Re: Trojan Svchost.exe virus
How to remove svchost.exe ?
- Start your computer in "SAFE MODE".
- Verify the CPU usage.
- If it is normal (less than 10%) then keep going.
- Delete the file EXPLORE.EXE (check the spelling without the final "R") in the directory C:\windows\system32\explore.exe
- Erase any reference to the EXPLORE.EXE file in your registry.
- Start your computer in "NORMAL MODE".
Re: Trojan Svchost.exe virus
You need to run some essential steps to remove all the spyware on your computer. Run Deckard's System Scanner (DSS). Run Malwarebytes Anti-Malware. Run the anti-spyware removal program Spybot. Run SUPERAntiSpyware. Run a complete scan with the free curing utility Dr.Web CureIt! Install ThreatFire, which will enhance your antivirus protection.
Re: Trojan Svchost.exe virus
This problem can be solved manually by deleting all registry keys and files connected with this software, removing it from the startup list and unregistering all corresponding DLLs. Additionally, missing DLLs should be restored from the distribution in case they are corrupted by Trojan SVCHOST. To fix this threat, you should:
1. Kill the following processes and delete the appropriate files:
Warning: you should delete only those files whose checksums are listed as malicious. There may be valid files with the same names in your system. We recommend you to use True Sword for safe problem solution.
2. Delete the following malicious folders:
no information
3. Delete the following malicious registry entries and\or values:
- Key: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\WINDOWS\system32\svchostp.exe
Warning: If value is listed for some registry entries, you should only clear these values and leave keys with such values untouched. We recommend you to use True Sword utility for safe problem solution.
Re: Trojan Svchost.exe virus
To remove this Trojan backdoor please do this:
Run Windows in safe mode. Go into the \WINDOWS\HELP folder and then delete the following files:
SVCHOST.EXE RUNDLL32.EXE INTERNAT.EXE
These files are not the original files that Windows uses to work. The original files are in fact stored in the folder \WINDOWS\SYSTEM32. After doing that, run MSCONFIG and REGEDIT and delete all strings that run these 3 files from the folder \WINDOWS\HELP.
Restart the system and it's all OK!
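Added example (not part of the original posts, and not code from any tool named in this thread): a small Python check for the two tricks described above, a system file name running from the wrong folder and a name that is one character off a real one. The expected folders come from the paths quoted in this thread and assume Windows is installed in C:\WINDOWS; the function names and the `Example\app.exe` path are made up for illustration.

```python
import ntpath

# Genuine locations, lower-cased, as quoted in this thread.
# Assumption: Windows is installed in C:\WINDOWS.
EXPECTED = {
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "internat.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def within_one_edit(a, b):
    """True if exactly one insertion, deletion or substitution turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # a is now the shorter or equal-length name
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                           # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]    # one substituted character
    return a[i:] == b[i + 1:]            # one extra character in b

def classify(image_path):
    """Return (verdict, detail) for the full path of one executable."""
    folder, name = ntpath.split(ntpath.normpath(image_path).lower())
    if name in EXPECTED:
        if folder == EXPECTED[name]:
            return ("expected-location", name)
        return ("wrong-location", f"{name} belongs in {EXPECTED[name]}")
    for real in EXPECTED:
        if within_one_edit(name, real):
            return ("lookalike-name", f"{name} resembles {real}")
    return ("not-checked", name)

# Constructed sample input: paths named in this thread plus one made-up program.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\windows\system32\explore.exe",
    r"C:\WINDOWS\system32\svchostp.exe",
    r"C:\WINDOWS\HELP\SVCHOST.EXE",
    r"C:\Program Files\Example\app.exe",
]
if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p)[0]:18} {p}")
```

A file in its expected folder can still have been replaced or have code injected into it (AVG flags memory inside C:\WINDOWS\System32\svchost.exe elsewhere in this thread), so use this alongside the checksum comparison recommended above, not instead of it.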
Re: Trojan Svchost.exe virus
I got the same problem on my personal computer at home. I almost went crazy over how to fix my PC at home. I tried everything, every possibility, installing different antivirus programs, but I got nowhere.
My best solution came when I read a blog post from the guideandtips blog about how to remove the svchost.exe virus manually without using any antivirus; you can now remove it by yourself. By using their procedure I did it, and my personal computer is working well right now. Thank you to the Technomatic blogs.
If you have the same problem with removing the svchost.exe virus, please use this procedure
Hope this link will help you guys to solve your PC problem.
Re: Trojan Svchost.exe virus
Hi, I am new to TechArena, and I wanted to know if the solution you gave would work for me as well. Please forgive me if I am in the wrong thread (I am a newbie to this type of forum).
I have AVG as my main virus protection, and every time I run a scan it has detected the following and labeled them as such:
"C:\WINDOWS\System32\svchost.exe (1276):\memory_001a0000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
"C:\WINDOWS\Explorer.EXE (3252):\memory_001a0000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
"C:\WINDOWS\system32\csrss.exe (844):\memory_00270000";"Trojan horse Generic18.BLLP";"Object is inaccessible."
"C:\WINDOWS\Explorer.EXE (1628):\memory_001a0000";"Trojan horse Adload_r.AKC";"Object is inaccessible."
and there are many more....HELP PLEAAAAASSSSEEEE:(
Re: Trojan Svchost.exe virus
Hi kcnya222,
You can try to remove the infection using AVG Rescue CD, download it from here. If it comes back, please provide us with the exact detection name and path. The AVG Rescue CD is a powerful must-have toolkit for the rescue and repair of infected machines. It provides essential utilities for system administrators and other IT professionals. Also, are you by any chance using multiple antivirus software on your PC?
Re: Trojan Svchost.exe virus
Hey Zachary,
Thanks for replying. What I have is Malwarebytes, AVG and Windows Washer. And I didn't have any trouble until I had taken ill last May and my AVG license expired during that time. All the kids kept using the internet with no protection. I just recently got rid of a Google search engine virus which took me 2 months of trying just about everything I could think of.....but I am at my limits with this one.
Re: Trojan Svchost.exe virus
Your Windows seems to be corrupted. Try to use your Windows CD and repair it. Refer to this thread for how to repair your Windows installation. Once done, go into Safe Mode and run Malwarebytes to remove any infection from your computer.
Re: Trojan Svchost.exe virus
Quote: Originally Posted by zachary
Hi kcnya222,
You can try to remove the infection using AVG Rescue CD, download it from here. If it comes back, please provide us with the exact detection name and path. The AVG Rescue CD is a powerful must-have toolkit for the rescue and repair of infected machines. It provides essential utilities for system administrators and other IT professionals. Also, are you by any chance using multiple antivirus software on your PC?
Here is a copy of the report that I received from the Avira Antivir that I just downloaded.
Starting the file scan:
Begin scan in 'C:\'
C:\Documents and Settings\Mathew\Local Settings\History\History.IE5\index.dat
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
C:\Documents and Settings\Mathew\My Documents\Downloads\MindQuizSetup.exe
[DETECTION] Is the TR/BHO.MindQuizSearch Trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\34db286c-2b7bf643
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AO Java virus
--> Is.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AO Java virus
--> MyName.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AN Java virus
--> Phone.class
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AP Java virus
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\MSHist012010071220100719\index.dat
[DETECTION] Contains recognition pattern of the HTML/ADODB.Exploit.Gen HTML script virus
C:\MATT'S_Mom\chfyosn.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\MATT'S_Mom\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\00R8YFQG\results[1].htm
[DETECTION] Contains HEUR/HTML.Malware suspicious code
C:\MATT'S_Mom\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1U9D3MYI\backendcpx[1].htm
[DETECTION] Contains HEUR/HTML.Malware suspicious code
C:\MATT'S_Mom\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\FJ24KNYQ\zaq[1].htm
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
C:\MATT'S_Mom\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\L5UZV5TB\tweaker_us[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\MATT'S_Mom\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\TTM221T3\results[2].htm
[DETECTION] Contains HEUR/HTML.Malware suspicious code
C:\MATT'S_Mom\Program Files\interMute\PopSubtract\PopSub.exe
[DETECTION] Contains HEUR/Crypted suspicious code
Beginning disinfection:
C:\MATT'S_Mom\Program Files\interMute\PopSubtract\PopSub.exe
[DETECTION] Contains HEUR/Crypted suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to the quarantine directory under the name '45bd3219.qua'.
C:\MATT'S_Mom\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\TTM221T3\results[2].htm
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to the quarantine directory under the name '5d2d1db4.qua'.
C:\MATT'S_Mom\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\L5UZV5TB\tweaker_us[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '0f60474e.qua'.
C:\MATT'S_Mom\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\FJ24KNYQ\zaq[1].htm
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '6943089b.qua'.
C:\MATT'S_Mom\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\1U9D3MYI\backendcpx[1].htm
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to the quarantine directory under the name '2cd125a5.qua'.
C:\MATT'S_Mom\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\00R8YFQG\results[1].htm
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to the quarantine directory under the name '53da17c0.qua'.
C:\MATT'S_Mom\chfyosn.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '1f7f3b87.qua'.
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\MSHist012010071220100719\index.dat
[DETECTION] Contains recognition pattern of the HTML/ADODB.Exploit.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '63697bd0.qua'.
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\34db286c-2b7bf643
[DETECTION] Contains recognition pattern of the JAVA/ClassLoader.AP Java virus
[NOTE] The file was moved to the quarantine directory under the name '4e335447.qua'.
C:\Documents and Settings\Mathew\My Documents\Downloads\MindQuizSetup.exe
[DETECTION] Is the TR/BHO.MindQuizSearch Trojan
[NOTE] The file was moved to the quarantine directory under the name '574d6f02.qua'.
C:\Documents and Settings\Mathew\Local Settings\History\History.IE5\index.dat
[DETECTION] Contains recognition pattern of the HTML/Crypted.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '4abe7104.qua'.