Technical Questions & Help / How to remove svchost.exe?
Trunks007
January 2, 2004 - 1:52:12pm (post 1 of 230)
My PC was infected by the W32.Blaster worm and it has now created a memory process, svchost.exe. My OS is Win2000 Professional Edition. The worm was completely removed from the boot record after I ran a worm removal kit (Stinger); however, the removal kit doesn't recognize the svchost.exe, so it was bypassed and now resides in memory. The svchost will automatically run itself after a few minutes of connecting to the internet. I also get a message "access denied" every time I attempt to end the svchost process in memory using the Task Manager. What should I do? How can I prevent it from slowing down my PC? Thanks...
Encryptedmind
January 2, 2004 - 1:59:06pm (post 2 of 230)
To: Trunks007
svchost is supposed to be on there; I have like 5 or 6 svchost files running on my machine... That isn't a virus...
Google
January 3, 2004 - 10:45:12pm (edit: 1/3/04 - 10:51pm) (post 3 of 230)
To: Trunks007
That's the Welchia worm you've got there, if your SVCHOST is using all your processing power. Download the patch, and there is also a Symantec fix for it which will remove it. Download both the patch and the fix files, disconnect from the internet, run the fix, then the patch.

Edit: find the fix here http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
and patch here: http://www.rcub.bg.ac.yu/Antivirus/Q815021_WXP_SP2_x86_ENU.exe
Encryptedmind
January 3, 2004 - 11:52:50pm (post 4 of 230)
To: Google
Sorry, I ran the worm finder; there is no worm on here... And I already have the update you posted...

I do keep McAfee Anti-Virus on here, which ratings-wise finds more viruses than Norton... I used to use Norton Anti-Virus, until I saw those reviews...
Encryptedmind
January 3, 2004 - 11:55:35pm (post 5 of 230)
Here is a description of svchost.exe; it is not a virus.

SUMMARY
This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
MORE INFORMATION
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)

The following example of Tasklist output shows two instances of Svchost.exe that are running.

Image Name        PID  Services
==============  =====  ============================================
System Process      0  N/A
System              8  N/A
Smss.exe          132  N/A
Csrss.exe         160  N/A
Winlogon.exe      180  N/A
Services.exe      208  AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
                       Eventlog,LanmanServer,LanmanWorkstation,
                       LmHosts,Messenger,PlugPlay,ProtectedStorage,
                       Seclogon,TrkWks,W32Time,Wmi
Lsass.exe         220  Netlogon,PolicyAgent,SamSs
Svchost.exe       404  RpcSs
Spoolsv.exe       452  Spooler
Cisvc.exe         544  Cisvc
Svchost.exe       556  EventSystem,Netman,NtmsSvc,RasMan,
                       SENS,TapiSrv
Regsvc.exe        580  RemoteRegistry
Mstask.exe        596  Schedule
Snmp.exe          660  SNMP
Winmgmt.exe       728  WinMgmt
Explorer.exe      812  N/A
Cmd.exe          1300  N/A
Tasklist.exe     1144  N/A

The registry settings for the two groupings in this example are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
Netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
Rpcss: Reg_Multi_SZ: RpcSs
Google
January 4, 2004 - 12:07:11am (edit: 1/4/04 - 12:47am) (post 6 of 230)
To: Encryptedmind
You're not the one with the problem, Trunks007 is; that's why I aimed my post at him. My svchost.exe was using all my processor, and I discovered that the Welchia worm makes a copy of svchost.exe which uses all the processor's power and slows your computer to almost a halt.
The copy of svchost.exe which isn't the real thing (and a copy of dllhost.exe) can be found in c:\windows\system32\wins. These can be deleted if removing the Welchia worm manually; just make sure to disable System Restore beforehand. Some registry keys need to be deleted too. Open Registry Editor: to do this, click Start > Run, type REGEDIT, then press Enter. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services
In the left panel, delete the subkeys:
RpcPatch
RpcTftpd
Now install the patch.

Edit:

How Does the Welchia Worm Infect My Computer?

Copies itself to the Wins directory in the System or System32 folder in Windows, usually:

C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000

There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.

Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the following directories.

C:\Windows\System32\Wins\svchost.exe for Windows XP or
C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000

NOTE: Svchost.exe is a legitimate program, which is not malicious, found in the System32 directory

Creates the following services:

Service Name: RpcTftpd
Display Name: Network Connections Sharing
File: %System%\wins\svchost.exe

This service will be set to start manually.

Service Name: RpcPatch
Display Name: WINS Client
File: %System%\wins\dllhost.exe

This service will be set to start automatically.


Ends the process MSBLAST and deletes the file %System%\msblast.exe, which is dropped by the worm MSBlast.A. First, it checks the operating system version, then it downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system.
Some of the patches it downloads into the system are as follows:

http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b1e6-cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe
http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b576-0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe
http://download.microsoft.com/download/2/8/1/281c0df6-772b-42b0-9125-6858b759e977/Windows2000-KB823980-x86-CHS.exe
http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe
http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe
http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8d48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
The downloaded patch has the file name RpcServicePack.exe. The worm deletes this file after it is run.

Before downloading or installing the patch on the system, the worm first checks whether the system has been previously patched by looking for specific registry keys, to make sure the patch hasn't already been installed.

The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. The worm uses a ping to determine whether a machine is active on the network. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or send data to TCP port 80 to exploit the WebDAV vulnerability.

Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

Launches the TFTP server on the attacking machine and instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.
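As an added example (not from this thread or any of its posters): a small Python script that applies the two checks the posts above give to captured command output. It parses the `Tasklist /SVC` listing format from the KB excerpt, groups hosted services per PID, and flags the Welchia indicators Google lists (the service names RpcPatch / RpcTftpd and binaries living in %System%\wins\ rather than %System%\). The `tasklist` text and the `sc qc` binary paths are constructed for the example; the function names are mine. On a live machine you would paste in the real `tasklist /SVC` output and the BINARY_PATH_NAME line from `sc qc <service>` for each hosted service.

```python
"""Added example: triage svchost.exe / dllhost.exe instances from
`tasklist /SVC` output using the Welchia indicators from the thread.

Checks applied per host process:
  * it hosts one of the service names Welchia registers (RpcPatch, RpcTftpd);
  * a hosted service's binary lives in the wins subdirectory of %System%
    rather than in %System% itself;
  * an svchost.exe hosting no service at all (a heuristic only: a real
    instance exists to host a service group, so verify its image path).
"""
import re
from collections import defaultdict

WELCHIA_SERVICES = {"rpcpatch", "rpctftpd"}          # from the post above
WELCHIA_PATH_RE = re.compile(r"\\system32\\wins\\(svchost|dllhost)\.exe$",
                             re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")

# Constructed `tasklist /SVC` output, modelled on the KB listing above plus
# a Welchia-style pair: a renamed tftpd as svchost.exe (service RpcTftpd)
# and the worm body as dllhost.exe (service RpcPatch).
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
smss.exe                       132 N/A
services.exe                   208 Eventlog, PlugPlay
lsass.exe                      220 Netlogon, PolicyAgent, SamSs
svchost.exe                    404 RpcSs
svchost.exe                    556 EventSystem, Netman, NtmsSvc, RasMan,
                                   SENS, TapiSrv
svchost.exe                   1760 RpcTftpd
dllhost.exe                   1776 RpcPatch
svchost.exe                   1812 N/A
explorer.exe                   812 N/A
"""

# Constructed BINARY_PATH_NAME values as `sc qc <service>` would report them.
SAMPLE_BINARY_PATHS = {
    "RpcSs":    r"C:\WINNT\system32\svchost -k rpcss",
    "RpcTftpd": r"C:\WINNT\System32\wins\svchost.exe",
    "RpcPatch": r"C:\WINNT\System32\wins\dllhost.exe",
}


def parse_tasklist_svc(text):
    """Return [(image, pid, [service, ...]), ...] from `tasklist /SVC` text.

    The Services column wraps onto indented continuation lines, which are
    appended to the preceding record; 'N/A' means the process hosts none.
    """
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and records:            # wrapped services column
            records[-1][2].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        svcs = m.group("svcs").strip()
        names = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()]
        records.append((m.group("image"), int(m.group("pid")), names))
    return records


def binary_exe(binary_path_name):
    """Strip service arguments such as `-k rpcss` and surrounding quotes."""
    path = binary_path_name.strip().strip('"')
    return re.split(r"\s-", path, maxsplit=1)[0]


def triage(tasklist_text, binary_paths):
    """Map PID -> list of findings for svchost.exe / dllhost.exe instances."""
    findings = defaultdict(list)
    for image, pid, names in parse_tasklist_svc(tasklist_text):
        if image.lower() not in ("svchost.exe", "dllhost.exe"):
            continue
        if not names and image.lower() == "svchost.exe":
            findings[pid].append("svchost.exe hosting no service; "
                                 "verify its image path is %SystemRoot%\\System32")
        for svc in names:
            if svc.lower() in WELCHIA_SERVICES:
                findings[pid].append(f"service {svc} is a Welchia service name")
            exe = binary_exe(binary_paths.get(svc, ""))
            if WELCHIA_PATH_RE.search(exe):
                findings[pid].append(f"service {svc} runs from {exe}")
    return dict(findings)


if __name__ == "__main__":
    for pid, notes in sorted(triage(SAMPLE_TASKLIST, SAMPLE_BINARY_PATHS).items()):
        for note in notes:
            print(f"PID {pid}: {note}")
```

Run as-is it reports PIDs 1760 and 1776 (Welchia service names and wins\ paths) and 1812 (an svchost.exe hosting nothing, to be checked by hand); the two legitimate svchost.exe instances from the KB listing, 404 and 556, produce no findings. The path check matters because the worm's svchost.exe is a renamed copy of tftpd.exe, so the file name alone tells you nothing; where it runs from and which service launched it do.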
Encryptedmind
January 4, 2004 - 12:14:13am (post 7 of 230)
To: Google
Sorry for aiming it at you, but he needs to know that the svchost.exe is a normal process..
xposhaa
January 12, 2004 - 5:12:50pm (post 8 of 230)
Hi,
I have had the same problem. I recently re-installed XP, but since doing this my CPU has been working at 100% all the time. I tried the Welchia fix and patch you gave, but even though it detected and deleted the worm, it is still using exactly the same amount of CPU.

Any ideas?

Thanks guys.
Google
January 13, 2004 - 12:07:07am (post 9 of 230)
To: xposhaa
Try following the manual way of removing the Welchia worm, which I described above. To disable System Restore before removing a possible virus, go to 'Start', right-click 'My Computer', choose 'Properties', and on the 'System Restore' tab check the box labeled 'Turn off System Restore on all drives'. Now you can follow the guide above.
xposhaa
January 13, 2004 - 9:56:53am (post 10 of 230)
Hi google,
I followed your instructions to the letter; however, I found that there was nothing inside c:\windows\system32\wins to be deleted, and when I tried to find RpcPatch and RpcTftpd, neither of these was there.
Do you think it is possible that the Welchia worm has been deleted (by those links you gave) and that it is something else causing the CPU usage to skyrocket?
After I had replied last night, I looked at my network connections and disabled the local network icon. This worked on the net and off the net, yet I have just switched on my PC and, although the CPU usage is low off-line, it has gone back to 100% on-line. I have done more spyware scans, and while it found and deleted one, it seems to have made no impact on the CPU usage while on-line.
This is really bugging me. Any more ideas?