scvhost.exe virus/bug....also known as w32 worm blaster.

Ryan

I know a lot of you have probably heard about this problem
before, and I know you have because I've been searching all
over the internet for answers, yet I find my "version" of
this bug different from everyone else's that is posted.

Details.

I'm running Windows XP Pro. I just reinstalled Windows
because my Windows had screwed up a while ago. I did not
reinstall OVER the old Windows directory for fear of
losing some of the important info that I wanted to
extract from the old Windows before I installed the new
one...so I have a second Windows folder for the moment,
and that is what I'm running off of.

The main problem is the scvhost.exe process. When I do
Ctrl+Alt+Del I get a bunch of processes that are supposed
to be there, but I see 4 scvhost.exe processes being run
and 1 of them is taking a good 60% of my CPU power; that
plus system and whatever else I'm running makes me have
about 0% free CPU, so games and such run very choppy.

Anyways, for those of you that know, this worm is renowned
because it gives you these messages every now and then
that say your computer will restart in 60 seconds...then
at the end of the 60 seconds it does indeed restart. I've
had some help from somebody and we changed Remote
Procedure Call so that the 3 tabs in Recovery are set to
"take no action". That made it so I don't get that message
to restart in 60 seconds at random times. However, it still
happens if I try to end task on the file in Task Manager.

The really, really annoying part about this worm, though, is
that it's extremely tough to get rid of. When you try to use
Windows Update or a virus checker, they immediately CLOSE.
NO error message..they just close like somebody is
CLOSING them by hitting the cancel button. I've read in
some forums and some people say the Blaster is made to
not allow Windows Update to patch it, but not even my
virus checkers work.

Anyways, I'm really stumped. I can't figure out how to
delete it and I was thinking about reinstalling Windows,
but the person I was talking to said it might just
come back again like last time.

Anyways, if I can't figure this out soon I'm going to have
to reformat, which is a big pain for me because I have so
many programs, and 56k makes it very hard to redownload
the updates and other various programs I need.

Anyways, any suggestions would be appreciated. If I find
anything else out that works I'll post it right away.
 
Shenan Stanley

If you did not patch the machine (or at least turn on the firewall and then
patch) before you reconnected to the internet, that is how you got blaster.

Blaster is easy to get rid of.

First - go here:
http://www.microsoft.com/security/incident/blast.asp

Once you get there - PRINT IT.. If the shutdown message appears, click on
START, select RUN and type in the following line:

shutdown -a

and click OK.

That will abort the shutdown and you can continue cleaning the machine.

After you have followed Microsoft's fine instructions, do these things to
really clean up the machine.. There is no telling what other parasites might
be hanging out in your computer:

(Some of this may be repeats of what Microsoft told you..)
Turn on that firewall...
http://www.microsoft.com/WindowsXP/home/using/howto/homenet/icf.asp
(It has been reported that it now works with AOL 9.0+)


Make sure you have all the updates (critical) installed from:
http://windowsupdate.microsoft.com/
(Scan for updates, Review and Install)


Get rid of the spy/ad/mal-ware..
(Yes - using MORE than one of these..
I recommend at least the first three.)

Spybot Search and Destroy
http://www.safer-networking.net/

Lavasoft AdAware
http://www.lavasoft.de

CWSShredder
http://www.spywareinfo.com/~merijn/downloads.html

Hijack This!
http://mjc1.com/mirror/hjt/

I also like "The Cleaner" and "SpywareBlaster" and "SpywareGuard".
- http://www.moosoft.com/
- http://www.javacoolsoftware.com/

The first is a PAY product, but useable for 30 days - it has found and
eliminated problems in the past the others did not. The latter two are
prevention mechanisms. I like SpywareGuard for those with enough processor
to have something running like antivirus software - and it prevents browser
hijacking quite well.


An Assortment of Others:
http://www.merijn.org/downloads.html


After you clean up your PC somewhat of spy/ad/mal-ware, verify your antivirus
software is updated and run a full scan of your computer. If you have no
antivirus software - get one NOW! Grisoft AntiVirus:
http://www.grisoft.com/us/us_dwnl_free.php


Empty your Temporary Internet Files and shrink the size it stores to about
80 to 120MB (seems to be an optimal size for the normal user)
- Open ONE copy of Internet Explorer.
- Select TOOLS -> Internet Options.
- Under the General tab in the "Temporary Internet Files" section,
  do the following:
  - Click on "Delete Cookies" (click OK)
  - Click on "Settings" and change the
    "Amount of disk space to use:" to something between 80MB
    and 120MB. (Betting it is MUCH larger right now.)
  - Click OK.
  - Click on "Delete Files" and select to
    "Delete all offline contents" (the checkbox) and click
    OK. (If you had a LOT, this could take 2-10 minutes or
    more.)
- Once it is done, click OK, close Internet Explorer
- Re-open Internet Explorer.


Uninstall any software you do not use often/ever. (If you have something
installed but never use it, uninstall it.) If you go through Control
Panel -> Add/Remove Programs and see things you seldom if ever use, it is to
your advantage to remove it.
 
Darrell Gorter[MSFT]

Hello Ryan,
First, order the security CD, which contains most of the security patches. If
you decide to reinstall, you can install the patches before connecting to
the Internet so as to reduce the amount of exposure that your machine is
subject to.
http://www.microsoft.com/security/protect/cd/order.asp

To look at what processes are running in svchost, open a command prompt.
From the command prompt run tasklist /svc. This will show all the running
processes that are shown in Task Manager plus what the hosted processes
are inside of each instance of Svchost.exe. To see which one is causing
the pain, look at the PID number in Task Manager and then locate that same
number in the output from tasklist.

Svchost.exe is described in this article, as well as the usage of tasklist:
http://support.microsoft.com/?id=314056

Most of the processes running in svchost should not be killed. So killing
svchost could very well restart your system.
Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
| From: "Ryan" <[email protected]>
| Sender: "Ryan" <[email protected]>
| Subject: scvhost.exe virus/bug....also known as w32 worm blaster.
| Date: Fri, 20 Feb 2004 17:58:40 -0800
| Newsgroups: microsoft.public.windowsxp.general
|
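
The PID lookup Darrell describes, as an added example that is not part of the thread or any poster's code: Python that parses saved `tasklist /svc` output, returns the services hosted under a given PID, and goes one step further by flagging image names that resemble but do not match svchost.exe (such as the scvhost.exe spelling in the thread title). The sample output, PIDs, function names and the 0.8 similarity threshold are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample in `tasklist /svc` layout; PIDs and groupings are illustrative.
SAMPLE = """\
Image Name                   PID Services
========================= ====== ============================================
System Idle Process            0 N/A
svchost.exe                  856 DcomLaunch, TermService
svchost.exe                  924 RpcSs
svchost.exe                 1012 AudioSrv, BITS, CryptSvc, Dhcp, EventSystem,
                                 wuauserv
scvhost.exe                 1764 N/A
explorer.exe                1520 N/A
"""

def parse_tasklist_svc(text):
    """Parse into [{'image', 'pid', 'services'}] using the ==== ruler for column bounds."""
    lines = text.splitlines()
    ruler = next(l for l in lines if l.startswith("=="))
    (i0, i1), (p0, p1) = [m.span() for m in re.finditer(r"=+", ruler)][:2]
    rows = []
    for line in lines[lines.index(ruler) + 1:]:
        image, pid = line[i0:i1].strip(), line[p0:p1].strip()
        names = [s.strip() for s in line[p1:].split(",") if s.strip() not in ("", "N/A")]
        if not image and rows:      # wrapped line: more services for the previous PID
            rows[-1]["services"] += names
        elif image:
            rows.append({"image": image, "pid": int(pid), "services": names})
    return rows

def services_for_pid(rows, pid):
    """The lookup from the post: services hosted by the PID seen in Task Manager."""
    return next((r["services"] for r in rows if r["pid"] == pid), None)

def suspicious_images(rows, legit="svchost.exe", threshold=0.8):
    """Flag near-miss spellings of svchost.exe, and svchost.exe rows hosting no service."""
    flagged = []
    for r in rows:
        name = r["image"].lower()
        if name == legit and not r["services"]:
            flagged.append((r["pid"], r["image"], "no hosted services"))
        elif name != legit and SequenceMatcher(None, name, legit).ratio() >= threshold:
            flagged.append((r["pid"], r["image"], "lookalike name"))
    return flagged

if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE)
    print(services_for_pid(rows, 1012), suspicious_images(rows))
```

To use it on a real machine, save the command's output with `tasklist /svc > tasks.txt` and pass the file's contents to `parse_tasklist_svc`.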
 
