Friday, August 31, 2012

How to remove the process "svchost.exe*32" description "winrscmde"

It seems to go by a few different names also.

Rootkit Zero Access Or Bootkit.Boot.Pihar.c

I've looked through several other solutions, but the tool I found that actually removes it was TDSSKiller.

It came up as Bootkit.Boot.Pihar.c. I scanned the hard drive and then allowed it to reboot the computer. When the computer booted, it popped up with a window asking to run a file. Make sure the file says it's from Kaspersky. We don't want to reinstall something we just removed.

Run a Malwarebytes scan to confirm that it is truly removed. You will notice it's not showing up any more in the Task Manager. Remember, to see it in Task Manager you need to click "Show all processes".
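The Task Manager check above can also be scripted. The following is an added example, not part of the original post: it lists every running svchost.exe whose folder or file description does not match the Windows original. It assumes an English-language Windows install (where the genuine description is "Host Process for Windows Services") and that the description "winrscmde" reported in this post comes from the file's version information.

```powershell
# Added example (not from the original post). Run from an elevated 64-bit
# PowerShell prompt so the path of every process is readable.
# Uses Get-WmiObject so it also works on the PowerShell 2.0 shipped with Windows 7.

$expectedDirs        = @("$env:windir\System32", "$env:windir\SysWOW64")
$genuineDescription  = 'Host Process for Windows Services'  # assumption: English Windows
$reportedDescription = 'winrscmde'                          # description named in this post

Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path    = $_.ExecutablePath
    $desc    = $null
    $reasons = @()

    if (-not $path) {
        # WMI hides the path of protected processes from non-elevated callers.
        $reasons += 'path not readable (prompt not elevated?)'
    }
    else {
        $dir = Split-Path -Parent $path
        if ($expectedDirs -notcontains $dir) {
            $reasons += 'runs from an unexpected folder'
        }
        elseif ($dir -like '*\SysWOW64') {
            # 32-bit copy; this is what Task Manager labels "svchost.exe *32".
            $reasons += '32-bit instance, review'
        }

        # Description as shown in Task Manager's "Description" column.
        $desc = (Get-Item -LiteralPath $path).VersionInfo.FileDescription
        if ($desc -eq $reportedDescription) {
            $reasons += 'description matches the one in this post'
        }
        elseif ($desc -ne $genuineDescription) {
            $reasons += 'description differs from the genuine file'
        }
    }

    if ($reasons.Count -gt 0) {
        New-Object PSObject -Property @{
            PID         = $_.ProcessId
            Path        = $path
            Description = $desc
            Reasons     = ($reasons -join '; ')
        }
    }
} | Format-List PID, Path, Description, Reasons
```

No output means every svchost.exe runs from System32 with the expected description; it does not replace the TDSSKiller and Malwarebytes scans.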

Some of the other sites I've read say that Combofix also removes it. Combofix blue screened the PC I was working on.

I rebooted and it looks like the process is removed, but it's still there. Malwarebytes still finds it. Combofix ran through completely after rerunning it. Combofix killed my internet connection. It will connect to the wireless, but an IP cannot be obtained. Will keep updating as I'm finding new info out.

As always, all of this is "Use at your own risk". Always remember to back up your data.

OS: Windows 7 Home Premium 64-bit
