05-27-2012 07:05 AM
Hi,
As of yesterday my computer has been performing sluggishly. I've identified the problem to a service running under svchost.exe. When I suspend that particular process the computer goes back to running normally again.
I've installed and run Svchost Viewer, and I'm able to identify the malfunctioning svchost.exe with its PID. But the service information tree underneath it is empty (unlike all the other services running). The PID is also different every time I reboot the system.
I've performed all kinds of virus scans on the computer, but no virus or trojan or anything is detected. However, Norton Auto-Protect tries blocking two different viruses (the dialogue keeps popping up every five minutes or so). This continues even after the unknown process described above is suspended.
The two found viruses are named Hacktool.Rootkit and Trojan.Gen.2, and here's a dump:
Full Path: c:\windows\installer\{802c7347-9c23-6c3c-462b-e65e
Threat: Hacktool.Rootkit
____________________________
____________________________
On computers as of 2012-05-27 at 15:54:25
Last Used 2012-05-27 at 15:54:25
Startup Item No
Launched No
____________________________
____________________________
Unknown
Number of users in the Norton Community that have used this file: Unknown
____________________________
Unknown
This file release is currently not known.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________
____________________________
File Actions
File: c:\windows\installer\{802c7347-9c23-6c3c-462b-e65e
Blocked
____________________________
File Thumbprint - SHA:
d9dc59c3f6e026874ea58888c54b597a8c080e446062c9c80b
____________________________
File Thumbprint - MD5:
3ba69999f27f85670cfa627204427584
____________________________
I can also add that I've been trying to roll back Windows to an earlier date, but this operation fails.
I've been searching your forums for a solution, and it seems that other people have had similar problems, but still I haven't found a solution. The same goes for other forums I've been searching.
So if you could please help me with this I would appreciate it a lot! Thank you so much in advance.
Henrik
05-27-2012 07:22 AM
Hey
Go to Norton History = Unsolved risks/Threats and see if there are any entries there.
You can also try Malwarebytes Anti-Malware to scan your computer for threats.
http://filehippo.com/download_malwarebytes_anti_ma
Thanks
Sweman
05-27-2012 08:21 AM - edited 05-27-2012 08:26 AM
Hi Sweman, thank you for your reply!
I installed and ran Anti-Malware as you suggested, and it found 4 trojans (see log below). I removed them, and now the svchost.exe problem seems to be gone!
N360 popped up one more time after the removal regarding the Trojan.Gen.2, so we will see if that happens again.
Also 2 windows pop-ups came up after the removal, one stating:
RunDLL
---------------------------
There was a problem starting C:\Users\Henrik\AppData\Local\Temp\dradxc.dll
The specified module could not be found.
And the other one was something about a problem connecting to Playstation remote keyboard. Don't even know what that is, but I'm using a VAIO, so it could be something pre-installed.
So thank you so much for your help! :)
A question though, how come Norton didn't find those trojans? I thought 360 was supposed to detect these kinds of threats as well. I have no problem continuing to use Anti-Malware as well, but just so I understand the difference.
Thanks again, and have a nice Sunday.
/henrik
EDIT.
Ah, forgot the log, here we go!
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.27.02
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Henrik :: VAIO2 [administrator]
Protection: Enabled
2012-05-27 16:50:22
mbam-log-2012-05-27 (16-50-22).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231225
Time elapsed: 5 minute(s), 6 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 1
C:\Users\Henrik\AppData\Local\Temp\dradxc.dll (Trojan.Downloader) -> Delete on reboot.
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Users\Henrik\AppData\Local\Temp\dradxc.dll (Trojan.Downloader) -> Delete on reboot.
C:\Windows\Installer\{802c7347-9c23-6c3c-462b-e65e
C:\Windows\Installer\{802c7347-9c23-6c3c-462b-e65e
(end)
05-27-2012 09:05 AM
MBAM is phenomenal at detecting and especially removing malware that regular antivirus programs (not just Norton) can't find or can't remove. No program detects everything, and MBAM specializes in complementing regular antiviruses.
05-27-2012 10:26 AM
OK, I see, I didn't know that, I always thought I was safe using just one system. Makes perfect sense though, so thanks for letting me know.
OK, problem solved, thanks a lot guys! :)
henrik
05-27-2012 01:47 PM - edited 05-27-2012 01:56 PM
What about getting the other folder, not just the one you have found?
The whole numbered folder is to be deleted and the probable other one that exists as like with the others I used OTL for.
Zeroaccess Backdoor
Quads
05-27-2012 05:05 PM - edited 05-27-2012 05:09 PM

Win 7 / Vista
C:\Users\[username]\AppData\Local\{[Numbers]}
C:\WINDOWS\Installer\{[Numbers]}
XP
C:\Documents and Settings\[Username]\Local Settings\Application Data\{[Numbers]}
C:\WINDOWS\Installer\{[Numbers]}
The Backdoor.Win32.ZAccess.sgi variant
http://www.threatexpert.com/report.aspx?md5=816d3c
Quads
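Two defender-side checks for the symptoms in this thread, written here as an added example (not code from the thread or from Norton/Malwarebytes): the first finds svchost.exe processes that host no registered service (the empty service tree Henrik saw in Svchost Viewer), the second lists {GUID}-named folders in the locations Quads gives above and the kinds of files they hold. It assumes PowerShell 3.0 or later and an elevated prompt; the function names are my own.

```powershell
# Added example: triage checks for the orphan-svchost and {GUID}-folder symptoms
# described in this thread. Assumes PowerShell 3.0+ and an elevated session.

function Find-OrphanSvchost {
    # Collect the PIDs of every running service, then report svchost.exe
    # processes that own none of them. A service that is still starting can
    # appear briefly, so re-run before treating a hit as malicious.
    $servicePids = Get-WmiObject -Class Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 } |
        Select-Object -ExpandProperty ProcessId |
        Sort-Object -Unique

    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $servicePids -notcontains $_.Id } |
        Select-Object Id, Path, StartTime
}

function Get-GuidFolderInventory {
    # Locations from the post above: the Windows Installer cache and each
    # user's AppData\Local. The legitimate Installer cache holds .msi/.msp
    # packages and icon resources, so DLLs or oddly named files in a {GUID}
    # folder are what an analyst wants to look at.
    $roots = @("$env:WINDIR\Installer")
    $roots += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local' }

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]+\}$' } |
            ForEach-Object {
                $files = Get-ChildItem -Path $_.FullName -Recurse -Force -File -ErrorAction SilentlyContinue
                $flagged = $files | Where-Object { $_.Extension -match '^\.(dll|exe|sys)$' -or $_.Extension -eq '' }
                [pscustomobject]@{
                    Folder     = $_.FullName
                    FileCount  = ($files | Measure-Object).Count
                    Flagged    = ($flagged | Measure-Object).Count
                    Extensions = ($files | ForEach-Object { $_.Extension } | Sort-Object -Unique) -join ','
                }
            }
    }
}

# Usage: list orphan svchost processes, then {GUID} folders with flagged content.
Find-OrphanSvchost | Format-Table -AutoSize
Get-GuidFolderInventory | Where-Object { $_.Flagged -gt 0 } | Format-Table -AutoSize
```

Hits from either function are leads for a full scan and offline review, not proof of infection on their own.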
