system
April 15, 2010, 5:38am
1
Recently while surfing around YouTube, my firewall popped up a security warning for me:
Name: svchost.exe
Publisher: Unknown Publisher
Type: Application
From: C:\WINDOWS\system32\svchost
Screenshot: http://img.photobucket.com/albums/v387/Jomaru/firewalled.png
Now I know svchost is a vital part of my system and should never be deleted; however, when I give it the “okay” to run the program, the process doesn’t run. Instead it starts up iexplorer.exe in the background (there’s no window popping up or anything), which is immediately marked to me as suspicious. I terminate the process and the warning pops up again. It’s an eternal loop right now; not sure what to do because no scanner is picking anything up.
Running:
avast! Antivirus (of course)
SuperAntiSpyware
MalwareBytes
Everything is up to date, but I can’t quite shake the feeling that they’re missing something.
Folder Screenshot: http://img.photobucket.com/albums/v387/Jomaru/svchost.png
system
April 15, 2010, 5:44am
2
::Virus Total Log::
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.15 Trojan-Dropper.SuspectCRC!IK
AhnLab-V3 5.0.0.2 2010.04.14 -
AntiVir 7.10.6.77 2010.04.14 -
Antiy-AVL 2.0.3.7 2010.04.14 -
Authentium 5.2.0.5 2010.04.15 -
Avast 4.8.1351.0 2010.04.14 -
Avast5 5.0.332.0 2010.04.14 -
AVG 9.0.0.787 2010.04.14 Dropper.Generic.CKLO
BitDefender 7.2 2010.04.15 -
CAT-QuickHeal 10.00 2010.04.15 -
ClamAV 0.96.0.3-git 2010.04.15 Trojan.Spy-71263
Comodo 4603 2010.04.15 -
DrWeb 5.0.2.03300 2010.04.15 -
eSafe 7.0.17.0 2010.04.14 -
eTrust-Vet None 2010.04.14 -
F-Prot 4.5.1.85 2010.04.15 -
F-Secure 9.0.15370.0 2010.04.15 -
Fortinet 4.0.14.0 2010.04.12 -
GData 19 2010.04.15 -
Ikarus T3.1.1.80.0 2010.04.15 Trojan-Dropper.SuspectCRC
Jiangmin 13.0.900 2010.04.13 -
Kaspersky 7.0.0.125 2010.04.15 -
McAfee 5.400.0.1158 2010.04.15 Generic MSIL.c
McAfee-GW-Edition 6.8.5 2010.04.15 -
Microsoft 1.5605 2010.04.14 -
NOD32 5029 2010.04.14 -
Norman 6.04.11 2010.04.14 -
nProtect 2010-04-14.01 2010.04.15 -
Panda 10.0.2.7 2010.04.14 -
PCTools 7.0.3.5 2010.04.15 -
Prevx 3.0 2010.04.15 -
Rising 22.43.03.01 2010.04.15 -
Sophos 4.52.0 2010.04.15 -
Sunbelt 6178 2010.04.15 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.04.15 -
TheHacker 6.5.2.0.261 2010.04.14 -
TrendMicro 9.120.0.1004 2010.04.15 -
VBA32 3.12.12.4 2010.04.14 -
ViRobot 2010.4.15.2277 2010.04.15 -
VirusBuster 5.0.27.0 2010.04.14 -
Additional information
File size: 934748 bytes
MD5…: 2a9eb9df69037fbcd6fb00e9ef4e2439
SHA1…: 6a8876f14240027289618c1a8aa5cd6a26b92466
SHA256: 23ad5dc89dede02fe73d08f58f08834b9053c63e5feeca436ca08e0cbcbcf755
ssdeep: 24576:C7NFhfSyNbMTai8S1P9IntN+cpXsOQrUKdgzMMtSgMnZYqfxr:CHhfPE8GPutEchPQrL2MxLnZYqfxr
PEiD…: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1752e
timedatestamp…: 0x4bb6ef5d (Sat Apr 03 07:33:49 2010)
machinetype…: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2000 0x15534 0x15600 7.52 ab4db8ab950fbe34f1d5bd713b38097e
.reloc 0x18000 0xc 0x200 0.10 b395b055887e35c3c3b5037183392b9e
.rsrc 0x1a000 0x6186 0x6200 4.01 1e6a1ce3c7f78bc6c2f9ce89ecc16d5b
( 1 imports )
mscoree.dll: _CorExeMain
( 0 exports )
RDS…: NSRL Reference Data Set
pdfid.: -
trid…: Generic CIL Executable (.NET, Mono, etc.) (74.0%)
Windows Screen Saver (13.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
sigcheck:
publisher…: n/a
copyright…:
product…: Trend Micro
description…:
original name: C:\Documents and Settings\nathu\Desktop\stub - Version 3.0 mini.exe
internal name: C:\Documents and Settings\nathu\Desktop\stub - Version 3.0 mini.exe
file version.: 4.0.0.0
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
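An added triage script (my own example, not from the thread or from any tool named in it) that parses a VirusTotal-style report like the one above and pulls out what a responder checks before trusting a file that calls itself svchost.exe: the detection count, the mscoree.dll import (a managed .NET executable, which the genuine svchost.exe is not), the unsigned status, and the mismatch between the claimed name and the compiled-in original name. The report embedded in the script is a constructed subset of the posted log.

```python
import re

# Constructed excerpt of the VirusTotal log posted above (subset of rows, same layout).
REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.15 Trojan-Dropper.SuspectCRC!IK
AhnLab-V3 5.0.0.2 2010.04.14 -
AVG 9.0.0.787 2010.04.14 Dropper.Generic.CKLO
ClamAV 0.96.0.3-git 2010.04.15 Trojan.Spy-71263
McAfee 5.400.0.1158 2010.04.15 Generic MSIL.c
Microsoft 1.5605 2010.04.14 -
Sunbelt 6178 2010.04.15 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.04.15 -
Additional information
mscoree.dll: _CorExeMain
original name: C:\\Documents and Settings\\nathu\\Desktop\\stub - Version 3.0 mini.exe
verified...: Unsigned
"""

# vendor, engine version, signature date (YYYY.MM.DD), result ('-' means clean)
ROW = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")

def parse_av_rows(report):
    """Return (vendor, result) for each engine row above 'Additional information'."""
    rows = []
    for line in report.splitlines():
        if line.startswith("Additional information"):
            break
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(4)))
    return rows

def detection_ratio(report):
    rows = parse_av_rows(report)
    return sum(1 for _, result in rows if result != "-"), len(rows)

def red_flags(report, claimed_name):
    """Static indicators that the file is not the system binary it is named after."""
    flags = []
    if "mscoree.dll" in report:  # CLR entry point: a managed .NET exe, unlike the real svchost.exe
        flags.append("managed .NET binary posing as " + claimed_name)
    if re.search(r"verified\W+Unsigned", report):  # genuine Windows system binaries are signed
        flags.append("unsigned")
    m = re.search(r"^original name: (.+)$", report, re.M)
    if m:
        original = m.group(1).rsplit("\\", 1)[-1]  # strip the build-machine path
        if original.lower() != claimed_name.lower():
            flags.append("original name is %r, not %s" % (original, claimed_name))
    return flags
```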
Asyn
April 15, 2010, 10:37am
3
As a-squared detects it, you could download and run a-squared free.
http://www.emsisoft.com/en/software/free/
asyn
system
April 16, 2010, 6:28am
4
Downloaded, installed, scanned. Hounded the scanned results and got rid of the stuff that was actually bad. Rebooted and everything’s actually worse. This scanner goes bye-bye now. =/
For a more in-depth look at what’s going on now: I’m getting pop-ups from the A-Squared website, along with other “offered scanners”, and while the background process for the program runs, my computer is slowed significantly. Plus, in the instance where I was able to stop the random infinite loop of the “svchost.exe” and “iexplore.exe” executables with SmitFraudFix, they came back after using the aforementioned software.
Asyn
April 16, 2010, 8:38am
5
For free malware removal help with a-squared please go here:
http://support.emsisoft.com/forum/6-malware-removal-help/
asyn
system
April 17, 2010, 1:49pm
6
Oh god, stop recommending a-squared, it has lots of false positives.
Dichromaru, maybe you have something like this threat:
http://www.threatexpert.com/report.aspx?md5=58ea7efbe3aad97f0d43a32ef96f2d58
system
April 17, 2010, 1:55pm
7
Agreed. Don’t use a-squared… maybe MBAM?
+100 - A-Squared is the False Positive King
Asyn
April 17, 2010, 2:29pm
9
He already had Mbam on his system, as well as SAS… (see first post)
system
April 18, 2010, 8:58am
10
First go to Control Panel and delete all other anti-virus and waste software that you don’t need. Then go to Run, type msconfig, go to Startup, uncheck all unwanted applications, then restart the PC and install Avast. Always use a single anti-virus; it will never slow down your PC. Never use these false-positive anti-viruses. Avast is a branded and standard anti-virus program with Boot-Time Scan.
system
April 18, 2010, 10:00am
11
First go to Control Panel and delete all other anti-virus and waste software that you don’t need. Then go to Run, type msconfig, go to Startup, uncheck all unwanted applications, then restart the PC and install Avast. Always use a single anti-virus; it will never slow down your PC. Never use these false-positive anti-viruses. Avast is a branded and standard anti-virus program with Boot-Time Scan.
So dude,
have you read through this topic yet?
system
April 18, 2010, 10:41am
12
Yes, he faced a slowdown problem after the svchost.exe problem, so that’s just advice from me to speed up his PC. OK dude?
system
April 18, 2010, 11:21am
13
Dude, just W…T…F…!? :o You gave advice that anyone totally knows about. Actually, if you’d read the topic, you’d see dude has already done most of what you said. Fail.
system
April 18, 2010, 12:32pm
14
Oh yes, W T F!!
Then re-install Windows!! Last solution!! :o ;D
Asyn
April 18, 2010, 8:08pm
16
Guys, please calm down and relax…
As the OP didn’t post back here, the problem should be solved.
Peace and happiness… 8)
asyn