Sue Taylor asked:

Laptop redirecting websites, SVCHOST (winrscmde) using 600+ MB of RAM (spyware)

Would love some help.  Not sure what exactly is on the computer, but it's not coming off.  SVCHOST.exe is running at 600+MB of RAM and all I can make out is "winrscmde".  I'm not entirely sure what it's doing, and can't find it in MSCONFIG to turn it off.

The main problem is that when attempting to browse, it's redirecting us to other sites.  If we Google search TDSS Removal Tool it provides results.  As soon as we click on a link it redirects us elsewhere.  

I do not recall having this issue in Safe Mode, but I didn't test too much to be honest.

MBAM and SBSD haven't provided a solution.  I'm desperate for some help, we don't want to format unless it's absolutely necessary.

HP laptop, Win7 Home Premium x64. 2GB RAM.
helpfinder:

It definitely seems to be an infection (malware, adware, . .)
What you can try:
1. AV scan using some well-known AV like Norton AV, Kaspersky, ESET, ...
2. Malware scan with Malwarebytes SW, SUPERAntiSpyware, Spybot Search and Destroy
3. turn off all startup items in msconfig and when rebooted check if the problem persists; if not, then turn them on one by one and let's find the problematic item
4. run under a different Windows user profile and check if the problem persists; if not, then migrate all important documents from the old one to the new one
5. as a last option (no doubt the one which will 100% solve your problem, but "most destructive" for your current system and configuration) is a Windows reinstall

good luck
Lior Karasenti:

I suggest that you try to run Combofix

http://www.bleepingcomputer.com/download/combofix/

It can also run in safe mode and saved me many times
Try booting into a normal Windows 7 environment (since scanning and malware removal in Safe Mode should be avoided if possible) and follow the recommendations within the following Experts Exchange article.  It was written by Younghv, one of the EE community's very best malware removal specialists, and it involves running RogueKiller to stop the malware process followed immediately by Malwarebytes.

Take a few minutes to thoroughly read the article, and hopefully you will be back in business:

Stop the Bleeding: First Aid for Malware
This sort of thing has happened to me before - it's nasty! It sounds like your computer has been hijacked.

Try HiJackThis. It will list software and settings - wanted and unwanted. You can go through the list to see what needs to be done removal-wise. Be careful - not everything on the list is bad.

http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/HijackThis.shtml

Good luck!
@liorkr,
There are a lot of solid reasons for never running ComboFix (or any automated scanner/tool) in "Safe Mode".

Please have a read through this for some details:
https://www.experts-exchange.com/A_6650.html Malware Fighting – Best Practices
I have seen really nasty viruses these days that reside in protected system files and you need to use a Linux AV boot CD.
See
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
ASKER CERTIFIED SOLUTION by Sudeep Sharma (members-only solution, not shown)
Sue Taylor (ASKER):

RogueKiller finds the processes and terminates them.  They automatically start back up and crash RogueKiller as I'm running the RK scan tool.  RK finds items in the registry that I'm positive aren't any good - I just wish it could complete a scan.

Rkill ran and let me know these were killed:
C:\ProgramData\HP Photo Creations\MessageCheck.exe
\\.\globalroot\systemroot\svchost.exe

I've got a Malwarebytes scan running - it's been going for almost 3 hours, 322,000 objects scanned, 0 objects detected.  It was installed and updated to the latest updates in Safe Mode with Networking.

I'll try HijackThis next, but don't want to run too much at the same time.
For future reference, typically you can utilize the Quick Scan option within Malwarebytes and save a great deal of time.
Will the QuickScan detect these issues?
It should, but then again I see that Younghv's recommendation within his article is to run a Full Scan.  If that's the case, I defer to his judgment in this area.  Although I have a healthy amount of expertise with Windows 7 itself, Younghv & Rpggamergirl are easily the two most experienced malware removal specialists within the Experts Exchange community, and I have a lot of faith in their advice!
"Will the QuickScan detect these issues? "

Absolutely!
The actual guidance from the MBAM developers is "Quick Scan" first...then "Full Scan".
Post the actual logs that are being generated by "RogueKiller" and I'll ask Tigzy and Russell_Venable to review them for causes.
Ooops!
(If I'm still saying "Full Scan", I best be changing that. Thought I made that correction in all EE Articles.)
Attached is the MBAM log.  I've run it several times, and I'm pretty sure it's the same thing every time.
Work on that "attach" thing a little more.
:)

I just went through the same thing "Embedding" a new image in that Article...took me three tries.

Also attach the log from RogueKiller.
wth...  Ok, attempt 2 on the MBAM log.  RogueKiller was seriously nothing - it just killed those two processes and then keeps crashing when I try to run the full scan.  I cleared EVERYTHING from startup - non-MS services and all startup apps.  Let's see what happens now...
mbam-log-2012-07-15--2815-24-27-.txt
It still happens with all startup items shut off, and the svchost.exe (winrscmde) is running still.  Going to try HijackThis.
I'm not sure how you've configured MBAM, but it should have deleted this file:
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|50344 (Trojan.Agent) -> Data: C:\PROGRA~3\LOCALS~1\Temp\mswwba.exe -> No action taken."

You can manually delete that yourself.

What is the purpose of running "HijackThis"? Since Trend bought it from Merjin (and refused to pay him to keep it updated) it just isn't a very valuable tool.
When I try to delete the registry entry itself, it says "unable to delete".
Never mind - had to give myself Full rights on the Run folder.
With removing that item from the Registry I still have issues with redirection.  Is it possible it's actually hijacked svchost.exe?
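As an added example (my own code, not from the thread or any of its participants), a PowerShell check for the two indicators the posts above describe: svchost.exe instances running from a path other than the Windows system directories or with an unusually large working set, and autostart entries under the Policies\Explorer\Run key, which msconfig does not list. The function names and the 500 MB threshold are my own assumptions; it assumes Windows PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example, not from the thread. Read-only checks for the indicators discussed above.

# 1. A legitimate service host is loaded from %SystemRoot%\System32 (or SysWOW64).
#    Rkill reported "\\.\globalroot\systemroot\svchost.exe", a device-namespace path
#    no normal svchost.exe instance uses, and the asker's instance held 600+ MB.
function Get-SuspiciousSvchost {
    $allowed = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $path = $_.ExecutablePath          # may be $null for protected processes
        $wsMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
        [pscustomobject]@{
            PID             = $_.ProcessId
            Path            = $path
            WorkingSetMB    = $wsMB
            CommandLine     = $_.CommandLine
            # -notcontains is case-insensitive, so C:\WINDOWS vs C:\Windows does not matter
            UnexpectedPath  = ($null -eq $path) -or ($allowed -notcontains $path)
            # 500 MB is an assumed threshold; service hosts are normally far smaller
            LargeWorkingSet = ($wsMB -ge 500)
        }
    } | Where-Object { $_.UnexpectedPath -or $_.LargeWorkingSet }
}

# 2. The MBAM log flagged value "50344" under Policies\Explorer\Run pointing at an .exe in
#    a Temp directory. This key is an autostart location that msconfig never shows, which
#    is why clearing "all startup items" left the entry in place.
function Get-PoliciesRunEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; they are not registry values
            if ($prop.Name -like 'PS*') { continue }
            $command = [string]$prop.Value
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $command
                # an autostart that launches from a Temp folder deserves a close look
                InTemp  = ($command -match '(?i)\\Temp\\')
            }
        }
    }
}

Get-SuspiciousSvchost  | Format-Table -AutoSize
Get-PoliciesRunEntries | Format-Table -AutoSize
```

Both functions only report; they do not kill processes or delete values. As the asker found, removing an entry under that key can require taking Full Control of the Run key first, and the redirection persisted after the Run entry was gone because the boot-sector rootkit that TDSSKiller later identified was a separate component.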
SOLUTION (members-only solution, not shown)
TDSS Killer found Rootkit.Boot.Pihar.b.  It copied a bunch of stuff to the quarantine, and something will be cured after boot.  

Rebooted the laptop.  Holy crap, I think it worked!  Going to re-enable all of the startup items I disabled...

Re-enabled all startup items and rebooted into Safe Mode.  Ran the ESET Uninstall Tool to remove ESET completely - it wasn't working right.  Booted back up into Windows and now I can't get logged in remotely.  Will try again tomorrow when home.

Once I get logged on remotely, I'll be able to confirm that the TDSS tool fixed it.
Sounds as though you're making progress, but I haven't noticed previous mention of your working on this from a 'remote' location.

Please confirm that you do not have physical access to the system.
===============

Also - I made (another) mistake earlier. The first Expert recommendation to use "TDSSKiller" was from Run5k at http:#a38187766 - I think I need to engage my brain before my fingers.

Thanks.