svchosts.exe virus

[Birdseye]

OK, I have tried reformatting and I still have a virus that causes the svchosts.exe error and messes up cutting/pasting and my cpu is slow. I tried running the symantec bug fix utility but nothing happened.

Any clues? Try a low level format or fdisk? how do I do a LL format?

[MD-2389]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by Birdseye:
Any clues? Try a low level format or fdisk? how do I do a LL format?</font><HR></BLOCKQUOTE>

You have to goto your hard drive manufacturer's website and download their utility to do that. Its generally mentioned as "writing zeros to the drive" or the like.

Have you tried booting into safe mode and running the utility there?

[ccb056]

fdisk simply repartitions the drive, for a llf you will need to goto the manufacturers website and write zeros

although I dont think a low level format is necessary

[AceCombat]

CCB, you using your same name on AA:O Forums?

[Floyd]

the virus-vulnerable part of the hdd is the boot sector (system section), not the data section.
using fdsik deleting and recreating the partitions should suffice, as long as you use a clean boot disk.

as for removing boot viri, you can have it much easier. if you use win2k, you just boot the emergency repair console (where it looks like a dos environment) from CD and type "fixmbr", that rewrites the master boot record. it should work similar with winxp.
there is also a way for win98 with fdisk, but i'm not sure about the procedure anymore.

low level format is not just "writing zeroes", it's definig tracks, sectors and interleaving, while regular format is actually writing "FF"s.
selfmade low level formats can fsck up the performance of your drive, so you better get advised by the manufacturer if you still wanna do that.

i'd recommend checking all your hardware, then fdisk. low level format should be the very last option, though i doubt that it'll help.

-F

[Mobius]

I have never heard of anyone doing an LLF on an HDD. From memory this can destroy your drive. Best avoided.

[Max_T]

The virus u r talking about is not a boot-sector virus. I just cleaned a pc with that virus a few weeks ago. The minute you get on the internet, you get that virus. It's not reinfecting you from the boot sector, but it's reinfecting you when you are going online, b/c that RPC service vulnerability is unpatched.

I don't remember the specifics of that virus, but it's definitely not a boot virus. Just reformat, reinstall, and patch right away, before you go online.

[AceCombat]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by Max_T:
I don't remember the specifics of that virus, but it's definitely not a boot virus. Just reformat, reinstall, and patch right away, before you go online.</font><HR></BLOCKQUOTE>


how else is he gonna get any patches if he is not supposed to go online first


<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by Mobius:
I have never heard of anyone doing an LLF on an HDD. From memory this can destroy your drive. Best avoided.</font><HR></BLOCKQUOTE>

yes mobi is right ( for once ) Low Level Formatting is a item that is done at the factory, the process lays down the tracks, cylinders and sectors. it should not be used as a option for a user. it voids your warranty. this can happen simply because the pinpoint accuracy at the factory that is practically flawless degrades as the drive is used, thus if a Low-Level Format is performed and the drive doesnt correctly layout the cylinders, tracks and/or sectors properly as they are specified at the factory, it can render the drive inoperable.

[Tyranny]

Ace, how about backing up the patch on disk? Just a thought

[AceCombat]

problem with that.........if the patch is infected aswell and he backs that up......well he is FUBAR even worse now. plus any number of items could be corrupted in his file system aswell.

[Max_T]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by Tyranny:
Ace, how about backing up the patch on disk? Just a thought </font><HR></BLOCKQUOTE>

You'd think he would get that, right? lol

[Max_T]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by AceCombat:
<b> problem with that.........if the patch is infected aswell and he backs that up...
</b></font><HR></BLOCKQUOTE>

This is not a virus per se, it does not multiply. It does not infect all the executable files. This is a worm, that sneaks into the system through the RPC service vulnerability.

Plus u can always get the patch from another PC somewhere.

[MD-2389]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by AceCombat:
<b> problem with that.........if the patch is infected aswell and he backs that up......well he is FUBAR even worse now. plus any number of items could be corrupted in his file system aswell.

</b></font><HR></BLOCKQUOTE>

Its called getting the patch on CD dumbass. Microsoft is giving the damn things away on CD for free (patches upto 10/2003, which includes the RPC patch). They even pay shipping. I suggest you look up the definition of Worm and Virus before replying to this thread again because you obviously weren't paying attention in your so-called A+ class.

[Arch]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by AceCombat:
yes mobi is right ( for once ) Low Level Formatting is a item that is done at the factory, the process lays down the tracks, cylinders and sectors. it should not be used as a option for a user. it voids your warranty. this can happen simply because the pinpoint accuracy at the factory that is practically flawless degrades as the drive is used, thus if a Low-Level Format is performed and the drive doesnt correctly layout the cylinders, tracks and/or sectors properly as they are specified at the factory, it can render the drive inoperable.</font><HR></BLOCKQUOTE>

Actually, you're both wrong. Low level formats have nothing to do with laying down sectors and tracks and the like. It also doesn't void your warranty. In fact, Maxtor's own disk utilities include an option to low level format a drive. In many cases this can actually solve problems with the drive such as mislabeled bad sectors.

All low level formatting does it write zeros to every sector of every track. All the sector and track information is stored on a "control" surface of one of the platters, which is not writable by the user. This is so the drive still knows where the sectors and tracks are once the drive platters heat up after use.

Low level formatting is fine and won't hurt your drive in any way. Birds, if you go to Maxtor site and download their utility software you can low level your drive with it. Last time I used it, which was a couple of years ago, it didn't matter if it was a Maxtor drive or not.

[Asrale]

That sounds like the Blaster worm, or Nachi.B/Lovsan.A. If you have an anti-virus program, run it to identify the worm.

I just cleaned a friend's laptop that had this worm. Man it was aggravating, yes it infects the computer as soon as an Internet connection is active.

What you have to do, is download and install Microsoft's two Windows patches (regardless if you're using 2K or XP) that correct the RPC DCOM vulnerability. I hope you have another PC for doing this. Then, re-scan the system using your AV software and have it remove the worm.

Finally, if this is XP, you should disable Windows Messenger. Do a Google on that for the instructions...

[JMEaT]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by Arch:
<b> Actually, you're both wrong. Low level formats have nothing to do with laying down sectors and tracks and the like. It also doesn't void your warranty. In fact, Maxtor's own disk utilities include an option to low level format a drive. In many cases this can actually solve problems with the drive such as mislabeled bad sectors.

All low level formatting does it write zeros to every sector of every track. All the sector and track information is stored on a "control" surface of one of the platters, which is not writable by the user. This is so the drive still knows where the sectors and tracks are once the drive platters heat up after use.

Low level formatting is fine and won't hurt your drive in any way. Birds, if you go to Maxtor site and download their utility software you can low level your drive with it. Last time I used it, which was a couple of years ago, it didn't matter if it was a Maxtor drive or not.

</b></font><HR></BLOCKQUOTE>

Lol, I was typing a response like that yesterday but clicked sumit to fine the DBB went down again.

I've used MAXLLF on Seagates and WDs and Maxtor. Their utility is pretty nice, but WD has a utility that can LLF in windows taking advantage of faster write speeds, but unless you have anothr PC with an OS, this won't help you

[Warlock]

start
run
msconfig
services
check "hide all MS services"
and look for ones with an unknown name
uncheck it
reboot
go and del the file off of the HDD and out of the Regfile but befor del the file right click on it and do prop and look under version and if MS name isnt in there then thats it cause the virus doesnt have aney copyright info

[BUBBALOU]

I just posted this stuff no more than like 2 weeks ago..... let me get the link about RPC errors and reboots burn these files to a CD and keep them! any reinstall load em back in

Blaster / lovsan worm

my doom

[ccb056]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by AceCombat:
CCB, you using your same name on AA:O Forums?</font><HR></BLOCKQUOTE>

I use the same name everywhere

[Birdseye]

Ok thanks for the help! You guys as usual defeat my efforts in google searching...

Warlock: trying msconfig gives me an error.

I think I may just fdisk/reformat and patch. Seems sure-fire.
I'm running Win2k.

[Mr. Perfect]

You get that error because 2K doesn't have MSconfig. It's XP only I think.

[MD-2389]

<BLOCKQUOTE><font size="1" face="Arial">quote:</font><HR><font face="Arial" size="3">Originally posted by Mr. Perfect:
You get that error because 2K doesn't have MSconfig. It's XP only I think.</font><HR></BLOCKQUOTE>

Actually, MSCONFIG came with Win95, all the way upto WinME, skipped Win2k, and was brought back in XP.

Birds, you can download msconfig if you do a google search for it.

[WarAdvocat]

Birds- I had the same problem with a computer here @ the office at one time. There were two problems - #1 the router (for some reason) was not blocking WAN requests. #2 was that the worm was attacking almost instantly upon reformat.

I'd suggest firewalling your computer solidly before connecting to the net first off.

Now the big problem I had was that it was terminating msconfig and other processes almost as soon as I ran them...and it was blocking installation of patches. I finally figured out what how to get around it. The trick is that the virus process name is sCvHOST and the legitimate windows service is sVcHOST. I call it the dyslexia misdirection. THIS IS A ★■◆● TO SPOT UNLESS YOU ARE TOLD IN ADVANCE...and terminating SVCHOST can crash your system...leading to infinite loops of frustration and screaming while throwing components around the room.

Terminate all instances of SCVHOST and you should be able to operate normally, patch and get rid of the virus.



More on Symantec and Trend Micro's sites if you need cleaning instructions. Check Trend Micro's Free Virus Scan to verify. Removal is relatively easy and straightforward if memory serves.

http://housecall.trendmicro.com/