• 1
Hammad

SVCHost.exe in USB

Question

I am having a problem. Whenever i plug in my usb in my office computer, the following folders appear.

http://i.imgur.com/gEvdY.jpg

If i try to copy any folder from my computer to my usb drive, it hides the folder the other folder is changed to .exe file.

Scanned it with MSE and it didnt show me anything....i tried deleting the files using cmd (attrib method) and deleted the files. I even did a quick format. But whenever i re plug in my usb these 2 files are always there in it.

ANy suggestions?

Share this post


Link to post
Share on other sites

5 answers to this question

  • 1

Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

In addition try using USB Oblivion to remove anything left behind In the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but its free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on

Share this post


Link to post
Share on other sites
  • 2

Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

 

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

 

In addition try using USB Oblivion to remove anything left behind In the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but its free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on

 

Well, i researched about it in great great detail. I dont know while researching, i tried every single method and managed to remove the virus from my usb but whenever i plugged it back in it came back. tried KAspersky rootkit scanner, kaspersky internet security and what not.

and in the end, i could find the affected registry keys so the only option left for me was to format my PC>

Share this post


Link to post
Share on other sites
  • 1

Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

 

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

 

In addition try using USB Oblivion to remove anything left behind In the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but its free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on

 

Sorry I couldn't help, I guess sometimes you just have to bite the bullet.

Only other option I can think of is to remove the hard drive and connect it as an external data drive to a clean computer. You could then use that computer to scan the drive. The theory being that since the rootkit won’t be running it can’t hide itself.

I seem to remember that you have a laptop that’s not easy for you to open up so formatting might be preferable to you.

 

One other thought, I would use a clean computer to access all my online accounts and change the passwords, just in case you have had any of them stolen by this malware.

Also change any security questions that are accessible through the account such as the ones used by Hotmail. It’s feasible that a criminal could note these down in order to gain access to the account after you have changed the password.

Also if you’ve been entering your credit card details for online purchases on the infected computer it would be an idea to call your bank and get the card stopped, in case those details were stolen.

Share this post


Link to post
Share on other sites
  • 0

Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

 

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

 

In addition try using USB Oblivion to remove anything left behind In the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but its free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on

 

Never used my credit card online ever and even i asked my bank never to accept any online transaction. So thats not an issue. anyways formatted my pc and all is good now.

Share this post


Link to post
Share on other sites
  • 0

Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

 

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

 

In addition try using USB Oblivion to remove anything left behind In the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but its free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on

 

When my PC catches a virus, I always format as a rule of thumb. Once infected it is near impossible to fully trust your computer regardless of how well you removed the threat.

Nuke it from orbit!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Who's Online   0 Members, 0 Anonymous, 25 Guests (See full list)

    There are no registered users currently online