SVCHost is driving my firewall up the wall

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hello Everyone

some time ago i had an intrusion onto my system. the intruder was of course
a trojan received by me in an email. it cleverly disguiseds itself, starts
automaticall at start up with windows, and uses the svchost (Generic Host fo
Windows Processes) to piggy back of onto the web. my problem is as follows,
svchost.exe is a valid process w/o which no internet connection seems to
work. that is, if i block access to the internet for svchost.exe, internet
explorer, firefox, realplayer, winamp,... etc, none of these will be able to
access the internet. so the question than is, how do i discern which of the
many instances of svchost.exe are valid, and in turn, for each of these,
which threads are valid windows functionality threads, and which are
malicious code? and once these are identified, how do i kill these
permenantly?

I'm running windows XP Pro SP2.
 
Try running Services (services.msc) to see if you can go through the list of
what's running to figure out the culprit.
 
Dougy said:
Hello Everyone

some time ago i had an intrusion onto my system. the intruder was of
course a trojan received by me in an email. it cleverly disguiseds
itself, starts automaticall at start up with windows, and uses the
svchost (Generic Host fo Windows Processes) to piggy back of onto the
web. my problem is as follows, svchost.exe is a valid process w/o
which no internet connection seems to work. that is, if i block
access to the internet for svchost.exe, internet explorer, firefox,
realplayer, winamp,... etc, none of these will be able to access the
internet. so the question than is, how do i discern which of the
many instances of svchost.exe are valid, and in turn, for each of
these, which threads are valid windows functionality threads, and
which are malicious code? and once these are identified, how do i
kill these permenantly?

I'm running windows XP Pro SP2.
Click to expand...

http://www.sysinternals.com/Utilities/ProcessExplorer.html
http://www.diamondcs.com.au/portexplorer/
 
From: "Dougy" <[email protected]>

| Hello Everyone
|
| some time ago i had an intrusion onto my system. the intruder was of course
| a trojan received by me in an email. it cleverly disguiseds itself, starts
| automaticall at start up with windows, and uses the svchost (Generic Host fo
| Windows Processes) to piggy back of onto the web. my problem is as follows,
| svchost.exe is a valid process w/o which no internet connection seems to
| work. that is, if i block access to the internet for svchost.exe, internet
| explorer, firefox, realplayer, winamp,... etc, none of these will be able to
| access the internet. so the question than is, how do i discern which of the
| many instances of svchost.exe are valid, and in turn, for each of these,
| which threads are valid windows functionality threads, and which are
| malicious code? and once these are identified, how do i kill these
| permenantly?
|
| I'm running windows XP Pro SP2.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Back
Top