Resurging svchost.exe*32 TempFile taking needed CPU runtime

Razraal · 03 Dec 2013

Hello everyone!

I've been having this problem for approximately a month.
This particular file, named svchost.exe (size: 942KB), located in C:\Users\David\AppData\Local\Temp is giving me some bad times.

Everytime I log in my Windows account, this file starts executing itself, and is shown on Task Manager as the image proves it.

The most straightforward solution would be to delete this file permanently.
When I do that, it reappears after rebooting or logging out and then logging in.

I've tried deleting the whole content of the specified folder above, and yet it still shows up again, aswell as all the other "temporary" files.

I asked around, before posting this problem here, and one of the possible reasons could be a malfunctioning windows update.

The goal is to get rid of this nasty file permanently.
Can I count on your help?

Thank you for your time,
-Razraal

Britton30 · 03 Dec 2013

The svchost.exe process is vital for w7 to operate. If you succeed in deleting it the system will be bricked.
The svchost.exe is an internal kind of OS that w7 uses to run its own processes. I have from 11-17 or more instances of it running. This particular one may be caused by a program you installed a month ago.

carwiz · 03 Dec 2013

That's way too big and in the wrong folder to be a Windows svchost agent. It's also not the one running in Task Manager. The one in the Temp folder dated 4-12-2013 must have been added by an app you installed as Britton30 mentioned. Malwarebytes AM adds one but it's not even 1/3 the size of that one. Right click on it and select Properties. Click on the Digital Signatures tab and see if it's signed.

Britton30 · 03 Dec 2013

Carwiz jogged my memory, a Windows svchost.exe should only be in one or two places, C:\Windows\System32, Or if a 64 bit system, here too, C:\Windows\SysWOW64.

Size should be in the 20-30 KB range.

Resurging svchost.exe*32 TempFile taking needed CPU runtime-scvhost.png

Run a full scan with an updated MalwareBytes and Super AntiSpyware, links in my sig. You may well have a Trojan or worm which self replicates.

Razraal · 04 Dec 2013

carwiz said:

Right click on it and select Properties. Click on the Digital Signatures tab and see if it's signed.

There is no Digital Signature tab whatsoever. The copyright field is empty though.
On the image, the tabs are translated to:
Details, Previous Versions, General, Compatibility, Security.

Razraal · 04 Dec 2013

Britton30 said:

Carwiz jogged my memory, a Windows svchost.exe should only be in one or two places, C:\Windows\System32, Or if a 64 bit system, here too, C:\Windows\SysWOW64.

Size should be in the 20-30 KB range.

Hence why I specified this particular file's location and size.

Run a full scan with an updated MalwareBytes and Super AntiSpyware, links in my sig. You may well have a Trojan or worm which self replicates.

I ran a full scan with an updated MalwareBytes a few days ago. It detected this file and deleted it. However, this didn't prove to be a consistent solution, as the file reappeared in the same place after logging in again.

I just ran a full scan with SUPERAntiSpyware, it found several cookies and the svchost file.
It deleted the file after approximately 40 minutes of scan.
It then asked a reboot, which I agreed.
Upon logging in, the file was on the specified location again, only this time it was blocked by SUPERAntiSpyware, and was not executed.

carwiz · 04 Dec 2013

Sounds like malware to me.

It also sounds like it has installed a root kit that wasn't detected. I put in a help call to one of our AV/Malware gurus to look in on this thread.

Britton30 · 04 Dec 2013

This post by Cottonball may help.
Virus Help

Also this:
Download Adwcleaner by xPlode.

Download

Save to the Desktop

Right-click on adwcleaner.exe and choose Run as administrator

Click the Search button

Upload the AdwCleaner[Sn].txt in your reply.

Note

The log file is at C:\AdwCleaner[Sn].txt