HELP ... SVCHOST.EXE

IQY

I HAVE 4 SVCHOST APPLICATIONS RUNNING when I start my
machine. When I try to end process on one of the SYSTEM
based svchosts I get a pop up from the NT AUTHORITIES -
PROMPTING A SHUT DOWN - SIMILAR TO THE POP UP THAT THE
WELCHIA WORM ANNOUNCES.

VIRUS SCANS HAVE DETECTED NOTHING.

HOW CAN I SOLVE THIS PROBLEM?

THANKS.
 
SVCHOST.EXE is the process responsible for system services.
It's normal to see numerous instances of them in the task
manager. Based on the info you gave, there's no evidence of a virus.
However, run a full system scan for peace of mind:
http://www.pandasoftware.com/activescan/com/

Dave
 
It is normal for several instances of SVCHOST to be running - on a
fresh install of XP I see four SVCHOST processes running, too. In itself
this does not indicate a problem.

It is the Blaster worm that does the shutdown countdown, not the Welchia
worm. Have you patched the OS and used one of the FixBlast tools
available for Blaster to be sure it's not there? I suggest going to the
Symantec site and getting the FixBlast removal tool.

One of the things these worms can do is prevent many popular a/v
products from detecting them, or at least from reporting that the
infection is found, and even when some a/v products detect and clean the
infection they don't necessarily repair the damage done to the
registry. In other words, one cannot rely solely on a/v products.

Steve
 
Greetings --

It's perfectly normal to have several instances of Svchost.exe
running:

A Description of Svchost.exe in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314056

However:

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
I have run a virus scan using Norton (with updated
definitions), and it did not detect anything. I did have
a Welchia worm a few weeks back, but I removed it (may not
have completely been removed), there is still a trace of
it running in the background processes, I think (in the
form of that SVCHOST.EXE file that prompts the NT
AUTHORITIES shut down, if closed).

When I try and close this background file ("End Task"), it
causes my computer to shut down. This is not normal,
bearing in mind that no virus is being detected. It's
hidden in the registry! I tried remastering my computer,
and it is still running in the background processes (in
the form of one of the SVCHOST.EXE files).

How could I remove the bad part of the SVCHOST.EXE file?

Thank you
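
Added example, not part of any post in this thread: a Python check that pairs each svchost.exe instance with the services it hosts and the path of its image, which is how to tell the normal instances the replies describe from an impostor. It also marks the instance hosting RpcSs, because ending the RPC service is what brings up the NT AUTHORITY\SYSTEM shutdown countdown. The sample data is constructed; the CSV column names of `tasklist /svc /fo csv` and `wmic ... /format:csv` and the default `C:\WINDOWS` system root are assumptions.

```python
import csv
import io
import ntpath

# Constructed sample of `tasklist /svc /fo csv` output (not from the thread).
TASKLIST_SVC = '''"Image Name","PID","Services"
"svchost.exe","884","DcomLaunch,TermService"
"svchost.exe","952","RpcSs"
"svchost.exe","1044","AudioSrv,Dhcp,Schedule,wuauserv"
"svchost.exe","1716","N/A"
"explorer.exe","1580","N/A"
'''

# Constructed sample of
# `wmic process where "name='svchost.exe'" get ExecutablePath,ProcessId /format:csv`
WMIC_PATHS = r'''Node,ExecutablePath,ProcessId
XPBOX,C:\WINDOWS\system32\svchost.exe,884
XPBOX,C:\WINDOWS\system32\svchost.exe,952
XPBOX,C:\WINDOWS\System32\svchost.exe,1044
XPBOX,C:\WINDOWS\Temp\svchost.exe,1716
'''

EXPECTED_DIR = r"c:\windows\system32"  # assumption: default %SystemRoot%


def audit_svchost(tasklist_csv, wmic_csv, expected_dir=EXPECTED_DIR):
    """Return one finding dict per svchost.exe instance."""
    paths = {row["ProcessId"].strip(): row["ExecutablePath"].strip()
             for row in csv.DictReader(io.StringIO(wmic_csv))
             if row.get("ProcessId")}
    findings = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        services = [] if row["Services"] == "N/A" else row["Services"].split(",")
        path = paths.get(row["PID"], "")
        reasons = []
        if not path:
            reasons.append("image path unavailable")
        elif ntpath.dirname(path).lower() != expected_dir:
            reasons.append("image not in System32")
        if not services:
            reasons.append("hosts no services")  # genuine instances host services
        findings.append({"pid": int(row["PID"]), "services": services,
                         "path": path, "hosts_rpc": "RpcSs" in services,
                         "suspicious": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_svchost(TASKLIST_SVC, WMIC_PATHS):
        print(finding)
```

An instance with an empty `suspicious` list is consistent with the normal service hosts described in the replies; anything flagged deserves a closer look at the file itself before it is ended or deleted.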
 
