Apparent virus after scan/removal

Sadie

Please check carefully the spelling of the "svhost.exe" you mention. It is quite normal to have more than two instances of svchost.exe running in Task Manager, depending on your services configurations. Some trojans and virii masquerade as legitimate processes, with variations upon the spelling: scvhost.exe, for example. Or, a listing in upper case, such as SVCHOST(S).EXE

lsass.exe is normal. How many are in Task Manager?

Is anything consuming an inordinate amount of CPU?

You mention a Blaster infection. It is possible that Nachi got in and tried to clean it (which was Nachi's purpose, though it was really bad at it, and leaves a backdoor open on the O.S.)

Another possibility: Blaster fall-out. Post Blaster infection, after the infection is cleaned, the local computer sends "attacking" signals back to itself.

Are you up to date with ALL critical patches?

Sadie

-----Original Message-----
It looks like I have virus(es):
-lsass.exe. and up to 4 versions of svhost.exe show up in Task Manager
-Firewall (McAfee) intercepts strange outgoing processes
-Virus scanner (McAfee) sends note about Nachi
BUT,
I've scanned system with McAfee (updated definitions)
and Symantec on line tool: nothing found. I've done
security updates thru 5/10. I've done Sasser check:
nothing. I removed Blaster 5/7 successfully following
Jupiter Jones and Microsoft instructions. I've done Sys
Restore off then back on. No more unexpected shut
downs. Running XP Home.
 
Guest

Thanks for advice.
It is "svchost.exe", varying from 400 to 1500 kb in Task Manager. Only one lsass.exe.
No processes causing big CPU use. I did have that problem with a dialup accelerator, but it went away when I removed the accelerator.
All critical patches available last week went in. I had a problem at one point with the download being interrupted but my machine said the patch was installed (it wasn't). I searched for files with its name, deleted them, then started over. Does the update in MS04-011 take the place of some previous patches (like for Blaster)?

How deal with "blaster fall out"?
 
Sadie

Don't fret too much about Blaster fallout.

I don't know exactly what the problem is. I am trying to think of the quickest way of resolving this.

Go to Start > Run > type cmd
click O.K.

In the command box that opens, carefully type tasklist /svc

hit enter

Next, right click on the frame of the command box (the blue bit at the top), choose Edit > Select All > right click on frame again > choose Edit > select Copy

Then paste the resultant text here. Like this:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     328 N/A
csrss.exe                    380 N/A
winlogon.exe                 404 N/A
services.exe                 448 Eventlog, PlugPlay
lsass.exe                    460 ProtectedStorage
svchost.exe                  652 DcomLaunch
svchost.exe                  692 RpcSs
svchost.exe                  740 AudioSrv, CryptSvc,
                                 Dhcp, Netman, RasMan,
                                 SharedAccess,
                                 ShellHWDetection, TapiSrv,
                                 Themes, winmgmt
Zanda.exe                    868 Norman ZANDA
explorer.exe                1100 N/A
Njeeves.exe                 1104 Norman NJeeves
Nvcoas.exe                  1164 nvcoas
Nipsvc.exe                  1184 NipSvc
Nvcsched.exe                1196 NVCScheduler
Zlh.exe                     1512 N/A
Nymse.exe                   1604 N/A
Nip.exe                     1616 N/A
CClaw.exe                   1628 N/A
sgmain.exe                  1808 N/A
sgbhp.exe                   1824 N/A
IEXPLORE.EXE                2324 N/A
AcroRd32.exe                2272 N/A
cmd.exe                     5680 N/A
tasklist.exe                5460 N/A
wmiprvse.exe                5868 N/A

Shut down the command box by typing exit
then hit enter.

If you have scanned at Windows Update, are you missing any "critical" patches?

Sadie
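
The spelling check from the first reply, applied to pasted tasklist /svc output, as an added example that is not part of the thread or any poster's code. The function names, the one-edit threshold and the SAMPLE listing (with made-up PIDs) are assumptions constructed for illustration.

```python
import re
WATCHED = ("svchost.exe", "lsass.exe")            # names the thread says get imitated
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")   # image name, PID, services

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters costs 1."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def parse_tasklist_svc(text):
    """Return [image, pid, [services]] rows; tolerant of spacing lost in a forum paste."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)            # banner, header and ===== ruler never match
        if m:
            svcs = [s.strip() for s in m.group(3).split(",") if s.strip() not in ("", "N/A")]
            rows.append([m.group(1), int(m.group(2)), svcs])
        elif line[:1].isspace() and line.strip() and rows:   # wrapped Services column
            rows[-1][2] += [s.strip() for s in line.split(",") if s.strip()]
    return rows

def review(rows):
    """Flag one-edit lookalikes and odd case (2 edits would hit smss.exe vs lsass.exe)."""
    findings = []
    for image, pid, _services in rows:
        for good in WATCHED:
            dist = osa_distance(image.lower(), good)
            if dist == 1 or (dist == 0 and image != good):
                why = "lookalike of" if dist else "unusual case for"
                findings.append((pid, image, f"{why} {good}"))
    return findings

SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
smss.exe                     328 N/A
lsass.exe                    460 ProtectedStorage
svchost.exe                  740 AudioSrv, CryptSvc,
                                 Dhcp, Netman
scvhost.exe                 1720 N/A
SVCHOST.EXE                 1844 N/A
"""
```

Calling review(parse_tasklist_svc(SAMPLE)) reports only the two constructed impostor rows; the genuine smss.exe, lsass.exe and svchost.exe entries pass.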
 
Sadie

Chris,

It's really late here, now. What I'll do is throw the stock links at you. You can use what is pertinent to the situation:

Stinger (best saved to floppy) will scan for all the 40 or so big-name viruses:

stinger:
http://vil.nai.com/vil/stinger/

Spybot Search And Destroy. An amazingly sophisticated piece of freeware. So much more than just a spyware hunter:

http://safer-networking.org/

Browser Hijacking fixes:

http://www.spywareinfo.com/~merijn/downloads.html

http://www.computercops.biz/zx/phoenix22/cws.zip

Free DOS version of f-secure Anti-virus:
http://www.f-secure.com/download-purchase/tools.shtml

F-Secure's free disinfection tools page, covering all major, highly publicised virii:

http://www.f-secure.com/download-purchase/tools.shtml

Free Trojan and premium rate dialer seeking programme:

http://www.emsisoft.com/en/

Stop rogue ActiveX controls getting onto your P.C. in the first place (works spectacularly well alongside Spybot):

http://www.javacoolsoftware.com/spywareblaster.html

Virus fixing tools available on site:

http://www.norman.com

Sygate's free firewall:

http://smb.sygate.com/products/spf_standard.htm

Lots of free tools to control cookies, scripts etc:

http://www.analogx.com/contents/download/system.htm

Spyware related forums:

http://www.spywareinfo.com/forums/index.php?showforum=30
http://computercops.biz/forum67.html
http://forum.aumha.org/viewforum.php?f=30
http://forums.net-integration.net/index.php?showforum=32
http://cexx.org

Close those problematic ports with this how-to guide from my idol, Black Viper. (Be aware, these recommendations will not be compatible with everyone's set-up. Take BV's advice):

http://www.blackviper.com/WinXP/servicecfg.htm

Quite possibly the best piece of freeware of all time, The D'combobulator. NOT a problem those using Windows 98 need worry about (use at your discretion):

http://grc.com/dcom/

How to enable the XP firewall, if you don't have a third party one installed:

http://support.microsoft.com/?kbid=320855

Free Virus scans at any of the locations below:

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Someone in your timezone will be along in a minute, I expect!

Sadie
 
Guest

I tried "tasklist /svc" in a command box but it is an unrecognized command.

Thanks for your suggestions.
 
