
Scvhost



#1 Guest_bg fun_*


Posted 26 October 2006 - 08:51 AM

I've got this trojan that just won't let go of my system. When I first got it, it wanted to get through my firewall, but I didn't let it, so no biggie. But now I get this error message every time I start the comp, cuz it's banging at the wall, trying to get through:
Posted Image
This shows up three times at boot.

I keep running Ad-Aware, and I keep removing this "windows" entry, but every time I run it, it's back:
Posted Image

I think it's lodged itself in my scvhost-process. This is what my firewall tells me:
Posted Image

AVG and Symantec W32.GaebotFixTool both find nothing. Please help!



#2 quietman7


Posted 26 October 2006 - 09:58 AM

Svchost.exe is a generic host process name for services that are run from dynamic-link libraries called DLLs. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

If svchost.exe is running as a startup/shows in msconfig, this can be bad. See here and here.
Also make sure of the spelling. If it's scvhost.exe, this is a trojan. See here and here.

You can download and use Process Explorer by Sysinternals to investigate all processes and gather additional information to identify and resolve problems. This tool will show the process CPU usage, a description and its path.

One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However it then places itself in a different location on your computer. In XP, the legitimate Svchost.exe file is located in your system folder: C:\WINDOWS\system32\svchost.exe

Other legitimate copies can be found in the following folders:
C:\I386
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\

From your screenshot, the svchost.exe in question is running from C:\Windows\svchost.exe

Did you try doing an anti-virus scan in "SAFE MODE"?

I also recommend you download and scan with AVG Anti-Spyware 7.5 in "SAFE MODE".
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware.) Be sure to print out the AVG Anti-Spyware Install-Scan Instructions and read the User Manual.

Then perform this online Virus scan: Trend Micro Housecall <- Use "Autoclean" and manually delete what it can't clean.
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




