Didn't know where else to post this.
Ok, so it seems I have a nasty little trojan worming its way around my computer...
I have checked my task manager and I have about 6 svchost.exe processes running. Some of which are using up MASSES of my CPU memory.
After doing some homework, I have found that the process is a necessary windows file that runs code, but is also vulnerable to trojans and spyware. From what I've read - the REAL svchost.exe is in the C:\Windows\System32 folder (which makes sense).
I've identified these files on my PC:
C:\WINDOWS\system32
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\Prefetch
I know the top one (system32) is the REAL real one. But I'm reluctant to delete or stop any of the processes cause I could fuck Windows right up if I get it wrong.
My computer is showing all the symptoms of some form of trojan running in the background (is trojan the right word?). Anyhoo, what I want to ask is:
Is a registry scan thing like UniBlue Registry Booster (Free Registry Scan) reliable? It says it can identify and fix the problem caused by trojans hiding as svchost.exe... (but I'm reluctant to download anything new I don't know about)....
AVG hasn't picked up any virus - Am currently downloading and running Norton as well (forums suggest only Norton is catching onto it, strangely)...
I've cleaned up my PC using Spybot (are there better spyware programs?) and restricted a bunch of cookies from being dumped on my PC.
Would a registry scan be advised (rather than deleting the files manually)?
Is there anything else I can do? You think it's okay to delete the file and end the process for:
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\Prefetch - this one in particular, I have read that it should be left as it is a back up file, but the file name is suss
(SVCHOST.EXE-3530F672.pf) and it's the most recently modified file. I wonder if that post about leaving it there was a dodgy person trying to discourage people getting rid of the file???
Most responses say to delete ANYTHING that's not in C:\WINDOWS\SYSTEM32
Am I paranoid?
Could I be infecting others by being online?
To ease concerns, I'm pretty sure this won't be infecting others' PCs - it's not an email worm or anything, as far as I can tell. I believe it's just allowing spyware onto my PC and it's slowing my PC right down. Computer shits itself every time I close a program and bumps me off the net every now and again...
Cheers
rita
you're a nerd
yes you are paranoid
spy bot works well
spybot + virus software should do the trick
don't delete anything reets until you find it necessary (ie don't)
we have norton. I'll copy it for you next time Jon comes around with his discs
hmm, bugger
delete the ones except the one you need
sounds like you won't fuck it anymore than it is
also get zone alarm and install that if you don't have it
also - anyone else got this problem
remember the weirdo stuff here a couple of weeks ago?
oops, maybe wot he said....
Ok this is a tricky one, I have this too I think on a PC at home, and if you google you'll find a lot of people just going "LEAVE IT ALONE !! 1" but of course we know one can't do that when it's consuming 100% of processor etc.
Ok so what do we do? We need svchost of course because it's a vital windows service. The PreFetch folder is a kind of temporary folder that windows uses... you can delete svchost from there if you want, windows will just pop a new file in there for next time it wants access.
I recommend searching the entire hard drive, particularly in the program files folders, as a malignant svchost.exe may be hiding somewhere outside of the windows system folders.
also there are trojans that are known to hide themselves as "C:\windows\system\ svchost.exe" <- notice the space after system\, making the filename
" svchost.exe" so have a look for that too.
exact method of removal depends on the exact kind of trojan.
An automated registry scan / removal could be a good idea as you certainly don't want to be editing it yourself if you don't know what you're doing
ok well I have to go to lunch at the moment - it's a family thing - but when I get back I'll continue this, I think I've narrowed it down to a group of three trojans/virii and have found maybe a tool or two to remove it, depending on which/what you have.. so if you can wait that long (an hour or so) I'll be bach
da da da dum!
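The two checks this thread keeps coming back to (which svchost.exe copies sit in the locations the first post lists, and the "system\ svchost.exe" leading-space disguise from the post above) can be done mechanically. The following is an added Python example, not code from anyone in the thread: the expected directories are the ones the thread itself names (system32, ServicePackFiles\i386, $NtServicePackUninstall$ and the Prefetch .pf trace file); the Program Files path in the sample list is hypothetical.

```python
import ntpath
import os

# Directories (below the drive letter) where a svchost.exe copy is expected on
# a Windows XP box according to the thread: the live binary in system32 and
# the two service-pack backup copies. Compared case-insensitively.
EXPECTED_DIRS = {
    r"\windows\system32",
    r"\windows\servicepackfiles\i386",
    r"\windows\$ntservicepackuninstall$",
}
# Prefetch holds SVCHOST.EXE-<hash>.pf trace files; they are not executables.
PREFETCH_DIR = r"\windows\prefetch"


def _norm(directory):
    """Lower-case a directory and unify separators so it can be compared."""
    return directory.replace("/", "\\").rstrip("\\").lower()


def classify(path):
    """Return (verdict, reason) for one path.

    verdict is 'expected', 'suspicious' or 'ignore'. ntpath is used so the
    Windows-style paths are parsed the same way on any host.
    """
    _drive, rest = ntpath.splitdrive(path)
    directory, name = ntpath.split(rest)
    directory = _norm(directory)
    lowered = name.lower()

    # Disguise from the thread: "C:\windows\system\ svchost.exe". Leading or
    # trailing whitespace in the file name is never legitimate here.
    if name != name.strip():
        return "suspicious", "whitespace in file name: %r" % name
    if lowered == "svchost.exe":
        if directory in EXPECTED_DIRS:
            return "expected", "known location"
        return "suspicious", "svchost.exe outside expected directories"
    if lowered.startswith("svchost.exe-") and lowered.endswith(".pf"):
        if directory == PREFETCH_DIR:
            return "expected", "prefetch trace file, not an executable"
        return "suspicious", "prefetch-style name outside Prefetch"
    return "ignore", "not a svchost name"


def triage(paths):
    """Classify many paths; returns {verdict: [path, ...]}."""
    out = {"expected": [], "suspicious": [], "ignore": []}
    for p in paths:
        verdict, _ = classify(p)
        out[verdict].append(p)
    return out


def find_candidates(root):
    """Walk a real drive and collect files whose name, once whitespace is
    stripped, is svchost.exe or a svchost prefetch trace. Run this on the
    machine being checked; SAMPLE_PATHS below stands in for it here."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            s = f.strip().lower()
            if s == "svchost.exe" or (s.startswith("svchost.exe-") and s.endswith(".pf")):
                hits.append(os.path.join(dirpath, f))
    return hits


# Constructed sample: the four locations the original poster listed, the
# disguised name from the thread, and one hypothetical Program Files copy.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\svchost.exe",
    r"C:\WINDOWS\$NtServicePackUninstall$\svchost.exe",
    r"C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf",
    r"C:\windows\system\ svchost.exe",
    r"C:\Program Files\ExampleApp\svchost.exe",  # hypothetical path
]

if __name__ == "__main__":
    for verdict, paths in triage(SAMPLE_PATHS).items():
        for p in paths:
            print("%-10s %s  (%s)" % (verdict, p, classify(p)[1]))
```

On the sample list the first four paths come out as expected and the last two as suspicious. A file being in an expected directory only says it is where a real copy lives; to actually judge a running process you would still compare the image path of each svchost.exe in Task Manager against the system32 copy rather than trusting the name alone.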
there is a registry inconsistency thing in spybot, run it anyway....
it works well, i can't remember how to run it though....
good luck tails
download hijackthis and run it mate
In safe mode of course.
yeah well, it's pretty easy to activate something from a script in word
in fact we used to send eject commands to people's cd players once for a laugh
but that shit just causes unrest so no more hacking for pete, not that that really qualifies
ahhh fuck I meant don't run it in safe mode LOL oops.
however DO turn off system restore, then run your antivirus software in safe mode first.
You should be able to pick up and delete stuff easier. But yeah no need to run hijackthis in safe mode. no point really...
maybe use the spybot one then, it's fully free and easy
kinda like me but i'm cheap and easy is all
Damn, now I have the same problem. Try this
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm...
I'll have a gander at this later this arvo when I get a chance for ya, hit me up on msn if you like and we can work through it. Another Virus proggy to try is Kaspersky which I use at home after learning that Norton and AVG were both shit
its worth a shot
free trial version
http://www.kaspersky.com/trials

Yes
but I have identified a fucking wickid little worm all by myself without the use of a virus scanner (GO ME!)!!!
Geeks will inherit the Earth, my friends - just you wait!
Wrong. Most of the time.
riding the obnox train