
Help! svhost.exe - pretty sure my d/t has a worm/virus :(

Started by Lyrima, August 10, 2006, 05:37:21 PM


Lyrima

First it was my clock.  It kept losing an hour.  Was quite annoying.  I kept changing it back.

Then this morning, I got the following error message:

svhost.exe Application Error:

The instruction at "0.745f2780" referenced memory at "0.00000000".  The memory could not be "read".

Click cancel to debug:

Ok/Cancel

So, I clicked ok...computer froze up.

So, I clicked cancel (after hardstarting my computer) computer froze up.

I'm thinking this is bad, very bad.  I'm praying I don't have a virus.

Help?
~^~^~^~^~^~^~^~^~^~^~^
Lyrima - EQ2, ESO, now Baldur's Gate 3
Lark - Storm Trooper SW:TOR
Kiaria - Warden EQ2, ESO
Tira l'Arc - Ranger/Healer HZ/ EQ2, ESO
Athen'a - TankArcher AC

Namae Nai

Was it svhost.exe, or svchost.exe?

svchost.exe is a Windows program that runs at startup and enables Windows services and processes. You need it to run Windows. It's always located in C:\Windows\System32. If you see it in any other folder it's a virus, or other nasty piece of software.

Svhost.exe would probably be a virus of some kind. It's definitely not a system file.

What kind of Anti-Virus do you run? Is it up to date?

Your options are likely going to be:
- See if you can fix things in Safe mode. Try to update your system and install any security patches you might be missing.
- See if you can install and update an Anti-Virus program in Safe mode.
- Try a repair install of Windows XP from your Windows CD.
- Re-install Windows XP, (this one is a pain in the butt, and you can lose files if you have anything encrypted or compressed on your hard drive. Definitely last resort.) then reinstall *all* your device drivers and programs. You'll lose all your settings data.
Namae Nai, Wandering Troubadour, 60,000,000,000$$ reward!

Lyrima

I use Zone Alarm and yes it has an anti virus/anti spyware part which is up to date.

I'm pretty sure I have the worm svhost.  Oddly, last night, I was finally able to get on line and use my computer at will.  It started behaving again when I started moving all My Documents to my stick h/d and putting them on my laptop.

I remember last week Tan had me d/ling things for virus and spyware and I d/l one he loved, and when I had it scan it found a trojan bad thing.  Then it asked for money.  I uhh, thought it was lying to get my money so I deleted the program (he'd been looking for free ware for me)  I'm thinking it was the real deal.

So, let's assume I want to d/l additional virus/spyware protection and one that can fix this current problem w/o an issue.  Which one should I buy?

I used to have Norton until I got  Zone Alarm--should I use that again? 

Is there any reason not to d/l the anti virus program and updates while my computer is up and running regularly?  Will the virus somehow change the incoming program to not detect itself?

Gwenae

Lyrima, all the Zonealarm antivirus thing does is let you know if your antivirus is up to date.  It's not actually part of the program.  However, their spyware product is part of the program.  You should have more than one anti-spyware program on your computer because they do not all have the same number of definitions.  I use Webroot Spysweeper, Adaware Personal Edition, Spybot Search and Destroy, and Spyware Blaster.

You should keep Norton Systemworks and I told you that when I was over there.  ZoneAlarm is a Firewall.  Use the Norton antivirus portion and you'll be set.  The new Norton products have worm protection in them, and have saved me numerous times.  I only trust the top named products for antivirus protection and Symantec has it down.  You should have (to be on the safe side) Norton Systemworks because it actually corrects problems with your computer.

Also, you have to stop turning off Zonealarm to access things and instead configure it so that you can access stuff without turning it off.  When you do that, that's one less level of protection and your computer is wide open.  Routers are helpful but do not completely protect you.  A firewall is a level of protection as is your router.

I have a firewall and a router and worms still try to get into my machine.  They fail, but they sure do try.

Also, Namae asked a really good question, is it Svhost.exe or Svchost.exe.  If it's the latter, do not delete it because Windows needs that file.

Which file was it?

Lyrima

It is, without a doubt, svhost.com.

I know you've recommended Norton and so have others...and others have told me they don't like it /shrug

I'm ready and willing to d/l Norton now, if it is safe to do so on an infected machine.

My Zone Alarm is currently scanning for viruses.  It *does* have a virus protection and I have it scanning by byte.  Now, I don't know more than what the silly program description tells me:

Quote: Anti-virus / Anti-spyware

Keep protection On to protect your computer from viruses and spyware.

And it gives me an option to scan...which it does regularly for me and did on the 8th of August.  And it found nothing.

So now I have it scanning by byte, but I'm perfectly happy to get a second program if everyone thinks Norton is the way to go.


Lyrima

Ok, I've looked at Norton and there is a huge array of prices and products.  I have two computers that need protection right now.

I know Gwenae suggests System Works but I'd like to hear from more folks about this before I spend the money.  And I need to know if Norton will play nice with my ZA, which I spent $60 on this winter.  I can't keep tossing money at software.

I don't know enough about all this and I don't know how to become knowledgeable.  As I said, I'm under the impression ZA does do virus scans and it missed this worm :(

This is the list of products Norton has:

http://www.symantecstore.com/dr/sat1/ec_MAIN.Entry17C?SID=49997&SP=10024&CID=0&PID=&PN=29&S1=&S2=&S3=&S4=&S5=&V1=11031981&V2=11031981&V3=1&V4=10&V5=&CUR=840&DSP=&PGRP=0&ABCODE=&CACHE_ID=189236

And this is what I have for Zone Alarm:

http://www.zonelabs.com/store/application?namespace=zls_catalog&origin=global.jsp&event=link.catalogHome&dc=12bms&ctry=US&lang=en&lid=home_ho

I got the suite (the one listed for 49.99 but I paid full price--closer to $60.)

Now tell me, do I have to spend another $100 on Norton? Or should I get something else?

HEEEEEEEEEEELP !!

Syllestrae

Hi Lyrima,

Download these, install them, and run their "update" functions (don't scan yet).

http://www.lavasoftusa.com/software/adaware/
http://www.download.com/3000-2144-10122137.html
http://www.intermute.com/spysubtract/cwshredder_download.html

Reboot your PC in safe mode (hit F8 during the early bootup screens and it'll pop an option to boot in safe mode).

Once in safe mode, use all three programs above to scan your system.  They'll find most everything problematic that's out there in the way of trojans and worms and junk.

If the problem persists, boot in safe mode again, go into C:\Windows\System32, sort by date, and delete any .dll or .exe files which were created the day the problem started (you can right click the files to see created date).
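The "sort System32 by date" step above, as an added example in Python rather than anything posted in the thread: it lists executable files whose creation date matches the day the trouble started so they can be looked up before anything is deleted. The folder listing used here is constructed, and the trouble date is taken from the thread's first post.

```python
"""Triage helper for the 'sort System32 by creation date' step.

Added example, not code from the thread. Given a folder listing, it returns
the .exe/.dll/.com files created on a chosen day so they can be checked one
by one. On Windows, os.stat().st_ctime is the creation time, which is what
Explorer shows as "Date Created".
"""
import os
from datetime import date, datetime

SUSPECT_EXTENSIONS = (".exe", ".dll", ".com")

# Day the error first appeared, per the opening post of the thread.
TROUBLE_DAY = date(2006, 8, 10)


def created_on(entries, day):
    """Return executable file names created on `day`, sorted case-insensitively.

    `entries` is an iterable of (filename, creation datetime) pairs so the
    logic can be run offline; scan_directory() builds that list from a real
    folder.
    """
    hits = []
    for name, created in entries:
        if not name.lower().endswith(SUSPECT_EXTENSIONS):
            continue
        if created.date() == day:
            hits.append(name)
    return sorted(hits, key=str.lower)


def scan_directory(path, day):
    """List one folder (no recursion) and apply created_on() to it."""
    entries = []
    with os.scandir(path) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            # Windows: st_ctime is the creation time. POSIX: it is the inode
            # change time, so the heuristic only means something on Windows.
            ts = entry.stat(follow_symlinks=False).st_ctime
            entries.append((entry.name, datetime.fromtimestamp(ts)))
    return created_on(entries, day)


# Constructed sample listing (not taken from any real machine). The old
# timestamps stand in for files laid down by the original XP install.
SAMPLE_LISTING = [
    ("kernel32.dll", datetime(2004, 8, 4, 12, 0)),
    ("svchost.exe", datetime(2004, 8, 4, 12, 0)),
    ("svhost.exe", datetime(2006, 8, 10, 3, 17)),
    ("msvcr71.dll", datetime(2006, 8, 10, 9, 41)),
    ("readme.txt", datetime(2006, 8, 10, 9, 42)),
    ("notepad.exe", datetime(2004, 8, 4, 12, 0)),
]

if __name__ == "__main__":
    for name in created_on(SAMPLE_LISTING, TROUBLE_DAY):
        print(name)
```

Treat the output as a list of candidates to research, not a delete list: a Windows update or a program installed the same day also drops fresh .dll/.exe files into System32 (msvcr71.dll in the sample is that kind of file), and malware can set its own file timestamps, so a clean date does not prove a file is clean.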

Gwenae

Zonealarm works fine with Norton.  I use both together, and never have any problems.  I think a lot of people say they don't like the programs because they just don't understand how to configure them.  You have to allow some things and disallow others.

Zonealarm must have a separate virus program then, if so, then I was wrong.

It's important to read the instructions when you buy software like this, because you really need to understand how it works and how it can be set up to not interfere with your computer use.

Do as others have suggested and bring up your computer in safe mode.  It's safe to install Norton, but you really should go and buy the program so that you have the cd.  That way you don't have to keep downloading it each time you want to install it.  Just a recommendation.

Gwenae

Here's some info I found out about svhost.exe.  It's a W32.Mydoom.i@mm worm.  It's an email mass mailing worm.

http://www.symantec.com/security_response/writeup.jsp?docid=2004-041516-1209-99&tabid=3

You can go ahead and remove it if you follow the instructions.

Edit:  If you do this, please do it in Safemode!

Scrib

If you don't like Nortons (I'm one who loathes it) and would prefer/don't mind going with a free option, try out AVG at free.grisoft.com.

I use it along with Zone Alarm, Ad-Aware, Spyware Blaster, and Spybot. All are free and work well.

Lyrima

I've run three different spy/virus seeking programs and none have found this.

Can it hide that well?

Should I take these drastic steps? How do I know it is there?

I've now purchased and d/led Norton Internet Security.  Tomorrow I will continue my work but I need to know..

how can I be certain I've got the silly thing before I go messing with my registry?

*thinks about Syll's list of tasks*

Syllestrae

The links I mentioned above are all free and work well.  I've only had one trojan that they couldn't fix (and I removed it manually myself).

Norton firewall is fairly convenient, but honestly I've found the Norton antivirus stuff to be pretty underpowered. 

- Syll

Syllestrae

Also, hit ctrl-alt-del to bring up application manager, and click on processes.

Scroll through the list and just double check that it is "svhost.exe" you see there (exact spelling).  As mentioned above, there are normal system processes with very similar name.

- Syll
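The exact-spelling check Syll describes, together with Namae Nai's rule earlier in the thread that the real svchost.exe lives only in C:\Windows\System32, as an added example in Python (not code from the thread). It takes a process listing in "PID  image path" form and flags a process whose name is a near miss of svchost.exe, or one named svchost.exe that is running from anywhere else. The listing is constructed, and the System32 path assumes the default C:\WINDOWS install location of Windows XP.

```python
"""Flag svchost.exe look-alikes in a process listing.

Added example, not code from the thread. Two rules, both taken from the
posts above: (1) a process called svchost.exe must run from System32;
(2) a name one or two typos away from svchost.exe (svhost.exe, scvhost.exe,
svchost.com) is not a Windows component and deserves a closer look.
"""
import ntpath  # Windows path rules, usable on any platform

LEGIT_NAME = "svchost.exe"
LEGIT_STEM = "svchost"
# Assumption: Windows XP installed to C:\WINDOWS, as in a default install.
# 64-bit Windows also keeps a copy under SysWOW64; add it there.
LEGIT_DIRS = (r"c:\windows\system32",)
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat"}


def edit_distance(a, b):
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(image_path):
    """Return 'ok' or a short verdict for one process image path."""
    path = ntpath.normpath(image_path.strip()).lower()
    directory, name = ntpath.split(path)
    stem, ext = ntpath.splitext(name)
    if name == LEGIT_NAME:
        if directory in LEGIT_DIRS:
            return "ok"
        return "masquerade: svchost.exe outside System32"
    if ext in EXEC_EXTENSIONS and edit_distance(stem, LEGIT_STEM) <= 2:
        return "lookalike: %s resembles %s" % (name, LEGIT_NAME)
    return "ok"


def triage(process_lines):
    """Parse 'PID image-path' lines; return (pid, path, verdict) for suspects."""
    findings = []
    for line in process_lines:
        line = line.strip()
        if not line:
            continue
        pid, image = line.split(None, 1)
        verdict = classify(image)
        if verdict != "ok":
            findings.append((int(pid), image, verdict))
    return findings


# Constructed sample (not from any real machine): the two columns of
# `wmic process get ProcessId,ExecutablePath`, trimmed by hand.
SAMPLE_PROCESSES = r"""
4    System
856  C:\WINDOWS\system32\svchost.exe
932  C:\WINDOWS\system32\svchost.exe
1240 C:\WINDOWS\Explorer.EXE
1588 C:\WINDOWS\system32\svhost.exe
1672 C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
1700 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
1744 C:\WINDOWS\system32\svchost.com
""".strip().splitlines()

if __name__ == "__main__":
    for pid, image, verdict in triage(SAMPLE_PROCESSES):
        print("%5d  %-60s  %s" % (pid, image, verdict))
```

Task Manager on XP shows only the image name, so the path rule needs a listing that includes the full path (the wmic query in the comment, or Process Explorer). A clean result here only means nothing with that name is running at the moment, which is the point Syll makes in the next posts.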

Lyrima

so if I don't see svhost.exe in the application manager it isn't on my computer?

This is a way to check ?

Gwenae

Lyrima, follow the link that I posted, it shows you how to remove it.  It might be hidden in the registry.

Removing it from the application manager doesn't mean it's gone from the computer.  The steps aren't really that drastic, just follow the paths and steps listed and you can remove it completely.

Lyrima

Gwennie, I looked at the link and read the directions. Daunting at best.  And the instructions are from 2004.  One would think Symantec would have figured out a better means of finding and removing this in these last two years.

Those instructions were written when the svhost worm was first found, I'm thinking.

I looked for more recent instructions and none were to be found.

At this point, I'm not all that sure if I followed the directions I'd even FIND the thing.

What I'm looking for at this point is a means of being sure I have the worm before I start messing further with my registry.

I'm no longer getting the error message nor am I having problems (so far) with my computer.


Gwenae

They are the correct instructions.  The instructions were probably written when that worm was discovered.  Forget about when they were written, do you have any idea how many worms or viruses there are?  There's no reason to rewrite the instructions if they're correct.

If you follow the instructions and go into your registry you can be sure that it's gone. If you're not going to try it then you can keep wondering about it.

Imeriel

Truth be told, there are a fairly decent variety of worms, backdoor.sdbots, trojans etc. that use the "svhost.exe" file name to mask themselves.  The most likely culprit is the Mydoom above.  However, there are quite a few others and variants that use the same.  Removal on each differs.

Unless someone feels exceptionally comfortable with their PC and has no problem experimenting on varying removal instructions and able to compensate / fix anything that occurs during the process, then the best thing to do is to make sure the PC is scanned by the most up-to-date anti-virus software out there.

Alternatively, there is always the option of backing up any "cannot be lost" info and then a complete disk format / clean install of windows.  Which is always my preference.

Syllestrae

Quote: so if I don't see svhost.exe in the application manager it isn't on my computer?

If you don't see it in the list of running processes, and you're not in safe-mode when you check, no, it probably isn't.

Usually worms run all the time once you're infected.

- Syll

ElektroViking


Those instructions are indeed a bit confusing...and I'm a comp geek.
The only reason I can follow it is I've been using Symantec for a while.  Someone who DOESN'T use Symantec is not going to realize that what they're reading is a list of descriptions, riddled with links of "How to...".

There is nothing wrong with wanting to be sure you HAVE to change the registry.

Syll gave you the best advice.  This worm/virus/trojan/whatevermebob... says it will show up in Active Processes.  If you do not see it there...there is a "good" possibility that it is gone.  And as far as finding out for "SURE"...I don't think this group can give you an answer..there are some things you may just have to hold your breath and hope.
And if you still are losing sleep, take it to a reliable computer Fix-It store to give it a once over..


I remember the days when we dreamed "of the day when"..computers always worked when we wanted them to, HOW we wanted them to.....
EQ1: (league of shadows) Zaemai Solusekro, Bryars Bloodrose
EQ2: (Saga) Tanuvan, Ticki, Rizzle
SWtoR: (Dark Squadron) Darth Pernicious
GW2: (Saga) Rick Ratchyt(80), Ticki Tock(80), Duegar, Mystic Krull