Windows 7 suspicious svchost.exe

Audience: Fellow techs, power users


A couple of weeks ago, while performing computer repair service in Snohomish, the system I was troubleshooting was responding rather slowly. When I fired up Process Explorer from Sysinternals I found that a svchost.exe process was consuming up to 50% of the CPU’s resources. In Windows, svchost.exe is simply a host process for Windows services. If you bring up Task Manager (Ctrl+Shift+Esc) you will find many svchost.exe entries listed, but no detailed information about which services are running within each process (please also note the description column):

[Screenshot: svchost.exe in Windows Task Manager]

With process explorer you can get much more detailed information about all processes running on your system. In this case, by simply mousing over a svchost.exe process you will see which services it is hosting:

[Screenshot: svchost.exe in Process Explorer]


This can be particularly helpful when trying to find a service that is hogging resources. On the particular system I was working on, however, something was amiss. Firstly, the description said “winrscmde” instead of Host Process for Windows Services, and secondly, mousing over the entry simply listed “svchost.exe.” Clearly, this process could not be hosting itself. At this point I suspected an imposter. By right-clicking any process in Process Explorer you can launch a properties dialog to learn more about the process. The first tab of this window is “Image.” In this tab you can find, among other items, the file path. A genuine svchost.exe should look like this:

[Screenshot: valid svchost.exe location]

The location for svchost.exe should be C:\Windows\system32\svchost.exe. Again, the afflicted system had an inconsistency here, as the location was C:\Windows\svchost.exe. I navigated to this location and attempted to delete the file, but found that it was locked. Fortunately, Process Explorer has a way to deal with this as well. Two of the other right-click menu items are “Kill Process” and “Suspend.”

[Screenshot: Kill Process or Suspend]

The thing about malware (which, at this point, it should be clear is what I was dealing with) is that if you kill one part of it, another component might re-launch it. So, by clicking “Suspend” instead, I was able to delete the fake svchost.exe file. I then followed up with an off-line virus scan to remove all traces of infection.
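The same three checks the post walks through in Process Explorer (image path, file description, hosted services), scripted for every running svchost.exe. This is an added example, not code from the original post or from Sysinternals; it adds one further check, that a genuine svchost.exe is started by services.exe, and assumes Windows PowerShell run as Administrator (Get-WmiObject is used so it also works on Windows 7’s built-in PowerShell 2.0).

```powershell
# Added example, not from the original post: check every running svchost.exe the
# way the post does in Process Explorer (image path, file description, hosted
# services) plus one extra check, a real svchost.exe is launched by services.exe.
# Assumes Windows PowerShell run as Administrator; Get-WmiObject is used so it
# also runs on Windows 7's built-in PowerShell 2.0.
$validPaths = @((Join-Path $env:windir 'System32\svchost.exe'),
                (Join-Path $env:windir 'SysWOW64\svchost.exe'))  # 32-bit copy on x64
$validDesc  = 'Host Process for Windows Services'

# pid -> names of the services it hosts (the list Process Explorer shows on mouse-over)
$servicesByPid = @{}
foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
    $id = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
    $servicesByPid[$id] += $svc.Name
}

# pid -> image name, used to identify each process's parent
$nameByPid = @{}
foreach ($p in Get-WmiObject Win32_Process) { $nameByPid[[int]$p.ProcessId] = $p.Name }

$findings = foreach ($p in Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'") {
    $reasons = @()
    $path = $p.ExecutablePath
    if (-not $path) {
        $reasons += 'image path not readable (not elevated?)'
    } elseif ($validPaths -notcontains $path) {
        $reasons += "unexpected path $path"      # the post's case: C:\Windows\svchost.exe
    } else {
        $desc = (Get-Item -LiteralPath $path).VersionInfo.FileDescription
        if ($desc -ne $validDesc) { $reasons += "unexpected description '$desc'" }
    }
    $hosted = $servicesByPid[[int]$p.ProcessId]
    if (-not $hosted) { $reasons += 'hosts no services' }   # mouse-over showed only "svchost.exe"
    $parent = $nameByPid[[int]$p.ParentProcessId]
    if ($parent -ne 'services.exe') { $reasons += "parent is '$parent', not services.exe" }

    if ($reasons.Count -gt 0) {
        New-Object PSObject -Property @{
            PID = $p.ProcessId; Path = $path
            Services = ($hosted -join ', '); Reasons = ($reasons -join '; ')
        }
    }
}
if ($findings) { $findings | Format-List } else { 'All svchost.exe instances look legitimate.' }
```

A flagged entry is a lead for the manual Process Explorer inspection the post describes, not a verdict on its own; a service whose svchost instance is mid-restart can briefly show as hosting nothing.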


In conclusion, Process Explorer is a great tool for troubleshooting malware and bugs. If you haven’t tried it yet, or the other Sysinternals tools, head on over to http://technet.microsoft.com/en-us/sysinternals/default and check them out.


-Nomad 

be safe out there


My documents are hidden!

Target Audience: Techs

Lately I’ve been seeing infections of rogue anti-viruses that hide people’s files in their “My Documents” folders and warn them that their hard drive has critical errors. Here are the tools I used to fix the problem:

Process Explorer & Autoruns from Microsoft’s Sysinternals: To identify the rogue processes, terminate them, and prevent them from running again at start-up.

UnHide.exe from bleepingcomputer.com: This program unhides user files and is supposed to keep system files hidden.

SuperAntiSpyware: to clean up remaining bits of malware.

AccRestore v2.0: On one system the Accessories folder wasn’t just hidden, it was deleted. I used this simple tool from Ramesh Srinivasan to fix it.
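What the UnHide step above has to get right is clearing the Hidden attribute on the user’s files without exposing the system files that are meant to stay hidden. The function below is an added example, not the original post’s procedure and not UnHide.exe; it assumes Windows PowerShell and that the rogue process has already been stopped with Process Explorer, and it runs as a dry run by default.

```powershell
# Added example, not from the original post or UnHide.exe: clear the Hidden
# attribute on user files under a folder while leaving files that also carry
# the System attribute untouched. Assumes Windows PowerShell; run with -DryRun
# first (the call at the bottom does) and review the list before changing anything.
function Restore-HiddenUserFiles {
    param(
        [string]$Root = (Join-Path $env:USERPROFILE 'Documents'),
        [switch]$DryRun
    )
    $hidden = [IO.FileAttributes]::Hidden
    $system = [IO.FileAttributes]::System
    $changed = @()
    foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue) {
        $attrs = $item.Attributes
        # Only clear Hidden where System is not also set: desktop.ini, thumbs.db and
        # the "My Music"/"My Pictures" compatibility junctions carry both and must stay hidden.
        $isHidden = ([int]($attrs -band $hidden)) -ne 0
        $isSystem = ([int]($attrs -band $system)) -ne 0
        if ($isHidden -and -not $isSystem) {
            if (-not $DryRun) { $item.Attributes = $attrs -bxor $hidden }
            $changed += $item.FullName
        }
    }
    return $changed
}

# Dry run: list what would be unhidden, then rerun without -DryRun once the list looks right.
Restore-HiddenUserFiles -DryRun | ForEach-Object { "would unhide: $_" }
```

Rogue anti-viruses of this kind typically hide the Desktop and Start Menu contents too, so the same function can be pointed at those folders via -Root.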

The final part is to educate users on safe browsing habits, and to offer anti-virus solutions.

I hope this has been useful in the battle against Malware.

-Nomad Computer Repair

Malware Update

-GPU assisted Malware ups the threat level. http://www.theregister.co.uk/2010/09/28/gpu_assisted_malware/

-GMail security check-list. http://gmailblog.blogspot.com/2010/10/help-keep-your-account-safe-with-gmail.html

-Behind the scenes Malware cleaning: http://remove-malware.com/videos/new-video-cleaning-the-client/

-Best Malware Ever? http://www.computerworld.com/s/article/9185919/Is_Stuxnet_the_best_malware_ever_

-And finally make sure that you and your users KNOW what your Anti-virus interface looks like. Fake anti-virus programs are rampant. The best defense is still educating the end-user. http://www.net-security.org/malware_news.php?id=1452

I’ve also been enjoying a few podcasts over at “The Force Field”; if you’re into tech, check it out.

Thanks for reading, check back soon, and be safe out there.

-Nomad

This week in Malware

– recommended audiences: Home-user to Tech

I would like to have a weekly recap of malware news on my blog. I think this would be useful to raise awareness among home-users and maybe help inform a few fellow techs out there. This is my first edition. Feel free to give me your thoughts on this idea.


Death by Malware?

It seems as though a trojan-infected server may have been a contributing factor in the 2008 crash of an airliner in Spain:

http://www.theregister.co.uk/2010/08/20/spanair_malware/

I believe that vigilance on the part of the pilots (and possibly the ground crew) would have avoided this disaster. The story indicates, however, that if the central computer had been working properly it should have automatically sent a warning to ground the plane. This is a startling example of how cyber-terrorism could happen in the future.