Greetings, chanlon!
I believe that a nasty bug has hijacked your svchost.exe file.
It seems that the svchost.exe file is a handy place for Trojans and
worms to take up residence.
Before you start, make sure that you have backed up any important data
files on your system.
First, you'll want to try to find out which one may have invaded your system:
"To view the list of services that are running in Svchost:
1) Click Start on the Windows taskbar, and then click Run.
2) In the Open box, type CMD, and then press ENTER.
3) Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows
the list of active services in each process. For more information
about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314056
You can first try a free solution, but be aware that that may not be
enough to do the trick.
I found a series of Annoyances.org Windows XP web forum postings that
does a good job of suggesting most of the things that I would
recommend:
http://www.annoyances.org/exec/forum/winxp/t1084388644
Now, for the free solutions: I highly recommend that you download and
run the following free programs, not just for this problem, but on a
frequent basis (every few days, weekly, or monthly, depending on how
much surfing and download is done on your system):
Spybot Search & Destroy
http://www.security.kolla.de
AdAware
http://www.lavasoft.de
*** IMPORTANT ***
If you already have Spybot and/or AdAware installed on your PC, be
sure to download the latest updates first **each time you run them**.
*****************
Other helpful free anti-scumware utilities:
CWShredder:
http://www.spychecker.com/program/coolwebshredder.html
Online Housecall
http://housecall.antivirus.com
If your system connects to the Internet, it's also a REALLY good idea
to run a firewall program. I (and many people I know) use Zone Alarm
Pro; Zone Alarm also makes a basic free version, which you can
download here:
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
It's also VERY important to check with Microsoft periodically and make
sure that you have installed any new security-related patches that
have been released.
You can find out if there are any available by going here:
http://v4.windowsupdate.microsoft.com/en/default.asp
Now, once you've performed the Tasklist identification procedure
(which I mentioned at the beginning) and discovered the villain, you
can also search for the guilty party in the AntiVirus applications
information below to find removal procedures.
Ideally, you already have Symantec's Norton AntiVirus or Network
Associates' McAfee AntiVirus installed on your system.
*** IMPORTANT ***
If you aren't already running a major anti-virus package on your
system, it's very ***critical*** that you install one -- and keep it
updated. This is **especially** important if you frequently download
files from the Internet.
*****************
Yes, packages like this cost a little money -- but the time, grief,
and expense that they can save you is ENORMOUS. Eradicating viruses,
worms, Trojans, and parasites is much more difficult and
time-consuming once they've taken up residence, than preventing them
from ever getting there in the first place.
Both Norton and McAfee are highly regarded; I personally use Norton,
with LiveUpdate running [which automatically detects updates to the
virus definitions and prompts you to download them]. I've never been
infected, so that's saying something (although I tend to not engage in
risky practices such as installing IRC and P2P packages, downloading
questionable files, surfing porn sites, or opening e-mail which is
apparently spam).
Here's an example of the kind of invasive program that is probably
causing your problem, from the Norton AntiVirus / Symantec site:
"Spytech
Spyware.Spytech monitors files, network traffic, and keystrokes. This
Spyware gives the person who installed it a Web-based interface with
summaries of logged information on the host computer...
Monitors the following items:
Keystrokes typed
Website visits
Applications run
Internet connections made
Files and documents viewed
Chat conversations
Windows opened
Outgoing email and webmail"
http://securityresponse.symantec.com/avcenter/venc/data/spyware.spytech.html
There are other related postings on the Norton AntiVirus / Symantec site:
Backdoor.Portless
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.portless.html
Backdoor.XTS
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.xts.html
Backdoor.Dewin
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.dewin.html
Backdoor.Litmus.203
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.litmus.203.html
Backdoor.Litmus.203.b
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.litmus.203.b.html
Backdoor.Kaitex.C
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.kaitex.c.html
Backdoor.Beasty.Family
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.beasty.family.html
Backdoor.Beasty.D
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.beasty.d.html
Backdoor.Sdbot.L
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.l.html
W32.BlueCode.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.bluecode.worm.html
W32.Jeefo
http://securityresponse.symantec.com/avcenter/venc/data/w32.jeefo.html
W32.Welchia.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
W32.Welchia.D.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.d.worm.html
W32.Welchia.K
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.k.html
W32.Welchia.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
Intruder Alert 3.6 W32_Welchia_B_Worm Policy
http://securityresponse.symantec.com/avcenter/security/Content/2004.02.17b.html
W32.Assarm@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.assarm@mm.html
W32.Marol@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.marol@mm.html
W32.Netsky.F@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.f@mm.html
W32.HLLW.Morb@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.morb@mm.html
W32.HLLW.Cozit
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.cozit.html
W32.HLLW.Repsan
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.repsan.html
W32.HLLW.Symten@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.symten@mm.html
PWSteal.Tarno
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.tarno.html
PWSteal.Tarno.B
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.tarno.b.html
W32.Darker.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.darker.worm.html
W32.HLLW.Astef
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.astef.html
W32.Mimail.L@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.l@mm.html
W32.Hostidel.Trojan.C
http://securityresponse.symantec.com/avcenter/venc/data/w32.hostidel.trojan.c.html
W32.Cone.D@mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.cone.d@mm.html
W32.Cycle
http://securityresponse.symantec.com/avcenter/venc/data/w32.cycle.html
W32.Torun
http://securityresponse.symantec.com/avcenter/venc/data/w32.torun.html
Trojan.Hazzer
http://securityresponse.symantec.com/avcenter/venc/data/trojan.hazzer.html
Trojan.Ibiza
http://securityresponse.symantec.com/avcenter/venc/data/trojan.ibiza.html
VBS.Masscal.Worm
http://securityresponse.symantec.com/avcenter/venc/data/vbs.masscal.worm.html
and the list goes on and on...
http://search.symantec.com/custom/us/query.html?col=us+kb&qp=%2Blanguage%3Aen&qs=-url%3A/sarc-intl.nsf/+-url%3A/navintl.nsf/&pw=100%25&qt=%22svchost.exe%22&st=1&nh=10&lk=1
The above pages, sponsored by Symantec, offer a removal solution which
of course employs their Norton AntiVirus software.
A clue to the source of your problem may be found here, in a posting
on the McAfee AntiVirus site:
"PWS-Sagic... Method Of Infection
Trojans do not self-replicate. They are spread manually [i.e.
downloaded or loaded deliberately by the user], often under the
premise that the executable is something beneficial. Distribution
channels include IRC, peer-to-peer networks, newsgroup postings, etc."
http://vil.nai.com/vil/content/v_100896.htm
It appears that Internet Relay Chat protocols (such as MSMessenger and
ICQ), P2P file-sharing programs (such as Kazaa and KazaaLite), and
Media Players and Drivers (such as Divx and NVidia [which contains
Cydoor]) have been associated with this problem.
Other related postings on the McAfee / Network Associates site:
W32/Smibag.worm
http://vil.nai.com/vil/content/v_100692.htm
W32/Cozit.worm
http://vil.nai.com/vil/content/v_99761.htm
W32/Morb@MM
http://vil.nai.com/vil/content/v_100241.htm
IRC-Demfire
http://vil.nai.com/vil/content/v_100054.htm
The above pages, sponsored by Network Associates, offer a removal
solution which of course employs their McAfee AntiVirus software.
Search Strategy
svchost.exe spyware
://www.google.com/search?q=svchost.exe+spyware
http://groups.google.com/groups?q=svchost.exe%20spyware&tab=wg
Before Rating my Answer, if you have any questions or problems with
the above information or need assistance in performing the
identification and removal procedures, please post a Request for
Clarification, and I will be glad to assist you.
I hope that this Answer helps you to resolve your nasty problem, and
that you have smooth surfing once again!
Regards,
aceresearcher
Clarification of Answer by aceresearcher-ga on 25 May 2004 09:27 PDT
Hi, chanlon!
I'm not clear on what you mean by
<< It's definitely not a virus because all of the pc's here do not
have that option.>>
To what option are you referring?
Did you try the Tasklist diagnostic to see what processes are running
through svchost.exe?
"To view the list of services that are running in Svchost:
1) Click Start on the Windows taskbar, and then click Run.
2) In the Open box, type CMD, and then press ENTER.
3) Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows
the list of active services in each process. For more information
about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)"
Once you have done so, please post the results, along with some
clarification of the statement I quoted.
Thanks,
ace
Request for Answer Clarification by chanlon-ga on 25 May 2004 11:58 PDT
<< It's definitely not a virus because all of the pc's here do not
have that option.>>
I was referring to the offline files tab. It's like the standard XP
pro image that comes with the IBM desktops do not have the offline
files tab for some reason.
Here are the results for svchost.exe:
svchost.exe 696 RpcSs
svchost.exe 748 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla,
NWCWorkstation, Schedule, seclogon, SENS,
ShellHWDetection, srservice, Themes, TrkWks,
uploadmgr, W32Time, winmgmt, WZCSVC
svchost.exe 944 Dnscache
svchost.exe 972 LmHosts, RemoteRegistry, SSDPSRV
Thanks again,
Chris
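As an added example (not part of this thread, and not code from any of the tools named in it): a small Python script that parses "tasklist /svc" output in the layout chanlon posted above, assuming the wrapped service lists keep the indentation that tasklist prints, and reports any svchost.exe instance hosting a service that is not on a baseline list. The baseline is an assumption built from the services in the posted output; "WinSvcUpd" is a constructed name included only so the check has something to flag.

```python
import re

# Constructed sample in the layout of the "tasklist /svc" output posted above
# (wrapped services are indented). "WinSvcUpd" under PID 1304 is a made-up name.
SAMPLE_OUTPUT = """\
svchost.exe                  696 RpcSs
svchost.exe                  748 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                 EventSystem, helpsvc, lanmanserver, lanmanworkstation,
                                 Netman, Nla, NWCWorkstation, Schedule, seclogon, SENS,
                                 ShellHWDetection, srservice, Themes, TrkWks, uploadmgr,
                                 W32Time, winmgmt, WZCSVC
svchost.exe                  944 Dnscache
svchost.exe                  972 LmHosts, RemoteRegistry, SSDPSRV
svchost.exe                 1304 WinSvcUpd
System Idle Process            0 N/A
"""

# Assumed baseline: the svchost-hosted services that the clean-looking XP Pro
# output in the thread lists (a local reference, not an official Microsoft list).
KNOWN_SVCHOST_SERVICES = {
    "RpcSs", "AudioSrv", "CryptSvc", "Dhcp", "dmserver", "ERSvc", "EventSystem", "helpsvc",
    "lanmanserver", "lanmanworkstation", "Netman", "Nla", "NWCWorkstation", "Schedule",
    "seclogon", "SENS", "ShellHWDetection", "srservice", "Themes", "TrkWks", "uploadmgr",
    "W32Time", "winmgmt", "WZCSVC", "Dnscache", "LmHosts", "RemoteRegistry", "SSDPSRV",
}

ROW = re.compile(r"^(.+?)\s+(\d+)\s+(.*)$")  # image name, PID, first service chunk

def _services(chunk):
    return [s.strip() for s in chunk.split(",") if s.strip() and s.strip() != "N/A"]

def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}; indented lines continue the last row."""
    procs, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and current is not None:
            procs[current][1].extend(_services(line))   # wrapped service list
            continue
        m = ROW.match(line)       # header and separator rows simply do not match
        if m:
            current = int(m.group(2))
            procs[current] = (m.group(1), _services(m.group(3)))
    return procs

def unknown_svchost_services(procs, baseline=KNOWN_SVCHOST_SERVICES):
    """Map each svchost.exe PID to its hosted services that are not in the baseline."""
    hits = {p: [s for s in svcs if s not in baseline]
            for p, (img, svcs) in procs.items() if img.lower() == "svchost.exe"}
    return {p: extra for p, extra in hits.items() if extra}   # drop clean instances
```

Feed it the saved output of "tasklist /svc" from the machine in question instead of the constructed sample; any service name it reports is the one to look up in the Symantec and McAfee pages listed in the answer.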