Hammad

SVCHost.exe in USB

I am having a problem. Whenever I plug in my USB in my office computer, the following folders appear.

http://i.imgur.com/gEvdY.jpg

If I try to copy any folder from my computer to my USB drive, it hides the folder and the other folder is changed to a .exe file.

Scanned it with MSE and it didn't show me anything... I tried deleting the files using cmd (attrib method) and deleted the files. I even did a quick format. But whenever I replug my USB these 2 files are always there in it.

Any suggestions?


Hi Hammad,

I never even heard of this one before so these are just suggestions.

My first thought is that the malicious files have processes running which are preventing the files from being deleted properly.

You could use task manager to search for these processes but first I would try assigning a different letter to the USB drive. For drives with software installed this almost always causes the software to stop working. With any malicious processes stopped you can do a full format on the USB drive which will hopefully nuke that SVCHost, its data folder and anything else on there.

In addition try using USB Oblivion to remove anything left behind in the registry on that computer by the infected USB drive. Here is the link http://code.google.com/p/usboblivion/

If that doesn’t work then there is a program called Autorun Eater which finds and removes malicious files from USB drives. I haven’t used it myself but it's free and looks worth a try if no one else can help. Here’s the link http://oldmcdonald.wordpress.com/

If neither of these work, my only suggestion is to try another manual delete.

First check task manager for any processes that the files are running and end them. Then using an elevated command prompt to avoid any administrator rights that may be protecting the files, remove any read only attributes on the unwanted files and delete them. Then double check that they are deleted properly.

Use the command prompt to check for any other suspicious files or directories including hidden ones, end any processes they have running and delete them. Double check they are deleted and if not continue looking for any process that is preventing the delete.

Let me know how you get on.

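The manual check described in the reply above (hidden items on the drive, processes that keep files locked), as an added read-only PowerShell example that is not part of the original posts. The drive letter `E:\` is an assumption; the script only lists findings and deletes nothing.

```powershell
# Added example: read-only audit, nothing is deleted or modified.
# Assumption: the USB stick is mounted as E:\ (pass -Drive to change it).
param([string]$Drive = 'E:\')

# -Force returns hidden and system items that Explorer and plain "dir" omit.
$rootItems = @(Get-ChildItem -LiteralPath $Drive -Force)
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# 1. Root items carrying the Hidden or System attribute.
$hidden = @($rootItems | Where-Object { $_.Attributes -band $mask })
$hidden | Select-Object Name, Attributes, LastWriteTime | Format-Table -AutoSize

# 2. The symptom from the first post: a folder goes hidden and an .exe
#    with the same base name appears next to it.
$hiddenDirs = @($hidden | Where-Object { $_.PSIsContainer } |
                ForEach-Object { $_.Name })
$lookalikes = @($rootItems | Where-Object {
    -not $_.PSIsContainer -and $_.Extension -ieq '.exe' -and
    $hiddenDirs -contains $_.BaseName
})
# Hash the look-alikes so they can be checked with an AV vendor
# without ever launching them.
$lookalikes | Get-FileHash -Algorithm SHA256 | Format-Table Path, Hash -AutoSize

# 3. Processes that would block deletion or re-create the files:
#    anything running from the drive, and any svchost.exe whose image
#    is not in System32/SysWOW64 (the only legitimate locations).
#    Run elevated: ExecutablePath is empty for processes you cannot query.
$sysDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath } | Where-Object {
    $fromDrive = $_.ExecutablePath.StartsWith(
        $Drive, [StringComparison]::OrdinalIgnoreCase)
    $oddSvchost = $_.Name -ieq 'svchost.exe' -and
        $sysDirs -notcontains (Split-Path $_.ExecutablePath -Parent)
    $fromDrive -or $oddSvchost
} | Select-Object ProcessId, Name, ExecutablePath | Format-Table -AutoSize
```

If section 3 lists a process running from the host's own disk, the files are being rewritten by the computer rather than by the stick, which matches a drive that is reinfected every time it is plugged back in.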

Well, I researched about it in great great detail. I don't know, while researching, I tried every single method and managed to remove the virus from my USB but whenever I plugged it back in it came back. Tried Kaspersky rootkit scanner, Kaspersky Internet Security and what not.

And in the end, I could find the affected registry keys so the only option left for me was to format my PC.

Sorry I couldn't help, I guess sometimes you just have to bite the bullet.

Only other option I can think of is to remove the hard drive and connect it as an external data drive to a clean computer. You could then use that computer to scan the drive. The theory being that since the rootkit won’t be running it can’t hide itself.

I seem to remember that you have a laptop that’s not easy for you to open up so formatting might be preferable to you.

One other thought, I would use a clean computer to access all my online accounts and change the passwords, just in case you have had any of them stolen by this malware.

Also change any security questions that are accessible through the account such as the ones used by Hotmail. It’s feasible that a criminal could note these down in order to gain access to the account after you have changed the password.

Also if you’ve been entering your credit card details for online purchases on the infected computer it would be an idea to call your bank and get the card stopped, in case those details were stolen.

Never used my credit card online ever and I even asked my bank never to accept any online transaction. So that's not an issue. Anyways, formatted my PC and all is good now.

When my PC catches a virus, I always format as a rule of thumb. Once infected it is near impossible to fully trust your computer regardless of how well you removed the threat.

Nuke it from orbit!
