Infected w-svhost / worm_rbot.ffx

Posted by *rain*drops* on May 16, 2007, 2:57 pm
I did an online scan using TrendMicro. It found "worm_rbot.ffx" in the
system32 folder. I let it clean. I have not rebooted yet. I googled and
most entries say svhost.exe is a bogus file with a worm in it. Some posts
said it was a valid process that causes problems after an MS update. I'm
confused.

I found the file svhost.exe and checked properties -- no version or
manufacturer. Its creation date was 2/15/2006 and modification date was
8/10/2004. My computer software was first loaded on 2/15/2006.

I use MCE 2005 / XP SP2 with updates.


Questions:
1. Is it a worm or a valid MS component?
2. Am I safe to reboot?
3. What other security measures should I take?

Thank you for your assistance.

--

*rain*drops*





Posted by David H. Lipman on May 16, 2007, 4:29 pm
Reboot, "svhost.exe" is NOT valid.

Check to make sure ALL vulnerabilities have been mitigated...
http://secunia.com/software_inspector


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal
Mode. This way all the components can be downloaded from each AV vendor's web
site. The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files or you
can download the files and perform a scan in Normal Mode. Once you have
downloaded the files needed for each scanner you want to use, you should reboot
the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose
which scanner you want to run in Safe Mode. It is suggested to run the scanners
in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
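The identification Dave relies on above is that the real service host is svchost.exe in system32 and carries Microsoft version/manufacturer data, while the poster's svhost.exe is one letter short and has empty properties. The script below, added here as an example and not code from the thread or from any of the tools it links, turns those two observations into a repeatable check over a file inventory. The list of imitated process names, their expected directories, the backup directories, and the sample inventory are all constructed assumptions for illustration.

```python
"""Spot look-alike names of core Windows processes in a file inventory.

Added example, not code from the thread: the poster identified svhost.exe in
system32 by its name (one character short of svchost.exe) and by its empty
version/manufacturer properties. This applies those checks to a constructed
inventory.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Core Windows binaries that malware commonly imitates, with the directory
# the real file lives in on a default XP install. Assumption: this list is
# illustrative, not exhaustive.
KNOWN_GOOD: Dict[str, str] = {
    "svchost.exe":  r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe":     r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Directories where Windows keeps legitimate spare copies of system binaries
# (file-protection cache and service-pack source); a correctly named file
# there is not suspicious by itself. Assumption for this example.
BACKUP_DIRS = (r"c:\windows\system32\dllcache",
               r"c:\windows\servicepackfiles\i386")


@dataclass
class FileInfo:
    name: str
    directory: str
    company: Optional[str] = None   # CompanyName from the version resource
    version: Optional[str] = None   # FileVersion from the version resource


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters each cost 1, so 'scvhost' is 1 from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name: str) -> Optional[str]:
    """Return the legitimate name this file name imitates, or None."""
    n = name.lower()
    if n in KNOWN_GOOD:
        return None
    for good in KNOWN_GOOD:
        if osa_distance(n, good) == 1:
            return good
    return None


def assess(f: FileInfo) -> List[str]:
    """Return the reasons a file deserves a closer look (empty if none)."""
    reasons: List[str] = []
    name = f.name.lower()
    directory = f.directory.lower().rstrip("\\")
    target = lookalike_of(name)
    if target:
        reasons.append(f"name is one edit away from {target}")
    if name in KNOWN_GOOD and directory != KNOWN_GOOD[name] and directory not in BACKUP_DIRS:
        reasons.append(f"real {name} lives in {KNOWN_GOOD[name]}, not {directory}")
    if not f.company or not f.version:
        reasons.append("no manufacturer/version in file properties")
    return reasons


def report(inventory: List[FileInfo]) -> Dict[str, List[str]]:
    """Map full path -> reasons, for every file that has at least one."""
    out: Dict[str, List[str]] = {}
    for f in inventory:
        reasons = assess(f)
        if reasons:
            out[f"{f.directory}\\{f.name}"] = reasons
    return out


# Constructed inventory modelled on the thread: the bogus svhost.exe next to
# the genuine svchost.exe, a legitimate service-pack copy, and one
# transposition look-alike that does carry version data.
SAMPLE = [
    FileInfo("svhost.exe", r"C:\WINDOWS\system32"),
    FileInfo("svchost.exe", r"C:\WINDOWS\system32", "Microsoft Corporation", "5.1.2600.2180"),
    FileInfo("svchost.exe", r"C:\WINDOWS\ServicePackFiles\i386", "Microsoft Corporation", "5.1.2600.2180"),
    FileInfo("scvhost.exe", r"C:\WINDOWS", "Microsoft Corporation", "5.1.2600.2180"),
]

if __name__ == "__main__":
    for path, reasons in report(SAMPLE).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Running it flags only the two look-alikes; the genuine svchost.exe and its service-pack copy pass. Version data alone is not proof either way (the transposed name above has it), which is why the name and directory checks are kept independent of it.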



Posted by PA Bear on May 16, 2007, 5:10 pm
Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin; DTS-L.org



Posted by *rain*drops* on May 16, 2007, 9:54 pm
Thanks David & Bear,

David -- I got the virus-checking batch files and DLed and ran the virus
checkers. I ran them in NORMAL mode because I could not boot into safe
mode.

Sophos: all clean
Trend: found and cleaned WORM_RBOT.FFX
Kaspersky: ran all the way; all clean; no logfile found

Rebooted. The file svhost.exe is no longer on my system.

Could not run http://secunia.com/software_inspector because the program
would not load. I got the java applet okay, but nothing showed up on the
page; it just sat there. I haven't applied any updates to Windows or MS
files since January. I use Adobe Acrobat 5. I also use Thunderbird,
Firefox, OE6 for these newsgroups, occasionally IE 6, Newsbin and
occasionally Forte Agent. I keep FF & Tbird up to date. I don't let other
applications go online. None of my games go online.

Tried 3x to boot into safe mode. I've done this before. Use f8 key. The
list of files loading ran, but stopped at drivers\mup.xxx. It sat there for
15 minutes the first time. It sat there the second time I don't know how long.
So I finally booted back into Normal.

I will update and run Hijack This and report back. I will try again
tomorrow to get into Safe Mode. In the meantime, if you have any
suggestions for me on that, I'll be glad to give them a try.

BTW, I've had computers since 1991. This is the first time I've ever had an
infection. I use Zone Alarm and AVG and keep AVG up to date.

What damage might the worm have done? Do I need to check any file
integrities, or change passwords, or notify others online?

--

*rain*drops*




Posted by Alex Krawarik [MSFT] on May 17, 2007, 2:50 pm
Yes, Rbot has a lot of variants and is pretty common.

> BTW, I've had computers since 1991. This is the first time I've ever had
> an infection.

...that you know of....

> What damage might the worm have done? Do I need to check any file
> integrities, or change passwords, or notify others online?

to be honest, anything and everything.

The general rule (for me, YMMV) is that once something is detected, pretty
much no matter what, I flatten and rebuild. I do data-backups to CD/DVD
semi-regularly to keep the pain of this process to a minimum, and try to
minimize keeping anything particularly interesting (financial data, blah
blah blah) on my machine



