Can't get rid of svchost.exe virus

sharon122 · 17 Dec 2013

Hello, Iv'e started to use my brother's PC and I noticed that in every restart or boot that Malwarebytes Anti-Malware quarantines "svchost.exe" which is located at "C:\Users\[user's name]\AppData\Local\Temp", I can know that it is a virus because 1. its not located in Windows\system32 and 2. it takes almost 1 MB, when it need to take about 27 KB, I tried to run MBAM, AdwCleaner, TDSSKiller, RKill, Hitman Pro, CCleaner ,AswMBR, ESET Online Scanner, none of them found it (besides MBAM on boot ofcourse), Microsoft Essentials is my AntiVirus.

I tried to restore the virus and delete in manually, still restores on boot.

I didn't want to run ComoboFix because I'm too scared to use it

.

I think that probably the svchost.exe is not the virus itself because even when deleted something restores it each time and none of the programs finds what it is, or because the program is quarantined they can't find it.

Sorry for the long story, hope you will help me.

CanIHaz · 17 Dec 2013

If it's in temp file, you should try to kill the process and run CCleaner to clean out the temp files. If that didnt work, try Hitman Pro to get rid of it.
HitmanPro 3 - SurfRight

Force hitman pro to go into breach mode so it can kill all the process before scanning and deleting.
Hitman Pro in Force Breach Mode |

sharon122 · 17 Dec 2013

CanIHaz said:

If it's in temp file, you should try to kill the process and run CCleaner to clean out the temp files. If that didnt work, try Hitman Pro to get rid of it.
HitmanPro 3 - SurfRight

Force hitman pro to go into breach mode so it can kill all the process before scanning and deleting.
Hitman Pro in Force Breach Mode |

Like I said I tried Hitman Pro, and I forgot to mention that I used CCleaner too, now I tried Hitman Pro in Force Breach mode, just found some cookies like last time. and suspicious file which is :

Startup
HKLM\SYSTEM\CurrentControlSet\Services\xsherlock\

And :

Potential Unwanted Programs _________________________________________________

HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1\ (Babylon)
HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager\ (Babylon)

CanIHaz · 17 Dec 2013

those looks normal and the registry sherlock looks like a reg from a game.. But do you have any toolbar by any chance with babylon?

sharon122 · 17 Dec 2013

Maybe my brother install it, but I don't have it on Google Chrome or Firefox

ShamrockRig · 17 Dec 2013

If you feel you NEED to use combofix please refer to this thread Do not use Combofix on your own!! and make sure you have someone who knows EXACTLY what they are talking about, good luck.

sharon122 · 17 Dec 2013

Devlin1888 said:

If you feel you NEED to use combofix please refer to this thread Do not use Combofix on your own!! and make sure you have someone who knows EXACTLY what they are talking about, good luck.

That's the problem, I don't, that's why I asked here so people will guide me

Jacee · 17 Dec 2013

Please download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

After rebooting, tell me if it's gone.

sharon122 · 17 Dec 2013

Jacee said:

Please download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

After rebooting, tell me if it's gone.

No, it's not gone, just to make sure do I need to have svchost.exe on my PC so the program will clean it? because it quarantined by MBAM.

Anyway, this is the log :

Getting user folders.

Stopping running processes.

Emptying Temp folders.

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56478 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: hedev
->Temp folder emptied: 43164427 bytes

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes

User: Victor
->Temp folder emptied: 6562135892 bytes
->Temporary Internet Files folder emptied: 12820162 bytes
->Java cache emptied: 853578 bytes
->FireFox cache emptied: 115347330 bytes
->Google Chrome cache emptied: 355633491 bytes
->Flash cache emptied: 57650 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 332614 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 21067690 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes

Emptying RecycleBin. Do not interrupt.

RecycleBin emptied: 0 bytes
Process complete!

Total Files Cleaned = 6,782.00 mb

Jacee · 18 Dec 2013

"Total Files Cleaned = 6,782.00 mb" <--- wow that's a lot of 'garbage' cleaned out of your temporary files!

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
Copy and paste the contents of that logfile in your next reply.
A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.