Audio playing in background, being spawned by svchost in SysWOW64 folder

So I've been working on this laptop for about 3 hours now. Promised to only charge for one hour, so I NEED help. I'm desperate here, I refuse to nuke and pave this machine.

For some reason in Process Explorer there is a SVCHOST.exe process running under webroot's process. The problem was happening before webroot was installed, so I haven't removed it because I don't want to mess with reinserting a license and everything else, because it's not the problem. Anyway, if I let the computer sit there for a little while I see child processes appearing under SVChost... and it's iexplore.exe with arguments to get ads to play in the background. Normally, I'd find what crazy file name was causing the problem, suspend it, bring up windows explorer and then kill it and quickly delete the problem causing file. In this case, I don't know if it's safe to delete that SVCHOST in WINDOWS\SysWOW64. If it isn't safe, I don't know how to disinfect it. I've run MBAM, ComboFix, AND SAS and none of them have even touched it. Also, the customer has run McAfee, Webroot, and something else, I can't remember what they said.

I need help. He's going back to the college campus tomorrow and wants it back, not to mention I'm not making more than $60 on this job which sucks. I'm just going to keep googling and messing around, hopefully I'll find something or someone here will help me.


Thanks! :(
 
I'd recommend scanning the machine using the Kaspersky live cd; if there's a rootkit then finding it from within the host OS isn't the best way to go about these things. If you don't have the time you could load up any live cd of your choice and change the file extension of the suspect svchost to something like .xxx - it won't be able to auto-load on startup and you can restore it in case things go wrong.
 
I just checked my own Win7 computer and there is an SVCHOST.exe in that directory. Since it's a Windows file, could I just copy my version of the file to their computer since mine isn't infected and everything else seems to be clear after scanning with the scanners?
 
If the scanners are not finding this supposed infected file then it might not be finding all the related files that made it infected. Like iisjman07 said, do the kaspersky rescue disk (make sure it's the latest AND you update it). I would even install MSE after that and tell it to do a FULL scan. MSE is very good at spotting stuff that even combofix doesn't find.

I would not assume removing the one file will remove whatever got it infected in the first place.
 
I just checked my own Win7 computer and there is an SVCHOST.exe in that directory. Since it's a Windows file, could I just copy my version of the file to their computer since mine isn't infected and everything else seems to be clear after scanning with the scanners?

It's hard to say. You could try copying the file and I would expect it'll be alright, but you might as well just rename the old possibly infected copy in case it doesn't. On another note, you can't really say that everything seems to be clear after scanning without having done a scan from outside the host operating system (either with a live cd or slaving it to another machine), because there's a potential to miss a lot of malware by just scanning within the infected environment.
 
Use HijackThis.

That's a good program.

Also try the tools at sysinternals.com:

Process Monitor or Process Explorer,

can't remember which, but it will show you who is opening what and which registry keys / open files are being used.
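Two checks from the replies above (is that SysWOW64 svchost.exe really a Microsoft binary, and which svchost is parenting the iexplore.exe ad windows) can be done from PowerShell without guessing at file names. The script below is an added example and was not posted by anyone in this thread; it assumes an elevated Windows PowerShell session (2.0 or later) on the suspect machine and only uses built-in cmdlets. One caveat a practitioner should know: on Windows 7, Get-AuthenticodeSignature does not consult the security catalog, so a catalog-signed system file can show as NotSigned there; on that platform, confirm with sigcheck.exe from Sysinternals (already mentioned above), which does check catalogs.

```powershell
# Added triage script, not from the thread. Assumes an elevated Windows PowerShell
# session (2.0 or later); hashes and paths printed here are whatever the machine has.

function Get-Sha256 {
    param([string]$Path)
    # Hash by hand so this also runs on PowerShell 2.0/3.0, which lack Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

# 1. Inspect both copies of svchost.exe. A genuine one carries a valid Microsoft
#    signature; compare the SHA-256 with a known-good machine at the same patch level
#    before trusting it or overwriting it with a copy from elsewhere.
#    Caveat: on Windows 7, Status can read NotSigned for catalog-signed system files;
#    use Sysinternals sigcheck.exe there for a conclusive answer.
foreach ($path in @("$env:windir\System32\svchost.exe", "$env:windir\SysWOW64\svchost.exe")) {
    if (-not (Test-Path $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    New-Object PSObject -Property @{
        Path   = $path
        Status = $sig.Status        # expect 'Valid'
        Signer = $signer            # expect a Microsoft subject
        SHA256 = Get-Sha256 -Path $path
    } | Format-List
}

# 2. Map parent/child relationships. Every legitimate svchost.exe is started by
#    services.exe from System32 with a '-k <group>' argument; an svchost with any
#    other parent or path, or one parenting iexplore.exe, is worth a close look, and
#    the iexplore command line shows what it was told to open.
$procs = Get-WmiObject -Class Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }   # cast: WMI gives UInt32 ids

function Describe-Parent([int]$ParentPid) {
    $parent = $byId[$ParentPid]
    if ($parent) { '{0} (pid {1}) {2}' -f $parent.Name, $parent.ProcessId, $parent.ExecutablePath }
    else { '<parent exited> pid {0}' -f $ParentPid }
}

Write-Output '== svchost.exe instances not launched by services.exe from System32 =='
# ExecutablePath is $null when access is denied, so those instances are listed too.
$procs | Where-Object { $_.Name -ieq 'svchost.exe' } | ForEach-Object {
    $parent = $byId[[int]$_.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '' }
    if (($parentName -ine 'services.exe') -or ($_.ExecutablePath -ine "$env:windir\System32\svchost.exe")) {
        New-Object PSObject -Property @{
            Pid         = $_.ProcessId
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Parent      = Describe-Parent $_.ParentProcessId
        } | Format-List
    }
}

Write-Output '== iexplore.exe processes and their parents =='
$procs | Where-Object { $_.Name -ieq 'iexplore.exe' } | ForEach-Object {
    New-Object PSObject -Property @{
        Pid         = $_.ProcessId
        CommandLine = $_.CommandLine
        Parent      = Describe-Parent $_.ParentProcessId
    } | Format-List
}
```

Run it as `powershell -ExecutionPolicy Bypass -File .\svchost-triage.ps1` from an elevated prompt while the ads are playing, so the iexplore.exe instances are alive when the snapshot is taken. The second section is the same parent/child view Process Explorer gives, but as text you can keep with the job notes; as the earlier reply says, a clean result here still is not proof the box is clean, since a rootkit can hide from in-OS enumeration, so pair it with the offline scan.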
 