Thread: svchost malware freezes Spybot S&D and ends to avoid detection

  1. #1
    Junior Member
    Join Date
    Mar 2013
    Posts
    1

    svchost malware freezes Spybot S&D and ends to avoid detection

    I have a weird malware using the svchost that begins at startup, but I have not been able to find its source program.

    It runs a scvhost process with 50% of my CPU in use and prevents any and all internet access. It also seems to be making a bridged internet connection using the Internet Gateway in the Networking options.

    If I disable my network adaptor or the VirtualBox adaptor it resets the internet gateway. Under details of Internet Gateway this gateway is sending and receiving data. At the same time I'm unable to connect using IE or Thunderbird.

    Also, when I tracked down its PID through the task manager and tried to analyze it in Spybot S&D it hung Spybot and then aborted itself.
    I presume this is to prevent detection of its source. I can kill it manually too in the task manager, but it resumes again at startup and so far no program has found where it's starting up from. It goes away and will resume again at startup but there are no unusual entries in the startup entries in the Windows Registry. I've been over them manually and in Spybot which I've found to be the best tool for this. But nothing unusual is there.

    I've run Malwarebytes, HijackThis, Spybot, and my normal AVG AV scan, and none of them are finding the source of the infection.

    I had a suspicious file with a long numerical string and a CDF extension that was locked found in Malwarebytes. Malwarebytes was able to delete it at startup and it hasn't reappeared. That is the only positive detection. The rest were false since I have some customized settings (I installed Windows using nLite) which were flagged as hijacks.

    I'm not certain if this is related to the svchost malware though.
    That showed up only this morning and my first time knowing about it was not being able to go online.

    Any advice or ideas will be appreciated. The malware doesn't seem to be doing anything when that svchost process is closed so my system returns to almost-normal. It's more of an annoyance.

    I'm using Windows XP as you may have guessed. System board is a GA-ES2L w/ Core2 6550, 2GB RAM, 2TB HDD, Sound Blaster Audigy (latest possible drivers are old), nVidia 8600gt video.

    Henry
    Money talk?! All it ever says to me is "goodbye!"

  2. #2
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Hello G_H_Ramsey,

    In case you missed it please see the FAQ which includes guidelines for this forum and instructions in post #2 on how to provide the preliminary DDS and aswMBR logs used for analysis.

    http://forums.spybot.info/showthread.php?t=288

    Then start a new topic providing the logs requested with a link back to this thread.

    If you cannot obtain logs please start a topic and make note of the situation, provide details of the computer's current symptoms and wait for a response.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
