
Should I Run Hijackthis?


6 replies to this topic

#1 bratwurst


Posted 24 June 2006 - 01:26 AM

Hello, just started reading about security on this website and have downloaded and run the free versions of Adaware, Spybot, Avast, and Zone Alarm. Zone Alarm blocked svchost.exe. I looked it up and saw that it is a necessary process, but that it also might be a trojan. I have 5 svchost.exe processes that I can see in task manager. There's also 1 of each lsass.exe, csrss.exe, smss.exe, vsmon.exe, spoolsv.exe, that I heard could be trojans. I was going to run Hijack but the warning on the tutorial says not to if everything on your PC is running fine. Mine is running fine, but I still don't want it to be vulnerable. Should I run it anyway?

Edited by bratwurst, 24 June 2006 - 01:31 AM.




#2 Elendil


Posted 24 June 2006 - 08:16 AM

Well, the list of processes you gave is normal because I too have 5 svchosts running; however, when I used ZA Free, it never blocked a svchost, which implies that you may indeed have a trojan. If you're using Windows 2k or Windows XP, try using Ewido Anti-Spyware and see if it comes up with anything (if you have a malware problem, chances are Ewido will detect something and remove it).

Here are the instructions for utilizing Ewido in the most efficient way:

Please download Ewido anti-spyware 4; it is a 30 day trial version of the program.
  • Install ewido security suite
  • Ewido will automatically run at the end.
  • The program will now open to the main screen.
  • You will need to update ewido to the latest definition files.
    • On the top row of the main screen click update.
    • Then click on "Start Update".
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the top will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into safe mode.

Open Ewido anti-malware
  • Click on the scanner button in the top row.
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files if any infections are found, click OK
Close Ewido
Reboot into normal mode

Stanford '14
B.S. Candidate | Computer Science

#3 Harry83


Posted 24 June 2006 - 11:59 AM

Zone Alarm blocked svchost.exe.


svchost.exe is the Generic Host Process for Win32 Services. It is a totally normal process. You may not have done the auto configuration features for ZoneAlarm and then kept getting notifications about it, therefore choosing to block it. If this is the case, it should be allowed.

If you do indeed run Ewido then it will most likely inform you of any spyware problems you might have. Chances are that svchost.exe is a normal process and ZA keeps popping up warnings because you haven't allowed it. Make sure what it's blocking isn't actually called scvhost.exe, which is indeed a trojan.
--
Harry83
Liberating America From Spyware - 1 Computer at a time...

#4 quietman7


Posted 24 June 2006 - 04:49 PM

To elaborate a bit more on what Harry83 said about svchost so you will understand it better:

Svchost.exe is a generic host process name for services that are run from dynamic-link libraries called DLLs. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The Svchost.exe file is located in the %SystemRoot%\System32 folder.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 bratwurst


Posted 25 June 2006 - 03:07 AM

Thanks, guys. Before I download Ewido, I noticed that it does say "generic host process," and the entry details are: C:\WINDOWS\system32\svchost.exe
Does this confirm that it's a normal process, or can a trojan appear under this name too and I should download Ewido anyway?

#6 quietman7


Posted 25 June 2006 - 07:45 AM

C:\WINDOWS\system32\svchost.exe is the proper location for the legit svchost file.

If it's running as a startup/shows in msconfig, this can be bad. See here and here.

Are you experiencing any computer problems?

BTW for any suspicious files you can always go to jotti.org
Browse to the location of the suspicious file and submit [upload] it for scanning/analysis.

I always recommend installing and using Ewido. If you don't want to purchase the program after the 30 day trial, you can still use it as an excellent stand-alone scanner to supplement your other anti-virus and anti-spyware programs.

Edited by quietman7, 25 June 2006 - 07:50 AM.


#7 bratwurst


Posted 26 June 2006 - 04:02 AM

I installed ewido and updated it, but I can't start my windows xp pro in safe mode. I tried restarting and continually tapping F8 while it was booting up several times. It just booted up normally like it always does. Never asked me what mode it should start in.



