Visitor
HenrikMattsson
Posts: 3
Registered: ‎05-27-2012
Accepted Solution

svchost.exe runs CPU @ 100% & N360 keeps detecting Hacktool.Rootkit. + Trojan.Gen.2

Hi,

As of yesterday my computer has been performing sluggishly. I've identified the problem to a service running under svchost.exe. When I suspend that particular process the computer goes back to running normally again.

I've installed and run Svchost Viewer, and I'm able to identify the malfunctioning svchost.exe with its PID. But the service information tree underneath it is empty (unlike all the other services running). The PID is also different every time I reboot the system.

I've performed all kinds of virus scans on the computer, but no virus or trojan or anything is detected. However, Norton Auto-Protect tries blocking two different viruses (the dialogue keeps popping up every five minutes or so). This continues even after the unknown process described above is suspended.

The two found viruses are named Hacktool.Rootkit and Trojan.Gen.2, and here's a dump:

 

Full Path: c:\windows\installer\{802c7347-9c23-6c3c-462b-e65e6cccccc8}\u\80000000.@

Threat: Hacktool.Rootkit
____________________________
____________________________
On computers as of 2012-05-27 at 15:54:25
Last Used 2012-05-27 at 15:54:25
Startup Item No
Launched No
____________________________
____________________________
Unknown
Number of users in the Norton Community that have used this file: Unknown
____________________________
Unknown
This file release is currently not known.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________

____________________________
File Actions
File: c:\windows\installer\{802c7347-9c23-6c3c-462b-e65e6cccccc8}\u\80000000.@
Blocked
____________________________
File Thumbprint - SHA:
d9dc59c3f6e026874ea58888c54b597a8c080e446062c9c80be833649df04f29
____________________________
File Thumbprint - MD5:
3ba69999f27f85670cfa627204427584
____________________________

I can also add that I've been trying to roll back Windows to an earlier date, but this operation fails.

I've been searching your forums for a solution, and it seems that other people have had similar problems, but still I haven't found a solution. The same goes for other forums I've been searching.

So if you could please help me with this I would appreciate it a lot! Thank you so much in advance.

Henrik

MagnusLindh
Posts: 159
Topics: 9
Kudos: 23
Blog Posts: 0
Ideas: 0
Solutions: 5
Registered: ‎05-09-2011

Re: svchost.exe runs CPU @ 100% & N360 keeps detecting Hacktool.Rootkit. + Trojan.Gen.2

Hey

Go to Norton History > Unsolved Risks/Threats and see if there are any entries there.

You can also try Malwarebytes Anti-Malware to scan your computer for threats.

http://filehippo.com/download_malwarebytes_anti_malware/

Thanks

Sweman

Visitor
HenrikMattsson
Posts: 3
Registered: ‎05-27-2012

Re: svchost.exe runs CPU @ 100% & N360 keeps detecting Hacktool.Rootkit. + Trojan.Gen.2

[ Edited ]

Hi Sweman, thank you for your reply!

I installed and ran Anti-Malware as you suggested, and it found 4 trojans (see log below). I removed them, and now the svchost.exe problem seems to be gone!

N360 popped up one more time after the removal regarding the Trojan.Gen.2, so we will see if that happens again.

Also 2 Windows pop-ups came up after the removal, one stating:

RunDLL
---------------------------
There was a problem starting C:\Users\Henrik\AppData\Local\Temp\dradxc.dll

The specified module could not be found.

And the other one was something about a problem connecting to PlayStation remote keyboard. Don't even know what that is, but I'm using a VAIO, so it could be something pre-installed.

So thank you so much for your help! :)

A question though, how come Norton didn't find those trojans? I thought 360 was supposed to detect these kinds of threats as well. I have no problem continuing to use Anti-Malware as well, but just so I understand the difference.

Thanks again, and have a nice Sunday.

/henrik

EDIT.

Ah, forgot the log, here we go!

 

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.27.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Henrik :: VAIO2 [administrator]

Protection: Enabled

2012-05-27 16:50:22
mbam-log-2012-05-27 (16-50-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231225
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\Henrik\AppData\Local\Temp\dradxc.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Henrik\AppData\Local\Temp\dradxc.dll (Trojan.Downloader) -> Delete on reboot.
C:\Windows\Installer\{802c7347-9c23-6c3c-462b-e65e6cccccc8}\L\00000008.@ (Trojan.BitMiner) -> Delete on reboot.
C:\Windows\Installer\{802c7347-9c23-6c3c-462b-e65e6cccccc8}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)

Super Spam Squasher
Bombastus
Posts: 1,786
Registered: ‎11-16-2009

Re: svchost.exe runs CPU @ 100% & N360 keeps detecting Hacktool.Rootkit. + Trojan.Gen.2

MBAM is phenomenal at detecting and especially removing malware that regular antivirus programs (not just Norton) can't find or can't remove. No program detects everything, and MBAM specializes in complementing regular antiviruses.

Visitor
HenrikMattsson
Posts: 3
Registered: ‎05-27-2012

Re: svchost.exe runs CPU @ 100% & N360 keeps detecting Hacktool.Rootkit. + Trojan.Gen.2

OK, I see, I didn't know that. I always thought I was safe using just one system. Makes perfect sense though, so thanks for letting me know.

OK, problem solved, thanks a lot guys! :)

henrik

Bot Obliterator
Quads
Posts: 16,454
Registered: ‎07-21-2008

Re: svchost.exe runs CPU @ 100% & N360 keeps detecting Hacktool.Rootkit. + Trojan.Gen.2

[ Edited ]

What about getting the other folder, not just the one you have found??

The whole numbered folder is to be deleted, and the probable other one that exists, as with the others I used OTL for.

Zeroaccess Backdoor

Quads

Bot Obliterator
Quads
Posts: 16,454
Registered: ‎07-21-2008

Re: svchost.exe runs CPU @ 100% & N360 keeps detecting Hacktool.Rootkit. + Trojan.Gen.2

[ Edited ]

Win 7 / Vista

C:\Users\t[username]\AppData\Local\{[Numbers]}

C:\WINDOWS\Installer\{[Numbers]}

XP

C:\Documents and Settings\[Username]\Local Settings\Application Data\{[Numbers]}

C:\WINDOWS\Installer\{[Numbers]}

The Backdoor.Win32.ZAccess.sgi variant

http://www.threatexpert.com/report.aspx?md5=816d3c53069962d2039440c885bc670f

Quads
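As an added example (not code from this thread or from Norton/Malwarebytes), the following script checks the folder locations Quads lists for the layout seen in Henrik's MBAM log: a GUID-named directory under the local AppData folder or C:\Windows\Installer that holds "L" or "U" subfolders containing files ending in ".@". It assumes the GUID-directory pattern and the L/U/.@ layout are the indicators to look for; build_sample_tree() constructs a sample tree in a temp directory (reusing the GUID from the log above) so the check can be run offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Directory names of the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)


def default_roots():
    """The Win7/Vista locations from the thread; returns only those that exist."""
    roots = []
    local = os.environ.get("LOCALAPPDATA")
    if local:
        roots.append(Path(local))
    roots.append(Path(os.environ.get("SystemRoot", r"C:\Windows")) / "Installer")
    return [r for r in roots if r.is_dir()]


def find_zeroaccess_dirs(roots):
    """Return [(guid_dir, [files])] for GUID-named dirs holding L/U subfolders with *.@ files.
    A GUID-named directory alone is normal (the MSI cache uses them); the L/U + .@ layout is the flag."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue  # location absent on this system (e.g. XP vs Win7 paths)
        for entry in root.iterdir():
            if not (entry.is_dir() and GUID_DIR.match(entry.name)):
                continue
            files = []
            for sub in entry.iterdir():
                # case-insensitive: the Norton dump shows "u", the MBAM log "U"
                if sub.is_dir() and sub.name.upper() in ("L", "U"):
                    files.extend(p for p in sub.iterdir()
                                 if p.is_file() and p.name.endswith(".@"))
            if files:
                hits.append((entry, sorted(files)))
    return hits


def build_sample_tree(base=None):
    """Constructed sample data, not a real system: one suspicious dir, one benign MSI cache dir."""
    base = Path(base or tempfile.mkdtemp(prefix="za_sample_"))
    bad = base / "Installer" / "{802c7347-9c23-6c3c-462b-e65e6cccccc8}"
    for sub, name in (("L", "00000008.@"), ("U", "00000008.@"), ("u", "80000000.@")):
        (bad / sub).mkdir(parents=True, exist_ok=True)
        (bad / sub / name).write_bytes(b"sample")
    good = base / "Installer" / "{11111111-2222-3333-4444-555555555555}"
    good.mkdir(parents=True)
    (good / "setup.msi").write_bytes(b"sample")
    return base / "Installer"
```

Running find_zeroaccess_dirs(default_roots()) on a live Windows box reports candidate folders for review; it does not delete anything.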