SVChost?

Pezzy

Hi all.

I have Windows 8.1, and use the included Windows Defender.

Recently, I've gotten (and keep getting) a pop-up in the top right-hand corner with the message "Malware detected".

So I launch Defender, go to the History tab, and look at the "Quarantined items". I delete the quarantined item, then go to "All detected items", and then delete it from there.

But, upon shutting down my computer, the next time I boot it up, I keep getting the same pop-up message from Defender that malware is detected.

Here's a Copy/ Paste of the details after I go to "All detected items":
Items:
file:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\svchost[1].exe
file:C:\Windows\Temp\svchost.exe


I remember many years ago coming across a virus or malware that spoofed svchost; there was a slight change in the lettering, like the "v" and the "c" were switched, so it spelled: "scvhost". But I believe this one is spelled correctly.

I have even downloaded Malwarebytes and run that, but it discovered nothing; in the Settings, I even made sure an option was checked to check for rootkits.

Any help here? My CPU is not running exceptionally high (which, when it does, can be indicative of an infection); it's only at 1 or 2%.

Thanks for any input & info.
Pez
 
OK, first: After I ran AdwCleaner, the only thing it really found was on the Registry tab. I didn't "Clean" it yet, but here's a screen-capture shot:

http://i289.photobucket.com/albums/ll217/PezzyDude/AdwCleaner_zpsj6yis6qn.jpg

And here's the LogFile of that item:

http://i289.photobucket.com/albums/ll217/PezzyDude/AdwCleanerLogFile_zpsnjql6svm.jpg

So, is this "Proxy Override" something to be concerned about? Should I "clean" it using AdwCleaner?

And, I did a re-boot, and the Windows Defender had the pop-up again showing Malware Detected; here's a screen shot of Quarantine:

http://i289.photobucket.com/albums/ll217/PezzyDude/Quarantine-2-15-15_zpsnt2lttmc.jpg

And here's a screen shot of All Detected items:

http://i289.photobucket.com/albums/ll217/PezzyDude/AllDetectedItems-2-15-15_zpsht9rixcn.jpg

And, you requested the log from HiJackThis:

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 6:05:22 PM, on 2/15/2015
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.9600.17416)

FIREFOX: 35.0 (x86 en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ArcSoft\TotalMedia Theatre 6\TotalMedia Server\TM Server.exe
C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
D:\My Downloads\HijackThis.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = msn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = msn
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Lync Click to Call BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office15\URLREDIR.DLL
O2 - BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\PROGRA~2\MICROS~1\Office15\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Razer Synapse] "C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
O4 - Global Startup: TotalMedia Server.lnk = C:\Program Files (x86)\ArcSoft\TotalMedia Theatre 6\TotalMedia Server\TM Server.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office15\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office15\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
O9 - Extra button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
O9 - Extra 'Tools' menuitem: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
O18 - Filter hijack: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
O23 - Service: ArcSoft Exchange Service (ADExchange) - ArcSoft, Inc. - C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: Hauppauge WinTV Extender - Hauppauge Computer Works, Inc - C:\Program Files (x86)\WinTV\Extend\WinTVExtender.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\WINDOWS\system32\IEEtwCollector.exe (file missing)
O23 - Service: Intel(R) Capability Licensing Service Interface - Intel(R) Corporation - C:\Program Files\Intel\iCLS Client\HeciServer.exe
O23 - Service: Intel(R) Capability Licensing Service TCP IP Interface - Intel(R) Corporation - C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe
O23 - Service: Intel(R) PROSet Monitoring Service - Unknown owner - C:\WINDOWS\system32\IProsetMonitor.exe (file missing)
O23 - Service: Intel(R) Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Launch TotalMedia Theatre 6 Driver - ArcSoft, Inc. - C:\Program Files (x86)\ArcSoft\TotalMedia Theatre 6\TMTLaunchDriverServer.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\WINDOWS\system32\nvvsvc.exe (file missing)
O23 - Service: Razer Game Scanner (Razer Game Scanner Service) - Unknown owner - C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\WINDOWS\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\WINDOWS\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\WINDOWS\system32\wbengine.exe (file missing)
O23 - Service: WD Backup (WDBackup) - Western Digital Technologies, Inc. - C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
O23 - Service: WD Drive Manager (WDDriveService) - Western Digital Technologies, Inc. - C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9422 bytes

The HijackThis log shows that item that AdwCleaner found; it's about the 9th item down the list, R1:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Is that an item of concern?

So....with AdwCleaner, do you think I should clean that item found in the Registry tab? And what do you make of the HiJackThis log?

Thanks for any help,
Pez
 
OK, first: After I ran AdwCleaner, the only thing it really found was on the Registry tab. I didn't "Clean" it yet, but here's a screen-capture shot:

*snip*

So, is this "Proxy Override" something to be concerned about? Should I "clean" it using AdwCleaner?
Yes, let AdwCleaner remove it.

And, I did a re-boot, and the Windows Defender had the pop-up again showing Malware Detected; here's a screen shot of Quarantine:

http://i289.photobucket.com/albums/ll217/PezzyDude/Quarantine-2-15-15_zpsnt2lttmc.jpg

And here's a screen shot of All Detected items:

http://i289.photobucket.com/albums/ll217/PezzyDude/AllDetectedItems-2-15-15_zpsht9rixcn.jpg
Go to the directory it's showing, and rename that svchost.exe file to svchost.exe.OLD (just append ".OLD" onto the file, and when it asks to confirm the rename, click yes).

Also, post a screenshot of your MSconfig's Startup tab. Press Start -> type 'msconfig' (without quotes) -> Press Enter -> go to the Startup tab

And, you requested the log from HiJackThis:
*snip*

So....with AdwCleaner, do you think I should clean that item found in the Registry tab? And what do you make of the HiJackThis log?

Thanks for any help,
Pez

HJT log looked fine as far as I could see.
 
OK, like you said, I ran AdwCleaner again and let it clean/ remove that "Proxy Override".

Now.....I just want to be clear on what you suggested next: You want me to go to that directory (from the screen shots I posted from Windows Defender) and rename that svchost.exe file? The thing is, that file is no longer in that directory now that it has been Quarantined by Defender.

Meaning: if I navigate to: C:\Windows\Temp\svchost.exe, svchost is not there, given that it has been Quarantined by Defender.

With the other one:
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\svchost[1].exe, I can navigate as far as C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows; after that, there is no INetCache\IE\svchost[1].exe.

(And just in-case you were going to ask, yes, I do have Show Hidden Files & Folders selected).

So, the only way for me to rename these file(s) - the svchost - is to go into Defender, select the Quarantined/ Detected file(s) by putting a check mark in the box, and then choose the option of "Restore" or "Allow" item. Is that what you suggest I do?

And oh......in your profile, I see you have Windows 8.1 also. You requested a screen shot of my Startup tab. Remember: with Win 8.1 it's not available anymore on the MSconfig/ System Configuration ;) You have to go over to Task Manager and the Startup tab there :silly:

Anyway, here it is:
http://i289.photobucket.com/albums/ll217/PezzyDude/StartUp-2-15-15_zpseaw30oyh.jpg

Now, what's kind of odd is....do you see the 2nd one down just called "Program"? Kind of suspicious, I think. It's very plain looking (no icon to represent it like the others in the list), no Publisher name, and, you know how if you select an item in the list and right-click on it you get a Menu? The choices are: Disable; Open File Location; Search Online; and Properties.

Well, with this "Program" one, if I right-click on it, Open File Location & Properties are grayed-out, meaning, they're not selectable/ clickable. Even more suspicious?

So, please let me know: In Windows Defender, do you want me to Restore/ Allow those items, then navigate to them and rename them?

And what do you think of the screen shot I posted of my Startup tab? Is that "Program" one suspicious? Should I Disable it?

Thanks for your help,
Pez
 
So, please let me know: In Windows Defender, do you want me to Restore/ Allow those items, then navigate to them and rename them?
Nononononono, don't restore them lol. I meant if they were still there.

And what do you think of the screen shot I posted of my Startup tab? Is that "Program" one suspicious? Should I Disable it?

Thanks for your help,
Pez
Go ahead and disable it. I'm guessing it's probably a leftover from what Defender got rid of, since it was trying to open on startup.

Also....I'd suggest installing Avira in place of Defender to make sure that Defender isn't missing anything.
 
OK.....I believe I have finally gotten rid of it!!

In the interim before I read your latest response, I was doing some more investigating & searching on this infection that I had. From one of the screen shots I posted for you (Quarantine-2-15-15_zpsnt2lttmc.jpg), I did a search on Trojan:Win64/SvcMiner.A.

One of the results from my search suggested things I had already tried, or, things that were not able to be tried since Windows Defender had already Quarantined it (for instance, I didn't need to "stop the process" in Task Manager because it wasn't running at this point due to being Quarantined).

Now.....there are many pieces of software out there for detecting and eliminating malware/ spyware, etc. Besides having Windows Defender, I mentioned in this thread that I also have and ran Malwarebytes. In this particular article I came across, along with its suggestions of what to try, it also recommended a program called "Spyhunter 4". What the heck; I gave it a try.

Not surprisingly, it was only a trial version of the software, and not all features & functions were available. Windows Defender had already Quarantined the file at this point, but after running a scan with this Spyhunter 4, it did find something that both Defender and Malwarebytes didn't find.

It was in my User Profile/ App Data/ Roaming; this infection had created a hidden folder called "Origin", and within this folder was a......vbs script. Yes, a darn vbs script that was most likely recreating this infection after each time I Quarantined & Deleted it.

Since this Spyhunter 4 was only the trial version, it did not offer me the feature of Removal. No matter!!! I just navigated to the location and manually deleted it.

Now upon system reboot, Windows Defender is not showing any pop-up about malware detected; Trojan:Win64/SvcMiner.A is gone!!

And just to let you know, I did go ahead like you suggested and Disabled that generic "Program" that was in the Startup tab of Task Manager. What the heck is that bland thing?!?! Is there a way of removing that entirely?

And oh, just curious: Even though I have gotten rid of it (infection), why did you suggest I try Avira? Do you recommend it because you use it? Do you endorse it from a positive experience with it? Just wondering......

Thanks for all your input,
Pez
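A read-only PowerShell triage pass over the indicators this thread turned up: svchost.exe copies in the two locations Defender flagged, a hidden Roaming folder holding a .vbs, Run-key startup entries whose target no longer exists, and the ProxyOverride value. This is an added example, not something posted in the thread; the folder and registry paths are those quoted in the posts above, and it assumes (not confirmed by the thread) that the bare "Program" startup item corresponds to a Run-key entry whose executable cannot be resolved.

```powershell
# Added example, not from the thread: read-only triage of the indicators the posts above describe.
# Assumptions: paths/keys are those quoted in the thread, and the "Program" startup item is taken
# to be a Run-key entry with an unresolvable target. Nothing here modifies the system.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. svchost.exe belongs in System32 (and SysWOW64). Defender flagged copies in
#    C:\Windows\Temp and in the system profile's IE cache, so look in exactly those places.
$dropDirs = @(
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache"
)
foreach ($dir in $dropDirs) {
    Get-ChildItem -LiteralPath $dir -Recurse -Force -File -Filter 'svchost*.exe' | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        Add-Finding 'svchost.exe outside System32' "$($_.FullName) (signature: $($sig.Status))"
    }
}

# 2. Hidden folders under Roaming that hold a .vbs: the hidden "Origin" folder in the thread
#    re-created the dropped file after every quarantine, so this is the persistence to hunt.
Get-ChildItem -LiteralPath $env:APPDATA -Directory -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    ForEach-Object {
        Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -File -Filter '*.vbs' |
            ForEach-Object { Add-Finding 'hidden .vbs under Roaming' $_.FullName }
    }

# 3. Run-key entries whose executable no longer exists (assumed cause of the "Program"
#    item whose Open File Location / Properties were greyed out in Task Manager).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # provider metadata, not startup entries
        $cmd = [string]$p.Value
        # Recover the executable path: a quoted path, or everything up to the first ".exe".
        $exe = $cmd
        if ($cmd -match '^"([^"]+)"') { $exe = $matches[1] } elseif ($cmd -match '^(.+?\.exe)') { $exe = $matches[1] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) { Add-Finding 'Run entry with missing target' "$key\$($p.Name) = $cmd" }
    }
}

# 4. The ProxyOverride value AdwCleaner flagged, reported so it can be compared with the HJT log line.
$po = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings').ProxyOverride
if ($po) { Add-Finding 'ProxyOverride' $po }

$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell so the system-profile cache and HKLM keys are readable; it only reports, so anything it lists still has to be reviewed before being renamed, disabled or removed.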
 
Now upon system reboot, Windows Defender is not showing any pop-up about malware detected; Trojan:Win64/SvcMiner.A is gone!!
Glad to hear that you got it taken care of.

And just to let you know, I did go ahead like you suggested and Disabled that generic "Program" that was in the Startup tab of Task Manager. What the heck is that bland thing?!?! Is there a way of removing that entirely?
You can use something like CCleaner by Piriform and in the Startup items options, there should be an option to delete it.

And oh, just curious: Even though I have gotten rid of it (infection), why did you suggest I try Avira? Do you recommend it because you use it? Do you endorse it from a positive experience with it? Just wondering......

Thanks for all your input,
Pez

Because it's been ranked quite highly for some time now on the non-biased review site AV-Comparatives, where they release monthly tests throughout the year, and then at the end of the year compile a nice summary report and score each AV based on its performance in said tests throughout the year. Avira has scored among the highest each year, and it's free.
http://www.av-comparatives.org/wp-content/uploads/2015/01/avc_sum_201412_en.pdf

Several members here use it.
 