I love freeware; it's extremely fun to me to get some new program that is really cool. However, there are a few meanies out there who like to give a little bit more than they say. So I got a program recently that, when I went to run it, gave me an error and "wasn't able to run". Of course, I immediately recognized this as a lame cover-up for a malware drop, so I went after it as fast as possible, and smacked myself for not trying it out in a sandbox like I usually do.
Initially there were two new programs in my startup; one was a.exe, and I don't remember the other. I got rid of these very quickly, ran a scan, and assumed that my computer was fine. Little did I know.
About a day later, I started noticing that the first link in every Google search I made would send me to some advertising site rather than to where the link truly pointed. When hovering over the link, it points to the correct place, but as soon as you click on it, the link changes to the new advertising page. When I saw this, I knew that I hadn't gotten rid of the malware yet.
So I went to scan with Malwarebytes, but found that about 3 seconds into the scan the program would shut down; not crash, simply shut down. I also tried scanning with AVG, and found that I couldn't even open up a scan window. I scanned with SUPERAntiSpyware, and that worked, but it only found one trojan, and the problem still persisted after this was removed. I've tried starting up under BartPE and doing scans from there, but for some reason I can't get Malwarebytes to scan, and any other scanners I've used don't pick up the problem.
So I've given up on scanners; I think manual removal is my best bet at this point. I checked out my startup list; it had already been cleaned from before, and I knew every entry on there. So I went to check my services with an external program, in this case WinPatrol, and found that whenever I would access the Services tab the program would immediately shut down. I tried using Autoruns, and that also crashed. Finally I found a program called Starter, which was able to view my service list without crashing.
Now, there are a lot of services, and it's obnoxious trying to find the right one. I know most of them are clean, and the others that I'm not certain of I'm pretty sure I've seen before. So I decided to try another route and opened up Process Explorer to check out the situation. The only program I saw out of place was mscorsvw.exe, which a search proved to be an actual program, the .NET Runtime Optimization Service; however, I don't think I've seen it before, and when I ended it, it would restart. There were also a few Media Center services that I didn't usually have on, which also would restart, so I found each of these in Services and removed them, all except the .NET Runtime Optimization Service.
However, I must have been wrong or something, because even with those services disabled, I still had the same problem. So I started ending random processes, and found that a few of my svchost processes wouldn't start the Shutdown.exe protocol if they were ended, like they usually do. Of course, some did, so I had to use shutdown -a to stop that. And I found the true culprit of my search engine problems, because when I ended a few of them, my searches no longer took me to the wrong pages. However, I still cannot run scans, even with the fake ones ended, and I don't know where the false svchost is, so does anyone have any ideas what I can do from here?
I just noticed that I have 41 entries in my Services that all execute:
C:\WINDOWS\system32\svchost.exe -k netsvcs
Now, I KNOW some of these are normal ones, but can anyone tell me what makes them do anything different?
Post has been edited 1 time(s), last time on Sep 4 2009, 1:42 am by Falkoner.
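What makes those 41 entries differ is not the command line but what svchost loads for each of them. svchost.exe -k netsvcs is only a host process: the netsvcs group membership is the multi-string value netsvcs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, and for every service in that group svchost reads the ServiceDll value under the service's Parameters subkey and loads that DLL into the shared process. A rogue service therefore looks identical in the Services list and only stands out by its DLL path, its signature, or by having been appended to the group list. The script below is an added example written for this thread, not something from the original post or from any of the tools it mentions. It assumes an elevated PowerShell prompt on the affected Windows host and that the registry is not being hidden by a kernel-level rootkit.

```powershell
# Added example (not from the original post): list every service whose
# ImagePath runs svchost.exe, show the DLL it actually loads, and flag the
# ones a responder would look at first.
# Assumes: elevated PowerShell on the affected host.

$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Names the netsvcs group is declared to host (REG_MULTI_SZ).
$netsvcs = (Get-ItemProperty -Path $groupKey -Name 'netsvcs' -ErrorAction SilentlyContinue).netsvcs

$results = foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath -or $props.ImagePath -notmatch 'svchost\.exe') { continue }

    # The -k argument names the service group this entry is started under.
    $group = if ($props.ImagePath -match '-k\s+(\S+)') { $Matches[1] } else { '' }

    # svchost loads Parameters\ServiceDll for this service; a few services
    # keep the value on the main key instead.
    $paramPath = Join-Path $key.PSPath 'Parameters'
    $dll = (Get-ItemProperty -Path $paramPath -Name 'ServiceDll' -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { $dll = $props.ServiceDll }
    $dll = [Environment]::ExpandEnvironmentVariables("$dll")

    # Authenticode status of the DLL on disk (MISSING if the path is empty or gone).
    $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
        (Get-AuthenticodeSignature -FilePath $dll).Status
    } else { 'MISSING' }

    $inList = ($group -ne 'netsvcs') -or ($netsvcs -contains $key.PSChildName)

    [PSCustomObject]@{
        Service     = $key.PSChildName
        Group       = $group
        InGroupList = $inList
        ServiceDll  = $dll
        Signature   = $sig
        # Heuristics: DLL outside system32, not validly signed, or a netsvcs
        # service that is not declared in the group list.
        Suspicious  = ($sig -ne 'Valid') -or
                      ($dll -notlike "$env:SystemRoot\system32\*") -or
                      (-not $inList)
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Read the Suspicious column as a triage order, not a verdict: on older Windows versions Get-AuthenticodeSignature reports catalog-signed system DLLs as NotSigned, so a NotSigned entry under system32 needs a hash check against a clean copy rather than immediate removal, while a ServiceDll under a user profile, a temp directory, or a name that is one character off from a real one is the kind of entry the post is looking for. If the services tab crashes every tool that touches it, the registry may be filtered by a kernel driver, in which case this script should be run against the offline SYSTEM and SOFTWARE hives from a boot CD (load them with reg load and point $svcRoot and $groupKey at the mounted hive) rather than trusted on the live system.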