Mother Baby Unit ([info]lunadragonfly) wrote in [info]damnportlanders,
@ 2008-01-19 12:08:00
computer people!
help quick, what can you tell me about the trojan svchost.exe? I'm running AVG but I want to know if it's possible damage was done to my computer before I caught it.




[info]mnemosyne9
2008-01-19 08:13 pm UTC (link)
svchost.exe is a normal Windows system process. It is not a virus. (Edit: I did some research (should have before posting) and it says in some cases it can be a risk, but it definitely can also be a normal system process.)

Edited at 2008-01-19 08:14 pm UTC


[info]lunadragonfly
2008-01-19 08:19 pm UTC (link)
No, I know it is also normal, but in this case it took over the computer and when I ran the antivirus program it popped up as a threat, along with a trojan downloader called 0xf9.exe. Trust me I am not hysterical about viruses and computer stuff in general, I know the difference between an annoyance and a real problem. I did the scan because my computer seriously wouldn't do anything else for more than a second it was so overloaded with multiple copies of the faux svchost.


[info]dave256
2008-01-19 08:22 pm UTC (link)
svchost.exe is the part of Windows that allows DLL files to "execute". It's a standard, run-of-the-mill process, and can be a security risk in that "svchost.exe" will always show up in the process list instead of the DLL it is running. I.e., "svchost foo.dll" will put another "svchost.exe" in the process list with no mention of "foo.dll".

It means there COULD be a trojan on your system, that's launched via svchost, but svchost isn't to blame (but rather, you, as a user, for downloading crap and not scanning it before running it are).


[info]lunadragonfly
2008-01-19 08:34 pm UTC (link)
STFU I'm not the only person that uses this computer. I know DP loves the snark but there's no need to treat me like an idiot. Unless you also think the virus scanner that identified this as a virus is also an idiot, in which case it would be nice to point me to one you think is better.

All I wanted was some information on what to do next, sorry to bother you.


[info]baloo_ursidae
2008-01-20 12:51 am UTC (link)
"I know DP loves the snark but there's no need to treat me like an idiot."

If everybody's using the same login instead of their own normal (not Administrator) user, and that login everyone's using has Administrator privileges, then yes, that was a pretty retarded way to set yourself up for exactly this.


[info]lunadragonfly
2008-01-20 02:24 am UTC (link)
That's OK I think you're an asshole so kthxbi.


[info]baloo_ursidae
2008-01-20 04:43 am UTC (link)
If you don't want to use the security measures your operating system provides to prevent exactly this, don't bitch when you get bit. Duh.


[info]dave256
2008-01-20 01:18 am UTC (link)
Because, of course, this particular problem is a result of instabilities in the quantum flux. Surely the user did nothing wrong.

And don't bother giving useful information like which specific trojan AVG thinks it is. I already told you why it's probably not svchost.exe that's directly the problem.


[info]lunadragonfly
2008-01-20 02:25 am UTC (link)
Thanks for feeding the ugly stereotype that computer geeks have no social skills, have a wonderful day.


[info]dave256
2008-01-20 03:26 am UTC (link)
Still using the old standby of dullards everywhere: "I didn't do anything!" eh.

For your type, the solution is always, "Oh, you best reinstall windows."


[info]cratermoon
2008-01-19 08:28 pm UTC (link)
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081819-3333-99

Enjoy. I'll bill you later at a reasonable price.


[info]db_cooper
2008-01-19 08:39 pm UTC (link)
how is linking a very old worm removal tool helpful in this case? and what at all does it have to do with what was asked?


[info]lunadragonfly
2008-01-19 08:57 pm UTC (link)
Glad I'm not the only one who couldn't figure that out!


[info]freyis
2008-01-19 08:41 pm UTC (link)
Did it mention which trojan was in it, or did it just flag the file as a threat?

If it is removed/healed by your anti virus software, and it doesn't keep showing up again, then everything should be fine. If it continues to reappear though, I'd run a second anti virus program, like the Housecall one Trend Micro has, to make sure everything is being caught.


[info]lunadragonfly
2008-01-19 09:00 pm UTC (link)
AVG is still running the scan, but what it has isolated so far is this:

svchost.exe trojan
0xf9.exe
dnlsvc.exe
2[1].ani
go[1].exe

I have no idea what most of that means. Honestly my computer almost never has problems and I don't think I've ever gotten a virus before. This resulted from someone else who uses my computer going to some kind of skeezy game code download site, I think. I mean he admitted to it and I can't think where else these would come from, since I don't download anything except from verified major companies, etc. Argh.


[info]freyis
2008-01-19 09:14 pm UTC (link)
So the scan is still going at the moment? When it reaches the end, it should give you a list of options of what to do with the infected files, ranging from healing them, quarantining them, and deleting them.

Healing is for normal files that have been infected, quarantining is to keep it around but in a safe place where it can't be executed for possible future healing, and deleting is for removing files that were viruses to begin with.

From the way those files are named, it sounds like the last option, deleting, makes the most sense, except possibly for svchost. It depends on where the svchost.exe file is located. If it's in windows/system32, then it's most likely an infected copy of the original. If it's located anywhere else then it's a virus to begin with, unless someone copied the original file for some reason to another location.

Viruses can come from some pretty odd places. They can lurk around for a long time too before coming active if they are coded to be time sensitive. I had a case of that once where it was set to wait until a year after it was created to do anything. Thankfully I caught it before that :)


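The two checks raised in this thread (which services each "svchost.exe" entry in the process list is actually hosting, and whether its file sits in windows/system32 or somewhere else), as an added PowerShell example that is not part of the original posts. It assumes PowerShell 3.0 or later and an elevated prompt; the variable and column names are illustrative.

```powershell
# Added example: triage running svchost.exe instances (run from an elevated prompt).
# Legitimate copies live only in these two directories under %SystemRoot%.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # 32-bit copy on 64-bit Windows
)

# Map each process ID to the names of the Windows services it hosts.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.ProcessId) {
        $servicesByPid[[int]$svc.ProcessId] += @($svc.Name)
    }
}

$report = foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'") {
    $path = $proc.ExecutablePath

    # String comparison with -contains is case-insensitive, which matches Windows paths.
    $verdict = if (-not $path) {
        'UNKNOWN: path not readable, rerun elevated'
    } elseif ($expected -contains $path) {
        'expected location'
    } else {
        'SUSPICIOUS: outside System32'
    }

    [pscustomobject]@{
        ProcessId   = $proc.ProcessId
        ParentId    = $proc.ParentProcessId
        Verdict     = $verdict
        Path        = $path
        # The real service host is normally started as "svchost.exe -k <group>"
        # and hosts at least one service; an empty list here deserves a look.
        Services    = ($servicesByPid[[int]$proc.ProcessId] -join ', ')
        CommandLine = $proc.CommandLine
    }
}

# Flagged entries sort ahead of the ones in the expected location.
$report | Sort-Object Verdict -Descending | Format-List
```

This only covers processes that are running at the time, so files the scanner has already quarantined or deleted will not appear in the output.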

[info]lunadragonfly
2008-01-20 02:28 am UTC (link)
The scan finally finished right before I left the house, haha. It deleted all the things it found and everything is running smoothly. All the svchost things were *not* in system32, in fact they were in various odd places (one of them seemed to be in an Adobe file??) So hopefully all's well for now at least. Thanks again for the advice!


[info]lunadragonfly
2008-01-19 09:01 pm UTC (link)
Oh and thanks for giving helpful info instead of snarking at me! :)


[info]freyis
2008-01-19 09:15 pm UTC (link)
You're welcome, I know this community is snark heaven but when it comes to computer problems it's one of the few cases I can give a decent response to a question on here.


[info]db_cooper
2008-01-19 08:44 pm UTC (link)
since many many trojans hijack or clone svchost.exe it's hard to say.... do you actually know what the infection was or just that svchost.exe was a problem file found during scanning?


[info]db_cooper
2008-01-19 08:48 pm UTC (link)
www.free-av.com/ <--- freeware antivirus software that is very good and has kept me virii free since i started using it and i download a lot of crap and it's constantly catching the bad little 1's and 0's trying to ruin my day! (just thought i would throw that in....)


[info]lunadragonfly
2008-01-19 09:02 pm UTC (link)
Thanks! I'm running AVG but if I still have problems it's good to get a second opinion I guess. And no, I have no idea on any details beyond what I posted in my comment to [info]freyis above.


[info]db_cooper
2008-01-19 09:09 pm UTC (link)
a really good indicator of a big problem is infected system files which can't be removed.... that can be a big headache....

as for where you think you got this.... i am guessing it was an attempt at a rootkit and if you caught it quickly it shouldn't be a problem.... i would make sure you change passwords to any website you have logged into since the infection....


[info]bliccy
2008-01-19 10:00 pm UTC (link)
http://www.techsupportforum.com/

They've saved my computer from d34th a few times!


[info]baloo_ursidae
2008-01-20 12:55 am UTC (link)
Another good place is to check Usenet for answers, you'll often get far better answers there than most web based forums. There's a web interface for usenet at Google Groups, among others. However, if you think we're snarky, you haven't miserably failed at asking a smart question on Usenet yet.


[info]baloo_ursidae
2008-01-20 12:48 am UTC (link)
A number of things could usurp svchost.exe. In the long term, the best cheap fix to dealing with viruses is probably to switch to something other than Windows. Thanks to Wine, odds are your favorite programs are probably still able to run if you can't find native programs to do the same thing anyway.


[info]pundigrion
2008-01-20 07:19 am UTC (link)
I'm not sure it is worth suggesting something so logical to this user...


[info]baloo_ursidae
2008-01-20 07:33 am UTC (link)
You may have a point there.


[info]lunadragonfly
2008-01-20 07:56 am UTC (link)
Maybe I've got you confused with someone else but I seem to remember having a number of basically friendly interactions with you. Not sure why it's suddenly a great moment to randomly attack me simply because my lack of total geekery establishes me as "illogical." But I guess you've now established your vast superiority, so, whatever. Have a wonderful time with the knowledge that you're better than me.


[info]lokidecat
2008-01-20 02:11 am UTC (link)
In my opinion AVG sucks goat balls. Most of the time its method of "cleaning" is to delete the file. This is sometimes necessary, but when I got a horrible one (Win32/Expiro), AVG tried to delete EVERY .exe file on my hard drive fucking it up major-time.

While it's nice to have "free," (see AVG, Avast! etc.) paying for a decent scanner can be a good thing now'n'again. Their engine is far more reliable and feature-filled.


[info]lunadragonfly
2008-01-20 02:29 am UTC (link)
Yeah I think I'm going to get something more fancy for longterm but this definitely seemed to do the trick quickly for today. Which is good because I'm taking 100% of my courseload at PSU online this term and have stuff due over the weekend, so I needed the computer functional asap.


[info]baloo_ursidae
2008-01-20 04:44 am UTC (link)
With software, you can get worse software, but it costs more.
