Got Virus from a fake WoW Hack

[jazman84]

Hey guys, posted this on offtopic too but there isn't much traffic there.

Sorry if this is in the wrong spot, but I am getting desperate.

So I was unfortunate enough to be one of the 1st to DL http://www.mmowned.com/forums/world-...g-tracker.html (WoW Trax NS - A World of Warcraft EVERYTHING tracker!) *DONT DL THIS. IT IS A VIRUS*

The virus doesn't seem to do anything except slow my system down, however, if I try and stop in in task manager it starts a shutdown sequence and can only be stopped with shutdown -a command and the process reloads.

Anyway, I tried following maclone's instructions, but every time i try to stop the processes through task manager I get the system shutdown error and it closes my PC in about a minute. I really need to get rid of this asap, I have a good virus remover in Eset smart security, but it doesnt seem to remove processes that are running, and they also run in safe mode which throws a spanner into it.

Is there a program similar to rkill that will stop the processes? They are hidden as svchost.exe

Please help!

[Bagger]

Allready removed ?

[jazman84]

No not yet. It doesn't look like the old worm that did the shutdown. I cant really find anything on the virus to get rid of it.

[Crysto]

Allready removed ?

He actually meant the thread.

[Bagger]

Indeed i did :P

[MMOHelping]

#1;
Virus Total doesnt mean anything.

YOU MUST TRUST YOUR INSTINCTS. If the post seems like its fake don't download it.

I suggest;
Install Malware Bytes -GR8 Software (easy)
-Spybot S&D

-If your experianced download Hijack this and View the Logs; (Hard)
Along with any rootkit viewing tools from Hirens Boot Cd is good.

Also alot of simple viruses will just add a startup key; so goto

Run > Msconfig and look for Startups that aren't something you recognize and investigate them! (Easy)

[maclone]

I told you to go safemode if you can't kill the processes.
And not all your svchost.exe processes are malware, in fact if you end the ones needed by Windows, Windows will shutdown by itself.

[MMOHelping]

Correct;

Good way to see, get an advanced process viewer it will tell you where the exe's are running from

<< ProTip : get Hirens Boot CD

[jazman84]

I told you to go safemode if you can't kill the processes.
And not all your svchost.exe processes are malware, in fact if you end the ones needed by Windows, Windows will shutdown by itself.

Thanks for that advice, but the processes were still running in safe mode

[maclone]

Thanks for that advice, but the processes were still running in safe mode

The real svchost.exe is a critical windows process and also runs in safemode...
Open task manager, right click the process and check for the file location, if it isn't "C:\Windows\System32\svchost.exe" it's most likely the malware.

You can also download that and look for an advanced process overview: http://live.sysinternals.com/procexp.exe

[jazman84]

The real svchost.exe is a critical windows process and also runs in safemode...
Open task manager, right click the process and check for the file location, if it isn't "C:\Windows\System32\svchost.exe" it's most likely the malware.

You can also download that and look for an advanced process overview: http://live.sysinternals.com/procexp.exe

They all say they are running from system32 I currently have 5 instances of svchost running.

[maclone]

That's normal.
Then you got no virus and all of this discussion was unnecessary.
That much for slowing down your system.

[Traxex84]

They all say they are running from system32 I currently have 5 instances of svchost running.

It is common to have multiple svchost.exe's the reason being (quote from microsoft)

If you’ve ever taken a look at the Services section in control panel you might notice that there are a Lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows… so they are separated out.

Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.

[maclone]

/closed
If there's anything else, PM me.