Majorly Desperate -- READ NOW!!!!!!


AsH432
February 2nd, 2005, 04:15 PM
Ok, I downloaded a KeyGen (stupid, I know). Now every time I run Windows, it runs svchost's and I keep getting lagged out or disconnected from the net :/ PLEASE HELP I did virus scans, kept killing the process :\

AsH432
February 2nd, 2005, 05:00 PM
PLEASE!!!! ZoneAlarm keeps popping up with Allow svchost.exe?

Every 5 seconds :/

Butters
February 2nd, 2005, 05:00 PM
Svchost.exe is a necessary system process, also known as Generic Host Process for Win32 Services. It is normal to have multiple copies running. These are collections of services run from dll files. (It can be a worm, but if you have updated your virus definitions and have done a full scan that most likely isn't your problem).

AsH432
February 2nd, 2005, 05:04 PM
Trust me, I run the CD keygen, then it popped up with all these svchost.exe :/

And it's asking for it every 2 seconds on ZA

Butters
February 2nd, 2005, 05:19 PM
Try this, go to Start | "Run" | (type) "CMD" (always no quotes)


You will get a command console, type in the following:

"cd\"

"tasklist /svc >tasklist.txt"

This creates a file called "tasklist.txt" in the root c:\. Navigate to that file, open in notepad and paste the results here.

-----------
Instructions are for XP (syntax could be different for other Windows versions).

AsH432
February 2nd, 2005, 05:21 PM
omg, what's "winstart32.exe" never there before :/

I seriously have a feeling it's dropped some sort of file that keeps spamming svchost.exe or something i dunno :/

AsH432
February 2nd, 2005, 05:23 PM
tasklist is not recognized as an external bla bla ...

:\

Bowserman
February 2nd, 2005, 05:27 PM
After googling, it would seem that you have the Purol Worm. Have a look here for more info and detailed removal instructions:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.purol.html

Regards,
Jade.

Butters
February 2nd, 2005, 05:28 PM
-{ Quote: "omg, what's "winstart32.exe" never there before :/

I seriously have a feeling it's dropped some sort of file that keeps spamming svchost.exe or something i dunno :/" }-


I googled it, and according to a number of sites, that is associated with the Purol worm. Check the following links for a description of what to look for.

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.purol.html

http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_PUROL.A

AsH432
February 2nd, 2005, 05:35 PM
Ahhh, I see ;)

Thanks for this.

Ok, how would I remove this? In the easiest way :p

Butters
February 2nd, 2005, 05:36 PM
-{ Quote: "tasklist is not recognized as an external bla bla ...

:\" }-


What OS do you run? That is not as important now anyway, you need to follow the instructions for the worm removal. It looks like it deletes the NAV virus definitions.

AsH432
February 2nd, 2005, 05:38 PM
Doing a "Trend Micro" scan. Thank you guys :D You are a great help :P

AsH432
February 2nd, 2005, 05:47 PM
omg, now it's making backups of everything :/

Butters
February 2nd, 2005, 06:01 PM
-{ Quote: "omg, now its making backups of everything :/" }-


You found yourself a nice little worm. :o The good news is that it doesn't destroy anything that can't be replaced easily, and mostly it tries to replicate. Just don't run any file sharing programs until it is fully cleaned or your temp files will be shared with the world. Trend Micro's scan should help you to remove everything.



1. Attempts to delete all the files from the following folders:

* C:\Progra~1\eSafe\Protect
* C:\Progra~1\McAfee VirusScan
* C:\Progra~1\NORTON~1
* C:\Progra~1\Acceleration Software\Anti-Virus
* C:\Progra~1\F-prot
* C:\Progra~1\Mcafee
* C:\Progra~1\Kasper~1
* C:\Progra~1\Avpersonal
* C:\Progra~1\Bullguard

2. Copies itself as:

* C:\Windows\Hwinfoq.com
* C:\Windows\Lorupscr.scr
* C:\Windows\Winstart32.exe

3. Creates the folder, C:\Windows\MyShares, and copies the following files to that location:

* C:\Windows\Temporary Internet Files\*.txt
* C:\Documents And Settings\Local Settings\Temp\*.doc
* \My Chat Logs\*.*
* C:\Windows\*.pwl
* C:\Windows\*.ini
* C:\Windows\temp\*.Doc
* C:\Windows\Temp\*.txt
* C:\Windows\Temp\*.rtf

4. Checks the following folders:

* C:\Windows\Myshares
* C:\Program Files\Icq\Shared Files
* C:\Program Files\Bearshare\Shared
* C:\Program Files\Morpheus\My Shared Folder
* C:\Program Files\Edonkey2000\Incoming
* C:\Program Files\Gnucleus\Downloads
* C:\Program Files\Gnucleus\Downloads\Incoming
* C:\Program Files\Kazaa\My Shared Folder
* C:\Program Files\Kazaa Lite\My Shared Folder
* C:\Program Files\Limewire\Shared

Then, the worm copies itself to any of the folders that it finds.
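
A triage check for the file-system traces listed in the worm description above, as an added example that is not part of the original thread. It assumes the copies the worm places in share folders are byte-identical to the dropped files in C:\Windows (the description does not say this), and that `root` is the affected drive, mounted or live; function names are illustrative.

```python
import hashlib
from pathlib import Path

# Paths from the worm description quoted in the thread, relative to the drive root.
DROPPED = ["Windows/Hwinfoq.com", "Windows/Lorupscr.scr", "Windows/Winstart32.exe"]
STAGING = "Windows/MyShares"
SHARES = [STAGING,
          "Program Files/Icq/Shared Files",
          "Program Files/Bearshare/Shared",
          "Program Files/Morpheus/My Shared Folder",
          "Program Files/Edonkey2000/Incoming",
          "Program Files/Gnucleus/Downloads",
          "Program Files/Gnucleus/Downloads/Incoming",
          "Program Files/Kazaa/My Shared Folder",
          "Program Files/Kazaa Lite/My Shared Folder",
          "Program Files/Limewire/Shared"]

def resolve_ci(root, rel):
    """Resolve rel under root ignoring case (Windows semantics); None if absent."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        match = [c for c in cur.iterdir() if c.name.lower() == part.lower()]
        if not match:
            return None
        cur = match[0]
    return cur

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan(root):
    """Find dropped copies, the staging folder, and identical copies in share folders."""
    dropped = [p for p in (resolve_ci(root, d) for d in DROPPED) if p and p.is_file()]
    sizes = {p.stat().st_size for p in dropped}   # cheap filter before hashing
    known = {sha256(p) for p in dropped}
    copies = []
    for rel in SHARES:
        folder = resolve_ci(root, rel)
        if folder and folder.is_dir():
            copies += [f for f in folder.iterdir() if f.is_file()
                       and f.stat().st_size in sizes and sha256(f) in known]
    return {"dropped": dropped, "staging": resolve_ci(root, STAGING),
            "share_copies": sorted(set(copies))}

if __name__ == "__main__":
    import sys
    for key, value in scan(sys.argv[1] if len(sys.argv) > 1 else "C:/").items():
        print(key, value)
```

An empty result only means none of the listed traces are present; a non-empty `staging` entry also means personal files may have been copied into a folder that file-sharing programs can expose.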