Virus Help

New member (joined Sep 21, 2004, 172 messages):
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

This is not your problem. Svchost.exe is launching a virus in your registry. You have to find the virus first. www.trendmicro.com Write down the names of the viruses and then end each one in the process list. Then delete each virus one by one. Don't end critical system processes like Svchost.exe.

New member (joined Jan 1, 2001, 4,517 messages):
Oh okay, so that is why everyone else has that svchost also. Okay, thanks.

Do you like my new avatar? (joined Oct 21, 2002, 7,502 messages):
Matt, sorry bud, I need to head to bed, my brain is fried today. I hope you can get this fixed; if not I can help you more tomorrow.

Rickf sounds like he knows his shit, he should be able to help you.

New member (joined Sep 21, 2004, 172 messages):
This would also be one of the worms that could duplicate itself as Svchost.exe.


How Does the Welchia Worm Infect My Computer?

Copies itself to the Wins directory in the System or System32 folder in Windows, usually:

C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000

There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.

Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the following directories.

C:\Windows\System32\Wins\svchost.exe for Windows XP or
C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000

NOTE: Svchost.exe is a legitimate program, which is not malicious, found in the System32 directory

Creates the following services:

Service Name: RpcTftpd
Display Name: Network Connections Sharing
File: %System%\wins\svchost.exe

This service will be set to start manually.

Service Name: RpcPatch
Display Name: WINS Client
File: %System%\wins\dllhost.exe

This service will be set to start automatically.


Ends the process MSBLAST and deletes the file %System%\msblast.exe, which is dropped by the worm MSBlast.A. First it checks the operating system version, then it downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system.
Some of the patches it downloads into the system are as follows:

The downloaded patch has the file name, RpcServicePack.exe. This worm deletes this file after it is run.

Before downloading or installing the patch on the system, this worm first checks whether the system has been previously patched by looking for specific registry keys, to make sure the patch hasn't already been installed.

The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. The worm uses a ping to determine if a machine is active on the network. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or send data to TCP port 80 to exploit the WebDAV vulnerability.

Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.
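As an added illustration, not part of this post or of any vendor tool, here is a small Python triage helper that applies the indicators listed above (the wins\ drop location for svchost.exe and dllhost.exe, the RpcTftpd/RpcPatch services, and the TCP 666-765 callback range) to constructed process, service and connection records; the function names and sample data are assumptions of this example.

```python
# Added example, not from the thread or any vendor tool: applies the Welchia
# indicators quoted above to constructed process/service/connection records.
from typing import List, Tuple
# Indicators as listed in the post: svchost.exe / dllhost.exe dropped into a
# "wins" subfolder of the system directory, two named services, and a remote
# shell that connects back to the attacking host on TCP 666-765.
ROGUE_BINARIES = {"svchost.exe", "dllhost.exe"}
WELCHIA_SERVICES = {"rpctftpd": "network connections sharing",
                    "rpcpatch": "wins client"}
CALLBACK_PORTS = range(666, 766)

def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")

def flag_processes(procs: List[Tuple[int, str]]) -> List[str]:
    """procs: (pid, image path). The real binary lives in System32 itself;
    the same file name under a wins\\ subfolder is the worm's copy."""
    out = []
    for pid, path in procs:
        low = _norm(path)
        if low.rsplit("\\", 1)[-1] in ROGUE_BINARIES and "\\wins\\" in low:
            out.append(f"pid {pid}: {path} (system binary name in wins\\ folder)")
    return out

def flag_services(svcs: List[Tuple[str, str, str]]) -> List[str]:
    """svcs: (service name, display name, binary path)."""
    out = []
    for name, display, path in svcs:
        if name.lower() in WELCHIA_SERVICES:
            out.append(f"service {name} ({display}) -> {path}: Welchia service name")
        elif display.lower() in WELCHIA_SERVICES.values() and "\\wins\\" in _norm(path):
            out.append(f"service {name} ({display}) -> {path}: Welchia display name")
    return out

def flag_connections(conns: List[Tuple[str, int]]) -> List[str]:
    """conns: (remote address, remote port) of outbound TCP connections."""
    return [f"outbound {addr}:{port} in Welchia callback range 666-765"
            for addr, port in conns if port in CALLBACK_PORTS]

# Constructed sample inventory, not real data.
SAMPLE_PROCS = [(820, r"C:\Windows\System32\svchost.exe"),
                (1644, r"C:\Windows\System32\Wins\svchost.exe"),
                (1702, r"C:\Windows\System32\Wins\Dllhost.exe")]
SAMPLE_SVCS = [("RpcPatch", "WINS Client", r"C:\Windows\System32\wins\dllhost.exe"),
               ("Dnscache", "DNS Client", r"C:\Windows\System32\svchost.exe -k NetworkService")]
SAMPLE_CONNS = [("192.0.2.10", 80), ("192.0.2.77", 707)]

if __name__ == "__main__":
    for hit in flag_processes(SAMPLE_PROCS) + flag_services(SAMPLE_SVCS) + flag_connections(SAMPLE_CONNS):
        print(hit)
```

The legitimate svchost.exe in System32 and the DNS Client service are left alone; only the wins\ copies, the RpcPatch service and the connection in the 666-765 range are reported.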

New member (joined Sep 21, 2004, 172 messages):
And this would be the ultimate. All the pros use the Stinger. If this doesn't do it, send your machine to Belize and I will leave it in someone's grass hut for a week for a bush doctor to examine it.

http://vil.nai.com/vil/stinger/

New member (joined Jan 1, 2001, 4,517 messages):
Okay, I ended the process of winsys.exe and I deleted it. Right when I ended the process my AOL and MSN instantly connected themselves, so it is the culprit. I then deleted it. But still, when I run the Symantec, I can't run the LiveUpdate, it just gives me an error. Also I tried to do that regedit thing, but it just kept on closing.

New member (joined Sep 21, 2004, 172 messages):
Download the Stinger and disable that crummy Symantec virus scan. The Stinger has all the worms known to man. The patches should also be there.

New member (joined Jan 1, 2001, 4,517 messages):
OK, here is the update: I was able to find out which svchost.exe was bad and I got it deleted. I downloaded the Stinger and it has identified the virus, I believe:

W32/bagle.k@MM

It picked up all those files that I mentioned before, like the porn and the xxx, and identified those as the virus and is now deleting them. I deleted them manually the other day but they just came back, so hopefully this keeps it off. When I run TrojanHunter, it doesn't find anything now. Thanks for all your help, see you in Belize, but if you're ever at Churchill let me know, and I'll buy you a few beers.

New member (joined Sep 21, 2004, 172 messages):
I am glad I was of some help to you. Nothing worse than having the feeling of someone spying on you with a trojan. Keep using the Trend Micro virus scan and you will never have a problem.

Hmmm...a cold beer. Look out for my email in the future.

Do you like my new avatar? (joined Oct 21, 2002, 7,502 messages):
Quote, originally posted by Rickf:
And this would be the ultimate. All the pros use the Stinger. If this doesn't do it, send your machine to Belize and I will leave it in someone's grass hut for a week for a bush doctor to examine it.

http://vil.nai.com/vil/stinger/




New member (joined Jan 1, 2001, 4,517 messages):
Whenever I try to do LiveUpdate or pretty much anything with my Symantec, Symantec shuts down and says vcp32.exe error? Does this have something to do with a virus also? Right now my internet is working pretty well and I can sign in to MSN, can't get on AOL IM though. My computer is still running at 100% usage, and I think that should be more like 1-6%, so something must still be going on. Any ideas? I will be back around 5, thanks for all your guys' help.

New member (joined Sep 21, 2004, 172 messages):
If you have a license for Symantec, follow this link and let them figure out the problem. It's their product and they will have an answer for you. It sounds to me like your virus scan might be taking a lot of juice on your CPU because it's not running properly from startup.

If you scanned through your drives and can't find anything as far as viruses go, it most likely is a program that's not working right in the background.

Install the support if you can, or try uninstalling and reinstalling your Symantec product. It might just be a missing DLL file.

https://www-secure.symantec.com/techsupp/activedata/asa_product_detection.jsp?ref=sup4

New member (joined Jan 1, 2001, 4,517 messages):
My last message was incomplete, I must have accidentally deleted some stuff or something, so here is all the new info.

With my scan last night it deleted 798 files and repaired one. The file it identified was W32/bagle (maybe it said beagle).k@MM. Then after that today, I was able to do the things I mentioned, but couldn't get on AOL and the computer was still at 100%.

So today while I was gone I ran Stinger again, and this time it repaired 1 file and identified the virus W32/Polybot!hosts. I didn't notice this last night but it might have done the same thing. After I got rid of it though I was able to get on AOL IM no problem, but IE still sucked. (I'm on a different computer now because I can't get on here), so I am going to run that scan again and see if it still repairs and identifies that virus. This guy found a thing on the Symantec website where they have specific fixes for viruses and I am getting ready to download them right now.

I do plan on deleting Symantec and redownloading.

New member (joined Jan 1, 2001, 4,517 messages):
Well, I just looked at Symantec's website; it makes no sense that the beagle or bagle virus was doing that, because my system date is after that date and everything, and I could never find a beagle.exe file or anything like that.

New member (joined Jan 1, 2001, 4,517 messages):
OK, bingo. I just looked at Symantec again and found the specific one with the K in it with the beagle, and not .A or .B or whatever; there are like 25 of them. The description fit perfectly, so I am downloading that removal tool now.

Do you like my new avatar? (joined Oct 21, 2002, 7,502 messages):
You have a lot of patience, Matt.

Rickf, where have you been hiding?

New member (joined Jan 1, 2001, 4,517 messages):
I got the program running right now. I don't know how long it takes, but maybe an hour or so since it has to scan. I am pumped right now, hopefully this isn't a big letdown.