Virus in SVCHOST?


TeeJay3800

When I start the Windows Worms Doors Cleaner, I get this warning:

 

[Image attachment: virus_warn.jpg (the WWDC warning dialog)]

 

I have done a virus scan using BitDefender Online Scanner and it found nothing. I'm not sure if I have an actual virus that BitDefender missed, or if this is a false alarm. Can anyone give me any insight on this?

Dell Latitude D600

Windows 7 Ultimate 32-bit SP1

 


Windows Worms Doors Cleaner runs fine on my XP Pro system but the multiple SVCHOST modules total way more than 27044k

 

Download MBAM then update then run Quick scan and you may need to reboot to remove locked files:

http://www.malwarebytes.org/mbam.php

"Education is what remains after one has forgotten everything he learned in school." - Albert Einstein

IE7Pro user


One thing I can think of that fits with that sort of report is that your PC is using a lot of virtual memory, which might not be a virus.

Do you use a RAM optimizer?

What are the system specs?

If you are short on RAM for the programs you run, it would be expected for the swap file to be working hard. (You'd hear some HD thrashing- many read/writes.)

What else have you tried scanning with?


I have a little question. I just checked out Windows Worms Door Cleaner, and the first three options (port 445 etc.) are enabled. Should I disable them with this program? Or will it cause problems in my Windows XP system?


I have a little question. I just checked out Windows Worms Door Cleaner, and the first three options (port 445 etc.) are enabled. Should I disable them with this program? Or will it cause problems in my Windows XP system?

I have disabled all 5 items in WWDC without any problems...on both my 2000 and XP machines. I believe if you have file and printer sharing enabled (via your LAN), that will not work. I'm basing that on the descriptions I've read of the ports and services that WWDC disables. However, everything that I use still works. If something you need doesn't work after using WWDC, it's very easy to go back and undo the changes.

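A quick way to confirm whether the WWDC port changes actually took effect (or to see what is still listening before touching anything) is to read the output of `netstat -an`. The script below is an added example, not WWDC's own code: it parses the Windows `netstat -an` layout and reports which of the toggled ports still have a listener. Port 445 is the one named in this thread; 135 (RPC endpoint mapper) and 139 (NetBIOS session) are the two ports conventionally grouped with it, and treating those three as the "first three options" is an assumption. Both netstat listings are constructed for the example.

```python
"""Report which WWDC-toggled ports still have a listener, from `netstat -an`.

Added illustration, not WWDC's code. The port set is an assumption (445 is
named in the thread; 135 and 139 are assumed to be the other two options).
Both netstat listings below are constructed, not captured from a real box."""

WWDC_PORTS = (135, 139, 445)

# Constructed `netstat -an` output from an XP machine before running WWDC.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Constructed output after the three items were disabled and the box rebooted.
AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED
  UDP    127.0.0.1:1900         *:*
"""


def local_port(address):
    """'0.0.0.0:445' -> 445; also handles IPv6 forms such as '[::]:445'."""
    return int(address.rsplit(":", 1)[1])


def listening(netstat_text):
    """Return {(proto, port)} for TCP sockets in LISTENING state and for every
    bound UDP socket (UDP lines carry no state column in netstat output)."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header, or blank line
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, local_port(local)))
    return found


def still_open(netstat_text, ports=WWDC_PORTS):
    """Sorted list of the WWDC ports that still have a listener."""
    open_ports = {port for _, port in listening(netstat_text)}
    return sorted(p for p in ports if p in open_ports)


if __name__ == "__main__":
    print("before:", still_open(BEFORE))
    print("after: ", still_open(AFTER))
```

On a real machine, run `netstat -an` before and after the change and feed its text to `still_open`; an empty list after the reboot means the three listeners are gone, while a non-empty one tells you exactly which service is still bound and so which WWDC item did not apply.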

Download MBAM then update then run Quick scan and you may need to reboot to remove locked files:

http://www.malwarebytes.org/mbam.php

Is that a full on-demand virus scanner? I'd like to avoid installing more software on this machine because of limited HDD space. That's why I like the online scanners like BitDefender and others offer.

 

This is a really old system that I've kept running pretty well and is still great for web browsing. K6-2, 160MB RAM, 5GB HDD, 2000 SP4, and no memory optimizers.


160MB RAM,

There's your problem, I reckon.

MBAM is a (very good) antimalware scanner, rather than an AV scanner.

Try Dr Web's Cureit.

Standalone demand scanner. Good. No install. Use, then delete. Re-download anew when you need it updated.

Do I understand from your post above that you have no resident AV installed?


The MBAM installer is only 1.8MB and runs fine on my old 500MHz PIII system, and it is great at finding and removing malware. Thanks for Windows Worms Door Cleaner, as that is a neat service and port disabler application.



WWDC has commonly given me a false positive worm alert. When I made my own installer for it I included the regular startup, and a no worms check startup with this in it:

"C:\Program Files\Windows Worms Doors Cleaner\wwdc.exe" -nowormscheck

 

That false positive commonly happens as soon as Windows starts, and I think it may be related to Automatic Updates but I'm not totally positive. In any event I don't even heed that warning it pops up anymore because I know my system is 100% clean.

 

It's such an annoyance that this is what I put into the readme file:

FALSE VIRUS DETECTION

 

In Windows XP WWDC can, may, or will falsely detect a supposed "virus" in your svchost.exe file. This is the sole reason this installer version uses shortcuts with "-nowormscheck" to prevent false warnings.

 

Note:

It's typically a false positive especially if you have up-to-date antivirus software installed that features real-time protection ("resident shield, guard"). If svchost.exe is using just a little bit more memory than what WWDC expects it will flag svchost.exe as infected, even if it isn't.

 

The detection of a "virus" in svchost.exe is due to other running Windows programs. svchost.exe will heavily spike in memory usage when Windows XP's Automatic Updates is checking the Microsoft Update/Windows Update website for critical updates for your computer, and svchost.exe may not reduce the memory usage into the zone that WWDC assumes is in a non-virus state.

 

The only workaround is to restart your system if WWDC displays such a message. WWDC will commonly display the false positive about svchost.exe, therefore it could very well be a bug in WWDC.

 

If the message however doesn't disappear after doing a system restart it's recommended that you use a free online virus scanning service such as ESET Online Scanner which is highly recommended and somewhat fast or Panda ActiveScan. Note: Both only work in Internet Explorer.

 

Or install antivirus software if you don't have one already installed on your system. Some 100% free full-featured antivirus software is: AVG Anti-Virus Free Edition, AntiVir PersonalEdition Classic, and Avast Anti-Virus Home Edition. However, you should make sure your system is clean first by using one of the free online virus scanning services or both of them, as this ensures that whatever 100% free antivirus software you decide upon will install without getting infected itself.

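The readme above describes the mechanism behind the false positive: WWDC appears to compare svchost.exe's memory use against a fixed ceiling, and a legitimate spike (Automatic Updates checking for patches) pushes it over. The script below is an added example, not WWDC's code; the single-threshold rule is an assumption inferred from this thread, using the 27044k figure quoted earlier as the limit. It replays that rule over a constructed process snapshot and sets it beside a triage that ignores memory and looks at what a spike cannot change: the image directory and the parent process. Every process record is constructed, including the made-up impostor in the Temp folder used for the comparison.

```python
"""Replay a WWDC-style svchost.exe memory rule over a constructed process
snapshot and compare it with a triage based on image path and parent.

Added illustration only, not WWDC's code. The fixed-threshold rule is an
assumption inferred from the thread (27044k is the figure quoted there);
every process record below is constructed, not captured from a real box."""

from dataclasses import dataclass

THRESHOLD_KB = 27044                 # quoted in the thread; assumed to be WWDC's limit
SYSTEM32 = r"c:\windows\system32"    # the only directory a genuine svchost.exe lives in


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str            # full image path
    parent: str          # image name of the parent process
    working_set_kb: int  # resident memory, as shown in Task Manager's "Mem Usage"


def is_svchost(p):
    return p.name.lower() == "svchost.exe"


def wwdc_style_flags(procs):
    """Flag every svchost.exe whose working set exceeds the fixed threshold."""
    return [p.pid for p in procs if is_svchost(p) and p.working_set_kb > THRESHOLD_KB]


def triage_flags(procs):
    """Flag svchost.exe on properties a memory spike cannot explain away:
    an image outside System32, or a parent other than services.exe."""
    flagged = []
    for p in procs:
        if not is_svchost(p):
            continue
        directory = p.path.lower().rsplit("\\", 1)[0]
        if directory != SYSTEM32 or p.parent.lower() != "services.exe":
            flagged.append(p.pid)
    return flagged


def total_svchost_kb(procs):
    """Memory of all svchost.exe instances together, the figure that this
    thread notes routinely exceeds 27044k on a healthy XP machine."""
    return sum(p.working_set_kb for p in procs if is_svchost(p))


# Constructed snapshot: an XP machine while Automatic Updates is checking for
# updates (pid 1100 hosts the netsvcs group and has spiked), plus one made-up
# impostor in the user's Temp folder so both rules can be compared.
SNAPSHOT = [
    Proc(700,  "services.exe", r"C:\WINDOWS\system32\services.exe", "winlogon.exe", 3100),
    Proc(1024, "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe",  "services.exe", 4520),
    Proc(1100, "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe",  "services.exe", 31208),
    Proc(1200, "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe",  "services.exe", 3980),
    Proc(1400, "explorer.exe", r"C:\WINDOWS\explorer.exe",          "userinit.exe", 18400),
    Proc(2240, "svchost.exe",  r"C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe", "explorer.exe", 7600),
]


def compare(procs=SNAPSHOT):
    """Both verdicts side by side: the memory rule flags the legitimate
    spiked instance and misses the impostor; the path/parent triage does
    the reverse."""
    return {
        "memory_rule": wwdc_style_flags(procs),
        "triage": triage_flags(procs),
        "total_svchost_kb": total_svchost_kb(procs),
    }


if __name__ == "__main__":
    for rule, result in compare().items():
        print(f"{rule}: {result}")
```

The point of the comparison is the one the readme makes: memory use alone is a poor signal for svchost.exe, since the legitimate netsvcs instance trips the rule during an update check while a process that merely borrows the name in another directory stays under it. On a live system the same three fields (PID, image path, parent) are what to check in Task Manager or Process Explorer before treating such a warning as an infection.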

Do I understand from your post above that you have no resident AV installed?

Nope, not on this machine. I run AntiVir on my XP machine, but I've never encountered a virus on either computer. On-demand virus scans always turn up nothing.

 

Thanks all, for the help and suggestions.

 

- MBAM seems like a great program. However, the first time I did a scan with it, it found a registry hijack related to the start menu. When I fixed it, it simply removed the "logoff" item from the start menu. I'd call that a false positive.

 

- Dr. Web CureIt! also seems like a good app. I haven't done a full scan with it yet, but I will soon. I take it an app like this is better than the online scanners like BitDefender's and others?

 

- Thanks for the info about WWDC, Andavari.


Nope, not on this machine. I run AntiVir on my XP machine, but I've never encountered a virus on either computer. On-demand virus scans always turn up nothing.

You are very lucky.

 

Today's malware purveyors are looking for easily infected prey like your un-protected system to help proliferate their wanton destruction on any other foolish person that stumbles onto the Internet being un-protected.

 

It is like taking a tour of duty in Afghanistan or Iraq that the very brave and honourable soldiers do to try to bring peace and reduce religious persecution to the country's population.

 

They pay with their lives even though they do use the latest personnel protection.

 

You however choose to ignore all warnings and proceed just like Dudley Do-Right of the Mounties and continue forth un-protected.

 

Thanks all, for the help and suggestions.

 

- MBAM seems like a great program. However, the first time I did a scan with it, it found a registry hijack related to the start menu. When I fixed it, it simply removed the "logoff" item from the start menu. I'd call that a false positive.

It is not innocent of false positives but they are fixed rapidly:

http://www.malwarebytes.org/forums/index.php?showforum=42

 

- Dr. Web CureIt! also seems like a good app. I haven't done a full scan with it yet, but I will soon. I take it an app like this is better than the online scanners like BitDefender's and others?

It is heavily recommended by other malware fixers even in avast! forum:

http://forum.avast.com/index.php?topic=37767.0

 

The root cause of your problem is that you insist on running a low powered system un-protected with minimal RAM.

 

I would not consider putting a system on the Internet today without a minimum of 256MB RAM and a small anti virus application like avast! or Avir running resident because I don't like having to constantly keep my systems' back ups current plus clearly labeled and stored in a safe place because it would take too much time and make the use of the Internet unbearable.

 

Edit: added

Read JeanInMontana's response:

http://www.malwarebytes.org/forums/index.php?showtopic=5719

Edited by YoKenny


No port closings to me, because right after I closed those three ports, I totally lost my internet connection after reboot. When I opened them, my internet was back.

What firewall are you using?

 

I am only using the built in Windows firewall and my ISP supplied modem's built in firewall without problems on XP Home and Pro.


You however choose to ignore all warnings and proceed just like Dudley Do-Right of the Mounties and continue forth un-protected.

Wow, this went from being very helpful to being very insulting very suddenly.

 

First of all, this is only a backup machine I keep in my bedroom that I use for basic web browsing once in a while. I am well aware of common security risks; that is why I use all the common security software on my main (Athlon 62 X2, 1GB RAM, etc) XP machine...AntiVir, software firewall, hosts file, Spyware Blaster, etc. Running real-time anti-virus really slows the older machine down, and makes it essentially unusable. Even the older computer is behind my NAT router and passes the GRC ShieldsUp! test with a 100% rating, so it's not as if it is exposed to the internet completely unprotected.

 

I appreciate all the help here, but there is a difference between offering sincere computer advice, and nearly insulting someone's intelligence...


TeeJay3800, I didn't mean to be insulting but I try to use a bit of humour in what can be a serious subject.

 

I guess, as my heroes are of the like of Inspector Clouseau and not James Bond, I tend to bumble my way through helping people remove malware that infects their systems.

 

The only thing missing are the gorgeous babes:

http://www.imdb.com/title/tt0157503


Humor is always good! I guess some of your comments came across as a little condescending.

 

I appreciate all the advice and I'm relieved to know there isn't actually a virus on this system. I'd like a little clarification as to what the apps recommended here are for.

 

- MBAM is an "anti-malware" product. Does that mean it is anti-virus or anti-spyware? Could I replace SUPERAntiSpyware with MBAM, or do they search for different types of infections?

 

- Dr. Web CureIt! is strictly an anti-virus app correct? It does the same thing as products like AntiVir, AVG, etc (except without resident protection)?


MBAM is antimalware, like Superantispyware. They are both very good, and similar in function, for spyware, rogues, trojans etc, not so much viruses. Use whichever you prefer. One might be better than the other for different malware, depending on what it is, on the day. (Which is why, with this type of "traditional" malware scanning, it has usually been recommended to have more than one scanner. Which isn't a problem if you have plenty of drive space. Since you don't, you might have to choose. Superantispyware occupies ~15MB on my system, MBAM ~3MB. Check "add/remove programs".)

Re your Q on Cureit, Yes. It also detects and is capable of removing a fair bit of malware. But mainly an AV.

Your approach is probably fairly good given the resource constraints, but the problem with this sort of reactive approach is that it's a bit like shutting the door after the horse has bolted. Yes, you might find something parasitic on the computer, and remove it successfully, but the question is: what has it sent to the evil mothership from the time it installed to the time you found it?

A software two-way firewall can prevent this. Doesn't have to be fancy, like Comodo 3 with D+; a simple firewall like Kerio 2, or even Filseclab, would make a huge difference in this area of protection. Indeed, I would consider this absolutely essential.

(Don't ask me for a recommendation for a very basic or rather "low resource" firewall, I think the two I've suggested would do, but I don't really know.)

Another mitigation would, of course, be not having anything on that computer you're not prepared to have stolen.
