Jump to content

Svchost rootkit virus is lagging out my computer randomly

Recommended Posts

I have recently realized that my computer is infected by a rootkit virus which creates duplicates of the svchost service and in doing so slows down my computer, whilst also playing music and sounds from advertisements.

I was hoping to recieve assistance in removal of this virus.

thank you very much

Link to post
Share on other sites

Welcome to the forum, please start at the link below:


Post back the 2 logs here.....DDS.txt and Attach.txt



Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.


Link to post
Share on other sites

Getting lag spikes because of a rootkit virus causing multiple instances of svchost to open, as well as having obnoxious audio ads playing.

Did the dds scan, and am awaiting further instruction if possible

Thank you

RogueKiller V8.0.0 [08/26/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Jonathan Wilson [Admin rights]

Mode : Scan -- Date : 08/29/2012 15:35:17

¤¤¤ Bad processes : 4 ¤¤¤

[RESIDUE] iexplore.exe -- C:\Program Files (x86)\Internet Explorer\iexplore.exe -> KILLED [TermProc]

[RESIDUE] iexplore.exe -- C:\Program Files (x86)\Internet Explorer\iexplore.exe -> KILLED [TermProc]

[RESIDUE] iexplore.exe -- C:\Program Files (x86)\Internet Explorer\iexplore.exe -> KILLED [TermProc]

[RESIDUE] iexplore.exe -- C:\Program Files (x86)\Internet Explorer\iexplore.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 12 ¤¤¤

[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND

[TASK][ROGUE ST] 4808 : wscript.exe -> FOUND

[TASK][sUSP PATH] RunAsStdUser Task : "C:\Users\Jonathan Wilson\AppData\Local\seeqdoSA\bin\\SeeqDoSA.exe" -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[FILEASSO] HKLM\[...]\command : (C:\Program Files (x86)\Internet Explorer\iexplore.exe) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\Windows\Installer\{fd78f0bf-2485-bca4-c1fa-e60232d4937a}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{fd78f0bf-2485-bca4-c1fa-e60232d4937a}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{fd78f0bf-2485-bca4-c1fa-e60232d4937a}\L --> FOUND

[ZeroAccess][FILE] @ : C:\Users\Jonathan Wilson\AppData\Local\{fd78f0bf-2485-bca4-c1fa-e60232d4937a}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Users\Jonathan Wilson\AppData\Local\{fd78f0bf-2485-bca4-c1fa-e60232d4937a}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Users\Jonathan Wilson\AppData\Local\{fd78f0bf-2485-bca4-c1fa-e60232d4937a}\L --> FOUND

[susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts www.007guard.com 007guard.com 008i.com www.008k.com 008k.com www.00hq.com 00hq.com 010402.com www.032439.com 032439.com www.0scan.com 0scan.com www.1000gratisproben.com 1000gratisproben.com 1001namen.com www.1001namen.com 100888290cs.com www.100888290cs.com www.100sexlinks.com 100sexlinks.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS721010CLA632 ATA Device +++++

--- User ---

[MBR] ad1d23470d39d1d8febf53b33dcc313a

[bSP] eaeb67da66bd8dfe4cee09429c42d10c : Windows Vista/7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 941510 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1928419328 | Size: 12257 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>




Edited by Maurice Naggar
Link to post
Share on other sites

Welcome to the forum.

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.



One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


When Should I Format, How Should I Reinstall


I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt

    [*]Select Command Prompt

    [*]In the command window type in notepad and press Enter.

    [*]The notepad opens. Under File menu select Open.

    [*]Select "Computer" and find your flash drive letter and close the notepad.

    [*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

    [*]The tool will start to run.

    [*]When the tool opens click Yes to disclaimer.

    [*]Press Scan button.

    [*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:


    [*]Now press the Search button

    [*]When the search is complete, search.txt will also be written to your USB

    [*]Type exit and reboot the computer normally

    [*]Please copy and paste both logs in your reply.(FRST.txt and Search.txt)


Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.