Jump to content
groovyPost Forums

SVCHost.exe in USB

Hammad
 Share
Go to solution Solved by Simon H,

Recommended Posts

Hammad Enthusiast

Hammad

Posted
Posted

I am having a problem. Whenever i plug in my usb in my office computer, the following folders appear.

http://i.imgur.com/gEvdY.jpg

If i try to copy any folder from my computer to my usb drive, it hides the folder the other folder is changed to .exe file.

Scanned it with MSE and it didnt show me anything....i tried deleting the files using cmd (attrib method) and deleted the files. I even did a quick format. But whenever i re plug in my usb these 2 files are always there in it.

ANy suggestions?

Link to comment
Share on other sites
  • Solution
Simon H Rising Star

Simon H

Posted
  • Solution
Posted

Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

In addition try using USB Oblivion to remove anything left behind In the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but its free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on

Link to comment
Share on other sites
Hammad Enthusiast

Hammad

Posted
  • Author
Posted

Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

 

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

 

In addition try using USB Oblivion to remove anything left behind In the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but its free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on

 

Well, i researched about it in great great detail. I dont know while researching, i tried every single method and managed to remove the virus from my usb but whenever i plugged it back in it came back. tried KAspersky rootkit scanner, kaspersky internet security and what not.

and in the end, i could find the affected registry keys so the only option left for me was to format my PC>

Link to comment
Share on other sites
Simon H Rising Star

Simon H

Posted
Posted

Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

 

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

 

In addition try using USB Oblivion to remove anything left behind In the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but its free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on

 

Sorry I couldn't help, I guess sometimes you just have to bite the bullet.

Only other option I can think of is to remove the hard drive and connect it as an external data drive to a clean computer. You could then use that computer to scan the drive. The theory being that since the rootkit won’t be running it can’t hide itself.

I seem to remember that you have a laptop that’s not easy for you to open up so formatting might be preferable to you.

 

One other thought, I would use a clean computer to access all my online accounts and change the passwords, just in case you have had any of them stolen by this malware.

Also change any security questions that are accessible through the account such as the ones used by Hotmail. It’s feasible that a criminal could note these down in order to gain access to the account after you have changed the password.

Also if you’ve been entering your credit card details for online purchases on the infected computer it would be an idea to call your bank and get the card stopped, in case those details were stolen.

Link to comment
Share on other sites
Hammad Enthusiast

Hammad

Posted
  • Author
Posted

Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

 

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

 

In addition try using USB Oblivion to remove anything left behind In the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but its free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on

 

Never used my credit card online ever and even i asked my bank never to accept any online transaction. So thats not an issue. anyways formatted my pc and all is good now.

Link to comment
Share on other sites
  • 5 weeks later...
Austin Community Regular

Austin

Posted
Posted

Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

 

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

 

In addition try using USB Oblivion to remove anything left behind In the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but its free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on

 

When my PC catches a virus, I always format as a rule of thumb. Once infected it is near impossible to fully trust your computer regardless of how well you removed the threat.

Nuke it from orbit!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...