Old 20-04-2007, 09:47 PM   #1 (permalink)
Apprentice
 
Join Date: Sep 2006
Posts: 60
core.sys malware infection issue & resolution.


Hi all,

I have recently started noticing multiple instances of svchost.exe in my task mgr.

also... for a period of a month i ran my net conn without any firewall.. now ie seems to be popping up for no reason and redirects me to an unknown web page... is my browser hijacked???

i have scanned my system with avg 7.5 pro, ad aware and spybot search n destroy.. (latest updates installed).. however i have been unable to solve this problem..


I read the following on a webpage...



Process File: svchost.exe or svchost
Process Name: Microsoft Service Host Process

Description:
svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.

Note:

svchost.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data. If unaccounted for, this process should be removed immediately.

Note:
svchost.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Note: svchost.exe is a process belonging to Microsoft Service Host Process. This could also be a stealth monitoring software that sits in the background and tracks all activities such as keyboard input (including websites visited, passwords etc.) This information can be sent to third parties through email or ftp uploads. If you did not intentionally install this program make sure you remove it to protect your privacy.


I think svchost has been registered as a trojan on my system...


please help me out with this..


any help will be greatly appreciated...

thnx in advance..
rakesh14021983 is offline  

Old 20-04-2007, 10:37 PM   #2 (permalink)
-- No Easter Eggs here --
 
hemant_mathur's Avatar
 
Join Date: Apr 2006
Location: Front of my pc
Posts: 949
Re: SVCHOST.EXE Issues

Is it named svchost.exe or scvhost.exe ??

svchost.exe is a system process and usually runs in multiple instances. For more info on it check this link http://www.thinkdigit.com/forum/technology-news/38157-unlocking-mysteries-svchost-exe.html#post319520

scvhost.exe is a trojan.
__________________
E6850 3.0 Ghz, 4gb 667 Mhz RAM, Asus p5n Esli Mobo, Nvidia 8600GT 512mb, 400gb WD HDD, Samsung Syncmaster 920NW, Vista x64
hemant_mathur is offline  
Old 20-04-2007, 10:48 PM   #3 (permalink)
Distinguished Member
 
anandk's Avatar
 
Join Date: Mar 2005
Location: Pune
Posts: 3,783
Re: SVCHOST.EXE Issues

svchost.exe situated in the system32 folder is the legit ms process. situated anywhere else or scvhost.exe is malware. check exactly what ur suspects r named/spelled and their locations. if required u can get the suspect scanned with multiple scan engines at http://www.virustotal.com/en/virustotalf.html

i think scanning with avg anti-spyware or a-squared anti-malware shud take care of ur problem.
__________________
> www.TheWindowsClub.com <
= www.WinVistaClub.com =
Microsoft® MVP
anandk is offline  
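
The name-and-location check described in the reply above, as an added example that is not part of the original thread: it classifies process image paths, flagging svchost.exe outside the system folder and near-miss spellings such as scvhost.exe. The sample PIDs and paths are constructed, the function names are hypothetical, and Windows is assumed to be installed at C:\Windows.

```python
import ntpath

# Assumption: Windows lives at C:\Windows (SysWOW64 exists on 64-bit systems).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TARGET = "svchost.exe"

def osa_distance(a, b):
    """Edit distance that also counts one adjacent swap (scv <-> svc) as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(image_path):
    """Return 'ok', 'wrong-location', 'look-alike-name' or 'unrelated'."""
    # ntpath gives Windows path semantics (case-insensitive, backslashes) on any OS.
    norm = ntpath.normcase(ntpath.normpath(image_path))
    folder, name = ntpath.split(norm)
    if name == TARGET:
        return "ok" if folder in SYSTEM_DIRS else "wrong-location"
    if osa_distance(name, TARGET) <= 2:
        return "look-alike-name"
    return "unrelated"

# Constructed sample records (pid, image path), as exported from a process listing.
SAMPLE = [
    (884, r"C:\WINDOWS\system32\svchost.exe"),
    (1032, r"C:\WINDOWS\System32\svchost.exe"),
    (2216, r"C:\WINDOWS\system32\scvhost.exe"),
    (2480, r"C:\WINDOWS\svchost.exe"),
    (1500, r"C:\WINDOWS\explorer.exe"),
]

def suspicious(records):
    """Return (pid, path, verdict) for every record that needs a closer look."""
    rows = [(pid, path, classify(path)) for pid, path in records]
    return [r for r in rows if r[2] in ("wrong-location", "look-alike-name")]

if __name__ == "__main__":
    for row in suspicious(SAMPLE):
        print(row)
```

A clean result only rules out name masquerading; as the later posts show, the svchost.exe on this machine was legitimate and the cause was a driver file.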
Old 21-04-2007, 10:18 AM   #4 (permalink)
Apprentice
 
Join Date: Sep 2006
Posts: 60
Re: SVCHOST.EXE Issues

hey anand n hemant...

the file is svchost.exe itself.. not scvhost.exe (i knew that !!)

n there is only one instance of the file in c:\windows\system32.. thus i presume it is a legit file..

any other ideas??
rakesh14021983 is offline  
Old 21-04-2007, 03:45 PM   #5 (permalink)
Distinguished Member
 
anandk's Avatar
 
Join Date: Mar 2005
Location: Pune
Posts: 3,783
Re: SVCHOST.EXE Issues

nope ! but maybe u'd like to get ur browser checkd for hijackers ! just clicking on this http://www.doxdesk.com/parasite/ might giv u an idea if ur browser has been hijacked. or else ur host file cud v been hijacked. get ur hjt logfile auto-analysed at www.hijackthis.de. in case ur host file has been hijacked, u might wanna replace it with a good host file from http://www.mvps.org/winhelp2002/hosts.htm
__________________
> www.TheWindowsClub.com <
= www.WinVistaClub.com =
Microsoft® MVP
anandk is offline  
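
A way to review a hosts file for the hijack mentioned in the post above, as an added example that is not part of the original thread: it parses the file and reports entries that point names at non-local addresses, plus lines that do not parse. The sample file content is constructed (documentation-range addresses and example.com names), and `audit_hosts` is a hypothetical name.

```python
import ipaddress

def audit_hosts(text):
    """Return (line number, kind, detail) findings for a hosts file's text.

    kind is 'redirect' for a name mapped to a non-local address and
    'malformed' for a line that is not '<ip> <name> [<name> ...]'.
    Loopback and 0.0.0.0 entries are local/blocking entries and are skipped.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, "malformed", raw.strip()))
            continue
        if len(fields) < 2:                   # address with no hostname
            findings.append((lineno, "malformed", raw.strip()))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in fields[1:]:               # one line may carry several names
            findings.append((lineno, "redirect", f"{name} -> {addr}"))
    return findings

# Constructed sample hosts file content.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       url.cpvfeed.com   # blocked locally
203.0.113.10    www.example.com update.example.com
not-an-ip       broken.example
198.51.100.7
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file is at %SystemRoot%\System32\drivers\etc\hosts; read it and pass its text to `audit_hosts`.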
Old 21-04-2007, 05:56 PM   #6 (permalink)
Apprentice
 
Join Date: Sep 2006
Posts: 60
Re: SVCHOST.EXE Issues

Hey anand,

okie... HijackThis dint solve the problem.. but it did help me remove a lot of other crap.. so thanks anyways..

actually i discovered the solution....

now as i had said ie used to pop up randomly.. it always used to redirect me to url.cpvfeed.com.. now i dunno hw many know this but this is the problem.

Its malware.. no point scanning ur system with avg / norton / mcafee with latest updates.. does not solve anything.. Ad Aware and Spybot dont solve anything either..

go to c:\windows\system32\drivers

you will find a file called core.sys.. the trick is to delete this.. in normal windows mode you cant.. also if you try to upload the same to www.virustotal.com, it does not work, cuz the malware prevents the upload...

the error msg is "Upload file length is 0 bytes"...

only soln that i found is this..

1) Restart windows in safe mode
2) Delete the core.sys file. You might also find a cache file for core.sys. delete this too.
3) Restart the system in normal mode.
4) Voila!! Problem gone.....


Just thought i would post this.. I dunno how many ppl have the same prob n in case they do, they can use this soln..

anand since u r pretty well knwn in these circles i would definitely suggest you start a new thread n propagate this...

ppl are more likely to listen to you than me brother..

and yeah... thanks a lot for your help n suggestions too!!!

Ciao!!!
rakesh14021983 is offline  
Old 21-04-2007, 06:52 PM   #7 (permalink)
Distinguished Member
 
anandk's Avatar
 
Join Date: Mar 2005
Location: Pune
Posts: 3,783
Re: SVCHOST.EXE Issues

hey thanx 4 posting the soln buddy ! one must always do so ! learnt something new bcoz of u - THANX !

ya, "CORE.SYS is a file recently detected by the Prevx database. This file is yet to be determined globally as Good or Bad, therefore it is currently classified as Unknown" prevx

it gives popups from the foll crapsites :
xads.zedo.com
upspiral.com
searchlocal.ws
aavalue.com
url.cpvfeed.com
its detailed removal instructions are given at pchell.
__________________
> www.TheWindowsClub.com <
= www.WinVistaClub.com =
Microsoft® MVP
anandk is offline  
Old 21-04-2007, 10:08 PM   #8 (permalink)
-- No Easter Eggs here --
 
hemant_mathur's Avatar
 
Join Date: Apr 2006
Location: Front of my pc
Posts: 949
Re: SVCHOST.EXE Issues

^^ Reported.
@rakesh14021983 : Great info. thanx
__________________
E6850 3.0 Ghz, 4gb 667 Mhz RAM, Asus p5n Esli Mobo, Nvidia 8600GT 512mb, 400gb WD HDD, Samsung Syncmaster 920NW, Vista x64
hemant_mathur is offline  
 

All times are GMT +5.5.

