First it was my clock. It kept losing an hour. Was quite annoying. I kept changing it back.
Then this morning, I got the following error message:
svhost.exe Application Error:
The instruction at "0.745f2780" referenced memory at "0.00000000". The memory could not be "read".
Click cancel to debug:
Ok/Cancel
So, I clicked ok...computer froze up.
So, I clicked cancel (after hardstarting my computer) computer froze up.
I'm thinking this is bad, very bad. I'm praying I don't have a virus.
Help?
Was it svhost.exe, or svchost.exe?
svchost.exe is a Windows program that runs at startup and enables Windows services and processes. You need it to run Windows. It's always located in C:\Windows\System32. If you see it in any other folder it's a virus, or other nasty piece of software.
Svhost.exe would probably be a virus of some kind. It's definitely not a system file.
What kind of Anti-Virus do you run? Is it up to date?
Your options are likely going to be:
- See if you can fix things in Safe mode. Try to update your system and install any security patches you might be missing.
- See if you can install and update an Anti-Virus program in Safe mode.
- Try a repair install of Windows XP from your Windows CD.
- Re-install Windows XP, (this one is a pain in the butt, and you can lose files if you have anything encrypted or compressed on your hard drive. Definitely last resort.) then reinstall *all* your device drivers and programs. You'll lose all your settings data.
I use Zone Alarm and yes it has an anti virus/anti spyware part which is up to date.
I'm pretty sure I have the worm svhost. Oddly, last night, I was finally able to get on line and use my computer at will. It started behaving again when I started moving all My Documents to my stick h/d and putting them on my laptop.
I remember last week Tan had me d/ling things for virus and spyware and I d/l one he loved, and when I had it scan it found a trojan bad thing. Then it asked for money. I uhh, thought it was lying to get my money so I deleted the program (he'd been looking for free ware for me) I'm thinking it was the real deal.
So, let's assume I want to d/l additional virus/spyware protection and one that can fix this current problem w/o an issue. Which one should I buy?
I used to have Norton until I got Zone Alarm--should I use that again?
Is there any reason not to d/l the anti virus program and updates while my computer is up and running regularly? Will the virus somehow change the incoming program to not detect itself?
Lyrima, all the Zonealarm antivirus thing does is let you know if your antivirus is up to date. It's not actually part of the program. However, their spyware product is part of the program. You should have more than one anti-spyware program on your computer because they all do not have the same number of definitions protected. I use Webroot Spysweeper, Adaware Personal Edition, Spybot Search and Destroy, and Spyware Blaster.
You should keep Norton Systemworks and I told you that when I was over there. ZoneAlarm is a Firewall. Use the Norton antivirus portion and you'll be set. The new Norton products have worm protection in them, and have saved me numerous times. I only trust the top named products for antivirus protection and Symantec has it down. You should have (to be on the safe side) Norton Systemworks because it actually corrects problems with your computer.
Also, you have to stop turning off Zonealarm to access things and instead configure it so that you can access stuff without turning it off. When you do that, that's one less level of protection and your computer is wide open. Routers are helpful but do not completely protect you. A firewall is a level of protection as is your router.
I have a firewall and a router and worms still try to get into my machine. They fail, but they sure do try.
Also, Namae asked a really good question, is it Svhost.exe or Svchost.exe. If it's the latter, do not delete it because Windows needs that file.
Which file was it?
It is, without a doubt, svhost.com.
I know you've recommended Norton and so have others...and others have told me they don't like it /shrug
I'm ready and willing to d/l Norton now, if it is safe to do so on an infected machine.
My Zone Alarm is currently scanning for viruses. It *does* have a virus protection and I have it scanning by byte. Now, I don't know more than what the silly program description tells me:
Quote: Anti-virus / Anti-spyware
Keep protection On to protect your computer from viruses and spyware.
And it gives me an option to scan...which it does regularly for me and did on the 8th of August. And it found nothing.
So now I have it scanning by byte, but I'm perfectly happy to get a second program if everyone thinks Norton is the way to go.
Ok, I've looked at Norton and there is a huge array of prices and products. I have two computers that need protection right now.
I know Gwenae suggests system works but I'd like to hear from more folks about this before I spend the money. And I need to know if Norton will play nice with my ZA, which I spent $60 on this winter. I can't keep tossing money at software.
I don't know enough about all this and I don't know how to become knowledgeable. As I said, I'm under the impression ZA does do virus scans and it missed this worm :(
This is the list of products Norton has:
http://www.symantecstore.com/dr/sat1/ec_MAIN.Entry17C?SID=49997&SP=10024&CID=0&PID=&PN=29&S1=&S2=&S3=&S4=&S5=&V1=11031981&V2=11031981&V3=1&V4=10&V5=&CUR=840&DSP=&PGRP=0&ABCODE=&CACHE_ID=189236
And this is what I have for Zone Alarm:
http://www.zonelabs.com/store/application?namespace=zls_catalog&origin=global.jsp&event=link.catalogHome&dc=12bms&ctry=US&lang=en&lid=home_ho
I got the suite (the one listed for 49.99 but I paid full price--closer to $60.)
Now tell me, do I have to spend another $100 on Norton? Or should I get something else?
HEEEEEEEEEEELP !!
Hi Lyrima,
Download these, install them, and run their "update" functions (don't scan yet).
http://www.lavasoftusa.com/software/adaware/
http://www.download.com/3000-2144-10122137.html
http://www.intermute.com/spysubtract/cwshredder_download.html
Reboot your PC in safe mode (hit F8 during the early bootup screens and it'll pop an option to boot in safe mode).
Once in safe mode, use all three programs above to scan your system. They'll find most everything problematic that's out there in the way of trojans and worms and junk.
If the problem persists, boot in safe mode again, go into c:/windows/system32, sort by date, and delete any .dll or .exe files which were created the day the problem started (you can right click the files to see created date).
Zonealarm works fine with Norton. I use both together, and never have any problems. I think a lot of people say they don't like the programs because they just don't understand how to configure them. You have to allow some things and disallow others.
Zonealarm must have a separate virus program then, if so, then I was wrong.
It's important to read the instructions when you buy software like this, because you really need to understand how it works and how it can be set up to not interfere with your computer use.
Do as others have suggested and bring up your computer in safe mode. It's safe to install Norton, but you really should go and buy the program so that you have the cd. That way you don't have to keep downloading it each time you want to install it. Just a recommendation.
Here's some info I found out about svhost.exe. It's a W32.Mydoom.i@mm worm. It's an email mass mailing worm.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-041516-1209-99&tabid=3
You can go ahead and remove it if you follow the instructions.
Edit: If you do this, please do it in Safemode!
If you don't like Nortons (I'm one who loathes it) and would prefer/don't mind going with a free option, try out AVG at free.grisoft.com.
I use it along with Zone Alarm, Ad-Aware, Spyware Blaster, and Spybot. All are free and work well.
I've run three different spy/virus seeking programs and none have found this.
Can it hide that well?
Should I take these drastic steps? How do I know it is there?
I've now purchased and d/led Norton Internet Security. Tomorrow I will continue my work but I need to know..
how can I be certain I've got the silly thing before I go messing with my registry?
*thinks about Syll's list of tasks*
The links I mentioned above are all free and work well. I've only had one trojan that they couldn't fix (and I removed it manually myself).
Norton firewall is fairly convenient, but honestly I've found the Norton antivirus stuff to be pretty underpowered.
- Syll
Also, hit ctrl-alt-del to bring up application manager, and click on processes.
Scroll through the list and just double check that it is "svhost.exe" you see there (exact spelling). As mentioned above, there are normal system processes with very similar names.
- Syll
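The two checks suggested in this thread (the exact spelling of the process name, and svchost.exe living only in C:\Windows\System32), written out as an added example that is not part of any poster's message. The sample paths are constructed, and the edit-distance threshold of 2 and the C:\Windows install location are assumptions.

```python
import ntpath

LEGIT_NAME = "svchost.exe"
# Location given in the thread; assumes Windows is installed in C:\Windows.
LEGIT_DIR = r"c:\windows\system32"


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(image_path):
    """Return 'ok', 'wrong-location', 'lookalike' or 'unrelated'."""
    norm = ntpath.normpath(image_path).lower()   # also turns / into \
    folder, name = ntpath.split(norm)
    if name == LEGIT_NAME:
        return "ok" if folder == LEGIT_DIR else "wrong-location"
    stem, _ext = ntpath.splitext(name)
    # Near-miss spellings (svhost, scvhost) and the right stem with the
    # wrong extension (svchost.com) both land here. Threshold is assumed.
    if edit_distance(stem, "svchost") <= 2:
        return "lookalike"
    return "unrelated"


def suspicious(paths):
    """Keep only the image paths that deserve a closer look."""
    return [(p, v) for p in paths
            if (v := classify(p)) in ("wrong-location", "lookalike")]


# Constructed sample of process image paths, not taken from a real machine.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\WINDOWS\system32\svhost.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    r"C:\Windows\System32\scvhost.exe",
    r"C:\Windows\System32\svchost.com",
    r"C:\Windows\System32\spoolsv.exe",
    r"C:/windows/system32/SVCHOST.EXE",
]

if __name__ == "__main__":
    for path, verdict in suspicious(SAMPLE):
        print(f"{verdict:15} {path}")
```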
so if I don't see svhost.exe in the application manager it isn't on my computer?
This is a way to check ?
Lyrima, follow the link that I posted, it shows you how to remove it. It might be hidden in the registry.
Removing it from the application manager doesn't mean it's gone from the computer. The steps aren't really that drastic, just follow the paths and steps listed and you can remove it completely.
Gwennie, I looked at the link and read the directions. Daunting at best. And the instructions are from 2004. One would think Symantec would have figured out a better means of finding and removing this in these last two years.
Those instructions were written when the svhost worm was first found, I'm thinking.
I looked for more recent instructions and none were to be found.
At this point, I'm not all that sure if I followed the directions I'd even FIND the thing.
What I'm looking for at this point is a means of being sure I have the worm before I start messing further with my registry.
I'm no longer getting the error message nor am I having problems (so far) with my computer.
They are the correct instructions. The instructions were probably written when that worm was discovered. Forget about when they were written, do you have any idea how many worms or viruses there are? There's no reason to rewrite the instructions if they're correct.
If you follow the instructions and go into your registry you can be sure that it's gone. If you're not going to try it then you can keep wondering about it.
Truth to be told, there are a fairly decent variety of worms, backdoor.sdbots, trojans etc that use the "svhost.exe" file name to mask themselves. The most likely culprit is the mydoom above. However, there are quite a few others and variants that use the same. Removal on each differs.
Unless someone feels exceptionally comfortable with their PC and has no problem experimenting on varying removal instructions and able to compensate / fix anything that occurs during the process, then the best thing to do is to make sure the PC is scanned by the most up-to-date anti-virus software out there.
Alternatively, there is always the option of backing up any "cannot be lost" info and then a complete disk format / clean install of windows. Which is always my preference.
Quote: so if I don't see svhost.exe in the application manager it isn't on my computer?
If you don't see it in the list of running processes, and you're not in safe-mode when you check, no, it probably isn't.
Usually worms run all the time once you're infected.
- Syll
Those instructions are indeed a bit confusing...and i'm a comp geek.
The only reason i can follow it is i've been using Symantec for awhile. Someone who DOESN'T use Symantec, is not going to realize that what they're reading is a list of descriptions, riddled with links of "How to..".
There is nothing wrong with wanting to be sure you HAVE to change the registry.
Syll gave you the best advice. This worm/virus/trojan/whatevermebob.....'s says it will show up in Active Processes. If you do not see it there...there is a "Good" possibility, that it is gone. And as far as finding out for "SURE"....i don't think this group can give you an answer..there are some things you may just have to hold your breath and hope.
And if you still are losing sleep, take it to a reliable computer Fix-It store to give it a once over..
I remember the days when we dreamed "Of the day when"..computers always worked when we wanted them to, HOW we wanted them to.....
Honestly, I was only trying to help here but it seems that no one will trust the assistance of a computer professional. Seriously, I was concerned because she was asked to delete it from Windows Task Manager, and I know that it doesn't remove it from the computer that way and that may only be one step in the removal process. The instructions I provided also gave instructions on how to back up the registry. I would never ask someone to do something that would mess up their computer. The instructions given were for a worm. She sounded very worried about it, and I was offering help. That's how I make sure that I don't have anything on my computer. Not all of these virus programs remove every variant out there. Sometimes you have to take steps to remove the threat. While you're at it, you can be sure that it's not hiding in your registry because removing it from the task manager, doesn't mean that it's gone, and just because you don't see it could also mean that it's waiting to start up again at another time. As a rule, I don't trust the task manager, because those things have a way of returning.
I'm really not just a computer geek, I do this stuff for a living.
Gwenae's right.. there is never an easy way of making sure that the virus isn't hiding out somewhere else waiting for a chance to re-infect you. Making sure it's gone, and backing up the registry is the safest step. then if it ever comes back, you can whack it back dead.
*hugs Gwenae*
<hugs Namae> I'm so happy to see you! Are you back??
/hopes
Quote: Honestly, I was only trying to help here but it seems that no one will trust the assistance of a computer professional.
*raises an eyebrow*
With all due respect, I don't think anyone was slamming on your personal ability or judgement, Gwen, nor is anyone slighting your wish to help. We all want to help. It's our nature to wish to
There are multiple computer professionals that do such for a living other than yourself on this board.
We all agree, I would think, on the following:
1 -- Just because something is "gone" from the Task Manager doesn't mean it's "gone".
2 -- Editing one's Registry is not something that should be done lightly
3 -- Anti-Virus software isn't always the most reliable thing
4 -- Unless I have that computer in front of me and can look at it in detail, observing behaviour and etc, I cannot definitively say in any honest fashion what is and what isn't.
5 -- Many differing variants other than the typical worm it first became known under use the "svhost" deal to hide itself.
Lyrima is not a computer professional. A number of us who gave advice are .. and are giving advice from the perspective of what we would do ... what we would feel comfortable in doing.
That would not necessarily be the case of someone who is not a comp professional. If a person does not feel comfortable in following advice simply for fear or not having a level of comfort in mucking about with things then telling them "If you're not going to try it then you can keep wondering about it." is not helpful at all.
There is no One Answer. There is only advice. And we've all given what advice we could think of giving. Just because Lyrima chooses to do one thing or another with that advice does not imply distrust or a slight on someone's ability.
Nor does anyone else giving advice that is contrary make anyone else "wrong" or inept.
It's advice. And, like opinions, everyone has one.
/me walks away from the thread.
I'm not a computer expert.
I just get infected all the time from my pr0n surfing so I have a lot of experience cleaning that crap off :p
- Syll
All I'm gonna say is "Oh good lord". Why? Because this isn't an argument!!!! I'm not offended! Seriously, I think I have to start using more emotes.
I think that comment from me came because I was frustrated when I kept trying to explain it and debating about it wasn't going to get it done. I wanted to help and I tried to help. I did not feel that anyone was crapping on me, I was just trying to state that I do know what I'm talking about. I'm not trying to.... you know, I'll just stay quiet in the future.
I'm not doing any good here, and this thread is degenerating.
Quote from: Gwenae on August 15, 2006, 07:24:32 AM
<hugs Namae> I'm so happy to see you! Are you back??
/hopes
*smiles*
Back in what sense? I'm always around, just harder to see sometimes than others.
Quote from: Gwenae on August 15, 2006, 09:27:36 AM
Seriously, I think I have to start using more emotes.
:wv :uglystupid2: :tickedoff: :sc :sleep: :hwt :smiley6600: :smitten: :kia :bdg :--- :cow :pms :brfm :angel: :ana :crazy2: :bm1 :embarassed: :bm2 :knuppel2: :mf_swordfight: :bm3 :gld :police: :buck2: :bm2 :-* :bm3 :bm1 ??? :o :P ??? >:( ;D :embarassed: :laugh: :knuppel2: ::) ???
There you go. If you need more, lemme know!
I'm sorry if I offended anyone. I did not mean to.