URGENT: Svchost.exe

Keith

Today I ran something I probably shouldn't have from a website. I am
patched to the hilt and run Norton AV and Internet Security so thought I
would be OK. The only patch I don't have is SP2 (because it screws up my
bluetooth adapter).

Norton immediately threw up a warning that svcnet.exe was trying to access
the internet, so I blocked it.

However, now every time I reboot I get the following registry keys added to
my registry:

Local Machine\Software\Microsoft\Windows\CurrentVersion\Run\
Generic Host Process - REG_SZ - C:\WINDOWS\System32\scvhost.exe

Local Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell - REG_SZ - Explorer.exe C:\WINDOWS\System32\scvhost.exe

Also My Computer opens every time I boot.

I have run Adaware, which detects the reg keys and removes them, and also MS
Antispy which detects nothing.

Also run a full system scan with Norton and nothing detected.

Yet every time I reboot, these reg keys are there even though I delete them.

Help please. Is this something to worry about.

Keith

Also, svchost.exe and lsass.exe are both active processes with open ports.

lsass.exe has port 500 open

and

svchosts.exe has ports 1900, 123, 1101, 1065, 5000, 1025, 146 open

John E. Carty

Keith said:
Also, svchost.exe and lsass.exe are both active processes with open ports.

lsass.exe has port 500 open

and

svchosts.exe has ports 1900, 123, 1101, 1065, 5000, 1025, 146 open

Possibly a worm on your system:

W32.HLLW.Lovgate@mm is a mass mailing worm that attempts to email itself to
all the email addresses that it finds in the files with the file extension
that starts with "ht" (for example, all the .htm or .hta files). The subject
and attachment of the incoming email will be chosen from a predetermined
list.

W32.HLLW.Lovgate@mm also attempts to copy itself to all the computers on a
local network, and then infect these computers. The worm also has a backdoor
Trojan capability. By default, the Trojan component listens on port 10168.

If the infected computer is running Windows NT, 2000, or XP, the worm will
attempt to disguise itself as the normal Windows process, "LSASS.EXE."

W32.HLLW.Lovgate@mm is written in the C++ programming language and is
compressed with ASPack.

Type: Worm
Infection Length: 77,312 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows
XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux

DanS

Keith said:
Also, svchost.exe and lsass.exe are both active processes with open
ports.

lsass.exe has port 500 open

and

svchosts.exe has ports 1900, 123, 1101, 1065, 5000, 1025, 146 open

the key says SCVHOST.exe NOT SVCHOST.EXE

Local Machine\Software\Microsoft\Windows\CurrentVersion\Run\
Generic Host Process - REG_SZ - C:\WINDOWS\System32\scvhost.exe

obvious maliciousness.

Fin

Keith said:
Today I ran something I probably shouldn't have from a website. I am
patched to the hilt and run Norton AV and Internet Security so thought I
would be OK. The only patch I don't have is SP2 (because it screws up my
bluetooth adapter).

Norton immediately threw up a warning that svcnet.exe was trying to access
the internet, so I blocked it.

However, now every time I reboot I get the following registry keys added to
my registry:

Local Machine\Software\Microsoft\Windows\CurrentVersion\Run\
Generic Host Process - REG_SZ - C:\WINDOWS\System32\scvhost.exe

Local Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell - REG_SZ - Explorer.exe C:\WINDOWS\System32\scvhost.exe

Also My Computer opens every time I boot.

I have run Adaware, which detects the reg keys and removes them, and also
MS Antispy which detects nothing.

Also run a full system scan with Norton and nothing detected.

Yet every time I reboot, these reg keys are there even though I delete
them.

Help please. Is this something to worry about.

Hi

I had exactly the same thing happen.

I had spybot installed that did not detect it.
I had adaware installed, again it didn't detect it, and I had AVG antivirus that
did not pick it up and an online scan that did not pick it up.

It was trying to phone home and it was trying to contact some third party
site unknown. Again it stopped when I reinstalled and wiped the hard drive.

Fin

DanS said:
the key says SCVHOST.exe NOT SVCHOST.EXE

Local Machine\Software\Microsoft\Windows\CurrentVersion\Run\
Generic Host Process - REG_SZ - C:\WINDOWS\System32\scvhost.exe

obvious maliciousness.

the worrying thing was that again, just like this gentleman, the ONLY thing
that made me aware of it was the FIREWALL, nothing else detected it, that is
what spooked me, including trend online antivirus sweep.

DanS

Hi

I had exactly the same thing happen.

I had spybot installed that did not detect it.
I had adaware installed, again it didn't detect it, and I had AVG antivirus
that did not pick it up and an online scan that did not pick it up.

It was trying to phone home and it was trying to contact some third
party site unknown. Again it stopped when I reinstalled and wiped the
hard drive.

here's a link to some security shareware tools,
http://www.diamondcs.com.au/ , which have a trial limit, worth
evaluating.

Keith

Thanks

Are there any reg keys etc. other than the obvious CurrentVersion\Run to
load stuff at startup or shutdown?

I am trying to avoid a format, and I can't believe that this can't be killed
off without one.

There must be something running that is reloading these reg keys every time I
reboot.

V Green

Keith said:
Today I ran something I probably shouldn't have from a website. I am
patched to the hilt and run Norton AV and Internet Security so thought I
would be OK. The only patch I don't have is SP2 (because it screws up my
bluetooth adapter).

What was it you did, and from what site?

We won't roast you for it, we promise....

and we need to know what you did in order to help you.

It's possible you have something new, that's not in anybody's
virus def files yet, and is not being detected.

Malke

Keith said:
Today I ran something I probably shouldn't have from a website. I am
patched to the hilt and run Norton AV and Internet Security so thought
I would be OK. The only patch I don't have is SP2 (because it screws up
my bluetooth adapter).

Norton immediately threw up a warning that svcnet.exe was trying to
access the internet, so I blocked it.

However, now every time I reboot I get the following registry keys
added to my registry:

Local Machine\Software\Microsoft\Windows\CurrentVersion\Run\
Generic Host Process - REG_SZ - C:\WINDOWS\System32\scvhost.exe

Local Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell - REG_SZ - Explorer.exe C:\WINDOWS\System32\scvhost.exe

Also My Computer opens every time I boot.

I have run Adaware, which detects the reg keys and removes them, and
also MS Antispy which detects nothing.

Also run a full system scan with Norton and nothing detected.

Yet every time I reboot, these reg keys are there even though I delete
them.

Help please. Is this something to worry about.

Yes, you've got something. Two important things to remember for the
future:

1. Your antivirus protection depends on the antivirus definitions of the
program. If a) you haven't kept your av subscription renewed and the
definitions updated; or b) this is a new virus for which definitions
haven't yet been written by the av company - you are not protected.

2. Your firewall will not prevent you from inviting unsavory programs
in, as you have found out.

Here is a link to Symantec's writeup, with removal instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.tibick.html

In all cases when removing viral and non-viral malware, you need to do
the work with current tools using updated definitions in Safe Mode.

Malke

Keith

The only thing whatever I have has in common with that virus in the URL is
that it copies svcnet.exe. Nothing else matches up.

Fin

Keith said:
Thanks

Are there any reg keys etc. other than the obvious CurrentVersion\Run to
load stuff at startup or shutdown?

I am trying to avoid a format, and I can't believe that this can't be
killed off without one.

There must be something running that is reloading these reg keys every time
I reboot.

Yeah also it is very very much like the legitimate file, that is the
problem, it is very very similar to how the file behaves normally, something
to do with the windows automatic update system.

BUT check out the IP number it is trying to connect to, that will give you a
clue as to what it is. The virus/worm I had NOTHING detected it, I MEAN
NOTHING.

I had THREE antivirus suites and TWO anti spyware programs, none of them worked.

Fin

Malke said:
Yes, you've got something. Two important things to remember for the
future:

1. Your antivirus protection depends on the antivirus definitions of the
program. If a) you haven't kept your av subscription renewed and the
definitions updated; or b) this is a new virus for which definitions
haven't yet been written by the av company - you are not protected.

I had the same thing, all mine were 100% updated and nothing detected it.
You had this same conversation with me before do you remember?

2. Your firewall will not prevent you from inviting unsavory programs
in, as you have found out.


Here is a link to Symantec's writeup, with removal instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.tibick.html

This is the same thing that I thought it was, NO antivirus software detected
it.

Ronnie Vernon MVP

Keith said:
Today I ran something I probably shouldn't have from a website. I am
patched to the hilt and run Norton AV and Internet Security so thought
I would be OK. The only patch I don't have is SP2 (because it screws
up my bluetooth adapter).

Norton immediately threw up a warning that svcnet.exe was trying to
access the internet, so I blocked it.

However, now every time I reboot I get the following registry keys
added to my registry:

Local Machine\Software\Microsoft\Windows\CurrentVersion\Run\
Generic Host Process - REG_SZ - C:\WINDOWS\System32\scvhost.exe

Local Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell - REG_SZ - Explorer.exe C:\WINDOWS\System32\scvhost.exe

Also My Computer opens every time I boot.

I have run Adaware, which detects the reg keys and removes them, and
also MS Antispy which detects nothing.

Also run a full system scan with Norton and nothing detected.

Yet every time I reboot, these reg keys are there even though I delete
them.

Help please. Is this something to worry about.

The important item here is the spelling of these files. If you are seeing
"scvhost.exe" then this is a virus. If you are seeing "svchost.exe" this is
a legitimate and critical XP system file, although there are viruses that
can masquerade as this file in different locations.

scvhost.exe...
W32/Gaobot.worm.aa - http://vil.nai.com/vil/content/v_100611.htm
W32/Gaobot.worm.ai - http://vil.nai.com/vil/content/v_100725.htm

svchost.exe...
A description of Svchost.exe in Windows XP:
http://support.microsoft.com/kb/314056

Symantec Security Response - W32.Welchia.Worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
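Ronnie's point about spelling, and Keith's earlier question about which registry locations besides CurrentVersion\Run relaunch a file at logon, can both be turned into a mechanical check. The script below is an added example and is not from this thread or from any of the tools named in it. It parses autorun values written in the "key\value name - REG_SZ - data" layout Keith pasted, splits each value into its executable tokens, and raises a finding when (a) an image name is exactly one edit (including a transposed letter pair, which is how scvhost differs from svchost) away from a legitimate Windows binary name, or (b) the Winlogon Shell value carries anything beyond Explorer.exe. The sample input is constructed: Keith's two entries plus a Userinit value and a vendor Run entry that are assumed benign; the system-name list is a short hand-picked set, not an authoritative one.

```python
import re
from typing import List, Tuple

# Constructed sample in the "key\value name - REG_SZ - data" layout used in the thread.
# The first two lines are the entries Keith reported; the Userinit line and the vendor
# Run entry are assumed-benign additions so the script has something to leave alone.
SAMPLE_AUTORUNS = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Host Process - REG_SZ - C:\WINDOWS\System32\scvhost.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - REG_SZ - Explorer.exe C:\WINDOWS\System32\scvhost.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit - REG_SZ - C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Example Updater - REG_SZ - "C:\Program Files\Example Vendor\updater.exe"
"""

# Legitimate Windows binaries that malware names itself after. Hand-picked for the
# example; in real use seed this list from a known-good installation.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "userinit.exe",
                "csrss.exe", "winlogon.exe", "services.exe", "spoolsv.exe"}

# On a default XP install Winlogon\Shell is exactly "Explorer.exe". Anything listed
# after it is started alongside the desktop, which is how the extra scvhost.exe ran.
EXPECTED_SHELL = {"explorer.exe"}

# key is everything up to the last backslash before " - REG_xxx - "; name has no backslash.
LINE_RE = re.compile(r"^(?P<key>.+)\\(?P<name>[^\\]+) - (?P<type>REG_\w+) - (?P<data>.*)$")
# A value token is either a quoted path (may contain spaces) or a run of non-space,
# non-comma characters (Userinit uses a trailing comma as a separator).
TOKEN_RE = re.compile(r'"[^"]*"|[^\s,]+')


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each costing 1. Case-insensitive, since NTFS names are."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def parse_autoruns(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every line in the pasted layout."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("name"), m.group("data")))
    return entries


def image_paths(data: str) -> List[str]:
    """Split a Run/Shell/Userinit value into its executable tokens, quotes removed."""
    return [t.strip('"') for t in TOKEN_RE.findall(data)]


def basename(path: str) -> str:
    return path.replace("/", "\\").split("\\")[-1].lower()


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (key\\name, finding) pairs for suspicious autorun entries."""
    findings = []
    for key, name, data in parse_autoruns(text):
        location = f"{key}\\{name}"
        paths = image_paths(data)
        names = [basename(p) for p in paths]
        # Check 1: Winlogon\Shell must be Explorer.exe and nothing else.
        if key.lower().endswith("winlogon") and name.lower() == "shell":
            for p, n in zip(paths, names):
                if n not in EXPECTED_SHELL:
                    findings.append((location, f"extra shell component: {p}"))
        # Check 2: an image name one edit away from a real system binary name.
        for p, n in zip(paths, names):
            if n in SYSTEM_NAMES:
                continue
            close = sorted(s for s in SYSTEM_NAMES if osa_distance(n, s) == 1)
            if close:
                findings.append((location, f"{p} is one edit away from {close[0]}"))
    return findings


if __name__ == "__main__":
    for location, finding in triage(SAMPLE_AUTORUNS):
        print(f"{location}\n    {finding}")
```

Against the sample this reports the Run entry once (scvhost.exe is one edit from svchost.exe) and the Shell entry twice (an extra shell component, and the same look-alike name); the Userinit and vendor entries pass. The same two checks apply unchanged to values read from a live machine with `reg query`, and the name-distance check is the part worth keeping: it catches the transposition that a human reading "Generic Host Process" next to a System32 path is primed to overlook.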

CWatters

Keith said:
Today I ran something I probably shouldn't have from a website. I am
patched to the hilt and run Norton AV and Internet Security so thought I
would be OK. The only patch I don't have is SP2 (because it screws up my
bluetooth adapter).

Norton immediately threw up a warning that svcnet.exe was trying to access
the internet, so I blocked it.

Perhaps...

http://www.sophos.com/virusinfo/analyses/trojtibikb.html

See "description" tab

quote

The Trojan also copies itself to the Windows system folder as svcnet.exe.

Fin

Ronnie Vernon MVP said:
The important item here is the spelling of these files. If you are seeing
"scvhost.exe" then this is a virus. If you are seeing "svchost.exe" this
is a legitimate and critical XP system file, although there are viruses
that can masquerade as this file in different locations.

scvhost.exe...
W32/Gaobot.worm.aa - http://vil.nai.com/vil/content/v_100611.htm
W32/Gaobot.worm.ai - http://vil.nai.com/vil/content/v_100725.htm

svchost.exe...
A description of Svchost.exe in Windows XP:
http://support.microsoft.com/kb/314056

Symantec Security Response - W32.Welchia.Worm:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
--

Ronnie Vernon
Microsoft MVP
Windows Shell/User

Now that is all totally confusing to the average user, because you are
saying the spelling is different, but it can be spelt the same way but in a
different location.
I mean I just had to give up and totally reinstall, the average user could
spend hours messing around and still not have it fixed.

Seems particularly nasty

Keith

Thanks all.

I seem to have got it all out of my system now. Lots of registry keys
reloading it at startup.

No idea what it was - no AV I have detected it.