Adlice forum
General Category => Malware removal help => Topic started by: M.E.Lenns on November 02, 2015, 06:05:11 PM
-
Hey all,
Am writing this from a Win 10 Computer.
I have a Win 7 Computer that I suspect has been hijacked and made part of a botnet.
With no applications running, the CPU is at 100%, RAM is at 90%.
Have tried to scan with AVG and it takes hours and hours to finally freeze at 75% complete.
Have scanned with MalwareBytes. It found nothing.
Scanned with RogueKiller and it found and killed SVCHOST.EXE. And RK listed the PID number of the SVCHOST.EXE that it killed. Everything else was fine. Hit "delete" and X-ed out of RK.
Looked at Task Manager and found thirteen SVCHOST.EXEs running, but none had the PID number listed by RK as killed.
Rebooted, and when the reboot was finished, looked at Task Manager and found MORE than thirteen SVCHOST.EXEs running in Processes. Hand listed all the PID numbers and checked the Services.
Then shortly thereafter the same thing happened. CPU at 100%, Ram at near 90%. Scanned with RK and it found and killed SVCHOST.EXE, and once again RK supplied the PID number. Everything else was fine. BUT, here is something strange. Have looked at SVCHOST.EXEs running in Task Manager, each with a different PID, and the SVCHOST.EXE that RK reported as killed was not in the list that was hand copied. AND after running RK, the number of SVCHOST.EXEs was back to thirteen.
Have done this numerous times. Have even hand copied ALL the PID numbers of ALL the Processes running, and then scanned with RK, and the PID of the SVCHOST.EXE that RK killed is NOT on the list.
It doesn't seem to matter how many times RK kills the SVCHOST.EXE, it comes back. It even comes back without rebooting. Can let the computer just sit, and then check the Task Manager SVCHOST.EXE list, and there will be more than thirteen. Can scan with RK, and it will kill a SVCHOST.EXE and list the PID, but the PID will not be among the numbers listed by the Task Manager, AND right after the RK scan, the number of SVCHOST.EXEs will be back to thirteen.
The Win7 computer is seldom used on the Internet, being connected only for updates and etc. It is used every day for composing (I'm a writer). So for now, I have disconnected it from the DSL Router. AND since disconnecting it, the CPU and RAM %s have dropped to almost nothing.
Would like to get rid of whatever malware program is doing this suspected botnet thing.
Any help, advice, instructions, etc., would be very much appreciated.
BTW, would love to send you a contribution, but don't have a PayPal Account, nor do I know how to use BitCoin. I have a Debit Card Account, or could send a check if I knew where to send it. Also, I don't do FaceBook/Twitter/etc.
Anyway, thanks in advance for any assistance.
Hope this finds you all doing well.
MEL
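The hand-copied PID lists above are exactly the comparison a script can do for you, while also applying the checks a responder uses to tell a genuine service host from an impostor (executable path under System32, parent process services.exe, at least one hosted service). This is an added example, not code from the thread or from RogueKiller, and it assumes an elevated Windows PowerShell prompt on Windows 7 or later; the function and variable names are my own.

```powershell
# Added example (not from the original thread): snapshot every svchost.exe
# with the checks used to tell a real service host from an impostor, then
# diff two snapshots instead of copying PIDs from Task Manager by hand.
# Uses Get-WmiObject/New-Object so it also runs on Windows 7's PowerShell 2.0.

function Get-SvchostSnapshot {
    $realPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
    Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        # tasklist /svc shows which services this particular instance hosts
        $svc = tasklist /svc /fi "PID eq $($_.ProcessId)" /fo csv | ConvertFrom-Csv
        New-Object PSObject -Property @{
            PID        = $_.ProcessId
            Path       = $_.ExecutablePath
            Parent     = $parent.Name
            Services   = $svc.Services
            # A genuine svchost lives in System32, is started by services.exe
            # and hosts at least one service; anything else deserves a closer look.
            Suspicious = ($_.ExecutablePath -ne $realPath) -or
                         ($parent.Name -ne 'services.exe') -or
                         ([string]::IsNullOrWhiteSpace($svc.Services))
        }
    }
}

# Report which svchost instances appeared or vanished between two snapshots.
function Compare-SvchostSnapshot($Before, $After) {
    Compare-Object $Before $After -Property PID -PassThru |
        Select-Object PID, Path, Parent, Services, Suspicious,
            @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'new' } else { 'gone' } } }
}

$before = Get-SvchostSnapshot
Start-Sleep -Seconds 60          # let the machine idle, as described in the thread
$after  = Get-SvchostSnapshot

"svchost instances before: $($before.Count)  after: $($after.Count)"
Compare-SvchostSnapshot $before $after | Format-Table -AutoSize
"Instances failing the legitimacy checks:"
$after | Where-Object { $_.Suspicious } | Format-Table PID, Path, Parent, Services -AutoSize
```

A dozen or more svchost instances is normal on Windows 7, since each one hosts a group of services; the Services column shows what each is doing, and a short-lived instance that comes and goes is usually a service starting on demand rather than a sign of compromise.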
-
Hi MEL,
Could you please attach the TXT and JSON reports produced by RogueKiller in your next reply?
Regards.
-
Hi MEL, Could you please attach the TXT and JSON reports produced by RogueKiller in your next reply? Regards.
Hey Curson, Thank you so much for the VERY prompt response.
Am answering from the Win10 computer.
Will have to hook up and boot the Win7 computer on which is occurring the anomaly. Will do that, and run RK.
With that said, what is the TXT and JSON reports? Where are they found? And how do I attach them to a reply?
BTW, the RK on the Win7 machine has not been updated since it was first downloaded. I think I tried once to update it, but something prevented it from happening. Should I try again, or will the TXT and JSON reports be sufficient?
Thanks again,
MEL
-
Hi MEL,
Yes, please download RogueKiller latest version before performing the scan.
When the scan has finished, please click the buttons "Export txt" and "Export Json", then save the files on your desktop. You can use the form in the "Attachments and other options" section to upload those files the next time you post.
Regards.
-
Hi MEL, Yes, please download RogueKiller latest version before performing the scan.
Hey Curson, the Win7 machine is running version 10.10.0.0. It is running a scan even as I type. When it is finished will do what you instructed below. Then will try to download the latest RK version, and do it all again.
When the scan has finished, please click the buttons "Export txt" and "Export Json", then save the files on your desktop. You can use the form in the "Attachments and other options" section to upload those files the next time you post. Regards.
Will see if I can get that all together.
Thanks again.
MEL
-
Hi MEL, Yes, please download RogueKiller latest version before performing the scan.
Hey Curson, tried to download RK from your website. It tried, but then quit, and the download folder said that there were no downloads for this session.
The previous download was done on August 14, 2015 at 1:56 p.m. It was 18,286 KB.
When the scan has finished, please click the buttons "Export txt" and "Export Json", then save the files on your desktop. You can use the form in the "Attachments and other options" section to upload those files the next time you post. Regards
Did this. Am now going to see if I can log on to the forum on the Win7 machine and attach the TXT and JSON files.
This may take a bit of time here.
MEL
-
Hi MEL, Yes, please download RogueKiller latest version before performing the scan.
When the scan has finished, please click the buttons "Export txt" and "Export Json", then save the files on your desktop. You can use the form in the "Attachments and other options" section to upload those files the next time you post. Regards.
Hey Curson, here are (hopefully) the TXT and JSON files.
-
Hi MEL,
This [Proc.Svchost] detection is a false positive which was fixed in the latest releases.
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
-
Hi MEL, This [Proc.Svchost] detection is a false positive which was fixed in the latest releases.
Hey Curson, that's good news. Now, onward through the fog. :)
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
Curson, am going to have to do this tomorrow as there are some daily tasks that have to be taken care of presently. Will do this tomorrow mid morning.
I want to thank you for taking the time to do this for me. Be thinking on how I could contribute to your cause.
Hope this finds you doing well. Have a good night.
MEL
-
Hi MEL,
You are very welcome.
Please take your time. You don't have to rush. ;)
Regards.
-
Hi MEL, Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
Hey Curson, tried to do the FRST64.exe, but the Win7 machine is a 32-bit computer. Downloaded FRST32.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
Nonetheless, here are the two files that you requested.
Hope this works.
Thanks again,
MEL
-
Hi MEL,
Hey Curson, tried to do the FRST64.exe, but the Win7 machine is a 32-bit computer. Downloaded FRST32.
I'm really sorry about that. When I wrote my post, I was certain you were running a 64-bit version of Windows. ???
The FRST logs are clean but I noticed that your computer is quite low on resources:
Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of memory in use: 56%
Total physical RAM: 1535.55 MB
Available physical RAM: 670.2 MB
Total Virtual: 3071.11 MB
Available Virtual: 2128.97 MB
With such a low-end processor and only 670MB physical RAM available, it's no wonder your computer is slow.
For better performance, I advise you to uninstall IObit Advanced SystemCare and IObit Uninstaller. If you don't use TeamViewer on a regular basis, you could uninstall it as well.
Regards.
-
Hi MEL, I'm really sorry about that. When I wrote my post, I was certain you were running a 64-bit version of Windows. ???
Hey Curson, actually, both the Win7 and the Win10 are 32-bit machines. Am just behind the times. :(
The FRST logs are clean
That eases my mind. :)
but I noticed that your computer is quite low on resources:
It is an ancient rig. Originally was gotten to do Desktop Video, but at the time none of the DTV stuff worked very well.
Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of memory in use: 56%
Total physical RAM: 1535.55 MB
Available physical RAM: 670.2 MB
Total Virtual: 3071.11 MB
Available Virtual: 2128.97 MB
Am surprised! Thought that I had 1.5 Gigs of ram (which at the time that the machine was built was a humongous amount of RAM)! How come there's only 670.2 of it available?
With such a low-end processor and only 670MB physical RAM available, it's no wonder your computer is slow.
That the Win7 computer is slow isn't all that critical. All it is used for is word processing. Am way out in the boondocks of Deep East Texas, have a DSL connection to the Internet which is slow. The only reason for even having it connected to the Internet is to research that about which is being written (Wikipedia and Dictionaries for synonyms, definitions, and etc.).
The reason for contacting your very nice forum was, as mentioned previously, because with no applications running, the Win7's CPU was showing that it was maxed out and the RAM was up in the 80-90% range. Suspected that the old thing was part of a botnet. In doing research into that possibility, came across RogueKiller, and when RK kept showing SVCHOST.EXE as being toxic, and no matter how many times it was killed, it kept coming back, the next logical step was to go to your WebPage for help, and there I found your forum.
For better performance, I advise you to uninstall IObit Advanced SystemCare and IObit Uninstaller. If you don't use TeamViewer on a regular basis, you could uninstall it as well.
All right.
Anyway, would like to thank you for your assistance. You've been absolutely wondrous. This has been a learning experience for me. Have enjoyed becoming part of your community, and will be checking in often.
Hope this finds you doing well.
Take excellent care.
MEL
-
Hi MEL,
Am surprised! Thought that I had 1.5 Gigs of ram (which at the time that the machine was built was a humongous amount of RAM)! How come there's only 670.2 of it available?
You have indeed a total of 1.5GB RAM installed but since Windows 7 uses about 1GB RAM, there is only about 600-700MB RAM left for other applications. ;)
The reason for contacting your very nice forum was, as mentioned previously, because with no applications running, the Win7's CPU was showing that it was maxed out and the RAM was up in the 80-90% range. Suspected that the old thing was part of a botnet. In doing research into that possibility, came across RogueKiller, and when RK kept showing SVCHOST.EXE as being toxic, and no matter how many times it was killed, it kept coming back, the next logical step was to go to your WebPage for help, and there I found your forum.
Thanks for the clarification.
You could now delete FRST and the files linked to it.
Anyway, would like to thank you for your assistance. You've been absolutely wondrous. This has been a learning experience for me. Have enjoyed becoming part of your community, and will be checking in often.
Many thanks for the kind words. :)
Take care.
-
Hi MEL, You have indeed a total of 1.5GB RAM installed but since Windows 7 uses about 1GB RAM, there is only about 600-700MB RAM left for other applications. ;)
Hey Curson, When the Win7 machine was built originally, it had a Win2k O/S. Then a friend gifted me with the Win7 O/S. Happen to like Win7, but it takes longer to boot than did the Win2k.
Thanks for the clarification. You could now delete FRST and the files linked to it.
Does FRST take any RAM just sitting there? If it doesn't would like to just keep it to look at once in a while.
Many thanks for the kind words. :) Take care.
Credit where credit is due.
Hang in there.
MEL
-
Hi MEL,
Does FRST take any RAM just sitting there? If it doesn't would like to just keep it to look at once in a while.
No, it doesn't. ;)
You can keep it if you want.
Regards.
-
Hi MEL, No, it (FRST) doesn't. ;) You can keep it if you want. Regards.
Hey Curson,
GREAT! Will be in touch.
MEL
-
Hi MEL,
You are very welcome. :)
Regards.
-
Hey Mr. Curson,
The Win7 Computer that had RK that was killing SVCHOST.EXE, of a sudden had RK disappear from its list of programs. Am redownloading it.
Wanted to ask about another issue. When the Win7 Computer is shutting down, it says it has to close what it calls "Form 1". Don't know what THAT is.
Ran a Microsoft Security Virus Scan yesterday. It took from 9:40 a.m. till 6:00 p.m. to finish and reported that no threats were found.
Anyway, do you happen to know what Form 1 is?
Thanks in advance for any information.
MEL
-
Hi MEL,
It's difficult to be sure but it seems to be the main control/window of a program written in Delphi or VisualBasic which is not exiting on time.
Do you run such a program on your computer?
Regards.
-
Hi MEL,
Hey Curson,
It's difficult to be sure but it seems to be the main control/window of a program written in Delphi or VisualBasic which is not exiting on time. Do you run such a program on your computer?
Not that I know of. BUT, after running the Microsoft Security Virus Scan, which reported that it didn't find any issues, this Form 1 thing has disappeared. So "All's well that ends well." (W. Shakespeare)
Anyway, thanks for the response. Sorry to have bothered you when it seems that Form 1 was NOT any kind of issue.
BTW, if you are in Paris, take excellent care.
MEL
-
Hi MEL,
Not that I know of. BUT, after running the Microsoft Security Virus Scan, which reported that it didn't find any issues, this Form 1 thing has disappeared. So "All's well that ends well." (W. Shakespeare)
Anyway, thanks for the response. Sorry to have bothered you when it seems that Form 1 was NOT any kind of issue.
You are very welcome. I'm glad the problem is now solved.
BTW, if you are in Paris, take excellent care.
I'm not in Paris, but thanks for the kind words. :)
Regards.