
Svchost.exe / problem, after delete, and restart, it is back/active again.



  • Staff

Hello and welcome to the Malwarebytes Forum,

Let's see if we can find out what's going on.

Please run the following diagnostic tool:

Please download the appropriate version of Farbar Recovery Scan Tool (FRST.exe) from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ (for 32bit systems)

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (for 64bit systems)

Save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

@CatByte

Tnx for the reply. I already sort of fixed the problem.

I used this tool: https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

And I found some weird program named: fd78g6d9f870g68d7f6g87df6g8d26fg, some mining crap,

while all others were named properly: chrome, opera, msi afterburner.

I disabled it and deleted it from auto start.

The problem no longer appears, but I know I still got crap on my PC so I would like to kill it 100%.

Here are two attachments from FRST.exe

FRST.txt

Addition.txt


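The check the post above describes, picking out one autostart entry with a random-looking name among properly named ones, as an added PowerShell example (not part of the thread and not code from Malwarebytes, Sysinternals or FRST). The function name `Test-RandomLookingName` and its thresholds are assumptions chosen for illustration; the listing covers only the startup commands WMI reports plus scheduled tasks, which is less than Autoruns shows.

```powershell
# Added example, not from the thread. Thresholds are illustrative assumptions.
function Test-RandomLookingName {
    param([string]$Name)
    # Keep only letters and digits so spaces, dots and dashes do not affect the score.
    $s = $Name -replace '[^A-Za-z0-9]', ''
    if ($s.Length -lt 16) { return $false }   # short names are not scored

    $digits  = [regex]::Matches($s, '\d').Count
    $letters = $s.Length - $digits
    $vowels  = [regex]::Matches($s, '[aeiouAEIOU]').Count
    # Positions where a letter is followed by a digit, or a digit by a letter.
    $switches = [regex]::Matches($s, '(?<=[A-Za-z])\d|(?<=\d)[A-Za-z]').Count

    $vowelRatio  = if ($letters -gt 0) { $vowels / $letters } else { 0 }
    $switchRatio = $switches / $s.Length
    # Long, digit-heavy, almost vowel-free and constantly alternating: looks generated.
    return ($digits -ge 4 -and $vowelRatio -lt 0.2 -and $switchRatio -gt 0.3)
}

# Self-check with the names quoted in the post: only the first should print True.
'fd78g6d9f870g68d7f6g87df6g8d26fg', 'chrome', 'opera', 'msi afterburner' |
    ForEach-Object { '{0,-34} {1}' -f $_, (Test-RandomLookingName $_) }

# Run keys and Startup folders, as reported by WMI.
$entries = @(Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object @{ n = 'Source'; e = { $_.Location } }, Name, Command)

# Scheduled tasks, another place an entry can restart a deleted program.
$entries += @(Get-ScheduledTask | ForEach-Object {
    [pscustomobject]@{
        Source  = "Task $($_.TaskPath)"
        Name    = $_.TaskName
        Command = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
    }
})

# Show only the entries whose name looks generated, with what they launch.
$entries | Where-Object { Test-RandomLookingName $_.Name } |
    Format-List Source, Name, Command
```

A hit is a candidate for review rather than a verdict: GUID-named entries from legitimate software can match as well.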
  • Staff

Please do the following:

Download attached fixlist.txt file and save it to the Desktop.

FixList.txt

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.


  • Staff

Open Malwarebytes:

• On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.

• Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.

• A Threat Scan will begin.

• With some infections, you may see this message box.

○ 'Could not load DDA driver'

• Click 'Yes' to this message, to allow the driver to load after a restart.

• Allow the computer to restart. Continue with the rest of these instructions.

• When the scan is complete, click Apply Actions.

• Wait for the prompt to restart the computer to appear, then click on Yes.

Attach the resulting log.

• Open MBAM once more.

• Click on the History tab > Application Logs.

• Double click on the scan log which shows the Date and time of the scan just performed.

• Click 'Export' > Click 'Text file (*.txt)'

• In the Save File dialog box which appears, click on Desktop.

• In the File name: box type a name for your scan log.

• A message box named 'File Saved' should appear stating "Your file has been successfully exported" > Click Ok

Attach that saved log to your next reply.

NEXT

Please download AdwCleaner and save it to your desktop.

http://www.bleepingcomputer.com/download/adwcleaner/?rha=1

ATTENTION: After you click the Download Now button, another page will open - DO NOT CLICK any additional 'download now' buttons as they are sponsored advertisements. Please wait and look toward the top or bottom of your browser for the option to Run or Save. Click Save to save the file.

Double click on AdwCleaner.exe to run the tool.

Click on the Scan button.

After the scan has finished... click on the Cleaning button.

Press OK when asked to close all programs and follow the onscreen prompts.

Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

After rebooting, a log file report (AdwCleaner[s0].txt) will open automatically.

Attach that log file to your next reply.

A copy of that log file will also be saved in the C:\AdwCleaner folder.

Please advise how the computer is running now and if there are any outstanding issues.


  • Staff

Please do the following:

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish
Please advise how the computer is running now and if there are any outstanding issues.

  • Staff

Hello

I do recommend deleting the files flagged by ESET:

C:\Program Files (x86)\NCH Software\Debut\debut.exe

C:\Program Files (x86)\NCH Software\Debut\debutsetup_v2.02.exe

C:\ProgramData\Origin\update.vbe

C:\Users\All Users\Origin\update.vbe

D:\Instalaciono\harwareinfo64\Core temp zipovani.7z

D:\Instalaciono\PLEJERI\bsplayer261.1065.exe

D:\Instalaciono\PLEJERI\BS Player\bsplayer.exe

D:\Instalaciono\PLEJERI\km player\3.7.0.113_20131016055856.exe

D:\Instalaciono\PLEJERI\VLC\vlc-media-player.exe

D:\Instalaciono\Screen reccorders\debutpsetup.exe

D:\Instalaciono\Video obrada programi\FreemakeVideoConverterSetup.exe

D:\Instalaciono\winFlash\wintoflash-setup.exe

They are mostly installation files that are bundled with adware (the type that will install an unwanted toolbar if you don't remember to "opt out" during installation).

I'm glad to hear things are now back to normal. Now we can clean up our tools:

You can delete the FRST and ESET logs and programs from your desktop.

NEXT

Double click on adwcleaner.exe to run the tool.

Click on the Uninstall button

Confirm with yes

If there are any logs/tools remaining on your desktop > right click and delete them

NEXT

Below I have included a couple of recommendations for how to protect your computer against malware infections.

It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection.

Refer to this Microsoft article - Strong passwords: How to create and use them

http://www.microsoft.com/security/online-privacy/passwords-create.aspx

Keep Windows updated by regularly checking their website at:

http://windowsupdate.microsoft.com

This will ensure your computer always has the latest available security updates installed.

http://www.mywot.com

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

Green to go

Yellow for caution

Red to stop

WOT has an addon available for Chrome, Firefox and IE

AdblockPlus, Surf the web without annoying ads!

Blocks banners, pop-ups and video ads - even on Facebook and YouTube

Protects your online privacy

Two-click installation, It's free!

https://adblockplus.org/en/internet-explorer

https://adblockplus.org/en/firefox

https://adblockplus.org/en/chrome

Click the link(s) for your browser(s) and download.

Thank you for your patience, and performing all of the procedures requested.

If there are no other questions or concerns then we can go ahead and close this thread
