smbusa11 Posted September 16, 2003

I have an XP Home machine that always has an active svchost that causes constant internet activity. When I close svchost.exe (not the Windows one) from Ctrl-Alt-Del, the activity stops and all is good. Can anyone help me figure out what it is and fix it? I have tried the W32.Welchia.Worm fix from Symantec, but it said it didn't find anything.

Frank Posted September 17, 2003

Have you tried scanning for viruses on your machine? Or running a program similar to Ad-Aware?

Jediweasel Posted September 17, 2003

There are files that can cause this problem. Set your system to show all files and reboot in safe mode. Open My Computer and the hard disk. Go to Windows/system32/wins folder. If there are any files in the folder (svchost & dllhost) delete them and reboot. This is a virus and deleting these files will get your system back up and running. After you get back up, go to www.antivirus.com and run the House Call online scanner. It will make sure you are now clean. If you need a great antivirus solution (and free) go to www.grisoft.com and download the free version of AVG, it works better than Norton or McAfee. Good Luck.

cyclingplatypus Posted September 17, 2003

I get an application error from svchost.exe at shutdown, just before my computer turns off. It doesn't happen all the time, but it did start after I installed Outlook 2003 (trial). Any ideas? I've googled it and also looked on MS, but to no avail. Any help would be appreciated!

Samoa Posted September 17, 2003

> There are files that can cause this problem. Set your system to show all files and reboot in safe mode. Open My Computer and the hard disk. Go to Windows/system32/wins folder. If there are any files in the folder (svchost & dllhost) delete them and reboot. This is a virus and deleting these files will get your system back up and running. After you get back up, go to www.antivirus.com and run the House Call online scanner. It will make sure you are now clean. If you need a great antivirus solution (and free) go to www.grisoft.com and download the free version of AVG, it works better than Norton or McAfee. Good Luck.

Does AVG detect worms? I think not. I was using AVG and got the Blaster virus, AVG did nothing. I installed Norton, and it at least quarantined items.

AndyD Posted September 17, 2003

I'm not sure if it's related, but recently there have been several China IPs that have been trying to connect to my PC through the svchost. I'm not sure why this is happening... no virus/trojan programs picked up a problem. I now just block any IP I see trying to access that file. So far I've got three IP ranges going. The PCs are constantly trying to connect to me. Not sure what is going on. I would suggest installing a firewall to see what is going on. I recommend OutPost.

snippet1 Posted September 17, 2003

Whoa! Stop!

Svchost.exe is a part of windows that 'hosts' the services that perform various functions (often network-related) in your system. It is not unusual to have multiple processes for svchost at once. Unless it is infected (obviously not) by a virus, it IS NOT A VIRUS. The internet activity from it is a fairly normal thing, which is really just your system keeping in contact with the net.

/edit: If you run %SYSTEMROOT%\system32\services.msc, you will see what services svchost is providing.

Samoa Posted September 17, 2003

> Whoa! Stop!
>
> Svchost.exe is a part of windows that 'hosts' the services that perform various functions (often network-related) in your system. It is not unusual to have multiple processes for svchost at once. Unless it is infected (obviously not) by a virus, it IS NOT A VIRUS. The internet activity from it is a fairly normal thing, which is really just your system keeping in contact with the net.
>
> /edit: If you run %SYSTEMROOT%\system32\services.msc, you will see what services svchost is providing.

LOL, I was just waiting for someone to say that. You don't go deleting svchost.exe and expect there to be no problems. Do it and you will find out. In the wins folder, if there are two files, one is the Welchia virus, the other is supposed to be there. I have been getting random connects to the svchost.exe; they, as I gather, are computers with the Blaster virus (Welchia also) and are looking to infect your system. I got the patches and still get those attempts, I block them every time.

AndyD Posted September 17, 2003

> Whoa! Stop!
>
> Svchost.exe is a part of windows that 'hosts' the services that perform various functions (often network-related) in your system. It is not unusual to have multiple processes for svchost at once. Unless it is infected (obviously not) by a virus, it IS NOT A VIRUS. The internet activity from it is a fairly normal thing, which is really just your system keeping in contact with the net.
>
> /edit: If you run %SYSTEMROOT%\system32\services.msc, you will see what services svchost is providing.

Not if it's from unknown IPs that are trying to connect to me. I can show you the logs if you want... this happens about 90+ times a day. It's not normal traffic. It specifically tries to connect to port 1026. No harm has been done, but why take a chance? I've read plenty on svchost already and have limited its use in OutPost. My system runs just fine.

ryuh3d Posted September 17, 2003

If you think you have a virus, go to http://www.pandasoftware.com/activescan/co...n_principal.htm

That site might help you. If you don't have a firewall up on your network, either go to http://www.zonelabs.com/store/content/home.jsp and download their free firewall, or go to http://www.helpdesk.umd.edu/documents/4/4206/ to see how to enable the Windows XP firewall. Then finally go to http://www.grc.com/default.htm to test how secure you are. Click on Shields Up.

Samoa Posted September 17, 2003

> If you think you have a virus, go to http://www.pandasoftware.com/activescan/co...n_principal.htm
>
> That site might help you. If you don't have a firewall up on your network, either go to http://www.zonelabs.com/store/content/home.jsp and download their free firewall, or go to http://www.helpdesk.umd.edu/documents/4/4206/ to see how to enable the Windows XP firewall. Then finally go to http://www.grc.com/default.htm to test how secure you are. Click on Shields Up.

Shields UP has been discontinued. If you want to test your software firewall, see my Firewall Configuration Thread. www.pcpitstop.com has two antivirus tests online and you can see how to tweak your computer some for better performance.

DavidGP Posted September 18, 2003

> Shields UP has been discontinued. If you want to test your software firewall, see my Firewall Configuration Thread. www.pcpitstop.com has two antivirus tests online and you can see how to tweak your computer some for better performance.

Funny, I was there the other day and Shields Up is alive and kicking, with some new tests also, e.g. File Sharing, Common Ports, All Service Ports etc. tests!

Besides that, a good place to check your security is http://www.pcflank.com/ and http://www.hackerwatch.org/probe/

Samoa Posted September 18, 2003

>> Shields UP has been discontinued. If you want to test your software firewall, see my Firewall Configuration Thread. www.pcpitstop.com has two antivirus tests online and you can see how to tweak your computer some for better performance.
>
> Funny, I was there the other day and Shields Up is alive and kicking, with some new tests also, e.g. File Sharing, Common Ports, All Service Ports etc. tests!
>
> Besides that, a good place to check your security is http://www.pcflank.com/ and http://www.hackerwatch.org/probe/

That was a message I read one time at that site. But you can use almost any stealth scanner you want. I recommend Sygate though, but pcflank is good.

uniacidz Posted September 18, 2003

MANUAL REMOVAL INSTRUCTIONS

Removing the Malware Service

This removes the running malware service from memory on systems running Windows NT, 2000, and XP.

1. Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.
2. At the command prompt, type the following:
   NET STOP "Network Connections Sharing"
3. Press the Enter key. A message should indicate that the service has been stopped successfully.
4. Do the same to stop the following service:
   NET STOP "WINS Client"
5. Close the command prompt window.
6. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
7. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
8. Still in the left panel, delete the subkeys:
   RpcPatch
   RpcTftpd
9. Close Registry Editor.

Removing Malware Components

This procedure removes the malware's other components:

1. Double-click the "My Computer" icon from the desktop.
2. Look for the Windows system folder.
3. Double-click the following folder:
   WINS
4. Right-click the following files and select Delete from the pop-up menu:
   SVCHOST.EXE
   DLLHOST.EXE
5. Click Yes when asked for confirmation.

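Added example (not part of uniacidz's post or of any vendor tool): a triage check that separates the genuine System32 svchost.exe and dllhost.exe from copies running elsewhere, such as the WINS subfolder, and flags the service names and subkeys listed in the removal steps. The function names and the inventory tuples are hypothetical, the sample data is constructed, and it assumes System32 itself is the only legitimate location for these two images.

```python
import ntpath

# Names taken from the removal steps quoted in the thread above.
SERVICE_KEYS = {"rpcpatch", "rpctftpd"}
SERVICE_DISPLAY_NAMES = {"network connections sharing", "wins client"}
IMAGE_NAMES = {"svchost.exe", "dllhost.exe"}


def _norm(path, system_root):
    """Expand %SystemRoot%, unify separators and case for comparison."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    p = p.replace("%systemroot%", system_root.lower())
    return ntpath.normpath(p)


def triage(processes, services, system_root=r"C:\WINDOWS"):
    """processes: (pid, image_path); services: (key_name, display_name)."""
    # Assumption: System32 itself is the only legitimate home of these images.
    system32 = _norm(r"%SystemRoot%\System32", system_root)
    findings = []
    for pid, image in processes:
        full = _norm(image, system_root)
        if (ntpath.basename(full) in IMAGE_NAMES
                and ntpath.dirname(full) != system32):
            findings.append(("process", pid, full))
    for key, display in services:
        if key.lower() in SERVICE_KEYS:
            findings.append(("service", key, "subkey listed for deletion"))
        elif display.lower() in SERVICE_DISPLAY_NAMES:
            findings.append(("service", key, "display name listed for NET STOP"))
    return findings


# Constructed inventory for illustration; not taken from a real machine.
SAMPLE_PROCESSES = [
    (840, r"C:\WINDOWS\System32\svchost.exe"),
    (1012, r"%SystemRoot%\system32\svchost.exe"),
    (1536, r"C:\WINDOWS\system32\wins\svchost.exe"),
    (1580, r"C:\WINDOWS\system32\wins\DLLHOST.EXE"),
    (2044, r"C:\Program Files\Outlook Express\msimn.exe"),
]
SAMPLE_SERVICES = [
    ("RpcSs", "Remote Procedure Call (RPC)"),
    ("RpcPatch", "WINS Client"),
    ("RpcTftpd", "Network Connections Sharing"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_SERVICES):
        print(finding)
```

The comparison is on the full image path, not the process name, which is why the several svchost.exe instances that Windows normally runs from System32 produce no findings.
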
Samoa Posted September 18, 2003

> MANUAL REMOVAL INSTRUCTIONS
>
> Removing the Malware Service
>
> This removes the running malware service from memory on systems running Windows NT, 2000, and XP.
>
> 1. Open a command prompt window. Click Start>Run, type CMD and then press the Enter key.
> 2. At the command prompt, type the following:
>    NET STOP "Network Connections Sharing"
> 3. Press the Enter key. A message should indicate that the service has been stopped successfully.
> 4. Do the same to stop the following service:
>    NET STOP "WINS Client"
> 5. Close the command prompt window.
> 6. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
> 7. In the left panel, double-click the following:
>    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
> 8. Still in the left panel, delete the subkeys:
>    RpcPatch
>    RpcTftpd
> 9. Close Registry Editor.
>
> Removing Malware Components
>
> This procedure removes the malware's other components:
>
> 1. Double-click the "My Computer" icon from the desktop.
> 2. Look for the Windows system folder.
> 3. Double-click the following folder:
>    WINS
> 4. Right-click the following files and select Delete from the pop-up menu:
>    SVCHOST.EXE
>    DLLHOST.EXE
> 5. Click Yes when asked for confirmation.

Thanks davey, I was wrong on that o:D. :D

turbomonkeycock Posted September 20, 2003

Perhaps you have been hacked, or to use the correct term, rooted. This is where people who run warez channels on IRC use other people's connections to host their files and let people leech from. This would explain the multiple connections, and some people name one of their files svchost.exe. Apparently. :ninja:

G-Dub