C:\Windows\system32\svchost.exe, Need some assistance please
SCR510
post 30.04.2011 01:09
Post #1

Not sure if it is a virus. I did a couple of scans with Kaspersky and Malwarebytes but found nothing. I get numerous alerts stating C:\WINDOWS\SYSTEM32\SVCHOST.EXE

I also get this message every time I restart the computer: "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience."

Performance is less than optimal and sometimes the system freezes up. Hopefully someone can help me clear up my computer woes.

I tried to run tdsskiller.exe but it only gets to 80% and then the program shuts down because of an error. Tried to run it in safe mode with the same results.



Attached File(s)
Attached File  GetSystemInfo_SRCREATIONZ_Owner_2011_04_29_10_25_59.zip ( 153,65K ) Number of downloads: 11
Attached File  sysinfo.zip ( 27,68K ) Number of downloads: 5
Lucian Bara
post 30.04.2011 01:17
Post #2

hello
run this script:
CODE
begin
SetAVZPMStatus(True);
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\edolibugidixen.dll','');
DeleteFile('C:\WINDOWS\edolibugidixen.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.


instructions: http://forum.kaspersky.com/index.php?s=&am...st&p=678328
-----------------
afterwards post a combofix log:
Download it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe . Save the file to your desktop.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.
SCR510
post 30.04.2011 02:34
Post #3

QUOTE(Lucian Bara @ 30.04.2011 00:17) *
hello
run this script:
(remainder of post #2 quoted in full)

Here is the Combofix logfile.
Attached File(s)
Attached File  ComboFix.txt ( 14,18K ) Number of downloads: 10
Lucian Bara
post 30.04.2011 11:37
Post #4

any change?
could you zip this file: c:\windows\system32\drivers\kbdhid.sys and send it over PM?
SCR510
post 2.05.2011 22:17
Post #5

QUOTE(Lucian Bara @ 30.04.2011 10:37) *
any change?
could you zip this file: c:\windows\system32\drivers\kbdhid.sys and send it over PM?

Seems to be the same unfortunately.

Sending the file in PM now.
Lucian Bara
post 2.05.2011 22:26
Post #6

do a scan with tdss killer and post the result: http://support.kaspersky.com/viruses/solutions?qid=208280684
There's a high chance kbdhid.sys was altered by such a rootkit; I sent the file for analysis and will know more later
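Added example, not part of any post in this thread and not a Kaspersky tool: the kind of baseline check a helper would run over a driver directory to spot the situation described above, a file such as kbdhid.sys that is still there under its normal name but no longer matches a known-good copy. The file contents and hashes below are constructed for the demonstration, not real Windows binaries; in practice the baseline hashes would come from installation media or a clean machine of exactly the same build.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so a large driver need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dir(directory, baseline):
    """Compare every file in `directory` against `baseline` ({name: sha256 hex}).

    Returns {'modified': [...], 'unknown': [...], 'missing': [...]}, each sorted
    by name.  'modified' is the case the thread is worried about: a driver that
    is present under its usual name but whose content differs from the
    known-good copy.
    """
    present = {p.name.lower(): p for p in Path(directory).iterdir() if p.is_file()}
    modified, unknown = [], []
    for name, path in sorted(present.items()):
        expected = baseline.get(name)
        if expected is None:
            unknown.append(name)          # file not in the baseline at all
        elif sha256_of(path) != expected:
            modified.append(name)         # same name, different content
    missing = sorted(n for n in baseline if n not in present)
    return {"modified": modified, "unknown": unknown, "missing": missing}


def demo():
    """Constructed scenario: fake driver contents, not real Windows files."""
    known_good = {
        "kbdhid.sys": b"constructed clean kbdhid.sys content",
        "usbhub.sys": b"constructed clean usbhub.sys content",
        "null.sys": b"constructed clean null.sys content",
    }
    baseline = {n: hashlib.sha256(d).hexdigest() for n, d in known_good.items()}
    with tempfile.TemporaryDirectory() as tmp:
        # kbdhid.sys has bytes appended (simulated tampering), null.sys is
        # absent, and an unexpected file has appeared next to the drivers.
        Path(tmp, "kbdhid.sys").write_bytes(known_good["kbdhid.sys"] + b"\x00patched")
        Path(tmp, "usbhub.sys").write_bytes(known_good["usbhub.sys"])
        Path(tmp, "unexpected.sys").write_bytes(b"constructed unknown file")
        return verify_dir(tmp, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

A hash mismatch only says "changed", not "malicious": Windows Update legitimately replaces drivers, so the baseline has to match the exact build. A rootkit that intercepts file reads can also hand a user-mode reader the clean bytes while the on-disk file is patched, which is why the helper asks for TDSSKiller and an offline look at the file rather than relying on a scan from inside the running system; treat this check as a first pass, not as proof.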
SCR510
post 3.05.2011 06:30
Post #7

QUOTE(Lucian Bara @ 2.05.2011 21:26) *
do a scan with tdss killer and post the result: http://support.kaspersky.com/viruses/solutions?qid=208280684
There's a high chance kbdhid.sys was altered by such a rootkit, I sent the file for analysis and will know more later

I tried to run TDSSKiller but it only reaches 80%, then gets stuck, closes and says it encountered an error.
Lucian Bara
post 3.05.2011 22:06
Post #8

can you try this version of tdss killer: http://forum.kaspersky.com/index.php?s=&am...t&p=1648871