Author Topic: SVCHOST.EXE-KILLED BY RK  (Read 18360 times)

M.E.Lenns
SVCHOST.EXE-KILLED BY RK
« on: November 02, 2015, 06:05:11 PM »
Hey all,
Am writing this from a Win 10 Computer.

I have a Win 7 Computer that I suspect has been hijacked and made part of a botnet.

With no applications running, the CPU is at 100%, RAM is at 90%.

Have tried to scan with AVG and it takes hours and hours to finally freeze at 75% complete.

Have scanned with MalwareBytes. It found nothing.

Scanned with RogueKiller and it found and killed SVCHOST.EXE. And RK listed the PID number of the SVCHOST.EXE that it killed.  Everything else was fine. Hit "delete" and X-ed out of RK.

Looked at Task Manager and found thirteen SVCHOST.EXEs running, but none had the PID number listed by RK as killed.

Rebooted, and when the reboot was finished, looked at Task Manager and found MORE than thirteen SVCHOST.EXEs running in Processes. Hand listed all the PID numbers and checked the Services.

Then shortly thereafter the same thing happened. CPU at 100%, RAM at near 90%. Scanned with RK and it found and killed SVCHOST.EXE, and once again RK supplied the PID number. Everything else was fine. BUT, here is something strange. Have looked at SVCHOST.EXEs running in Task Manager, each with a different PID, and the SVCHOST.EXE that RK reported as killed was not in the list that was hand copied. AND after running RK, the number of SVCHOST.EXEs was back to thirteen.

Have done this numerous times. Have even hand copied ALL the PID numbers of ALL the Processes running, and then scanned with RK, and the PID of the SVCHOST.EXE that RK killed is NOT on the list.

It doesn't seem to matter how many times RK kills the SVCHOST.EXE, it comes back. It even comes back without rebooting. Can let the computer just sit, and then check the Task Manager SVCHOST.EXE list, and there will be more than thirteen. Can scan with RK, and it will kill a SVCHOST.EXE and list the PID, but the PID will not be among the numbers listed by the Task Manager, AND right after the RK scan, the number of SVCHOST.EXEs will be back to thirteen.

The Win7 computer is seldom used on the Internet, being connected only for updates and etc. It is used every day for composing (I'm a writer). So for now, I have disconnected it from the DSL Router. AND since disconnecting it, the CPU and RAM %s have dropped to almost nothing.

Would like to get rid of whatever malware program is doing this suspected botnet thing.

Any help, advice, instructions, etc., would be very much appreciated.

BTW, would love to send you a contribution, but don't have a PayPal Account, nor do I know how to use BitCoin. I have a Debit Card Account, or could send a check if I knew where to send it. Also, I don't do FaceBook/Twitter/etc.

Anyway, thanks in advance for any assistance.

Hope this finds you all doing well.

MEL

Curson
Re: SVCHOST.EXE-KILLED BY RK
« Reply #1 on: November 02, 2015, 07:00:37 PM »
Hi MEL,

Could you please attach the TXT and JSON reports produced by RogueKiller in your next reply ?

Regards.

M.E.Lenns
Re: SVCHOST.EXE-KILLED BY RK
« Reply #2 on: November 02, 2015, 07:24:05 PM »
Quote
Hi MEL, Could you please attach the TXT and JSON reports produced by RogueKiller in your next reply ? Regards.

Hey Curson, Thank you so much for the VERY prompt response.

Am answering from the Win10 computer.

Will have to hook up and boot the Win7 computer on which is occurring the anomaly. Will do that, and run RK.

With that said, what are the TXT and JSON reports? Where are they found? And how do I attach them to a reply?

BTW, the RK on the Win7 machine has not been updated since it was first downloaded. I think I tried once to update it, but something prevented it from happening. Should I try again, or will the TXT and JSON reports be sufficient?

Thanks again,

MEL


Curson
Re: SVCHOST.EXE-KILLED BY RK
« Reply #3 on: November 02, 2015, 07:56:20 PM »
Hi MEL,

Yes, please download RogueKiller latest version before performing the scan.
When the scan has finished, please click the buttons "Export txt" and "Export Json", then save the files on your desktop. You can use the form in the "Attachments and other options" section to upload those files the next time you post.

Regards.

M.E.Lenns
Re: SVCHOST.EXE-KILLED BY RK
« Reply #4 on: November 02, 2015, 08:07:00 PM »
Quote
Hi MEL, Yes, please download RogueKiller latest version before performing the scan.

Hey Curson, the Win7 machine is running version 10.10.0.0. It is running a scan even as I type. When it is finished will do what you instructed below. Then will try to download the latest RK version, and do it all again.

Quote
When the scan has finished, please click the buttons "Export txt" and "Export Json", then save the files on your desktop. You can use the form in the "Attachments and other options" section to upload those files the next time you post. Regards.

Will see if I can get that all together.

Thanks again.

MEL

M.E.Lenns
Re: SVCHOST.EXE-KILLED BY RK
« Reply #5 on: November 02, 2015, 08:38:31 PM »
Quote
Hi MEL, Yes, please download RogueKiller latest version before performing the scan.

Hey Curson, tried to download RK from your website. It tried, but then quit, and the download folder said that there were no downloads for this session.

The previous download was done on August 14, 2015 at 1:56 p.m. It was 18,286 KB.

Quote
When the scan has finished, please click the buttons "Export txt" and "Export Json", then save the files on your desktop. You can use the form in the "Attachments and other options" section to upload those files the next time you post. Regards

Did this. Am now going to see if I can log on to the forum on the Win7 machine and attach the TXT and JSON files.

This may take a bit of time here.

MEL

M.E.Lenns
Re: SVCHOST.EXE-KILLED BY RK
« Reply #6 on: November 02, 2015, 08:48:02 PM »
Quote
Hi MEL, Yes, please download RogueKiller latest version before performing the scan.
When the scan has finished, please click the buttons "Export txt" and "Export Json", then save the files on your desktop. You can use the form in the "Attachments and other options" section to upload those files the next time you post. Regards.

Hey Curson, here are (hopefully) the TXT and JSON files.

Curson
Re: SVCHOST.EXE-KILLED BY RK
« Reply #7 on: November 02, 2015, 10:03:18 PM »
Hi MEL,

This [Proc.Svchost] detection is a false positive which was fixed in the latest releases.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
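Before acting on a tool's svchost.exe verdict, a defender wants to compare the reported PID with what Windows itself says about every svchost instance (image path, parent process, signature, hosted services). The following is an added PowerShell example, not code from this thread or from RogueKiller; it assumes Windows PowerShell 3.0 or later in an elevated session.

```powershell
# Added triage example (not from this thread or from RogueKiller): inventory every running
# svchost.exe so a detection that names one PID can be compared with what Windows reports.
# Assumes Windows PowerShell 3.0 or later in an elevated session (ExecutablePath is hidden
# from non-administrators for processes owned by other accounts).
$ExpectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostInventory {
    $procs    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }
    $servicesExePid = (Get-CimInstance Win32_Process -Filter "Name = 'services.exe'").ProcessId

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        # Many Windows binaries are catalog-signed; on older systems this cmdlet may report
        # NotSigned for a genuine file, so treat the signature column as a hint, not a verdict.
        $sig = if ($path -and (Test-Path -LiteralPath $path)) {
            Get-AuthenticodeSignature -FilePath $path
        } else { $null }
        $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                    Select-Object -ExpandProperty Name)

        [PSCustomObject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            Path        = $path
            PathOk      = ($path -ieq $ExpectedPath)
            ParentOk    = ($p.ParentProcessId -eq $servicesExePid)
            Signature   = if ($sig) { $sig.Status } else { 'Unknown' }
            Services    = ($hosted -join ',')
            CommandLine = $p.CommandLine
        }
    }
}

$inventory = Get-SvchostInventory
"$($inventory.Count) svchost.exe instances running"
$inventory | Sort-Object PID | Format-Table PID, ParentPID, PathOk, ParentOk, Signature, Services -AutoSize

# A genuine svchost runs from System32 and is started by services.exe; an instance that fails
# either check, or hosts no service at all, is the one to examine before trusting a verdict.
$suspect = $inventory | Where-Object { -not $_.PathOk -or -not $_.ParentOk -or $_.Services -eq '' }
if ($suspect) {
    "Instances that do not match the expected svchost profile:"
    $suspect | Format-List PID, Path, ParentPID, Signature, CommandLine
}
```

A PID reported by a scanner that no longer appears in this inventory usually means the process had already exited, so the table is worth capturing at the same moment the scan runs.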

M.E.Lenns
Re: SVCHOST.EXE-KILLED BY RK
« Reply #8 on: November 02, 2015, 10:17:26 PM »
Quote
Hi MEL, This [Proc.Svchost] detection is a false positive which was fixed in the latest releases.

Hey Curson, that's good news. Now, onward through the fog. :)

Quote
Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
Regards.

Curson, am going to have to do this tomorrow as there are some daily tasks that have to be taken care of presently. Will do this tomorrow mid morning.

I want to thank you for taking the time to do this for me. Be thinking on how I could contribute to your cause.

Hope this finds you doing well. Have a good night.

MEL

Curson
Re: SVCHOST.EXE-KILLED BY RK
« Reply #9 on: November 02, 2015, 10:29:44 PM »
Hi MEL,

You are very welcome.
Please take your time. You don't have to rush. ;)

Regards.

M.E.Lenns
Re: SVCHOST.EXE-KILLED BY RK
« Reply #10 on: November 03, 2015, 09:17:38 PM »
Quote
Hi MEL, Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.

Hey Curson, tried to do the FRST64.exe, but the Win7 machine is a 32 bit computer. Downloaded FRST32.

Quote
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
Regards.

Nonetheless, here are the two files that you requested.

Hope this works.

Thanks again,

MEL
« Last Edit: November 03, 2015, 09:19:37 PM by M.E.Lenns »

Curson
Re: SVCHOST.EXE-KILLED BY RK
« Reply #11 on: November 03, 2015, 11:49:08 PM »
Hi MEL,

Quote from: MEL
Hey Curson, tried to do the FRST64.exe, but the Win7 machine is a 32 bit computer. Downloaded FRST32.
I'm really sorry about that. When I wrote my post, I was certain you were running a 64-bit version of Windows. ???

The FRST logs are clean but I noticed that your computer is quite low on resources:
Quote
Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of memory in use: 56%
Total physical RAM: 1535.55 MB
Available physical RAM: 670.2 MB
Total Virtual: 3071.11 MB
Available Virtual: 2128.97 MB
With such a low-end processor and only 670MB physical RAM available, it's no wonder your computer is slow.
For better performance, I advise you to uninstall IObit Advanced SystemCare and IObit Uninstaller. If you don't use TeamViewer on a regular basis, you could uninstall it as well.

Regards.

M.E.Lenns
Re: SVCHOST.EXE-KILLED BY RK
« Reply #12 on: November 04, 2015, 10:50:02 AM »
Quote
Hi MEL, I'm really sorry about that. When I wrote my post, I was certain you were running a 64-bit version of Windows. ???

Hey Curson, actually, both the Win7 and the Win10 are 32 bit machines. Am just behind the times. :(

Quote
The FRST logs are clean

That eases my mind. :)

Quote
but I noticed that your computer is quite low on resources:

It is an ancient rig. Originally was gotten to do Desktop Video, but at the time none of the DTV stuff worked very well.

Quote
Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of memory in use: 56%
Total physical RAM: 1535.55 MB
Available physical RAM: 670.2 MB
Total Virtual: 3071.11 MB
Available Virtual: 2128.97 MB

Am surprised! Thought that I had 1.5 Gigs of ram (which at the time that the machine was built was a humongous amount of RAM)! How come there's only 670.2 of it available?

Quote
With such a low-end processor and only 670MB physical RAM available, it's no wonder your computer is slow.

That the Win7 computer is slow isn't all that critical. All it is used for is word processing. Am way out in the boondocks of Deep East Texas, have a DSL connection to the Internet which is slow. The only reason for even having it connected to the Internet is to research that about which is being written (Wikipedia and Dictionaries for synonyms, definitions, and etc.).

The reason for contacting your very nice forum was, as mentioned previously, because with no applications running, the Win7's CPU was showing that it was maxed out and the RAM was up in the 80-90% range. Suspected that the old thing was part of a botnet. In doing research into that possibility, came across RogueKiller, and when RK kept showing SVCHOST.EXE as being toxic, and no matter how many times it was killed, it kept coming back, the next logical step was to go to your WebPage for help, and there I found your forum.

Quote
For better performance, I advise you to uninstall IObit Advanced SystemCare and IObit Uninstaller. If you don't use TeamViewer on a regular basis, you could uninstall it as well.

All right.

Anyway, would like to thank you for your assistance. You've been absolutely wondrous. This has been a learning experience for me. Have enjoyed becoming part of your community, and will be checking in often.

Hope this finds you doing well.

Take excellent care.

MEL

Curson
Re: SVCHOST.EXE-KILLED BY RK
« Reply #13 on: November 04, 2015, 08:08:33 PM »
Hi MEL,

Quote from: MEL
Am surprised! Thought that I had 1.5 Gigs of ram (which at the time that the machine was built was a humongous amount of RAM)! How come there's only 670.2 of it available?
You have indeed a total of 1.5GB RAM installed but since Windows 7 uses about 1GB RAM, there is only about 600-700MB RAM left for other applications. ;)

Quote from: MEL
The reason for contacting your very nice forum was, as mentioned previously, because with no applications running, the Win7's CPU was showing that it was maxed out and the RAM was up in the 80-90% range. Suspected that the old thing was part of a botnet. In doing research into that possibility, came across RogueKiller, and when RK kept showing SVCHOST.EXE as being toxic, and no matter how many times it was killed, it kept coming back, the next logical step was to go to your WebPage for help, and there I found your forum.
Thanks for the clarification.
You could now delete FRST and the files linked to it.

Quote from: MEL
Anyway, would like to thank you for your assistance. You've been absolutely wondrous. This has been a learning experience for me. Have enjoyed becoming part of your community, and will be checking in often.
Many thanks for the kind words. :)

Take care.

M.E.Lenns
Re: SVCHOST.EXE-KILLED BY RK
« Reply #14 on: November 04, 2015, 10:34:35 PM »
Quote
Hi MEL, You have indeed a total of 1.5GB RAM installed but since Windows 7 uses about 1GB RAM, there is only about 600-700MB RAM left for other applications. ;)

Hey Curson, When the Win7 machine was built originally, it had a Win2k O/S. Then a friend gifted me with the Win7 O/S. Happen to like Win7, but it takes longer to boot than did the Win2k.

Quote
Thanks for the clarification. You could now delete FRST and the files linked to it.

Does FRST take any RAM just sitting there? If it doesn't would like to just keep it to look at once in a while.

Quote
Many thanks for the kind words. :) Take care.

Credit where credit is due.

Hang in there.

MEL