How to find spyware dll launched using svchost.exe

1

This weekend I found my PC was possibly infected by some virus or spyware. There is one "svchost.exe -k netsvcs" in my task manager, and it is running under my user name rather than a SYSTEM account. There is already another process with the same command line options running under the SYSTEM account.

This user-account svchost.exe consistently consumes 50% CPU (1 of the 2 cores of my CPU). In Process Explorer, I can see it is started by explorer.exe instead of services.exe. However, I have failed to find the location of its actual service DLL in the registry or on disk. Does anyone know how to find this malicious program?

Sheen

Posted 2010-11-22T09:54:25.703

Reputation: 221

Answers

0

Simply use Process Explorer. Here is an article.

Petar Minchev

Posted 2010-11-22T09:54:25.703

Reputation: 115

When I use Process Explorer to view this user-account svchost.exe, I can't see a Services tab. There is no useful information to help find the actual malicious program. – Sheen – 2010-11-24T09:25:32.970
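As an added example that is not part of the original question or any answer, the PowerShell script below does what the poster was trying to do by hand (it assumes an elevated prompt and a 2010-era PowerShell 2.0 or later): it flags svchost.exe instances whose parent is not services.exe or whose owner is not a service account, then lists the DLLs those processes have loaded that sit outside System32 or lack a valid Authenticode signature. The hosted service DLL must be among a svchost's loaded modules even when Process Explorer shows no Services tab, so this narrows the search to a handful of files to inspect.

```powershell
# Added example, not from the original post: triage svchost.exe instances that
# were not started by services.exe or do not run as a service account, then
# list their loaded DLLs that are outside System32 or not validly signed.
# Run from an elevated PowerShell prompt; output is for manual review only.

$serviceAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
$system32 = Join-Path $env:SystemRoot 'System32'

# Index every process once so parent lookups do not re-query WMI per child.
$all = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[$p.ProcessId] = $p }

foreach ($proc in ($all | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $owner = $proc.GetOwner()
    $user  = if ($owner.ReturnValue -eq 0) { $owner.User } else { '<unknown>' }
    $parent = $byPid[$proc.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    # A legitimate svchost is a child of services.exe running as a service account.
    $suspicious = ($parentName -ine 'services.exe') -or
                  ($serviceAccounts -notcontains $user)
    if (-not $suspicious) { continue }

    "`n[!] PID $($proc.ProcessId) owner=$($owner.Domain)\$user parent=$parentName"
    "    cmdline: $($proc.CommandLine)"

    # Enumerate loaded modules; the DLL actually doing the work must be among them.
    try { $modules = (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Modules }
    catch { "    (cannot read modules: $($_.Exception.Message))"; continue }

    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $outsideSys32 = -not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $sig = Get-AuthenticodeSignature -FilePath $path
        $unsigned = ($sig.Status -ne 'Valid')
        if ($outsideSys32 -or $unsigned) {
            "    DLL: $path  (outside System32: $outsideSys32, signature: $($sig.Status))"
        }
    }
}
```

A 32-bit PowerShell cannot read the module list of a 64-bit process, so on 64-bit Windows run it from the 64-bit console.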

0

Process Monitor, also made by Sysinternals, would be the better choice; just create a filter for svchost.

user56675

Posted 2010-11-22T09:54:25.703

Reputation: 1

0

Make a bootable AV disc, then boot from the disc and scan the hard drive, removing any infections it finds. I like the Kaspersky disc myself.

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Then: Install the free MBAM, run the program and go to the Update tab and update it, then go to the Scanner tab and do a quick scan, and select and remove anything it finds.

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

When MBAM is done, install the SAS free version, run a quick scan, and remove what it automatically selects. http://www.superantispyware.com/download.html

MBAM and SAS are not AV software like Norton; they are on-demand scanners that only scan for nasties when you run the program and will not interfere with AV programs like Norton. These can be run once a week to ensure you are not infected. Be sure you update them before each weekly scan.


Moab

Posted 2010-11-22T09:54:25.703

Reputation: 54 203