winrscmde... and my experience with Norton
I'm aware my post count will speak volumes, but my background is solid and my current experience is true, so I look forward to your feedback. Just a quick note: I've been in the IT industry for over 20 years, most of which was as a Sr. systems engineer/administrator, and I've seen enough to give me a healthy fear of the internet and stick to sites I know and not open emails I don't recognize (and some I do).
- Windows Vista x64 Ultimate SP2
- Norton Security Suite v188.8.131.52
Anywho on to what happened:
- Surfing the internet doing some research on upcoming quad-core cell phones, sticking to sites I'm familiar with. Opened a UK news website to figure out why Samsung decided against quad-core in their SG3 in US. Had other windows open with information: CNET, YouTube, some smaller cell review sites.
- Within 2 seconds my computer started to reboot. No errors, no prompts for installs on OS or browser add-ons.
- System came back up and kept giving a popup of "winrscmde stopped working and was closed".
What I did:
- Ran full system scan, which took over 4 hours. (spoiler alert, found nothing)
-- During this time I researched on the internet, found a bunch of tips like running SFC (done, didn't help) and talking about the svchost.
--- I found a svchost.exe in c:\windows, on top of the real one in the system32 folder. There was a svchost process running in task bar that appeared and disappeared every few seconds that had an odd description of "winrscmde" instead of the real description.
*** Important Note: the svchost file had a last modified date of 2009, but a creation date of today! Shouldn't the OS catch that suspicious detail?
--- When I renamed c:\windows\svchost to something else, another was instantly created.
- Norton Power Eraser, Downloaded and ran
-- I just got to say they should have some sort of full downloadable program to scan my system at this stage. I found it concerning that I had to enable my network knowing I had a trojan or worse actively taking over and doing who-knows-what from my system.
-- First run (plus reboot for rootkit scan) detected a harmless exe on my desktop after coming up. I let it remove it anyway. After it completed, the system BSOD'd with an error about kdcom.dll.
-- Second run (plus reboot for rootkit scan) detected "Risk: PhysicalDrive0, Type: Boot Record"
--- Thoroughly went through logs and they do not reveal what was detected and cleared at root level.
- Manually removed svchost files from c:\windows because they were still there, but not being duplicated it seemed any longer.
- Rebooted system, installed another virus software mentioned on a thread from similar person.
- I believe a virus got on my computer while surfing not-intentionally-malicious websites (perhaps something embedded in a comments section by someone).
- Was NOT detected by Norton Security Suite, Windows Defender, IE9's SmartScreen filter
- None of the usual prompts of something attempting to install appeared.
- No clue if system is safe so I will be doing a full reinstall in a few days when my Windows 7 x64 disk shows up.
- Disappointed in Norton, because I am incredibly safe in everything I do online; I would hope they could protect or at least inform me of attacks through my browser. AFTER the fact of being infected it didn't know... but I saw the processes and files behaving strangely myself.
- Will be finding another AV solution, but definitely not McAfee.
Perhaps this day's worth of work will help someone else more than it helped me.
Wish I knew what virus it was.... or is?
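
The two signs reported in the post above (a svchost.exe sitting in c:\windows instead of System32, with a creation date newer than its modified date) can be checked for directly; the PowerShell below is an added example, not part of the original post. The list of expected directories and the function names are assumptions, and because copying any file keeps its modified time while stamping a new creation time, the date mismatch is a triage signal to weigh together with the unexpected location.

```powershell
# Added example (not from the original post): find svchost.exe copies in unexpected places.
# Assumption: genuine copies live only in System32, SysWOW64, or under the WinSxS store.
$root  = $env:SystemRoot
$exact = @("$root\System32", "$root\SysWOW64")
$store = "$root\WinSxS\"

function Test-ExpectedLocation([string]$Directory) {
    $d = $Directory.TrimEnd('\')
    # -contains compares strings case-insensitively, matching Windows path semantics
    if ($exact -contains $d) { return $true }
    return ($d + '\').StartsWith($store, [StringComparison]::OrdinalIgnoreCase)
}

function Find-StraySvchost([string]$SearchRoot = $root) {
    # -Force includes hidden and system files; access-denied directories are skipped
    Get-ChildItem -Path $SearchRoot -Filter 'svchost.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, CreationTime, LastWriteTime,
            @{ n = 'ExpectedLocation';     e = { Test-ExpectedLocation $_.DirectoryName } },
            @{ n = 'CreatedAfterModified'; e = { $_.CreationTime -gt $_.LastWriteTime } }
}

function Find-StraySvchostProcess {
    # Path is empty for processes the current session cannot open, so run this elevated
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and -not (Test-ExpectedLocation (Split-Path $_.Path -Parent)) } |
        Select-Object Id, Path, StartTime
}

# Files outside the expected directories first, then any svchost running from such a path
Find-StraySvchost | Where-Object { -not $_.ExpectedLocation } | Format-List
Find-StraySvchostProcess | Format-Table -AutoSize
```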