Step-by-step guide to remove stubborn malware

Question : Here are some attached files for your reference. The problem causes my PC to slow down dramatically and eventually I can hardly do anything with it. Before this, my PC was infected by malware/adware. The Internet Explorer was damaged, thus I had to get it fixed. From the Task Manager, there is a file called SVCHOST.EXE which uses most of the central processing unit bandwidth. Can any virus/malware/adware do such a thing?

Answer : They not only can do such a thing, they usually DO do such a thing. Malware is, by and large, very badly written. Because of this, a lot of malware has a tendency to slow down or otherwise impact the system in a negative way. It has become so indicative that the first thing troubleshooters look for when a system deviates from the norm is the presence of malware.

After looking through the logs, we noticed some suspicious behaviour. First of all, the line "C:\WINNT\TEMP\DS3C68.EXE" under "Running processes" tells us that the file "DS3C68.EXE" is running from a temporary folder in the WINNT directory.

The "TEMP" folder under the main directory (which is WINNT in this case) is usually used to store data files that are used by a running program. Because of this, any program running directly from the "TEMP" folder is highly suspect.

Another suspect entry is "O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\wkrior.exe reg_run" -- this is probably where your problem is. It's malware that many virus cleaners call "Qoologic", and it is not easy to remove. Basically, Qoologic has three major components.

The first component runs from a "winsync" entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -- this is the aforementioned entry. The filename is typically a random set of six characters.

The next component is typically a DLL (that would probably be the one eating up all the processor bandwidth). In some versions, this DLL is called "wuauclt.dll" and usually placed in the system directory (C:\WINNT in this case).

Note that the offending file is called "wuauclt.dll" and not "wuauclt.exe". Also, with many variants, an entry can be found in C:\Documents and Settings\All Users\Start Menu\Programs\Startup that refers to another executable file -- this is another location where programs can be started automatically.

We don't usually advocate wholesale re-installing for any Trojan infection, but this is one of the times that we're going to say it might be easier to just re-install it. Before we go to that extreme, though, we'll try to take it out.

The first thing to do is to figure out which DLL is causing svchost.exe to do this. The offending DLL can be located with Sysinternals' "Process Explorer" (available from www.sysinternals.com). After downloading the program, run it, and then locate the "svchost.exe" entries (they're under "services.exe").

One of the "svchost.exe" entries may have a large number under "CPU". If one such entry exists, right-click on it and select "Properties". If not, note the number in the "PID" column of the offending "svchost.exe" entry, and select the entry with the same PID in Process Explorer.

Once this is done, click on the "Performance Graph" tab to confirm CPU usage. Once this is confirmed, click on the "Threads" tab to view all the DLLs that are being supported by this instance of "svchost.exe".

If there's only one listed, then we've found our culprit. If there's more than one DLL, use a search engine to identify the offending DLL.

Just type the DLL names (including the extensions) into a search engine and read what comes up. In this way, the offending DLL can be identified.

Now that we've identified every file and location, it's time to remove them. Before doing anything, update the browser at windowsupdate.microsoft.com (or download the IE6 service pack 1 from www.microsoft.com/ie and install it). This is a crucial step to ensure that the operating system doesn't get reinfected after the malware is removed.

After this is done, restart the OS in "safe" mode and use HijackThis to remove "O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\wkrior.exe reg_run" (click on the checkbox to the left of it and then on "Fix Checked").

While you're here, open Windows Explorer, navigate to the "C:\WINNT\TEMP" directory and delete every file in it. Do the same for the "temporary" directories of every user (each user has a temporary directory named C:\Documents and Settings\(user name)\Local Settings\Temp, where (user name) is the name of the user).

The startup entries are more difficult to remove. Look through the entries in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" to see if all programs there are recognised. If the programs are not easily identifiable, just delete everything in it.

Each user will also have a Startup directory, usually called "C:\Documents and Settings\(user name)\Start Menu\Programs\Startup" where user name is, again, the user name of the particular user account.

The same should be done with these directories as well.

Also look in the C:\WINNT directory for a file called "wuauclt.dll". If it's there, remove it. Note that the name is "wuauclt.dll", not "wuauclt.exe". "wuauclt.exe" is usually a legitimate program.

Okay, now it's time to cross your fingers and restart the OS.

After restarting the OS, run regedit again and see if it's gone. If it is, allow yourself a small pat on the back. It's gone for now. Don't bring out the champagne yet, however.

After this, run HijackThis periodically to see if it's coming back. If you see "O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\wkrior.exe reg_run", or "O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\(x) reg_run" again (where x is some random filename), you've been infected again, in which case you might just want to re-install, and remember to update the browser this time.

If you've removed everything from the "startup" directories, also remember to uninstall and re-install any firewall software/malware cleaners installed on this PC to replace the automatically loaded components.
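
The log reading done in this answer (a process running from a TEMP folder, the "winsync" Run entry with its "reg_run" argument, Startup-folder items) and the periodic re-check can be scripted against a saved HijackThis log. This is an added example, not part of the original answer: the sample log is constructed around the two lines quoted above, and the function name `triage` is hypothetical.

```python
import re

# Constructed sample in HijackThis log layout. Only the DS3C68.EXE and winsync
# lines come from the article; every other line is made up for illustration.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\DS3C68.EXE

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\wkrior.exe reg_run
O4 - Global Startup: Example Tool.lnk = C:\Program Files\Example\tool.exe
"""

# TEMP locations named in the article: <windir>\TEMP and each user's
# Local Settings\Temp.
TEMP_DIR = re.compile(r"\\(?:winnt|windows)\\temp\\|\\local settings\\temp\\", re.I)
# Autostart lines. The section code is the letter O; a typed "04" is tolerated.
RUN_ENTRY = re.compile(r"^[O0]4\s*-\s*HK\w+\\\.\.\\Run\w*:\s*\[([^\]]*)\]\s*(.+)$", re.I)
STARTUP = re.compile(r"^[O0]4\s*-\s*(?:Global )?Startup:\s*(.+)$", re.I)


def triage(log_text):
    """Return (reason, detail) pairs for the indicators the article describes."""
    findings, in_processes = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.lower().startswith("running processes"):
            in_processes = True
        elif not line:
            in_processes = False  # a blank line ends the process list
        elif in_processes:
            if TEMP_DIR.search(line):
                findings.append(("process running from TEMP", line))
        elif (run := RUN_ENTRY.match(line)):
            name, command = run.groups()
            # The file name is random, so match the value name and argument.
            if name.lower() == "winsync" or command.lower().endswith(" reg_run"):
                findings.append(("Qoologic-style Run entry", command))
        elif (startup := STARTUP.match(line)):
            findings.append(("startup folder item to review", startup.group(1)))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```

Running it over each new log after the cleanup catches a returning "winsync" entry even when the executable has a different random name.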

