Need help to identify virus


Steven Ung

Hello group, I hope someone can help me out.

2~3 days ago, several Win2000/XP (5~10) computers on our network displayed
symptoms of virus infection, but we were unable to identify it. The Norton AV
7.6 Corporate Edition that was running on the PC (with the latest patch) was
apparently disabled.

The following are some of the things that we observed:

1. Extremely high network traffic causing routers/switches/hubs to crash.
2. Constant 100% CPU usage on the infected PC; svchost.exe seems to be the
culprit, but we know that svchost.exe is actually a Windows service
starter/manager, so it must be something else.
3. At Windows 2000 startup, 2~3 extremely fast DOS-like prompts pop up,
and it happens so fast that we're not able to get a glimpse of what they
are trying to run.

Since the built-in AV is already disabled, we've tried scanning with the
online scanners from McAfee and Norton, but none seems able to detect the
problem.

Is there anyone here having the same symptoms? Thanks in advance for any
help.

(Please forgive my crappy English as it is not my first language.)
 

Jack the Bear

> 2. Constant 100% CPU usage on the infected PC; svchost.exe seems to be the
> culprit, but we know that svchost.exe is actually a Windows service
> starter/manager, so it must be something else.

Where is this svchost.exe? And are you sure the spelling is exactly correct?
The only good one on Win2K is in system32; any others are misplaced, or bad.
A good svchost could also be running a bad DLL. More information needed.

In any event take the infected PCs off the network.

- Jack.
 

Steven Ung

Jack the Bear said:
> Where is this svchost.exe? And are you sure the spelling is exactly correct?
> The only good one on Win2K is in system32; any others are misplaced, or bad.
> A good svchost could also be running a bad DLL. More information needed.

A check reveals two svchost.exe files on the system: one in system32, the
other in system32\dllcache. I compared both (binary comparison,
fc svchost.exe \dllcache\svchost.exe /b), but no difference was found.

> In any event take the infected PCs off the network.

Yes, already did that.

I managed to pause one of the DOS windows (at startup) and saw the line "C$
was deleted successfully".

Thanks for the feedback.
 

Jack the Bear

> A check reveals two svchost.exe files on the system: one in system32, the
> other in system32\dllcache. I compared both (binary comparison,
> fc svchost.exe \dllcache\svchost.exe /b), but no difference was found.
>
> I managed to pause one of the DOS windows (at startup) and saw the line "C$
> was deleted successfully".
>
> Thanks for the feedback.

The C share? I'm way out of my depth when it comes to the NT-based stuff;
I'm on Win98 and hope never to see XP or whatever comes after. That
being said, do you have MSInfo32.exe on this machine? If not, move a copy
over from any machine that has one, and look at the running tasks. Aside
from that, I'd say you're going to be busy in the registry. If you need an
MSInfo32, mail me and I can provide one from Win98SE. My email is
correct. Put "ACA-V" or "ACV" in the subject line, so my spam and worm
filters don't hide it on me.

- Jack the Bear.

kurt wismer

Steven said:
> Hello group, I hope someone can help me out.
>
> 2~3 days ago, several Win2000/XP (5~10) computers on our network displayed
> symptoms of virus infection, but we were unable to identify it. The Norton AV
> 7.6 Corporate Edition that was running on the PC (with the latest patch) was
> apparently disabled.
>
> The following are some of the things that we observed:
>
> 1. Extremely high network traffic causing routers/switches/hubs to crash.
> 2. Constant 100% CPU usage on the infected PC; svchost.exe seems to be the
> culprit, but we know that svchost.exe is actually a Windows service
> starter/manager, so it must be something else.

Process Explorer (from http://www.sysinternals.com) can tell you what
services a particular instance of svchost.exe is hosting...

> 3. At Windows 2000 startup, 2~3 extremely fast DOS-like prompts pop up,
> and it happens so fast that we're not able to get a glimpse of what they
> are trying to run.
>
> Since the built-in AV is already disabled, we've tried scanning with the
> online scanners from McAfee and Norton, but none seems able to detect the
> problem.
>
> Is there anyone here having the same symptoms? Thanks in advance for any
> help.
>
> (Please forgive my crappy English as it is not my first language.)

Have you tried doing a full system scan after restarting in safe mode?
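The checks Jack and Kurt ask for (is the binary in system32, is the name spelled exactly right, which services does each svchost.exe instance host) can be scripted from two built-in commands instead of Process Explorer. The script below is an added example, not code from this thread; it assumes %SystemRoot% is C:\WINDOWS, that `tasklist /svc /fo csv` is available (it shipped with Windows XP, not Windows 2000) and that `wmic process` can report executable paths. The sample command output is constructed so the script runs offline; the look-alike name pattern is a hypothetical one covering common misspellings.

```python
"""svchost.exe triage from `tasklist /svc` and `wmic process` output.

Added example, not code from the thread. Flags svchost instances that sit
outside the canonical path, names that merely look like svchost.exe, and
instances that host no service at all, and lists what each one hosts.
"""
import csv
import io
import os
import re
import subprocess

# Assumption: %SystemRoot% is C:\WINDOWS. Adjust for WINNT installs.
CANONICAL_PATH = r"C:\WINDOWS\system32\svchost.exe"

# Hypothetical look-alike pattern: matches svchost.exe itself plus common
# misspellings a worm might use (scvhost, svch0st, svhost, svchost32).
LOOKALIKE = re.compile(r"^s[vc]{1,2}h[o0]st(32)?\.exe$", re.IGNORECASE)

# Constructed sample of `tasklist /svc /fo csv` output.
SAMPLE_TASKLIST = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","820","RpcSs"
"svchost.exe","892","Dnscache,LanmanWorkstation,Schedule"
"svchost.exe","1244","N/A"
"scvhost.exe","1380","N/A"
'''

# Constructed sample of `wmic process get ProcessId,ExecutablePath /format:csv`
# (wmic prints a blank line before the header).
SAMPLE_WMIC = r'''
Node,ExecutablePath,ProcessId
HOST1,C:\WINDOWS\system32\svchost.exe,820
HOST1,C:\WINDOWS\system32\svchost.exe,892
HOST1,C:\WINDOWS\svchost.exe,1244
HOST1,C:\WINDOWS\system32\scvhost.exe,1380
'''


def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from tasklist CSV output."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        svcs = [] if row["Services"] == "N/A" else row["Services"].split(",")
        out[int(row["PID"])] = (row["Image Name"], svcs)
    return out


def parse_wmic(text):
    """Map PID -> executable path from wmic CSV output (rows with no path,
    such as System, are skipped)."""
    out = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        if row["ExecutablePath"]:
            out[int(row["ProcessId"])] = row["ExecutablePath"]
    return out


def triage(tasklist_text, wmic_text, canonical=CANONICAL_PATH):
    """Return one record per svchost-like process with the reasons it is
    suspect (an empty reasons list means it passed every check)."""
    procs = parse_tasklist(tasklist_text)
    paths = parse_wmic(wmic_text)
    findings = []
    for pid, (image, svcs) in sorted(procs.items()):
        if not LOOKALIKE.match(image):
            continue
        path = paths.get(pid, "")
        reasons = []
        if image.lower() != "svchost.exe":
            reasons.append("look-alike name")
        if path.lower() != canonical.lower():
            reasons.append("unexpected path")
        if image.lower() == "svchost.exe" and not svcs:
            reasons.append("hosts no services")
        findings.append({"pid": pid, "image": image, "path": path,
                         "services": svcs, "reasons": reasons})
    return findings


def collect_live():
    """Run the two commands on a Windows host (XP or later)."""
    tl = subprocess.run(["tasklist", "/svc", "/fo", "csv"],
                        capture_output=True, text=True, check=True).stdout
    wm = subprocess.run(["wmic", "process", "get", "ProcessId,ExecutablePath",
                         "/format:csv"],
                        capture_output=True, text=True, check=True).stdout
    return tl, wm


if __name__ == "__main__":
    tl, wm = collect_live() if os.name == "nt" else (SAMPLE_TASKLIST, SAMPLE_WMIC)
    for f in triage(tl, wm):
        flag = "SUSPECT" if f["reasons"] else "ok     "
        print(f"{flag} pid={f['pid']:<6} {f['image']:<14} {f['path'] or '?'}"
              f"  services={','.join(f['services']) or '-'}  {'; '.join(f['reasons'])}")
```

A genuine svchost.exe that hosts no service at all is worth a look too: a worm that injects into a real svchost, or a binary copied to the right name, will show a clean path and an empty service list. Run it on a box already pulled off the network, since a missing or disabled AV is itself part of the picture here.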
 

Steven Ung

kurt wismer said:
> Process Explorer (from http://www.sysinternals.com) can tell you what
> services a particular instance of svchost.exe is hosting...
>
> Have you tried doing a full system scan after restarting in safe mode?

NAV refuses to start, even in safe mode. But since we can't delay too long
on this problem, we had to resort to the dreaded re-formatting option.

If I'm not mistaken, this problem is due to PCs that have not been updated
with the Windows critical update that corrects the DCOM RPC vulnerability.

It can be easily fixed by going to Windows Update, but the viral/trojan
infection prevents you from going to the internet. More information can be
obtained from
http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.blaster.worm.html.
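The "extremely high network traffic" in the first post is what a worm looks like from the infected side: a flood of half-open connections to one port on host after host. On the box doing the scanning, `netstat -an` shows those as SYN_SENT entries, and the remote port they cluster on tells you which service is being attacked before anyone has named the worm. The script below is an added example, not code from this thread; it keys on TCP 135 because the DCOM RPC vulnerability the last post points at is reached through the RPC endpoint mapper on that port, but the port profile needs no prior knowledge of the port. The netstat output is constructed, and the fan-out threshold is an illustrative assumption.

```python
"""Spot worm scanning in `netstat -an` output.

Added example, not code from the thread. Save `netstat -an` from the
infected host to a file and pass the file name as the first argument, or
run with no arguments to use the constructed sample below.
"""
import re
import sys
from collections import Counter, defaultdict

RPC_EPMAP_PORT = 135   # TCP port of the RPC endpoint mapper (DCOM RPC)
FANOUT_THRESHOLD = 20  # assumption: distinct targets before we call it a scan

# One Windows netstat line, e.g.
# "  TCP    192.168.1.10:1054      10.7.0.1:135           SYN_SENT"
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")

# Constructed sample: normal listeners and one SMB session, then 40 half-open
# connections to TCP 135 on 40 different hosts, plus one stray to port 80.
SAMPLE_NETSTAT = (
    "\nActive Connections\n\n"
    "  Proto  Local Address          Foreign Address        State\n"
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
    "  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING\n"
    "  TCP    192.168.1.10:1025      192.168.1.5:445        ESTABLISHED\n"
    + "".join(
        f"  TCP    192.168.1.10:{1100 + i:<5}  10.7.0.{i + 1}:135         SYN_SENT\n"
        for i in range(40))
    + "  TCP    192.168.1.10:1200      10.7.1.1:80            SYN_SENT\n"
    "  UDP    0.0.0.0:445            *:*\n"
)


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state)
    for every connection line; header and blank lines are ignored."""
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            yield proto, lip, int(lport), rip, rport, state or ""


def synsent_port_profile(text):
    """Remote ports of all half-open TCP connections. A worm hunting one
    vulnerable service shows up as a single port with a huge count."""
    profile = Counter()
    for proto, _lip, _lport, _rip, rport, state in parse_netstat(text):
        if proto == "TCP" and state == "SYN_SENT":
            profile[rport] += 1
    return profile


def half_open_fanout(text, port=RPC_EPMAP_PORT):
    """Number of distinct remote hosts each local address has a SYN_SENT
    connection to on `port`."""
    targets = defaultdict(set)
    for proto, lip, _lport, rip, rport, state in parse_netstat(text):
        if proto == "TCP" and state == "SYN_SENT" and rport == str(port):
            targets[lip].add(rip)
    return {lip: len(rips) for lip, rips in targets.items()}


def scanning_hosts(text, port=RPC_EPMAP_PORT, threshold=FANOUT_THRESHOLD):
    """Local addresses whose fan-out on `port` reaches the threshold."""
    return sorted(lip for lip, n in half_open_fanout(text, port).items()
                  if n >= threshold)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    print("SYN_SENT by remote port:", synsent_port_profile(text).most_common(5))
    print("fan-out on TCP %d:" % RPC_EPMAP_PORT, half_open_fanout(text))
    print("scanning hosts:", scanning_hosts(text))
```

The same fan-out count works on a capture or flow export taken at the switch, which is the better vantage point once the infected machines have been unplugged: any host still showing a large SYN-only fan-out on one port is one you have not found yet.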
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top