Solved SVCHOST *32 instance has strong Hijack/Virus behind it

Marker

Level 1
Thread author
Mar 4, 2018
9
Hi there,

My problem is an svchost *32 file that has a strong hijack behind it; it kicks in about 9 minutes after starting the PC. It kills every search for, or launch of, antivirus software like AdwCleaner / FRST.exe / Farbar and so on. It doesn't kill just any antivirus program, just the ones that can do damage to the virus, I guess. I think it's a new virus because I can't find any info that sounds just like mine, except here on this site:
SOLVED - svchost.exe *32 Issue

My time window is small, 9 minutes before it kicks in and then it seems to become more active when I am active trying to locate and destroy. Very responsive like there is a person responding to what I do except that it's instant response. Cleverly made anyway..

How I got it.... totally my own doing, I tried to reactivate a copy of Word with the help of KMSpico. Umpf, stupid.
The one I think is the culprit is what I downloaded from:
KMSpico 10.2.0 Final + Portable (Office and Windows 10 Activator) | SadeemPC
After executing the downloaded file, a Notepad file full of code was visible.

I think that was the code I am fighting now, but I'm not getting anywhere:
svchost*32 can't be terminated or the OS terminates; there are no services connected to that instance of svchost; it runs under "user". Most of the time that I have been working on this there are 2 instances of svchost*32 and 1 of them is taking up 50% of the CPU. If I shut down Windows I get a blue screen.
That's about it.
I will attach the requested FRST.txt and Addition.txt BUT they are from before the 9 minutes mark when the virus kicks in. After that time window FRST will not run in any way.

Please advise!

Thank you,

Mark
 

Attachments

  • Addition.txt
  • FRST.txt
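The opening post lists the three observations that matter when triaging a suspicious svchost: no services attached to the process, the process running under the interactive user rather than a service account, and (from the "*32" suffix) a 32-bit image. The PowerShell check below is an added example written for this thread; it is not something the poster or the helper ran. The list of legitimate paths and service accounts, and the rule that a genuine svchost is started by services.exe and hosts at least one service, are my assumptions about normal Windows behaviour, not facts taken from the thread.

```powershell
# Added example, not part of the thread: triage every running process named svchost.exe.
# A genuine svchost.exe is launched by services.exe from %SystemRoot%\System32 (or from
# SysWOW64 for the 32-bit copy, which is what Task Manager's "*32" suffix indicates), runs
# as SYSTEM, LOCAL SERVICE or NETWORK SERVICE, and hosts at least one service. An instance
# that breaks one or more of these rules deserves a closer look. Run from an elevated
# PowerShell prompt so that the owner and path of every process are readable.

$legitPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)
$serviceAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

# One lookup of every service that currently has a live process behind it.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }

function Get-SvchostReport {
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $proc   = $_
        $owner  = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.ProcessId } |
                    Select-Object -ExpandProperty Name)
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

        $flags = @()
        if ($proc.ExecutablePath -notin $legitPaths) { $flags += "path=$($proc.ExecutablePath)" }
        if (-not $owner.User) {
            $flags += 'owner-unreadable'                     # usually means the prompt is not elevated
        } elseif ($owner.User -notin $serviceAccounts) {
            $flags += "owner=$($owner.Domain)\$($owner.User)"
        }
        if ($hosted.Count -eq 0)                          { $flags += 'hosts-no-service' }
        if ($parent -and $parent.Name -ne 'services.exe') { $flags += "parent=$($parent.Name)" }

        [pscustomobject]@{
            PID      = $proc.ProcessId
            Owner    = "$($owner.Domain)\$($owner.User)"
            Parent   = if ($parent) { $parent.Name } else { '(exited)' }
            Services = $hosted -join ', '
            Flags    = $flags -join '; '
        }
    }
}

# Suspicious instances first; an empty Flags column means the instance looks normal.
Get-SvchostReport | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
```

One caveat when reading the output: since Windows 10 version 1607, per-user services (names ending in a numeric suffix, such as the CDP and push-notification user services) legitimately run in an svchost owned by the logged-on user, so the owner flag alone is not conclusive. The combination the poster describes, user-owned plus hosting no service at all plus a parent other than services.exe, is what should trigger the deeper look.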

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,


Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program.
  • Click the Scan tab, make sure Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Quarantine Selected button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the Reports tab.
  • Double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.



Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again.
  • Click on the reports icon and double-click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report in your next message.
 

Marker

Thank you so much for your reply TwinHeadedEagle!

I ran Malwarebytes, txt attached.
But for Zemana, it won't work as I have already used up my 15-day trial.
Any other program that could do the same?
 

Attachments

  • Malwarebytes.txt

Marker

Sorry, I had to send my reply without closing Word as the alarm clock sounded and I had to shut down the computer.
I noted that after restarting, once Malwarebytes had run, the 9-minute time window did not work.
The virus kicked in before that; when shutting down well within the time window I got a blue screen.

Thanks for your help thus far!

Greetings,

Mark
 

Marker

Thanks to a good tip I had Zemana do its job; file attached.
Looking forward to your view on the resulting logs.
See where the fly sits on my ceiling...

Thanks for looking at them, thanks for being here and spending time helping me!

Greetings,

Mark
 

Attachments

  • 2018.03.07-08.37.32-i0-t92-d7.txt

Marker

Here is an update after running Malwarebytes (still running but not detecting anything) and Zemana.
Everything seems fairly quiet, no more svchost*32 on 50% CPU.
No more browser stops on antivirus search, and no more antivirus programs halted and disappearing immediately after start.
So that is good.

Now AVG is time and again, say every half hour, blocking a file called VSFILTER.ax, which AVG identifies as IDP.ALEXA.51.
That file is created again and again, along with pmain.dll / unzip.exe / VSFilter.ax.zip in C:\Users\Gebruiker\AppData\Local\Temp.
At one instance of that happening this message appeared:
cannot create file C:\users\user\appdata\local\tabcntrl\msiexec64.exe

So as this never happened before the svchost*32 problem, I guess there is still something lurking in the electronic brain of my computer...

I am still waiting for further instructions and hope for some of your time @TwinHeadedEagle
 
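The post above describes files being re-created in %TEMP% every half hour with nothing visibly using them, which is the signature of a dropper that survives a reboot. The first question a defender asks is "what is starting it?". The script below is an added example written for this thread, not something the helper or the poster ran; it enumerates the Run/RunOnce registry keys and scheduled tasks and flags every entry whose command line points into a user-writable directory. It assumes Windows 8 or later (for Get-ScheduledTask) and an elevated prompt, and the directory pattern it matches is my own heuristic.

```powershell
# Added example, not part of the thread: enumerate the usual user-land autostart locations
# (Run/RunOnce registry keys and scheduled tasks) and flag every entry whose command line
# points into a user-writable directory. A file that keeps reappearing in %TEMP% is normally
# re-dropped by something that survives a reboot, and these are the first places to check.
# Assumes Windows 8 or later (Get-ScheduledTask) and an elevated prompt so that HKLM and
# every user's tasks are readable. The directory pattern is a constructed heuristic.

$suspectPattern = '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\'

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on 64-bit Windows
)

function Get-AutostartEntries {
    # Registry Run/RunOnce values: one entry per value name.
    $entries = @(foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }    # PSPath, PSParentPath etc. are PowerShell's own
            [pscustomobject]@{
                Source  = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
            }
        }
    })

    # Scheduled tasks: one entry per executable action, with the account it runs as.
    $entries += @(foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # COM-handler actions carry no command line
            [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName)"
                Name    = $task.Principal.UserId
                Command = "$($action.Execute) $($action.Arguments)".Trim()
            }
        }
    })

    foreach ($e in $entries) {
        $e | Add-Member -NotePropertyName Suspect -NotePropertyValue ($e.Command -match $suspectPattern) -PassThru
    }
}

# Print the flagged entries; review anything pointing into AppData, Temp or ProgramData that
# you cannot tie to software you installed yourself.
Get-AutostartEntries | Where-Object Suspect | Format-Table Source, Name, Command -AutoSize -Wrap
```

This covers only the two most common locations and is meant to show the shape of the check; Sysinternals Autoruns enumerates many more (services, drivers, WMI event subscriptions, shell extensions, logon scripts). If the drop keeps recurring with nothing flagged, the direct answer comes from file-creation telemetry: Sysmon event ID 11 (FileCreate) records the image of the process that created each file, which names the dropper rather than the dropped file.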

TwinHeadedEagle

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition.txt option is checked.


  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach both reports to your next reply.
 

TwinHeadedEagle

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When it finishes, FRST will generate a log on the Desktop called Fixlog.txt.

Please attach it to your reply.



How is the situation after this fix?
 

Attachments

  • fixlist.txt

Marker

Hi there @TwinHeadedEagle thanks for the instructions.
After executing the fixlist there are a couple of things worth noting:
mostly user settings that have been reset, lots of small things: Chrome fully reset, wifi taskbar icon changed to the ethernet icon, and maybe some more.
As there was no obvious terror present before the fix, no big changes, but the appearance of VSFilter.ax and company persists.
There is no legal call for those files; no video or anything being played, or software called on, that would need those, as far as I know.
AVG still flags it as IDP.ALEXA.51.

Is there any logic in it to you? It beats mine by a mile or 2...
 

Attachments

  • Fixlog.txt

TwinHeadedEagle

You had remnants of previous infection so we had to clean it. That's why some settings were reset.

I don't know why AVG is flagging this; can you contact their support for an explanation?
 

Marker

I will. As I understand it, VSFilter should live in System32 and can be uninstalled, but in this case it's created in AppData\Local\Temp.
But maybe they have experience with it as a virus's way of behaving.
Anyway! Thanks for your help and time. Very happy folk like you are here to help us when things go beyond the event horizon of simple folk like me... :)
Keeping an eye on my swatter for future use.
Keep your high post and sharp eyes, thumbs up @TwinHeadedEagle
 
