Malware Services with Svchost.exe

  • Question

  • Hi,

    We have seen that nowadays mostly viruses/Trojans/malware are creating their own services with svchost -k netsvc parameters. In this situation we are not able to stop this service, nor delete it with Autoruns, and even sometimes unable to stop it. Even in some cases, if we change it from Automatic to Disabled, it will automatically be set to Automatic once we click Apply. Kindly help with how to stop/delete it and how to check which EXE/process uses it. Due to this it's sending high broadcast.

    Regards,

    Dhiraj
    Wednesday, December 16, 2009 12:49 PM

All replies

  • 1. To see which tasks are running, open a Run window (Windows key+R), type cmd /k tasklist /svc (note the three spaces) and press Enter. Make a note of them and close the cmd prompt. To get a better description of the associated Service(s), go to Task Manager (Ctrl+Shift+Esc) > Processes Tab and on a specific Svchost, right-click it > Go to Service(s) to see all the Services, which are highlighted.
    Alternatively, use Process Explorer to see what services are running. To see the svchost processes, let the mouse pointer hover over each svchost.exe in the left pane. Download it from here http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

    2. If you have identified the rogue service, CREATE A SYSTEM RESTORE POINT, then click the Windows Orb (Start), type regedit, press Enter and in the left pane navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Look for the service there, then right-click and delete it. The DisplayName key in the right pane should help you to identify bogus services.

    NOTE. Before deleting the main key in the left pane, make a note of any sub keys to determine which files the service was using and note the ImagePath location(s) in the right pane and delete those files using Windows Explorer. DO NOT DELETE SVCHOST which may be listed.

    3. Now check these 5 registry keys:
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute, which should contain just 'autocheck autochk *' (not the quotes).
    Then check these 4 registry keys (which are not always present) and delete anything in the right pane that is suspicious (match the name with anything you have identified above, or Google the name if you're unsure):
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    4. There are other keys to look at but try the above first.

    5. Remember to create a system restore point before making any registry changes, so that any registry mistakes can be rectified and, perhaps, it's better to rename any ImagePath files rather than delete them. Lastly, document exactly what you've changed and deleted.

    Good luck.

    EDIT

    You probably know this, but I forgot to say that you can identify/stop services from starting by using msconfig > Services Tab > tick Hide MS services and examine the remaining items.

    Wednesday, December 16, 2009 2:13 PM
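    As an added example (not part of this thread), steps 1 and 2 above done in PowerShell: it walks the Services key, picks out the svchost-hosted services, resolves each ServiceDll and flags any whose DLL sits outside System32 or lacks a valid Authenticode signature, and attaches the hosting PID so a row can be matched against tasklist /svc. It assumes an elevated Windows PowerShell 3 or later session; the Suspicious column is a hint for manual review, not a verdict.

    ```powershell
    # Added example, not from the thread. Enumerate svchost-hosted services and their ServiceDll.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $results = foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p.ImagePath -or $p.ImagePath -notmatch 'svchost\.exe') { continue }

        # ServiceDll normally lives under the Parameters subkey; a few services keep it on the main key
        $dll = (Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = $p.ServiceDll }
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)

        $exists = Test-Path -LiteralPath $dll
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
        # The -k group name from the ImagePath, e.g. netsvcs
        $group = if ($p.ImagePath -match '-k\s+(\S+)') { $Matches[1] } else { '' }

        [pscustomobject]@{
            Service    = $key.PSChildName
            Group      = $group
            Start      = $p.Start        # 2 = Automatic, 3 = Manual, 4 = Disabled
            ServiceDll = $dll
            Signature  = $sig
            # A DLL outside System32 (like the one found in this thread) or without a valid signature
            Suspicious = ($dll -notlike "$env:SystemRoot\System32\*") -or ($sig -ne 'Valid')
        }
    }

    # Attach the hosting process id so rows line up with "tasklist /svc" and Process Explorer
    $pids = @{}
    Get-CimInstance Win32_Service | ForEach-Object { $pids[$_.Name] = $_.ProcessId }
    $results |
        ForEach-Object { $_ | Add-Member -NotePropertyName PID -NotePropertyValue $pids[$_.Service] -PassThru } |
        Sort-Object Suspicious -Descending |
        Format-Table Service, Group, PID, Start, Signature, Suspicious, ServiceDll -AutoSize
    ```

    On x64 systems a few legitimate 32-bit services load from SysWOW64 and will be flagged; check the signature column and the path before acting on a row.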
  • Thanks for your reply, Burr

    As per step 1 I got the culprit file which is associated with svchost: "C:\Windows\System32\config\systemprofile\Application Data\gclhk\itqnu.dll". I have closed this handle with Procexp and deleted this DLL, but within the next 1 sec it's recreated.

    Now as per step 4, are you sure I need to look at the above keys, or do I need to check the reg keys below? Kindly clarify.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastuserswitchingcompatibility
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fastuserswitchingcompatibility

    Dhiraj
    Thursday, December 17, 2009 5:35 AM
  • Well done to you for identifying the culprit.

    The 4 keys I listed are the rarely used keys that may have been used to start the rogue. It only takes a few minutes to look at them (if they are indeed present).

    Here are the possible 'trigger' keys, but create a system restore point first just in case you have 'finger problems':
    1. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and in the right pane look for Shell, which should contain just one entry, Explorer.exe. Delete any others.
    2. Also in the right pane look for UserInit, which should contain C:\WINDOWS\system32\userinit.exe followed by a comma. Any other program name(s) following the comma can be removed.
    3. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, right-click and Delete anything in the right pane that you don’t recognise.
    4. HKCU\Software\Microsoft\Windows\CurrentVersion\Run, right-click and Delete anything in the right pane that you don’t recognise.
    5. HKEY_CLASSES_ROOT\exefile\shell\open\command. If the right pane has a single entry (default) with a value of "%1"%* or c:\docs & settings\all users\start menu\programs\startup\msupdate.exe "%1"%* then it is OK. Remove everything else beyond the "%1"%*.
    6. In the x64 (64-bit) versions, there is an additional branch, Wow6432Node at HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run where the entries for x86 (32-bit) software are stored.
    7. Search the registry (F3) for the culprit itqnu.dll and remove any references to it (if any).

    Look in \Windows\System32 for .exe and .dll files that have a Date Modified coinciding with the date of the infection. Also, look for any strange sounding names, e.g. a.exe or g6dt4j7.dll. Don’t delete but rename any that you are unsure about.

    When you have more control of the machine, download the free Malwarebytes' Anti-Malware from http://www.malwarebytes.org/  to clean up any remaining unwanted files.

    Once you are clean, create a system restore point with a meaningful name, e.g. After removing malware.

    Thursday, December 17, 2009 8:03 AM
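    As an added example (not part of this thread), a read-only audit of the trigger keys listed in this reply: it checks Winlogon Shell and Userinit against the expected values, checks the exefile open command, and lists every Run/RunServices entry together with whether its executable exists and is signed. Nothing is deleted; it only reports, so the findings can be compared with the culprit DLL before any registry change. Assumes Windows PowerShell 3 or later; on a clean system the exefile default value is "%1" %*.

    ```powershell
    # Added example, not from the thread. Report-only check of the common startup trigger keys.
    $findings = @()

    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Shell -ne 'explorer.exe') {
        $findings += "Winlogon\Shell is '$($wl.Shell)' (expected explorer.exe)"
    }
    # Userinit should be the userinit.exe path followed by a comma; anything after the comma is extra
    $userinitExtra = @($wl.Userinit -split ',' | Select-Object -Skip 1 | Where-Object { $_.Trim() })
    if ($userinitExtra.Count -gt 0) {
        $findings += "Winlogon\Userinit has extra entries: $($userinitExtra -join ';')"
    }

    # The exefile open command should be exactly "%1" %* (whitespace ignored in the comparison)
    $cmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
    if (($cmd -replace '\s', '') -ne '"%1"%*') {
        $findings += 'exefile\shell\open\command is ' + $cmd + ' (expected "%1" %*)'
    }

    # Run-style keys: list each value, noting whether its binary is present and validly signed
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    )
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }   # several of these keys are absent on a clean system
        $props = Get-ItemProperty $k
        foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notin $psNoise }).Name) {
            $value = [Environment]::ExpandEnvironmentVariables([string]$props.$name)
            # Pull the executable out of the command line: quoted path, or the first token
            $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }
            $state = if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { 'missing' }
                     else { (Get-AuthenticodeSignature -FilePath $exe).Status }
            $findings += "$k : $name = $value [$state]"
        }
    }

    $findings
    ```

    A Run entry reported as [missing] or [NotSigned] is worth matching against the file names found in steps 1 and 7 before deciding whether it is the rogue or just an unsigned but legitimate program.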
    In this case the Anti-Virus will take it and try to remove it, and take some log, and after doing some removal it will ask to restart your PC; when you restart, whenever it is started, it will remove it during system startup and will remove it before it runs.

    If you have problem then contact your Anti-Virus Malware support team.

    Thursday, January 7, 2010 5:33 AM
    An infected Svchost by a virus or malware attack usually runs like a Svchost.exe service. In this case it is recommended that you should upgrade your virus protection guard to combat this problem. In addition to this you must also visit the Microsoft Windows Update Page, which gives you essential support for Windows update. However, if no virus or malware is detected by the antivirus program in your computer then this implies that the Svchost.exe file is not infected. Further, if you receive the 0xe03c3a68 Svchost.exe error then it essentially means that the computer memory is corrupted by the blaster virus.
    Tuesday, October 5, 2010 8:04 AM