svchost.exe virus Windows 7

    Question

  • My apologies on a long post here, just trying to get as much info on what I have done though.  Also please let me know if I have this on the correct forum.

    Just recently I noticed the svchost.exe virus on my Windows 7 system.  I have tried MalwareBytes, Ad-Aware, Spybot, Spyhunter, MS Security Essentials, etc...  They catch the process and remove it and the file but it gets regenerated back again.  I am stuck now and not sure what else to do.  I'm trying to find out what file is generating the rogue svchost.exe but I'm hitting brick walls at every turn.

    I have run HijackThis and removed some other malware but after that, HijackThis doesn't reveal anything that could be generating this file.

    I have checked msconfig, the usual registry keys of run, runonce, etc....

    Here is how I know it is a virus.

    svchost.exe appears in C:\windows\system32 directory (the normal directory).  It also appears in C:\windows directory.  This is the virus.  The size is 20,480 bytes and shows up in Task Manager as ddsvchost.exe*32 and its owner is winrscmde.  Definitely not normal.  winrscmde does not show up in the registry nor does windows\svchost.exe. 

    According to MalwareBytes, it attempts to connect to 78.41.203.120 (and other similar IPs) which, according to IP lookup, are in Romania.  It does change over time, also hitting in Virginia and other places.  MalwareBytes is currently blocking any outgoing traffic to it.

    Right clicking on that svchost.exe*32 and selecting go to services shows no highlighted services.  Oddly enough, its Parent PID is another svchost.exe (a 64 bit one residing in C:\windows\system32).  Checking the "go to services" on that one reveals the following list: AeLookupSvc, BITS, Browser, CertPropSvc, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProvSvc, RasMan, Schedule, seclogon, SENS, SessionEnv, ShellHWDetection, Themes, Winmgmt, wuauserv all of which are in the netsvcs group.  None of these look suspicious.

    One suspicious registry entry that keeps getting regenerated at reboot is HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION and generates a DWORD svchost.exe with a value of 0.

    Checking printable strings on c:\windows\svchost.exe is below.

    !This program cannot be run in DOS mode.
    .text
    `.data
    .rsrc
    @.reloc
    USER32.dll
    msvcrt.dll
    ntdll.dll
    KERNEL32.dll
    ole32.dll
    Uru*Ur
    TraceMessageVa
    TraceMessage
    winrshost.pdb
    XPVj
    PostMessageW
    DefWindowProcW
    DeleteMenu
    GetSystemMenu
    UpdateWindow
    ShowWindow
    CreateWindowExW
    RegisterClassW
    LoadCursorW
    LoadIconW
    UnregisterClassW
    DestroyWindow
    DispatchMessageW
    TranslateMessage
    GetMessageW
    USER32.dll
    memcpy
    memset
    __CxxFrameHandler3
    _wcsicmp
    mbtowc
    __getmainargs
    _cexit
    _exit
    _XcptFilter
    _ismbblead
    exit
    _acmdln
    _initterm
    _amsg_exit
    __setusermatherr
    __p__commode
    __p__fmode
    __set_app_type
    msvcrt.dll
    _unlock
    __dllonexit
    _lock
    _onexit
    ?terminate@@YAXXZ
    _except_handler4_common
    _controlfp
    EtwLogTraceEvent
    EtwGetTraceEnableFlags
    EtwGetTraceEnableLevel
    EtwGetTraceLoggerHandle
    EtwRegisterTraceGuidsW
    EtwUnregisterTraceGuids
    ntdll.dll
    GetProcessHeap
    InterlockedIncrement
    GetLastError
    HeapCreate
    HeapDestroy
    HeapAlloc
    HeapFree
    LocalFree
    LocalAlloc
    FreeLibrary
    GetProcAddress
    LoadLibraryW
    GetVersionExW
    GetConsoleWindow
    SetConsoleCtrlHandler
    DeleteCriticalSection
    AllocConsole
    InitializeCriticalSection
    HeapSetInformation
    InterlockedDecrement
    CloseHandle
    SetThreadPreferredUILanguages
    SetConsoleCP
    SetConsoleOutputCP
    CreateProcessW
    GenerateConsoleCtrlEvent
    WriteConsoleInputW
    SetConsoleMode
    GetConsoleMode
    GetStdHandle
    OpenProcess
    GetCurrentProcessId
    InterlockedExchange
    Sleep
    InterlockedCompareExchange
    GetStartupInfoA
    SetUnhandledExceptionFilter
    GetModuleHandleA
    QueryPerformanceCounter
    GetTickCount
    GetCurrentThreadId
    GetSystemTimeAsFileTime
    TerminateProcess
    GetCurrentProcess
    UnhandledExceptionFilter
    KERNEL32.dll
    CoRevokeClassObject
    CoUninitialize
    CoCreateInstance
    CoInitializeSecurity
    CoInitializeEx
    CoRegisterClassObject
    ole32.dll
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <!-- Copyright (c) Microsoft Corporation -->
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <assemblyIdentity
        version="5.1.0.0"
        processorArchitecture="x86"
        name="Microsoft.Windows.WinRM.WinRSHost"
        type="win32"
    <description>Windows Remote Shell Host file</description>
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
            <requestedPrivileges>
                <requestedExecutionLevel
                    level="asInvoker"
                    uiAccess="false"
                />
            </requestedPrivileges>
        </security>
    </trustInfo>
    </assembly>

    Running a difference on the strings for c:\windows\svchost.exe and c:\windows\system32\svchost.exe shows the following: (note anything pointing to the left belongs to c:\windows\svchost.exe and anything to the right belongs to c:\windows\system32\svchost.exe)

    6d5
    < USER32.dll
    8c7
    < ntdll.dll
    ---
    > API-MS-Win-Core-ProcessThreads-L1-1-0.dll
    9a9,32
    > NTDLL.DLL
    > API-MS-Win-Security-Base-L1-1-0.dll
    > API-MS-WIN-Service-Core-L1-1-0.dll
    > API-MS-WIN-Service-winsvc-L1-1-0.dll
    > RPCRT4.dll
    > 95TP
    > ;5TP
    > SvchostPushServiceGlobals
    > ServiceMain
    > @PRPRh
    > 95TP
    > ;5TP
    > VWhu:
    > @Ho=
    > @Lr;
    > Phh+
    > Ph@+
    > Ph`*
    > Ph@*
    > Ph4.
    > WVh$.
    > 9=TP
    > ;5TP
    > uh\=
    11,38c34,46
    < Uru*Ur
    < TraceMessageVa
    < TraceMessage
    < winrshost.pdb
    < XPVj
    < PostMessageW
    < DefWindowProcW
    < DeleteMenu
    < GetSystemMenu
    < UpdateWindow
    < ShowWindow
    < CreateWindowExW
    < RegisterClassW
    < LoadCursorW
    < LoadIconW
    < UnregisterClassW
    < DestroyWindow
    < DispatchMessageW
    < TranslateMessage
    < GetMessageW
    < USER32.dll
    < memcpy
    < memset
    < __CxxFrameHandler3
    < _wcsicmp
    < mbtowc
    < __getmainargs
    < _cexit
    ---
    > CoInitializeEx
    > CoCreateInstance
    > CoInitializeSecurity
    > CLSIDFromString
    > RPCRT4.dll
    > API-MS-WIN-Service-winsvc-L1-1-0.dll
    > API-MS-WIN-Service-Core-L1-1-0.dll
    > API-MS-Win-Security-Base-L1-1-0.dll
    > ntdll.dll
    > KERNEL32.dll
    > API-MS-Win-Core-ProcessThreads-L1-1-0.dll
    > msvcrt.dll
    > __wgetmainargs
    41d48
    < _ismbblead
    43d49
    < _acmdln
    47,56c53
    < __p__commode
    < __p__fmode
    < __set_app_type
    < msvcrt.dll
    < _unlock
    < __dllonexit
    < _lock
    < _onexit
    < ?terminate@@YAXXZ
    < _except_handler4_common
    ---
    > memcpy
    58,72c55,65
    < EtwLogTraceEvent
    < EtwGetTraceEnableFlags
    < EtwGetTraceEnableLevel
    < EtwGetTraceLoggerHandle
    < EtwRegisterTraceGuidsW
    < EtwUnregisterTraceGuids
    < ntdll.dll
    < GetProcessHeap
    < InterlockedIncrement
    < GetLastError
    < HeapCreate
    < HeapDestroy
    < HeapAlloc
    < HeapFree
    < LocalFree
    ---
    > _except_handler4_common
    > ?terminate@@YAXXZ
    > __set_app_type
    > __p__fmode
    > __p__commode
    > _cexit
    > TerminateProcess
    > GetCurrentProcess
    > OpenProcessToken
    > GetCurrentProcessId
    > GetCurrentThreadId
    74,84d66
    < FreeLibrary
    < GetProcAddress
    < LoadLibraryW
    < GetVersionExW
    < GetConsoleWindow
    < SetConsoleCtrlHandler
    < DeleteCriticalSection
    < AllocConsole
    < InitializeCriticalSection
    < HeapSetInformation
    < InterlockedDecrement
    86,96c68,73
    < SetThreadPreferredUILanguages
    < SetConsoleCP
    < SetConsoleOutputCP
    < CreateProcessW
    < GenerateConsoleCtrlEvent
    < WriteConsoleInputW
    < SetConsoleMode
    < GetConsoleMode
    < GetStdHandle
    < OpenProcess
    < GetCurrentProcessId
    ---
    > DelayLoadFailureHook
    > GetProcAddress
    > GetLastError
    > FreeLibrary
    > InterlockedCompareExchange
    > LoadLibraryExA
    99,100d75
    < InterlockedCompareExchange
    < GetStartupInfoA
    105d79
    < GetCurrentThreadId
    107,108d80
    < TerminateProcess
    < GetCurrentProcess
    110,117c82,144
    < KERNEL32.dll
    < CoRevokeClassObject
    < CoUninitialize
    < CoCreateInstance
    < CoInitializeSecurity
    < CoInitializeEx
    < CoRegisterClassObject
    < ole32.dll
    ---
    > DeactivateActCtx
    > LoadLibraryExW
    > ActivateActCtx
    > LeaveCriticalSection
    > lstrcmpW
    > EnterCriticalSection
    > RegCloseKey
    > RegOpenKeyExW
    > HeapSetInformation
    > lstrcmpiW
    > lstrlenW
    > LCMapStringW
    > RegQueryValueExW
    > ReleaseActCtx
    > CreateActCtxW
    > ExpandEnvironmentStringsW
    > GetCommandLineW
    > ExitProcess
    > SetProcessAffinityUpdateMode
    > RegDisablePredefinedCacheEx
    > InitializeCriticalSection
    > GetProcessHeap
    > SetErrorMode
    > RegisterWaitForSingleObjectEx
    > LocalFree
    > HeapFree
    > WideCharToMultiByte
    > HeapAlloc
    > RtlAllocateHeap
    > RtlLengthRequiredSid
    > RtlSubAuthoritySid
    > RtlInitializeSid
    > RtlCopySid
    > RtlSubAuthorityCountSid
    > RtlInitializeCriticalSection
    > RtlSetProcessIsCritical
    > RtlImageNtHeader
    > RtlUnhandledExceptionFilter
    > EtwEventWrite
    > EtwEventEnabled
    > EtwEventRegister
    > RtlFreeHeap
    > SetSecurityDescriptorDacl
    > AddAccessAllowedAce
    > SetSecurityDescriptorOwner
    > SetSecurityDescriptorGroup
    > GetTokenInformation
    > InitializeSecurityDescriptor
    > GetLengthSid
    > InitializeAcl
    > StartServiceCtrlDispatcherW
    > SetServiceStatus
    > RegisterServiceCtrlHandlerW
    > RpcMgmtSetServerStackSize
    > I_RpcMapWin32Status
    > RpcServerUnregisterIf
    > RpcMgmtWaitServerListen
    > RpcMgmtStopServerListening
    > RpcServerUnregisterIfEx
    > RpcServerRegisterIf
    > RpcServerUseProtseqEpW
    > RpcServerListen
    > svchost.pdb
    124c151
    <     name="Microsoft.Windows.WinRM.WinRSHost"
    ---
    >     name="Microsoft.Windows.Services.SvcHost"
    126c153
    < <description>Windows Remote Shell Host file</description>
    ---
    > <description>Host Process for Windows Services</description>


    • Edited by w7user2000 Wednesday, August 15, 2012 2:14 AM making it a bit easier to read
    Wednesday, August 15, 2012 2:08 AM
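    The checks the post above works through by hand (image path outside System32, a parent that is not services.exe, a manifest name and .pdb hint that belong to a different Microsoft binary) can be scripted. The following is an added example written for this page; it is not code from the thread, from Microsoft or from any of the tools named here. It assumes Windows 7 with the default PowerShell 2.0 or later, an elevated prompt, English system paths, and takes the expected manifest name Microsoft.Windows.Services.SvcHost from the strings diff in the post. It only reports; it deletes nothing.

```powershell
# Added triage example for the situation in the post above (not code from the thread).
# Assumptions: Windows 7, elevated PowerShell 2.0+, English paths. Report only.

$expectedImage  = Join-Path $env:SystemRoot 'System32\svchost.exe'
$expectedParent = 'services.exe'   # the Service Control Manager starts every genuine svchost.exe
$expectedName   = 'Microsoft.Windows.Services.SvcHost'   # assemblyIdentity name seen in the post's diff

function Get-PeIdentityHints {
    # Crude stand-in for the 'strings' run in the post: pull the first manifest
    # assemblyIdentity name and the first .pdb path out of the file's printable bytes.
    param([Parameter(Mandatory=$true)][string]$Path)
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    New-Object psobject -Property @{
        ManifestName = [regex]::Match($text, 'name="([^"]+)"').Groups[1].Value
        PdbHint      = [regex]::Match($text, '[A-Za-z0-9_.\\-]+\.pdb').Value
    }
}

function Test-SvchostInstances {
    $all   = Get-WmiObject Win32_Process
    $byPid = @{}
    foreach ($proc in $all) { $byPid[[int]$proc.ProcessId] = $proc }

    foreach ($p in ($all | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $findings   = @()
        $image      = $p.ExecutablePath
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = '<exited>'
        if ($parent) { $parentName = $parent.Name }

        # 1. Image path: anything outside System32 (e.g. C:\Windows\svchost.exe) is wrong.
        if (-not $image) {
            $findings += 'image path unavailable (access denied?)'
        } elseif ($image -ine $expectedImage) {
            $findings += "unexpected image path: $image"
        }

        # 2. Parent: a svchost.exe whose parent is another svchost.exe, as in the post, is abnormal.
        if ($parent -and ($parent.Name -ine $expectedParent)) {
            $findings += "parent is $($parent.Name) (PID $($parent.ProcessId)), expected $expectedParent"
        }

        if ($image -and (Test-Path -LiteralPath $image)) {
            # 3. Signature. Caveat: system files are catalog-signed and PowerShell before 5.1
            #    reports them as NotSigned, so NotSigned on the System32 copy means 'verify
            #    another way', not 'malicious'.
            $sig = Get-AuthenticodeSignature -FilePath $image
            if ($sig.Status -ne 'Valid') { $findings += "Authenticode status: $($sig.Status)" }

            # 4. Embedded manifest and PDB hint, which is what the post's strings diff boils down to.
            $hints = Get-PeIdentityHints -Path $image
            if ($hints.ManifestName -ne $expectedName) {
                $findings += "manifest name '$($hints.ManifestName)', pdb hint '$($hints.PdbHint)'"
            }
        }

        $summary = 'looks normal'
        if ($findings.Count) { $summary = $findings -join '; ' }

        New-Object psobject -Property @{
            PID      = $p.ProcessId
            Parent   = $parentName
            Image    = $image
            Findings = $summary
        }
    }
}

Test-SvchostInstances | Format-Table -AutoSize PID, Parent, Image, Findings
```

    On a clean machine every row should show services.exe as the parent and the System32 path as the image; the rogue copy described in the post would show up with the C:\Windows path, a svchost.exe parent and a WinRSHost manifest name. A 32-bit svchost.exe under SysWOW64 is not flagged by the path check on its own and should be judged by the other three.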

Answers

  • There are two rootkits that are the root cause of c:\windows\svchost.exe:

    ZeroAccess & TDL4/MAXSS (mostly Pihar).

    As you say that you have winrscmde popping up, it should be Rootkit.Boot.Pihar. TDSSKiller should cure it:

    http://support.kaspersky.com/downloads/utils/tdsskiller.exe

    Restart the PC. If MBAM still detects svchost.exe, remove it and rescan; it should come clean.

    Do not mess with C:\windows\system32\svchost.exe; this is a valid file.

    Good luck.

    • Marked as answer by w7user2000 Wednesday, August 15, 2012 3:02 PM
    Wednesday, August 15, 2012 3:52 AM

All replies

  • I followed your instructions and it worked.  It turned out to be rootkit.pihar.c.  TDSSKiller did catch it and cured it and after a reboot, MalwareBytes caught it again.  I then had MalwareBytes remove it and rebooted again and now it is completely gone.  I did another reboot just to make sure.  Thank you for your help.  This was really driving me nuts.
    Wednesday, August 15, 2012 3:01 PM
  • YES! It worked, you are a genius. So happy I fixed it, I was really starting to worry.
    THANK YOU!
    Thursday, December 27, 2012 2:29 AM
  • Dear Sir (narenxp):

    I was plagued with the same problem as described above.  Additionally, my Windows security patches would not load, Adobe stopped working, and McAfee Virtual Technician could not find any product.

    I had been struggling and trying various remedies for months while never turning off my computer.

    Today, I found your recommendation and followed it.  It worked.  Everything on my computer now works as it should.  It is as if my computer is new.  THANK YOU!!!

    I do not know why McAfee cannot handle an issue such as this.

    Thank you again.


    • Edited by Ant M Saturday, December 29, 2012 5:33 PM
    Saturday, December 29, 2012 3:44 AM
  • Thank you for asking the question.  I had the same problem.  The problem is now fixed by the remedy proposed here.

    Thank you!

    Saturday, December 29, 2012 3:47 AM
  • narenxp,

    Thanks for fighting the good fight and not using your powers for evil. This is the easiest fix to a problem that's been driving me bonkers.

    Friday, January 04, 2013 3:19 PM
  • Thanks so much!! My computer restarted on its own, and when it turned back on, no windows were open, yet I had continuous ads playing. I tried turning the internet on and it wouldn't respond. So I downloaded Kaspersky TDSSKiller and scanned. Sure enough, I found the virus and we got rid of it. Now the computer is back to normal! It sure works better than paid services.
    Monday, April 08, 2013 3:29 AM
  • Genius... thank you so much.  Symantec never detected the svchost.exe issue, Malwarebytes would block the issue, but TDSSKiller killed it altogether. I only wish this help site had appeared at the top of the search results months ago when the issue started for me.  Thank you!
    Wednesday, April 10, 2013 5:18 PM
  • I had the same problem. Great help and thanks for the fix.
    Friday, July 05, 2013 12:45 AM
  • Why go so deep? Anyone can deactivate this "Svchost.exe" message; it is just because of a floppy drive.

    Let me tell you.

    Just open "Computer Management", then go to "Device Management" and double-click on it; another entry named "Floppy drive" will appear. Just right-click on it and disable it.

    That is how easy it was.

    ________________________________________BoosTupDik_______________________________________

    Thursday, July 25, 2013 11:47 AM
  • I am having the svchost.exe problem on my Windows 8 64-bit. As you said, I used TDSSKiller, but it didn't remove or kill the svchost.exe file; it says no threat. Please help me, I am begging you.

    Tuesday, July 30, 2013 8:27 PM
  • THANK YOU !!
    Monday, August 05, 2013 11:52 PM
  • Thanks so much! Worked like a charm!
    Thursday, August 29, 2013 12:11 AM
  • Every time I try to use TDSSKiller it says it cannot be downloaded..... not sure how to get past it so I can rid myself of svchost.exe
    Sunday, September 15, 2013 10:08 PM
  • @BlurredPerspective Use a different computer and download the prog to a flash drive.
    Monday, September 23, 2013 3:01 AM
  • Thanks so much. This utility is going on my fix-it drive. :P

    Monday, September 23, 2013 3:25 AM
  • Thank you so much! This issue got us banned with our ISP since we were "broadcasting" the network.

    This saved my job!

    Friday, February 28, 2014 3:39 PM