Themes, w32time, winmgmt, wscsvc, wuauserv,
                                     WZCSVC
    svchost.exe                  196 Dnscache
    svchost.exe                  364 LmHosts, SSDPSRV
    svchost.exe                  672 HTTPFilter
    svchost.exe                 2880 WudfSvc
    svchost.exe                 2460 stisvc
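
The by-hand comparison described in the posts above (noting each svchost PID, then spotting the instance that appears later) can be scripted against saved svclook.txt files. This is an added example, not part of the original thread: the function names are hypothetical, and the baseline listing is constructed by removing the PID 2460 row from the posted output.

```python
import re

ROW = re.compile(r"^(?P<image>\S.*?\.exe)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$", re.I)

def parse_tasklist_svc(text):
    """Map PID -> list of service names from `tasklist /svc` table output.
    A line that is not a process row continues the previous row's services."""
    procs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Image Name", "=")):
            continue
        m = ROW.match(line)
        if m:
            current = int(m.group("pid"))
            procs[current] = []
            line = m.group("svcs")
        elif current is None:
            continue  # stray text before the first row, e.g. an error message
        procs[current] += [s.strip() for s in line.split(",")
                           if s.strip() and s.strip() != "N/A"]
    return procs

def new_svchosts(baseline, later):
    """Instances whose PID is in `later` but not `baseline` (same boot session)."""
    return {pid: svcs for pid, svcs in later.items() if pid not in baseline}

# svclook.txt as posted in the thread, wrapped service lines included.
LATER = """\
Image Name PID Services
========================= ====== =============================================
svchost.exe 1612 DcomLaunch, TermService
svchost.exe 1712 RpcSs
svchost.exe 1884 AudioSrv, CryptSvc, Dhcp, EventSystem,
FastUserSwitchingCompatibility,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, w32time, winmgmt, wscsvc, wuauserv,
WZCSVC
svchost.exe 196 Dnscache
svchost.exe 364 LmHosts, SSDPSRV
svchost.exe 672 HTTPFilter
svchost.exe 2880 WudfSvc
svchost.exe 2460 stisvc
"""
# Constructed baseline: the same listing without the PID 2460 row.
BASELINE = LATER.replace("svchost.exe 2460 stisvc\n", "")
if __name__ == "__main__":
    print(new_svchosts(parse_tasklist_svc(BASELINE), parse_tasklist_svc(LATER)))
```

PIDs are reassigned at every boot, so both listings must come from the same session for the PID comparison to mean anything.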

  8. #38
    musicalpulltoy (Senior Member) | Join Date: Mar 2009 | Posts: 104

    a second 1
    pid 2052 and 3998


    Image Name                   PID Services
    ========================= ====== =============================================
    svchost.exe                 1268 DcomLaunch, TermService
    svchost.exe                 1352 RpcSs
    svchost.exe                 1432 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                     FastUserSwitchingCompatibility,
                                     lanmanworkstation, Netman, Nla, RasMan,
                                     Schedule, SENS, SharedAccess,
                                     ShellHWDetection, srservice, TapiSrv,
                                     Themes, w32time, winmgmt, wscsvc, wuauserv,
                                     WZCSVC
    svchost.exe                 1484 WudfSvc
    svchost.exe                 1696 Dnscache
    svchost.exe                 1724 LmHosts, SSDPSRV
    svchost.exe                 2052 HTTPFilter
    svchost.exe                 3988 stisvc

  9. #39
    Emeritus - Malware Team | Join Date: Aug 2011 | Posts: 148

    Hi musicalpulltoy,

    Were you logged into an account with administrative privileges when you tried to run the query?
    Did you get the "access denied" error the second time you ran the query as well?
    Was the "access denied" error a standard Windows error message dialogue box? Or was the error generated by the AVG or ZoneAlarm software?

    Regarding the second query do you actually mean you killed the services:

    Quote: Originally Posted by musicalpulltoy
        pid 2052 and 3998

    or do you mean:
    pid 2052 and 3988?

    Please try running the steps for the query again with both AVG and ZoneAlarm temporarily disabled.

    Have you attached a scanner or camera recently to your computer?
    Or have you installed scanner- or camera-related software?

    Scolabar

  10. #40
    musicalpulltoy (Senior Member) | Join Date: Mar 2009 | Posts: 104

    hiya
    yes it's an administrator.
    3988.
    got access denied every time "standard windows".
    there is a scanner connected but no new installs.


    Image Name                   PID Services
    ========================= ====== =============================================
    svchost.exe                 1268 DcomLaunch, TermService
    svchost.exe                 1352 RpcSs
    svchost.exe                 1432 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                     FastUserSwitchingCompatibility,
                                     lanmanworkstation, Netman, Nla, RasMan,
                                     Schedule, SENS, SharedAccess,
                                     ShellHWDetection, srservice, TapiSrv,
                                     Themes, w32time, winmgmt, wscsvc, wuauserv,
                                     WZCSVC
    svchost.exe                 1484 WudfSvc
    svchost.exe                 1696 Dnscache
    svchost.exe                 1724 LmHosts, SSDPSRV
    svchost.exe                 2052 HTTPFilter
    svchost.exe                 3988 stisvc
